Title: Building A Trustworthy, Secure, And Privacy Preserving Network
1Building A Trustworthy, Secure, And Privacy
Preserving Network
- Bharat Bhargava
- CERIAS Security Center
- CWSA Wireless Center
- Department of CS and ECE
- Purdue University
- Supported by NSF IIS 0209059, NSF IIS 0242840 ,
- NSF ANI 0219110, CISCO, Motorola, IBM
2Research Team
- Faculty Collaborators
- Dongyan Xu, middleware and privacy
- Mike Zoltowski, smart antennas, wireless security
- Sonia Fahmy, Internet security
- Ninghui Li, trust
- Cristina Nita-Rotaru, Internet security
- Postdoc
- Lezsek Lilien, privacy and vulneribility
- Xiaoxin Wu, wireless security
- Jun Wen, QoS
- Mamata Jenamani, privacy
- Ph.D. students
- Ahsan Habib, Internet Security
- Mohamed Hefeeda, peer-to-peer
- Yi Lu, wireless security and congestion control
- Yuhui Zhong, trust management and fraud
- Weichao Wang, security of ad hoc networks
- More information at http//www.cs.purdue.edu/peopl
e/bb
3Motivation
- Lack of trust, privacy, security, and reliability
impedes information sharing among distributed
entities. - San Diego supercomputer center detected 13,000
DoS attacks in a three-week period eWeek, 2003 - Internet attacks in February, 2004 caused an
estimated 68 billion to 83 billion in damages
worldwide British Computer Security Report - Business losses due to privacy violations
- Online consumers worry about revealing personal
data - This fear held back 15 billion in online revenue
in 2001 - 52,658 reported system crashes caused by software
vulnerabilities in 2002 Express Computers 2002
4- Research is required for the creation of
knowledge and learning in secure networking,
systems, and applications.
5Goal
- Enable the deployment of security sensitive
applications in the pervasive computing and
communication environments.
6Problem Statement
- A trustworthy, secure, and privacy preserving
network platform must be established for trusted
collaboration. The fundamental research problems
include - Trust management
- Privacy preserved interactions
- Dealing with a variety of attacks and frauds in
networks - Intruder identification in ad hoc networks (focus
of this seminar)
7Applications/Broad Impacts
- Guidelines for the design and deployment of
security sensitive applications in the next
generation networks - Data sharing for medical research and treatment
- Collaboration among government agencies for
homeland security - Transportation system (security check during
travel, hazardous material disposal) - Collaboration among government officials, law
enforcement and security personnel, and health
care facilities during bio-terrorism and other
emergencies
8Scientific Contributions
- Trust formalization
- Privacy preservation in interactions
- Network tomography techniques for DoS attacks
- Intrusion detection and intruder identification
in ad hoc networks - Vulnerability analysis and threat assessment
9A. Trust Formalization
- Problem
- Dynamically establish and update trust among
entities in an open environment. - Research directions
- Handling uncertain evidence
- Modeling dynamic trust
- Formalization and detection of fraud
- Challenges
- Uncertain information complicates the inference
procedure. - Subjectivity leads to various interpretations
toward the same information. - The multi-faceted and context-dependent
characteristics of trust require tradeoff between
representation comprehensiveness and computation
simplicity of the trust model.
10Uncertain Evidence
- Probability-based approach to evaluate the
uncertainty of a logic expression given a set of
uncertain evidence - Atomic formula Bayes network causal inference
conditional probability interpretation of
opinion - AND/OR expressions rule defined by J?sang
J?sang'01 - Subjectivity is realized using discounting
operator proposed by Shafer Shafer'76
11Dynamic Trust
- Trust production based on direct interaction
- Identify behavior patterns and their
characteristic features - Determine which pattern is the best match of an
interaction sequence - Develop personalized trust production algorithms
considering behavior patterns - Reputation aggregation
- Global reputation vs. personalized reputation
- Personalized reputation aggregation
- Determine the subset of trust information useful
for a specific trustor by using collaborative
filters - Translate trust information into the scale of a
specific trustor
12Trust Enhanced Role Assignment (TERA) Prototype
- Trust enhanced role mapping (TERM) server
assigns roles to users based on - Uncertain subjective evidence
- Dynamic trust
- Reputation server
- Dynamic trust information repository
- Evaluate reputation from trust information by
using algorithms specified by TERM server
Prototype and demo are available at
http//www.cs.purdue.edu/homes/bb/NSFtrust/
13 TERA Architecture
14Trust Enhanced Role Mapping (TERM) Server
- Evidence rewriting
- Role assignment
- Policy parser
- Request processor inference engine
- Constraint enforcement
- Policy base
- Trust information management
- User behavior modeling
- Trust production
15TERM Server
16Fraud Formalization and Detection
- Model fraud intention
- Uncovered deceiving intention
- Trapping intention
- Illusive intention
- Fraud detection
- Profile-based anomaly detection
- Monitor suspicious actions based upon the
established patterns of an entity - State transition analysis
- Build an automaton to identify activities that
lead towards a fraudulent state
17Model Fraud Intentions
- Uncovered deceiving intention
- Satisfaction ratings are stably low.
- Ratings vary in a small range over time.
18Model Fraud Intentions
- Trapping intention
- Rating sequence can be divided into two phases
preparing and trapping. - A swindler behaves well to achieve a trustworthy
image before he conducts frauds.
19Model Fraud Intentions
- Illusive intention
- A smart swindler attempts to cover the bad
effects by intentionally doing something good
after misbehaviors. - Process of preparing and trapping is repeated.
20B. Private and Trusted Interactions
- Problem
- Preserve privacy, gain trust, and control
dissemination of data - Research directions
- Dissemination of private data
- Privacy and trust tradeoff
- Privacy metrics
- Challenges
- Specify policies through metadata and establish
guards as procedures - Efficient implementation
- Estimate privacy depending on who will get this
information, possible uses of this information,
and information disclosed in the past - Privacy metrics are usually ad hoc and customized
Detail slides at http//www.cs.purdue.edu/homes/bb
/priv_trust_cerias.ppt
21Preserving Privacy in Data Dissemination
- Design self-descriptive private objects
- Construct a mechanism for apoptosis of private
objects - apoptosis clean self-destruction
- Develop proximity-based evaporation of private
objects - Develop schemes for data distortions
22Privacy-Trust Tradeoff
- Gain a certain level of trust with the least loss
of privacy - Build trust based on digital credentials of users
that contain private information - Formulate the privacy-trust tradeoff problem
- Estimate privacy loss due to disclosing a set of
credentials - Estimate trust gain due to disclosing a set of
credentials - Develop algorithms that minimize privacy loss for
required trust gain
23Privacy Metrics
- Determine the degree of data privacy
- Size of anonymity set metrics
- Entropy-based metrics
- Privacy metrics should account for
- Dynamics of legitimate users
- Dynamics of violators
- Associated costs
24Size of Anonymity Set Metrics
- The larger set of indistinguishable entities, the
lower probability of identifying any one of them - Can use to anonymize a selected private
attribute value within the domain of its all
possible values
Hiding in a crowd
Less anonymous (1/4)
25Dynamics of Entropy
- Decrease of system entropy with attribute
disclosures (capturing dynamics) - When entropy reaches a threshold (b), data
evaporation can be invoked to increase entropy by
controlled data distortions - When entropy drops to a very low level (c),
apoptosis can be triggered to destroy private
data - Entropy increases (d) if the set of attributes
grows or the disclosed attributes become less
valuable e.g., obsolete or more data now
available
H
Entropy Level
All attributes
Disclosed attributes
(a)
(b)
(c)
(d)
26Private and Trusted System (PRETTY) Prototype
(4)
(1)
(2)
2c2
(3) User Role
2a
2b 2d
2c1
TERA Trust-Enhanced Role Assignment
27Information Flow for PRETTY
- User application sends query to server
application. - Server application sends user information to TERA
server for trust evaluation and role assignment. - If a higher trust level is required for query,
TERA server sends the request for more users
credentials to privacy negotiator. - Based on servers privacy policies and the
credential requirements, privacy negotiator
interacts with users privacy negotiator to build
a higher level of trust. - Trust gain and privacy loss evaluator selects
credentials that will increase trust to the
required level with the least privacy loss.
Calculation considers credential requirements and
credentials disclosed in previous interactions. - According to privacy policies and calculated
privacy loss, users privacy negotiator decides
whether or not to supply credentials to the
server. - Once trust level meets the minimum requirements,
appropriate roles are assigned to user for
execution of his query. - Based on query results, users trust level and
privacy polices, data disseminator determines
(i) whether to distort data and if so to what
degree, and (ii) what privacy enforcement
metadata should be associated with it.
28Experimental Studies
- Private object implementation
- Validate and evaluate the cost, efficiency, and
the impacts on the dissemination of objects - Study the apoptosis and evaporation mechanisms
for private objects - Tradeoff between privacy and trust
- Study the effectiveness and efficiency of the
probability-based and lattice-based privacy loss
evaluation methods - Assess the usability of the evaluator of trust
gain and privacy loss - Location-based routing and services
- Evaluate the dynamic mappings between trust
levels and distortion levels
29C. Tomography Research
- Problem
- Defend against denial of service attacks
- Optimize the selection of data providers in
peer-to-peer systems - Research Directions
- Stripe based probing to infer individual link
loss by edge-to-edge measurements - Overlay based monitoring to identify congested
links by end-to-end path measurement - Topology inference to estimate available
bandwidth by path segment measurements
30Defeating DoS Attacks in Internet
31Overlay-based Monitoring
- Do not need individual link loss to identify all
congested links - Edge routers form an overlay network for probing.
Each edge router probe part of the network - Problem statement
- Given topology of a network domain, identify
which links are congested and possibly under
attack
32Attack Scenarios
Delay (ms)
Loss Ratio
Time (sec)
Time (sec)
(a) Changing delay pattern due to attack
(b) Changing in loss pattern due to attack
33Identified Congested Links
Loss Ratio
Loss Ratio
Time (sec)
Time (sec)
(a) Counter clockwise probing
(b) Clockwise probing
Probe46 in graph (a) and Probe76 in graph (b)
observe high losses, which means link C4 ? E6 is
congested.
34Probing Simple Method
Congested link
35Analyzing Simple Method
- Lemma 1. If P and P are probe paths in the first
and the second round of probing respectively,
P P 1 - Theorem 1. If only one probe path P is shown to
be congested in any round of probing, the simple
method successfully identifies status of each
link in P - Performs better if edge-to-edge paths are
congested - The average length of the probe paths in the
Simple method is 4
36Performance Simple Method
- Theorem 2. Let p be the probability of a link
being congested in any arbitrary overlay network.
The simple method determines the status of any
link of the topology with probability at least
2(1-p)4-(1-p)7p(1-p)12
Detection Probability
Frac of actual congested links
37Advanced Method
- AdvancedMethod()
- begin
- Conduct Simple Method. E is the unsolved
equation set - for Each undecided variable Xij of E do
- node1 FindNode(Tree T, vi, IN)
- node2 FindNode(Tree T, vj , OUT)
- if node1 ? NULL AND node2 ? NULL then
- Probe(node1, node2). Update equation set E
- end if
- Stop if no more probe exists
- endfor
- end
38Analyzing Advanced Method
- Lemma 2. For an arbitrary overlay network with n
edge routers, on the average a link lies on b
edge-to-edge paths - Lemma 3. For an arbitrary overlay network with n
edge routers, the average length of all
edge-to-edge paths is d - Theorem 3. Let p be the probability of a link
being congested. The advanced method can detect
the status of a link with probability at least
(1-(1-(1-p)d)b)
39- D. Intruder Identification in Adhoc On-demand
Distance Vector (AODV) - Problem
- AODV are vulnerable to various attacks such as
false distance vector, false destination
sequence, and wormhole attacks - Detecting attacks without identifying and
isolating the malicious hosts leaves the security
mechanisms in a passive mode - Challenges
- Locate the sources of attacks in a self-organized
infrastructure - Combine local decisions with knowledge from other
hosts to achieve consistent conclusions on the
malicious hosts
40Attacks on Routing in Mobile Ad Hoc Networks
Attacks on routing
Active attacks
Passive attacks
Packet silent discard
Routing information hiding
Routing procedure
Flood network
Route request
Route broken message
False reply
Wormhole attacks
41- Related Work
- Vulnerability model of ad hoc routing protocols
Yang et al., SASN 03 - A generic multi layer integrated IDS structure
Zhang and Lee, MobiCom 00 - IDS combining with trust Albert et al., ICEIS
02 - Information theoretic measures using entropy
Okazaki et al., SAINT 02 - SAODV adopts both hash chain and digital
signature to protect routing information Zapata
et al, WiSe03 - Security-aware ad hoc routing Kravets et al,
MobiHOC01
42Ideas
- Monitor the sequence numbers in the route request
packets to detect abnormal conditions - Apply reverse labeling restriction to identify
and isolate attackers - Combine local decisions with knowledge from other
hosts to achieve consistent conclusions - Combine with trust assessment methods to improve
robustness
43Introduction to AODV
- Introduced in 97 by Perkins at NOKIA, Royer at
UCSB - 12 versions of IETF draft in 4 years, 4 academic
implementations, 2 simulations - Combines on-demand and distance vector
- Broadcast Route Query, Unicast Route Reply
- Quick adaptation to dynamic link condition and
scalability to large scale network - Support multicast
44Route Discovery in AODV (An Example)
D
S1
S3
S2
S4
S
Route to the source
Route to the destination
45Attacks on AODV
- Route request flooding
- query non-existing host (RREQ will flood
throughout the network) - False distance vector
- reply one hop to destination to every request
and select a large enough sequence number - False destination sequence number
- select a large number (even beat the reply from
the real destination) - Wormhole attacks
- tunnel route request through wormhole and attract
the data traffic to the wormhole - Coordinated attacks
- The malicious hosts establish trust to frame
other hosts, or conduct attacks alternatively to
avoid being identified
46Impacts of Attacks on AODV
We simulate the attacks and measure their impacts
on packet delivery ratios and protocol overhead
47False Destination Sequence Attack
D
S3
S
S1
S2
M
Packets from S to D are sinking at M. Node
movement breaks the path from S to M (trigger
route rediscovery).
48During Route Rediscovery, False Destination
Sequence Attack Is Detected
(1). S broadcasts a request that carries the old
sequence 1 21
(2) D receives the RREQ. Local sequence is 5, but
the sequence in RREQ is 21. D detects the false
desti-nation sequence attack.
D
S3
RREQ(D, 21)
S
S1
S2
M
S4
Propagation of RREQ
49Reverse Labeling Restriction (RLR)
- Blacklists are updated after an attack is
detected. - Basic Ideas
- Every host maintains a blacklist to record
suspicious hosts. Suspicious hosts can be
released from the blacklist. - The destination host will broadcast an INVALID
packet with its signature when it finds that the
system is under attack on sequence. The packet
carries the hosts identification, current
sequence, new sequence, and its own blacklist. - Every host receiving this packet will examine its
route entry to the destination host. If the
sequence number is larger than the current
sequence in INVALID packet, the presence of an
attack is noted. The previous host that provides
the false route will be added into this hosts
blacklist.
50D
S3
INVALID ( D, 5, 21, , SIGN )
S
S1
S2
M
S4
D broadcasts INVALID packet with current sequence
5, new sequence 21. S3 examines its route
table, the entry to D is not false. S3 forwards
packet to S1. S1 finds that its route entry to D
has sequence 20, which is gt 5. It knows that the
route is false. The hop which provides this false
route to S1 was S2. S2 will be put into S1s
blacklist. S1 forwards packet to S2 and S. S2
adds M into its blacklist. S adds S1 into its
blacklist. S forwards packet to S4. S4 does not
change its blacklist since it is not involved in
this route.
Correct destination sequence number is
broadcasted. Blacklist at each host in the path
is determined.
51D1
D2
S3
M
S4
M
M
D4
D3
M
M
S2
S1
M attacks 4 routes (S1-D1, S2-D2, S3-D3, and
S4-D4). When the first two false routes are
detected, D3 and D4 add M into their blacklists.
When later D3 and D4 become victim destinations,
they will broadcast their blacklists, and every
host will get two votes that M is malicious host.
Hosts closer to malicious site are in blacklists
of multiple hosts. In the above figure, M is in
four blacklists.
52Combine Local Decisions with Knowledge from Other
Hosts
- When a host is destination of a route and is
victim by any malicious host, it will broadcast
its blacklist. - Each host obtains blacklists from victim hosts.
- If M is in multiple blacklists, M is classified
as a malicious host based on certain threshold. - Intruder is identified.
- Trust values can be assigned to other hosts based
on past information.
53Acceleration in Intruder Identification
D3
D3
D2
D2
D1
D1
M2
M3
M2
M3
M1
M1
S2
S2
S1
S3
S3
S1
Routing topology
Reverse labeling procedure
Multiple attackers exist in the network. More
routes are under attack. When the false routes
are detected, more blacklists will be
broadcasted.
54Reverse Labeling Restriction
- Update Blacklist by INVALID Packet
- Next hop on the invalid route will be put into
local blacklist, a timer starts, and a counter
increases. The time duration that the host stays
in blacklist is exponential to the counter value. - Labeling process will be conducted in the reverse
direction of the false route. - When timer expires, the suspicious host will be
released from the blacklist and routing
information from it will be accepted.
55Deal With Hosts in Blacklist
- Packets from hosts in blacklist
- Route request If the request is from suspicious
hosts, ignore it. - Route reply If the previous hop is suspicious
and the query destination is not the previous
hop, the reply will be ignored. - Route error will be processed as usual. RERR
will activate re-discovery, which will help to
detect attacks on destination sequence. - INVALID if the sender is suspicious, the packet
will be processed but the blacklist will be
ignored.
56Attacks of Malicious Hosts on RLR
- Attack 1 Malicious host M sends false INVALID
packet - Because the INVALID packets are signed, it cannot
send the packets in other hosts name - If M sends INVALID in its own name
- If the reported sequence number is greater than
the real sequence number, every host ignores this
attack - If the reported sequence number is less than the
real sequence number, RLR will converge at the
malicious host. M is included in blacklist of
more hosts. M accelerated the intruder
identification directing towards M.
57- Attack 2 Malicious host M frames other innocent
hosts by sending false blacklist - If the malicious host has been identified, the
blacklist will be ignored - If the malicious host has not been identified,
this operation can only make the threshold lower.
If the threshold is selected properly, it will
not impact the identification results. - Combining trust can further limit the impact of
this attack.
58- Attack 3 Malicious host M only sends false
destination sequence about some special host - The special host will detect the attack and send
INVALID packets. - Other hosts can establish new routes to the
destination by receiving the INVALID packets.
59Experimental Studies of RLR
- The experiments are conducted using ns2.
- Various network scenarios are formed by varying
the number of independent attackers, number of
connections, and host mobility. - The examined parameters include
- Packet delivery ratio
- Identification accuracy false positive and false
negative ratio - Communication and computation overhead
60Simulation Parameter
61Experiment 1 Measure the Changes in Packet
Delivery Ratio
- Purpose investigate the impacts of host
mobility, number of attackers, and number of
connections on the performance improvement
brought by RLR - Input parameters host pause time, number of
independent attackers, number of connections - Output parameters packet delivery ratio
- Observation When only one attacker exists in the
network, RLR brings a 30 increase in the
packet delivery ratio. When multiple attacker
exist in the system, the delivery ratio will not
recover before all attackers are identified.
62Increase in Packet Delivery Ratio Single Attacker
X-axis is host pause time, which evaluates the
mobility of host. Y-axis is delivery ratio. 25
connections and 50 connections are considered.
RLR brings a 30 increase in delivery ratio. 100
delivery is difficult to achieve due to network
partition, route discovery delay and buffer.
63Increase in Packet Delivery Ratio Multiple
Attackers
X-axis is number of attackers. Y-axis is delivery
ratio. 25 connections and 50 connections are
considered. RLR brings a 20 to 30 increase in
delivery ratio.
64Experiment 2 Measure the Accuracy of Intruder
Identification
- Purpose investigate the impacts of host
mobility, number of attackers ,and connection
scenarios on the detection accuracy of RLR - Input parameters number of independent
attackers, number of connections, host
pause time - Output parameters false positive alarm ratio,
false negative alarm ratio - Observation The increase in connections may
improve the detection accuracy of RLR. When
multiple attackers exist in the network, RLR has
a high false positive ratio.
65Accuracy of RLR Single Attacker
The accuracy of RLR when there is only one
attacker in the system
66Accuracy of RLR Multiple Attackers
The accuracy of RLR when there are multiple
attackers
67Experiment 3 Measure the Communication Overhead
- Purpose investigate the impacts of host
mobility and connection scenarios on the
overhead of RLR - Input parameters number of connections, host
pause time - Output parameters control packet overhead
- Observation When no false destination sequence
attacks exist in the network, RLR introduces
small packet overhead into the system.
68Control Packet Overhead
X-axis is host pause time, which evaluates the
mobility of host. Y-axis is normalized overhead
( of control packet / of delivered data
packet). 25 connections and 50 connections are
considered. RLR increases the overhead slightly.
69Research Opportunities Improve Robustness of RLR
- Protect the good hosts from being framed by
malicious hosts - The malicious hosts can frame the good hosts by
putting them into blacklist. - By lowering the trust values of both complainer
and complainee, we can restrict the impacts of
the gossip distributed by the attackers. - Adopting the trust management scheme proposed by
Aberer and Despotovic CIKM01 to determine the
lowering speed.
70- Avoid putting every host into blacklist
- Combining the host density and movement model, we
can estimate the time ratio that two hosts are
neighbors - The counter for a suspicious host decreases as
time passes - Adjusting the decreasing ratio to control the
average percentage of time that a host stays in
the blacklist of another host
71- Defend against coordinated attacks
- The behaviors of collusive attackers show
Byzantine manners. The malicious hosts may
establish trust to frame other hosts, or conduct
attacks alternatively to avoid being identified. - Look for the effective methods to defend against
such attacks. Possible research directions
include - Apply classification methods to detect the hosts
that have similar behavior patterns - Study the behavior histories of the hosts that
belong to the same group and detect the pattern
of malicious behavior (time-based, order-based)
72An Architecture of Intruder Identification Agent
73- Intruder identification can be applied to detect
more attacks in ad hoc networks - DoS attacks
- Malicious discard
- Trust abuse and privacy violation
- Reverse labeling mechanism can be applied to
identify the attackers that - Disseminate false routing information
- Discard data packets
- Generate gossip to destroy other hosts reputation
74Conclusions on Intruder Identification
- False destination sequence attacks can be
detected by the anomaly patterns of the sequence
numbers - Reverse labeling method can reconstruct the false
routing tree - Isolating the attackers brings a sharp increase
in network performance - On going research will improve the robustness of
the mechanism and the accuracy of identification
75Related Ongoing Research
- Detecting wormhole attacks
- Position-based private routing in ad hoc networks
- Fault tolerant authentication in movable base
station systems - Congestion avoidance routing in ad hoc networks
76Detecting Wormhole Attacks
- Problem statement
- The malicious nodes can eavesdrop the packets,
tunnel them to another location in the network,
and retransmit them. This generates a false
scenario that the original sender is in the
neighborhood of the remote location.
wireless node 1
wireless node 2
attacker 1
attacker 2
77- Research challenges
- Detect wormholes when the malicious host can be
the legal member of the network - Control the overhead introduced by wormhole
detection to avoid the hosts being overwhelmed
78Classification of Wormholes
- the wormholes are divided into 3 groups
- Closed
- Half open
- Open
79The Approach End-to-End Mechanism
- Assumption
- The hosts have the positioning devices and
loosely synchronized clocks - Pair-wise keys have been deployed
- Ideas
- The source and the intermediate hosts will attach
the lttime, positiongt pairs that record the
receiving and forwarding events - The attached information is protected by message
authentication codes (MAC) - The neighbor relation validations are conducted
by the destination
80Validation at the Destination
- The MAC codes are calculated correctly
- The neighbor hosts are within the radio range
when the packet is passed - The average moving speed between the lttime,
positiongt pairs from the same host does not
exceed the maximum value.
81Controlling Overhead Cell-based Open Tunnel
Avoidance
- Divide the area into same-sized cells and the
time into same-length slots - Require a constant storage space and linear
computation operations for every intermediate
host - Have a configurable wormhole detection capability
82Computation Efficiency
- The experiments are conducted on a iPAQ 3630 with
206M Hz CPU and 64M RAM - The computation overhead of wormhole detection
for one 10-hop route consumes less than 0.5 of
its CPU. - The computation resource of a real PDA can
support wormhole detection using COTA without
trouble.
83Conclusions
- The end-to-end mechanism can detect half open and
open wormholes in ad hoc networks - As a position information management scheme, COTA
requires constant storage space and linear
computation resource for every intermediate host - The proposed mechanism can be adopted by real
mobile devices
84B. Position-based Private Routing in Ad Hoc
Networks
- Problem statement
- To hide the identities of the nodes who are
involved in routing in mobile wireless ad hoc
networks. - Challenges
- Traditional ad hoc routing algorithms depend on
private information (e.g., ID) exposure in the
network. - Privacy solutions for P2P networks are not
suitable in ad hoc networks.
85Weak Privacy for Traditional Position-based Ad
Hoc Routing Algorithm
- Position information of each node has to be
locally broadcast periodically. - Adversaries are able to obtain node trajectory
based on the position report. - Adversaries can estimate network topology.
- Once a match between a node position and its real
ID is found, a tracer can always stay close to
this node and monitor its behavior.
86AO2P Ad Hoc On-Demand Position-based Private
Routing
- Position of destination is the information
exposed in the network for routing discovery. - A receiver-contention scheme is designed to
determine the next hop in a route. - Pseudo IDs are used instead of real IDs for data
packet delivery after a route is built up. - Route with a smaller number of hops will be used
for better end-to-end throughput. -
87AO2P Routing Privacy and Accuracy
- Only the position of destination is revealed in
the network for routing discovery. The privacy of
the destination relies on the difficulty of
matching a position to a node ID. - Node mobility enhances destination privacy
because a match between a position to a node ID
is temporary. - The privacy for the source and the intermediate
forwarders is well preserved. - Routing accuracy relies on the fact that at a
specific time, only one node can be at a
position. Since the pseudo ID for a node is
generated from its position and the time it is at
that position, the probability that more than one
node have the same pseudo ID is negligible.
88Privacy Enhancement R-AO2P
- The position of reference point is carried in
rreq instead of the position of the destination. - The reference point is on the extended line from
the sender to the destination. It can be used for
routing discovery because generally, a node that
processes the rreq closer to the reference point
will also process the rreq closer to the
destination. - The position of the destination is only disclosed
to the nodes who are involved in routing.
Reference point in R-AO2P
89Illustrated Results
- Average delay for next hop determination
90Illustrated Results
91Conclusions
- AO2P preserves node privacy in mobile ad hoc
networks. - AO2P has low next hop determination delay.
- Compared to other position-based ad hoc routing
algorithm, AO2P has little routing performance
degradation.
92- C. Fault Tolerant Authentication in Movable Base
Station System - Problem
- To ensure security and prevent theft of resources
(like bandwidth), all the packets originating
inside the network should be authenticated. - Authentication may become unreliable when base
station fails or node moves from one cell to
another. - Challenge
- How to design fault tolerant authentication
methods that are robust in the above conditions - How to design the protocols adaptable and
re-configurable
93Proposed Schemes
- We propose two schemes to solve the problem.
- Virtual Home Agent
- Hierarchical Authentication
- They differ in the architecture and the
responsibilities that the Mobile Nodes and Base
Stations (Agents) hold.
94Virtual Home Agent Scheme
95Advantages of Proposed Scheme
- Has only 3 states and hence the overhead of state
maintenance is negligible. - Very few tasks need to be performed in each state
(outlined in the tech report). - Flexible there could be multiple VHAs in the
same LAN and a MHA could be a BHA for another
VHA, a BHA could be a BHA for more than one VHA
at the same time.
96Disadvantages of Virtual HA Solution
- Not scalable if every packet has to be
authenticated - Ex huge audio or video data
- BHA (Backup Home Agents) are idle most of the
time (they just listen to MHAs advertisements. - Central Database is still a single point of
failure.
97Hierarchical Authentication Scheme
- Multiple Home Agents in a LAN are organized in a
hierarchy (like a tree data structure). - A Mobile Node shares a key with each of the
Agents above it in the tree (Multiple Keys). - At any time, highest priority key is used for
sending packets or obtaining any other kind of
service.
98Hierarchical Authentication Scheme
99Hierarchical Authentication Scheme
- Key Priority depends on several factors and
computed as cumulative sum of weighted priorities
of each factors - Example Factors
- Communication Delays
- Processing Speed of the Agents
- Key Usage
- Life Time of the Key
100D. Congestion Avoidance Routing in Ad Hoc Networks
- Objective
- To bring the consideration of congestion in the
design of the routing protocols. - Thrust
- To avoid congestion by minimizing contention for
channel access. - Challenges
- The global coupling effect of wireless channel
access in ad hoc networks. - Quantification of congestion without exchanging
messages with neighbors.
101Intermediate Delay (IMD)
- IMD is a routing metric that characterizes the
impacts of channel contention, the length of the
route, and the traffic load at individual nodes. - IMD estimates the delay introduced by the
intermediate nodes along the route using the sum
of delays from each node.
102Ad Hoc Routing Based on IMD
- Simplification of delay computation
- If channel capacity is C and packet size is P,
delay is P/C. - If n nodes are in contention for a channel, each
node gets C/n share of the channel capacity. The
delay is nP/C.
Adapt to changes in traffic and network topology
103Delay Estimation
- A mobile node is modeled as a single server
queuing system. - Total delay includes the delay for transmitting a
packet and the delay in the queue. - The key is to estimate the delay for transmitting
a packet. - Node with active traffic
- Use the mean value to estimate the delay.
- Node without active traffic
- Study the procedure of packet transmission to
obtain the expectation of the delay.
104IEEE 802.11 DCF (Distributed Coordination
Function)
ETsuccTRTSTCTSTDATATACK3TSIFSETbackoff E
TfailTRTSTtimeoutETbackoff
105SAGA Self-Adjusting Congestion Avoidance Routing
Protocol
- SAGA is a distance vector routing protocol.
- use IMD instead of hop count as the distance
- bypass hop spots where contention is intense
- Lazy route query uses special route advertisement
for local route discovery. - Approach to reduce the oscillation of IMD and
prevent a node from switching back and forth
among alternative routes.
106Experimental Evaluation
- Objective
- Study the performance of SAGA, AODV, DSR, and
DSDV under congestion. - Performance metrics
- Throughput, delivery ratio, protocol overhead,
and end-to-end delay - Method
- Simulation using the network simulator ns2
- Two types of UDP traffic constant bit rate (CBR)
and pareto on/off (POO) - The offered traffic load is taken as the input
parameter - Six experiments by varying the maximum speed of
movement of nodes and the number of connections - Five independent runs with random scenarios for
each experiment
10730 CBR Connections, Low Mobility (4m/s)
10810 POO Connections, High Mobility (20m/s)