Revocation Games in Ephemeral Networks

Maxim Raya, Mohammad Hossein Manshaei,
Márk Félegyházi, Jean-Pierre Hubaux
CCS 2008
Misbehavior in Ad Hoc Networks
Traditional ad hoc networks
• Packet forwarding
• Routing
• Solution to misbehavior: Reputation systems
Ephemeral networks
• Large scale
• High mobility
• Data dissemination
• Solution to misbehavior: ?
Reputation vs. Local Revocation
• Reputation systems:
– Often coupled with routing/forwarding
– Require long-term monitoring
– Keep the misbehaving nodes in the system
• Local Revocation
– Fast and clear-cut reaction to misbehavior
– Reported to the credential issuer
– Can be repudiated
Tools of the Revocation Trade
• Wait for:
– Credential expiration
– Central revocation
• Vote with:
– Fixed number of votes
– Fixed fraction of nodes (e.g., majority)
• Suicide:
– Both the accusing and accused nodes are revoked
Which tool to use?
How much does it cost?
• Nodes are selfish
• Revocation costs
• Attacks cause damage
How to avoid the free rider problem?
Game theory can help: it models situations where the decisions of players affect each other
Example: VANET
• CA pre-establishes credentials offline
• Each node has multiple changing pseudonyms
• Pseudonyms are costly
• Fraction of detectors = pd
Revocation Game
• Key principle: Revoke only costly attackers
• Strategies:
– Abstain (A)
– Vote (V): n votes are needed
– Self-sacrifice (S)
• N benign nodes, including pd N detectors
• M attackers
• Dynamic (sequential) game
Game with fixed costs
[Figure: game tree in which players 1, 2 and 3 move in sequence, each choosing A: Abstain, S: Self-sacrifice or V: Vote. Leaf payoffs are triples built from c, v and 1; callouts mark the cost of abstaining, the cost of self-sacrifice and the cost of voting.]
All costs are in keys/message
Game with fixed costs: Example 1
[Figure: the same game tree solved by backward induction, with the equilibrium marked.]
Assumptions: c > 1
Game with fixed costs: Example 2
[Figure: the same game tree with the equilibrium marked.]
Assumptions: v < c < 1, n = 2
Game with fixed costs: Equilibrium
Theorem 1: For any given values of ni, nr, v, and c, the strategy of
player i that results in a subgame-perfect equilibrium is:
ni = Number of remaining nodes that can participate in the game
nr = Number of remaining votes required to revoke
Revocation is left to the end, doesn’t work in practice
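The backward induction behind Examples 1 and 2, as an added Python example (not code from the slides or the paper). It assumes the payoff rules read off the tree's leaves: a vote costs v, a self-sacrifice costs 1 and revokes at once, n votes revoke, and every player also pays c if the attacker is never revoked; the name solve and the values chosen for c are hypothetical. It generalizes from three players to any number.

```python
ACTIONS = ("A", "S", "V")  # Abstain, Self-sacrifice, Vote


def solve(num_players, n, v, c):
    """Solve the sequential fixed-cost game by backward induction.

    Assumed payoff rules (inferred from the tree's leaves): a vote costs v,
    a self-sacrifice costs 1 and revokes at once, n votes revoke, and every
    player also pays c when the attacker is never revoked.
    Returns (equilibrium path, payoff tuple).
    """

    def payoffs(history, revoked):
        result = []
        for i in range(num_players):
            # Players who never got to move pay nothing for an action.
            action = history[i] if i < len(history) else "A"
            cost = {"A": 0.0, "S": 1.0, "V": v}[action]
            result.append(-(cost + (0.0 if revoked else c)))
        return tuple(result)

    def best(history):
        if (history and history[-1] == "S") or history.count("V") >= n:
            return history, payoffs(history, True)
        if len(history) == num_players:
            return history, payoffs(history, False)
        mover = len(history)
        # The mover picks the action whose subgame outcome is best for it;
        # ties (none with the sample values below) go to the earlier action.
        outcomes = [best(history + (a,)) for a in ACTIONS]
        return max(outcomes, key=lambda o: o[1][mover])

    return best(())


if __name__ == "__main__":
    V = 0.02  # voting cost from the evaluation slide; c values are constructed
    for label, c in (("Example 1, c > 1", 2.0), ("Example 2, v < c < 1", 0.5)):
        path, pay = solve(3, 2, V, c)
        print(label, "->", "".join(path), pay)
    # More players: revocation is still pushed to the last movers.
    print("".join(solve(6, 2, V, 2.0)[0]), "".join(solve(6, 2, V, 0.5)[0]))
```

With more players the early movers still abstain and the last one or two carry the cost, which is the "left to the end" behavior noted above.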
Game with variable costs
[Figure: game tree with variable costs for players 1, 2 and 3; leaf payoffs are triples built from v, 1 and the stage-dependent costs c1 and c2.]
c j  j   , lim c j  , v  
j 
Number of stages
Attack damage
Game with variable costs: Equilibrium
Theorem 2: For any given values of ni, nr, v, and δ, the strategy of
player i that results in a subgame-perfect equilibrium is:
Revocation has to be quick
Optimal number of voters
• Minimize:
M
C  n
n
Duration of attack
Abuse by attackers
nopt = min{pa pd N, M}
Fraction of active players = pa
RevoGame
• Estimation of parameters
• Choice of strategy
Evaluation
• TraNS, ns2, Google Earth, Manhattan
• 303 vehicles, average speed = 50 km/h
• Fraction of detectors pd = 0.8
• Damage/stage δ = 0.1
• Cost of voting v = 0.02
• False positives pfp = 10^-4
• 50 runs, 95% confidence intervals
[Figure: Revoked attackers]
[Figure: Revoked benign nodes]
[Figure: Social cost]
[Figure: Maximum time to revocation]
Global effect of local revocations
[Figure: How many benign nodes ignore an attacker?]
False positives and abuse
[Figure: How many benign nodes ignore a benign node?]
Conclusion
• Local revocation is a viable mechanism for handling misbehavior in ephemeral networks
• The choice of revocation strategies should depend on their costs
• RevoGame achieves the elusive tradeoff between different strategies