witness-based detection of forwarding misbehavior in wireless networks

UUNIVERSITY OF NIVERSITY OF MMASSACHUSETTSASSACHUSETTS, A, AMHERST • MHERST • Department of Computer Science Department of Computer ScienceUUNIVERSITY OF NIVERSITY OF MMASSACHUSETTSASSACHUSETTS, A, AMHERST • MHERST • Department of Computer Science Department of Computer Science

Witness-based Detection of Forwarding

Misbehavior in Wireless Networks

Sookhyun Yang, Sudarshan Vasudevan, Jim Kurose

University of Massachusetts Amherst

UUNIVERSITY OF NIVERSITY OF MMASSACHUSETTSASSACHUSETTS, A, AMHERST • MHERST • Department of Computer Science Department of Computer Science

Outline

Introduction Witness-based detection:

approach Witness-based detection:

properties Detection accuracy with

unreliable links

Motivation In a wireless ad-hoc network, an authenticated

node on forwarding path can be compromised

Goal: verify that each node on data forwarding path is correctly forwarding packets

Control-plane verification: against routing control disruption

Data-plane verification: against forwarding misbehavior

This paper: witness-based detection to verify correct (data-plane) forwarding, identify source(s) of forwarding misbehavior.

Problem Statement

Reliable hop-by-hop data forwarding in a wireless ad hoc network

Source Destination

S A B C Dackackackack

data data data data

Problem Statement

Reliable hop-by-hop data forwarding in a wireless ad hoc network

Source Destination

S A B C Dackackackack

data data data data

Question: How to verify that node B correctly forwards frame to Con S-A-B-C-D path?

Prior Work: Neighborhood Watch

Node B’s transmission rangeNode A’s

transmission range

Witness node W overhears A and B, decides B’s forwarding correctness based on mismatch

rate between incoming and outgoing data packets at B.

Decision is error-prone so approach depends on long-term or cumulative observation for high

accuracy!

Prior Work: Data-path-based Detection

ACKACK

Without witness nodes, upstream node A decides node B’s forwarding correctness based on node C’s ACK packet forwarded by node B.

Decision is also error prone: node C can be compromised and a reverse path from node C to

node A can be unreliable!

Outline

unreliable links

Our Work: Witness-based Detection

Upstream node A decides node B’s forwarding correctness based on “tamper-proof evidence”

transmitted through diverse paths.

Node C’s transmission rangeNode B’s

transmission range

Evidence

Tamper-proof Evidence B-signed message checksum:

Timestamp t

KB( )Private key of

a data forwarder,

node B

MessageM

Address of a data

recipient, node C

|addr(C)H[ ]

Node B says “I sent message M to node C.”

Node C’s Evidence Generation

Data = M | B-Signed message checksum

KC( ) , tc

, H[M|addr(C)]

Node C says “I received message M at tc from node B.”

B-Signed message checksum

“ACK-based Evidence”

Node W’s Evidence Generation

Data = M | B-Signed message checksum

1. W generates “Data-based evidence”: KW(B-Signed message checksum, H[M|

addr(C)], tW)

Node W says “I overheard message M at tw from node B.”

2. W relays “ACK-based evidence:W

ACK-based evidence

Node W says “I overheard node C saying it (node C) received message M at tc

from node B”

Node A’s Decision Algorithm on Node B

Initially assume that once evidence is successfully generated, evidence does not fail to reach node A.

Lemma1: No evidence implies that node B does not correctly forward a data packet to node C.

Lemma2: Consistent evidence implies node B correctly forwards a data packet to node C.

For deriving whether evidence is consistent, upstream node A knows the correct checksum and message order.

If the checksum and message order of evidence do not have difference from node A’s, we call that evidence consistent.

Outline

unreliable links

When Node B is Compromised Packet drop: no evidence received at A

Acompromised

When Node B is Compromised Fake forwarding: inconsistent Data-

based evidence received from witness node W and no ACK-based evidence from node C

compromised

Inconsistent evidence

What if Node W or C is Compromised?

Badmouthing: W or C is compromised W or C can generate fake inconsistent evidence

for falsely accusing uncompromised node B. If there is at least one uncompromised node,

node A can receive consistent evidence from that node.

If there is no collusion, node A can recognize node W is compromised.

B CAData packet

WcompromisedInconsistent evidence

Consistent evidence

When Multiple Nodes Are Compromised

Node B is not compromised If there is at least one uncompromised

node, node A receives consistent evidence as well as inconsistent evidence.

compromised

Inconsistent evidence

Consistent evidence

When Multiple Nodes Are Compromised

Node B is compromised If node B and node W1 do not

collude, consistent evidence cannot exist.

compromised

Outline

unreliable links

Detection Accuracy in Lossy Links

With reliable links, witness-based detection has no detection errors.

Using an analytical model, we compare data-path-based detection with witness-based detection in lossy links.

ploss: the loss probability that a node fails to receive or overhear a packet from its one-hop neighbor

pc: the probability that a node is compromised Λ: the expected number of witness nodes based on

2D-Poisson distribution Metric

FPP (False Positive Probability) FNP (False Negative Probability): Without collusion, FNP is

equal to 0 in both detection schemes.

Data-path-based detection

pc=0.5Consistent evidence can be lost in lossy links.

As density of witness nodes (Λ) grows, FPP decreases by enhancing the availability of

consistent evidence.

When a link is reliable, case 2 (badmouthing)

dominates FPP.

When a link is unreliable, FPP by case 1 increases,

but FPP by case 2 decreases.

UUNIVERSITY OF NIVERSITY OF MMASSACHUSETTSASSACHUSETTS, A, AMHERST • MHERST • Department of Computer Science Department of Computer Science 24

Conclusion Witness-based detection makes

instantaneous decision more precise by using witness nodes, rather than longterm or cumulative observation.

Witness-based detection supports error-free detection under various threat scenarios in reliable links.

Using an analytical model, we showed that witness-based detection can support low FPP and no FNP even in the presence of lossy wireless links.

Open Questions

Collusion Evaluation of Communication

Overhead

UUNIVERSITY OF NIVERSITY OF MMASSACHUSETTSASSACHUSETTS, A, AMHERST • MHERST • Department of Computer Science Department of Computer ScienceUUNIVERSITY OF NIVERSITY OF MMASSACHUSETTSASSACHUSETTS, A, AMHERST • MHERST • Department of Computer Science Department of Computer Science

Thank you!Q&A

witness-based detection of forwarding misbehavior in wireless networks

Documents

detection of routing misbehavior in manets

phy layer access misbehavior in wlan networks

domestic tourism challenges: tourist misbehavior

causes of pupil misbehavior

beyond hospital misbehavior: an alternative account of

lvt design - ways to deal with misbehavior

unethical culture, suspect ceos and corporate misbehavior

a light-weight countermeasure to forwarding misbehavior in...

mistake and misbehavior in bankruptcy

juvenile court jurisdiction over noncriminal misbehavior

selﬁsh mac layer misbehavior in wireless...

on reputation and data-centric misbehavior detection

cross-layer analysis for detecting wireless misbehavior

overcoming misbehavior mobile ad hoc networks

misbehavior in organizations: a motivational...

mitigating routing misbehavior in mobile ad-hoc networks...

typical misbehavior of children.pptx

scientific misbehavior jiunn-ren roan fall 2006. what is...

misbehavior, suspensions, and security measures in...

overlapping communities for identifying misbehavior in...