1. PROVEST: Provenance-based Trust Model for Delay Tolerant Networks
A Review of
PROVEST: Provenance-based Trust Model
for Delay Tolerant Networks
Authors: Jin-Hee Cho, Ing-Ray Chen
Yang Xiao

2. Content Background System Models PROVEST Experiment
Delay Tolerant Networking (DTN)
Trust Evaluation
Provenance
System Models
PROVEST
Experiment
- I will introduce these concepts separately and put them together when we come to PROVEST.

3. Delay Tolerant Networking (DTN)
DTN Features
No guarantee of end-to-end connectivity
High delay & disruption
Examples
Environment monitoring
Emergence response
Mobile ad-hoc network (MANET)
Vehicular ad-hoc network (VANET)
Routing is Essential
Establishing a complete end-to-end path
Store-and-forward  Used in DTN
Flooding
Opportunistic routing
DTN: Often nodes are highly mobile and the communication channel is unstable. No continuous network connectivity.
Causes: Limits of wireless range, sparsity of mobile nodes, limits of energy source, the interference from attackers and noise.
Store-and-forward: Every message will be temporally buffered in a node, then forwarded to the next hop when possible. message will eventually reach its destination
Flooding:
Opportunistic routing:
Image credit: Google Image Search

4. Trust Evaluation What is Trust What to trust in DTN?
My understanding: A composite measurement of a system’s efficacy, which often includes security, robustness, performance, and other beneficial attributes
What to trust in DTN?
Nodes in DTN
What are They Trusted for?
Competence
Energy saving
QoS (eg: low routing delay)
Security
Availability, reliability
Not compromised by attackers
This is my definition.
As Compromised network nodes may do a variety of bad things, such as dropping, intentionally keep and reply a message, or modifying messages and insert misleading content.
Image credit: Google Image Search

5. Provenance Provenance in Original Meaning
All the paperwork about an artwork that records its ownership changes
Provenance in Computer Science
Data lineage, which often includes authenticity and integrity, sometimes auditability of traces of data operation or transfer
Used for bug finding or responsibility tracing
Provenance has been used to verify trust, trustworthiness, or correctness of information in many research areas.
Image credit: Google Image Search

6. Content Background System Models PROVEST Experiment DTN Network Model
Key Management
Attack Model
PROVEST
Experiment
- I will introduce these concepts separately and put them together when we come to PROVEST.

7. DTN Network Model Node Behavior Join and Leave Random-walk speed
𝑣 𝑖 ←𝑈[𝑣,𝑣′]
Energy level
Initial: 𝑒 𝑖 ←𝑈[𝑒,𝑒′]
Detection error: false pos/neg
𝑃 𝑓𝑝 , 𝑃 𝑓𝑛 ← 0, 𝑃 𝑟 , 𝑃 𝑟 ←(0,1]
Behavior seeds
A malicious node forwards message with probability 𝑃 𝑓 ←[0,1]
For block hole and grey hole attacks
A malicious node randomly attacks with intensity 𝑃 𝑎 ←[0,1]
For fake/no identity, false recommendation, message modification attacks
Join and Leave
Node join rate: 𝜆
Node leave rate: 𝜇
A node randomly moves to one of five locations (i.e., north, west, south, east, and current location) in accordance with its speed.
Energy represents the capability or competence of node j to do the basic routing function.
𝑃 𝑓 : Probability of packet forwarding
𝑃 𝑎 : Probability of attack intensity
Network join rate: 𝑃 𝜆 =𝜆/(𝜆+𝜇)

8. Key Management Group Communication Key: 𝐾 𝑆,𝑡
To counter outsider attacks
All group members communicate internally with 𝐾 𝑆,𝑡
Trusted Authorities (TAs)
Assign 𝐾 𝑆,𝑡 for the group nodes
To be rekeyed periodically, as 𝑡 changes
Different TAs should act according for
users from the same group
The symmetric keys issued at the same time t by multiple TAs are the same so that all legitimate nodes can communicate with the same key.
All group members contributing to the group key generation based on Diffie-Hellman key exchange WON’T work in sparse DTN

9. Attack Model General Assumption Attack Vectors
Messages can be dropped, modified, or forged by attackers or compromised nodes
All by compromised insiders
Attack Vectors
Control Based Attacks
No/fake identity
Black hole
Grey hole
Whitewashing
Packet injection
Content Based Attacks
Fake recommendation
Message Modification
In order to prevent this newcomer attack, the authenticity of a node is ensured through private/public key pairs which were given in network deployment.
To counter message modification: micro-TESLA.
Some of the attacks can not be effective countered, which will later be the adversarial behavior, which once detected will be used to lower the compromised parties’ trust score.
No/fake Identity: Hide real ID in message
Fake recommendation: Giving misleading opinion
Message modification: Change essential message content
Block hole attack: Persistently drop packets to perform DoS attack
Grey hole attack: Randomly drop packets to perform DoS attack
Whitewashing: Leave and come back later with a new ID
Packet injection: Generates additional communication overhead
Image credit: Google Image Search

10. Content Background System Models PROVEST Experiment Trust Evaluation
SPN Modeling
Experiment
- I will introduce these concepts separately and put them together when we come to PROVEST.

11. PROVEST - Trust Evaluation
Multidimensional Trust
Availability, Integrity, Competence
Trust Management
Trust is evaluated in a peer-to-peer fashion
Each message embeds indirect evidence of trust evaluation
From Provenance Info (PI) to Evidence of Trust
PI Provided by Node 𝑖: 𝑃 𝑖,𝑘 =[𝑖,𝑘, 𝑂 𝑖,𝑘 (𝑡)]
𝑘: ID of the previous Message Carrier (MC)
𝑂 𝑖,𝑘 (𝑡)
Node 𝑖’s opinion towards the attack behaviors and energy level of 𝑘
Includes the # of positive evidence 𝑟 and # of negative evidence 𝑠
A typical message received by a Destination Node (DN) 𝑗:
𝑀𝑀, 𝑃 0,Φ 𝑘 𝑛 , 𝑃 1,0 𝑘 𝑛−1 , 𝑃 2,1 𝑘 𝑛−2 ,…, 𝑃 𝑚,m−1 𝑘 𝑛−𝑚 𝐾 𝑆,𝑡
Mission Message (MM): a control message used for mission execution
PROVEST: a DTN node collects indirect evidence information through provenance information embedded in messages. The first to consider its use in a provenance-based trust model in DTN environments.
Availability is affected by congestion, mobility, and limited resources available at the node.
Integrity measures how well a node complies with a given protocol, without exhibiting attack behaviors.
Competence reflects a node’s remaining battery lifetime (a surrogate for resources available at the node) plus cooperativeness (contributing to reliable packet delivery).
Peer-to-Peer fashion: No need of a TA for centralized trust management.
𝑶 𝒊,𝒌 (𝒕): includes # of positive evidence 𝑟 and negative evidence 𝑠 for each behavior category.

12. PROVEST - Trust Aggregation
Two Sources of Evidence
Direct evidence: mutual observation when two nodes encounter
Indirect evidence : the PI one node receives about another node
Bayesian Update
Upon receiving an evidence about 𝑘 (direct or indirect) with 𝑟 and 𝑠
Then estimate the trust of 𝑘 by 𝐸 𝑡𝑟𝑢𝑠𝑡 =𝑟/(𝑟+𝑠)
To Handle Uncertain Evidence
PROVEST-Pessimistic: uncertainty  negative
PROVEST-Optimistic: uncertainty  positive
PROVEST-Realistic: uncertainty  not considered
PROVEST-Hybrid: uncertainty  dealt based on historical patterns
Bayesian update for each trust dimension
Uncertain evidence: The indirect trust evidence enclosed in the PI are detected as false and thus cannot be directly used

13. Attack Model Revisited
Assumption on Attack Behaviors
Provenance information (PI) messages can be dropped, modified, or forged by attackers or compromised nodes
MM contains control information of the

14. PROVEST - Evidence Gathering
Trust Computation
Node 𝑖  trustor, Node 𝑗  trustee
( 𝒓 𝒊,𝒋 ′ , 𝒔 𝒊,𝒋 ′ , 𝒖 𝒊,𝒋 ′ )
For Direct Evidence
(when 𝑖, 𝑗 encounter)
For Indirect Evidence
(when 𝑖 receives PI about 𝑗)
Availability
(1,0,0) if 𝑗 replies to 𝑖;
(0,1,0) if 𝑗 doesn’t reply to 𝑖 ⋯①
(0,0,1) if no evidence of 𝑗;
(1,0,0) else if condition A is met;
(0,1,0) else;
Integrity
0,0,0 if ① is met;
𝑟,𝑠,𝑢 , 𝑟+𝑠+𝑢=3 depending on the detection of 3 attacks of 𝑗 from observation
0,0,0 if there is no evidence of 𝑗;
𝑟,𝑠,𝑢 , 𝑟+𝑠+𝑢=3
depending on the estimation of 3 attacks of 𝑗 based on the PI
Competence
0,0,2 if ① is met;
𝑟,𝑠,𝑢 , 𝑟+𝑠+𝑢=2 depending on 𝑗’s energy level and cooperativeness from observation
0,0,2 if there is no evidence of 𝑗;
Direct integrity trust is measured based on whether a node exhibits three attack behaviors: identity attack (no ID or fake ID inserted in PI), fake recommendation attack (i.e., good mouthing and ballot stuffing attacks), and message modification attack.
Direct competence trust is assessed by a node’s energy status and cooperativeness behavior, and thus is measured based on two pieces of evidence.
Condition A: 1) j’s ID is in PI, 2) j’s ID is authentic, and 3) the previous MC trusts j (> 𝑇 𝑚𝑖𝑛 )
𝑇 𝑚𝑖𝑛 : minimum trust threshold

15. PROVEST - SPN Modeling Why SPN PROVEST SPN Large number of states
The underlying model Continuous Time (semi-)Markov Chain
Hierarchical SPN technique can be used to derive interactions or trust relationships
PROVEST SPN
The marks (# of tokens in places) indicates the state of a node
Mark(LOC): = 1
Mark(ENERGY): hours of battery life
Mark(UNAVA): 1  unavailable, 0  available
Each transition bar indicates the rate at which the corresponding event is triggered
Mark(place) is the number of tokens in that place
The LOC subnet, ENERGY subnet, UNAVA subnet

16. PROVEST – SPN Subnets 1) Location Subnet 2) Energy Subnet
To compute the probability that node 𝑖 is in a particular grid area 𝑘 at time 𝑡, and the encounter interval between two nodes
𝑅𝑎𝑡𝑒(𝑇_𝐿𝑂𝐶)= 𝑣 𝑖 / 𝑅 𝑡
𝑣 𝑖 : node 𝑖’s average speed
𝑅 𝑡 : radio range at time 𝑡
2) Energy Subnet
To obtain each node’s energy lifetime
𝑅𝑎𝑡𝑒(𝑇_𝐸𝑁𝐸𝑅𝐺𝑌)= 𝑇 𝑒 𝑖𝑓 𝑚𝑎𝑟𝑘 𝑈𝑁𝐴𝑉𝐴 >0 1 𝑇 𝑒 𝑜𝑡ℎ𝑒𝑟𝑤𝑖𝑠𝑒
𝑇 𝑒 : Time to consume one energy token (1 hour)
𝑅 𝑡
Location Subnet: Since node movements are assumed to be independent. To compute the encounter interval between two nodes: take the product of two probabilities and take the reciprocal
Energy Subnet: Unavaible  energy consumption halved.

17. PROVEST – SPN Subnets 3) Unavailability Subnet 𝒌 ′
𝑅𝑎𝑡𝑒(𝑇_𝑈𝑁𝐴𝑉𝐴)= 𝑃 𝑢𝑟 / 𝑇 𝑖 𝑒𝑛𝑐
𝑃 𝑢𝑟 : probability of link unreliability
𝑇 𝑖 𝑒𝑛𝑐 = 𝑗∈𝐿 𝑅 𝑡 ( 𝑃 𝑖 𝑘 𝑃 𝑗 𝑘 ′ )( 𝑣 𝑖 + 𝑣 𝑗 )
The average interval before node 𝑖 encounters
another node
𝐿: set of legitimate nodes of the network
𝑅 𝑡 : radio range
𝑃 𝑖 𝑘 : probability that node 𝑖 is in area 𝑘
𝑘 ′ : neighboring areas of 𝑘 where node 𝑖 and 𝑗 can communicate directly
𝑃 𝑗 𝑘 ′ : sum of probabilities that node 𝑗 is in 𝑘 ′
𝑅𝑎𝑡𝑒(𝑇_𝑅𝐸𝑆𝐸𝑇)=1/ 𝑇 𝑖 𝑒𝑛𝑐
𝑅 𝑡
𝒌 ′
𝑷 𝒊 𝒌 𝑷 𝒋 𝒌 ′ : because of the independence
𝑹𝒂𝒕𝒆(𝑻_𝑹𝑬𝑺𝑬𝑻): The rate for a token to be out, indicating availability of node 𝑖

18. Content Background System Models PROVEST Experiment
- I will introduce these concepts separately and put them together when we come to PROVEST.

19. Metrics Trust Mias ( 𝐵 𝑋 ) Mission Message Correctness (𝑅)
𝑟: pos. evidence
𝑠: neg. evidence
Trust Mias ( 𝐵 𝑋 )
𝐵 𝑋 = 𝑡=0 𝐿𝑇 𝐵 𝑋 (𝑡) 𝐿𝑇  𝐵 𝑋 𝑡 = 𝑖≠𝑗 𝑇 𝑗 𝑋 𝑡 − 𝑇 𝑖,𝑗 𝑋 (𝑡) 𝐿 −  𝑇 𝑗 𝑋 𝑡 = 𝑟 𝑗 𝑋 (𝑡) 𝑟 𝑗 𝑋 𝑡 + 𝑠 𝑗 𝑋 (𝑡)
Mission Message Correctness (𝑅)
𝑅= 𝑚∈𝐿 𝑘∈𝐾 𝑅 𝑘,𝑚 (𝑡) 𝐼  𝑅 𝑘,𝑚 =1 if 𝑘 did not modify 𝑚
𝐾: set of nodes that makes the route of the MM
Message Delay (𝐷)
𝐷= 𝑚∈𝐿 𝐷 𝑚 𝐼  𝐷 𝑚 is the delay for message 𝑚 to be delivered
Communication Cost (𝐶)
𝐶= 𝑡=0 𝐿𝑇 𝐶 𝑒 𝑡 + 𝐶 𝑑 (𝑡) 𝐿𝑇  𝐶 𝑒 𝑡 :# of trust evaluation messages per sec
𝐶 𝑑 𝑡 :# of delivery messages per sec
trust accuracy and routing performance.
Refer to table 2 for key default design parameter values

20. Schemes to Evaluate Four variants of PROVEST Encounter-based Epidemic
Using a Bayesian estimation of trust only based on evidence collected upon an encountering event
Epidemic
Flooding a message to encounters
PRoPHET
Also flooding based; But selecting the next hop based on the degree of connectivity estimated by historical mobility patterns
Iterative Trust and Reputation Mechanism (ITRM)
Node A collects ratings from nodes (acting as raters) it encounters about node B and the rater that deviates the most from other raters is flagged as malicious
This process runs in a iterative fashion
Iterative fashion: Update rating collection upon encountering every new rater

21. Experiment Setup Data Gathering Parameters
Simulated data: from SPN model
Real data: from CRAWDAD dataset of real human mobility traces
Parameters
# of nodes 
minimum trust threshold 
node speed 
detection error upper bound 
prob. of attack intensity 
# of msgs each SN sends 
# of msg copies sent by a SN 
a decay parameter in PRoPHET 
consistency threshold in ITRM 
 grid size
 system lifetime
 % of compromised nodes
 prob. of link unreliability
 prob. of packet forwarding
 # of source-destination pairs
 initial energy level
 a decay parameter in PRoPHET
CRAWDAD is based on daily GPS track log collected from Disney World, Florida, USA every 30 seconds.

22. Result: Trust Bias of PROVEST
Observation
Higher 𝑇 𝑚𝑖𝑛 reduces integrity trust bias except for the Pessimistic
The Hybrid works fairly well
Hybrid wins
Realistic wins
Realistic wins
Pessimistic fails
Optimistic fails
In particular, the accurate estimation of integrity trust is critical to successful correct message delivery
PROVEST-Pessimistic performs significantly worse than other counterparts because it takes uncertain evidence as negative evidence.
PROVEST-Optimistic performs badly showing significantly high trust bias when estimating a bad node’s trust.

23. Result: Performance of PROVEST
Observation
All schemes incur equally high communication overhead with high 𝑇 𝑚𝑖𝑛 except for Pessimistic
For R: The Pessimistic performs fairly well with low 𝑇 𝑚𝑖𝑛 , while Realistic and Hybrid work well with high 𝑇 𝑚𝑖𝑛 (Pessimistic is conservative when it comes to message correctness).
For D: Optimistic and Hybrid perform fairly well unless 𝑇 𝑚𝑖𝑛 is too high.
For C: A higher message delivery rate can also lead to higher communication overhead. Except for Pessimistic.

24. Result: Comparison to Other Schemes (1/3)
Observation
Overall, PROVEST-Hybrid achieves the highest 𝑅 with the lowest 𝐶
Message delay is high with high 𝑇 𝑚𝑖𝑛 except for Epidemic
Epidemic guarantees the maximum message delivery but does not ensure the maximum delivery of ‘correct’ messages

25. Result: Comparison to Other Schemes (2/3)
Observation
Encounter-based, ITRM, PROVEST-Hybrid perform equally well in 𝑅
The rise of attacks significantly affects 𝑅, but not 𝐷 or 𝐶
𝐷 slightly decreases as a result of attacks dropping packets
PROVEST-Hybrid outperforms ITRM and Encounter-based in 𝐶
This is a sensitivity analysis
These three are all trust based.
As 𝑃 𝑐𝑝 increases, R decreases as there are more attackers in the network
Under a less hostile environment (i.e., Pcp = 0:1), more messages are delivered thus there is more traffic.

26. Result: Comparison to Other Schemes (3/3)
Observation
Basically the same pattern as increasing the attacker percentage 𝑃 𝑐𝑝
PROVEST-Hybrid outperforms ITRM and Encounter-based in 𝐷 significantly and in 𝐶 slightly

27. Result: Validation using Real Mobility Traces
Matched! This implies that the SPN model work great.
CRAWDAD dataset
- This
Previous result

28. Summary Trust Evaluation in DTN PROVEST Experiment
It is hard because of high node mobility and unstable communication channels
PROVEST
A provenance-based trust evaluation model
Trust evaluation based on Bayesian updates with positive and negative evidences digested from provenance information
Four variants: Pessimistic, Optimistic, Realistic, Hybrid
Experiment
PROVEST-Hybrid significantly reduces the communication cost while maintaining a high correct message delivery ratio, compared to Epidemic, ITRM, Encounter-based, and PRoPHET

29. My Takeaways
SPN is useful for Markov models with a large state space
Intuition behind PROVEST’s superior performance
Provenance information - a new (finer-grained) angle for trust evaluation
PROVEST-Hybrid can handle uncertain information in a subtle way and utilize historic patterns
More Adversarial Scenarios
Replay attack?
DDOS attack?
Fault-tolerance property?
As the simulated data from SPN matches the CRAWDAD data.
Thanks!