effects of adding arbitrary physical nodes to a mobile ad-hoc network utilizing an anonymity system...
TRANSCRIPT
Effects of adding Arbitrary Physical Nodes to a Mobile Ad-
Hoc Network Utilizing an Anonymity System
By Ian Cavitt
Arbitrary Physical Node
• Essentially a dummy node• More Utility, Higher Cost
• Create hierarchy, obfuscate location information, addition to TAP countermeasures, increase cost of specific attacks
Project Goals
• Original Project Goal was to focus on increasing resilience to traffic analysis
• One of the first thing most anonymous routing protocols covered for a MANET was TA resilience
Project Goals- Issues with Original Goal
• Left is before adding a dummy node• Thought was key node placement, would help create a network topology closer to what the
neutral matrix assumed• Hugely important because an attacker can derive physical locations and predict movements via traffic analysis
• Location privacy is one of the first things most anonymous routing protocols handle• Done via location unlinkability• Completely hiding location information
Project Goals
• Original Project Goal was to focus on increasing resilience to traffic analysis
• One of the first thing most anonymous routing protocols covered for a MANET was TA resilience
• Evolved Goals• Analyze popular routing protocols used in MANETs• Design solutions using APNs to strengthen the network
• Cannot be something that is already solved via changes or updates to the routing protocol
• Reason being is APNs are awkward to implement, and updating the protocol is likely cheaper
Arbitrary Physical Node
• Several different set ups• Small network of them• Multiple nodes scattered throughout MANET• Single node• Single node
• Some may also have specialized antenna or algorithms not completely following the routing protocol
• Many cases this is simply analyzing what it would be like to get closer to an ideal network topology
Anonymous Routing Protocols
• Alarm• AnoDR
Alarm Basics-Strengths
• Very robust system, few weaknesses• Is Pro-Active – doesn’t use route discovery, knows destination
locations• Strengths
• No public node identities• Location unlinkability-Appearances at a location cannot be linked to
appearances at another• Good performance• Resistant to passive attacks
Alarm Basics-Weaknesses
• Not scalable• Floods network with requests every t seconds, so all nodes know all other
location information and can create a graph
• Weak to location fraud• Active attack, where a compromised node falsifies its location info
• Predictive Mobility• All location data is very easy to view for an attacker, along with knowledge of
geography of area, can predict node movement and link appearances
Scalability
• Consider large MANET that needs to expand• Use an APN with different protocol to extend to new area
Scalability
• Typically location information requests flood the entirety of the network, this allows every node to construct a graph of the entire network
• Not scalable• APN doesn’t follow typical routing protocol• Holds network information but doesn’t forward requests to new area• APN also holds routing info for the second area as well
Scalability
• Communication through the APN• Node first checks with APN if a node exists at/around desired location• Sends its message to the APN which forwards it through the other area of the
network
Gateway APN Pros/Cons
• Pro- • flooding no longer goes throughout entire network• Can be expanded further with more APN’s to further split up the network
• Con• Single point of failure, being able to compromise APN that forwards requests
could result in massive DoS• Implementation overhead(con basically wherever one is used)
Location Fraud
• Active attack via a compromised node• Because pseudonyms aren’t linkable, and appearance aren’t either
doesn’t actually get much out of having network graph• Assuming an arbitrary k out of n nodes are moving
• Compromised Node lies about its location information• Either appears closer to certain nodes, who then more then often attempt
route through it• Appears further away so nodes don’t try to route through it
Location Fraud
• Unless admins of the network can predict the appearance of a compromised node an APN can’t do much
• Even in the case where the appearance is predicted, the compromised node can either spoof a new location or physically move
• Either case the APN fails to thwart the attack for very long
Predictive mobility
• Appearances on graph aren’t linkable to other appearances• But if there are limited routes available to a node based on its
surrounding area can predict it’s movement and link appearances on the graph
• Can be movement can be obfuscated in a few ways
Obfuscating Movement-Method 1
• Standard alarm protocol assumes all nodes have the same broadcast range• Using an APN with an extended antenna can create one way communication
to completely hide a moving node• The APN functions as a proxy that forwards messages to a general area that
the hidden node will be in• Any one that wants to communicate with it sends message to proxy APN• Cons- specialized hardware, must know general area for hiding node/ hiding
node is limited to certain area, and communication only in one direction• Pro-node has complete location privacy
Obfuscating Movement-Method 2
• Use an APN that does location fraud coordinate its spoofed locations with the moving node that could be linked
• one of two results• Either meet the minimum k nodes for the n in area and appearances remain
unlinkable• Location linkability breaks down into an anonymity set based on nodes in area
• Similar idea is to have the APN dedicated to creating phantom nodes• Only good if area around moving node is essentially empty, phantom nodes
would create a DoS where real nodes would attempt and fail to route to them• Even in this case have to implement measure so that phantom nodes are far enough
from the moving node so that messages are forwarded correctly
Obfuscating Movement-Method 3
• Small network of APNs- two antennas• One standard for communication with the rest of network• One short range antenna for broadcasting within network of APNs to coordinate between
them
• The network of APNs would imitate movement by switching which ones have their location shared and all using the same pseudonym
• Worst case scenario reduces anonymity set to at least two• Best: location are unlinkable again
• Cons- adversary in close physical proximity would detect control messages between APNs and figure out that they are essentially dummies, have to implement network of APNs ahead of time anticipating movement in a low population area
• Can mix this with Method 2 to increase the range of areas that it can obfuscate movement in
AnoDR
• One of the first anonymous routing protocols• Often used as a comparative standard• Most texts designing new protocols will recommend making adjustments to
this instead• Reasons are it is hugely resilient, and designed in such a way that different aspects of the
algorithm aren’t tightly coupled
• Strengths• Location privacy• Dynamic pseudonyms
• Pseudonyms are created for each route the node participates in• Receiver anonymity is guaranteed in all but the most extreme cases
Anodr Basics- Weaknesses
• No anonymity weaknesses under normal circumstances• High computational overhead
• Each forwarding node(uses an routing similar to onion routing to discover routes) has to generate a new secret key pair for every RREQ(route request packet)
• Whenever a node decides to forward, has to decrypt (worst case) with every private key to determine where to forward to
Abnormal Circumstances
• Low Network Utilization and few nodes in network• Like onion routing it needs “many” participants
• Still fairly resilient due to TA and active attacks• Use APNs scattered through out network to artificially boost utilization
• Functioning only as dummy nodes here• Generation of dummy packets falls to APNs to avoid inducing more computation on actual users
• Prioritize sending to other APNs, reduce cost on non-dummy nodes• If it is known this network is set up with dummy nodes can slightly edit APN routing to include
detours, this has to be known info so senders can add extra padding• Traffic is further obfuscated
• For an external observer this doesn’t make much difference• For an internal observer, they will have to have corrupted more nodes to gain info
• Attackers don’t gain any more info from longer route- even with a compromised node, or several, senders and receivers don’t know all the routing info
Conclusions
• High cost can cover certain weaknesses• Depends on the routing protocol• “Fixing” ALARM scalability simple and fairly low cost• Mostly just awkward implementations, and need anticipation of own network
behavior
Future Research
• Actually simulating the APNs• “Solutions” I didn’t cover
• I didn’t cover fixes that had software implementation because I assumed they would be cheaper
• Actually comparing costs and effectiveness of APN vs updated protocol in simulation
• Effects of Adding them to a MANET without anonymous routing• TA resistance• Setting up some to act as mixes
• Many as many different mixes• A network of them covering entire geographic area to provide weak location privacy
Sources
Defrawy, K., & Tsudik, G. (2011). ALARM: Anonymous Location-Aided Routing in Suspicious MANETs. IEEE Transactions on Mobile Computing IEEE Trans. on Mobile Comput., 10(9), 1345-1358. Retrieved December 6, 2015.
Kong, J., & Hong, X. (n.d.). Anodr. Proceedings of the 4th ACM International Symposium on Mobile Ad Hoc Networking & Computing - MobiHoc '03.
Newman, R., Moskowitz, I., Syverson, P., & Serjantov, A. (n.d.). Metrics for Traffic Analysis Prevention. Privacy Enhancing Technologies.
Vargheses, S., & Raja, I. (n.d.). A Survey on Anonymous Routing Protocols in MANET. RECENT ADVANCES in NETWORKING, VLSI and SIGNAL PROCESSING. Vijayan, A., & Thomas, T. (2014). Anonymity, unlinkability and unobservability in mobile ad hoc networks.
2014 International Conference on Communication and Signal Processing.