The Sybil Attack in Sensor Networks: Analysis & Defenses James Newsome, Elaine Shi, Dawn Song,...

The Sybil Attack in Sensor The Sybil Attack in Sensor Networks: Analysis & DefensesNetworks: Analysis & Defenses

James Newsome, Elaine Shi, Dawn SoJames Newsome, Elaine Shi, Dawn Song, Adrian Perrigng, Adrian Perrig

Presenter: Yi XianPresenter: Yi Xian

OutlinesOutlines

IntroductionIntroductionThree Dimensions of Sybil Attack TaxonomyThree Dimensions of Sybil Attack TaxonomyAttacksAttacks– Known & New attacksKnown & New attacks

Defenses Defenses – Radio Resource TestingRadio Resource Testing– Random Key PredistributionRandom Key Predistribution– Other DefensesOther Defenses

DiscussionDiscussionConclusionConclusion

IntroductionIntroduction

Security in Sensor NetworkSecurity in Sensor Network– Wireless network naturesWireless network natures– Sensor nodes constraintsSensor nodes constraints

Sybil AttacksSybil Attacks – First described in peer-to-peer First described in peer-to-peer

networks. networks. – An attack against identity.An attack against identity.– A particularly harmful attack in A particularly harmful attack in

sensor networks.sensor networks.

Definition of Sybil AttackDefinition of Sybil Attack

In this paperIn this paper– A malicious device A malicious device

illegitimately takes on illegitimately takes on multiple identities.multiple identities.

– The additional identities are The additional identities are called called Sybil nodesSybil nodes. .

Question:Question:– How does an attacker How does an attacker

create Sybil nodes and use create Sybil nodes and use them?them?

OutlinesOutlines




Sybil Attack TaxonomySybil Attack Taxonomy

Dimension IDimension I – – Direct vs. IndirectDirect vs. Indirect CommunicationCommunication– Direct CommunicationDirect Communication

Legitimate nodes can communicate with Sybil Legitimate nodes can communicate with Sybil nodes directly.nodes directly.

– Indirect CommunicationIndirect CommunicationOne or more of the malicious devices claims to be One or more of the malicious devices claims to be able to reach the Sybil nodes. able to reach the Sybil nodes.

Messages sent to a Sybil node are Messages sent to a Sybil node are routedrouted through through one of these malicious nodes.one of these malicious nodes.


Dimension IIDimension II – Fabricated vs. Stolen – Fabricated vs. Stolen IdentitiesIdentities– Fabricated Fabricated

Simply create arbitrary new Sybil identities.Simply create arbitrary new Sybil identities.– Stolen Stolen

Assign other legitimate identities to Sybil nodes.Assign other legitimate identities to Sybil nodes.May go undetected if attacker destroys or disable May go undetected if attacker destroys or disable them. them.

Identity Replication AttackIdentity Replication Attack TThe same identity is used many times and exists in multiple placeshe same identity is used many times and exists in multiple places in the network. in the network. Is it a Sybil Attack??? Is it a Sybil Attack???


Dimension IIIDimension III – Simultaneity – Simultaneity– SimultaneousSimultaneous

All Sybil identities participate in the network at All Sybil identities participate in the network at once. once.

– Non-SimultaneousNon-SimultaneousOnly act as a smaller number of identities at any Only act as a smaller number of identities at any given time given time by: by:

– Letting different identities join and leaveLetting different identities join and leave– Or only using each identity once. Or only using each identity once. – Having several physical devices swap identities.Having several physical devices swap identities.

Each device may present different identities at different times!

OutlinesOutlines




AttacksAttacks

How the Sybil Attack can be used in How the Sybil Attack can be used in wireless sensor networks? wireless sensor networks?

Known AttacksKnown Attacks

Distributed StorageDistributed Storage– Defeat replication and fragmentation Defeat replication and fragmentation

mechanismsmechanisms

RoutingRouting– Attack routing algorithmAttack routing algorithm– Geographic routing Geographic routing – Evade misbehavior detection mechanismsEvade misbehavior detection mechanisms

New AttacksNew Attacks

Data AggregationData Aggregation– With enough Sybil nodes, an attacker may be With enough Sybil nodes, an attacker may be

able to completely alter the aggregate able to completely alter the aggregate reading.reading.

VotingVoting– Depending on the number of identities the Depending on the number of identities the

attacker owns, he may be able to determine attacker owns, he may be able to determine the outcome of any vote. the outcome of any vote.

Either claim a legitimate node is misbehaving or Either claim a legitimate node is misbehaving or Sybil nodes can vouch for each other…Sybil nodes can vouch for each other…

New AttacksNew Attacks

Fair Resource AllocationFair Resource Allocation– Using Sybil attack, a malicious node can obtain an unfUsing Sybil attack, a malicious node can obtain an unf

air share of any resource shard in per-node manner.air share of any resource shard in per-node manner.– Consequently, cause DoS to legitimate node, and alsConsequently, cause DoS to legitimate node, and als

o give the attacker more resources to perform attacks.o give the attacker more resources to perform attacks.

Misbehavior DetectionMisbehavior Detection– Sybil nodes could “spread the blame” .Sybil nodes could “spread the blame” .– Even action is taken to revoke the offending nodes, thEven action is taken to revoke the offending nodes, th

e attacker can continue using new Sybil identities to e attacker can continue using new Sybil identities to misbehave. misbehave.

OutlinesOutlines


DefensesDefenses – Radio Resource TestingRadio Resource Testing– Random Key PredistributionRandom Key Predistribution– Other DefensesOther Defenses


DefensesDefenses

How can we defend against the How can we defend against the Sybil Attack??Sybil Attack??

DefensesDefenses

Two types of ways Two types of ways to validate an to validate an identityidentity– Direct validateDirect validate

– Indirect validateIndirect validate

DefensesDefenses

Previous DefensePrevious Defense– Resource testingResource testing

By verifying that each identity has as much of By verifying that each identity has as much of the tested resource as a physical device.the tested resource as a physical device.

Computation, storage Computation, storage

and communicationand communication

Unsuitable for wireless sensor networksUnsuitable for wireless sensor networks– WHYWHY？？

The attacker may use a The attacker may use a physical device with much physical device with much

higher computation and higher computation and storage ability!storage ability!

The replies converging at the The replies converging at the verifier will result in that verifier will result in that

part of network becoming part of network becoming congested!!! congested!!!

New Defenses in this paperNew Defenses in this paper

Radio Resource TestingRadio Resource Testing

Random Key PredistributionRandom Key Predistribution

RegistrationRegistration

Position VerificationPosition Verification

Code Attestation Code Attestation






Code AttestationCode Attestation


Direct validationDirect validationAssumptionsAssumptions– Any physical device has only one radioAny physical device has only one radio– A radio is incapable of simultaneously sending or A radio is incapable of simultaneously sending or

receiving on more than one channel.receiving on more than one channel.

The basic idea:The basic idea:– A node assigns each of its n neighbors a different A node assigns each of its n neighbors a different

channel.channel.– By challenging a neighbor node on the exclusively By challenging a neighbor node on the exclusively

assigned channel, a sensor node can detect Sybil assigned channel, a sensor node can detect Sybil nodes with a certain probability. nodes with a certain probability.

Radio Resource Testing with Radio Resource Testing with enough channelsenough channels

Suppose:Suppose: – ss Sybil nodes out of Sybil nodes out of nn neighbors. neighbors.– One channel for each neighbor.One channel for each neighbor.

Pr Pr (choose a channel is not (choose a channel is not being transmitted on) being transmitted on)

==

PrPr (not detecting a Sybil node) (not detecting a Sybil node)

==

Repeat test for r roundRepeat test for r round

Pr Pr (no Sybil nodes being (no Sybil nodes being detected) detected)

= =

Radio Resource Testing with Radio Resource Testing with limited channelslimited channels

In case of limited channels, only subset of its In case of limited channels, only subset of its neighbors can be tested at one time.neighbors can be tested at one time.

Suppose : Suppose : – nn neighbors, neighbors, s s Sybil nodes, Sybil nodes, mm malicious nodes, and malicious nodes, and gg good good

nodes.nodes.– only only cc neighbors are tested at once, of which there are neighbors are tested at once, of which there are SS Sybil Sybil

nodes, nodes, MM malicious nodes, and malicious nodes, and GG good nodes. good nodes.

The probability of a Sybil node being detected isThe probability of a Sybil node being detected is : :

A malicious node not in the subset being tested can cover for a Sybil node that is

being tested by transmitting on the channel that the Sybil node is supposed to be

transmitting on…

Radio Resource Testing with Radio Resource Testing with limited channelslimited channels

Repeating this test for Repeating this test for r r roundsrounds

The probability of a Sybil node being detecThe probability of a Sybil node being detected is ted is

Effective defense against simultaneous direct-communication

Variant of the Sybil attack.






Code Attestation Code Attestation


Random Key PredistributionRandom Key Predistribution– Each node is assigned a random set of keys Each node is assigned a random set of keys

or key-related information.or key-related information.– In key set-up phase, each node can discover In key set-up phase, each node can discover

or compute the common key it shares with its or compute the common key it shares with its neighbors…neighbors…

– Node-to-node secrecy.Node-to-node secrecy.


Key ideas:Key ideas:– Associating the node identity with the keys assigned tAssociating the node identity with the keys assigned t

o the node.o the node.– Key validation, i.e., the network being able to verify paKey validation, i.e., the network being able to verify pa

rt or all of the keys that an identity claims to have.rt or all of the keys that an identity claims to have.Direct or Indirect Validation?Direct or Indirect Validation?

Different variants Different variants – Key poolKey pool– Single-space pairwise key distributionSingle-space pairwise key distribution– Multi-space pairwise key distributionMulti-space pairwise key distribution

Key PoolKey Pool

Key Pool SchemeKey Pool Scheme– Randomly assigns Randomly assigns kk keys to each node from a keys to each node from a

pool of pool of mm keys. keys. – During the initialization phase, any two During the initialization phase, any two

neighbors sharing neighbors sharing qq common keys can common keys can establish a secret link. establish a secret link.

– SupposeSuppose Each node’s identity is the indices in sorted Each node’s identity is the indices in sorted order of keys that it holds.order of keys that it holds.

What’s the problem?What’s the problem? with multiple compromised keys, with multiple compromised keys, the attacker can use any combination the attacker can use any combination of the compromised keys of the compromised keys to generate new identity!!!!to generate new identity!!!!

Key PoolKey Pool

An Extension An Extension – Let be the set of keys Let be the set of keys

assigned toassigned to ID ID, , ID is the identity of the node, and is the index of its iID is the identity of the node, and is the index of its i th th key key in the key pool,in the key pool,

– The set of keys that node The set of keys that node IDID possesses are possesses are determined by:determined by:

where where HH is a hash function, and is a hash function, and PRF PRF is a pseudo random is a pseudo random function.function.

– The index of a node’s The index of a node’s iithth key, is determined by a key, is determined by a pseudo random functionpseudo random function with with H(ID)H(ID) as the function’s as the function’s key, and key, and ii as its input. as its input.

Key PoolKey Pool

An exampleAn example– Node ID = 30Node ID = 30

– Key set = { KKey set = { K11, K, K88, K, K1212, K, K7878, …}, …}

– Rule: pick the 3Rule: pick the 3rdrd indices indices

– How to validate this node ID (= 30) ??How to validate this node ID (= 30) ??

Test whether PRF Test whether PRF H(30)H(30) (3) = 12 ?? (3) = 12 ??

– What properties does this scheme have?What properties does this scheme have?

Given 12, it is hard to find the Given 12, it is hard to find the key, H(30), for PRF to yield key, H(30), for PRF to yield exactly 12.exactly 12.

Even known the value of Even known the value of H(30), it s still hard to find H(30), it s still hard to find

that ID = 30. that ID = 30.

Key PoolKey Pool

What can the attacker do?What can the attacker do?– Capture legitimate nodes and read off the keys,Capture legitimate nodes and read off the keys,– Build up a compromised key pool Build up a compromised key pool SS,,– Fabricate Fabricate usable Sybil identitiesusable Sybil identities ID’ID’ to use in Sybil to use in Sybil

attack, which means attack, which means ID’ID’ must be able to pass the must be able to pass the validation by other nodesvalidation by other nodes. .

Question: Question: – Given a set of compromised keys SGiven a set of compromised keys S– How difficult for an attacker to generate a usable Sybil How difficult for an attacker to generate a usable Sybil

identity?identity?– How to evaluate the difficulty?How to evaluate the difficulty?

Key PoolKey Pool

How to evaluate the difficulty? How to evaluate the difficulty? – TheThe time complexitytime complexity to generate a usable Sybil node to generate a usable Sybil node

ID given a set of compromised nodes could be ID given a set of compromised nodes could be expressed in terms of theexpressed in terms of the probability probability pp that a that a random identity is a usable Sybil identity.random identity is a usable Sybil identity.

– So,So, the expected number of timesthe expected number of times an attacker has an attacker has to try to find a usable Sybil identity isto try to find a usable Sybil identity is 1/p1/p..

Notation:Notation:

Key PoolKey Pool

In Full validation case…In Full validation case…– Verify every key the identity claims to have.Verify every key the identity claims to have.– How does the randomly generated identity How does the randomly generated identity ID’ID’

survive the full validation?survive the full validation?– ID’ has to satisfy : ID’ has to satisfy :

– Therefore…Therefore…

Key PoolKey Pool

In case each identity is challenged by In case each identity is challenged by dd nodes.nodes.Condition over Condition over tt, where , where

Key PoolKey Pool

Each identity is challenged by Each identity is challenged by dd nodes. nodes.

Key Pool Key Pool

If tolerate threshold is 2If tolerate threshold is 2--

6464 , , • Full validation: 150 nodes;Full validation: 150 nodes;• Partial validation with d = 30, Partial validation with d = 30,

only 30 nodes.only 30 nodes.

However…However…– No node-to-node No node-to-node

authentication authentication – An attacker may An attacker may

compromise a sufficient compromise a sufficient fraction of keysfraction of keys


In contrast, Pairwise key distribution In contrast, Pairwise key distribution – Assigns a unique key to each pair of nodes…Assigns a unique key to each pair of nodes…

– Single-space Pairwise Key Distribution Single-space Pairwise Key Distribution – Multi-space Pairwise Key DistributionMulti-space Pairwise Key Distribution

Single-space Pairwise Key DistributionSingle-space Pairwise Key Distribution

A sensor node A sensor node ii stores - stores - unique public informatunique public information ion UUii and and private information private information VVii, ,

In bootstrapping phaseIn bootstrapping phase– nodes exchange public information, nodes exchange public information, – node node i i compute its key with node compute its key with node jj with f( with f(VVi, i, UUjj) ,) ,

where f(where f(VVi, i, UUjj) = f() = f(VVj, j, UUii) )

-secure property -secure property ((Given c compromised nodes)Given c compromised nodes)

if c <= , a simple direct validation is sufficient;if c <= , a simple direct validation is sufficient;if c > , prone to the Sybil attack.if c > , prone to the Sybil attack.

With Perfect resilience With Perfect resilience • Sensor node’s memory constraintSensor node’s memory constraint

Multi-space Pairwise Key DistributionMulti-space Pairwise Key Distribution

To further enhance the security of single-To further enhance the security of single-space…space…In this scheme, each sensor node will be In this scheme, each sensor node will be assigned assigned kk out of the out of the mm key spaces. key spaces. Key computationKey computation– Use single-space scheme, if they have one or more Use single-space scheme, if they have one or more

key spaces in common. key spaces in common.

PropertiesProperties– Without validationWithout validation

Prone to the indirect-communication Sybil attack.Prone to the indirect-communication Sybil attack.– With validationWith validation

Indirect validation is necessary to ensure a globally Indirect validation is necessary to ensure a globally consistency..consistency..

Random Key Predistribution Random Key Predistribution – – Multiple-space Pairwise Key DistributionMultiple-space Pairwise Key Distribution

Probability of fabricating Sybil identities Probability of fabricating Sybil identities with the multispace scheme.with the multispace scheme.SSii – the event that space – the event that space ii be compromised be compromised

Then, given Then, given cc compromised nodes, compromised nodes,

So, we have: So, we have:

Summary of Random Key Summary of Random Key PredistributionPredistribution

Key PoolKey Pool– One-way functionOne-way function– Indirect validationIndirect validation

Single-space pairwise key distributionSingle-space pairwise key distribution– -secure property-secure property– Direct validation ensures globally consistent outcome.Direct validation ensures globally consistent outcome.

Multi-space pairwise key distributionMulti-space pairwise key distribution– Has to compromise far more than nodes to comprHas to compromise far more than nodes to compr

omise one spaceomise one space– And compromise k spaces with a probability of around And compromise k spaces with a probability of around

0.05. 0.05. – The best among these three approaches.The best among these three approaches.






Code AttestationCode Attestation

Other DefensesOther Defenses

Identity RegistrationIdentity Registration– Based on a trusted central authorityBased on a trusted central authority– However, However,

Attacker may be able to control the good list.Attacker may be able to control the good list.Need maintain the deployment informationNeed maintain the deployment information

Position VerificationPosition Verification– Assume network is immobile.Assume network is immobile.– Verify the physical position of each node.Verify the physical position of each node.– How to securely verify a node’s exact position is still How to securely verify a node’s exact position is still

an open question.an open question.– Mobile attacker’s identity needs to be verified Mobile attacker’s identity needs to be verified

simultaneously. simultaneously.

Other DefensesOther Defenses

Code AttestationCode Attestation– Code running on a malicious node must be difCode running on a malicious node must be dif

ferent form that on a legitimate node. ferent form that on a legitimate node. – The technique is not readily applicable to wirelThe technique is not readily applicable to wirel

ess network.ess network.High costHigh cost

Energy consumptionEnergy consumption

OutlinesOutlines




Comparison and Discussion Comparison and Discussion

All these Sybil Defenses…All these Sybil Defenses…

* Assume that nodes can only verify the position that they directly * Assume that nodes can only verify the position that they directly communicate with;communicate with;

** Key predistribution can not stop an attacker from using stolen identities… ** Key predistribution can not stop an attacker from using stolen identities… but it does make it more difficult for the attacker to steal identities in the but it does make it more difficult for the attacker to steal identities in the

first place.first place.

OutlinesOutlines




ConclusionsConclusions

The first paper that systematically The first paper that systematically analyzes the Sybil attack and its analyzes the Sybil attack and its defenses in sensor networks.defenses in sensor networks.

It introduces a taxonomy of the It introduces a taxonomy of the different forms of the Sybil attack.different forms of the Sybil attack.

Several new defenses are proposed. Several new defenses are proposed.

ConclusionsConclusions

In radio resource testingIn radio resource testing– Based on the assumption that each node has only one channel Based on the assumption that each node has only one channel

and can’t send and receive simultaneously on more than one chand can’t send and receive simultaneously on more than one channel.annel.

– How a sensor node assigns the radio channels to its neighbors?How a sensor node assigns the radio channels to its neighbors?– The testing process may consumes a lot of battery powerThe testing process may consumes a lot of battery power

In random key predistributionIn random key predistribution – If some keys are compromised, the attacker may be able to falseIf some keys are compromised, the attacker may be able to false

ly claim the identities of many non-compromised sensor nodes. ly claim the identities of many non-compromised sensor nodes. – It’s not practical in a mobile wireless network environment. It’s not practical in a mobile wireless network environment.

Other defensesOther defenses– Have their own drawbacks and not very applicable in wireless seHave their own drawbacks and not very applicable in wireless se

nsor networks…nsor networks…

The Sybil Attack in Sensor Networks: Analysis & Defenses James Newsome, Elaine Shi, Dawn Song,...

Documents

Transcript of The Sybil Attack in Sensor Networks: Analysis & Defenses James Newsome, Elaine Shi, Dawn Song,...