Minimum Cost Forwarding

We first briefly describe the protocol and review its security weaknesses. Minimum Cost Forwarding [YCLZ01] is a simple routing technique, which indirectly constructs minimum spanning tree routing structure. The rout- ing is based oncost fields (cost of the optimal path from node to the base station) established by periodic broadcast of beacons. The process starts at base station, which broadcasts its cost fields 0. Nodes in the range of the broadcast set theircost field to the sum of their own cost (e.g. remaining energy, latency, ...) and the broadcastedcost field. Then they broadcast their owncost field. It is obvious each node receives multiple differentcost fields. The node only accepts suchcost field, that is equal or lower then previous one. In that case, the node modifies its cost field and starts a new broad- cast. After some time, all nodes have theircost fieldsequal to the cost of the optimal path to the base station.

When the node generates new message, it assigns a credit to that mes- sage. The credit equals to the node’scost field minus the cost of the node. Message is then broadcasted to all neighboring nodes. One of these nodes has the cost equal to the message credit. This node lies on the optimal path and thus forwards the message. First, it modifies the credit of the message and then rebroadcasts it.

The routing does not require IDs of the nodes for the routing purposes. The path of the message is optimal with respect to the costs of the nodes. Hence the routing structure forms a minimum spanning tree rooted at the base station. The initial flooding can be reduced by forcing the nodes to wait some time before rebroadcasting the beacon. They can obtain lower cost during this time interval.

Karlof and Wagner [KW03] have analyzed the security of this protocol. It is obvious, that attacker can claim itself to be a base station and attract all traffic. Also HELLO flood attack is possible. The missing authentication is critical in this case.

We suggest to use ARMS protocol for authentication of local broadcast. This could prevent HELLO floods, because each node knows its neighbors and messages are authenticated. It could also discourage the outsider at- tacker. If a node is compromitted, it can easily advertise extremely low cost path also in case that ARMS is implemented. However, such node could be somehow detected by its neighbors and eliminated from the network. This possibility can be subject of further research. Ideas of algorithm SeRINS and itsneighbor report systemcould be helpful.

5. AUTOMATIC DESIGN OF ATTACK STRATEGY Several basic attacks were discovered by our mechanism.

Forging beacons

The generated attack strategy exploited the fundamental weakness of the algorithm. Attacker based on this strategy impersonated the base station by sending the beacon packet withcost field equal to 0. We consider this result as trivial, because one of the instructions was SEND BEACON with parametercost field. However attacker understood the need of broadcast- ing the low cost field. This attack was extremely powerful and stopped further evolution. New individuals were always getting back to this so- lution. We thus decided to ban broadcastingcost field 0, but attacker kept broadcasting as lowcost field as possible. Finally we banned the instruc- tion SEND BEACON completely. Attacker, who was not able to generate fake beacons, came up with replay attack. After obtaining a beacon from his neighbor, he immediately forwarded it without proper modification of thecost field. Hence he was able to decrease its realcost field. In this case, the impact on routing was not so dramatic.

Selective forwarding

Evolution also generated attack strategy capable of dropping messages pass- ing through his malicious nodes. This can be classified as a selective for- warding or blackhole attack. Attacker found out several techniques for drop- ping messages. The basic one is using simple DROP MESSAGE instruction from the set of elementary rules. But he was also able to find more compli- cated mechanism for dropping messages. He first stored the message into a memory slot, without its forwarding. Subsequently he overwrote the mem- ory slot with another message. This approach is complicated and unneces- sary indeed, but it demonstrates the capabilities of evolutionary algorithms to come up with several procedures to achieve the same goal.

Dropping messages occurred in strategies, whose evolution used the fit- ness functions based on number of delivered messages. This result was ex- pected. However, it became also the basic principal of the strategies which tried to extend the path of the messages. This holds for both fitness func- tions including the length of path.

Attacker tried to maximize the average length of the path by dropping messages which traveled only short distances. To evolve these attack strate- gies, we have used three basic settings. First settings has fixed network topology and the message flows. Thus the attacker is able to identify mes-

sages witch travel only short distances by trying to drop them. Fitness value provides him with the feedback on how the average length has changed. In the next generation, attacker can try to drop another message. The attacker is thus learning the flows of data during the evolution. The ability of at- tacker to adapt the strategy for the concrete topology and traffic pattern can be classified as success. There can be applications with a priori known and fixed data flows and topology. In such scenario, attacker can optimize itself to achieve optimal results.

Another settings used random topology and data flow for each attack strategy. This setting was not suitable for evolution. The fitness value achieved by an individual was highly dependant on the topology generated. Hence even poor individual was able to achieve good fitness value in the specific run of simulator. This led to varying fitness values and elimination of good individuals.

Last settings uses the set of multiple different topologies and data flows for evaluation of a single attack strategy. We expected the downgrade of the fitness value, because evolution could not optimize the strategy for spe- cific pattern. This expectation was confirmed. However the evolution was still able to find at least some strategy for dropping the messages which improved its fitness value.

These results have confirmed the predominating opinion, that evolution algorithms are primarily suitable for simple optimization problems. We see the great potential in this. We should focus more on optimization-like prob- lems in the future.

Attacks revealed by evolution has confirmed the weakness of IGF, which is the missing authentication of messages and check of their integrity. Re- play attack also drew the attention to the problem of message freshness. Possible countermeasures were discussed above.