Wireless Network Security 18-639: Spring 2011 Arjun Athreya March 3, 2011 Survey: Trust Evaluation
A scenario. LOBOS Management Co. A CMU grad student new to Pittsburgh is looking for housing options in Squirrel Hill, so he has 3 options for choosing a rental company. Student enquires about the following from the company and other grad students: prompt service; adequate heating; recovery of rental deposits!
Theme: Trust Evaluation. Notion of Trust: A set of relations among entities that participate in a protocol. Relations are dependent on evidence generated by previous interactions with the participating entities. Trust evaluation is dependent on the application where the protocol is being used. Evaluation Approach: node-centric or data-centric. Trust values influence decision making for access control, establishing a trusted path, accepting public keys, etc.
PAPERS. Node-Centric Trust: Pietro Michiardi and Refik Molva, CORE: A Collaborative Reputation Mechanism to enforce node cooperation in Mobile Ad Hoc Networks - Proceedings of the IFIP TC6/TC11 Sixth Joint Working Conference on Communications and Multimedia Security: Advanced Communications and Multimedia Security. Data-Centric Trust: Raya et al., On Data-Centric Trust Establishment in Ephemeral Ad Hoc Networks, INFOCOM 2008. Trust models and trust evaluation metrics: George Theodorakopoulos and John Baras, On Trust Models and Trust Evaluation Metrics for Ad Hoc Networks, IEEE Journal on Selected Areas in Communication 2006.
CORE [Michiardi and Molva] Goal: A generic mechanism based on reputation to enforce cooperation among nodes in a MANET to prevent selfish behavior. Integration of CORE with network functions such as forwarding, route discovery, network management and location management. Approach: Each entity keeps track of other entities' collaboration using a technique defined in the paper as reputation. Reputation computation depends on data monitored by the local entity and information from other nodes involved in network operation.
Reputation Concept. Assumptions: Nodes in a network share a common resource (physical medium). Nodes are unrelated to each other and have no a priori information about each other. Reputation is updated in a timely manner through direct and indirect observations, and hence the evaluation is compositional. Definition: Amount of trust inspired by a particular member of a community in a specific setting or domain of interest. Expected result from using the reputation concept: Nodes that are inherently selfish due to energy conservation should not be treated as malicious nodes. The evaluation scheme must take into account sporadic misbehavior.
Reputation Evaluation. Subjective Reputation: Calculated directly from the subject's observation. More relevance given to past observations. Subjective reputation is given by Indirect Reputation: Information provided by other nodes in the network and is represented as Functional Reputation: Subjective and indirect reputation calculated with respect to different functions f such as routing, forwarding etc. Reputation calculation is done using information from subjective reputation and indirect reputation.
THE CORE SCHEME (diagram labels: Request, Update result, Monitor Performance). A provider can check the reputation value of the requester and decide whether to act on the requested function. Each node maintains a reputation table (RT); the RT stores the UID, subjective observation, indirect observation and value of reputation. WATCHDOG MECHANISM: The Requester triggers a watchdog (WD) mechanism to validate the performance of the Provider. The WD checks whether the Provider performed the function correctly by verifying the expected result. If the result is not as expected, a negative rating is assigned and the RTs are updated accordingly.
Reputation Table operations and Cooperation Enforcement. Negative values of reputation are evaluated locally and only positive values of reputation are distributed, because this prevents DoS! Reputation values are decremented over time, to prevent silent nodes that cooperate only when they have something to communicate. The RT is updated only in the reply phase because only the indirect reputation values are updated. CORE assumes that the reply message contains a list of all entities that behaved correctly. Nodes are forced to cooperate, else the negative reputation ratings will not allow them to access any of the resources or participate in the network.
CORE - Limitations. The CORE logic does not address mobility in its discussions. CORE logic works well in very small networks where the diameter of the network should not be more than 2 or 3 hops. The watchdog mechanism assumes that the watchdog can monitor a whole network or at least a complete path. May not scale!
On Data-Centric Trust Establishment in Ephemeral Ad Hoc Networks, Raya et al. Goal: Establish trust in data rather than nodes in data-centric and ephemeral networks such as VANETs. Approach: Dynamic factors such as time and location are used to derive data trust relations. Trust relations must be established and re-established frequently. Trust must not stem from a single source of data, and trust must be established from multiple pieces of evidence. A logic derived by the authors weighs each individual piece of evidence, and the data itself is used to output the level of trust in these data. Use of Bayesian inference and Dempster-Shafer.
General framework. Composite events in a network are unions of multiple basic events. Nodes are given a default trustworthiness (a value in the range 0 to 1) based on their type. Event-specific trustworthiness is based on nodes of certain types and their default trustworthiness. Security status: whether a node is revoked or legitimate. Dynamic trust metric functions are defined where for each attribute a real value in [0,1] is calculated. Trustworthiness of slowly evolving information is captured by default values, and the trustworthiness of dynamically changing information is captured by the dynamic metrics. The function combining both of these will return a value in [0,1].
Data centric trust establishment framework
Evidence evaluation. Majority Voting (MV): The combined trust level of an event is given by the sum of evidence values reported. if the evidence of the event is reported else the value is 0. Most Trusted Report (MTR): Outputs a trust level equal to the maximum value of the trust levels assigned to reports about the event. Weighted Voting (WV): sums up all the votes supporting an event with each vote weighted by the corresponding trust level.
Evidence evaluation Bayesian Inference: Combined trust level of an event is the posterior probability of the event given by the new evidence set of independent events. = Dempster-Shafer Theory: Requires no prior information, and the probability is replaced by an uncertainty interval.
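The five decision logics above, run side by side on one set of reports, as an added example that is not from the slides or the cited paper. Assumptions: the report values are constructed, voting sums are normalised by the number of reports, the Bayesian likelihood is F for a supporting report and 1 - F otherwise, the Dempster-Shafer mass is F on the reported event and 1 - F on the whole frame, and the frame is restricted to two events.

```python
from math import prod
EVENTS = ("accident", "clear")
# Constructed sample: (event the report supports, trust level F of the report).
REPORTS = [("accident", 0.9), ("accident", 0.8),
           ("clear", 0.6), ("clear", 0.6), ("clear", 0.6)]

def majority_voting(reports, event):
    # Unweighted: a report counts 1 if it supports the event, else 0.
    return sum(e == event for e, _ in reports) / len(reports)

def most_trusted_report(reports, event):
    return max((f for e, f in reports if e == event), default=0.0)

def weighted_voting(reports, event):
    # Each supporting vote is weighted by the report's trust level.
    return sum(f for e, f in reports if e == event) / len(reports)

def bayesian_inference(reports, event, prior=None):
    # Assumed likelihood: P[report | h] = F if the report supports h, else 1 - F.
    prior = prior or {h: 1 / len(EVENTS) for h in EVENTS}
    def joint(h):
        return prior[h] * prod(f if e == h else 1 - f for e, f in reports)
    total = sum(joint(h) for h in EVENTS)
    if total == 0:
        raise ValueError("evidence contradicts every hypothesis")
    return joint(event) / total

def dempster_shafer(reports, event):
    # Assumed mass assignment: F on the reported event, 1 - F on the whole
    # frame ("any", i.e. uncertainty). Reports are fused with Dempster's rule.
    a, b = EVENTS
    m = {a: 0.0, b: 0.0, "any": 1.0}
    for e, f in reports:
        n = {a: 0.0, b: 0.0, "any": 1.0 - f}
        n[e] = f
        k = 1.0 - (m[a] * n[b] + m[b] * n[a])   # 1 - conflicting mass
        if k == 0:
            raise ValueError("totally conflicting reports")
        m = {a: (m[a] * (n[a] + n["any"]) + m["any"] * n[a]) / k,
             b: (m[b] * (n[b] + n["any"]) + m["any"] * n[b]) / k,
             "any": m["any"] * n["any"] / k}
    return m[event]  # belief in a singleton equals its combined mass

LOGICS = {"MV": majority_voting, "MTR": most_trusted_report,
          "WV": weighted_voting, "BI": bayesian_inference, "DST": dempster_shafer}

def decide(reports):
    # For each decision logic, the event with the highest combined trust level.
    return {name: max(EVENTS, key=lambda ev: fn(reports, ev)) for name, fn in LOGICS.items()}
```

With two highly trusted reports against three moderately trusted ones, MV and WV side with the majority while MTR, BI and DST side with the more trusted minority.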
Experimental setup. VANETs are used as a case study for the proposed trust evaluation scheme. Nodes are vehicles and RSUs; authorities are public agencies or corporations. The fraction of the network affected is bounded, since only a small fraction of nodes are adversaries. Vehicle A wants to communicate with vehicle B, and they are several communication hops away. The event for A to evaluate trust in is "There is an accident at location Lb"; the attacker sends the opposite of the event data. What to look for? How many reports are needed and the time in which the decision logic converges. Study the effect of % of false reports, prior knowledge, uncertainty and evolution in time on the probability of attack success.
Results Discussion. No decision logic is a clear choice for all attacker models. If uncertainty in the network is low, BI is shown to be resilient to false reports. If availability of prior knowledge is high, then BI is most resilient. If uncertainty in the network is high, DST performs consistently better than other methods.
On Trust Models and Trust Evaluation Metrics for Ad Hoc Networks (George Theodorakopoulos and John Baras). Goal: Evaluation of trust evidence in ad hoc networks. Assumptions and Constraints: 1. No pre-established infrastructure, i.e. no centralized PKI, CAs etc. 2. Evidence is uncertain and incomplete. Uncertain because evidence is created on the fly, and incomplete because all friendly nodes may not be reachable in the presence of adversaries. 3. Trust metric cannot impose unrealistic communication or computation requirements. Approach: 1. Evaluation process is modeled as a path problem on a directed graph with nodes representing entities and edges representing trust relations.
Semiring-based trust evaluation. System Model metrics - Trust inference model is viewed as a generalized shortest path problem on a weighted directed graph G(V,E). A weighted edge from vertex i to vertex j corresponds to the opinion that entity i. - Opinion: Is made of a trust value and a confidence value - Trust value is an estimate of the target's trustworthiness - Confidence is the accuracy of the trust value assignment
Trust inference problem formalization. Version 1: Finding the trust-confidence value that a source node A should assign to a destination node B, based on the intermediate nodes' trust-confidence values. Important in deciding whether to grant access to a node or not. DISTANCE SEMIRING. Version 2: Finding out the most trusted path between nodes A and B. Important in establishing a trusted path even though we trust the destination node. PATH SEMIRING.
Semirings A semiring is an algebraic structure where S is a set with the two binary operators.
Trust Semirings. Opinion deteriorates along a path, given by the difference operator. Opinion quality across paths is expected to improve, but if negative opinions exist then the more confident one weighs heavier. Associativity: Allows incremental calculation of results. Helps in cases such as trust evaluation in multiple paths or concatenation of paths. Order of aggregation is not relevant! Distributivity: Even though it allows incremental calculation, it ignores the opinion dependence while aggregating. (Figure labels: Real topology; Trust topology as perceived by the source.)
Path semiring. Opinion space is S = [0,1] × [0,1] and the trust is evaluated as This semiring essentially computes trust distance along the most confident trust path to the destination. If the trust value turns out to be high, then we have discovered a trusted path to the destination.
Distance semiring. The expectation semiring is used, with the opinion space (t,c) pair mapped to (c/t, c). A zero trust value in either opinion results in the resulting opinion having zero trust, and an infinite trust causes the corresponding opinion to disappear from the result. Since aggregation across paths is a harmonic mean, trust is biased more towards the one with highest value.
Generic single source shortest distance calculation. d(i) holds the current estimate of the shortest distance from s to i. S is a queue that contains vertices to be examined for their contribution to the shortest path weights.
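The generic single-source computation described above, instantiated with the path semiring, as an added example that is not from the slides or the cited paper. Assumptions: the operator definitions (multiply trust and confidence along a path; across paths keep the more confident opinion, and on a tie the higher trust) are stated here because the slide's formula did not survive, r(i) is the extra bookkeeping array of the queue-based generic algorithm, and the graph and opinion values are constructed.

```python
from collections import deque

ZERO, ONE = (0.0, 0.0), (1.0, 1.0)   # (trust, confidence) identities for oplus / otimes

def otimes(a, b):
    # Along a path: trust and confidence both deteriorate multiplicatively.
    return (a[0] * b[0], a[1] * b[1])

def oplus(a, b):
    # Across paths: keep the more confident opinion; on a tie, the higher trust.
    if a[1] != b[1]:
        return a if a[1] > b[1] else b
    return (max(a[0], b[0]), a[1])

def single_source(graph, s):
    # d[i]: current estimate of the opinion the source s holds about i.
    # r[i]: weight added to d[i] since i was last taken from the queue.
    d = {v: ZERO for v in graph}
    r = {v: ZERO for v in graph}
    d[s] = r[s] = ONE
    queue = deque([s])
    while queue:
        q = queue.popleft()
        rq, r[q] = r[q], ZERO
        for nxt, w in graph[q].items():
            cand = otimes(rq, w)
            new = oplus(d[nxt], cand)
            if new != d[nxt]:            # relax only when the estimate changes
                d[nxt] = new
                r[nxt] = oplus(r[nxt], cand)
                if nxt not in queue:
                    queue.append(nxt)
    return d

# Constructed trust graph: edge i -> j carries i's (trust, confidence) opinion of j.
GRAPH = {
    "A": {"B": (0.9, 0.3), "C": (0.8, 0.9)},   # A's direct opinion of B is unsure
    "B": {"A": (0.5, 0.5)},                    # cycle back to the source
    "C": {"B": (0.7, 0.9), "D": (0.2, 0.95)},
    "D": {},
    "E": {},                                   # unreachable from A
}

if __name__ == "__main__":
    for node, opinion in single_source(GRAPH, "A").items():
        print(node, opinion)
```

The two-hop opinion of B through C wins over A's direct opinion because its combined confidence is higher, even though its trust value is lower.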
Experimental setup. A small-world type topology of 100 nodes. Some nodes are good and some nodes are bad. Only good nodes are allowed to vote in the trust decision making process. At each round of the algorithm 1) direct opinions of each node for its neighbors reach the correct opinion and 2) the good node calculates the indirect opinion for all other nodes. If trust evidence is insufficient, then no decision is made on a node. 3 runs of the experiment for 10%, 50% and 90% bad nodes.
EXPERIMENTAL RESULTS (figures: 50% bad nodes in round 30; 50% bad nodes in round 70; node classification, 10%-50%-90% bad nodes)
Conclusion. CORE essentially proposes a node-centric trust evaluation scheme. But how does one implement a watchdog in a mobile network? In fact, CORE has no facts in the paper supporting mobility. The proposal on data-centric trust evaluation seems to be more viable than CORE, but do decision logics always converge in time? The trust evaluation metric proposed by George and Baras is more generic and assumes it gets details from the lower and upper layers to make decisions at the network layer. A more generic mechanism suitable to either of the trust evaluation mechanisms. So, in a mobile ad-hoc network trust evaluation is as tricky as it can get. It is as hard as coming up with one standard routing protocol for mobile ad-hoc networks.