Selfishness in packet forwarding/ Secure protocols for behavior - - PowerPoint PPT Presentation

Security and Cooperation in Wireless Networks

Georg-August University Göttingen

Selfishness in packet forwarding/ Secure protocols for behavior enforcement

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

Part I: Selfishness in packet forwarding

• the operation of multi-hop wireless networks requires the nodes to

forward data packets on behalf of other nodes

• however, such cooperative behavior has no direct benefit for the

forwarding node, and it consumes valuable resources (battery)

• hence, the nodes may tend to behave selfishly and deny cooperation
• if many nodes defect, then the operation of the entire network is

jeopardized

• question:

– When a node is requested to forward a packet by one of its neighbors, will it do so, if no mechanism enforces this cooperation behavior?

2

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

3

Modeling packet forwarding as a game

time time slot: 1 t

Strategy: cooperation level

mC(0) mC(1) mC(t)

• Players: nodes
• In each time slot t, each node I chooses a cooperation level mi(t) ϵ [0,1]; 0

represents full defection and 1 means full cooperation. Benefit (of node i as the source on route r): proportion of packets sent by node i (as the source) on route r reaching their destination = the throughput experienced by i as a source 

• So mi(t) would represent the fraction of traffic routed

through i at time t that i cooperatively forwards.

• TS : constant amount of traffic sent by source S

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

4

Benefit function  

, ( ) ( ) ( )

A E C

r t T r m t m t      

1

, ( ) ( )

k

l s f k

r t T r m t 



 

where: s – source

r – route on which s is a source t – time slot fk – forwarders for s mfk – cooperation level of forwarder fk bi – benefit function

Experienced throughput :

A E C D

TA mE(t) mC(t) r (A→D): Example : benefit function :

bS Normalized throughput:

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

5

Cost function

Example :

 

{ , }

ˆ , ( ) ( ) ( )

k

C f E C k E C

r t m t m t m t 



  



   

ˆ , ( ) ,

C A j

c r t T r C r t     

A E C D

TA mE(t) mC(t) r (A→D):

 

1

ˆ , ( )

k

j j f k

r t m t 





Normalized throughput at forwarder fj :

where: r – route on which fk is a forwarder

t – time slot fk – forwarders on route r mfk – cooperation level of forwarder fk

   

ˆ , ( ) ,

j

f s j

c r t T r C r t     

Cost for forwarder fj on route r:

where:

Ts(r) – traffic sent by source s on route r C – unit cost of forwarding (cost of forwarding one packet)

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

6

Total payoff

   

 

 

( ) ( )

, ,

i i

i i i q S t r F t

u t b q t c r t 

 

 

 

The goal of each node is to maximize its total payoff over the game: Payoff = Benefit - Cost where: Si(t) – set of routes on which i is a source

Fi(t) – set of routes on which i is a forwarder

 

t i t

u t 

 





where: – discounting factor

t – time

time time slot: 1 t Payoff: uA(0) uA(1). uA(t). t

Example :

 



Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

7

Representation of the nodes as players

• Node i is playing against the rest of the network (represented by the box denoted by A-i )
• : strategy function of node I
• The strategy of node I is defined by its strategy function and its initial cooperation level

mi(0)

• Node I chooses its strategy (cooperation level) at time t based on the normalized

throughput it experienced in time slot t-1 on the route where it is a source

yi xi A-i i

Strategy function for node i:

where:  (r,t) – experienced throughput of route r at time t

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

8

Examples of strategies

1 ) ( 

i i y



i i i

x y  ) ( 

) ( 

i i y



Strategy Function Initial cooperation level AllD (always defect) AllC (always cooperate)

TFT (Tit-For-Tat) (mimics the strategy of its

• pponent in the previous

time slot)

1 1

• non-reactive strategies:

the output of the strategy function is independent of the input (example: AllD and AllC)

• reactive strategies:

the output of the strategy function depends on the input (example: TFT) where yi stands for the input

i i i

y y  ) ( 

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

9

Concept of dependency graph

dependency: the benefit of each source is dependent on the behavior of its forwarders

• Figure (a) shows a network with 5 routes
• Figure (b) shows the correspondent dependency graph

(an arrow from I to j means behavior of I has an effect on the benefit of j = I is an intermediate node for source j)

dependency loop

A Dependency loop L of node I is a sequence (I,v1),(v1,v2),…,(v(l-1),vl),(vl,i)

• f edges in the dependency graph.

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

dependency loops

• There exist two kinds of dependency loops:

– Reactive dependency loop:

• A dependency loop of I in which all nodes other than I play

reactive strategies. – Non-Reactive dependency loop

• A dependency loop of I in which all nodes other than I play non-

reactive strategies.

• It is interesting to find possible Nash equlibria of packet

forwarding strategies

– In such strategy profiles the nodes would be better off by cooperating

10

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

11

Analytical Results (1/2)

) (  I

F

 Theorem 1: If node i does not have any dependency loops, then its best strategy is AllD. Theorem 2: If node i has only non- reactive dependency loops, then its best strategy is AllD. Corollary 1: If every node plays AllD, it is a Nash-equilibrium.

) (  I

E



node i node playing a non-reactive strategy

• ther nodes

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

12

Analytical results (2/2)

Corollary 2: If Theorem 3 holds for every node, it is a Nash-equilibrium. Theorem 3 (simplified): Assuming that node i is a forwarder, its best strategy will be to cooperate only if it has a dependency loop with each of its sources Example in which Corollary 2 holds: A B C A B C

Network Dependency graph

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

13

Classification of scenarios

D: Set of scenarios, in which every node playing AllD is a Nash equilibrium

• set of all possible scenarios (from Corollary 1)

C: Set of scenarios, in which a Nash equilibrium based on cooperation is not excluded by Theorem 1 C2: Set of scenarios, in which cooperation is based on the conditions expressed in Corollary 2

• A classification of scenarios from the cooperation perspective

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

14

Simulation settings

Number of nodes 100, 150, 200 Area size 1500x1500m, 1850x1850m, 2150x2150m Radio range 200 m Distribution of the nodes random uniform Number of routes originating at each node 1-10 Route selection shortest path Number of simulation runs 1000

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

15

Simulation results

• The scenarios in set C in the classification (see slide 13)
• Result: the necessary condition expressed by theorem 1 is a strong requirement for

cooperation in realistic settings (i.e. for a reasonably low no. of routes per node)

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

16

Part I: Summary

• Analytical results:

– If everyone drops all packets, it is a Nash-equilibrium – In theory, given some conditions, a cooperative Nash-equilibrium can exist ( i.e., each forwarder forwards all packets )

• Simulation results:

– In practice, the conditions for cooperative Nash-equilibria are very restrictive : the likelihood that the conditions for cooperation hold for every node is extremely small

• Consequences:

– Cooperation cannot be taken for granted – Mechanisms that stimulate cooperation are necessary

• incentives based on virtual currency
• reputation systems

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

Part II: Secure protocols for behavior enforcement

• Motivation:

17

Packet forwarding consumes resources

– Nodes are rational => Maximize their own payoff – We have seen that cooperation does not happen naturally for packet forwarding in self-organized networks – Cooperation must be encouraged

Provide incentive to cooperate within Routing and Forwarding protocols using a game theoretic approach

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

Part II: Outline

• Introduction

– Incentives – System Model

• Model

– Dominant action/subaction – Cooperation optimal protocol

• Protocols

– VCG payments with correct link cost establishment – Forwarding protocol with block confirmation

• Conclusion

18

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

Introduction

• Routing protocol

– Discover efficient routing paths

• Packet forwarding protocol

– Forward packets for other sources – A micropayment system is required to provide incentives to the nodes after they relay packets fro others

19

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

Possible incentives

• Possible incentive strategies:

– Punish: Reputation, Jamming, Isolation – Reward: Virtual currency

• Possible incentives:

– Internally: With intrinsic mechanisms (e.g., deny communication, jam) – Externally: by dedicated protocols

20

Incentive Punish Reward Internal External Internal External

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

System Model

i i i

c b u  

21

• Ad-hoc networks as non-cooperative strategic games
• Called “Ad Hoc Games”
• Nodes can withhold, replace or send a message
• Nodes can transmit at discrete power levels Pi
• Channel model:
• Packet successfully transmitted if Ptransmission >= Pmin

– Pmin = minimum power to reach receiver

• No errors (BER = 0)
• We define the payoff of a node as:

– bi = benefit (reward, by micro-payment) – ci = cost of forwarding (energy, overhead,…)

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

Formal Model    

i i i i i i

a a u a a u

 

  , ,

22

• Dominant Action:

– A dominant action is one that maximizes player i payoff, no matter what actions other players choose

Example: Joint packet forwarding game – Imperfect information – Message from S to D – Two players: p1 and p2

• p1 has no dominant action
• p2’s dominant action is F

p1\p2 F D F (1-c,1-c) (-c,0) D (0,0) (0,0)

S P1 P2 D

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

Formal Model

   

 

,

r f i i i

a a a 

23

• Each node action is comprised of two parts:

is node i’s subaction in the routing stage (what it is supposed to do in the routing stage) is node i’s subaction in the forwarding stage (what it really does in the forwarding stage)

 

f i

a

 

r i

a

• Routing decision R: determined by the routing subactions of all nodes
• A node’s prospective payoff is determined by R and by the nodes’

subactions :

 

r

a

 

f i

a

• Given a routing decision R, a node’s prospective routing payoff, is the

payoff that it achieves under the routing decision assuming that all nodes are faithful in their packet forwarding subaction to the one they have declared in the routing subaction, would be:

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

Routing stage

     

 

     

 

, ,

R r r R r r i i i i i i

u a a u a a

 



24

• Dominant subaction:

– In a routing stage, a dominant subaction of a node is one that maximizes its prospective payoff no matter what subactions other players choose in this stage:

• A routing protocol is a routing-dominant protocol to the

routing stage if following the protocol is a dominant subaction of each potential forwarding node in the routing stage

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

Forwarding stage

p1\p2 F D F (1-c,1-c) (-c,0) D (0,0) (0,0) 25

A forwarding protocol is a forwarding-optimal protocol to the forwarding stage under routing decision R if

– All packets are forwarded to their destinations – Following the protocol is a subgame perfect equilibrium under R in the forwarding stage.

• A path is said to be a subgame

perfect equilibrium if it is a Nash equilibrium for every subgame

Node 1 Node 2 Last node

forward forward forward drop drop drop

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

Cooperation-Optimal Protocol

• A protocol is a cooperation-optimal protocol to

an ad-hoc game if

– Its routing protocol is a routing-dominant protocol to the routing stage – For a routing decision R, its forwarding protocol is a forwarding optimal protocol to the forwarding stage

26

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

Protocol for routing stage

• Two required fundamental operations:

1. To estimate how much should be paid for node’s cooperation each link of the route  the appropriate reward level

• Should take into account how much energy the nodes have to

spend to do the operation

• It is also interesting to consider in calculating the reward for a

node that what the price would be if that node was not included in the route 2. How to make sure that the nodes cannot cheat about these estimate

27

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

VCG for routing protocols

• We use VCG: Vickrey, Clarke, and Groves
• Nodes independently compute and declare their packet

transmission cost to destination

• Destination computes Lowest Cost Path (LCP)
• Source rewards the nodes

– declared cost + added value

• The added value is the difference between LCP with the

node and without it

– Incentive to declare the true price => Truthful

28

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

Example of VCG

29

Least cost path from S to D: LCP(S,D) = S, v2, v3, D with cost(LCP(S,D)) = 5 + 2 + 3 = 10 Least cost path without node v2: LCP(S,D;−v2) = S, v1, v4, D with cost(LCP(S,D);−v2) = 7 + 3 + 4 = 14 Least cost path without node v3: LCP(S,D;−v3) = S, v2, v4, D with cost(LCP(S,D);−v3) = 5 + 3 + 4 = 12. VCG payments: bi=cost(LCP(S,D;-i))-cost(LCP(S,D)-{i})=cost(LCP(S,D;-i))-cost(LCP(S,D))+cost({i})

• LCP(S,D): ;-i): the path with the lowest cost claimed from S to D
• LCP(S,D;-i): the path with the lowest cost claimed from S to D that does not include i
• cost({i}): the cost of the link on LCP(S,D) starting from i

b2 = 14 − 10 + 2 = 6 b3 = 12 − 10 + 3 = 5 These values represent the unit payment (the payment for one forwarded data packet) to nodes v2 and v3, respectively.

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

Cheating about the power level

• Assume mutual computation of link cost:

– Nodes i and j both are involved in measuring Pi,j – Pi,j is the minimum power level required to transmit packets from i to j

• Consider a node i and its neighbor j
• 1. Node i cheats by making Pi,j larger:

– Node j is less likely to be on LCP – Node j’ s payment will decrease.

• 2. Node j can respond by cheating and making Pi,j smaller:

– Node j would be more likely to be on LCP – Node j increases its payment

• VCG is thus not truthful in this case

30

i j Pi,j

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

Prevent cheating about link costs

• Computation of link cost (computing transmission costs between neighboring

nodes) using TESTSIGNAL messages

• TESTSIGNAL messages are sent by a node, i, to its neighbors at different power

levels (in an increasing order)

• The neighbors, j, will receive only the ones sent with a power equal or higher

than the minimum required power

• Any neighbor, j, will inform the rest of the network (and therefore the

destination) about the observed power levels by sending ROUTEINFO messages

• The destination builds up a matrix of all costs of the links to compute the lowest

cost path

31

i j [cost3]K¦HMAC D [cost2]K¦HMAC [cost1]K¦HMAC [cost4]K¦HMAC [cost3]K¦HMAC [cost4]K¦HMAC

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

Prevent cheating about link costs

• A node, after receiving the first TESTSIGNAL message for a route (a source-destination

pair) will perform the same operation for estimation of the power needed to reach its own neighbors.

• Both TESTSIGNAL and ROUTEINFO message need to be cryptographically protected to

prevent any forwarding nodes from altering the power levels

– Nodes share a symmetric key with D – Nodes send an encrypted and signed test signal at increasing power levels containing cost information – Messages are protected from forging with HMAC – The power information in TESTSIGNAL is encrypted by the node initiating it and will be re- encrypted by the neighbor receiving it and inserted in the ROUTEINFO message; therefore the second node can not modify the power level needed to reach it (can not increase it chance of being

• n the selected route or to increase its payment)

– Complexity (computation at the destination): O(N^3)

• Once the destination has decided about the lowest cost path, it will send a message back

along the path informing the intermediate nodes being on the path and also about the power with which each intermediate node must forward the data packets

32

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

Conclusion on the routing stage

33

Theorem 1: If the destination is able to collect all involved link costs as described above, then the described protocol is a routing dominant protocol to the routing stage.

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

Protocol for forwarding stage

 

r r H 

3 2

34

• In the transmission phase the source and the intermediate nodes forward the packets at

the power levels identified in the routing phase

• S bundles messages in blocks
• With mth block, S sends confirmation rn-m encrypted with the key shared between S and D,

where n is the number of blocks

• After receiving a block, the destination decrypts rn-m and send it back in clear text along the

path

• r is made public by source in an authenticated way
• Nodes can verify the confirmation by applying the hash function m times on it

– For example, the destination should confirm block 2 by sending r5-2=r3 – Nodes can verify: r1 m1 m2 m3 m4 m5 m6 m7 m8 m9 b1 b2 b3 b4 b5

H

r0

H H

r2 r=r5

H

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

Theorems

35

Theorem 2: Given a routing decision R, assuming that the computed payment is greater than the cost, the reverse hash chain based forwarding protocol is a forwarding optimal protocol. Theorem 3: The complete protocol (routing protocol and packet forwarding protocol) is a cooperation-optimal protocol to AdHocGames.

Georg-August University Göttingen

Selfishness in packet forwarding/behavior enforcement

Part II: Summary

• We considered selfishnesh in both routing and forwarding

phases of ad hoc networks

• We have seen how the problem could be studied using game

theory

• It was described how protocols aiming at simulating

cooperation can be secured by appropriate cryptographic protocols

• Cooperation optimal protocol

– Routing dominant + Forwarding optimal – Routing based on VCG – Forwarding based on Reverse Hash Chain

36