Dealing with Liars: Misbehavior Identification via R

1
Dealing with Liars Misbehavior Identification
via Rényi-Ulam Games

• William Kozma Jr., and Loukas Lazos
• Dept. of Electrical and Computer Engineering
• University of Arizona

2
Routing in Ad Hoc Networks

• Ad hoc networks lack a network infrastructure
• Limited communication range
• Nodes rely on multi-hop routes to communicate
• Any node may act as a router

Routing implemented on the basis of
collaboration Implicit trust placed on
intermediate routers
3
Node Misbehavior

• Nodes may be compromised physically or remotely
• Sophisticated users - alter software/hardware of
  their device
• Adversaries with intimate knowledge of node
  operation
• One type of misbehavior is packet dropping
• Selfishness Refuse to forward packets to
  conserve energy
• Maliciousness Refuse to forward packets to
  degrade network performance

4
The Misbehavior Identification Problem

• Given a path PSD from source S to destination D,
  identify misbehaving nodes that drop packets, in
  a resource efficient manner

5
Current Solutions

• Acknowledgment-Based Schemes (e.g., 2ACK, Liu et.
  al., Byzantine fault detection, Awerbuch et. al.)
• Packets acknowledged 2 hops or more upstream
• Reputation-Based (e.g., CONFIDANT, , Buchegger
  et. al.)
• Rely on message overhearing to verify forwarding
• Credit-Based (e.g., Sprite, Zhong et. al.))
• Provide incentive for a node to cooperate

D

n6
n2


n4
n5



S
n1
n3
All schemes incur overhead on a per-packet basis
6
Research Goal

• Per-packet behavior evaluation is too expensive
  in
• Energy (operating in promiscuous mode)
• Performance (must observe instead of sleeping or
  communicating concurrently)
• Communication (may consume more bandwidth)
• Critical questions
• Can we perform per-packet evaluation without
  per-packet monitoring (or very low per-packet
  overhead)?
• What is the penalty we have to tradeoff?

7
Implicit Node Monitoring

Nodes record a proof of packets they
receive/forward Some nodes are audited to provide
proof of behaving Multiple proofs are combined to
identify misbehavior Use the honest to identify
the malicious
D
Audit Reply
n6
Audit Reply
n2
n4
Audit Request
Audit Request
n5
S
n1
n3
8
Analogy to Rényi-Ulam Games
The process of combining multiple audits to
identify a misbehaving node is analogous to
Rényi-Ulam games

• Rényi-Ulam game the game of 20 questions
• Questioner wins if ? is determined in at most q
  questions
• Responder has a limited number of lies
• Winning strategy a strategy that wins
  regardless of how lies occur

Search space
Responder
O 1, 2, ,n
?
Questioner
Secret Value ?
q
l
l
9
Misbehavior Identification as a Rényi-Ulam Game

• Rényi-Ulam Game
• Misbehaving Node Identification

? y ?
Questioner
Responder
Yes
Secret Value ? in O
Responder
?
S
D
Questioner
n1
n2
n3
n4
n5
Did you see packets X?
Question
Search Space
Yes Proof
Response
10
Types of Rényi-Ulam Games

• Two questioning modes
• Batch
• Adaptive
• Two types of questions
• Cut questions
• Membership questions

O 1, 2, 3, 4, 5, 6, 7, 8, 9, 10
O 1, 2, 3, 4, 5, 6, 7, 8, 9, 10
Goal Devise a strategy to always find ? in the
least number of questions
11
Implementing Cut Questions

• Xi Set of packets forwarded by node ni
• Is the misbehavior node upstream of audited node
  ni ( ? y )?
• XS n Xi XS ni claims misbehavior occurs
  downstream (? y )
• XS n Xi ltlt XS ni claims misbehavior occurs
  upstream (? y)

12
Adaptive Auditing with Cut Questions

• Pelcs questioning strategy Pelc 89
• Binary search requiring log2k questions
  determine value ?'
• l questions on if ?' ? total of questions
  log2k l
• Auditing Strategy
• V PSD n1,,nk
• XS n Xi XS V ni,,nk
• XS n Xi ltlt XS V n1,,nk
• Winning strategy q log2PSD 2 (M 1)
  audits

Misbehaving Link
13
Node Identification

• One misbehaving node
• Path division exclude nodes in turn
• Path expansion add node to remove misbehaving
  link
• Multiple misbehaving nodes
• Identification process repeated M 1 times

nß
na
14
How About Colluders?

• Colluding nodes can cause incorrect convergence
• To avoid framing n3, n4 are simultaneously
  audited
• Since X3 n X4 X3, then M2
• Partition PSD into PSn3, Pn4D search
  independently

3
4
15
Adaptive Auditing with Membership Questions

• Dhagats questioning strategy Dhagat 92
• Perform a binary-based search while checking for
  contradicting answers
• Let Vi O 1,,k divide Vi into two equal
  subsets A 1,,k/2, B k/2,,k
• Is ? ? A? then Vi1 A
• Is ? ? B? then Vi1 B
• Else contradiction among answers return to
  previous stage (Vi-1)
• Winning strategy if q

16
Adaptive Auditing with Membership Questions

• Membership questions constructed from two audits
• Is nM ? A n1,,n4? implies X1 X4 ltlt
  X1
• Auditing Strategy
• V1 PSD n1,,nk A n1,,ni, B
  ni,,nk
• If X1 n Xi ltlt X1, Vi1 A, else
• If Xi n Xk ltlt Xi, Vi1 B, else
• Return to previous stage if contradiction found
  (Vi-1)
• Select a new ni to prevent repetitive lies
• Worst case q 4 log2 (PSD) 2 (M 1)
  audits

U
?
17
Creating Audit Replies

• Commit to a claim of a set of packets Xi
  received/forwarded
• Bloom filters provide a compact representation of
  a membership set Xi

x
x
x

h1
h2
hk
1
1
1
18
Evaluating Responses (1)

• Source sends audit request
• Defines the duration and starting packet number
• Audited node adds packets to its Bloom filter
• Signs filter with its private key and sends it
  back to the source
• Signed Bloom filter acts as a commitment to
  packets forwarded
• Source computes

D
n6
X4
sig4(X4)
n2
n4
Audit Request
n5
S
n1
n3
Per packet evaluation without per-packet
overhead Only m-bit vector sent to source
19
Impact of Mobility

• Addition/Removal of an honest node does not
  affect REAct
• Misbehaving node added to PSD
• Added to V as if there from start of search
• Added outside of V as if two colluding nodes
  existed in PSD
• Misbehaving node removed from PSD
• Performance resumed

20
Performance Evaluation

• Metrics of interest
• Communication Overhead
• Identification Delay
• Compared our scheme to
• CONFIDANT (reputation-based scheme)
• 2ACK (acknowledgment-based scheme)
• AWERBUCH (acknowledgment-based scheme)
• For CONFIDANT, defined energy for overhearing as
  0.5 times the energy for transmission
• For 2ACK, varied percent of packets acknowledged,
  p 1, 0.5, 0.1

21
Communication Overhead
22
Communication Overhead for 2 Misbehaving Nodes
23
Identification Delay
24
Communication Overhead for 1 Misbehaving Node
25
Communication Overhead as a Function of Audit Size
26
Identification Delay
27
Communication Overhead
28
Take Away Remarks

• For resource-constrained networks, per-packet
  behavior evaluation is too resource demanding
• We can trade identification delay for
  communication and energy efficiency
• Showed a logarithmic increase in of transmitted
  messages with path size
• Showed small increase in identification delay
  compared to savings
• Differentiation of maliciousness from bad channel
  conditions, congestion and collisions is not yet
  clear (or an easy problem to solve)