Security and Cooperation in Wireless NetworksSecurity and Cooperation in Wireless Networks Georg-August University Göttingen
Selfishness in packet forwarding/Selfishness in packet forwarding/Secure protocols for behavior enforcementSecure protocols for behavior enforcement
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
Part I: Selfishness in packet forwarding the operation of multi-hop wireless networks requires the nodes
to forward data packets on behalf of other nodes however, such cooperative behavior has no direct benefit for
the forwarding node, and it consumes valuable resources (battery)
hence, the nodes may tend to behave selfishly and deny cooperation
if many nodes defect, then the operation of the entire network is jeopardized
question:– When a node is requested to forward a packet by one of its
neighbors, will it do so, if no mechanism enforces this cooperation behavior?
2
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement 3
Modeling packet forwarding as a game
time0time slot:
1 t
Strategy: cooperation level
mC(0) mC(1) mC(t)
• Players: nodes• In each time slot t, each node I chooses a cooperation level mi(t) ϵ [0,1]; 0
represents full defection and 1 means full cooperation.
Benefit (of node i as the source on route r): proportion of packets sent by node i (as the source) on route r reaching their destination = the throughput experienced by i as a source
• So mi(t) would represent the fraction of traffic routed through i at time t that i cooperatively forwards.
• TS : constant amount of traffic sent by source S
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement 4
Benefit function
, ( ) ( ) ( )A E Cr t T r m t m t
1
, ( ) ( )k
l
s fk
r t T r m t
where: s – sourcer – route on which s is a sourcet – time slotfk – forwarders for smfk – cooperation level of forwarder fk
bi – benefit function
Experienced throughput :
A E C D
TA mE(t) mC(t)r (A→D):
Example :
benefit function :
bS
Normalized throughput:
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement 5
Cost function
Example :
{ , }
ˆ , ( ) ( ) ( )kC f E C
k E C
r t m t m t m t
ˆ, ( ) ,C A jc r t T r C r t
A E C D
TA mE(t) mC(t)r (A→D):
1
ˆ , ( )k
j
j fk
r t m t
Normalized throughput at forwarder fj :
where: r – route on which fk is a forwarder t – time slot fk – forwarders on route r mfk – cooperation level of forwarder fk
ˆ, ( ) ,jf s jc r t T r C r t
Cost for forwarder fj on route r: where: Ts(r) – traffic sent by source s on route r C – unit cost of forwarding (cost of forwarding one packet)
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement 6
Total payoff
( ) ( )
, ,i i
i i iq S t r F t
u t b q t c r t
The goal of each node is to maximize its total payoff over the game:
Payoff = Benefit - Cost
where: Si(t) – set of routes on which i is a source Fi(t) – set of routes on which i is a forwarder
0
ti
t
u t
where: – discounting factort – time
time0time slot: 1 t
Payoff: uA(0) uA(1). uA(t). t
Example :
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement 7
Representation of the nodes as players
• Node i is playing against the rest of the network (represented by the box denoted by A-i )• : strategy function of node I• The strategy of node I is defined by its strategy function and its initial cooperation level
mi(0) • Node I chooses its strategy (cooperation level) at time t based on the normalized
throughput it experienced in time slot t-1 on the route where it is a source
yi
xi
A-i i
Strategy function for node i:
where:(r,t) – experienced throughput of route r at time t
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement 8
Examples of strategies
1)( ii y
iii xy )(
0)( ii y
StrategyFunctionInitial
cooperation level
AllD (always defect)
AllC (always cooperate)
TFT (Tit-For-Tat) (mimics the strategy of its opponent in the previous time slot)
0
1
1
non-reactive strategies: the output of the strategy function is independent of
the input (example: AllD and AllC) reactive strategies:
the output of the strategy function depends on the input (example: TFT)
where yi stands for the input
iii yy )(
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement 9
Concept of dependency graphdependency: the benefit of each source is dependent on the behavior of its forwarders•Figure (a) shows a network with 5 routes•Figure (b) shows the correspondent dependency graph (an arrow from I to j means behavior of I has an effect on the benefit of j = I is an intermediate node for source j)
dependency loop
A Dependency loop L of node I is a sequence (I,v1),(v1,v2),…,(v(l-1),vl),(vl,i) of edges in the dependency graph.
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
dependency loops There exist two kinds of dependency loops:
– Reactive dependency loop:• A dependency loop of I in which all nodes other than I
play reactive strategies.– Non-Reactive dependency loop
• A dependency loop of I in which all nodes other than I play non-reactive strategies.
It is interesting to find possible Nash equlibria of packet forwarding strategies– In such strategy profiles the nodes would be better off by
cooperating
10
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement 11
Analytical Results (1/2)
0)( IF
Theorem 1: If node i does not have any dependency loops, then its best strategy is AllD.
Theorem 2: If node i has only non-reactive dependency loops, then its best strategy is AllD.
Corollary 1: If every node plays AllD, it is a Nash-equilibrium.
0)( IE
node i
node playing a non-reactive strategy
other nodes
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement 12
Analytical results (2/2)
Corollary 2: If Theorem 3 holds for every node, it is a Nash-equilibrium.
Theorem 3 (simplified): Assuming that node i is a forwarder, its best strategy will be to cooperate only if it has a dependency loop with each of its sources
Example in which Corollary 2 holds:
A B
C
A B
C
Network Dependency graph
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement 13
Classification of scenarios
D: Set of scenarios, in which every node playing AllD is a Nash equilibrium
• set of all possible scenarios (from Corollary 1)
C: Set of scenarios, in which a Nash equilibrium based on cooperation is not
excluded by Theorem 1
C2: Set of scenarios, in which cooperation is based on the conditions expressed in
Corollary 2
• A classification of scenarios from the cooperation perspective
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement 14
Simulation settings
Number of nodes 100, 150, 200
Area size 1500x1500m, 1850x1850m, 2150x2150m
Radio range 200 m
Distribution of the nodes random uniform
Number of routes originating at each node
1-10
Route selection shortest path
Number of simulation runs 1000
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement 15
Simulation results
• The scenarios in set C in the classification (see slide 13) • Result: the necessary condition expressed by theorem 1 is a strong requirement for
cooperation in realistic settings (i.e. for a reasonably low no. of routes per node)
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement 16
Part I: Summary Analytical results:
– If everyone drops all packets, it is a Nash-equilibrium– In theory, given some conditions, a cooperative Nash-
equilibrium can exist ( i.e., each forwarder forwards all packets )
Simulation results: – In practice, the conditions for cooperative Nash-equilibria
are very restrictive : the likelihood that the conditions for cooperation hold for every node is extremely small
Consequences:– Cooperation cannot be taken for granted– Mechanisms that stimulate cooperation are necessary
• incentives based on virtual currency• reputation systems
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
Part II: Secure protocols for behavior enforcement Motivation:
17
Packet forwarding consumes resources– Nodes are rational => Maximize their own payoff– We have seen that cooperation does not happen naturally for
packet forwarding in self-organized networks– Cooperation must be encouraged
Provide incentive to cooperate within Routing and Forwarding protocols
using a game theoretic approach
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
Part II: Outline• Introduction
– Incentives– System Model
• Model– Dominant action/subaction– Cooperation optimal protocol
• Protocols– VCG payments with correct link cost establishment– Forwarding protocol with block confirmation
• Conclusion
18
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
Introduction Routing protocol
– Discover efficient routing paths
Packet forwarding protocol– Forward packets for other sources– A micropayment system is required to provide
incentives to the nodes after they relay packets fro others
19
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
Possible incentives Possible incentive strategies:
– Punish: Reputation, Jamming, Isolation– Reward: Virtual currency
Possible incentives:– Internally: With intrinsic mechanisms (e.g., deny
communication, jam)– Externally: by dedicated protocols
20
Incentive
Punish Reward
Internal External Internal External
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
System Model
iii cbu
21
Ad-hoc networks as non-cooperative strategic games • Called “Ad Hoc Games”
Nodes can withhold, replace or send a message
Nodes can transmit at discrete power levels Pi
Channel model: • Packet successfully transmitted if Ptransmission >= Pmin
– Pmin = minimum power to reach receiver• No errors (BER = 0)
We define the payoff of a node as:– bi = benefit (reward, by micro-payment)– ci = cost of forwarding (energy, overhead,…)
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
Formal Model
iiiiii aauaau ,,
22
Dominant Action: – A dominant action is one that maximizes player i
payoff, no matter what actions other players choose
Example: Joint packet forwarding game
– Imperfect information– Message from S to D– Two players: p1 and p2
• p1 has no dominant action• p2’s dominant action is F
p1\p2 F D
F (1-c,1-c) (-c,0)
D (0,0) (0,0)
S P1 P2 D
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
Formal Model
,r fi i ia a a
23
Each node action is comprised of two parts: is node i’s subaction in the routing stage
(what it is supposed to do in the routing stage) is node i’s subaction in the forwarding stage (what it really does in the forwarding stage)
fia
ria
• Routing decision R: determined by the routing subactions of all nodes • A node’s prospective payoff is determined by R and by the nodes’ subactions :
ra fia
• Given a routing decision R, a node’s prospective routing payoff, is the payoff that it achieves under the routing decision assuming that all nodes are faithful in their packet forwarding subaction to the one they have declared in the routing subaction, would be:
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
Routing stage
, ,R r r R r ri i i i i iu a a u a a
24
Dominant subaction:– In a routing stage, a dominant subaction of a node
is one that maximizes its prospective payoff no matter what subactions other players choose in this stage:
A routing protocol is a routing-dominant protocol to the routing stage if following the protocol is a dominant subaction of each potential forwarding node in the routing stage
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
Forwarding stage
p1\p2 F D
F (1-c,1-c) (-c,0)
D (0,0) (0,0)
25
A forwarding protocol is a forwarding-optimal protocol to the forwarding stage under routing decision R if– All packets are forwarded to their destinations– Following the protocol is a subgame perfect equilibrium under
R in the forwarding stage.
A path is said to be a subgame perfect equilibrium if it is a Nash equilibrium for every subgame
Node 1
Node 2
Last node
forward
forward
forward
drop
drop
drop
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
Cooperation-Optimal Protocol
A protocol is a cooperation-optimal protocol to an ad-hoc game if
– Its routing protocol is a routing-dominant protocol to the routing stage
– For a routing decision R, its forwarding protocol is a forwarding optimal protocol to the forwarding stage
26
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
Protocol for routing stage Two required fundamental operations:
1. To estimate how much should be paid for node’s cooperation each link of the route the appropriate reward level• Should take into account how much energy the nodes
have to spend to do the operation • It is also interesting to consider in calculating the reward
for a node that what the price would be if that node was not included in the route
2. How to make sure that the nodes cannot cheat about these estimate
27
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
VCG for routing protocols We use VCG: Vickrey, Clarke, and Groves
Nodes independently compute and declare their packet transmission cost to destination
Destination computes Lowest Cost Path (LCP)
Source rewards the nodes – declared cost + added value
The added value is the difference between LCP with the node and without it– Incentive to declare the true price => Truthful
28
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
Example of VCG
29
Least cost path from S to D:LCP(S,D) = S, v2, v3, Dwith cost(LCP(S,D)) = 5 + 2 + 3 = 10 Least cost path without node v2:LCP(S,D;−v2) = S, v1, v4, Dwith cost(LCP(S,D);−v2) = 7 + 3 + 4 = 14
Least cost path without node v3:LCP(S,D;−v3) = S, v2, v4, D with cost(LCP(S,D);−v3) = 5 + 3 + 4 = 12.
VCG payments:bi=cost(LCP(S,D;-i))-cost(LCP(S,D)-{i})=cost(LCP(S,D;-i))-cost(LCP(S,D))+cost({i})
•LCP(S,D): ;-i): the path with the lowest cost claimed from S to D •LCP(S,D;-i): the path with the lowest cost claimed from S to D that does not include i •cost({i}): the cost of the link on LCP(S,D) starting from i
b2 = 14 − 10 + 2 = 6b3 = 12 − 10 + 3 = 5These values represent the unit payment (the payment for one forwardeddata packet) to nodes v2 and v3, respectively.
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
Cheating about the power level Assume mutual computation of link cost:
– Nodes i and j both are involved in measuring Pi,j– Pi,j is the minimum power level required to transmit packets from i
to j
Consider a node i and its neighbor j1. Node i cheats by making Pi,j larger:
– Node j is less likely to be on LCP– Node j’ s payment will decrease.
2. Node j can respond by cheating and making Pi,j smaller:– Node j would be more likely to be on LCP– Node j increases its payment
VCG is thus not truthful in this case
30
i jPi,j
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
Prevent cheating about link costs Computation of link cost (computing transmission costs between
neighboring nodes) using TESTSIGNAL messages TESTSIGNAL messages are sent by a node, i, to its neighbors at different
power levels (in an increasing order) The neighbors, j, will receive only the ones sent with a power equal or
higher than the minimum required power
Any neighbor, j, will inform the rest of the network (and therefore the destination) about the observed power levels by sending ROUTEINFO messages
The destination builds up a matrix of all costs of the links to compute the lowest cost path
31
i j[cost3]K¦HMAC D[cost2]K¦HMAC
[cost1]K¦HMAC
[cost4]K¦HMAC
[cost3]K¦HMAC
[cost4]K¦HMAC
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
Prevent cheating about link costs A node, after receiving the first TESTSIGNAL message for a route (a source-
destination pair) will perform the same operation for estimation of the power needed to reach its own neighbors.
Both TESTSIGNAL and ROUTEINFO message need to be cryptographically protected to prevent any forwarding nodes from altering the power levels
– Nodes share a symmetric key with D – Nodes send an encrypted and signed test signal at increasing power levels containing
cost information– Messages are protected from forging with HMAC– The power information in TESTSIGNAL is encrypted by the node initiating it and will be
re-encrypted by the neighbor receiving it and inserted in the ROUTEINFO message; therefore the second node can not modify the power level needed to reach it (can not increase it chance of being on the selected route or to increase its payment)
– Complexity (computation at the destination): O(N^3)
Once the destination has decided about the lowest cost path, it will send a message back along the path informing the intermediate nodes being on the path and also about the power with which each intermediate node must forward the data packets
32
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
Conclusion on the routing stage
33
Theorem 1: If the destination is able to collect all involved link costs as described above, then the described protocol is a routing dominant protocol to the routing stage.
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
Protocol for forwarding stage
rrH 32
34
In the transmission phase the source and the intermediate nodes forward the packets at the power levels identified in the routing phase
S bundles messages in blocks
With mth block, S sends confirmation rn-m encrypted with the key shared between S and D, where n is the number of blocks
After receiving a block, the destination decrypts rn-m and send it back in clear text along the path
r is made public by source in an authenticated way Nodes can verify the confirmation by applying the hash function m
times on it– For example, the destination should confirm block 2 by sending r5-2=r3
– Nodes can verify:
r1
m1 m2 m3 m4 m5 m6 m7 m8 m9
b1 b2 b3 b4 b5
Hr0 H Hr2 r=r5H
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
Theorems
35
Theorem 2: Given a routing decision R, assuming that the computed payment is greater than the cost, the reverse hash chain based forwarding protocol is a forwarding optimal protocol.
Theorem 3: The complete protocol (routing protocol and packet forwarding protocol) is a cooperation-optimal protocol to AdHocGames.
Georg-August University GöttingenSelfishness in packet forwarding/behavior enforcement
Part II: Summary We considered selfishnesh in both routing and
forwarding phases of ad hoc networks
We have seen how the problem could be studied using game theory
It was described how protocols aiming at simulating cooperation can be secured by appropriate cryptographic protocols
Cooperation optimal protocol– Routing dominant + Forwarding optimal– Routing based on VCG– Forwarding based on Reverse Hash Chain
36