Page 1
VDG, Sept 27, 2007 1 Copyright © 2007
Handling New Adversaries in Secure MANETs
Virgil D. Gligor
Electrical and Computer Engineering University of Maryland
College Park, MD. [email protected]
ZISC Wireless Security Workshop, Zurich
September 27-28, 2007
* based on joint work with S. F. Bahari
Overview
1. New Adversary: different from the DY and Byzantine models
   - capabilities: node capture, replication
2. An Approach for Handling Node Capture
   - example of an emergent property
3. Ongoing and Future Research
Approaches for Handling New Adversary
1. Detection and Recovery
   - Ex.: detection of node-replica attacks [Parno et al 2005]
   - Cost? Traditional vs. emergent protocols
   - Advantage: always possible, good-enough detection
   - Disadvantage: "when you've been had, you've been had by a professional" [S. Lipner, ca. 1985]
2. Avoidance: early detection of node capture
   - Ex.: periodic monitoring (depending on node protection)
   - Cost vs. timely detection? False positives? Missed detections?
   - Advantage: avoids the damage done by the new adversary
   - Disadvantage: cannot always be used (e.g., disconnected nodes; are these really networked?)
3. Future: "prevent" attacks
   - questionable proposition
Avoidance: Periodic Monitoring of Target Nodes
Observation: access to Node State (e.g., keys, memory content) requires the node to be taken "off-line" for time X
- X is a random variable depending on
  - node security; e.g., quality of content obfuscation, physical protection
  - node overload; e.g., on-line attempts to access Node State
  - node failure; e.g., tampering with a node while on-line leads to failure

Idea: Node Status (on-line, off-line) monitoring by neighbors in time T
- T < X: capture (i.e., node off-line) is always detected
- T >= X: capture is never detected

Key Design Parameters
- cost (i.e., number and frequency of messages)
- false alarm rate
- missed detection rate
Approach: Periodic Monitoring of Target Nodes

[Figure: a target node with its communication neighborhood (the neighbors that monitor the target) inside a larger keying neighborhood; the monitoring neighbors propagate the target's status outward.]
Pair-wise Monitoring Scheme
• Continuous network self-monitoring in each neighborhood
  - really bad idea?
• Ping message in time: $i \rightarrow j:\; i,\ j,\ \mathit{nonce},\ H(k_{ij};\ \mathit{nonce})$
• Response message in time: $j \rightarrow i:\; j,\ i,\ \mathit{nonce}+1,\ H(k_{ij};\ \mathit{nonce}+1)$
  ($k_{ij}$ is the pair-wise key shared by neighbors $i$ and $j$; $H$ is a keyed hash, i.e., a MAC)
• Interval assignment for pinging based on the node's ID:
  $\mathit{Interval\_no}(i) = (i \bmod K) + 1, \qquad 1 \le \mathit{Interval\_no}(i) \le K$
  - the slide's timeline shows the $n$-th epoch $T_e$ subdivided into pinging intervals $1, 2, \ldots, K$, each of length $T_p$; node $i$ pings during its own interval
  - $K \gg$ node degree (so that neighbors' pinging intervals do not collide)
Pair-wise Monitoring Scheme
• Failure to respond appropriately to a ping message within the next T_p interval suggests node capture
• For example:
  – delayed response past the next T_p
  – inappropriate message content
  – packet loss, collision, or congestion
  – physical damage or battery depletion of the node
• Detection interval T = M × T_e helps distinguish node capture from response failures for other reasons
• Successful capture requires access to the node's internal state within T
• No response within T (i.e., after M retries) => alarm
• Larger T (or M) => increased vulnerability to capture
• Smaller T (or M) => increased false-alarm rate
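The ping/response exchange of the pair-wise scheme, as an added example (this is not the slides' or the authors' code). It assumes HMAC-SHA256 as the keyed hash H, 63-bit random nonces, and the message layout (src, dst, nonce, tag); k_ij is the pair-wise key of neighbors i and j. The "appropriate response" check is the one the slide implies: right peer, nonce+1 of the outstanding ping, valid tag. The interval assignment is included to show why K must exceed the node degree: two neighbors whose IDs are congruent mod K get the same pinging interval.

```python
"""Pair-wise pinging between neighbors i and j (added example, not the slides' code).
Assumed: H = HMAC-SHA256 over the nonce, 63-bit random nonces, message = (src, dst, nonce, tag)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def interval_no(node_id: int, K: int) -> int:
    """Pinging interval of a node within an epoch: (ID mod K) + 1, in 1..K."""
    return (node_id % K) + 1


def keyed_hash(k_ij: bytes, nonce: int) -> bytes:
    """H(k_ij; nonce) from the slide, instantiated (assumption) as HMAC-SHA256."""
    return hmac.new(k_ij, nonce.to_bytes(8, "big"), hashlib.sha256).digest()


@dataclass(frozen=True)
class Msg:
    src: int
    dst: int
    nonce: int
    tag: bytes


class Node:
    def __init__(self, node_id: int, keys: dict):
        self.id = node_id
        self.keys = keys        # neighbor id -> pair-wise key k_ij
        self.pending = {}       # neighbor id -> nonce of the outstanding ping

    def ping(self, j: int) -> Msg:
        """Ping message i -> j: (i, j, nonce, H(k_ij; nonce)) with a fresh nonce."""
        nonce = secrets.randbits(63)
        self.pending[j] = nonce
        return Msg(self.id, j, nonce, keyed_hash(self.keys[j], nonce))

    def respond(self, m: Msg):
        """Response j -> i: (j, i, nonce+1, H(k_ij; nonce+1)); None if the ping is bad."""
        if m.dst != self.id or m.src not in self.keys:
            return None
        k_ij = self.keys[m.src]
        if not hmac.compare_digest(m.tag, keyed_hash(k_ij, m.nonce)):
            return None   # wrong key or corrupted ping: do not answer
        return Msg(self.id, m.src, m.nonce + 1, keyed_hash(k_ij, m.nonce + 1))

    def check_response(self, r) -> bool:
        """'Appropriate' response: right peer, nonce+1 of the outstanding ping, valid tag."""
        if r is None or r.dst != self.id or r.src not in self.pending:
            return False
        expected = self.pending[r.src] + 1
        ok = r.nonce == expected and hmac.compare_digest(
            r.tag, keyed_hash(self.keys[r.src], expected))
        if ok:
            del self.pending[r.src]   # ping answered; stale copies are rejected later
        return ok


def exchange(forge_tag: bool = False) -> bool:
    """One ping/response round; with forge_tag the reply carries a tag made without k_ij."""
    k_ij = secrets.token_bytes(32)
    i, j = Node(1, {2: k_ij}), Node(2, {1: k_ij})
    r = j.respond(i.ping(2))
    if forge_tag:
        r = Msg(r.src, r.dst, r.nonce, keyed_hash(b"not k_ij", r.nonce))
    return i.check_response(r)


def replay_rejected() -> bool:
    """A recorded response to an earlier ping must not satisfy a later ping."""
    k_ij = secrets.token_bytes(32)
    i, j = Node(1, {2: k_ij}), Node(2, {1: k_ij})
    old = j.respond(i.ping(2))
    i.check_response(old)     # genuine round: accepted, pending entry cleared
    i.ping(2)                 # new round, new nonce; the adversary replays `old`
    return not i.check_response(old)


if __name__ == "__main__":
    print("genuine:", exchange(), "forged tag:", exchange(True),
          "replay rejected:", replay_rejected())
    # neighbors 5 and 69 share an interval when K = 64, hence K >> node degree
    print("intervals:", interval_no(5, 64), interval_no(69, 64))
```

A node without k_ij can neither produce a tag that verifies nor reuse an old response, because each ping carries a fresh nonce and the reply must carry nonce+1; the remaining "failures to respond" are then the ones the next slide lists (loss, congestion, damage, or capture), which is what the detection interval T has to sort out.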
Design Objectives – normal mode
• Missed detection: capture time X (pdf f_X(x)) is smaller than the detection interval T
  • Minimize the probability of a missed detection P_m
• False alarm: device did not respond properly in interval T but device is not captured
  • exchanged messages are lost with probability p_l
  • the end of a T = M × T_e interval is reached without a monitoring message ("pinging")
  • Maximize the expected residual time-to-false-alarm of nodes L_f
• Cost: neighbor "pinging" rate
  • p_r = probability of sending a pinging message in T_e
  • Minimize p_r
Markov Chain Model
• Detection (steady) state S_n (0 ≤ S_n ≤ M) of neighbor i w.r.t. neighbor node j at epoch n is determined by:
  • the number of successive T_e epochs s (1 ≤ s ≤ M) in which node i does not ping node j (probability 1 - p_r)
  • the number of successive epochs T_e in which node i has not received any response
    » communication errors with probability p_l
    » node j is captured and unable to respond
• probability of receiving a "ping" response: $P_e = p_r(1 - p_l)$

[Chain diagram: states M, M-1, ..., 2, 1, 0. From each state s ≥ 1 the chain moves to s-1 with probability 1 - P_e (no response in the epoch) and returns to M with probability P_e (response received); state 0 (alarm) is absorbing, with self-transition probability 1.]
Steady State Analysis
• Steady-state probability of being in each state s (no capture in progress); the chain is the one above, with probabilities normalized over the non-alarm states 1..M:

$$P_s = \frac{(1-P_e)^{M-s}\,P_e}{1-(1-P_e)^{M}}, \qquad 1 \le s \le M$$
Probability of being at each state
• Increasing p_r (and P_e) leads to a longer time to false alarm
  • more concentration of probability mass in higher states, i.e., around the regenerative point (state M)
  • but incurs higher energy and communication costs
• Note: $P_e = p_r(1 - p_l)$, where p_l is constant
Missed Detection
• Probability of missed detection
• Given a witness node in state s, the adversary's capture of the target node succeeds only if the capture time satisfies $X < T = s\,T_e$ (the time left before the witness raises an alarm)
• Therefore, $P(\mathit{miss} \mid S_n = s) = P(X \le s\,T_e) = F_X(s\,T_e)$

$$P_m = \sum_{s=1}^{M} P(\mathit{miss} \mid S_n = s)\,P_s = \sum_{s=1}^{M} \frac{(1-P_e)^{M-s}\,P_e}{1-(1-P_e)^{M}}\,F_X(s\,T_e)$$
Missed Detection
• Increasing the detection interval T (or M) increases P_m
  • longer detection interval => more time to complete node capture
• For a given detection interval T (or M), higher p_r => higher P_m
  - in the limit, the entire detection interval T is available to the adversary
False Alarms
• Expected residual time-to-false-alarm, L_f
• T_s = residual time-to-false-alarm in the current state, i.e., the time until the transition to state 0, given state s and no capture in progress
• False alarm rate = inverse of the expected residual time-to-false-alarm

$$L_f = \sum_{s=1}^{M} T_s\,P_s = \sum_{s=1}^{M} \frac{(1-P_e)^{M-s}\,P_e}{1-(1-P_e)^{M}}\,T_s$$

$$T_s = T_e + (1-P_e)\,T_{s-1} + P_e\,T_M, \qquad 1 \le s \le M, \quad T_0 = 0$$
False Alarms
• Increasing p_r increases L_f
  • higher p_r maintains nodes in higher states (i.e., longer time for non-captured nodes to reach the false-alarm state 0)
• Increasing M increases L_f
  • higher M (or T) => higher chance to go back to the regenerative state M
False Alarms
• Sensitivity of L_f to p_r
  • higher p_r leads to more concentration of states around higher values, with correspondingly larger T_s
Design Trade-offs
• Minimizing P_m requires reducing M and p_r
• Maximizing L_f requires increasing M and p_r
• Cost (e.g., energy) efficiency requires reducing p_r
• Application is more sensitive to P_m than to L_f

Tradeoffs for Determining M and p_r
• Cost analysis
  • Communication: message RX and TX per node per epoch
  • Computation: MAC verifications and generations, and counter increments
  • Memory: registers per node (one associated with each neighbor)
• Probability of pinging collisions (a function of the node degree d, p_r and K) is upper-bounded; increase K such that K >> d
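The model of the preceding slides carried through in code, as an added example (not the slides' or the authors' code). It implements the steady-state P_s, the missed-detection probability P_m, the T_s recurrence and L_f exactly as written above; the only assumption beyond the slides is the capture-time distribution, taken here to be exponential with a given mean, since the slides leave f_X unspecified (so the values differ from the slides' two examples). The trade-off statements above can be checked by calling the functions with different p_r and M: L_f grows with both, and so does P_m.

```python
"""Pair-wise monitoring model (added example, not the slides' code).
P_s, P_m, T_s and L_f follow the slides; the capture-time cdf F_X is an assumption
(exponential with mean mean_x), since the slides leave f_X unspecified."""
import math


def response_prob(p_r: float, p_l: float) -> float:
    """P_e = p_r (1 - p_l): a ping was sent and its response was not lost."""
    return p_r * (1.0 - p_l)


def steady_state(p_r: float, p_l: float, M: int) -> list:
    """P_s = (1-P_e)^(M-s) P_e / (1-(1-P_e)^M) for s = 1..M (index 0 unused)."""
    P_e = response_prob(p_r, p_l)
    norm = 1.0 - (1.0 - P_e) ** M
    return [0.0] + [(1.0 - P_e) ** (M - s) * P_e / norm for s in range(1, M + 1)]


def exp_cdf(mean_x: float):
    """Assumed F_X: exponential capture time with the given mean."""
    return lambda x: 1.0 - math.exp(-x / mean_x)


def missed_detection(p_r: float, p_l: float, M: int, T_e: float, cdf_x) -> float:
    """P_m = sum_s P_s F_X(s T_e): from state s the alarm is s T_e away, and a
    capture that finishes within that time is never detected."""
    P = steady_state(p_r, p_l, M)
    return sum(P[s] * cdf_x(s * T_e) for s in range(1, M + 1))


def residual_times(p_r: float, p_l: float, M: int, T_e: float) -> list:
    """Solve T_s = T_e + (1-P_e) T_{s-1} + P_e T_M, T_0 = 0.
    T_M appears on the right-hand side, so write T_s = a_s + b_s T_M,
    propagate a and b upward, then close the loop with T_M = a_M / (1 - b_M)."""
    P_e = response_prob(p_r, p_l)
    a, b = [0.0], [0.0]
    for s in range(1, M + 1):
        a.append(T_e + (1.0 - P_e) * a[s - 1])
        b.append(P_e + (1.0 - P_e) * b[s - 1])
    T_M = a[M] / (1.0 - b[M])
    return [a[s] + b[s] * T_M for s in range(M + 1)]


def time_to_false_alarm(p_r: float, p_l: float, M: int, T_e: float) -> float:
    """L_f = sum_s P_s T_s with no capture in progress; the false-alarm rate is 1/L_f."""
    P = steady_state(p_r, p_l, M)
    T = residual_times(p_r, p_l, M, T_e)
    return sum(P[s] * T[s] for s in range(1, M + 1))


if __name__ == "__main__":
    # parameters of the slides' Case 1, with the assumed exponential X of mean 300 s
    p_r, p_l, M, T_e = 0.23, 1e-3, 48, 5.0
    print("P_m =", missed_detection(p_r, p_l, M, T_e, exp_cdf(300.0)))
    print("L_f =", time_to_false_alarm(p_r, p_l, M, T_e), "s")
```

The recurrence for T_s cannot be evaluated top-down because T_M is unknown; treating T_s as affine in T_M and closing the loop at s = M is the standard way to solve it without a matrix inverse, and it keeps the computation exact for large M.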
Two Simplistic Examples

• Case 1: Weak node protection (e.g., obfuscation and physical security)
• Case 2: Strong node protection (e.g., obfuscation and physical security)

                        Case 1 (weak)          Case 2 (strong)
  capture time X        300 sec                18000 sec (5 hrs)
  p_l                   10^-3                  10^-3
  T_e                   5 sec                  5 sec
  p_r                   0.23                   0.14
  M                     48                     80
  T = M × T_e           240 sec                400 sec
  L_f                   10^7 sec (116 days)    10^7 sec (116 days)
  P_m                   0.2                    0.2
q-node Probabilistic Pinging Scheme
• An Emergent Protocol
• Goals
  • Robustness of the capture-detection scheme against faulty/malicious neighbors' judgments about a common node
  • Reducing the required energy (e.g., communication) costs for given node security
  • Optimal parameters for given node security measures; e.g., p_r, M, q
q-node Probabilistic Pinging Scheme

[Figure: two views of target node j and its d neighbors 1, ..., i, ..., d-1, d; the q-node scheme runs among these neighbors.]
q-node Probabilistic Pinging Scheme
• each neighbor runs the pair-wise probabilistic pinging protocol with a (target) node independently
• each received alert flag increments the counter corresponding to the target node kept in all its neighbors
• counter = q => set the revocation flag by q parties (consensus among q neighbors about the target node)
• commit the revocation flag and broadcast it by all q parties to the entire network
• each revocation flag expires after time T, and the corresponding Markov chain is reset back to its initial state M
q-node Missed Detection
• missed detection:
  - at least d-q+1 witness neighbors do not flag "node capture",
    or equivalently, at most q-1 neighbors flag "node capture"
  - with P_m the pair-wise missed-detection probability of a single witness (witnesses judge independently):

$$P_m^{(q)} = \sum_{k=0}^{q-1} \binom{d}{k} (1-P_m)^{k} P_m^{\,d-k} = P_m^{d} + d\,P_m^{d-1}(1-P_m) + \binom{d}{2} P_m^{d-2}(1-P_m)^{2} + \cdots + \binom{d}{q-1} P_m^{d-q+1}(1-P_m)^{q-1}$$
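The q-node rule of the previous two slides, as an added example (not the slides' or the authors' code). The first part evaluates P_m^{(q)} from the pair-wise P_m under the formula's independence assumption and finds the largest q for which consensus still beats a single witness. The second part is one way to keep the per-target alert counter with flags that expire after T, so that the revocation flag is set exactly when q distinct neighbors alert within a window of length T; this counter design is an assumption consistent with the protocol description, not the slides' implementation, and the alert timelines are constructed.

```python
"""q-node consensus (added example, not the slides' code).
Assumed: witnesses judge independently (as in the binomial formula), and an alert
counter that forgets flags older than T, implementing 'q alerts within T'."""
from math import comb


def q_node_missed_detection(p_m: float, d: int, q: int) -> float:
    """P_m^(q): at most q-1 of the d witnesses flag capture, each flagging w.p. 1-p_m."""
    return sum(comb(d, k) * (1.0 - p_m) ** k * p_m ** (d - k) for k in range(q))


def largest_q_below_pairwise(p_m: float, d: int) -> int:
    """Largest consensus level q whose P_m^(q) is still below the pair-wise p_m (0 if none)."""
    return max((q for q in range(1, d + 1)
                if q_node_missed_detection(p_m, d, q) < p_m), default=0)


class AlertCounter:
    """Per-target record of which witnesses alerted and when; kept by every neighbor."""

    def __init__(self, q: int, T: float):
        self.q, self.T = q, T
        self.flags = {}     # target id -> {witness id: time of its latest alert}

    def alert(self, target: int, witness: int, now: float) -> bool:
        """Record an alert flag; True iff q distinct witnesses alerted within the last T,
        i.e. the revocation flag for `target` is set."""
        w = self.flags.setdefault(target, {})
        w[witness] = now
        for wit, t in list(w.items()):      # expired flags no longer count
            if now - t > self.T:
                del w[wit]
        return len(w) >= self.q

    def reset(self, target: int) -> None:
        """After the revocation flag is committed or expires, start counting afresh."""
        self.flags.pop(target, None)


def consensus_scenarios() -> tuple:
    """Constructed alert timelines for target 7 with q = 3 and T = 100:
    (a) three witnesses within 20 time units -> revocation;
    (b) the third witness arrives after the first two flags expired -> no revocation;
    (c) one witness repeating its alert does not count as three parties."""
    a = AlertCounter(q=3, T=100.0)
    ra = [a.alert(7, w, t) for w, t in ((1, 0.0), (2, 10.0), (3, 20.0))]
    b = AlertCounter(q=3, T=100.0)
    rb = [b.alert(7, w, t) for w, t in ((1, 0.0), (2, 10.0), (3, 150.0))]
    c = AlertCounter(q=3, T=100.0)
    rc = [c.alert(7, w, t) for w, t in ((1, 0.0), (1, 10.0), (1, 20.0))]
    return ra[-1], rb[-1], rc[-1]


if __name__ == "__main__":
    print("largest q below pair-wise P_m (d=20, P_m=0.2):",
          largest_q_below_pairwise(0.2, 20))
    print("revocation in scenarios (a), (b), (c):", consensus_scenarios())
```

Counting distinct witnesses rather than raw flags is what makes the scheme robust to a single faulty or malicious neighbor: repeated alerts from one node never reach q on their own, and a flag that is older than T cannot be combined with fresh ones to manufacture a consensus.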
q-node Missed Detection
- number of parties q < d (= 20)
- lower P_m than in the pair-wise case below a threshold q (e.g., q <= 14); higher above it

[Plot on the slide: P_m^{(q)} versus q for d = 20, with the pair-wise case P_m marked as a reference.]
Expected Residual Time to False Alarm
• False alarm: at least q neighbors inaccurately flag a target node as "captured"
• Residual time-to-false-alarm: the average time it takes for at least q neighbors to reach a false alarm
• Lower bound on the expected residual time-to-false-alarm: the first q alarm flags arrive within time interval T, i.e., $T_{(q)} - T_{(1)} \le T$, where $T_{(k)}$ is the arrival time of the k-th alarm flag among the neighbors; with $T^{*}_{(q)} = T_{(q)}$ given $T_{(q)} - T_{(1)} \le T$,

$$L^{(q)}_{f,\min} = E\big[T^{*}_{(q)}\big]$$
Residual time-to-false-alarm
• T_s vs. s in q-level consensus
• note the limited number of possibilities for having q-level consensus within time interval T

[Plot on the slide: T_s versus state s for q-level consensus.]
Probability of False Alarm
• Probability of false alarm = Pr(q alerts arrive within T)
• depends on q almost exponentially, i.e., ~ exp(-q)
• threshold values above which the probability of a false alarm is minimal, e.g., q >= 4
Rule of Thumb for Setting q
• Set the consensus level q to about 25% to 30% of the node degree d to minimize both the probability of a missed detection and the probability of a false alarm
• How robust is this “design rule” ?
• Overall cost ?
Ongoing and Future Research
1. Explore the design space for the "pinging" protocol
   - vary model parameters within all practical values
   - derive design rules
2. Find semi-synchronous protocols
   - viz., the revocation approach of H. Chan et al., IEEE TDSC 2005
3. Find other tell-tale signs of node capture and compose them with the current approach
   - other emergent properties
4. Extend the approach to other networks; e.g., mesh networks