Effects of adding Arbitrary Physical Nodes to a Mobile Ad-Hoc Network Utilizing an Anonymity System By Ian Cavitt.


Arbitrary Physical Node (APN): Essentially a dummy node. More utility, higher cost. Uses: create hierarchy, obfuscate location information, add to TAP (traffic analysis prevention) countermeasures, increase the cost of specific attacks.

Project Goals: The original project goal was to focus on increasing resilience to traffic analysis (TA). One of the first things most anonymous routing protocols for a MANET covered was TA resilience.

Project Goals - Issues with Original Goal: Left is before adding a dummy node. The thought was that key node placement would help create a network topology closer to what the neutral matrix assumed. Hugely important, because an attacker can derive physical locations and predict movements via traffic analysis. Location privacy is one of the first things most anonymous routing protocols handle. Done via: location unlinkability; completely hiding location information.

Project Goals: The original project goal was to focus on increasing resilience to traffic analysis (TA). One of the first things most anonymous routing protocols for a MANET covered was TA resilience. Evolved goals: analyze popular routing protocols used in MANETs; design solutions using APNs to strengthen the network. A solution cannot be something that is already solved via changes or updates to the routing protocol. The reason is that APNs are awkward to implement, and updating the protocol is likely cheaper.

Arbitrary Physical Node: Several different setups: a small network of them; multiple nodes scattered throughout the MANET; a single node. Some may also have a specialized antenna or algorithms that do not completely follow the routing protocol. In many cases this is simply analyzing what it would be like to get closer to an ideal network topology.

Anonymous Routing Protocols: ALARM, ANODR.

ALARM Basics - Strengths: Very robust system, few weaknesses. It is proactive: it doesn’t use route discovery and knows destination locations. Strengths: no public node identities; location unlinkability (appearances at one location cannot be linked to appearances at another); good performance; resistant to passive attacks.

ALARM Basics - Weaknesses: Not scalable: it floods the network with requests every t seconds, so all nodes know all other location information and can create a graph. Weak to location fraud: an active attack, where a compromised node falsifies its location info. Predictive mobility: all location data is very easy for an attacker to view; combined with knowledge of the geography of the area, the attacker can predict node movement and link appearances.

Scalability: Consider a large MANET that needs to expand. Use an APN with a different protocol to extend to the new area.

Scalability: Typically, location information requests flood the entirety of the network, which allows every node to construct a graph of the entire network. This is not scalable. The APN doesn’t follow the typical routing protocol: it holds network information but doesn’t forward requests to the new area. The APN also holds routing info for the second area.

Scalability - Communication through the APN: A node first checks with the APN whether a node exists at or around the desired location. It then sends its message to the APN, which forwards it through the other area of the network.

Gateway APN Pros/Cons: Pro: flooding no longer goes throughout the entire network. Can be expanded further with more APNs to further split up the network. Con: single point of failure; being able to compromise the APN that forwards requests could result in a massive DoS. Implementation overhead (a con basically wherever an APN is used).
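The gateway APN described on the scalability slides, modelled as an added example (not part of the original presentation). The two-area topology, node names and function names are constructed assumptions; the sketch measures how far a flooded location announcement travels, what each node can learn, and what happens when the gateway is lost.

```python
from collections import deque

# Constructed topology: areas A and B are joined only through the node "apn".
LINKS = [("a1", "a2"), ("a2", "a3"), ("a3", "a4"), ("a1", "a3"),
         ("a4", "apn"), ("apn", "b1"),
         ("b1", "b2"), ("b2", "b3"), ("b3", "b4"), ("b1", "b3")]

def build_adj(links, down=()):
    """Undirected adjacency map; nodes listed in `down` are removed."""
    adj = {}
    for u, v in links:
        if u in down or v in down:
            continue
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj

def flood(adj, origin, non_forwarding=()):
    """Nodes that receive a flooded announcement sent by `origin`.
    Nodes in `non_forwarding` receive floods but never rebroadcast them."""
    seen, queue = {origin}, deque([origin])
    while queue:
        node = queue.popleft()
        if node in non_forwarding and node != origin:
            continue  # gateway behaviour: store the info, stop the flood
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def known_origins(adj, observer, non_forwarding=()):
    """Origins whose announcements reach `observer`, i.e. its network graph."""
    return {o for o in adj
            if o != observer and observer in flood(adj, o, non_forwarding)}

def unicast_reachable(adj, src, dst):
    """Unicast messages are forwarded by every node, including the gateway."""
    return dst in flood(adj, src)

if __name__ == "__main__":
    adj = build_adj(LINKS)
    print("flood scope, plain flooding:", len(flood(adj, "a1")))
    print("flood scope, gateway APN   :", len(flood(adj, "a1", {"apn"})))
    print("graph held by a1 :", sorted(known_origins(adj, "a1", {"apn"})))
    print("graph held by apn:", sorted(known_origins(adj, "apn", {"apn"})))
    lost = build_adj(LINKS, down={"apn"})
    print("a1 -> b4 with APN lost:", unicast_reachable(lost, "a1", "b4"))
```

In this model the gateway ends up holding the location graph of both areas while ordinary nodes see only their own, which is why its compromise or loss is the costly case named in the cons.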

Location Fraud: An active attack via a compromised node. Because pseudonyms aren’t linkable, and appearances aren’t either, the attacker doesn’t actually get much out of having the network graph. Assume an arbitrary k out of n nodes are moving. The compromised node lies about its location information. Either it appears closer to certain nodes, which then more often attempt to route through it, or it appears further away so nodes don’t try to route through it.

Location Fraud: Unless the admins of the network can predict the appearance of a compromised node, an APN can’t do much. Even in the case where the appearance is predicted, the compromised node can either spoof a new location or physically move. In either case the APN fails to thwart the attack for very long.

Predictive Mobility: Appearances on the graph aren’t linkable to other appearances. But if there are limited routes available to a node based on its surrounding area, its movement can be predicted and its appearances on the graph linked. Movement can be obfuscated in a few ways.

Obfuscating Movement - Method 1: The standard ALARM protocol assumes all nodes have the same broadcast range. Using an APN with an extended antenna can create one-way communication to completely hide a moving node. The APN functions as a proxy that forwards messages to a general area that the hidden node will be in. Anyone who wants to communicate with it sends the message to the proxy APN. Cons: specialized hardware; the general area for the hiding node must be known (the hiding node is limited to a certain area); communication is only in one direction. Pro: the node has complete location privacy.

Obfuscating Movement - Method 2: Use an APN that does location fraud and coordinates its spoofed locations with the moving node that could be linked. One of two results: either the minimum k nodes for the n in the area is met and appearances remain unlinkable, or location linkability breaks down into an anonymity set based on the nodes in the area. A similar idea is to have the APN dedicated to creating phantom nodes. This is only good if the area around the moving node is essentially empty; otherwise phantom nodes would create a DoS where real nodes would attempt and fail to route to them. Even in this case, measures have to be implemented so that phantom nodes are far enough from the moving node for messages to be forwarded correctly.

Obfuscating Movement - Method 3: A small network of APNs with two antennas each: one standard antenna for communication with the rest of the network, and one short-range antenna for broadcasting within the network of APNs to coordinate between them. The network of APNs would imitate movement by switching which ones have their location shared, all using the same pseudonym. Worst case: reduces the anonymity set to at least two. Best case: locations are unlinkable again. Cons: an adversary in close physical proximity would detect control messages between APNs and figure out that they are essentially dummies; the network of APNs has to be implemented ahead of time, anticipating movement in a low-population area. This can be mixed with Method 2 to increase the range of areas in which it can obfuscate movement.

ANODR: One of the first anonymous routing protocols. Often used as a comparative standard. Most texts designing new protocols will recommend making adjustments to this instead. The reasons are that it is hugely resilient, and designed in such a way that different aspects of the algorithm aren’t tightly coupled. Strengths: location privacy; dynamic pseudonyms (pseudonyms are created for each route the node participates in); receiver anonymity is guaranteed in all but the most extreme cases.

ANODR Basics - Weaknesses: No anonymity weaknesses under normal circumstances. High computational overhead: each forwarding node (the protocol uses routing similar to onion routing to discover routes) has to generate a new secret key pair for every RREQ (route request packet). Whenever a node decides to forward, it has to decrypt (worst case) with every private key to determine where to forward to.

Abnormal Circumstances: Low network utilization and few nodes in the network. Like onion routing, it needs “many” participants. Still fairly resilient to TA and active attacks. Use APNs scattered throughout the network to artificially boost utilization; they function only as dummy nodes here. Generation of dummy packets falls to the APNs to avoid inducing more computation on actual users. Prioritize sending to other APNs to reduce the cost on non-dummy nodes. If it is known that this network is set up with dummy nodes, APN routing can be slightly edited to include detours; this has to be known info so senders can add extra padding. Traffic is further obfuscated. For an external observer this doesn’t make much difference. An internal observer will have to have corrupted more nodes to gain info. Attackers don’t gain any more info from a longer route: even with a compromised node, or several, senders and receivers don’t know all the routing info.

Conclusions: High cost, but can cover certain weaknesses. Depends on the routing protocol. “Fixing” ALARM scalability is simple and fairly low cost. Mostly just awkward implementations, which need anticipation of one’s own network behavior.

Future Research: Actually simulating the APNs. “Solutions” I didn’t cover: I didn’t cover fixes that had a software implementation because I assumed they would be cheaper. Actually comparing the costs and effectiveness of an APN vs. an updated protocol in simulation. Effects of adding them to a MANET without anonymous routing: TA resistance; setting up some to act as mixes; Many as many different mixes; a network of them covering an entire geographic area to provide weak location privacy.

Sources:
Defrawy, K., & Tsudik, G. (2011). ALARM: Anonymous Location-Aided Routing in Suspicious MANETs. IEEE Transactions on Mobile Computing, 10(9), Retrieved December 6,
Kong, J., & Hong, X. (n.d.). ANODR. Proceedings of the 4th ACM International Symposium on Mobile Ad Hoc Networking & Computing - MobiHoc '03.
Newman, R., Moskowitz, I., Syverson, P., & Serjantov, A. (n.d.). Metrics for Traffic Analysis Prevention. Privacy Enhancing Technologies.
Vargheses, S., & Raja, I. (n.d.). A Survey on Anonymous Routing Protocols in MANET. Recent Advances in Networking, VLSI and Signal Processing.
Vijayan, A., & Thomas, T. (2014). Anonymity, unlinkability and unobservability in mobile ad hoc networks. International Conference on Communication and Signal Processing.