Building A Trustworthy, Secure,
And Privacy Preserving Network
Bharat Bhargava
CERIAS Security Center
CWSA Wireless Center
Department of CS and ECE
Purdue University
Supported by NSF IIS 0209059, NSF IIS 0242840,
NSF ANI 0219110, CISCO, Motorola, IBM
1
Research Team
• Faculty Collaborators
– Dongyan Xu, middleware and privacy
– Mike Zoltowski, smart antennas, wireless security
– Sonia Fahmy, Internet security
– Ninghui Li, trust
– Cristina Nita-Rotaru, Internet security
• Postdocs
– Leszek Lilien, privacy and vulnerability
– Xiaoxin Wu, wireless security
– Jun Wen, QoS
– Mamata Jenamani, privacy
• Ph.D. students
– Ahsan Habib, Internet security
– Mohamed Hefeeda, peer-to-peer
– Yi Lu, wireless security and congestion control
– Yuhui Zhong, trust management and fraud
– Weichao Wang, security of ad hoc networks
More information at http://www.cs.purdue.edu/people/bb
2
Motivation
• Lack of trust, privacy, security, and reliability
impedes information sharing among distributed
entities.
– The San Diego Supercomputer Center detected 13,000
DoS attacks in a three-week period [eWeek, 2003]
– Internet attacks in February, 2004 caused an
estimated $68 billion to $83 billion in damages
worldwide [British Computer Security Report]
– Business losses due to privacy violations
• Online consumers worry about revealing personal data
• This fear held back $15 billion in online revenue in 2001
– 52,658 reported system crashes caused by software
vulnerabilities in 2002 [Express Computers 2002]
3
Research is required for the creation
of knowledge and learning in secure
networking, systems, and applications.
4
Goal
• Enable the deployment of security
sensitive applications in the pervasive
computing and communication
environments.
5
Problem Statement
• A trustworthy, secure, and privacy preserving
network platform must be established for
trusted collaboration. The fundamental
research problems include:
– Trust management
– Privacy preserved interactions
– Dealing with a variety of attacks and frauds in
networks
– Intruder identification in ad hoc networks (focus
of this seminar)
6
Applications/Broad Impacts
• Guidelines for the design and deployment of
security sensitive applications in the next
generation networks
– Data sharing for medical research and treatment
– Collaboration among government agencies for
homeland security
– Transportation system (security check during travel,
hazardous material disposal)
– Collaboration among government officials, law
enforcement and security personnel, and health care
facilities during bio-terrorism and other emergencies
7
Scientific Contributions
A. Trust formalization
B. Privacy preservation in interactions
C. Network tomography techniques for DoS
attacks
D. Intrusion detection and intruder
identification in ad hoc networks
E. Vulnerability analysis and threat
assessment
8
A. Trust Formalization
• Problem
– Dynamically establish and update trust among entities in an
open environment.
• Research directions
– Handling uncertain evidence
– Modeling dynamic trust
– Formalization and detection of fraud
• Challenges
– Uncertain information complicates the inference procedure.
– Subjectivity leads to various interpretations toward the same
information.
– The multi-faceted and context-dependent characteristics of trust
require a tradeoff between the comprehensiveness of the representation
and the computational simplicity of the trust model.
9
Uncertain Evidence
• Probability-based approach to evaluate the
uncertainty of a logic expression given a set of
uncertain evidence
– Atomic formula: Bayes network + causal
inference + conditional probability interpretation
of opinion
– AND/OR expressions: rules defined by Jøsang [Jøsang'01]
– Subjectivity is realized using the discounting operator
proposed by Shafer [Shafer'76] (see the sketch below)
10
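To make the evidence-combination step concrete, here is a small Python sketch of subjective-logic style opinions with a Jøsang-style discounting operator and an AND rule. The Opinion class, function names, and example numbers are our own illustrative assumptions, not the exact formalization used in this work.

from dataclasses import dataclass

@dataclass
class Opinion:
    belief: float       # b: evidence supporting the statement
    disbelief: float    # d: evidence against the statement
    uncertainty: float  # u: lack of evidence, with b + d + u = 1

def discount(trust_in_source: Opinion, op: Opinion) -> Opinion:
    """Discounting: weaken a source's opinion by our trust in the source (sketch)."""
    b, d, u = trust_in_source.belief, trust_in_source.disbelief, trust_in_source.uncertainty
    return Opinion(belief=b * op.belief,
                   disbelief=b * op.disbelief,
                   uncertainty=d + u + b * op.uncertainty)

def conjunction(x: Opinion, y: Opinion) -> Opinion:
    """AND of two independent opinions (both statements must hold)."""
    b = x.belief * y.belief
    d = x.disbelief + y.disbelief - x.disbelief * y.disbelief
    return Opinion(belief=b, disbelief=d, uncertainty=1.0 - b - d)

# Example: a claim reported by a partially trusted witness
trust_in_witness = Opinion(0.7, 0.1, 0.2)
witness_claim = Opinion(0.8, 0.1, 0.1)
print(discount(trust_in_witness, witness_claim))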
Dynamic Trust
• Trust production based on direct interaction
– Identify behavior patterns and their characteristic
features
– Determine which pattern is the best match of an
interaction sequence
– Develop personalized trust production algorithms
considering behavior patterns
• Reputation aggregation
– Global reputation vs. personalized reputation
– Personalized reputation aggregation
• Determine the subset of trust information useful for
a specific trustor by using collaborative filters
• Translate trust information into the scale of a
specific trustor
11
Trust Enhanced Role Assignment
(TERA) Prototype
• Trust enhanced role mapping (TERM) server
assigns roles to users based on
– Uncertain & subjective evidence
– Dynamic trust
• Reputation server
– Dynamic trust information repository
– Evaluate reputation from trust information by using
algorithms specified by TERM server
Prototype and demo are available at
http://www.cs.purdue.edu/homes/bb/NSFtrust/
12
TERA Architecture
[Architecture diagram: users (Alice, Bob) send role requests to RBAC-enhanced application servers and receive assigned roles; each application server reports user behavior from its interactions to a TERM server; the TERM servers exchange trust based on behaviors with a shared reputation server inside TERA.]
13
Trust Enhanced Role Mapping (TERM) Server
• Evidence rewriting
• Role assignment
– Policy parser
– Request processor & inference engine
– Constraint enforcement
• Policy base
• Trust information management
– User behavior modeling
– Trust production
14
TERM Server
[Component diagram of the TERM server: the user requests a role and supplies evidence statements; Evidence Rewriting derives trust toward the issuer and passes evidence statements to Role Assignment, which assigns the role using role-assignment policies from the Policy Base (set by the policy maker) and credentials provided/retrieved through the TERM Credential Manager; Trust Information Management receives behaviors from the application server, exchanges trust information and reputation with the reputation server, and supplies trust toward the user/issuer.]
15
Fraud Formalization and Detection
• Model fraud intention
– Uncovered deceiving intention
– Trapping intention
– Illusive intention
• Fraud detection
– Profile-based anomaly detection
• Monitor suspicious actions based upon the
established patterns of an entity
– State transition analysis
• Build an automaton to identify activities that lead
towards a fraudulent state
16
Model Fraud Intentions
• Uncovered deceiving
intention
– Satisfaction ratings
are stably low.
– Ratings vary in a
small range over
time.
17
Model Fraud Intentions
• Trapping intention
– Rating sequence can
be divided into two
phases: preparing
and trapping.
– A swindler behaves
well to achieve a
trustworthy image
before conducting
fraud.
18
Model Fraud Intentions
• Illusive intention
– A smart swindler
attempts to cover up
the bad effects by
intentionally doing
something good after
each misbehavior.
– The process of preparing
and trapping is
repeated.
19
B. Private and Trusted Interactions
• Problem
– Preserve privacy, gain trust, and control dissemination of data
• Research directions
– Dissemination of private data
– Privacy and trust tradeoff
– Privacy metrics
• Challenges
– Specify policies through metadata and establish guards as
procedures
– Efficient implementation
– Estimate privacy depending on who will get this information,
possible uses of this information, and information disclosed in
the past
– Privacy metrics are usually ad hoc and customized
Detail slides at http://www.cs.purdue.edu/homes/bb/priv_trust_cerias.ppt
20
Preserving Privacy in Data Dissemination
• Design self-descriptive private objects
• Construct a mechanism for apoptosis of private objects
(apoptosis = clean self-destruction)
• Develop proximity-based evaporation of private objects
• Develop schemes for data distortions
21
Privacy-Trust Tradeoff
• Gain a certain level of trust with the least loss of
privacy
• Build trust based on digital credentials of users
that contain private information
• Formulate the privacy-trust tradeoff problem
• Estimate privacy loss due to disclosing a set of
credentials
• Estimate trust gain due to disclosing a set of
credentials
• Develop algorithms that minimize privacy loss
for a required trust gain (see the sketch below)
22
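As a rough illustration of the tradeoff problem, the sketch below greedily discloses credentials with the best trust-gain per unit of privacy loss until the required trust gain is reached. The credential names, costs, and the greedy heuristic itself are assumptions for illustration; the project's actual evaluators and algorithms may differ.

def select_credentials(credentials, required_trust_gain):
    """Greedy heuristic: disclose credentials with the best trust-gain per unit
    privacy-loss until the required trust gain is reached.

    credentials: list of (name, privacy_loss, trust_gain) tuples (assumed given,
                 with privacy_loss > 0).
    Returns (chosen names, total privacy loss), or None if the gain is unreachable.
    """
    ranked = sorted(credentials, key=lambda c: c[2] / c[1], reverse=True)
    chosen, total_loss, total_gain = [], 0.0, 0.0
    for name, loss, gain in ranked:
        if total_gain >= required_trust_gain:
            break
        chosen.append(name)
        total_loss += loss
        total_gain += gain
    if total_gain < required_trust_gain:
        return None  # required trust level cannot be reached
    return chosen, total_loss

# Hypothetical credentials: (name, privacy loss, trust gain)
print(select_credentials([("age", 2.0, 1.0), ("employer", 3.0, 4.0), ("ssn", 9.0, 5.0)], 4.5))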
Privacy Metrics
• Determine the degree of data privacy
– Size of anonymity set metrics
– Entropy-based metrics
• Privacy metrics should account for:
– Dynamics of legitimate users
– Dynamics of violators
– Associated costs
23
Size of Anonymity Set Metrics
• The larger the set of indistinguishable entities, the lower
the probability of identifying any one of them
– Can be used to "anonymize" a selected private attribute value
within the domain of all its possible values
• "Hiding in a crowd": an entity is "less" anonymous in a small set
(probability 1/4 in a set of four) and "more" anonymous in a large set
(probability 1/n in a set of n)
24
Dynamics of Entropy
• Decrease of system entropy with attribute
disclosures (capturing dynamics)
[Figure: entropy level (starting at H*) vs. number of disclosed attributes, with marked points (a)–(d) as disclosure progresses toward all attributes.]
– When entropy reaches a threshold (b), data evaporation can be invoked to
increase entropy by controlled data distortions
– When entropy drops to a very low level (c), apoptosis can be triggered to
destroy private data
– Entropy increases (d) if the set of attributes grows or the disclosed attributes
become less valuable – e.g., obsolete or more data now available
25
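To make the entropy discussion concrete, the sketch below computes the entropy of the remaining candidate values of a private attribute and maps it to the evaporation/apoptosis actions described above. The threshold values and function names are illustrative assumptions.

import math

def entropy(probabilities):
    """Shannon entropy (bits) of the distribution over values the attribute may still take."""
    return -sum(p * math.log2(p) for p in probabilities if p > 0)

def privacy_action(probabilities, evaporation_threshold=2.0, apoptosis_threshold=0.5):
    """Map the current entropy level to an action, mirroring points (b) and (c) above.
    The thresholds are made-up example values."""
    h = entropy(probabilities)
    if h <= apoptosis_threshold:
        return "apoptosis"      # destroy the private data
    if h <= evaporation_threshold:
        return "evaporate"      # distort data to raise entropy
    return "ok"

# Before disclosure: 8 equally likely values (3 bits); after disclosures far fewer remain.
print(privacy_action([1/8] * 8), privacy_action([0.5, 0.5]), privacy_action([0.9, 0.1]))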
Private and Trusted System (PRETTY) Prototype
[Architecture diagram: numbered information flows (1)–(4) and sub-steps [2a]–[2d] among the user application, server application, TERA server, privacy negotiators, and data disseminator; the flows are described on the next slide.]
TERA = Trust-Enhanced Role Assignment
26
Information Flow for PRETTY
1) User application sends query to server application.
2) Server application sends user information to TERA server for trust evaluation
and role assignment.
a) If a higher trust level is required for the query, the TERA server sends a request for more
user credentials to the privacy negotiator.
b) Based on the server's privacy policies and the credential requirements, the server's privacy
negotiator interacts with the user's privacy negotiator to build a higher level of trust.
c) The trust gain and privacy loss evaluator selects credentials that will increase trust to the
required level with the least privacy loss. The calculation considers credential
requirements and credentials disclosed in previous interactions.
d) According to privacy policies and the calculated privacy loss, the user's privacy negotiator
decides whether or not to supply credentials to the server.
3) Once the trust level meets the minimum requirements, appropriate roles are
assigned to the user for execution of the query.
4) Based on query results, the user's trust level, and privacy policies, the data disseminator
determines: (i) whether to distort data and if so to what degree, and (ii) what
privacy enforcement metadata should be associated with it.
27
Experimental Studies
• Private object implementation
– Validate and evaluate the cost, efficiency, and the impacts on the
dissemination of objects
– Study the apoptosis and evaporation mechanisms for private objects
• Tradeoff between privacy and trust
– Study the effectiveness and efficiency of the probability-based and
lattice-based privacy loss evaluation methods
– Assess the usability of the evaluator of trust gain and privacy loss
• Location-based routing and services
– Evaluate the dynamic mappings between trust levels and distortion
levels
28
C. Tomography Research
• Problem
– Defend against denial of service attacks
– Optimize the selection of data providers in peer-to-peer systems
• Research Directions
– Stripe based probing to infer individual link loss by
edge-to-edge measurements
– Overlay based monitoring to identify congested links
by end-to-end path measurement
– Topology inference to estimate available bandwidth
by path segment measurements
29
Defeating DoS Attacks in the Internet
30
Overlay-based Monitoring
• Do not need individual link loss to identify
all congested links
• Edge routers form an overlay network for
probing. Each edge router probes part of the
network
• Problem statement
– Given topology of a network domain, identify
which links are congested and possibly under
attack
31
Attack Scenarios
[Plots vs. time (sec): (a) changing delay pattern (ms) due to attack, (b) changing loss pattern (loss ratio) due to attack.]
32
Identified Congested Links
[Plots of loss ratio vs. time (sec): (a) counter-clockwise probing, (b) clockwise probing.]
Probe46 in graph (a) and Probe76 in graph (b) observe high losses,
which means link C4 → E6 is congested.
33
Probing: Simple Method
[Figure: (a) topology with a congested link, (b) overlay of edge routers, (c) internal links.]
34
Analyzing Simple Method
• Lemma 1. If P and P′ are probe paths in the first
and the second round of probing respectively,
then |P ∩ P′| ≤ 1
• Theorem 1. If only one probe path P is shown to
be congested in any round of probing, the
simple method successfully identifies the status of
each link in P
• Performs better if edge-to-edge paths are
congested
• The average length of the probe paths in the
simple method is ≤ 4
35
Performance: Simple Method
• Theorem 2. Let p be the probability of a link
being congested in any arbitrary overlay
network. The simple method determines the
status of any link of the topology with
probability at least 2(1−p)^4 − (1−p)^7 + p(1−p)^12
[Plot: detection probability vs. fraction of actual congested links.]
36
Advanced Method
AdvancedMethod()
begin
    Conduct Simple Method. E is the unsolved equation set
    for each undecided variable Xij of E do
        node1 = FindNode(Tree T, vi, IN)
        node2 = FindNode(Tree T, vj, OUT)
        if node1 ≠ NULL AND node2 ≠ NULL then
            Probe(node1, node2). Update equation set E
        end if
        Stop if no more probe exists
    endfor
end
37
Analyzing Advanced Method
• Lemma 2. For an arbitrary overlay network with n
edge routers, on the average a link lies on
b = n(3n − 2) / (8 log n) edge-to-edge paths
• Lemma 3. For an arbitrary overlay network with n
edge routers, the average length of all edge-to-edge
paths is d = 3n / (2 log n)
• Theorem 3. Let p be the probability of a link being
congested. The advanced method can detect the
status of a link with probability at least
1 − (1 − (1−p)^d)^b
38
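A quick numeric illustration of the bounds above, using our reading of the reconstructed formulas (the base of the logarithm in Lemmas 2 and 3 is assumed to be natural, and n = 20 edge routers is an arbitrary example):

import math

def simple_bound(p):
    """Theorem 2: lower bound on the probability that the simple method resolves a link."""
    q = 1.0 - p
    return 2 * q**4 - q**7 + p * q**12

def advanced_bound(p, n):
    """Theorem 3, with b and d taken from Lemmas 2 and 3 for n edge routers."""
    b = n * (3 * n - 2) / (8 * math.log(n))
    d = 3 * n / (2 * math.log(n))
    return 1 - (1 - (1 - p)**d)**b

for p in (0.05, 0.2, 0.4):
    print(f"p={p}: simple >= {simple_bound(p):.3f}, advanced (n=20) >= {advanced_bound(p, 20):.3f}")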
D. Intruder Identification in Ad Hoc On-Demand
Distance Vector (AODV) Routing
• Problem
– AODV is vulnerable to various attacks such as false
distance vector, false destination sequence, and
wormhole attacks
– Detecting attacks without identifying and isolating the
malicious hosts leaves the security mechanisms in a
passive mode
• Challenges
– Locate the sources of attacks in a self-organized
infrastructure
– Combine local decisions with knowledge from other
hosts to achieve consistent conclusions on the
malicious hosts
39
Attacks on Routing in Mobile Ad Hoc Networks
[Taxonomy diagram: attacks on routing are divided into active and passive attacks; labels in the diagram include the routing procedure, false reply, wormhole attacks, flooding the network with route requests, silent packet discard, routing information hiding, and route broken messages.]
40
• Related Work
– Vulnerability model of ad hoc routing protocols [Yang
et al., SASN ’03]
– A generic multi layer integrated IDS structure [Zhang
and Lee, MobiCom ’00]
– IDS combining with trust [Albert et al., ICEIS ’02]
– Information theoretic measures using entropy
[Okazaki et al., SAINT ’02]
– SAODV adopts both hash chain and digital signature
to protect routing information [Zapata et al, WiSe’03]
– Security-aware ad hoc routing [Kravets et al,
MobiHOC’01]
41
Ideas
• Monitor the sequence numbers in the route
request packets to detect abnormal conditions
• Apply reverse labeling restriction to identify and
isolate attackers
• Combine local decisions with knowledge from
other hosts to achieve consistent conclusions
• Combine with trust assessment methods to
improve robustness
42
Introduction to AODV
• Introduced in 1997 by Perkins (Nokia) and Royer (UCSB)
• 12 versions of the IETF draft in 4 years, 4
academic implementations, 2 simulations
• Combines on-demand routing and distance vectors
• Broadcast Route Query, Unicast Route Reply
• Quick adaptation to dynamic link conditions
and scalability to large networks
• Supports multicast
43
Route Discovery in AODV (An Example)
[Diagram: route discovery between source S and destination D through intermediate nodes S1–S4; the legend distinguishes routes to the source and routes to the destination.]
44
Attacks on AODV
• Route request flooding
– query non-existing host (RREQ will flood throughout the
network)
• False distance vector
– reply “one hop to destination” to every request and select a
large enough sequence number
• False destination sequence number
– select a large number (which can even beat the reply from the real
destination)
• Wormhole attacks
– tunnel route requests through the wormhole and attract the data
traffic to the wormhole
• Coordinated attacks
– The malicious hosts establish trust to frame other hosts, or
take turns attacking to avoid being identified
45
Impacts of Attacks on AODV
We simulate the attacks and measure their impacts on packet delivery ratios
and protocol overhead.

Attack                        Packet Delivery Ratio    Control packets / data packet
No Attacks                    96%                      0.38
Vicious Flooding              91%                      2.93
False Distance                75%                      0.38
False Destination Sequence    53%                      0.66
Wormhole                      61%                      0.41
46
False Destination Sequence Attack
[Diagram: S broadcasts RREQ(D, 3); the real destination D returns RREP(D, 5), while the malicious host M returns a forged RREP(D, 20).]
Packets from S to D are sinking at M. Node movement
breaks the path from S to M, triggering route rediscovery.
47
During Route Rediscovery, False Destination
Sequence Attack Is Detected
[Diagram: propagation of RREQ(D, 21) from S through S1–S4 and S3 toward D.]
(1) S broadcasts a request that carries the
old sequence + 1 = 21.
(2) D receives the RREQ. Its local sequence is 5, but the
sequence in the RREQ is 21. D detects the false
destination sequence attack.
48
Reverse Labeling Restriction (RLR)
Blacklists are updated after an attack is detected.
• Basic Ideas
• Every host maintains a blacklist to record suspicious
hosts. Suspicious hosts can be released from the
blacklist.
• The destination host broadcasts a signed INVALID
packet when it finds that its sequence number is
under attack. The packet carries the host's
identification, current sequence, new sequence,
and its own blacklist.
• Every host receiving this packet examines its
route entry to the destination host. If the entry's
sequence number is larger than the current sequence
in the INVALID packet, the presence of an attack is
noted, and the previous host that provided the false
route is added to this host's blacklist (see the sketch below).
49
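A minimal sketch of the blacklist update a host might perform on receiving an INVALID packet, assuming the route table maps each destination to a (sequence number, previous hop) pair and that the signature has already been verified. The data layout and names are illustrative, not the protocol's exact packet format.

def process_invalid(route_table, blacklist, invalid):
    """Sketch of the RLR blacklist update on receiving an INVALID packet.

    route_table: dest -> (dest_sequence, previous_hop) as seen by this host.
    blacklist:   dict mapping suspicious host -> accusation counter.
    invalid:     dict with 'dest', 'current_seq', 'new_seq' from the victim
                 destination (signature check assumed to have passed).
    """
    entry = route_table.get(invalid["dest"])
    if entry is None:
        return
    seq, prev_hop = entry
    if seq > invalid["current_seq"]:
        # Our route carries a sequence number the destination never issued:
        # the previous hop that supplied it is labeled suspicious.
        blacklist[prev_hop] = blacklist.get(prev_hop, 0) + 1
        del route_table[invalid["dest"]]  # drop the poisoned route

# Example corresponding to host S1 in the figure below
routes = {"D": (20, "S2")}
bl = {}
process_invalid(routes, bl, {"dest": "D", "current_seq": 5, "new_seq": 21})
print(bl)   # {'S2': 1}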
[Diagram: D broadcasts INVALID(D, 5, 21, {}, SIGN); the resulting blacklists are S3 {}, S1 {S2}, S2 {M}, S {S1}, S4 {}, and M {}.]
D broadcasts the INVALID packet with current sequence = 5 and new sequence = 21. S3
examines its route table; its entry to D is not false, so S3 forwards the packet to S1. S1
finds that its route entry to D has sequence 20, which is > 5, so it knows the
route is false. The hop that provided this false route to S1 was S2, so S2 is put
into S1's blacklist. S1 forwards the packet to S2 and S. S2 adds M into its blacklist. S
adds S1 into its blacklist. S forwards the packet to S4. S4 does not change its blacklist
since it is not involved in this route.
The correct destination sequence number is broadcast, and the blacklist at each
host in the path is determined.
50
[Diagram: M attacks four routes; after detection, M appears in the blacklists of four hosts, marked [M] in the figure.]
M attacks 4 routes (S1-D1, S2-D2, S3-D3, and S4-D4). When the first two
false routes are detected, D3 and D4 add M into their blacklists. When D3 and D4
later become victim destinations, they broadcast their blacklists,
and every host gets two votes that M is a malicious host.
Hosts closer to the malicious site appear in the blacklists of multiple
hosts. In the figure above, M is in four blacklists.
51
Combine Local Decisions with
Knowledge from Other Hosts
• When a host is the destination of a route and is
victimized by a malicious host, it broadcasts
its blacklist.
• Each host obtains blacklists from victim
hosts.
• If M appears in multiple blacklists, M is classified as
a malicious host based on a threshold
(see the sketch below).
• The intruder is identified.
• Trust values can be assigned to other hosts
based on past information.
52
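The voting step can be sketched as follows; the threshold value and the data layout are illustrative assumptions.

from collections import Counter

def identify_intruders(received_blacklists, threshold=2):
    """Count how many victim destinations accuse each host; hosts accused by at
    least `threshold` distinct victims are classified as malicious."""
    votes = Counter()
    for blacklist in received_blacklists.values():
        for suspect in set(blacklist):   # one vote per victim destination
            votes[suspect] += 1
    return {host for host, count in votes.items() if count >= threshold}

# Example matching the earlier figure: M appears in several victims' blacklists
print(identify_intruders({"D1": ["M"], "D2": ["M"], "D3": ["M", "S1"], "D4": ["M"]}))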
Acceleration in Intruder Identification
[Two diagrams: the routing topology with attackers M1–M3 on routes from sources S1–S3 to destinations D1–D3, and the corresponding reverse labeling procedure.]
Multiple attackers exist in the network and more routes are under attack. When
the false routes are detected, more blacklists will be broadcast.
53
Reverse Labeling Restriction
• Update the blacklist on receiving an INVALID packet
• The next hop on the invalid route is put into the
local blacklist, a timer starts, and a counter
increases. The time the host stays in the blacklist
grows exponentially with the counter value
(see the sketch below).
• The labeling process is conducted in the
reverse direction along the false route.
• When the timer expires, the suspicious host is
released from the blacklist and routing
information from it is accepted again.
54
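The exponential hold-down described above might look like the sketch below; the base timeout and the doubling rule are assumed example values.

import time

class BlacklistEntry:
    """Suspicious-host record: stay time grows exponentially with repeat accusations."""
    BASE_TIMEOUT = 30.0  # seconds; an assumed base value

    def __init__(self):
        self.counter = 0
        self.release_at = 0.0

    def accuse(self, now=None):
        now = time.time() if now is None else now
        self.counter += 1
        # duration doubles with each accusation: 30 s, 60 s, 120 s, ...
        self.release_at = now + self.BASE_TIMEOUT * (2 ** (self.counter - 1))

    def is_blacklisted(self, now=None):
        now = time.time() if now is None else now
        return now < self.release_at

entry = BlacklistEntry()
entry.accuse(now=0.0)
print(entry.is_blacklisted(now=10.0), entry.is_blacklisted(now=40.0))  # True False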
Deal With Hosts in Blacklist
• Packets from hosts in blacklist
• Route request: If the request is from suspicious
hosts, ignore it.
• Route reply: If the previous hop is suspicious and
the query destination is not the previous hop, the
reply will be ignored.
• Route error: will be processed as usual. RERR will
activate re-discovery, which will help to detect
attacks on destination sequence.
• INVALID: if the sender is suspicious, the packet
will be processed but the blacklist will be ignored.
55
Attacks of Malicious Hosts on RLR
• Attack 1: Malicious host M sends false
INVALID packet
• Because the INVALID packets are signed, it
cannot send the packets in other hosts’ name
• If M sends INVALID in its own name
• If the reported sequence number is greater than the
real sequence number, every host ignores this
attack
• If the reported sequence number is less than the
real sequence number, RLR converges at the
malicious host: M ends up in the blacklists of more
hosts, so M only accelerates its own identification.
56
• Attack 2: Malicious host M frames other
innocent hosts by sending false blacklist
• If the malicious host has been identified, the
blacklist will be ignored
• If the malicious host has not been identified, this
operation can only make the threshold lower. If
the threshold is selected properly, it will not
impact the identification results.
• Combining trust can further limit the impact of this
attack.
57
• Attack 3: Malicious host M only sends
false destination sequence about some
special host
• The special host will detect the attack and
send INVALID packets.
• Other hosts can establish new routes to the
destination by receiving the INVALID packets.
58
Experimental Studies of RLR
• The experiments are conducted using ns2.
• Various network scenarios are formed by
varying the number of independent
attackers, number of connections, and
host mobility.
• The examined parameters include:
– Packet delivery ratio
– Identification accuracy: false positive and
false negative ratio
– Communication and computation overhead
59
Simulation Parameters
Simulation duration: 1000 seconds
Simulation area: 1000 m × 1000 m
Number of mobile hosts: 30
Transmission range: 250 m
Pause time between reaching the current target and moving to the next target: 0 – 60 seconds
Maximum speed: 5 m/s
Number of CBR connections: 25/50
Packet rate: 2 pkt/sec
60
Experiment 1: Measure the Changes in
Packet Delivery Ratio
Purpose: investigate the impacts of host mobility,
number of attackers, and number of connections
on the performance improvement brought by RLR
Input parameters: host pause time, number of
independent attackers, number of connections
Output parameters: packet delivery ratio
Observation: When only one attacker exists in the
network, RLR brings a 30% increase in the
packet delivery ratio. When multiple attackers
exist in the system, the delivery ratio does not
recover until all attackers are identified.
61
Increase in Packet Delivery Ratio: Single Attacker
X-axis is host pause time, which reflects host mobility. Y-axis is delivery ratio.
25 connections and 50 connections are considered. RLR brings a 30% increase in
delivery ratio. 100% delivery is difficult to achieve due to network partitions, route
discovery delay, and buffering.
62
Increase in Packet Delivery Ratio: Multiple Attackers
X-axis is number of attackers. Y-axis is delivery ratio. 25 connections and 50
connections are considered. RLR brings a 20% to 30% increase in delivery ratio.
63
Experiment 2: Measure the Accuracy of
Intruder Identification
Purpose: investigate the impacts of host mobility,
number of attackers, and connection scenarios
on the detection accuracy of RLR
Input parameters: number of independent attackers,
number of connections, host pause time
Output parameters: false positive alarm ratio, false
negative alarm ratio
Observation: The increase in connections may improve
the detection accuracy of RLR. When multiple
attackers exist in the network, RLR has a high
false positive ratio.
64
Accuracy of RLR: Single Attacker

                   30 hosts, 25 connections                30 hosts, 50 connections
Host pause     # of normal hosts   # of normal hosts   # of normal hosts   # of normal hosts
time (sec)     that identify the   marked as           that identify the   marked as
               attacker            malicious           attacker            malicious
0              24                  0.22                29                  2.2
10             25                  0                   29                  1.4
20             24                  0                   25                  1.1
30             28                  0                   29                  1.1
40             24                  0                   29                  0.6
50             24                  0.07                29                  1.1
60             24                  0.07                24                  1.0

The accuracy of RLR when there is only one attacker in the system.
65
Accuracy of RLR: Multiple Attackers

                   30 hosts, 25 connections                30 hosts, 50 connections
# of           # of normal hosts   # of normal hosts   # of normal hosts   # of normal hosts
attackers      that identify all   marked as           that identify all   marked as
               attackers           malicious           attackers           malicious
1              28                  0                   29                  1.1
2              28                  0.65                28                  2.6
3              25                  1                   27                  1.4
4              21                  0.62                25                  2.2
5              15                  0.67                19                  4.1

The accuracy of RLR when there are multiple attackers.
66
Experiment 3: Measure the
Communication Overhead
Purpose: investigate the impacts of host mobility and
connection scenarios on the overhead of RLR
Input parameters: number of connections, host pause
time
Output parameters: control packet overhead
Observation: When no false destination sequence
attacks exist in the network, RLR introduces
small packet overhead into the system.
67
Control Packet Overhead
X-axis is host pause time, which reflects host mobility. Y-axis is
normalized overhead (# of control packets / # of delivered data packets). 25
connections and 50 connections are considered. RLR increases the overhead
only slightly.
68
Research Opportunities: Improve
Robustness of RLR
• Protect the good hosts from being framed
by malicious hosts
• Malicious hosts can frame good hosts by
putting them into their blacklists.
• By lowering the trust values of both the complainer
and the complainee, we can restrict the impact of
the gossip distributed by the attackers.
• Adopt the trust management scheme
proposed by Aberer and Despotovic [CIKM'01]
to determine the lowering speed.
69
• Avoid putting every host into blacklist
• Combining the host density and movement
model, we can estimate the time ratio that two
hosts are neighbors
• The counter for a suspicious host decreases as
time passes
• Adjusting the decreasing ratio to control the
average percentage of time that a host stays in
the blacklist of another host
70
• Defend against coordinated attacks
• The behaviors of collusive attackers are
Byzantine. The malicious hosts may
establish trust to frame other hosts, or take turns
conducting attacks to avoid being identified.
• Look for the effective methods to defend
against such attacks. Possible research
directions include:
• Apply classification methods to detect the hosts
that have similar behavior patterns
• Study the behavior histories of the hosts that
belong to the same group and detect the
pattern of malicious behavior (time-based,
order-based)
71
An Architecture of Intruder Identification
Agent
72
• Intruder identification can be applied to
detect more attacks in ad hoc networks:
– DoS attacks
– Malicious discard
– Trust abuse and privacy violation
• Reverse labeling mechanism can be
applied to identify the attackers that
– Disseminate false routing information
– Discard data packets
– Generate gossip to destroy other hosts’
reputation
73
Conclusions on Intruder Identification
• False destination sequence attacks can be
detected by the anomaly patterns of the
sequence numbers
• Reverse labeling method can reconstruct the
false routing tree
• Isolating the attackers brings a sharp
increase in network performance
• On going research will improve the
robustness of the mechanism and the
accuracy of identification
74
Related Ongoing Research
A. Detecting wormhole attacks
B. Position-based private routing in ad hoc
networks
C. Fault tolerant authentication in movable
base station systems
D. Congestion avoidance routing in ad hoc
networks
75
Detecting Wormhole Attacks
• Problem statement
Malicious nodes can eavesdrop on packets,
tunnel them to another location in the network, and
retransmit them. This creates the false impression that
the original sender is in the neighborhood of the
remote location.
[Diagram: wireless node 1 and wireless node 2 appear to be neighbors because attacker 1 and attacker 2 tunnel packets between them.]
76
• Research challenges
– Detect wormholes when the malicious host may be
a legitimate member of the network
– Control the overhead introduced by wormhole
detection so that hosts are not overwhelmed
77
Classification of Wormholes
• Wormholes are divided into three groups:
– Closed
– Half open
– Open
78
The Approach: End-to-End Mechanism
• Assumption:
– Hosts have positioning devices and loosely
synchronized clocks
– Pair-wise keys have been deployed
• Ideas:
– The source and the intermediate hosts will attach the
<time, position> pairs that record the receiving and
forwarding events
– The attached information is protected by message
authentication codes (MAC)
– The neighbor relation validations are conducted by
the destination
79
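A sketch of the per-hop attachment of <time, position> records, assuming a pairwise key shared with the destination and using a standard HMAC as the message authentication code; the field layout and function names are our own.

import hmac, hashlib, json, time

def attach_record(packet, node_id, position, key):
    """Append a <time, position> record protected by a MAC computed with the
    pairwise key shared between this node and the destination (illustrative format)."""
    record = {"node": node_id, "time": time.time(), "pos": position}
    payload = json.dumps(record, sort_keys=True).encode()
    record["mac"] = hmac.new(key, payload, hashlib.sha256).hexdigest()
    packet.setdefault("records", []).append(record)
    return packet

def verify_record(record, key):
    """Destination-side MAC check for one attached record."""
    payload = json.dumps({k: record[k] for k in ("node", "time", "pos")},
                         sort_keys=True).encode()
    return hmac.compare_digest(record["mac"],
                               hmac.new(key, payload, hashlib.sha256).hexdigest())

pkt = attach_record({}, "S1", (120.0, 40.0), b"shared-key")
print(verify_record(pkt["records"][0], b"shared-key"))  # True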
Validation at the Destination
• The MAC codes are calculated correctly
• The neighbor hosts are within the radio
range when the packet is passed
• The average moving speed between the
<time, position> pairs from the same host
does not exceed the maximum value.
80
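The geometric checks at the destination could be sketched as follows; the radio range and maximum speed values below are assumed examples.

import math

def within_radio_range(pos_a, pos_b, radio_range=250.0):
    """Neighbors must have been within radio range when the packet was handed over."""
    return math.dist(pos_a, pos_b) <= radio_range

def speed_plausible(rec1, rec2, max_speed=5.0):
    """Two <time, position> records from the same host must not imply a speed
    above the maximum node speed (assumed value)."""
    dt = abs(rec2["time"] - rec1["time"])
    if dt == 0:
        return rec1["pos"] == rec2["pos"]
    return math.dist(rec1["pos"], rec2["pos"]) / dt <= max_speed

print(within_radio_range((0, 0), (200, 100)),                  # about 223.6 m -> True
      speed_plausible({"time": 0, "pos": (0, 0)},
                      {"time": 10, "pos": (0, 80)}))           # 8 m/s -> False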
Controlling Overhead:
Cell-based Open Tunnel Avoidance
• Divide the area into same-sized cells and
the time into same-length slots
• Require a constant storage space and
linear computation operations for every
intermediate host
• Have a configurable wormhole detection
capability
81
Computation Efficiency
• The experiments are conducted on an iPAQ 3630
with a 206 MHz CPU and 64 MB of RAM
• The computation overhead of wormhole
detection for one 10-hop route consumes less
than 0.5% of its CPU
• The computation resources of a real PDA can
support wormhole detection using COTA without
trouble
82
Conclusions
• The end-to-end mechanism can detect
half open and open wormholes in ad hoc
networks
• As a position information management
scheme, COTA requires constant storage
space and linear computation resource for
every intermediate host
• The proposed mechanism can be adopted
by real mobile devices
83
B. Position-based Private Routing in Ad
Hoc Networks
• Problem statement
– To hide the identities of the nodes who are
involved in routing in mobile wireless ad hoc
networks.
• Challenges
– Traditional ad hoc routing algorithms depend
on private information (e.g., ID) exposure in
the network.
– Privacy solutions for P2P networks are not
suitable in ad hoc networks.
84
Weak Privacy for Traditional Position-based Ad Hoc Routing Algorithms
• Position information of each node has to be
locally broadcast periodically.
• Adversaries are able to obtain node trajectory
based on the position report.
• Adversaries can estimate network topology.
• Once a match between a node position and its
real ID is found, a tracer can always stay close
to this node and monitor its behavior.
85
AO2P: Ad Hoc On-Demand Position-based Private Routing
• The position of the destination is the only information
exposed in the network for route discovery.
• A receiver-contention scheme is designed to
determine the next hop in a route.
• Pseudo IDs are used instead of real IDs for data
packet delivery after a route is built up.
• Routes with a smaller number of hops are
preferred for better end-to-end throughput.
86
AO2P Routing Privacy and Accuracy
• Only the position of destination is revealed in the
network for routing discovery. The privacy of the
destination relies on the difficulty of matching a position
to a node ID.
• Node mobility enhances destination privacy because a
match between a position to a node ID is temporary.
• The privacy for the source and the intermediate
forwarders is well preserved.
• Routing accuracy relies on the fact that at a specific
time, only one node can be at a given position. Since the
pseudo ID for a node is generated from its position and
the time it is at that position, the probability that more
than one node has the same pseudo ID is negligible
(see the sketch below).
87
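One way to read "a pseudo ID generated from position and time" is a hash of the two values, which collides with negligible probability because only one node can occupy a given position at a given time; the exact construction used by AO2P may differ.

import hashlib

def pseudo_id(position, timestamp, bits=64):
    """Derive a pseudo ID from a node's position and the time it was there
    (illustrative construction)."""
    material = f"{position[0]:.1f},{position[1]:.1f}@{timestamp:.3f}".encode()
    digest = hashlib.sha256(material).digest()
    return int.from_bytes(digest[: bits // 8], "big")

print(hex(pseudo_id((412.5, 87.3), 1042.250)))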
Privacy Enhancement: R-AO2P
• The position of reference point is carried in rreq instead
of the position of the destination.
• The reference point is on the extended line from the
sender to the destination. It can be used for routing
discovery because generally, a node that processes the
rreq closer to the reference point will also process the
rreq closer to the destination.
• The position of the destination is only disclosed to the
nodes who are involved in routing.
[Figure: reference point in R-AO2P.]
88
Illustrated Results
• Average delay for next hop determination
89
Illustrated Results
• Packet delivery ratio
90
Conclusions
• AO2P preserves node privacy in mobile ad
hoc networks.
• AO2P has low next hop determination
delay.
• Compared to other position-based ad hoc
routing algorithms, AO2P shows little routing
performance degradation.
91
C. Fault Tolerant Authentication in
Movable Base Station System
• Problem
– To ensure security and prevent theft of resources
(like bandwidth), all the packets originating inside
the network should be authenticated.
– Authentication may become unreliable when
base station fails or node moves from one cell to
another.
• Challenges
– How to design fault tolerant authentication
methods that are robust under the above conditions
– How to make the protocols adaptable and re-configurable
92
Proposed Schemes
• We propose two schemes to solve the problem:
– Virtual Home Agent
– Hierarchical Authentication
• They differ in the architecture and the
responsibilities that the Mobile Nodes
and Base Stations (Agents) hold.
93
Virtual Home Agent Scheme
[Architecture diagram: a Master Home Agent (MHA), identified by the VHA's IP address, with a database server holding the shared-secrets database, Backup Home Agents, and the other nodes in the network.]
94
Advantages of Proposed Scheme
• Has only 3 states, so the overhead of
state maintenance is negligible.
• Very few tasks need to be performed in each
state (outlined in the tech report).
• Flexible – there can be multiple VHAs in the
same LAN, an MHA can be a BHA for
another VHA, and a BHA can serve
more than one VHA at the same time.
95
Disadvantages of Virtual HA Solution
• Not scalable if every packet has to be
authenticated
– Ex: huge audio or video data
• BHAs (Backup Home Agents) are idle most
of the time (they just listen to the MHA's
advertisements).
• The central database is still a single point of
failure.
96
Hierarchical Authentication Scheme
• Multiple Home Agents in a LAN are organized
in a hierarchy (like a tree data structure).
• A Mobile Node shares a key with each of the
Agents above it in the tree (Multiple Keys).
• At any time, highest priority key is used for
sending packets or obtaining any other kind
of service.
97
Hierarchical Authentication Scheme
[Diagram: agents A–G arranged in a tree with databases at internal nodes; a mobile node at the bottom of the tree holds key/priority pairs (K1, P1) and (K2, P2) shared with the agents above it.]
98
Hierarchical Authentication Scheme
Key priority depends on several factors and is
computed as the cumulative sum of the weighted
priorities of each factor (see the sketch below).
Example factors:
• Communication delays
• Processing speed of the agents
• Key usage
• Lifetime of the key
99
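A sketch of the cumulative weighted-sum priority; the factor names, weights, and scores below are invented for illustration.

def key_priority(factors, weights):
    """Cumulative sum of weighted factor priorities for one key.
    factors/weights: dicts keyed by factor name; weights are assumed to sum to 1."""
    return sum(weights[name] * value for name, value in factors.items())

weights = {"comm_delay": 0.3, "agent_speed": 0.3, "key_usage": 0.2, "key_lifetime": 0.2}
k1 = {"comm_delay": 0.9, "agent_speed": 0.7, "key_usage": 0.5, "key_lifetime": 0.8}
k2 = {"comm_delay": 0.4, "agent_speed": 0.9, "key_usage": 0.6, "key_lifetime": 0.3}
# The highest-priority key is the one used for sending packets.
best = max({"K1": k1, "K2": k2}.items(), key=lambda kv: key_priority(kv[1], weights))
print(best[0], key_priority(best[1], weights))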
D. Congestion Avoidance Routing in Ad
Hoc Networks
• Objective
– To bring the consideration of congestion into the design
of routing protocols.
• Thrust
– To avoid congestion by minimizing contention for
channel access.
• Challenges
– The global coupling effect of wireless channel access
in ad hoc networks.
– Quantification of congestion without exchanging
messages with neighbors.
100
Intermediate Delay (IMD)
• IMD is a routing metric that characterizes
the impacts of channel contention, the
length of the route, and the traffic load at
individual nodes.
• IMD estimates the delay introduced by the
intermediate nodes along the route using
the sum of delays from each node.
101
Ad Hoc Routing Based on IMD
[Diagram: an example topology (nodes A–J) with per-node delays P/C and 2P/C labeled along two alternative routes.]
Simplification of delay computation:
1. If the channel capacity is C and the packet size is P, the delay is P/C.
2. If n nodes are in contention for a channel, each node gets a C/n share of
the channel capacity, so the delay is nP/C.
Routes adapt to changes in traffic and network topology (see the sketch below).
102
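Using the simplification above (a node contending with n nodes for the channel contributes a delay of roughly nP/C), the IMD of a route can be sketched as a sum of per-node delays; the packet size and channel capacity below are assumed example values.

def node_delay(contenders, packet_size_bits, capacity_bps):
    """Delay introduced by one intermediate node: it gets a 1/n share of the channel."""
    return contenders * packet_size_bits / capacity_bps

def route_imd(contention_counts, packet_size_bits=8000, capacity_bps=2_000_000):
    """Intermediate delay of a route: sum of per-node delays along the route."""
    return sum(node_delay(n, packet_size_bits, capacity_bps) for n in contention_counts)

# Two candidate routes: a short one through a hot spot vs. a longer, lightly loaded one.
print(route_imd([4, 4]), route_imd([1, 1, 2]))   # SAGA would prefer the smaller IMD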
Delay Estimation
• A mobile node is modeled as a single
server queuing system.
• Total delay includes the delay for
transmitting a packet and the delay in the
queue.
• The key is to estimate the delay for
transmitting a packet.
– Node with active traffic
• Use the mean value to estimate the delay.
– Node without active traffic
• Study the procedure of packet transmission to
obtain the expectation of the delay.
103
IEEE 802.11 DCF
(Distributed Coordination Function)
E[T_succ] = T_RTS + T_CTS + T_DATA + T_ACK + 3·T_SIFS + E[T_backoff]
E[T_fail] = T_RTS + T_timeout + E[T_backoff]
104
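Plugging nominal values into the formulas above gives a feel for the magnitudes involved; the timing constants below are rough assumptions (roughly 802.11 at 1 Mbps), not values taken from the slide.

# Rough per-frame air times in microseconds (assumed values for illustration)
T_RTS, T_CTS, T_ACK = 352, 304, 304
T_SIFS, T_TIMEOUT = 10, 350
T_DATA = 8192          # e.g. a 1 KB payload at 1 Mbps, ignoring headers

def expected_tx_time(e_backoff_us, success=True):
    """E[T_succ] or E[T_fail] for one RTS/CTS/DATA/ACK exchange, per the formulas above."""
    if success:
        return T_RTS + T_CTS + T_DATA + T_ACK + 3 * T_SIFS + e_backoff_us
    return T_RTS + T_TIMEOUT + e_backoff_us

print(expected_tx_time(310), expected_tx_time(310, success=False))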
SAGA: Self-Adjusting Congestion
Avoidance Routing Protocol
• SAGA is a distance vector routing protocol.
– uses IMD instead of hop count as the distance
– bypasses hot spots where contention is intense
• Lazy route query uses special route
advertisements for local route discovery.
• An approach reduces the oscillation of IMD
and prevents a node from switching back
and forth among alternative routes.
105
Experimental Evaluation
• Objective
– Study the performance of SAGA, AODV, DSR, and
DSDV under congestion.
• Performance metrics
– Throughput, delivery ratio, protocol overhead, and
end-to-end delay
• Method
– Simulation using the network simulator ns2
– Two types of UDP traffic: constant bit rate (CBR) and
pareto on/off (POO)
– The offered traffic load is taken as the input parameter
– Six experiments by varying the maximum speed of
movement of nodes and the number of connections
– Five independent runs with random scenarios for each
experiment
106
30 CBR Connections, Low Mobility (4m/s)
107
10 POO Connections, High Mobility (20m/s)
108