References
J. Newsome, E. Shi, D. Song and A. Perrig. The Sybil Attack in Sensor Networks: Analysis & Defenses. In IPSN 2004.
M. Demirbas and Y. Song. An RSSI-based Scheme for Sybil Attack Detection in Wireless Sensor Networks.
Outline
Definition of Sybil Attack
Sybil Attack Taxonomy
Sybil Attacks in Sensor Networks
Defense Mechanisms
Conclusion
The Sybil attack is defined as a malicious device illegitimately taking on multiple identities.
Figure: one malicious device (Eve) presents itself to the network as four identities: "I am Alice", "I am Bob", "I am Casey", "I am Dan".
Three-Dimensional Taxonomy
Direct vs. Indirect Communication
Fabricated vs. Stolen Identities
Simultaneity
Direct Communication: the Sybil identities communicate directly with legitimate nodes.
Indirect Communication: legitimate nodes are not able to communicate directly with the Sybil identities; all traffic to them is relayed through the malicious node.
Fabricated Identities: the attacker creates arbitrary new identities.
Stolen Identities: the attacker takes over the identities of legitimate nodes.
Simultaneity
Simultaneous: the attacker presents all of its Sybil identities at the same time.
Non-Simultaneous: the attacker presents only some of its identities at any one time and cycles through them.
Types of Attack
Distributed Storage
Routing
Data Aggregation
Voting
Fair Resource Allocation
Misbehavior Detection
Distributed Storage
Figure: distributed storage process (nodes 2 and 3).
Routing
In multipath or dispersity routing, seemingly disjoint paths could in fact all go through a single malicious node presenting Sybil identities.
Figure: source S reaches node 6 over two apparently disjoint paths (nodes 1, 3, 5 and nodes 2, 4); Sybil identity y lies on the route.
Data Aggregation
Some sensor network protocols aggregate sensor readings in order to conserve energy, rather than returning individual readings. With a Sybil attack, one malicious node may be able to alter the aggregated reading.
Figure: aggregation of sensor readings (nodes 1 to 7) with Sybil identity y among the contributors.
Voting
2 types of attack:
Figure: a vote between x and y; the Sybil identities all vote for x, and x wins.
Blackmail attack
Fair Resource Allocation
A Sybil attack can be used against fair resource allocation, allowing a malicious node to obtain an unfair share of resources.
Figure: allocation of resource A among identities, several of which are the attacker's x identities.
Misbehavior Detection
Sybil nodes can be used to spread the blame in a misbehavior detection scheme.
Figure: several Sybil identities x each report "Node 1 misbehaved".
Defense Mechanism
Direct Validation: a node directly tests whether another node's identity is valid.
Indirect Validation: nodes that have already been verified are allowed to vouch for or refute other nodes.
Resource Testing
Assumption: each physical entity is limited in some resource. The verifier tests that each identity has as much of that resource as a single physical device. Computation, storage and communication have been proposed as the resources to test.
Testing computation and storage is unsuitable for wireless sensor networks, because the attacker may have far larger resources than a sensor node. For testing communication, it is proposed to broadcast a request for identities and then accept only replies received within a given time interval. This is also unsuitable for wireless sensor networks, as it congests part of the network.
Defenses
Radio Resource Testing
Random Key Predistribution
Registration
Position Verification
RSSI-based Detection Scheme
Code Attestation
Radio Resource Testing
Assumption: any physical device has only one radio, and a radio is incapable of simultaneously sending or receiving on more than one channel.
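The radio resource test that follows from this assumption, written here as an added simulation (not code from the slides or from Newsome et al.): the verifier gives every claimed neighbour identity its own channel, asks all of them to transmit at once, and listens on one randomly chosen channel. A device presenting several identities can honour only one assignment, so a silent channel exposes it. The `Radio` class, the identity names and the 8-identity layout are constructed for the demonstration.

```python
import random
from dataclasses import dataclass


@dataclass
class Radio:
    """One physical radio. Per the slide's assumption it can transmit on only one
    channel at a time, however many identities it claims."""
    identities: list


def detection_probability(n_identities: int, n_sybil: int) -> float:
    """Analytic chance that one round catches a device presenting n_sybil
    identities among n_identities tested neighbours: it answers on only one of
    its channels, so (n_sybil - 1) of the n channels stay silent."""
    return (n_sybil - 1) / n_identities


def run_radio_resource_test(radios, rng, rounds=1):
    """Simulate the test; return how many rounds found a silent channel.

    Each round: assign every identity a distinct channel, let each physical
    radio transmit on one of the channels assigned to its identities, then
    listen on one random channel."""
    identities = [ident for r in radios for ident in r.identities]
    detections = 0
    for _ in range(rounds):
        channels = list(range(len(identities)))
        rng.shuffle(channels)
        channel_of = dict(zip(identities, channels))
        busy = set()
        for radio in radios:
            # A radio can honour only one of its identities' assignments.
            busy.add(channel_of[rng.choice(radio.identities)])
        if rng.randrange(len(identities)) not in busy:
            detections += 1
    return detections


def demo(rounds=20000):
    """Four genuine nodes plus one device claiming four identities (constructed)."""
    rng = random.Random(2024)
    honest = [Radio([f"N{i}"]) for i in range(4)]
    sybil = Radio(["S1", "S2", "S3", "S4"])
    hits = run_radio_resource_test(honest + [sybil], rng, rounds)
    return hits / rounds, detection_probability(8, 4)


def all_honest_detections(rounds=1000):
    """Control: every identity has its own radio, so no channel is ever silent."""
    rng = random.Random(7)
    return run_radio_resource_test([Radio([f"N{i}"]) for i in range(6)], rng, rounds)


if __name__ == "__main__":
    observed, expected = demo()
    print(f"observed detection rate {observed:.3f}, analytic {expected:.3f}")
```

With 4 Sybil identities among 8 tested, three of the eight channels are silent in every round, so a single round detects the attack with probability 3/8; repeating the test drives the miss probability down geometrically, which is the trade-off against the energy the extra rounds cost.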
Random Key Predistribution
The random key predistribution technique allows wireless nodes to establish secure links to other nodes. A random set of keys is assigned to each sensor node so that it can compute a common key with its neighbours, ensuring node-to-node secrecy.
Associate each node with the keys assigned to that node.
Key validation: verify part or all of the keys that an identity claims to have, by direct or indirect validation.
A set of k keys is assigned randomly to each node from a pool of m keys. During the initialization phase, if two nodes share q common keys, they can establish a link.
Figure: node 1 holds {K_2, K_4, K_5} and node 2 holds {K_3, K_4, K_7}; with k = 3 and q = 1 they share K_4 and can establish a link.
Usable Sybil Identity: an ID that can participate in the sensor network without being detected in the key initialization phase (S in the figures below).
Direct Validation
Figure: node 5 holds {K_1, K_3, K_9}, Sybil identity S claims {K_1, K_4, K_8}, node 2 holds {K_3, K_4, K_7}; k = 3, q = 1. Node 5 shares K_1 with S and node 2 shares K_4, so each can directly test the key it has in common with S.
Indirect Validation
Figure: same key sets as above (node 5: {K_1, K_3, K_9}; S: {K_1, K_4, K_8}; node 2: {K_3, K_4, K_7}; k = 3, q = 1). A node that has already verified S vouches for or refutes S to the other node instead of each node testing S itself.
Full validation is not done, as it would result in excessive communication overhead and a potential DoS attack. Validation can be limited to the vicinity of the node being validated.
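The key pool scheme, the usable-Sybil-identity notion and direct validation from the preceding slides, as an added worked example (not code from the slides or from Newsome et al.). Assumptions beyond the slides: the key set of an ID is a public function of the ID (a hash here), so an attacker cannot choose a convenient key set for a fabricated identity; the verifier challenges one shared key with a nonce and expects an HMAC under it; the pool keys, node names and the m = 50 / k = 4 parameters are constructed for the demonstration.

```python
import hashlib
import hmac
import random

M_POOL = 50      # size of the key pool (m on the slides)
K_PER_NODE = 4   # keys assigned to each node (k on the slides)
Q_SHARED = 1     # common keys needed to establish a link (q on the slides)

# Constructed pool K_0 .. K_49; a real setup server would draw random keys.
POOL = {i: hashlib.sha256(f"constructed-pool-key-{i}".encode()).digest()
        for i in range(M_POOL)}


def assigned_key_ids(node_id, m=M_POOL, k=K_PER_NODE):
    """Indices of the k pool keys assigned to node_id.
    Assumption (not on the slides): derived from a hash of the ID, so the
    attacker cannot pick the key set of a made-up identity."""
    ids, counter = [], 0
    while len(ids) < k:
        digest = hashlib.sha256(f"{node_id}:{counter}".encode()).digest()
        idx = int.from_bytes(digest[:4], "big") % m
        if idx not in ids:
            ids.append(idx)
        counter += 1
    return sorted(ids)


def keys_of(node_id):
    """Key material a genuine node with this ID is loaded with."""
    return {i: POOL[i] for i in assigned_key_ids(node_id)}


def can_link(id_a, id_b, q=Q_SHARED):
    """Key initialization phase: a link needs at least q shared keys."""
    return len(set(assigned_key_ids(id_a)) & set(assigned_key_ids(id_b))) >= q


def prove_key(claimed_id, key_idx, nonce, held_keys):
    """Prover side: MAC the challenge under the requested key, or fail
    if that key is not actually held."""
    key = held_keys.get(key_idx)
    if key is None:
        return None
    return hmac.new(key, nonce + claimed_id.encode(), hashlib.sha256).digest()


def direct_validate(verifier_keys, claimed_id, prover_keys, rng=None):
    """Verifier challenges one key it shares with the claimed identity's set.
    Returns True/False, or None if no key is shared and it cannot test directly
    (the case indirect validation exists for)."""
    rng = rng or random.Random(0)
    common = sorted(set(assigned_key_ids(claimed_id)) & set(verifier_keys))
    if not common:
        return None
    idx = rng.choice(common)
    nonce = rng.getrandbits(128).to_bytes(16, "big")
    response = prove_key(claimed_id, idx, nonce, prover_keys)
    expected = hmac.new(verifier_keys[idx], nonce + claimed_id.encode(),
                        hashlib.sha256).digest()
    return response is not None and hmac.compare_digest(response, expected)


def usable_sybil(candidate_id, attacker_key_ids):
    """A fabricated ID is usable only if every key it is supposed to hold is
    already known to the attacker (captured from compromised nodes)."""
    return set(assigned_key_ids(candidate_id)) <= set(attacker_key_ids)


def usable_fraction(attacker_key_ids, candidates):
    """Share of candidate IDs that would survive validation."""
    return sum(usable_sybil(c, attacker_key_ids) for c in candidates) / len(candidates)


def demo(compromised=("C0", "C1", "C2"), n_candidates=2000):
    """Keys learned from a few compromised nodes, and the resulting share of
    fabricated IDs that are usable; plus the three direct-validation outcomes."""
    known = set()
    for node in compromised:
        known |= set(assigned_key_ids(node))
    honest = direct_validate(POOL, "node-1", keys_of("node-1"))
    forged = direct_validate(POOL, "node-1", {})
    unshared = {i: POOL[i] for i in range(M_POOL) if i not in assigned_key_ids("node-1")}
    untestable = direct_validate(unshared, "node-1", keys_of("node-1"))
    return {
        "keys_known": len(known),
        "usable_fraction": usable_fraction(known, [f"sybil-{i}" for i in range(n_candidates)]),
        "honest": honest, "forged": forged, "untestable": untestable,
    }
```

The `None` outcome is the point of the vicinity limit on the slide: a verifier can only challenge keys it holds itself, so an identity sharing no key with it has to be vouched for by a neighbour that does, and the usable fraction shows why capturing more keys (more compromised nodes) steadily widens the attacker's choice of identities.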
Single-Space Approach
This scheme assigns a unique key to each pair of nodes. Each sensor node i stores unique public info U_i and private info V_i.
Figure: node 1 stores V_1, U_1, U_2; node 2 stores V_2, U_1, U_2.
A direct validation scheme suffices to prevent both direct and indirect Sybil attacks.
Multi-Space Scheme
This scheme can be viewed as a combination of the key pool scheme and the single-space approach. The setup server randomly generates a pool of m key spaces, each with its own unique private info. Each sensor node is assigned k key spaces. If two nodes have at least one common key space, they can compute their pairwise key.
Figure: probability that an attacker can fabricate Sybil identities with the multi-space scheme, for pool m = 50 and k = 4 key spaces per node (the slide also shows the value 49).
Registration
In some sensor networks, a trusted central authority may be available to manage the network. It can poll the network and compare the identities it finds against its list of registered nodes. Any node can check the list of registered nodes held by the central authority.
Position Verification
Applies to immobile sensor networks only. A Sybil node is detected because all of its identities report the same position, that of the malicious node.
RSSI-based Detection
It uses a localization algorithm. Upon receiving a message, the four detector nodes compute the location of the sender and associate this location with the sender ID included in the message. But location calculation is costly.
Figure: detector nodes D1, D2, D3, D4.
RSSI-based Detection
Let M be a malicious node whose forged ID at time t1 is S1. D2, D3 and D4 report the RSSI values they received to the representative D1; D1 computes and stores the RSSI ratios at t1.
Figure: at t1, M transmits as S1; D2, D3 and D4 report their RSSI to D1.
RSSI-based Detection
Let the forged ID at time t2 be S2. Similarly, D1 computes and stores the ratios at t2.
Figure: at t2, M transmits as S2; D2, D3 and D4 report their RSSI to D1.
RSSI-based Detection
Figure: D1 compares the RSSI ratios stored at t1 (for S1) and at t2 (for S2) from D2, D3 and D4.
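The ratio comparison D1 performs, as an added simulation (not code from the slides or from Demirbas and Song): under a log-distance path loss model the RSSI ratio between two detectors depends only on the sender's position, because the transmit power cancels out, so two IDs whose ratio vectors agree come from the same radio. Assumptions beyond the slides: a path loss exponent of 2.5, the detector and node coordinates, the transmit powers and the 1 dB tolerance are all constructed for the demonstration; `RepresentativeD1` is a hypothetical name for D1's bookkeeping.

```python
import math

PATH_LOSS_EXPONENT = 2.5  # assumption: log-distance path loss model

# Constructed layout (metres): four detectors, one malicious node M, one genuine node.
DETECTORS = {"D1": (0.0, 0.0), "D2": (10.0, 0.0), "D3": (0.0, 10.0), "D4": (10.0, 10.0)}
MALICIOUS_M = (3.0, 4.0)   # physical node M, forging IDs S1 and S2
LEGIT_L = (7.0, 2.0)       # a genuine node at a different position


def rssi_dbm(tx_power_dbm, tx_pos, rx_pos, n=PATH_LOSS_EXPONENT):
    """Received signal strength under log-distance path loss."""
    d = math.dist(tx_pos, rx_pos)
    return tx_power_dbm - 10.0 * n * math.log10(d)


def rssi_ratios(readings):
    """Ratios of the RSSI at D2..D4 to the RSSI at D1, expressed in dB.
    A dB difference is the log of a linear power ratio; the transmit power
    cancels, so the vector depends only on where the sender is."""
    ref = readings["D1"]
    return {det: readings[det] - ref for det in sorted(readings) if det != "D1"}


class RepresentativeD1:
    """D1 stores one ratio vector per sender ID and flags a new ID whose ratios
    match an ID already seen: same ratios, same position, same radio."""

    def __init__(self, tolerance_db=1.0):
        self.tolerance_db = tolerance_db   # allowance for measurement noise
        self.seen = {}                     # sender ID -> ratio vector

    def observe(self, sender_id, readings):
        """Return the earlier ID this message collides with, or None."""
        ratios = rssi_ratios(readings)
        for other_id, other in self.seen.items():
            if other_id != sender_id and all(
                abs(ratios[d] - other[d]) <= self.tolerance_db for d in ratios
            ):
                return other_id
        self.seen.setdefault(sender_id, ratios)
        return None


def measure(tx_power_dbm, tx_pos):
    """What the four detectors report to D1 for one message."""
    return {det: rssi_dbm(tx_power_dbm, tx_pos, pos) for det, pos in DETECTORS.items()}


def demo():
    """S1 at t1 and S2 at t2 both come from M (S2 at lower power); L is genuine."""
    d1 = RepresentativeD1()
    results = {}
    results["S1"] = d1.observe("S1", measure(0.0, MALICIOUS_M))    # t1
    results["L"] = d1.observe("L", measure(0.0, LEGIT_L))
    results["S2"] = d1.observe("S2", measure(-6.0, MALICIOUS_M))   # t2
    return results


if __name__ == "__main__":
    print(demo())
```

Changing the transmit power between t1 and t2, as the demo does for S2, does not help the attacker: every detector's reading shifts by the same amount, so the stored ratios are unchanged. The tolerance is where the real design work lies, since it trades missed detections against false alarms for two genuine nodes that happen to sit close together.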
Code Attestation
The basic idea is to exploit the fact that the code running on a malicious node must differ from that on a legitimate node. A node can be validated by comparing its memory contents.
Future Work
Find new Sybil attacks and propose existing or new defense mechanisms
A scheme for code attestation
An effective scheme for indirect validation
QUESTIONS??