Trust Based Link Selection - PowerPoint PPT Presentation

Provided by: sind2

Transcript and Presenter's Notes



1
  • Trust Based Link Selection
  • Presented by Sindhu Karthikeyan
  • Date: August 20th, 2004.

2
Introduction
  • In routing protocols for sensor networks,
    untrustworthy nodes can send malicious routing
    messages to their neighbors, which negatively
    affects the routing protocol.
  • The paper therefore proposes a trust metric that
    assists nodes in making routing decisions.
  • Trust is a composition of the age of a node and
    the observed behavior of a node.
  • Age of a node: the amount of time that the node
    has been known to exist by the observer.
  • Behavior of a node: quantified by maintaining a
    behavior metric for each node.

3
Assumptions and notations
  • A general distance vector routing protocol is
    considered.
  • A sensor network is composed of two types of
    nodes, namely sensors and sinks.
  • Sink: the destination node.
  • Messages in the network are classified as either
    routing messages or data messages.
  • Routing messages are used to form the network
    topology, and data messages are sent to the sink
    using that topology.

4
Assumptions (contd.)
  • Nodes maintain a table of potential next hops to
    forward messages to the sink.
  • Nodes select the next hop by evaluating the
    distance metric of neighboring nodes.
  • Secure communication between nodes is not
    presumed, even if it may exist.
  • Malicious nodes may impersonate honest nodes, and
    have resources similar to other nodes in the
    network.
  • No node can suppress the ability of any two
    nodes to communicate with each other.
  • Malicious nodes cannot selectively alter the
    packets in transit.

5
Notations
  • 1. A network is a set of nodes X =
    {x1, x2, ..., xn}.
  • 2. A message M sent by xj to node xi with return
    address xk is written xj(xk) → xi M.
  • The reception of a message at a node is known as
    a message event.
  • 3. xj(xj) → xi M implies that the sender has not
    forged the return address; it can be abbreviated
    as xj → xi M.
  • 4. The set of xi's neighbors is labeled Xi.
  • 5. A malicious node is denoted by a ∈ Xi.
  • 6. A node xi maintains 2 tables for its
    neighbors, designated Ti and Ui, where Ti ⊆ Ui.

6
Notations
  • 7. For a field z in Ui, the field's value for
    node xj is denoted by Ui.z(xj).
  • 8. The number of entries in Ui at a particular
    moment is |Ui|, and is bounded by a maximum size
    of Uimax.
  • 9. Table Ti is a trusted subset of Ui.
  • 10. The current time given by a node's local
    clock is time(now).
  • 11. A node can perform a specified action as the
    result of the local clock reaching a specified
    time; this action is known as a timer event.
  • 12. Xi ∈ Ti indicates that the table Ti contains
    an entry for node Xi.

7
Trust-Based Link Selection
  • Trust-Based Link Selection uses a trust metric
    for next hop selection in addition to the common
    metrics such as the distance to the sink.
  • Trust is viewed as a composition of age and
    behavior metrics.

8
  • The trust-based link selector acts as a filter
    for the routing protocol, as seen in the figure.
    Incoming messages pass through it and are handed
    to the routing mechanism with an indication of
    trust in the sender.
  • The routing protocol then uses distance and link
    quality metrics to decide favorable next hops
    from among the trustworthy nodes.
  • The routing protocol chooses links from nodes in
    Ti, and the link selector updates trust metrics
    for nodes in Ui.

9
Age metrics
  • An age metric relates a node to a time of known
    existence.
  • Every entry in Ui has 2 fields: the age of the
    node (am) and the time the node was last heard
    (l).

10
Age metrics (contd.)
  • Age calculation
  • This sequence of actions occurs when a node xj
    initially enters Ui:
  • Ui.am(xj) = 0
  • Ui.l(xj) = time(now)
  • When a message event xk(xj) → xi M occurs at xi:
  • Ui.am(xj) = Ui.am(xj) + (time(now) - Ui.l(xj))
  • Ui.l(xj) = time(now)

11
Aging Constraints
  • An aging constraint can be either absolute or
    relative.
  • The absolute aging constraint is given as
  • C(xj, Ti) = (Ui.am(xj) > va)
  • where va is some age threshold.
  • The relative aging constraint is given as
  • C(xj, Ti) = (Ui.am(xj) > β · f(ages(Ti)))
  • where β lies between 0 and 1, and ages() returns
    the set of ages for the nodes in Ti.

12
Age-Based Trust Example
  • Let's assume Uimax = 6 and Timax = 3, as shown in
    the figure.
  • d: distance in number of hops to the sink.
  • q: quality metric in the range [0, 100].
  • am: age field, shown in minutes.
  • l: time the node was last heard from, given as a
    timestamp value.
  • The aging constraint is chosen as
  • C(xj, Ti) = Ui.am(xj) > (0.9) · Avg(ages(Ti))
  • This means that when a node's age exceeds 90% of
    the average age of the nodes in Ti, the node
    temporarily becomes trustworthy.

13
  • Now a malicious node a arrives, as shown in the
    above figure.
  • Given that the average age of the nodes in Ti is
    110 when a arrives, the age constraint is
    fulfilled when
  • Ui.am(x7) > (0.9) · Avg(ages(Ti))
  • > (0.9) · (Ui.am(x7) + 110)
  • Every age grows with xi's clock, so the average
    stays 110 ahead of x7's age; solving gives
    Ui.am(x7) > 990.
  • Thus x7 is considered as the next hop only after
    990 minutes have elapsed.
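
The age bookkeeping and the relative aging constraint from the preceding slides, replayed in Python to reproduce the 990-minute figure (an added example, not code from the presentation or the paper). The three trusted ages (100, 110 and 120 minutes, average 110), the once-a-minute message schedule and the rule that an empty Ti admits any node are assumptions.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Entry:
    am: float  # age metric Ui.am(xj), in minutes
    l: float   # time last heard, Ui.l(xj)

class NeighborTable:
    """Observer xi's table Ui and trusted subset Ti (field names from the slides)."""
    def __init__(self, beta):
        self.beta, self.U, self.T = beta, {}, set()

    def on_message(self, node, now):
        """Message event whose return address is `node`, at local time `now`."""
        e = self.U.get(node)
        if e is None:                      # first sighting: am = 0, l = time(now)
            self.U[node] = Entry(0.0, now)
        else:                              # am = am + (time(now) - l); l = time(now)
            e.am += now - e.l
            e.l = now

    def age_ok(self, node):
        """Relative constraint C(xj, Ti) = am(xj) > beta * Avg(ages(Ti))."""
        ages = [self.U[n].am for n in self.T]
        if not ages:                       # assumption: an empty Ti admits anyone
            return True
        return self.U[node].am > self.beta * mean(ages)

def minutes_until_trusted(trusted_ages, beta=0.9, limit=10_000):
    """Minutes after arrival at which newcomer "x7" first satisfies C(x7, Ti)."""
    tbl = NeighborTable(beta)
    for i, age in enumerate(trusted_ages, start=1):   # constructed trusted set
        tbl.U[f"x{i}"] = Entry(float(age), 0.0)
        tbl.T.add(f"x{i}")
    tbl.on_message("x7", 0.0)                         # x7 enters Ui at t = 0
    for t in range(1, limit + 1):
        for node in list(tbl.U):                      # every neighbour heard each minute
            tbl.on_message(node, float(t))
        if tbl.age_ok("x7"):
            return t
    return None

if __name__ == "__main__":
    print(minutes_until_trusted([100, 110, 120]))     # average age 110, as in the slides
```

With one-minute steps the strict inequality first holds at minute 991, that is, only after 990 minutes have elapsed.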

14
Behavioral Metrics
  • Behavior-based trust is realized through the use
    of a behavioral metric (bm).
  • Each entry in Ui is augmented with the field bm,
    which ranges over [0, bmmax], where bmmax is 255.
  • This property is described and checked using a
    modified finite state machine model called a
    Message Monitoring Finite State Machine (MMFSM).

15
MMFSM
  • The MMFSM in the above figure checks whether or
    not a node forwards messages that the observer
    xob sends to it.
  • When xob sends a message M to an arbitrary node
    xj, xob notes the current time and the message
    msg, and proceeds to l1.
  • If timeout seconds have passed while xob is
    still verifying xj in location l1, location l4
    is entered and xob updates the field:
  • Uob.bm(xj) = Uob.bm(xj) - m4

16
MMFSM
  • The transition to location l3 represents the case
    where xj forwards the message M after receiving
    it, but the content of M has been corrupted and
    violates the content of the message.
  • The transition to location l2 occurs when xj
    correctly forwards the message M; the function
    satisfies() checks the consistency of the 2
    messages, M as sent and M as forwarded.

17
Trust based Link selection
  • The trust metric is defined as a composition of
    the age and behavioral metrics.
  • For a node xj, the trust metric is given as
  • C(am(xj), bm(xj)) = 1 if (am(xj) · bm(xj) ?)
  • 0 otherwise
  • for a chosen value ?, where
  • ? = β · f1(ages(Ti)) · f2(behaviors(Ti))
  • f1, f2 are aggregate functions,
  • ages(Ti) is the set of age values in Ti,
  • behaviors(Ti) is the set of behavior metrics in Ti.
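
The forwarding check from the two MMFSM slides and the trust predicate above, written out in Python as an added example that is not code from the presentation or the paper. Only the l4 update with m4 and bmmax = 255 come from the slides; the idle location name l0, the l2 reward m2, the l3 penalty m3, byte equality for satisfies(), mean for f1 and f2, and >= as the comparison are assumptions, and the events in the test calls are constructed.

```python
BM_MAX = 255  # bmmax from the slides

class MMFSM:
    """xob's monitor for one neighbour xj. Locations l1..l4 follow the slides;
    l0 (idle), the reward m2 and the penalty m3 are assumptions."""
    def __init__(self, bm=128, timeout=2.0, m2=1, m3=16, m4=8):
        self.bm, self.timeout = bm, timeout
        self.m2, self.m3, self.m4 = m2, m3, m4
        self.loc, self.sent, self.t0 = "l0", None, None

    def _finish(self, loc, delta):
        self.bm = max(0, min(BM_MAX, self.bm + delta))  # keep bm in [0, bmmax]
        self.loc, self.sent = "l0", None                # re-arm for the next message
        return loc

    def send(self, msg, now):
        """xob sends M to xj: note the time and the message, move to l1."""
        self.loc, self.sent, self.t0 = "l1", msg, now

    def tick(self, now):
        """Timer event: still in l1 after `timeout` means M was not forwarded (l4)."""
        if self.loc == "l1" and now - self.t0 >= self.timeout:
            return self._finish("l4", -self.m4)
        return self.loc

    def overhear(self, fwd, now):
        """xob overhears xj forwarding `fwd`; a late forward counts as a timeout."""
        if self.loc != "l1" or now - self.t0 >= self.timeout:
            return self.tick(now)
        if fwd == self.sent:                            # satisfies(): assumed equality
            return self._finish("l2", self.m2)
        return self._finish("l3", -self.m3)

def trusted(am, bm, ages_T, bms_T, beta=0.9):
    """C(am, bm): 1 if am*bm reaches beta * f1(ages(Ti)) * f2(behaviors(Ti)).
    f1 = f2 = mean and '>=' are assumptions, not taken from the slides."""
    thr = beta * (sum(ages_T) / len(ages_T)) * (sum(bms_T) / len(bms_T))
    return 1 if am * bm >= thr else 0

def run(events, **kw):
    """Replay (kind, payload, time) events; return (locations reached, final bm)."""
    fsm, seen = MMFSM(**kw), []
    for kind, payload, now in events:
        if kind == "send":
            fsm.send(payload, now)
        else:
            seen.append(fsm.overhear(payload, now) if kind == "fwd" else fsm.tick(now))
    return seen, fsm.bm
```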

18
  • The above figure shows a plot of bm(xj) vs am(xj)
    for a node xj and a chosen value ?.
  • For new neighbors, age is small and behavioral
    metrics are assumed equal, so ? is small and the
    node can quickly form a topology.
  • When a node has known its neighbors for a long
    time and the nodes are honest, the age and
    behavioral metrics are high, and the value of ?
    is high as well.

19
Link Selection Policy
  • Adding and deleting nodes from the tables Ti and
    Ui.
  • For a network event xk(xj) → xl M at a node xob,
  • if xj ∉ Ui, we have the following cases for
    adding the node to the table.
  • Case 1: If |Ui| < Uimax, the node xj is added
    to Ui, and the age and behavioral metrics are
    initialized.
  • Case 2: If |Ui| = Uimax, then the node in
    Ui \ Ti that is least desirable in terms of
    distance and link quality is removed from Ui, and
    xj is added to the table Ui.

20
Evaluation
  • Resource requirements
  • The computational requirements of age-based link
    selection are considered negligible, as the
    routing metrics have similar requirements.
  • No additional messages in the network are
    required, so the power requirements are also
    negligible.
  • Behavior-based link selection is entirely passive
    and thus doesn't require any extra messages in
    the network.

21
Evaluation (contd.)
  • Security analysis
  • Age checking is considered effective if a
    malicious node is chosen as a next hop only after
    it has met the age constraint.
  • 1. If the malicious node a can silence the older
    nodes in Ui so that they are all evicted, then it
    can gain entry into Ti, because xi will now have
    a new topology.
  • But, as our assumptions state, the malicious node
    does not have this capability.
  • 2. Malicious node a can artificially raise its
    own age so that it meets the aging constraint,
    but such attacks require that a first meets the
    age constraint before being placed in Ti.

22
Evaluation (contd.)
  • 3. Impersonation attacks are not meaningful with
    respect to age metrics, since the age of nodes in
    Ti periodically increases with the clock of xi.
  • 4. If a impersonates many nodes to flood the
    tables at xi, then even though the impersonated
    nodes are stored in Ui \ Ti, these nodes will
    gain entry into Ti only after they meet the aging
    constraint.
  • 5. Behavioral monitoring depends on the chosen
    properties, so behavioral metrics do not provide
    hard security guarantees, but they reduce the
    effect of simple attacks.

23
Conclusions
  • Nodes select neighbors based on a trust metric,
    which is a composition of age and behavioral
    metrics.
  • Trust based link selection requires modest
    resources and can be implemented largely
    independent of the routing protocol.
  • It provides enhanced security to a broad class of
    routing protocols at a minimal cost.