Computer Science and Engineering 1 Mobile Computing and Security.


Mobile Devices

• Traditional computing and networking vs. mobile devices (smart phones, internet tablets, etc.)
• Widely accepted consumerization: individuals and organizations
• Huge amount of sensitive data (personal and corporate)
• Security and privacy threats


Trust Management for Mobile Ad-Hoc Networks

• Mobile Ad-hoc networks:
  – Increased connectivity
  – Improved information sharing
  – Collaboration, distributed decision making
• Issues:
  – Temporary network
  – Resource constraints: bandwidth, battery life, memory, etc.
  – Openness, rapid changes, hostile environment
  – Trust in the components


What is Trust?

• Degree of subjective belief about the behaviors of a particular entity
• Trust Management: approach for specifying and interpreting security policies, credentials, and relationships
• MANET trust issues: establish a network with an acceptable level of trust relationships among the nodes
  – Trust information gathering
  – Trust evidence gathering


• Uncertainty
• Incomplete evidence


Types of Trust

• Trust in sociology
• Trust in economics
• Trust in philosophy
• Trust in psychology
• Trust in organizational management
• Trust in autonomic computing
• Trust in communications and networking


Trust Characteristics

• Trust should be established based on potential risks
• Trust should be context-dependent
• Trust should be based on each party’s own interest
• Trust is learned
• Trust may represent system reliability


Trust, Trustworthiness, and Risk

[Figure: axes Trust and Trustworthiness (ticks 0.5 and 1); labels: Trust = Trustworthiness, Misplaced trust, Misplaced mistrust]

From: Cho et al., A Survey on Trust Management for Mobile Ad Hoc Networks


Risk and Trust

[Figure: axes Trust and Stake (ticks 0.5 and 1); regions labeled Low risk, Medium risk, High risk]

From: Cho et al., A Survey on Trust Management for Mobile Ad Hoc Networks

Risk value: determined based on stake

Opportunity and positive consequences


Trust in MANET

• Dynamic
• Subjective
• Not necessarily transitive
• Context-dependent


Trust vs. Reputation

• Trust: a node’s belief in the trust qualities of a peer
  – Emphasizes risk and incentives
• Reputation: the perception that peers form about a node
  – Past actions that influence perception
• Recommendation: an attempt at communicating a party’s reputation from one context to another context


Trust Management Approaches

• Policy-based trust management
  – Based on strong and objective security schemes
  – Verifiable properties
  – Binary decision
  – E.g., Charles C. Zhang, Marianne Winslett: Distributed Authorization by Multiparty Trust Negotiation
• Reputation-based trust management
  – Trust is calculated by collecting, aggregating, and disseminating reputation among the entities
  – E.g., vendor evaluation for online shopping


Trust Management Approaches

• Evidence-based trust management
  – Considers anything that proves trust relationships among nodes (e.g., keys, identity, address), or
  – any evidence that any node can generate (e.g., a challenge and response process)
• Monitoring-based trust management
  – Rates the trust level of each participating node based on direct information (e.g., observing the behavior)
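
An added illustration, not part of the original slides, of how a node could rate peers from direct monitoring and then fold in reputation reports from other nodes, as the monitoring-based and reputation-based approaches describe. The Beta-mean rating formula, the 0.7 weighting, the class and function names, and the scenario data are all assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass
class TrustTable:
    """Trust state kept by one observing node (trust is subjective, per node)."""
    # node id -> [cooperative, uncooperative] counts from direct monitoring
    observed: dict = field(default_factory=dict)

    def observe(self, node, cooperative):
        """Record one directly observed behaviour, e.g. a forwarded or dropped packet."""
        counts = self.observed.setdefault(node, [0, 0])
        counts[0 if cooperative else 1] += 1

    def direct_trust(self, node):
        """Monitoring-based rating: mean of an assumed Beta(good+1, bad+1) belief."""
        good, bad = self.observed.get(node, (0, 0))
        return (good + 1) / (good + bad + 2)  # 0.5 when there is no evidence yet

    def combined_trust(self, node, recommendations, direct_weight=0.7):
        """Blend direct trust with peers' recommendations about `node`.

        Each recommendation is weighted by our own direct trust in the
        recommender, so a peer we have seen misbehave has little influence
        (this limits the effect of false recommendations).
        """
        direct = self.direct_trust(node)
        weights = {r: self.direct_trust(r) for r in recommendations if r != node}
        if not weights:
            return direct
        indirect = sum(w * recommendations[r] for r, w in weights.items())
        indirect /= sum(weights.values())
        return direct_weight * direct + (1 - direct_weight) * indirect


def demo():
    """Constructed scenario: node A rates B using its own view plus C and D."""
    a = TrustTable()
    for node, good, bad in [("B", 7, 1), ("C", 8, 0), ("D", 0, 8)]:
        for i in range(good + bad):
            a.observe(node, cooperative=i < good)
    # C reports honestly; D (seen dropping traffic) sends a false low rating.
    recs = {"C": 0.9, "D": 0.0}
    return a.direct_trust("B"), a.combined_trust("B", recs)


if __name__ == "__main__":
    print(demo())
```

With an unweighted average of the two recommendations, D's false report would pull the combined value down to about 0.695; weighting by the recommender's own observed behaviour keeps it near A's direct rating.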


Trust Management Approaches

• Certificate-based vs. behavior-based framework
  – pre-deployment knowledge of trust vs. continuous monitoring (reactive)
• Hierarchical vs. distributed framework
  – Hierarchy based on capabilities or level of trust (e.g., certificate authorities, trusted third parties)


Attacks on Trust Management

• Routing based: routing loop attacks, wormhole attacks, blackhole attacks, grayhole attacks
• Availability: DoS attacks
• Integrity: false information or false recommendation, incomplete information, packet modification/insertion
• Authenticity: newcomer attacks, Sybil attacks, replay attacks
• Other: selective misbehaving attacks, on-off attacks, conflicting behavior attack


MANET Trust Management

• Secure routing
• Authentication
• Access control
• Key management
• Trust evaluation
• Trust computation
• General trust level identification


Next Class

• Web Application Security
  – The software
