Improvement To Trust Based Cross Layer Computer Science Essay


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Chapter 4

4.1 Introduction

Many security mechanisms are based on specific assumptions of identity and are vulnerable to attacks when these assumptions are violated. Impersonation is the well-known consequence when authenticating credentials are stolen by a third party. Another attack on identity occurs when credentials for one identity are purposely shared by multiple individuals, for example to avoid paying twice for a service. Such shared accounts are common in practice: friends exchange iTunes passwords to share purchased music; BugMeNot.com is a community that shares website registration passwords; and network address translation devices allow multiple users to pay for a single IP address which is then shared among them [135].

Many distributed applications and everyday services assume each participating entity controls exactly one identity. When this assumption is unverifiable or unmet, the service is subject to attack and the results of the application are questionable if not incorrect. A concrete example of this would be an online voting system where one person can vote using many online identities. Notably, this problem is currently only solved if a central authority, such as the administrator of a certificate authority, can guarantee that each person has a single identity represented by one key; in practice, this is very difficult to ensure on a large scale and would require costly manual attention.

4.1.1 Sybil Attacks

The Sybil attack can be defined as an attack performed by forging identities in Peer-to-Peer (P2P) networks. The name is derived from the book Sybil, a case study of a woman diagnosed with dissociative identity disorder. Brian Zill of Microsoft Research suggested the name. The term pseudospoofing was suggested earlier by Detweiler on the Cypherpunks mailing list, and it was used for similar types of attacks in Peer-to-Peer systems before the year 2002.

A Sybil attack may create a huge number of fake identities, which malicious users can use to gain a disproportionately large influence. The vulnerability of a reputation system to a Sybil attack depends on

how cheaply identities can be generated,

the degree to which the reputation system accepts inputs from entities that have no chain of trust linking them to a trusted entity, and

whether the reputation system treats all entities identically.

An entity can be software which has access to resources available locally. An entity advertises itself using its identity. An entity may use multiple identities for different purposes such as resource sharing, redundancy, reliability and integrity. The identity serves as an abstraction: a remote entity is aware of identities without knowing how those identities correspond to local entities.

An adversary may present multiple identities to appear and behave as multiple distinct nodes, and can thus act maliciously and eavesdrop. Furthermore, the adversary can masquerade by using multiple identities and so gain control of the network.

One of the techniques used to prevent Sybil attacks is the validation approach, which can minimize entity masquerading. To accept a remote identity, a local entity may require a central authority to ensure a one-to-one correspondence between identities and entities; the authority may also provide a reverse lookup if needed.

The validation of an entity may be done directly or indirectly.

In direct validation, the central authority validates the remote identities based on the queries submitted by the local entity.

In indirect validation, the local entity relies on already accepted identities, which are used in turn to test the validity of the remote identity.

Identity-based validation techniques use the anonymous behavior to provide accountability. The validation authority may refuse to perform reverse lookups to preserve users' anonymity. The problem with this approach is that the validation authority becomes a prime target for the attacker.

4.2 Sybil Prevention Techniques

Sybil prevention techniques that use the connectivity characteristics of social graphs may also limit the amount of damage caused by a Sybil attacker while preserving anonymity. The Sybil attack is a severe and pervasive problem in many areas.

It is possible to rig Internet polls by using multiple IP addresses to submit votes [136].

A Sybil attack can be used

by companies that increase the Google Page Rank rating of the pages of their customers [139],

to link particular search terms to unexpected results for political commentary as discussed in News [140].

Reputation systems are a common target for Sybil attacks [141], including real-world systems like eBay, Bhattacharjee [142].

Spammers can use this attack to gain access to multiple accounts on free email systems. Peer-to-peer computing systems which use voting to verify correct answers, such as SETI@home, are susceptible to accepting false solutions from a Sybil attacker [143].

Ad hoc mobile network routing can be manipulated when a Sybil attacker appears to be many different mobile nodes at once [1].

In systems that provide anonymity between peers, such as Tor, the Sybil attack is generally capable of revealing the initiator of a connection [144].

Formal analysis has been done in the context of Peer-to-Peer applications. Proposed solutions most commonly use resource testing, though this cannot prevent the attack in practical situations [33].

4.2.1 General Approaches

Trusted Certification - Trusted certification [33] is the only approach that has the potential to completely eliminate Sybil attacks. Accordingly, it is cited as the most common solution. However, trusted certification relies on a centralized authority that must ensure each entity is assigned exactly one identity, as indicated by possession of a certificate. In fact, [33] offers no method of ensuring such uniqueness, and in practice it must be performed by a manual or in-person process. This may be costly or may create a performance bottleneck in large-scale systems. Moreover, to be effective, the certifying authority must ensure that lost or stolen identities are discovered and revoked. If the performance and security implications can be solved, then this approach can eliminate the Sybil attack.

Resource Testing - The goal of resource testing is to determine whether a number of identities possess fewer resources than would be expected if they were independent. These tests include checks for computing ability, storage ability, and network bandwidth, as well as limited IP addresses.

[147] and [148] specifically proposed testing for IP addresses in different domains or autonomous systems. Requiring heterogeneous IP addresses prevents some attacks but does not discourage others (such as zombie networks) and limits the usability of an application.

[33] has proved the ineffectiveness of resource tests, but a number of researchers suggest them as a minimal Sybil attack defense. In these cases the stated goal is to discourage rather than prevent Sybil attacks, and the number of identities an attacker can have is, in theory, limited. For many applications this is insufficient if an attacker can obtain enough identities for a successful attack, even if it is expensive.

[144] proposed a communication system named Tor, in which an attack on anonymity needs only two identities.

Recurring Costs And Fees - Identities are re-validated using resource tests at regular intervals of time. This approach limits the number of identities that a Sybil attacker with constrained resources can introduce in a period of time. However, as we noted above, in many applications very few Sybil identities are required for an effective attack.

Computational power mostly involves a one-time cost (for example, the purchase of computing hardware), so an attacker could recover over time even a high initial cost of claiming a large number of identities.

[149] suggest the use of Turing tests, such as CAPTCHAs, to impose recurring fees.

[150] require certification of identities, but this certification is not trusted; rather, it is seen as a way of imposing identity creation costs.

[151] proposed an economic analysis of Sufficiently Secure Peer-to-Peer Networks, applying a game-theoretical approach to study the cost-effectiveness of attacks on censorship-resistant networks.

[152] proved that charging a recurring fee for each participating identity is quantitatively more effective as a disincentive against successful Sybil attacks than charging one-time fees. For many applications, recurring fees can incur a cost to the Sybil attack that increases linearly with the total number of identities participating; one-time fees incur only a constant cost.

Trusted devices - In defense related trusted certification authorities, entities in an application can be linked in a secure fashion to a specific hardware device. Analogous to any central authority handing out cryptographic certificates, there are no special methods of preventing an attacker from obtaining multiple devices other than manual intervention. The cost of acquiring multiple devices may be high.

4.3 DAS: An approach to defend against Sybil attacks

In the present work a mechanism known as DAS is proposed to limit Sybil attacks arising from

malicious influence, and

misuse of IP harvesting.

Figure 4.1: A Network with Honest and Sybil nodes [125].

The nodes in the graph represent identities and the trust relations established by humans are represented by undirected edges. All the edges created by honest nodes form an honest region and the edges created by malicious users (Sybil identities) form the Sybil region. These edges are also known as attack edges.

The number of attack edges in the present work is assumed to be independent of the number of Sybil identities, and the number of trust relation pairs formed between honest users and malicious users may limit the attack edges.

4.3.1 Social Network and Attack Edges:

DAS restricts the number and size of Sybil groups by using the existing human-established trust relationships between the users. The social network comprises all the honest nodes and Sybil nodes (Figure 4.1). If two nodes have strong social connectivity, an undirected edge exists between them and a trust relationship is established between them to prevent a Sybil attack being launched. Two users are said to be friends when connected by an edge. The connecting edge also indicates the strength of trust. An edge between an honest node and a Sybil node can exist when an honest user (Alice) is fooled into trusting a malicious user (Bob). Such an edge is said to be an attack edge, and the total number of attack edges is denoted by g.

A symmetric key, also called the edge key, is shared between each pair of friends. The edge key serves as the authentication mechanism for messages shared between the two friends. A node can revoke an edge key by discontinuing its use and discarding it later.

As the value of n grows, the node degree is expected to remain small because DAS assumes strong trust between the friends in the social network. Each honest node limits its degree to a constant value (e.g., 30), which prevents a malicious user from increasing the number of attack edges (g) by compromising high-degree honest nodes.

Whenever a node changes its IP address, the same is communicated to its friends, to facilitate continuous communication across the network. Furthermore depending on the availability of DNS and DNS names, the DNS records are updated.

4.3.2 DAS Functionalities

DAS is completely decentralized.

DAS guarantees that an honest node accepts another honest node with a high probability, and the same node is also accepted by other honest nodes with high probability in order to obtain/provide service from/to other honest nodes.

DAS also guarantees that a restricted number of Sybil nodes are accepted by an honest node.

The set of accepted nodes for a node V1 will differ from those that are accepted by a node V2 due to the decentralized nature of DAS.

DAS further enables the accepted nodes to be partitioned into equivalence groups so that only a few of those groups may contain Sybil nodes.

[124] has proposed that availability of sufficient number of equivalence groups will avoid wastage of resources. A small quotient cut was observed in the graph when the malicious users create too many Sybil identities, i.e., the removal of a small set of attack edges disconnects a large number of Sybil identities.

4.4 Model & Problem Formulation

Identities are also called nodes, and the terms "identity" and "node" are used interchangeably. The system has n honest users, and one or more malicious users. Each honest user has a single identity and each malicious user has one or more identities. When all the malicious users are under the control of an adversary they may collude.

Nodes participate in the system to provide and receive service as peers. To defend against Sybil attacks, the present system aims to provide a mechanism for a node V to decide whether to accept or reject another node S. In order to receive service from S, the node V accepts the node S. The defense system must ensure that only honest nodes are accepted by V.

4.4.1 Restricting the Number of Sybil Groups

An equivalence relation among accepted nodes is suggested in [4]. All accepted nodes are partitioned into equivalence classes, known as equivalence groups. An equivalence group that contains one or more Sybil nodes is a Sybil group. The defense system provides guarantees on the number of Sybil groups, without knowing which groups are Sybil. The equivalence classes are defined according to network coordinates. In this scheme, all nodes with similar network coordinates are considered to be equivalent and thus can be accepted. Thus, the number of Sybil groups is the number of distinct network locations that are under the control of the adversary.

The goal is to make sure that all replicas are not placed on Sybil nodes. If the number of Sybil groups is g, then the defense system guarantees that placing the file on nodes which are obtained from g+1 different equivalence groups will yield one good copy of the file at least.

4.4.2 Restricting the Size of Sybil Groups

The restriction imposed on the number of Sybil groups may depend on the effectiveness of the adversary. The adversary can make honest users act maliciously with the intent of having more Sybil groups accepted by the defense system. The number of nodes accepted in each of the g Sybil groups may be further restricted. A node will accept g · w Sybil identities if each Sybil group contains w nodes. If g · w is smaller than n (the number of honest nodes), it can be inferred from Chernoff bounds that as the number of replicas increases, the probability of having a large portion of the replicas on honest nodes approaches 1.0 exponentially [23].

In most of the decentralized distributed systems it is not difficult to choose uniformly random nodes as replicas. DHT-based (Distributed Hash Table) systems place replicas of the files on a random set of nodes.

4.4.3 Side-Effects on Honest Nodes

Restricting the number and size of Sybil groups has the following side-effects:

some of the honest nodes may be rejected by the defense system;

two or more distinct honest nodes may be considered as equivalent.

4.5 Random Routes and Route Intersection

Random walks, also known as random routes, in the social network are used in DAS. At each hop, the current node selects a uniform random edge for the walk to proceed. A pre-computed random permutation is used by each node as a one-to-one mapping. From the convergence property it can be inferred that two random routes that enter an honest node along the same edge will exit along the same edge. The outgoing edge also determines the incoming edge, which enables the random routes to be back-traced. This property is known as the back-traceable property.

Each node is assumed to perform a random walk of a length w (e.g., w is nearly 5000 for the one-million node topology). These random routes form the basis of DAS which helps the verifier to decide whether or not to accept the suspect. The verifier accepts a suspect node if its random route intersects with random route of the suspect (Figure 4.2). The verifier’s route remains entirely inside the honest region with a high probability, due to the fact that the number of attack edges is limited, with appropriate w.

Figure 4.2: A scenario of Verifier accepting the suspect [125]

4.6 Restriction on Number and Size of Sybil Groups

The random route of a Sybil identity must traverse one of the attack edges to intersect with the random route of the verifier. If a single attack edge exists, the random routes from Sybil identities must merge completely after they traverse the attack edge, as shown in Figure 4.3 (convergence property). The edge e1 in Figure 4.3 shows that all these routes have a common intersection with the verifier’s route. All of these nodes are considered to be in the same equivalence group by the verifier, resulting in a single Sybil group. The number of Sybil groups is also restricted to g based on the attack edges. DAS further restricts the size of equivalence groups to be less than w.

The ith such route traverses a given edge in its ith hop. The verifier node can accept exactly one identity for each of the w hop numbers for every intersection point and an edge that is adjacent to the intersection point.

Figure 4.3: Scenario showing the merge of all Random Routes Traversed along the same edge [125]

4.7 Guarantees on Honest Nodes

For honest nodes, it can be shown that with appropriate w, the random route of an honest node intersects with the verifier’s route. An honest node will never compete again for the same hop number with any of the other honest nodes including Sybil identities. In the present work all the honest nodes are partitioned into z different equivalence groups, where z is computed from the sum of the degrees of the w nodes that lie on the verifier’s route.

4.8 Limiting the Number of Attack Edges

The effectiveness of DAS is realized from the limited number of attack edges (g). The malicious user might attempt to increase g in different ways:

The malicious users establish social trust with a larger number of honest users in the system under consideration.

A malicious user (Bob) convinces an honest user (Alice) to become a friend and creates many Sybil identities, and then tries to convince John to also be friends with these Sybil identities. Bob holds a single edge key to the edge between Alice and Bob. Hence all messages are authenticated using that edge key and are considered by John to come from the same edge. In this case the number of attack edges remains unaltered.

The malicious user may also compromise a single honest node of degree d. In this case the value of g is increased by a constant because d was already constrained within some constant by the user. On the other hand, creation of further attack edges is not possible for the malicious user due to the fact that addition of an edge to another honest user may require out-of-band verification by that honest user.

A botnet may be created by the malicious user by compromising a large number of computers. The upper bound of g is increased based on the number of compromised computers. The total size of the botnet does not affect this increase.

4.9 Random Routes

The randomized routing table helps a node to choose the next hop. For a node A with d neighbors, a permutation "x1, x2, . . . , xd" is chosen uniformly at random among all permutations of 1, 2, . . . , d. If a random route enters A along its ith edge, A uses edge xi as the next hop.

A node’s routing table will change when its degree changes. Using such a randomized routing table may introduce correlation in the random choices if the same node is visited multiple times by a random route. It is also possible that random routes become repeated loops.
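The routing rule above, together with the convergence, back-trace and intersection properties of Section 4.5, worked through as an added example (not code from the original essay or from the DAS authors). The topology, the node names h0.., s0.. and all function names are constructed for illustration, and a neighbor's position in the adjacency list stands in for the edge number.

```python
import random

def build_tables(adj, rng):
    """One uniformly random permutation per node: entry i is the index of the
    exit edge for a route that arrived on the node's i-th edge."""
    tables = {}
    for node, nbrs in adj.items():
        perm = list(range(len(nbrs)))
        rng.shuffle(perm)
        tables[node] = perm
    return tables

def random_route(adj, tables, start, first_nbr, w):
    """Directed edges of the w-hop route leaving `start` towards `first_nbr`."""
    route, u, v = [], start, first_nbr
    for _ in range(w):
        route.append((u, v))
        in_idx = adj[v].index(u)               # edge the route arrived on
        u, v = v, adj[v][tables[v][in_idx]]    # permutation picks the exit edge
    return route

def back_trace(adj, tables, edge, hops):
    """Back-traceable property: the exit edge determines the entry edge."""
    u, v = edge
    trail = []
    for _ in range(hops):
        in_idx = tables[u].index(adj[u].index(v))   # invert the permutation
        u, v = adj[u][in_idx], u
        trail.append((u, v))
    return trail

def reached(adj, tables, node, w):
    """Nodes reached by the d routes of `node`, one route per incident edge."""
    return {v for nbr in adj[node]
            for _, v in random_route(adj, tables, node, nbr, w)}

def accepts(adj, tables, verifier, suspect, w):
    """The verifier accepts the suspect when their routes share a node."""
    return bool(reached(adj, tables, verifier, w) &
                reached(adj, tables, suspect, w))

def sybil_footprint(adj, tables, sybils, w):
    """Honest nodes touched by any route of any Sybil identity."""
    touched = set()
    for s in sybils:
        touched |= reached(adj, tables, s, w)
    return touched - set(sybils)

def constructed_network(n_honest=12, n_sybil=20):
    """Constructed topology: honest ring with chords, a ring of Sybil
    identities, and a single attack edge s0 - h0."""
    adj = {}
    def link(a, b):
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    honest = [f"h{i}" for i in range(n_honest)]
    sybils = [f"s{i}" for i in range(n_sybil)]
    for i in range(n_honest):
        link(honest[i], honest[(i + 1) % n_honest])
    for i in range(n_honest // 2):
        link(honest[i], honest[i + n_honest // 2])   # chords across the ring
    for i in range(n_sybil):
        link(sybils[i], sybils[(i + 1) % n_sybil])
    link("s0", "h0")                                 # the only attack edge
    return adj, honest, sybils

if __name__ == "__main__":
    adj, honest, sybils = constructed_network()
    tables = build_tables(adj, random.Random(7))
    w = 6
    beyond = random_route(adj, tables, "s0", "h0", w)
    print("route past the attack edge:", beyond)
    print("back-traced from last hop:", back_trace(adj, tables, beyond[-1], w - 1))
    # However many Sybil identities exist, their routes merge after s0 -> h0,
    # so the honest nodes they can touch all lie on that one continuation.
    print("honest nodes any Sybil route can touch:",
          sorted(sybil_footprint(adj, tables, sybils, w)))
    print("h3 accepts h9:", accepts(adj, tables, "h3", "h9", w))
```

Inside the Sybil region the adversary need not follow the routing rule at all, but the bound still holds because every crossing into the honest region uses the directed edge s0 -> h0 and the honest nodes beyond it do follow the rule.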

4.10 Problematic Routes and Redundancy

A random route is problematic if either

a loop is formed or

it enters the Sybil region.

Loops repeatedly visit the same nodes and reduce the probability of route intersection. The random routes that lie in a Sybil region will be under the control of the malicious user. If such a route is used by the verifier, it may likely accept a restricted number of Sybil nodes. In case of a loop formation, the starting point makes a decision of forwarding the route along the first edge.

4.11 Design of Secure and Decentralized Random Routes

Each node maintains two local data structures namely registry tables and witness tables. These tables are propagated to direct neighbors.

4.11.1 Registration Process

In DAS, each node S has a degree d. The node S performs d random routes of w hops each. S needs to register with all the w nodes on each of its routes, which prevents S from submitting false information about its routes. A node Q permits S to register if S is one of the nodes that can be reached within w hops "upstream". In this process, each node is required to use an unforgeable token, based on which it is accepted.

In the present work public key cryptography was used for the tokens. Each honest node has a public/private key pair. Malicious nodes may create multiple sets of public/private key pairs. The private key of each node serves as the unforgeable token. The public key shall be registered along all the random routes which can be used as a proof of ownership of the token. The registration process is performed in a secure and completely decentralized manner because DAS uses two tables namely registry tables and witness tables.

4.11.2 Registry Tables

Figure 4.4: Registry Table Maintenance [37]

A registry table is built at each node I, for each of its edges as shown in Figure 4.4. The ith entry in the table for an edge e gives the public key of the corresponding node whose random route enters I along the edge e at the ith hop. In Figure 4.4 the registry table entry on C for edge e3 shows one of B’s random routes, B →C → D using edge e3 and e4 respectively. In the first hop, B enters C via edge e3 and the public key of B can be determined from the first entry in the table. The second entry corresponds to A’s public key, and so on. The registry table has w entries of public keys of the w nodes upstream. Registry tables are updated only when social trust relationships change. Thus, the bandwidth consumption is expected to be quite acceptable.

4.11.3 Witness Tables

Each node should have the knowledge of the entire set of nodes that are formed on its random routes. This can be achieved by maintaining a witness table at each node along with its edges. The public key or its hash value can be obtained from the ith entry in the table, along with the IP address of the node at ith hop of the random route.

The process of propagating and updating a witness table is similar to that of a registry table. When it propagates "backward", a node will have the knowledge of the w "downstream" nodes available on its random routes. Witness tables are updated when the IP address of a node changes.

4.11.4 Verification

In this process a node V tries to verify another node S. This requires V to find an intersection between its random routes and the random routes formed by S. For this purpose, all of the witness tables of S are forwarded to V along with the public key of S. Standard optimizations such as Bloom Filters [14] can be applied to reduce the communication overhead. The (hashed) public key of the first intersection point X on V’s route is determined. The recorded IP address is used by V to contact X. Further, V authenticates X, using its private key.

A hash value is calculated from the hashed keys and the public key of X, and is compared with the hash value stored at V to authenticate X. If an entry for X is not found using the recorded IP address, V may obtain X’s IP address from neighbor nodes in the witness table. This introduces no vulnerability because V authenticates X based on its public key. If the public key of S is present in one of the routing tables, then that route from V accepts S.

4.11.5 Key Revocation

A node can revoke its public/private key pair and then start using a new public key pair to propagate its registry table and witness table.

4.11.6 Sybil Nodes

DAS is secure against Sybil attacks. If all the honest nodes are assumed to be of the same degree d, then the registry tables will have (n · d · w) entries in total.

If a malicious node M is connected to an honest node A by an attack edge, then M propagates a registry table to A, which causes w entries in A’s registry table to be polluted. Later, when A’s registry table is forwarded to B, w − 1 entries in B’s registry table also get polluted. Continuing in the same way, a single attack edge enables a malicious node M to control w + (w − 1) + . . . + 1 ≈ w^2/2 entries. As g · w approaches n, the total number of polluted entries (g · w^2/2) is likely to be less than half the total number of entries (n · d · w).
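How registry tables propagate hop by hop (Section 4.11.2) and how far one forged table spreads through a single attack edge, as an added example (not code from the original essay or from the DAS authors). The ring topology, the fixed permutations, the "pk-" and "sybil-" key strings and the function names are constructed so the arithmetic can be checked by hand; real nodes would draw their permutations at random.

```python
def propagate(adj, tables, keys, w, forged=None):
    """Return reg[(u, v)]: the registry table node v holds for its edge from u.
    Entry i (1-based) is the key of the node whose route enters v on that edge
    at its i-th hop. `forged` maps a directed edge to the table a malicious
    sender pushes over it instead of following the protocol."""
    forged = forged or {}
    reg = {(u, v): [None] * w for u in adj for v in adj[u]}
    for _ in range(w):                      # entry i is settled after i rounds
        nxt = {}
        for (u, v) in reg:
            if (u, v) in forged:
                nxt[(u, v)] = list(forged[(u, v)])[:w]
                continue
            out_idx = adj[u].index(v)
            in_idx = tables[u].index(out_idx)    # edge whose routes exit to v
            prev = adj[u][in_idx]
            # u announces itself, then shifts what it learned from upstream.
            nxt[(u, v)] = [keys[u]] + reg[(prev, u)][:w - 1]
        reg = nxt
    return reg

def polluted_entries(reg, honest, fake_keys):
    """Count forged keys sitting in registry tables held by honest nodes."""
    return sum(1 for (u, v), table in reg.items() if v in honest
               for key in table if key in fake_keys)

def honest_entries(reg, honest):
    """Total registry entries held by honest nodes (sum of degrees times w)."""
    return sum(len(table) for (u, v), table in reg.items() if v in honest)

def constructed_ring(n):
    """Honest ring h0..h(n-1); malicious node M attached to h0 by one edge."""
    adj = {f"h{i}": [f"h{(i - 1) % n}", f"h{(i + 1) % n}"] for i in range(n)}
    adj["h0"].append("M")
    adj["M"] = ["h0"]
    tables = {node: [1, 0] for node in adj if node != "M"}  # pass straight on
    tables["h0"] = [2, 0, 1]   # from h(n-1) -> M, from h1 -> h(n-1), from M -> h1
    tables["M"] = [0]
    keys = {node: "pk-" + node for node in adj}
    return adj, tables, keys

if __name__ == "__main__":
    w = 5
    adj, tables, keys = constructed_ring(8)
    honest = {node for node in adj if node != "M"}
    fake = [f"sybil-{i}" for i in range(w)]
    reg = propagate(adj, tables, keys, w, forged={("M", "h0"): fake})
    for edge in [("M", "h0"), ("h0", "h1"), ("h1", "h2"), ("h2", "h3")]:
        print(edge, reg[edge])
    bad = polluted_entries(reg, honest, set(fake))
    print("polluted:", bad, "= w(w+1)/2 =", w * (w + 1) // 2,
          "of", honest_entries(reg, honest), "honest-held entries")
```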

4.12 Designing the Length of Random Routes

DAS assumes that the length w of the random routes is sufficiently small to ensure that

the random route of a verifier remains completely within the honest region and

the size of Sybil groups is not very large.

The results are obtained for random walks used in DAS.

4.13 Dealing nodes in DAS

The social network is assumed to be static in the present work. In decentralized distributed systems, the node corresponding to a user may join or leave the network, i.e., it may be online or offline. A critical problem faced in DHTs is dealing with the frequent node join/leave (or "churn") events.

DAS is designed in such a way that it responds to user creation/deletion, but not to node churn. Many of the nodes in the network can go offline at any given point of time.

4.13.1 Dealing with Offline Nodes

A node needs to communicate with other nodes only when

a verification of another node is required, or

the registry and witness tables are propagated to its neighbors.

A single route formed by V and a single route formed by S are likely to have multiple intersections. The verification of a node is possible as long as a large portion of V’s routes have one intersection point online.

Previous studies on P2P systems [134] showed that despite high churn rates of nodes, user creation/deletion occurs infrequently.

Figure 4.5: Incremental Maintenance of Routing Tables

The example in Figure 4.5 assumes that d = 3 and k = 2. After the edge e4 is added, the routes entering via edge e2 only need to be redirected.

A simple lookahead routing table design was proposed by Yu et al., [129] to bypass some offline nodes. For a given node with its edge adjacent to it, the lookahead routing table records which nodes of the route should be traversed on the next k hops.

4.13.2 Incremental Routing Table Maintenance

The routing tables are updated whenever users and edges are added to or deleted from the social network. The node A has to update its routing table entries when a new edge is added between A and B.

In this algorithm, whenever a new edge is added to A, the node A chooses a uniformly random integer k (1 ≤ k ≤ d + 1). If k = d + 1, then the new routing table of A will be "x1, x2, . . . , xd, d+1". If 1 ≤ k ≤ d, the new routing table of A will be "x1, x2, . . . , xk−1, d+1, xk+1, . . . , xd, xk".

A similar process is used for edge deletion. If the original routing table of A is "x1, x2, . . . , xd, d+1" at some point of time and an edge d + 1 is deleted, such that xk = d + 1, then A’s new routing table is updated to "x1, x2, . . . , xd" after deletion.

The resulting routing table is a uniformly random permutation [129] for the routes entering A via edge k in case of both insertion and deletion.
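The insertion rule above, with an exhaustive check that it keeps the routing table a uniformly random permutation while redirecting at most one existing entry, as an added example (not code from the original essay or from the DAS authors). Function names are illustrative, and delete_last_edge is written as the exact inverse of the insertion step, which is an assumption that covers the deletion case the text gives.

```python
import random
from itertools import permutations

def insert_edge(table, k):
    """table = [x1, ..., xd] with 1-based edge numbers. Returns the routing
    table after edge d+1 is added and the integer k was drawn."""
    d = len(table)
    if not 1 <= k <= d + 1:
        raise ValueError("k must lie in 1..d+1")
    new = list(table)
    if k == d + 1:
        new.append(d + 1)          # routes entering on the new edge leave on it
    else:
        new.append(new[k - 1])     # routes entering on the new edge take x_k
        new[k - 1] = d + 1         # routes entering on edge k take the new edge
    return new

def add_edge(table, rng):
    """Draw k uniformly from 1..d+1 and apply the insertion rule."""
    k = rng.randint(1, len(table) + 1)
    return insert_edge(table, k), k

def delete_last_edge(table):
    """Remove the highest-numbered edge by undoing insert_edge (assumption:
    deletion is the inverse of insertion)."""
    top = len(table)
    k = table.index(top) + 1       # the entry that pointed at the deleted edge
    new = list(table[:-1])
    if k != top:
        new[k - 1] = table[-1]     # edge k inherits the deleted edge's exit
    return new

def redirected(old, new):
    """Existing incoming edges (1-based) whose exit edge changed."""
    return [i + 1 for i, (a, b) in enumerate(zip(old, new)) if a != b]

def uniformity_check(d):
    """Feed every permutation of 1..d and every k through insert_edge. True
    when each permutation of 1..d+1 comes out exactly once, i.e. a uniform
    input table and a uniform k give a uniform output table."""
    seen = [tuple(insert_edge(list(p), k))
            for p in permutations(range(1, d + 1))
            for k in range(1, d + 2)]
    everything = set(permutations(range(1, d + 2)))
    return len(seen) == len(set(seen)) and set(seen) == everything

if __name__ == "__main__":
    old = [2, 3, 1]                               # constructed table, d = 3
    new = insert_edge(old, 2)                     # the d = 3, k = 2 case
    print(old, "->", new, "redirected incoming edges:", redirected(old, new))
    print("undo:", delete_last_edge(new))
    print("random draw:", add_edge(old, random.Random(1)))
    print("uniform for d = 1..4:", all(uniformity_check(d) for d in range(1, 5)))
```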

Figure 4.6: A scenario of Potential Attack by M

4.13.3 Attacks Exploiting Node Dynamics

Suppose each node performs only a single random route. In Figure 4.6, the malicious node M’s random route is M →A→B→C for w=3. The public key of M, key1, is recorded in the registry tables of A, B, and C. Suppose that at this moment another honest node D joins, and establishes edges with A and E. The routing table of node A is updated accordingly. The malicious node M can launch an attack by changing its public key to key2, which is recorded in the registry tables of A, D, and E respectively. In this situation key1 is registered on w−1 nodes, and key2 is registered on w nodes. Both the keys can be successfully verified with good probability.

When the routing table of A is changed, the system should revoke key1 from the registry tables of B and C since M’s random route no longer passes through these nodes. This situation serves the attacker as a point of vulnerability. Revoking stale entries is likely to introduce a considerable amount of complexity because B and C may be offline.

4.14 Evaluation

The NS2 simulator is used to evaluate the guarantees of DAS. This model can be used to instantiate three different graphs with parameters as shown in Table 5.1.

Table 5.1: Simulation Parameters

No of nodes     Average degree
1 million       24
10000           24
100             12

4.14.1 Results with No Malicious Users

Without malicious users, the only property concerned is whether an honest node accepts an honest node.

Figure 4.7: Probability of Intersection

Figure 4.7 shows the probability of V successfully accepting S, as a function of w (length of the random routes). The following observations were made from the above graph:

Probability of an honest node being successfully accepted

Case 1: With Redundancy >=10

For a verifier V to accept the suspect S, the preliminary condition is that the routes formed by them must intersect each other and at least one of the intersections formed must be online.

It is assumed that as long as there are 10 intersections the verification succeeds.

When the length of the random routes (w) is nearly 300, V accepts S with a probable chance of 0.81.

When the value of w increases from 200 to 400, V accepts S with a probable chance of 0.85.

When the value of w increases from 400 to 600, V accepts S with probable chance of 0.91.

When the value of w increases from 600 to 1750, V accepts S with a steady probable chance of 0.95.

When the value of w changes from 1750 to 2250, the probable chance of V accepting S decreases from 0.95 to 0.91 and further drops to 0.8.

Hence it can be concluded that as long as there are 10 intersections the verification succeeds.

Case 2: With Redundancy >=1

For a verifier V to accept the suspect S, the preliminary condition is that the routes formed by them must intersect each other and at least one of the intersections formed must be online.

It is assumed that as long as there is 1 intersection the verification succeeds.

When the length of the random routes (w) is nearly 400, V accepts S with a negligible chance of 0.02.

When the value of w increases from 400 to 600, V accepts S with a probable chance of 0.04.

When the value of w increases from 600 to 800, V accepts S with a probable chance of 0.06.

This trend continues, with a small increase in the chance of V accepting S, until the length of the random routes increases to 2500.

Hence it can be concluded that with 1 intersection the verification succeeds.

Case 3: No Redundancy >=10

If redundancy is not exploited, the needed length will be much higher for V to accept S.

When the value of w is nearly 200, the chance of V accepting S is almost zero.

When the value of w is nearly 400, the chance of V accepting S increases from 0 to 0.1.

When the value of w is between 400 and 800, the chance of V accepting S increases from 0.2 to 0.3.

This trend continues as the length of the random routes increases from 800 to 2250.

The probability of V accepting S remains constant when the value of w changes from 2250 to 2500.

Hence it can be concluded that without redundancy, successful verification is difficult to achieve.

Case 4: No Redundancy >=1

If the number of intersections is almost zero, this is the worst-case scenario for V accepting S, and hence the length of the random route must be very high. In other words, if redundancy is not exploited, the needed length will be much higher.

When the length (w) of the random route is between 0 and 2250, there is no chance of V accepting S.

The situation becomes slightly better when the value of w is between 2250 and 2500.

Hence it can be concluded that without redundancy, successful verification is difficult to achieve, and the value of w must be very large for the verification to succeed.

For the 10000-node topology, w=30 yields a 99.29% chance that at least 10 intersections are formed. For the 100-node topology, w=15 yields a probable chance of 10 intersections.

4.14.2 Results with Sybil Attackers

Sybil attackers influence the system by creating attack edges. There are clearly many possibilities regarding where the attack edges are positioned in the graph, and two extremes were considered in the present experiments. In random, uniformly random nodes in the graph are picked as Sybil attackers, until the total number of attack edges reaches a certain value. In cluster, we start from a "seed" node and perform a breadth-first search (BFS) from the seed. Nodes encountered are marked as Sybil attackers, until the total number of attack edges reaches a certain value.

All the results below are based on random placement, unless explicitly mentioned. Corresponding results for cluster were obtained as well; they are always slightly better, but the difference is usually negligible. The reason for better results under cluster is that the random routes are more likely to cross attack edges randomly.

For the experiments based on the million-node graph, the number of attack edges (g) is varied from 0 to 5000.

When g = 2500, there are roughly 100 nodes marked as Sybil attackers. It is crucial to understand that just having 100 Sybil attackers in the system will not necessarily result in 2500 attack edges. On average, each attacker must be able to convince 25 nodes in close proximity to be its friends.

When g = 5000, there are roughly 200 nodes marked as Sybil attackers. It is crucial to understand that just having 200 Sybil attackers in the system will not necessarily result in 5000 attack edges. On average, each attacker must be able to convince 50 nodes in close proximity to be its friends.

DAS relies on the hardness of creating these social links. In the presence of Sybil attackers, we are concerned with several measures of "goodness":

the probability that an honest node accepts more than g · w Sybil nodes;

the probability that an honest node accepts another honest node; and

the impact of Sybil nodes on estimating w.

Probability of an honest node accepting more than g · w Sybil nodes

Routes from an honest verifier V may enter the Sybil region, and the adversary can then direct the routes to intersect with the routes of all Sybil nodes. DAS uses redundant routes and majority voting to limit the influence of such problematic routes. The curve labeled "majority routes" in Figure 4.8 shows the probability that the majority of an honest node’s routes remain entirely in the honest region.

Figure 4.8: Probability of routes remaining entirely within the honest region

The following observations can be derived from the graph above.

Case 1: Majority Routes

If a majority of the routes are in the honest region, then the remaining routes will not constitute a majority, and the adversary will not be able to fool the node into accepting more than g · w Sybil nodes.

It can be observed that with majority routes, the probability is always nearly 1 when the number of attack edges (g) is varied from zero to 5000.

Only 0.2% of the nodes are not protected by DAS.

Hence it can be concluded that with majority routes the adversary cannot fool the node into accepting more than g · w Sybil nodes.

Case 2: Single Route

When the number of attack edges is between zero and 500, almost 99.8% of the nodes tend to lie in the honest region.

When the number of attack edges increases from 500 to 1000, 99.6% of the nodes are in the honest region.

There is a steep decrease in the number of nodes in the honest region when the number of attack edges is between 1000 and 2500.

The decrease becomes steeper still as the number of attack edges increases from 2500 to 5000.

Hence it can be concluded that with single routes the adversary has a chance to fool the node into accepting more than g · w Sybil nodes.

For the 10000-node topology and the 100-node topology, g = 204 and g = 11 will result in 0.4% and 5.1% nodes unprotected, respectively.

Probability of an honest node being successfully accepted

Figure 4.9: Probability of an honest node accepting another honest node (i.e., having at least a target number of intersections). The legends are the same as in Figure 4.7, and DAS corresponds to "with redundancy (>= 10)".

In the presence of Sybil nodes, the probability that an honest verifier V accepts another honest suspect S decreases.

First, the routes from S may enter the Sybil region, and the adversary can prevent these routes from intersecting with V’s routes. The same is true for V’s routes.

Second, the presence of Sybil nodes necessitates the technique of majority voting. This means that among the d routes from V, at least d/2 routes need to successfully accept S before V can accept S.

To capture the worst case scenario, it is assumed that after a route (from V or S) enters the Sybil region, the rest of the route can no longer be used for verification/intersection. In some sense, the presence of Sybil nodes "prunes" the routes. We assume that a "pruned" route from V accepts S if it has at least 10 distinct intersections with S’s "pruned" routes. Finally, V successfully accepts S if a majority of V’s routes accept S.
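The worst-case acceptance rule just described (prune every route where it enters the Sybil region, let each of V's routes vote, accept on at least d/2 votes) can be written out directly. The following is an added example, not code from the essay or from DAS; the ring-with-chords topology, the plain random walk standing in for a random route, and all function names and parameter values are assumptions made for illustration.

```python
import random

def prune(route, sybil):
    """Keep only the part of a route before it first enters the Sybil region."""
    for i, node in enumerate(route):
        if node in sybil:
            return route[:i]
    return route

def verifier_accepts(v_routes, s_routes, sybil, threshold=10):
    """V accepts S if at least d/2 of V's pruned routes each share at least
    `threshold` distinct nodes with S's pruned routes."""
    s_nodes = set()
    for route in s_routes:
        s_nodes.update(prune(route, sybil))
    votes = sum(len(set(prune(r, sybil)) & s_nodes) >= threshold for r in v_routes)
    return 2 * votes >= len(v_routes)

def ring_graph(n, chords, rng):
    """Constructed topology (not the essay's): a ring plus random chords."""
    adj = {i: {(i - 1) % n, (i + 1) % n} for i in range(n)}
    for _ in range(chords):
        a, b = rng.sample(range(n), 2)
        adj[a].add(b)
        adj[b].add(a)
    return {node: sorted(nbrs) for node, nbrs in adj.items()}

def random_walk(adj, start, w, rng):
    """Assumption: a plain random walk of length w stands in for a random route."""
    route, node = [], start
    for _ in range(w):
        node = rng.choice(adj[node])
        route.append(node)
    return route

def acceptance_rate(sybil, n=200, honest=100, w=60, d=4, threshold=10,
                    trials=200, seed=7):
    """Fraction of honest (V, S) pairs where V accepts S. Sybil ids must be
    >= `honest`. Routes are drawn before pruning, so one seed gives the same
    routes for every Sybil set and only the pruning differs."""
    rng = random.Random(seed)
    adj = ring_graph(n, n, rng)
    accepted = 0
    for _ in range(trials):
        v, s = rng.sample(range(honest), 2)
        v_routes = [random_walk(adj, v, w, rng) for _ in range(d)]
        s_routes = [random_walk(adj, s, w, rng) for _ in range(d)]
        accepted += verifier_accepts(v_routes, s_routes, sybil, threshold)
    return accepted / trials
```

Calling `acceptance_rate` with growing Sybil sets (for example `set()`, `set(range(100, 120))`, `set(range(100, 200))`) shows the pruning effect in isolation: because the routes are identical across calls, the rate can only stay the same or fall.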

Figure 4.9 presents the probability of an honest node (V) accepting another honest node (S), as a function of the number of attack edges g.

Case 1: With Redundancy >=20

For a verifier V to accept the suspect S, the preliminary condition is that the routes formed by them must intersect each other and at least one of the intersections formed must be online.

It is assumed that as long as there are 20 intersections the verification succeeds.

The probability of V accepting S remains constant at 0.99 as the number of attack edges ranges from zero to 5000, which is quite satisfactory.

Hence it can be concluded that the probability of an honest node accepting another honest node is quite satisfactory with 20 intersections.

Case 2: With Redundancy >=10

For a verifier V to accept the suspect S, the preliminary condition is that the routes formed by them must intersect each other and at least one of the intersections formed must be online.

It is assumed that as long as there are 10 intersections the verification succeeds.

The probability of V accepting S remains constant at 0.95 as the number of attack edges ranges from zero to 5000, which is quite satisfactory.

Hence it can be concluded that the probability of an honest node accepting another honest node is quite satisfactory with 10 intersections.

Case 3: No Redundancy >=1

For a verifier V to accept the suspect S, the preliminary condition is that the routes formed by them must intersect each other and at least one of the intersections formed must be online.

When the number of attack edges is between zero and 500, almost 99.5% of the nodes tend to lie in the honest region.

When the number of attack edges increases from 500 to 1000, 99.2% of the nodes are in the honest region, which is slightly less than above (by 0.3%).

There is a steep decrease in the number of nodes in the honest region when the number of attack edges is between 1000 and 2500.

The decrease becomes steeper as the number of attack edges increases from 2500 to 5000.

Hence it can be concluded that the probability of an honest node accepting another honest node is not quite satisfactory with 1 intersection.

For the 10000-node topology and 100-node topology, g = 204 and g = 11 give probabilities of 99.6% and 87.7%, respectively. Note that a probability of 87.7% does not mean that 12.3% of the nodes will not be accepted by the system. It only means that given a verifier, 12.3% of the nodes will not be accepted by that verifier. Each honest node, on average, should still be accepted by 87.7% of the honest nodes (verifiers).

4.15 Summary/Conclusion

Collaboration among distributed entities is a measure in evaluating the performance of distributed networks. To enhance security in ad hoc networks, the trustworthiness of participating entities plays a vital role. The trust-based security protocol based on a cross-layer approach attains confidentiality and authentication of packets in both the routing and link layers of MANETs, but it does not address a few attacks such as the Bad Mouthing Attack, On-Off Attack, Conflicting Behavior Attack, Sybil Attack and Newcomer Attack. In this work DAS has been proposed, a protocol for reducing the corruptive/malicious influences of Sybil attacks. Malicious users in general may create multiple identities with few trust relationships. Hence there is a disproportionately small gap in the graph between the honest nodes and the Sybil identities. DAS exploits this property so as to restrict the number of Sybil identities created by a malicious user. The effectiveness of DAS was evaluated both analytically and experimentally through simulation. This work tried to reduce the corruptive influences of Sybil attacks.

DAS relies on properties of the users’ underlying social network, namely that

the honest region of the network is fast mixing, and

malicious users may create many nodes but relatively few attack edges.

In all the simulation experiments with one million nodes, DAS ensured that

the number and size of Sybil groups are properly restricted for 99.8% of the honest users, and

an honest node can accept, and be accepted by, 99.8% of all other honest nodes.

Many more dimensions remain to be worked on, and future work is still wide open.

Note: Related to this work, a paper has been published in the Journal of Computer Engineering and Intelligent Systems, www.iiste.org

R. Naveen Kumar, V Bapuji, Dr A Govardhan, Prof SSVN Sharma, "An Improvement to Trust Based Cross-Layer Security Protocol Against Sybil Attacks (DAS)", Journal of Computer Engineering and Intelligent Systems, www.iiste.org, Impact Factor: 6.39, ISSN 2222-1719 (Print), ISSN 2222-2863 (Online), Vol. 3, No. 6, 2012.


