Handling New Adversaries in Secure MANETs

Virgil D. Gligor
Electrical and Computer Engineering, University of Maryland
College Park, MD 20742
gligor@umd.edu

ZISC Wireless Security Workshop, Zurich
September 27-28, 2007

* based on joint work with S. F. Bahari

VDG, Sept 27, 2007. Copyright © 2007

Dec 21, 2015


Page 2:

Overview

1. New Adversary: Different from DY and Byzantine Models
   - capabilities: node capture, replication

2. An Approach for Handling Node Capture
   - example of emergent property

3. Ongoing and Future Research

Page 3:

Approaches for Handling New Adversary

1. Detection and Recovery
   - Ex. Detection of node-replica attacks [Parno et al 2005]
   - Cost? Traditional vs. Emergent Protocols
   - Advantage: always possible, good enough detection
   - Disadvantage: “when you’ve been had, you’ve been had by a professional” [S. Lipner, cca. 1985]

2. Avoidance: early detection of node capture
   - Ex. Periodic monitoring (depending on node protection)
   - Cost vs. timely detection? False positives? Missed detection?
   - Advantage: avoids damage done by new adversary
   - Disadvantage: cannot always be used (e.g., disconnected nodes – are these really networked?)

3. Future: “prevent” attacks
   - questionable proposition

Page 4:

Avoidance: Periodic Monitoring of Target Nodes

Observation: Access to Node State (e.g., keys, memory content) requires the node to be taken “off-line” for time X
- X is a random variable depending on
  - node security; e.g., quality of content obfuscation, physical protection
  - node overload; e.g., on-line attempts to access Node State
  - node failure; e.g., tampering with node while on-line leads to failure

Idea: Node Status (on-, off-line) Monitoring by Neighbors in time T
- T < X, capture (i.e., node offline) is always detected
- T >= X, capture is never detected

Key Design Parameters
- cost (i.e., no. and frequency of messages)
- false alarm rate
- missed detection rate

Page 5:

Approach: Periodic Monitoring of Target Nodes

[Figure: network of numbered nodes (1 to 14) showing a monitoring target, its Communication Neighborhood and its Keying Neighborhood, with arrows labeled “propagate status”.]

Page 6:

Pair-wise Monitoring Scheme

• Continuous network self monitoring in each neighborhood

- really bad idea ?

• Ping message in time

• Response message in time

• Interval assignment for pinging based on node’s ID,

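[Figure: node i and its neighbors 1, 2, ..., d-1, d, including node j, with a ping sent from i to j and a response sent from j to i.]

Ping, i → j: $i,\ j,\ \mathit{nonce},\ H(k_{ij};\ \mathit{nonce})$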

,,1,;1 ij jinonceHknonce

_ mod 1 1Interval no i i K 1 _ 1Interval no i K

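[Figure: timeline. Time is divided into epochs of length $T_e$ (the n-th epoch is shown); each epoch is divided into K intervals of length $T_p$, numbered 1, 2, ..., K, with Interval_no(i) marked.]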

K >> node degree

Page 7:

Pair-wise Monitoring Scheme

• Failure to respond appropriately to ping message in next Tp interval suggests node capture

• For example:

– delayed response past next Tp

– inappropriate message content

– packet loss, collision, or congestion

– physical damage or battery depletion of the node

• Detection interval T = M × Te helps distinguish node capture from response failures for other reasons

• Successful capture requires access to node’s internal states within T

• No response within T (i.e., after M retries) => alarm

• Larger T (or M) => increased vulnerability to capture

• Smaller T (or M) => increased false-alarm rate

Page 8:

Design Objectives – normal mode

• Missed Detection
  • Capture time X (pdf fX(x)) is smaller than detection interval T
  • Minimize the probability of a missed detection Pm

• False Alarms: device did not respond properly in interval T but device is not captured
  • Exchange messages are lost with probability pl
  • Reach end of a T = M × Te interval without monitoring message (“pinging”)
  • Maximize expected residual time-to-false-alarm of nodes Lf

• Cost: neighbor “pinging” rate
  • pr = probability of sending a pinging message in Te
  • Minimize pr

Page 9:

Markov Chain Model

• Detection (steady) state $S_n$ ($0 \le S_n \le M$) of neighbor i w.r.t. neighbor node j at epoch n:
  • no. of successive Te epochs s ($1 \le s \le M$) in which node i does not ping node j (probability 1-pr)
  • no. of successive epochs Te in which node i has not received any response
    » communication errors with probability pl
    » node j is captured and unable to respond

• probability of receiving a “ping” response Pe = pr(1-pl)

[Figure: Markov chain with states M, M-1, M-2, ..., 2, 1, 0. From each state s ≥ 1 the chain moves to state s-1 with probability $1 - P_e$ and returns to state M with probability $P_e$; state 0 has one outgoing transition with probability 1.]

Page 10:

Steady State Analysis

• Steady state probability of being at each state s (no capture in progress)

$$P_s = \frac{p_e\,(1-p_e)^{M-s}}{1-(1-p_e)^{M}}, \qquad 1 \le s \le M$$

[Figure: Markov chain over states M, M-1, M-2, ..., 2, 1, 0 with transition probabilities $1 - P_e$, $P_e$ and 1.]

Page 11:

Probability of being at each state

• Increasing pr (and pe) leads to longer time to false alarm
  • more concentration of mass in higher states, i.e. around the regenerative points
  but incurs higher energy and communication costs

Note: $P_e = p_r(1 - p_l)$, where $p_l$ is constant

Page 12:

Missed Detection

• Probability of missed detection
  • Given a witness node is in state s, the capture time for an adversary’s success on a target node should be X < T = sTe
  • Therefore,

$$P(\text{miss} \mid S_n = s) = P(X < sT_e) = F_X(sT_e)$$

$$P_m = \sum_{s=1}^{M} P(\text{miss} \mid S_n = s)\,P_s = \sum_{s=1}^{M} F_X(sT_e)\,\frac{p_e\,(1-p_e)^{M-s}}{1-(1-p_e)^{M}}$$

Page 13:

Missed Detection

• Increasing detection interval T (or M) increases Pm

• longer detection interval => more time to complete node capture

• for a given detection interval T (or M), higher pr => higher Pm

- in the limit, the entire detection interval T is available to adversary

Page 14:

False Alarms

• Expected Residual time-to-false-alarm, Lf

• Ts = residual time-to-false-alarm at current state; i.e., time for transition to state 0, given in state s and no capture in progress

• False alarm rate = Inverse of expected residual time-to-false-alarm

$$L_f = \sum_{s=1}^{M} T_s P_s = \sum_{s=1}^{M} T_s\,\frac{p_e\,(1-p_e)^{M-s}}{1-(1-p_e)^{M}}$$

$$T_s = (1-p_e)\,(T_{s-1} + T_e) + p_e\,(T_e + T_M) = T_e + (1-p_e)\,T_{s-1} + p_e\,T_M$$

Page 15:

False Alarms

• Increasing pr increases Lf
  • higher pr maintains nodes in higher states (i.e., longer time for non-captured nodes to reach false alarm state 0)

• Increasing M increases Lf
  • Higher M (or T) => higher chance to go back to regenerative state M

Page 16:

False Alarms

• Sensitivity of Lf to pr
  higher pr leads to more concentration of states around higher values with correspondingly larger Ts
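The pair-wise model of the preceding slides (steady state P_s, missed detection P_m, residual times T_s and L_f) can be evaluated numerically to see the stated trends. This is an added example, not code from the talk; the exponential capture-time distribution, its mean and the swept values of p_r and M are assumptions, and the function names are hypothetical.

```python
import math

def ping_response_prob(p_r, p_l):
    """P_e = p_r (1 - p_l): a ping is sent and the exchange is not lost."""
    return p_r * (1.0 - p_l)

def steady_state(pe, M):
    """P_s for s = 1..M with no capture in progress, as {s: P_s}."""
    norm = 1.0 - (1.0 - pe) ** M
    return {s: pe * (1.0 - pe) ** (M - s) / norm for s in range(1, M + 1)}

def residual_times(pe, M, T_e):
    """Solve T_s = T_e + (1 - pe) T_{s-1} + pe T_M with T_0 = 0.

    T_M appears on both sides, so write T_s = a_s + (1 - c_s) T_M,
    iterate a_s and c_s = (1 - pe)^s, then solve for T_M at s = M.
    """
    a, c = [0.0], [1.0]
    for _ in range(M):
        a.append(T_e + (1.0 - pe) * a[-1])
        c.append((1.0 - pe) * c[-1])
    T_M = a[M] / c[M]
    return {s: a[s] + (1.0 - c[s]) * T_M for s in range(1, M + 1)}

def pairwise_metrics(p_r, M, T_e, p_l, capture_cdf):
    """Return (P_m, L_f) for one witness monitoring one target."""
    pe = ping_response_prob(p_r, p_l)
    P = steady_state(pe, M)
    T = residual_times(pe, M, T_e)
    P_m = sum(capture_cdf(s * T_e) * P[s] for s in P)
    L_f = sum(T[s] * P[s] for s in P)
    return P_m, L_f

def exponential_cdf(mean):
    """ASSUMPTION: exponential capture time X; the slides do not give f_X."""
    return lambda x: 1.0 - math.exp(-x / mean)

if __name__ == "__main__":
    F_X = exponential_cdf(mean=300.0)  # constructed mean capture time (sec)
    for p_r, M in [(0.1, 20), (0.3, 20), (0.3, 40)]:  # constructed sweep
        P_m, L_f = pairwise_metrics(p_r, M, 5.0, 1e-3, F_X)
        print(f"p_r={p_r} M={M}: P_m={P_m:.3f} L_f={L_f / 3600:.1f} h")
```

Raising p_r or M lengthens L_f and raises P_m at the same time, which is the tension the design trade-offs have to resolve.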

Page 17:

Design Trade-offs

• Minimizing $P_m$ requires reducing $M$ and $p_r$

• Maximizing $L_f$ requires increasing $M$ and $p_r$

• Cost (e.g., energy) efficiency requires reducing $p_r$

• Application is more sensitive to $P_m$ than $L_f$

Tradeoffs for Determining $M$ and $p_r$

• Cost analysis (in terms of $p_r$ and node degree $d$)
  • Communication: message RX and TX per node per epoch
  • Computation: MAC verifications and generations, and counter inc.
  • Memory: registers per node (each associated with a neighbor)

• Probability of collision is upper-bounded by
  • Increase K s.t. K >> d

Page 18:

Two Simplistic Examples

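• Case 1: Weak node protection (e.g., obfuscation and physical security)
  - capture-time parameter (subscript $x$): 300 sec; $p_l$: $10^{-3}$; $T_e$: 5 sec
  - $p_r$: 0.23; $M$: 48
  - $L_f$: $10^7$ sec (116 days); $P_m$: 0.2

• Case 2: Strong node protection (e.g., obfuscation and physical security)
  - capture-time parameter (subscript $x$): 18000 sec (5 hrs); $p_l$: $10^{-3}$; $T_e$: 5 sec
  - $p_r$: 0.14; $M$: 80
  - $L_f$: $10^7$ sec (116 days); $P_m$: 0.2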

Page 19:

q-node Probabilistic Pinging Scheme

• An Emergent Protocol

• Goals
  • Robustness of capture-detection scheme against faulty/malicious neighbors’ judgments about a common node
  • Reducing the required energy (e.g., communication) costs for given node security
  • Optimal parameters for given node security measures; e.g., pr, M, pr

Page 20:

q-node Probabilistic Pinging Scheme

[Figure: two diagrams, each showing nodes i and j together with neighbors 1, 2, ..., d-1, d.]

Page 21:

q-node Probabilistic Pinging Scheme

• each neighbor runs pair-wise probabilistic pinging protocol with a (target) node independently

• each received alert flag increments the counter corresponding to the target node kept in all its neighbors

• counter = q => set revocation flag by q parties (consensus among q neighbors about the target node)

• commit revocation flag and broadcast it by all q parties to the entire network

• each revocation flag expires after time T and corresponding Markov chain is reset back to its initial state M

Page 22:

q-node Missed Detection

• missed detection:
  - at least d-q+1 witness neighbors do not flag “node capture”
    or equivalently, at most q-1 neighbors flag “node capture”

$$P_m^{(q)} = \binom{d}{d-q+1} P_m^{\,d-q+1}\,(1-P_m)^{q-1} + \binom{d}{d-q+2} P_m^{\,d-q+2}\,(1-P_m)^{q-2} + \cdots + \binom{d}{d} P_m^{\,d}$$

Page 23:

q-node Missed Detection

- no. of parties, q < d (=20)
- lower Pm than in pair-wise case below threshold q (e.g., q<=14); higher above

[Figure: two plots, each marking the pair-wise case for comparison.]
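The q-node missed-detection sum can be evaluated for every consensus level to locate the point where consensus stops beating a single witness. This is an added example, not code from the talk; d = 20 is taken from the slide, the pair-wise P_m = 0.2 fed in here is a constructed input, and the crossover it yields depends on that input. Function names are hypothetical.

```python
from math import comb

def q_node_missed_detection(p_m, d, q):
    """P_m^(q): at least d-q+1 of the d witnesses miss the capture.

    ASSUMPTION (implied by the binomial form): witnesses miss independently,
    each with the same pair-wise missed-detection probability p_m.
    """
    if not 1 <= q <= d:
        raise ValueError("consensus level must satisfy 1 <= q <= d")
    return sum(comb(d, k) * p_m ** k * (1.0 - p_m) ** (d - k)
               for k in range(d - q + 1, d + 1))

def crossover_q(p_m, d):
    """Largest q whose P_m^(q) is still <= the pair-wise p_m (0 if none)."""
    ok = [q for q in range(1, d + 1)
          if q_node_missed_detection(p_m, d, q) <= p_m]
    return max(ok) if ok else 0

def sweep(p_m, d):
    """(q, P_m^(q), not_worse_than_pairwise) for every consensus level."""
    rows = []
    for q in range(1, d + 1):
        p = q_node_missed_detection(p_m, d, q)
        rows.append((q, p, p <= p_m))
    return rows

if __name__ == "__main__":
    P_M, D = 0.2, 20  # d from the slide; P_m is a constructed input
    for q, p, ok in sweep(P_M, D):
        print(f"q={q:2d}  P_m^(q)={p:.3e}  {'<=' if ok else '> '} pair-wise")
    print("crossover q =", crossover_q(P_M, D))
```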

Page 24:

Expected Residual Time to False Alarm

• False alarm: at least q neighbors inaccurately flag a target node as “captured”

• Residual time-to-false-alarm: the average time it takes for at least q neighbors to reach false alarm

• Lower bound on the expected residual time-to-false-alarm: first q alarm flags arrive within time interval T

$$L_f^{(q)*} = \min E\left[T_{(q)}\right] \quad \text{given} \quad T_{(q)} - T_{(1)} \le T$$

Page 25:

Residual time-to-false-alarm

• Ts vs s in q-level consensus

• note limited number of possibilities for having q-level consensus within time interval T

Page 26:

Probability of False Alarm

• Probability of False-Alarm = Pr(q alerts come within T)
  - depends on q almost exponentially; i.e. exp(-q)
  - threshold values above which the prob. of false alarms is min.; e.g., q >= 4

Page 27:

Rule of Thumb for Setting q

• Set the consensus level q to about 25% to 30% of the node degree to minimize
  - probability of a missed detection
  - probability of a false alarm

• How robust is this “design rule” ?

• Overall cost ?

Page 28:

Ongoing and Future Research

1. Explore the design space for “pinging” protocol
   - vary model parameters within all practical values
   - derive design rules

2. Find semi-synchronous protocols
   - viz., revocation approach of H. Chan et al IEEE-TDSC 2005

3. Find other tell-tale signs of node capture and compose them with current approach.
   - other emergent properties

4. Extend approach to other networks; e.g., mesh nets