
This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE GLOBECOM 2005 proceedings.

Mobility and Security Issues in Wireless Ad-hoc Sensor Networks
Noureddine Boudriga and Mohammad S. Obaidat
University of Carthage, Tunisia and Monmouth University, NJ, USA
Corresponding E-mail Addresses: Obaidat@monmouth.edu or Nab@supcom.rnu.tn
Abstract. The emergence of wireless ad-hoc networks is
considered extremely attractive as an enabler of new
applications. The integration of reliable sensors in nodes of
wireless ad-hoc networks has posed various interesting
challenges to the community of researchers and engineers.
We focus in this paper on two fundamental issues: supporting
high mobility of sensors and guaranteeing continuity of
sensing, while providing for the correlation of collected data.
We propose an efficient scheme for the management of data,
sensor mobility, and sensing security.
I. INTRODUCTION
Networks of wireless sensors for monitoring specific
events about physical environments have emerged as an
important new application area for wireless ad-hoc
networking. Application domains are diverse and can
encompass a variety of data types including audio, image, and
parameters describing physical properties. When integrated into
nodes in wireless ad-hoc networks, reliable and power
efficient sensors are able to perform significant signal
processing, real-time computation, and network
self-configuration to achieve scalable, robust and long-lived
sensor networks. Attractive applications for such a technology
cover a wide spectrum of services where computing is tightly
coupled with the mobility management of sensors and targets,
along with a high vulnerability of the environment where the
ad-hoc network is deployed. Potential applications include
military intelligence (e.g., target tracking in a battlefield),
environmental monitoring, weather forecasting, and disaster
relief networking [1].
While recent research activity has focused on the
efficiency of energy management and communication
protocols in wireless ad-hoc networks [3, 4], much less
attention has been paid to security guarantees and
monitoring issues related to the continuous character of the
physical environment to be witnessed by sensors. Mobility
affects the quality of communication and reliability of
computation performed with the support of wireless sensors
[2]. At least for the aforementioned examples of applications,
the security aspects are as important as the energy
consumption of the sensors and the performance issues of the
supporting system. Besides applications in military
intelligence, security is critical in the surveillance of airport
zones as well as in transportation traffic. To
accommodate those differences, security mechanisms,
handover techniques, and monitoring schemes should be
enhanced or adapted.

IEEE Globecom 2005

The key networking challenges in ad-hoc sensor networks
that we discuss here are: (a) supporting multi-hop
communication while limiting radio operation to conserve
power and guarantee continuous sensing activity, (b) data
management, including handling frameworks that support
attribute-based data correlation, collecting information, and
event-based aggregating, (c) geographic routing challenges in
networks where nodes know the location of their
neighbouring nodes, and (d) monitoring and maintenance of
such dynamic, resource-limited systems.
The major contributions of our work include:
- An assessment of communication security threats in the
presence of highly mobile sensors, which may experience
a great deal of handover.
- The definition of a formal model for the management of
multilevel trust to be applied to network resources,
controlled events, and related tasks.
- An authentication-based scheme that protects the sensors,
the sensor procedures, and the transmitted alerts from
malicious activities.
- A monitoring model for guaranteeing the efficiency and
continuity of the wireless ad hoc sensor network tasks.
The model is capable of coping with the large size of the
network and the effect of mobility.
The remaining part of this paper is organized as follows.
In Section II, we develop a model for wireless ad-hoc sensor
networks. Section III studies the major threats of such
networks and discusses related protection schemes. Section
IV describes our scheme to allow a sensor (or the transporting
ad hoc node) to move from one cell to another. Section V provides
for data collection and continuity. It also discusses the
monitoring and maintenance of our wireless ad-hoc sensor
network. Section VI concludes this paper.
II. WASN MODEL
A wireless ad-hoc sensor network (WASN), in our work,
consists of a large ad hoc network involving hundreds and
even thousands of nodes equipped with a larger set of sensors.
The sensors belong to different classes and therefore may
perform the same monitoring function. The nodes are
characterized by a high degree of mobility, a great deal of
handover, and frequent operations of accessing or leaving the
covering radio cells. The service provided by the wireless ad-hoc
network is characterized by a need for continuous
monitoring of the environment to be supervised and the
necessity to handle undelivered sets of alerts collected while
the nodes are not under radio coverage.


0-7803-9415-1/05/$20.00 2005 IEEE


Sensors that are deployed within the wireless ad-hoc
network are intended to collect (and react on) data about the
physical world under monitoring. The information that they
may collect is correlated based on the nature of the events
they detect, the geographic location and the object they report
on. Hence, the use of sensors is expected to be highly
data-centric and the data transmitted by sensors should not suffer
long periods of disruption. Unlike traditional end-to-end
networking techniques, routing, message protection, and data
management in ad-hoc sensor networks need to be performed
jointly in order to maximize energy usage and limit threats.
Hence, a significant networking feature is to provide a
flexible platform to build data management frameworks that
use various application-specific data aggregation schemes,
perform some intelligent activity, and provide a limited
storage capacity for unsent data.
To maximize energy use, a node should observe some
difference between the amount of events generated by the
sensors and the amount of data effectively sent for correlation
and analysis. Two factors can be exploited to reduce the
amount of alerts communicated for analysis: (a) not all data
are necessary for users, hence, only interesting event
detections or user-required data need to be selectively
communicated; (b) alerts can be combined before
transmission; and (c) if the sensor network is dense, a
significant correlation between alerts can be expected and
should be exploited to reduce the size of data transmitted.
Moreover, collected data are likely to be geographically
correlated. Data reduction or fusion schemes would need to
take advantage of such correlations.
The large number of sensor nodes expected to be
deployed in the wireless ad-hoc sensor networks, the
unpredictable nature of sensor activity conditions, and the
mobility model that we want to use require that a significant
mechanism be integrated to address scalability and reliability
problems. In fact, increased levels of system dynamics can be
expected, including frequent or irregular node failures and
service interruption. In addition, designing long-lived
applications using such ad-hoc sensor networks under varying
conditions implies that the nodes themselves must handle the
measurement of a specific set of attributes that are able to
help achieve a high QoS and protection. The network
should provide an adaptive configuration in an
energy-constrained fashion, if needed.
Routing in wireless ad-hoc sensor networks (WASN)
differs from routing in normal ad-hoc wireless networks in
two ways: First, routing in WASN is attribute-based and often
includes geographical location. Second, energy constraints,
network dynamics and deployment scale prevent proactive or
global schemes in WASN routing. Routing schemes that
operate primarily on local information are more appropriate
since these can be reactive to local changes, while not
requiring energy expensive and global transfers of routing
tables. Such reactive approaches are potentially more energy
efficient as well, since sensor networks are expected to have
bursty traffic. For this, we assume that a wireless ad-hoc node
(as depicted in Figure 1) is of two types:


- Supporting nodes: The first type of node serves as a
cluster head. It is responsible for relaying all the
collected data from sensors to the host(s) where they are
correlated and analyzed. The nodes do not have energy
problems. They are assumed to be trustworthy, in the
sense that they can be trusted, if needed, and behave
consistently with respect to a specific security policy.
These nodes are called base stations (BS).
- Sensor nodes: The second type of node allows the
deployment of multiple sensors, which can experience
power limitation and node failure. We do not assume that
sensor nodes are tamper resistant, but assume that
adversaries can compromise them and extract key
material, data, and code stored on those nodes.
As for the need of system monitoring, wireless ad-hoc
sensor networks use some kind of logging facility to keep
track of the system state. In WASNs, these logs are often
transferred over the ad-hoc nodes to places where they can be
maintained persistently. The log information can be remotely
analyzed to monitor security problems or system failures.
Monitoring often assumes that maintenance logs are cheap to
handle, and bandwidth is inexpensive. While such an
assumption is certainly true for today's Internet, energy
constraints on sensor networks make it impossible to
communicate extensive logs from nodes in the network to a
central location.

[Figure 1: Generic WASN. Node labels in the figure: BS, SN.]

Numerous models of different complexity have been
established, based on application requirements (in terms of
QoS and security) and sensor nature. We adopt in this paper
two principles, which are shared with most models. First, we
assume that sensing ability decreases as distance grows.
Second, we assume that sensing ability can improve as the
exposure time increases. Based on this, we adopt the general
sensing model SM given by:
SM(s, p) = / [(d(s, p)]


where p is an arbitrary point in the area to monitor, s is a
sensor, d(s, p) is the distance separating s from p, and and
are sensor technology-dependent parameters.
III. THREATS ASSESSMENT
Because wireless ad-hoc sensor networks use wireless
communications, one can assume that radio links are insecure.
Hackers can eavesdrop on radio transmissions, replay
previously copied packets issued by sensor nodes, and insert
bits in the communication channels. An ideal WASN should
provide authenticity, confidentiality, and integrity of
transmitted data. Moreover, it should guarantee the
authentication, trustworthiness, and availability of sensor nodes.
In the presence of insider adversaries, it is likely that some of
these goals can be achieved. It is, however, conceivable to
attain the abovementioned goals in the presence of only
outsider adversaries.
Major attacks against a WASN include, but are not
limited to, the following attacks [4]: selective forwarding,
sinkholes, wormholes, sybil and hello flooding. In selective
forwarding, an adversary node may refuse certain messages,
ensuring that data related to sensing activity are not
propagated any further, or are improperly relayed. A
sophisticated form of these attacks takes place when: (i) a
malicious node, explicitly involved in a path of data flow,
selectively forwards generated packets; or (ii) a malicious node,
overhearing a flow passing through neighbor nodes, is able to
jam or cause collision on forwarded packets.
Multiple path routing can be used to protect against
selective forwarding attacks. Packets routed over a number of
n paths whose nodes are completely disjoint are completely
protected against selective forwarding attacks involving at
most n compromised nodes and may offer some probabilistic
control when n or more nodes are compromised.
Unfortunately, completely disjoint paths may not be easy to
find. However, we believe that, if n = 2 or 3 and the WASN is
highly dense, this control can be achieved.
Sinkhole attacks attempt to make a compromised ad-hoc
node look attractive to its environment with respect to the
collected information by sensors. For example, an adversary
having a powerful transmitter can be attractive for high QoS
routes to a specific base station, even though the WASN is
implementing a protocol allowing the verification of QoS
using an end-to-end acknowledgement. On the other hand,
wormhole attacks allow an adversary to tunnel data packets
received in one area of the environment covered by the
WASN to another part of the network over a low latency
private link, in order to replay them. If the adversary is
located close to a base station, it may be able to disrupt
routing decisions and induce erroneous analysis of alerts by
creating a wormhole.
Sinkhole and wormhole attacks are very difficult to
protect against. While wormhole attacks are difficult to detect
because they use a private (and possibly invisible) channel,
sinkhole attacks are hard to defend against in protocols that
use advertised information because this information is hard to
verify. However, techniques are being developed to detect
wormhole attacks such as the ones reported in [7].
Unfortunately, these techniques require extremely rigid time
synchronization, which is almost infeasible for a large class
of WASNs. Artificial links created with wormholes can be
detected in geographic routing because neighboring nodes can
realize that the distance between them and the issuing node is
far from the normal radio range.
In a Sybil attack [6], one node is able to present multiple
identities to other nodes in the WASN and be involved in
different activities with various identities. This induces a
significant reduction in the effectiveness of any fault-tolerant
scheme in the network, where sensor nodes may think they
are interoperating with disjoint nodes, while they may be
actually interacting with an adversary. One solution against
Sybil attack is to have every node share a symmetric key with
a trusted base station. A sensor node, wishing to send its data
to a given BS, should use a reliable algorithm to provide
mutual authentication with the BS before sending its data.
Many protocols allow nodes to broadcast Hello
packets to announce themselves to their neighbors. Any node
receiving the Hello packet is allowed to consider that the
source of the packet is within radio range. The adversary
node can, therefore, advertise a high QoS route to every node
in the network, causing a large number of nodes to attempt to
use that route and inducing the loss of the packets they send. A
simple defense against Hello flood attacks is to guarantee the
bi-directionality of a link before taking meaningful actions
based on a message received over that link.
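The following sketch is an added example, not code from the paper. It combines the two neighbor checks described above: the geographic range test that exposes artificial (wormhole-style) links, and a challenge/echo step that proves a link is bidirectional before a Hello sender is used for routing. The radio range, the slack factor, the packet fields and all node names are assumptions made for illustration.

```python
import hmac
import math
import secrets
from dataclasses import dataclass, field

RADIO_RANGE_M = 100.0  # assumed nominal radio range (constructed value)
RANGE_SLACK = 1.2      # assumed tolerance for localization error


@dataclass
class Hello:
    sender: str
    claimed_pos: tuple  # (x, y) in metres, as advertised by the sender
    via_bs: str         # base station the sender claims a path to


@dataclass
class NeighborTable:
    my_pos: tuple
    pending: dict = field(default_factory=dict)  # sender -> outstanding nonce
    verified: set = field(default_factory=set)   # links proven bidirectional

    def on_hello(self, hello):
        """Return a challenge nonce to send back at normal power, or None."""
        if math.dist(self.my_pos, hello.claimed_pos) > RADIO_RANGE_M * RANGE_SLACK:
            # Heard a node that claims to be out of reach: artificial link.
            return None
        nonce = secrets.token_bytes(8)
        self.pending[hello.sender] = nonce
        return nonce

    def on_echo(self, sender, nonce):
        """The sender proves it received our transmission by echoing the nonce."""
        expected = self.pending.pop(sender, None)
        if expected is not None and hmac.compare_digest(expected, nonce):
            self.verified.add(sender)
            return True
        return False

    def usable_next_hop(self, sender):
        # Routing acts only on links verified in both directions.
        return sender in self.verified


def demo():
    table = NeighborTable(my_pos=(0.0, 0.0))
    # Constructed Hello packets: one honest neighbor, two hostile senders.
    honest = Hello("n7", (60.0, 10.0), "BS1")
    far = Hello("x1", (900.0, 0.0), "BS1")   # loud transmitter, true position
    liar = Hello("x2", (50.0, 0.0), "BS1")   # loud transmitter, forged position

    nonce = table.on_hello(honest)
    table.on_echo("n7", nonce)               # n7 heard the challenge
    rejected = table.on_hello(far) is None   # fails the range check
    table.on_hello(liar)                     # passes the range check, but x2
    table.on_echo("x2", b"\x00" * 8)         # never heard the real nonce
    return {n: table.usable_next_hop(n) for n in ("n7", "x1", "x2")}, rejected
```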
Other attacks targeting sensor activities include: (a)
insertion of malicious code, which may take control over the
sensor network on behalf of adversaries and can either send
false observations about the physical environment or gather
information about the monitored entities to adversaries; (b)
injection of false messages giving incorrect information about the
physical environment to monitor sensor states; and (c)
interception of sensitive information about the location of
sensors or application specific information including message
fields such as IDs and timestamps. Moreover, the deployment
of security mechanisms in an ad-hoc network adds overhead
and security threats. To minimize security risk, we believe
that there is a need to assign different security levels to the
messages flowing through the ad-hoc sensor network,
differentiating sensitive data (e.g., mobile code and reported
information on the detected events) from the
application-based information conveyed with exchanged packets. We also
make the choice in the following section not to allow mobile
code to flow to sensor nodes and not to authorize remote
inaccessible intelligence in sensor nodes.
IV. MANAGING MOBILE SENSORS
Our mobile sensor management scheme includes four
processes: (a) initialization and registration of mobile sensors;
(b) sending and authenticating sensor data; (c) establishing
the handoff procedure; and (d) leaving or entering radio
coverage. Next, we present a brief description of each of these
processes.


During initialization, an ad-hoc node allows every sensor
deployed in that node to get registered with a base station.
The BS issues X.509 certificates for sensors and nodes. The
sensors will deliver the data about the events that they detect
to the appropriate BSs. The ad-hoc node uses its certificate
for routing purposes and co-signing the messages sent by the
sensors. The BSs share a secure directory of the certificates
they issue and supply the online verification service that
might be needed to authenticate messages, source messages,
and signatures. A final action performed during initialization
is to synchronize the event transmission between a sensor and
the event analysis center, as well as the initialization of the
needed parameters for security protection.
The sending and authentication process assumes the
availability of multiple paths from a sensor node to one or
more base stations. The transmission is made in a way that
the receiving BS is able to verify all intermediate signatures
and compare the results arriving via different paths. Data
related to collected events should be time-stamped (and
numbered) to avoid replay attacks. They can aggregate a set
of correlated events (e.g., events related to the occurrence of
the same object can be counted). The efficiency of
message authentication and integrity is based on the
effectiveness of the signature operation and the availability of
a secure certificate repository at the BS level. The sending
and authentication process assumes that signed messages are
stored at the sensor level and that a reasonable level of
intelligence is available at the sensor and node levels.
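The base-station side of the sending and authentication process can be sketched as follows. This is an added example, not code from the paper: HMAC-SHA256 tags under per-node keys stand in for the X.509 signatures the scheme uses, and the freshness window, key values, message fields and node names are all assumptions. The BS verifies every signature along the path, rejects stale or replayed copies using the timestamp and sequence number, and compares the copies that arrived over different paths.

```python
import hashlib
import hmac
import json
from collections import Counter, defaultdict

MAX_AGE_S = 30  # assumed freshness window; the paper gives no value
# Constructed keys standing in for the certificates the BS issues.
KEYS = {n: f"key-{n}".encode() for n in ("s1", "n2", "n3", "n4")}


def tag(node, data):
    return hmac.new(KEYS[node], data, hashlib.sha256).digest()


def sensor_send(sensor, seq, ts, event):
    fields = {"src": sensor, "seq": seq, "ts": ts, "event": event}
    body = json.dumps(fields, sort_keys=True).encode()
    return {"body": body, "sigs": [(sensor, tag(sensor, body))]}


def relay(node, msg, body=None):
    """Co-sign and forward; passing `body` models a relay that alters the alert."""
    body = msg["body"] if body is None else body
    prev = msg["sigs"][-1][1]
    return {"body": body, "sigs": msg["sigs"] + [(node, tag(node, body + prev))]}


class BaseStation:
    def __init__(self):
        self.seen = set()                # (src, seq, path) already accepted
        self.copies = defaultdict(list)  # (src, seq) -> events, one per path

    def receive(self, msg, now):
        if not msg["sigs"]:
            return "bad-signature"
        body, prev = msg["body"], b""
        for node, sig in msg["sigs"]:    # verify every signature on the path
            if node not in KEYS or not hmac.compare_digest(sig, tag(node, body + prev)):
                return "bad-signature"
            prev = sig
        f = json.loads(body)
        if f["src"] != msg["sigs"][0][0]:
            return "bad-signature"       # first signer must be the claimed source
        if abs(now - f["ts"]) > MAX_AGE_S:
            return "stale"
        key = (f["src"], f["seq"], tuple(n for n, _ in msg["sigs"]))
        if key in self.seen:             # same alert, same path: a replay
            return "replay"
        self.seen.add(key)
        self.copies[(f["src"], f["seq"])].append(f["event"])
        return "ok"

    def resolve(self, src, seq):
        """Compare copies from different paths: (majority event, agreeing, total)."""
        events = self.copies[(src, seq)]
        event, votes = Counter(events).most_common(1)[0]
        return event, votes, len(events)


def demo():
    bs, now = BaseStation(), 1000
    m = sensor_send("s1", 7, now, "intrusion@cell-12")  # constructed alert
    via_n2 = relay("n2", m)
    via_n3 = relay("n3", m, body=m["body"].replace(b"intrusion", b"all-clear"))
    via_n4 = relay("n4", m)
    results = [bs.receive(via_n2, now + 1), bs.receive(via_n3, now + 1),
               bs.receive(via_n4, now + 2), bs.receive(via_n2, now + 3),
               bs.receive(via_n2, now + 120)]
    return results, bs.resolve("s1", 7)
```

A total lower than the number of paths the sensor is known to use indicates that a copy was dropped or failed verification on one of them.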
The third process is executed when a node experiences a
handover. Since a sensor node is connected to one or more
BSs via multiple paths, a typical handover occurs in two
different cases. First, the sensor node can realize that it is
moving from one radio coverage to another. Second, upon
receipt of a Hello packet, the sensor node can decide to use
the packet sender to build a new path to a BS. For this, it
might be useful for the Hello packet to include the
identity of the BS the sender is connected to and some useful
information about a path connecting the sender to that BS
(e.g., number of hops, trust levels). Besides, a procedure can
be followed to optimize the establishment and use of paths to
BSs.
The fourth process allows a sensor node to leave a
covered area, where it has multiple paths allowing it to send
the data it collects about the physical environment and
provide useful redundancy. Reasons for leaving the area may
include communication problems, node energy limitation, or
simply unreachability of nodes due to their mobility. When a
sensor node leaves an area controlled by a given BS, this BS
is in charge of deleting all the paths it has with the leaving
sensor node (eventually after a predefined timeout), provided
that the sensor node did not do it properly. During
communication disruption, the node should continue
collecting the events it has to monitor. When the sensor node
gets back to the ad-hoc sensor network, it first builds at least
one path to an available base station and then sends the
history that the sensor has gathered to the appropriate BSs.


Finally, let us now notice that a multilevel trust model can
be managed within the wireless ad-hoc sensor network. In this
model, a sensor node, denoted by N, is represented by the
following tuple:
$(N, tr(N); (s_1, lev_1); (s_2, lev_2); \ldots; (s_k, lev_k))$
where $tr(N)$ is the trust level of node N, characterizing the trust
level that the base stations have in it, k is the number of
sensors implemented in node N, $s_n$ is the $n$-th sensor in N, and
$lev_n$ represents the security sensitivity allocated to the $n$-th
sensor. The system is assumed to manage trust levels with
respect to the following statements:
- If for sensor $s_n$ the inequality $tr(N) < lev_n$ is satisfied, then
$s_n$ should encrypt any message it sends to a BS and
will have only to sign that encrypted message and relay it
appropriately.
- If the sensor node experiences (or is shown to be targeted
by) attacks, the trust level tr(N) is decreased based on
predefined policy rules establishing the way the level is
represented and decreased. The BS witnessing the attack
is responsible for informing sensors $s_1, s_2, \ldots, s_k$ and
the other BSs as well.
- If the trust level of sensor node N goes under a given value
(i.e., the minimal acceptable trust level), say tr(N)< ,
then sensors implemented in sensor node N should be
considered invalid and should be dropped from the
network monitoring.
- If conflicts occur between the messages received at a BS
and assumed to arrive from the same sender, the message
flowing via the most trusted nodes is prioritized.
Managing the multilevel trust model assumes that a set of
trust levels is defined and totally ordered. A numerical
representation of that order may give useful semantics for
the operations increase-level and decrease-level.
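The four trust statements above can be exercised with integer trust levels, as in the following added example (not code from the paper). The minimal acceptable trust level, the penalty table, the "sign only" behavior when tr(N) >= lev_n, and the rule that a path is as trusted as its least trusted node are assumptions; the paper leaves them to the policy.

```python
from dataclasses import dataclass

MIN_TRUST = 2  # assumed minimal acceptable trust level
# Constructed policy rules: how much each attack type lowers tr(N).
ATTACK_PENALTY = {"hello_flood": 1, "false_alert": 2}


@dataclass
class SensorNode:
    name: str
    trust: int        # tr(N)
    sensors: dict     # sensor id -> lev_n (security sensitivity)
    valid: bool = True

    def protection(self, sensor_id):
        """Statement 1: if tr(N) < lev_n the sensor encrypts before signing."""
        if not self.valid:
            return "dropped"
        if self.trust < self.sensors[sensor_id]:
            return "encrypt+sign"
        return "sign"  # assumption: plaintext is acceptable otherwise


class BaseStation:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.notices = []  # notifications owed to the sensors and peer BSs

    def report_attack(self, node_name, kind):
        """Statements 2 and 3: decrease tr(N), notify, invalidate if too low."""
        node = self.nodes[node_name]
        node.trust = max(0, node.trust - ATTACK_PENALTY[kind])
        self.notices.append((node_name, node.trust, sorted(node.sensors)))
        if node.trust < MIN_TRUST:
            node.valid = False
        return node.trust

    def path_trust(self, path):
        # Assumption: a path is only as trusted as its least trusted node.
        return min(self.nodes[n].trust for n in path)

    def resolve_conflict(self, copies):
        """Statement 4: copies is a list of (path, message) from one sender."""
        usable = [(p, m) for p, m in copies
                  if all(self.nodes[n].valid for n in p)]
        if not usable:
            return None
        return max(usable, key=lambda c: self.path_trust(c[0]))[1]


def demo():
    # Constructed nodes and sensitivity levels.
    a = SensorNode("A", 5, {"acoustic": 3, "camera": 6})
    b = SensorNode("B", 4, {"pir": 2})
    c = SensorNode("C", 3, {"pir": 2})
    bs = BaseStation([a, b, c])
    before = (a.protection("acoustic"), a.protection("camera"))
    bs.report_attack("A", "false_alert")  # tr(A): 5 -> 3
    bs.report_attack("A", "hello_flood")  # tr(A): 3 -> 2
    after = a.protection("acoustic")      # now 2 < 3
    winner = bs.resolve_conflict([(["A", "B"], "m1"), (["C"], "m2")])
    bs.report_attack("A", "false_alert")  # tr(A): 2 -> 0, below MIN_TRUST
    return before, after, winner, a.valid, a.protection("camera")
```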
V. DATA COLLECTION AND CONTINUITY
Data collection provided within the WASN is done by
sensors gathering information about specific events. Sensors
are assumed to constitute a dense network, meaning that in
the same limited area several sensors may have to report on
the same event occurrence. For the sake of simplicity, we
assume that sensors use the same data structure to represent
information about events so that correlation of events at the
appropriate BSs is a matter of time synchronization and
localization. Time synchronization is achieved by having the
BSs broadcast periodically a universal time and requiring that
paths linking sensors to the related BSs should not contain
more than a small number of segments (or sensor nodes). In
practice, this shows that the number of BSs is an important
issue and the WASN hierarchy has a limited number of layers.
Localization assumes that sensor nodes are able to estimate
the location of any neighboring sender.
Continuity of the WASN service is provided through
three principles to be respected: link continuity, alert
reporting continuity, and continuity of observation. Link
continuity is satisfied by providing multiple paths to BSs and
assuming that sensor node density gives a large probability
that all the controlled area is radio covered, meaning that the
only way for a sensor node to leave the WASN is to
shutdown its system or be in failure. Moreover, it means that
handoff operations are typically compensated for by the
existing multiple paths and the creation of a new path.
Finally, this indicates that adding paths to support continuity
should be done very often.
Alert reporting continuity is guaranteed by having the
sensor nodes send all the information collected by their
sensors to the related BSs and requiring that a sensor submits
the history of events it had stored, while it is not connected,
as soon as it gets back to the WASN. Observation continuity
is pursued by reducing sensor failure,
increasing uniform distribution of each class of sensors, and
ad-hoc node availability, as well as increasing communication
protocol security. To do so, appropriate mobility models
should be used.
Finally, let us consider the monitoring process of a
WASN and assume that it deploys the needed mechanisms to
provide the assurance that the sensor nodes are performing
appropriately and securely. The monitoring process includes
three major sub-processes: trust management, malicious
attack detection, and sensor state control. The first
sub-process is done by providing a security policy that contains
the rules governing the modification of the trust levels and
providing a set of metrics that help estimate the presence of
malicious attacks. The resulting rule base and metric base are
dynamic in the way that new rules and metrics are added
whenever they are needed.
Detection of malicious attacks is based on the activity of
the node sensors (through the implementation of useful
metrics) and the availability of protection-oriented
mechanisms integrated at the node level that help develop an
intrusion tolerant environment. Mechanisms to react against
attacks include: nodes trust reduction, node isolation, and
sensor invalidation.
Sensor state control is obtained by using a dynamic set of
state classifiers that combine the metrics values available for
a sensor node. A typical state classifier has the following
form:
SC(state, e1,..,en) = i,Ii i mi(eIi)

where Ii is a sub-list of events related to metric mi, i is a
weight to be established for metrics mi. Typical decisions
assert that the state of sensor s is insecure on the occurrence
of events e1,..,en if SC(state, e1,..,en) exceeds a threshold
, meaning that SC(state, e1,..,en) > .
VI. CONCLUSION
The integration of reliable sensors in nodes of wireless
ad-hoc networks has posed various interesting challenges to
the research and development community. We focused in this
paper on two fundamental issues: supporting high mobility of
sensors and guaranteeing continuity of sensing, while
providing for the correlation of the collected data. We
propose an efficient scheme for the management of data,
sensor mobility, and sensing security. This paper has
provided an authentication-based scheme that protects the
sensors, the sensor procedures, and the transmitted alerts from
malicious activities. It has also defined a formal model for the
management of multilevel trust to be applied to network
resources, controlled events, and related tasks.

REFERENCES
[1] I.F. Akyildiz, W. Su, Y. Sankarasubramaniam, and Erdal
Cayirci, "A Survey on Sensor Networks," IEEE
Communications Magazine, 40(8): 102-114, 2002.
[2] S. Slijepcevic, V. Tsiatsis, M. Potkonjak, and M.B. Srivastava,
"On Communication Security in Wireless Ad-Hoc Sensor
Networks," Proc. 11th IEEE Int. Workshops on Enabling
Technologies: Infrastructure for Collaborative Enterprises
(WETICE02), 2002.
[3] A. Perrig, R. Szewczyk, V. Wen, and J.D. Tygar, "SPINS:
Security Protocols for sensor networks," Mobicom 2001, pp.
189-199, Italy, June 2001.
[4] J. Rabaey, J. Ammer, J.L. da Silva, and D. Patel, "Pico-radio:
ad-hoc wireless networking of ubiquitous low energy
sensor/monitor node," Proc. of the IEEE Computer Society
Annual Workshop on VLSI (WVLSI'00), pp. 9-12, Orlando,
Florida, April 2000.
[5] C. Karlof and D. Wagner, "Secure Routing in Wireless Sensor
Networks: Attacks and Countermeasures," IEEE International
Workshop on Wireless Sensor Network Protocols and
Applications, pp. 113-127, May 2002.
[6] J.R. Douceur, "The Sybil attack," 1st International Workshop
on peer-to-peer Systems (IPTPS02), pp. 251-260, March
2002.
[7] Y.C. Hu, A. Perrig, and D.B. Johnson, "Wormhole detection in
wireless ad-hoc networks," CS Dept., Rice Univ., Technical
Report, TR01-384, June 2002.