Upload
briana-singleton
View
217
Download
0
Tags:
Embed Size (px)
Citation preview
1
◊
Securing Information through Trust Management in
Wireless Networks
Mohit Virendra, Shambhu Upadhyaya
Computer Science and Engineering
The State University of New York at Buffalo
Buffalo, NY
Sep 24, 2004
CEISARE @2
Trust Schemes: Wireless Domain
Wireless Wireless Network Network
ClassificationClassification1.Independent Ad-hoc
2. Central Authority
Trust-based Trust-based Security Security SchemesSchemes
a. Independently Mutual information exchange between
the nodes
b. Using a Trusted Central Authority
CEISARE @3
Trust based Admission Control scheme with a Trust based Admission Control scheme with a first yesfirst yes policy for WLANs policy for WLANs
Trust monitoring through Intent Graphs in wireless Trust monitoring through Intent Graphs in wireless domaindomain
Actual Condition Review-Actual Condition Review-basedbased Peer MonitoringPeer Monitoring SchemeScheme
Trust based security scheme for ad-hoc networks: Trust based security scheme for ad-hoc networks: Physical and Logical Security DomainsPhysical and Logical Security Domains
Trust management through Trust management through Domain Heads Domain Heads in ad-hoc in ad-hoc networksnetworks
Overview
Defining trust schemes for securing information in Defining trust schemes for securing information in WLANs and Ad-hoc networks WLANs and Ad-hoc networks
Problem Statement:Problem Statement:
Contributions:Contributions:
CEISARE @4
CA Assisted Scenario: WLAN model
WLAN Architecture: WLAN Architecture: Two servers on the Distribution System: (a) Two servers on the Distribution System: (a) Admission Controller (AC), (b) Global Monitor (GM)Admission Controller (AC), (b) Global Monitor (GM)
Trust Based Admission ControlTrust Based Admission Control
admission time trust establishment admission time trust establishment
Optimistic Approach: Optimistic Approach: Trust everyone until misbehavior detected Trust everyone until misbehavior detected
Intent query scheme between Intent query scheme between AC and the new nodeAC and the new node
Admission decision depends on “trust Admission decision depends on “trust value” and “intent” of the new nodevalue” and “intent” of the new node
Perfunctory check policy for Perfunctory check policy for node with unknown trustnode with unknown trust
““First Yes Policy”:First Yes Policy”: Node proves and maintains trust value to be Node proves and maintains trust value to be in session. Trust verified while node is in the systemin session. Trust verified while node is in the system
Looks Naïve!Looks Naïve! But very effective in selective admission controlBut very effective in selective admission control
CEISARE @5
WLAN model: Trust Establishment
Nodes use symmetric key pairs for communication with AP, key Nodes use symmetric key pairs for communication with AP, key duration dependent on trust value and “incrementing” trust alsoduration dependent on trust value and “incrementing” trust also
Trust Levels: Trust Levels: Used to (dis)allow a Used to (dis)allow a node to perform certain operations node to perform certain operations
During the operation, AC/GM monitors node usingDuring the operation, AC/GM monitors node using GHMS GHMS [10][10], checks , checks againstagainst Intent Map Intent Map and buildsand builds itsits Trust History Trust History
Three Trust Levels: Three Trust Levels: Low, Low, Medium and HighMedium and High
Intent Map (Graph) Generation:Intent Map (Graph) Generation: models node’s intended behaviormodels node’s intended behavior
FSM FSM based on resources based on resources required & steps to be followedrequired & steps to be followed
Benign transactions increase node’s trust valueBenign transactions increase node’s trust value
Relationship between transactions completed and trust Relationship between transactions completed and trust value depicted by graph on next slidevalue depicted by graph on next slide
Operations
Tru
st Valu
eMisbehavior Threshold
High
Medium
Low/ Unknown
(Benign)(Malicious)
(Intrusion Flagged)
Trust Value vs.
Operations
CEISARE @7
Intent Graphs and ACR generation
Tolerance in Intent GraphsTolerance in Intent Graphs Tolerance Level and Misbehavior ThresholdTolerance Level and Misbehavior Threshold
Dealing with excess data rates: calculating threshold as an incremental Dealing with excess data rates: calculating threshold as an incremental percentage or probability as a function of data rates [11]percentage or probability as a function of data rates [11]
Flagging an intrusion == premature Flagging an intrusion == premature expiration of the session key between node expiration of the session key between node
and APand AP
Each deviation => closer Each deviation => closer to threshold ~ severity of to threshold ~ severity of
misbehaviormisbehavior
Trust Values help in Trust Values help in Leader SelectionLeader Selection
Peer Trust Monitoring: Actual Condition Peer Trust Monitoring: Actual Condition Review (ACR) report generation schemeReview (ACR) report generation scheme
FORWARD MONITORING: APs generate ACRs about nodes FORWARD MONITORING: APs generate ACRs about nodes
REVERSE MONITORING: Nodes generate ACRs about APsREVERSE MONITORING: Nodes generate ACRs about APs
SELF MONITORING: Nodes forced to submit their own progress report SELF MONITORING: Nodes forced to submit their own progress report
Result: A self correcting trust monitoring systemResult: A self correcting trust monitoring system
CEISARE @9
Independent Ad-hoc Networks
Grouping nodes with similar Grouping nodes with similar trust parameters and interests trust parameters and interests
Defining Qualitative Trust Defining Qualitative Trust Parameters and Quantifying Trust Parameters and Quantifying Trust
Trust Based DomainsTrust Based Domains
A ~> B and B ~> C, then A =~> C using B’s trust as a verifier A ~> B and B ~> C, then A =~> C using B’s trust as a verifier
More comprehensive schemes if A and C don’t trust a common node More comprehensive schemes if A and C don’t trust a common node
Encryption Schemes proposed by Zhou et al. [17], [18]Encryption Schemes proposed by Zhou et al. [17], [18]
Node may share trust interests with nodes belonging to two or more Node may share trust interests with nodes belonging to two or more domains: “Border Nodes” domains: “Border Nodes”
Membership in a domain a collective decision (e.g. secure Membership in a domain a collective decision (e.g. secure polling)polling)
Mutual Information Exchange Based TrustMutual Information Exchange Based Trust
CEISARE @10
Domains
Nodes in a Domain share a common Nodes in a Domain share a common
DOMAIN KEY DOMAIN KEY
Physical Trust Domains (PTDs) and Logical Trust Domains (LTDs)Physical Trust Domains (PTDs) and Logical Trust Domains (LTDs)
All inter and intra-domain communication uses symmetric pair-wise keysAll inter and intra-domain communication uses symmetric pair-wise keys
Domain Heads: Domain Heads: Election and RotationElection and Rotation
Domain Heads can establish pair-wise symmetric keys with each Domain Heads can establish pair-wise symmetric keys with each other on the fly for trust negotiationother on the fly for trust negotiation
Nodes preloaded with keying material: establish pair-wise symmetric Nodes preloaded with keying material: establish pair-wise symmetric keys on the fly with domain memberskeys on the fly with domain members
Overlapping PTDs Overlapping PTDs
Non-overlapping PTDsNon-overlapping PTDs
Overlapping LTDs Overlapping LTDs
Non-overlapping LTDsNon-overlapping LTDs
CEISARE @13
Non Trusted Regions and Hierarchical Trust
Communication between non-trusted regions: End to end tunnelsCommunication between non-trusted regions: End to end tunnels
Tradeoff between: Tradeoff between:
Information Security and Information Relevance LifetimeInformation Security and Information Relevance Lifetime
Sending information along multiple routes: Sending information along multiple routes:
Minimum Trust ValueMinimum Trust Value of a route of a route
Hierarchical Trust and Super DomainsHierarchical Trust and Super Domains
Addressing Scalability and Reduce Control Overhead of Head NodesAddressing Scalability and Reduce Control Overhead of Head Nodes
Hierarchical Trust :Hierarchical Trust :
But, requires extra degree of protection for domain heads and super But, requires extra degree of protection for domain heads and super domain heads against attacks targeted at Central Authority domain heads against attacks targeted at Central Authority
Would help if a domain head (hence all domain members) are compromised Would help if a domain head (hence all domain members) are compromised
CEISARE @14
Conclusion and Discussion
Introduced trust based schemes for wireless networksIntroduced trust based schemes for wireless networks
Trust based security model for WLANs Trust based security model for WLANs
Idea of Physical and Logical Trust Domains in ad-hoc networksIdea of Physical and Logical Trust Domains in ad-hoc networks
Conceptual paper: describes new paradigms Conceptual paper: describes new paradigms and concepts, require deeper investigationand concepts, require deeper investigation
Studying control overheads of the schemes introduced by usStudying control overheads of the schemes introduced by us
Continuing Research:Continuing Research:
Extending the ACR generation scheme to ad-hoc networks Extending the ACR generation scheme to ad-hoc networks
Formalizing the “first yes” admission control schemeFormalizing the “first yes” admission control scheme
CEISARE @15
References
1. A.Rahman and S. Hailes, “A Distributed Trust Model”, New Security Paradigms Workshop 1997, ACM, 1997.2. D. Balfanz, D. Smetters, P. Stewart and H. Wong, “Talking to Strangers: Authentication in Ad-hoc Wireless Networks”, NDSS, San
Diego, 2002.3. L. Eschenauer, V.Gligor and J. Baras, “On Trust Establishment in Mobile Ad-Hoc Networks”, Proc. 10th International Workshop of
Security Protocols, Springer Lecture Notes in Computer Science (LNCS), Apr. 2002.4. J. Kong, H. Luo, K. Xu, D. L. Gu, M. Gerla, and S. Lu, “Adaptive security for multi-layer ad-hoc networks,” in Special Issue of
Wireless Communications and Mobile Computing. Wiley Interscience Press, Aug. 2002.5. T. Hughes, J. Denny, P. Muckelbauer, J. Etzl, "Dynamic Trust Applied to Ad Hoc Network Resources", Autonomous Agents & Multi-
Agent Systems Conference, Melbourne, Australia, 2003.6. J. Kong, P. Zerfos, H. Luo, S. Lu and L. Zhang, “Providing Robust and Ubiquitous Security Support for Mobile Ad-hoc Networks”,
ICNP, Riverside, CA, 2001.7. L. Zhou and Z. J. Haas, “Securing ad hoc networks,” IEEE Network Magazine, vol. 13, no. 6, pp. 24–30, Nov.’99.8. C. Davis, "A localized trust management scheme for ad-hoc networks", Proc. 3rd International Conference on Networking
(ICN'04), Mar. 2004.9. H. Debar, M.Dacier, A. Wespi and S. Lampart, “An Experimentation Workbench for Intrusion Detection Systems”, Research
Report, IBM Research Division, Zurich Research Laboratory, Switzerland, 1982.10. M. Virendra, S. Upadhyaya, X. Wang, “ GSWLAN: A New Architecture Model for a Generic and Secure Wireless LAN System”, 5th
Annual IEEE Information Assurance Workshop, West Point, NY, June 2004.11. M. Molloy, “Performance analysis using Stochastic Petri Nets”, IEEE Trans. On Computers, vol. 39, no 9, pp. 913-917.12. Y. Huang and W. Lee, “A Cooperative Intrusion Detection System for Ad Hoc Networks”, ACM CCS SASN Worskhop, Oct. 2003.13. Y. Huang, W. Fan, W. Lee, and P. Yu, “Cross-feature analysis for detecting ad-hoc routing anomalies”, 23rd International
Conference on Distributed Computing Systems, Providence, May 2003.14. S. Upadhyaya, R. Chinchani, K. Kwiat, "An Analytical Framework for Reasoning about Intrusions", Symposium on Reliable
Distributed Systems (SRDS’01), New Orleans, Oct. 200115. L. Zhou, F. Schneider, R. van Renesse, “COCA: A secure distributed on-line certification authority”, ACM Transactions on
Computer Systems 20, Nov. 2002, pp. 329–368.16. H. Debar, M.Dacier, A. Wespi, S. Lampart, “An Experimentation Workbench for Intrusion Detection Systems”, Research Report,
IBM Research Division, Zurich Research Laboratory, Switzerland, 1982.17. S. Zhu, S. Xu, S. Setia and S. Jajodia, “Establishing Pair-wise Keys for Secure Communication in Ad Hoc Networks”, 11th IEEE
International Conference on Network Protocols (ICNP’03), Atlanta, Nov. 2003.18. S. Zhu, S. Xu, S. Setia, S. Jajodia and P. Ning, “An Interleaved Hop-by-Hop Authentication Scheme for Filtering of Injected False
Data in Sensor Networks”, IEEE Symposium on Security and Privacy, Oakland, May 200419. Y. Ko , N. Vaidya, “Location-aided routing (LAR) in mobile ad hoc networks”, Proc. 4th annual ACM/IEEE international conference
on Mobile computing and networking, pp.66-75, Dallas, Oct. 1998