Post on 04-Jan-2016
Detecting and Correcting Malicious Data in VANETs
Philippe Golle, Dan Greene, Jessica Staddon
Palo Alto Research Center
Presented by: Jacob Lynch
Table of Contents
Introduction
Related Work
Classification of Attacks
Distinguishability
Model
Example
Conclusion
Introduction
Vehicular ad-hoc networks rely heavily on node-to-node communication
  Potential for malicious data
VANETs need a method for evaluating the validity of data
  Nodes search for explanations for the data they receive and accept the data based on highest score
  Nodes can tell “at least some” other nodes apart from one another
  Parsimony argument accurately reflects adversarial behavior in a VANET
Introduction (2)
Each node builds a world view in an offline mode
  Rules: two vehicles cannot occupy the same position at the same time, etc.
  Statistics: vehicles rarely travel faster than 100 MPH, etc.
Density combined with mobility supports parsimony
Related Work
Sybil attacks can foil many algorithms
  Resource testing (storage, computation, communication) in MANETs
  Not appropriate for VANETs, attackers may cheaply acquire resources
Node registration does not scale well
Position verification can identify messages coming from the same source
Classification of Attacks
Decisions based on likelihood of attack scenarios in a VANET, not accumulation of agreeing data
Distinguish attacks based on
  Nature
  Target
  Scope
  Impact
Attack Nature
Adversary may report
  False information about other parts of VANET
  False information about itself
Some attacks may be unpreventable
  If a node can only sense distance instead of precise location, this gives an area in which one node may successfully mount Sybil attacks
Attack Target
Local targets
  Close proximity to attacker
  Better for adversary because the likelihood of conflicting data from neighbors is reduced
  Harder to maintain proximity, less likely
Remote targets
  Further away
  Data received from neighbor nodes may be conflicting
  Easier for an adversary to set up
Attack Scope
Scope is measured by the area of nodes that have data of uncertain validity
Scope is limited if the area of affected nodes is small
  May be local or remote area to the malicious nodes
Extended attack if larger area of nodes is affected
Approach used is designed to slow local attacks growing into extended attacks by using information propagation
Attack Impact
Three outcomes of an attack
  Undetected
    Attack is completely successful
    May occur when node is alone or completely surrounded by malicious nodes
  Detected
    Attack is detected but uncertain data remains
    Nodes have access to honest nodes, but insufficient information to justify the risk in attempting to correct data
  Corrected
    Attack is detected and corrected with no remaining uncertain data
    Lots of honest nodes available, enough information to identify false information and correct the attack
Model Exploitation
Attacker may choose an attack whose effects are hidden by other incorrect explanations chosen to be more likely in the ordering relation of the model
Two ways to help prevent this
  Model shows these hidden attacks to be more costly than simpler attacks
  Allow model to be changed, adjusts to short term and long term changes
Even though the possibility of a complicated attack is included in the model, most attackers will use simple attacks, which makes the sophisticated attacker’s job easier
Distinguishability
In order to tell nodes apart there are four assumptions
  Node can bind observations of its local environment with the communication it receives
  Node can tell its local neighbors apart
  Network is sufficiently dense
  Nodes can authenticate communication to one another after coming close enough
Local Distinguishability
A node can distinguish local neighbors
  Node can associate a message with the physical source of that message
  Node can measure relative position of the source of message
Example setup
  Equip nodes with cameras and exchange messages using visible or infrared light
  Estimate position by analyzing light, message tied to source because the node can tell where it came from
Also use time of arrival, angle of arrival, and received signal strength, which may be tampered with
Extended Distinguishability
Nodes will communicate local observations to nodes farther away
If multiple trusted nodes verify other further nodes as distinct, these nodes may be included in world view as distinct
Use private/public keys refreshed constantly to authenticate communication
  Distinguishability is lost once key is refreshed if the node moves out of local neighborhood
Privacy
Trade-off between privacy and ability to detect and correct malicious data
  Changing keys increases privacy but hinders detection and correction of malicious data
  An isolated node regularly reporting its position changes its key
    Easy to assume the new key belongs to the same node based on trajectories
Suggestions for changing keys
  Change keys at synchronized times
  Introduce gaps in data reported near key changes
  Change keys when nodes are near one another
Model
Nodes may record an observation if the location of the event is within their observation range for the entire duration of the event
Assertions recorded by a node are instantaneously available to all other nodes
  Value of data declines the further away from the event it is transmitted, dealing with a small area
Model (2)
To explain a set of events at a node
  Each event must be tagged with a hypothesis
  Hypotheses are chosen from a set of hypotheses
  The set of hypotheses is partitioned into valid and invalid based
If all the hypotheses matched to the set of events are valid, then the explanation is valid
Explanations are ordered based on statistical methods, for example, Occam’s razor
Example
Assume nodes are able to precisely sense the location of neighbors within communication range
There is a set of observed events K, which can include observations about nodes made by themselves
Model for the VANET will be valid if there is a reflexive observation for every node, and every non-reflexive observation agrees with the reflexive observations
Example (2)
Each node comes up with an explanation
  Label each observation in the set of events as truthful, malicious, or spoof
  The observations made by the node constructing the explanation are truthful
  Observers labeled as spoofs should not have any of their observations recorded as truthful
  One added observation per reflexive observation may be made that supplies correct location information consistent with other truthful observations
Example (3)
Score each explanation according to the number of distinct observers that are labeled malicious
The valid explanation with the fewest malicious nodes is considered the simplest and most plausible explanation
There may be enough information in the set of events to identify all the truthful and malicious nodes
Example (4)
When there are only a few malicious nodes, explanations can be computed by treating truthful observations as arcs in a graph and beginning a breadth-first search at the node’s location, traversing arcs as long as the next node hasn’t been labeled as malicious
All unreached nodes will be labeled as spoofs
Algorithm terminates when it has found explanations consistent with VANET model with fewest malicious nodes
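Added example, not from the original slides or the paper's authors: a brute-force version of the explanation search from Example (2) to (4). It tries hypotheses with the fewest malicious nodes first, labels nodes by breadth-first search over truthful observations, and rejects an explanation when two truthful observations disagree on a location. The observation set K, the node names (M lies about its position and is backed by Sybil identities S1 and S2) and the function names are constructed for illustration, and exact location equality stands in for the model's consistency rules.

```python
from collections import deque
from itertools import combinations

# Constructed sample: (observer, subject, claimed location of subject).
# observer == subject is a reflexive observation.
K = [
    ("A", "A", (0, 0)), ("B", "B", (5, 0)),
    ("A", "B", (5, 0)), ("B", "A", (0, 0)),
    ("M", "M", (9, 9)),                          # M lies about itself
    ("A", "M", (3, 4)), ("B", "M", (3, 4)),      # neighbours sense M's real position
    ("S1", "S1", (9, 8)), ("S2", "S2", (8, 9)),  # Sybil identities created by M
    ("S1", "M", (9, 9)), ("S2", "M", (9, 9)),
    ("M", "S1", (9, 8)), ("M", "S2", (8, 9)),
]

def explain(events, me, malicious):
    """Label every node under one hypothesis; None if the explanation is invalid."""
    arcs = {}
    for obs, subj, _ in events:
        arcs.setdefault(obs, []).append(subj)
    truthful, queue = {me}, deque([me])
    while queue:  # BFS over arcs made by truthful observers
        for subj in arcs.get(queue.popleft(), []):
            if subj not in malicious and subj not in truthful:
                truthful.add(subj)
                queue.append(subj)
    seen = {}  # subject -> location asserted by truthful observers
    for obs, subj, loc in events:
        if obs in truthful and seen.setdefault(subj, loc) != loc:
            return None  # two truthful observations conflict
    nodes = {n for obs, subj, _ in events for n in (obs, subj)}
    return {n: "truthful" if n in truthful else "malicious" if n in malicious else "spoof"
            for n in nodes}  # unreached, non-malicious nodes are spoofs

def simplest_explanations(events, me):
    """Return (score, explanations) for the smallest number of malicious nodes."""
    others = sorted({n for o, s, _ in events for n in (o, s)} - {me})
    for k in range(len(others) + 1):
        found = [e for m in combinations(others, k)
                 if (e := explain(events, me, set(m)))]
        if found:
            return k, found
    return None, []
```

Enumerating subsets is exponential in the number of malicious nodes, which matches the slide's condition that the search is practical when there are only a few of them.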
Example (5)
Second example of model included
  Nodes are not able to distinguish between other nodes with the same precision
Use another breadth-first search to generate explanations
Order explanations by looking for few malicious nodes and a regular density as opposed to sparse or dense patterns of nodes