Trust Based Link Selection
Presented by: Sindhu Karthikeyan
Date: August 20th 2004

Introduction
In routing protocols for sensor networks, untrustworthy nodes can send malicious routing messages to their neighbors, which negatively affects the routing protocol. The paper therefore proposes a trust metric that assists nodes in making routing decisions. Trust is a composition of the age of a node and the observed behavior of a node.
• Age of a node: the amount of time that the node has been known to exist by the observer.
• Behavior of a node: quantified by maintaining a behavior metric for each node.

Assumptions and notations
• A general distance vector routing protocol is considered.
• A sensor network is composed of two types of nodes: sensors and sinks. Sink: the destination node.
• Messages in the network are classified as either routing messages or data messages. Routing messages are used to form the network topology, and data messages are sent to the sink using that topology.

Assumptions (contd.)
• Nodes maintain a table of potential next hops for forwarding messages to the sink.
• Nodes select the next hop by evaluating the distance metric of neighboring nodes.
• Secure communication between nodes is not presumed, even if it may exist.
• Malicious nodes may impersonate honest nodes, and have resources similar to other nodes in the network.
• No node can suppress the ability of any two nodes to communicate with each other.
• Malicious nodes cannot selectively alter packets in transit.

Notations
1. A network is a set of nodes X = {x1, x2, …, xn}.
2. A message M sent by xj to node xi with return address xk is written xj(xk) → xi|M. The reception of a message at a node is known as a message event.
3. xj(xj) → xi|M implies that the sender has not forged the return address; it can be abbreviated as xj → xi|M.
4. The set of xi's neighbors is labeled Xi.
5. A malicious node is denoted by α ∈ Xi.
6. A node xi maintains two tables for its neighbors, designated Ti and Ui, where Ti ⊆ Ui.

Notations (contd.)
7. For a field "z" in Ui, the field's value is denoted by Ui.z(xj).
8. The number of entries in Ui at a particular moment is |Ui|, and is bounded by a maximum size |Ui|max.
9. Table Ti is a trusted subset of Ui.
10. The current time given by a node's local clock is time(now).
11. A node can perform a specified action as the result of its local clock reaching a specified time; this action is known as a timer event.
12. Xi ∈ Ti indicates that the table Ti contains an entry for node Xi.

Trust-Based Link Selection
Trust-Based Link Selection uses a trust metric for next hop selection in addition to the common metrics such as the distance to the sink. Trust is viewed as a composition of age and behavior metrics.

• The trust-based link selector acts as a filter for the routing protocol, as seen in the figure. Incoming messages pass through it and are handed to the routing mechanism with an indication of the trust placed in the sender.
• The routing protocol then uses distance and link quality metrics to decide on favorable next hops among the nodes that are trustworthy.
• The routing protocol chooses links from nodes in Ti, and the link selector updates the trust metrics for nodes in Ui.

Age metrics
An age metric relates a node to a time of known existence. Every entry in Ui has two fields: the age of the node (am) and the time the node was last heard (l).

Age metrics (contd.)
Age calculation: this sequence of actions occurs when a node xj initially enters Ui:
• Ui.am(xj) = 0
• Ui.l(xj) = time(now)
When a message event xk(xj) → xi|M occurs at xi:
• Ui.am(xj) = Ui.am(xj) + (time(now) - Ui.l(xj))
• Ui.l(xj) = time(now)

Aging Constraints
An aging constraint can be either absolute or relative.
The absolute aging constraint is given as:
C(xj, Ti) = (Ui.am(xj) > va)
where va is some age threshold.
The relative aging constraint is given as:
C(xj, Ti) = (Ui.am(xj) > β · f(ages(Ti)))
where 0 ≤ β ≤ 1, and ages() returns the set of ages for nodes in Ti.

Age based Trust Example
• Let's assume |Ui|max = 6 and |Ti|max = 3, as shown in the figure.
d = distance in number of hops to the sink.
q = quality metric in the range [0, 100].
am = age field, shown in minutes.
l = time the node was last heard from, given as a timestamp value.
The aging constraint is chosen as:
C(xj, Ti) = Ui.am(xj) > 0.9 · Avg(ages(Ti))
This means that when a node exceeds 90% of the average age of the nodes in Ti, the node temporarily becomes trustworthy.

Now consider a malicious node α arriving, as shown in the above figure. Given that the average age of the nodes in Ti is 110 when α arrives, and that those nodes keep aging along with x7, the age constraint is fulfilled when:
Ui.am(x7) > 0.9 · Avg(ages(Ti)) = 0.9 · (Ui.am(x7) + 110)
that is, when 0.1 · Ui.am(x7) > 99. Thus x7 is considered as the next hop only after 990 minutes have elapsed.

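The age update rule and the relative aging constraint above, run as a small simulation that reproduces the 990-minute figure. This is an added example, not code from the paper or the presentation; the class and function names, the three individual ages (chosen so that their average is 110) and the one-message-per-step traffic pattern are assumptions.

```python
from fractions import Fraction

BETA = Fraction(9, 10)  # beta = 0.9, as in the slide's example


class AgeTable:
    """Age fields of U_i: am (accumulated age) and l (last heard), in minutes."""

    def __init__(self):
        self.am, self.l, self.trusted = {}, {}, set()

    def on_message(self, node, now):
        if node not in self.am:
            self.am[node] = 0                      # first heard: am = 0
        else:
            self.am[node] += now - self.l[node]    # am += time(now) - l
        self.l[node] = now                         # l = time(now)

    def meets_constraint(self, node):
        # C(xj, Ti) = am(xj) > beta * Avg(ages(Ti)), computed exactly
        ages = [self.am[t] for t in self.trusted]
        return self.am[node] > BETA * Fraction(sum(ages), len(ages))


def minutes_until_trusted(trusted_ages, step=1):
    """Constructed scenario: every node is heard once per `step` minutes."""
    table, now = AgeTable(), 0
    for name, age in trusted_ages.items():         # nodes already in T_i
        table.am[name], table.l[name] = age, now
        table.trusted.add(name)
    table.on_message("x7", now)                    # newcomer enters U_i with age 0
    while not table.meets_constraint("x7"):
        now += step
        for node in list(table.am):                # trusted nodes age as well
            table.on_message(node, now)
    return now
```

Because the nodes in Ti age at the same rate as x7, the threshold rises with the newcomer's own age; with one message per minute the constraint first holds at minute 991, the first tick past the 990-minute bound.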
Behavioral Metrics
Behavior-based trust is realized through the use of a behavioral metric (bm). Each entry in Ui is augmented with the field bm, which ranges over [0, bmmax], where bmmax is 255. The property to be observed is described and checked using a modified finite state machine model called a MESSAGE MONITORING FINITE STATE MACHINE (MMFSM).

MMFSM
The MMFSM in the above figure checks the property of whether or not a node forwards messages that the observer xob sends to it. When xob sends a message M to an arbitrary node xj, xob notes the current time and the message msg, and proceeds to l1.
• If timeout seconds have passed and xob is still verifying xj in location l1, location l4 is entered and xob updates the field:
Uob.bm(xj) = Uob.bm(xj) - m4

MMFSM (contd.)
• The transition to location l3 represents the case where xj forwards a message M' as a result of receiving message M, but the content of M' has been corrupted and is not consistent with the content of M.
• The transition to location l2 occurs when xj correctly forwards the message M'. The function satisfies() checks the consistency of the two messages M and M'.

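A sketch of the forwarding monitor described above, as an added example that is not code from the paper or the presentation. The values of M4 and TIMEOUT, the byte-equality form of satisfies(), and the idle location name "l0" are assumptions; only the l4 update is applied to bm, because it is the only update the slides give.

```python
BM_MAX, M4, TIMEOUT = 255, 10, 5.0   # bm_max from the slides; M4 and TIMEOUT are assumed


def satisfies(sent, forwarded):
    """Assumed consistency check: the forwarded payload must equal the sent one."""
    return sent == forwarded


class ForwardMonitor:
    """x_ob's monitor for one neighbour x_j.
    Locations: l0 idle (assumed name), l1 waiting, l2 forwarded correctly,
    l3 forwarded corrupted, l4 timed out."""

    def __init__(self, bm=BM_MAX):
        self.bm, self.loc, self.msg, self.sent_at = bm, "l0", None, None

    def send(self, msg, now):
        """x_ob sends M to x_j: note the time and the message, enter l1."""
        self.loc, self.msg, self.sent_at = "l1", msg, now

    def tick(self, now):
        """Timer event: timeout while still in l1 enters l4 and applies bm -= m4."""
        if self.loc == "l1" and now - self.sent_at >= TIMEOUT:
            self.loc = "l4"
            self.bm = max(0, self.bm - M4)     # keep bm inside [0, bm_max]
        return self.loc

    def overheard(self, forwarded, now):
        """x_ob overhears x_j forwarding M'."""
        if self.loc != "l1":
            return self.loc                    # nothing pending for x_j
        if now - self.sent_at >= TIMEOUT:
            return self.tick(now)              # too late: counts as a timeout
        self.loc = "l2" if satisfies(self.msg, forwarded) else "l3"
        return self.loc
```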
Trust based Link selection
The trust metric is defined as a composition of the age and behavioral metrics. For a node xj, the trust metric is given as:
C(am(xj), bm(xj)) = 1 if am(xj) · bm(xj) ≥ Λ
                  = 0 otherwise
for a chosen value Λ, where Λ = β · f1(ages(Ti)) · f2(behaviors(Ti))
• f1, f2 are aggregate functions,
• ages(Ti) = set of age values in Ti,
• behaviors(Ti) = set of behavior metrics in Ti.

The above figure shows a plot of bm(xj) vs am(xj) for a node xj and a chosen value Λ. For new neighbors, age is small and behavioral metrics are assumed equal, so Λ is small and a node can quickly form a topology. When a node has known its neighbors for a long time and the nodes are honest, the age and behavioral metrics are high, and the value of Λ is high as well.

Link Selection Policy
Adding and deleting nodes from the tables Ti and Ui.
For a network event xk(xj) → xl|M at a node xob, and if xj ∉ Ui, we have the following cases for adding the node to the table:
Case 1: If |Ui| < |Ui|max, the node xj is added to Ui, and the age and behavioral metrics are initialized.
Case 2: If |Ui| = |Ui|max, then the node in Ui – Ti that is least desirable in terms of distance and link quality is removed from Ui, and xj is added to the table Ui.

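The two admission cases combined with the composite trust test am · bm ≥ Λ, exercised against a constructed flood of new identities. This is an added example, not code from the paper or the presentation; the initial bm value, the use of the average for f1 and f2, the ordering used for "least desirable", dropping a newcomer when Ui – Ti is empty, and all table contents are assumptions.

```python
from statistics import mean

U_MAX, BETA, BM_INIT = 6, 0.9, 128   # |Ui|max and beta from the slides; BM_INIT is assumed


def admit(U, T, node, d, q):
    """Message event from `node`: add it to U unless known. Returns the evicted id or None."""
    if node in U:
        return None
    evicted = None
    if len(U) >= U_MAX:                                   # Case 2: table is full
        outside = [n for n in U if n not in T]            # only Ui - Ti may be evicted
        if not outside:
            return None                                   # assumed: newcomer is dropped
        # assumed ordering: farthest from the sink first, then lowest link quality
        evicted = max(outside, key=lambda n: (U[n]["d"], -U[n]["q"]))
        del U[evicted]
    U[node] = {"d": d, "q": q, "am": 0, "bm": BM_INIT}    # Case 1: initialise metrics
    return evicted


def threshold(U, T):
    """Lambda = beta * f1(ages(Ti)) * f2(behaviors(Ti)), with f1 = f2 = average (assumed)."""
    return BETA * mean(U[n]["am"] for n in T) * mean(U[n]["bm"] for n in T)


def is_trusted(U, T, node):
    """C = 1 if am * bm >= Lambda, else 0."""
    return U[node]["am"] * U[node]["bm"] >= threshold(U, T)


def flood(n_identities):
    """Constructed scenario: new identities that all advertise the best d and q."""
    rows = [("x1", 1, 90, 100), ("x2", 2, 80, 110), ("x3", 2, 70, 120),
            ("x4", 3, 60, 20), ("x5", 4, 50, 10)]
    U = {n: {"d": d, "q": q, "am": am, "bm": 200} for n, d, q, am in rows}
    T = {"x1", "x2", "x3"}
    for k in range(n_identities):
        admit(U, T, f"fake{k}", d=0, q=100)
    promoted = [n for n in U if n not in T and is_trusted(U, T, n)]
    return U, T, promoted
```

After `flood(100)` the three trusted entries are still in Ui and no new identity passes the trust test, since each starts with am = 0. Under the assumed ordering, the honest candidates x4 and x5 that were still outside Ti are displaced.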
Evaluation
Resource requirements:
• The computational requirements of age-based link selection are considered negligible, as the routing metrics have similar requirements.
• No additional messages are required in the network, so the power requirement is also negligible.
• Behavior-based link selection is entirely passive and thus doesn't require any extra messages in the network.

Evaluation (contd.)
Security analysis: age checking is considered to be effective if a malicious node is chosen as a next hop only after it has met the age constraint.
1. If the malicious node α can silence the older nodes in Ui so that they are all evicted, then it can gain entry into Ti, because xi will now have a new topology. But as our assumptions state, the malicious node does not have this capability.
2. The malicious node α can artificially raise its own age so that it meets the aging constraint, but such attacks require that α first meets the age constraint before being placed in Ti.

Evaluation (contd.)
3. Impersonation attacks are not meaningful with respect to age metrics, since the age of nodes in Ti periodically increases with the clock of xi.
4. If α impersonates many nodes to flood the tables at xi, then even though the impersonated nodes are stored in Ui – Ti, these nodes will gain entry into Ti only after they meet the aging constraint.
5. Behavioral monitoring is dependent upon the chosen properties, so behavioral metrics do not provide hard security guarantees, but they reduce the effect of simple attacks.

Conclusions
• Nodes select neighbors based on a trust metric, which is a composition of age and behavioral metrics.
• Trust based link selection requires modest resources and can be implemented largely independent of the routing protocol.
• It provides enhanced security to a broad class of routing protocols at a minimal cost.