miranda 02
TRANSCRIPT
-
7/26/2019 Miranda 02
1/6
Preventing selfishness in open mobile ad hoc networks
Hugo Miranda Lus Rodrigues
Abstract
Mobile ad hoc networks are a new and challengingtopic on mobile computing. A particular character-istic of ad hoc networks is their self-organization,what makes them highly dependable of the partic-ipants. Until recently, it was assumed that thesenetworks would be composed of cooperative hosts,where their owners share a common goal. How-ever, this assumption will probably be droppeddue to the generalization of computers equippedwith wireless network devices. This position papershows how the selfishness of the participants in aad hoc network can prejudice its overall functioningand sketches a protocol that discourages this kindof behavior.
1 IntroductionThe research effort on mobile networks (infra-structured or ad hoc) has focused mainly on rout-ing and usually assumes that all nodes are coopera-tive. These assumptions hold on military, or searchand rescue operations, where all hosts belong tothe same authority and their users share the samegoals. The application of mobile ad hoc networks(MANETs) for the support of open communitieshas emerged recently. In such environment, differ-ent users, with different goals, share the resourcesof their devices, ensuring global connectivity. Thissort of communities can already be found in wirednetworks, namely on peer-to-peer networks.
However, there is a significant difference betweenthe fixed and the mobile environment. Some re-sources, namely battery power, are scarce in a mo-bile environment and can be depleted at fast pacewith the device utilization. This can lead to a self-ish behavior of the device owner, that may attemptto take the benefit from the resources provided bythe other nodes without, in return, making avail-able the resources of his own devices.
In this scenario, open MANETs will likely resem-ble social environments. A group of persons canprovide benefits to each of its members as long aseveryone provides his contribution. For our partic-ular case, each member of a MANET will be called
to forward messages and to participate on routingprotocols. A selfish behavior threatens the entirecommunity. Optimal paths may not be available.As a response, other nodes may also start to behavein the same way. In the extreme, this can take tothe complete decoupling of the network. This kindof problems was already noticed on peer-to-peer filedistribution systems. It was observed in Gnutellathat the number of sites providing valuable contentto the network was a small part of the number ofusers retrieving information [1].
To provide the expected service, open MANETsshould implement a protocol that discourages the
selfish behavior. The protocol should apply somekind of penalty to the users that intentionallypresent selfish behavior and be tolerant to mali-cious attacks and to communication failures, thatcould penalize well-behaved hosts.
This paper is organized as follows. Section 2presents a possible scenario that motivates the needof selfishness prevention protocols. Section 3 pro-vides an overview of previous work realized on thesubject. One protocol extending previous ones ispresented on section 4. The future work and theconclusions are presented in section 5.
2 Motivation
Picture yourself in a conference room. The talkgoes boring and you think that this is the perfecttime for checking your e-mail using your new lap-top with a 802.11 network card. The conference ishosting an Internet room holding a wireless basestation. However, the room is too far from yourcurrent location and you are out of range. Youropinion about the speaker is shared by the major-
-
7/26/2019 Miranda 02
2/6
ity of the audience and you notice that a few more
laptops are being opened. Some of them really closeto the door. You are sure that they are within thebase station range. Suddenly, your desktop showsthat an ad hoc network has been established andyou have Internet access.
Your MANET utility application lets you knowthat you can reach two hosts within the wirelessbase station range and you start retrieving your e-mail. In the middle of the download you noticethat the available bandwidth has decreased and afew moments latter you are unable to reach your e-mail server. However, your utility application keeps
showing that those two nodes are active.
You lost connectivity when one of those nodesfound that the battery power of his laptop andsome of the available bandwidth was being usedfor forwarding your (and others) messages. Whenyour laptop stopped receiving acknowledgments, itstarted a new routing protocol round that led himto the second computer. The user of this computernoticed a huge increase on the number of forwardedmessages and, to prevent himself from depleting hisbattery, also ceased to forward messages on behalf
of the other users. Because one of the users of theMANET was selfish, you have now the opportu-nity to get the most of the boring talk! Probably,next time you will apply the same policy to anyoneattempting to use your network card.
As previously mentioned, MANETs where envi-sioned for search-and-rescue, military and law en-forcement operations. In these examples, all userswork together toward a common goal. There-fore, selfishness behavior is not expected sinceit would only prejudice the group. We envisionthat MANETs will rapidly expand to other do-mains, like the one presented above. In these OpenMANETs, users do not share a common goal. Eachuser will agree to share his resources only if thisbrings him some benefit and not to the group as inClosed MANETs.
While being impossible to forbid selfish behavior,Open MANETs users should be discouraged to doit. This can only be achieved by applying some kindof penalty to users. The following section showssome proposals toward this goal.
3 Related work
Malicious networks nodes that participate in rout-ing protocols but refuse to forward messages maycorrupt a MANET. These problems can be cir-cumvented by implementing a reputation system.In [5], the reputation system is used to instructcorrect nodes of those that should be avoided inmessages routes. However, as is, the system re-wards selfish nodes, who benefit from not forward-ing messages while being able to use the network.
On modern society, services are usually pro-vided in exchange of an amount of money, pre-viously agreed between both parts. The Termin-
odes project defined a virtual currency named beansused by nodes to pay for the messages. Those beanswould be distributed by the intermediary nodesthat forwarded the message [3, 4]. Implementationsof digital cash systems supporting fraud detectionrequire several different participants and the ex-change of a significant number of messages [6].To reduce this overhead, Terminodes assumes thathosts are equipped with a tamper resistant securitymodule, responsible for all the operations over thebeans counter, that would refuse to forward mes-sages whenever the number of beans available are
not sufficient to pay for the service. The modulesuse a Public Key Infrastructure (PKI) to ensurethe authentication of the tamper resistant modules.This infrastructure can be used with two billingmodels. In the Packet Purse Model, the senderpays to every intermediary node for the message,while in thePacket Trade Modelis the receiver thatis charged. In both models, hosts are charged as afunction of the number of hops traveled by the mes-sage.
The CONFIDANT protocol [2] implements areputation system for the members of MANETs.Nodes with a bad reputation may see their requestsignored by the remaining participant, this way ex-cluding them from the network. When comparedwith the previous system, CONFIDANT shows twointeresting advantages. It does not require any spe-cial hardware and avoids the self-inflicted punish-ment that could be the exploitation point for ma-licious users. The system tolerates certain kinds ofattacks by being suspicious on the incoming selfish-ness alerts that other nodes broadcast and relyingmostly on its self experience.
These systems show two approaches that con-
-
7/26/2019 Miranda 02
3/6
flict in several aspects. The number of requests
received by hosts depends of their geographical po-sition. Hosts may become overloaded with requestsbecause they are positioned in a strategical point inthe MANET. A well-behaved node that temporar-ily supports a huge amount of requests should lat-ter be rewarded by this service. CONFIDANT hasno memory, in the sense that the services providedby some host are quickly forgotten by the reputa-tion system. On the other hand, beanscan be keptindefinitely by hosts. In MANETs, it is expectedthat hosts move frequently, therefore changing thenetwork topology. The number of hops that a mes-sage must travel is a function based on the instant
position of the sender and the receiver and varieswith time. Terminodes charges the sender or thereceiver of a message based on the number of hopstraveled what may seems unfair since any of themwill pay based on a factor that is outside his con-trol.
4 The protocol
People tend to cooperate as long as they notice thatthere is a fair division of the tasks in a group. This
problem is extended for MANETs where the un-fairness of the service division may prevent usersfrom using their own devices. Beside punishment,selfishness prevention protocols must perform anequally important role in the fair distribution of ser-vices by the overall community what is not guaran-teed by all routing protocols. This can be achievedif hosts are allowed to present some justified self-ishness, by refusing part of the requests received,forcing the clients to search for alternatives.
Under some circumstances, like when two deviceowners in a MANET are friends or when the net-work administrator attempts to send a message,
selfishness may be acceptable. In the first case onehost is willing to provide unlimited services to an-other but this is orthogonal to the community. Thesecond shows one case of MANET acceptable self-ishness.
This section presents a new selfishness preven-tion protocol. The protocol shares some of theproperties of both protocols previously described:it presents a long time memory that allows hoststo be rewarded by services provided in the pastand does not charge by the number of hops used.
On the other hand, the protocol introduces some
new concepts by tolerating justified selfishness andby encompassing trapdoors toward socially accept-able selfishness. The protocol uses only one mes-sage, that each host periodically broadcasts and al-lows that hosts not running it participate in theMANET.
4.1 System model
In the exposition of the algorithm, every node isassumed to have the same transmission power andis equipped with an omni-directional antenna. Likein other broadcast mediums, hosts are able to listen
to messages that are not addressed to him. Eachhost has a unique network address which can notbe changed and is included in the messages that hesends.
In order for the protocol to behave correctly twoconditions are required: i) at least one route com-posed of only well-behaved nodes must exist be-tween any two well-behaved nodes and ii) selfishnodes do not cooperate between themselves. Re-moving these constraints is an open issue that willbe addressed in the future.
4.2 The algorithm
Outline The algorithm is based on a messagethat each node broadcasts periodically stating itsview about the neighborhood. The message ex-poses a sufficient amount of information that al-lows the remaining nodes to detect a liar, this waydefeating possible attacks.
The protocol introduces the fairness concept byallowing hosts to publicly declare that they refuseto forward messages to some hosts. It is up to thecommunity to evaluate if the proportion of refusedhosts reaches an unacceptable level of selfishness.
Data structures For each host q, each otherhost p will keep a data structure statusp[q] withthe following fields:
credits a signed integer increased for each messagethatp forwarded on behalf ofqand decreasedfor each message that q sent on behalf of p.The initial value is 0.
maxCredits the upper bound to credits.
-
7/26/2019 Miranda 02
4/6
state One of the following constants: OK, SUS-
PECTED, OTHERS SUSPECTED and SELF-ISH. The initial state of each new node is OK.A correct node p should continue to provideservices to a node q in the SELFISH state aslong as statusp[q].credits
-
7/26/2019 Miranda 02
5/6
All cooperative hosts, lightly loaded network
This is the most favorable scenario. Scwill be nearzero for all participants. In this case, hosts willbroadcast periodically oneselfStatemessage, wherethe fields selfishTo and knownSelfishNodes will beempty. The overhead introduced by the protocolis the periodic broadcast of one message. The casewhere some hosts do not implement the protocol ishandled transparently: they will ignore the contentof these messages. The nodes that are running theprotocol will create astatusstructure for them, thatwill be mostly kept with the default values.
All cooperative hosts, heavily loaded net-work Starting from the previous example,Sc willbecome excessively positive for some hosts and ex-cessively negative for others. Those that have beenmore loaded by requests from other hosts will startto move some of the nodes from the notSelfishTotothe selfishTo list. One can envision several criteriafor the selection, using for example statistical infor-mation about the number of hops toward the usualdestination of the messages of each host, or thenumber of negative credits. To keep network func-tionality, it is important that two or more loadedhosts attempt to define disjoint selfishTolists. Note
that well-behaved nodes should accept their move-ments to these lists and continue to provide servicesas long as their credits with the loaded hosts remainnegative.
Nodes not running the protocol that are placedin selfishTo lists will start to notice that their mes-sages are not being delivered. Their reaction tothis event will depend on several factors, for exam-ple the routing protocol being used.
One selfish node Selfish nodes are always penal-ized, whether they run the protocol or not, because
the decision is taken locally at each node basedon the information provided by its pairs. Whena host q refuses to forward messages, its addresswill be included in the knownSelfishNodes list ofthe selfState messages of the other hosts. Hostslistening to these messages will start to removethe entries fromstatusp[q].notSelfishT oand plac-ing them in statusp[q].selfishTo. Whenever the
rate statusp[q].notSelfishTo
statusp[q].notSelfishTo+statusp[q].selfishTo goes
bellow some threshold, hosts will begin to setstatusp[q].state = SELFISH. Eventually, q will
exhaust its credits with every host running the pro-
tocol and will have its messages refused.Previously selfish nodes may be reintegrated inthe group by broadcasting a new selfStatemessagewith some hosts in the notSelfishTolist. To preventrepetitive behavior, non-selfish hosts may reducemaxCreditsfor the host. One alternative procedure,which also allows the reintegration of hosts not run-ning the protocol is to become silent for a sufficientperiod of time so that their records can be erasedby having the dead counter to reach the threshold.
Malicious selfish host In order to attempt to
subvert the system, one malicious user must alwayshave knowledge of the protocol. Changing the stateof an host to SELFISHis an operation local to eachprotocol based on the following conditions: i) it ex-hausted the credits limit; ii) it refused to forwardmessages to some other host and iii) it was con-sidered selfish by a sufficient number of hosts. Thenumber of credits is a variable local to each host.Preventing one host from maliciously changing thisvalue lies on the broader problem of computer se-curity and is out of the scope of this paper.
The only possible attempt to subvert the proto-
col would be to fake the number of host that he isserving, by placing non-used addresses or by falselydeclaring some existing hosts on the notSelfishTofield of itsselfStatemessages. This would allow himto fool hosts that are not requesting services, post-poning (possibly indefinitely) the problem of thecredit exhaustion. These two possible turnaroundsare separately handled in the protocol. Unknownaddresses are ignored when each host accounts forthe number of hosts that the nodes are serving, sothe host has no advantage on providing this infor-mation. Declaring to be available to provide ser-vices to some hosts (that is, placing their address inthe notSelfishTo field) will make these nodes to re-quest him to forward messages. If he refuses, hostswill start to place the malicious host address in theknownSelfishNodes field which in turn, will makeits rate of serving hosts lower, eventually (when asufficient number of nodes detects the fraud) bel-low the acceptable threshold for the hosts to con-sider him selfish. Note that invalid addresses areexpected due to the limited transmission range ofthe network devices and can not, by themselves,be considered an attempt to subvert the protocol.
-
7/26/2019 Miranda 02
6/6
The definition of a proper threshold must be sub-
ject of further study and may vary depending onthe density of the nodes in the MANET area.
4.4 Other considerations
Node movement MANETs expect their hoststo move frequently, changing the network topology.When moving, one host may become outside therange of another. Even in the presence of pend-ing messages, the protocol does not falsely considerthese hosts as selfish thanks to the deadtimer thatwill erase all the information of the host if no mes-sages are heard from him for some period of time.
Socially acceptable selfishness The two cate-gories of socially acceptable selfishness presentedabove are handled differently by the protocol.Friendship can be tolerated by instructing nodes tonever declare some address to be selfish. This way,even when the remaining members of the commu-nity start to declare the host has selfish, he willalways be able to forward messages to that one.Note that the friends of a selfish node must stillbe able to request services from other nodes, andare accountable by the credits that should be payedfor the service. MANET acceptable selfishness canbe implemented with a Private Key Infrastructurewhere the certification authority makes availablethe public key of the hosts that can use the net-work without restrictions. All messages from thathost should be signed and no credits accountabilityshould be imposed to intermediary nodes.
5 Conclusions and future
work
MANETs are particularly sensible to unexpectedbehaviors. The generalization of wireless deviceswill soon turn MANETs in one of the most impor-tant connection methods to the Internet. However,the lack of a common goal in MANETs without acentralized human authority will make them diffi-cult to maintain: each user will attempt to retrievethe most of the network while expecting to pay asless as possible. In human communities, this kindof behavior is called selfishness. While prohibitingselfishness shows to be impossible over a decentral-
ized network, applying punishments to those that
present this behavior may be beneficial.This position paper outlined a selfishness preven-tion protocol for Open MANETs. The protocolshows some novelties: its decentralization avoidsthe usage of complex payment systems and it in-troduces the concept of justified selfishness thatmakes the whole system more fair, not penalizingusers by their network topological location. Thiswork is on its early stages of development and lackstheoretical and experimental validation. Futurework includes an experimental evaluation over anetwork simulator, where different topologies andhost movements will be tested. Its integration with
routing protocols may also shows to be beneficial.
References
[1] E. Adar and B. Huberman. Free riding ongnutella. First Monday, 5(10), October 2000.
[2] S. Buchegger and J.-Y. Le Boudec. Performanceanalysis of the CONFIDANT protocol: Cooper-ation Of Nodes - Fairness In Distributed Ad-hocNeTworks. Technical Report IC/2002/01, SwissFederal Institute of Technology, Lausanne, Jan-
uary 2002.
[3] L. Buttyan and J. Hubaux. Enforcing serviceavailability in mobile ad-hoc wans. In Proc. ofthe First IEEE/ACM Workshop on Mobile AdHoc Networking and Computing (MobiHOC),Boston, MA, USA, August 2000.
[4] L. Buttyan and J. Hubaux. Stimulating co-operation in self-organizing mobile ad hoc net-works. Technical Report DSC/2001/046, SwissFederal Institute of Technology, Lausanne, Au-gust 2001.
[5] S. Marti, T. Giuli, K. Lai, and M. Baker. Mit-igating routing misbehavior in mobile ad hocnetworks. In Proceedings of Mobicom 2000,Boston, USA, August 2000.
[6] P. Verssimo and L. Rodrigues. Distributed Sys-tems for System Architects, volume 1 of Ad-vances in Distributed Computing and Middle-ware. Kluwer Academic Publishers, Boston,January 2001.