1. Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture 12: Distributed Trust Dr. Kemal Akkaya E-mail: kemal@cs.siu.edu

2. Kemal AkkayaWireless & Network Security 2 Trust Management in MANETs/WSNs  All participants actively contribute to network activities such as routing and packet forwarding  Special characteristics:  limited memory  perishable battery power  lower bandwidth  Two approaches:  Monitoring-based CONFIDANT Watchdog  Reputation-based CORE RFSN

3. Kemal AkkayaWireless & Network Security 3 Limitations of network security  Distributed collaborative data processing  Network security -> Make sure that only authenticated nodes participate.  Network security cannot -> Verify if nodes function properly  Distributed data gathering  Network security can -> message integrity, confidentiality, secure relaying.  Network security cannot -> data authentication. How do nodes trust each other? How do nodes trust the information provided by other nodes?

4. Kemal AkkayaWireless & Network Security 4 CONFIDANT  Buchegger, S. and Le Boudec, J. 2002. Performance analysis of the CONFIDANT protocol. In Proceedings of the 3rd ACM international Symposium on Mobile Ad Hoc Networking &Amp; Computing (Lausanne, Switzerland, June 09 - 11, 2002). MobiHoc '02. ACM, New York, NY, 226-236.  Detect, prevent, and/or discourage:  No forwarding (of control messages or data)‏  Traffic deviation Advertise many routes Advertise routes too often Advertise no routes  Route salvaging, rerouting to avoid a broken although no error has been observed  Lock of error messages, although an error has been observed (and vice versa)‏  Silent route change (tampering with message headers of either control or data packets)‏

5. Kemal AkkayaWireless & Network Security 5 Reputation Systems response to Attacks  A different method to handling attacks is to prevent them:  Only allow good nodes onto the network  Secure key to access network  Reputation systems detect misbehavior and then try to thwart attacks.  A good idea even if other methods have been used to prevent attacks and secure access  Inspiration of CONFIDANT: Richard Dawkin's The Selfish Gene  Suckers  Cheats  Grudgers

6. Kemal AkkayaWireless & Network Security 6 CONFIDANT built on top of DSR  Dynamic Source Routing (DSR)‏  Reactive/On-Demand routing  Nodes send a ROUTE REQUEST message  Neighbors add themselves to the source route and forward it on  If the receiving node is the destination or has a route to the destination it sends a REPLY message with the full route  First received ROUTE REPLY wins  Failed links can be salvaged by partial alternate route  Routes are cached for some period of time  Observed Behavior  'Neighborhood Watch' behavior that is directly observed, overheard, by the node.  Reported Behavior  Share experienced misbehavior and learn from friends.

7. Kemal AkkayaWireless & Network Security 7 CONFIDANT Components  The Monitor  Directly observes behavior  The Trust Manager  Sends and receives ALARMs  The Reputation System  Node Rating  The Path Manager  Route management based on Reputation  (Every nodes implements all of these components)‏

8. Kemal AkkayaWireless & Network Security 8 The Monitor  Directly observes behavior  no forward (only observation implemented in this simulation)‏  Packet alteration  Data packets  Routing packets  Consistent claim of neighboring nodes  Any other observable metric

9. Kemal AkkayaWireless & Network Security 9 The Trust Manager  Generate an alarm on experienced or observed misbehavior.  Forward alarm on received report of misbehavior.  Maintain trust table to determine trustworthiness of alarm  Determining trust level algorithm is an open question in paper  Table of nodes and their rating.  Weighted between past rating and newly observed behavior and reported reputation.  Only negative experience is counted  Positive change and timeout are not addressed yet.  Assume negative behavior is rare, and probably means node can never be trusted. The Reputation System

10. Kemal AkkayaWireless & Network Security 10 The Path Manager  Path re-ranking according to security metric (re-rank route based on reputation).  Deletion of paths containing malicious nodes.  Action on receiving a request for a route from a malicious node (ignore request).  Action on receiving request for a route containing a malicious node in the source route (ignore, alert source).

11. Kemal AkkayaWireless & Network Security 11 CONFIDANT Results

12. Kemal AkkayaWireless & Network Security 12 CONFIDANT Results

13. Kemal AkkayaWireless & Network Security 13 Watchdog and Pathrater  S. Marti, T.J. Giuli, K. Lai, and M. Baker, “Mitigating Routing Misbehavior in Mobile Ad Hoc Networks,” Proc. MobiCom '00.  Extra facilities added to the network to detect and mitigate routing behavior.  Two extensions to DSR:  Watchdog identifies misbehaving nodes by overhearing transmissions  Pathrater avoids routing packets through these nodes

14. Kemal AkkayaWireless & Network Security 14 Watchdog  The watchdog is implemented by  maintaining a buffer of recently sent packets  compare each overheard packet to buffered packets to see if there is a match. If so, the packet in the buffer in removed and forgotten.  A certain timeout indicates a failure tally – count it and see if it exceeds a bandwidth threshold. If so, send a message back to the source.  Advantages  It can detect misbehavior at the forwarding level  Disadvantages  It might not detect a misbehaving node, due to Ambiguous collisions Receiver collisions Limited transmission power False misbehavior Collusion Partial dropping

15. Kemal AkkayaWireless & Network Security 15 Disadvantages  Honest Nodes  Ambiguous collisions  Receiver collisions  Dishonest Nodes  Transmission power intentionally limited by a dishonest node  False misbehavior report by malicious node  Multiple dishonest nodes in collusion (groups of nodes)  Partial dropping by a dishonest node

16. Kemal AkkayaWireless & Network Security 16 PathRater  The pathrater, run by each node, combines knowledge of misbehaving nodes with link reliability data to pick the route.  Each node maintains a rating for every other node it knows about in the network  It calculates a path metric by averaging the node rating in the path. If there are multiple paths to the same destination, the path with the highest metric is chosen.

17. Kemal AkkayaWireless & Network Security 17 Simulation Results  Combined use of  WD – Watchdog  PR - PathRater  SRR – Extra Route Request  Two mobility scenarios  Performance Metrics  Throughput: The percentage of sent data packets actually received by the intended destinations  Overhead: The ratio of routing-related transmissions to data transmissions in a simulation  False positives: False positives occur when the Watchdog mechanism reports that a node is misbehaving when in fact it is not  Compromised nodes: from 0% to 40%

18. Kemal AkkayaWireless & Network Security 18 Throughput as % of misbehaving nodes

19. Kemal AkkayaWireless & Network Security 19 Throughput as % of misbehaving nodes

20. Kemal AkkayaWireless & Network Security 20 Overhead as % of misbehaving nodes

21. Kemal AkkayaWireless & Network Security 21 Overhead as % of misbehaving nodes

22. Kemal AkkayaWireless & Network Security 22 Throughput in presence of false detections

23. Kemal AkkayaWireless & Network Security 23 Reputation based Trust: CORE  CORE: A Collaborative Reputation Mechanism to enforce node cooperation in Mobile Ad hoc Networks”.  Proposed by Michiardi and Molva to enforce node cooperation in MANETs based on a collaborative monitoring technique  Nodes modeled as a members of a community  The reputation is formed and updated along the time.  assigns more weight to the past observations than the current observations  Three types of reputation  subjective reputation  indirect reputation  functional reputation

24. Kemal AkkayaWireless & Network Security 24 CORE Details  Has two protocol entities  Requester refers to a network entity asking for the execution of a function f  Provider refers to any entity supposed to correctly execute the function f  Each node maintains  An RT Table for each function f  An entry in RT has:  unique ID  recent subjective reputation  recent indirect reputation  composite reputation for a predefined function  RTs updated in two situations:  during the request phase  during the reply phase  Each node is also equipped with a watchdog mechanism for promiscuous observation.

25. Kemal AkkayaWireless & Network Security 25 Reputation based Trust in WSNs  S. Ganeriwal and M. Srivastava. Reputation-based framework for high integrity sensor networks. In proceedings of the 2nd ACM workshop on Security of ad hoc and sensor networks (SASN ’04), October 2004 pp. 66-77.  The first reputation and trustbased model designed and developed exclusively for sensor networks.  Distributed, symmetric reputation-based model that uses both first-hand and second-hand information for updating reputation values.  Nodes maintain the reputation and trust values for only nodes in their neighborhood.

26. Kemal AkkayaWireless & Network Security 26 Reputation based framework for sensor networks (RFSN) Embedded in every social network is a web of trust  How does human societies evolve?  Principle of reciprocal altruism Be nice to others who are nice to you  When faced with uncertainties Trust them who have the reputation of being trustworthy Proposed solution: Form a similar community of trustworthy nodes in the network over time

27. Kemal AkkayaWireless & Network Security 27  Sensor network already follow a community model  Individual nodes do not have any utility  Collaborative information gathering, data processing and relaying.  Missing element is trust….  Nodes are dumb and they collaborate with every node.  Internal adversaries exploit this very fact!  Faulty sensors results in equally detrimental effects.  RFSN incorporates intelligence into nodes  Exposes trust as an explicit metric!  Cooperate with ONLY those nodes that are trustworthy. Why this approach?

28. Kemal AkkayaWireless & Network Security 28 Architecture of RFSN n Observe the action of other nodes – Watchdog mechanism n Develop a perception of other nodes over time – Reputation n Share experiences to facilitate community growth – Second hand information n Predict their future behavior – Trust n Cooperate/Non-cooperate with trustworthy nodes – Behavior Watchdog mechanism Reputation TrustBehavior Second hand information

29. Kemal AkkayaWireless & Network Security 29 Integration of approaches Development of high integrity sensor networks will be a combination of techniques from different fields Watchdog mechanism Reputation TrustBehavior Second hand information Protocol Development Monitoring Data Analysis Statistics…. Cryptography Decision theory

30. Kemal AkkayaWireless & Network Security 30 Reputation representation  Probabilistic formulation  Use beta distribution to represent reputation of a node. Reputation of node j from the perspective of node i  Why beta distribution?  Simple to store: Just characterized by 2 parameters.  Intuitive: α and β represents magnitude of cooperation and non-cooperation.  Efficient: Easy reputation updates, integration, trust formulation.  Maintain reputation for just neighboring nodes  Use locality – Provides scalability.

31. Kemal AkkayaWireless & Network Security 31 Reputation propagation  What to propagate?  Constraints Information about good nodes – Saves from bad mouthing attacks Independent information – Critical to derivation in earlier slide

32. Kemal AkkayaWireless & Network Security 32 Simulation study - NESLsim  Simulation set up  Comparison with DUMB-RFSN Representative of heuristic based approaches. Metric : Trust between node i and j. Parameter choices : Threshold (0.9), Initialization (Beta(1,1)). Consistent data module i j Routing module

33. Kemal AkkayaWireless & Network Security 33 Bad Mouthing Attacks Attack: Propagate false bad reputation information about good nodes Countermeasure: Good Reputation System Set up: Node j cooperates fully Scenario 1: 1 malicious child DUMB-RFSN: Node i will conclude wrongly node j to be malicious. RFSN: Completely resilient.

34. Kemal AkkayaWireless & Network Security 34 Bad Mouthing Attacks (Contd..) Set up: Node j cooperates fully Scenario 2: 4 malicious children, 1 good child DUMB-RFSN: Performance is more worse. RFSN: Neglects bad nodes. Selectively takes advantage of 1 good node.

35. Kemal AkkayaWireless & Network Security 35 Ballot Stuffing Attack: Malicious nodes propagate false good reputation information. Countermeasure: Weight the second hand information appropriately Set up: Node j is malicious and colludes with malicious children nodes. Scenario 1: 1 malicious child RFSN: Completely resilient. DUMB-RFSN: Node i will conclude node j to be trustworthy.

36. Kemal AkkayaWireless & Network Security 36 Comparison MetricRFSNConfidantCoreE-bayPeerTrust ArchitectureDistributed CentralizedDistributed ContextSensor Networks Ad-hoc Networks InternetPeer-to-peer networks ScopeCompromise d / Faulty nodes Routing misbehavior Routing Misbehavior E-tradingChoosing the right peer FormulationBayesian formulation based on decision theory Heuristics/ Bayesian formulation based on game theory Heuristics based on game theory Heuristics Reputation propagation Only goodOnly badOnly goodBoth god and bad Both good and bad MaintenanceLocal Global