reputation and trust-based systems for wireless self-organizing networks jaydip sen presenter...
TRANSCRIPT
Reputation and Trust-Based Systems for
Wireless Self-Organizing Networks
Jaydip Sen
Presenter Gicheol Wang
presented by gcwang
Chapter Outline
Wireless self-organizing networks MANETs and WSNs Trust and Reputation -- Definitions Types of trust Trust constructs Inter-relationship among trust constructs Characteristics of trust Goals and properties of reputation systems Classification of trust and reputation systems Issues in reputation systems Some examples of trust and reputation systems Open problems Conclusion
23年 4月 19日 2
presented by gcwang
Wireless Self-Organizing Networks
A self-organizing network is a network that can automatically extend, change, configure and optimize its topology, coverage, capacity, cell size, and channel allocation, based on changes in location, traffic pattern, interference, and the situation or environment.
Wireless ad hoc networks is a special class self-organizing network, where capabilities or existence of links, capabilities or availabilities of nodes or network services are considered as a random function of time. Examples: MANETs and WSN.
A Mobile Ad hoc NETwork (MANET) is a collection of mobile nodes that can has no fixed or predetermined topology, with mobile nodes and dynamic membership changes.
A Wireless Sensor Network (WSN) is a highly distributed network consisting of a large number of tiny, low cost, light-weight wireless nodes deployed to monitor an environment or system.
23年 4月 19日 3
presented by gcwang
MANETs and WSNs
MANETs due to complete autonomy of the member nodes, and lack of any centralized infrastructure are particularly vulnerable to different types of attacks and security threats.
In addition, due to resource constraint, there is an incentive for a node to act in a selfish manner without cooperating with other nodes.
In WSNs, the nodes can be physically tampered and mis-configured by an external or an insider attacker.
Cryptography and other intrusion prevention mechanisms cannot prevent such as security threats.
Reputation and Trust are two important tools that can used to detect and defend against these attacks.
23年 4月 19日 4
presented by gcwang
Node Misbehavior in MANETs and WSNs
In MANETs and WSNs, nodes may exhibit various types of misbehavior. Node misbehavior may be categorized into two broad types:
Malicious behavior intention is to attack and damage the network. Selfish behavior intention is to save power, memory and CPU cycle.
Malicious misbehavior can be of two types:
Forwarding misbehavior packet dropping, modification, fabrication, timing attack, silent route change etc.
Routing misbehavior route salvaging, dropping of error messages, fabrication of error messages, unusually frequent route updates, sleep deprivation, blackhole, grayhole, wormhole etc.
Selfish misbehavior can be of two types:
Self-exclusion Non-forwarding
23年 4月 19日 5
MANET Routing
presented by gcwang
Node Misbehavior in MANETs and WSNs (contd..)
Timing misbehavior a malicious node delays packet forwarding to ensure that time-to-live (TTL) of the packets are expired so that the packets do not reach the destination.
Silent route change attack a malicious node forwards a packet through a different route than it was intended to go through.
Route salvaging attack a malicious node reroutes packets to avoid a broken link, although no error actually has taken place.
Sleep deprivation attack a malicious node sends excessive number of packets to another node so as to consume computation and memory resources of the latter.
Blackhole attack a malicious node claims to have the shortest path; but when asked to forward the packets, it drops them.
23年 4月 19日 6
presented by gcwang
Node Misbehavior in MANETs and WSNs (contd..)
Grayhole attack a variation of Blackhole attack, in which a malicious node selectively drops the packets.
Wormhole attack a malicious node sends packets from one part of the network to another part of the network where they are replayed.
Self-exclusion attack a selfish node does not participate when route discovery protocol is executed to save its own power.
Non-forwarding attack a selfish node participates in the route discovery process but drops data packets in the routing phase.
23年 4月 19日 7
presented by gcwang
Node Misbehavior in MANETs and WSNs (contd..)
Packet Dropping
Modification
Fabrication
Timing Misbehavior
Silent Route Changes
Forwarding Misbehavior
Blackhole Attack
Grayhole AttackWormhole Attack
Routing Misbehavior
Malicious: Mount Attacks
Self Exclusion
Non-Forwarding
Selfish: Save Resources -Battery, CPU Cycles, Memory
Misbehavior
23年 4月 19日 8
presented by gcwang
Trust - Definition
Trust is a particular level of subjective probability with which an agent will perform a particular action, both before [we] can monitor such action (or independently of his capacity of ever to be able to monitor it) and in a context which it affects [our] action – Gambetta.
Trust is the firm belief in the competence (reliability, timeliness, honesty and integrity) of an entity to act as expected such that this firm belief is not a fixed value associated with the entity but rather it is subject to the entity’s behavior and applied only within a specific context at a given time. – Azzedin and Maheswaran.
23年 4月 19日 9
presented by gcwang
Reputation - Definition
Reputation of an entity is an expectation of its behavior based on other entities’ observations or information about the entity’s past behavior within a specific context at a given time. – Azzedin and Maheswaran.
23年 4月 19日 10
presented by gcwang
Types of Trust
Three types of Trust:
Basic: it is based on previous experience of a node. If two nodes A and B in a network are to communicate with each other, the basic trust is not the trust that A has on B; rather it is the general dispositional trust that node A has on other nodes.
General: it is the trust that node A has on node B, which is not dependent on a particular situation.
Situational: it is the trust that node A has on node B in a particular situation. In most of the cases, we are concerned with this type of trust between nodes in wireless self-organizing networks such as MANETs and WSNs.
23年 4月 19日 11
presented by gcwang
Trust Constructs
Six types of trust constructs in self-organizing networks:
Trusting intention of a node
Trusting behavior of a node
Trusting beliefs in nodes
System trust in nodes
Dispositional trust of a node
Situational decision to trust a node
23年 4月 19日 12
presented by gcwang
Trust Constructs (contd..)
Trusting intention of a node willingness of a node to depend on the information provided by another node in spite of having knowledge about the risk involved.
Trusting behavior of a node voluntary dependence of one node on another node in a specific situation with risk associated in it.
Trusting beliefs in nodes confidence and belief of one node that the other node is trustworthy in a specific situation.
System trust in nodes occurs when nodes believe that proper frameworks are in place to encourage successful interaction between them.
Dispositional trust of a node general expectation of a node about the trustworthiness of other nodes under different situations.
Situational decision to trust a node occurs when a node intends to depend on another node in a given situation. Example: node B wants to communicate with node A; therefore, it communicates with a trusted third party trust management system, which is trusted by node A also.
23年 4月 19日 13
presented by gcwang
Inter-Relationship among Trust Constructs
Trusting Behavior of a Node
Trusting Intention of a Node
Trusting Beliefs in a Node
Dispositional Beliefs in a Node
Situ
ational D
ecision to T
rust a N
ode
System
Tru
st in
a Nod
e
23年 4月 19日 14
presented by gcwang
Characteristics of Trust
Sun et al have identified some characteristics of trust metric from wireless self-organizing network perspective:
Trust is a relationship between two entities for a specific action. One entity (subject) believes that the other entity (agent) will perform an action.
Trust is a function of uncertainty.
The level of trust can be measured by a continuous real number, referred to as the trust value.
Different subjects may have different trust values with the same agent for the same action.
Trust is not necessarily symmetric. A trusts B does not necessarily imply that B should trust A.
23年 4月 19日 15
presented by gcwang
Goals and Properties of Reputation Systems The goals of a reputation system are:
To provide information that allows nodes to distinguish between trustworthy and untrustworthy nodes in a network.
To encourage the nodes in the network to cooperate with each other and become trustworthy.
To discourage the untrustworthy nodes to participate in the network activities.
To cope with any kind of observable misbehavior.
To minimize the damage caused by any insider attack.
The properties of a reputation system are:
The system must have long-lived entities that inspire expectations for future interactions.
The system must be able to capture and distribute feedbacks about current interactions among its components and such information must be available in future.
The system must use feedbacks to guide trust decisions.
23年 4月 19日 16
presented by gcwang
Classification of Trust & Reputation Systems
Trust and Reputation systems can be classified on the following issues:
Initializations of the systems
Type of observations used
Method of information access
Method of information distribution in the network
23年 4月 19日 17
presented by gcwang
Method of Initialization
Most of the trust and reputation systems are initialized in one of the following three ways:
All nodes are initially assumed to be trustworthy. The reputation of a node decreases with each bad encounter that the node experiences with its neighbors.
Every node is considered to be untrustworthy. No node trusts other nodes initially. The reputations of nodes increase with every good encounter.
Every node is considered to be neither trustworthy nor untrustworthy. All nodes start with a neutral reputation value. With every good or bad behavior, the reputation is increased or decreased respectively.
23年 4月 19日 18
presented by gcwang
Type of Information Used
Based on type of information used trust and reputation systems can be classified into two categories:
Systems using first-hand information
Systems using both first-hand and second-hand information
Systems using only first-hand information collected by the nodes are robust against rumor spreading. Example: OCEAN and Pathrater.
Most of the systems use both first-hand and second-hand information. Examples: CORE, CONFIDANT etc.
In some systems such as DRBTS, some sensor nodes (SNs) use only second-hand information.
23年 4月 19日 19
presented by gcwang
Method of Information Access
Reputation systems are broadly categorized into two types depending on the manner in which nodes access reputation information in the network:
Symmetric systems all nodes in the network have access to the same level of information (i.e., first-hand and second-hand information)
Asymmetric systems all nodes do not have the access to same amount of information. Example: in DRBTS, sensor nodes do not have the same amount of information as possessed by the beacon nodes.
23年 4月 19日 20
presented by gcwang
Method of Information Distribution
Reputation systems are categorized into two types based on the manner in which reputation information is distributed in the network:
Centralized one central entity maintains the reputation information of all nodes in the network. Examples: eBay and Yahoo auctions.
Distributed each node maintains reputation of all other nodes within its communication range in the network. Examples: MANETs and WSNs.
In centralized systems, the central entity may become a source of security vulnerability and performance bottleneck.
In distributed systems, memory overhead for storing reputation information is shared by all the nodes. It also eliminates the problem of ‘single-point-of-failure’. However, data replication is an issue in such systems.
23年 4月 19日 21
presented by gcwang
Issues in Reputation Systems
Information gathering
Information dissemination
Redemption and weighting of time
Weighting of second-hand information
23年 4月 19日 22
presented by gcwang
Information Gathering
Information gathering is the process in which a node collects information about other nodes. This is also called first-hand information gathering.
In CONFIDANT protocol, two types of first-hand information are categorized:
Personal experience – information gathered by a node through one-to-one interactions with its neighbors.
Direct observation – information gathered by a node by its direct observation.
Most of the systems use watchdog mechanism to monitor neighborhood activities of nodes. However, watchdog is ineffective if directional antennas or spread spectrum technology is used.
23年 4月 19日 23
presented by gcwang
Information Dissemination
Information dissemination is done by exchange of information among the nodes. Information received by a node from other nodes is also known as second-hand information.
Advantages in using second-hand information:
Reputation of nodes builds up fast due to the ability of the nodes to learn from the mistakes of others.
Over a period of time, a consistent local view stabilizes in the system.
Disadvantage second-hand information exchange leads to the possibility of false report attack, where an honest node may be falsely accused or a dishonest node praised.
False report attack may be controlled by using limited information sharing - using either positive or negative information.
23年 4月 19日 24
presented by gcwang
Information Dissemination (contd..)
Disadvantages of sharing only the positive information: False praise attack – colluding malicious nodes may survive for longer time Nodes cannot share bad experiences
Sharing only negative information prevents false praise attack. However it has the following disadvantages: Nodes cannot share good experiences Malicious nodes can launch bad mouth attacks on honest nodes
CONFIDANT uses negative second-hand information.
Context-aware detection accepts negative second-hand information if at least four nodes provide such report.
OCEAN does not allow any information (positive or negative) exchange. It build reputation purely on individual observations of the nodes. Advantage: robust against rumor spreading Disadvantage: time required to build reputation is high, and malicious nodes can stay in
the system for longer time misusing the resources.
23年 4月 19日 25
presented by gcwang
Information Dissemination (contd..)
DRBTS and RFSN allow sharing of both positive and negative information.
The negative effects of information sharing can be mitigated in these systems by appropriately incorporating first-hand and second-hand information into the reputation metric by using different weighting functions for different information.
Information dissemination scheme has three issues: Dissemination frequency Dissemination locality Dissemination content
Two types of systems with respect to dissemination frequency: Proactive dissemination nodes communicate reputation information during each
dissemination interval even if there is no change in the reputation values since the last dissemination interval.
Reactive dissemination nodes publish only when there is a pre-defined amount of the reputation values they store or when an event of interest occurs.
23年 4月 19日 26
presented by gcwang
Information Dissemination (contd..)
Reactive dissemination reduces communication overhead in situation where reputations of nodes do not change frequently. It may, however, cause congestion in networks where network activity is high.
Proactive dissemination is more suitable for busy and dense networks.
Communication overhead may be reduced by piggybacking the reputation information with other network traffic:
In CORE, reputation info is piggbacked on reply messages.
In DRBTS, it is piggybacked on location info messages.
23年 4月 19日 27
presented by gcwang
Information Dissemination (contd..)
Information dissemination locality:
Local information information in published with one-hop neighborhood by unicast, broadcast or multicast.
Global information information is propagated to nodes outside the radio range of the node publishing the information. This is more suitable for networks with higher mobility.
DRBTS uses local dissemination though broadcast enabling beacon nodes to update their reputation table.
Information dissemination content:
Raw: information published by a node is its first-hand information.
Processed: node publishes composite reputation after considering second-hand information from other nodes.
23年 4月 19日 28
presented by gcwang
Redemption and Weighting of Time
Assignment of suitable weights to past and current reputation values for computing the composite reputation metric is an important issue.
CORE assigns more weight to past behavior Wrong observations or rare behavior changes cannot influence reputation rating
CONFIDANT and RFSN discounts past behavior by assigning less weight. A node cannot leverage on its past good performance and start misbehaving without
being punished.
In periods of low network activity, a benign node may get penalized. DRBTS resolves this problem by generating network traffic through beacon nodes in regions and periods of less network traffic.
OCEAN and Context-aware detection do not assign differential weights on past and current ratings.
CONFIDANT assigns more weight to first-hand information than second-hand information.
23年 4月 19日 29
presented by gcwang
Redemption and Weighting of Time (contd..)
CONFIDANT does redemption of misbehaving and misclassified nodes by reputation fading. In reputation fading, past behavior is discounted even in the absence of testimonials and observations. A node that has been isolated from the network due to misbehavior, always gets a chance to rejoin after some time.
In CORE, a node previously isolated from the network due to misbehavior, cannot redeem itself until there is a sufficient number of new nodes in the network those have no past experience with the node.
OCEAN relies on a timeout of reputation. Pathrater and Context-aware detection system have no provision of redemption.
23年 4月 19日 30
presented by gcwang
Weighting of Second-Hand Information
The schemes using second-hand information must have to administer the trust level of the sources of such information.
Deviation test a method to validate the credibility of the sources of second-hand information.
Different schemes use different techniques for handling second-hand information:
Dempster-Shafer theory Discounting belief principle Beta distribution most widely used. RFSN uses it.
CONFIDANT assigns weights on second-hand information based on the trustworthiness of the source node. The source must have a minimum level of trust for its information to be considered by other nodes in the network.
In RRS, trust of a node is measured by the consistency between the first- and second-hand information. Higher weights are assigned to the first-hand information of the nodes.
23年 4月 19日 31
presented by gcwang
Detection Mechanisms
Reputation systems require a tangible object of observation that can be identified by as either good or bad.
In MANETS, nodes promiscuously overhear the communications to/from their neighbors Monitor, Watchdog and NeighborWatch.
Passive acknowledgments nodes register themselves to get notified when their next-hop neighbors on a given route have attempted to forward their packets.
Problems with Wathdog it is difficult to unambiguously identify whether the inability of a node to forward packets is due to its maliciousness or due to collisions and/or limited battery power.
CORE does not rely on promiscuous mode of operation of its Watchdog. It judges the outcome of request by rating the end-to-end communication path.
CONFIDANT uses passive ACKs to verify whether the neighbor node forwards without any modification.
23年 4月 19日 32
presented by gcwang
Response Mechanisms
Except Watchdog and Pathrater, almost all reputation systems have a punishment mechanism for misbehaving nodes.
Two steps in punishment mechanisms:
Nodes are avoided while discovering the routing paths.
Nodes are not allowed to access network resources.
It is essential to make sure that the malicious nodes are not allowed to access the networks resources; otherwise, just avoiding them in routing will effectively provide more motivation towards their malicious behavior as the nodes can freely use the network resources while saving their energy and other resources.
23年 4月 19日 33
presented by gcwang
Examples of Reputation & Trust Mechanisms
Watchdog and Pathrater Context-aware inference mechanism Trust-based relationship of nodes in MANETs Trust aggregation schemes Trust management in ad hoc networks Trusted routing schemes CORE Collaborative REputation mechanism in mobile ad hoc networks CONFIDANT Cooperation of Nodes – Fairness In Dynamic Ad hoc
NeTwarks OCEAN Observation-based Cooperation Enhancement in Ad hoc
Networks RRS Robust Reputation System RFSN Reputation-based Framework for high integrity Sensor Networks DRBTS Distributed Reputation-Based Beacon Trust Systems
23年 4月 19日 34
presented by gcwang
Watchdog
Proposed by Marti et al to mitigate routing misbehavior in MANETs.
Watchdog determines node misbehavior by copying packets to be forwarded into a buffer and monitoring the behavior of the neighboring nodes with respect to packet forwarding.
Watchdog checks whether the neighboring nodes forward packets without modifications.
If the snooped packets match with those in the buffer, they are discarded. Packets that stay in the buffer of monitor nodes beyond a threshold period of
time are flagged as having been dropped or modified.
Nodes responsible for forwarding packets are marked as suspicious nodes. If the number of such failures exceeds a pre-determined threshold value, the
offending node is identified as a malicious node. Information about the malicious nodes is passed to the Pathrater component.
23年 4月 19日 35
presented by gcwang
Watchdog (contd..)
DCBAS
Node B intends to transmit a packet to node C.
Node A could overhear this transmission
23年 4月 19日 36
presented by gcwang
Pathrater
Pathrater component in each node makes a rating of all known nodes the network.
Nodes start with a neutral rating and update the ratings of each neighbor based on the feedback received from the Watchdog component.
Misbehavior of a node is identified on the basis of its packet mishandling and modification activities. Unreliability of a node is determined on the basis of its link errors.
Simulation results have shown that Watchdog and Pathrater significantly improve the throughput with DSR protocol.
The scheme does not penalize the misbehaving nodes, it only avoids them in
routing and effectively relieves them from the burden of forwarding packets of other nodes. This encourages the malicious nodes to continue with their misbehavior.
23年 4月 19日 37
Pathrater
presented by gcwang
Context-Aware Inference Mechanism
The mechanism proposed by Paul and Westhoff, in which accusations are related to the context of a unique route discovery process and a stipulated time period.
A combined detection mechanism is used that involves unkeyed hash verification of routing messages and comparison of cached packets with the overheard ones.
Trust of a node is computed based on several factors: Accusations of other nodes Number of such accusations Level knowledge of the topology of the network A context-aware inference mechanism
If a node has to be identified as malicious, accusations have to come from a certain minimum number of nodes. If a single node accuses a particular node, the former is identified as malicious.
23年 4月 19日 38
presented by gcwang
Trust-Based Relationship in MANETs
Pirzada and Mcdonald proposed an approach for building trust relationships among nodes in a MANET which has the following features:
Each nodes passively monitor the packets received and forwarded by other nodes. Receiving and forwarding of packets are called events.
Events are assigned weights depending on the applications.
The trust values of all the events from a node are combined to compute an aggregate trust value of the node. The compound trust values are used as link weights for computation of weights.
For routing, the most trustworthy links are used to find the end-to-end path.
Sun et al have proposed a scheme where trust has been modeled as a measure of uncertainty. Using theory of entropy trust values are computed for nodes from certain observations. An entropy-based computation is presented for multi-path trust propagation problem in MANETs.
23年 4月 19日 39
presented by gcwang
Trust Aggregation Scheme
Liang and Shi have carried out extensive work on development of models and evaluating robustness and security of various aggregation algorithms in open and untrusted environment.
They have also presented a comprehensive analytical and inference model of trust for aggregation of various ratings received by a node from the neighbors in a WSN.
The simulation results have shown that it is computationally more efficient approach to treat the ratings received from different evaluators (i.e. nodes)
with equal weights and compute the average to arrive at the final trust value.
23年 4月 19日 40
presented by gcwang
Trust Management in MANETs
Yan et al have proposed a security based on trust framework to ensure data protection, secure routing and other security features in MANETs.
Ren et al have proposed a mechanism for trust relationships among nodes in MANETs. A secret dealer is introduced only at the system bootstrapping phase to initiate the trust propagation in the network. A fully self-organized trust establishment approach is adopted to conform to the dynamic membership changes.
Zhu et al. have proposed an approach to compute trust in wireless network by treating individual mobile device as a delegation graph G and mapping a delegation path from a source node S to a target node T into an edge in the corresponding transitive closure of the graph G. From the edges of the transitive closure of G, the trust values of the wireless links are computed.
Davis has presented a trust management scheme based on a structural hierarchical model which incorporates revocation of certificates. It is robust against false accusation by a malicious node.
23年 4月 19日 41
presented by gcwang
Trusted Routing Scheme
Jarett and Ward have presented a trusted routing scheme that extends AODV protocol.
The protocol known as TCAODV (Trusted Computing Ad hoc On-demand Distance Vector) uses a public key certificate stored in each node.
Each node broadcasts its certificate along with the hello messages. The neighbors first verify the authenticity of the certificate by verifying its signature. If the signature verification is successful, the nodes store the certificate as the public key of the issuing node.
In all subsequent routing packet exchanges, the nodes verify the authenticity of the signature and then forward the packets.
Every routing packet is also encrypted using the symmetric key of the pair of nodes exchanging the packet.
The protocol has a very low overhead an ideally suited for trusted routing in MANETs and WSNs.
23年 4月 19日 42
AODV
presented by gcwang
CORE
Proposed by Mirchiardi and Molva, this protocol enforces cooperation among the nodes in a MANET.
Three types of reputation are used to compute the final reputation metric:
Subjective reputation (observations) Indirect reputation (positive reports by others) Functional reputation (task-specific behavior)
Two types of nodes are considered:
Requester: it is a network entity that requests execution of a function. A requestor may have one or more providers within its transmission range.
Provider: network entity that correctly executes the function.
Higher weights are assigned to past observations than the current observations.
23年 4月 19日 43
presented by gcwang
CORE (contd..)
The reputation values (lying between -1 and +1) are stored in a reputation table (RT) in each node. Each entry in the RT has four fields: Unique ID of the node Recent subjective reputation: Recent indirect reputation: Composite reputation
RTs are updated during the request and reply phase.
Reputation computed from first-hand information is referred to as subjective reputation. The subjective reputation is updated only during the request phase.
If a provider does not cooperate with a requester’s request, then a negative
value is assigned to the rating factor of the observation. It automatically reduces the reputation of the provider.
CORE uses functional reputation to evaluate the trustworthiness of a node with respect to different functions. Functional reputation is computed by combining functional and indirect reputation for different functions.
23年 4月 19日 44
presented by gcwang
CORE (contd..)
The combined reputation value for each node is computed by combining three types of reputation with suitable weights.
The positive reputation values are decremented with time to ensure that nodes cooperate and contribute on a continuous basis. This prevents a node to build up a very good reputation and then start misbehaving after some time and still surviving in the network.
When a node has to make a decision on whether or not to execute a function for a requestor, it checks the reputation value of the latter. If the reputation is positive, the function is executed. If the reputation is negative, the function is not executed.
False accusation attacks are prevented since only the positive information is shared for indirect reputation updates. However, it provides an opportunity to launch false praise attacks.
23年 4月 19日 45
presented by gcwang
CORE (contd..)
An inherent problem is to compute the combined reputation metric a malicious node may hide its misbehavior with respect to certain functions while behaving cooperatively with respect to other functions. A node may choose to not cooperate for functions that consume resources like memory and power and choose to cooperate for functions that don’t require much resource.
However, the reputation computation in CORE is an elegant process and minimizes false detection and increases probability of detection of misbehaving nodes.
23年 4月 19日 46
presented by gcwang
COFIDANT
Proposed by Buchegger and Boudec, it is a mechanism to encourage cooperation among the nodes in a MANET.
It is a distributed, symmetric reputation model that uses both first-hand as well as second-hand information.
It assumes DSR as the routing protocol and works on promiscuous mode of operation of the nodes.
Misbehaving nodes are identified and punished by not allowing them to access the network resources.
CONFIDANT is based on the principle that reciprocal altruism is beneficial for every ecological system when favors are returned simultaneously because of instant gratification. In other words, there may not be any benefit of behaving well if there is a delay in granting a favor and getting back the repayment.
23年 4月 19日 47
presented by gcwang
COFIDANT (contd..)
Each node in CONFIDANT protocol runs four components:
Monitor
Trust manager
Reputation system
Path manager
Monitor passively observes the activities of the nodes within its 1-hop neighborhood. If any misbehavior is detected in terms of non-forwarding or modification of packets by any neighbor, the monitor module reports this to the reputation system and the trust manager for the evaluation of the new reputation value of the misbehaving node.
23年 4月 19日 48
presented by gcwang
COFIDANT (contd..)
Trust manager it handles all incoming and outgoing ALARM messages. Incoming ALARM messages can originate from any node. Trustworthiness of the source of an ALARM messages is checked before triggering a
reaction. The outgoing ALARM messages are generated by the node itself after having
experienced, observed, or received a report of malicious behavior. The recipient of these ALARM messages are called friend nodes, the list of which is maintained in the node.
Trust manager consists of three components: Alarm table contains information about received alarms Trust table maintains trust records of each node to determine trustworthiness of
an incoming alarm message Friend list contains list of all nodes to which the node has to send alarm when it
detects any malicious activity
23年 4月 19日 49
presented by gcwang
COFIDANT (contd..)
Trust Manager
tolerance exceeded
within tolerance threshold
exceeded
below threshold
not significant
event detected
ALARM received
not trusted
enough evidencetrustedEvaluating trust
Updating ALARM
Monitoring
Initial state
Sending ALARM
Evaluating alarm
Updating event count
RatingManaging path
Reputation System
Monitor
Path Manager
Interactions among the components of CONFIDANT
23年 4月 19日 50
presented by gcwang
COFIDANT (contd..)
Reputation system it maintains a table that consists of records of other
nodes and their corresponding reputation values. Reputation rating of a node is updated only when there is sufficient evidence of
malicious behavior of that node at least for a threshold minimum number of occasions.
The rating is changed using a function that assigns the highest weight on personal experience, a lesser weight for observations in a neighborhood and an even lesser weight to reported experience.
If the computed reputation value of a node falls below a predetermined threshold, the path manager is invoked for further action.
23年 4月 19日 51
presented by gcwang
COFIDANT (contd..)
Path manager it is the decision making component of CONFIDANT protocol. It makes a ranking of the paths based on their trust values. It deletes paths containing misbehaving nodes and is also responsible for taking
necessary actions upon receiving a request for a route from a misbehaving node.
In CONFIDANT only negative information is exchanged between the nodes. This makes the system vulnerable to false accusation attacks by malicious nodes on honest nodes.
Unlike CORE, even without collusion, malicious nodes may benefit by falsely accusing benign nodes. Colluding malicious nodes can make the situation unmanageable.
False praise attack is not possible since positive information is not exchanged.
Nodes that are excluded from the network due to their misbehavior, are allowed to recover after a certain timeout. This allows a malicious node to re-enter the network and attack repeatedly.
Faulty nodes are treated in the same way as the malicious nodes.
23年 4月 19日 52
presented by gcwang
OCEAN
Proposed by Bansal and Baker, OCEAN is an security extension of the DSR protocol.
It consist of two essential components: Monitoring system Reputation system
To avoid vulnerabilities arising due to false accusations and second-hand reputation exchanges, nodes in OCEAN rely only on their own observations (i.e. first-hand information).
OCEAN categorizes routing misbehavior into two types: Misleading a node participates in the route discovery process but does not forward
data packets. Selfish a node does not participate in the route discovery process
Depending of the forwarding activity of a neighbor node, its reputation value is computed.
If the reputation of a node falls below a threshold value, the node is added to a faulty list. The faulty list is appended to the route request message as a list of nodes to be avoided in routing.
A timeout is used to allow faulty nodes to rejoin the network.23年 4月 19日 53
presented by gcwang
RRS
Buchegger and Boudec have proposed an improved version of CONFIDANT called a Robust Reputation System (RRS).
It uses a Bayesian framework with Beta distribution to update reputation values.
It uses both positive and negative reputation values in the second-hand information.
It is robust to false rating- both accusation and praise.
Every node maintains two metrics: Reputation used to classify nodes as either normal or misbehaving Trust used to classify nodes as either trustworthy or untrustworthy
First-hand information is exchanged periodically. Second-hand information received from another node is put under a deviation test. If the deviation of the received reputation value does not exceed beyond a threshold from the node’s own opinion, then new reputation value is accepted and the composite reputation value is updated.
Unlike CORE, RRS assigns more weight to current behavior.
To accelerate the detection of misbehaving nodes, selected second-hand information from trusted nodes and information that has passed deviation test are used.
23年 4月 19日 54
presented by gcwang
RFSN
Ganeriwal and Srivastava have proposed a distributed, symmetric reputation-based framework for high-integrity WSN. This scheme is called Reputation-based Framework for Sensor Networks (RFSN).
It classifies actions of a node as either cooperative or non-cooperative and uses both first-hand and second-hand information for computing reputation values of the nodes.
Beta distribution is used for reputation representation, storing and updates. Each node maintains reputation values of its neighbors.
RFSN distinguishes between trust and reputation and computes these metrics
for each node so as to develop a security framework for a WSN.
23年 4月 19日 55
presented by gcwang
RFSN (contd..)
WatchdogMechanism Reputation Trust Behavior
Second-HandInformation
Architecture of RFSN system
23年 4月 19日 56
presented by gcwang
RFSN (contd..)
Summary of operating principle: First-hand information from the Watchdog and the second-hand information are
combined to compute the reputation of each node. The trust level of each neighbor is computed from its reputation value. Based on the computed trust value of each neighbor, the node determines its strategy
if the trust value of a neighbor is above a threshold value, then the node cooperates with the neighbor, otherwise it does not cooperate.
In RFSN, only the positive information is shared among the nodes. Higher weights are assigned to second-hand information provided by the nodes with higher reputation values. In fact, the weights assigned to second hand information are functions of the reputation values of their sources.
RFSN uses Beta distribution for reputation computation.
More weights are assigned to the recent observations than the past.
To compute the combined reputation value of a node using first-hand and second-hand observations, Dempster-Shafer theory and belief discounting theory are utilized.
23年 4月 19日 57
presented by gcwang
RFSN (contd..)
The effectiveness of RFSN is based on the assumption that the majority of nodes in any neighborhood of a WSN are trustworthy. Trust assessment is used to flush out the bad nodes.
Since RFSN uses only positive second-hand information exchange, bad mouthing attack is not possible.
However, exchange of only positive information reduces the efficiency of the system as the nodes cannot exchange their bad experiences.
23年 4月 19日 58
presented by gcwang
DRBTS
Srinivasan, Teitelbaum and Wu have proposed DRBTS scheme for detecting and revoking malicious beacon nodes that provide misleading location information in a WSN.
It is distributed security protocol that uses both first-hand and second-hand information.
Two types of nodes are distinguished: Beacon node (BN) Sensor node (SN)
Functions of the BNs: Every BN monitors its next-hop neighborhood for any possible misbehaving BNs and
updates the reputation values of the neighbor nodes in the respective reputation table. BNs use second-hand information for updating the reputation of their neighbors after
the second-hand information passes a deviation test.
23年 4月 19日 59
presented by gcwang
DRBTS (contd..)
Functions of SNs: The SNs use neighbor reputation table to determine whether or not to use a given BN’s
location information based on a simple majority voting scheme.
DRBTS is a symmetric information exchange model from the perspective of the BNs but asymmetric from the perspective of the SNs. BNs are capable of determining their locations and must pass this information to the SNs. Without the knowledge of the locations of the BNs, it is impossible for SNs to determine whether a BN is giving false report about its location information.
Using a simple majority voting scheme the SNs determine whether a particular BN is malicious from its report of location information.
For location, BNs use first-hand information while the SNs use second-hand information only.
DRBTS also includes a method by which BNs can send out location requests as if they are coming from SNs during the periods of low network activities and traffic.
23年 4月 19日 60
presented by gcwang
DRBTS (contd..)
Unlike CONFIDANT, DRBTS does not distinguish between two types of first-hand information – personal experiences and direct observations.
In DRBTS, the nodes can share both positive and negative information. This ensures a quick learning time for the nodes.
DRBTS addresses malicious behavior of BNs. The unique problem that this scheme solves though very important in WSN research, is not encountered frequently.
However, the idea of the scheme can be suitably extended to other problem domain.
23年 4月 19日 61
presented by gcwang
Comparisons of Trust and Reputation Schemes
Techniques Watchdog/Pathrater
CONFIDANT CORE RFSN DRBTS OCEAN
Architecture Distributed and cooperative Standalone
Type of data collection Reputation Reputation Reputation Reputation Reputation Reputation
Data distribution Negative to source node
Negative to friends
Positive from RREP
√ BN to BN BN to SN
X
Observation Self –to- neighbor
√ √ √ √ √ √
Neighbor to neighbor
X √ X √ √ √
Misbehavior detection
Selfish-routing
X √ √ √ √ √
Selfish-packet
forwarding
√ √ √ √ √ √
Malicious-routing
X √ X √ √ X
Malicious-packet
forwarding
√ √ X √ √ X
Punishment X √ √ √ √ √
Avoid misbehaving node in route discovery
X X X √ √ √
23年 4月 19日 62
presented by gcwang
Some Open Problems
Trust modeling problem is inherently complicated due to uncertainties involved. Bayesian probability, Beta distribution are some of the tools that have been proposed to solve it. However, design of a reliable and robust trust framework for self-organizing networks like MANETs and WSN is still an open problem.
Bootstrapping problem: most of the existing systems require considerable time to build trust among the nodes. Developing an effective and efficient solution to minimize this latency is a big challenge.
Devising a suitable defense against an intelligent adversary strategy is another issue. Game theoretic modeling may be used for this purpose.
Designing algorithms for revocation of trust in the nodes is another challenge. Expelling a node due to misbehavior is a decision problem under uncertainty and requires a formal mathematical approach to solve. Most of the existing approaches solves it in an ad hoc manner.
Development of a robust scheme that motivates the nodes to publish their ratings honestly is another open problem. This is particularly challenging in MANETs as the nodes often do not belong to the same interest group.
23年 4月 19日 63
presented by gcwang
Conclusion
Reputation and Trust have emerged as two very important tools to facilitate distributed decision making in cooperative wireless networks.
This chapter has provided a detailed discussion on reputation and trust-based systems both from the perspectives of MANETs and WSNs.
Many aspects of the reputation and trust-based systems including their goals, properties, initialization process, and classification are discussed.
Various important design issues of reputation and trust-based systems, comprehensive review of some important models, and their comparative analysis are also presented.
Finally, some open problems in design of reputation and trust-based systems are discussed.
23年 4月 19日 64
presented by gcwang6523年 4月 19日
Route Discovery in DSR(1/6)
B
A
S E
F
H
J
D
C
G
IK
Z
Y
Represents a node that has received RREQ for D from S
M
N
L
presented by gcwang6623年 4月 19日
Route Discovery in DSR(2/6)
B
A
S E
F
H
J
D
C
G
IK
Represents transmission of RREQ
Z
YBroadcast transmission
M
N
L
[S]
[X,Y] Represents list of identifiers appended to RREQ
presented by gcwang6723年 4月 19日
Route Discovery in DSR(3/6)
B
A
S E
F
H
J
D
C
G
IK
• Node H receives packet RREQ from two neighbors: potential for collision
Z
Y
M
N
L
[S,E]
[S,C]
presented by gcwang6823年 4月 19日
Route Discovery in DSR(4/6)
B
A
S E
F
H
J
D
C
G
IK
• Node C receives RREQ from G and H, but does not forward it again, because node C has already forwarded RREQ once
Z
Y
M
N
L
[S,C,G]
[S,E,F]
presented by gcwang6923年 4月 19日
Route Discovery in DSR(5/6)
B
A
S E
F
H
J
D
C
G
IK
Z
Y
M
• Nodes J and K both broadcast RREQ to node D• Since nodes J and K are hidden from each other, their transmissions may collide
N
L
[S,C,G,K]
[S,E,F,J]
presented by gcwang7023年 4月 19日
Route Discovery in DSR(6/6)
B
A
S E
F
H
J
D
C
G
IK
Z
Y
• Node D does not forward RREQ, because node D is the intended target of the route discovery
M
N
L
[S,E,F,J,M]
presented by gcwang7123年 4月 19日
Route Reply in DSR
B
A
S E
F
H
J
D
C
G
IK
Z
Y
M
N
L
RREP [S,E,F,J,D]
Represents RREP control message
presented by gcwang7223年 4月 19日
Data Delivery in DSR
B
A
S E
F
H
J
D
C
G
IK
Z
Y
M
N
L
DATA [S,E,F,J,D]
Packet header size grows with route length
presented by gcwang
Route Requests in AODV
B
A
S E
F
H
J
D
C
G
IK
Z
Y
Represents a node that has received RREQ for D from S
M
N
L
23年 4月 19日 73
presented by gcwang
Route Requests in AODV
B
A
S E
F
H
J
D
C
G
IK
Represents transmission of RREQ
Z
YBroadcast transmission
M
N
L
23年 4月 19日 74
presented by gcwang
Route Requests in AODV
B
A
S E
F
H
J
D
C
G
IK
Represents links on Reverse Path
Z
Y
M
N
L
23年 4月 19日 75
presented by gcwang
Reverse Path Setup in AODV
B
A
S E
F
H
J
D
C
G
IK
• Node C receives RREQ from G and H, but does not forward it again, because node C has already forwarded RREQ once
Z
Y
M
N
L
23年 4月 19日 76
presented by gcwang
Reverse Path Setup in AODV
B
A
S E
F
H
J
D
C
G
IK
Z
Y
M
N
L
23年 4月 19日 77
presented by gcwang
Reverse Path Setup in AODV
B
A
S E
F
H
J
D
C
G
IK
Z
Y
• Node D does not forward RREQ, because node D is the intended target of the RREQ
M
N
L
23年 4月 19日 78
presented by gcwang
Route Reply in AODV
B
A
S E
F
H
J
D
C
G
IK
Z
Y
Represents links on path taken by RREP
M
N
L
23年 4月 19日 79
presented by gcwang
Forward Path Setup in AODV
B
A
S E
F
H
J
D
C
G
IK
Z
Y
M
N
L
Forward links are setup when RREP travels alongthe reverse path
Represents a link on the forward path23年 4月 19日 80
presented by gcwang
Data Delivery in AODV
B
A
S E
F
H
J
D
C
G
IK
Z
Y
M
N
L
Routing table entries used to forward data packet.
Route is not included in packet header.
DATA
23年 4月 19日 81
presented by gcwang
Pathrater
Operation Each node gives a rate to its known nodes Each node computes an average rate of intermediate nodes
on the route If there are multiple routes, select one with a high average
rate
A
B
E
C
D
F
A 1.0
B 0.5
C 0.5
D 0.5
E 0.5
F 0.5
route from A to D[A, E, C, D]
1.0
1.0
…
1.0
23年 4月 19日 82
presented by gcwang
Pathrater
Route Selection of Pathrater(1/4) Increase the rate of well behaved nodes on the route by 0.01
A
B
E
C
D
FA 1.0
B 0.5
C 0.51
D 0.51
E 0.51
F 0.5
route from A to D[A, E, C, D]
A 1.0
B 0.5
C 0.5
D 0.5
E 0.5
F 0.5
23年 4月 19日 83
presented by gcwang
Pathrater
Route Selection of Pathrater(2/4) Decrease the rate of an unreachable node by 0.05 Preserve the rate of an unused node
A
B
E
C
D
FA 1.0
B 0.5
C 0.5
D 0.5
E 0.5
F 0.5
route from A to D[A, E, C, D]
A 1.0
B 0.5
C 0.45
D 0.5
E 0.5
F 0.5
23年 4月 19日 84
presented by gcwang
Pathrater
Route Selection of Pathrater(3/4) If a node is notified as a malicious node by Watchdog, set the
node’s rate to -100
A
B
E
C
D
FA 1.0
B 0.5
C 0.5
D 0.5
E 0.5
F 0.5
route from A to D[A, E, C, D]
A 1.0
B 0.5
C -100
D 0.52
E 0.55
F 0.5
C is malicious
23年 4月 19日 85
presented by gcwang
Pathrater
Route Selection of Pathrater(4/4) When there are multiple paths, exclude a route having the
nodes with negative rate If needed, discover the new route
A
B
E
C
D
F
route from A to D[A, E, C, D] and[A, B, G, D]
A 1.0
B 0.5
C -100
D 0.5
E 0.5
F 0.5
G 0.5
C is malicious
G
23年 4月 19日 86