A Secure Authentication Scheme based on Brownian Motion in hierarchy Wireless Sensor Networks

In the last few years, the Internet of Things (IoT) has experienced exponential advancements. In IoT infrastructures, the Wireless Sensor Network (WSN) has been considered one of the crucial technologies to support a lot of amazing services. To fulfill the new requirements of deployed network environments, security in wireless sensor networks has to meet new challenges such as secured and lightweight requirements.


Introduction
Wireless sensor network (WSN) is a vital technology for IoT applications since it is widely applied to collect and monitor various physical parameters [1][2]. In a distributed sensor network, a sensor node is normally constrained by its power supply and physical size, which leads to a poor security capacity [3][4][5]. Furthermore, the security of wireless sensor networks becomes a critical issue in practical cases such as scientific exploration in civil operations, battlefield surveillance in the military, security monitoring, target tracking or health care systems [4][5]. To save network energy, a WSN is regularly configured in a hierarchical topology. In this network type, several sensor nodes are formed into a cluster to aggregate sensed data before forwarding it to the sink node. Unfortunately, attackers have a chance to attack either the data link between a cluster head and the sink node or the sensor nodes [6]. In the literature, watermarking has been recognized as a promising approach for ensuring authentication, privacy, and digital copyright protection in WSN environments due to its lightweight processing compared with other conventional approaches [7][8]. This approach helps to hide useful information in sensed data sources that appear in image form, which are then easily processed by varied image processing methods [12].
In this paper, a novel lightweight authentication scheme based on watermarking techniques is proposed, in which the watermark data for authentication is extracted naturally from the Brownian motion characteristic of the sensor agent node. Because every collected sensory datum is reflected as a pixel intensity, the watermarked data is created as an image matrix which is secured for data transmission. The proposed scheme is validated by both numerical results and theoretical analysis.
The rest of this paper is organized as follows. Section 2 presents typical related work on watermarking and authentication in WSNs. In Section 3, we present the background for our new method. Section 4 is devoted to the proposed watermarking scheme. Section 5 provides a performance evaluation and Section 6 concludes the paper.

Related work
Security for wireless sensor networks has received much attention in recent years due to their important role in the IoT area [3][1][13]. Authentication has evolved into many security mechanisms such as network access control, key distribution or data protection. In [13]-[18], authentication is emphasized as a key protection mechanism for controlling network/device access. It enables sensor nodes to verify themselves and ensures that authorized devices are given appropriate rights to access devices/networks. An authentication process combined with access control is proposed to enhance device protection features in heterogeneous sensor networks [15][16]. An identity authentication model was proposed in [17], which comprises both a public key distribution technique and a lightweight protocol for securing device communications. In IoT environments, the lightweight property of a security mechanism is critical to energy saving under multiple constraints such as transmission technology limitations and the computational capacity of IoT devices [18][14]. To reach this aim, the authors in [20] proposed a cooperation concept, in which mobile sensors act with static nodes to handle failures of static sensor networks by filling faulty gaps. According to the indicated works, a network topology for an authentication scheme can be derived, in which a mobile node acts as an agent node that cooperates with other static nodes to get local authentication information in passive ways. This information will be a part of the watermarked data that can be used for secure authentication.
On the other hand, watermarking techniques can be used for many applications that require some degree of security such as tamper detection, ownership protection, etc. The authors in [21] proposed using watermarking to recognize authorship by imposing additional constraints during data acquisition and/or data processing. In that paper, the authors show that the spread spectrum technique can be used for the watermarking process through various transformations and simple embedding operations. The watermarking approach in [22] is proposed for data authenticity and integrity. This proposal focuses on reducing watermark payload and computational complexity through a semi-blind technique. The watermark can be embedded directly into the original data in order to reduce the complexity of the scheme. However, any intermediate node can check authentication by comparing the original watermark and the extracted watermark; thus, the watermark can be exploited by attackers. Notably, the authors in [23] presented a method for visualizing gathered data as an image. In this scheme, sensor nodes collect data from the whole network at a certain time snapshot. Each sensor node represents a pixel of the image, with its collected data representing the pixel intensity. The watermark bits are spread using orthogonal pseudo-random modulation pulses to avoid interference. However, the watermark data is chosen randomly and needs to conform to the network's image matrix.
Intuitively, one of the shortcomings of watermark-based authentication is the provision of two-way authentication. Sensor nodes are recognized by the database, but they cannot verify whether or not their data accurately reaches the expected database. This problem can be mitigated by a lightweight authentication scheme that combines an initial authentication phase in a sensor node and a final authentication phase in the base station [24], where key generation is the important criterion for a secure model. A key generated from dynamic and random properties is well suited to cryptographic key generation in IoT applications [25]. Thanks to the strongly random characteristic of Brownian motion, this information is utilized to create an appropriate dynamic key for authentication schemes [26]. Hence, in this paper, the watermark data is extracted from the average distance between a Brownian node and the virtual root in a geographic network area. Since local sensor nodes know only a part of the location information of the Brownian node, the scheme can provide enhanced security protection for the watermark data. Moreover, an appropriate two-way authentication scheme is proposed to protect the Brownian node itself, which is validated by an overall security analysis.

Assumptions
Without loss of generality, we assume a wireless sensor network is deployed in a planar area where static sensor nodes are distributed in a grid network topology. In a hierarchical configuration, several sensor nodes are formed into a cluster which has an aggregation node called a cluster head. It is responsible for collecting sensory data from its group to keep the network energy-efficient. A Brownian sensor node, called an agent node, moves in the plane according to a two-dimensional Brownian motion model [27]. Such movement is common in dynamic environments such as underwater or molecular sensor networks. Assume that the examined WSN is a k-covered and homogeneous network [28]. As depicted in Fig. 1, the transmission range of a sensor node is $r = l\sqrt{2}$ and the distance between two sensor nodes is estimated by a practical power measurement. According to [29][30], we assume that only the sink node has a location information database of the sensor nodes, which comes from a physical system such as a global positioning system (GPS).

Characteristics of the agent node
An agent node moves freely in the plane in which the wireless sensor network is deployed. Let the agent sensor movement be represented as $m(t) = (w_1(t), w_2(t))$, where $w_1(t)$ and $w_2(t)$ represent the position of a point $m$ in Cartesian coordinates (x-axis and y-axis) at time $t$. We assume that $w_1(t)$ and $w_2(t)$ are one-dimensional Wiener processes that satisfy the following characteristics:
1. $w_0 = 0$ almost surely;
2. $w_t$ has independent increments, i.e. with $0 \le t_1 \le t_2 \le \dots \le t_n$, the increments $w_{t_n} - w_{t_{n-1}}, w_{t_{n-1}} - w_{t_{n-2}}, \dots, w_{t_2} - w_{t_1}$ are independent random variables;
3. $w_t$ has Gaussian increments. Thus, $w_{t+h} - w_t$, $h \ge 0$, is normally distributed with mean 0 and variance $h$, i.e. $w_{t+h} - w_t \sim N(0, h)$;
4. $w_t$ has a continuous path; it is continuous in $t$ almost surely.
As specified in [31], the Wiener process that specifies Brownian motion is closely linked to the normal distribution. Since the probability distribution function follows the normal distribution with ($\mu = 0$, $t$), we have the probability distribution function of the Wiener process as follows.
for all $x \in \mathbb{R}$. Therefore, the coordinates of an agent node $m$ within a time interval are random variables. Their probability distribution function has the form of a Gaussian distribution. Moreover, we can recognize that the maximum of its coordinates is approximately Gaussian distributed too. This is proven by Lemma 1 below.
Let X and Y be two independent random variables. We can determine the cumulative distribution function of Z as follows:
Since X and Y follow the Gaussian distribution, thus
where
According to [32], the probability density function of Z is given by
We can calculate the expected value of Z as follows:
We can determine the second moment of Z as
The variance of Z is given by the following expression:
We can conclude that $Z = \max\{X, Y\}$ is approximately Gaussian distributed, with the main parameters given in equations (4), (5) and (6). Moreover, the cumulative distribution function of Z simulated by numerical results validates these similar characteristics (Fig. 2).
its group is created as a data image; its size depends on the number of sensors in the cluster. In reality, to enhance energy efficiency, a cluster is formed with equal or unequal cluster size, depending on the practical routing strategy. The watermark data, generated by measuring the maximum distance of agent nodes and sensor nodes, is embedded in the data image to form the watermarked data. On the sink node side, the watermark data is extracted to verify the agent node authentication and sensory data integrity. In this scheme, only the sink node knows the real position of the agent node, while every sensor node has only a part of the three coordinate parameters. Hence, with a simple embedding procedure, the watermark data is secured over time against masquerade attacks. Moreover, the cluster head can use advanced transform techniques to reduce the data size and save data transmission energy. Denote by $d(x, y)$ the embedded watermark data at the cluster node; we have $d(x, y) = o_i + b_i \times p(x, y) \times d_t$. In this equation, $o_i$ represents the original data value of a static WSN node, $b_i$ represents the watermark bit, $p(x, y)$ is a pseudo-random value, and $d_t$ is the watermark data that represents the coordinates of the mobile WSN node at time $t$, $d_t = \max\{X_t, Y_t\}$. To detect the watermark, we follow the approach proposed in [23]. This method considers watermark presence conditions based on the statistical characteristics of the correlation coefficients. Using this approach, we investigate all transform cases to reveal the conditions for watermark detection through the following formula:
where $r_i$ are the correlation coefficients, $b_i$ are the watermark bits, erfc is the complementary error function, $p_f$ is the fixed false alarm probability and $L$ is the length of the watermark sample.
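The embedding rule $d(x, y) = o_i + b_i \times p(x, y) \times d_t$ and a sink-side correlation check can be tried out with the sketch below, which is an added example and not code from the paper. Assumptions: watermark bits are +1/-1, $p(x, y)$ is a balanced +1/-1 pattern derived from a seed shared with the sink, and the detection threshold is a standard Gaussian false-alarm threshold built from $p_f$ and $L$, not the formula of [23]; all function names and sample readings are constructed.

```python
import math
import random
from statistics import NormalDist, pvariance


def agent_watermark(sigma_x, sigma_y, t, steps, rng):
    """Driftless 2-D Brownian path (dx = sigma_x*dw1, dy = sigma_y*dw2);
    returns d_t = max{X_t, Y_t} at time t."""
    dt = t / steps
    x = y = 0.0
    for _ in range(steps):
        x += sigma_x * rng.gauss(0.0, math.sqrt(dt))
        y += sigma_y * rng.gauss(0.0, math.sqrt(dt))
    return max(x, y)


def pn_pattern(n, seed):
    """Balanced +1/-1 pattern p(x, y), flattened; the seed is shared with the sink."""
    pattern = [1] * (n // 2) + [-1] * (n - n // 2)
    random.Random(seed).shuffle(pattern)
    return pattern


def embed(original, bit, pattern, d_t):
    """d(x, y) = o_i + b_i * p(x, y) * d_t, with b_i in {+1, -1} (assumed)."""
    return [o + bit * p * d_t for o, p in zip(original, pattern)]


def detect(received, pattern, d_t, p_f=1e-6):
    """Sink side: correlate with p(x, y) and compare against a threshold
    that gives false-alarm probability p_f when no watermark is present."""
    length = len(received)
    mean = sum(received) / length
    r = sum((d - mean) * p for d, p in zip(received, pattern)) / length
    # Without a watermark r is approximately N(0, var/L); two-sided test.
    sigma_r = math.sqrt(pvariance(received) / length)
    threshold = sigma_r * NormalDist().inv_cdf(1.0 - p_f / 2.0)
    if abs(r) <= threshold:
        return False, None, r
    return True, (1 if r * d_t > 0 else -1), r


if __name__ == "__main__":
    rng = random.Random(6)                                 # constructed demo input
    readings = [rng.gauss(25.0, 1.0) for _ in range(64)]   # 8x8 data image
    d_t = agent_watermark(10.0, 10.0, 1.0, 200, rng)
    pattern = pn_pattern(64, seed=2019)
    marked = embed(readings, +1, pattern, d_t)
    print("d_t =", round(d_t, 3), "marked:", detect(marked, pattern, d_t)[:2])
    print("unmarked:", detect(readings, pattern, d_t)[:2])
```

Because $d_t$ is the maximum of two zero-mean coordinates it can fall close to zero, in which case the correlation stays under the threshold and the round cannot be authenticated from the watermark alone.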

The proposed two-way authentication procedure
To prevent counterfeit attacks that release malicious motion nodes into the network, assume that the Brownian motion node has a unique identification (id) which can be detected by the sink node and sensor nodes. Obviously, the misbehavior of spurious motion nodes will cause errors in the distance measured by each fixed node. Thus, at each round, the agent node needs to send its id value and the distance value of the communicating nodes simultaneously. This information is matched with the information collected at the cluster head node and authenticated at the sink node as analyzed above.
However, authenticating the agent node is a troublesome matter because it can be completely forged, and the agent node itself cannot validate the static sensor node with which it wants to exchange information. This is the drawback of the proposed watermark mechanism when two-way data authentication is not provided.
To overcome this limitation as well as reduce the cost of authentication by a third party, the agent node and other sensor nodes should establish agreed session keys to authenticate each other. As pointed out before, keys generated from characteristic features of naturally dynamic channels such as wireless sensor networks are appropriate for low-cost devices. Therefore, we propose a modified key generation algorithm whose encoding bits are based on mean and standard deviation values [34].
For the sake of simplicity, we assume that the agent node is more powerful than conventional sensor nodes in terms of energy, memory and computational ability, so that it can be self-locating at all times. Firstly, we use a data value which relies on the position of the agent node at the $s$-th session to generate keys (Algorithm 1, INPUT). Proximity thresholds are based on the expected values and deviation values of the received data (Algorithm 1, lines 1-2), with the threshold adjustment coefficient $\alpha$. Accordingly, the encryption bits for a session key are quantized (Algorithm 1, lines 3-6). The location information of the agent node in the $s$-th session is the basis for key generation for the $(s+1)$-th session, as this information is only known by such a pair of nodes through authentication and getting information from the sink node. The computational complexity of calculating the mean and variance is O(n).
($V^s_Z$ is the variance of $Z_s$)
3: for i ← 1 to n do
4:   if $Z_s(i) \ge \eta_s^{+}$ then $k_s = 1$
5:   else if $Z_s(i) \le \eta_s^{-}$ then $k_s = 1$
6:   else $k_s = 0$ (Key dropped)
7:   End if
8: End for
In the proposed scheme, a session key is generated in every round and verified by Algorithm 1. Assume every node has a unique identification (id); a pairwise key between a sensor node and the sink node, $k_p$, is predefined [35]. $k_p$ is a symmetric key reserved for examining a trusted sensor node in the authentication phase. Note that a cluster head is voted in every round, depending on whether it has better energy than its members. In the data collection phase, sensory data is aggregated at the cluster head. The whole process is described by the schema in Fig. 4.
(1) In the first step, the agent node a (mobile node) sends its identification ($id_a$) and the distance $d_{na}$ between node a and the sensor node it wants to connect to, node n. The distance can be estimated from the received signal power. $M(1) = a \to n : (id_a \| d_{na})$.
(2) Sensor node n compares its own distance value $d_{an}$ with the received $d_{na}$. If $d_{an} = d_{na}$, the node it is communicating with is validated. Node n XORs $id_a$ with $id_n$ and encodes the result with the predefined key ($k_p$); this message is sent to the sink node.
(3) The sink node already has $k_p$, $id_a$ and $id_n$ in its database, so it can verify the agent node $id_a$. Moreover, the location information of the agent node in this round $s$, $Z$, is determined by several sensor nodes. Based on the location parameter $Z$, the sink node generates a new session key $k_s$ as presented in Algorithm 1. The sink node sends its $id_s$ and the watermark threshold to the agent node through sensor node n. $M(3) = s \to n : k_p(id_s, Z)$.
(4) Sensor node n authenticates the sink node $id_s$, then passes the location information to the agent node. $M(4) = n \to a : Z \| (id_n \oplus id_s)$. The agent node a uses the received value $Z$ to generate a session key $k_s$.
(5) Node a accepts that the communication path between the agent node, the sensor node and the sink node is safe. It sends the session key $k_s$ back to sensor node n to use as the new session key protecting data between node n and node s.
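The key quantisation of Algorithm 1 and the message flow M(1) to M(5) can be walked through with the sketch below, which is an added example and not the authors' implementation. Assumptions: the thresholds are taken as mean ± α·standard deviation of $Z_s$, a sample at or below the lower threshold yields bit 0, "encoding by $k_p$" is modelled with an HMAC-SHA256 tag over a JSON payload, and the sink database layout, function names and sample values are constructed.

```python
import hashlib
import hmac
import json
import statistics


def session_key_bits(z, alpha=0.5):
    """Quantise samples Z_s into key bits (thresholds assumed: mean +/- alpha*std)."""
    eta = statistics.fmean(z)
    spread = alpha * statistics.pstdev(z)
    bits = []
    for value in z:
        if value >= eta + spread:
            bits.append(1)
        elif value <= eta - spread:
            bits.append(0)  # assumed; the printed algorithm shows 1 on this branch too
        # samples between the two thresholds are dropped
    return bits


def seal(k_p, obj):
    """Stand-in for 'encoding by k_p': JSON payload plus HMAC-SHA256 tag."""
    payload = json.dumps(obj).encode()
    return payload, hmac.new(k_p, payload, hashlib.sha256).digest()


def unseal(k_p, message):
    """Verify the tag in constant time and return the decoded payload."""
    payload, tag = message
    expected = hmac.new(k_p, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("message not protected by k_p")
    return json.loads(payload)


def run_round(id_a, d_na, id_n, d_an, k_p, sink):
    """Walk M(1)..M(5); returns (k_s at agent, k_s at sink) or raises PermissionError."""
    # M(1) a -> n : id_a || d_na.  (2) n checks the distance it measured itself.
    if d_an != d_na:
        raise PermissionError("distance mismatch at node n")
    m2 = seal(k_p, id_a ^ id_n)                       # (2) n -> s
    # (3) sink recovers id_a, checks its database, derives k_s from Z.
    claimed = unseal(sink["k_p"][id_n], m2) ^ id_n
    if claimed not in sink["agents"]:
        raise PermissionError("unknown agent id")
    z = sink["agents"][claimed]
    k_sink = session_key_bits(z)
    m3 = seal(sink["k_p"][id_n], [sink["id"], z])     # M(3) s -> n
    # (4) n authenticates the sink via k_p and forwards Z || (id_n xor id_s).
    id_s, z_fwd = unseal(k_p, m3)
    m4 = (z_fwd, id_n ^ id_s)                         # M(4) n -> a
    # (5) agent derives k_s from the received Z; this is what it returns to n.
    k_agent = session_key_bits(m4[0])
    return k_agent, k_sink


if __name__ == "__main__":
    z_s = [4.0, -5.0, 0.5, 8.0, -7.0, 1.0, 6.0, -0.5]   # constructed samples
    k_p = b"constructed-pairwise-key"
    sink = {"id": 1, "k_p": {17: k_p}, "agents": {42: z_s}}
    print(run_round(42, 3.5, 17, 3.5, k_p, sink))
```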

Numerical results
To simulate our proposed watermark scheme, a Gaussian generation function in MATLAB is used to create a sensory data matrix (8x8) [12]. The average values of 10,000 Gaussian random processes form a normal distribution. The watermark data is extracted from the movement characteristic of the agent node. Assume that it has random coordinates without drift over time $t$, $dx(t) = \sigma_x\,dw_1(t)$ and $dy(t) = \sigma_y\,dw_2(t)$. In this context, $w_1(t)$ and $w_2(t)$ are independent one-dimensional Wiener processes, and $\sigma_x$ and $\sigma_y$ are the diffusion coefficients of the Brownian motion coordinates, respectively. Figure 5 shows the intensity of the watermark data versus the diffusion coefficients of the agent node: the surface plot represents the case in which the diffusion coefficients differ between the coordinates (i.e. $\sigma_x \ne \sigma_y$) and the other represents the symmetric case, in which they are the same (i.e. $\sigma_x = \sigma_y$). The results show that with a diffusion coefficient of less than 20, the watermark intensity does not exceed 12.

Watermark vulnerable detection analysis
A fundamental limitation of the traditional authentication scheme based on watermark data is that the sink node cannot accurately detect the attacked nodes whose watermarked data is modified across an entire network. Instead, the sink's database only detects whether data is being tapped or not based on the probability of watermark detection. Therefore, we propose a method for determining interfered nodes that relies upon the random characteristics of Brownian motion in the watermark-based authentication model.
Definition 1: Let $d_i(s)$ be the deviation between the probability density functions of the original data and the received data; then we have:
where $T_h$ is a detection threshold.
Proclamation 1: Modified watermark data can be detected by Definition 1.
The proof is presented in Lemma 2.
Remark 1: Suppose that a function $f(x)$ is infinitely differentiable on $\mathbb{R}$; then $f(x)$ can be rewritten as
In which, Equation (11) is equivalent to
We have,
in which
and $c \in \mathbb{R}$ is between $\mu$ and $x$. We have
From equation (12), we have:
Recall that the original watermark data is created from the Brownian motion characteristic. Hence, the probability density function of the original watermark data is illustrated as the green line in Fig. 6. The diffusion coefficients of the Brownian motion node characterize its behavior; they directly affect the maximum perturbation of the watermark data. In this example, the diffusion coefficient is set to 10 and represented by the red line. As proven in Lemma 2, the green line illustrates the upper bound of the received watermarked data and the red line illustrates the lower bound of the received watermark data. As shown in Fig. 6, the watermark data has been attacked when its probability density function is outside the two lines. In other words, the watermark data is within the allowable threshold if the probability density function of its intensity lies within the perturbation radius of the original data.

Complexity evaluation
As mentioned above, in many IoT applications, sensor nodes are often restrained by power, memory and computing capacity. According to common mechanisms, in every round, the agent node needs to send its distance information to the sink node. It seems unreasonable for a larger network that an agent node sends a request to join the session every time it wants to communicate. Instead of sending multiple requests for multiple sessions, the agent node only communicates with a sensor node which is located in its transmission range. When an agent node moves to a new location, a newly sensed sensor node becomes a new candidate sensor for a new communication process. As a result, the cost of sending communication requests is reduced. In the Brownian motion case, the time at which an object first goes out of a circular area is called the first hitting time of the circle. In our model, the first hitting time $t_h = t_L(a, r_t)$ is defined as the first time the Brownian motion node a leaves the transmission area of radius $r_t$ of a sensor node n.
Lemma 3: With an agent node a, in which $d(t)$ and $d(t_0)$ are the distances between the agent node a and the sensor node n at times $t$ and $t_0$.
Lemma 4: If $\sigma_a > 0$ is the diffusion coefficient of a Brownian node a then,
Proof: In [36], the authors presented the result for the joint distribution of the first hitting time and hitting location of a Brownian motion moving in a sphere, which is represented by Lemma 5 below.
We have,
From (18) and (19) we obtain,
From Lemma 4 we find that the Brownian node minimizes the requesting process when it is closest to a sensor node. Therefore, each time it exchanges information with the database, the Brownian node needs to select the closest neighbor to act as the forwarding node, and keep the connection with this node until it exits the transmission range of this WSN node. Thereby the computational complexity of the communication processes is considerably reduced, not only for intentional deployment scenarios but also for random distribution ones.

Conclusion
Authentication is one of the main problems for security assurance in IoT infrastructure, especially in wireless sensor networks. This paper focuses on the security issues of wireless sensor networks under the conditions of limited resources and the heterogeneity of the devices. Using watermarking techniques, we propose a novel lightweight secure authentication scheme for sensor nodes. Our scheme utilizes the natural movement of a Brownian sensor node in order to build convenient watermark data in a passive way. As a result, our scheme can hide watermark information from local sensor nodes, since only the sink node can examine the accuracy of the random location parameters. Moreover, a session key is generated from the watermark data, which enhances data security in this network. Besides that, a theoretical analysis and reasonable lemmas for finding a suitable method to realize a lightweight authentication scheme are presented. Finally, we examine a watermark vulnerable detection analysis for protecting the watermark data through numerical results. In our future work, the proposed authentication scheme can be integrated into a clustered routing protocol to approach new optimization criteria.

Figure 2. The CDF with varied parameters of Z

Figure 3. Illustration of a watermarking process

Algorithm 1: Key generation algorithm
INPUT: $Z_s = \max\{X_s, Y_s\}$ (agent node coordinates)
OUTPUT: $k_s$ (session key)
1:

EAI Endorsed Transactions on Industrial Networks and Intelligent Systems, 08 2019 - 10 2019 | Volume 6 | Issue 21 | e1