Published by Allison Stone. Modified over 6 years ago.
1
PROVEST: Provenance-based Trust Model for Delay Tolerant Networks
A Review of PROVEST: Provenance-based Trust Model for Delay Tolerant Networks
Authors: Jin-Hee Cho, Ing-Ray Chen
Yang Xiao
2
Content
- Background
  - Delay Tolerant Networking (DTN)
  - Trust Evaluation
  - Provenance
- System Models
- PROVEST
- Experiment
Notes: I will introduce these concepts separately and put them together when we come to PROVEST.
3
Delay Tolerant Networking (DTN)
DTN Features
- No guarantee of end-to-end connectivity
- High delay & disruption
Examples
- Environment monitoring
- Emergency response
- Mobile ad-hoc network (MANET)
- Vehicular ad-hoc network (VANET)
Routing is Essential
- Establishing a complete end-to-end path
- Store-and-forward
- Used in DTN
  - Flooding
  - Opportunistic routing
Notes:
DTN: Often nodes are highly mobile and the communication channel is unstable. No continuous network connectivity. Causes: limits of wireless range, sparsity of mobile nodes, limits of energy source, and interference from attackers and noise.
Store-and-forward: Every message is temporarily buffered in a node, then forwarded to the next hop when possible. The message will eventually reach its destination.
Flooding:
Opportunistic routing:
4
Trust Evaluation
What is Trust
- My understanding: A composite measurement of a system's efficacy, which often includes security, robustness, performance, and other beneficial attributes
What to trust in DTN?
- Nodes in DTN
What are They Trusted for?
- Competence
  - Energy saving
  - QoS (e.g., low routing delay)
- Security
  - Availability, reliability
  - Not compromised by attackers
Notes: This is my definition. Compromised network nodes may do a variety of bad things, such as dropping messages, intentionally keeping and replaying a message, or modifying messages and inserting misleading content.
5
Provenance
Provenance in Original Meaning
- All the paperwork about an artwork that records its ownership changes
Provenance in Computer Science
- Data lineage, which often includes authenticity and integrity, sometimes auditability of traces of data operation or transfer
- Used for bug finding or responsibility tracing
Notes: Provenance has been used to verify trust, trustworthiness, or correctness of information in many research areas.
6
Content
- Background
- System Models
  - DTN Network Model
  - Key Management
  - Attack Model
- PROVEST
- Experiment
7
DTN Network Model
Node Behavior
- Random-walk speed: $v_i \leftarrow U[v, v']$
- Energy level, initial: $e_i \leftarrow U[e, e']$
- Detection error (false pos/neg): $P_{fp}, P_{fn}$ in the range $0$ to $P_r$, with $P_r \leftarrow (0, 1]$
Behavior seeds
- A malicious node forwards messages with probability $P_f \leftarrow [0, 1]$ (for black hole and grey hole attacks)
- A malicious node randomly attacks with intensity $P_a \leftarrow [0, 1]$ (for fake/no identity, false recommendation, and message modification attacks)
Join and Leave
- Node join rate: $\lambda$
- Node leave rate: $\mu$
Notes:
A node randomly moves to one of five locations (i.e., north, west, south, east, and current location) in accordance with its speed.
Energy represents the capability or competence of node j to do the basic routing function.
$P_f$: Probability of packet forwarding
$P_a$: Probability of attack intensity
Network join rate: $P_\lambda = \lambda / (\lambda + \mu)$
8
Key Management
Group Communication Key: $K_{S,t}$
- To counter outsider attacks
- All group members communicate internally with $K_{S,t}$
Trusted Authorities (TAs)
- Assign $K_{S,t}$ for the group nodes
- To be rekeyed periodically, as $t$ changes
- Different TAs should act accordingly for users from the same group
Notes: The symmetric keys issued at the same time t by multiple TAs are the same so that all legitimate nodes can communicate with the same key. Having all group members contribute to the group key generation based on Diffie-Hellman key exchange WON'T work in sparse DTN.
9
Attack Model
General Assumption
- Messages can be dropped, modified, or forged by attackers or compromised nodes
- All by compromised insiders
Attack Vectors
- Control Based Attacks
  - No/fake identity
  - Black hole
  - Grey hole
  - Whitewashing
  - Packet injection
- Content Based Attacks
  - Fake recommendation
  - Message Modification
Notes:
In order to prevent this newcomer attack, the authenticity of a node is ensured through private/public key pairs which were given in network deployment. To counter message modification: micro-TESLA. Some of the attacks cannot be effectively countered; these will later be the adversarial behaviors, which once detected will be used to lower the compromised parties' trust scores.
- No/fake Identity: Hide real ID in message
- Fake recommendation: Giving misleading opinion
- Message modification: Change essential message content
- Black hole attack: Persistently drop packets to perform DoS attack
- Grey hole attack: Randomly drop packets to perform DoS attack
- Whitewashing: Leave and come back later with a new ID
- Packet injection: Generates additional communication overhead
10
Content
- Background
- System Models
- PROVEST
  - Trust Evaluation
  - SPN Modeling
- Experiment
11
PROVEST - Trust Evaluation
Multidimensional Trust
- Availability, Integrity, Competence
Trust Management
- Trust is evaluated in a peer-to-peer fashion
- Each message embeds indirect evidence of trust evaluation
From Provenance Info (PI) to Evidence of Trust
- PI provided by node $i$: $P_{i,k} = [i, k, O_{i,k}(t)]$
  - $k$: ID of the previous Message Carrier (MC)
  - $O_{i,k}(t)$: node $i$'s opinion towards the attack behaviors and energy level of $k$; includes the # of positive evidence $r$ and # of negative evidence $s$
- A typical message received by a Destination Node (DN) $j$: $[MM, (P_{0,\Phi})_{k_n}, (P_{1,0})_{k_{n-1}}, (P_{2,1})_{k_{n-2}}, \ldots, (P_{m,m-1})_{k_{n-m}}]_{K_{S,t}}$
  - Mission Message (MM): a control message used for mission execution
Notes:
PROVEST: a DTN node collects indirect evidence information through provenance information embedded in messages. The first to consider its use in a provenance-based trust model in DTN environments.
Availability is affected by congestion, mobility, and limited resources available at the node.
Integrity measures how well a node complies with a given protocol, without exhibiting attack behaviors.
Competence reflects a node's remaining battery lifetime (a surrogate for resources available at the node) plus cooperativeness (contributing to reliable packet delivery).
Peer-to-Peer fashion: No need of a TA for centralized trust management.
$O_{i,k}(t)$: includes # of positive evidence $r$ and negative evidence $s$ for each behavior category.
12
PROVEST - Trust Aggregation
Two Sources of Evidence
- Direct evidence: mutual observation when two nodes encounter
- Indirect evidence: the PI one node receives about another node
Bayesian Update
- Upon receiving evidence about $k$ (direct or indirect) with $r$ and $s$
- Then estimate the trust of $k$ by $E_{trust} = r / (r + s)$
To Handle Uncertain Evidence
- PROVEST-Pessimistic: uncertainty negative
- PROVEST-Optimistic: uncertainty positive
- PROVEST-Realistic: uncertainty not considered
- PROVEST-Hybrid: uncertainty dealt with based on historical patterns
Notes:
Bayesian update for each trust dimension.
Uncertain evidence: The indirect trust evidence enclosed in the PI is detected as false and thus cannot be directly used.
13
Attack Model Revisited
Assumption on Attack Behaviors
- Provenance information (PI) messages can be dropped, modified, or forged by attackers or compromised nodes
- MM contains control information of the
14
PROVEST - Evidence Gathering
Trust Computation (node $i$ trustor, node $j$ trustee), evidence triple $(r'_{i,j}, s'_{i,j}, u'_{i,j})$
Availability
- Direct evidence (when $i$, $j$ encounter): (1,0,0) if $j$ replies to $i$; (0,1,0) if $j$ doesn't reply to $i$ ⋯①
- Indirect evidence (when $i$ receives PI about $j$): (0,0,1) if no evidence of $j$; (1,0,0) else if condition A is met; (0,1,0) else
Integrity
- Direct evidence: (0,0,0) if ① is met; $(r, s, u)$ with $r+s+u=3$, depending on the detection of 3 attacks of $j$ from observation
- Indirect evidence: (0,0,0) if there is no evidence of $j$; $(r, s, u)$ with $r+s+u=3$, depending on the estimation of 3 attacks of $j$ based on the PI
Competence
- Direct evidence: (0,0,2) if ① is met; $(r, s, u)$ with $r+s+u=2$, depending on $j$'s energy level and cooperativeness from observation
- Indirect evidence: (0,0,2) if there is no evidence of $j$;
Notes:
Direct integrity trust is measured based on whether a node exhibits three attack behaviors: identity attack (no ID or fake ID inserted in PI), fake recommendation attack (i.e., good mouthing and ballot stuffing attacks), and message modification attack.
Direct competence trust is assessed by a node's energy status and cooperativeness behavior, and thus is measured based on two pieces of evidence.
Condition A: 1) j's ID is in PI, 2) j's ID is authentic, and 3) the previous MC trusts j (> $T_{min}$)
$T_{min}$: minimum trust threshold
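The evidence triples and the uncertainty treatments from the two slides above, as an added Python example (not code from the slides or from the PROVEST authors): it applies the indirect availability rule with condition A to constructed PI records and computes $E_{trust} = r/(r+s)$ per variant. The dict keys, the T_MIN value, the sample records and the Hybrid split rule are assumptions made for illustration.

```python
from fractions import Fraction

T_MIN = 0.5  # constructed value for the minimum trust threshold T_min

def indirect_availability(pi, j):
    """Map one provenance record to an (r, s, u) availability triple for trustee j.

    pi is None when no PI mentions j; otherwise a dict with hypothetical keys
    'id', 'id_authentic' and 'prev_mc_trust' (previous carrier's trust in j).
    """
    if pi is None:
        return (0, 0, 1)                      # no evidence of j: uncertain
    condition_a = (pi.get("id") == j and pi["id_authentic"]
                   and pi["prev_mc_trust"] > T_MIN)
    return (1, 0, 0) if condition_a else (0, 1, 0)

def accumulate(triples):
    """Sum per-message triples into running counts (r, s, u)."""
    return tuple(sum(col) for col in zip(*triples))

def estimate(r, s, u, variant, history=(0, 0)):
    """E_trust = r / (r + s) after folding u in according to the variant."""
    if variant == "pessimistic":              # uncertainty counted as negative
        s += u
    elif variant == "optimistic":             # uncertainty counted as positive
        r += u
    elif variant == "hybrid":
        # Assumed rule, not taken from the slides: split u by the historical r:s ratio.
        hr, hs = history
        share = Fraction(hr, hr + hs) if hr + hs else Fraction(1, 2)
        r, s = r + u * share, s + u * (1 - share)
    elif variant != "realistic":              # realistic ignores u entirely
        raise ValueError(variant)
    return float(Fraction(r) / (r + s)) if r + s else None

# Constructed PI records about node "j": two satisfy condition A, one fails
# authentication, one comes via a distrusting previous MC, two carry no PI on j.
SAMPLE = [
    {"id": "j", "id_authentic": True, "prev_mc_trust": 0.8},
    {"id": "j", "id_authentic": True, "prev_mc_trust": 0.7},
    {"id": "j", "id_authentic": False, "prev_mc_trust": 0.9},
    {"id": "j", "id_authentic": True, "prev_mc_trust": 0.3},
    None, None,
]

def demo():
    r, s, u = accumulate(indirect_availability(pi, "j") for pi in SAMPLE)
    return {v: estimate(r, s, u, v, history=(3, 1))
            for v in ("pessimistic", "optimistic", "realistic", "hybrid")}

if __name__ == "__main__":
    print(demo())
```

With equal counts of positive, negative and uncertain evidence, the same node is scored anywhere from one third to two thirds depending only on how uncertainty is folded in, which is the spread the trust-bias results later compare.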
15
PROVEST - SPN Modeling
Why SPN
- Large number of states
- The underlying model: Continuous Time (semi-)Markov Chain
- Hierarchical SPN technique can be used to derive interactions or trust relationships
PROVEST SPN
- The marks (# of tokens in places) indicate the state of a node
  - Mark(LOC): = 1
  - Mark(ENERGY): hours of battery life
  - Mark(UNAVA): 1 unavailable, 0 available
- Each transition bar indicates the rate at which the corresponding event is triggered
Notes:
Mark(place) is the number of tokens in that place.
The LOC subnet, ENERGY subnet, UNAVA subnet
16
PROVEST – SPN Subnets
1) Location Subnet
- To compute the probability that node $i$ is in a particular grid area $k$ at time $t$, and the encounter interval between two nodes
- Rate(T_LOC) = $v_i / R_t$
  - $v_i$: node $i$'s average speed
  - $R_t$: radio range at time $t$
2) Energy Subnet
- To obtain each node's energy lifetime
- Rate(T_ENERGY) = $T_e$ if mark(UNAVA) > 0; $1/T_e$ otherwise
  - $T_e$: Time to consume one energy token (1 hour)
Notes:
Location Subnet: Since node movements are assumed to be independent, to compute the encounter interval between two nodes, take the product of the two probabilities and take the reciprocal.
Energy Subnet: Energy consumption is halved when the node is unavailable.
17
PROVEST – SPN Subnets
3) Unavailability Subnet
- Rate(T_UNAVA) = $P_{ur} / T_i^{enc}$
  - $P_{ur}$: probability of link unreliability
  - $T_i^{enc} = \sum_{j \in L} \frac{R_t}{(P_i^k P_j^{k'})(v_i + v_j)}$: the average interval before node $i$ encounters another node
  - $L$: set of legitimate nodes of the network
  - $R_t$: radio range
  - $P_i^k$: probability that node $i$ is in area $k$
  - $k'$: neighboring areas of $k$ where node $i$ and $j$ can communicate directly
  - $P_j^{k'}$: sum of probabilities that node $j$ is in $k'$
- Rate(T_RESET) = $1 / T_i^{enc}$
Notes:
$P_i^k P_j^{k'}$: because of the independence
Rate(T_RESET): The rate for a token to be out, indicating availability of node $i$
18
Content
- Background
- System Models
- PROVEST
- Experiment
19
Metrics
$r$: pos. evidence; $s$: neg. evidence
Trust Bias ($B^X$)
- $B^X = \frac{\sum_{t=0}^{LT} B^X(t)}{LT}$
- 𝐵 𝑋 𝑡 = 𝑖≠𝑗 𝑇 𝑗 𝑋 𝑡 − 𝑇 𝑖,𝑗 𝑋 (𝑡) 𝐿 −
- $T_j^X(t) = \frac{r_j^X(t)}{r_j^X(t) + s_j^X(t)}$
Mission Message Correctness ($R$)
- 𝑅= 𝑚∈𝐿 𝑘∈𝐾 𝑅 𝑘,𝑚 (𝑡) 𝐼
- $R_{k,m} = 1$ if $k$ did not modify $m$
- $K$: set of nodes that makes the route of the MM
Message Delay ($D$)
- $D = \frac{\sum_{m \in L} D_m}{I}$
- $D_m$ is the delay for message $m$ to be delivered
Communication Cost ($C$)
- $C = \frac{\sum_{t=0}^{LT} \left( C_e(t) + C_d(t) \right)}{LT}$
- $C_e(t)$: # of trust evaluation messages per sec
- $C_d(t)$: # of delivery messages per sec
Notes: trust accuracy and routing performance. Refer to Table 2 for key default design parameter values.
20
Schemes to Evaluate
- Four variants of PROVEST
- Encounter-based: Using a Bayesian estimation of trust only based on evidence collected upon an encountering event
- Epidemic: Flooding a message to encounters
- PRoPHET: Also flooding based, but selecting the next hop based on the degree of connectivity estimated by historical mobility patterns
- Iterative Trust and Reputation Mechanism (ITRM): Node A collects ratings from nodes (acting as raters) it encounters about node B, and the rater that deviates the most from other raters is flagged as malicious. This process runs in an iterative fashion.
Notes: Iterative fashion: Update rating collection upon encountering every new rater.
21
Experiment Setup
Data Gathering
- Simulated data: from SPN model
- Real data: from CRAWDAD dataset of real human mobility traces
Parameters
- # of nodes
- minimum trust threshold
- node speed
- detection error upper bound
- prob. of attack intensity
- # of msgs each SN sends
- # of msg copies sent by a SN
- a decay parameter in PRoPHET
- consistency threshold in ITRM
- grid size
- system lifetime
- % of compromised nodes
- prob. of link unreliability
- prob. of packet forwarding
- # of source-destination pairs
- initial energy level
- a decay parameter in PRoPHET
Notes: CRAWDAD is based on daily GPS track log collected from Disney World, Florida, USA every 30 seconds.
22
Result: Trust Bias of PROVEST
Observation
- Higher $T_{min}$ reduces integrity trust bias except for the Pessimistic
- The Hybrid works fairly well
Plot annotations: Hybrid wins; Realistic wins; Realistic wins; Pessimistic fails; Optimistic fails
Notes:
In particular, the accurate estimation of integrity trust is critical to successful correct message delivery.
PROVEST-Pessimistic performs significantly worse than other counterparts because it takes uncertain evidence as negative evidence.
PROVEST-Optimistic performs badly, showing significantly high trust bias when estimating a bad node's trust.
23
Result: Performance of PROVEST
Observation
- All schemes incur equally high communication overhead with high $T_{min}$ except for Pessimistic
Notes:
For R: The Pessimistic performs fairly well with low $T_{min}$, while Realistic and Hybrid work well with high $T_{min}$ (Pessimistic is conservative when it comes to message correctness).
For D: Optimistic and Hybrid perform fairly well unless $T_{min}$ is too high.
For C: A higher message delivery rate can also lead to higher communication overhead, except for Pessimistic.
24
Result: Comparison to Other Schemes (1/3)
Observation
- Overall, PROVEST-Hybrid achieves the highest $R$ with the lowest $C$
- Message delay is high with high $T_{min}$ except for Epidemic
Notes: Epidemic guarantees the maximum message delivery but does not ensure the maximum delivery of 'correct' messages.
25
Result: Comparison to Other Schemes (2/3)
Observation
- Encounter-based, ITRM, PROVEST-Hybrid perform equally well in $R$
- The rise of attacks significantly affects $R$, but not $D$ or $C$
- $D$ slightly decreases as a result of attacks dropping packets
- PROVEST-Hybrid outperforms ITRM and Encounter-based in $C$
Notes:
This is a sensitivity analysis.
These three are all trust based.
As $P_{cp}$ increases, $R$ decreases as there are more attackers in the network.
Under a less hostile environment (i.e., $P_{cp} = 0.1$), more messages are delivered, thus there is more traffic.
26
Result: Comparison to Other Schemes (3/3)
Observation
- Basically the same pattern as increasing the attacker percentage $P_{cp}$
- PROVEST-Hybrid outperforms ITRM and Encounter-based in $D$ significantly and in $C$ slightly
27
Result: Validation using Real Mobility Traces
Matched! This implies that the SPN model works great.
CRAWDAD dataset - This Previous result
28
Summary
Trust Evaluation in DTN
- It is hard because of high node mobility and unstable communication channels
PROVEST
- A provenance-based trust evaluation model
- Trust evaluation based on Bayesian updates with positive and negative evidence digested from provenance information
- Four variants: Pessimistic, Optimistic, Realistic, Hybrid
Experiment
- PROVEST-Hybrid significantly reduces the communication cost while maintaining a high correct message delivery ratio, compared to Epidemic, ITRM, Encounter-based, and PRoPHET
29
My Takeaways
- SPN is useful for Markov models with a large state space
- Intuition behind PROVEST's superior performance
  - Provenance information - a new (finer-grained) angle for trust evaluation
  - PROVEST-Hybrid can handle uncertain information in a subtle way and utilize historic patterns
- More Adversarial Scenarios
  - Replay attack? DDOS attack? Fault-tolerance property?
Notes: As the simulated data from SPN matches the CRAWDAD data.
Thanks!