Revocation Games inEphemeral Networks

Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux

CCS 2008

Misbehavior in Ad Hoc Networks

• Packet forwarding• Routing

AM

B

• Large scale• High mobility• Data dissemination

2

Traditional ad hoc networks Ephemeral networks

Reputation systems ? Solution to misbehavior:

Reputation vs. Local Revocation

• Reputation systems:– Often coupled with routing/forwarding– Require long-term monitoring– Keep the misbehaving nodes in the system

• Local Revocation– Fast and clear-cut reaction to misbehavior– Reported to the credential issuer– Can be repudiated

3

Tools of the Revocation Trade

• Wait for:– Credential expiration– Central revocation

• Vote with:– Fixed number of votes– Fixed fraction of nodes (e.g., majority)

• Suicide:– Both the accusing and accused nodes are revoked

Which tool to use?4

How much does it cost?

• Nodes are selfish• Revocation costs• Attacks cause damage

How to avoid the free rider problem?

Game theory can help:models situations where the decisions of players affect each other

5

Example: VANET

• CA pre-establishes credentials offline

• Each node has multiple changing pseudonyms

• Pseudonyms are costly

• Fraction of detectors =

6

dp

Revocation Game

• Key principle: Revoke only costly attackers• Strategies:– Abstain (A)– Vote (V): votes are needed– Self-sacrifice (S)

• benign nodes, including detectors• attackers• Dynamic (sequential) game

n

dp NN

M

7

Game with fixed costs1

3

2

A V

VS

S

A

3

2

VSA

3

VSAVSAVSA

( , , )c c c (0,0, 1)

( , , )c c v c

(0, 1,0)

( , , )c v c c (0, , 1)v

(0, , )v v

( 1,0,0)

( , 1,0)v ( , ,0)v v

( ,0, )v v

( ,0, 1)v ( , , )v c c c

Cost of abstaining

Cost of self-sacrifice

Cost of voting

All costs are in keys/message 8

A: AbstainS: Self-sacrificeV: Vote

Assumptions: c > 1

1

3

2

A V

VS

S

A

3

2

VSA

3

VSAVSAVSA

( , , )c c c (0,0, 1)

( , , )c c v c

(0, 1,0)

( , , )c v c c (0, , 1)v

(0, , )v v

( 1,0,0)

( , 1,0)v ( , ,0)v v

( ,0, )v v

( ,0, 1)v ( , , )v c c c

Equilibrium

Game with fixed costs: Example 1

9

Back

war

d in

ducti

on

Assumptions: v < c < 1, n = 2

1

3

2

A V

VS

S

A

3

2

VSA

3

VSAVSAVSA

( , , )c c c (0,0, 1)

( , , )c c v c

(0, 1,0)

( , , )c v c c (0, , 1)v

(0, , )v v

( 1,0,0)

( , 1,0)v ( , ,0)v v

( ,0, )v v

( ,0, 1)v ( , , )v c c c

Equilibrium

Game with fixed costs: Example 2

10

Theorem 1: For any given values of ni, nr, v, and c, the strategy of player i that results in a subgame-perfect equilibrium is:

Theorem 1: For any given values of ni, nr, v, and c, the strategy of player i that results in a subgame-perfect equilibrium is:

ni = Number of remaining nodes that can participate in the game

nr = Number of remaining votes that is required to revoke

Game with fixed costs: Equilibrium

Revocation is left to the end, doesn’t work in practice11

Game with variable costs

S

( 1,0,0)

1

2

A V

V

3

2

SA

S

2 2 2( , , 1 )c c c

1 1 1( , 1 , )c c c 1 1 1( , , )v c v c c

, lim , j jj

c j c v

12Number of stages Attack damage

Theorem 2: For any given values of ni, nr, v, and δ, the strategy of player i that results in a subgame-perfect equilibrium is:

Theorem 2: For any given values of ni, nr, v, and δ, the strategy of player i that results in a subgame-perfect equilibrium is:

Game with variable costs: Equilibrium

Revocation has to be quick

13

Optimal number of voters

• Minimize: MC n

n

Duration of attack Abuse by attackers

14

Optimal number of voters

• Minimize: MC n

n

min{ , }opt a dn p p N M

Fraction of active players

Duration of attack Abuse by attackers

15

RevoGame

Estimation of parameters

Choice of strategy

16

Evaluation

• TraNS, ns2, Google Earth, Manhattan

• 303 vehicles, average speed = 50 km/h

• Fraction of detectors • Damage/stage • Cost of voting• False positives• 50 runs, 95 % confidence

intervals

0.8dp

410fpp

0.1 0.02v

17

Revoked attackers

18

Revoked benign nodes

19

Social cost

20

Maximum time to revocation

21

Global effect of local revocations

22

How many benign nodes ignore an attacker?

False positives and abuse

23

How many benign nodes ignore a benign node?

Conclusion

• Local revocation is a viable mechanism for handling misbehavior in ephemeral networks

• The choice of revocation strategies should depend on their costs

• RevoGame achieves the elusive tradeoff between different strategies

24