On the Use of Radio Resource Tests in Wireless ad hoc Networks

Transcription

1 Tecnical Report RT/29/2009 On te Use of Radio Resource Tests in Wireless ad oc Networks Diogo Mónica João Leitão Luis Rodrigues Carlos Ribeiro May 2009

2

3 Abstract Sybil identities are a major treat to te dependable operation of wireless ad oc networks. Tis paper defines a framework to assess te power and performance of radio resource tests (RRT), a tecnique tat allows te detection of Sybil identities. Several RRTs are analyzed and compared using tis framework, including two novel RRTs and an optimization of a RRT previously proposed in te literature. Finally, we sow ow tese tests can be used to detect te presence of Sybil identities in an one-op population, and conclude tat different tests are suitable for different network scenarios.

4 .

5 On te Use of Radio Resource Tests in Wireless ad oc Networks Diogo Mónica João Leitão Carlos Ribeiro Luís Rodrigues Abstract Sybil identities are a major treat to te dependable operation of wireless ad oc networks. Tis paper defines a framework to assess te power and performance of radio resource tests (RRT), a tecnique tat allows te detection of Sybil identities. Several RRTs are analyzed and compared using tis framework, including two novel RRTs and an optimization of a RRT previously proposed in te literature. Finally, we sow ow tese tests can be used to detect te presence of Sybil identities in an one-op population, and conclude tat different tests are suitable for different network scenarios. 1. Introduction Te Sybil Attack is a relevant treat to te secure and dependable operation of wireless ad oc networks. Te name for tis attack was first coined by Douceur in [6]. It consists in aving a malicious node simultaneously assuming multiple identities, commonly called sybil identities. Suc a node can easily disrupt te operation of distributed protocols, suc as distributed storage, routing, data aggregation, voting, intrusion detection, and resource saring [11, 7]. A radio resource test (RRT) is a tecnique tat allows detection of Sybil identities and, terefore, is a fundamental building block for developing dependable arcitectures for wireless ad oc networks. RRTs are a particular case of te more general class of arbitrary resource tests. Resource tests operate under te assumption tat it is possible to establis a bound to te resources available to a single node. Two non-sybil identities must, terefore, be capable of demonstrating tat tey own more aggregate resources tan tose available to a single node. Different kinds of resources can be tested, including computational power, storage capacity, and network bandwidt. Different tests ave tus been proposed in te past [10, 11, 4, 1]. RRTs assume tat eac node as access to a single radio device and builds upon te limitations of tese devices. RRTs ave te potential to support protocols tat do not require pre-configuration, nor pre-sared secrets, improving te scalability of te network. Tis paper makes te following contributions: i) we propose a framework to assess te power and performance of RRTs; ii) we propose a number of novel RRTs; iii) we make a comparative analysis of different RRTs; iv) we discuss ow tese tests can be used to test a population of identities, and determine te cost of suc combined test. Te remainder of tis paper is organized as follows: Section 2 introduces te assumptions made in tis paper and describes te radio resource tests tat will be studied. Section 3 discusses te power and performance of Tis work was partially supported by FCT under grant PTDC/EIA/65588/2006, and by LEMe in te context of project WiMes.

6 different RRTs. Section 4 addresses te use of RRTs for testing larger populations of identities. Section 5 provides a discussion of adequate scenarios for te use of different RRTs. Section 6 concludes te paper and establises some directions for future work. 2. Radio Resource Tests 2.1. Assumptions A radio resource test is typically based on te following assumptions about radio devices [7]: A1) Eac node in te network owns at most a single radio device; A2) Eac device can operate over, at most, K different cannels; A3) No radio device can simultaneously transmit on two different cannels; A4) No radio device can listen simultaneously on two different cannels; A5) A node cannot detect a collision wile transmitting. Eac particular test may use only a subset of tese assumptions. Nodes wit more tan two radio devices can be modeled as multiple colluding nodes. Eac RRT is caracterized by a set of parameters RRT (, c, w) as follows. Parameter is te size of te set S = {s 1,s 2,..., s } of distinct identities tat can be tested simultaneously, in a single test. Parameter c is te number of callenger identities (not in S) tat need to actively participate in te test. Parameter w is te number of tester nodes tat can extract information from te test Tests Being Analyzed Simultaneous Sender Test (SST) Newsome el al. [7] proposed a RRT based on aving te entities to be tested transmit simultaneously on different cannels. In teir original paper, te autors only call teir test radio resource test but, ere, we dubbed it Simultaneous Sender Test (SST) to distinguis it from oter tests. As originally proposed, SST is a RRT (K, 1, 1), i.e., a test tat allows a single node to test simultaneously as many identities as te number of cannels available to te radio devices. Te test operates as follows: Te callenger assigns a different cannel to eac identity being tested. Ten, tese identities start transmitting simultaneously. According to A3, sybil identities will be unable to simultaneously transmit on teir assigned cannels. Te callenger can ten listen to a cannel at random, to verify if te corresponding identity is actually transmitting. If one of te tested identities does not transmit on te assigned cannel, it is assumed to be a sybil identity. Since te callenger can only ceck one cannel at a time, te reply transmissions ave to be repeated r times, to acieve te desired probability of detection. Te required number of rounds r will be derived at a later section. Optimized Simultaneous Sender Test (osst) As te name implies, te Optimized Simultaneous Sender Test (osst) is an optimization of SST. Altoug tis optimization is not referred in any way in [7], we do not list tis test as a novel test, since te optimization is incremental (altoug powerful, as we will see later). Te osst is based on te fact tat te test proposed in [7] can be used as a RRT (K, 0,N K), were N is te number of nodes in te one-op neigborood of te nodes being tested. In fact: i) for a set of k identities (k < N) to be tested, it is possible to devise a deterministic cannel assignment algoritm, tus avoiding te need for an explicit callenger (c =0), and; ii) any node in te one-op neigborood of te nodes being tested can be a tester, i.e. several nodes can detect, at te same time, te existence (or nonexistence) of sybil identities in te set being tested. Simultaneous Receiver Test (SRT) Bot te SST and te osst ave te disadvantage of being very asymmetrical in resource usage: all te tested identities need to transmit during te test. A set of malicious nodes may,

7 terefore, drain te power resources of te network by issuing successive callenges, possibly wit distinct sybil identities. Te Simultaneous Receiver Test (SRT) is a novel RRT (K, 1, 1), tat we now propose. As wit SST, te callenger (wose need may be avoided) assigns a different cannel to eac of te K tested identities. However, in te SRT test, tested identities ave to listen in tose cannels. Te callenger ten sends a message in one of tese cannels, cosen at random. Te corresponding identity is ten required to eco tis message. If one or more of te identities being tested are sybil, accordingly to A4, tey will be unable to listen in all cannels simultaneously, and tere is a probability tat te message will not be ecoed. As before, te callenger may need to perform multiple rounds, to ensure tat sybil identities can be reliably detected. Forced Collision Test (FCT) All te tests described so far require te radio devices to operate in more tan one cannel (i.e., K 2). We now propose a test tat can be performed in settings were radio devices are limited to a single cannel. Te test is based on assumption A5, a known limitation of radio devices [2]. Te Forced Collision Test (FCT) is a RRT (2, 1, 1), were one callenger can test two different identities, s 1 and s 2. Te test operates as follows: s 1 is required to transmit a message M to s 2. If s 2 receives M, it sould retransmit it. During te transmission of M by s 1, te callenger randomly decides to i) cause a collision on te wireless medium, or ii) listen to te medium to verify compliance of s 1. If s 1 and s 2 are different identities, s 2 will be able to retransmit M if tere was no collision, and unable to do so oterwise. If s 1 and s 2 are sybil identities, te malicious node tat controls tem will ave to guess if a collision was generated or not. As in all previous tests, te test must ave r rounds, in order to be conclusive Oter Tests In [8], a somewat different kind of test was proposed. Contrarily to te SST, tis test is completely passive, in te sense tat it does not require te active participation of nodes. Despite tis difference, te main assumptions remain te same. Te autors proposed a protocol, named PASID-GD, tat identifies sybil identities, by comparing te number of expected and observed collisions. However, tis kind of passive approac as a practical problem: it allows te normal participation of sybil identities in te network until tey are detected. Tis means tat an attacker can continuously generate new sybil identities to take te place of tose tat are detected, tereby continuously participating in te network wit multiple identities. Conversely, te use of active tests, suc as te RRTs, allow us to guarantee tat no sybil identities participate in te network before being properly tested. Additionally, a number of tecniques tat rely on location information to detect sybil identities ave been proposed [3, 5, 8, 9]. Suc information can be eiter inferred using radio signal strengt indication [5], or by relying on external components to provide suc information e.g. GPS [9]. Wile te existence of external location sources is plausible for veicular networks, tey are not typical for ad oc networks 1. On te oter and, radio strengt based approaces can be easily attacked, by varying te transmission power, leading to inaccurate detection of sybil identities. 3. Analysis We now discuss te power and performance of eac of te four tests presented earlier: SST, osst, SRT and FCT. Tis analysis considers te following metrics: vulnerability to collusion, message cost, ratio of resource consumption between legitimate and sybil nodes, and syncronization requirements. 1 For instance, it is not typical for laptops to be equipped wit GPS receivers.

8 3.1. Vulnerability to Collusion Collusion appens wen two or more malicious nodes coordinate teir efforts to protect one or more sybil identities. For instance, some malicious nodes may vouc for te sybil identities of oter malicious nodes being tested, making it impossible to identify suc identities as being sybil. Intuitively, one can circumvent colluding nodes by testing simultaneously more identities tan te existing number of colluding nodes. Tis would ensure tat, in tese tests, all colluding nodes would ave to vouc for one of teir own identities, and, tus, all remaining sybil identities would eventually be identified as so. More precisely, to ensure tat a radio resource test RRT (, c, w) operates correctly in environments wit at most m colluding identities 2, we must ave m. Due to tis fact, SST, osst, and SRT can tolerate as many as 1 colluding nodes. Notice tat tese protocols are limited by parameter, wic depends on te total number of radio cannels available to nodes. On sarp contrast, because FCT can only be performed on a pair of nodes, tis protocol cannot operate correctly in te presence of colluding nodes. A single pair of colluding nodes can vouc for an arbitrary large number of sybil identities Message Cost We now discuss te message cost of eac test. We also derive te number of rounds (r) required to detect sybil identities wit a given target probability. Before discussing r, let us look at te cost of a single round for eac test (mt). In SST and osst, eac round requires every tested node to send one message (mt = ). In SRT, at most two messages (mt =2) are excanged (one from te callenger and its eco from te tested node). In FCT, two messages are generated (mt =2), one from one of te tested nodes and anoter from te oter tested node (no forced collision) or from te callenger (forced collision case). Te probability of detecting a given sybil identify in S after r rounds of a RRT (, c, w) test (p d ) is given by: ( p d =1 1 1 ) r Solving in order to r, one can calculate te number of rounds required to attain a specific detection probability: 3.3. Resource consumption r = log (1 p d) log ( 1 1 ) We now discuss te onus tat a RRT (, c, w) test imposes on legitimate nodes wen a malicious node is involved in te test. Te malicious node can be te callenger or te owner of one sybil identity being tested. In tis context, we define te resource consumption cost as te difference between te number of messages sent by correct nodes and messages sent by te malicious node. Notice tat RRTs wit iger cost levels are more vulnerable to denial of service (DoS) attacks. In SST, if te callenger is malicious, it sends a single message to initiate te test and ten eac of te correct nodes send a message on te assigned cannel. Since tere are r transmission rounds, te value of is r 1. If bot te malicious node and its sybil identity are in S, tan te sybil will not reply to te callenger query and, terefore, = r +1 3r. If a malicious node is being tested, but its sybil is not in S, ten = r +1 2r. In SRT, if te malicious node is te callenger, ten as a value of 0 (zero), since te callenger as to send a message for eac reply. If bot a malicious node and its sybil identity are being tested, = 2 3 malicious node is being tested, but its sybil is not, ten = 2 2 r. 2 Notice tat, in scenarios witout colluding nodes: m =1. r. If a

9 Finally, for FCT, as a value of r, if te malicious node is te callenger, 0.5 r if bot te malicious node and its sybil are being tested, and 0.5 r if a malicious node is being tested but its sybil is not. Tus, we ave tat te SST as te worst cost of all te tests, since it is possible for an attacker to consume a large number of network resources, wit a low corresponding effort Syncronization Requirements All RRTs compared in tis paper assume tat te participants in te test ave exclusive access to te medium for te duration of te test. Oterwise, nonparticipating nodes in te test may generate an unbound number of collisions tat, in turn, would make te tests inconclusive. Also, some tests (suc as SST and osst) require nodes to transmit simultaneously. However, in practice, nodes are not required to ave a perfect syncronization; it is enoug to ensure tat te time to transmit a message is orders of magnitude larger tan te allowed amount of desyncronization among nodes (suc tat a node cannot leverage on te desyncronization to send a message on bot cannels). 4. Using te RRTs for Population Control For any RRT (, c, w), K. Naturally, te number of identities tat need to be tested may be greater tan. Terefore, to test a population P composed of N identities, one as to execute a given RRT (, c, w) several times. Tus, te final cost of using a given RRT to test an entire population depends on bot te cost of eac individual test and also of te number of required tests. It will assumed tat all nodes in te system are in radio range (i.e. a single op scenario), and tat a common Time Division Multiple Access (TDMA) sceduler exists, to avoid collision and simplify te sceduling of individual tests. In order to ceck if tere are any sybil identities in P, eac node n must test every group of size ( < N) in P \ {n}. However, detection of a sybil identity can only occur in groups tat include all te colluding malicious nodes (m <) and teir sybil identities. Tere are G suc groups, were: ( ) N m 2 G(N,, m) =. m 1 Taking tis into consideration, te probability tat a callenger node detects a particular sybil identity becomes: p + d =1 ( 1 1 ) r.g(n,,m). (1) Notice tat p + d p d for te same r. In order to ensure a consistent view of P by all non-malicious nodes in P, we require eac sybil identity to be detected by every non-malicious node. Te overall probability of detection of a particular sybil identity is tus given by: p d =(p+ d )N m 1. (2) One could avoid requiring all nodes to perform all te tests, since a node could, upon detecting a sybil identity, simply broadcast a warning. Tat would make te remaining nodes ignore te sybil identity and avoid furter testing. Unfortunately, altoug tis approac allows large improvements on te performance of RRTs, one as to consider tat it also creates te opportunity for a simple attack against te group membersip of correct participants. If a malicious node broadcasts sybil notifications concerning correct participants tey will be expelled from te group, wic can be used at a later time by te malicious node to attack te system (e.g. to attack some majority based protocol being executed in te system).

10 = 2 = 6 = 8 = Probability of detection Number of rounds Figure 1. Probability of detection (p d ) as a function of te number of rounds (r) Figure 1 sows te value of p d for a network composed of 10 identities (N = 10) for distinct values of r and. For reference we also represent P d =0.95 wic is te value we will use in following sections 3. Solving equations (1) and (2) for r allows te specification of te number of rounds required for a desired probability of detection. ( ) log 1 r = R(N,, m, p N m 1 d )= p d G(N,, m).log ( 1 1 ) 4.1. Number of Tests We now express te total number of tests (NT) as a function of N,, m and p d. As previously described, eac node will perform r rounds of tests to all possible combinations of identities of all remaining nodes in te system (N 1). Considering tis, one can easily derive function NT for tis protocol as being: ( ) N 1 NT(N,, m, p d )=R(N,, m, p d ) N However, considering te optimization of SST (osst), te total number of tests decreases substantially, since nodes can avoid testing combinations of identities tat ave already been monitored wen oter nodes performed teir tests. If, on eac test, tere are 0 <w N tester nodes (te callenger node and te passive tester nodes), te function tat describes NT becomes: ( ) N 1 NT(N,, m, w, p d )=R(N,, m, p d ) = R(N,, m, p d ) ( N N w ) N w 3 Altoug we consider p d 0.95 as a case study, tests can be configured to any desired target value of p d.

11 Tis equation clearly sows te advantage of osst, wen configured wit te maximum allowable value for w (i.e. w = N ), in relation to te remaining RRTs (were w =1), for te number of required tests: 4.2. Total Message Cost NT SST/SRT/F CT = NT osst (N ) Te message cost of a RRT is defined as te total number of messages transmitted to complete te protocol. Tis metric is closely associated wit te energy consumption in te system due to execution of eac RRT. Te number of messages transmitted by eac protocol (MT ) can be expressed as te product between te number of tests NT and te number of messages transmitted on eac test (mt): MT (N,, m, w, mt, p d )=NT(N,, m, w, p d ) mt Number of transmissions 2.5 x SST SRT Optimized SST Number of identities in eac test () Figure 2. Total number of message transmissions (MT ) as a function of te number of simultaneously tested identities (). Comparison Table 1 parameterizes te MT function for eac type of test, given te specificities of teir operation. In SST, SRT and FCT te test is only carried by one callenger at a time, w =1. On te oter and, in te optimized version of SST (osst) every node not being tested is testing te group (w = N ). FCT can only test two nodes at a time ( =2) and, tus, can not andle collusion (m =1). Figure 2 plots te functions in Table 1 as a function of (FCT is not plotted because it cannot andle 2), wit N = 20,m=1and p d =0.95. All tree plots sow te same beavior. Te number of transmitted messages is iger for intermediate values of. Terefore, te number of simultaneously tested identities () sould be eiter very low ( =2) or very ig ( = N 1). However, te coice of is also dependent on te maximum number of colluding nodes (m) tat we want to tolerate, and te number of cannels K available (m K). Te non-optimized version of SST is always worse tan te remaining two, but te optimized version (osst) is better tan SRT for < 2N 3 and worse oterwise. Terefore, SRT is better for ig collusion scenarios (m > 2N 3 ) and osst is better for scenarios were fewer cannels are available.

12 Test Messages transmitted Test parameters SST MT (N,, m, 1,, p d ) w =1, mt = osst MT (N,, m, N,, p d ) w = N, mt = SRT MT (N,, m, 1, 2,p d ) w =1, mt =2 FCT MT (N,2, 1, 1, 2,p d ) =2, w =1,m =1, mt =2 Table 1. Number of transmissions per test Figure 3 plots te MT in table 1 as a function of N wit m =1, p d =0.95 and = N 1 for SRT, and =2 for te oters (best case of eac of tem). FCT is always worse tan te oter tree. As expected, for =2, te optimized version of SST beaves better tan te remaining tests. Number of transmissions SST SRT Optimized SST FCT Number of nodes (n) Figure 3. Total number of message transmissions (MT ) as a function of te number nodes (N). 5. Discussion None of te proposed solutions is better tan all te oters in every scenario. Table 2 caracterizes te scenarios were eac solution performs better, wen compared wit oter RRTs. Te optimized version of SST (osst) is most adequate for scenarios wit low and medium collusion and were tere is no danger of denial of service attacks, because it requires te lowest number of messages of all RRT. SRT is te best one for scenarios wit ig levels of collusion (m > 2N 3 ), or were denial of service attacks need to be taken into account, because it as te lowest resource cost level. Finally, FCT is best suited for scenarios were tere is only one cannel available, since all te oter RRT require te simultaneous use of more tan one cannel. 6. Conclusions and Future Work Radio Resource Tests are a viable mecanism for detecting sybil identities in a wireless ad oc network. In tis paper we proposed a framework to compare te power and performance of RRTs. We ave also proposed two novel RRTs and an optimization to a RRT previously proposed in te literature. Furtermore, we ave analyzed

13 Test osst SRT FCT Best application context Low collusion and no DoS treat Hig collusion and/or DoS treat One cannel Table 2. Best application context for eac test tese tests bot in isolation and wen used to test an one-op population. We ave sown tat eac radio resource test is best adapted to a different specific scenario, wic we described. As future work, we would like to explore te idea of aving more sopisticated algoritms to test an entire population, leveraging on different cooperation algoritms among correct nodes. We also plan to explore te possibilities of extending te knowledge gained wit radio resource tests to multi-op networks. References [1] J. Aspnes, C. Jackson, and A. Krisnamurty. Exposing computationally-callenged Byzantine impostors. Tecnical Report YALEU/DCS/TR-1332, Yale University Department of Computer Science, July [2] R. Bar-Yeuda, O. Goldreic, and A. Itai. Efficient emulation of single-op radio network wit collision detection on multi-op radio network wit no collision detection. Distrib. Comput., 5(2):67 71, [3] R. A. Bazzi and G. Konjevod. On te establisment of distinct identities in overlay networks. In PODC 05: Proceedings of te twenty-fourt annual ACM symposium on Principles of distributed computing, pages , New York, NY, USA, ACM. [4] M. Castro, P. Druscel, A. Ganes, A. Rowstron, and D. S. Wallac. Secure routing for structured peer-to-peer overlay networks. SIGOPS Oper. Syst. Rev., 36(SI): , [5] M. Demirbas and Y. Song. An rssi-based sceme for sybil attack detection in wireless sensor networks. In WOWMOM 06: Proceedings of te 2006 International Symposium on on World of Wireless, Mobile and Multimedia Networks, pages , Wasington, DC, USA, IEEE Computer Society. [6] J. R. Douceur and J. S. Donat. Te sybil attack. In Proceedings for te 1st International Worksop on Peer-to-Peer Systems, pages , Cambridge, MA, USA, Mar [7] J. Newsome, E. Si, D. Song, and A. Perrig. Te sybil attack in sensor networks: analysis & defenses. In Information Processing in Sensor Networks, IPSN Tird International Symposium on, pages , [8] C. Piro, C. Sields, and B. N. Levine. Detecting te sybil attack in mobile ad oc networks. Securecomm and Worksops, 2006, pages 1 11, Sept [9] B. Xiao, B. Yu, and C. Gao. Detection and localization of sybil nodes in vanets. In DIWANS 06: Proceedings of te 2006 worksop on Dependability issues in wireless ad oc networks and sensor networks, pages 1 8, New York, NY, USA, ACM. [10] H. Yu, P. Gibbons, M. Kaminsky, and F. Xiao. Sybillimit: A near-optimal social network defense against sybil attacks. In Security and Privacy, SP IEEE Symposium on, pages 3 17, May [11] H. Yu, M. Kaminsky, P. B. Gibbons, and A. Flaxman. Sybilguard: defending against sybil attacks via social networks. SIGCOMM Comput. Commun. Rev., 36(4): , 2006.