revocation games in ephemeral networks maxim raya, mohammad hossein manshaei, márk félegyházi,...
TRANSCRIPT
![Page 1: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/1.jpg)
Revocation Games inEphemeral Networks
Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux
CCS 2008
![Page 2: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/2.jpg)
Misbehavior in Ad Hoc Networks
• Packet forwarding• Routing
AM
B
• Large scale• High mobility• Data dissemination
2
Traditional ad hoc networks Ephemeral networks
Reputation systems ? Solution to misbehavior:
![Page 3: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/3.jpg)
Reputation vs. Local Revocation
• Reputation systems:– Often coupled with routing/forwarding– Require long-term monitoring– Keep the misbehaving nodes in the system
• Local Revocation– Fast and clear-cut reaction to misbehavior– Reported to the credential issuer– Can be repudiated
3
![Page 4: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/4.jpg)
Tools of the Revocation Trade
• Wait for:– Credential expiration– Central revocation
• Vote with:– Fixed number of votes– Fixed fraction of nodes (e.g., majority)
• Suicide:– Both the accusing and accused nodes are revoked
Which tool to use?4
![Page 5: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/5.jpg)
How much does it cost?
• Nodes are selfish• Revocation costs• Attacks cause damage
How to avoid the free rider problem?
Game theory can help:models situations where the decisions of players affect each other
5
![Page 6: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/6.jpg)
Example: VANET
• CA pre-establishes credentials offline
• Each node has multiple changing pseudonyms
• Pseudonyms are costly
• Fraction of detectors =
6
dp
![Page 7: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/7.jpg)
Revocation Game
• Key principle: Revoke only costly attackers• Strategies:– Abstain (A)– Vote (V): votes are needed– Self-sacrifice (S)
• benign nodes, including detectors• attackers• Dynamic (sequential) game
n
dp NN
M
7
![Page 8: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/8.jpg)
Game with fixed costs1
3
2
A V
VS
S
A
3
2
VSA
3
VSAVSAVSA
( , , )c c c (0,0, 1)
( , , )c c v c
(0, 1,0)
( , , )c v c c (0, , 1)v
(0, , )v v
( 1,0,0)
( , 1,0)v ( , ,0)v v
( ,0, )v v
( ,0, 1)v ( , , )v c c c
Cost of abstaining
Cost of self-sacrifice
Cost of voting
All costs are in keys/message 8
A: AbstainS: Self-sacrificeV: Vote
![Page 9: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/9.jpg)
Assumptions: c > 1
1
3
2
A V
VS
S
A
3
2
VSA
3
VSAVSAVSA
( , , )c c c (0,0, 1)
( , , )c c v c
(0, 1,0)
( , , )c v c c (0, , 1)v
(0, , )v v
( 1,0,0)
( , 1,0)v ( , ,0)v v
( ,0, )v v
( ,0, 1)v ( , , )v c c c
Equilibrium
Game with fixed costs: Example 1
9
Back
war
d in
ducti
on
![Page 10: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/10.jpg)
Assumptions: v < c < 1, n = 2
1
3
2
A V
VS
S
A
3
2
VSA
3
VSAVSAVSA
( , , )c c c (0,0, 1)
( , , )c c v c
(0, 1,0)
( , , )c v c c (0, , 1)v
(0, , )v v
( 1,0,0)
( , 1,0)v ( , ,0)v v
( ,0, )v v
( ,0, 1)v ( , , )v c c c
Equilibrium
Game with fixed costs: Example 2
10
![Page 11: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/11.jpg)
Theorem 1: For any given values of ni, nr, v, and c, the strategy of player i that results in a subgame-perfect equilibrium is:
Theorem 1: For any given values of ni, nr, v, and c, the strategy of player i that results in a subgame-perfect equilibrium is:
ni = Number of remaining nodes that can participate in the game
nr = Number of remaining votes that is required to revoke
Game with fixed costs: Equilibrium
Revocation is left to the end, doesn’t work in practice11
![Page 12: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/12.jpg)
Game with variable costs
S
( 1,0,0)
1
2
A V
V
3
2
SA
S
2 2 2( , , 1 )c c c
1 1 1( , 1 , )c c c 1 1 1( , , )v c v c c
, lim , j jj
c j c v
12Number of stages Attack damage
![Page 13: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/13.jpg)
Theorem 2: For any given values of ni, nr, v, and δ, the strategy of player i that results in a subgame-perfect equilibrium is:
Theorem 2: For any given values of ni, nr, v, and δ, the strategy of player i that results in a subgame-perfect equilibrium is:
Game with variable costs: Equilibrium
Revocation has to be quick
13
![Page 14: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/14.jpg)
Optimal number of voters
• Minimize: MC n
n
Duration of attack Abuse by attackers
14
![Page 15: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/15.jpg)
Optimal number of voters
• Minimize: MC n
n
min{ , }opt a dn p p N M
Fraction of active players
Duration of attack Abuse by attackers
15
![Page 16: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/16.jpg)
RevoGame
Estimation of parameters
Choice of strategy
16
![Page 17: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/17.jpg)
Evaluation
• TraNS, ns2, Google Earth, Manhattan
• 303 vehicles, average speed = 50 km/h
• Fraction of detectors • Damage/stage • Cost of voting• False positives• 50 runs, 95 % confidence
intervals
0.8dp
410fpp
0.1 0.02v
17
![Page 18: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/18.jpg)
Revoked attackers
18
![Page 19: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/19.jpg)
Revoked benign nodes
19
![Page 20: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/20.jpg)
Social cost
20
![Page 21: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/21.jpg)
Maximum time to revocation
21
![Page 22: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/22.jpg)
Global effect of local revocations
22
How many benign nodes ignore an attacker?
![Page 23: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/23.jpg)
False positives and abuse
23
How many benign nodes ignore a benign node?
![Page 24: Revocation Games in Ephemeral Networks Maxim Raya, Mohammad Hossein Manshaei, Márk Félegyházi, Jean-Pierre Hubaux CCS 2008](https://reader035.vdocuments.us/reader035/viewer/2022062801/56649e445503460f94b37b01/html5/thumbnails/24.jpg)
Conclusion
• Local revocation is a viable mechanism for handling misbehavior in ephemeral networks
• The choice of revocation strategies should depend on their costs
• RevoGame achieves the elusive tradeoff between different strategies
24