kemal akkayawireless & network security 1 department of computer science southern illinois...
TRANSCRIPT
Wireless & Network Security 1 Kemal Akkaya
Department of Computer ScienceSouthern Illinois University Carbondale
CS 591 – Wireless & Network SecurityLecture 12: Distributed Trust
Dr. Kemal AkkayaE-mail: [email protected]
Wireless & Network Security 2 Kemal Akkaya
Trust Management in MANETs/WSNsTrust Management in MANETs/WSNs All participants actively contribute to network
activities such as routing and packet forwarding
Special characteristics: limited memory perishable battery power lower bandwidth
Two approaches:Monitoring-based
CONFIDANTWatchdog
Reputation-based CORE RFSN
Wireless & Network Security 3 Kemal Akkaya
Limitations of network security
Distributed collaborative data processing Network security -> Make sure that only authenticated nodes
participate. Network security cannot -> Verify if nodes function properly
Distributed data gathering Network security can -> message integrity, confidentiality, secure
relaying. Network security cannot -> data authentication.
How do nodes trust each other?How do nodes trust the information provided by other nodes?
Wireless & Network Security 4 Kemal Akkaya
CONFIDANT Buchegger, S. and Le Boudec, J. 2002. Performance analysis of
the CONFIDANT protocol. In Proceedings of the 3rd ACM international Symposium on Mobile Ad Hoc Networking &Amp; Computing (Lausanne, Switzerland, June 09 - 11, 2002). MobiHoc '02. ACM, New York, NY, 226-236.
Detect, prevent, and/or discourage: No forwarding (of control messages or data) Traffic deviation
Advertise many routes Advertise routes too often Advertise no routes
Route salvaging, rerouting to avoid a broken although no error has been observed
Lock of error messages, although an error has been observed (and vice versa)
Silent route change (tampering with message headers of either control or data packets)
Wireless & Network Security 5 Kemal Akkaya
Reputation Systems response to Attacks
A different method to handling attacks is to prevent them: Only allow good nodes onto the network Secure key to access network
Reputation systems detect misbehavior and then try to thwart attacks. A good idea even if other methods have been used to prevent
attacks and secure access
Inspiration of CONFIDANT: Richard Dawkin's The Selfish Gene Suckers Cheats Grudgers
Wireless & Network Security 6 Kemal Akkaya
CONFIDANT built on top of DSR
Dynamic Source Routing (DSR) Reactive/On-Demand routing Nodes send a ROUTE REQUEST message Neighbors add themselves to the source route and forward it on If the receiving node is the destination or has a route to the
destination it sends a REPLY message with the full route First received ROUTE REPLY wins Failed links can be salvaged by partial alternate route Routes are cached for some period of time
Observed Behavior 'Neighborhood Watch' behavior that is directly observed, overheard,
by the node.
Reported Behavior Share experienced misbehavior and learn from friends.
Wireless & Network Security 7 Kemal Akkaya
CONFIDANT Components
The Monitor Directly observes behavior
The Trust Manager Sends and receives
ALARMs
The Reputation System Node Rating
The Path Manager Route management based
on Reputation
(Every nodes implements all of these components)
Wireless & Network Security 8 Kemal Akkaya
The Monitor
Directly observes behaviorno forward (only observation implemented in
this simulation)Packet alteration
Data packetsRouting packets
Consistent claim of neighboring nodesAny other observable metric
Wireless & Network Security 9 Kemal Akkaya
The Trust Manager
Generate an alarm on experienced or observed misbehavior.
Forward alarm on received report of misbehavior.
Maintain trust table to determine trustworthiness of alarm Determining trust level
algorithm is an open question in paper
Table of nodes and their rating.
Weighted between past rating and newly observed behavior and reported reputation.
Only negative experience is counted
Positive change and timeout are not addressed yet.
Assume negative behavior is rare, and probably means node can never be trusted.
The Reputation System
Wireless & Network Security 10 Kemal Akkaya
The Path Manager
Path re-ranking according to security metric (re-rank route based on reputation).
Deletion of paths containing malicious nodes.Action on receiving a request for a route from a
malicious node (ignore request).Action on receiving request for a route
containing a malicious node in the source route (ignore, alert source).
Wireless & Network Security 11 Kemal Akkaya
CONFIDANT Results
Wireless & Network Security 12 Kemal Akkaya
CONFIDANT Results
Wireless & Network Security 13 Kemal Akkaya
Watchdog and Pathrater
S. Marti, T.J. Giuli, K. Lai, and M. Baker, “Mitigating Routing Misbehavior in Mobile Ad Hoc Networks,” Proc. MobiCom '00.
Extra facilities added to the network to detect and mitigate routing behavior.
Two extensions to DSR: Watchdog identifies misbehaving nodes by overhearing
transmissionsPathrater avoids routing packets through these nodes
Wireless & Network Security 14 Kemal Akkaya
Watchdog The watchdog is implemented by
maintaining a buffer of recently sent packets compare each overheard packet to buffered packets to see if there
is a match. If so, the packet in the buffer in removed and forgotten. A certain timeout indicates a failure tally – count it and see if it
exceeds a bandwidth threshold. If so, send a message back to the source.
Advantages It can detect misbehavior at the forwarding level
Disadvantages It might not detect a misbehaving node, due to
Ambiguous collisions Receiver collisions Limited transmission power False misbehavior Collusion Partial dropping
Wireless & Network Security 15 Kemal Akkaya
Disadvantages
Honest Nodes Ambiguous collisions Receiver collisions
Dishonest Nodes Transmission power
intentionally limited by a dishonest node
False misbehavior report by malicious node
Multiple dishonest nodes in collusion (groups of nodes)
Partial dropping by a dishonest node
Wireless & Network Security 16 Kemal Akkaya
PathRater
The pathrater, run by each node, combines knowledge of misbehaving nodes with link reliability data to pick the route.
Each node maintains a rating for every other node it knows about in the network
It calculates a path metric by averaging the node rating in the path. If there are multiple paths to the same destination, the path with the highest metric is chosen.
Wireless & Network Security 17 Kemal Akkaya
Simulation Results
Combined use of WD – Watchdog PR - PathRater SRR – Extra Route Request
Two mobility scenarios Performance Metrics
Throughput: The percentage of sent data packets actually received by the intended destinations
Overhead: The ratio of routing-related transmissions to data transmissions in a simulation
False positives: False positives occur when the Watchdog mechanism reports that a node is misbehaving when in fact it is not
Compromised nodes: from 0% to 40%
Wireless & Network Security 18 Kemal Akkaya
Throughput as % of misbehaving nodes
Wireless & Network Security 19 Kemal Akkaya
Throughput as % of misbehaving nodes
Wireless & Network Security 20 Kemal Akkaya
Overhead as % of misbehaving nodes
Wireless & Network Security 21 Kemal Akkaya
Overhead as % of misbehaving nodes
Wireless & Network Security 22 Kemal Akkaya
Throughput in presence of false detections
Wireless & Network Security 23 Kemal Akkaya
Reputation based Trust: CORE
CORE: A Collaborative Reputation Mechanism to enforce node cooperation in Mobile Ad hoc Networks”.
Proposed by Michiardi and Molva to enforce node cooperation in MANETs based on a collaborative monitoring technique
Nodes modeled as a members of a community The reputation is formed and updated along the time.
assigns more weight to the past observations than the current observations
Three types of reputation subjective reputation indirect reputation functional reputation
Wireless & Network Security 24 Kemal Akkaya
CORE Details Has two protocol entities
Requester refers to a network entity asking for the execution of a function f
Provider refers to any entity supposed to correctly execute the function f
Each node maintains An RT Table for each function f
An entry in RT has: unique ID recent subjective reputation recent indirect reputation composite reputation for a predefined function
RTs updated in two situations: during the request phase during the reply phase
Each node is also equipped with a watchdog mechanism for promiscuous observation.
Wireless & Network Security 25 Kemal Akkaya
Reputation based Trust in WSNs
S. Ganeriwal and M. Srivastava. Reputation-based framework for high integrity sensor networks. In proceedings of the 2nd ACM workshop on Security of ad hoc and sensor networks (SASN ’04), October 2004 pp. 66-77.
The first reputation and trustbased model designed and developed exclusively for sensor networks.
Distributed, symmetric reputation-based model that uses both first-hand and second-hand information for updating reputation values.
Nodes maintain the reputation and trust values for only nodes in their neighborhood.
Wireless & Network Security 26 Kemal Akkaya
Reputation based framework for sensor networks (RFSN)
Embedded in every social network is a web of trust
How does human societies evolve? Principle of reciprocal altruism
Be nice to others who are nice to you When faced with uncertainties
Trust them who have the reputation of being trustworthy
Proposed solution: Form a similar community of trustworthy nodes in the network over time
Wireless & Network Security 27 Kemal Akkaya
Sensor network already follow a community model Individual nodes do not have any utilityCollaborative information gathering, data processing and
relaying.Missing element is trust….
Nodes are dumb and they collaborate with every node. Internal adversaries exploit this very fact!Faulty sensors results in equally detrimental effects.
RFSN incorporates intelligence into nodesExposes trust as an explicit metric!Cooperate with ONLY those nodes that are trustworthy.
Why this approach?
Wireless & Network Security 28 Kemal Akkaya
Architecture of RFSN
Observe the action of other nodes – Watchdog mechanism Develop a perception of other nodes over time – Reputation Share experiences to facilitate community growth – Second
hand information Predict their future behavior – Trust Cooperate/Non-cooperate with trustworthy nodes – Behavior
Watchdog mechanism Reputation Trust Behavior
Second hand information
Wireless & Network Security 29 Kemal Akkaya
Integration of approaches
Development of high integrity sensor networks will be a combination of techniques from different fields
Watchdog mechanism Reputation Trust Behavior
Second hand information
Protocol DevelopmentMonitoringData AnalysisStatistics….
Cryptography Decision theory
Wireless & Network Security 30 Kemal Akkaya
Reputation representation
0,0,10)1()()(
)(),( 11
xxxBetaRij
Probabilistic formulation Use beta distribution to represent reputation of a node.
Reputation of node j from the perspective of node i
Why beta distribution? Simple to store: Just characterized by 2 parameters. Intuitive: α and β represents magnitude of cooperation and non-cooperation. Efficient: Easy reputation updates, integration, trust formulation.
Maintain reputation for just neighboring nodes Use locality – Provides scalability.
Wireless & Network Security 31 Kemal Akkaya
Reputation propagation
What to propagate?Constraints
Information about good nodes – Saves from bad mouthing attacks
Independent information – Critical to derivation in earlier slide
Re
pu
tatio
n
RT iNC
RT iC
Behavior
Trust
RTD iC
Wa
tchdo
g
Second Hand Info
RTD iNC
Re
pu
tatio
n
RT iNC
RT iC
Behavior
Trust
RTD iC
Wa
tchdo
g
Second Hand Info
Re
pu
tatio
n
RT iNC
RT iC
Behavior
Trust
RTD iC
Wa
tchdo
g
Second Hand Info
RTD iNC
Re
pu
tatio
n
RT iNC
RT iC
Behavior
Trust
RTD iC
Wa
tchdo
g
Second Hand Info
Re
pu
tatio
n
RT iNC
RT iC
Behavior
Trust
RTD iC
Wa
tchdo
g
Second Hand Info
RTD iNC
Re
pu
tatio
n
RT iNC
RT iC
Behavior
Trust
RTD iC
Wa
tchdo
g
Second Hand Info
Re
pu
tatio
n
RT iNC
RT iC
Behavior
Trust
RTD iC
Wa
tchdo
g
Second Hand Info
RTD iNC
Wireless & Network Security 32 Kemal Akkaya
Simulation study - NESLsim
Simulation set up Comparison with DUMB-RFSN
Representative of heuristic based approaches. Metric : Trust between node i and j. Parameter choices : Threshold (0.9), Initialization (Beta(1,1)).
Consistent data module
i
j
Routing module
Wireless & Network Security 33 Kemal Akkaya
0 5 10 15 20 25 30 35 40 45 500.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
Number of Packets
Tru
st
Me
tric
Scenario 1; 2 children; DUMB-BRSNScenario 2; 6 children; DUMB-BRSNInitial Trust MetricScenario 1; 2 children; BRSNScenario 2; 6 children; BRSN
Bad Mouthing Attacks
Attack: Propagate false bad reputation information about good nodes
Countermeasure: Good Reputation System
Set up: Node j cooperates fully
Scenario 1: 1 malicious child
DUMB-RFSN: Node i will conclude wrongly node j to be malicious.
RFSN: Completely resilient.
Wireless & Network Security 34 Kemal Akkaya
0 5 10 15 20 25 30 35 40 45 500.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
Number of Packets
Tru
st
Me
tric
Scenario 1; 2 children; DUMB-BRSNScenario 2; 6 children; DUMB-BRSNInitial Trust MetricScenario 1; 2 children; BRSNScenario 2; 6 children; BRSN
Bad Mouthing Attacks (Contd..)
Set up: Node j cooperates fully
Scenario 2: 4 malicious children,
1 good child
DUMB-RFSN: Performance is more worse.
RFSN: Neglects bad nodes. Selectively takes advantage of 1 good node.
Wireless & Network Security 35 Kemal Akkaya
0 5 10 15 20 25 30 35 40 45 500
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
Number of Packets
Tru
st
Me
tric
Scenario 1; 2 children; DUMB-BRSNScenario 1; 2 children; BRSNInitial Trust MetricScenario 2; 6 children; DUMB-BRSNScenario 2; 6 children; BRSN
Both lines coincide
Ballot Stuffing
Attack: Malicious nodes propagate false good reputation information.
Countermeasure: Weight the second hand information appropriately
Set up: Node j is malicious and colludes with malicious children nodes.
Scenario 1: 1 malicious child
RFSN: Completely resilient.
DUMB-RFSN: Node i will conclude node j to be trustworthy.
Wireless & Network Security 36 Kemal Akkaya
ComparisonMetric RFSN Confidant Core E-bay PeerTrust
Architecture Distributed Distributed Distributed Centralized Distributed
Context Sensor Networks
Ad-hoc Networks
Ad-hoc Networks
Internet Peer-to-peer networks
Scope Compromised / Faulty nodes
Routing misbehavior
Routing Misbehavior
E-trading Choosing the right peer
Formulation Bayesian formulation based on decision theory
Heuristics/ Bayesian formulation based on game theory
Heuristics based on game theory
Heuristics Heuristics
Reputation propagation
Only good Only bad Only good Both god and bad
Both good and bad
Maintenance Local Local Local Global Global