Malicious Relay Detection Using Sentinels: A Stochastic Geometry Framework

I. Introduction

WIRELESS communication networks comprising many interconnected nodes are vulnerable to disruption or corruption of vital information by malicious nodes present in the network. Securing these networks can be very difficult because the attack surface can be enormous. Any device in the network can be a potential entry point via exposed serial ports, physical tampering, hard-coded keys and credentials, insecure wireless communications and applications. The data contained in the network may be sensitive or valuable, entailing huge potential gains for the attacker that hinders data transmission, steals information and/or modifies data.

Conventionally, security schemes are developed mostly for the upper layers of the network, with a focus on cryptography based methods. For example, data integrity can be ensured by message authentication codes or digital signatures. However, the low hardware complexity and energy consumption requirements of IoT devices pose a challenge to adopt computationally exhaustive algorithms [1]. Additionally, the management of secret keys often requires complex protocols and architectures, rendering the cryptography-based methods difficult to implement in large IoT networks [2].

In this paper, we consider a hierarchical wireless network architecture, a typical setup in IoT, in which a group of IoT devices connects to an access point (AP) through another wireless node known as a gateway or relay. The clustering of nodes results in relays becoming higher value targets since a relay can easily disrupt the communication of all the devices it serves. The attack model assumes that the compromised relays may either alter, drop or artificially craft data packets. We adopt the sentinel based security scheme proposed in [3] to detect such data integrity attacks initiated by IoT relays. Sentinels are special passive nodes, sniffing data packets transmitted by both IoT devices and relays, by exploiting the broadcast nature of wireless transmissions. The proposed detection system is based on having sentinels compare the MAC layer payloads transmitted by the devices and their associated relays, which should be identical because the relays are only forwarding the IoT packets. Taking the wireless communication characteristics of the transmissions into account (e.g., possible outages due to bad channel conditions and interference), the sentinels detect relays engaged in such malicious activity with the desired probability. Unlike [3], [4], which assume known channel parameters, here we take a stochastic geometry approach to analyze the detection performance.

A. Related Work

A cross-layer approach to the detection of malicious relays in a two-hop wireless network was presented in [5], but its operation assumed that some devices forward the same information through two different relays. In [6], a channel-aware scheme for selective forwarding attack detection is proposed, but it has the drawback of high missed detection probability in case only a small fraction of packets are dropped by a malicious node. Detection of false data injection attacks by a malicious relay via physical layer techniques was presented in [7], [8]. In [7], the detection scheme operated at the modulated symbol level, but the detection performance degraded significantly in scenarios where the end-to-end channel gain between the source and the final destination is small. In [8], a Bayesian test approach at the packet level is proposed, but the performance is unsatisfactory when the relay corrupts only a small fraction of bits.

In [9], the use of received signal strength indicator readings was proposed for the detection of selective forwarding attacks. However, this method relied on a sophisticated localization algorithm for estimating the distances among nodes. The use of a checkpoint node along the forwarding path was proposed in [10] for the detection of selective forwarding attack. This scheme, however, requires major changes to existing wireless sensor network protocols, including implementation of one-way hash functions and the exchange of ACK packets with timing information.

An overhearing-based approach to malicious node detection was proposed in [11], here each node is expected to report the packet forwarding ratio for its neighbors. This approach, however, results in heavy computational load on the network resources, as every device continuously monitors the information exchanged with neighboring nodes. In [12], a similar approach was adopted, and nodes were assumed to monitor their two-hop neighbors. A watchdog technique for data integrity attack detection was presented in [13], but it does not consider packet loss due to channel noise, and also suffers from the heavy computational load as each node is expected to monitor its neighboring node. In [14], the destination detects Byzantine attacks by observing certain signals containing side information, which cannot be altered by the malicious relay. We remark that an important distinction between our sentinel based malicious detection, and previous works based on watchdog approach [11]-[13], is that the sentinel based detection scheme does not require any changes to standard wireless/IoT protocols: The task of monitoring and reporting malicious behavior is entrusted only to secure sentinel nodes which are placed appropriately by the network designer.

In [15], a malicious relay detection scheme, operating in the absence of a reference signal at the receiver, was presented for an amplify-and-forward relay network. This scheme exploited the knowledge of channel characteristics, but the system was analyzed only in an asymptotic setting with an extremely large number of symbols required for detection. In a similar amplifyand-forward relay setting presented in [16], a novel approach to detect the malicious relays engaged in false information forwarding in the presence of unreliable CSI is proposed. However, not all types of false forwarding and dishonest CSI feedback attacks can be detected, especially when there is no direct link between the source and the destination.

The overhearing/watchdog-based relay detection schemes in the above-mentioned papers either did not consider the outage characteristics or assumed fixed received interference and signal powers to calculate the outage probability. In fact, the perceived signal powers and the interference from concurrent transmissions at the sniffer nodes (sentinels) depend on the network geometry. A significant difference in our scheme is its ability to model the network geometry to accurately capture the outage characteristics. This is achieved through the use of stochastic geometry modelling which has been successfully adopted in heterogeneous [17]-[19] and IoT/machine-to-machine relay networks [20]-[22]. For example, the optimal partitioning of spectrum resources into IoT devices and relay nodes to maximize the density of supported IoT devices has been addressed in [20]. The analysis of resource scheduling strategies at the relay nodes has been studied in [21]. A multi-hop data aggregation scheme to minimize the energy density of an IoT network has been proposed in [22].

Stochastic geometry has also been used in a number of papers studying physical layer security. In [23], secure communication in a cognitive radio network, in the presence of randomly distributed eavesdroppers has been studied. Based on various channel knowledge assumptions at the transmitter, transmission protocols have been designed to achieve secure transmission. In [24], [25], interference from the secondary users of a random cognitive radio network is exploited as artificial noise to improve the secrecy throughput of the primary network. In [26], two secrecy improvement techniques namely, creating guard zones and adding artificial noise have been comparatively analyzed using stochastic geometry. In [27] the secrecy performance of a primary network overlaid with an RF energy harvesting secondary IoT network has been studied. Assuming that the secondary network is solely powered by the ambient RF energy harvested from the transmissions of the primary network, the optimal deployment density for the secondary network for maximal energy harvesting has been calculated under secure communication constraints. As discussed, the earlier works on stochastic geometry focused on beamforming design [28], [29] to improve secrecy in various scenarios and proposed useful optimizations secrecy. In this paper, we focus on another aspect of secure communications, which is message integrity.

Our proposed scheme complements cryptography-based approaches as an additional defense mechanism, because the limited processing capabilities of resource-constrained devices may not be relied upon to support a desired level of security. Additionally, cryptography-based detection of data integrity attack has the limitation that it cannot locate the malicious relay node in multi-hop networks [30].

B. Contributions

This paper proposes a stochastic geometry framework to analyze the detection probability of data integrity attacks launched by relays in an IoT network. In particular, the locations of the devices, relays, APs, and sentinels are represented as point processes with certain densities. Stochastic geometry modeling allows us to calculate the interference and signal power distributions and thus to derive the outage probability of each link averaged over the space of all network realizations. ¹ Then, the minimum density of sentinels which ensures a certain detection probability is calculated. The analysis is performed for two detection models, named based on the degree of communication among sentinels: isolated detection and co-operative detection. Further details on the system model are provided in the following section.

¹ The outage in device-to-relay and relay-to-AP links refer to a failed decoding attempt, whereas in device-to-sentinel and relay-to-sentinel links, it is the failure of the associated sentinel(s) to sniff and decode the packet.

The distinguishing features of our proposed scheme, and the resulting analysis are as follows.

1. Our model considers a practical scenario where different wireless links in the network may have different packet error probabilities depending on their channel conditions. As such, some transmissions may be unsuccessful, and the probability of sentinels capturing a certain packet is a function of the network geometry.

2. Unlike the majority of physical layer security schemes, our model does not assume known channel parameters or node locations for the design. Thanks to the use of stochastic geometry, the obtained results are the averages over the space of all possible network realizations. Thus, the presented communication theoretical results serve as a baseline for the design of future sentinel based detection schemes.

3. The proposed detection scheme imposes no additional burden on the resource-constrained IoT devices and relays, but rather passively monitors them for anomalies through the passive sentinel nodes. The network operator is notified only when an anomaly is detected. While adding sentinels comes with additional hardware and maintenance costs, as will be shown through analysis, a respectable attack detection probability can be achieved even when the sentinel node density is much lower than the relay node density. This is a critical advantage over other schemes, which typically require additional computations on the part of IoT devices.

4. The probability of false alarm in our detection scheme is negligible. We remark that a false alarm occurs only in the unlikely scenario where the packet cyclic redundancy check (CRC) fails to detect errors in the decoded packet (after error correction), even though the decoded packet is in error. Therefore, the false alarm probability in our detection scheme can be made negligible by using a sufficiently long CRC. This is distinct from previously proposed detection schemes which trade probability of missed detection against the probability of false alarm.

II. SYSTEM MODEL

A. Network Model

Consider a wireless IoT network where IoT devices connect to the APs only via wireless decode-and-forward relays. The locations of devices, relays, APs and sentinels are assumed to follow four independent homogeneous spatial Poisson point processes (PPPs), [TeX:] $$\Phi_{D}=\left\{D_{i}\right\}, \Phi_{R}=\left\{R_{i}\right\}, \Phi_{A}=\left\{A_{i}\right\}$$ and [TeX:] $$\Phi_{S}=\left\{S_{i}\right\}$$ with densities [TeX:] $$\lambda_{D}, \lambda_{R}, \lambda_{A} \text { and } \lambda_{S}$$ respectively (Fig. 1). Each device is associated to its nearest relay and each relay is linked to its nearest AP, which also perceives the strongest average received power. Therefore, the spatial tessellation formed by the association regions of relays and access points can be characterized as two independent Poisson Voronoi tessellations [31]. The boundaries of relay association regions are shown in Fig. 1 by solid blue lines. Each relay listens to the devices within its own association region. Similar association regions are formed for linking relays to the APs, but this is not displayed in Fig. 1 for clarity. The sentinel association depends on the type of detection model employed.

1. Isolated Detection: In this model, the sentinels are unable to communicate with each other (excluding the initial association region setup) and have to detect the attacks individually. Therefore, a sentinel must overhear the transmissions of both a relay and other devices associated with this relay, in order to assess the malicious activity of this relay cluster. For maximal detection performance, each relay shall be associated with the sentinel which receives the relay’s transmission with the highest average signal power. All the devices linked to a particular relay are monitored by the same sentinel. For instance, if the sentinel located at [TeX:] $$S_{0}$$ is the nearest sentinel to the relay located at [TeX:] $$R_{0}$$, all devices linked to this relay at [TeX:] $$R_{0}$$ would also be associated with [TeX:] $$S_{0}$$ even though [TeX:] $$S_{0}$$ is not necessarily the nearest sentinel to these devices. Such an association rule is necessary for the sentinel to overhear both the device’s and its associated relay’s transmissions of a particular data packet.

2. Co-operative Detection: If the sentinels can communicate with each other in the detection process, the detection performance improves. It is assumed that the transmitted device and relay packets are captured by a sentinel whenever the observed signal-to-interference ratio (SIR) exceeds a required value. Then, the device and relay versions of the sniffed packets with the identical sequence number and source ID are compared among sentinels to verify data integrity. Cooperative detection is able to detect packet modifications by the relay even when disjoint sets of sentinels capture a packet transmitted from a device and the same packet forwarded by the relay. In such a scenario, isolated detection would fail. It should be noted that instead of transmitting the whole sniffed packet for comparison, sentinels can compute and share only the checksums of MAC payloads, along with the source ID and sequence numbers to label the checksums. This would reduce the signaling overhead and allow a more robust error correction scheme for sentinel transmissions.

We assume that the APs (relays) schedule their linked relays (devices) by assigning each relay (device) a different time slot, i.e., time division multiple access (TDMA). Hence, no more than one relay (device) can transmit within an association region of each AP (relay) in the same time slot. While we perform the analysis for a certain frequency channel, the analysis applies in the same way to other orthogonal frequency channels. In-active and transmitting IoT devices are labeled separately in Fig. 1. Note however that, multiple relays (devices) within different APs’ (relays’) association regions can transmit concurrently, thus causing mutual interference. The resulting spatial point processes of concurrently transmitting devices and relays are denoted by [TeX:] $$\Phi_{D}^{a} \text { and } \Phi_{R}^{a}, \text { where } \Phi_{D}^{a} \subset \Phi_{D} \text { and } \Phi_{R}^{a} \subset \Phi_{R}$$.

We denote the effective density of transmitting devices by [TeX:] $$\lambda_{D} \delta_{D}$$ and relays by [TeX:] $$\lambda_{R} \delta_{R} \text { where } \delta_{D} \text { and } \delta_{R}$$ are the fractions of devices and relays, respectively, which transmit in a time slot. ² It is further assumed that the devices and relays transmit in orthogonal channels, therefore, no device-to-AP or relay-to-relay interference is present.

² Provided that [TeX:] $$\lambda_{D} \delta_{D} \leq \lambda_{R} \text { and } \lambda_{R} \delta_{R} \leq \lambda_{A}$$, to ensure a considerable capture probability. This means, no more than a single device (relay) is transmitting within the association region of a relay (AP).

B. Channel Model

The transmitting devices and relays transmit with powers denoted by [TeX:] $$P_{D} \text { and } P_{R}$$ respectively. The propagation model accounts for the path loss attenuation and large scale fading. For any transmitter located at [TeX:] $$X$$ and receiver at [TeX:] $$Y$$, the path attenuation from [TeX:] $$X \text{ to } Y$$ is given by [TeX:] $$\|Y-X\|^{-\alpha}$$, where [TeX:] $$\|Y-X\|$$ is the distance between [TeX:] $$X$$ and [TeX:] $$Y$$, and denotes the path-loss exponent. The fading power gain from [TeX:] $$X$$ to [TeX:] $$Y$$ is denoted by [TeX:] $$h_{Y, X}$$. We assume that [TeX:] $$\left\{h_{Y, X}\right\}$$'s are unit mean exponential random variables (Rayleigh fading), independent across [TeX:] $$\{X\}$$ and [TeX:] $$\{Y\}$$s and transmission cycles. Received signals can be decoded only if they are received with SIR above a certain threshold . I.e., for a transmitting node at [TeX:] $$X \in\left\{\Phi_{D} \cup \Phi_{R}\right\}$$, the probability of its intended receiver at [TeX:] $$Y \in\left\{\Phi_{R} \cup \Phi_{S} \cup \Phi_{A}\right\}$$ successfully capturing its packet is,

where [TeX:] $$\epsilon_{X \rightarrow Y}$$ is the outage probability from [TeX:] $$X \text { to } Y \text { and } I_{Y}$$ is the aggregate interference received at [TeX:] $$Y$$.

C. Attack Model and Detection

The threat model and the sentinel based detection model are discussed in the following. Then, the attack detection probability is formulated as a performance metric.

It can be safely assumed that a unique source ID (e.g., MAC address) and a sequence number are associated with packets transmitted from each IoT device. The MAC layer also adds cyclic redundancy check (CRC) bits to the packet before passing it to the physical layer for error control coding and modulation. For a given packet transmission from device [TeX:] $$D_{j}$$ to relay [TeX:] $$R_{i}$$, if the CRC fails at [TeX:] $$R_{i}$$ due to interference and noise, then [TeX:] $$R_{i}$$ does not send back an acknowledgment to [TeX:] $$D_{j}$$, and the packet with the same source ID, sequence number and payload has to be re-transmitted by [TeX:] $$D_{j}$$ until an acknowledgment is received from [TeX:] $$R_{i}$$. Each relay node first demodulates and decodes the received physical layer signal using a suitable error control and/or correction scheme. Upon successfully decoding the packet, the relay keeps the source ID and sequence number in the header, adds its own ID, and passes the data to the physical layer for error control coding and modulation. Similarly, if CRC fails at the AP when decoding the packet transmitted by the relay [TeX:] $$R_{i}$$, the AP does not send an acknowledgment, demanding a re-transmission from the relay [TeX:] $$R_{i}$$. Acknowledgment packets are small and encoded with a robust error correction scheme so that they are received errorfree.

The relays can be compromised due to several vulnerabilities including but not limited to default, weak or hard-coded credentials/keys, exposed serial ports, insecure wireless communications and applications, and physical tampering. Furthermore, the limited processing capabilities of IoT devices render the use of strong cryptography-based authentication and integrity checks uncommon, thus allowing the compromised relay node to tamper with the data packets undetected. In the absence of an appropriate attack detection mechanism, the adversary may inject malicious commands or false data, deny critical data transmissions for a prolonged duration, and even use the compromised relay node as an entry point to reach the susceptible parts of a cyber-physical system. In line with these potential risks, our attack model assumes that the compromised relay nodes either i) alter, ii) drop or iii) artificially craft data packets prior to relaying. The sentinels aim to detect the presence of a malicious relay node engaged in any of the three integrity attacks.

1. Altering the payload: The relay modifies the payload prior to transmission. The sentinels detect such attacks if they can successfully capture the corresponding packets (identical source ID and sequence number) transmitted by the IoT device and the relay.

2. Dropping packets: The relay intentionally drops some of the received packets instead of forwarding them to the AP, and also tampers with the sequence numbers such that the AP receives packets with consecutive sequence numbers. Note that, if the sequence numbers are not modified, the AP notices the missing sequence numbers. For instance, after correctly forwarding packets with sequence number [TeX:] $$1, \ldots, i$$, the compromised relay may drop the [TeX:] $$(i+1)$$'st packet, and forward the [TeX:] $$(i+k)$$'th packet with the tampered sequence number of [TeX:] $$i+k-1 \text { for } k=1,2, \ldots$$ Such an attack can be detected if the sentinels can capture and compare any of the [TeX:] $$(i+k)$$'th packet from the device, and the packet labeled with sequence number [TeX:] $$i+k$$ from the relay.

3. Crafting packets: The compromised relay may craft a packet with spoofed source/destination ID and sequence number to test the presence, functionality or the accuracy of intrusion detection systems. If the source/destination ID and sequence numbers of the forged packet do not match the expected headers by the AP, then the attack can be readily detected by the AP. To avoid detection by the AP, the relay has to attach an appropriate source ID and the subsequent sequence number for that source, then send it to the AP as if it originated from an IoT device. The sentinels can detect such forged packets if they can capture both the forged packet and the corresponding authentic packet transmitted by the device, whose source ID and sequence number match that of the forged packet.

Note that all three types of integrity attacks can be detected if the sentinels capture at least two packets, one transmitted by the device and another from the relay whose source ID and sequence number match that of the device. Due to the proximity of a device to its associated relay induced by the Poisson Voronoi tessellation of the relays, there would be a weak correlation in the signal power from a device and its associated relay perceived at the typical sentinel. Nevertheless, this correlation would be limited because the device can still be located anywhere within the Poisson Voronoi cell with a uniform probability distribution, and also because the channel gains are independent. Motivated by this argument, the detection probability of an attack is assumed to be the product of the probabilities of successfully capturing a typical device and a typical relay packet, or

where [TeX:] $$\epsilon_{D \rightarrow S} \text { and } \epsilon_{R \rightarrow S}$$ are the outage probabilities when decoding a device and relay transmission, respectively.

D. Effects of Re-transmissions on the Detection Performance

As stated above and in line with conventional MAC protocols, re-transmissions are triggered until the appropriate acknowledgment packet is received in both device-to-relay and relay-to-AP links. When a transmission is repeated, the sentinels can capitalize on multiple opportunities to sniff the packet, improving the detection performance. For instance, if a relay node requests a re-transmission from its associated device before tampering with the data and relaying, it is sufficient for the sentinels to capture the malicious packet by the relay and either one of the transmitted packets from the device. Thus, [TeX:] $$\left(1-\epsilon_{D \rightarrow S}\right)$$ in (2) would have to be replaced by a higher probability, measuring the event that sentinels capture at least one of the device transmissions. However, we argue that the malicious relays may be smart enough not to request re-transmissions when they intend to alter the payload. To minimize the risk of being detected, a compromised relay may choose not to request re-transmissions for the packets whose source and sequence ID matches the malicious packets that it injects. Similarly, the compromised relay may choose not to transmit the malicious packet more than once if acknowledgment is not received from its associated AP. Therefore, the detection probability metric should not account for re-transmissions.

III. OUTAGE ANALYSIS

In this section, using stochastic geometry, we derive the outage probabilities for all four wireless links: device-to-relay [TeX:] $$\left(\epsilon_{D \rightarrow R}\right)$$, relay-to-AP [TeX:] $$\left(\epsilon_{R} \rightarrow A\right)$$ and relay-to-sentinel [TeX:] $$\left(\epsilon_{R} \rightarrow S\right)$$. For the outage analysis, we condition on a typical receiving node and its tagged transmitter. Then, we express the received interference distribution and thus the probability of outage conditioned on the locations of this transmitter/receiver pair. Finally, we integrate the conditional outage probability over the distance distribution of the typical transmitter/receiver pair to obtain the average outage probability.

A. Communication Links: Device-to-Relay and Relay-to-AP

Since the same node association rule applies for device-torelay and relay-to-AP wireless links, here we develop a Theorem which characterizes the received interference distribution from PPP distributed transmitters, when the typical transmitter (device or relay) is scheduled to transmit to its nearest receiver (relay or AP respectively). Then, using this Theorem, the capture probabilities of device-to-relay and relay-to-AP links can be obtained thanks to the PPP approximation on the locations of active transmitters.

Without loss of generality, let us assume that the typical receiver at [TeX:] $$Y_{0}$$, selected among the homogeneous PPP distributed receivers [TeX:] $$\Phi_{Y} \text { of density } \lambda_{Y}$$, is located at the origin. As per the association rule of transmitter/receiver pairs, the association region of this typical receiver can be defined as a Poisson Voronoi cell [31],

Let the interfering transmitter process [TeX:] $$\Phi_{X} \backslash \mathcal{V}_{Y_{0}}$$ be a homogeneous PPP with density [TeX:] $$\lambda_{X}$$ outside the association region of the typical receiver. Also let [TeX:] $$X_{0} \in \Phi_{X} \cap \mathcal{V}_{Y_{0}}$$ be the location of a tagged (marked) active transmitter of the typical receiver, uniformly distributed in [TeX:] $$\mathcal{V}_{Y_{0}}$$³. Given constant transmit powers of [TeX:] $$P_{X}$$ and i.i.d unit mean exponential channel fading gains of [TeX:] $$h_{Y_{0}, X}$$ for all [TeX:] $$X \in \Phi_{X}$$, the received interference power at [TeX:] $$Y_{0}$$ is

The following Theorem characterizes the Laplace transform of the distribution of [TeX:] $$I_{Y_{0}}$$ and the capture probability at a typical receiver.

³ [TeX:] $$\Phi_{X}$$ is a PPP with density [TeX:] $$\lambda_{X}$$ outside [TeX:] $$\mathcal{V}_{Y_{0}}$$, and not a PPP inside [TeX:] $$\mathcal{V}_{Y_{0}}$$ because it has a single point at [TeX:] $$X_{0} \text { in } \mathcal{V}_{Y_{0}}$$.

Theorem 1. Laplace transform of the interference distribution at the typical receiver is

and the capture probability at this typical receiver is,

where [TeX:] $$C_{\alpha}(\theta)=\int_{1}^{\infty} \frac{\mathrm{dt}}{1+\theta^{-1} t^{\alpha / 2}}$$ and is Rayleigh distributed with parameter [TeX:] $$\left(2 \pi \lambda_{Y}\right)^{-1 / 2}$$

Proof: The proof is given in Appendix A.

When [TeX:] $$\alpha=4$$, the results in Theorem 1 can be further simplified as follows.

Corollary 1. If [TeX:] $$\alpha=4$$,

where [TeX:] $$\mathcal{A}(\cdot)$$ is the auxiliary function given in terms of trigono- metric functions and integrals,

with

Proof: The proof is provided in Appendix B.

Note that the capture probability in (6) and (8) does not depend on [TeX:] $$P_{X}$$, since all nodes transmit with the same power and therefore both signal and interference power scale linearly with [TeX:] $$P_{X}$$. The right-hand side of (8) can be calculated numerically by a Riemann sum over [TeX:] $$r$$, or by a Monte-Carlo simulation of the Rayleigh random variable with parameter [TeX:] $$\left(2 \pi \lambda_{Y}\right)^{-1 / 2}$$.

The derivations so far have assumed that the interfering transmitters are distributed as a homogeneous PPP. Although [TeX:] $$\Phi_{D}$$ and [TeX:] $$\Phi_{R}$$ are homogeneous PPPs, the scheduling of devices by the relays and relays by the APs ensures that no more than a single device (relay) can be active at a time in an association region of a relay (an AP). Therefore, the resulting spatial processes of simultaneously transmitting devices and relays, i.e., [TeX:] $$\Phi_{D}^{a}$$ of density [TeX:] $$\lambda_{D} \delta_{D} \text { and } \Phi_{R}^{a} \text { of density } \lambda_{R} \delta_{R}$$, have at most one point in each Poisson Voronoi region. Such a spatial distribution is known as Poisson Voronoi perturbed lattice or user point process (UPP) and the interference distribution resulting from [TeX:] $$\Phi_{D}^{a}$$ and [TeX:] $$\Phi_{R}^{a}$$ are intractable. In [32], the pair correlation function of UPP has been accurately characterized to approximate UPP to Ginibre Point Process or PPP depending on the cell vacancy rate. In particular, in the case where the Poisson Voronoi cells are heavily loaded with users – with the extreme case being UPP of type 1, implying exactly one user per cell – the UPP demonstrates pair correlation function similar to that of the Ginibre Point Process. On the other hand, if the Poisson Voronoi cells are lightly loaded with users the user process is called UPP of type II, and the PPP approximation is more accurate.

In our model of an IoT network, the density of transmitting devices [TeX:] $$\lambda_{D} \delta_{D}$$ has to be considerably smaller than the density of relays [TeX:] $$\lambda_{R}$$, and the density of transmitting relays [TeX:] $$\lambda_{R} \delta_{R}$$ has to be considerably smaller than the density of receiving AP density [TeX:] $$\lambda_{A}$$ to ensure a reasonable end-to-end success probability. For example, as will be shown in Section V, assuming a 1-to-3 ratio of user containing cells to empty cells, i.e., [TeX:] $$\lambda_{D} \delta_{D} \approx 0.25 \lambda_{R}$$ and [TeX:] $$\lambda_{R} \delta_{R} \approx 0.25 \lambda_{A}$$ yields an end-to-end success probability of only 0.46. For higher success probability values, the ratio of empty cells should be even larger. Therefore, in line with the idea that UPP of type II can be well approximated to a PPP when most Poisson Voronoi cells are empty [32], replacing the UPP of interfering devices (relays) outside the association region of the typical relay (AP) with a PPP of density [TeX:] $$\lambda_{D} \delta_{D}\left(\lambda_{R} \delta_{R}\right)$$ provides a good approximation to the actual interference from [TeX:] $$\Phi_{D}^{a}\left(\Phi_{R}^{a}\right)$$. The analysis becomes intractable without this approximation and similar approximations were also used in [33], [22], [34].

Approximating the interfering device process with a PPP of density [TeX:] $$\lambda_{D} \delta_{D}$$ outside the association region of the typical relay, we can use Theorem 1 to express the interference distribution and the outage probability for device-to-relay link as

where is Rayleigh distributed with parameter [TeX:] $$\left(2 \pi \lambda_{R}\right)^{-1 / 2}$$. Then, the outage probability for the device-to-relay link is

with [TeX:] $$\mathcal{C}(.)$$ given in Theorem 1 for general , and in Corollary 1 for = 4. Note that we use equality sign (=) rather than approximately equal sign (≈) to indicate the approximation due to the modeling of UPP of type II as a PPP, in order to reserve the approximately equal sign for other approximations that we utilize in the upcoming sections. The PPP approximation has been thoroughly verified in the simulations as well as in other papers, e.g., [22], [35]

Similarly, the interfering relay process can be approximated with a PPP of density [TeX:] $$\lambda_{R} \delta_{R}$$ outside the association region of the typical AP. Hence, we can use Theorem 1 to express the interference distribution and the outage probability for relay-toAP link as

where is Rayleigh distributed with parameter [TeX:] $$\left(2 \pi \lambda_{A}\right)^{-1 / 2}$$, and

The accuracy of (10) and (12) for the outage probability are verified through Monte-Carlo simulations in Section V.

B. Security Links: Device-to-Sentinel and Relay-to-Sentinel

It was stated in the previous subsection that the locations of transmitting devices and relays form UPPs of type II whose Probability Generating Functional (PGFL) is intractable, and approximating the UPP of type II with a PPP of equivalent density can provide a good approximation. We resort to a similar PPP approximation to calculate the interference received at a sentinel node. In particular, we approximate the spatial distributions of actively transmitting devices and relays with homogeneous PPPs of densities [TeX:] $$\lambda_{D} \delta_{D} \text { and } \lambda_{R} \delta_{R}$$, respectively. Since there is no rule describing the positions of transmitting relays and devices relative to the sentinels, the received interference distributions at the typical sentinel is straightforward. The Laplace transform of the interference from homogeneous PPP distributed transmitters of density [TeX:] $$\lambda_{X}$$ with Rayleigh fading assumption is known to be (from [36], Eq. (8)),

where [TeX:] $$K_{\alpha}=2 \pi /[\alpha \sin (2 \pi / \alpha)]$$.

Likewise, the received interference distribution at the typical sentinel, when decoding device and relay packets respectively would be,

B.1 Isolated Detection

In the following, we calculate the capture probability for relay-to-sentinel links by conditioning on the distance between the typical sentinel and its associated relay, i.e., [TeX:] $$\left\|S_{0}-R_{0}\right\|$$, according to the isolated detection scheme. Since the association between relays and sentinels is such that each relay is linked to its nearest sentinel, the distance between the typical sentinel at [TeX:] $$S_{0} \in \Phi_{S}$$ and its associated relay at [TeX:] $$R_{0} \in \Phi_{R}^{a} \cap \mathcal{V}_{S_{0}}$$ has a Rayleigh distribution with parameter [TeX:] $$\left(2 \pi \lambda_{S}\right)^{-1 / 2}$$. Then, the probability that the typical sentinel captures the packet transmitted by its tagged relay at [TeX:] $$R_{0} \in \Phi_{R}^{a} \cap \mathcal{V}_{S_{0}}$$ can be calculated by integrating the conditional capture probability over the distance distribution of [TeX:] $$\left\|S_{0}-R_{0}\right\|$$,

where (a) follows from the complementary cumulative distribution function of the exponential random variable [TeX:] $$h_{S_{0}, R_{0}}$$, (b) from substituting the Laplace transform [TeX:] $$\mathcal{L}_{I_{R} \rightarrow s}(s)$$ from (14), and (c) from evaluating the integral by the change of variables [TeX:] $$v \leftarrow r^{2}$$. This result is reasonable as an increased transmitting relay density would result in higher interference, reducing the capture probability; whereas an increased sentinel density stochastically reduces the nearest sentinel distance, thus improving the capture probability.

We now proceed to analyze the capture probability for deviceto-sentinel links, by analyzing the distance distribution between a sentinel and its associated device. As stated in Section II, each device is monitored by the same sentinels with its receiving relay, in order for this sentinel to overhear and compare the device’s and relay’s transmission of a particular data packet. Let us denote the distances between the associated pairs of relay/sentinel and device/relay nodes by [TeX:] $$r_{\mathrm{RS}}, r_{\mathrm{DR}}$$ respectively. Then, the distance between the associated pair of device/sentinel nodes can be expressed as

where is as shown in Fig. 2. Considering that [TeX:] $$r_{\mathrm{RS}} \text { and } r_{\mathrm{DR}}$$ are Rayleigh distributed (nearest Poisson point distribution) with parameters [TeX:] $$\left(2 \pi \lambda_{S}\right)^{-1 / 2} \text { and }\left(2 \pi \lambda_{R}\right)^{-1 / 2}$$ respectively, and the PDF of [TeX:] $$\theta, f(\theta)=1 /(2 \pi) \text { in }[0,2 \pi)$$, the distribution of [TeX:] $$r_{\mathrm{DS}}$$ can only be expressed in terms of iterated integrals. For tractability, we conjecture that the distribution of [TeX:] $$r_{\mathrm{DS}}$$ is similar to a Rayleigh distribution with an appropriate parameter. If [TeX:] $$r_{\mathrm{DS}}$$ is assumed to be Rayleigh distributed, [TeX:] $$r_{\mathrm{DS}}^{2}$$ is exponentially distributed. We choose the mean of [TeX:] $$r_{\mathrm{DS}}^{2}$$ as

which follows from the fact that [TeX:] $$r_{\mathrm{RS}}^{2} \text { and } r_{\mathrm{DR}}^{2}$$ are exponential random variables with parameters [TeX:] $$1 /\left(\pi \lambda_{S}\right) \text { and } 1 /\left(\pi \lambda_{R}\right)$$ and is uniformly distributed in [TeX:] $$[0,2 \pi)$$. Thus,

is the approximate distribution of[TeX:] $$r_{\mathrm{DS}}^{2}$$. The accuracy of this approximation is verified in Fig. 3 where the cumulative distribution functions of the approximate [TeX:] $$r_{\mathrm{DS}}^{2}$$ and Monte-Carlo calculated distance square between the associated device-sentinel pairs are compared.

Then, the probability that the typical sentinel captures the packet transmitted by its associated device can be calculated by integrating the conditional capture probability over the distribution of [TeX:] $$r_{\mathrm{DS}}^{2}=\left\|S_{0}-R_{0}\right\|^{2}$$ given in (18),

B.2 Co-operative Detection

In co-operative detection, the packet transmitted by the typical relay at [TeX:] $$R_{0}$$ cannot be detected if none of the sentinels in [TeX:] $$\Phi_{S}$$ captures the packet transmitted by this relay. Specifically,

in which [TeX:] $$\epsilon_{R_{0} \rightarrow S_{i}}$$ denotes the miss-detection probability of the transmission from the typical relay to sentinel at [TeX:] $$S_{i}$$, i.e.,

[TeX:] $$\forall S_{i} \in \Phi_{S}$$ similar to (1). The right-hand-side of (20) can be evaluated by using PGFLs,

where (a) follows from the complementary cumulative distribution function of [TeX:] $$h_{S_{i}, R_{0}}$$, (b) from substituting the Laplace transform of [TeX:] $$I_{R \rightarrow S_{i}} \text { at } s=\eta\left\|S_{i}-R_{0}\right\|^{\alpha} / P_{R}$$ using(14),(c)from the fact that the expectation of a product over a point process is a PGFL, thus using the PGFL of a PPP from (A.3) in [37] with the intensity function [TeX:] $$\Lambda(r)=2 \pi r \lambda_{S}$$, and the last step from evaluating the integral by the change of variables [TeX:] $$v \leftarrow r^{2}$$.

Similarly, the packet transmitted by the typical device at [TeX:] $$D_{0}$$ cannot be detected if none of the sentinels in [TeX:] $$\Phi_{S}$$ captures the packet transmitted by this device,

Going through the same steps as in (22), we have the capture probability of device packets as

IV. PROBLEM FORMULATION and OPTIMIZATION

With the expressions derived above, it is possible to solve problems such as finding the minimal sentinel density to ensure a certain detection probability, given other network parameters. In the following, we formulate and solve Problem 1 for both isolated detection and co-operative detection schemes.

Problem 1.

To solve Problem 1, the expressions for [TeX:] $$\left(1-\epsilon_{R} \rightarrow S\right)$$ and [TeX:] $$\left(1-\epsilon_{D \rightarrow S}\right)$$ can be substituted from (15) and (19) for isolated detection and from (22) and (24) for co-operative detection.

A. Solution for Isolated Detection

From (15) and (19), one can note that [TeX:] $$\left(1-\epsilon_{R \rightarrow S}^{(i)}\right)$$ and [TeX:] $$\left(1-\epsilon_{D \rightarrow S}^{(i)}\right)$$ are both increasing functions of [TeX:] $$\lambda_{S}$$. In other words, the probability that the typical sentinel captures both the tagged device and relay versions of the packet increases with increasing sentinel density. Therefore, [TeX:] $$\lambda_{S}^{*}$$ is attained when the first inequality constraint is satisfied with equality,

B. Solution for Co-operative Detection

Similarly [TeX:] $$\left(1-\epsilon_{R \rightarrow S}^{(c)}\right) \text { from (22)} \text { and }\left(1-\epsilon_{D \rightarrow S}^{(c)}\right) \text { from (24) }$$ are increasing functions of [TeX:] $$\lambda_{S} . \text { Thus, } \lambda_{S}^{*}$$ is minimized when the first inequality constraint is satisfied with equality. An implicit solution exists for [TeX:] $$\lambda_{S}^{*}$$,

Based on the solutions of (26) and (27), the minimum required sentinel density [TeX:] $$\lambda_{S}^{*}$$ to achieve a certain immediate detection probability is shown in Fig. 4. The isolated detection model is much more sensitive to the detection threshold, i.e., it requires significantly denser sentinel deployment to achieve a given detection probability.

V. SIMULATIONS and DISCUSSION

In this section, Monte-Carlo simulations are presented to confirm the accuracy of the analytical results and to obtain insights on how system parameters affect the detection performance and end-to-end success rate of IoT transmissions. The parameters in Table 1 are used for simulations unless otherwise indicated in the plots.

In Fig. 5, the probability that a packet transmitted by devices or relays is captured by sentinels is plotted against the sentinel density. In general, the analytical plots follow the same trend as the Monte-Carlo plots. The limited discrepancy between the analytical and simulation plots of the isolated detection scheme is due to the PPP assumption of interfering nodes, and also due to the approximation (conjectured in (18)) on the distance distribution between a device and its associated sentinel.

Fig. 6 shows the detection probability of an attack, in comparison with the end-to-end success probability of IoT packets, plotted over the density of transmitting devices. As [TeX:] $$\lambda_{D} \delta_{D}$$ increases, the interference in device-to-relay and device-tosentinel links also increases, resulting in a lower capture probability in these links. Therefore, all three plots are decaying as transmitting device density is increasing. The rate of decay in sentinel detection probability is higher than that of end-to-end success probability, suggesting that the detection model is more sensitive to the interference level when capturing device packets.

Figs. 7 and 8 illustrate the detection probability of an attack, in comparison with the end-to-end success probability of IoT packets, plotted over the density of relays and ratio of transmitting relays respectively. Note that as relay density increases, typical device-to-relay distance decreases, resulting in a better capture probability for device-to relay links. On the other hand, increasing relay density increases the interference caused by the relays, reducing the capture probability at relay-to-AP links. The former effect is dominant up until [TeX:] $$\lambda_{R} \approx 2 \times 10^{-4}$$, whereas the latter dominates for larger [TeX:] $$\lambda_{R}$$ as can be seen from the end-to-end success probability plot (black squares). Both the attack detection probability and end-to-end success probability consistently decrease with the ratio of transmitting relays due to increased interference. At low relay densities, the analytical plot of the isolated detection scheme is less accurate due to the approximation in (18).

B. Discussion

The foremost finding of this paper is that using passive sentinel nodes – even when they are much less in number than the relay nodes – to monitor data traffic in an IoT relay network is feasible from the communication theory perspective. This finding can be observed from Figs. 5–8, where [TeX:] $$\lambda_{S}<\lambda_{R}$$ leads to similar performance between the end-to-end success probability of the network and the attack detection probability of sentinels. It should also be noted that these Figures display the immediate detection probability of an attack performed on a single packet. As multiple packets are observed by the sentinel, the detection probability increases dramatically.

The sentinel-based detection is scalable because the task of each sentinel is simply to compare the transmitted MAC payload from a device in its vicinity with the corresponding payload forwarded by the relay. Even in co-operative detection, the sentinels only need to exchange certain messages locally, thus the increasing network area does not translate into a larger number of exchanged messages between the sentinels. The sentinelbased detection can also be considered in a multi-hop setting wherein sentinels compare the MAC payload transmitted by nodes with the corresponding payload forwarded by the respective next-hop-nodes in their vicinity. In this manner, the attack detection for each hop is an independent task, the probability of which is calculated in this paper.

Our sentinel approach has several advantages over other network intrusion detection systems and techniques [10]-[12]. Firstly, the proposed method does not require any change in the existing protocols or deployed devices but rather introduces a new set of sentinel nodes. Since the intrusion detection is performed only at the external sentinel devices, the IoT network is not burdened with computational load or signaling overhead unlike the prior work.

Secondly, the security of the users would be compromised if the intrusion detection system itself is compromised. It can be safely argued that the passive sentinel devices can be designed with the latest security technologies (e.g., Trusted Execution Environment), therefore, they would be less prone to attacks than any other wireless device in an IoT network. Privacy measures such as imposing hardware limitations on the transmit interfaces of the sentinel devices can be considered to protect the privacy of the IoT network. Therefore, integrity checking by sentinels would be a more secure approach than offloading such a critical task to the network whose integrity is questionable in the first place. On the other hand, we acknowledge that there will be a hardware cost (and bandwidth cost for co-operative detection) of deploying sentinels. Yet, the costs will be limited because very good attack detection performance can be achieved with [TeX:] $$\lambda_{S}<\lambda_{R}$$.

Thirdly, the false alarm rate in our sentinel based detection scheme is negligible as it occurs only in the unlikely scenario where the packet CRC fails to detect errors, even though the decoded packet is in error. Further, the detection scheme operates at the MAC layer and therefore remains effective even in scenarios where different wireless links may employ distinct modulation and coding schemes at the physical layer.

Finally, the other methods commonly relied on known channel parameters in their analysis which is unrealistic in a large IoT network. Through the use of stochastic geometry, we have demonstrated the feasibility of our sentinel-based method from a communication theoretical perspective. It should be noted however that, the use of stochastic geometry also has a downside. It only provides system-level insights (e.g., detection performance as a function of node densities) for an average network rather than suggesting precise refinements to a specific network. Hence, the fine-tuning of other useful parameters (e.g., finding exact sentinel locations, varying sentinel density based on the IoT network load) are not studied in this paper and will be investigated in future work.

VI. CONCLUSION

In this paper, we have proposed sentinel based attack detection schemes to identify malicious relays that alter, drop or craft data packets in an IoT network. The proposed schemes are well suited to resource-constrained IoT networks and can supplement higher-layer security mechanisms. We have applied a stochastic geometry approach to interference modeling, and hence optimized the density of sentinel nodes for given densities of relay and IoT devices, as well as the desired attack detection probability. Co-operative detection performance is shown to be significantly better than that of isolated detection because the packet modifications can be detected in the co-operative scheme when the device and relay versions of the same packet are captured by different sentinels. On the other hand, isolated detection requires no communication among sentinels, except for the initial association region setup. Minimum sentinel density to achieve a certain attack detection performance was calculated for both schemes. It has been shown that the required sentinel density (especially in co-operative detection) can be much smaller than the relay density to achieve a detection probability approximately equal to the end-to-end success probability of the IoT network. This outcome, combined with the fact that sentinels do not add computational burden to the IoT network, confirms sentinels as viable solutions for preserving data integrity in IoT relay networks.

APPENDIX A PROOF OF THEOREM 1

The intensity function of the interfering nodes is [TeX:] $$\lambda_{X}$$ outside [TeX:] $$\mathcal{V}_{Y_{0}}$$. Transforming into polar coordinates, we have intensity function of [TeX:] $$\Lambda(r)=2 \pi r \lambda_{X}$$ defined outside [TeX:] $$\mathcal{V}_{Y_{0}}, \text { with } r$$ denoting the distance from the origin (or [TeX:] $$Y_{0}$$). Let [TeX:] $$\rho_{X}, \forall X \in \Phi_{X}$$ denote the distances between the interfering nodes and their intended receivers. Therefore, [TeX:] $$\rho_{X}$$'s are i.i.d with a nearest Poisson point distribution, i.e., Rayleigh distribution,

The interfering nodes are outside [TeX:] $$\mathcal{V}_{Y_{0}}$$ if and only if they are farther from the origin than they are to their associated receivers at [TeX:] $$Y_{i} \in \Phi_{Y}$$ as specified by association rule in (3). Specifically, [TeX:] $$\|X\|>\rho_{X}, \forall X \in \Phi_{X} \backslash\left\{X_{0}\right\}$$. Hence, the intensity function of the interfering nodes defined in [TeX:] $$\mathbb{R}^{2} \text { is } \Lambda(r)=2 \pi r \lambda_{X} \mathbb{1}\left(r>\rho_{X}\right), \text { where } \mathbb{1}(\cdot)$$ is the indicator function. Using this intensity function, the Laplace transform of the interference distribution in (4) can be evaluated as follows.

where (a) follows from the i.i.d nature of [TeX:] $$\left\{h_{Y_{0}, X}\right\}$$s and their Moment Generating Function (MGF), (b) from using the Probability Generating Functional (PGFL) of the inhomogeneous PPP [TeX:] $$\Phi_{X} \backslash \mathcal{V}_{Y_{0}}$$ with intensity function [TeX:] $$\Lambda(r)=2 \pi r q \lambda_{X} \mathbb{1}\left(\mathbb{r}>\rho_{\mathbb{X}}\right)$$ ((A.3) in [37]) and (c) from the change of variables [TeX:] $$t \leftarrow r^{2} / \rho^{2}$$.

From (1), the capture probability [TeX:] $$1-\epsilon_{X} \rightarrow Y$$ can be calculated by de-conditioning on the typical transmitter/receiver distance [TeX:] $$\left\|Y_{0}-X_{0}\right\|=r$$,

where (a) follows from the complementary cumulative distribution function of the exponential random variable [TeX:] $$h_{Y_{0}, X_{0}}$$ and by substituting the nearest Poisson point distribution [TeX:] $$f_{\left\|Y_{0}-X_{0}\right\|}(r)=2 \pi \lambda_{Y} e^{-\pi \lambda_{Y} r^{2}}$$, and (b) is because the expression inside the expected value operator is in the form of the Laplace transform of the distribution of [TeX:] $$I_{Y_{0}}$$ evaluated at [TeX:] $$s=\eta r^{\alpha} / P_{X}$$.

APPENDIX B PROOF OF COROLLARY 1

We first show that,

here (a) follows from the change of variables [TeX:] $$r \leftarrow \rho^{2} / w$$, (b) from solving the inner integral by noting [TeX:] $$\mathrm{d}\left(\tan ^{-1}(\mathrm{rt})\right) / \mathrm{dt} = r /\left(1+r^{2} t^{2}\right)$$, (c) from integration by parts with [TeX:] $$u=\cot ^{-1}(r), \mathrm{d} \mathrm{v}=\exp (-\pi \lambda \mathrm{wr}) \mathrm{dr}$$, and the last step from expressing the integral in terms of the auxiliary function,

Then, the above result with [TeX:] $$w=\sqrt{s P_{X}}$$ can be used in (5), to replace [TeX:] $$\mathbb{E}_{\rho}\left[\rho^{2} C_{\alpha}\left(s P_{X} \rho^{-\alpha}\right)\right] \text { with } \sqrt{s P_{X}}\left(\frac{\pi}{2}-\mathcal{A}\left(\pi \lambda_{Y} \sqrt{s P_{X}}\right)\right)$$,

Finally, (32) can be integrated over the distance distribution [TeX:] $$f_{\left\|Y_{0}-X_{0}\right\|}(r)=2 \pi \lambda_{Y} e^{-\pi \lambda_{Y} r^{2}} \text { for } r \geq 0$$ to obtain the capture probability in (8).