Saurabh Ganeriwal saurabhee'ucla'edu

1
Reputation-based Framework for High Integrity
Sensor Networks

• Saurabh Ganeriwal saurabh_at_ee.ucla.edu
• Mani B. Srivastava mbs_at_ee.ucla.edu

Presenter Sean MIST Group
2
High Integrity Sensor Networks
How can the end-user rely on the information
provided to it by the sensor network?
3
Why does misbehavior takes place?
Information returned may be distorted
Malicious attacks (External attacker,
compromised nodes)

• Noise unavoidable
• In sensing
• In communication

Fault Persistent,transient,intermittent
malfunction
4
Where does misbehavior takes place?
Collaborative and local data processing
Sensing
Networking
Cryptography Key Establishment Cryptographic
frameworks Secure routing
Is Network Security enough?
5
Decentralized decision making
6
Limitations of network security

• Distributed collaborative data processing
• Network security -gt Make sure that only
  authenticated nodes participate.
• Network security cannot -gt Verify if nodes
  function properly
• Distributed data gathering
• Network security can -gt message integrity,
  confidentiality, secure relaying.
• Network security cannot -gt data authentication.

Compromise nodes have access to valid keys!
7
Solution
How do nodes trust each other? How do nodes trust
the information provided by other nodes?

• Trust
• Expectation of one person about the actions of
  others
• Reference to make a choice for action
• Reputation
• Perception that a person has of anothers
  intentions
• Solve uncertainty

8
Reputation based framework for sensor networks
(RFSN)
Proposed solution Form a similar community of
trustworthy nodes in the network over time
9
Why this approach?

• Sensor network already follow a community model
• Individual nodes do not have any utility
• Collaborative information gathering, data
  processing and relaying.
• Missing element is trust.
• Nodes are dumb and they collaborate with every
  node.
• Internal adversaries exploit this very fact!
• Faulty sensors results in equally detrimental
  effects.
• RFSN incorporates intelligence into nodes
• Exposes trust as an explicit metric!
• Cooperate with ONLY those nodes that are
  trustworthy.

10
Architecture of RFSN

• Observe the action of other nodes Watchdog
  mechanism
• Develop a perception of other nodes over time
  Reputation
• Share experiences to facilitate community growth
  Second hand information
• Predict their future behavior Trust
• Cooperate/Non-cooperate with trustworthy nodes
  Behavior

11
Integration of approaches
Development of high integrity sensor networks
will be a combination of techniques from
different fields
12
Reputation representation

• Probabilistic formulation
• Use beta distribution to represent reputation of
  a node.

Reputation of node j from the perspective of node
i

• Why beta distribution?
• Simple to store Just characterized by 2
  parameters.
• Intuitive a and ß represents magnitude of
  cooperation and non-cooperation.
• Efficient Easy reputation updates, integration,
  trust formulation.
• Maintain reputation for just neighboring nodes
• Use locality Provides scalability.

13
Reputation updates

• Problem formulation
• Node i wants to update Rij Beta(aj, ßj) based
  on r cooperative and s non-cooperative
  observations about j.
• Approach

Old reputation, Beta(aj, ßj)
New reputation, ??
????
14
Update algorithm

• Implications
• Simple, efficient and strong foundation to
  statistic.
• Diversity No restrictions on (r, s)
• Not necessarily has to be integers
• Beta distribution still well defined.
• Nodes can give higher rating to critical events.
• Allow partial ratings.

15
Reputation integration

• Problem formulation
• Node i receives reputation information about node
  j through node k.
• Represented by (ajk ,ßjk).

16
Trust

• Problem formulation
• What is the expectation of its next action being
  cooperative?

• Approach
• Want to estimate ?, future behavior of node j
• Prior knowledge None - Uniform in (0,1).
• Observations aj as cooperative, ßj as
  non-cooperative - Binomial

17
Behavior

• How to classify nodes as good/bad?
• Use a simple thresholding technique on trust

• What is Bij ?
• An abstract quantity.
• Node i further action will decide on this
• Dont route packet through j.
• Dont send sensor data to j.
• Choosing threshold
• Flexible
• Allow for dynamic configurability by the user.
• Diverse
• Can be application specific.
• Reflect the security needed by that application.

18
Reputation propagation

• What to propagate?
• Constraints
• Information about good nodes Saves from bad
  mouthing attacks
• Independent information Critical to derivation
  in earlier slide

19
Simulation study - NESLsim

• Simulation set up
• Comparison with DUMB-RFSN
• Representative of heuristic based approaches.
• Metric Trust between node i and j.
• Parameter choices Threshold (0.9),
  Initialization (Beta(1,1)).

j
i
20
Bad Mouthing Attacks
Attack Propagate false bad reputation
information about good nodes Countermeasure
Good Reputation System Set up Node j cooperates
fully
Scenario 1 1 malicious child
RFSN Completely resilient.
DUMB-RFSN Node i will conclude wrongly node j
to be malicious.
21
Bad Mouthing Attacks (Contd..)
Set up Node j cooperates fully
Scenario 2 4 malicious children, 1 good
child
RFSN Neglects bad nodes. Selectively takes
advantage of 1 good node.
DUMB-RFSN Performance is more worse.
22
Ballot Stuffing
Attack Malicious nodes propagate false good
reputation information. Countermeasure Weight
the second hand information appropriately Set up
Node j is malicious and colludes with malicious
children nodes.
Scenario 1 1 malicious child
DUMB-RFSN Node i will conclude node j to be
trustworthy.
RFSN Completely resilient.
23
Conclusions

• Generalized
• Can handle malicious as well as non-malicious
  misbehavior.
• Can handle misbehavior in networking, sensing as
  well as data processing.
• Scalable
• Maintain reputation only about neighboring nodes.
• Diverse
• Security can be tuned to meet application demands
• Events can be rated at completely arbitrary
  scales
• Reconfigurable
• All our design choices are governed by this
  criteria.

BUT LOTS OF WORK STILL NEEDS TO BE DONE.
24
Ongoing research work Watchdog Mechanism
Watchdog mechanism is the heart of RFSN

• Generalized watchdog mechanism is not feasible!
• Modules developed will be context specific.
• Designing individual modules
• Outlier detection schemes, Consensus based
  protocols, .
• Key is the scale!
• Relies on redundancy and consistency in a local
  neighborhood.

25
Watchdog Mechanism
Enable
Enable

• Collection of modules.
• Example Consistent data module
• Checks for consistency of data such as
  temperature, humidity etc.
• Imposes a constraint on the system to gather
  extra data in order to learn the system dynamics.
• Resource-Security tradeoff
• Efficient choice is the key to success.

Enable
Enable
passive
data
passive
data
gathering
listening
gathering
listening
Observations
Control
Loop
Routing
Consistent
Consistent
Consistent
Consistent
Routing
Module
data
Processing
data
Processing
Decision
Feedback
State
(r, s)
26
Watchdog Mechanism (Contd.)

• Limits to which a framework based on homogeneous
  resources can work
• Find out these limits?
• Can introducing heterogeneous resources help?
• For example a trusted sensor -gt equivalent to an
  access point.
• Problem is much simpler for the non-malicious
  case -gt faulty nodes and noise.
• Malicious attacker can act completely
  arbitrarily!
• Ongoing work Fault tolerant temperature
  monitoring system using mica motes

27
Open problems

• Bootstrapping network.
• How does trust gets established?
• Intelligent adversaries
• Cooperate and non-cooperate periodically.
• Context aware reputation
• Is node with a bad temperature sensor bad for
  routing?
• Multilayered RFSN seems like a feasible solution.

28
Related work

• Trust Establishment
• PolicyMaker
• KeyNote
• Internet commercial usage
• E-bay
• Yahoo auctions
• Routing misbehavior in ad-hoc networks
• Confidant
• Core
• Peer-to-peer networks
• PeerTrust

29
Comparison
30
Questions?