A Secure Mechanism Design-Based and Game Theoretical Model for MANETs

Mobile Netw Appl
DOI 10.1007/s11036-009-0164-7

A. Rachedi · A. Benslimane · H. Otrok · N. Mohammed · M. Debbabi

© Springer Science + Business Media, LLC 2009

A. Rachedi (B) · A. Benslimane
LIA/CERI, University of Avignon, Agroparc BP 1228, 84911 Avignon, France
e-mail: abderrezak.rachedi@univ-avignon.fr
A. Benslimane
e-mail: abderrahim.benslimane@univ-avignon.fr

H. Otrok · N. Mohammed · M. Debbabi
CIISE, Concordia University, Montréal, Québec, Canada, H3G 1M8
e-mail: h_otrok@ciise.concordia.ca
N. Mohammed
e-mail: no_moham@ciise.concordia.ca
M. Debbabi
e-mail: debbabi@ciise.concordia.ca

Abstract To avoid the single point of failure for the certificate authority (CA) in MANET, a decentralized solution is proposed where nodes are grouped into different clusters. Each cluster should contain at least two confident nodes. One is known as CA and the other as register authority RA. The Dynamic Demilitarized Zone (DDMZ) is proposed as a solution for protecting the CA node against potential attacks. It is formed from one or more RA nodes. The problems of such a model are: (1) Clusters with one confident node, CA, cannot be created and thus clusters' sizes are increased, which negatively affects clusters' services and stability. (2) Clusters with a high density of RA can cause channel collision at the CA. (3) Clusters' lifetime is reduced since RA monitors are always launched (i.e., resource consumption). In this paper, we propose a model based on mechanism design that will allow clusters with a single trusted node (CA) to be created. Our mechanism will motivate nodes that do not belong to the confident community to participate by giving them incentives in the form of trust, which can be used for cluster's services. To achieve this goal, an RA selection algorithm is proposed that selects nodes based on a predefined selection criteria function and location (i.e., using directional antenna).
Such a model is known as moderate. Based on the security risk, more RA nodes must be added to formalize a robust DDMZ. Here, we consider the tradeoff between security and resource consumption by formulating the problem as a nonzero-sum noncooperative game between the CA and attacker. Finally, empirical results are provided to support our solutions.

Keywords MANET security · mechanism design · certificate authority · clustering

1 Introduction

In wired/wireless infrastructure networks, a trusted third party, known as Certification Authority (CA), is needed to certify users' digital certificates, which contain the user's public key and identity. It is needed to provide secure communication among users and ensure security requirements such as authentication, confidentiality and integrity of transited data. In classical Public Key Infrastructure (PKI) [9], a Registration Authority (RA) is used to collect and analyze users' requests before forwarding them to a CA to certify, issue and renew users' digital certificates. In Mobile Ad hoc Networks (MANETs), a decentralized certificate authority approach [6, 10, 23] is proposed, due to MANET characteristics, as a solution to avoid single point of failure and MANET attacks and to consider nodes' mobility. To handle these requirements, a distributed clustering algorithm is proposed in [22] to cluster nodes based on a set of trusted nodes that belong to a confident community. A cluster head is selected among trusted nodes to play the role of CA. To overcome a single point of failure attack against CA, a set of one-hop nodes, RA, are selected from the set of trusted nodes to form a Dynamic Demilitarized Zone (DDMZ). The role of these nodes, besides registration authority, is to protect the CA by filtering CA's incoming requests and monitoring the behavior of nodes in the cluster.
The approach is suitable once the confident community size is large enough to grant at least two trusted nodes per cluster (i.e., one CA and another RA).

The first limitation of the approach given in [22] is its inability to form clusters with a single trusted node and to form the DDMZ from the non-confident community. This will decrease the number of clusters and increase clusters' size, which affects clusters' services and MANET stability. The second limitation is clusters' lifetime, since all selected RA nodes are required to run their monitor and consume resources. Moreover, a high density DDMZ can increase the probability of channel collision at CA. Finally, DDMZ formation is a limitation since RA nodes are selected ignoring CA coverage area. This violates the role of DDMZ since it allows an adversary to launch attacks against CA from RA's uncovered zones.

To overcome these limitations, the DDMZ must be built based on nodes from the non-confident community. To build the DDMZ that can cover the CA coverage area, nodes must be cooperative and selected by the CA based on specific selection criteria where some of the parameters of the selection criteria are considered as private information. The limitations of such a proposition are: (1) Nodes might behave selfishly in order not to be selected as RA and consume resources. This will be done by revealing fake selection-criteria information. To solve such a problem, incentives must be given to nodes to motivate them to participate and serve as RA. The problem that arises here is: How to design the incentives to motivate nodes to participate and reveal their truthful information to build the DDMZ? (2) To form the DDMZ that can cover the CA coverage area, node's location is required, which can be used maliciously.
To solve such a problem, a directional antenna is used to divide the CA coverage area into different sectors in which the RA nodes are selected. Such a model is called moderate since few RA nodes are selected to filter the traffic of CA. The question that we address here is: When to add more RA nodes to form a robust DDMZ taking into consideration security and resource consumption? We answer this question by formulating a nonzero-sum non-cooperative game between the CA and attacker where the attacker identity is unknown. Bayesian game theory is used to solve such a game where the CA's threshold value to step to robust DDMZ is computed.

In this paper, we design a unified model that is able to:

• Motivate nodes from the non-confident community to serve as RA and build a moderate DDMZ.
• Prevent nodes from revealing fake information by designing incentives based on the Vickrey, Clarke and Groves (VCG) mechanism, where truth telling is the dominant strategy among all nodes.
• Increase the CA protection through the design of a moderate DDMZ formation condition that can select RA nodes based on their location.
• Increase the clusters' lifetime by selecting the RA nodes based on a specific selection-criteria function.
• Increase the number of clusters and reduce the cluster's size. This will help to efficiently serve the nodes of the cluster and affect network stability. Moreover, it increases the probability of detecting the misbehaving nodes.
• Run the robust DDMZ mode according to the security needs.

The rest of the paper is organized as follows. In Section 2, we discuss the related work on certification authority in MANET and application of mechanism design to networks. In Section 3, we provide the problem statement. In Section 4, the MANET clustering and CA selection algorithm is given. The moderate DDMZ model is given in Section 5 where the RA election model, selection criteria function, mechanism model and RA election algorithm are illustrated followed by an example.
Section 7 presents empirical results. Finally, Section 8 concludes the paper.

2 Related work

This section reviews related work on the distribution of the certificate authority in MANET. Moreover, mechanism design and game theory applications to networks are given.

2.1 Certification authority in MANET

In [5], the authors proposed a system based on the distribution of the certification authority among specific nodes by using the threshold cryptography scheme [24] with several threshold levels to offer nodes flexibility in selecting an appropriate security level for a given application. With this approach the fault tolerant and hierarchical key management services are ensured. Unfortunately, the approaches based on threshold cryptography have some drawbacks: Firstly, the n nodes must be initialized by a trusted authority which is responsible for introducing the partial secret of CA role. On the other hand, an external administration is necessary to configure the system and establish the architecture. Secondly, the number k must be a trade-off between availability and robustness, and it must be frequently updated. Thirdly, the system overloads the network since the node must send at least k requests instead of sending only one request to obtain a certificate or revocation (i.e., k − 1 messages are needed).

A few works tried to introduce a fully distributed CA without using threshold cryptography. We cite Hubaux et al.'s [6] approach and Satizabal et al.'s [23] system. In these systems, each user is able to generate a certificate for other users. Certificates are stored and distributed by the users themselves. In this system, each user maintains a local certificate repository. When two users want to check the public keys of each other, they merge their local certificate repositories to find appropriate certificate chains.
The drawback of this approach is the assumption that trust is transitive and the system becomes more vulnerable to malicious nodes.

Several works introduce the cluster concept for security in MANETs, particularly for the CA distribution. Dong et al. [10] and Bechler et al. [4] propose the distribution of the CA service by using threshold cryptography and introduce the cluster structure. The cluster concept is adopted to provide the CA service and proactive secret shared update protocol. In Bechler et al.'s [4] approach, to be certified, any guest node must possess a certain number (W) of warranty certificates from warrantor nodes. Then, it must request at least (k) certificates from different cluster heads (CHs), whose association gives the network certificate. Unfortunately, this approach is not realistic because the warrantor nodes do not have any information about the new node to be guaranteed. To overcome this problem, the authors of [22] proposed a distributed architecture which divides the network into clusters and distributes the CA in each cluster to secure the network. They defined a new trust model and a new concept of Dynamic Demilitarized Zone (DDMZ) to secure the CA node in each cluster against a single point of failure and to monitor the nodes in the cluster.

2.2 Mechanism design application

Mechanism design is a sub-field of microeconomics and game theory [15]. It uses game theory tools to achieve a desired goal. The main difference between game theory and mechanism design is that the former is used to study what could happen when independent players act selfishly, whereas mechanism design allows us to define the game in such a way that the outcome of the game, known as the Social Choice Function (SCF), will be played by independent players according to the rules set by the mechanism designer. Mechanism design has been used in computer science by Nisan and Ronen [19] for solving least cost path and task scheduling problems using algorithmic mechanism design.
Distributed mechanism design based on VCG is first introduced in [11] to compute the lowest cost routes for all source-destination pairs and payments for transit nodes on all the routes. It is a direct extension of Border Gateway Protocol (BGP), which causes modest increases in routing table size and convergence time.

Currently in MANET, mechanism design is mainly used for routing purposes. In [2], the authors present a truthful ad hoc-VCG mechanism to find the most cost-efficient route in the presence of selfish nodes. In [8], the authors provide an incentive compatible auction scheme to enable packet forwarding service in MANET using VCG. A continuous auction process runs to determine who should obtain how much of the bandwidth and at what price. Incentives are in the form of monetary rewards. On the other hand, mechanism design is recently used for intrusion detection in MANET [21]. The authors propose a distributed election mechanism that selects the most cost efficient node to play the role of leader IDS in a cluster. To motivate nodes to behave normally during the election process, the authors design incentives, based on VCG, in the form of reputation where intrusion detection service is offered to nodes according to their reputation. To catch a misbehaving leader after election, a catch and punish model is proposed. As an extension of their work, the authors proposed in [17] a distributed leader-IDS election mechanism that can elect the most cost efficient leaders without running any clustering algorithm.

2.3 Game theory application

Game theory [18] has been successfully applied to many disciplines including economics, political science, and computer science. Game theory usually considers a multi-player decision problem where multiple players with different objectives can compete and interact with each other. Game theory classifies games into two categories: non-cooperative and cooperative.
Non-cooperative games are games with two or more players that are competing with each other. On the other hand, cooperative games are games with multiple players cooperating with each other in order to achieve the greatest possible total benefits. To predict the optimal strategy used by intruders to attack a network, the authors of [20] use a non-cooperative game-theoretic model to analyze the interaction between intruders and the IDS in a wired infrastructure network. They solve the problem using a zero-sum non-cooperative game with complete information about the intruder.

In a complete information game, the type, strategy spaces, and payoff functions of both players are known. In [1], the authors aim at demonstrating the suitability of game theory for development of various decision, analysis, and control algorithms in intrusion detection. They address some of the fundamental network security tradeoffs, and give illustrative examples in different platforms. They propose two different schemes based on game theoretic techniques and consider a generic model of distributed IDSs equipped with a network of sensors. Bayesian Nash is used in [14] to analyze the interaction between the intruder and defender in static and dynamic scenarios. The authors provide a hybrid detection approach.

These existing studies clearly show that game theory and mechanism design are strong candidates for providing the much-needed mathematical framework for analyzing the interaction between CA and intruders and motivating the nodes to truthfully reveal their selection criteria function. To the best of our knowledge, our work is among the first efforts on securing the CA. We use mechanism design to motivate the nodes to participate in being selected as RA to form the DDMZ. A nonzero-sum noncooperative game based on Bayesian Nash equilibrium is used to model the interaction between the CA and intruder, taking into consideration that the precise identity of the intruder is typically unknown.
The solution of such a game guides the CA to add more RA nodes according to the game derived threshold.

3 Problem statement

To protect the CA node, a set of trusted ($T_m = 1$) nodes (one-hop) are selected to play the role of RA and form the Dynamic Demilitarized Zone (DDMZ) [22]. This is done by filtering the traffic of CA, searching for attacks. Moreover, the role of these nodes is to monitor the behavior of other nodes in the cluster. The problems facing this model are: First, the cluster formation requires at least two trusted nodes, which prevents clusters with one trusted node from being created. This will lead nodes to join other clusters, which increases the number of nodes in the cluster and negatively affects the cluster's services (i.e., routing, intrusion detection, key distribution and certification). Second, all trusted nodes are required to monitor and play the role of RA to ensure security robustness, which causes nodes to consume a lot of resources and decreases the cluster's lifetime. Additionally, the more RA nodes there are, the higher the probability of channel collision at CA. Third, it is not guaranteed that the CA coverage area is always monitored by the RA nodes. This is because the DDMZ formation condition did not consider the CA coverage area, which can be violated by an attacker.

Solving these problems will start by proposing a solution for the cluster formation condition where clusters can be created using one trusted node which is selected as CA. This proposition faces the following challenges: First, nodes that will be selected to play the role of RA, to form DDMZ, no longer belong to the confident community, which can lead nodes to behave selfishly. We define a selfish node as an economically rational node whose objective is to maximize its benefits (payoffs). Second, RA selection will be based on specific criteria such as energy level, trust level, mobility and connectivity degree.
Some of this information is considered private, where nodes can reveal fake information in order not to be selected and preserve their resources. Incentives must be given in the form of trust in order to motivate nodes to reveal their private information. The question that arises here is: How to design the incentive in such a way that truth telling is the dominant strategy for all nodes? Third, to increase the cluster's lifetime and to avoid channel collision, a specific number of nodes must be selected to form the DDMZ. Moreover, these nodes should be able to monitor the CA coverage area by filtering all the CA traffic. The question that we address is: What is the minimum number of RA nodes needed to achieve this goal? Such a model is known as moderate since few nodes are selected to form the DDMZ. Finally, to increase the security of the DDMZ, RA nodes have to be added to the sector where the probability of attacks is high. Such a model is known as robust DDMZ. The question that arises here is: When to step from moderate to robust DDMZ? What is the security threshold needed to step to robust DDMZ?

In this paper, we propose a new DDMZ formation condition where RA nodes will be selected by the CA based on their selection-criteria function, which is defined in terms of nodes' private information. Here, we assume that the CA is equipped with an antenna that can work as directional or omni-directional. An RA election algorithm is designed where the directional antenna is used to create the DDMZ by selecting a set of RA nodes that meet the selection criteria. This will increase the robustness of DDMZ. On the other hand, the omni-directional antenna is used to overhear the RA nodes and monitor their behavior. Moreover, we propose a model based on the VCG mechanism [13] to motivate nodes to truthfully reveal their private information. Payments are issued in the form of reputation (trust) to motivate nodes to say the truth.
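A generic VCG (second-price) instantiation of the per-sector RA selection with trust payments described above, added here as an example and not the paper's own payment function. The reported "cost" stands in for a node's selection-criteria value; the node names, sector labels, cost values and function names are assumptions.

```python
"""Per-sector RA selection with VCG (second-price) trust payments.

Added illustration, not the paper's mechanism. All node data is constructed.
"""
from collections import defaultdict


def elect_ras(reports):
    """reports: {node: (sector, reported_cost)} -> {sector: (winner, payment)}.

    The CA picks the lowest reported cost in each antenna sector and pays the
    winner, in trust, the second-lowest reported cost of that sector. With a
    single candidate there is no competing report, so the payment falls back
    to the winner's own report and truthfulness is not enforced there.
    """
    by_sector = defaultdict(list)
    for node, (sector, cost) in reports.items():
        by_sector[sector].append((cost, node))
    result = {}
    for sector, bids in by_sector.items():
        bids.sort()  # equal costs are broken by node id
        winner_cost, winner = bids[0]
        payment = bids[1][0] if len(bids) > 1 else winner_cost
        result[sector] = (winner, payment)
    return result


def utility(node, true_cost, reports):
    """Trust gained minus the true cost of serving as RA (0 if not elected)."""
    sector = reports[node][0]
    winner, payment = elect_ras(reports)[sector]
    return payment - true_cost if winner == node else 0.0


def best_misreport_gain(node, true_costs, sectors, candidates):
    """Largest utility gain `node` obtains by lying while others are truthful."""
    truthful = {n: (sectors[n], c) for n, c in true_costs.items()}
    honest = utility(node, true_costs[node], truthful)
    best = 0.0
    for lie in candidates:
        reports = dict(truthful)
        reports[node] = (sectors[node], lie)
        best = max(best, utility(node, true_costs[node], reports) - honest)
    return best


# Constructed sample: five one-hop nodes spread over two antenna sectors.
SECTORS = {"n1": "S1", "n2": "S1", "n3": "S1", "n4": "S2", "n5": "S2"}
TRUE_COSTS = {"n1": 3.0, "n2": 5.0, "n3": 8.0, "n4": 4.0, "n5": 6.0}
LIES = [x / 2 for x in range(25)]  # candidate false reports 0.0 .. 12.0

if __name__ == "__main__":
    truthful = {n: (SECTORS[n], c) for n, c in TRUE_COSTS.items()}
    print("elected:", elect_ras(truthful))
    for n in TRUE_COSTS:
        print(n, "best gain from lying:",
              best_misreport_gain(n, TRUE_COSTS, SECTORS, LIES))
```

Over-reporting a cost to dodge election only forfeits the trust payment, and under-reporting to win yields a payment below the true cost, so no node in a contested sector gains by lying.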
Finally, we model a nonzero-sum noncooperative game to find the security threshold needed to step from moderate to robust DDMZ. These propositions will help to increase the cluster's security and lifetime and reduce channel collision at the CA.

4 MANET clustering and CA election algorithm

In this section, we devise a clustering algorithm that clusters MANET and elects a CA in each cluster. To ensure the security, it is assumed that a set of the nodes belongs to a confident community. For clusters with more than one trusted node, the CA is selected among these nodes based on node's stability, which increases the cluster's lifetime. Furthermore, the clustering algorithm ensures the authentication and integrity of the transited data during the election process.

Each trusted node sends two successive hello messages in order to calculate the Relative Mobility (RM); after that, it announces itself as CA with a certain cluster size (k-hop). When a trusted node receives a beacon from one of its neighbors, it executes clustering Algorithm 1 to change its status from cluster-head (CA) to cluster-member. The decision to change the status from CA to cluster-member depends on two main parameters: security and stability. A CA is considered more stable than others if it has a low relative mobility. Any trusted node with relative mobility above a specific threshold is considered unstable and thus will not be considered during the CA selection. The nodes situated between two adjacent clusters can become gateways (GW) [22]. Algorithm 1 is executed by each node that belongs to the confident community.

In Algorithm 1, Packet-Authentication-Integrity-checking() is the function that checks the integrity and the authentication of the election packet. HopCount indicates the hop number of the election packet.
$RM_i$ is the relative mobility of node i and $DN_i$ is the degree of the neighbor nodes of node i. Once the CA node is elected per cluster, it starts to transmit the cluster's beacon in order to inform the cluster's member nodes about its availability. A CA from which the cluster's nodes do not receive any beacon for a predefined period of time is considered unavailable.

5 A moderate DDMZ model

In this section, we present our RA election mechanism for truthfully electing the RA nodes that will serve as DDMZ and belong to the non-confident community. In Subsection 5.1, we describe the RA election model, followed by the selection criteria function F for electing RA nodes in Subsection 5.2. Subsection 5.3 formulates our mechanism model with the payment function, followed by an example.

5.1 RA election model

Once the CA node of each cluster is selected, it elects a set of RA nodes that belong to the non-confident community with a certain trust level. The RA nodes are located at one hop from the CA node. The role of RA nodes is to protect the CA node against attacks from unknown nodes, such as Denial of Service (DoS). Any packet destined to the CA node must be analyzed and filtered by RA nodes. To achieve this goal, a moderate DDMZ should be created by selecting the best RA nodes based on nodes' selection criteria function and according to nodes' location. This will increase the performance of DDMZ since the CA coverage area is protected by RA nodes. Selecting RA nodes according to their location requires a secure localization algorithm [7]. To avoid