1. 1 Robust Trust Establishment for MANETs by Charikleia Zouridaki ECE Dept., George Mason University Fairfax, VA 22030 Joint work with: Brian L. Mark, Marek Hejmo (GMU) Roshan K. Thomas (SPARTA, Inc.) Network/Computer Security Workshop 2006 Lehigh University, Bethlehem, PA May 15-16, 2006

2. 2 Agenda 1.Introduction – Problem Statement 2.Preliminaries: Overview of Hermes* 3.Trust Evaluation using Acknowledgements 4.Formulation of Opinions 5.Security Analysis 6.Simulation Results 7.Conclusions * C. Zouridaki, B. L. Mark, M. Hejmo, R. K. Thomas, A Quantitative Trust Establishment Framework for Reliable Data Packet Delivery in MANETs. In Proc. 3rd ACM SASN’05, pp. 1-10, November 2005

3. 3 Mobile Ad hoc NETworks (MANETs) vs. infrastructured wireless networks Each computer can communicate with every wireless enabled computer One of the computers is the “bridge” to the wired LAN Each mobile node gets connected to an access point The access point “bridges” the wireless LAN to a wired LAN MANET IETF definition: a MANET is an autonomous system of mobile routers (and associated hosts) connected by wireless links; the union of which forms an arbitrary graph

4. 4 Key Issues and Our Scope Source node S must rely on other nodes to forward its packets on multi-hop routes to destination node D Secure and reliable handling of packets by intermediate nodes is difficult to ensure A malicious node within a route may drop packets Hermes improves the reliability of packet forwarding over multi-hop routes in the presence of malicious nodes both with respect to packet forwarding and trust propagation Hermes accurately computes T i,j Under the assumption that the behavior of a given node with respect to propagating trust is no worse than its behavior in forwarding packets We extend Hermes to relax this assumption  3 types of misbehavior are considered

5. 5 Hermes Overview Collect Observation Data Utilize Information (collected in Phase 1) To form opinion P for each node Use opinions P (derived in Phase 2) To find the most “trusted” Route to D Phase 1Phase 2Phase 3 Hermes does not differentiate malicious packet forwarding behavior from packet loss due to congestion or link breakage.

6. 6 Hermes Overview - detailed observation data trust t confidence c Trustworthiness T Opinion P Averaged opinion Routing opinion V R Between neighbor nodes i, j Between any pair of nodes i, m Application of opinion metric to routing Neighbors: nodes in transmission/reception range t є [0, 1] degree to which a neighbor can be trusted c є [0, 1] measure of statistical dispersion of t T є [0, 1] = f (t, c) P є [0, 1] = f (T) є [0, 1] = f (P) over observation windows V R є [0, 1] = f ( )

7. 7 First-Hand Trust Evaluation Bayesian Framework: Random variable R k є [0, 1], represents a notion of trust over an observation window W : m k = # of forwarded packets, n k = total # of packets Suppose a prior pdf for R k-1 : Then: so: At t = 0: Trust & confidence,, are computed as: At t = 0: beta(20, 20) beta(180, 20)

8. 8 Trustworthiness T / Accumulation of Evidence (x,y)-ellipses in the unit square determine the set of (t,c) pairs that are mapped to T as: θ: [-π/2, 0] and (x,y) determine the mapping from (t, c) to T Accumulation of Evidence nodes snoop all received frames at the MAC layer & record packet delivery statistics of neighbor nodes Windowing mechanisms, systematically expire old observation data to: improve the accuracy of the opinion metric maintain the responsiveness of the system

9. 9 Extension: Trust Evaluation using Acknowledgements Motivation: obtain first-hand information for non-neighbor nodes ACK scheme: uses ACKs, timeouts, NACKs Nodes collect information about downstream nodes si1i1 i3i3 dinin ACK i2i2 si1i1 i3i3 dinin i2i2 NACK si1i1 i3i3 dinin i2i2 FIN

10. 10 si1i1 i3i3 dinin ACK i2i2 si1i1 i3i3 dinin i2i2 NACK DataMAC s,d MAC s,n MAC s,2 MAC s,1 packet ACKr 1 d (k|0)r 1 n (k|0)r 1 2 (k|0)r 1 1 (k|0) ACK packet ACKr 1 2 (k|1)r 1 1 (k|1) NACK packet Authentication of data and ACK/NACK packets

11. 11 Authentication of ACK/NACK packets Let's consider a path R = {s, i 1, i 2,…, i n-1, i n = d}, where n>1, a packet p of sequence number k, the shared key K j,s an one-way hash function h(.) source constructs (n-1)+(n-2) hash chains, each of length three (n-1) for ACK authentication (n-2) for NACK authentication to ensure that malicious intermediate nodes cannot discard the MAC field of another node without being detected r 0 j (k|0) = (Kj,s|| k|| 0): first element for node a i for ACK auth. r 0 j (k|1) = (Kj,s|| k|| 1): first element for node a i for NACK auth. r 1 j (k|0), r 1 j (k|1) & r 2 j (k|0), r 2 j (k|1) are constructed by applying h(.) For S: Data = data||k||r 2 1 (k|0)|| r 2 2 (k|0)|| r 2 3 (k|0)||…||r 2 n (k|0)|| r 2 d (k|0)||r 2 1 (k|1)|| r 2 2 (k|1)|| r 2 3 (k|1)||…||r 2 n (k|1)

12. 12 Trust Evaluation for Forwarding node X keeps packet delivery statistics for all nodes y  compute first-hand t X,y and c X,y according to the Bayesian framework  mapped to T X,y : allows for fine-grained node comparison Good nodes = T > T def, bad nodes = T ≤ T def Goal of the scheme: to identify bad nodes even if it means a good node might temporarily appear as faulty by sending valid NACKs We assume that if node X forwards packet p, it will also forward the corresponding ACK or NACK of p

13. 13 Extended Hermes: without Recommendations Collect Data MAC layer snooping for neighbors ACK scheme for non-neighbors Update Record Packet delivery statistics Update Trustworthiness Tx Opinion Formulation Calculate Routing Opinion Route Selection Px=Tx

14. 14 Recommendations Recommendations accelerate the convergence of the trust establishment procedures Node i asks for recommendations to: establish trust opinion for node m, when T i,m < T accept, evaluate node j as a recommender Good recommender: T R > T def, bad recommender: T R ≤ T def Node i asks for d recommendations: Good recommenders, nodes for which T R < T R accept, Bad recommenders if necessary

15. 15 Algorithm of Recommendations for node i while recommendations for node m are sought do choose recommender set D; obtain f ≤ d recommendations; if T i,m <T accept then temporarily place T tmp i,m = max{T j,m :j in D}; end if run RC-test for recommendation T j,m, for every j in D; update recommender trustworthiness T R i,j, for every j in D; form opinion P i,m ; end while

16. 16 Trustworthiness of Recommendations node i has T i,m and received T j,m from node j The trustworthiness of the recommendation is evaluated as: RC-test: |T i,m -T j,m | ≤ thrthr = threshold The RC-test outcome determines how the trustworthiness of the recommender is updated Exception: j is the upstream neighbor of m, m has initiated more than thr*100% NACKs iji3i3 dinin m NACK

17. 17 Trustworthiness of Recommenders Recommender Trustworthiness T R i,j is the trustworthiness that i places to j in respect to reliable propagation of trustworthiness values T T R is updated according to the Bayesian framework as ~ beta(γ, δ) γ k = γ k-1 + η & δ k = δ k-1 + η η = 1, when RC-test succeeds 0, when RC-test succeeds t R k, c R k, T R k are computed as functions of γ k and δ k

18. 18 Definition of Opinion Generalize the notion of trustworthiness  opinion First-hand & second-hand information max: because trustworthiness T increases with the number of network observations is of bigger value when it has not been propagated many times in the network as recommendation

19. 19 Extended Hermes: with Recommendations Calculate Opinion Combine first-hand trustworthiness & second-hand opinion Run RC-test Update Recommender Trustworthiness Choose Recommender Set Collect Data MAC layer snooping for neighbors ACK scheme for non-neighbors Update Record Packet delivery statistics Update Trustworthiness Tx Trustworthiness Formulation Calculate Routing Opinion Route Selection Opinion Formulation

20. 20 Security Properties of Extended Hermes Ability to model independence in malicious behaviors Robustness against multiple false recommendations Convergence in the identification of bad nodes Resilience against multiple, concurrent and colluding attacks Independence from attack probability and placement Resilience against duplication and replay

21. 21 Simulation Results 10 nodes randomly placed in a 500 x 500 m area wireless radio transmission range = 250 m traffic flows are generated randomly, as a function of number of network nodes min and max allowed number of nodes on a route  one or more attackers may participate per flow  attackers may be neighbors or non-neighbors Nodes (randomly chosen) exhibit four types of behavior: Type I: Good nodes and good recommenders; Type II: Bad nodes and good recommenders; Type III: Good nodes and bad recommenders; Type IV: Bad nodes and bad recommenders.

22. 22 Simulation 1: Network View 8 random traffic flows, along different paths number of nodes on a route: min=4, max = 7 Nodes 1, 3, 4, 5, 8, 9, 10: Type I Node 7: Type II: forwards 20% of packets Node 6: Type III: propagates recommendations of P = 0.5 Node 2: Type IV: forwards 20% of packets, propagates recommendations of P = 0.5 Source nodes send 100 data packets/round trustworthiness parameters are set as x = sqrt(2) and y = sqrt(9) threshold thr=0.1

23. 23 Simulation 1: Opinion of good node/recommender for all other nodes after (a) 1, (b) 3, (c) 10, (d) 30 rounds

24. 24 Simulation 1: Network view P i,j, T R i,j (a) Opinion P i,j (b) Trustworthiness T R i,j

25. 25 Simulation 1: Network View P i,j (a) with (b) without Recommendations (b)

26. 26 Simulation 1: Node Behavior Changes nodes 1, 4, 5, 8, 9, 10: Type I nodes 2, 6: bad recommenders, propagating P = 0,5 node 3: Type II node 2 is good: rounds 1-5, bad: 6-50 (Type III  Type IV) node 7 is bad: rounds 1-10, good 11-50 (Type II  Type I) node 6: Type III Good nodes = forward 100% packets Bad nodes = forward 20% packets Threshold thr = 0,1

27. 27 Simulation 2: Convergence Comparison BN-recognition %: the % of all bad nodes that are recognized as bad by all the members of the network nodes 1, 3, 4, 5, 8, 9, 10: Type I node 7: Type II node 6: Type III node 2: Type IV Good nodes: forward 100% of packets Bad nodes 20% Good recommenders propagate valid trust values Bad recommenders send P = 0,5 Initially: 1 flow, add: 1 flow/round number of nodes on a route = 5 Threshold thr = 0.1 Trustworthiness parameters: x = sqrt(2), y=sqrt(9)

28. 28 Simulation 3: Hermes 2 vs. Hermes 10 nodes, 5 traffic flows Node 9: Bad, forwards 20% of packets Hermes: bad nodes = bad recommenders  T def used for trustworthiness calculation of nodes downstream of bad node We simulated that: node 9 = bad recommender that propagates P = T def Other nodes forward 90% of packets

29. 29 Conclusion Main contributions of extended Hermes: an acknowledgement scheme for first-hand trust information with respect to non-neighbor nodes a recommendation scheme that is robust against the propagation of false trust information Summary of extensions to Hermes: allows nodes to form accurate opinions for any network node models the independence of malicious behavior with respect to packet forwarding and trust propagation identifies the effect of attacks by individual or colluding malicious nodes

30. 30 Thank you! Questions?