On the use of radio resource tests in wireless ad hoc networks
1. 1 28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
Distributed Systems Group - INESC-ID
technology
from seed
On the Use of Radio Resource Tests in Wireless ad hoc
Networks
Diogo Mónica, João Leitão, Luís Rodrigues, Carlos Ribeiro
INESC-ID/IST
{diogo.monica, joao.c.leitao, ler, carlos.ribeiro} @ist.utl.pt
2. Introduction
Radio Resource Tests
Analysis
Summary
2
Distributed Systems Group - INESC-ID
technology
from seed
Road Map
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
3. 3
Distributed Systems Group - INESC-ID
technology
from seed
Introduction – Wireless ad hoc
Networks
Securing Wireless ad hoc Networks is
particularly difficult
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
• Denial-of-service
• Eavesdropping
• Node hijacking
• Impersonation
- Sybil
Attack
4. 4
Distributed Systems Group - INESC-ID
technology
from seed
Introduction – The Sybil Attack
The sybil identity can be generated by the malicious node, or
stolen from an existing correct node
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
A Sybil attack happens when a malicious node
participates with multiple identities in a system
5. 5
Distributed Systems Group - INESC-ID
technology
from seed
Introduction – The Sybil Attack
The sybil identity can be generated by the malicious node, or
stolen from an existing correct node
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
A Sybil attack happens when a malicious node
participates with multiple identities in a system
6. 6
Distributed Systems Group - INESC-ID
technology
from seed
Introduction – The Sybil Attack
The sybil identity can be generated by the malicious node, or
stolen from an existing correct node
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
A Sybil attack happens when a malicious node
participates with multiple identities in a system
7. 7
Distributed Systems Group - INESC-ID
technology
from seed
Introduction – The Sybil Attack
Easily defeats quorum systems, or other voting
schemes
In order to obtain a majority in a network with 5 correct nodes,
a malicious node has to create 5 sybil identities
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
8. 8
Distributed Systems Group - INESC-ID
technology
from seed
Introduction – Resource Tests
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
In resource testing we determine if a set of
identities possess fewer aggregated
resources than would be expected
• Computational Power
• Storage
• Network Bandwidth
• …
• Radio Resource
9. Introduction
Radio Resource Tests
Analysis
Summary
9
Distributed Systems Group - INESC-ID
technology
from seed
Road Map
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
10. 10
Distributed Systems Group - INESC-ID
technology
from seed
Radio Resource Tests
Radio Resource Tests (RRTs) assume that each
node has access to a single radio device, and
builds upon the limitations of these devices
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
The first RRT was introduced by Newsome et. al
2004
We will call it Sender Test
11. 11
Distributed Systems Group - INESC-ID
technology
from seed
Radio Resource Tests – Sender Test
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
• The Sender Test is based on the assumption that nodes
cannot simultaneously transmit in more than one channel
Sender Test (SST)
12. 12
Distributed Systems Group - INESC-ID
technology
from seed
Radio Resource Tests – Sender Test
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
Sender Test (SST)
• The Sender Test is based on the assumption that nodes
cannot simultaneously transmit in more than one channel
13. 13
Distributed Systems Group - INESC-ID
technology
from seed
Radio Resource Tests – Detection
Probability
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
• Denoting by h the number of simultaneously tested
identities, and by pd the probability of detection of a Sybil
Identity in a test, we have
The challenger is unable listen in more than
one channel at the same time, so we repeat
the test r times
14. 14
Distributed Systems Group - INESC-ID
technology
from seed
Radio Resource Tests – Contribution
We introduce two new tests and an
optimization for the Sender Test
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
• Optimized Sender Test (oSST)
• Receiver Test (SRT)
• Collision Test (FCT)
15. 15
Distributed Systems Group - INESC-ID
technology
from seed
Radio Resource Tests - Framework
Each RRT is characterized by a set of
parameters, RRT(h, c, w)
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
• h – Size of the set of simultaneously tested identities
• c – Number of challenger identities actively participating in
the test
• w – Number of tester nodes that extract information from
the test
16. 16
Distributed Systems Group - INESC-ID
technology
from seed
Radio Resource Tests – Sender Test
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
• h is limited by the number of available channels (K)
• c is one, since the challenger needs to assign in which
channel identities transmit in
• w is one since only the challenger extracts information
from the test
The Sender Test is a RRT(K,1,1)
17. 17
Distributed Systems Group - INESC-ID
technology
from seed
Radio Resource Tests – Optimized
Receiver Test
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
• h is limited by the number of available channels (K)
• c is zero, since the channels can be chosen
deterministically
• w is N – K, since every node not participating in the test
can extract information from it
The Optimized Sender Test is a RRT(K,0,N-K)
18. 18
Distributed Systems Group - INESC-ID
technology
from seed
Radio Resource Tests – Receiver Test
Receiver Test
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
• The Simultaneous Receiver Test is based on the assumption that
nodes cannot simultaneously listen in more than one channel
19. 19
Distributed Systems Group - INESC-ID
technology
from seed
Radio Resource Tests – Receiver Test
Receiver Test
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
• The Simultaneous Receiver Test is based on the assumption that
nodes cannot simultaneously listen in more than one channel
20. 20
Distributed Systems Group - INESC-ID
technology
from seed
Radio Resource Tests – Receiver Test
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
• h is limited by the number of available channels K
• c is one, since the challenger needs to send a challenge
on one of the channels
• w is one since only the challenger can extract information
from the test (no other node knows the chosen channel)
The Receiver Test is a RRT(K,1,1)
21. Introduction
Radio Resource Tests
Analysis
Summary
21
Distributed Systems Group - INESC-ID
technology
from seed
Road Map
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
22. 22
Distributed Systems Group - INESC-ID
technology
from seed
Radio Resource Tests - Analysis
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
• Vulnerability to collusion
• Message cost
• Resource consumption
• Synchronization requirements
• Number of messages needed to achieve
a desired probability of detection
We compared the tests using the following
metrics
23. 23
Distributed Systems Group - INESC-ID
technology
from seed
Analysis – Optimized Sender Test –
Vulnerability to collusion
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
Vulnerability to collusion
24. 24
Distributed Systems Group - INESC-ID
technology
from seed
Analysis – Optimized Sender Test –
Vulnerability to collusion
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
The Optimized Sender Test Handles at most h – 1 colluding
malicious nodes (m)
Vulnerability to collusion
25. 25
Distributed Systems Group - INESC-ID
technology
from seed
Analysis – Optimized Sender Test –
Message Cost
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
Message Cost
26. 26
Distributed Systems Group - INESC-ID
technology
from seed
Analysis – Optimized Sender Test –
Message Cost
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
In the Optimized Sender Test, tested nodes send a total
of h messages per round
Message Cost
27. 27
Distributed Systems Group - INESC-ID
technology
from seed
Analysis – Optimized Sender Test –
Resource Consumption
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
Resource Consumption (DoS Opportunity)
28. 28
Distributed Systems Group - INESC-ID
technology
from seed
Analysis – Optimized Sender Test –
Resource Consumption
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
In the Optimized Sender Test, when there is a malicious
tester, Δ = rh – 1.
Resource Consumption (DoS Opportunity)
29. 29
Distributed Systems Group - INESC-ID
technology
from seed
Analysis – Optimized Sender Test –
Synchronization Requirements
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
Synchronization Requirements
30. 30
Distributed Systems Group - INESC-ID
technology
from seed
Analysis – Optimized Sender Test –
Synchronization Requirements
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
In the Optimized Sender Test, tested nodes are required
to transmit simultaneously
Synchronization Requirements
31. 31
Distributed Systems Group - INESC-ID
technology
from seed
Analysis – Comparison Table
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
Metric Tests
Optimized
Sender Test
Receiver Test Collision Test
Collusion h - 1 h - 1 1
Message Cost h 2 2
Resource
Consumption
(malicious tester)
Synchronization Strong Strong Weak
32. Metric Tests
Optimized
Sender Test
Receiver Test Collision Test
Collusion h - 1 h - 1 1
Message Cost h 2 2
Resource
Consumption
(malicious tester)
Synchronization Strong Strong Weak
32
Distributed Systems Group - INESC-ID
technology
from seed
Analysis – Comparison Table
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
33. 33
Distributed Systems Group - INESC-ID
technology
from seed
Analysis – Testing a Population of
Nodes
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
Every node in the one-hop neighborhood has to test every
other node
Testing a group of nodes
34. 34
Distributed Systems Group - INESC-ID
technology
from seed
Analysis – Testing a Population of
Nodes
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
Every node in the one-hop neighborhood has to test every
other node
Testing a group of nodes
35. 35
Distributed Systems Group - INESC-ID
technology
from seed
Analysis – Testing a Population of
Nodes
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
Every node in the one-hop neighborhood has to test every
other node
Testing a group of nodes
36. 36
Distributed Systems Group - INESC-ID
technology
from seed
Analysis – Testing a Population of
Nodes
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
Every node in the one-hop neighborhood has to test every
other node
Testing a group of nodes
37. 37
Distributed Systems Group - INESC-ID
technology
from seed
Analysis – Testing a Population of
Nodes
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
Every node in the one-hop neighborhood has to test every
other node
Testing a group of nodes
38. 38
Distributed Systems Group - INESC-ID
technology
from seed
Radio Resource Tests - Performance
Performance in number of messages
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
For a probability of sybil detection of 0.95.
39. 39
Distributed Systems Group - INESC-ID
technology
from seed
Radio Resource Tests - Performance
Performance with collusion tolerance
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
For a network with 20 nodes and a probability of sybil
detection of 0.95.
Higher collusion
40. 40
Distributed Systems Group - INESC-ID
technology
from seed
Radio Resource Tests – Application
Scenarios
Application Scenarios
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
Test Best Performance Context
Optimized
Sender Test
No DoS threat
Receiver Test High collusion and/or DoS threat
Collision Test One Channel
41. Introduction
Radio Resource Tests
Analysis
Summary
41
Distributed Systems Group - INESC-ID
technology
from seed
Road Map
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
42. 42
Distributed Systems Group - INESC-ID
technology
from seed
Summary
28/06/09On the Use of Radio Resource Tests in Wireless ad hoc Networks
• Radio Resource Tests are a viable mechanism for
detecting sybil identities in Wireless ad hoc Networks
• We presented two new RRTs and an optimization to an
existing RRT
• We presented a framework to compare the RRTs
• We analyzed all the tests both in isolation, and when used
to test a one-hop neighborhood.
• We have shown that each test is best adapted to a specific
scenario, which we described.
43. 43 10/08/2008Thwarting the Sybil Attack in Wireless Ad Hoc Networks
Distributed Systems Group - INESC-ID
technology
from seed
technology
from seed
Editor's Notes
Overview of the road map.
TEMPO: 10s
We will start to talk about the environment (Wireless ad hoc networks)
We will then talk about the problem we wish to address
And then we will briefly introduce the generic class of solutions
Then we will talk about our specific solution – radio resource tests
About the framework we created to be able to compare them
And the analysis of all the tests according to a set of relevant metrics
Finally we will conclude our presentation
This work is focused on the development of security mechanisms for wireless ad hoc networks. These networks are particularly difficult to protect due to a series of characteristics
First of all we have the communication medium, in this case the air, which is more vulnerable than the cable communications
The nodes are also vulnerable since they are normally more exposed than in conventional networks
The absence of infrastructure makes the usage of centralized security mechanism much more difficult, since there is no centralized resource in ad hoc networks
The Sybil attack is in its essence a impersonation attack, and happens when a malicious user is able to participate with multiple identities in a system
This way, we assume that a correct entity is always associated with one identity, in contrary to malicious entities that can present multiple identities simultaneously, whether it is by stealing other nodes identities, or simply generating new ones
For example, in this figure, the malicious entity represented in red can present a series of distinct identities. It presents identity a, but it can also present
Tempo:30s
Identity b
Tempo:30s
Or even identity C
If a malicious entity is able to present multiple valid identities to a system, its said that it successfully did a sybil attack
What are the disadvantages of a sybil attack, what does the attacker gain in doing one.
Tempo:30s
One attack to which this attack is effective is against quorum systems (or other systems based on voting)
As shown in this figure, a malicious entity can vote multiple times, with different identities, being able to deterministically alter the final outcome
TEMPO:30s
In resource tests…
Tempo:45s
The way in which this assumption is explored is by requesting identities to transmit some message on distinct channels
If these identities belong in fact to distinct nodes, they will be able to do so
While working in these radio resource tests, we realized there were some distinguishing parameters in all the tests, that allowed us to caracterize them, and compare them with each other. So, we devised a framework with these parameters.
Tempo:30s
We are now going to apply this framework to the previously described sender test.
Tempo:30s
The sender test is a RRT with h equal to K, c equal to one, and w equal to 1.
The number of identities that are tested simultaneously in the test h, is limited by the number of available channels. If we only have two channels, we can only have two identities communicating simultaneously.
Regarding the number of active challengers, we have that the challenger node assigns the frequencies to every tested identity, so, there is only one active challenger.
Finally, regarding the parameter w, since only the challenger node knows in which frequencies each identity is transmiting, there is only one node that can extract information from the test.
Repetir: As said before, we devised an optimization for this test, that is based on the exact same assumptions: no node possesses more than one radio device, and no radio device is able to transmit simultaneously on two distinct frequencies.
Tempo:30s
There are essentially two main differences:
First, we realized that channel assignment can be done deterministically. This removes the need for an explicit channel assignment from a challenger node.
Also, this also increases the number of witnesses w, since now, and due to the deterministic channel assignment, every non-participating node is able to extract information from the test.
One other test that we devised was the Receiver Test.
Tempo:30s
This test is based on a different assumption than the previous two. Instead of assuming nodes cannot simultaneously transmit in two distinct channels, we assume that they cannot listen simultaneously, on more than one channel.
Tempo:30s
As before, we also have to repeat the test for a certain number of Rounds, to be able to increase the probability of detection.
Now applying our framework for the Receiver Test
Tempo:30s
With all these tests, we analyzed and compared them for a series of metrics
With these metrics, lets go back to our first example, the osst.
Tempo:30s
The first metric analyzed is the vulnerability to collusion.
The problem with colluding nodes is the following, imagine if we have a malicious node in the network. If this node presents two identities to the network and is tested, at least one of the identities will be excluded as a sybil identity. However, if there is another malicious node, and both of them are colluding, the node not being tested could defend the sybil identity by simply transmitting in the corresponding channel.
The first metric analyzed is the vulnerability to collusion.
The problem with colluding nodes is the following, imagine if we have a malicious node in the network. If this node presents two identities to the network and is tested, at least one of the identities will be excluded as a sybil identity. However, if there is another malicious node, and both of them are colluding, the node not being tested could defend the sybil identity by simply transmitting in the corresponding channel.
The different tests have a different assymetry in the resource spent by the nodes beeing tested, and the tester,. For example, If a malicious node is able to ask for several tests, it could make an effective denial-of-service, requiring the nodes to do unecessary tests
So, we use resource consumption essentially as a metric of the denial of service threat of the tests.
The different tests have a different assymetry in the resource spent by the nodes beeing tested, and the tester,. For example, If a malicious node is able to ask for several tests, it could make an effective denial-of-service, requiring the nodes to do unecessary tests
So, we use resource consumption essentially as a metric of the denial of service threat of the tests.
In practice, nodes are not required to have a perfect synchronization; it is enough to ensure that the time to transmit a message is orders of magnitude larger than the allowed amount of desynchronization among nodes (such that a node cannot leverage on the desynchronization to send a message on both channels)
In practice, nodes are not required to have a perfect synchronization; it is enough to ensure that the time to transmit a message is orders of magnitude larger than the allowed amount of desynchronization among nodes (such that a node cannot leverage on the desynchronization to send a message on both channels)
Until now we analyzed each test individually. However, one has to consider the application of this test to a group of nodes.
From this we can conclude the following application scenarios for our test examples
Tempo:30s
We can also analyse the number of messages in relation to the number of nodes in the network
Tempo:30s
Meter FCT
Tempo:30s
With all these tests, we analyzed and compared them for a series of metrics
Tempo:30s
Chegamos assim, ao fim da nossa apresentação, muito obrigado pela atenção.
Se tiverem alguma questão…