Secure Forwarding in Personal Ad Hoc Networks

Academic year: 2021

Master Thesis

Author:

Qi Xu

Supervisors:

Dr.ir. Sonia Heemstra de Groot (INF-DACS/WMC)

Dr.ir. Pieter-Tjerk de Boer (INF/DACS)

Assed Jehangir M.Sc. (INF/DACS)

ir. Simon Oosthoek (WMC)

Design and Analysis of Communication Systems

Faculty of Electrical Engineering, Mathematics and Computer Science

University of Twente

Abstract

This thesis focuses on secure packet forwarding in ad hoc networks and proposes a new reputation-based solution to mitigate the effects of adverse situations caused by misbehaving nodes. The new solution consists of three necessary parts: detection, prevention and reaction. An objective and effective dynamic detection mechanism is introduced. It can be used to detect misbehaving nodes by performing neighbor monitoring and local reputation exchange in a fully distributed way. A new prevention approach based on reputation information of intermediate nodes is also described. This prevention mechanism exploits the local knowledge of all well-behaving nodes to bypass misbehaving nodes, evaluate path quality and choose the most reliable path for data forwarding. In addition, some reaction approaches are mentioned which could be used to enforce cooperation in ad hoc networks. Furthermore, the packet delivery ratio is primarily evaluated in different scenarios.

Acknowledgement

This thesis is the result of my work in WMC for the master final project. Many people contributed to the completion of this thesis. I would like to express my gratitude to all these people who gave me help and support during this period of time.

The first person I would like to acknowledge is my direct supervisor Sonia Heemstra de Groot, who helped me whenever I had problems during the research. Her valuable guidance and technical advice enabled me to complete this project.

I want to express my gratitude to Assed Jehangir, who kept close to the process of my work, was always available when I needed his help, and provided me with much information and support. I am very grateful to my committee members Pieter-Tjerk de Boer and Simon Oosthoek for their valuable comments and recommendations. Thanks to Bram van Zeist and Malohat Kamilova, with whom we had pleasant and fruitful discussions while working on the project. I am grateful to the people in WMC for the fine working atmosphere and for their support.

My absolute acknowledgement is dedicated to my parents, who gave me great encouragement and inspiration throughout my study. Their support enabled me to complete this thesis and finish my education in UT.

Table of Contents

Abstract
Acknowledgement
1 Introduction
1.1 Background
1.1.1 WLAN
1.1.2 WPAN
1.1.3 PN
1.1.4 Mobile Ad Hoc Network
1.2 Research Objective
1.3 Other Relevant Technologies
1.4 Thesis Structure
2 Secure Data Forwarding in Mobile Ad Hoc Networks
2.1 Secure Routing Challenges and Solutions
2.1.1 Challenges
2.1.2 Secure Routing Protocols
2.2 Secure Data Forwarding Challenges and Solutions
2.2.1 Challenges
2.2.2 Secure Data Forwarding Solutions
3 A New Reputation-based Secure Forwarding Solution
3.1 Motivations
3.1.1 Reputation Requirements
3.1.2 Solution Features
3.2 Assumptions
3.3 Solution Overview
3.3.1 Detection
3.3.2 Prevention
3.3.3 Reaction
4 Dynamic Misbehaving Node Detection
4.1 Neighbor Sensing
4.2 Neighbor Monitoring Rules
4.2.1 Packet Forwarding Monitoring
4.2.2 Data Packet Forwarding Rules
4.2.3 Route Packet Forwarding Rules
4.3 Detection Mechanism Description
4.3.1 Neighbor Sensing Implementation
4.3.2 Neighbor Table
4.3.3 Neighbor Monitoring and Local Reputation Calculation
4.3.4 Weaknesses of Neighbor Monitoring
4.3.5 Possible Optimizations
5 Prevention Technique and Optimal Route Discovery
5.1 Motivation
5.1.1 Bypassing Misbehaving Nodes
5.1.2 Optimal Route Discovery
5.1.3 Local Reputation
5.2 Overview
5.3 Detailed Operations
5.3.1 Originating a Route Request Packet
5.3.2 Processing a Received Route Request Packet
5.3.3 Originating a Route Reply Packet
5.3.4 Processing a Received Route Reply Packet
5.3.5 Optimal Route Selection
5.4 Analysis
5.4.1 Performance for Various Misbehaving Nodes
5.4.2 Limitations
6 Performance Evaluation
6.1 Network Simulator Introduction
6.2 DSR in NS-2
6.2.1 Mobile Node Architecture
6.2.2 DSR Mobile Node Architecture
6.2.3 DSR Implementation in NS-2
6.3 Simulation Setup
6.3.1 Simulation Configuration
6.3.2 Movement Model
6.3.3 Communication Model
6.3.4 Misbehaving Nodes
6.4 Simulation Result Analysis
6.4.1 Mobility Influence
6.4.2 Misbehaving Nodes
6.4.3 Bypassing Misbehaving Nodes
6.4.4 Optimal Route Discovery
7 Future Work
8 Conclusion
Reference

1 Introduction

In recent years, rapid growth in wireless communications has stimulated a great deal of research in this field. Many new wireless technologies have been developed, such as WiFi, HiperLAN, Bluetooth, ZigBee, UWB and WiMax. This chapter gives the corresponding background and the objective of this assignment.

Section 1.1 presents the background information, in which the Personal Network and the mobile ad hoc network are primarily introduced. Section 1.2 describes the objective of this assignment. Section 1.3 briefly introduces the other relevant technologies investigated and discussed during this period of time. Section 1.4 gives the structure of this thesis.

1.1 Background

Wireless technologies have many advantages compared with their wired competitors, such as flexibility, robustness, mobility and scalability. Therefore, many wireless technologies have been developed recently for various purposes. The following table shows some well-known wireless technologies.

1.1.1 WLAN

A wireless local area network (WLAN) is one in which a mobile device can connect to a local area network through a wireless connection. WLAN technologies have created a fast-growing market. They also introduce the flexibility of wireless access into office, home, and various other environments. In addition, many infrastructure providers have been building wireless LAN hot spots in public areas such as airports, railroads, and hotels, to enable people to perform data communication in a more convenient way.

The IEEE 802.11 [4] standards specify the technologies for wireless LANs. Current standard-based wireless LANs can operate at high speeds. For example, the majority of WLAN products (802.11b) today are able to communicate at speeds up to 11 megabits per second, new WLAN standards (802.11a and 802.11g) are able to provide up to 54 Mbps transmission, and 802.11n [9] is expected to support a transmission rate of at least 100 Mbps. Some other standards within the 802.11x family have recently been proposed for different requirements. For example, 802.11e is intended to enhance the 802.11 MAC to improve and manage Quality of Service (QoS), 802.11i defines strong authentication and access control mechanisms to provide improved security, and 802.11k defines a radio resource measurement mechanism.

1.1.2 WPAN

Personal Area Networks (PANs) [3] also have received much interest in the research community recently. The trend is due to the rapid development of personalized devices and the growing user-centric communication and computing applications. A wireless personal area network (WPAN) is a short-range wireless ad hoc communication system built in the vicinity of a person. WPANs can be used for data communications among the personal devices, or for connecting these devices to a higher level network or the Internet.

IEEE 802.15 standards specify the wireless technologies for WPANs, such as the low layers of Bluetooth [5] and Zigbee [7]. Power consumption, complexity, size and cost constraints are considered carefully in these technologies in order to design short-range, low-cost wireless devices. These wireless technologies have different purposes: 802.15.3 (WiMedia) [6] is intended to support fast transmission rates and is suitable for home networks, while 802.15.4 (Zigbee) is designed for sensor networks and targets low power consumption and low cost.

1.1.3 PN

1.1.3.1 Introduction

More and more small but powerful mobile devices have been produced and have become popular in recent years, and person-centric applications and services are becoming more attractive. As a consequence, many researchers are working in this field to develop new networks to meet the increasing requirements. A personal network (PN) [1,2] is a new concept related to pervasive computing with a strong user-focused view, which extends a person’s Personal Area Network (PAN) with remote devices and services. The extension could be made via infrastructure-based networks or multi-hop ad hoc networks. PN is now being developed within the IST MAGNET project [10].

A PN connects a person's Personal Nodes together by using direct local wired or wireless connections as well as infrastructure-based connections and multi-hop ad hoc networks (connecting geographically dispersed Personal Nodes). By integrating all of a person’s devices and resources into that person’s PN, not only the devices within the person’s vicinity can be used, but those far away are also available at any moment. Communication with other persons’ Personal Networks as well as with independent Foreign Nodes is also considered. For example, in figure 1, the PN includes the nodes in the core PAN (Private-PAN) around the user, and nodes in remote networks (clusters), such as the home network and the corporate network. The geographically dispersed clusters could be interconnected through a variety of available networks, such as the Internet, UMTS, and ad hoc networks. Therefore, a person can make use of all his/her devices and relevant services regardless of the current location. Besides, communications among different persons’ nodes could also be performed at the same time.

Figure 1. An example of a PN [1]

A PN must be self-configuring and self-organizing to adapt to changes in the surroundings, the user’s context, location and other conditions, so that ordinary users can operate their Personal Networks in an efficient and simple way. Because a PN could incorporate all possible devices of a person, not only the portable devices are included, but the devices at home, in the car and in the office should also be considered. Therefore, on the network layer, all these devices and networks should be integrated into one PN.

1.1.3.2 Abstraction levels

Figure 2. Three-level PN architecture [38]

As shown in figure 2, a PN architecture has been proposed in the IST MAGNET project [37, 38]. The first level is called the service abstraction level, which addresses the problems related to discovering services inside or outside a PN. The second level is the network abstraction level, which addresses the problems related to the network and transport layers. The third level is called the connectivity abstraction level, which specifies and implements PAN radio interfaces.

1.1.3.3 Communication in PNs

Secure routing and forwarding is the research objective of this assignment, so some routing issues in PNs are introduced in this section. The network layer is the place where the whole PN for a particular person is constructed and maintained. It is concerned with issues such as addressing, routing and self-organization. Communications in PNs could be classified into several domains.

1.1.3.3.1 Communication in P-PAN

The advantage for secure data communication in a P-PAN is that all nodes within this network belong to the same user. Therefore, trust relationships can be established easily among these nodes. Mobile ad hoc networks are suitable for a P-PAN. Either proactive or reactive routing protocols could be used in a P-PAN, depending on the concrete scenario. Routing protocols designed for mobile ad hoc networks are introduced in section 1.1.4.4.

Figure 3. Communication in P-PAN

1.1.3.3.2 Intra-cluster Communication

Intra-cluster communication has characteristics similar to those of P-PAN communication. However, since less communication is likely to take place in a cluster than in a P-PAN, a reactive routing protocol may be more suitable.

Figure 4. Intra-cluster communication

1.1.3.3.3 Inter-cluster Communication

In each cluster, one (or multiple) node is selected as gateway and is responsible for handling all traffic to or from the nodes in this cluster. If a node wants to communicate with another node in a different cluster, it first needs to send data to the gateway. Inter-cluster communication depends on the interconnection structure that connects the different clusters. If an infrastructure network is used as the interconnection structure, IPsec could be used to provide security using tunnel, authentication and encryption mechanisms. If the interconnection structure is an ad hoc network, more security problems appear: for example, intermediate nodes could drop packets or modify routing information to launch a variety of attacks.

Figure 5. Inter-cluster communication

1.1.3.3.4 Communication with foreign nodes

The lack of trust relationships poses big challenges for secure communication in this scenario. In infrastructure networks, central agents (Certification Authorities) could be used to support the establishment of trust relationships. However, it is possible that no such CA is available in some situations. Several solutions are mentioned in [80] to address this problem, such as SUCV [81] and pre-authentication.

Figure 6. Communication with foreign nodes

A mobile ad hoc network could be quite a suitable network to apply in PNs, not only for communications among Personal Nodes in a P-PAN, but also for interconnecting geographically dispersed nodes that belong to multiple clusters (figures 5 and 6). In order to route packets among Personal Nodes as well as to and from Foreign Nodes, routing schemes [38, 39] must be investigated in PNs.

In order to make the research more general, in this project, we investigate routing and data forwarding security in a mobile ad hoc network in which trust relationships only exist between sender nodes and destination nodes.

1.1.4 Mobile Ad Hoc Network

Mobile ad hoc networks could be important network architectures in PNs due to their unique characteristics, such as infrastructure-independence and self-organization. Within a P-PAN or cluster, a mobile ad hoc network is quite suitable for data exchange among devices due to its simplicity and dynamic topology. When inter-cluster communication is considered, each cluster is regarded as a small mobile network. All these networks could be interconnected through mobile ad hoc networks. In other words, all cluster gateway nodes can communicate with each other to form a mobile ad hoc network. This is especially useful for communication with other persons’ PNs.

1.1.4.1 Introduction

During the past decade, mobile computing and wireless communication technologies have been developing extremely fast due to the proliferation of inexpensive, widely available wireless devices. Current cellular systems have reached a high penetration rate, enabling worldwide mobile communication and Internet access. In addition, more and more wireless LAN hot spots are emerging, allowing people to surf the Internet in airports, railways, hotels and other public areas with their portable devices, such as laptops.

All these networks are conventional networks which depend on fixed network infrastructure and central administration. These networks require a large investment before they are operational and useful. Furthermore, updating these networks to meet continuously growing requirements, such as bandwidth, has proven to be quite expensive and slow.

And at the same time, more and more digital devices are produced which could be equipped with relatively short-range wireless transmission interfaces. These devices are becoming smaller, cheaper, and more popular and powerful. In order to enable multiple small portable devices to interconnect with each other without any fixed infrastructure, a new alternative network architecture has been designed, in which all devices form a self-organizing and self-administering wireless network, called a mobile ad hoc network [8, 27].

The emergence of mobile ad hoc networks enables network access and data communication in areas where no fixed infrastructure exists or the existing infrastructure is not available. Because ad hoc networks do not rely on any existing infrastructure and are self-organizing, this kind of network is quite suitable for communication in very diverse environments. For example, mobile ad hoc networks can be used on the battlefield as well as in remote areas where infrastructure is not available and building it would be too expensive or time consuming. They can also be used in an area suffering from a natural disaster.

1.1.4.2 Common Network Architectures

There are two common architectures of a mobile ad hoc network:

other sub-networks through its gateways. All traffic to and from a sub-network must pass through its gateways. It could be a feasible network model for PNs, in which multiple clusters belonging to the same or different persons could form big mobile ad hoc networks dynamically. An example of such a mobile ad hoc network is shown in figure 7.

Figure 7. A two-tier mobile ad hoc network

• Flat network architecture: In this architecture, all nodes are treated equally, and there is no gateway in a cluster. An example of a flat mobile ad hoc network is shown in figure 8.

Figure 8. A flat mobile ad hoc network

1.1.4.3 Characteristics of Mobile Ad Hoc Networks

Characteristics

• Infrastructure-independence
• Multi-hop
• Dynamic network topology
• Energy constrained operation
• Bandwidth constrained
• Limited physical security
• Network scalability
• Decentralized control and management
• Self-organization and self-configuration

Table 2. Characteristics of mobile ad hoc networks

1.1.4.4 Routing Protocols

Within a mobile ad hoc network, a node's radio transmission range typically cannot cover the whole network. To enable a node to communicate with nodes outside its radio coverage, a route generally contains several intermediate nodes, which is why ad hoc networks are also referred to as multi-hop networks.

For data communication in a network, a node must depend on routing protocols to discover routes to the specific destinations. A mobile device is generally limited by its available resources, such as computation capability and memory capacity. Moreover these devices are likely to be battery powered, so energy constraint is another important issue that must be considered. Because of these resource limitations, routing protocols designed for mobile ad hoc networks must take special requirements into account.

Therefore, the existing routing protocols designed for wired networks are not suitable for mobile ad hoc networks, and new routing protocols have been designed recently. Some routing protocols are introduced here.

1. Proactive routing protocols

For proactive routing protocols, the routing control information is exchanged in the network periodically to enable each node to get a good knowledge of network topology. The advantage of this kind of routing protocols is that the routes are available immediately when a node wants to communicate with other nodes.

• DSDV

Destination-Sequenced Distance-Vector (DSDV) [28] was developed in 1994 by C. Perkins and is a proactive distance-vector routing protocol. It differs from traditional distance vector routing protocols in that each entry in the routing table or in a routing update message is tagged with a sequence number, which is generated by the destination. The sequence number is used to guarantee loop freedom and to prevent stale routing information from being used. Only routing information with a higher destination sequence number, or with the same destination sequence number but a better metric, is used to update the routing table. This technique ensures that only the newest routing information is used.

• OLSR

Optimized Link State Routing Protocol (OLSR) [29, 30] is an optimization over a pure link state routing protocol, and utilizes a multicast-like mechanism to reduce control traffic overhead. Each node declares a subset of its symmetric 1-hop neighbors as its multipoint relays (MPRs), through which all its symmetric 2-hop neighbors can be reached. OLSR minimizes the flooding of control traffic in the network by using only these MPRs to retransmit control messages. This technique significantly reduces the number of retransmissions required to flood a message to all nodes in the network. Furthermore, OLSR requires a node to broadcast only a part of its link state information about its neighbors.

• TBRPF

Topology Dissemination Based on Reverse-Path Forwarding (TBRPF) routing protocol [74] is another proactive, link state routing protocol designed for mobile ad hoc networks. Each node reports part of its source tree to its neighbors to minimize overhead. A modification of Dijkstra’s algorithm is used to calculate a source tree and only partial topology information in the topology table is used. Both periodic and differential updates are used to enable all neighbors to obtain full or additional topology information.
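The multipoint-relay idea described for OLSR above can be made concrete with a short selection routine. This is an added example, not code from the thesis or from an OLSR implementation; it is a simplified greedy heuristic (it ignores the willingness values real OLSR uses), and the node names and topology are constructed.

```python
# Added example: simplified greedy multipoint-relay (MPR) selection.
# Node names and topology are constructed for illustration.

def select_mprs(me, one_hop, reach):
    """Pick 1-hop neighbours that together cover every strict 2-hop neighbour.

    me       -- id of the selecting node
    one_hop  -- set of symmetric 1-hop neighbour ids
    reach    -- dict: 1-hop neighbour -> set of nodes it reports as neighbours
    """
    # Strict 2-hop neighbours: reachable through a neighbour, excluding
    # ourselves and nodes that are already 1-hop neighbours.
    uncovered = set().union(*(reach.get(n, set()) for n in one_hop))
    uncovered -= one_hop | {me}
    mprs = set()

    # Step 1: a neighbour that is the only way to reach some 2-hop node
    # has to be selected.
    for target in sorted(uncovered):
        providers = [n for n in one_hop if target in reach.get(n, set())]
        if len(providers) == 1:
            mprs.add(providers[0])
    for n in mprs:
        uncovered -= reach[n]

    # Step 2: greedily add the neighbour that covers the most nodes that
    # are still uncovered (ties broken by name for determinism).
    while uncovered:
        best = max(sorted(one_hop - mprs),
                   key=lambda n: len(reach.get(n, set()) & uncovered))
        mprs.add(best)
        uncovered -= reach.get(best, set())
    return mprs


def flood_relays(me, one_hop, reach):
    """Number of neighbours that retransmit a flooded control message."""
    return {
        "plain_flooding": len(one_hop),   # every neighbour rebroadcasts
        "with_mprs": len(select_mprs(me, one_hop, reach)),
    }


# Constructed topology seen from node A.
ME = "A"
ONE_HOP = {"B", "C", "D", "E"}
REACH = {
    "B": {"A", "F", "G"},
    "C": {"A", "G", "H"},
    "D": {"A", "H"},
    "E": {"A", "I", "B"},
}

if __name__ == "__main__":
    print(sorted(select_mprs(ME, ONE_HOP, REACH)))
    print(flood_relays(ME, ONE_HOP, REACH))
```

B and E are forced choices because they are the only path to F and I; one of C or D then suffices to reach H.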

2. Reactive routing protocols

Reactive routing protocols work in an on-demand way. Routing information is only transmitted in the network when a node has something to send but no suitable route is available. This kind of routing protocol is suitable for large networks, and the necessary route control traffic is smaller than that of proactive routing protocols.

• AODV

Ad hoc On-Demand Distance Vector (AODV) [31] routing protocol is a reactive routing protocol specially designed for mobile ad hoc networks. It enables mobile nodes to obtain routes quickly for new destinations, and does not require nodes to maintain routes to destinations that are not in active communication. AODV builds routes using a route request / route reply query cycle. Each node keeps a next-hop routing table containing the destinations to which it currently has a route. AODV makes use of a destination sequence number for each route entry to guarantee loop freedom.

• DSR

Dynamic Source Routing (DSR) [32] protocol is another well-known reactive routing protocol designed for mobile ad hoc networks with various efficiency improvements. DSR is one of the most preferred protocols due to its simplicity and efficiency. It enables the network to be completely self-organizing and self-configuring. DSR also employs route request / route reply packets in the route discovery phase to discover routes on demand. Each node keeps a routing table that contains full paths to some specific destinations. In the data packet forwarding phase, a complete path is included in each data packet.

3. Hybrid routing protocols

For hybrid routing protocols, both proactive and reactive mechanisms are applied.

• ZRP

Zone routing protocol (ZRP) [33] is a hybrid routing protocol that combines both the proactive and the reactive routing mechanisms. The route discovery phase can be divided into an intra-zone discovery and an inter-zone discovery. Intra-zone discovery involves all the nodes whose distance from the sender is within a certain number of hops, and it is executed in a proactive way. Inter-zone discovery operates using a reactive approach. The tradeoff between proactive and reactive routing protocols defines the optimal zone radius in a specific network.

Besides the routing protocols mentioned above, many other routing protocols have been proposed, such as Temporally-Ordered Routing Algorithm (TORA) [34], Dynamic MANET On-demand Routing Protocol (DYMO) [35], and Ariadne [36].

1.2 Research Objective

The ad hoc nature of PNs brings serious security challenges. Research in the field of secure routing could be divided into two complementary parts: secure route discovery and secure data forwarding. This thesis addresses the problems on secure data forwarding.

In ad hoc networks each node functions as a router and forwards packets for other nodes. Here, we study the impact of misbehaving nodes on packet forwarding. Most existing routing protocols designed for ad hoc networks assume a trusted and non-adversarial environment in which each node is cooperative and well-behaving. This assumption does not hold in a hostile environment. The existence of misbehaving nodes may significantly disrupt the network operation and degrade the network performance. For example, if a misbehaving node on an active route drops data packets, then a large number of packets will be lost. Simulation results show that the average packet delivery ratio of DSR [11] degrades by 30% when 20% of the nodes are misbehaving nodes [12].

The main objective of this research is to investigate security issues in the context of PNs based on mobile ad hoc networks, analyze the benefits and weaknesses of currently existing solutions, and find new and effective solutions for the purpose of secure data forwarding in mobile ad hoc networks.

1.3 Other Relevant Technologies

During this assignment, in addition to the investigation of security challenges and the corresponding secure routing and forwarding techniques, other relevant technologies have also been studied to evaluate their applicability and adaptability in PNs. Security in Bluetooth [13, 14, 15] and 802.11i [16] was analyzed to see whether these security mechanisms could be used in PNs to provide link-level security for data communication. Link-level authentication and encryption, initial key establishment, and security weaknesses were primarily studied. IPsec [17, 18] was analyzed to see how to employ it to support secure packet exchange on the network layer in PNs, especially for communication between different clusters. Some related protocols and techniques were studied, such as AH [22], ESP [23], IKE [18], and HMAC [21]. Mobile IP [24, 25] and Network Mobility (NEMO) [26] have also been studied for the purpose of defining a possible network layer architecture of PNs. Address auto-configuration, mobility management and relevant protocols have been investigated.

1.4 Thesis Structure

The remainder of this report is organized as follows. Chapter 2 discusses the security problems related to routing and forwarding in mobile ad hoc networks, and classifies and analyzes some proposed solutions. Chapter 3 introduces a new reputation-based solution for secure data forwarding containing three components: prevention, detection and reaction. Chapter 4 describes the detection mechanism of this solution, which is used to detect misbehaving nodes in the network. Chapter 5 introduces the prevention mechanism of the solution, which is used to bypass misbehaving nodes and discover the optimal routes. Chapter 6 presents and analyzes the simulation results to show the effect caused by various misbehaving nodes, and the network performance improvement when the prevention technique is applied. Chapter 7 outlines future research in this area and chapter 8 gives the conclusion of the thesis.

2 Secure Data Forwarding in Mobile Ad Hoc Networks

Characteristics of mobile ad hoc networks such as infrastructure-independence and self-organization make this kind of networks very flexible. However, at the same time some new security challenges specific to this new technology appear. In this chapter, the challenges related to routing and data forwarding in mobile ad hoc networks are discussed. Some proposed solutions are introduced and analyzed. Section 2.1 is related to secure routing, and section 2.2 is related to secure data forwarding.

2.1 Secure Routing Challenges and Solutions

In this section, the security challenges related to routing in mobile ad hoc networks are discussed, and some corresponding solutions are described briefly, which are primarily used to guarantee the acquisition of correct routing information.

2.1.1 Challenges

The provision of security in mobile ad hoc networks faces a set of challenges. Unique characteristics of mobile ad hoc networks, such as open network architecture, shared medium, highly dynamic network topology, lack of infrastructure and authorization facilities and decentralized control [40, 41, 59, 60], introduce many new security challenges.

The infrastructure-independence of mobile ad hoc networks extends the application scope of this kind of network, but it makes network control and management more difficult compared to traditional networks. Many efficient and effective network management schemes, such as central network control and authentication mechanisms, cannot be directly implemented in mobile ad hoc networks. Absence of infrastructure also impedes the popular operation of establishing a line of defense. As a consequence, it increases the difficulty of detecting attacks.

Dynamic network topology is another important characteristic of mobile ad hoc networks. All nodes in such networks are allowed to move arbitrarily at any time. And each node could join and leave the network independently. The network topology of a mobile ad hoc network is likely to change dynamically. Therefore, it is difficult to have a clear global view of an ad hoc network.

Trust relationships among nodes may also change dynamically in some scenarios due to the flexibility of ad hoc networks. Furthermore, in large-sized mobile ad hoc networks, it is possible that there is no trust relationship among the majority of nodes. For example, when an ad hoc network is used as the interconnection structure for communication among a large number of users, it is possible that no trust relationship is available. As a consequence, security solutions with static configuration are not suitable for mobile ad hoc networks.

Routing in wired networks is usually performed on dedicated devices such as switches, routers and gateways. But in mobile ad hoc networks, each node works as a router and is responsible for forwarding packets for other nodes. This feature significantly complicates the network management and makes the network very vulnerable to attacks. If a misbehaving node on an active route begins to drop data packets, a large number of packets will be lost. Therefore, all nodes in a mobile ad hoc network are required to behave cooperatively to support the network operation.

Mobile devices generally have limited resources, such as computational capability and memory capacity. They are also constrained by energy since they are more likely to be battery powered. Therefore, complicated and expensive solutions, such as advanced authentication or encryption/decryption operations performed on each packet, are not very suitable for this kind of networks.

When these factors mentioned above are considered, it is difficult to promise that no misbehaving nodes exist in mobile ad hoc networks. Moreover, compared to traditional infrastructure-based networks, it is much easier for misbehaving nodes to perform some harmful activities in mobile ad hoc networks, especially for operations related to routing and forwarding. For example, a malicious node could claim that it is one hop away from a specific destination to cause all routes to that destination to pass through it. Fabricating false routing information or modifying transmitted routing messages could cause data to be lost. A small number of misbehaving nodes could degrade the network performance significantly.

Furthermore, mobile ad hoc networks require not only the correct execution of network operations such as routing and data forwarding by each node, but also fair distribution of these operations among all network nodes. The latter requirement is a big challenge and difficult to realize, but it is quite important and has received much attention recently.

2.1.2 Secure Routing Protocols

Most of the routing protocols designed for mobile ad hoc networks generally assume all nodes in the network are cooperative and well-behaving. But this assumption does not hold in many scenarios, in which routing information is vulnerable and misbehaving nodes could easily change the routing information to disrupt the network. Therefore, a number of secure routing protocols have been proposed to prevent a set of attacks that attempt to compromise the route discovery. These protocols could be used to guarantee the acquisition of correct network topological information. Some proposed protocols are introduced briefly below.

• ARIADNE

Ariadne [51] is a new secure on-demand routing protocol and is based on DSR. Authentication of routing messages in Ariadne can be performed in one of three modes: shared secrets between each pair of nodes, shared secrets between communicating nodes together with broadcast authentication, or digital signatures. TESLA [53] is a widely accepted broadcast authentication protocol which relies on synchronized clocks. It is a very suitable authentication mechanism for Ariadne.

• SEAD

The Secure Efficient Ad hoc Distance vector (SEAD) routing protocol [54] is based on the destination-sequenced distance vector (DSDV) routing protocol. It makes use of one-way hash functions rather than expensive asymmetric cryptographic operations to protect routing information. It is quite efficient and can be employed by mobile nodes that are constrained in resources. In SEAD, hop counts and sequence numbers are protected by hash chains.

• SRP

Secure Routing Protocol (SRP) [50, 52] is based on DSR. SRP could guarantee the acquisition of correct routing information. No assumption is made about intermediate nodes in SRP. Its only requirement is that a security association (SA) exists between the endpoints of a path, which is used for Message Authentication Code (MAC) calculation. The MAC is used to support data integrity and message originator authenticity of route request/reply packets.

• SAODV

Secure AODV (SAODV) [55] is a security extension to the AODV routing protocol. It can be used to protect routing information and provide security features like data integrity, originator authenticity and non-repudiation. The protocol employs two schemes, digital signatures and hash chains. Digital signatures are used to protect non-mutable fields of messages, and hash chains are used to protect hop count information.
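The hash-chain protection of hop counts mentioned for SEAD and SAODV works as shown in the following added example, which is not code from the thesis or from either protocol's specification. It follows the SAODV-style layout (a hash field advanced once per hop, checked against a top hash fixed by the originator); the field names, the use of SHA-256 and the bound MAX_HOP_COUNT = 8 are assumptions.

```python
import hashlib

MAX_HOP_COUNT = 8  # assumed upper bound on route length for this example


def h(data: bytes, times: int = 1) -> bytes:
    """Apply the one-way function (SHA-256 here) `times` times."""
    for _ in range(times):
        data = hashlib.sha256(data).digest()
    return data


def originate(seed: bytes) -> dict:
    """Originator: hop count 0, hash = seed, top_hash = H^MAX(seed).

    top_hash is a non-mutable field. In SAODV it is covered by the
    originator's digital signature, which this example does not model.
    """
    return {"hop_count": 0, "hash": seed, "top_hash": h(seed, MAX_HOP_COUNT)}


def verify(msg: dict) -> bool:
    """Receiver check: H^(MAX - hop_count)(hash) must equal top_hash."""
    remaining = MAX_HOP_COUNT - msg["hop_count"]
    if remaining < 0:
        return False
    return h(msg["hash"], remaining) == msg["top_hash"]


def forward(msg: dict) -> dict:
    """Honest intermediate node: verify, then advance hop count and hash."""
    if not verify(msg):
        raise ValueError("hop count does not match the hash chain")
    return {
        "hop_count": msg["hop_count"] + 1,
        "hash": h(msg["hash"]),
        "top_hash": msg["top_hash"],
    }


def demo() -> dict:
    """Three honest hops, then a node that advertises a shorter route."""
    msg = originate(b"constructed-seed-for-example")
    for _ in range(3):
        msg = forward(msg)
    # The node holds H^3(seed). Claiming hop count 1 would require
    # H^1(seed), which cannot be derived from H^3(seed).
    understated = dict(msg, hop_count=1)
    return {
        "honest_hop_count": msg["hop_count"],
        "honest_accepted": verify(msg),
        "understated_accepted": verify(understated),
    }


if __name__ == "__main__":
    print(demo())
```
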

2.2 Secure Data Forwarding Challenges and Solutions

Data forwarding is the phase that follows route discovery. Obtaining correct routing information does not guarantee that packets will reach their destinations. In this section, the security problems related to data forwarding in mobile ad hoc networks are discussed. Some proposed solutions for secure data forwarding are presented and analyzed.


2.2.1 Challenges

The secure routing protocols mentioned in 2.1.2 are primarily designed for routing information protection. They depend on various authentication mechanisms to provide routing data integrity and originator authenticity. However, even if all obtained routing information is correct, misbehaving nodes can still launch various attacks in the data forwarding phase. For example, a misbehaving node could behave cooperatively during the route discovery phase, but drop data packets later (Denial of Service attack). Moreover, if misbehaving nodes simply drop all packets, including routing related packets, these solutions cannot detect or prevent such attacks, as they focus only on detecting the modification of routing control traffic or the fabrication of false routing information.

Generally, attacks in mobile ad hoc networks can be divided into two kinds: passive attacks and active attacks. Passive attacks such as eavesdropping give an adversary access to secret information, since the promiscuous mode is usually required by many protocols. Active attacks, such as replay attacks and DoS attacks, are launched by an adversary to propagate false information, impersonate other nodes, or disrupt the network operation.

Besides these traditional attacks, a new type of attack is emerging in mobile ad hoc networks which is less dramatic but more subtle. Nodes in these networks are generally battery powered, so they have limited power available. As a consequence, a new type of misbehaving node, called a selfish node, has appeared in research papers [41, 42, 44, 61]. A selfish node does not intend to attack or jeopardize other nodes, but it refuses to spend its own resources such as energy on forwarding packets for other nodes. Its intention is to save energy to prolong its own lifetime. However, if there are a large number of selfish nodes in a mobile ad hoc network, the network performance will degrade and well-behaving nodes’ burdens will increase significantly.

In order to deal with these security challenges related to data forwarding, especially for malicious packet dropping and selfishness, some solutions have been proposed recently. In the following section, these solutions are introduced and analyzed.

2.2.2 Secure Data Forwarding Solutions

2.2.2.1 SMT

In [47], the secure message transmission (SMT) protocol is proposed, which could be used to protect the data transmission against arbitrary malicious behavior of misbehaving nodes. Different from some detection mechanisms, this protocol takes advantage of topology and transmission redundancies to achieve secure data transmission.

SMT consists of four elements: end-to-end secure and robust feedback mechanism, dispersion of the transmitted data, simultaneous usage of multiple paths, and adaptation to the network changing conditions. It requires a security association between endpoints of a communication.


A sender node disperses each message into a number of pieces according to a certain algorithm. This operation introduces redundancy to each message. Each piece is then transmitted over a different path to the destination. At the destination node, a message can be reconstructed even if some message pieces are lost or corrupted.

Each dispersed message piece carries a message authentication code (MAC) to provide integrity and authenticity of its origin. A security association between sender and destination is necessary. The destination node acknowledges the successfully received messages through feedback messages which are also protected.

The main problem of this solution is that it is difficult to guarantee the required number of available routes for message piece delivery. This is due to many factors, such as node mobility, congestion and transmission impairments. Another problem is that it needs much computation for MAC calculation and message division/reconstruction.
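The dispersion and per-piece MAC described above can be illustrated with the following added example, which is not SMT's own code. The page does not name the dispersal algorithm, so a single XOR parity piece stands in for it (it tolerates exactly one lost or corrupted piece); HMAC-SHA256, the header layout, the message identifier and the key standing for the sender-destination security association are all assumptions.

```python
import hashlib
import hmac


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(key: bytes, header: bytes, payload: bytes) -> bytes:
    """MAC over the fixed-length header and the payload of one piece."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()


def disperse(message: bytes, k: int, key: bytes, msg_id: int) -> list:
    """Split into k data pieces plus one XOR parity piece, one per path."""
    size = max(1, -(-len(message) // k))  # ceiling division
    padded = message.ljust(size * k, b"\x00")
    chunks = [padded[i * size:(i + 1) * size] for i in range(k)]
    parity = bytes(size)
    for chunk in chunks:
        parity = _xor(parity, chunk)
    pieces = []
    for index, payload in enumerate(chunks + [parity]):
        # Assumed 8-byte header: msg_id (2) | index (1) | k (1) | length (4)
        header = (msg_id.to_bytes(2, "big") + bytes([index, k])
                  + len(message).to_bytes(4, "big"))
        pieces.append({"header": header, "payload": payload,
                       "tag": _tag(key, header, payload)})
    return pieces


def reconstruct(received: list, key: bytes, msg_id: int):
    """Return the message, or None if too few authentic pieces arrived."""
    valid, k, length = {}, None, 0
    for piece in received:
        header, payload = piece["header"], piece["payload"]
        if not hmac.compare_digest(_tag(key, header, payload), piece["tag"]):
            continue  # corrupted or forged piece is treated as lost
        if int.from_bytes(header[0:2], "big") != msg_id:
            continue  # authentic, but belongs to another message
        index, k = header[2], header[3]
        length = int.from_bytes(header[4:8], "big")
        valid[index] = payload
    if k is None:
        return None
    missing = [i for i in range(k) if i not in valid]
    if len(missing) > 1 or (missing and k not in valid):
        return None  # more loss than one parity piece can repair
    if missing:
        rebuilt = valid[k]  # index k is the parity piece
        for i in range(k):
            if i != missing[0]:
                rebuilt = _xor(rebuilt, valid[i])
        valid[missing[0]] = rebuilt
    return b"".join(valid[i] for i in range(k))[:length]


def demo() -> dict:
    key = b"constructed-sa-key-for-example"
    message = b"constructed payload sent over 4 paths"
    pieces = disperse(message, 3, key, msg_id=7)
    dropped = pieces[:1] + pieces[2:]  # the path carrying piece 1 drops it
    tampered = list(pieces)
    flipped = _xor(pieces[2]["payload"], b"\xff" * len(pieces[2]["payload"]))
    tampered[2] = dict(pieces[2], payload=flipped)  # piece 2 modified in transit
    return {
        "one_dropped": reconstruct(dropped, key, 7) == message,
        "one_tampered": reconstruct(tampered, key, 7) == message,
        "two_lost": reconstruct(pieces[2:], key, 7),
    }


if __name__ == "__main__":
    print(demo())
```
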

2.2.2.2 Watchdog and Pathrater

This solution [41] is used to address the packet loss problem caused by misbehaving nodes in mobile ad hoc networks. Two extensions are introduced to DSR to mitigate the effects of misbehaving nodes. The watchdog is in charge of monitoring neighbors to identify misbehaving nodes, and the pathrater tries to prevent packets from being delivered through these nodes.

After a node forwards a packet, its watchdog checks whether the next node on the path forwards the packet cooperatively. The watchdog performs this operation by listening promiscuously to the next node's transmissions. If the number of packets a neighboring node drops exceeds a threshold, that neighbor will be regarded as a misbehaving node. The watchdog needs to know the next two hops in order to monitor the next node's data forwarding behaviors. Therefore, watchdog is implemented based on DSR.

The pathrater in each node selects the most likely reliable route according to knowledge of misbehaving nodes and link reliability information. It calculates the route metric by averaging the rating of all nodes on a path and chooses the path with the highest metric. In this solution, the node rating is calculated in terms of link reliability rather than neighbor monitoring results.

The pathrater only assigns and updates ratings of nodes which are currently in use. In each interval, it increases a node's rating by 0.01 if the link is normal and decreases it by 0.05 if the link is broken during the data forwarding phase. A detected misbehaving node is reported to all nodes that are transmitting data through this node. Those sender nodes assign an extreme negative rating value to the reported misbehaving node. As a consequence, the routes containing this misbehaving node will have a negative value and will not be chosen.


Misbehaving nodes can be detected by watchdog and prevented by pathrater. However, this solution has some weaknesses. First, the transmission of reports about misbehaving nodes is vulnerable. In a network without trust relationships among most of the nodes, it is easy for a malicious node to give a report to claim that the next node is misbehaving. Secondly, the watchdog scheme is based on the assumption that misbehaving nodes behave cooperatively during the route discovery phase. But if these nodes drop all packets, they will not be detected.
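The interaction of watchdog and pathrater, and the first weakness named above, can be traced in the following added example, which is not the code of [41]. The increments 0.01 and 0.05, the path metric as an average and the extreme negative rating come from the description above; the neutral starting rating, the rating bounds, the value -100, the drop threshold and the topology are assumptions.

```python
NEUTRAL, MAX_RATING, MIN_RATING = 0.5, 0.8, 0.0  # assumed values
MISBEHAVING = -100.0   # assumed "extreme negative" rating
DROP_THRESHOLD = 5     # assumed watchdog threshold


class Watchdog:
    """Runs at a forwarding node and listens for the next hop's relay."""

    def __init__(self):
        self.pending = {}  # packet id -> next hop expected to relay it
        self.drops = {}    # next hop -> packets not overheard in time

    def sent(self, packet_id, next_hop):
        self.pending[packet_id] = next_hop

    def overheard(self, packet_id):
        self.pending.pop(packet_id, None)

    def timeout(self, packet_id):
        """Count a drop; return the node once it exceeds the threshold."""
        hop = self.pending.pop(packet_id, None)
        if hop is None:
            return None
        self.drops[hop] = self.drops.get(hop, 0) + 1
        return hop if self.drops[hop] > DROP_THRESHOLD else None


class Pathrater:
    """Runs at a sender and rates the nodes on the routes it knows."""

    def __init__(self):
        self.rating = {}

    def get(self, node):
        return self.rating.get(node, NEUTRAL)

    def tick(self, node, link_ok):
        """Per-interval update for a node on a route currently in use."""
        current = self.get(node)
        if current == MISBEHAVING:
            return
        current += 0.01 if link_ok else -0.05
        self.rating[node] = min(MAX_RATING, max(MIN_RATING, current))

    def report_misbehaving(self, node):
        # The report is accepted as is: nothing authenticates the reporter.
        self.rating[node] = MISBEHAVING

    def metric(self, path):
        return sum(self.get(node) for node in path) / len(path)

    def best_path(self, paths):
        usable = [p for p in paths if self.metric(p) >= 0]
        return max(usable, key=self.metric) if usable else None


def simulate() -> dict:
    """Sender S knows two routes to D: via A,B and via C,E,F (constructed)."""
    paths = [["A", "B"], ["C", "E", "F"]]
    sender, watchdog_at_a = Pathrater(), Watchdog()
    initial = sender.best_path(paths)
    for _ in range(10):              # ten normal intervals on the active route
        for node in initial:
            sender.tick(node, True)
    accused = None
    for packet_id in range(6):       # B silently drops six data packets
        watchdog_at_a.sent(packet_id, "B")
        accused = watchdog_at_a.timeout(packet_id) or accused
    if accused:
        sender.report_misbehaving(accused)
    after_watchdog = sender.best_path(paths)
    sender.report_misbehaving("E")   # false report about a well-behaving node
    return {"initial": initial, "accused": accused,
            "after_watchdog": after_watchdog,
            "after_false_report": sender.best_path(paths)}


if __name__ == "__main__":
    print(simulate())
```

After one genuine and one false report the sender has no usable route left, which is the effect of accepting reports without a trust relationship.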

2.2.2.3 BMR

In [42], Xue and Nahrstedt propose a solution named BMR (Bypassing Misbehaving nodes Routing), which is able to bypass misbehaving nodes and select a good path to route packets. The BMR algorithm is based on DSR, and includes two phases: the testing phase and the delivery phase. In the testing phase, packets are transmitted to the intended destination node on each available route, and end-to-end performance is measured on each path. Routes with low packet loss rate and small delivery delay are regarded as good paths. Routes are evaluated in ascending order of their length until a good path is found or all paths have been tested. In the delivery phase, the sender node chooses a good path or the path with the highest metric for data delivery.

By making routing decisions according to end-to-end performance, BMR provides an efficient solution to address the problems caused by misbehaving nodes. However, BMR can only work under the assumption that misbehaving nodes behave consistently during the test phase and the delivery phase, because no end-to-end performance will be measured during the delivery phase. Another problem is that BMR only works well in lightly-loaded networks. Otherwise, good paths and bad paths may not be distinguishable due to network congestion. Node mobility also poses a challenge to BMR. Furthermore, the test phase is time-consuming and a certain number of data packets are required for this purpose.

2.2.2.4 CONFIDANT

In CONFIDANT [43, 44], several components (figure 9) are combined together in each node. They interact with each other to detect and isolate misbehaving nodes, and to discipline each node to work cooperatively. In this protocol, a node is only concerned with the abnormal behaviors of its neighbors, which means that only the negative reputation values will be considered and propagated. This reputation system is based on negative experience rather than positive impressions.


Figure 9. Trust architecture and finite state machine within each node [44]

The monitor in each node is responsible for monitoring behavior of neighbors. If a suspicious event is detected, relevant information will be reported to the reputation system. Incoming alarm messages from other nodes are first delivered to the trust manager. In that component they are checked for trustworthiness according to their originators' credibility, and are processed accordingly. If there is sufficient evidence to show that the node reported in alarm messages is misbehaving, relevant information will be sent to the reputation system.

The reputation system is responsible for analyzing and calculating a node's reputation. The reported suspicious events from alarm messages and direct observation are weighted and processed to calculate reputation. The reputation will only be changed if there is sufficient evidence of abnormal behavior (evidence exceeds the predefined threshold that is high enough to distinguish malicious behavior from simple coincidences such as collisions). When the rating becomes intolerable, the report is sent to the path manager, which deletes all routes containing discovered misbehaving nodes from the routing table. At the same time, an alarm message will be sent to all nodes in its friend list.

This protocol performs well for malicious and selfish node detection because it is only concerned with negative experience. However, due to this nature, it is less tolerant of failing nodes. These nodes may be regarded as misbehaving nodes for some inevitable reasons, such as network congestion or shortage of energy. Therefore, the preset threshold is quite important and needs to be considered carefully to prevent such situations. Another problem is that this protocol is vulnerable to the low reputation attack. Such an attack could be launched by malicious nodes through propagating false low reputation values. Because a well-behaving node’s good performance is not rewarded or maintained, it is easier for a malicious node to launch this attack, especially for a malicious node with high reputation (behaving cooperatively first). The friend relationships used in this solution are also difficult to measure.


2.2.2.5 CORE

CORE [45] is another reputation-based solution. The authors regard a mobile ad hoc network as a community, in which only those contributing their own resources are entitled to use shared resources. In CORE, three types of reputations are employed. Subjective reputation values are obtained directly from a node's own observation of the behavior of its neighbors. Contrary to CONFIDANT, more weight is assigned to past observations to prevent false detection caused by link breaks or collisions. Indirect reputation values are obtained from other nodes, and only positive values are considered to avoid denial of service attacks (broadcasting negative ratings for legitimate nodes). Function reputation values are related to certain functions like routing and data forwarding. Global reputations are calculated in terms of subjective reputation and indirect reputation on different functions.

In CORE, there are two types of protocol entities, requestors and providers. It works as follows: a requestor asks a provider for service; if the provider refuses to cooperate or provide service, the CORE scheme of the requestor will react by decreasing the reputation of that provider. And the requestor will be excluded from the network if its non-cooperative behavior persists.

Reputation can be updated in two different situations, the request phase and the reply phase. During the request phase, only the subjective reputation value is updated. It means if the provider did not behave cooperatively, a negative rating factor will be assigned to the observation and that node’s reputation value will decrease. If the provider is well-behaving, its reputation does not change. During the second phase, only indirect reputation value is updated. In CORE, the reply message from the destination node contains a list of entities that correctly behaved. As a consequence, these entities' indirect reputation values are positive and their reputation values of course will increase.

CORE is tolerant of sporadically bad behavior because it puts more weight on past behavior and good behavior is rewarded by increasing reputation. But CORE is less sensitive to misbehavior than CONFIDANT due to its nature. Reputation increase in the reply phase depends on other nodes’ feedback. However, these reply messages are vulnerable.

2.2.2.6 Pricing-based Solutions

Pricing-based solutions [56, 57, 58] are another kind of solution. These solutions do not try to detect misbehaving nodes to take corresponding measures such as punishment or isolation, but treat packet forwarding as a service that can be priced. Virtual currency is introduced in these mechanisms to stimulate each node to behave cooperatively. In [56], tamper resistant hardware is used to process nuglet (virtual currency). And in [57], a central agent called Credit Clearance Service (CCS) is introduced to process credit (virtual currency) issues. However, these solutions have some problems. First, traffic in mobile ad hoc networks is likely to be unevenly distributed. So it may be difficult for some nodes to earn enough credits to transmit their own packets even if they always behave cooperatively, and there may be the case where some nodes could get sufficient credits easily, even if they do not behave cooperatively sometimes (dropping some packets). Secondly, some solutions require the existence of a central control agent, which is not applicable in a pure ad hoc network. Thirdly, they are relatively difficult to implement due to some security problems, such as nuglet initialization, transition and maintenance.

2.2.2.7 Other Solutions

In [46], Dewan and Dasgupta propose a solution also based on reputation, which is similar to BMR. End-to-end performance is measured to evaluate path quality. In [48], the Secure and Objective Reputation-based Incentive (SORI) scheme is proposed to encourage packet forwarding and discipline selfish behavior. In this solution, a node’s reputation is quantified by objective measurements, and reputation values are propagated in a secure way. A punishment scheme is used to penalize selfish nodes. In [75], the REliable and efficient forwarding (REEF) is described. In this solution, each intermediate node decides the next hop to a certain destination according to the available routes and next node’s reputation. ACK packets from the destination are used to update the next node’s reputation.


3 A New Reputation-based Secure Forwarding Solution

In this chapter, a new reputation-based secure forwarding solution is introduced which consists of three components: detection, prevention and reaction. The detection component is responsible for misbehaving node detection, the prevention component is used to bypass misbehaving nodes and discover optimal routes, and the reaction component provides different service qualities based on reputations. Section 3.1 describes the solution motivations and features. Section 3.2 presents some assumptions of this solution. And section 3.3 introduces different parts of the solution briefly.

3.1 Motivations

From the analysis of some proposed solutions for secure data forwarding in chapter 2, we can find that reputation-based solutions are quite suitable for mobile ad hoc networks and have good performances if they are well designed.

Due to the lack of a clear line of defense, a complete security solution for mobile ad hoc networks should encompass three components: prevention, detection, and reaction [40] (figure 10). The prevention component could deter misbehaving nodes’ attacks by preventing them from participating in the network operations, such as routing and packet forwarding. The detection component is responsible for monitoring and detecting misbehaving nodes in the network. And the reaction component takes corresponding actions to punish misbehaving nodes or even exclude them from the network. The prevention component as well as the reaction component is based on reputation information derived from the detection result. Therefore, the reputation value is the basis of this solution and needs to be considered comprehensively.


Figure 10. Solution components

3.1.1 Reputation Requirements

In order to make this kind of scheme more effective, the reputation value should precisely reflect the current state of each node. For example, if a well-behaving node is compromised and begins to behave abnormally, this node should be detected as soon as possible. There are several requirements for reputation-based solutions.

• Reputations should be obtained in an efficient way, which means the detection mechanism could be implemented easily.

• Reputations can be used to evaluate a node's behavior objectively and correctly. Sporadically bad behavior or inevitable problems such as collisions should be tolerable, but misbehaving nodes should be detected effectively.

• Reputation processing and transmission overheads should be kept within an acceptable scope due to mobile devices’ resource constraints.

• In an environment without trust relationships among the majority of the nodes, some mechanisms must be performed to guarantee that reputation is propagated in a secure way.

3.1.2 Solution Features

In order to make full advantage of reputation information to handle the problems caused by misbehaving nodes, this reputation-based secure forwarding solution has the following features.

First, a node’s reputation is measured and evaluated in a quantitative and objective way. In this solution, both data packets and route control traffic are monitored respectively according to different but specific requirements. Therefore, misbehaving nodes can be detected more effectively.

Secondly, fully selfish nodes could also be detected. In this thesis, a fully selfish node means a node that never relays any packets for other nodes, but requires other nodes to transmit its own packets. Malicious nodes refer to those nodes that promise to forward packets but later drop packets. Due to the requirement of the reaction mechanism that a well-behaving node never forwards packets from a node which does not claim its existence, each node must first claim its presence to its neighbors if it wants to communicate with other nodes.

Thirdly, the prevention mechanism is completely performed in the route discovery phase. In many proposed solutions, route testing or bad route exclusion is performed in the data delivery phase. Consequently, some data packets are still transmitted on bad routes. In this solution, before data packets are transmitted, all discovered misbehaving nodes have already been excluded from the available routes.

Finally, reputation information is not only used to detect misbehaving nodes, but also could be used to measure path quality. For well-behaving nodes, some other factors influence the network performance. Mobility has a great impact on data forwarding. For a node moving rapidly and continuously in the network, it is more likely that the link between this node and other nodes will be broken. A node's resources such as CPU capability, energy, and memory size also influence its forwarding behavior. Generally nodes with larger buffer size and more energy are more reliable for data forwarding. In this solution, this aspect is also considered. Routes are evaluated according to hop counts as well as their qualities.

3.2 Assumptions

In order to make this solution feasible, there are some assumptions for this solution.

• Not all nodes in mobile ad hoc networks are well-behaving. In this thesis, the primary concern of secure data forwarding is to guarantee that a packet could reach its destination correctly. We only consider the packet dropping problem, because other security problems such as confidentiality could be handled by upper layers. Here, misbehaving nodes are divided into two types: malicious nodes and selfish nodes. Malicious nodes refer to nodes that forward route request/reply packets, but later drop data packets. Selfish nodes want to save power and prolong battery lifetime for their own communications. Therefore, they refuse to provide forwarding services to other nodes. This means they may drop route control packets to exclude themselves from discovered routes.

• Different mobile devices may use different wireless technologies. In order to enable communication and monitoring in mobile ad hoc networks, we suppose that all nodes have the same physical layer.


• Bidirectional communication on each link is required in this solution. Bidirectional communication means that if node A is able to receive a message from node B, node B is also able to receive a message from node A at the same time. This assumption is reasonable since many wireless MAC layer protocols, including MACA [62], MACAW [63], IEEE 802.11 [4], Bluetooth [5] and Zigbee [6], require bidirectional communication for reliable transmission. For example, RTS/CTS packet exchange needs bidirectional communication, and link layer acknowledgement also needs it. Bidirectional links are also assumed in many routing algorithms designed for mobile ad hoc networks. However, many algorithms, such as AODV and SRP, are incapable of functioning properly over unidirectional links.

• Each node in mobile ad hoc networks supports promiscuous mode, which is necessary for the detection part in this solution. Promiscuous mode means that if node A is in the radio transmission coverage of node B, A can overhear packets from B even if the packets are not directly related to A. So a node can listen to every packet sent by its neighbors to realize the monitoring operation. This assumption is also reasonable, because most current network hardware has the ability to operate the network interface in “promiscuous” mode. This mode enables hardware to deliver every received packet to the network driver software without filtering based on link-layer destination address.

• A security association (SA) exists between each pair of endpoints of a path. How to initialize or distribute keys and how to create specific purpose keys such as session keys, authentication keys or encryption keys is beyond the scope of this report. A security association is primarily used to protect routing and reputation information by including a Message Authentication Code (MAC) in each route control packet.

3.3 Solution Overview

This section provides an overview of this reputation-based solution which consists of three parts: detection, prevention and reaction.

3.3.1 Detection

The objective of the detection mechanism is to discover misbehaving nodes in mobile ad hoc networks. This is realized by neighbor monitoring and reputation propagation. The detailed description and analysis can be found in chapter 4.

Because of the dynamic network topology and the lack of a central management agent, the monitoring operation can only be performed in a local scope by each available node in mobile ad hoc networks. Each node is responsible for monitoring its neighbors’ behaviors in order to detect misbehaving nodes. Routing control traffic and data packets are monitored according to different requirements. Obtained reputations based on a node’s own observation are called local reputations.

In order to share its experience with other nodes to make reputation evaluation more objective and precise, each node broadcasts its local reputation reports. But due to the fact that no trust relationships exist among the majority of nodes, the reputation propagation is also limited to a local scope. This means reputation reports are only broadcast to immediate neighbors. Global reputations are calculated based on one’s own observation and reputation reports from other nodes. The credibility of a report is evaluated in terms of the performance of its originator.

3.3.2 Prevention

The prevention mechanism could realize two functions: bypassing misbehaving nodes and choosing optimal routes. The first one is used to exclude misbehaving nodes from discovered routes, and the second one is used to select routes according to hop counts as well as path qualities. This scheme is based on the detection result at each node in the network, and is performed in the route discovery phase. In chapter 5, the prevention mechanism will be introduced in detail.

DSR is employed to perform the basic routing operations, but some extensions are made to DSR. Misbehaving nodes are bypassed in such a way that each node guarantees that the next node on the route is not a misbehaving node based on its reputation information. Some techniques are used to execute this operation in a secure way. Reputation values of all intermediate nodes of any discovered routes are available at sender nodes. So a sender node is able to evaluate all discovered routes according to both hop counts and path qualities.

3.3.3 Reaction

The reaction mechanism is relatively simple in this solution and is not the primary part of the report. But in order to make the solution complete and operational, this part is also necessary. It is responsible for punishing misbehaving nodes by providing different forwarding service qualities according to reputations. In this section, this component is described briefly.

3.3.3.1 Reasons for Reaction Mechanism

This mechanism is a necessary part of a complete solution due to several reasons. First, if only the prevention technique is employed, it does increase each well-behaving node’s throughput and reduce packet delivery delay. However, all misbehaving nodes also enjoy these benefits as well, and all these benefits are achieved at the cost of more workloads on well-behaving nodes. From the simulation results in chapter 6, it is obvious that well-behaving nodes’ forwarding burdens increase significantly with the increase of misbehaving nodes in the network.


Secondly, the prevention mechanism cannot handle fully selfish nodes, because nodes of this kind have already excluded themselves from the discovered routes. The only useful mechanism for selfish nodes is to force them to behave cooperatively. In the price-based mechanisms mentioned in the previous chapter, virtual money is used to stimulate selfish nodes to behave cooperatively. In this solution, necessary punishment and disciplinary measures are taken for the same purpose.

3.3.3.2 Reaction Requirements of this Solution

In order to discipline misbehaving nodes and stimulate their cooperation, there are some indispensable reaction operations in this solution.

• A node only provides forwarding service to its neighbors that claim their existence. As a consequence, a node must claim its existence in order to ask other nodes to forward its own packets. If a node declares its presence, its behavior will be monitored by its neighbors. Without this requirement, a selfish node can always stay silent for all route request packets to prevent itself from being included in any routes.

• Each well-behaving node should refuse to provide forwarding service to misbehaving neighbors. But this requirement is difficult to realize. For example, suppose node A detects that its neighbor B is a misbehaving node, and begins to drop packets originated from B. In a mobile ad hoc network it is quite possible that B will later move outside of the radio transmission coverage of node A. If A still drops packets from B, other nodes may think that A is a misbehaving node. If A forwards B’s packets, the misbehaving nodes cannot be punished effectively. This is one of the difficulties of the solution. If B returns to A’s radio coverage after some interval, A’s action towards B depends on whether B’s record is still in A’s neighbor table. If B’s record is still valid, A will keep on dropping B’s packets. Otherwise, A will assign an initial reputation value to B and begin to monitor B’s behavior.
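The two reaction requirements above, including the case where B returns to A's radio coverage, amount to a small piece of state kept at node A. The following is an added example, not the thesis implementation: the initial reputation, the misbehaving threshold, the record lifetime and all names are assumptions, and reputation values are set directly because the detection mechanism is described in chapter 4.

```python
from dataclasses import dataclass

INITIAL_REPUTATION = 0.5  # assumed starting value for a new neighbor
MISBEHAVING_BELOW = 0.3   # assumed threshold for a misbehaving neighbor
RECORD_LIFETIME = 30.0    # assumed validity of a neighbor record, in seconds


@dataclass
class Record:
    reputation: float
    last_claim: float  # time of the neighbor's last presence claim


class NeighborTable:
    """Neighbor table kept by one well-behaving node (node A in the text)."""

    def __init__(self):
        self.records = {}

    def _valid(self, node, now):
        record = self.records.get(node)
        return record is not None and now - record.last_claim <= RECORD_LIFETIME

    def claim_presence(self, node, now):
        """Neighbor announces itself: refresh a valid record, else start anew."""
        if self._valid(node, now):
            self.records[node].last_claim = now  # old reputation is kept
        else:
            self.records[node] = Record(INITIAL_REPUTATION, now)

    def set_reputation(self, node, value):
        """Result of the detection component, supplied directly here."""
        self.records[node].reputation = value

    def decision(self, node, now):
        """What A does with a packet originated by `node`."""
        if not self._valid(node, now):
            return "refuse: no presence claim"
        if self.records[node].reputation < MISBEHAVING_BELOW:
            return "refuse: misbehaving neighbor"
        return "forward"


def demo() -> list:
    """Constructed timeline for neighbor B and a silent node Z."""
    table = NeighborTable()
    out = []
    table.claim_presence("B", now=0.0)
    out.append(table.decision("B", now=1.0))   # new neighbor is served
    out.append(table.decision("Z", now=1.0))   # Z never claimed presence
    table.set_reputation("B", 0.1)             # B detected as misbehaving
    out.append(table.decision("B", now=5.0))
    table.claim_presence("B", now=20.0)        # B returns, record still valid
    out.append(table.decision("B", now=21.0))
    table.claim_presence("B", now=100.0)       # B returns after record expiry
    out.append(table.decision("B", now=101.0))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```
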

3.3.3.3 Other Possible Implementations

Several proposed reaction operations could be employed.

• If a misbehaving node is detected, the relevant report will be sent to those sender nodes that transmit packets over the routes containing this misbehaving node. The sender nodes can delete these routes from their routing tables. This is one of the general reaction operations used in many solutions. But security is a big problem for this operation. A sender node has no idea whether to trust this kind of report if there are no trust relationships between them.

• A node punishes misbehaving nodes according to their behaviors [48]. The more severely a node behaves uncooperatively, the larger the percentage of its packets that are dropped.

(36)

z Priority-based mechanism for packet forwarding [75] (figure 11). The key idea of this solution is to differentiate the quality of service to other nodes according to the way they behave with others. Packets from reliable neighbors (high reputation) are forwarded with higher priority than packets from neighbors with lower reliability (low reputation).

(37)

4 Dynamic Misbehaving Node Detection

In this chapter, the detection component of this reputation-based solution is introduced in detail. Section 4.1 describes neighbor sensing, which is the precondition of local monitoring. Section 4.2 gives the rules for packet forwarding monitoring based on packet type. Section 4.3 describes in detail the detection mechanism, which consists of neighbor sensing, local monitoring, local reputation calculation, local reputation propagation and global reputation calculation.

4.1 Neighbor Sensing

Neighbor sensing is used to detect immediate neighbors of a node, and is the precondition of neighbor behavior monitoring and reputation calculation. There are several reasons for neighbor sensing.

1. Due to the lack of a central management agent, only fully distributed monitoring and management techniques can be employed in mobile ad hoc networks. Therefore each node should be responsible for monitoring its neighboring nodes in order to detect any abnormal behavior. To perform this kind of operation, a node must know exactly which nodes are its immediate neighbors so that it can monitor their behavior. For example, in this solution, when a node broadcasts a route request packet, it needs to monitor all its well-behaving neighbors to check whether or not these nodes relay the packet.

2. In the reaction part of this solution, a node is only permitted to punish its immediate misbehaving neighbors. As a consequence, the node must keep track of its neighboring nodes to know which nodes it has the right to punish if they do not behave cooperatively. A node can only punish its neighboring nodes because we want to limit the punishment measures to a local scope, to avoid the situation in which malicious nodes broadcast false information to disrupt the network, and to prevent the problem mentioned in 3.3.3.2.

3. In order to prevent selfish nodes from keeping silent (dropping all packets) to save energy, in the reaction mechanism a node only provides packet forwarding service to its current neighbors that claim their existence. This means that if a node wants its neighbors to forward its own packets, it first has to claim its existence to its neighbors. As a consequence, each node in the network can be detected and monitored by other nodes. Otherwise, a selfish node could always require other nodes to relay its packets but never forward any route request packets (for DSR), so it would never be included in any discovered routes. Such a node would not need to relay any data packets and would never be detected by its neighboring nodes. We should avoid such situations.
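Reason 1 above, checking whether well-behaving neighbors relay a route request the node has just broadcast, as an added Python example that is not part of the thesis. The overhearing window, the class and method names, and the exclusion of the request's target (which in DSR answers with a route reply instead of relaying) are assumptions.

```python
class RreqWatchdog:
    """Checks which monitored neighbors relay a route request this node broadcast."""

    def __init__(self, window=0.5):
        self.window = window   # assumed overhearing window in seconds
        self.pending = {}      # rreq id -> (deadline, neighbors not yet overheard)
        self.relayed = {}      # neighbor id -> relays overheard in time
        self.missed = {}       # neighbor id -> relays never overheard

    def on_broadcast(self, rreq_id, well_behaving, target, now):
        # The target is not expected to relay: in DSR it answers with a route reply.
        expected = set(well_behaving) - {target}
        self.pending[rreq_id] = (now + self.window, expected)

    def on_overheard(self, rreq_id, relay_id, now):
        """Return True if this overheard relay counts for a monitored neighbor."""
        entry = self.pending.get(rreq_id)
        if entry is None:
            return False
        deadline, waiting = entry
        if now > deadline or relay_id not in waiting:
            return False       # late, duplicate, or a node that is not monitored
        waiting.remove(relay_id)
        self.relayed[relay_id] = self.relayed.get(relay_id, 0) + 1
        return True

    def expire(self, now):
        """Close finished windows; return (rreq id, neighbor) pairs that stayed silent."""
        silent = []
        done = [r for r, (deadline, _) in self.pending.items() if now > deadline]
        for rreq_id in done:
            _, waiting = self.pending.pop(rreq_id)
            for nid in sorted(waiting):
                self.missed[nid] = self.missed.get(nid, 0) + 1
                silent.append((rreq_id, nid))
        return silent
```

A missed relay can also result from a collision during overhearing or from a neighbor answering from its route cache, so a single miss is weak evidence on its own.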

4.2 Neighbor Monitoring Rules

The characteristics of mobile ad hoc networks, such as infrastructure independence, dynamic network topology, and the lack of a central management agent and of trust relationships, determine that monitoring can only be performed in a fully distributed way. Each node should be responsible for monitoring its neighbors' behavior in order to detect misbehaving nodes. This kind of monitoring mechanism has been employed in many research projects [40, 43] and is quite suitable for mobile ad hoc networks because of their specific and unique characteristics. But most of these projects do not describe in much detail how to perform monitoring operations and how to process the detected data. In this solution, we give a detailed description of these issues. In this section, the neighbor monitoring rules, which are directly related to packet type, are introduced first.

4.2.1 Packet Forwarding Monitoring

Each node independently performs the monitoring operation within its radio transmission range. In theory, a variety of neighbor behaviors can be monitored, and the corresponding detected data can be maintained and processed to discover misbehaving nodes.

However, to make the neighbor monitoring mechanism effective and suitable for mobile ad hoc networks, it should be based on the frequent and primary behaviors of mobile nodes. The unique characteristic of mobile ad hoc networks is that each node is responsible for forwarding packets for other nodes. For secure data forwarding in mobile ad hoc networks, the most important requirement is to ensure that every data packet can reach its destination, which means that each intermediate node must behave cooperatively and forward packets to the correct next node. Only when packets can reach their destinations do other security requirements, such as data integrity and confidentiality, become useful and make sense.

Therefore, packet forwarding is the most important behavior in a mobile ad hoc network and should be monitored primarily. It is also the only thing that can be used to detect selfish nodes in mobile ad hoc networks. In addition, because each mobile device has limited resources, such as memory and energy, other behaviors are currently not considered in this solution, in order to reduce the computation and transmission overhead caused by the monitoring operation.
