The Sybil Attack in Sensor Networks: Analysis & Defenses James Newsome, Elaine Shi, Dawn Song,...
Date posted: 22-Dec-2015
Transcript of The Sybil Attack in Sensor Networks: Analysis & Defenses James Newsome, Elaine Shi, Dawn Song,...

The Sybil Attack in Sensor Networks: Analysis & Defenses
James Newsome, Elaine Shi, Dawn Song, Adrian Perrig
Presenter: Yi Xian

Outline
Introduction
Three Dimensions of Sybil Attack Taxonomy
Attacks
– Known & New attacks
Defenses
– Radio Resource Testing
– Random Key Predistribution
– Other Defenses
Discussion
Conclusion

Introduction
Security in Sensor Networks
– Wireless network nature
– Sensor node constraints
Sybil Attacks
– First described in peer-to-peer networks.
– An attack against identity.
– A particularly harmful attack in sensor networks.

Definition of Sybil Attack
In this paper
– A malicious device illegitimately takes on multiple identities.
– The additional identities are called Sybil nodes.
Question:
– How does an attacker create Sybil nodes and use them?

Sybil Attack Taxonomy
Dimension I – Direct vs. Indirect Communication
– Direct Communication
  Legitimate nodes can communicate with Sybil nodes directly.
– Indirect Communication
  One or more of the malicious devices claims to be able to reach the Sybil nodes.
  Messages sent to a Sybil node are routed through one of these malicious nodes.

Sybil Attack Taxonomy
Dimension II – Fabricated vs. Stolen Identities
– Fabricated
  Simply create arbitrary new Sybil identities.
– Stolen
  Assign other legitimate identities to Sybil nodes.
  May go undetected if the attacker destroys or disables them.
Identity Replication Attack
The same identity is used many times and exists in multiple places in the network. Is it a Sybil Attack?

Sybil Attack Taxonomy
Dimension III – Simultaneity
– Simultaneous
  All Sybil identities participate in the network at once.
– Non-Simultaneous
  Only act as a smaller number of identities at any given time by:
  – Letting different identities join and leave
  – Or only using each identity once.
  – Having several physical devices swap identities.
Each device may present different identities at different times!

Attacks
How can the Sybil Attack be used in wireless sensor networks?

Known Attacks
Distributed Storage
– Defeat replication and fragmentation mechanisms
Routing
– Attack routing algorithm
– Geographic routing
– Evade misbehavior detection mechanisms

New Attacks
Data Aggregation
– With enough Sybil nodes, an attacker may be able to completely alter the aggregate reading.
Voting
– Depending on the number of identities the attacker owns, he may be able to determine the outcome of any vote.
  Either claim a legitimate node is misbehaving or Sybil nodes can vouch for each other…

New Attacks
Fair Resource Allocation
– Using the Sybil attack, a malicious node can obtain an unfair share of any resource shared in a per-node manner.
– Consequently, this causes DoS to legitimate nodes, and also gives the attacker more resources to perform attacks.
Misbehavior Detection
– Sybil nodes could “spread the blame”.
– Even if action is taken to revoke the offending nodes, the attacker can continue using new Sybil identities to misbehave.

Defenses
How can we defend against the Sybil Attack?

Defenses
Two ways to validate an identity
– Direct validation
– Indirect validation

Defenses
Previous Defense
– Resource testing
  By verifying that each identity has as much of the tested resource as a physical device.
  Computation, storage and communication
Unsuitable for wireless sensor networks
– WHY?
  The attacker may use a physical device with much higher computation and storage ability!
  The replies converging at the verifier will result in that part of the network becoming congested!

New Defenses in this paper
Radio Resource Testing
Random Key Predistribution
Registration
Position Verification
Code Attestation

Radio Resource Testing
Direct validation
Assumptions
– Any physical device has only one radio
– A radio is incapable of simultaneously sending or receiving on more than one channel.
The basic idea:
– A node assigns each of its n neighbors a different channel.
– By challenging a neighbor node on the exclusively assigned channel, a sensor node can detect Sybil nodes with a certain probability.

Radio Resource Testing with enough channels
Suppose:
– s Sybil nodes out of n neighbors.
– One channel for each neighbor.
Pr(choosing a channel that is not being transmitted on)
=
Pr(not detecting a Sybil node)
=
Repeat the test for r rounds
Pr(no Sybil nodes being detected)
=

Radio Resource Testing with limited channels
In case of limited channels, only a subset of its neighbors can be tested at one time.
Suppose:
– n neighbors, s Sybil nodes, m malicious nodes, and g good nodes.
– only c neighbors are tested at once, of which there are S Sybil nodes, M malicious nodes, and G good nodes.
The probability of a Sybil node being detected is:
A malicious node not in the subset being tested can cover for a Sybil node that is being tested by transmitting on the channel that the Sybil node is supposed to be transmitting on…

Radio Resource Testing with limited channels
Repeating this test for r rounds
The probability of a Sybil node being detected is
Effective defense against the simultaneous, direct-communication variant of the Sybil attack.
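
An added example, not taken from the slides or the paper: it models the channel test described above, with the enough-channels case as c = n, and checks the result by simulation. The function names and sample parameters are assumptions; the per-round probability is derived from the slides' stated assumptions (one radio per device, an untested malicious device covering one tested Sybil channel).

```python
import random
from math import comb

def detect_prob(s, m, g, c):
    """Exact one-round probability of catching a Sybil identity.

    s Sybil identities, m malicious devices, g good nodes; c of the
    n = s + m + g neighbours are tested at once, one channel each, and
    the verifier listens on one of the c channels chosen at random.
    """
    n = s + m + g
    p = 0.0
    for S in range(min(s, c) + 1):            # Sybil identities in the subset
        for M in range(min(m, c - S) + 1):    # malicious devices in the subset
            G = c - S - M                     # good nodes in the subset
            if G > g:
                continue
            ways = comb(s, S) * comb(m, M) * comb(g, G)
            # Each malicious radio outside the subset can cover one Sybil channel.
            uncovered = max(0, S - (m - M))
            p += ways / comb(n, c) * uncovered / c
    return p

def detect_after_rounds(p, r):
    """Probability of at least one detection in r independent rounds."""
    return 1.0 - (1.0 - p) ** r

def simulate(s, m, g, c, trials, seed=1):
    """Monte Carlo check of detect_prob with explicit radios per round."""
    rng = random.Random(seed)
    kinds = ["sybil"] * s + ["malicious"] * m + ["good"] * g
    caught = 0
    for _ in range(trials):
        tested = rng.sample(range(len(kinds)), c)
        sybil_tested = [i for i in tested if kinds[i] == "sybil"]
        # Assumption: a tested malicious device answers its own challenge,
        # so only untested malicious radios are free to cover.
        busy = sum(1 for i in tested if kinds[i] == "malicious")
        free_radios = m - busy
        silent = set(sybil_tested[free_radios:])   # channels nobody transmits on
        if rng.choice(tested) in silent:
            caught += 1
    return caught / trials

if __name__ == "__main__":
    s, m, g = 3, 1, 6                          # constructed neighbourhood, n = 10
    for c in (10, 5, 3):
        p = detect_prob(s, m, g, c)
        print(f"c={c:2d}  exact={p:.4f}  simulated={simulate(s, m, g, c, 20000):.4f}"
              f"  after 15 rounds={detect_after_rounds(p, 15):.4f}")
```

Lowering c below n reduces the per-round detection probability, which is why the limited-channel test needs more rounds to reach the same confidence.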

Random Key Predistribution
Random Key Predistribution
– Each node is assigned a random set of keys or key-related information.
– In the key set-up phase, each node can discover or compute the common key it shares with its neighbors…
– Node-to-node secrecy.

Random Key Predistribution
Key ideas:
– Associating the node identity with the keys assigned to the node.
– Key validation, i.e., the network being able to verify part or all of the keys that an identity claims to have.
Direct or Indirect Validation?
Different variants
– Key pool
– Single-space pairwise key distribution
– Multi-space pairwise key distribution

Key Pool
Key Pool Scheme
– Randomly assigns k keys to each node from a pool of m keys.
– During the initialization phase, any two neighbors sharing q common keys can establish a secret link.
– Suppose each node’s identity is the indices, in sorted order, of the keys that it holds.
What’s the problem?
With multiple compromised keys, the attacker can use any combination of the compromised keys to generate a new identity!

Key Pool
An Extension
– Let be the set of keys assigned to ID; ID is the identity of the node, and is the index of its i-th key in the key pool,
– The set of keys that node ID possesses is determined by:
  where H is a hash function, and PRF is a pseudo random function.
– The index of a node’s i-th key is determined by a pseudo random function with H(ID) as the function’s key, and i as its input.

Key Pool
An example
– Node ID = 30
– Key set = { K_1, K_8, K_12, K_78, …}
– Rule: pick the 3rd index
– How to validate this node ID (= 30)?
  Test whether PRF_{H(30)}(3) = 12?
– What properties does this scheme have?
  Given 12, it is hard to find the key, H(30), for PRF to yield exactly 12.
  Even knowing the value of H(30), it is still hard to find that ID = 30.

Key Pool
What can the attacker do?
– Capture legitimate nodes and read off the keys,
– Build up a compromised key pool S,
– Fabricate usable Sybil identities ID’ to use in a Sybil attack, which means ID’ must be able to pass the validation by other nodes.
Question:
– Given a set of compromised keys S
– How difficult is it for an attacker to generate a usable Sybil identity?
– How to evaluate the difficulty?

Key Pool
How to evaluate the difficulty?
– The time complexity to generate a usable Sybil node ID given a set of compromised nodes could be expressed in terms of the probability p that a random identity is a usable Sybil identity.
– So, the expected number of times an attacker has to try to find a usable Sybil identity is 1/p.
Notation:

Key Pool
In the full validation case…
– Verify every key the identity claims to have.
– How does the randomly generated identity ID’ survive the full validation?
– ID’ has to satisfy:
– Therefore…
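
An added example, not from the slides or the paper: it implements the identity-to-key binding and full validation described on the Key Pool slides, then measures p for a constructed compromised key set. SHA-256 as H, HMAC-SHA256 as PRF, the tiny pool parameters, the validator that knows every pool key, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from math import comb

M_POOL = 50   # m: key pool size (constructed, kept tiny so p is measurable)
K_NODE = 3    # k: keys per node (constructed)

def key_indices(node_id, k=K_NODE, m=M_POOL):
    """Index of the i-th key of node_id: PRF keyed with H(ID), input i."""
    prf_key = hashlib.sha256(str(node_id).encode()).digest()     # H(ID)
    out = []
    for i in range(1, k + 1):
        tag = hmac.new(prf_key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.append(int.from_bytes(tag[:8], "big") % m)           # index in the pool
    return out

def pool_key(j):
    """Constructed stand-in for the j-th secret key of the pool."""
    return hashlib.sha256(b"constructed-pool-key-%d" % j).digest()

def provision(node_id):
    """Key ring loaded onto a legitimate node before deployment."""
    return {j: pool_key(j) for j in key_indices(node_id)}

def compromised_ring(captured_ids):
    """Set S: every key read off the captured nodes."""
    ring = {}
    for node_id in captured_ids:
        ring.update(provision(node_id))
    return ring

def full_validate(claimed_id, key_ring):
    """Challenge every key that the claimed identity is bound to."""
    for j in key_indices(claimed_id):
        key = key_ring.get(j)
        if key is None:
            return False                      # claimant lacks a required key
        nonce = os.urandom(16)
        expected = hmac.new(pool_key(j), nonce, hashlib.sha256).digest()
        answer = hmac.new(key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(answer, expected):
            return False
    return True

def usable_fraction(key_ring, candidate_ids):
    """Measured p: share of candidate identities that pass full validation."""
    hits = sum(full_validate(i, key_ring) for i in candidate_ids)
    return hits / len(candidate_ids)

def unbound_identity_count(key_ring, k=K_NODE):
    """Identities available when an identity is just any k held key indices."""
    return comb(len(key_ring), k)

if __name__ == "__main__":
    ring = compromised_ring(range(30, 35))    # five captured nodes (constructed)
    p = usable_fraction(ring, range(100000, 120000))
    print("compromised keys:", len(ring))
    print("unbound scheme, identities for free:", unbound_identity_count(ring))
    print("bound scheme, measured p:", p, "model (|S|/m)^k:", (len(ring) / M_POOL) ** K_NODE)
    print("captured identity 31 still validates:", full_validate(31, ring))
```

With realistic pool sizes p becomes far too small to measure this way; the captured identities themselves always validate, which is the stolen-identity case that key validation does not address.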

Key Pool
In case each identity is challenged by d nodes.
Condition over t, where

Key Pool
Each identity is challenged by d nodes.

Key Pool
If the tolerated threshold is 2^-64,
• Full validation: 150 nodes;
• Partial validation with d = 30, only 30 nodes.
However…
– No node-to-node authentication
– An attacker may compromise a sufficient fraction of keys

Random Key Predistribution
In contrast, pairwise key distribution
– Assigns a unique key to each pair of nodes…
– Single-space Pairwise Key Distribution
– Multi-space Pairwise Key Distribution

Single-space Pairwise Key Distribution
A sensor node i stores unique public information U_i and private information V_i.
In the bootstrapping phase
– nodes exchange public information,
– node i computes its key with node j as f(V_i, U_j), where f(V_i, U_j) = f(V_j, U_i)
-secure property (given c compromised nodes)
  if c <= , a simple direct validation is sufficient;
  if c > , prone to the Sybil attack.
With perfect resilience
• Sensor node’s memory constraint

Multi-space Pairwise Key Distribution
To further enhance the security of single-space…
In this scheme, each sensor node will be assigned k out of the m key spaces.
Key computation
– Use the single-space scheme, if they have one or more key spaces in common.
Properties
– Without validation
  Prone to the indirect-communication Sybil attack.
– With validation
  Indirect validation is necessary to ensure global consistency.

Random Key Predistribution – Multiple-space Pairwise Key Distribution
Probability of fabricating Sybil identities with the multi-space scheme.
S_i – the event that space i is compromised
Then, given c compromised nodes,
So, we have:

Summary of Random Key Predistribution
Key Pool
– One-way function
– Indirect validation
Single-space pairwise key distribution
– -secure property
– Direct validation ensures a globally consistent outcome.
Multi-space pairwise key distribution
– Has to compromise far more than nodes to compromise one space
– And compromise k spaces with a probability of around 0.05.
– The best among these three approaches.

Other Defenses
Identity Registration
– Based on a trusted central authority
– However,
  Attacker may be able to control the good list.
  Need to maintain the deployment information
Position Verification
– Assume the network is immobile.
– Verify the physical position of each node.
– How to securely verify a node’s exact position is still an open question.
– Mobile attacker’s identity needs to be verified simultaneously.

Other Defenses
Code Attestation
– Code running on a malicious node must be different from that on a legitimate node.
– The technique is not readily applicable to wireless networks.
  High cost
  Energy consumption

Comparison and Discussion
All these Sybil Defenses…
* Assume that nodes can only verify the position that they directly communicate with;
** Key predistribution can not stop an attacker from using stolen identities… but it does make it more difficult for the attacker to steal identities in the first place.

Conclusions
The first paper that systematically analyzes the Sybil attack and its defenses in sensor networks.
It introduces a taxonomy of the different forms of the Sybil attack.
Several new defenses are proposed.

Conclusions
In radio resource testing
– Based on the assumption that each node has only one channel and can’t send and receive simultaneously on more than one channel.
– How does a sensor node assign the radio channels to its neighbors?
– The testing process may consume a lot of battery power
In random key predistribution
– If some keys are compromised, the attacker may be able to falsely claim the identities of many non-compromised sensor nodes.
– It’s not practical in a mobile wireless network environment.
Other defenses
– Have their own drawbacks and are not very applicable in wireless sensor networks…