Autonomic trust reasoning enables misbehavior detection in OLSR

Notion of trust Overview of OLSR Trust-Based Reasoning for OLSR Example of attack Hello message fabrication Conclusions and

Autonomic trust reasoning enables misbehaviordetection in OLSR

Asmaa Adnane 1, Rafael de Sousa 2, Christophe Bidan 1 andLudovic Me1

1Supelec, SSIR team (EA 4039), France2University of Brasılia - LabRedes, supported by CNPq - Brazil

20th March 2008

A. Adnane, R. de Sousa, C. Bidan, L. Me

Autonomic trust reasoning enables misbehavior detection in OLSR


Plan

1 Trust-Based Reasoning for OLSR

2 Example of attack Hello message fabrication

3 Conclusions and future works

4 Bibliography




Notion of trust

The fact that an entity A trusts an entity B in some respectmeans that

A believes that B will behave in a certain way and performsome action in certain specific circumstancesA actually believes that B has the potential to carry out therelated tasks competently and honestly

Trust specification language [2]

A trusts B with respect to (doing) the action c

A trustsc(B)

the non trust is presented by the following expression :

A¬trusts(B)




Characteristics of the OLSR protocol[1] (1/2)

Flooding routing OLSR routingA. Adnane, R. de Sousa, C. Bidan, L. Me



Characteristics of the OLSR protocol[1] (2/2)

Proactive link-state routing protocol, with a floodingmechanism to diffuse link state information

Multi-point relays (MPRs) are selected nodes that forwardmessages during the flooding process

HELLO messages

Sent periodically by a node to advertise its linksAllow a node to establish its view of the 2-hop neighborhood,then MPR selection

TC messages

Convey the topological information necessary for computingroutesPeriodically broadcast by MPRs advertising link state tosymmetric neighbors




Notations

MANET : the set of the whole MANET nodes

LSx : Link Set

NSx : Neighbor Set

2HNSx : 2-Hop Neighbor Set

MPRSx : MPR Set (MPRSx ⊆ NSx)

MPRSSx : MPR Selection Set




Application of Trust-based Reasoning in OLSR

Validation process

Validation of basic belief

Validation of MPR selection

Validation of local viewValidation of neighbors view





Validation of basic belief (1/3)

AB

HELLOB ,LSBLSB = {}LSA = {BASYM}

HELLOALSB = {ASYM ,CSYM}NSB = {A}

HELLOB LSA = {BSYM}NSA = {B}

2HNSA = {C}

MPRSA = {B}HELLOA,LSA = {BMPR}

MPRSSB = {A}

TCB = {A}*






In [3] authors present intrinsic properties of the protocol regardingthe expected correct behavior in message processing and routingorganization.

TCY ⊆ HELLOY

X ∈ TCY ⇒ Y ∈ MPRSX

TCY = (TCY )Z






In the point of view of trust :

HELLO and TC message of any neighbor must be consistent:

XHELLOY←− Y,X

TCY←− Y ,TCY * NSY ⇒ X¬trusts(Y)

Received TC must be consistent with local MPR selection:

XTCY←− ∗, X ∈ TCY, Y /∈MPRSX ⇒ X¬trusts(Y)

TC messages can not be modified before forwarding:

XTCY←− Y, ∃m ∈MPRSY,TCY 6= (TCY)m

⇒ X¬trusts(Y, m)




Validation of MPR Selection

Validation of MPR selection

MPR Selection is a critical operation as it provides each node theaccess to the network. In our approach, after the MPR Selectioneach node should verify the two following points:

1 the nodes selected as MPR must behave correctly regardingthe operations of broadcasting TC messages and forwardingTC messages and data packets originated by MPR selectors;

2 the local choices of MPRs by a node must be in accordance toglobal topology information received by this node.





Supervising MPR behavior

MPR selection leads to the following expression :

∀ Y ∈ MPRSX : X trustsfw (Y ) (1)

this trust relation is broken in the following situation :

Checking TC message generation:

Y ∈ MPRSX , (XTCY8 Y ) or (X

TCY← Y ,X /∈ TCY )⇒ X¬trusts(Y )

Checking data packet and TC message forwarding:

Y ∈ MPRSX , (XTCX→ ∗,X

TC8 Y ) or (X

DATA→ ∗,X

DATAX8 Y )⇒ X¬trusts(Y )





Validation of neighbor view (1/2)

Checking the TC messages received from neighbor: If A,B ∈ NSX ,then the following implications must hold:

NSA = NSB ⇒MPRSSA ∩MPRSSB = ∅, a commonneighbor of A and B must not select both of them as MPRs





Validation of neighbor view (2/2)

NSB ⊂ NSA ⇒MPRSSB = ∅, B should not be selected asMPR, all its neighbors will select A as MPR, so B should notgenerate a TC message




Example of attack : Hello message fabrication

att

1 2

T

3

4

Symmetric linkFalse link (node)




Consequences of the attack

Consequences of the attack

att 1T

HELLO, LST = {att.1} HELLO, LS1 = {att, T , 2}

MPRST = {att}

HELLO, LSatt = {T , 1, 2, 4} HELLO, LSatt = {T , 1, 2, 4}

NSatt = {T , 1, 2, 4}




Detection of the attack

Detection of attack by the target node

att T 1

TCatt = {T , 4, 1, 2} = NSatt

TC1 = {2},NS1 = {att,T , 2}

Trust check: OK

Trust check:(att) neighborhood contains node (1) neighborhood,but this one broadcasts a TC message

Node (T): Mistrust the nodes (att) and (1)





Detection of attack by the node 1

att 1 2HELLO,NS2 = {1, 3}

HELLO,NSatt = {T , 1, 2, 4}

Trust check: OK

Trust check:Node (1) is a symmetric neighbor of (2),

Node (1) : Mistrust the nodes (att) and (2)TCatt = {T , 1, 2, 4}

Trust check:Node (att) is MPR of (2), but not advertised in HELLO(2)

Node (1) : Mistrust the nodes (att) and (2)

but not advertised in HELLO(2),





Detection of attack by the nodes 2 and 3

1att 2 3

Trust check:Node (att) advertises my address in a TC message,

Node (2) : Mistrust the node (att)

TCatt

but it is not my MPR.

(TCatt)fw

(TCatt)fw

Node (att) is a symmetric neighbor of (2),

Node (3) : Mistrust the nodes (att) and (2)but not advertised in HELLO(2),

Trust check:




Conclusions

Each node is enabled to mistrust misbehaving nodes bycorrelation of received message and deductions using theprotocol trust rules without modifying the protocol.

The simulation using attack scenarios shows the effectivenessof using mistrust to detect some known attacks against OLSR.

Future works

Trust-based reasoning in OLSR nodes can also be useful forrouting table validation,

Measure the impact of trust-based reasoning on the protocol,not only to detect attacks, but to react and take measures tocounter them.




Bibliography

Clausen T, Jacquet P (2003) IETF RFC-3626: Optimized LinkState Routing Protocol OLSR.

Yahalom R, Klein B, Beth T (1993) Trust Relationships inSecure Systems - A Distributed Authentication Perspective. In:SP’93: Proceedings of the 1993 IEEE Symposium on Securityand Privacy. IEEE Computer Society, Washington, USA.

M. Wang and L. Lamont and P Mason and M. Gorlatova(2005) : An Effective Intrusion Detection Approach for OLSRMANET Protocol. In the first Workshop on Secure NetworkProtocols (NPSec). Boston, Massachusetts, USA.




Autonomic trust reasoning enables misbehaviordetection in OLSR

Questions and remarks ?



Technology

Autonomic trust reasoning enables misbehavior detection in OLSR