CS 591 – Wireless & Network Security
Lecture 12: Distributed Trust

Dr. Kemal Akkaya
Department of Computer Science
Southern Illinois University Carbondale


Trust Management in MANETs/WSNs

- All participants actively contribute to network activities such as routing and packet forwarding
- Special characteristics:
  - limited memory
  - perishable battery power
  - lower bandwidth
- Two approaches:
  - Monitoring-based
    - CONFIDANT
    - Watchdog
  - Reputation-based
    - CORE
    - RFSN


Limitations of network security

- Distributed collaborative data processing
  - Network security -> Make sure that only authenticated nodes participate.
  - Network security cannot -> Verify if nodes function properly
- Distributed data gathering
  - Network security can -> message integrity, confidentiality, secure relaying.
  - Network security cannot -> data authentication.
- How do nodes trust each other?
- How do nodes trust the information provided by other nodes?


CONFIDANT

Buchegger, S. and Le Boudec, J. 2002. Performance analysis of the CONFIDANT protocol. In Proceedings of the 3rd ACM International Symposium on Mobile Ad Hoc Networking & Computing (Lausanne, Switzerland, June 09 - 11, 2002). MobiHoc '02. ACM, New York, NY, 226-236.

- Detect, prevent, and/or discourage:
  - No forwarding (of control messages or data)
  - Traffic deviation
    - Advertise many routes
    - Advertise routes too often
    - Advertise no routes
  - Route salvaging: rerouting to avoid a broken link although no error has been observed
  - Lack of error messages, although an error has been observed (and vice versa)
  - Silent route change (tampering with message headers of either control or data packets)


Reputation Systems: Response to Attacks

- A different method of handling attacks is to prevent them:
  - Only allow good nodes onto the network
  - Secure key to access network
- Reputation systems detect misbehavior and then try to thwart attacks.
  - A good idea even if other methods have been used to prevent attacks and secure access
- Inspiration of CONFIDANT: Richard Dawkins' The Selfish Gene
  - Suckers
  - Cheats
  - Grudgers


CONFIDANT built on top of DSR

- Dynamic Source Routing (DSR)
  - Reactive/On-Demand routing
  - Nodes send a ROUTE REQUEST message
  - Neighbors add themselves to the source route and forward it on
  - If the receiving node is the destination or has a route to the destination it sends a REPLY message with the full route
  - First received ROUTE REPLY wins
  - Failed links can be salvaged by partial alternate route
  - Routes are cached for some period of time
- Observed Behavior
  - 'Neighborhood Watch' behavior that is directly observed, overheard, by the node.
- Reported Behavior
  - Share experienced misbehavior and learn from friends.


CONFIDANT Components

- The Monitor
  - Directly observes behavior
- The Trust Manager
  - Sends and receives ALARMs
- The Reputation System
  - Node Rating
- The Path Manager
  - Route management based on Reputation

(Every node implements all of these components)


The Monitor

- Directly observes behavior
  - no forward (only observation implemented in this simulation)
  - Packet alteration
    - Data packets
    - Routing packets
  - Consistent claim of neighboring nodes
  - Any other observable metric


The Trust Manager

- Generate an alarm on experienced or observed misbehavior.
- Forward alarm on received report of misbehavior.
- Maintain trust table to determine trustworthiness of alarm
  - Determining trust level algorithm is an open question in paper

The Reputation System

- Table of nodes and their rating.
- Weighted between past rating and newly observed behavior and reported reputation.
- Only negative experience is counted
- Positive change and timeout are not addressed yet.
- Assume negative behavior is rare, and probably means node can never be trusted.


The Path Manager

- Path re-ranking according to security metric (re-rank route based on reputation).
- Deletion of paths containing malicious nodes.
- Action on receiving a request for a route from a malicious node (ignore request).
- Action on receiving request for a route containing a malicious node in the source route (ignore, alert source).


CONFIDANT Results


CONFIDANT Results


Watchdog and Pathrater

S. Marti, T.J. Giuli, K. Lai, and M. Baker, “Mitigating Routing Misbehavior in Mobile Ad Hoc Networks,” Proc. MobiCom '00.

- Extra facilities added to the network to detect and mitigate routing misbehavior.
- Two extensions to DSR:
  - Watchdog identifies misbehaving nodes by overhearing transmissions
  - Pathrater avoids routing packets through these nodes


Watchdog

- The watchdog is implemented by
  - maintaining a buffer of recently sent packets
  - comparing each overheard packet to buffered packets to see if there is a match. If so, the packet in the buffer is removed and forgotten.
  - treating a packet that stays in the buffer past a certain timeout as a failure: count it in a failure tally and see if the tally exceeds a bandwidth threshold. If so, send a message back to the source.
- Advantages
  - It can detect misbehavior at the forwarding level
- Disadvantages
  - It might not detect a misbehaving node, due to
    - Ambiguous collisions
    - Receiver collisions
    - Limited transmission power
    - False misbehavior
    - Collusion
    - Partial dropping


Disadvantages

- Honest Nodes
  - Ambiguous collisions
  - Receiver collisions
- Dishonest Nodes
  - Transmission power intentionally limited by a dishonest node
  - False misbehavior report by malicious node
  - Multiple dishonest nodes in collusion (groups of nodes)
  - Partial dropping by a dishonest node


PathRater

The pathrater, run by each node, combines knowledge of misbehaving nodes with link reliability data to pick the route.

Each node maintains a rating for every other node it knows about in the network

It calculates a path metric by averaging the node rating in the path. If there are multiple paths to the same destination, the path with the highest metric is chosen.
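The watchdog buffer and the pathrater metric described on the last few slides, as an added sketch that is not code from the lecture or from the Marti et al. paper. The timeout, the tally threshold, the neutral and misbehaving rating values and the node names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

MISBEHAVING = -100.0   # assumed rating given to a node the watchdog reported
NEUTRAL = 0.5          # assumed rating for nodes with no history


@dataclass
class Watchdog:
    timeout: float = 0.5      # assumed: seconds allowed before a forward must be overheard
    threshold: int = 3        # assumed: failure tally that must be exceeded to report
    pending: dict = field(default_factory=dict)   # packet id -> (next hop, time sent)
    tally: dict = field(default_factory=dict)     # next hop -> failure count

    def sent(self, packet_id, next_hop, now):
        """Buffer a packet just handed to next_hop for forwarding."""
        self.pending[packet_id] = (next_hop, now)

    def overheard(self, packet_id, sender):
        """A matching overheard transmission clears the buffered packet."""
        entry = self.pending.get(packet_id)
        if entry and entry[0] == sender:
            del self.pending[packet_id]

    def expire(self, now):
        """Tally packets not overheard in time; return nodes to report to the source."""
        reported = set()
        for pid, (hop, sent_at) in list(self.pending.items()):
            if now - sent_at > self.timeout:
                del self.pending[pid]
                self.tally[hop] = self.tally.get(hop, 0) + 1
                if self.tally[hop] > self.threshold:
                    reported.add(hop)
        return reported


def path_metric(path, ratings):
    """Pathrater metric: average rating of the nodes on the path."""
    return sum(ratings.get(n, NEUTRAL) for n in path) / len(path)


def best_path(paths, ratings):
    """Among paths to the same destination, pick the one with the highest metric."""
    return max(paths, key=lambda p: path_metric(p, ratings))


def demo():
    # Constructed trace: S hands 6 packets to A; only ids 0 and 1 are overheard.
    wd = Watchdog()
    for pid in range(6):
        wd.sent(pid, "A", now=pid * 0.1)
    for pid in (0, 1):
        wd.overheard(pid, "A")
    reported = wd.expire(now=2.0)
    ratings = {"A": 0.8, "B": 0.6, "C": 0.6}   # constructed ratings held by S
    for node in reported:
        ratings[node] = MISBEHAVING
    return reported, best_path([["S", "A", "D"], ["S", "B", "C", "D"]], ratings)


if __name__ == "__main__":
    print(demo())
```

A node that drops only as many packets as the threshold allows is never reported, which is the partial-dropping limitation listed among the watchdog's disadvantages.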


Simulation Results

- Combined use of
  - WD – Watchdog
  - PR – PathRater
  - SRR – Extra Route Request
- Two mobility scenarios
- Performance Metrics
  - Throughput: The percentage of sent data packets actually received by the intended destinations
  - Overhead: The ratio of routing-related transmissions to data transmissions in a simulation
  - False positives: False positives occur when the Watchdog mechanism reports that a node is misbehaving when in fact it is not
- Compromised nodes: from 0% to 40%


Throughput as % of misbehaving nodes


Throughput as % of misbehaving nodes


Overhead as % of misbehaving nodes


Overhead as % of misbehaving nodes


Throughput in presence of false detections


Reputation based Trust: CORE

“CORE: A Collaborative Reputation Mechanism to enforce node cooperation in Mobile Ad hoc Networks”.

- Proposed by Michiardi and Molva to enforce node cooperation in MANETs based on a collaborative monitoring technique
- Nodes modeled as members of a community
- The reputation is formed and updated over time.
  - assigns more weight to the past observations than the current observations
- Three types of reputation
  - subjective reputation
  - indirect reputation
  - functional reputation


CORE Details

- Has two protocol entities
  - Requester refers to a network entity asking for the execution of a function f
  - Provider refers to any entity supposed to correctly execute the function f
- Each node maintains
  - An RT Table for each function f
  - An entry in RT has:
    - unique ID
    - recent subjective reputation
    - recent indirect reputation
    - composite reputation for a predefined function
- RTs updated in two situations:
  - during the request phase
  - during the reply phase
- Each node is also equipped with a watchdog mechanism for promiscuous observation.


Reputation based Trust in WSNs

S. Ganeriwal and M. Srivastava. Reputation-based framework for high integrity sensor networks. In proceedings of the 2nd ACM workshop on Security of ad hoc and sensor networks (SASN ’04), October 2004 pp. 66-77.

The first reputation and trust-based model designed and developed exclusively for sensor networks.

Distributed, symmetric reputation-based model that uses both first-hand and second-hand information for updating reputation values.

Nodes maintain the reputation and trust values for only nodes in their neighborhood.


Reputation based framework for sensor networks (RFSN)

- Embedded in every social network is a web of trust
- How do human societies evolve?
  - Principle of reciprocal altruism
    - Be nice to others who are nice to you
  - When faced with uncertainties
    - Trust those who have the reputation of being trustworthy
- Proposed solution: Form a similar community of trustworthy nodes in the network over time


Why this approach?

- Sensor networks already follow a community model
  - Individual nodes do not have any utility
  - Collaborative information gathering, data processing and relaying.
  - Missing element is trust….
- Nodes are dumb and they collaborate with every node.
  - Internal adversaries exploit this very fact!
  - Faulty sensors result in equally detrimental effects.
- RFSN incorporates intelligence into nodes
  - Exposes trust as an explicit metric!
  - Cooperate with ONLY those nodes that are trustworthy.


Architecture of RFSN

- Observe the action of other nodes – Watchdog mechanism
- Develop a perception of other nodes over time – Reputation
- Share experiences to facilitate community growth – Second hand information
- Predict their future behavior – Trust
- Cooperate/Non-cooperate with trustworthy nodes – Behavior

[Figure: block diagram with the blocks Watchdog mechanism, Reputation, Trust, Behavior and Second hand information]


Integration of approaches

- Development of high integrity sensor networks will be a combination of techniques from different fields

[Figure: the RFSN block diagram (Watchdog mechanism, Reputation, Trust, Behavior, Second hand information) with the labels Protocol Development, Monitoring, Data Analysis, Statistics…., Cryptography and Decision theory]


Reputation representation

$$R_{ij} = \mathrm{Beta}(\alpha, \beta) = \frac{\Gamma(\alpha+\beta)}{\Gamma(\alpha)\,\Gamma(\beta)}\, x^{\alpha-1} (1-x)^{\beta-1}, \qquad 0 \le x \le 1,\ \alpha \ge 0,\ \beta \ge 0$$

- Probabilistic formulation
  - Use beta distribution to represent reputation of a node.
  - R_ij: Reputation of node j from the perspective of node i
- Why beta distribution?
  - Simple to store: Just characterized by 2 parameters.
  - Intuitive: α and β represent magnitude of cooperation and non-cooperation.
  - Efficient: Easy reputation updates, integration, trust formulation.
- Maintain reputation for just neighboring nodes
  - Use locality – Provides scalability.


Reputation propagation

- What to propagate?
- Constraints
  - Information about good nodes – Saves from bad mouthing attacks
  - Independent information – Critical to derivation in earlier slide

[Figure: the RFSN block diagram repeated for several nodes, each with the blocks Watchdog, Second Hand Info, Reputation, Trust and Behavior and the tables RT iC, RT iNC, RTD iC and RTD iNC]


Simulation study - NESLsim

- Simulation set up
  - Comparison with DUMB-RFSN
    - Representative of heuristic based approaches.
  - Metric: Trust between node i and j.
  - Parameter choices: Threshold (0.9), Initialization (Beta(1,1)).

[Figure: nodes i and j, with the labels Consistent data module and Routing module]


Bad Mouthing Attacks

[Figure: Trust Metric (0.1 to 1) versus Number of Packets (0 to 50). Curves: Scenario 1; 2 children; DUMB-BRSN. Scenario 2; 6 children; DUMB-BRSN. Initial Trust Metric. Scenario 1; 2 children; BRSN. Scenario 2; 6 children; BRSN.]

- Attack: Propagate false bad reputation information about good nodes
- Countermeasure: Good Reputation System
- Set up: Node j cooperates fully
- Scenario 1: 1 malicious child
  - DUMB-RFSN: Node i will wrongly conclude node j to be malicious.
  - RFSN: Completely resilient.


Bad Mouthing Attacks (Contd..)

[Figure: Trust Metric (0.1 to 1) versus Number of Packets (0 to 50). Curves: Scenario 1; 2 children; DUMB-BRSN. Scenario 2; 6 children; DUMB-BRSN. Initial Trust Metric. Scenario 1; 2 children; BRSN. Scenario 2; 6 children; BRSN.]

- Set up: Node j cooperates fully
- Scenario 2: 4 malicious children, 1 good child
  - DUMB-RFSN: Performance is even worse.
  - RFSN: Neglects bad nodes. Selectively takes advantage of 1 good node.


Ballot Stuffing

[Figure: Trust Metric (0 to 1) versus Number of Packets (0 to 50). Curves: Scenario 1; 2 children; DUMB-BRSN. Scenario 1; 2 children; BRSN. Initial Trust Metric. Scenario 2; 6 children; DUMB-BRSN. Scenario 2; 6 children; BRSN. Annotation: Both lines coincide.]

- Attack: Malicious nodes propagate false good reputation information.
- Countermeasure: Weight the second hand information appropriately
- Set up: Node j is malicious and colludes with malicious children nodes.
- Scenario 1: 1 malicious child
  - RFSN: Completely resilient.
  - DUMB-RFSN: Node i will conclude node j to be trustworthy.
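The two countermeasures from the bad mouthing and ballot stuffing slides (propagate only good information, and weight second hand information), as an added sketch that is not code from the lecture or from the RFSN authors. Assumptions: reputation is kept as cooperation counts (r, s) standing for Beta(r+1, s+1), trust is the mean of that distribution, the weighting is belief discounting in the style of Jøsang and Ismail's beta reputation system (the slides give no formula), the naive node stands in for DUMB-RFSN, and the `Node` and `discount` names and all counts are constructed.

```python
THRESHOLD = 0.9   # trust threshold from the simulation set up slide


def discount(reporter_counts, report):
    """Scale a (good, bad) report by the reporter's own reputation.

    Belief discounting in the Josang-Ismail style (an assumption here):
    the contribution is bounded by what the receiver has seen of the reporter.
    """
    rk, sk = reporter_counts
    r, s = report
    denom = (sk + 2) * (r + s + 2) + 2 * rk
    return 2 * rk * r / denom, 2 * rk * s / denom


class Node:
    def __init__(self, naive=False):
        self.naive = naive     # True: accept every report at face value
        self.counts = {}       # neighbour -> [cooperative, non-cooperative]

    def _c(self, n):
        return self.counts.setdefault(n, [0.0, 0.0])   # (0, 0) is Beta(1, 1)

    def trust(self, n):
        r, s = self._c(n)
        return (r + 1) / (r + s + 2)                   # mean of Beta(r+1, s+1)

    def observe(self, n, cooperated, times=1):
        """First hand information from the node's own watchdog."""
        self._c(n)[0 if cooperated else 1] += times

    def receive(self, reporter, about, good, bad):
        """Second hand information sent by a neighbour."""
        if self.naive:
            dr, ds = good, bad
        else:
            # Only good information is accepted, and it is discounted.
            dr, _ = discount(self._c(reporter), (good, 0.0))
            ds = 0.0
        c = self._c(about)
        c[0] += dr
        c[1] += ds


def bad_mouthing(naive):
    """j cooperates fully; child k, so far well behaved, reports 20 failures."""
    i = Node(naive)
    i.observe("j", True, 20)
    i.observe("k", True, 10)
    i.receive("k", "j", good=0, bad=20)
    return i.trust("j")


def ballot_stuffing(naive):
    """j is malicious; colluding child k, seen misbehaving, praises j heavily."""
    i = Node(naive)
    i.observe("j", False, 10)
    i.observe("k", True, 1)
    i.observe("k", False, 9)
    i.receive("k", "j", good=500, bad=0)
    return i.trust("j")


if __name__ == "__main__":
    for name, fn in (("bad mouthing", bad_mouthing), ("ballot stuffing", ballot_stuffing)):
        print(name, "naive:", round(fn(True), 3), "weighted:", round(fn(False), 3))
```

With these constructed counts the naive node drops the honest j below the threshold under bad mouthing and lifts the malicious j above it under ballot stuffing, while the weighted node's trust in j barely moves in either case.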


Comparison

| Metric | RFSN | Confidant | Core | E-bay | PeerTrust |
|---|---|---|---|---|---|
| Architecture | Distributed | Distributed | Distributed | Centralized | Distributed |
| Context | Sensor Networks | Ad-hoc Networks | Ad-hoc Networks | Internet | Peer-to-peer networks |
| Scope | Compromised / Faulty nodes | Routing misbehavior | Routing Misbehavior | E-trading | Choosing the right peer |
| Formulation | Bayesian formulation based on decision theory | Heuristics / Bayesian formulation based on game theory | Heuristics based on game theory | Heuristics | Heuristics |
| Reputation propagation | Only good | Only bad | Only good | Both good and bad | Both good and bad |
| Maintenance | Local | Local | Local | Global | Global |