View
41
Download
0
Category
Tags:
Preview:
DESCRIPTION
Robust Trust Establishment for MANETs. Network/Computer Security Workshop 2006 Lehigh University, Bethlehem, PA May 15-16, 2006. by Charikleia Zouridaki ECE Dept., George Mason University Fairfax, VA 22030 Joint work with: Brian L. Mark, Marek Hejmo (GMU) - PowerPoint PPT Presentation
Citation preview
1
Robust Trust Establishment for MANETs
by Charikleia Zouridaki
ECE Dept., George Mason University
Fairfax, VA 22030
Joint work with: Brian L. Mark, Marek Hejmo (GMU)
Roshan K. Thomas (SPARTA, Inc.)
Network/Computer Security Workshop 2006Lehigh University, Bethlehem, PA
May 15-16, 2006
2
Agenda
1. Introduction – Problem Statement
2. Preliminaries: Overview of Hermes*
3. Trust Evaluation using Acknowledgements
4. Formulation of Opinions
5. Security Analysis
6. Simulation Results
7. Conclusions
* C. Zouridaki, B. L. Mark, M. Hejmo, R. K. Thomas, A Quantitative Trust Establishment Framework for Reliable Data Packet Delivery in MANETs. In Proc. 3rd ACM SASN’05, pp. 1-10, November 2005
3
Mobile Ad hoc NETworks (MANETs)vs. infrastructured wireless networks
•Each computer can communicate with every wireless enabled computer•One of the computers is the “bridge” to the wired LAN
•Each mobile node gets connected to an access point•The access point “bridges” the wireless LAN to a wired LAN
MANET IETF definition: a MANET is an autonomous system of mobile routers (and associated hosts) connected by wireless links; the union of which forms an arbitrary graph
4
Key Issues and Our Scope• Source node S must rely on other nodes to forward its packets
on multi-hop routes to destination node D
• Secure and reliable handling of packets by intermediate nodes is difficult to ensure • A malicious node within a route may drop packets
• Hermes • improves the reliability of packet forwarding over multi-hop routes in
the presence of malicious nodes both with respect to packet forwarding and trust propagation
• Hermes accurately computes Ti,j
• Under the assumption that the behavior of a given node with respect to propagating trust is no worse than its behavior in forwarding packets
• We extend Hermes to relax this assumption 3 types of misbehavior are considered
5
Hermes Overview
Collect ObservationData
Utilize Information(collected in Phase 1)
To form opinion P
for each node
Use opinions P (derived in Phase 2)
To find the most“trusted” Route to D
Phase 1 Phase 2 Phase 3
Hermes does not differentiate malicious packet forwarding behavior from packet loss due to congestion or link breakage.
6
Hermes Overview - detailed
observation data trust tconfidence c
Trustworthiness T
Opinion PAveraged opinionRouting opinion
VR P
Between neighbor nodes i, j
Between any pair of nodes i, mApplication of opinion metric to routing
Neighbors: nodes in transmission/reception range
t є [0, 1] degree to whicha neighbor can be trustedc є [0, 1] measure of statistical dispersion of t
T є [0, 1] = f (t, c)
P є [0, 1] = f (T) є [0, 1] = f (P) over observation windowsPVR є [0, 1] = f ( )P
7
First-Hand Trust EvaluationBayesian Framework:•Random variable Rk є [0, 1], represents a notion of trust over an observation window W : mk= # of forwarded packets, nk= total # of packets
• Suppose a prior pdf for Rk-1:
•Then:
•so:
•At t = 0:
),(~)( 11 kkkkkk mnbmabetarf
),(~)( 111 kkk babetarf
kkkkkkk mnbbmaa 11 ,
)1,1()(0 betarf
),( kkkk bat
),(121 kkk bac
1,0 ct
0
5.00
0
c
t
• Trust & confidence, , are computed as:
•At t = 0:
beta(20, 20)
beta(180, 20)
8
Trustworthiness T / Accumulation of Evidence
),(),0,5.0(
11
)1()1(
1
22
2
2
2
2
tTTTT
yx
yc
xt
T
acceptdef
• (x,y)-ellipses in the unit square determine the set of (t,c) pairs that are mapped to T as:
• θ: [-π/2, 0] and (x,y) determine the mapping from (t, c) to T
• Accumulation of Evidence• nodes snoop all received frames at the MAC layer & record packet delivery statistics of neighbor nodes •Windowing mechanisms, systematically expire old observation data to:
• improve the accuracy of the opinion metric• maintain the responsiveness of the system
9
Extension: Trust Evaluation using Acknowledgements
• Motivation: obtain first-hand information for non-neighbor nodes
• ACK scheme: uses ACKs, timeouts, NACKs
• Nodes collect information about downstream nodes
s i1 i3 din
ACKi2
s i1 i3 dini2
NACK
s i1 i3 dini2
NACK
FIN
10
s i1 i3 din
ACKi2
s i1 i3 dini2
NACK
Data MACs,d MACs,n MACs,2 MACs,1
packet
ACK r1d(k|0) r1
n(k|0) r12(k|0) r1
1(k|0)ACK packet
ACK r12(k|1) r1
1(k|1)NACK packet
Authentication of data and ACK/NACK packets
11
Authentication of ACK/NACK packets• Let's consider
• a path R = {s, i1, i2,…, in-1, in = d}, where n>1, • a packet p of sequence number k, • the shared key Kj,s • an one-way hash function h(.)
• source constructs (n-1)+(n-2) hash chains, each of length three• (n-1) for ACK authentication • (n-2) for NACK authentication
• to ensure that malicious intermediate nodes cannot discard the MAC field of another node without being detected
• r0j (k|0) = (Kj,s|| k|| 0): first element for node ai for ACK auth.
• r0j (k|1) = (Kj,s|| k|| 1): first element for node ai for NACK auth.
• r1j (k|0), r1
j (k|1) & r2j (k|0), r2
j (k|1) are constructed by applying h(.)
For S: Data = data||k||r21(k|0)|| r2
2(k|0)|| r23(k|0)||…||r2
n(k|0)|| r2d(k|0)||r2
1(k|1)|| r2
2(k|1)|| r23(k|1)||…||r2
n(k|1)
12
Trust Evaluation for Forwarding
• node X keeps packet delivery statistics for all nodes y
• compute first-hand tX,y and cX,y according to the Bayesian framework
• mapped to TX,y: allows for fine-grained node comparison
• Good nodes = T > Tdef, bad nodes = T ≤ Tdef
• Goal of the scheme: to identify bad nodes• even if it means a good node might temporarily appear as faulty by
sending valid NACKs
• We assume that if node X forwards packet p, it will also forward the corresponding ACK or NACK of p
13
Extended Hermes: without Recommendations
Collect Data•MAC layer snooping for neighbors
•ACK scheme for non-neighbors
Update Record•Packet delivery statistics
Update Trustworthiness Tx
Opinion Formulation
Calculate Routing Opinion
Route Selection
Route Selection
Px=Tx
14
Recommendations
Recommendations accelerate the convergence of the trust establishment procedures
• Node i asks for recommendations to: • establish trust opinion for node m, when Ti,m < Taccept,
• evaluate node j as a recommender
• Good recommender: TR > Tdef, bad recommender: TR
≤ Tdef
• Node i asks for d recommendations:• Good recommenders, nodes for which TR
< TRaccept,
• Bad recommenders if necessary
15
Algorithm of Recommendations for node i
while recommendations for node m are sought do
choose recommender set D;
obtain f ≤ d recommendations;
if Ti,m<Taccept then
temporarily place Ttmpi,m = max{Tj,m:j in D};
end if
run RC-test for recommendation Tj,m, for every j in D;
update recommender trustworthiness TRi,j , for every j in D;
form opinion Pi,m;
end while
16
Trustworthiness of Recommendations
• node i has Ti,m and received Tj,m from node j• The trustworthiness of the recommendation is evaluated as:
RC-test: |Ti,m-Tj,m| ≤ thr thr = threshold
• The RC-test outcome determines how the trustworthiness of the recommender is updated
• Exception: j is the upstream neighbor of m, m has initiated more than thr*100% NACKs
i j i3 dinm
NACK
17
Trustworthiness of Recommenders
• Recommender Trustworthiness TRi,j is the trustworthiness that
i places to j in respect to reliable propagation of trustworthiness values T
• TR is updated according to the Bayesian framework as ~ beta(γ, δ)
• γk = γk-1 + η & δk = δk-1 + η
• η = 1, when RC-test succeeds
0, when RC-test succeeds
• tRk, cR
k, TRk are computed as functions of γk and δk
18
Definition of Opinion
• Generalize the notion of trustworthiness opinion• First-hand & second-hand information
• max: because trustworthiness T • increases with the number of network observations
• is of bigger value when it has not been propagated many times in the network as recommendation
ji
jiT
TPPP
Rji
ji
defmjmjjij
mi
,1
,
for },{max
,,
,,,,
19
Extended Hermes: with Recommendations
Calculate Opinion•Combine first-hand trustworthiness
& second-hand opinion
Run RC-test
Update Recommender Trustworthiness
Choose Recommender Set
Collect Data•MAC layer snooping for neighbors
•ACK scheme for non-neighbors
Update Record•Packet delivery statistics
Update Trustworthiness Tx
Trustworthiness Formulation
Calculate Routing Opinion
Route Selection
Route Selection
Opinion Formulation
20
Security Properties of Extended Hermes
• Ability to model independence in malicious behaviors• Robustness against multiple false recommendations• Convergence in the identification of bad nodes• Resilience against multiple, concurrent and colluding
attacks• Independence from attack probability and placement• Resilience against duplication and replay
21
Simulation Results
• 10 nodes • randomly placed in a 500 x 500 m area• wireless radio transmission range = 250 m• traffic flows are generated randomly, as a function of
• number of network nodes • min and max allowed number of nodes on a route
one or more attackers may participate per flow attackers may be neighbors or non-neighbors
• Nodes (randomly chosen) exhibit four types of behavior:• Type I: Good nodes and good recommenders;• Type II: Bad nodes and good recommenders;• Type III: Good nodes and bad recommenders;• Type IV: Bad nodes and bad recommenders.
22
Simulation 1: Network View
• 8 random traffic flows, along different paths
• number of nodes on a route: min=4, max = 7
• Nodes 1, 3, 4, 5, 8, 9, 10: Type I
• Node 7: Type II: forwards 20% of packets
• Node 6: Type III: propagates recommendations of P = 0.5
• Node 2: Type IV: forwards 20% of packets, propagates recommendations of P = 0.5
• Source nodes send 100 data packets/round
• trustworthiness parameters are set as x = sqrt(2) and y = sqrt(9)
• threshold thr=0.1
23
Simulation 1: Opinion of good node/recommender for all other nodes after (a) 1, (b) 3, (c) 10, (d) 30 rounds
24
Simulation 1: Network view Pi,j, TRi,j
(a) Opinion Pi,j (b) Trustworthiness TRi,j
25
Simulation 1: Network View Pi,j (a) with (b) without Recommendations
(b)
26
Simulation 1: Node Behavior Changes
• nodes 1, 4, 5, 8, 9, 10: Type I• nodes 2, 6: bad recommenders, propagating P = 0,5• node 3: Type II• node 2 is good: rounds 1-5, bad: 6-50 (Type III Type IV)• node 7 is bad: rounds 1-10, good 11-50 (Type II Type I) • node 6: Type III• Good nodes = forward 100% packets • Bad nodes = forward 20% packets • Threshold thr = 0,1
27
Simulation 2: Convergence Comparison
• BN-recognition %: the % of all bad nodes that are recognized as bad by all the members of the network• nodes 1, 3, 4, 5, 8, 9, 10: Type I• node 7: Type II• node 6: Type III• node 2: Type IV• Good nodes: forward 100% of packets• Bad nodes 20% • Good recommenders propagate valid trust values• Bad recommenders send P = 0,5 • Initially: 1 flow, add: 1 flow/round• number of nodes on a route = 5• Threshold thr = 0.1 • Trustworthiness parameters: x = sqrt(2), y=sqrt(9)
28
Simulation 3: Hermes 2 vs. Hermes
•10 nodes, 5 traffic flows•Node 9: Bad, forwards 20% of packets•Hermes: bad nodes = bad recommenders Tdef used for trustworthiness calculation of nodes downstream of bad node •We simulated that: node 9 = bad recommender that propagates P = Tdef •Other nodes forward 90% of packets
29
Conclusion
Main contributions of extended Hermes:
• an acknowledgement scheme for first-hand trust information with respect to non-neighbor nodes
• a recommendation scheme that is robust against the propagation of false trust information
Summary of extensions to Hermes:
• allows nodes to form accurate opinions for any network node
• models the independence of malicious behavior with respect to packet forwarding and trust propagation
• identifies the effect of attacks by individual or colluding malicious nodes
30
Thank you!
Questions?
Recommended