Dealing with Liars: Misbehavior Identification via Rényi-Ulam Games
William Kozma Jr. and Loukas Lazos
Dept. of Electrical and Computer Engineering
University of Arizona
Routing in Ad Hoc Networks
Ad hoc networks lack a network infrastructure
Limited communication range
Nodes rely on multi-hop routes to communicate
Any node may act as a router
Routing implemented on the basis of collaboration
Implicit trust placed on intermediate routers
William Kozma Jr. and Loukas Lazos,
SecureComm 2009
Node Misbehavior
Nodes may be compromised physically or remotely
Sophisticated users - alter software/hardware of their device
Adversaries with intimate knowledge of node operation
One type of misbehavior is packet dropping
Selfishness – Refuse to forward packets to conserve energy
Maliciousness – Refuse to forward packets to degrade network performance
The Misbehavior Identification Problem
Given a path P_SD from source S to destination D, identify
misbehaving nodes that drop packets, in a resource-efficient
manner
Current Solutions
Acknowledgment-Based Schemes (e.g., 2ACK, Liu et al.; Byzantine
fault detection, Awerbuch et al.)
Packets acknowledged 2 hops or more upstream
Reputation-Based (e.g., CONFIDANT, Buchegger et al.)
Rely on message overhearing to verify forwarding
Credit-Based (e.g., Sprite, Zhong et al.)
Provide incentive for a node to cooperate
All schemes incur overhead on a per-packet basis
Research Goal
Per-packet behavior evaluation is too expensive in
Energy (operating in promiscuous mode)
Performance (must observe instead of sleeping or communicating concurrently)
Communication (may consume more bandwidth)
Critical questions
Can we perform per-packet evaluation without per-packet
monitoring (or very low per-packet overhead)?
What penalty do we have to accept as the trade-off?
Implicit Node Monitoring
Nodes record a proof of packets they receive/forward
Some nodes are audited to provide proof of behaving
Multiple proofs are combined to identify misbehavior
Use the honest to identify the malicious
[Figure: path from S to D through n1, ..., n6, with an Audit Request and Audit Replies]
Analogy to Rényi-Ulam Games
The process of combining multiple audits to identify a
misbehaving node is analogous to Rényi-Ulam games
Rényi-Ulam game: the game of 20 questions
[Figure: the Questioner (q questions) sends a Question to the Responder (ℓ lies), who returns a Reply; search space Ω = [1, 2, …, n]; secret value ω]
Questioner wins if ω is determined in at most q questions
Responder has a limited number of lies ℓ
Winning strategy: a strategy that wins regardless of how lies
occur
Misbehavior Identification as a Rényi-Ulam Game
Rényi-Ulam Game:
Questioner asks "ω ≤ y?"; Responder replies "Yes"
Secret Value: ω in Ω
Misbehaving Node Identification:
[Figure: Questioner S sends the Question "Did you see packets X?" along the path n1, ..., n5, D; the Response is "Yes || Proof"; the nodes of the path are the Search Space, and the Responder and ω are nodes on it]
Types of Rényi-Ulam Games
Two questioning modes:
Batch
Adaptive
[Figure: Questioner and Responder exchanging questions Q1, Q2, Q3 and replies R1, R2, R3 in each mode]
Two types of questions:
Cut questions
Membership questions
[Figure: example cut questions ("Is ω ≤ y?") and membership questions ("Is ω in A?") with Yes/No answers over a range Ω]
Goal: Devise a strategy to always find ω in the
least number of questions
Implementing Cut Questions
X_i: set of packets forwarded by node n_i
Is the misbehaving node upstream of audited node n_i (ω ≤ y)?
|X_S ∩ X_i| ≈ |X_S|: n_i claims misbehavior occurs downstream (ω ≥ y)
|X_S ∩ X_i| << |X_S|: n_i claims misbehavior occurs upstream (ω ≤ y)
[Figure: path from S to D through n1, ..., n6; legend: Behaving Node, Suspicious Node]
Adaptive Auditing with Cut Questions
Pelc's questioning strategy [Pelc '89]:
Binary search requiring log_2 k questions; determine value ω'
ℓ questions on whether ω' = ω; total # of questions log_2 k + ℓ
Auditing Strategy:
V = P_SD = {n1,…,n_k}
|X_S ∩ X_i| ≈ |X_S|: V = {n_i,…,n_k}
|X_S ∩ X_i| << |X_S|: V = {n1,…,n_i}
Winning strategy: q = log_2 |P_SD| + 2 (|M| + 1) audits
[Figure: path from S to D through n1, ..., n6 with the Misbehaving Link marked; legend: Behaving Node, Suspicious Node]
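The cut-question search above, as an added simulation that is not code from the slides or the authors. S and D are treated as path endpoints 0 and k+1, the misbehaving node drops every packet, and the 0.5 threshold and the two ways the misbehaving node answers its own audit are assumptions; the search ends on a link with the misbehaving node at one end whichever way it answers.

```python
import math

SENT = frozenset(range(200))   # constructed: packet ids X_S sent by S

def audit(i, bad, lie, sent=SENT):
    """Packet set X_i that node n_i reports when audited (simulated)."""
    if i < bad:
        return set(sent)            # honest node upstream of the drop
    if i > bad:
        return set()                # honest node: nothing reached it
    # The misbehaving node answers however it likes (hypothetical modes).
    return set(sent) if lie == "claim_forwarded" else set()

def find_misbehaving_link(k, bad, lie, sent=SENT, threshold=0.5):
    """Binary search over S=0, n_1..n_k, D=k+1 using cut questions."""
    lo, hi = 0, k + 1               # S holds X_S; D reports the loss
    audits = 0
    while hi - lo > 1:
        mid = (lo + hi) // 2
        x_i = audit(mid, bad, lie, sent)
        audits += 1
        if len(sent & x_i) >= threshold * len(sent):
            lo = mid                # |X_S ∩ X_i| ≈ |X_S|: V = {n_i..n_k}
        else:
            hi = mid                # |X_S ∩ X_i| << |X_S|: V = {n_1..n_i}
    return (lo, hi), audits

def max_audits(k):
    """Upper bound on audits for path division alone (no path expansion)."""
    return math.ceil(math.log2(k + 1))

if __name__ == "__main__":
    for lie in ("claim_forwarded", "claim_nothing"):
        print(lie, find_misbehaving_link(8, 5, lie))
```

Only the link is identified here; separating the two nodes on it is the job of the path division and expansion step on the next slide.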
Node Identification
One misbehaving node
Path division: exclude nodes in turn
Path expansion: add node to remove misbehaving link
Multiple misbehaving nodes
Identification process repeated |M| + 1 times
[Figure: path from S to D through n1, ..., n6, with nodes nα and nβ; legend: Behaving Node, Suspicious Node]
How About Colluders?
Colluding nodes can cause incorrect convergence
To avoid framing, n3 and n4 are simultaneously audited
Since |X_3 ∩ X_4| ≈ |X_3|, then |M| ≥ 2
Partition P_SD into P_Sn3 and P_n4D; search each independently
[Figure: path from S to D through n1, ..., n6; legend: Behaving Node, Suspicious Node]
Adaptive Auditing with Membership Questions
Dhagat's questioning strategy [Dhagat '92]:
Perform a binary-based search while checking for contradicting answers
Let V_i = Ω = {1,…,k}; divide V_i into two equal subsets A = {1,…,k/2}, B =
{k/2,…,k}
"Is ω in A?" then V_{i+1} = A
"Is ω in B?" then V_{i+1} = B
Else contradiction among answers; return to previous stage (V_{i-1})
[Figure: Questioner and Responder example with ω = 9, starting from V = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}; membership questions on subsets A and B answered Yes or No]
Winning strategy if q =
Adaptive Auditing with Membership Questions
Membership questions constructed from two audits
"Is n_M in A = {n1,…,n4}?" implies |X_1 ∩ X_4| << |X_1|
Auditing Strategy
V_1 = P_SD = {n1,…,n_k}; A = {n1,…,n_i}, B = {n_i,…,n_k}
If |X_1 ∩ X_i| << |X_1|, V_{i+1} = A, else
If |X_i ∩ X_k| << |X_i|, V_{i+1} = B, else
Return to previous stage if contradiction found (V_{i-1})
Select a new n_i to prevent repetitive lies
Worst case: q ≤ 4 log_2 (|P_SD|) + 2 (|M| + 1) audits
[Figure: path from S to D through n1, ..., n6; legend: Behaving Node, Suspicious Node]
Creating Audit Replies
Commit to a claim of a set of packets X_i received/forwarded
Bloom filters provide a compact representation of a membership
set X_i
[Figure: element x hashed by h1, h2, …, hk into bit positions of v, an m-bit vector]
Evaluating Responses (1)
Source sends audit request
Defines the duration and starting packet number
Audited node adds packets to its Bloom filter
Signs filter with its private key and sends it back to the source
Signed Bloom filter acts as a commitment to packets forwarded
Source computes:
sig
X4(X4)
[Figure: path from S to D through n1, ..., n6, with an Audit Request]
Per-packet evaluation without per-packet overhead; only the
m-bit vector is sent to the source
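How an audit reply built as a Bloom filter can be evaluated at the source, as an added sketch that is not code from the slides or the authors. The filter length, the number of hash functions, the salted SHA-256 hashing, the 0.5 threshold and the membership-test estimate of |X_S ∩ X_i| are all assumptions, and the signature over the filter is left out.

```python
import hashlib

M_BITS = 1024      # assumed filter length m
K_HASHES = 4       # assumed number of hash functions h1..hk

def positions(packet: bytes):
    """Bit positions for one packet, from salted SHA-256 (an assumption)."""
    for j in range(K_HASHES):
        digest = hashlib.sha256(bytes([j]) + packet).digest()
        yield int.from_bytes(digest[:8], "big") % M_BITS

def build_filter(packets):
    """Audited node: fold every forwarded packet into the m-bit vector v."""
    v = 0
    for p in packets:
        for pos in positions(p):
            v |= 1 << pos
    return v

def contains(v, packet):
    """True if all k bits for the packet are set (false positives possible)."""
    return all((v >> pos) & 1 for pos in positions(packet))

def overlap_fraction(sent, v):
    """Source: share of its own packets X_S that test positive in v."""
    return sum(contains(v, p) for p in sent) / len(sent)

def claim(sent, v, threshold=0.5):
    """Read the reply as a cut-question answer about where packets are lost."""
    return "downstream" if overlap_fraction(sent, v) >= threshold else "upstream"

# Constructed sample: 100 packets sent by S during the audit window.
SENT = [f"pkt-{n}".encode() for n in range(100)]

if __name__ == "__main__":
    full = build_filter(SENT)          # node that forwarded everything
    sparse = build_filter(SENT[:5])    # node that saw only 5 packets
    print(overlap_fraction(SENT, full), claim(SENT, full))
    print(overlap_fraction(SENT, sparse), claim(SENT, sparse))
```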
Impact of Mobility
Addition/Removal of an honest node does not affect REAct
Misbehaving node added to P_SD
Added to V; as if there from start of search
Added outside of V; as if two colluding nodes existed in P_SD
Misbehaving node removed from P_SD
Performance resumed
[Figure: path from S to D through n1, ..., n5, with node nα]
Performance Evaluation
Metrics of interest:
Communication Overhead
Identification Delay
Compared our scheme to:
CONFIDANT (reputation-based scheme)
2ACK (acknowledgment-based scheme)
AWERBUCH (acknowledgment-based scheme)
For CONFIDANT, defined energy for overhearing as 0.5 times
the energy for transmission
For 2ACK, varied percent of packets acknowledged, p = {1,
0.5, 0.1}
Communication Overhead for 1 Misbehaving Node
Communication Overhead as a Function of Audit Size
Identification Delay
Communication Overhead
Take Away Remarks
For resource-constrained networks, per-packet behavior
evaluation is too resource demanding
We can trade identification delay for communication and energy
efficiency
Showed a logarithmic increase in # of transmitted messages with path size
Showed small increase in identification delay compared to savings
Differentiation of maliciousness from bad channel conditions,
congestion and collisions is not yet clear (or an easy problem to
solve)