Documentos de Académico
Documentos de Profesional
Documentos de Cultura
VOL. 9,
INTRODUCTION
495
496
AND
VOL. 9,
497
compute the difference between two probability distributions, we use the information-theoretic metric KullbackLeibler (KL)-divergence that is known to be suited for this
computation [3]. Specifically, let us assume that us
generated information follows a probability distribution
with mean and standard deviation and falls within the
range c; c with probability p, where c is a
constant value. Moreover, we assume that the information
sent and processed to u by us neighbors falls within the
range c; c with probability q. Node u computes
KL-divergence D as follows:
p
1p
D p ln 1 p ln
;
q
1q
such that p > 12 and p q.
1
It then computes neighborhood-trust nu min1; 1D
.
This definition of neighborhood-trust is reasonable in the
sense that neighborhood-trust is inversely proportional to D
and thus it will be one if two probability distributions
exactly match with each other. The main rationale behind
the restriction of p > 12 is to make the majority of the
information generated by u fall within the expected range,
leading to better accuracy in neighborhood-trust measurement than the case of p 12 . Also, nu is a neighborhood-trust
calculated from the perspective of u and accordingly it has
its maximum value of one when p q. Thus, it is reasonable
to set p q. Since p q should hold, in case that q > p,
node u calculates D after resetting q p.
The values of p and q are based on the distribution of
the sensed data and can be precomputed in advance by
the network operator. For example, if the sensed data are
expected to follow a normal distribution, then we can use
the empirical rule for c 1, 2, and 3 (p 0:68; 0:95, and
0.997, respectively). Finding the corresponding range is
simply a matter of calculating the average and standard
deviation of the sensed or transmitted data. Ranges for
distributions like the exponential and Pareto can be easily
calculated for fixed values of p and q by using a CDF
based on the mean.
We note that the KL-divergence is computed over the
data from a single time slot, and therefore only the
information collected for one time slot needs to be stored.
Moreover, the mean and standard deviation of the information processed per time slot can be incrementally calculated
in such a way that the mean and standard deviation are
updated each time a piece of information is processed.
Let node v be the TA in time slot Ti . Node u sends v a
neighborhood-trust report that is defined as fuknu k
MACKuv uknu g, where MAC stands for Message Authentication Code and Kuv is the shared secret key between the
nodes u and v. Upon receiving a neighborhood-trust report
from u, node v verifies the authenticity of us neighborhood-trust report with Kuv and discards the report if it is
not authentic. v collects the neighborhood-trust reports that
were measured during Ti from all nodes in zone Z and
aggregates the received neighborhood-trusts by using the
mean function. We call the aggregated version of neighborhood-trusts the zone-trust. v sends the base station Zs zonetrust report, defined as fvksv kZktkMACKv vksv kZktg,
where sv is a time stamp indicating the generation time of
report, t is Zs zone-trust, and Kv is the shared secret key
between v and the base station.
498
1
0
PrB1 ; . . . ; Bn jH1
:
PrB1 ; . . . ; Bn jH0
VOL. 9,
Qn
n
PrBi jH1 X
PrBi jH1
:
Ln ln Qi1
ln
n
PrBi jH0
PrB
jH
i
0
i1
i1
Let !n denote the number of times that Bi 1 in the
n samples. Then, we have
Ln !n ln
1
1 1
n !n ln
;
0
1 0
where 0 PrBi 1jH0 ; 1 PrBi 1jH1 . The rationale behind the configuration of 0 and 1 is as follows: 0
should be configured in accordance with the likelihood of
the occurrence that the trustworthy zone is determined to
have low-trust value due to neighborhood-trust measurement error; 1 should be configured to take into consideration the likelihood of the occurrence that an untrustworthy
zone is determined to have low-trust value.
On the basis of the log-probability ratio Ln , the SPRT for
H0 against H1 is given as follows:
!n 0 n : accept H0 and terminate the test.
!n 1 n : accept H1 and terminate the test.
0 n < !n < 1 n : continue the test process with
another observation.
Where:
.
.
.
0 n
10
ln 1
0 n ln 1
1
1
ln 10 ln 1
10
; 1 n
10
ln 1
0 n ln 11
1
ln 10 ln 1
10
Our scheme should be robust to unreliable communication in zone-trust report process. If zone-trust reports are
frequently lost due to unreliable communication between
trust aggregators and the base station, it will badly affect
the decision process. For example, it could lead to a delay in
decision process. Also, it could make the base station
misidentify untrustworthy (respectively trustworthy) zone
as trustworthy (respectively untrustworthy). To some
extent, this issue is orthogonal to our problem; secure
routing and robust packet delivery schemes [11], [24] are
likely to be necessary in a sensor network with serious
security concerns. However, we note that the attacker can
aim to block honest reports from reaching the base station.
To address this, we have the base station track the reporting
from each TA in the zone; this is also necessary for ensuring
equal reporting frequency. If the multiple nodes in a zone
are having their reports blocked, the base station will treat
the zone as untrustworthy and initiate software attestation
on the zone. If, during software attestation, the nonreporting TAs are found to be malfunctioning or out of power, the
base station can remove them from the list of TAs to prevent
future false positives.
499
n>
ln 1
0
1
;
10
1
P ln 0 ln 1
10 ln 11
and
P >
0
ln 1
11
1
ln 10 ln 1
10
0 < fc
fcmax
10
ln 1
0 n ln 11
1
1
:
1
nP ln 0 ln 1
10
n
X
P rBi 1 n1 fc P :
i1
500
VOL. 9,
TABLE 1
Notations in Our Game-Theoretic Analysis
501
Otherwise,
Gk
Nz
X
0
1 qi;k
A0i;k 1 qi;k Ai;k
i1
0
qi;k
A0i;k qi;k Ai;k
Nz
X
0
1 2qi;k
A0i;k 1 2qi;k Ai;k :
i1
in
accordance
with
whether
the
z
Nz ;k
z ;k
trust aggregator is malicious. When the TA is compromised in
q A
the kth time slot such that !k1 < 1 k 1, qi;k
Ai;kmaxi;k and
Ai;k Amax . Recall that Bi indicates whether the zone-trust
report is below the trust threshold and that the SPRT does
not decide that the zone is untrustworthy until the condition
for H1 acceptance, !k 1 k holds. We assume, as a worst
case, that the attacker can accurately simulate the base
stations SPRT based on his injected false information. Then,
when the TA is not compromised in the kth time slot such that
!k1 < 1 k 1, we define qi;k
and Ai;k as follows:
8
qi;k Ai;k
>
>
if !k < 1 k holds when simulating
>
>
>
< Amax
Bk 1 in the k 1th time slot:
qi;k
>
>
>
if !k 1 k holds when simulating
pi;k
>
>
:
Bk 1 in the k 1th time slot:
8
Amax
if !k < 1 k holds when simulating
>
>
>
>
<
Bk 1 in the k 1th time slot:
Ai;k
1qi;k
>
if !k 1 k holds when simulating
> Ai;k 1pi;k
>
>
:
Bk 1 in the k 1th time slot:
502
TABLE 2
Strategies and Limit-of-Means Payoffs of the Players
fc ;
T
1X
Gk :
T !1 T
k1
min U lim
VOL. 9,
qi;k
A0i;k
Ai;k
Ai;k q0 qi;k
i;k
. By plugging into
and accordingly 1q
0
i;k
0
Ai;k Ai;k , we obtain
!
1 qi;k
1 qi;k
0
:
A
Ai;k Ai;k
i;k
0
1 qi;k
1 pi;k
0
By Definition 3.1, the values of qi;k
and A0i;k that make
Gk have maximum value while making !k < 1 k hold
and Ai;k , respectively. Recall
in the three subcases are qi;k
that 1 ; 2 ; . . . ; k ; . . . . Therefore, is the optimal
strategy for the attacker.
u
t
When the attacker and defender follow their respective
optimal strategies, Ik 0 holds for all k 1 because
malicious zone will never be determined as untrustworthy.
Thus, the attackers payoff under the Nash Equilibrium is,
per time slot
T
1X
Gk
T !1 T
k1
lim
Nz
T X
1X
1 2qi;k
Ai;k 1 2qi;k Ai;k :
T !1 T
k1 i1
lim
lim
1 2qi;k Ai;k :
Since pi;k and qi;k are defined such that pi;k > 12 and pi;k qi;k in
1q
1 2qi;k Ai;k 0 holds in
Section 3.1, 1 2pi;k 1pi;k
i;k
subcase 3. Thus, subcase 3 actually represents the loss for the
attacker. As a consequence, the attacker obtains
P P z
fcmax fT limT !1 T1 Tk1 N
i1 Amax Ai;k gain in the best
case where there is zero loss in subcase 3. Since the best case in
the attackers gain is the worst case to the defender and the
worst case analysis is efficient and effective to evaluate the
defenders resilience under the Nash Equilibrium, we perform analysis with
instead of
. In the Nash Equilibrium,
Bk 1 holds in subcase 2. Thus, fT T indicates the number
of time slots in which Bk 1. Since the zone should not be
detected as untrustworthy in the Nash Equilibrium, !T
fT T < 1 T should hold. Accordingly, 0 < fT < 1TT should
hold. In the Nash Equilibrium, we investigate how much the
attacker gains under different values of fcmax , fT , and
Nz
T X
1X
Ai;k :
AT lim
T !1 T
k1 i1
AT
Nz Amax decreases as Nz Amax increases. This means that the
smaller the gap between AT and Amax , the less gain the
attacker gets. In particular, the attackers normalized gain
will be kept under half of the maximum gain as long as AT is
more than half of Nz Amax , irrespective of fT . We also see
that a decrease in fT leads to a decline in Nz
Amax . This means
that the attacker will gain less as the likelihood of subcase 2
decreases. The attacker can achieve high fT 0:5 if he can
503
set the duty time slots of the compromised TAs in such a way
that the duty time slot of a compromised TA is immediately
followed by the one of the benign TAs, leading to an increase
in the likelihood of the occurrence of !k < 1 k. However,
each TAs duty time slots are determined in a pseudorandom manner; it is thus difficult for the attacker to control the
duty time slots of the compromised nodes in such a way as to
fulfill high fT 0:5. Therefore, the attackers normalized
gain under the Nash Equilibrium will be substantially
limited due to relatively low values of fT .
ELn
E ln
PrBi jH1
PrBi jH0
i:
EnjH0
1
0
1 0 ln 1
0 ln 0
1
0 ln 10 1 0 ln 1
10
0
EnjH1
1
0
0 ln 1
0 1 ln 0
1
1 ln 10 1 1 ln 1
10
;
4
504
communication
overhead
of
O
N
per
attestation,
for a
p
total of ON N . Our overheads are the same, but multiplied by the constant . For 0:01, this is a reduction of
two orders of magnitude.
2. If the common case is that nodes are frequently compromised, many
nodes will need to be revoked or manually restored regardless of the
detection and revocation method. In such a scenario, the network would be
prohibitively expensive to operate securely.
VOL. 9,
p
systems, b and N are comparable and thus b > N
holds, in which case our systems communication overhead
is much less than the decentralized technique.
The main reason why our scheme outperforms the related
works in terms of attestation overhead is because our
scheme performs attestations only against nodes in zones
that appear to be compromised, while the related works
perform unconditional attestation against every node.
BIASED-SPRT
1
1 1
n !n ln
:
0
1 0
505
0 n
10
ln 1
0 n ln 1
1
11
ln 01 ln 1
0
0
1 n
10
ln 1
0 n ln 11
11
ln 01 ln 1
0
Fig. 3. versus h.
506
VOL. 9,
Fig. 7. Nz
Amax versus NzAATmax when 2, fcmax 0:66, 0 0:01 and
0 0:01, 0 0:1 and 1 0:9.
fcmax
10
ln 1
0 n ln 1
1
1
11
nP ln 01 ln 1
0
0
ln1
0
1
1
P ln 1 ln1 1 ln 10
1
0
0
10
ln
ln 01
11
11
ln 1
0
and
Fig. 8. Nz
Amax versus NzAATmax when 3, fcmax 0:74, 0 0:01 and
0 0:01, 0 0:1 and 1 0:9.
EnjH0
1
0
1 0 ln 1
0 ln 0
EnjH1
11
0 ln 01 1 0 ln 1
0
1
0
0 ln 1
0 1 ln 0
11
1 ln 01 1 1 ln 1
0
TABLE 3
Simulation Parameter Values
;
7
507
SIMULATION STUDY
508
VOL. 9,
Fig. 12. Average number of reports versus error rate (
) in case of the
Biased-SPRT with false zone-trust report attack.
Fig. 10. Average number of reports versus error rate (
) in case of the
Biased-SPRT without false zone-trust report attack.
(respectively SPRT). Untrustworthy zones were misidentified as trustworthy with at most probability of 0.01
(respectively 0.036) in the Biased-SPRT (respectively SPRT).
Hence, both the Biased-SPRT and the SPRT achieve high
detection accuracy, while the former enhances the detection
accuracy of the latter.
Second, we present the results of the average number of
reports for two cases. One case is that there are no
compromised nodes (fc 0:0) in a zone and this zone is
determined to be trustworthy. We call this case trueNegative.
The other case is that there are compromised nodes
(fc > 0:0) in a zone, and this zone is determined to be
untrustworthy. We call this case truePositive. In the
trueNegative case, the average number of reports were
between 3.0 and 3.475 in the SPRT. The average one was 3.0,
2.0 in the Biased-SPRT with 2; 3, respectively. This
indicates that both the SPRT and the Biased-SPRT require a
few number of reports on an average to decide on the
untrustworthy zones. Figs. 9 and 10 show the results of the
truePositive cases in the SPRT and the Biased-SPRT when
there is no false zone-trust report attack. Figs. 11 and 12
show the same results when there is false zone-trust report
attack. In the truePositive case, the average number of
reports was at most 8.830 (respectively 4.115) in case of the
SPRT (respectively Biased-SPRT) without false zone-trust
report attack. It was at most 9.425 (respectively 4.399) in
case of the SPRT (respectively Biased-SPRT) with false
zone-trust report attack.
Fig. 11. Average number of reports versus error rate (
) in case of the
SPRT with false zone-trust report attack.
RELATED WORK
509
CONCLUSIONS
ACKNOWLEDGMENTS
This work was supported by a special research grant from
Seoul Womens University (2012). This work was supported
in part by the US National Science Foundation (NSF) under
award numbers IIS-0326505, CNS-0721951, and CNS0916221, and the Air Force Office of Scientific Research
under award number A9550-08-1-0260. The work of S.K. Das
is also supported by (while serving at) the US National
Science Foundation. Any opinion, findings, and conclusions
or recommendations expressed in this material are those of
the authors and do not necessarily reflect the views of the
National Science Foundation.
510
REFERENCES
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
[16]
[17]
[18]
[19]
[20]
[21]
[22]
[23]
[24]
[25]
VOL. 9,
[26] W. Zhang, M. Tran, S. Zhu, and G. Cao, A Random PerturbationBased Scheme for Pairwise Key Establishment in Sensor Networks, Proc. ACM Mobihoc, Sept. 2007.
[27] Y. Zhang, J. Yang, L. Jin, and W. Li, Locating Compromised
Sensor Nodes through Incremental Hashing Authentication,
Proc. Intl Conf. Distributed Computing in Sensor Systems (DCOSS),
June 2006.
Jun-Won Ho received the BS degree from the
Department of Computer Science at Yonsei
University, Seoul, South Korea, MS degree from
the Department of Electrical and Computer
Engineering at University of Wisconsin at Madison, and the PhD degree from the Department
of Computer Science at the University of Texas
at Arlington in May, 2010. He is an assistant
professor at the Seoul Womens University. His
dissertation work focuses on the detection and
prevention of wide-spread node compromise in wireless sensor
networks. His current research interests include security in wireless
sensor networks. He is a member of the IEEE Computer Society.
Matthew Wright received the BS degree in
computer science at Harvey Mudd College, and
the MS degree in 2002 and the PhD degree in
May, 2005 both from the Department of Computer Science at the University of Massachusetts.
He is an associate professor at the University of
Texas at Arlington. His dissertation work addresses the robustness of anonymous communications. His other interests include intrusion
detection, security and privacy in mobile and
ubiquitous systems, and the application of incentives to security and
privacy problems. He is a recipient of the Outstanding Paper Award at the
2002 Symposium on Network and Distributed System Security. He is a
member of the IEEE.
Sajal K. Das received the BS degree in
computer science from Calcutta University,
Kolkata, India, in 1983, the MS degree in
computer science from the Indian Institute of
Science, Bangaluru, India, in 1984, and the PhD
degree in computer science from the University
of Central Florida, Orlando, in 1988. He is
currently with the Department of Computer
Science and Engineering, the University of
Texas at Arlington, where he is a distinguished
scholar professor of Computer Science and Engineering and the
founding director of the Center for Research in Wireless Mobility and
Networking (CReWMaN). He is the author of more than 400 published
papers and more than 35 invited book chapters. He is a senior member
of the IEEE.