
VDG, Sept 27, 2007 1 Copyright © 2007

Handling New Adversaries in Secure MANETs

Virgil D. Gligor

Electrical and Computer Engineering University of Maryland

College Park, MD. [email protected]

ZISC Wireless Security Workshop, Zurich

September 27-28, 2007

* based on joint work with S. F. Bahari

Overview

1. New Adversary: Different from DY and Byzantine Models
   - capabilities: node capture, replication

2. An Approach for Handling Node Capture
   - example of emergent property

3. Ongoing and Future Research

Approaches for Handling New Adversary

1. Detection and Recovery
   - Ex. Detection of node-replica attacks [Parno et al 2005]
   - Cost? Traditional vs. Emergent Protocols
   - Advantage: always possible, good enough detection
   - Disadvantage: “when you’ve been had, you’ve been had by a professional” [S. Lipner, cca. 1985]

2. Avoidance: early detection of node capture
   - Ex. Periodic monitoring (depending on node protection)
   - Cost vs. timely detection? False positives? Missed detection?
   - Advantage: avoids damage done by new adversary
   - Disadvantage: cannot always be used (e.g., disconnected nodes; are these really networked?)

3. Future: “prevent” attacks
   - questionable proposition

Avoidance: Periodic Monitoring of Target Nodes

Observation: Access to Node State (e.g., keys, memory content) requires the node to be taken “off-line” for time X
- X is a random variable depending on
  - node security; e.g., quality of content obfuscation, physical protection
  - node overload; e.g., on-line attempts to access Node State
  - node failure; e.g., tampering with node while on-line leads to failure

Idea: Node Status (on-, off-line) Monitoring by Neighbors in time T
- T < X: capture (i.e., node offline) is always detected
- T >= X: capture is never detected

Key Design Parameters
- cost (i.e., no. and frequency of messages)
- false alarm rate
- missed detection rate

Approach: Periodic Monitoring of Target Nodes

[Figure: example network of nodes 1 to 14 showing the communication neighborhood of the monitoring target, the keying neighborhood, and “propagate status” messages exchanged between neighbors.]

Pair-wise Monitoring Scheme

• Continuous network self monitoring in each neighborhood
  - really bad idea?

• Ping message in time $T_p$ from $i$ to $j$: $(i,\ j,\ nonce,\ H(k_{ij}, nonce))$

• Response message in time $T_p$ from $j$ to $i$: $(j,\ i,\ nonce+1,\ H(k_{ij}, nonce+1))$

• Interval assignment for pinging based on node’s ID: $Interval\_no_i = (i \bmod K) + 1$, with $1 \le Interval\_no_i \le K$

[Figure: node $i$ with neighbors $1, 2, \ldots, j, \ldots, d-1, d$; time axis divided into epochs $T_e$ (the $n$-th epoch shown), each pinging period $T_p$ divided into intervals $1, 2, \ldots, K$ that repeat; $K \gg$ node degree.]

Pair-wise Monitoring Scheme

• Failure to respond appropriately to ping message in next $T_p$ interval suggests node capture

• For example:
  – delayed response past next $T_p$
  – inappropriate message content
  – packet loss, collision, or congestion
  – physical damage or battery depletion of the node

• Detection interval $T = M \times T_e$ helps distinguish node capture from response failures for other reasons

• Successful capture requires access to node’s internal states within $T$

• No response within $T$ (i.e., after $M$ retries) => alarm

• Larger $T$ (or $M$) => increased vulnerability to capture

• Smaller $T$ (or $M$) => increased false-alarm rate
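The ping/response exchange and the interval assignment of the two slides above, worked as an added example (this is not code from the slides). HMAC-SHA256 stands in for the keyed hash $H(k_{ij}, \cdot)$, which is an assumption since the slides leave $H$ unspecified. The check_response function encodes what the slide calls an “appropriate” response: right source and destination, nonce incremented by one, valid tag. Anything else, including a replayed earlier response or a response from a node that does not hold $k_{ij}$, counts as a failure for that $T_p$ interval and feeds the retry counter.

```python
import hmac
import hashlib
import secrets
from typing import Optional, Tuple

Msg = Tuple[int, int, int, bytes]   # (src, dst, nonce, tag)


def H(k_ij: bytes, nonce: int) -> bytes:
    """Keyed hash H(k_ij, nonce). HMAC-SHA256 is assumed here; the slides do not fix H."""
    return hmac.new(k_ij, nonce.to_bytes(8, "big"), hashlib.sha256).digest()


def interval_no(node_id: int, K: int) -> int:
    """Pinging interval of node i within each T_p: (i mod K) + 1, so 1 <= Interval_no_i <= K."""
    return (node_id % K) + 1


def make_ping(i: int, j: int, k_ij: bytes, nonce: int) -> Msg:
    """i -> j : (i, j, nonce, H(k_ij, nonce))"""
    return (i, j, nonce, H(k_ij, nonce))


def make_response(ping: Msg, my_id: int, k_ij: bytes) -> Optional[Msg]:
    """j -> i : (j, i, nonce+1, H(k_ij, nonce+1)).
    j answers only pings addressed to it that carry a valid tag under the pairwise key."""
    i, j, nonce, tag = ping
    if j != my_id or not hmac.compare_digest(tag, H(k_ij, nonce)):
        return None
    return (j, i, nonce + 1, H(k_ij, nonce + 1))


def check_response(i: int, j: int, nonce: int, k_ij: bytes, resp: Optional[Msg]) -> bool:
    """Monitor i's acceptance test for the response expected within the next T_p.
    Missing, misaddressed, wrong-nonce (e.g. replayed) or badly tagged responses all fail."""
    if resp is None:
        return False
    src, dst, n, tag = resp
    return (src == j and dst == i and n == nonce + 1
            and hmac.compare_digest(tag, H(k_ij, nonce + 1)))


def run_exchange(i: int, j: int, k_ij: bytes, k_at_j: bytes, nonce: Optional[int] = None,
                 replay: Optional[Msg] = None) -> bool:
    """One ping/response round between monitor i and target j.
    k_at_j is the key j actually holds (== k_ij when j is the honest neighbor);
    replay, if given, is delivered to i instead of j's fresh response."""
    if nonce is None:
        nonce = secrets.randbits(64)            # fresh nonce per ping
    ping = make_ping(i, j, k_ij, nonce)
    resp = replay if replay is not None else make_response(ping, j, k_at_j)
    return check_response(i, j, nonce, k_ij, resp)


if __name__ == "__main__":
    key = secrets.token_bytes(16)                   # constructed pairwise key k_ij
    print(run_exchange(1, 2, key, key))             # honest neighbor responds: True
    print(run_exchange(1, 2, key, b"\x00" * 16))    # responder without k_ij: False
    old = make_response(make_ping(1, 2, key, 7), 2, key)
    print(run_exchange(1, 2, key, key, nonce=8, replay=old))  # replayed response: False
    print(interval_no(5, 16))                       # node 5 pings in interval 6 of K=16
```

A failed round is only evidence for that interval; the slide's point is that one failure is also what packet loss or a flat battery looks like, which is why the alarm is raised after $M$ consecutive failures rather than one.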

Design Objectives – normal mode

• Missed Detection
  • Capture time $X$ (pdf $f_X(x)$) is smaller than detection interval $T$
  • Minimize the probability of a missed detection $P_m$

• False Alarms: device did not respond properly in interval $T$ but device is not captured
  • Exchange messages are lost with probability $p_l$
  • Reach end of a $T = M \times T_e$ interval without monitoring message (“pinging”)
  • Maximize expected residual time-to-false-alarm of nodes $L_f$

• Cost: neighbor “pinging” rate
  • $p_r$ = probability of sending a pinging message in $T_e$
  • Minimize $p_r$

Markov Chain Model

• Detection (steady) state $S_n$ ($0 \le S_n \le M$) of neighbor $i$ w.r.t. neighbor node $j$ at epoch $n$:
  • no. of successive $T_e$ epochs $s$ ($1 \le s \le M$) in which node $i$ does not ping node $j$ (probability $1 - p_r$)
  • no. of successive epochs $T_e$ in which node $i$ has not received any response
    » communication errors with probability $p_l$
    » node $j$ is captured and unable to respond
• probability of receiving a “ping” response $P_e = p_r(1 - p_l)$

[Figure: chain on states $M, M-1, M-2, \ldots, 2, 1, 0$; each epoch moves from state $s$ to $s-1$ with probability $1 - P_e$ and back to $M$ with probability $P_e$; state 0 (alarm) returns to $M$ with probability 1.]

Steady State Analysis

• Steady state probability of being at each state $s$ (no capture in progress):

  $P_s = \dfrac{P_e\,(1 - P_e)^{M-s}}{1 - (1 - P_e)^{M}}, \qquad 1 \le s \le M$

[Figure: the same chain on states $M, \ldots, 1, 0$ with transitions $1 - P_e$ downward and $P_e$ back to $M$.]

Probability of being at each state

• Increasing $p_r$ (and $P_e$) leads to longer time to false alarm
  • more concentration of mass in higher states, i.e. around the regenerative points
  • but incurs higher energy and communication costs

Note: $P_e = p_r(1 - p_l)$, where $p_l$ is constant

Missed Detection

• Probability of missed detection
  • Given a witness node is in state $s$, the capture time for an adversary’s success on a target node should be $X < T = sT_e$
  • Therefore, $P(\mathrm{miss} \mid S_n = s) = P(X < sT_e) = F_X(sT_e)$

  $P_m = \sum_{s=1}^{M} P_s \; P(\mathrm{miss} \mid S_n = s) = \sum_{s=1}^{M} \dfrac{P_e\,(1 - P_e)^{M-s}}{1 - (1 - P_e)^{M}} \; F_X(sT_e)$

Missed Detection

• Increasing detection interval $T$ (or $M$) increases $P_m$
  • longer detection interval => more time to complete node capture

• for a given detection interval $T$ (or $M$), higher $p_r$ => higher $P_m$
  - in the limit, the entire detection interval $T$ is available to adversary

False Alarms

• Expected Residual time-to-false-alarm, $L_f$
  • $T_s$ = residual time-to-false-alarm at current state; i.e., time for transition to state 0, given in state $s$ and no capture in progress
  • False alarm rate = inverse of expected residual time-to-false-alarm

  $L_f = \sum_{s=1}^{M} P_s \, T_s = \sum_{s=1}^{M} \dfrac{P_e\,(1 - P_e)^{M-s}}{1 - (1 - P_e)^{M}} \; T_s$

  $T_s = T_e + (1 - P_e)\,T_{s-1} + P_e\,T_M, \quad 1 < s \le M; \qquad T_1 = T_e + P_e\,T_M$
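The steady-state, missed-detection and residual-time formulas of the Markov chain slides above, computed as an added example (not from the slides). The $T_s$ recursion is solved by unrolling it into the form $T_s = a_s + b_s T_M$ and closing the loop at $s = M$; the resulting $T_M$ agrees with the expected time to see $M$ consecutive non-responses. An exponential capture-time distribution is assumed for $F_X$ only because the slides do not state one; the parameter values in the demo are those of the later “two simplistic examples” slide.

```python
import math
from typing import Callable, List


def response_probability(p_r: float, p_l: float) -> float:
    """P_e = p_r (1 - p_l): a ping was sent this epoch and the exchange was not lost."""
    return p_r * (1.0 - p_l)


def steady_state(P_e: float, M: int) -> List[float]:
    """P_s = P_e (1-P_e)^(M-s) / (1 - (1-P_e)^M) for s = 1..M.
    Index 0 is unused: state 0 is the alarm state, excluded from the no-capture steady state."""
    norm = 1.0 - (1.0 - P_e) ** M
    return [0.0] + [P_e * (1.0 - P_e) ** (M - s) / norm for s in range(1, M + 1)]


def residual_times(P_e: float, T_e: float, M: int) -> List[float]:
    """T_s = T_e + (1-P_e) T_{s-1} + P_e T_M with T_0 = 0 (so T_1 = T_e + P_e T_M).
    Each T_s is affine in the unknown T_M: T_s = a_s + b_s T_M. Unroll, then solve at s = M."""
    a = [0.0] * (M + 1)
    b = [0.0] * (M + 1)
    for s in range(1, M + 1):
        a[s] = T_e + (1.0 - P_e) * a[s - 1]
        b[s] = P_e + (1.0 - P_e) * b[s - 1]
    T_M = a[M] / (1.0 - b[M])          # from T_M = a_M + b_M T_M
    return [a[s] + b[s] * T_M for s in range(M + 1)]


def expected_time_to_false_alarm(p_r: float, p_l: float, T_e: float, M: int) -> float:
    """L_f = sum_s P_s T_s, in the units of T_e."""
    P_e = response_probability(p_r, p_l)
    P = steady_state(P_e, M)
    T = residual_times(P_e, T_e, M)
    return sum(P[s] * T[s] for s in range(1, M + 1))


def missed_detection(p_r: float, p_l: float, T_e: float, M: int,
                     F_X: Callable[[float], float]) -> float:
    """P_m = sum_s P_s F_X(s T_e): the witness sits in state s and the capture completes within s T_e."""
    P_e = response_probability(p_r, p_l)
    P = steady_state(P_e, M)
    return sum(P[s] * F_X(s * T_e) for s in range(1, M + 1))


def exponential_cdf(mean: float) -> Callable[[float], float]:
    """Assumed capture-time distribution (the slides do not state one): F_X(x) = 1 - exp(-x/mean)."""
    return lambda x: 1.0 - math.exp(-x / mean)


if __name__ == "__main__":
    # Case 1 of the examples slide: T_e = 5 s, p_l = 1e-3, M = 48, p_r around 0.23, capture time around 300 s
    F_X = exponential_cdf(300.0)
    for p_r in (0.20, 0.23, 0.26):
        L_f = expected_time_to_false_alarm(p_r, 1e-3, 5.0, 48)
        P_m = missed_detection(p_r, 1e-3, 5.0, 48, F_X)
        print(f"p_r={p_r:.2f}  L_f={L_f / 86400:.1f} days  P_m={P_m:.3f}")
```

Running the loop shows the trade-off the slides state in words: a few hundredths added to $p_r$ multiply $L_f$ several times over, because $T_M$ grows like $(1 - P_e)^{-M}$, while $P_m$ creeps up because the chain spends more time near state $M$ where the full interval is available to the adversary.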

False Alarms

• Increasing $p_r$ increases $L_f$
  • higher $p_r$ maintains nodes in higher states (i.e., longer time for non-captured nodes to reach false alarm state 0)

• Increasing $M$ increases $L_f$
  • Higher $M$ (or $T$) => higher chance to go back to regenerative state $M$

False Alarms

• Sensitivity of $L_f$ to $p_r$
  - higher $p_r$ leads to more concentration of states around higher values with correspondingly larger $T_s$

Design Trade-offs

• Minimizing $P_m$ requires reducing $M$ and $p_r$

• Maximizing $L_f$ requires increasing $M$ and $p_r$

• Cost (e.g., energy) efficiency requires reducing $p_r$

• Application is more sensitive to $P_m$ than $L_f$

Tradeoffs for Determining $M$ and $p_r$

• Cost analysis
  • Communication: message RX and TX per node per epoch
  • Computation: MAC verifications and generations, and counter inc.
  • Memory: $d$ registers per node (each associated with a neighbor)

• Probability of collision is upper-bounded by a term in $d$ (node degree) and $p_r$
  • Increase $K$ s.t. $K \gg d$

Two Simplistic Examples

• Case 1: Weak node protection (e.g., obfuscation and physical security)

• Case 2: Strong node protection (e.g., obfuscation and physical security)

  Parameter            Case 1 (weak)           Case 2 (strong)
  capture time X       300 sec                 18000 sec (5 hrs)
  p_l                  10^-3                   10^-3
  T_e                  5 sec                   5 sec
  p_r                  0.23                    0.14
  M                    48                      80
  L_f                  10^7 sec (116 days)     10^7 sec (116 days)
  P_m                  0.2                     0.2

q-node Probabilistic Pinging Scheme

• An Emergent Protocol

• Goals
  • Robustness of capture-detection scheme against faulty/malicious neighbors’ judgments about a common node
  • Reducing the required energy (e.g., communication) costs for given node security
  • Optimal parameters for given node security measures; e.g., $p_r$, $M$

q-node Probabilistic Pinging Scheme

[Figure: two views of the same neighborhood; target node $i$ with neighbors $1, \ldots, j, \ldots, d-1, d$, each running the pair-wise scheme with $i$.]

q-node Probabilistic Pinging Scheme

• each neighbor runs pair-wise probabilistic pinging protocol with a (target) node independently

• each received alert flag increments the counter corresponding to the target node kept in all its neighbors

• counter = q => set revocation flag by q parties (consensus among q neighbors about the target node)

• commit revocation flag and broadcast it by all q parties to the entire network

• each revocation flag expires after time T and corresponding Markov chain is reset back to its initial state M

q-node Missed Detection

• missed detection:
  - at least $d-q+1$ witness neighbors do not flag “node capture”, or equivalently, at most $q-1$ neighbors flag “node capture”

  $P_m^{(q)} = P_m^{\,d} + \binom{d}{1} P_m^{\,d-1}(1-P_m) + \binom{d}{2} P_m^{\,d-2}(1-P_m)^2 + \cdots + \binom{d}{q-1} P_m^{\,d-q+1}(1-P_m)^{q-1} = \sum_{i=0}^{q-1} \binom{d}{i} (1-P_m)^{i} P_m^{\,d-i}$

q-node Missed Detection
- no. of parties, $q < d$ ($d = 20$)
- lower $P_m$ than in pair-wise case below threshold $q$ (e.g., $q \le 14$); higher above

[Figure: $P_m^{(q)}$ versus $q$ for $d = 20$, with the pair-wise case shown as a reference line.]
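The q-node consensus and its missed-detection formula from the three slides above, as an added example (not the slides’ code). The first function is the binomial sum for $P_m^{(q)}$ and is checked against the $d = 20$ comparison: with a pair-wise $P_m$ of 0.2 it stays below 0.2 for $q = 14$ and rises above it by $q = 16$. The second function is the counter-and-expiry logic of the scheme run over a constructed alert stream: each witness’s alert for a target counts once, alerts older than $T$ expire, and reaching $q$ commits a revocation flag and resets the target’s counter (the chain’s return to state $M$). The alert tuple format, timestamps and node names are my constructed inputs, and the 25% to 30% rule helper restates the later rule-of-thumb slide.

```python
from math import comb
from typing import Dict, List, Tuple

Alert = Tuple[float, int, str]   # (time, witness id, target id): constructed format, not from the slides


def q_node_missed_detection(P_m: float, d: int, q: int) -> float:
    """P_m^(q) = sum_{i=0}^{q-1} C(d,i) (1-P_m)^i P_m^(d-i):
    at most q-1 of the d witnesses flag the capture, each missing it independently with prob. P_m."""
    return sum(comb(d, i) * (1.0 - P_m) ** i * P_m ** (d - i) for i in range(q))


def consensus_threshold_range(d: int) -> Tuple[int, int]:
    """Rule of thumb from the closing slides: q at about 25% to 30% of the node degree d."""
    return (round(0.25 * d), round(0.30 * d))


def revocation_decisions(alerts: List[Alert], q: int, T: float) -> List[Tuple[float, str]]:
    """Counter logic of the q-node scheme. pending[target] maps each witness to the time of its
    latest alert; the counter for a target is the number of distinct witnesses whose alert is at
    most T old. When the counter reaches q the revocation flag is committed and the counter reset."""
    pending: Dict[str, Dict[int, float]] = {}
    committed: List[Tuple[float, str]] = []
    for t, witness, target in sorted(alerts, key=lambda a: a[0]):
        window = pending.setdefault(target, {})
        for w in [w for w, tw in window.items() if tw < t - T]:
            del window[w]                       # alert flag expired after T
        window[witness] = t                     # a witness re-alerting does not count twice
        if len(window) >= q:
            committed.append((t, target))
            window.clear()                      # reset: chain back to initial state M
    return committed


# Constructed alert stream: five distinct witnesses for n7 within 8 s; four witnesses for n3
# spread 30 s apart; a single witness repeating itself about n9.
SAMPLE_ALERTS: List[Alert] = [
    (0.0, 1, "n7"), (2.0, 2, "n7"), (4.0, 3, "n7"), (6.0, 4, "n7"), (8.0, 5, "n7"),
    (0.0, 1, "n3"), (30.0, 2, "n3"), (60.0, 3, "n3"), (90.0, 4, "n3"),
    (1.0, 1, "n9"), (2.0, 1, "n9"), (3.0, 1, "n9"), (4.0, 1, "n9"),
]


if __name__ == "__main__":
    d, P_m = 20, 0.2
    for q in (1, 5, 14, 16, 20):
        print(f"q={q:2d}  P_m^(q)={q_node_missed_detection(P_m, d, q):.3g}")
    print(consensus_threshold_range(d))                      # (5, 6)
    print(revocation_decisions(SAMPLE_ALERTS, q=4, T=10.0))  # [(6.0, 'n7')]
```

With $q = 4$ and $T = 10$ only n7 is revoked: n3’s four witnesses never overlap inside one window, and n9’s single repeating witness never lifts the counter past one, which is the robustness against a faulty or malicious neighbor that the scheme’s goals slide asks for.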

Expected Residual Time to False Alarm

• False alarm: at least $q$ neighbors inaccurately flag a target node as “captured”

• Residual time-to-false-alarm $T^{(q)}$: the average time it takes for at least $q$ neighbors to reach false alarm

• Lower bound on the expected residual time-to-false-alarm: first $q$ alarm flags arrive within time interval $T$

  $L_f^{(q)} = E\left[\,T^{(q)}\,\right]$

Residual time-to-false-alarm

• $T_s$ vs. $s$ in q-level consensus

• note limited number of possibilities for having q-level consensus within time interval $T$

Probability of False Alarm

• Probability of False-Alarm = Pr(q alerts come within T)
  - depends on q almost exponentially; i.e. exp(-q)
  - threshold values above which the prob. of false alarms is min., e.g., q >= 4

Rule of Thumb for Setting q

• Set the consensus level q at about 25% to 30% of the node degree to minimize both the probability of a missed detection and the probability of a false alarm

• How robust is this “design rule”?

• Overall cost?

Ongoing and Future Research

1. Explore the design space for “pinging” protocol
   - vary model parameters within all practical values
   - derive design rules

2. Find semi-synchronous protocols
   - viz., revocation approach of H. Chan et al, IEEE-TDSC 2005

3. Find other tell-tale signs of node capture and compose them with current approach
   - other emergent properties

4. Extend approach to other networks; e.g., mesh nets