Non-Cooperative Behavior in Wireless Networks Márk Félegyházi (EPFL) May 2007.
Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi,...
-
Upload
joan-stafford -
Category
Documents
-
view
214 -
download
0
Transcript of Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi,...
Revocation Games inEphemeral Networks
Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux
CCS 2008
Misbehavior in Ad Hoc Networks
• Packet forwarding• Routing
AM
B
• Large scale• High mobility• Data dissemination
2
Traditional ad hoc networks Ephemeral networks
Reputation systems ? Solution to misbehavior:
Reputation vs. Local Revocation
• Reputation systems:– Often coupled with routing/forwarding– Require long-term monitoring– Keep the misbehaving nodes in the system
• Local Revocation– Fast and clear-cut reaction to misbehavior– Reported to the credential issuer– Can be repudiated
3
Tools of the Revocation Trade
• Wait for:– Credential expiration– Central revocation
• Vote with:– Fixed number of votes– Fixed fraction of nodes (e.g., majority)
• Suicide:– Both the accusing and accused nodes are revoked
Which tool to use?4
How much does it cost?
• Nodes are selfish• Revocation costs• Attacks cause damage
How to avoid the free rider problem?
Game theory can help:models situations where the decisions of players affect each other
5
Example: VANET
• CA pre-establishes credentials offline
• Each node has multiple changing pseudonyms
• Pseudonyms are costly
• Fraction of detectors =
6
dp
Revocation Game
• Key principle: Revoke only costly attackers• Strategies:– Abstain (A)– Vote (V): votes are needed– Self-sacrifice (S)
• benign nodes, including detectors• attackers• Dynamic (sequential) game
n
dp NN
M
7
Game with fixed costs1
3
2
A V
VS
S
A
3
2
VSA
3
VSAVSAVSA
( , , )c c c (0,0, 1)
( , , )c c v c
(0, 1,0)
( , , )c v c c (0, , 1)v
(0, , )v v
( 1,0,0)
( , 1,0)v ( , ,0)v v
( ,0, )v v
( ,0, 1)v ( , , )v c c c
Cost of abstaining
Cost of self-sacrifice
Cost of voting
All costs are in keys/message 8
A: AbstainS: Self-sacrificeV: Vote
Assumptions: c > 1
1
3
2
A V
VS
S
A
3
2
VSA
3
VSAVSAVSA
( , , )c c c (0,0, 1)
( , , )c c v c
(0, 1,0)
( , , )c v c c (0, , 1)v
(0, , )v v
( 1,0,0)
( , 1,0)v ( , ,0)v v
( ,0, )v v
( ,0, 1)v ( , , )v c c c
Equilibrium
Game with fixed costs: Example 1
9
Back
war
d in
ducti
on
Assumptions: v < c < 1, n = 2
1
3
2
A V
VS
S
A
3
2
VSA
3
VSAVSAVSA
( , , )c c c (0,0, 1)
( , , )c c v c
(0, 1,0)
( , , )c v c c (0, , 1)v
(0, , )v v
( 1,0,0)
( , 1,0)v ( , ,0)v v
( ,0, )v v
( ,0, 1)v ( , , )v c c c
Equilibrium
Game with fixed costs: Example 2
10
Theorem 1: For any given values of ni, nr, v, and c, the strategy of player i that results in a subgame-perfect equilibrium is:
Theorem 1: For any given values of ni, nr, v, and c, the strategy of player i that results in a subgame-perfect equilibrium is:
ni = Number of remaining nodes that can participate in the game
nr = Number of remaining votes that is required to revoke
Game with fixed costs: Equilibrium
Revocation is left to the end, doesn’t work in practice11
Game with variable costs
S
( 1,0,0)
1
2
A V
V
3
2
SA
S
2 2 2( , , 1 )c c c
1 1 1( , 1 , )c c c 1 1 1( , , )v c v c c
, lim , j jj
c j c v
12Number of stages Attack damage
Theorem 2: For any given values of ni, nr, v, and δ, the strategy of player i that results in a subgame-perfect equilibrium is:
Theorem 2: For any given values of ni, nr, v, and δ, the strategy of player i that results in a subgame-perfect equilibrium is:
Game with variable costs: Equilibrium
Revocation has to be quick
13
Optimal number of voters
• Minimize: MC n
n
Duration of attack Abuse by attackers
14
Optimal number of voters
• Minimize: MC n
n
min{ , }opt a dn p p N M
Fraction of active players
Duration of attack Abuse by attackers
15
RevoGame
Estimation of parameters
Choice of strategy
16
Evaluation
• TraNS, ns2, Google Earth, Manhattan
• 303 vehicles, average speed = 50 km/h
• Fraction of detectors • Damage/stage • Cost of voting• False positives• 50 runs, 95 % confidence
intervals
0.8dp
410fpp
0.1 0.02v
17
Revoked attackers
18
Revoked benign nodes
19
Social cost
20
Maximum time to revocation
21
Global effect of local revocations
22
How many benign nodes ignore an attacker?
False positives and abuse
23
How many benign nodes ignore a benign node?
Conclusion
• Local revocation is a viable mechanism for handling misbehavior in ephemeral networks
• The choice of revocation strategies should depend on their costs
• RevoGame achieves the elusive tradeoff between different strategies
24