On the Reliability of Wireless Sensors with Software-Based ...

2009 10th International Symposium on Pervasive Systems, Algorithms, and NetworksOn the Reliability of Wireless Sensors withSoftware-based Attestation for IntrusionDetectionIng-Ray ChenDepartment of Computer ScienceVirginia Techirchen@cs.vt.eduDing-Chau WangDepartment of Information ManagementSouthern Taiwan Universityzh9@mail.stut.edu.twAbstract—Wireless sensor nodes are widely used in manyareas, including military operation surveillance, naturalphenomenon monitoring, and medical diagnosis datacollection. These applications need to store and transmitsensitive or secret data, which requires intrusion detectionmechanisms be deployed to ensure sensor node health, aswell as to maintain quality of service and survivability.Because wireless sensors have inherent resourceconstraints, it is crucial to reduce energy consumption dueto intrusion detection activities. In this paper by means of aprobability model, we analyze the best frequency at whichintrusion detection based on probabilistic code attestationon the sensor node should be performed so that the sensorreliability is maximized by exploiting the trade-off betweenthe energy consumption and intrusion detectioneffectiveness. When given a set of parameter valuescharacterizing the operational and networking conditions,a sensor can dynamically set its intrusion detection rateidentified by the mathematical model to maximize itsreliability and the expected sensor lifetime.Keywords — Wireless sensor networks, intrusiondetection, software-based attestation, performanceevaluation, reliability.I. INTRODUCTIONWireless sensors facilitate many applications in a wide rangeof areas, such as traffic data collection in transportation,earthquake monitoring for emergency response, combat zonesurveillance and disease diagnosis in medical environments.Sensor nodes typically have limited computational resourcesand battery power in an autonomous framework without energysupply. A wireless sensor network generally consists of a largenumber of sensor nodes that communicate with their neighborsand send data to a base station or gateway through multi-hoptransmission.The basic sensor activities include sensing, transmission, anddata processing. All these activities consume a sensor’s batterypower which is crucial to the sensor and the network lifetime.Therefore efficient power management is important to prolongthe battery lifetime of sensors and network sustainability.Power management schemes include low-energy protocols andtopologies in which sensor nodes sleep and wake up accordingto certain rules. Another kind of power management is at theapplication level and not protocol-specific, such asevent-driven and source-driven power management [1].Wireless sensor nodes are usually small and have manyphysical constraints, making them vulnerable to insider oroutsider attacks. Security properties such as authentication,secrecy, and data integrity, need to be maintained in thenetwork. Authentication is to ensure that a sending node isindeed who it claims to be. Secrecy, or confidentiality, meansthat parties other than the destination will not understand datatransmission. Integrity ensures that data are the same as that aresent when received. These security properties normally can beachieved by means of secure key management against outsiderattacks except jamming [2].A more severe attack is due to inside attackers. A sensornode can be compromised by various ways, e.g., throughcapture or by malicious code breaking into the sensor node. Acompromised node may perform attacks to disrupt the system.For sensor nodes, the most severe outcome is that a sensor nodemaliciously outputs incorrect sensing data causing disasters.The only way to deal with insider attackers is to employintrusion detection to detect compromised nodes. Among theseintrusion detection schemes, software-based attestation or codeattestation [3-8] is an attractive technique because it doesn’trequire any physical access to the sensor or secure hardwareinside a sensor node. However, whether or not the energyconsumption of software-based attestation is affordable forresource-constrained sensor nodes, or what the rate it should beinvoked has not been investigated in the literatures. This paperaddresses this problem. We develop a probabilistic model toquantitatively analyze the effect of software-based attestationand how often it should execute on a sensor to maximize thesensor reliability and lifetime. The contribution of this paper is978-0-7695-3908-9/09 $26.00 © 2009 IEEEDOI 10.1109/I-SPAN.2009.36184Authorized licensed use limited to: to IEEExplore provided by Virginia Tech Libraries. Downloaded on March 21,2010 at 21:03:37 EDT from IEEE Xplore. Restrictions apply.

that we are the first to study the impact of intrusion detectionbased on software-based attestation on a sensor node’sreliability and lifetime by exploiting the trade-off between theintrusion detection operation frequency and energyconsumption. When given a set of parameter valuescharacterizing the system dynamic operating conditions, asensor can dynamically set its intrusion detection intervalidentified by the mathematical model to maximize its reliabilityand sensor lifetime.II. RELATED WORKIntrusion detection methods are generally classified into twotypes: signature-based (or misuse) detection andanomaly-based detection. Signature-based detection usescharacteristics of attacks to form signatures or patterns, anddetect attacks by matching activities against the signatures.Anomaly-based detection is based on an assumption that theattacker’s behavior deviates from the normal network behavior.Software-based attestation methods for embedded deviceshave been proposed without the requirement of physical accessto the device or secure hardware [3-8]. The assumption is that amalicious node will contain at least one line of code that isdifferent than the clean code. For example, Seshadri et al. [3]proposed SWATT, a challenge-response protocol, to verify thememory contents of embedded devices. In SWATT a trustedverifier in the transmission range of the embedded device cansend a randomly generated challenge to the device. Thechallenge is used by the pseudorandom number generator togenerate a sequence of memory access addresses for memorytraversal in the device, so an attacker cannot predict whichmemory locations will be accessed in order to pre-compute theverification code. The device is considered compromised ifeither the response checksum doesn’t match or the responsetime takes longer than expected. The only way to hidemalicious changes to the memory contents of the embeddeddevice is to change its hardware. A downside of SWATTalgorithm is that the time difference to compute the checksumbecomes prominent as the number of memory locations forcode attestation increases.Because wireless sensor nodes have limited computationalpower and battery life, not all general attestation methods forembedded devices are applicable. Many software-basedattestation techniques have been proposed specifically forwireless sensor networks. Park et al. [4] proposed to verify theintegrity of the program residing in each sensor devicewhenever the device joins the network or has experienced along service blockage. Before sensors are deployed, a digest ofthe original program is computed using a randomized hashfunction, from which a digital signature is derived. During codeattestation, the verifier processes the signature with a trapdoorone-way function and compares the result with the digest forthe current program. By using a randomized hash function,faking or replaying the digest can be avoided. However, codeattestation is done only when a sensor joins the network or hasexperienced a long service blockage, so an intrusion thatdoesn’t result in a long service blockage cannot be detected.In [5], the attester which has an exact image of the memorycontents of each sensor sends an attestation routine to thesensor and waits for an expected period of time to get aresponse. The routine randomly reads the sensor’s staticmemory contents and returns a checksum of the memorycontents. The attester can verify whether the receivedchecksum matches a pre-computed checksum. However thereis no performance evaluation.Yang et al. [6] proposed two distributed software-basedattestation schemes to detect compromised nodes in sensornetworks. They used a pseudorandom noise generation and ablock-based pseudorandom memory traversal mechanism insensor nodes to monitor security properties. In their firstscheme, pseudorandom numbers derived from a uniquenoise-generation seed are filled in the node’s empty memoryspace before deployment, and afterwards the node distributes ashare of the seed to its neighbors. When a cluster head sends arandom challenge to a node, its neighbors will collaborate toattest this node by pseudorandom memory traversals. In thesecond scheme, the attestation is similar but the decision ismade by a majority voting based scheme by the neighborsinstead of by the cluster head. Therefore, when a trusted verifieris not available, attestation can still be carried out. Theirmethod uses a memory block as the size for memory traversal,so it is more efficient than SWATT that traverses the memoryin bytes. Seshadri et al. [7] proposed secure code update by anattestation protocol (called SCUBA) to detect and recovercompromised nodes in sensor networks. SCUBA is able to doattestation and use untampered code execution to recovercompromised nodes through code updates. However, therecovery requires a base station, which may not be alwaysavailable within the transmission range of the compromisednode.Energy consumption of sensor nodes has been studiedextensively, including [9-11]. Achir et al. [9] proposed aMarkov model from which they obtained the energyconsumption of a wireless sensor node considering both MACand PHY layers of the IEEE 802.15.4 standard. Chiasserini etal. [10] developed a Markov model for a sensor network whosenodes may enter sleep mode, and used this model to evaluatethe network’s performance in terms of energy consumption,network capacity, and data delivery delay. In [11], Calle et al.measured sensor’s energy consumption rates in wireless sensornetwork using Crossbow Mica2 motes employing agossip-based protocol. Their results showed measurements ofresistor voltage, current through the circuit, voltage intransmitting node, and energy consumption.No work exists in the literature considering the tradeoffbetween energy consumption vs. intrusion detection. Inparticular, no work exists exploring how often softwareattestation should be performed to balance out energyconsumption such that the sensor node is able to reliablygenerate sensor readings throughout its prolonged lifetimebecause of energy conservation. In this paper, we study theenergy consumption of software-based attestation and analyzethe effect of false positives and false negatives of185Authorized licensed use limited to: to IEEExplore provided by Virginia Tech Libraries. Downloaded on March 21,2010 at 21:03:37 EDT from IEEE Xplore. Restrictions apply.

software-based attestation, as well as how often softwareattestation should be performed to maximize the sensor nodereliability while prolonging its useful lifetime.III. PROBLEM STATEMENTWe use software-based attestation for detectingcompromised sensor nodes. The verification process is to verifythe memory content of a wireless sensor by computing thechecksum of program code and data. If code attestationhappens too often, the energy consumption may drain thebattery power quickly such that the reliability of the sensornode decreases and this offsets the benefits of software-basedattestation. On the other hand, if it is not done frequentlyenough, an intrusion may not be detected in time such that acompromised sensor may return incorrect sensor readings tofail the system. Therefore, it is critical to identify the best rate atwhich code attestation should be performed based on thecharacteristics of the energy model, the attacker model, and thecode attestation model so as to achieve the maximum reliabilitywhile prolonging the useful lifetime of the sensor node.IV. SYSTEM MODELWe consider source-driven sensors based on non-scheduledevent power management as described in [1]. A sensor node’sfunctionality includes periodic sensing, code attestation andrecovery as needed. The reliability of a sensor node ismeasured by its mean time to failure (MTTF) defined by thenumber of periodic sensor reading events that the sensor node isable to return sensor reading correctly before failure. A sensornode failure occurs when either the sensor node’s energy isdepleted or it’s compromised and returns incorrect sensorreadings. When a sensor node is compromised, it can berecovered if the code attestation process can correctly identifythe anomaly prior to a sensor reading event; otherwise, thesensor node will return incorrect sensor readings and thus isconsidered failed.Below we explain the model parameters used in the paper.The initial energy level of a sensor node, E, is assumed to be 2.5joules as in [12]. We assume that the bandwidth in the wirelessnetwork is 1Mbp and a sensor packet carrying sensor readingseach time is 30 bytes. According to the measurements in [11],the transmission energy consumption rate of Crossbow Mica2motes employing the Gossip-Based Sleep Protocol is82.33mjoules/s. Therefore the energy consumption by asensing event including transmission power consumption, E s , isabout 30*8*10 -6 *82.33 ≅ 0.02mjoule. We assume that thecomputational power consumption rate is 50mjoules/s, theCPU power of a sensor node is 10 MIPs, and the code length tobe attested is 2000 instructions [11]. Therefore the energyconsumption of each code attestation process, E c , is about2000/10*10 -6 *50=0.01mjoule. A recovery process involvesreloading and checking the integrity of the code, so the energyconsumption per recovery E r may be up to three times ofmagnitude of E c , in the range of 0.01 – 0.03 mjoule.Using code attestation as the means for intrusion detection, itis possible that it may not be perfect, e.g., due to the selection ofthe memory location. In general, the false positive probabilityP fp and the false negative probability P fn of code attestationmust be less than 1% for it to be feasible. Therefore, theirvalues are set in the range of 0%-1%. The sensor reading timeinterval T is set to be in the 1-10 seconds range, with the defaultvalue being set at 4 seconds by a random choice. The rate atwhich a sensor node is compromised (e.g., due to a capture oran attack), λ, is assumed to be in the range of 0.0058 - 0.0072per hour, meaning that a sensor node is compromised once inevery 5-8 days; its magnitude can be estimated by first orderapproximation from analyzing historical data and anticipatedmission difficulty. When λ is high, the environment is morehostile.Finally we set a parameter q to represent the probability thatcode attestation will be performed at the time a sensor readingoperation is performed. If q=1 it means that code attestation isperformed every time the sensor reading event occurs. If q=0 itmeans that code attestation will never be performed. Thus ourcode attestation procedure is invoked probabilisticallydepending on the value of q. Our objective is to determine theoptimal q value at which MTTF is maximized given a set ofvalues for parameters characterizing the operational andnetworking conditions of the wireless sensor network. We varythe values of key parameters to test their effects on the optimalq at which the sensor reliability measured by MTTF ismaximized.V. PERFORMANCE MODELWe develop a probability model and derive an analyticalexpression for computing the reliability of a sensor node interms of its MTTF. A sensor fails when either the sensornode’s energy is depleted, or it is compromised before energydepletion and it returns incorrect sensor readings in a periodicsensor reading event. In our probability model, a sensor node isbeing attested probabilistically based on code attestationtechniques by which the sensor node’s memory content istraversed and checked to see if any malicious code exists or ifany discrepancy exists from the original code. If the sensornode doesn’t respond with a correct result, i.e., answering thequery with a correct memory checksum, within a predefinedresponse time, the sensor is also considered compromised.For a compromised node if code attestation is performed andcorrectly identifies the node as compromised, then thecompromised sensor can be recovered through secure softwareupdate, provided that code attestation is performed before thesensor node outputs incorrect readings. On the other hand, ifcode attestation fails to identify the sensor node as having beencompromised, it is a false negative. In this case the failurerecovery will not be performed and the sensor is considered ashaving failed because it will generate incorrect sensor readings.For the case in which a sensor node is not compromised butcode attestation mistakenly identifies it as compromised, it is afalse positive. In this case, an unnecessary recovery will still becarried out, which does not hurt the functionality of the sensorexcept wasting energy unnecessarily.There are three types of activities consuming a sensor’senergy: sensing (E s ), attestation (E c ), and recovery (E r ). Themaximum number of sensor reading events that the sensor node186Authorized licensed use limited to: to IEEExplore provided by Virginia Tech Libraries. Downloaded on March 21,2010 at 21:03:37 EDT from IEEE Xplore. Restrictions apply.

can provide prior to energy exhaustion, N q , thus can becalculated as:ENq= Es+ q *(Ec+θ * Er)(1)where q is the probability of invoking code attestation at theperiodic sensor reading event time and θ is the probability ofinvoking the code recovery procedure because code attestationconcludes that the sensor node has been compromised and mustbe recovered.A sensor’s expected lifetime, MTTF, is defined as themaximum number of sensor readings that the sensor node canperform before failure, therefore MTTF can be calculated as:Nq∑ − 1i=1iNqMTTF = i * Rq*(1 − Rq)+ Nq* Rq(2)where i is the number of successful sensor reading operations anode performs before it fails, the probability of which is equalto R i q * (1-R q ) with R q being the probability that the sensor willreturn correct readings when it performs a sensor readingNqoperation. In Equation (2), the last term N q * R q accounts forthe special case in which all N q sensing operations aresuccessful by the sensor node.Let T be the sensor reading interval and X be the time tocompromise a sensor node. Let P 1 be the probability that thesensor reading event occurs prior to the sensor node havingbeen compromised, i.e., P 1 =Probability(X > T). For the case inwhich X is a random variable exponentially distributed withrate λ, P 1 can be calculated as:P 1=e *T-λ (3)Let P 2 be the probability that a sensor reading event occursafter the sensor has been compromised, but software attestationis invoked before a sensor reading event and successfullydetects and recovers the compromised node. Then, P 2 = (1-P 1 )* q * (1- P fn ). Substituting in the expression for P 1 , P 2 can becalculated as:-λ*TP2 = (1- e ) * q * (1- Pfn)(4)Since R q is the probability that the sensor node returns correctreadings, it can be calculated as the sum of P 1 and P 2 :-λ*T-λ*TRq= e + (1- e )* q *(1- Pfn)(5)Since θ is probability that software attestation concludes thatthe sensor node is compromised and needs to be recovered, it isequal to the sum of (1-P 1 ) * (1- P fn ) and P 1 * P fp , i.e.,-λ*T-λ*Tθ = (1 − e )*(1 − Pfn)+ e * Pfp(6)From the above equations, it can be seen that the sensor nodereliability measured by its MTTF is determined by E, E s , E c , E r ,T, q, λ, P fp , and P fn . The total energy consumption by attestationand recovery depends on q, λ, T, P fn and P fp . The rate thatsensor is compromised (λ) varies in different environments. Asensor node has no control of the λ value. However, it candetermine its software-based attestation probability, q, at theperiodic sensor reading operation time to maximize itsreliability and lifetime by balancing energy consumption vs.intrusion detection.VI. RESULTS AND ANALYSISIn this section we present numerical data as a result ofcomputing MTTF based on Equation 2. Our objective is toshow that there exists an optimal setting for probabilistic codeattestation to be performed on a sensor node under whichMTTF is maximized. Specifically, when given a set ofparameter values characterizing the operational and networkingenvironments (as represented by E s , E c , E r , λ, P fp , and P fn ) thereexists an optimal q to achieve maximum MTTF values. We alsoanalyze the sensitivity of the result with respect to E s , E c , E r , λ,P fp , and P fn and provide physical interpretations.Figure 1 shows the effect of λ on MTTF with all otherparameters fixed at their default values as indicated. Weobserve that there exists an optimal q under which MTTF ismaximized. When λ is sufficiently low (< 0.005 hour -1 ), theoptimal q is zero, meaning no software attestation is the best formaximizing MTTF. This means that if the rate at which thesensor node is compromised is small, software attestation canbe too costly for the sensor node and therefore the sensor nodeMTTF will not be enhanced by this intrusion detectionmechanism. On the other hand, when λ is sufficiently large(>0.007 hour -1 ), the optimal q is 1. This means that when thesensor compromising rate is high, it is beneficial to do softwareattestation often despite the cost associated with codeattestation and recovery. We observe that when λ is within0.005 hour -1 and 0.007 hour -1 , an optimal q within the range of 0and 1 exists at which MTTF is maximized. This optimal q valueexists because of the tradeoff between energy consumption ofcode attestation vs. its effectiveness in intrusion detection.Figure 1: Effect of λ on MTTF (E s =0.02 mjoule, E c =0.01mjoule, E r =0.02 mjoule, T=4 s, P fp =0.5%, P fn =0.5%).Figure 2 shows how MTTF changes when P fn varies. Weobserve that the optimal q value for maximizing MTTFdecreases as P fn increases. This result indicates that if the falsenegative probability of code attestation increases, it is better toperform code attestation less frequently because codeattestation may miss identifying a compromised sensor node187Authorized licensed use limited to: to IEEExplore provided by Virginia Tech Libraries. Downloaded on March 21,2010 at 21:03:37 EDT from IEEE Xplore. Restrictions apply.

and still could cause failure. Correspondingly, Figure 3 showsthe effect of P fp on MTTF. We see that similarly as P fpincreases, the optimal q decreases. This is because when thefalse positive probability is high, the chance of a health sensorbeing incorrectly diagnosed as compromised is high, causingunnecessary failure recovery operations to be performed on thesensor node. Comparing Figure 3 with Figure 2, we observethat the MTTF is more sensitive to P fp than P fn because falsepositives unnecessarily invoke failure recovery actions by codeupdates which waste substantial energy.each sensor data reading event. We observe that the optimal qthat maximizes MTTF is relatively insensitive to E s .Correspondingly Figure 5 shows the sensitivity of MTTF withrespect to E c . As E c increases, the optimal q decreases withgreat sensitivity while the maximum MTTF value decreasestoo. This means that when the energy consumption for runningsoftware attestation is relatively large compared with that forsensing or recovery, it is better to run code attestation lessfrequently to maximize MTTF.Figure 2: Effect of P fn on MTTF (E s =0.02 mjoule, E c =0.01mjoule, E r =0.02 mjoule, λ=0.00648 hour -1 , T=4 s, P fp =0.5%).Figure 4: Effect of E s on MTTF (E c =0.01 mjoule, E r =0.02mjoule, λ=0.00648 hour -1 , T=4 s, P fp =0.5%, P fn =0.5%).Figure 5: Effect of E c on MTTF (E s =0.02 mjoule, E r =0.02mjoule, λ=0.00648 hour -1 , T=4 s, P fp =0.5%, P fn =0.5%).Figure 3: Effect of P fp on MTTF (E s =0.02 mjoule, E c =0.01mjoule, E r =0.02 mjoule, λ=0.00648 hour -1 , T=4 s, P fn =0.5%).Next we test the effects of various energy consumption rateson the MTTF of a sensor node. Figure 4 shows the effect of E son MTTF. We again observe that there exists an optimal qunder which MTTF is maximized. As E s increases the sensorMTTF decreases because more energy is being consumed onSimilarly Figure 6 shows the effect of E r on MTTF. It can beseen that the optimal q decreases shifting toward left slightly asE r increases. It suggests that as the recovery cost is highcompared with sensing or code attestation, software attestationshould run less often to achieve the maximum MTTF value. Insummary we see that both the energy consumption rates of codeattestation and recovery greatly affect how often costattestation should be executed for the benefit (detecting the188Authorized licensed use limited to: to IEEExplore provided by Virginia Tech Libraries. Downloaded on March 21,2010 at 21:03:37 EDT from IEEE Xplore. Restrictions apply.

compromised node) to outweigh the cost (energyconsumption).attestation and code recovery without considering theencompassing wireless sensor network environment. In thefuture, we plan to extend the energy model to consider routingand reconfiguration functions typically performed by a sensornode in a wireless sensor network. We also plan to explore codeattestation protocols not based on probabilistic invocation.Finally, we plan to validate analytical results obtained throughexperimental evaluation.ACKNOWLEDGEMENTThe authors would like to thank Julia Xu who is a MSgraduate student at Virginia Tech for implementing C code fornumerical data analysis.Figure 6: Effect of E r on MTTF (E s =0.02 mjoule, E c =0.01mjoule, λ=0.00648 hour -1 , T=4 s, P fp =0.5%, P fn =0.5%).VII. CONCLUSION AND FUTURE WORKDue to inherent resource constrains of sensor nodes, it iscritical to apply a light-weight intrusion detection method andtune it with the right configuration in order to maximize thelifetime of sensor nodes against malicious insider attacks. Codeattestation is a light-weight intrusion detection techniqueapplicable to sensor nodes without having to physically accesssensor nodes.In this paper we develop a probability model to analyze howoften code attestation should be performed to maximize theexpected lifetime of a sensor where a sensor fails when eitherthe sensor node’s energy is depleted, or it is compromisedbefore energy depletion and returns incorrect sensor readings ina sensor reading event. We evaluate a design by which codeattestation is invoked probabilistically with probability qwhenever a periodic sensor reading event is triggered. Ouranalysis results show that there always exists an optimal qunder which the sensor reliability measured by its expectedlifetime is maximized. Furthermore, we conclude that codeattestation should be executed more often (that is with a large q)whenever the compromising rate λ is high, the false resultprobability (negative or positive) is low, the energyconsumption for running code attestation is low, or the energyconsumption for code recovery is low compared with theenergy consumption for sensor data reading. The systemdesigner can monitor the wireless sensor environment and giveproper values for these model parameters and then apply theanalytical formula derived in the paper to find the best q valuefor maximizing the expected lifetime of sensors.Our work is the first to address the tradeoff between energyconsumption of code attestation vs. its effectiveness inintrusion detection to maximize a sensor’s expected lifetime.However, the energy model considered is limited to a sensornode for performing simple tasks such as data reporting, codeREFERENCES[1] S.H. Lee, B.H. Cho, L. Choi, and S.J. Kim, “Event-Driven PowerManagement for Wireless Sensor Networks”, Lecture Notes inComputer Science, Volume 4761/2007, Springer, pp. 419-428.[2] X. Chen, K. Makki, Y. Kang and N. Pissinou, “Sensor networksecurity: A survey,” IEEE Communications Surveys andTutorials, Vol. 11, No. 2, 2009, pp. 52-73.[3] A. Seshadri, A. Perrig, A, L. van Doorn, and P. Khosla,“SWATT: softWare-based attestation for embedded devices,”IEEE Symp. Security and Privacy, 2004, pp. 272 – 282.[4] T. Park, and K. G. Shin, “Soft tamper-proofing via programintegrity verification in wireless sensor networks,” IEEE Trans.Mobile Computing, Vol. 4, No. 3, 2005, pp. 297-209.[5] M. Shaneck, K. Mahadevan, V. Kher, and Y. Kim, “Remotesoftware-based attestation for wireless sensors,” ESAS, July 2005[6] Y. Yang, X. Wang, S. Zhu and G. Cao; “DistributedSoftware-based Attestation for Node Compromise Detection inSensor Networks,” 26th IEEE International Symposium onReliable Distributed Systems, Oct. 2007, pp. 219 - 230.[7] A. Seshadri, M. Luk, A. Perrig, L. van Doorn, and P. Khosla,“SCUBA: Secure Code Update by Attestation in sensornetworks,” 5th ACM workshop on Wireless security, September2006, pp. 85 – 94.[8] K. Chang, and K.G. Shin, “Distributed Authentication ofProgram Integrity Verification in Wireless Sensor Networks,”IEEE Transactions on Information and System Security, Volume11, Issue 3, March 2008.[9] M Achir, and L Ouvry, “QoS and energy consumption in wirelesssensor networks using CSMA/CA,” IEEE Conference on SystemsCommunications, Aug. 2005, pp. 33 – 39.[10] C.-F Chiasserini, and M. Garetto., “Modeling the performance ofwireless sensor networks,” INFOCOM, March 2004.[11] M. Calle, J Kabara, “Measuring energy consumption in wirelesssensor networks,” IEEE 17th International Symposium onPersonal, Indoor and Mobile Radio Communications, Sept.2006, pp. 1 - 5[12] A. Mounir, and O. Laurent, “Power Consumption Prediction inWireless Sensor Networks,” ITC Specialist Seminar onPerformance Evaluation of Wireless and Mobile Systems,Antwerp, Belgium (2004).189Authorized licensed use limited to: to IEEExplore provided by Virginia Tech Libraries. Downloaded on March 21,2010 at 21:03:37 EDT from IEEE Xplore. Restrictions apply.