4.3 Proposed Model
4.3.2 The model
Our model has been developed with a view to form an honest opinion about the trustworthiness of the nodes with collaborative effort from their neighbors. The underlying assumptions in developing the model are the existence of shared bi-directional wireless channels, promiscuous operation of the ad-hoc nodes, and the existence of an on-demand routing protocol on top of which our proposed model can be built. In the following section we analyze different malicious behavior and quantify them to gradually develop the model.
4.3.2.1 Trust Model Against Selfish Behavior
The development of the model to punish a node for selfish behavior is based on the Secure and Objective Reputation-based Incentive (SORI) scheme proposed in (He et al. 2004) with several modifications. We will elaborate more on these modifications as we describe the trust model. The parameters are described below:
(i) $NNL_N$ = Neighbor Node List (each node maintains a list of its neighbors, either by receiving Hello messages, or by learning from overhearing).
(ii) $RF_N(X)$ (Request for Forwarding) = total number of packets node N has forwarded to node X for further forwarding.
(iii) $HF_N(X)$ (Has Forwarded) = total number of packets that have been forwarded by X and noticed by N.
We are not discussing the details of updating these parameters, which can be found in (He et al. 2004). With the above parameters, node N can
A Framework for Computing Trust in Mobile Ad-Hoc Networks 71
create a local evaluation record (denoted by $LER_N(X)$) about X. The record $LER_N(X)$ consists of two parameters shown below:
$LER_N(X)$ = Local Evaluation Record of node N of node X. It reflects the evaluation of the behavior of node X by another node N.
where,
$G_N(X)$ = Forwarding ratio of node N on node X.
$C_N(X)$ = Confidence level of N on X.
The confidence level $C_N(X)$ is computed as below:

$$C_N(X) = \frac{\sum_t HF_N(X)}{\sum_t RF_N(X)} \tag{4.1}$$

Node N computes its confidence level on X after sending packets to X over a time period t.
We propose a propagation model similar to the one proposed in SORI. Each node updates its local evaluation record (LER) and sends it to its neighbors. When a node N receives the $LER_i(X)$ from node i, it computes the overall evaluation record of X (denoted by $OER_N(X)$), as given below:

$$OER_N(X) = \frac{\sum_{i \in NNL_N,\, i \neq X} C_N(i) \ast C_i(X) \ast G_i(X)}{\sum_{i \in NNL_N,\, i \neq X} C_N(i) \ast C_i(X)} \tag{4.2}$$

where,
$C_N(i)$ = confidence level of node N on node i from which it receives $LER_i(X)$
$C_i(X)$ = confidence level of node i on node X
$G_i(X)$ = forwarding ratio of node i on X
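Equations 4.1 and 4.2 worked through on sample values, as an added example that is not code from the chapter or from SORI. The node names and numbers are constructed, and returning 0 or None for an empty denominator is an assumption the chapter does not address.

```python
from dataclasses import dataclass

@dataclass
class LER:
    """LER_i(X): what reporter i says about node X."""
    g: float  # G_i(X), forwarding ratio of i on X
    c: float  # C_i(X), confidence level of i on X

def confidence(hf_counts, rf_counts):
    """Eq. 4.1: sum of HF_N(X) over the period divided by sum of RF_N(X)."""
    rf = sum(rf_counts)
    if rf == 0:
        return 0.0  # assumption: nothing sent to X yet, so no basis for confidence
    return sum(hf_counts) / rf

def overall_evaluation(conf_in, lers, target):
    """Eq. 4.2: OER_N(X) as a weighted mean of the reported G_i(X).

    conf_in maps neighbour i -> C_N(i); lers maps reporter i -> LER_i(X).
    Reports from X itself or from nodes outside NNL_N are skipped.
    """
    num = den = 0.0
    for i, ler in lers.items():
        if i == target or i not in conf_in:
            continue
        weight = conf_in[i] * ler.c      # C_N(i) * C_i(X)
        num += weight * ler.g
        den += weight
    # With every weight at zero the ratio is undefined; signal that to the caller.
    return None if den == 0 else num / den

# Constructed sample: N's neighbour list and the records it has received about X.
CONF_IN = {"A": 0.9, "B": 0.5, "C": 0.1, "X": 0.7}
LERS_ABOUT_X = {
    "A": LER(g=0.9, c=0.8),
    "B": LER(g=0.4, c=0.5),
    "C": LER(g=0.0, c=1.0),   # barely trusted neighbour claiming X forwards nothing
    "X": LER(g=1.0, c=1.0),   # X vouching for itself: ignored
    "D": LER(g=0.0, c=1.0),   # not in NNL_N: ignored
}

if __name__ == "__main__":
    print(confidence([8, 7], [10, 10]))
    print(overall_evaluation(CONF_IN, LERS_ABOUT_X, "X"))
```

Because each report is weighted by $C_N(i) \ast C_i(X)$, the report from C moves the result only as far as N's own confidence in C allows.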
4.3.2.2 Trust Model Against Malicious Accuser
The calculation of confidence level in equation 4.1 is based only on the nodes’ decision to forward packets, and does not take into account the malicious accusation of a node about another node. We foresee a threat where a node falsely accuses another node of not forwarding its packets, eventually to isolate the latter as an untrustworthy node. This malicious act should also be reflected in the trust computation, where every node should be given a chance to defend itself. Equation 4.3 below shows the calculation of confidence level taking into account both selfish behavior and false accusation.

$$C_N(X) = \left(\frac{\sum_t HF_N(X)}{\sum_t RF_N(X)}\right) \ast \alpha_X(N) \tag{4.3}$$

where, $\alpha_X(N)$ = accusation index of N by X:

$$\alpha_X(N) = \begin{cases} 0 & \text{if X falsely accuses N} \\ 1 & \text{otherwise} \end{cases}$$
Node N keeps track of the packets it received from X and the packets it forwarded. If N finds out that X is falsely accusing it of non-cooperation, it recomputes its confidence level on X by taking into account the accusation index. It then broadcasts the new $LER_N(X)$ with the new $C_N(X)$, thus resulting in computation of a new $OER_N(X)$, which is low enough to punish X. Thus, any sort of malicious behavior of X by falsely accusing other nodes gets punished eventually.
4.3.2.3 Conflict Resolution
It may so happen that two nodes come up with conflicting views of each other. This can be a common problem in ad-hoc networks as the nodes are forced to communicate with near-strangers without any prior information about their trustworthiness. To resolve such conflicting views and compute an honest opinion of a node’s trustworthiness, we need to consider three scenarios.
• Scenario I: Two nodes have mutual high trust of each other: this scenario does not lead to a conflicting opinion, and can be treated as the normal and expected behavior. However, if two nodes collude with each other and come up with high mutual trust, while not cooperating with other nodes, this can lead to an untrustworthy situation that severely affects network performance and security. However, the discussion and analysis of colluding threats are beyond the scope of this paper.
• Scenario II: Two nodes have mutual low trust of each other: if both the nodes are to be believed, then they are to be isolated as malicious and non-cooperating nodes. The network will be safer, but the decision will affect network performance. This can be viewed as a conservative approach.
• Scenario III: Two nodes have conflicting opinions about each other: this scenario can lead to two different cases. First, if both the nodes are right in assessing each other, then one of them is not cooperating;
72 Ghosh et al.
and second, if one of them is falsely accusing the other, that will lead to the malicious accusation scenario discussed earlier. However, both these two cases will ultimately lead to scenario II, as the node getting accused (falsely or rightly) will eventually accuse its accuser, and both will have low trust of each other.
Resolving this type of conflict is non-trivial. When a node receives mutual low confidence of other nodes, it has two clear choices: either to believe both, or to believe one of them. If both nodes are to be believed, then they are barred from taking part in the route selection process, essentially isolating them from participating in the normal network operation. This approach is viewed as extremely conservative, and, although secure, will degrade the network performance as more nodes start getting isolated. However, we have a different approach to solve the conflicting situation. In our approach, when a node receives mutual low confidence of other nodes, it will put both of them in quarantine, and will monitor their behavior without changing their confidence levels. However, if the quarantined nodes persist with mutual low trust, and their assessment by other nodes starts getting low, they are eventually isolated. On the other hand, if the nodes change their mutual opinions, they are removed from the quarantine. This acts as an incentive to a malicious accuser for not accusing other nodes falsely, because that will eventually isolate the accuser too, which will defy its purpose of accusing other nodes. The amount of time the nodes will be in quarantine is a critical design parameter that will affect the overall network performance, the discussion of which is beyond the scope of this paper.
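The quarantine rule above written as a small state machine, as an added example that is not code from the chapter. The 0.4 cut-off for "low", the per-node isolation decision, the rule that isolation is final, and the sample traces are all assumptions made for illustration.

```python
from enum import Enum

class State(Enum):
    NORMAL = "normal"
    QUARANTINED = "quarantined"
    ISOLATED = "isolated"

LOW = 0.4  # assumed cut-off for "low"; the chapter does not fix a value

class PairMonitor:
    """An observer's view of two neighbours, A and B, that rate each other."""

    def __init__(self, low=LOW):
        self.low = low
        self.state = {"A": State.NORMAL, "B": State.NORMAL}

    def update(self, c_a_on_b, c_b_on_a, oer_a, oer_b):
        """Process one round of reports and return the state of both nodes.

        c_a_on_b is C_A(B) as broadcast by A, c_b_on_a is C_B(A); oer_a and
        oer_b are the observer's OER for each node from the other neighbours.
        The observer never rewrites these values while a node is quarantined.
        """
        mutual_low = c_a_on_b < self.low and c_b_on_a < self.low
        for node, oer in (("A", oer_a), ("B", oer_b)):
            current = self.state[node]
            if current is State.ISOLATED:
                continue                                  # assumption: no way back
            if not mutual_low:
                self.state[node] = State.NORMAL           # opinions changed: release
            elif current is State.NORMAL:
                self.state[node] = State.QUARANTINED      # Scenario II reached: watch
            elif oer < self.low:
                self.state[node] = State.ISOLATED         # persisted, others agree
        return dict(self.state)

def run(rounds):
    """Replay (C_A(B), C_B(A), OER(A), OER(B)) tuples and collect the states."""
    monitor = PairMonitor()
    return [monitor.update(*r) for r in rounds]

# Constructed trace: A starts accusing B, B retaliates, other nodes then mark A down.
FALSE_ACCUSER = [(0.9, 0.9, 0.8, 0.8), (0.1, 0.9, 0.8, 0.8),
                 (0.1, 0.2, 0.8, 0.8), (0.1, 0.2, 0.3, 0.8)]
# Constructed trace: mutual low trust for one round, then both revise their opinions.
RECONCILED = [(0.2, 0.2, 0.8, 0.8), (0.7, 0.8, 0.8, 0.8)]
```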
4.3.2.4 Trust Model Against Malicious Topology Change
A node may engage in route flapping, where it forces the network topology to change frequently by putting itself in an active route and then withdrawing and putting itself back. This will generate a large number of route request packets, essentially slowing down the network operation. If such a behavior is detected, the confidence level must be changed in order to punish the malicious node. However, detection of such a behavior is not easy, as any such topology change can be viewed as a normal characteristic of an ad-hoc network. We have tried to capture such a malicious act by modeling the action and reflecting it in the computation of trust.
To develop the model, we require each node to maintain a table called a neighbor remove table, where it keeps track of any node moving out of the path. The table is populated by successive Hello misses in AODV (Perkins and Royer 1999), or from the unreachable node address field in the RERR
packet in DSR (Johnson and Maltz 1999). A snapshot of the table is shown below:
Table 4.1. Snapshot of Neighbor Remove Table
Node Address | Time of Leaving | Time Difference
X            | T1              | t0 = 0
X            | T2              | t1 = T2 – T1
X            | T3              | t2 = T3 – T2
X            | T4              | t3 = T4 – T3
Mean = μt
Each node periodically scans the table to find whether any particular node is leaving at frequent intervals. It computes the mean, $\mu_t$, of the time difference of any particular node leaving the network. If $\mu_t$ is found lower than a threshold value (denoted by $t_{threshold}$), then the node is identified as malicious and the confidence level is computed as follows:

$$C_N(X) = \left(\frac{\sum_t HF_N(X)}{\sum_t RF_N(X)}\right) \ast m(X) \tag{4.4}$$

where, $m(X)$ = malicious index of node X:

$$m(X) = \begin{cases} 0 & \text{if } \mu_t \le t_{threshold} \\ 1 & \text{otherwise} \end{cases}$$
The threshold value can be selected based on the application for which the ad-hoc network is deployed. A network that demands frequent topology change can have a higher threshold to accommodate the normal network behavior. The choice is not discussed in this paper and is left for future consideration.
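The neighbor remove table and the malicious index of equation 4.4 as an added example, not code from the chapter. The class and function names, the 10-second threshold, the minimum of three departures before a node is judged, and leaving the t0 = 0 row out of the mean are assumptions; the departure times are constructed.

```python
from statistics import mean

class NeighborRemoveTable:
    """Departure log per neighbour, mirroring Table 4.1."""

    def __init__(self, t_threshold, min_departures=3):
        self.t_threshold = t_threshold        # application-specific, same unit as timestamps
        self.min_departures = min_departures  # assumption: fewer samples are not judged
        self.leaves = {}

    def record_leave(self, node, when):
        """Log a departure learned from Hello misses (AODV) or an RERR (DSR)."""
        self.leaves.setdefault(node, []).append(when)

    def mean_gap(self, node):
        """mu_t over T2-T1, T3-T2, ...; the t0 = 0 row is left out (assumption)."""
        times = sorted(self.leaves.get(node, []))
        if len(times) < max(2, self.min_departures):
            return None
        return mean(b - a for a, b in zip(times, times[1:]))

    def malicious_index(self, node):
        """m(X) of Eq. 4.4: 0 if mu_t <= t_threshold, 1 otherwise."""
        mu = self.mean_gap(node)
        return 0 if mu is not None and mu <= self.t_threshold else 1

def punished_confidence(hf_total, rf_total, m_x, alpha=1):
    """Eq. 4.4; passing the accusation index alpha of Eq. 4.3 gives Eq. 4.5."""
    ratio = hf_total / rf_total if rf_total else 0.0
    return ratio * alpha * m_x

def sample_table():
    """Constructed departure times in seconds; the 10 s threshold is an assumption."""
    table = NeighborRemoveTable(t_threshold=10)
    for node, times in {"X": [100, 104, 109, 113],   # flapping
                        "Y": [50, 400, 900],         # ordinary mobility
                        "Z": [75]}.items():          # too few samples
        for t in times:
            table.record_leave(node, t)
    return table

if __name__ == "__main__":
    t = sample_table()
    for n in "XYZ":
        print(n, t.mean_gap(n), punished_confidence(18, 20, t.malicious_index(n)))
```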
Finally, to combine all the malicious behaviors discussed earlier and to reflect those behaviors in trust computation, the confidence level of node N on X is computed as shown below:

$$C_N(X) = \left(\frac{\sum_t HF_N(X)}{\sum_t RF_N(X)}\right) \ast \alpha_X(N) \ast m(X) \tag{4.5}$$

The final overall evaluation record (OER), when computed based on the local LERs, will reflect the different malicious behavior of a node as
lly any malicious act gets detected and punished.