DelayAttacks.pdf


A Game Theoretic Analysis of Delay Attacks against Time Synchronization Protocols

Tal Mizrahi
Marvell, Yokneam, Israel, [email protected]

Abstract—Time synchronization protocols have become very common in packet networks, and are consequently exposed to various security attacks. One of the most effective attacks against synchronization protocols is the delay attack, in which a man-in-the-middle attacker selectively delays the time protocol packets. This attack is exceptionally effective, as it cannot be prevented by conventional security measures such as authentication or encryption. In this paper we introduce a new approach to analyzing the delay attack, using a game theoretic model. We analyze the possible strategies of the attacker and attackee, and introduce a novel strategy for mitigating delay attacks using multiple paths between the master and slave clocks. We also discuss the Nash equilibria in our model and their connection to the possible outcomes of real-life attacks.

Keywords: Time synchronization, security, game theory, IEEE 1588, NTP, PTP, delay attack, pulse-delay.

1 INTRODUCTION

Time synchronization protocols in packet switched networks serve various purposes and applications: computer clocks, mobile backhaul, audio/video applications, industrial automation, and others. The Network Time Protocol (NTP) [2] has been commonly deployed for many years, and with the appearance of the IEEE 1588-2008 standard [1], time synchronization has become even more common.

With their growing popularity, time synchronization protocols have also become more exposed to security threats. Security challenges in time synchronization protocols have been thoroughly analyzed, e.g., in [3], [4], [6], and [8]. Undoubtedly, the most exasperating attack described in these analyses is the delay attack, also known in sensor networks as the pulse-delay attack. In this attack, illustrated in Figure 1, a malicious man-in-the-middle adversary selectively adds delay to time synchronization protocol packets sent between nodes in the network, preventing the nodes from correctly measuring the network delay. This paper focuses on delay attacks, and thus in order to isolate the problem at hand we assume that the attacker does not attempt to perform other types of attacks.

Various countermeasures have been proposed to mitigate delay attacks:

• A possible method to detect a delay attack, described in [4], [7], and [5], is by measuring the round trip delay of protocol packets, and comparing it to a predetermined threshold. If the round trip delay exceeds the threshold, an attack is detected. In this paper we thoroughly analyze this method.

• Encryption and authentication of time protocol packets cannot help in detecting or preventing delay attacks (see [6]). However, encryption of protocol traffic (as suggested in [16]) can help in making the attack more difficult to implement, since the attacker cannot unambiguously identify time protocol packets.

• The analysis in [8] suggested that a node can detect a delay attack when the measured delays appear irregular or inconsistent. However, we note that delay attacks in their simplest form can be implemented by simply adding a constant delay to all packets, in which case no irregular delay patterns are observed by nodes in the network.

• The usage of multiple clock sources can be used to detect and ignore false sources. By combining the information from the various sources, abnormal timing information can be detected and ignored. Specifically, timing information that arrives through a delay attacker is detected as false timing information, since it is inconsistent with information from other sources. Different variants of this approach were suggested in [17], [2], and [8].

Figure 1. The Delay Attack

Game theory has been used in a wide range of applications, from economics to politics. Game theory has also been applied to networking (e.g. [9]) and to networking security (e.g. [10], [11]).

In this paper we perform a game theoretic analysis of delay attacks. The main contributions of this paper are as follows:

• We introduce a game theoretic model for analyzing delay attacks.

• We analyze the possible strategies of the players in the game.

• We introduce a novel method to mitigate the delay attack using multiple paths between the master and slave clocks¹.

• We present the possible Nash equilibria, and discuss the intuition behind them and the connection to the possible outcomes of real-life attacks.

The remainder of this paper is organized as follows. The model of the analyzed system is presented in Section 2. Section 3 analyzes the possible strategies of the players, and Section 4 presents the possible outcomes of the delay attack game by analyzing its Nash equilibria. Section 5 discusses the effect of the protocol exchange model on the delay attack game. Concluding remarks and future work are discussed in Section 6.

¹ While the usage of multiple clock sources to mitigate security attacks is a well-known approach (e.g. [2]), to the best of our knowledge the usage of multiple paths between the master and slave has not been previously discussed. The multiple path approach is also presented in [12] as a means to improve the

2 DEFINING THE MODEL

2.1 Protocol Packet Exchange

The time synchronization protocol in our model is executed by means of exchanging protocol messages conveying timestamps, as in [2] and [1]. The protocol message exchange procedure in our model is illustrated in Figure 2, and follows the NTP message exchange scheme. The protocol proceeds in periodic message handshakes. We define two nodes, Alice and Bob. Alice functions as the master clock (also known in NTP as a time server), and Bob as the slave (also known as a client). Alice, being the master, maintains the accurate time, and uses protocol messages to distribute its time to Bob. For the purpose of our analysis we define a single exchange as two subsequent protocol messages, a message from Bob to Alice, and its corresponding response from Alice to Bob. The times of transmission and reception of each message are denoted T1, T2, T3, T4, as shown in Figure 2, and are known to Bob at the end of an exchange. This two-way handshake serves two purposes: it allows Alice to communicate her current time to Bob, and allows Bob to compute the round trip delay of the path to Alice.

We assume Ti∈R for 1≤i≤4, where R is the set of real numbers. Thus, (T1, T2, T3, T4)∈Tspace, where Tspace=R×R×R×R.

Figure 2. Protocol Message Exchange

In our game theoretic analysis, each game is a single exchange, where each player chooses a strategy and receives a payoff.

2.2 Players

Two players take part in our game, M and B.² Our attacker M is located in a position that allows him to store and forward protocol packets after a maliciously computed delay. In our analysis we isolate the delay attack from other possible attacks. Hence, we assume that all protocol messages between Alice and Bob are secured, preventing Mallory from modifying or replaying them. We also assume that Mallory is not interested in a “simple” Denial-of-Service attack, and is focused on attacking by delaying protocol messages. We denote by δBA and δAB the delays imposed by Mallory, as illustrated in Figure 2. We assume that both delay values, δBA and δAB, are real numbers in the range [0, DM].

The second player, B, can be viewed as a security process employed by Bob to detect delay attacks. Player B has 2 possible actions at the end of an exchange, “Pass” or “Drop”. We assume that Bob also uses a synchronization process, which performs the slave clock computations based on the received timestamp values, T1, T2, T3 and T4. Player B uses these timestamp values for its decision whether to pass or drop a received protocol packet. If the decision is Pass, the synchronization process uses the timestamps from the current exchange for updating the slave time and frequency, whereas if the decision is Drop the current exchange is ignored.

² We semantically distinguish between the nodes in the network, referred to as Mallory and Bob, and the players in the game, referred to as M and B.

We assume that both M and B are rational players. Network delay has a stochastic nature, and thus we assume incomplete information with respect to the network delay between Alice and Bob, modeled by a third player, L, representing nature’s decision. L chooses the network delay values, εBA and εAB. Each of the two network delay values is a real number that is randomly distributed with the following distribution functions: PεBA(x) and PεAB(x). For the sake of simplicity we assume that the two functions are identical, although in a given exchange εBA and εAB are chosen by L independently, and are thus not necessarily identical.

We assume that M and B share a common knowledge about the system setting and the possible payoffs, including the distribution functions PεAB(x) and PεBA(x). While B chooses his action based on the time measurements, T1, T2, T3 and T4, we assume for simplicity that M has no knowledge of any time measurement values³, and thus takes his decision purely based on his knowledge of the game setting.

2.3 Slave Synchronization Algorithm

As mentioned above, we assume Bob uses a security process, and a process that performs the synchronization algorithm. It should be noted that the synchronization process is not a player in the game. This allows the analysis to focus on the defensive security policy, represented by the player B, while keeping the quality of the time synchronization algorithm out of the scope of the game analysis.

Typical time synchronization algorithms use information from the current exchange, as well as from previous ones to update the clock. For the sake of our analysis we assume a simple synchronization process which uses the information from the current exchange, T1, T2, T3 and T4.

At the end of the exchange the synchronization process computes the round trip delay:

dRT = (T4-T1)-(T3-T2) (1)

The time synchronization process then updates the slave time, Ts, as follows:

Ts = Ts + (T4-T3-½dRT) (2)

At the end of the computation in Eq. (2), we denote ∆ the absolute value of the slave time error, i.e., the difference between the master’s time and the slave’s time. If the network delay in the exchange is symmetric, Bob accurately computes the time of day, and ∆=0. Otherwise, by Eq. (2) ∆ is equal to the delay asymmetry in the path between Alice and Bob during the exchange.

The consequences of the “Drop” action are outside the scope of the game theoretic analysis, and depend on the properties of the system. For example, it can be assumed that Bob has a local clock, and when the “Drop” action is selected Bob uses its local clock rather than information received from the master. Another possible scheme is the multiple path scheme (see 3.4), where if the “Drop” action is applied to path i, then Bob’s time is based on information received from other paths.

³ This is a fair assumption on the resources of the attacker. Performing real-time measurements and delaying the protocol packets according to these real-time measurements is feasible,

2.4 Defining the Game

As previously noted, the game we analyze captures a single exchange in the time synchronization protocol. Our game is a non-cooperative sequential game, where M is the first to choose his action, followed by nature’s decision, and finally B’s decision. Note that while M and L take their decisions independently, B’s decision is based on the 4 timestamps, and is thus a function of M and L’s actions. We represent the game in extensive form, illustrated by the game tree in Figure 3.

Figure 3. A Tree Representation of the Delay Attack Game

The root of the tree represents M, and each outgoing edge from the root represents one of M’s actions, in the form (δAB, δBA). Each outgoing edge from the root is directed to a node labeled “L”, representing nature’s choice. Nature’s actions are represented by outgoing edges from the nodes labeled “L”. Each edge from a node labeled “L” is directed to a node labeled “B”, denoting player B’s choice. Finally, the leaves of the tree denote the payoffs of players M and B respectively.

2.5 Strategy Space

We denote M’s strategy set SM, where each strategy represents a pair of delays (δBA, δAB).

After M and L make their moves, B has the 4 timestamp values, T1, T2, T3 and T4, and can compute the round trip delay of the exchange, dRT, as defined in Eq. (1).

B does not precisely know M and L’s actions, but it takes its decision based on the 4 timestamps. Thus, B’s strategy is a function that maps the 4 timestamp values to a Pass/Drop decision.

The strategy sets for M, B and L are defined as follows:

SM = { (δBA, δAB) | 0≤δBA≤DM and 0≤δAB≤DM }

SB = { f | f: Tspace → {Pass, Drop} }

SL = { (εBA, εAB) | εBA≥0, εAB≥0 }

The strategy space is given by S=SM×SB×SL.

2.6 Payoff Functions

As defined above, ∆ is Bob’s time error after updating its time of day at the end of the exchange. Obviously Bob does not know the value of ∆, but we assume that if ∆ exceeds a threshold ∆ERR, the application requiring the time service experiences an “error”⁴, and notifies player B. Intuitively, M’s attack is considered successful if ∆>∆ERR.

For a strategy s={sM, sB, sL} we define the payoff functions, also known as the utility functions, as follows:

uM(s) = 0,     if B plays “Drop”
        uERR,  if B plays “Pass” and ∆>∆ERR      (3)
        0,     if B plays “Pass” and ∆≤∆ERR

uB(s) = uFA,   if B plays “Drop” and sM=(0,0)
        0,     if B plays “Drop” and sM≠(0,0)    (4)
        -uERR, if B plays “Pass” and ∆>∆ERR
        0,     if B plays “Pass” and ∆≤∆ERR

⁴ For example, cellular Long Term Evolution (LTE) base station synchronization requires ∆<1.5 usec ([18]) to function correctly.

M’s payoff function rewards M for a successful attack with a positive payoff uERR. If the attack is detected by B, M is punished with the payoff 0.

B’s payoff is a nonpositive value. From B’s perspective, sM≠(0,0) means that M attacks. Thus, a successful detection of M’s attack is rewarded with the highest possible payoff, 0, while a false alarm yields the negative payoff uFA. When B plays “Pass” his payoff depends on the value of ∆; ∆>∆ERR indicates a misdetection of an effective attack by M, and receives the negative payoff –uERR, while if ∆≤∆ERR the payoff is 0.

Note that the sum of the two functions uM(s) and uB(s) is 0 except for the case where B plays “Drop” and sM=(0,0), representing a false alarm scenario. Intuitively, the attacker M and the security agent B have conflicting interests, modeled by the zero sum. However, our game is not a zero-sum game, since the false alarm scenario punishes B for failing as a security agent, but does not reward M, since the false alarm does not necessarily compromise Bob’s time keeping process.

3 ATTACKER AND ATTACKEE STRATEGIES

3.1 Attacker Strategy 1: Unsuccessful Attack

Assume that M’s strategy is sM1=(δ1, δ1) for δ1≤DM, and that nature’s play is sL={ε1,ε1}.

The resulting network delays in both directions, BA and AB, are δ1+ε1, and the round trip delay measured by B is dRT = δBA+εBA+δAB+εAB = 2(δ1+ε1). Since B knows that the forward and reverse path are identically distributed, it takes the one-way delay to be half of the round trip delay, i.e., ½dRT = δ1+ε1. Thus, in this scenario B’s computation of the one-way delay is accurate, and assuming that B plays “Pass”, the time synchronization process can accurately align Bob’s time to the master’s time, yielding an error ∆=0.

Hence, a strategy of the form sM1=(δ1, δ1), which adds a symmetric delay to the exchange, is an ineffective attack by M.

3.2 Attacker Strategy 2: Successful Attack

We now assume M’s strategy is sM2=(δ2, 0) for δ2>∆ERR, and nature’s choice is sL={ε2,ε2}. Following the analysis in 3.1, if B plays “Pass”, the error is ∆=δ2, rewarding M with the payoff uERR.

The following observation follows:

Observation 1. A successful delay attack manipulates the delay asymmetry.

Obviously, B’s best response to sM2 is to play “Drop”, improving his payoff from -uERR to 0. The trouble is that B has no way to directly measure M’s malicious delay, and thus is not necessarily aware that he is under attack. Following Observation 1, B can benefit from measuring the delay asymmetry. The delay asymmetry can be computed by comparing T4-T3 to T2-T1; however, that requires Alice and Bob to have a synchronized clock, and our assumption is that B has no knowledge about whether Alice and Bob’s clocks are synchronized or not.

3.3 Attackee Strategy 1: The Drop Threshold Strategy

At the end of an exchange B computes the round trip delay, dRT, shown in Eq. (1). As discussed in Section 1 the delay attack

Player B’s drop threshold strategy is defined as follows:

sDT = Pass, if dRT≤DRT      (5)
      Drop, if dRT>DRT

The underlying assumption in the drop threshold strategy is that B knows PεBA(x) and PεAB(x), and that based on this familiarity with the network delay behavior B can determine an upper bound on the round trip time. If the delay exceeds the upper bound, B assumes a delay attack is in progress.

The drawback of sDT is that it may trigger a false alarm for large symmetric delays caused by nature, even when M does not attack. Network delays are typically modeled with an exponential or a gamma distribution (see [14]). Consequently, network delays are often modeled as unbounded, and can thus exceed any threshold DRT determined by the drop threshold strategy.

Furthermore, if the attacker from 3.2 can perform a successful attack with a relatively small value δ2, player B obviously cannot detect this attack with the drop threshold strategy, since the attack has a small impact on the round trip time. Intuitively, if ∆ERR<<Var(εBA) and ∆ERR<<Var(εAB),⁵ then M can use δAB=∆ERR without the attack being detected by the drop threshold strategy.

Observation 2. The Drop Threshold Strategy is ineffective when ∆ERR<<Var(εBA) and ∆ERR<<Var(εAB).

Hence, the drop threshold strategy is not applicable to all systems. An example to an application that can benefit from the drop threshold strategy is an Audio/Video Bridging (AVB) network using the IEEE 802.1AS [15], where all bridges take part in the synchronization protocol, and hence the link between two adjacent clocks is a single-hop layer 2 link, with a very low delay variation. Since the round trip delay between two adjacent nodes has a low variance, a drop threshold strategy is effective in detecting delay attacks in AVB networks.
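The exchange model of Section 2 and the strategies of Sections 3.1 to 3.3, as an added Python simulation that is not code from the paper. Bob's clock offset, Mallory's delays and nature's delays are constructed values in microseconds; dRT follows Eq. (1), the Pass/Drop rule Eq. (5) and the payoffs Eqs. (3) and (4), while the residual error is computed with the standard NTP offset formula, under which it equals half of the delay asymmetry (so the attack of 3.2 with (δ2, 0) leaves an error of δ2/2 rather than δ2). The detection_rate helper, with exponentially distributed natural delays, shows the false alarms and missed detections behind Observation 2.

```python
import random

# Added example (not from the paper): the single-exchange model of Section 2 and
# the attacker/attackee strategies of Sections 3.1-3.3. All times are in
# microseconds and all values are constructed for illustration.

def exchange(offset, delta, eps, t1=1_000.0, proc=50.0):
    """Play one NTP-style exchange (Figure 2) and return (T1, T2, T3, T4).

    offset: Bob's clock minus Alice's clock, the error Bob has to correct
    delta : (delta_BA, delta_AB), Mallory's delays per direction (player M)
    eps   : (eps_BA, eps_AB), the network delays chosen by nature (player L)
    T1 and T4 are read on Bob's clock, T2 and T3 on Alice's clock.
    """
    d_ba, d_ab = delta
    e_ba, e_ab = eps
    T1 = t1
    T2 = T1 - offset + d_ba + e_ba   # Bob's request reaches Alice
    T3 = T2 + proc                   # Alice replies after a fixed processing time
    T4 = T3 + offset + d_ab + e_ab   # Alice's response reaches Bob
    return T1, T2, T3, T4


def round_trip(ts):
    """Eq. (1): dRT = (T4 - T1) - (T3 - T2); Alice's processing time cancels out."""
    T1, T2, T3, T4 = ts
    return (T4 - T1) - (T3 - T2)


def residual_error(ts, offset):
    """Absolute slave error after Bob corrects its clock from the four timestamps.

    Bob takes the one-way delay to be half of dRT (Eq. (2)). With the standard
    NTP offset computation the error that remains is half the delay asymmetry,
    so only an asymmetric delay yields a non-zero error (Observation 1).
    """
    T1, T2, T3, T4 = ts
    theta = ((T2 - T1) + (T3 - T4)) / 2.0   # NTP's estimate of (Alice - Bob)
    return abs(offset + theta)               # true offset minus the correction


def drop_threshold(ts, d_rt_max):
    """Attackee strategy sDT of Eq. (5): Drop when dRT exceeds the threshold DRT."""
    return "Pass" if round_trip(ts) <= d_rt_max else "Drop"


def payoffs(action, delta, err, delta_err, u_err=10.0, u_fa=-1.0):
    """Eqs. (3) and (4): the payoffs (uM, uB) of one exchange; uFA is negative."""
    attacked = delta != (0.0, 0.0)
    if action == "Drop":
        return 0.0, (0.0 if attacked else u_fa)   # detection, or a false alarm
    if err > delta_err:
        return u_err, -u_err                       # an effective attack was passed
    return 0.0, 0.0


def play(delta, eps, offset=250.0, d_rt_max=400.0, delta_err=20.0):
    """One game: M picks delta, L picks eps, B applies sDT.
    Returns (action, dRT, error, (uM, uB))."""
    ts = exchange(offset, delta, eps)
    action = drop_threshold(ts, d_rt_max)
    err = residual_error(ts, offset)
    return action, round_trip(ts), err, payoffs(action, delta, err, delta_err)


def detection_rate(delta, d_rt_max, mean_eps=80.0, trials=2000, seed=1):
    """Fraction of exchanges in which sDT plays Drop when nature draws each
    direction's delay from an exponential distribution (unbounded, as in 3.3)."""
    rng = random.Random(seed)
    drops = 0
    for _ in range(trials):
        eps = (rng.expovariate(1.0 / mean_eps), rng.expovariate(1.0 / mean_eps))
        if drop_threshold(exchange(250.0, delta, eps), d_rt_max) == "Drop":
            drops += 1
    return drops / trials


if __name__ == "__main__":
    # 3.1: symmetric attacker delay, symmetric natural delay -> error 0, ineffective.
    print("symmetric  :", play((100.0, 100.0), (80.0, 80.0)))
    # 3.2: a small asymmetric delay stays under DRT, is passed, and exceeds ∆ERR.
    print("asymmetric :", play((60.0, 0.0), (80.0, 80.0)))
    # 3.3: a large symmetric natural delay with no attack triggers a false alarm.
    print("false alarm:", play((0.0, 0.0), (250.0, 250.0)))
    # Observation 2: a small δ2 is barely distinguishable from natural variation.
    print("drop rate, no attack:", detection_rate((0.0, 0.0), 400.0))
    print("drop rate, δ2 = 60  :", detection_rate((60.0, 0.0), 400.0))
```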

3.4 Attackee Strategy 2: Using Multiple Paths

We now introduce a novel method that uses multiple paths in the network to detect and prevent delay attacks. Assume that Alice and Bob are connected through N independent paths. Alice and Bob concurrently run the synchronization protocol through the N paths, and consequently Bob computes N corresponding values of the TOD (Time of Day). Assuming that Mallory is a man-in-the-middle who can only attack one of the paths, the other N-1 paths are not subjected to the attack. In this paper we focus on the simple case in which at most one of the paths is under attack, but the extension to m attacked paths is straightforward.

In Section 1 we discussed a somewhat similar approach that uses N clock sources. The advantage of the multiple path method is that it does not require multiple clock nodes, but rather utilizes the redundant paths provided by the network.

In both the multiple path approach and the multiple clock source approach Bob maintains N instances of the TOD, and if one of these values appears irregular it is assumed to be the result of an attack, and is ignored.

We shall now formally analyze the multiple path approach⁶ in the context of our model. Assume that Alice and Bob are connected through N paths, and that Mallory is located somewhere along path 0. Our game focuses on path 0, although in practice the same game is concurrently played for all N paths. Thus, in this context we assume that player B monitors path 0, and takes a Pass/Drop decision with respect to the exchange through path 0.

⁵ Recent work by the ITU-T [13] confirms this concern. It shows that a desirable level of accuracy can be achieved even when 99% of the traffic has a delay variation that is significantly greater than the desirable accuracy.

⁶ The analysis applies to the multi-clock-source scheme as well.

At the end of the exchange through path 0, B uses the timestamp information from the exchange to decide whether to pass or drop the exchange. We define a strategy for player B that is based on the CNV algorithm from [17]. At the end of the exchange B computes TOD0, and has access to the TODk values for all k≠0. We define TAVG= Averagek≠0(TODk). We note that TOD0 is computed based on the four timestamps, T1, T2, T3, and T4.

We define the multiple path strategy as follows:

sMP = Pass, if |TOD0-TAVG|≤TTH      (6)
      Drop, if |TOD0-TAVG|>TTH

If player B plays “Pass” the time synchronization algorithm computes the overall TOD as Averagek(TODk), and if player B plays “Drop”, the overall TOD is assigned TAVG.

The threshold TTH determines the maximal allowed difference between the TOD information from the attacked path, and the combined TOD from the other paths. The threshold TTH must be determined in a way that prevents the total TOD error from exceeding ∆ERR. In 4.3 we shall see an example of such a threshold.

It should be noted that the number of paths, N, is of significant importance. For example, for N=2, it is easy to see that if the two paths produce significantly different TOD values, the sMP strategy causes Bob to discard the data from both paths.

The analysis in [17] shows that if there are at most m malicious clock sources, then N must satisfy N>3m to allow successful detection of the misleading sources. Thus, in the multiple path scheme with 1 attacker, sMP is effective for N>3. For N≤3 other approaches can be taken. One possible approach is to arbitrarily choose one of the paths, and use a drop threshold strategy (Section 3.3) to decide whether to switch to an alternate path. A specific case of this approach is to use the path with the minimal round trip delay, which inherently applies a drop threshold strategy. It should be noted that the two latter approaches suffer from a similar limitation to the one in Observation 2.

4 NASH EQUILIBRIA

In this section we present three Nash equilibria, and discuss the intuition behind them.

4.1 Nash Equilibrium 1 – Always Drop

Consider the following strategies:

sB,N1 = Drop for all dRT

SM,N1 = SM \ {(0,0)}

Lemma 4.1. If sM∈SM,N1 and sL∈SL, then the strategy profile s={sB,N1, sM, sL} is a Nash equilibrium.

Proof. By definition of SM,N1, we have that sM≠(0,0), and since player B plays “Drop”, his payoff is uB(s)=0. As this is the highest possible payoff for B, he has no interest to change his strategy. Since B plays “Drop”, uM(s)=0 independently of M’s action, and thus M has no interest to change his strategy either.

Nash equilibrium 1 represents a scenario where B plays “Drop” regardless of the timestamp values he receives. B plays a blindly defensive strategy, and since M indeed attacks, sM≠(0,0), both players receive a payoff 0 and have no interest to

receive protocol message from Alice. This counter-intuitive equilibrium results from the fact that the interests of the security process B and the network node “Bob” are not necessarily aligned: from Bob’s perspective the ideal scenario is that B plays “Pass” and ∆≤∆ERR, while from player B’s perspective an equally satisfactory scenario is to successfully detect an attack and play “Drop”, regardless of the prospective value of ∆ had he decided to play “Pass”.

Note that Nash Equilibrium 1 is not a subgame perfect equilibrium. For example, if M decides to play (0,0), then sB,N1 does not provide the best possible payoff for B, and hence B has an interest to change his strategy. Our analysis in this paper focuses on Nash Equilibria in general, and not necessarily on subgame perfect equilibria.

4.2 Nash Equilibrium 2 – Drop Threshold

Define sB,N2 as a drop threshold strategy with a threshold DRT:

sB,N2 = Pass, if dRT≤DRT
        Drop, if dRT>DRT

We define SL,N2 such that nature’s choice of the network delay is in the range [εmin, εmax] for both εBA and εAB:

SL,N2 = { (εBA, εAB) | εmin≤εBA≤εmax, εmin≤εAB≤εmax }

Lemma 4.2. If 2εmax≤DRT≤∆ERR+2εmin, sM∈SM and sL∈SL,N2, then the strategy profile s={sB,N2, sM, sL} is a Nash equilibrium.

Proof. For sM=(δBA, δAB), we define δ=δBA+δAB. By definition of dRT we have 2εmin+δ≤dRT≤2εmax+δ. We consider two distinct cases:

• dRT≤DRT: As mentioned in Section 2.3, ∆ is equal to the delay asymmetry, and thus we have ∆≤dRT-2εmin≤DRT-2εmin≤(∆ERR+2εmin)-2εmin=∆ERR. Hence, ∆≤∆ERR. By definition of sB,N2 B plays “Pass”, and thus uB(s)=uM(s)=0.

• dRT>DRT: Since dRT≤2εmax+δ, we have 2εmax≤DRT<dRT≤2εmax+δ, and thus δ>0. By definition of sB,N2 B plays “Drop”, and since δ>0 we obtain uB(s)=uM(s)=0.

In both possible cases the payoffs for both players are 0. Player B does not have an interest to change his strategy because he has the highest possible payoff. Player M receives a payoff 0 regardless of his strategy, and thus has no interest to change his strategy either. Since both players do not have an interest to change their strategies, this is a Nash equilibrium.

As mentioned in Section 2.4, the drop threshold strategy is not effective when the network delays are unbounded. Thus, the upper bound εmax on the network delays allows an effective value of DRT. The requirement DRT≤∆ERR+2εmin guarantees that the threshold is low enough to detect an effective attack. However, in the general case such a threshold value DRT does not necessarily exist. It exists when the network delays are confined to the range [εmin, εmax], satisfying 2εmax≤∆ERR+2εmin. The latter inequality implies that if ∆ERR is small compared to the network delay, B cannot detect the attack, which is intuitively consistent with Observation 2.

The intuition in Nash Equilibrium 2 is that player B defines an optimal value of DRT, allowing to detect M’s attacks. Consequently, regardless of M’s strategy the payoffs are always (0,0). This equilibrium illustrates the case where player B succeeds in defining an effective security policy that detects all possible attacks.

4.3 Nash Equilibrium 3 – Multiple Paths

Assume we use the multiple path scheme with N paths, and that Mallory has access only to path 0.

Let sMP be a strategy as defined in (6) with TTH=∆ERR. Define TAVG= Averagek≠0(TODk), and denote ∆AVG the time error of TAVG.

Lemma 4.3. If ∆AVG < ∆ERR·(N-1)/N, then s={sMP, sM, sL} is a Nash equilibrium.

Proof. Let TOD0 be the time of day computed by B at the end of the exchange. We distinguish between two cases:

• |TOD0 – TAVG|≤∆ERR: Since ∆i < ∆ERR·(N-1)/N, it follows that the time error of TAVG is also less than ∆ERR·(N-1)/N. Since the difference between TOD0 and TAVG does not exceed ∆ERR, it follows that ∆0, i.e., the difference between TOD0 and the master time, is at most (1+(N-1)/N)·∆ERR. Since |TOD0 – TAVG|≤∆ERR, player B plays “Pass”, and we have Averagei(TODi)=(1/N)·TOD0+((N-1)/N)·TAVG, and thus the time error of the total TOD, ∆, satisfies ∆<(1/N)·(1+(N-1)/N)·∆ERR+((N-1)/N)·(N-1)/N·∆ERR, which yields ∆<∆ERR. Thus, player B plays “Pass”, and both players receive a payoff of uB(s)=uM(s)=0.

• |TOD0 – Averagek≠0(TODk)|>∆ERR: In this case, since player B plays “Drop” both players receive a payoff of 0. Player M does not have an interest to alter his strategy, since regardless of his strategy when B plays “Drop” M’s payoff is 0. Player B does not have an interest to change his strategy, since his payoff is the maximal payoff, 0.

In both cases the players do not have an interest to change their strategies, and hence we have a Nash equilibrium.

Intuitively, Nash equilibrium 3 represents a scenario where:

• B uses multiple paths, and the time information from the paths not under attack, i.e., paths i≠0, satisfy ∆AVG < ∆ERR·(N-1)/N. Intuitively, the Law of Large Numbers guarantees that as N increases ∆AVG has a lower variance, hence the justification for assuming that ∆AVG can be bounded by a well-known upper bound. Note that in real-life scenarios a large value of N may be difficult to deploy. Thus, our usage of the Law of Large Numbers is not strictly a formal claim, but rather an intuition for assuming an upper bound on ∆AVG.

• B defines a correct drop criterion which guarantees that all effective attacks are met with a “Drop” action. Thus, both players have a payoff 0, and none of the players has an interest to change his strategy.
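The multiple path strategy sMP of Eq. (6) in Section 3.4, with the threshold TTH=∆ERR of Section 4.3, as an added Python example that is not the paper's code. Per-path TOD values are constructed with the master time taken as 0, Mallory's effect is modelled as an error on path 0 only, and pass_case_bound evaluates the expression reached in the proof of Lemma 4.3 for several N.

```python
# Added example (not from the paper): the multiple path strategy sMP of Eq. (6)
# with the threshold TTH = ∆ERR used in Section 4.3. Each path k yields a time of
# day TODk = master time + errork; the values below are constructed, and the
# master time is taken as 0 so that a TOD value is also that path's error.

def multiple_path_decision(tods, t_th):
    """Eq. (6) for path 0. Returns (action, TAVG, overall TOD), where the overall
    TOD is Averagek(TODk) on Pass and TAVG = Averagek≠0(TODk) on Drop."""
    tod0, others = tods[0], tods[1:]
    t_avg = sum(others) / len(others)
    if abs(tod0 - t_avg) <= t_th:
        return "Pass", t_avg, sum(tods) / len(tods)
    return "Drop", t_avg, t_avg


def total_error(tods, master_time, delta_err):
    """B's action and the resulting absolute error of Bob's overall TOD."""
    action, _, overall = multiple_path_decision(tods, delta_err)
    return action, abs(overall - master_time)


def per_path_decisions(tods, t_th):
    """The same game played concurrently for every path (Section 3.4): each path
    takes the role of path 0 and is compared with the average of the others."""
    decisions = []
    for k in range(len(tods)):
        rotated = [tods[k]] + tods[:k] + tods[k + 1:]
        decisions.append(multiple_path_decision(rotated, t_th)[0])
    return decisions


def lemma_43_condition(errors_other, delta_err):
    """Premise of Lemma 4.3: ∆AVG < ∆ERR·(N-1)/N, N counting the attacked path."""
    n = len(errors_other) + 1
    avg_err = abs(sum(errors_other) / len(errors_other))
    return avg_err < delta_err * (n - 1) / n


def pass_case_bound(n, delta_err):
    """The bound on ∆ reached in the proof of Lemma 4.3 for the Pass case:
    (1/N)·(1+(N-1)/N)·∆ERR + ((N-1)/N)·((N-1)/N)·∆ERR. Expanding the expression
    gives exactly ∆ERR, so ∆ < ∆ERR rests on the strict inequality on ∆AVG."""
    q = (n - 1) / n
    return (1.0 / n) * (1.0 + q) * delta_err + q * q * delta_err


if __name__ == "__main__":
    D_ERR = 10.0                       # constructed application error threshold
    honest = [2.0, 1.0, 3.0, 0.0]      # constructed errors of the N-1 honest paths
    print("lemma premise holds:", lemma_43_condition(honest, D_ERR))
    # Path 0 attacked but within TTH of the others: passed, overall error stays small.
    print("small attack:", total_error([9.0] + honest, 0.0, D_ERR))
    # Path 0 pushed far off: dropped, and Bob falls back to TAVG.
    print("large attack:", total_error([30.0] + honest, 0.0, D_ERR))
    # N = 2: two disagreeing paths drop each other (the remark on N in Section 3.4).
    print("N = 2       :", per_path_decisions([30.0, 1.0], D_ERR))
    print("N = 5       :", per_path_decisions([30.0] + honest, D_ERR))
    print("bound / ∆ERR:", [pass_case_bound(n, D_ERR) / D_ERR for n in (2, 4, 10)])
```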

5 REVISITING THE PROTOCOL EXCHANGE MODEL

In the previous sections we used NTP as the reference model for the protocol packet exchange. As mentioned in Section 2.1, this two-way-handshake serves two purposes: time distribution from Alice to Bob, and round trip delay measurement by Bob. A straightforward observation follows:

Observation 3. Every delay attack in the setting illustrated in Figure 2 directly affects the round trip delay measurement.

exchange, or use the 4 timestamps to compute the time of day. However, this key property of NTP does not necessarily apply to all time synchronization protocols. For example, the delay measurement scheme in the Precision Time Protocol (PTP) [1] has two variants, the end-to-end scheme, and the peer-to-peer scheme. Throughout this paper, and specifically in the peer-to-peer scheme, we assume for simplicity that there are no intermediate Transparent Clocks between Alice and Bob. It is straightforward to extend our analysis to the case where Alice and Bob are connected through several Transparent Clocks, in which case the analysis in this paper is applied on each hop between Alice and Bob. Figure 4 illustrates the two variants.

Figure 4. PTP Delay Measurement Exchange: (1) End-to-end (2) Peer-to-peer

The peer-to-peer scheme uses a dedicated two-way-handshake for delay measurement, independently of the Sync messages used for time distribution. As a result, a very convenient strategy set for our attacker M, is to delay only Sync messages, preventing player B from detecting the attack using the round trip time value.

The end-to-end scheme uses a three-way-handshake, at the end of which Bob is equipped with the 4 timestamps that are used for the delay computation, as well as the time of day computation. However, the standard does not specify whether Bob should update its local clock after receiving the Sync message, or wait until it receives the Delay_Resp message. Moreover, as defined in [1], Bob can choose to invoke the Delay_Req+Delay_Resp handshake at a lower rate than the Sync transmission rate. Thus, some of the Sync messages are sent without a corresponding delay measurement, allowing the same attacker strategy described for the peer-to-peer variant.

Hence, a key factor in the detection of the delay attack is the coupling between time distribution and delay measurement. Specifically for PTP [1], an important counter measure in the context of the delay attack is using the end-to-end delay paradigm, performing the delay measurement procedure for every Sync message, and performing the slave clock computations only after receiving the Delay_Resp message.

6 CONCLUSION

In this paper we used game theoretic tools to analyze delay attacks. We presented a few Nash equilibria which provide an intuition to the possible outcomes of delay attacks. Specifically, the Nash equilibria analysis shows that:

• The Drop Threshold Strategy can be effective in detecting delay attacks. However, an effective threshold for this strategy exists only in specific systems where the round trip delay is bounded by a well-known value. Thus, the effectiveness of this strategy depends greatly on the behavior of the network latency.

• We introduce the multiple path strategy. We show that if the network topology allows multiple paths between the master and slave clocks, the path redundancy can be used to detect and mitigate delay attacks. The analysis shows that by carefully choosing the drop criterion, the attack can be successfully prevented, and a Nash equilibrium is reached. Our analysis shows that increasing the number of paths improves the ability to detect and mitigate the attack.

Our analysis also shows that a key to the detection of delay attacks is coupling the time distribution scheme with the delay measurement scheme, as defined in NTP, for example. We show that a similar coupling can be achieved in PTP when the end-to-end delay scheme is used, provided that the delay request rate is equal to the Sync message rate.

Our analysis focused on a single game with pure strategies. It would be interesting to explore the possible outcomes of using mixed strategies. Moreover, the results in this paper can be extended to repeated games, capturing the repetitive nature of time synchronization protocol exchanges.

REFERENCES

[1] IEEE TC 9 Test and Measurement Society 2000, “1588 IEEE Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems Version 2”, IEEE Standard, 2008.

[2] D. Mills, U. Delaware, J. Martin, J. Burbank, W. Kasch, “Network Time Protocol Version 4: Protocol and Algorithms Specification”, IETF, RFC 5905, 2010.

[3] A. Treytl, G. Gaderer, B. Hirschler and R. Cohen, “Traps and pitfalls in secure clock synchronization”, International Symposium for Precision Clock Synchronization for Measurement, Control and Communication, ISPCS 2007, pp. 18-24, 2007.

[4] M. Ullmann, M. Vogeler, “Delay Attacks - Implication on NTP and PTP Time Synchronization”, International Symposium for Precision Clock Synchronization for Measurement, Control and Communication, ISPCS 2009, pp. 1-6, 2009.

[5] S. Ganeriwal, C. Popper, S. Capkun, M. B. Srivastava, “Secure Time Synchronization in Sensor Networks”, ACM Trans. Info. and Sys. Sec., Volume 11, Issue 4, July 2008.

[6] T. Mizrahi, “Time synchronization security using IPsec and MACsec”, in Proceedings of the International IEEE Symposium on Precision Clock Synchronization for Measurement, Control and Communication, ISPCS, pp. 38-43, 2011.

[7] J.-C. Tournier, O. Goerlitz, “Strategies to secure the IEEE 1588 protocol in digital substation automation”, Fourth International Conference on Critical Infrastructures, CRIS 2009, pp. 1-8, 2009.

[8] J. Tsang, K. Beznosov, “A security analysis of the precise time protocol (short paper),” 8th International Conference on Information and Communication Security (ICICS 2006), pp. 50–59, 2006.

[9] M. Felegyhazi and J.-P. Hubaux, “Game theory in wireless networks: A tutorial,” EPFL Laboratory for Computer Communications and Applications, Lausanne, Switzerland, Tech. Rep. LCA-REPORT-2006-002, June 2006.

[10] T. Alpcan and T. Basar, “A game theoretic approach to decision and analysis in network intrusion detection”, In Proceedings of the 42nd IEEE Conference on Decision and Control (CDC), pp. 2595-2600, 2003.

[11] T. Alpcan, T. Basar, “Network Security: A Decision and Game Theoretic Approach”, Cambridge University Press, 2011.

[12] T. Mizrahi, “Slave Diversity: Using Multiple Paths to Improve the Accuracy of Clock Synchronization Protocols”, accepted, to appear in Proceedings of the International IEEE Symposium on Precision Clock Synchronization for Measurement, Control and Communication, ISPCS, 2012.

[13] ITU-T G.8261.1, “Packet Delay Variation Network Limits applicable to Packet Based Methods (Frequency Synchronization)”, 2012.

[14] A. Mukherjee, “On the Dynamics and Significance of Low Frequency Components of Internet Load,” Internetworking: Research and Experience, Vol. 5, pp. 163-205, December 1994.

[15] IEEE 802.1AS, “Timing and Synchronization for Time-Sensitive Applications in Bridged Local Area Networks”, IEEE, 2011.

[16] T. Mizrahi, K. O’Donoghue, “TICTOC Security Requirements”, IETF, draft-ietf-tictoc-security-requirements, work in progress, 2011.

[17] L. Lamport, P. M. Melliar-Smith, “Synchronizing Clocks in the Presence of Faults”, Journal of the ACM (JACM), Volume 32, Issue 1, 1985.

[18] ITU-T G.8271, “Time and Phase Synchronization Aspects in Packet
