Handling New Adversaries in Secure MANETs

Virgil D. Gligor
Electrical and Computer Engineering
University of Maryland
College Park, MD. 20742
gligor@umd.edu
ZISC Wireless Security Workshop
Zurich
September 27-28, 2007
* based on joint work with S. F. Bahari
VDG, Sept 27, 2007
Copyright © 2007
1
Overview
1. New Adversary: Different from DY and Byzantine Models
- capabilities: node capture, replication
2. An Approach for Handling Node Capture
- example of emergent property
3. Ongoing and Future Research
Approaches for Handling New Adversary
1. Detection and Recovery
   - Ex. detection of node-replica attacks [Parno et al 2005]
   - Cost? Traditional vs. emergent protocols
   - Advantage: always possible, good enough detection
   - Disadvantage: “when you’ve been had, you’ve been had by a professional” [S. Lipner, cca. 1985]
2. Avoidance: early detection of node capture
   - Ex. periodic monitoring (depending on node protection)
   - Cost vs. timely detection? False positives? Missed detection?
   - Advantage: avoids damage done by new adversary
   - Disadvantage: cannot always be used (e.g., disconnected nodes – are these really networked?)
3. Future: “prevent” attacks
   - questionable proposition
Avoidance: Periodic Monitoring of Target Nodes
Observation:
Access to Node State (e.g., keys, memory content) requires
the node to be taken “off-line” for time X
- X is a random variable depending on
- node security; e.g., quality of content obfuscation, physical protection
- node overload; e.g., on-line attempts to access Node State
- node failure; e.g., tampering with node while on-line leads to failure
Idea: Node Status (on-, off-line) Monitoring by Neighbors in time T
- T < X, capture (i.e., node offline) is always detected
- T >= X, capture is never detected
Key Design Parameters
- cost (i.e., no. and frequency of messages)
- false alarm rate
- missed detection rate
Approach: Periodic Monitoring of Target Nodes
[Figure: a monitored target node with its keying neighborhood (the neighbors that share pair-wise keys with it and do the monitoring) inside its larger communication neighborhood; the nodes in the diagram are numbered 1 to 14.]
Pair-wise Monitoring Scheme
• Continuous network self monitoring in each neighborhood
- really bad idea ?
• Ping message in $T_p$ time:
  $i \to j:\; \langle i,\, j,\, \mathit{nonce},\, H(k_{ij};\, \mathit{nonce}) \rangle$
• Response message in $T_p$ time:
  $j \to i:\; \langle j,\, i,\, \mathit{nonce}+1,\, H(k_{ij};\, \mathit{nonce}+1) \rangle$
[Figure: target node $j$ and its $d$ neighbors $1, 2, \ldots, d-1, d$; neighbor $i$ pings $j$ and $j$ responds.]
• Interval assignment for pinging based on node’s ID:
  $\mathit{Interval\_no}(i) = (i \bmod (K-1)) + 1$, so that $1 \le \mathit{Interval\_no}(i) \le K-1$
[Figure: time axis divided into epochs of length $T_e$ (the $n$-th epoch shown); each epoch is split into $K$ pinging intervals of length $T_p$, numbered $1, 2, \ldots, K$, with $K \gg$ node degree.]
Pair-wise Monitoring Scheme
• Failure to respond appropriately to a ping message in the next $T_p$ interval suggests node capture
• For example:
  – delayed response past the next $T_p$
  – inappropriate message content
  – packet loss, collision, or congestion
  – physical damage or battery depletion of the node
• Detection interval $T = M \times T_e$ helps distinguish node capture from response failures for other reasons
• Successful capture requires access to the node’s internal states within $T$
• No response within $T$ (i.e., after $M$ retries) => alarm
• Larger $T$ (or $M$) => increased vulnerability to capture
• Smaller $T$ (or $M$) => increased false-alarm rate
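The ping/response exchange and the per-neighbor detection state described on the last two slides, as an added Python example that is not part of the talk. Assumptions not on the slides: $H(k_{ij};\cdot)$ is instantiated as HMAC-SHA256 over the message fields, the key `KEY` and the node IDs are constructed sample values, and the caller drives each epoch (the slides’ pinging probability $p_r$ is left to the caller, so the test targets are deterministic).

```python
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple

Msg = Tuple[int, int, int, bytes]            # (src, dst, nonce, tag)

KEY = bytes(range(32))                       # constructed sample pair-wise key k_ij


def mac(key: bytes, *fields) -> bytes:
    """H(k_ij; ...) from the slides; HMAC-SHA256 over the fields is an assumption."""
    data = b"|".join(str(f).encode() for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


def interval_no(node_id: int, K: int) -> int:
    """Interval_no(i) = (i mod (K-1)) + 1, i.e. 1 <= Interval_no(i) <= K-1."""
    return node_id % (K - 1) + 1


def make_ping(i: int, j: int, k_ij: bytes, nonce: int) -> Msg:
    """i -> j: <i, j, nonce, H(k_ij; nonce)>"""
    return (i, j, nonce, mac(k_ij, i, j, nonce))


def make_response(ping: Msg, j: int, k_ij: bytes) -> Optional[Msg]:
    """j -> i: <j, i, nonce+1, H(k_ij; nonce+1)>; a malformed or forged ping is ignored."""
    i, dst, nonce, tag = ping
    if dst != j or not hmac.compare_digest(tag, mac(k_ij, i, j, nonce)):
        return None
    return (j, i, nonce + 1, mac(k_ij, j, i, nonce + 1))


class Monitor:
    """Witness i's detection state for neighbor j: M..0. A valid response resets the
    state to M (regenerative point); an epoch without one decrements it; reaching 0
    raises the alarm, after which the chain is reset to M as on the slides."""

    def __init__(self, i: int, j: int, k_ij: bytes, M: int) -> None:
        self.i, self.j, self.k_ij, self.M = i, j, k_ij, M
        self.state = M
        self.nonce: Optional[int] = None

    def epoch(self, target: Callable[[Msg], Optional[Msg]], ping: bool = True) -> bool:
        """One T_e epoch. `target` delivers the ping and returns the reply (or None).
        An epoch with no ping counts like an epoch with no answer. Returns True on alarm."""
        reply = None
        if ping:
            self.nonce = int.from_bytes(os.urandom(8), "big")
            reply = target(make_ping(self.i, self.j, self.k_ij, self.nonce))
        self.state = self.M if self._valid(reply) else self.state - 1
        if self.state == 0:
            self.state = self.M
            return True
        return False

    def _valid(self, reply: Optional[Msg]) -> bool:
        if reply is None or self.nonce is None:
            return False
        j, i, n, tag = reply
        # Reply must come from j, be addressed to i, carry nonce+1 and a tag under k_ij.
        return (j, i, n) == (self.j, self.i, self.nonce + 1) and \
            hmac.compare_digest(tag, mac(self.k_ij, j, i, n))


# Three kinds of target for the witness to talk to (constructed for this example).
def honest_target(k_ij: bytes = KEY, j: int = 2) -> Callable[[Msg], Optional[Msg]]:
    return lambda ping: make_response(ping, j, k_ij)


def captured_target(ping: Msg) -> Optional[Msg]:
    """Node taken off-line for capture: no response within T_p."""
    return None


def impostor_target(ping: Msg) -> Optional[Msg]:
    """Adversary answering for j without k_ij: correct nonce+1, wrong tag."""
    i, j, nonce, _ = ping
    return (j, i, nonce + 1, mac(b"\x00" * 32, j, i, nonce + 1))


def first_alarm(target, M: int, epochs: int, i: int = 1, j: int = 2,
                k_ij: bytes = KEY) -> Optional[int]:
    """Epoch index (1-based) at which witness i first alarms on j, or None."""
    mon = Monitor(i, j, k_ij, M)
    for n in range(1, epochs + 1):
        if mon.epoch(target):
            return n
    return None


if __name__ == "__main__":
    print("honest   :", first_alarm(honest_target(), M=10, epochs=50))   # None
    print("captured :", first_alarm(captured_target, M=10, epochs=50))   # 10
    print("impostor :", first_alarm(impostor_target, M=10, epochs=50))   # 10
```

The alarm fires exactly $M$ epochs after the last valid response, whether the target is silent or an impostor without $k_{ij}$ answers for it; the MAC over both IDs and the incremented nonce is what keeps a replayed or reflected ping from counting as a response.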
Design Objectives – normal mode
• Missed Detection
  • capture time $X$ (pdf $f_X(x)$) is smaller than the detection interval $T$
  • minimize the probability of a missed detection $P_m$
• False Alarms: device did not respond properly in interval $T$ but device is not captured
  • exchange messages are lost with probability $p_l$
  • reach end of a $T = M \times T_e$ interval without a monitoring message (“pinging”)
  • maximize expected residual time-to-false-alarm of nodes $L_f$
• Cost: neighbor “pinging” rate
  • $p_r$ = probability of sending a pinging message in $T_e$
  • minimize $p_r$
Markov Chain Model
• Detection (steady) state $S_n$ ($0 \le S_n \le M$) of neighbor $i$ w.r.t. neighbor node $j$ at epoch $n$:
  • no. of successive $T_e$ epochs $s$ ($1 \le s \le M$) in which node $i$ does not ping node $j$ (probability $1-p_r$)
  • no. of successive epochs $T_e$ in which node $i$ has not received any response
    » communication errors with probability $p_l$
    » node $j$ is captured and unable to respond
• probability of receiving a “ping” response $P_e = p_r(1-p_l)$
[Figure: Markov chain with states $M, M-1, M-2, \ldots, 2, 1, 0$. From every state $s \ge 1$ a received response (probability $P_e$) returns the chain to state $M$; no response (probability $1-P_e$) moves it from $s$ to $s-1$. State 0 is the alarm state.]
Steady State Analysis
[Figure: the same Markov chain, states $M, \ldots, 1, 0$, with transitions $P_e$ (back to $M$) and $1-P_e$ (to the next lower state).]
• Steady state probability of being at each state $s$ (no capture in progress):
  $$P_s = \frac{p_e\,(1-p_e)^{M-s}}{1-(1-p_e)^{M}}, \qquad 1 \le s \le M$$
Probability of being at each state
• Increasing pr (and pe) leads to longer time to false alarm
• more concentration of mass in higher states, i.e. around the
regenerative points
but incurs higher energy and communication costs
Note: $P_e = p_r(1-p_l)$, where $p_l$ is constant
Missed Detection
• Probability of missed detection
• Given that a witness node is in state $s$, the adversary has $s$ epochs left before the alarm, so the capture of the target node succeeds only if the capture time satisfies $X < T = sT_e$
• Therefore,
  $$P(\text{miss} \mid S_n = s) = P(X < sT_e) = F_X(sT_e)$$
  $$P_m = \sum_{s=1}^{M} P(\text{miss} \mid S_n = s)\, P_s = \sum_{s=1}^{M} \frac{p_e\,(1-p_e)^{M-s}}{1-(1-p_e)^{M}}\, F_X(sT_e)$$
Missed Detection
• Increasing detection interval T (or M) increases Pm
• longer detection interval => more time to complete node capture
• for a given detection interval T (or M), higher pr => higher Pm
- in the limit, the entire detection interval T is available to adversary
False Alarms
• Expected residual time-to-false-alarm, $L_f$
• $T_s$ = residual time-to-false-alarm at the current state; i.e., time for the transition to state 0, given in state $s$ and no capture in progress (with $T_0 = 0$):
  $$T_s = (T_e + T_{s-1})(1-p_e) + p_e\,(T_e + T_M) = T_e + (1-p_e)\,T_{s-1} + p_e\,T_M$$
  $$L_f = \sum_{s=1}^{M} T_s P_s = \sum_{s=1}^{M} \frac{p_e\,(1-p_e)^{M-s}}{1-(1-p_e)^{M}}\, T_s$$
• False alarm rate = inverse of the expected residual time-to-false-alarm
False Alarms
• Increasing $p_r$ increases $L_f$
  • higher $p_r$ maintains nodes in higher states (i.e., longer time for non-captured nodes to reach false-alarm state 0)
• Increasing $M$ increases $L_f$
  • higher $M$ (or $T$) => higher chance to go back to the regenerative state $M$
False Alarms
• Sensitivity of $L_f$ to $p_r$
  • higher $p_r$ leads to more concentration of states around higher values, with correspondingly larger $T_s$
Design Trade-offs
• Minimizing $P_m$ requires reducing $M$ and $p_r$
• Maximizing $L_f$ requires increasing $p_r$ and $M$
• Cost (e.g., energy) efficiency requires reducing $p_r$
• Application is more sensitive to $P_m$ than $L_f$
Tradeoffs for Determining $M$ and $p_r$
• Cost analysis
  • Communication: $p_r d$ message RX and TX per node per epoch
  • Computation: $p_r d$ MAC verifications and generations, and counter increments
  • Memory: $d$ registers per node (each associated with a neighbor)
• Probability of collision is upper-bounded by $p_r / K$
  • increase $K$ s.t. $K \gg d$
Two Simplistic Examples
• Case 1: Weak node protection (e.g., obfuscation and physical security)
  mean capture time $\bar{x} = 300$ sec, $p_l = 10^{-3}$, $T_e = 5$ sec, $M = 48$, $p_r = 0.23$, $P_m = 0.2$, $L_f = 10^{7}$ sec $\approx 116$ days
• Case 2: Strong node protection (e.g., obfuscation and physical security)
  mean capture time $\bar{x} = 18000$ sec $= 5$ hrs, $p_l = 10^{-3}$, $T_e = 5$ sec, $M = 80$, $p_r = 0.14$, $P_m = 0.2$, $L_f = 10^{7}$ sec $\approx 116$ days
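The steady-state, missed-detection and residual-time formulas from the Markov-chain slides, carried through numerically; this is an added Python example, not the talk’s own analysis code. The slides do not state the distribution of the capture time $X$, so the example assumes an exponential $X$ with the given mean (an assumption), which is why its numbers for Case 1 are not expected to match the slide’s $P_m$; the trends the slides state (larger $M$ or $p_r$ raises both $P_m$ and $L_f$) do hold under it.

```python
import math
from typing import Callable, Dict, List


def pe_from(pr: float, pl: float) -> float:
    """Probability of a successful ping/response exchange in one epoch: p_e = p_r (1 - p_l)."""
    return pr * (1.0 - pl)


def steady_state(pe: float, M: int) -> List[float]:
    """P_s = p_e (1-p_e)^(M-s) / (1 - (1-p_e)^M) for s = 1..M (index 0 unused)."""
    denom = 1.0 - (1.0 - pe) ** M
    return [0.0] + [pe * (1.0 - pe) ** (M - s) / denom for s in range(1, M + 1)]


def missed_detection(pe: float, M: int, Te: float, F_X: Callable[[float], float]) -> float:
    """P_m = sum_s P_s F_X(s T_e): in state s the adversary has s epochs before the alarm."""
    P = steady_state(pe, M)
    return sum(P[s] * F_X(s * Te) for s in range(1, M + 1))


def residual_times(pe: float, M: int, Te: float) -> List[float]:
    """T_s = T_e + (1-p_e) T_{s-1} + p_e T_M with T_0 = 0.  The recursion refers to
    T_M on its right-hand side, so write T_s = a_s + b_s T_M and close it at s = M."""
    a = [0.0] * (M + 1)
    b = [0.0] * (M + 1)
    for s in range(1, M + 1):
        a[s] = Te + (1.0 - pe) * a[s - 1]
        b[s] = pe + (1.0 - pe) * b[s - 1]
    TM = a[M] / (1.0 - b[M])                 # b_M = 1 - (1-p_e)^M < 1
    return [a[s] + b[s] * TM for s in range(M + 1)]


def time_to_false_alarm(pe: float, M: int, Te: float) -> float:
    """L_f = sum_s T_s P_s: expected residual time to a false alarm, no capture in progress."""
    P, T = steady_state(pe, M), residual_times(pe, M, Te)
    return sum(P[s] * T[s] for s in range(1, M + 1))


def exponential_cdf(mean: float) -> Callable[[float], float]:
    """F_X for an exponentially distributed capture time (assumed; not fixed by the slides)."""
    return lambda t: 1.0 - math.exp(-t / mean)


def design_point(pr: float, pl: float, Te: float, M: int, x_mean: float) -> Dict[str, float]:
    """Evaluate one (p_r, M) design: P_m, L_f and the average message load per neighbor."""
    pe = pe_from(pr, pl)
    return {
        "pe": pe,
        "T": M * Te,
        "Pm": missed_detection(pe, M, Te, exponential_cdf(x_mean)),
        "Lf_sec": time_to_false_alarm(pe, M, Te),
        "msgs_per_epoch_per_neighbor": 2 * pr,   # one ping + one response, on average
    }


if __name__ == "__main__":
    # Case 1 of the slides (weak protection): mean capture time 300 s, p_l = 1e-3,
    # T_e = 5 s, M = 48, p_r = 0.23.  The exponential shape of X is our assumption.
    print("Case 1 :", design_point(pr=0.23, pl=1e-3, Te=5.0, M=48, x_mean=300.0))
    # The two knobs from the trade-off slide: a longer window (M) and a higher
    # pinging rate (p_r) both raise L_f, but both also raise P_m.
    print("M=96   :", design_point(0.23, 1e-3, 5.0, 96, 300.0))
    print("pr=0.5 :", design_point(0.50, 1e-3, 5.0, 48, 300.0))
```

For small $M$ the recursion collapses to closed forms that are handy as a check: $T_1 = T_e/(1-p_e)$ and, for $M=2$, $T_2 = T_e(2-p_e)/(1-p_e)^2$; in general $T_M$ is the expected time until $M$ consecutive epochs without a valid response, which grows roughly like $1/(p_e(1-p_e)^M)$ epochs, so $L_f$ is extremely sensitive to $M$ and $p_r$.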
q-node Probabilistic Pinging Scheme
• An Emergent Protocol
• Goals
• Robustness of capture-detection scheme against
faulty/malicious neighbors judgments about a common node
• Reducing the required energy (e.g., communication) costs for
given node security
• Optimal parameters for given node security measures; e.g., $p_r$, $M$, $q$
q-node Probabilistic Pinging Scheme
[Figure: target node $j$ with its $d$ neighbors $1, 2, \ldots, d-1, d$; each neighbor $i$ runs the pair-wise pinging protocol with $j$ independently.]
q-node Probabilistic Pinging Scheme
• each neighbor runs pair-wise probabilistic pinging protocol
with a (target) node independently
• each received alert flag increments the counter
corresponding to the target node kept in all its neighbors
• counter= q => set revocation flag by q parties
(consensus among q neighbors about the target node)
• commit revocation flag and broadcast it by all q parties to the
entire network
• each revocation flag expires after time T
and corresponding Markov chain is reset back to its initial
state M
q-node Missed Detection
• missed detection:
  - at least $d-q+1$ witness neighbors do not flag “node capture”,
    or equivalently, at most $q-1$ neighbors flag “node capture”
  $$P_m^{(q)} = \binom{d}{d-q+1} P_m^{\,d-q+1}(1-P_m)^{q-1} + \binom{d}{d-q+2} P_m^{\,d-q+2}(1-P_m)^{q-2} + \cdots + \binom{d}{d} P_m^{\,d} = \sum_{j=d-q+1}^{d} \binom{d}{j} P_m^{\,j}\,(1-P_m)^{d-j}$$
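The $q$-node missed-detection formula above, together with the alert-counting and flag-expiry steps of the $q$-node scheme from the previous slide, as an added Python example (not code from the talk). The pair-wise $P_m = 0.2$, the degree $d = 20$ and the window $T$ are sample values; treating each witness’s alert as expiring $T$ after it was raised, so that only $q$ alerts raised within a window of length $T$ reach consensus, is this example’s reading of “each revocation flag expires after time $T$”.

```python
from math import comb
from typing import Dict, Optional


def q_node_missed_detection(d: int, q: int, pm: float) -> float:
    """P_m^(q) = sum_{j=d-q+1}^{d} C(d,j) pm^j (1-pm)^(d-j): at least d-q+1 of the d
    witnesses miss the capture, i.e. at most q-1 flag it (witnesses assumed independent)."""
    if not 1 <= q <= d:
        raise ValueError("need 1 <= q <= d")
    return sum(comb(d, j) * pm ** j * (1.0 - pm) ** (d - j) for j in range(d - q + 1, d + 1))


def consensus_threshold(d: int, pm: float) -> int:
    """Largest q whose P_m^(q) is still below the pair-wise P_m (P_m^(q) grows with q)."""
    best = 0
    for q in range(1, d + 1):
        if q_node_missed_detection(d, q, pm) < pm:
            best = q
    return best


def rule_of_thumb_q(d: int, fraction: float = 0.25) -> int:
    """The slides' rule of thumb: q at about 25-30% of the node degree d."""
    return max(1, round(fraction * d))


class RevocationCounter:
    """Counter for one target node, kept by each of its neighbors: alert flags from
    distinct witnesses are counted; when q of them are live at once, the revocation
    flag is set (and would then be committed and broadcast by the q parties)."""

    def __init__(self, q: int, T: float) -> None:
        self.q, self.T = q, T
        self.alerts: Dict[int, float] = {}   # witness id -> time its latest alert was raised
        self.revoked_at: Optional[float] = None

    def live_alerts(self, now: float) -> int:
        # An alert flag expires T after it was raised (this example's reading of the slide).
        self.alerts = {w: t for w, t in self.alerts.items() if now - t < self.T}
        return len(self.alerts)

    def alert(self, witness: int, now: float) -> bool:
        """Record an alert from `witness` at time `now`; return True once revoked."""
        self.alerts[witness] = now           # a repeat alert by the same witness is not a second vote
        if self.revoked_at is None and self.live_alerts(now) >= self.q:
            self.revoked_at = now
        return self.revoked_at is not None


if __name__ == "__main__":
    d, pm = 20, 0.2                          # sample: 20 witnesses, pair-wise P_m = 0.2
    for q in (1, rule_of_thumb_q(d), 14, 15, 16, d):
        print(f"q={q:2d}  P_m^(q)={q_node_missed_detection(d, q, pm):.3g}")
    print("q-node beats pair-wise up to q =", consensus_threshold(d, pm))
    c = RevocationCounter(q=3, T=10.0)
    # witness 1's alert has expired by t=12, so consensus needs witness 4 at t=13
    print([c.alert(w, t) for w, t in [(1, 0.0), (2, 4.0), (3, 12.0), (4, 13.0)]])  # [False, False, False, True]
```

With $d = 20$ and pair-wise $P_m = 0.2$ the $q$-node scheme stays below the pair-wise miss probability up to $q = 15$ and is worse above it, which is the shape of the curve on the next slide (its exact crossover depends on the pair-wise $P_m$ used); at the rule-of-thumb $q = 5$ the miss probability is below $10^{-6}$, and the expiry window is what keeps stale alerts from slowly accumulating into a false revocation.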
q-node Missed Detection
[Figure: $P_m^{(q)}$ vs. the consensus level $q$ for $d = 20$ witnesses, with the pair-wise $P_m$ drawn as a reference line.]
- no. of parties $q < d$ ($= 20$)
- lower $P_m$ than in the pair-wise case below a threshold $q$ (e.g., $q \le 14$); higher above
Expected Residual Time to False Alarm
• False alarm:
  - at least $q$ neighbors inaccurately flag a target node as “captured”
• Residual time-to-false-alarm
  - the average time it takes for at least $q$ neighbors to reach false alarm
• Lower bound on the expected residual time-to-false-alarm
  - first $q$ alarm flags arrive within time interval $T$
  $$\min L_f^{(q)} \approx E\big[T^{(q)*}\big] \quad \text{given } T^{(q)} - T^{(1)} \le T$$
  where $T^{(k)}$ is the time at which the $k$-th neighbor raises its (false) alarm
Residual time-to-false-alarm
[Figure: $T_s$ vs. $s$ under $q$-level consensus.]
• note the limited number of possibilities for having $q$-level consensus within time interval $T$
Probability of False Alarm
• Probability of false alarm = $\Pr(q \text{ alerts come within } T)$
  - depends on $q$ almost exponentially; i.e., $\exp(-q)$
  - threshold values above which the probability of false alarms is minimal, e.g., $q \ge 4$
Rule of Thumb for Setting q
• Set the consensus level $q$ at about 25% to 30% of the node degree in order to minimize
  - the probability of a missed detection
  - the probability of a false alarm
• How robust is this “design rule”?
• Overall cost?
Ongoing and Future Research
1. Explore the design space for “pinging” protocol
- vary model parameters within all practical values
- derive design rules
2. Find semi-synchronous protocols
- viz., revocation approach of H. Chan et al IEEE-TDSC 2005
3. Find other tell-tale signs of node capture and
compose them with current approach.
- other emergent properties
4. Extend approach to other networks; e.g., mesh nets