WIRELESS NETWORK SECURITY 155 tolerable, and this may vary with every route The source keeps track of number of

losses on a path. If this number exceeds the threshold, the source node initiates a binary search on the path, assuming a faulty link exists on the source-destination route, in an attempt to locate the faulty link.

The fault detection mechanism is best explained by an example shown in Figure 1. The source specifies two random intermediate nodes, A and B, on the route called probes, each of which must send an ack for the successfully received packet. The probes divide the route into non-overlapping continuous segments. In the example, probes A and B divide the path into SA, AB, and BD. Due to the presence of the faulty link, S does not receives an ack from node B. Thus S determines a fault on the segment AB. S inserts a new probe A’ in between that segment. The probe insertion and interval subdivision continues until the faulty interval narrows down to a single faulty link. in the example it is the link A’B’. Due to binary search, the source detects a faulty link after log(L) steps, L being the total number of nodes on the route.

Link Weight Management:When a node detects a faulty link, it uses a multiplicative increase scheme to double its weight. The higher the weight, the lower the probability of that link being on any further routes.

Thus using these techniques, route discovery with fault avoidance, Byzantine fault detection, and link weight management, nodes establish routes that are free of nodes known to be malicious and may attempt ‘Byzantine’ attacks.

5.

Security in position-based routing is a relatively new area, and to the best of authors knowledge, there is no secure position-based routing protocol in the literature so far. Thus, to keep the presentation simple, we discuss security issues related to position- based greedy forwarding and some possible counter measures to fight attacks in greedy- forwarding. Fundamental to greedy-forwarding is a neighbor discovery or a hello protocol using which nodes exchange their ID and position information periodically. However, malicious node may not follow the protocol properly, and may try to spoof their ID or location as explained in Section 3.

To prevent external attacks, nodes may employ an authentication mechanism like TESLA broadcast authentication as explained in Section 4.3, along with digital signa- tures to avoid attacks due to unauthorized external nodes. On the other hand, compro- mised internal nodes can pose severe threats to the greedy-forwarding. Zhou et al. [29] identified location spoofing, traffic abusing and forwarding misbehavior as three main internal attacks, and proposed the following counter measures.

Defense against location spoofing: A possible way to defend against location spoof- ing is to use the Time of Flight (ToF) of the message and the speed of signal to estimate the distance between the two nodes. Precisely, iftis the round-trip time andsis the speed of the signal, then the distancedbetween two communicating nodes should be less than(t×s)/2, i.e.,d≤(t×s)/2. However, this method does not provide an upper

156 VENKATA C. GIRUKA and MUKESH SINGHAL bound on the distance, as a malicious node can hold the probe message for a arbitrary time to increase the ToF value. By doing this, a malicious node succeeds in claiming a farther position than its true position.

To mitigate this problem, the basic distance estimation method described above can be augmented by using a neighbor monitoring scheme along with voting. The idea depends on the fact that a false-position reported by a node tends to be inconsistent among neighbors. However, the success of this method depends on the ability of the voting system to cope with false accusations.

Defense against traffic abusing: Traffic abusing may range from dropping packets to flooding the network with junk or meaningful data at high-rate. By doing this, an attacker may attempt to exhaust network resources or overwhelm a node to do lot of packet-processing. To mitigate this problem, one can use the following observation: when an attacker abuses a node X with traffic, neighboring nodes of X experience anomalous traffic even before X. Thus, neighboring nodes may choose to drop such packets to save the attacked node.

Further, nodes can choose an upper bound and lower bound on the traffic intensity to detect anomalous traffic behavior. If a node experiences a traffic intensity above a preset lower bound, then the node may simply stop processing packets. This method works even if a node is surrounded by a group of colluding malicious nodes.

Defense against forwarding misbehaviors: Another common problem in secure- routing is to deal with forwarding misbehavior. Forwarding misbehaviors are more serious due to compromised internal nodes or due to ‘selfish’ or malicious nodes. Such nodes may want to gain services from network, but may not want to ‘give’ services to save their limiting resources like battery. Note that a ‘selfish node’ may be not malicious because a selfish node may not harm the network. To keep up with our discussion, we consider malicious nodes for forwarding misbehaviors. However, readers interested in dealing with selfish nodes are referred to [4, 28] for more details.

A simple way to work around forwarding misbehaviors is to use multiple paths. Multi-path approach mitigates packet delivery failure, but incurs control overhead to have multiple paths. Another approach is to maintain two-hop neighbor table, in con- trast to one-hop neighbor table that is maintained in most position-base protocols, at each node, and employ a neighbor monitoring mechanism to verify the next hop trans- mission. For this approach nodes need to work in the promiscuous mode. In the promiscuous mode a node can overhear transmission for other nodes within its radio range. When a node A selects a next hop B using greedy forwarding, it starts a timer to check if B forwarded the packet correctly to one of its neighbors C selected using the greedy forwarding. If the timer expires before A hears a transmission from B, then A suspects B and takes necessary actions (like flooding an accusation message). Else, if A hears a transmission from B, it checks if B selected a proper next hop. Since A, as well as other nodes, maintains a two-hop neighbor table, it can verify the next hop selection of B. However, the neighbor monitoring in promiscuous mode is prone to error, and sometime malicious node may attempt to falsely accuse benign nodes. Thus, protocols that deal with such errors and false accusations [2] may help mitigate the problem.

WIRELESS NETWORK SECURITY 157