
THE SYBIL ATTACK IN SENSOR NETWORK

Presented By: Hossen Mustafa

References

J. Newsome, E. Shi, D. Song and A. Perrig. The Sybil Attack in Sensor Network: Analysis & Defenses. In IPSN04.
M. Demirbas and Y. Song. An RSSI-based Scheme for Sybil Attack Detection in Wireless Sensor Networks.

Outline

Definition of Sybil Attack
Sybil Attack Taxonomy
Sybil Attacks in Sensor Network
Defense Mechanisms
Conclusion

What is Sybil Attack?

The Sybil attack is defined as a malicious device illegitimately taking on multiple identities.
[Figure: a single device, Eve, announces "I am Alice", "I am Bob", "I am Casey" and "I am Dan".]

Sybil Attack Taxonomy

Three Dimensional Taxonomy
1. Direct vs. Indirect Communications
2. Fabricated vs. Stolen Identities
3. Simultaneity

Direct vs. Indirect Communications

Direct Communication: Sybil nodes communicate directly with legitimate nodes.

Indirect Communication: Legitimate nodes are not able to communicate directly with Sybil nodes; they communicate through malicious nodes.

Fabricated vs. Stolen Identities

Fabricated Identities: Attacker creates arbitrary new identities

Stolen Identities: Attacker assigns legitimate identities to Sybil nodes

Simultaneity

Simultaneous: Attacker participates with all his identities at once

Non-Simultaneous: Attacker presents a large number of identities over a period of time

Types of Attack

Distributed Storage
Routing
Data Aggregation
Voting
Fair Resource Allocation
Misbehavior Detection

Distributed Storage

Attack on replication and fragmentation mechanism



Routing

In multipath or dispersity routing, seemingly disjoint paths could in fact go through a single malicious node presenting Sybil identities.

Data Aggregation

Some sensor network protocols aggregate the readings of sensors in order to conserve energy, rather than returning individual readings. With a Sybil attack, one malicious node may be able to alter the reading.

Voting

2 types of attack:
Stuff the ballot box
Blackmail attack
[Figure: voting diagrams for the two attacks, each labelled "x wins".]

Fair Resource Allocation

A Sybil attack can be used against fair resource allocation, allowing a malicious node to obtain an unfair share of resources.

Misbehavior Detection

Sybil nodes can be used to spread the blame in a misbehavior detection network.
[Figure: misbehavior report "Node 1 misbehaved".]

Defense Mechanism

There are two mechanisms for validating the identity of a node:

Direct Validation: A node directly tests whether another node is valid or not
Indirect Validation: Nodes that have been verified are allowed to vouch for or refute other nodes

Previous Defenses against Sybil Attack


Resource Testing

Assumption is that each entity is limited in some resource
Verifier tests that each identity has as much of physical resources as a physical device
Computation, storage and communication are proposed to be used as resources

Previous Defenses against Sybil Attack


Resource Testing

But, computation and storage are unsuitable for wireless sensor networks because attacker may have larger resources
For testing communication, it is proposed to broadcast a request for identities and then accept replies within a given time interval
This is also unsuitable for wireless sensor network as it will make part of the network congested

Defenses

Radio Resource Testing
Random Key Pre-distribution
Registration
Position Verification
RSSI-based Detection scheme
Code Attestation

Radio Resource Testing

Assumption:
Any physical device has only one radio
Radio is incapable of simultaneously sending or receiving on more than one channel

Radio Resource Testing

n channels, n nodes, s sybil nodes

Prob. of detection = s/n

Prob. of non-detection = (n-s)/n

For r rounds: Prob. of non-detection = ((n-s)/n)^r

Radio Resource Testing


[Figure: Probability of Sybil node detection for n = 15, channel = 15, s = 1/2/3]
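The detection probabilities on the slide above can be checked numerically. The following Python sketch is an added example, not code from the presentation or the cited papers; it assumes one channel per neighbour and that every Sybil identity's channel stays silent, which is the model behind the s/n formula.

```python
import random

def non_detection_probability(n, s, r):
    """Slide formula: chance that r rounds all miss, ((n - s) / n) ** r."""
    return ((n - s) / n) ** r

def sybil_detected(n, s, r, rng):
    """Run one r-round test; return True if a silent channel is heard.

    Assumed model: the verifier gives each of its n neighbours its own
    channel, and the s Sybil identities (numbered 0..s-1 here) stay silent
    because the attacker's single radio is busy on another channel.
    """
    for _ in range(r):
        listened = rng.randrange(n)   # verifier picks one channel at random
        if listened < s:              # nothing heard: no real radio behind this ID
            return True
    return False

def simulate(n, s, r, trials=20000, seed=1):
    """Monte Carlo estimate of the detection probability."""
    rng = random.Random(seed)
    return sum(sybil_detected(n, s, r, rng) for _ in range(trials)) / trials

def rounds_needed(n, s, target):
    """Smallest r whose detection probability reaches target."""
    if not 0 < s <= n or not 0 < target < 1:
        raise ValueError("need 0 < s <= n and 0 < target < 1")
    r = 1
    while 1 - non_detection_probability(n, s, r) < target:
        r += 1
    return r

if __name__ == "__main__":
    n = 15  # values from the slide: n = 15, s = 1/2/3
    for s in (1, 2, 3):
        for r in (1, 5, 15):
            exact = 1 - non_detection_probability(n, s, r)
            print(f"s={s} r={r:2d} exact={exact:.3f} simulated={simulate(n, s, r):.3f}")
        print(f"s={s}: {rounds_needed(n, s, 0.95)} rounds for 95% detection")
```

With a single Sybil identity among 15 neighbours, the test needs many more rounds to reach the same confidence than with three, which is the cost a verifier pays in airtime.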

Radio Resource Testing


[Figure: Probability of Sybil node detection for n = 15, s = 5, m = 5, channel = variable]

Random Key Predistribution (RKP)

The random key predistribution technique allows wireless nodes to establish secure links to other nodes
A random set of keys is assigned to each sensor node so that it can compute a common key to ensure node-to-node secrecy

Random Key Pre-distribution (RKP)

The key ideas are:

1. Associate each node with the keys assigned to the node
2. Key validation: Verify part or all of the keys that an identity claims to have. Indirect and direct validation

RKP: Key Pool

A set of k keys is assigned randomly to each node from a pool of m keys
During the initialization phase, if two nodes share q common keys, they can establish a link
[Figure: node 1 holds K_2, K_4, K_5 and node 2 holds K_3, K_4, K_7; the link uses K_4 (k=3, q=1)]

RKP: Key Pool

Usable Sybil Identity: The ID that can participate in the sensor network without being detected in the key initialization phase
[Figure: Sybil identity S with keys K_1, K_4, K_8]

RKP: Key Pool Validation

Direct Validation
[Figure: node 5 (K_1, K_3, K_9), S (K_1, K_4, K_8), node 2 (K_3, K_4, K_7); k=3, q=1]

Indirect Validation
[Figure: node 5 (K_1, K_3, K_9), S (K_1, K_4, K_8), node 2 (K_3, K_4, K_7); k=3, q=1]

RKP: Key Pool Validation

Full validation is not done, as it would result in excessive communication overhead and a potential DoS attack
Validation can be limited to within the vicinity of the node being validated

RKP: Key Pool


[Figure: Probability a randomly generated Sybil node is usable in the key pool scheme, with pool size = 20,000 and key ring size = 200]

RKP: Single Space Pairwise Key Distribution

This scheme assigns a unique key to each pair of nodes.
Each sensor node i stores unique public info Ui and private info Vi
[Figure: node 1 holds V1, U1, U2; node 2 holds V2, U1, U2]

k = f(V1, U2) = f(V2, U1)

RKP: Single Space Pairwise Key Distribution

This scheme ensures - secure property which means:


Pairwise key calculation requires + 1 memory space in each node
Network is secured even if c nodes are compromised, as long as c <=

A direct validation scheme suffices to prevent both direct and indirect Sybil attacks

RKP: Multi-space Pairwise Key Distribution

This scheme can be viewed as a combination of key pool scheme and single space approach
The setup server randomly generates a pool of m keys, each having unique private info
Each sensor node is assigned k key spaces
If two nodes have at least one common key space, they can compute their pairwise key

RKP: Multi-space Pairwise Key Distribution

[Figure: Probability that an attacker can fabricate Sybil identities with the multi-space scheme; Pool m = 50, Space/node k = 4, = 49]

Registration

In some sensor networks, a trusted central authority may be available for managing the network. It can:
Poll the network and compare the result to the known deployment

Any node can check the list of registered nodes in the central authority

Position Verification

Applies to immobile sensor networks only
A Sybil node will be detected, as its position will be the same as that of the malicious node

RSSI-based Detection

It uses localization algorithm
Upon receiving a message, the four detector nodes compute the location of sender and associate this location with the sender-ID included in the message
But location calculation is costly

[Figure: four detector nodes D1, D2, D3 and D4]

RSSI-based Detection

Let M be a malicious node whose forged ID at time t1 is S1
D2, D3 and D4 report the received RSSI value to representative D1
D1 computes and stores the ratios at t1

[Figure: detectors D1, D2, D3 and D4 and sender S1 at time t1]

RSSI-based Detection

At time t2, let its forged ID be S2
Similarly, D1 computes and stores the ratios at t2
By comparing the values at t1 and t2, D1 can detect the Sybil node

[Figure: detectors D1, D2, D3 and D4 and node M sending as S2 at time t2]
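The comparison D1 performs at t1 and t2 can be sketched as follows. This is an added example, not code from the presentation or the cited paper; the detector positions, the path-loss model (received power = transmit power / distance^alpha), the ID "L7" for an honest node and the 5% tolerance are all constructed assumptions.

```python
import math

# Constructed detector positions (metres); not taken from the slides.
DETECTORS = {"D1": (0, 0), "D2": (10, 0), "D3": (0, 10), "D4": (10, 10)}

def rssi_report(sender_pos, tx_power, alpha=2.0):
    """Constructed RSSI model: received power = tx_power / distance**alpha."""
    return {d: tx_power / math.dist(sender_pos, p) ** alpha
            for d, p in DETECTORS.items()}

def ratios(report):
    """Ratios D1/D2, D1/D3, D1/D4 that the representative D1 stores."""
    return tuple(report["D1"] / report[d] for d in ("D2", "D3", "D4"))

class Representative:
    """D1: keeps the ratios seen per sender ID and compares new ones to them."""

    def __init__(self, tolerance=0.05):   # assumed relative tolerance
        self.tolerance = tolerance
        self.stored = {}                  # sender ID -> ratios

    def _same(self, a, b):
        return all(abs(x - y) <= self.tolerance * y for x, y in zip(a, b))

    def observe(self, sender_id, report):
        """Store ratios for sender_id; return earlier IDs with matching ratios."""
        new = ratios(report)
        suspects = [other for other, old in self.stored.items()
                    if other != sender_id and self._same(new, old)]
        self.stored[sender_id] = new
        return suspects

def demo():
    d1 = Representative()
    m_pos = (3.0, 4.0)                    # where malicious node M really is
    return {
        "S1": d1.observe("S1", rssi_report(m_pos, tx_power=1.0)),       # t1
        "L7": d1.observe("L7", rssi_report((8.0, 2.0), tx_power=1.0)),  # honest node
        "S2": d1.observe("S2", rssi_report(m_pos, tx_power=4.0)),       # t2
    }

if __name__ == "__main__":
    print(demo())
```

In this model the transmit power cancels out of each ratio, so M raising its power for S2 does not change what D1 stores, while the honest node at a different position produces different ratios.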

RSSI-based Detection
4-Detector Setup: 100% Detection, 0% False-positive

2-Detector Setup: 100% Detection, 3% False-positive

1-Detector Setup: 99% Detection, 25% False-positive

Code Attestation

The basic idea is to exploit the fact that the code running on a malicious node must be different from that on a legitimate node
A node can be validated by comparing its memory content

Future Work

Find out new Sybil Attack and propose existing or new defense mechanism
Scheme for Code Attestation
Effective scheme for indirect validation

QUESTIONS??
