Title: Universe Detectors for Sybil Defense in Ad Hoc Wireless Networks
1Universe Detectors for Sybil Defense in Ad Hoc
Wireless Networks
- Adnan Vora
- Mikhail NesterenkoSébastien Tixeuil
- Sylvie Delaët
- Detroit, Michigan
- November 21, 2008
2Sybil Attack and Ad Hoc Wireless Networks
- Sybil attack Doceur02 faulty node (or
attacker) compromisesthe system by creating
multiple identities that system perceives as
separate - attacker can
- overwhelm systems resources by turning attack
into denial-of-service - subvert routing infrastructure, message
transmission, etc. - problem is related to Byzantine fault tolerance
(faulty node behaves arbitrarily) and straddles
fault-tolerance and security domains - Ad Hoc wireless networks potential target
- ad hoc no initial topological knowledge
- wireless - broadcast medium allows identity
creation - Sybil defense is lumped together with DoS,
considered intractable and seldom addressed
3Sybil in Wireless What to Do?
- critical aspects
- asynchrony allows faulty node to create
arbitrary number of identities - broadcast medium difficulty to ascertain sender
identity -
- problematic solution approaches
- cryptography e.g. sender digitally signs
messages, receiver verifies and discards
incorrect ids problem - needs key-based infrastructure
- requires nodes to handle cryptographic operations
- reputation nodes observe each other, if one
deviates from protocol, others notice and report - implicitly presumes reliable identify recognition
- wireless features that enable Sybil defense
- broadcast medium message is received by all
nodes in vicinity - received signal strength (RSS) allows distance
estimation - note that faulty node may change transmission
signal strength (TSS) - need to only discover nodes in range further
topology discovery is already possible NT06
4Outline
- model and notation
- problem definition
- impossibility of standalone solution
- universe detectors
- bounds on detectors
- necessary node density
- necessary transmission range
- Sybil attack resilient neighborhood discovery
algorithm SAND - detector interface issues
- algorithm description
- detector optimality
- related work
- extensions and further work
5Outline
- model and notation
- problem definition
- impossibility of standalone solution
- universe detectors
- bounds on detectors
- necessary node density
- necessary transmission range
- Sybil attack resilient neighborhood discovery
algorithm SAND - detector interface issues
- algorithm description
- detector optimality
- related work
- extensions and further work
6Model
- asynchronous execution model (faulty node can
create infinitely many ids) - all nodes know their geographic coordinates, no
other ids - nodes
- real - either correct or faulty
- fictitious introduced by faulty nodes
- neighborhood of node u set of nodes within
distance d of u - free space model of signal propagation R cT/r2
- Tr - fixed TSS at which correct nodes broadcast,
TSS of faulty nodes - arbitrary - Rmin minimum RSS at which signal is received
- nodes can accurately measure the RSS above Rmin,
- on basis of RSS and assuming Tr can compute
distance to sender, range rt max legit
distance to receive message - conflict - distance does not match nodes id
(coordinates) - message receipt is reliable, every message
contains senders id - universe subset of nodes (transmissions) that
do not conflict - real no fictitious nodes
- complete contains all correct nodes
- locality - each process ignores messages from
nodes out for range rt and outside its
neighborhood distance d
rt
u
dn
7The Neighborhood Discovery Problem
- each correct node u needs to output a set of its
neighbors - safety a set contains all correct neighbors and
no fictitious ones - liveness eventually, u outputs a set containing
all correct neighbors - problem variants
- strong (SNDP) safety and liveness as above
- weak (WNDP) safety is relaxed to allow a subset
of correct neighbors - eventual (?NDP) safety satisfied only
eventually - a solution to ?NDP is a solution WNDP which in
turn is a solution to SNDP
8Outline
- model and notation
- problem definition
- impossibility of standalone solution
- universe detectors
- bounds on detectors
- necessary node density
- necessary transmission range
- Sybil attack resilient neighborhood discovery
algorithm SAND - detector interface issues
- algorithm description
- detector optimality
- related work
- extensions and further work
9Neighborhood Discovery Is Impossible
- Theorem 1. In an asynchronous system, none of the
three variants of the neighborhood discovery
problem are deterministically solvable in the
presence of a single Byzantine fault.
- intuition two cases k is real, k is
fictitious. - f ensures u gets the same sequence of messages
with the same RSS forcing u to make identical
decision
f
f
k
k
u
u
dn
dn
10Abstract Universe Detectors
- need to augment the model to make the problem
solvable - correct node may detect conflicts and separate
nodes into universes however cannot decide which
universe is real - universe detector points to real universe
- properties
- completeness if computation contains a suffix
where node outputs a real and complete universe
in every state, this computation also contains a
suffix where the detector points to it - accuracy if a detector points to the universe,
it is real and complete - detector classes
- strongly perfect (SPU) both completeness and
accuracy as above - weakly perfect (WPU) may point to real
universe even if it is incomplete - eventually perfect (?PU) completeness and
accuracy only eventual - SPU ? WPU ? ?PU
- solution is conflict aware if two nodes that do
not conflict always belong to the same universe - disallows trivial solution node creates all
possible combinations of nodes that is it is
aware of one of the universes has to be real
and complete
11Outline
- model and notation
- problem definition
- impossibility of standalone solution
- universe detectors
- bounds on detectors
- necessary node density
- necessary transmission range
- Sybil attack resilient neighborhood discovery
algorithm SAND - detector interface issues
- algorithm description
- detector optimality
- related work
- extensions and further work
12Snare
- a retinue Ef of a faulty node f is assignment of
correct nodes if x belongs to Ef , then every
node y such that yf lt xf also belongs to Ef - deception field of a retinue Ef is an area where
f can place fictitious nodes without retinue
members detecting conflicts - snare - a point k in the neighborhood of u such
that - exists retinue assignment to faulty nodes in the
neighborhood - the intersection of the deception fields contains
k - perfect snare all correct neighborhood
nodesare in retinues
retinue of f1
retinue of f2
retinue of f1
retinue of f2
f1
y
y
f1
f2
f2
x
x
z
z
u
dn
u
dn
ab/(b-a)
deception field
z
f
fz
x
a
min(fy,fx)
b
y
f
min(rt,dn)
x
y
min(rt,dn)
fz
deception field
min(rt,dn)
deception field
13Necessary Node Density
- Theorem 2. There is no conflict aware well-formed
deterministic solution to any of the neighborhood
discovery problems despite the availability of
the universe detectors if one of the considered
layouts contains a perfect snare.
- intuition a faulty node may place a fictitious
node in the snare
ab/(b-a)
deception field
z
f
fz
x
a
min(fy,fx)
b
y
f
min(rt,dn)
x
y
min(rt,dn)
fz
deception field
min(rt,dn)
deception field
14Necessary Transmission Range
- Theorem 3. There is no conflict-aware
deterministic solution for any of the
neighborhood discovery problems despite the
availability of universe detectors and lack of
snares if the node transmission range rt is less
than double the neighborhood distance dn. - intuition faulty node may force separation of
correct nodes into different universes
if f1 invents node k, y conflicts with k forcing
x to put k and y into separate universes
f2 sends the same message as f1 making y to
issue a conflict andforcing x to separate k and y
f1
rt
rt
f2
k
k
y
y
dn
dn
x
x
fictitious
real
15Outline
- model and notation
- problem definition
- impossibility of standalone solution
- universe detectors
- bounds on detectors
- necessary node density
- necessary transmission range
- Sybil attack resilient neighborhood discovery
algorithm SAND - detector interface issues
- algorithm description
- detector optimality
- related work
- extensions and further work
16Detector Interface Issues
- encoding universes
- every conflict message may potentially split
existing universes ? naïve encoding produces
exponential size input for detector - pass conflicts themselves instead, detector can
reconstruct universes - impossible to ascertain sender, detector has to
handle it - ? detector has to output universes rather than
justpoint to them
universe U
conflict between x and y
conflict between u and v
17SAND Sybil attack resilient neighborhood
discovery algorithm
- message receipt properties
- receives announce from every correct node in the
neighborhood - announce from each correct node is confirmed by
every correct node in the neighborhood - messages from correct nodes do not conflict
- a message from a fictitious node is always gets a
conflict from a correct node - DEP
- matches each message with confirm or conflict
- note
- matching may not be unique
- there may not be an original message to match
- there may be cycles
- DEP may grow infinitely
- algorithm SAND
- messages announce, confirm, conflict
- confirm and conflict sent in
reply and carry initiating
messages information - once send announce
- receive message ?
- if message from inside the range and about the
- node in the neighborhood then
- if correct announce then send confirm
- if incorrect message then send conflict
- update dependency graph DEP
- universe detector points to a universe ? output
universe
18Concrete Detectors
- define concete detectors that accept DEP and
output universes as abstract ones - cSPU always outputs real and complete universe
- cWPU may output incomplete universe, but
eventually outputs complete - ?cPU eventually outputs real and complete
- Theorem 4. Assuming absence of simple snares and
assuming that transmission range is at least
twice as large as neighborhood distance SAND
provide a conflict-aware deterministic solution
to the Neighborhood Discovery Problem as follows
SNDP if cSPU detector is used WNDP if cWPU is
used, ?NDP if ? cPU is used. - Chandra et al CHT96 defined weakest detector U
to solve a problem P. Similar reasoning can be
applied to universe detectors. - there is an algorithm A that uses U to solve P
(this is due to theorem 4) - there is another algorithm B that uses an
arbitrary solution S to P to implement U - output of a neighborhood discovery problem can be
immediately used to implement the corresponding
detector - ? Proposition 1 Concrete universe detectors
cSPU, cWPU and ?cPU are the weakest detectors
required to solve SNDP, WNDP and ?NDP
respectively.
19Related Work
- Demirbas and Song DS06 describe an experiment
of using RSS for Sybil attack detection. - Delaet et al DMRT08 and Hwang et al HHK07
consider Sybil attack in synchronous wireless
networks - Nesterenko and Tixeuil NT06 study how, despite
Byzantine faults, each node can discover the
complete topology of the system once all the
neighborhoods are known. - There is a large body of literature on secure
location identification CH06, KZ03, LPC05,
SSW03, VN06. Secure communication between
identifying correct nodes is assumed.
20Detector Implementation and Future Research
- implementation may vary depending on application
properties - bounds of faulty nodes speed, transmission power
- selective use of security
- exploiting topological knowledge of network (e.g.
all nodes know it is a grid) - future research
- what are the properties of SAND? can it provide
more info to detectors? We suspect not - extend discussion to more realistic radio models
- comparing fault and universe detectors
- fault detectors is all that is necessary to solve
consensus - universe detectors need topological constraints
21Thank You