Witness-based Detection of Forwarding Misbehavior in Wireless Networks
Sookhyun Yang, Sudarshan Vasudevan, Jim Kurose
University of Massachusetts, Amherst, Department of Computer Science


Page 1: Title
Witness-based Detection of Forwarding Misbehavior in Wireless Networks
Sookhyun Yang, Sudarshan Vasudevan, Jim Kurose
University of Massachusetts Amherst

Page 2: Outline
- Introduction
- Witness-based detection: approach
- Witness-based detection: properties
- Detection accuracy with unreliable links

Page 3: Motivation
In a wireless ad hoc network, an authenticated node on the forwarding path can be compromised.
Goal: verify that each node on the data forwarding path is correctly forwarding packets.
- Control-plane verification: against routing control disruption
- Data-plane verification: against forwarding misbehavior
This paper: witness-based detection to verify correct (data-plane) forwarding and to identify the source(s) of forwarding misbehavior.

Page 4: Problem Statement
Reliable hop-by-hop data forwarding in a wireless ad hoc network.
[Figure: path Source S -> A -> B -> C -> D (Destination); each hop forwards the data frame to the next hop and returns an ack to the previous hop.]

Page 5: Problem Statement
[Figure: the same S-A-B-C-D path as on Page 4.]
Question: how can we verify that node B correctly forwards the frame to C on the S-A-B-C-D path?

Page 6: Prior Work: Neighborhood Watch
[Figure: A -> B -> C data path; witness node W lies within both node A's and node B's transmission ranges.]
Witness node W overhears A and B and decides B's forwarding correctness based on the mismatch rate between incoming and outgoing data packets at B.
The decision is error-prone, so the approach depends on long-term or cumulative observation for high accuracy.

Page 7: Prior Work: Data-path-based Detection
[Figure: A -> B -> C; data flows downstream, and C's ACK flows back to A via B.]
Without witness nodes, upstream node A decides node B's forwarding correctness based on node C's ACK packet forwarded by node B.
This decision is also error-prone: node C can be compromised, and the reverse path from node C to node A can be unreliable.

Page 8: Outline (section divider; same list as Page 2)

Page 9: Our Work: Witness-based Detection
[Figure: A -> B -> C data path; witness node W lies within both node B's and node C's transmission ranges. W returns a WACK, and evidence travels from W and from C back to A over different paths.]
Upstream node A decides node B's forwarding correctness based on "tamper-proof evidence" transmitted through diverse paths.

Page 10: Tamper-proof Evidence
B-signed message checksum:
  K_B( H[ M | addr(C) ], t )
where
- K_B( ): private key of the data forwarder, node B
- M: the message
- addr(C): address of the data recipient, node C
- t: timestamp
Node B says: "I sent message M to node C."

Page 11: Node C's Evidence Generation
[Figure: B -> C data transmission, overheard by witness node W.]
Data = M | B-signed message checksum
"ACK-based evidence": K_C( B-signed message checksum, H[ M | addr(C) ], t_c )
Node C says: "I received message M at t_c from node B."

Page 12: Node W's Evidence Generation
[Figure: B -> C data transmission, overheard by witness node W.]
Data = M | B-signed message checksum
1. W generates "data-based evidence": K_W( B-signed message checksum, H[ M | addr(C) ], t_W )
   Node W says: "I overheard message M at t_W from node B."
2. W relays the "ACK-based evidence": K_W( ACK-based evidence )
   Node W says: "I overheard node C saying it (node C) received message M at t_c from node B."

Page 13: Node A's Decision Algorithm on Node B
Initially assume that once evidence is successfully generated, it does not fail to reach node A.
Lemma 1: No evidence implies that node B does not correctly forward a data packet to node C.
Lemma 2: Consistent evidence implies that node B correctly forwards a data packet to node C.
To decide whether evidence is consistent, upstream node A knows the correct checksum and message order. If the checksum and message order in the evidence do not differ from node A's, we call that evidence consistent.

Page 14: Outline (section divider; same list as Page 2)

Page 15: When Node B is Compromised
Packet drop: no evidence received at A.
[Figure: A -> B (compromised) -> C, with witness node W; no evidence flows back to A.]

Page 16: When Node B is Compromised
Fake forwarding: inconsistent data-based evidence is received from witness node W, and no ACK-based evidence from node C.
[Figure: A -> B (compromised) -> C, with witness node W; W returns inconsistent evidence and C returns nothing.]

Page 17: What if Node W or C is Compromised?
Badmouthing: a compromised W or C can generate fake inconsistent evidence to falsely accuse uncompromised node B.
If there is at least one uncompromised node, node A can receive consistent evidence from that node.
If there is no collusion, node A can recognize that node W is compromised.
[Figure: A -> B -> C data packet; compromised witness node W returns inconsistent evidence while C returns consistent evidence.]

Page 18: When Multiple Nodes Are Compromised
Node B is not compromised: if there is at least one uncompromised node, node A receives consistent evidence as well as inconsistent evidence.
[Figure: A -> B -> C with witness nodes W1 and W2; two of the evidence-generating nodes are compromised and return inconsistent evidence, while the remaining uncompromised node returns consistent evidence.]

Page 19: When Multiple Nodes Are Compromised
Node B is compromised: if node B and node W1 do not collude, consistent evidence cannot exist.
[Figure: A -> B (compromised) -> C with witness nodes W1 and W2; a second node is also compromised.]
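A toy model of the evidence chain and node A's decision rule from Pages 10-13, run through the threat cases of Pages 15-19; this is an added example, not the authors' code. It stands in per-node signatures K_X( ) with HMAC-SHA256 under constructed keys that node A is assumed to hold, and omits the message-order check.

```python
"""Toy model of the witness-based evidence chain (added example, not the authors' code).
Per-node signatures K_X( ) are stood in for by HMAC-SHA256 under constructed keys that node A
is assumed to hold for verification; the message-order check of Page 13 is omitted."""
import hashlib, hmac

KEYS = {"B": b"key-B", "C": b"key-C", "W": b"key-W"}  # constructed per-node signing keys

def checksum(msg: bytes, recipient: str) -> bytes:
    """H[M | addr(C)]: digest over the message and its intended recipient's address."""
    return hashlib.sha256(msg + b"|" + recipient.encode()).digest()

def sign(node: str, *fields: bytes) -> bytes:
    """K_node(fields): stand-in for the node's signature over the concatenated fields."""
    return hmac.new(KEYS[node], b"|".join(fields), hashlib.sha256).digest()

def b_signed_checksum(msg: bytes, recipient: str, t: int) -> dict:
    """B's claim 'I sent M to C': K_B(H[M|addr(C)], t)."""
    chk = checksum(msg, recipient)
    return {"chk": chk, "t": t, "sig": sign("B", chk, str(t).encode())}

def evidence(by: str, b_chk: dict, seen: bytes, recipient: str, t: int) -> dict:
    """ACK-based (by C) or data-based (by W) evidence: K_X(B-signed checksum, H[M'|addr(C)], t_X)."""
    chk = checksum(seen, recipient)  # M' is the frame the generator actually received/overheard
    return {"by": by, "b_chk": b_chk, "chk": chk, "t": t,
            "sig": sign(by, b_chk["sig"], chk, str(t).encode())}

def verify(ev: dict) -> bool:
    """Discard evidence whose signature does not verify under its generator's key."""
    expect = sign(ev["by"], ev["b_chk"]["sig"], ev["chk"], str(ev["t"]).encode())
    return hmac.compare_digest(ev["sig"], expect)

def decide(expected_chk: bytes, evidences: list) -> tuple:
    """Node A's decision on B (reliable links: generated evidence always arrives).
    Returns (verdict, generators whose evidence contradicts a consistent one)."""
    valid = [e for e in evidences if verify(e)]
    if not valid:
        return "B_DROPPED", []  # Lemma 1: no evidence at all
    if any(e["chk"] == expected_chk for e in valid):  # Lemma 2: an honest node vouches for B
        return "B_OK", sorted({e["by"] for e in valid if e["chk"] != expected_chk})
    return "B_MISBEHAVING", []  # only inconsistent evidence: fake forwarding (Page 16)

def scenario(case: str) -> tuple:
    """Constructed cases from the slides: honest, drop, fake forwarding, badmouthing by W."""
    m, m_fake = b"payload-7", b"tampered-7"
    expected, b_chk = checksum(m, "C"), b_signed_checksum(m, "C", 100)  # known to A
    evs = {"honest": [evidence("C", b_chk, m, "C", 101), evidence("W", b_chk, m, "C", 101)],
           "drop": [],  # B silently discards the frame (Page 15)
           "fake_forwarding": [evidence("W", b_chk, m_fake, "C", 101)],  # C gets nothing
           "badmouthing": [evidence("C", b_chk, m, "C", 101),  # honest C (Page 17)
                           evidence("W", b_chk, m_fake, "C", 101)]}[case]
    return decide(expected, evs)
```

In the badmouthing case the second element of the result names the node whose evidence contradicts the consistent one, which is what lets A flag W under the no-collusion assumption.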

Page 20: Outline (section divider; same list as Page 2)

Page 21: Detection Accuracy in Lossy Links
With reliable links, witness-based detection has no detection errors.
Using an analytical model, we compare data-path-based detection with witness-based detection over lossy links.
- p_loss: the probability that a node fails to receive or overhear a packet from its one-hop neighbor
- p_c: the probability that a node is compromised
- Λ: the expected number of witness nodes, based on a 2D Poisson distribution
Metrics:
- FPP (False Positive Probability)
- FNP (False Negative Probability): without collusion, FNP is equal to 0 in both detection schemes.

Page 22: Detection Accuracy in Lossy Links
[Figure: FPP of data-path-based detection versus witness-based detection, p_c = 0.5.]
Consistent evidence can be lost over lossy links.
As the density of witness nodes (Λ) grows, FPP decreases because consistent evidence becomes more available.

Page 23: Detection Accuracy in Lossy Links
When a link is reliable, case 2 (badmouthing) dominates FPP.
When a link is unreliable, the FPP due to case 1 increases, but the FPP due to case 2 decreases.

Page 24: Conclusion
Witness-based detection makes instantaneous decisions more precise by using witness nodes, rather than relying on long-term or cumulative observation.
Witness-based detection supports error-free detection under various threat scenarios over reliable links.
Using an analytical model, we showed that witness-based detection can support low FPP and no FNP even in the presence of lossy wireless links.

Page 25: Open Questions
- Collusion
- Evaluation of communication overhead

Page 26: Thank you! Q&A