In today’s presentation, I am going to show you the chemistry between watchdog and coding when they meet each other.
Being the last presentation in this session, I think there is not need for me to stress more on the importance of security in communication networks. When we talk about security, there are usually three aspects of requirements.The first one is confidentiality. We want confidential information be only revealed to the designated receiver.The second requirement is authentication. Which mean we should be able to verify the identity of the other end of communication.The last one is integrity. Integrity means that data cannot be modified without authorization. In other words, any un-authorized modification on the data must be detected or corrected.
In the kingdom of error detection in communication networks, there are two big families.The first family is coding, which mainly handles detection at the destination.In coding theory, we have this singleton bound for block codes. The singleton bound says that with a block length of C bits, in order to detect any error of no more than t bits, we can’t encode more than c-t bits of information in this code.The singleton bound is generalized to network coding by Yeung and Cai. They show the capacity for detection in a network is also C-t, while C being the mincut between source and destination, and t being the maximum number of unit capacity links that the adversary can attack. And the capacity can be achieved with linear network codes. It is proven later, that this secure capacity can be achieved with high probability with the well known random linear network code.I have to point out that in both works, it is assumed that the adversary attacks on t unit capacity links. As we will see later, the capacity is dramatically changed when the adversary attacks nodes in the network instead of links.
The second large family in the kingdom of error detection is the watchdog family, which focus on detection inside the network. Wachdog mechanisms take advantage of the broadcast nature of the wireless medium.Since data are being broadcasted, it is not only received by the designated relay, but also by some neighbors of the transmitter. So the misbehaving nodes can be monitored by its neighbors.
Let’s first look at the theoretical aspect of the watchdog problem, which is usually the focus of the coding family.Here we show the smallest example of a watchdog problem. Both S and A has a broadcast link with capacity R. And W has a unicast capacity to D of KLet me ask a question: what is the capacity for detection in this example when the adversary can attack either A or W?If we just apply the singleton bound, with mincut C=R, and since the adversary can attack A and inject R errors, t=R. Then the singleton bound tells us the capacity for detection is R. Is this true? The answer is NO. The capacity is actually R. It can be achieved by ………It is easy to show that if only linear operations are allowed at both A and W, we can only achieve rate of K in order to detect. This implies that, when nodes in the network, instead of links, are under attacked, non-linear network coding is necessary. In this example, the comparison at the W can be considered as a non-linear operation.
On the other hand, in practice, the watchdog can’t compare the packets from source and relay all the time. Due to reasons such as fading, collision, interference, etc. only a fraction of transmissions are overheard.This leads to the problem that the probability of detection can be very low if the adversary injects error in frequently.
In this talk, we will focus on the practical aspect of the problem.
Our idea is very simple. Intuitively, watchdogs can’t detect effectively if the number of bad packets injected is less than some threshold_w. So in order to improve the performance of the watchdog, we have to force the attacker to produce more bad packets.This is actually not hard to achieve. We just use source coding. With error detecting code across packets, the attackers must tamper at least a certain number of packets, otherwise it will be detected by the decoder.So to avoid being detected,
Sam is from the coding family, and his girl-friend Wendy is from the watchdog family.Sam wants to send some data to duck with the help of relay R. R is not so reliable as it may change the data it forwards. So Sam turns to his girlfriend-Wendy for help to monitor R’s behavior.Here we assume that time is slotted, link SR and RD are reliable, using channel coding or retransmissions. Transmission rate is 1 packets per slot. And with probability q, Wendy receives both transmissions of a packet.
To help Wendy with the monitoring, Sam encodes k data packets in to n coded packets,with a (n,k) MDS code.Then the probability of not being detected is just the probability that Wendy doesn’t overhear both transmissions of each of the n-k+1 tampered packets
Ok, now it sounds very good. The detection probability goes to 1 and coding rate goes to 1. It seems that Sam and Wendy can live together happily ever after.
However, things become a little more complicated when more than two person are involved in a romance relationship. And here comes Simon CowellIn this example, with two flows. If there is no requirement of security, the two flows from Sam and Simon are independent, and don’t interfere with each other. However, everybody who watches American idol would agree with me that Simon Cowell is mean. He doesn’t care about Sam’s communication with duck1. And transmits whenever he wants. Now there is an artificial contention between Sam and Simon, since the transmissions of their data flows will collide at Wendy, and reduce Wendy’s ability of monitoring R1.
Here we study the tradeoff of throughput and security under the assumption of slotted aloha.
Now Sam is cheating, he’s dating both Wendy and Winnie at the same time. And he is shameless enough to ask both girls to help him with the communication with Duck. Since Sam is cheating, the girls may take revenge on Sam by sending wrong notifications. But lets assume at most one of Wendy, Winnie and R can be malicious.
Backgrounds<br />Security requirements<br />Confidentiality<br />Authenticity<br />Integrity<br />Why integrity? Why detection?<br />Least requirement for communication to make sense.<br />: detection<br />
Coding: the Theorists(detection at destination)<br />Coding theory: C-t (Singleton bound)<br />Network coding:<br />Capacity=C-t, achieved with linear network codes [Yeung&Cai’06]<br />Achieved with random linear network coding, w.h.p. [Jaggi et al.’07]<br />Assumption: the adversary can attack any t unit capacity links<br />
Watchdogs: the Practitioners(detection in the network)<br />Wireless multihop networks [Marti et al.’00]<br />Broadcast nature of wireless medium<br />Misbehaving nodes are monitored by neighboring nodes<br />
Coding: Theoretical Aspect<br />A<br />S<br />D<br />xyz<br />R<br />abc<br />R<br />K<R<br />Attack!<br />W<br />≠<br />abc<br />xyz<br />What is the capacity for detection?<br />C=R, t=R, so C-t=0?<br />Linear codes can only achieve K <br />Non-linear network coding is necessary<br />No! Capacity is R!<br />
Watchdog: Practical Aspect<br />Only a fraction of transmissions are overheard by the watchdog<br />fading, collision, interference, etc.<br />Problem: probability of detection can be very low if attacks infrequently<br />
Our Idea: Coding + Watchdog<br />Observation: watchdogs can’t detect if #bad pkts < threshold_w<br />Error detecting code to force the attacker to tamper more pkts<br />#bad pkts must > threshold_c to avoid detected by the decoder<br />To avoid being detected<br />threshold_c <#bad pkts < threshold_w<br />If threshold_c < threshold_w, detected w.h.p.<br />
Base Case<br />Duck<br />Sam<br />Assumptions:<br />Time slotted<br />Link SR, RD reliable<br />1 pkt per slot<br />With probability q, W overhears both transmissions of a packet<br />Wendy<br />
(n,k) MDS (Maximum Distance Separable) code at source<br />Attack is detected if no more than n-k pkts altered<br />“Smart” attacker: tamper at least n-k+1 pkts<br />Probability of not being detected<br />
Construct a (n,k) MDS code such that<br />Then<br />Example: <br />
Tradeoff: Throughput and Security<br />If a watchdog monitors more than one flow, contention at the watchdog.<br />Duck1<br />Duck2<br />Sam<br />Wendy<br />Simon<br />
Tradeoff under Slotted ALOHA<br />Slotted ALOHA: access probability<br />Throughput<br />Probability of overhearing both transmissions<br />
Construct a (n,k) MDS code such that<br />Effective throughput<br />
Not detecting the attack<br />Effective throughput<br />
Locating Misbehaving Node<br />The watchdog may be the one that misbehaves in reality<br />A misbehaving watchdog may raise false alarms any time<br />Need at lease 3 nodes to identify 1 bad node<br />
W1/W2 send 1 if attack detected, 0 otherwise<br />ML decision rule:<br />00: no bad node<br />11: R is bad<br />10: W1 is bad<br />01: W2 is bad<br />Winnie<br />Duck<br />Sam<br />Wendy<br />
Note: a misbehaving watchdog will always be correctly located. The attacker has no incentive to attack watchdogs.<br />If relay is under attack<br />
Accusing a good watchdog<br />Not detecting the attack<br />
Conclusion<br />Misbehavior (tampering attack) detection<br />Source coding + watchdog<br />Error detection codes prevents attackers from evading watchdogs<br />Watchdogs prevent attacker from evading of error detection codes<br />Simple and easy to implement<br />can be added to any existing watchdog mechanisms<br />
Watchdog and coding live together happily ever after…<br />