PgNet2006


  • 8/7/2019 PgNet2006


    Testimony-based Isolation: New Approach To

    Overcome Packet Dropping Attacks in MANET

    Djamel Djenouri1, Nadjib Badache2

    1: CERIST Center of Research, Algiers 16030, Algeria.

    2: USTHB University, Algiers, Algeria.

    Emails: [email protected], [email protected]

    Abstract: Attackers could take advantage of the cooperative nature of MANET routing protocols by participating in the route discovery procedure to include themselves in routes, then simply dropping data packets during the forwarding phase, aiming at a DoS (Denial of Service) attack. In this paper we deal with the detection and isolation of such malicious nodes. We first propose a monitoring technique, different from the promiscuous overhearing (watchdog) used by almost all the current solutions, that overcomes many of the watchdog's shortcomings. After that, we propose a testimony-based isolation protocol based on our monitoring technique.

    I. INTRODUCTION

    Security in MANET attracts more and more researchers,

    with its variety of fields, problems, and challenges arising from

    the features of this infrastructureless environment [1]. One of

    the complex problems is detecting and isolating nodes that

    drop packets they receive to forward. Current secure routing

    protocols [2] aim at protecting the route discovery and route

    maintenance procedures. However, the packet dropping attack

    is launched during the forwarding phase. Although it could

    be launched easily, it is difficult to detect it. In the context of

    selfish nodes detection and isolation, many solutions have been

    proposed [1]. Selfish nodes also drop data packets; they only differ from malicious nodes with respect to their purpose. Like malicious nodes, selfish nodes drop packets, but they do so to save their resources and do not aim at damaging others. Still, all the detective solutions

    could be used in the context of malicious nodes. All these

    solutions, however, rely on the watchdog technique, thus inherit all its drawbacks.

    The principle of the watchdog is that each node in the

    source route monitors its successor after it sends it a packet

    to forward, by overhearing the channel. A monitor accuses a

    monitored node as misbehaving when it detects that this latter

    drops more than a given number (threshold) of packets. This

    basic technique of monitoring has no overhead when nodes do

    not misbehave. Nevertheless, it suffers from some problems,

    especially when using the transmission power control technique employed by some new power-aware routing protocols that followed the watchdog's proposal, such as [3].

    Assume three aligned nodes: A, B and C, such that A sends

    B a packet and monitors its forwarding to C, and let us assume

    that B uses the power control technique. When A is closer

    to B than C, B could circumvent the watchdog by using a

    transmission power strong enough to reach A but less than the

    one required to reach C, which is power efficient for B. On

    the other hand, when C is closer to B than A, and B behaves

    correctly but uses the power control technique, A could not

    overhear B's forwarding to C and will wrongly notice a packet

    dropping, which might result in false detections when the

    number of packets falsely detected exceeds the configured

    threshold. Further, packet collisions either at C or A during the

    monitoring could cause false detections, and after a collision at

    C, B could circumvent A by not retransmitting the packet.

    In this proposal we suggest a novel monitoring approach to

    overcome the watchdog's problems with reasonable overhead. We also propose a Bayesian approach for node accusation that enables node redemption before judgment. Finally, we suggest a social-based approach to approve detections and safely isolate guilty nodes. This approach's aim is to consider and avoid the vulnerability to false accusation attacks (rumors), as

    well as decreasing false positives that might be caused by

    channel conditions and nodes mobility. In contrast to the

    current solutions [4], [5], where each node unilaterally isolates

    nodes it judges as misbehaving, our isolation mechanism

    safely enables that all nodes together isolate the attacker.

    Unilateral isolation could cause problems as we will see later.

    The remainder of the paper is organized as follows: Next,

    our solution will be presented, followed by some analysis and

    discussions in section 3. Section 4 will be devoted to the simulation study, and finally the last section will conclude the paper and sketch our perspectives.

    II. SOLUTION OVERVIEW

    Our solution consists of three related steps: the monitoring

    step, in which nodes control each other when forwarding

    packets. The judgment step, in which nodes decide about the

    behavior of each monitored node based on the result of the previous step. And finally an isolation step, in which a detector node launches the execution of a testimony-based protocol to

    isolate the detected node.

    A. Monitoring

    Like the watchdog, in our solution each node A in the source route (like the watchdog, our protocol is also implemented with DSR [6]) monitors its successor B, and checks whether the latter forwards to C each packet it provides. We define a new kind of feedback that we call the two-hop ACK, an ACK that travels two hops. Node C acknowledges packets sent from A by sending A a two-hop ACK via B. Node B could, however, escape from the monitor without being detected by simply sending A a falsified two-hop ACK. Note that doing so is power-economic for B, since sending a short packet like an ACK consumes far less energy than sending a data packet. To get over this vulnerability we use an asymmetric-cryptography-based strategy as follows:

    Node A generates a random number and encrypts it with C's public key (PK), then appends it to the packet's header. When C receives the packet it retrieves the number, decrypts it using its secret key (SK), encrypts it using A's PK, and puts it in a two-hop ACK that it sends back to A via B. In the first hop (C, B), the ACK is piggybacked on the ordinary MAC ACK (using a cross-layer implementation) instead of being transmitted in a separate packet. When A receives the ACK it decrypts the random number and checks whether the number within the packet matches the one it has generated, to validate B's forwarding of the appropriate packet. However, if B does not forward the packet, A will not receive the two-hop ACK, and it will be able to detect this malicious behavior after a timeout. This strategy needs a security association between each pair of nodes to ensure that nodes share their PKs with each other. This requires a key distribution mechanism, which can be achieved by continuously appending public keys to route request (RREQ) and route reply (RREP) packets during each route discovery of DSR [6] until all public keys reach every node. To ensure authenticity of keys, a mechanism like the chain of trust [7] can be used. Note that the same keys could be employed for other security purposes at other layers.

    The watchdog's problems related to detection are mitigated with this approach, as B's forwarding validation at A is not only related to B's transmission, but also to C's reception. Nevertheless, the problem with this first solution is that it requires a two-hop ACK for each packet on each couple of hops, which might result in significant overhead.

    To decrease this cost we propose to randomize the ACK request, viz. A does not ask C for an ACK for each packet, but upon sending a packet to forward it randomly decides whether to ask for an ACK or not, with a probability p, then it conceals this decision in the packet. A simple way to conceal the decision is to exploit the random number. For instance, when the node decides to ask for an ACK it selects an even number, and an odd number when it decides not to ask for the ACK. This random selection strategy prevents the monitored node from deducing which packets contain ACK requests. Note that getting such information would allow a misbehaving node to drop packets with no requests without being detected.

    The probability p is continuously updated as follows: it is set to 1 (the initial value) when a timeout expires without receiving the requested ACK, and set to ptrust upon receiving the requested ACK.

    This way more trust is given to well-behaving nodes, and by setting p to 1 the ACK request is enforced after a missing ACK, which allows achieving nearly the same performance in true detections of misbehavior (true positives) as the ordinary two-hop ACK, as we will see later.
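The exchange described in this subsection, as an added example that is not code from the paper: node A hides the ACK request in the parity of an encrypted nonce, node C answers, and A rejects an ACK forged by B. Assumptions: a toy unpadded RSA built from Mersenne primes stands in for the public-key scheme, and the names `Monitor`, `successor_reply` and `demo` are hypothetical.

```python
import random
import secrets
from dataclasses import dataclass, field

# Toy textbook RSA from Mersenne primes: constructed for this demo only.
# Unpadded and far too small for real use; the paper itself proposes ECC.
E = 65537

def make_keypair(p, q):
    """Return (public, secret) keys as (modulus, exponent) pairs."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def rsa(key, value):
    n, exponent = key
    return pow(value, exponent, n)

@dataclass
class Monitor:
    """Node A: monitors B's forwarding towards C."""
    pub: tuple
    sec: tuple
    c_pub: tuple
    p_trust: float = 0.5
    p: float = 1.0                                 # ACK-request probability, initially 1
    pending: dict = field(default_factory=dict)    # packet id -> expected nonce

    def build_header(self, pkt_id, rng=random.random):
        """Pick a nonce whose parity hides the decision; encrypt it for C."""
        ask = rng() < self.p
        nonce = (1 << 127) | (secrets.randbits(126) << 1) | (0 if ask else 1)
        if ask:                                    # even nonce = ACK requested
            self.pending[pkt_id] = nonce
        return rsa(self.c_pub, nonce)

    def on_ack(self, pkt_id, ack_field):
        """Accept the two-hop ACK only if it carries A's own nonce."""
        expected = self.pending.get(pkt_id)
        if expected is None or rsa(self.sec, ack_field) != expected:
            return False                           # forged or unsolicited: timer keeps running
        del self.pending[pkt_id]
        self.p = self.p_trust                      # requested ACK received
        return True

    def on_timeout(self, pkt_id):
        """A requested ACK never arrived: count a dropping, force requests."""
        if self.pending.pop(pkt_id, None) is None:
            return False
        self.p = 1.0
        return True

def successor_reply(c_sec, a_pub, header_field):
    """Node C: decrypt the nonce and answer only if it is even."""
    nonce = rsa(c_sec, header_field)
    if nonce % 2:
        return None                                # odd nonce: no ACK was requested
    return rsa(a_pub, nonce)

def demo():
    a_pub, a_sec = make_keypair(2**61 - 1, 2**89 - 1)
    c_pub, c_sec = make_keypair(2**107 - 1, 2**127 - 1)
    a = Monitor(a_pub, a_sec, c_pub)
    results = {}
    hdr = a.build_header(1)                        # p = 1, so an ACK is requested
    # B cannot read the nonce, so it can only guess or replay what it saw.
    results["forged_by_B"] = a.on_ack(1, rsa(a_pub, secrets.randbits(120)))
    results["replayed_header"] = a.on_ack(1, hdr)
    results["genuine"] = a.on_ack(1, successor_reply(c_sec, a_pub, hdr))
    results["p_after_ack"] = a.p
    a.build_header(2, rng=lambda: 0.0)             # force a request; B drops the packet
    results["timeout_detected"] = a.on_timeout(2)
    results["p_after_timeout"] = a.p
    return results

if __name__ == "__main__":
    print(demo())
```
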

    B. Judgment

    The new monitoring method (random two-hop ACK) makes it possible to confirm the correct forwarding of packets. However, when a monitoring node notices that some packet has been dropped over a link, it should not directly accuse the monitored node of misbehaving, since this dropping could be caused by collisions or node mobility. Instead, a tolerance threshold should be fixed. In the following we propose a Bayesian approach allowing nodes to decide about the behavior of each other. In our approach, the threshold is not constant but increases with the node's good behavior.

    The Bayesian approach [8] is a mathematical estimation

    method, that consists of estimating a parameter the

    observations of which follow a Bernoulli distribution by

    a Beta distribution. The Bayesian approach for nodes

    reputation regarding packet forwarding in MANET has

    already been used by Buchegger and Le-Boudec [4], but

    their solution requires periodic transmissions of huge control

    packets.

    Since misbehaving is usually exception rather than the

    norm, information exchange in our solution is limited to negative impressions, thereby it is simpler and engenders no

    overhead when nodes well-behave. Hereafter, we describe

    our Bayesian-based approach.

    Each node i thinks that each other node j misbehaves with probability $\theta_j$, which is a random variable estimated by a Beta distribution $Beta(a, b)$. For brevity we remove the indices in the following, and simply denote this probability by $\theta$. Initially, with no prior information, $\theta$ is assumed uniform in [0,1], which is identical to $Beta(1,1)$. As observations, which follow a Bernoulli distribution with parameter $\theta$, are made, a and b are updated as follows: $a = a + u$, $b = b + 1 - u$, where u = 1 if the observation consists of a dropping, and 0 otherwise. A dropping in our solution is a lack of a required two-hop ACK. If the monitor does not ask for a two-hop ACK, the observation is considered as non-dropping. After as many observations as needed for the decision to be made ($\theta$ could be approximated by the mathematical expectation $E(Beta(a, b))$), j will be judged. This point is called the decision point, and the number of observations is expressed by a+b. Node j will be accused of misbehavior as soon as $E(Beta(a, b)) > E_{max}$. Note that $E(Beta(a, b)) = a/(a + b)$.

    Emax could be fixed to 0.5, or for more efficiency it should be estimated empirically for each network as follows:

    1) Make simulations with no misbehaving and compute E at each node for different scenarios that estimate the network.

    2) Retrieve the maximum value in all scenarios from the decision point, then consider it as Emax.

    In Buchegger's approach [4], every node periodically broadcasts in its neighborhood each $\theta_j$. Nodes use this information (known as second-hand information) to update their own opinion on nodes' behavior. To decide about the acceptance of provided information, each node performs complicated tests on the trustworthiness of the provider. The problem with this proactive solution is the significant overhead, even if nodes behave well. Our approach is rather reactive, thus no such information is exchanged. Indeed, each node performs monitoring separately and informs the others in order to isolate the attacker as soon as it judges it, as we will see in the following in more detail.
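The judgment rule of this subsection, as an added example that is not code from the paper: the Beta(a, b) update, the accusation test E(Beta(a, b)) > Emax, the empirical estimation of Emax from attack-free runs, and a comparison with a fixed drop counter. Assumptions: a decision point of a+b = 10 (the paper gives no value), the hypothetical names `BetaJudge`, `first_accusation`, `fixed_threshold_accusation` and `estimate_e_max`, and constructed observation traces.

```python
from dataclasses import dataclass

# One observation = (ACK asked, ACK received). Constructed shorthand.
OK, DROP, SKIP = (True, True), (True, False), (False, False)

@dataclass
class BetaJudge:
    e_max: float = 0.5
    decision_point: int = 10       # assumed value: minimum a+b before judging
    a: float = 1.0                 # Beta(1,1): uniform prior on theta
    b: float = 1.0

    def observe(self, asked, received):
        # A dropping is a missing *requested* ACK; no request counts as non-dropping.
        u = 1 if (asked and not received) else 0
        self.a += u
        self.b += 1 - u

    @property
    def expectation(self):
        return self.a / (self.a + self.b)

    def tolerable_drops(self):
        """a must exceed b*Emax/(1-Emax) for an accusation."""
        return self.b * self.e_max / (1 - self.e_max)

    def accused(self):
        return (self.a + self.b >= self.decision_point
                and self.expectation > self.e_max)

def first_accusation(trace, e_max=0.5, decision_point=10):
    """1-based index of the observation that triggers the accusation, or None."""
    judge = BetaJudge(e_max, decision_point)
    for i, (asked, received) in enumerate(trace, 1):
        judge.observe(asked, received)
        if judge.accused():
            return i
    return None

def fixed_threshold_accusation(trace, max_drops):
    """Watchdog-style constant threshold, for comparison (no redemption)."""
    drops = 0
    for i, (asked, received) in enumerate(trace, 1):
        drops += 1 if (asked and not received) else 0
        if drops > max_drops:
            return i
    return None

def estimate_e_max(clean_traces, decision_point=10):
    """Largest E seen from the decision point on, over attack-free runs."""
    worst = 0.0
    for trace in clean_traces:
        judge = BetaJudge(e_max=1.0, decision_point=decision_point)
        for asked, received in trace:
            judge.observe(asked, received)
            if judge.a + judge.b >= decision_point:
                worst = max(worst, judge.expectation)
    return worst

# Constructed traces: an honest node hit by collisions, and a persistent dropper.
LOSSY_HONEST = [DROP] * 3 + [OK] * 40 + [SKIP] * 10 + [DROP] * 3
DROPPER = [DROP, DROP, OK] * 10
CLEAN_RUNS = [([OK] * 9 + [DROP]) * 3, [DROP] * 2 + [OK] * 18]

if __name__ == "__main__":
    print("Beta, honest:", first_accusation(LOSSY_HONEST))
    print("fixed, honest:", fixed_threshold_accusation(LOSSY_HONEST, 5))
    print("Beta, dropper:", first_accusation(DROPPER))
    print("estimated Emax:", estimate_e_max(CLEAN_RUNS))
```
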

    C. Isolation

    Isolating a misbehaving node means:

    - do not route packets through it, to avoid losing them

    - do not forward packets for it, to punish it

    A node X that judges some other node Y as misbehaving

    should not isolate it unilaterally, but it must ensure its isolation

    by all nodes. This is because when X unilaterally isolates Y, the

    others could consider X as misbehaving when they realize that

    it does not forward packets for Y.

    In social life, a person that accuses another of a crime must show proof. One possible way to do so is to get a witness against the accused person.

    Similarly, we suggest a testimony-based protocol to isolate a detected node. Upon a detection, the detector informs nodes in its neighborhood about the dropper (the accused), and asks for witnesses by broadcasting a WREQ (Witness REQuest) packet. It also puts the detected node in a special node set we call the suspicious set. Each node receiving the WREQ immediately sends a signed WREP (Witness REPly) packet to the accuser in the following two cases:

    - if its suspicious set includes the accused

    - if the accused's misbehaving expectation is close to Emax and/or the number of control packets detected dropped is close to the configured maximum threshold

    Otherwise, when it has not enough experience with the accused, and if it is its neighbor, then it asks the successor of the accused node whether it has received packets forwarded from the latter, by sending an ACREQ (ACcusation REQuest) packet using a route that does not include the accused. But first, in order to avoid false accusations, the investigator should ensure that the accuser has really sent a packet to the accused to be forwarded to the appropriate successor. One possible way to do this is to check whether such a packet has been recently overheard using the promiscuous mode. The node should also check whether the accused has sent the accuser an ACK just after overhearing the data, to ensure that it has really received the packet and that the accuser is not impressing it, as will be illustrated later. Note that unlike the watchdog, the information provided by the promiscuous mode is not used for the monitoring, but only for testifying, aiming at improving efficiency on detections.

    If the accused's successor has not recently received any packet forwarded from the accused, it sends a signed ACREP (ACcusation REPly) packet to the investigator, then the latter testifies to the accusation and sends the accuser a signed WREP (Witness REPly) packet. When the detector collects k validations from its neighbors, with at least one provided by direct experience (without asking the successor of the accused), it broadcasts in the network an accusation packet (AC) containing the signatures of all validating nodes. The requirement of at least one direct witness will be argued later. Each node receiving such a valid accusation isolates the guilty node. Otherwise, if the detector fails to collect k validations, it does not isolate the detected node, but keeps it in the suspicious set.
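The witness procedure of this subsection, as an added example that is not code from the paper: how a neighbor answers a WREQ, and the check that an accusation carries k distinct valid signatures with at least one direct witness. Assumptions: per-node HMAC keys stand in for the public-key signatures, `margin` models "close to Emax", the accuser and the accused are not counted as witnesses, and the names `Neighbor`, `WRep`, `make_wrep`, `valid_witnesses` and `accusation_holds` are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Stand-in for public-key signatures: per-node HMAC keys (constructed values).
KEYS = {name: f"constructed-key-{name}".encode() for name in "ABCDEFG"}

def _msg(witness, accuser, accused, direct):
    return f"WREP|{witness}|{accuser}|{accused}|{int(direct)}".encode()

def sign(node, msg):
    return hmac.new(KEYS[node], msg, hashlib.sha256).digest()

@dataclass(frozen=True)
class WRep:
    witness: str
    accuser: str
    accused: str
    direct: bool        # True: own experience; False: obtained via ACREQ/ACREP
    sig: bytes

def make_wrep(witness, accuser, accused, direct):
    return WRep(witness, accuser, accused, direct,
                sign(witness, _msg(witness, accuser, accused, direct)))

@dataclass
class Neighbor:
    name: str
    suspicious: frozenset = frozenset()
    expectation: float = 0.0             # own E(Beta(a,b)) for the accused
    overheard: frozenset = frozenset()   # recently overheard (src, dst, kind) headers

    def testify(self, accuser, accused, successor_got_packet,
                e_max=0.5, margin=0.05):
        """Answer a WREQ with a direct WREP, an investigated WREP, or None."""
        if accused in self.suspicious or self.expectation >= e_max - margin:
            return make_wrep(self.name, accuser, accused, True)
        sent = (accuser, accused, "DATA") in self.overheard
        acked = (accused, accuser, "ACK") in self.overheard
        if not (sent and acked):
            return None                  # cannot show the accused received the packet
        if successor_got_packet:
            return None                  # ACREQ answered negatively: no ACREP
        return make_wrep(self.name, accuser, accused, False)

def valid_witnesses(accuser, accused, wreps):
    """Distinct witnesses whose signature matches the WREP they sent."""
    seen = {}
    for w in wreps:
        if w.accuser != accuser or w.accused != accused:
            continue
        if w.witness in (accuser, accused) or w.witness not in KEYS:
            continue                     # assumption: parties cannot testify
        expected = sign(w.witness, _msg(w.witness, accuser, accused, w.direct))
        if hmac.compare_digest(expected, w.sig):
            seen.setdefault(w.witness, w)
    return seen

def accusation_holds(accuser, accused, wreps, k):
    """Check run by the accuser before broadcasting AC, and by each receiver."""
    seen = valid_witnesses(accuser, accused, wreps)
    return len(seen) >= k and any(w.direct for w in seen.values())

if __name__ == "__main__":
    both = frozenset({("A", "B", "DATA"), ("B", "A", "ACK")})
    d = Neighbor("D", suspicious=frozenset({"B"})).testify("A", "B", False)
    e = Neighbor("E", overheard=both).testify("A", "B", False)
    print(accusation_holds("A", "B", [d, e], k=2))
```
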

    III. ANALYSIS

    Getting rid of the promiscuous mode based monitoring

    makes our monitoring solution independent of transmission

    powers, and resolves the watchdog false detection problem

    related to the employment of the power-control technique.

    Moreover, our solution resolves some of the watchdog's problems

    related to collisions.

    If we assume the average path length is H hops, the average communication complexity of our monitoring technique for n packets is $O\left(\frac{1+p_{trust}}{2}(H-1)\,n\right)$ two-hop ACK transmissions; it converges to $O(p_{trust}(H-1)\,n)$ when all nodes on the route behave well. This reduces the communication complexity of the ordinary two-hop ACK (our first monitoring solution), which is $O((H-1)\,n)$. That is by a factor of 1/Ptrust.

    Now, we discuss the detection efficiency of the random two-hop ACK vs. the ordinary two-hop ACK. We assume that there is no packet loss. Later in our simulation study we will investigate more realistic scenarios with mobility and collusion. As in the Bayesian judgment, we suppose that the monitored node misbehaves (drops the packet) with a probability $\theta$, i.e. the behavior of the node for each packet follows a Bernoulli distribution with parameter $\theta$. Monitoring n packets could be considered as simply the repetition of the previous operation (monitoring one packet) n times. Therefore, the number of packets dropped (pdr) for n packets is a random variable that is the sum of n random variables which follow a Bernoulli distribution with parameter $\theta$, and thus follows a Binomial distribution with expectation $E(pdr) = n\theta$.

    Theoretically, the ordinary two-hop ACK detects all of these packets (when the assumption of no packet loss holds). The purpose now is to assess the number of packets dropped and detected (pd) by the random two-hop ACK, i.e. E(pd).

    The probability of requesting an ACK is continuously updated; it differs from one operation (monitoring one packet) to

    another according to the result of the previous operation and

    the previous behavior.

    We denote the algorithm's probability of requesting an ACK for a packet i (the value of p set by the algorithm for the packet i, which is a random variable) by $P_i$. Consequently, the real probability (in the execution) of asking for an ACK for packet i + 1 would be expressed by $E(P_i)$. $P_i$ is fixed to 1 if in the previous operation the packet was dropped and detected, that is with probability (see footnote 2) $\theta \times E(P_{i-1})$, since the events of dropping the $i$th packet and requesting an ACK for the $(i-1)$th packet are independent. Otherwise, it is fixed to $P_{trust}$, i.e. with probability $1 - \theta E(P_{i-1})$. Therefore, the mathematical expectation of $P_i$ could be expressed by $1 \times \theta E(P_{i-1}) + P_{trust}(1 - \theta E(P_{i-1}))$. Hence:

    $$E(P_i) = P_{trust} + \theta(1 - P_{trust})E(P_{i-1}) \qquad (1)$$

    The number of packets detected by the random strategy (pd) also follows a Binomial distribution, since it is the result of repeating a Bernoulli operation n times with parameter $\theta P_i$, but the only difference from the continuous requesting is that here ($\theta P_i$) is not constant. We have:

    $$E(pd) = \sum_{i=1}^{n} \theta E(P_i) = \theta \sum_{i=1}^{n} E(P_i) \qquad (2)$$

    Note that $P_1 = 1$.

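    Lemma 1: $\forall i \geq 1$,

    $$E(P_i) = \theta^{i-1}(1 - P_{trust})^{i} + P_{trust}\sum_{j=0}^{i-1}\theta^{j}(1 - P_{trust})^{j}$$

    Proof:

    We prove this lemma by induction on i.

    For i = 1, we simply replace i by 1 in the formula, then we get $E(P_1) = 1$, which is correct. Now assume the formula holds for i-1; we will prove it for i. By assumption:

    $$E(P_{i-1}) = \theta^{i-2}(1 - P_{trust})^{i-1} + P_{trust}\sum_{j=0}^{i-2}\theta^{j}(1 - P_{trust})^{j}$$

    By replacing this expression of $E(P_{i-1})$ in (1) we obtain:

    $$E(P_i) = P_{trust} + \theta(1 - P_{trust})\left(\theta^{i-2}(1 - P_{trust})^{i-1} + P_{trust}\sum_{j=0}^{i-2}\theta^{j}(1 - P_{trust})^{j}\right)$$

    $$= P_{trust} + \theta^{i-1}(1 - P_{trust})^{i} + P_{trust}\sum_{j=1}^{i-1}\theta^{j}(1 - P_{trust})^{j}$$

    $$= \theta^{i-1}(1 - P_{trust})^{i} + P_{trust}\left(1 + \sum_{j=1}^{i-1}\theta^{j}(1 - P_{trust})^{j}\right).$$

    Since $\theta^{0}(1 - P_{trust})^{0} = 1$, we conclude:

    $$E(P_i) = \theta^{i-1}(1 - P_{trust})^{i} + P_{trust}\sum_{j=0}^{i-1}\theta^{j}(1 - P_{trust})^{j}$$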

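    Using this lemma, formula (2) could be developed into:

    $$E(pd) = \frac{\theta P_{trust}}{1 - \theta(1 - P_{trust})}\,n + \theta(1 - P_{trust})\,\frac{1 - \theta^{n}(1 - P_{trust})^{n}}{1 - \theta(1 - P_{trust})}\left(1 - \frac{\theta P_{trust}}{1 - \theta(1 - P_{trust})}\right) \qquad (3)$$

    The steps of simplification are removed due to space limitation.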

    This probability depends on many parameters; we will try to investigate it vs. some usual values of Ptrust.

    Footnote 2: The probability of detection is the probability of asking for an ACK in the $(i-1)$th operation.

    [Fig. 1. Detection Ratio (detection ratio vs. Theta, for Ptrust = 1/4, Ptrust = 1/2 and Ptrust = 3/4)]

    For $P_{trust} = 1/4$, $E(pd) \approx \frac{\theta}{4 - 3\theta}\,n$;

    for $P_{trust} = 1/2$, $E(pd) \approx \frac{\theta}{2 - \theta}\,n$;

    and finally, for $P_{trust} = 3/4$, $E(pd) \approx \frac{3\theta}{4 - \theta}\,n$.

    Figure 1 illustrates the approximated detection ratio according to $\theta$. By detection ratio we mean $E(pd)/E(pdr)$.

    Ptrust = 0.5 strikes a balance between efficiency and cost. It decreases the complexity overhead by as much as half, while keeping the detection ratio good enough, contrary to Ptrust = 0.25, which has too low values for low and average misbehaving, and to Ptrust = 0.75, which does not reduce the overhead enough. Thus, we fix Ptrust = 0.5 later in our simulation study.
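A numeric cross-check of the derivation above, as an added example that is not code from the paper: recurrence (1), Lemma 1, formulas (2) and (3) and the large-n detection ratio are computed independently, and a seeded simulation of the p update rule from the Monitoring subsection is compared with formula (3). The function names and the simulation parameters are assumptions chosen for this example.

```python
import random

def expected_p(theta, p_trust, n):
    """E(P_1), ..., E(P_n) from recurrence (1), starting at E(P_1) = 1."""
    values = [1.0]
    for _ in range(n - 1):
        values.append(p_trust + theta * (1 - p_trust) * values[-1])
    return values

def lemma1(theta, p_trust, i):
    """Closed form of E(P_i) stated in Lemma 1."""
    c = theta * (1 - p_trust)
    return (theta ** (i - 1) * (1 - p_trust) ** i
            + p_trust * sum(c ** j for j in range(i)))

def expected_detected(theta, p_trust, n):
    """Formula (2): theta times the sum of E(P_i) for i = 1..n."""
    return theta * sum(expected_p(theta, p_trust, n))

def expected_detected_closed(theta, p_trust, n):
    """Formula (3), the closed form of formula (2)."""
    c = theta * (1 - p_trust)
    x = theta * p_trust / (1 - c)
    return x * n + c * (1 - c ** n) / (1 - c) * (1 - x)

def detection_ratio(theta, p_trust):
    """Large-n approximation of E(pd)/E(pdr), the quantity plotted in Fig. 1."""
    return p_trust / (1 - theta * (1 - p_trust))

def simulate(theta, p_trust, n, trials, seed):
    """Average number of detected droppings under the random two-hop ACK policy."""
    rng = random.Random(seed)
    detected = 0
    for _ in range(trials):
        p = 1.0                           # initial request probability
        for _ in range(n):
            asked = rng.random() < p
            dropped = rng.random() < theta
            if asked and dropped:         # requested ACK missing: detection
                detected += 1
                p = 1.0
            elif asked:                   # requested ACK received
                p = p_trust
    return detected / trials

if __name__ == "__main__":
    for p_trust in (0.25, 0.5, 0.75):
        row = [round(detection_ratio(t / 10, p_trust), 3) for t in range(1, 11)]
        print(f"Ptrust={p_trust}: {row}")
    print(expected_detected_closed(0.3, 0.5, 200), simulate(0.3, 0.5, 200, 2000, 1))
```
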

    As illustrated, authentication of the two-hop ACK packet is

    ensured by employing encryption/decryption operations on the

    random number generated by the monitor and piggybacked

    to the monitored packet. For this, we propose to use the ECC

    encryption algorithm [9], which is more time-efficient than

    the standard RSA. The encryption time completely depends

    on the computation power of nodes and the length of keys.

    Anyway, our encryption operations have minor impact, since they are applied merely on the random number and not on

    the whole packet holding it.

    Because a packet dropping might be unintentional due to

    nodes mobility and channel conditions, accusation should not

    be made upon one dropping detection, but more observations

    must be noted. We have proposed a Bayesian approach

    to make such a judgment, where each node estimates

    each other's misbehavior with a probability that follows a

    Beta(a,b) distribution, whose parameters (a,b) are updated

    as observations are made. When enough observations with

    regard to a given monitored node are collected such that

    the judgment point is reached, the monitoring node will

    accuse the monitored one as soon as the estimated probability ($E(Beta(a, b))$) exceeds the configured maximum tolerance, i.e. $E(Beta(a, b)) > E_{max}$.

    $$E(Beta(a, b)) > E_{max} \iff \frac{a}{a+b} > E_{max} \iff a > \frac{b\,E_{max}}{1 - E_{max}}$$

    The latter ($\frac{b\,E_{max}}{1 - E_{max}}$) represents the tolerable number of packets, which is proportional to b, the number of packets forwarded. The more packets the node forwards, the more its tolerable threshold increases.

    Forwarding packets after unintentional or intentional droppings that do not result in accusation would decrease E, which allows redemption before accusation. This redemption would not be possible when setting the tolerable threshold to a fixed number of packets.

    Note that the strategy of dropping up to the tolerable threshold

    is not efficient for an attacker, since it cannot know whether

    and how much the monitor will notice false observations due

    to channel conditions or nodes mobility.

    Upon the detection of a misbehaving node, the detector launches

    locally in its neighborhood a call for witnesses using a

    broadcast control packet. This costs only one transmission.

    Neighbors that consider the accused as suspicious, or those

    that are monitoring the accused node and whose misbehaving

    estimations against it are close to the tolerable threshold testify

    against it by sending the requestor a signed reply packet. Those

    which have not enough experience with the accused investigate

    this accusation and ask the accused's successor whether it

    has recently received packets from the accused. But first, they

    ensure that the accuser really sent the packet to the accused

    to forward to the claimed successor. To do this they must be neighbors of the accused, otherwise they do not testify. The

    following example illustrates and analyzes the investigation:

    Assume three aligned nodes A, B and C, and another node

    D in A's range, as illustrated in figure 2. When A accuses B of not forwarding packets to C and sends a call for witnesses, D

    investigates the issue. But before asking C it ensures that A

    has really sent the packet and B has received it, by checking

    the data packet and ACK overheard. If it has recently received

    the data packet, D could not ensure that B has received it. For

    instance, if D is closer to A than B, A (attempting a DoS attack against B) could send the packet with a power strong enough to be overheard by D, but not by B. Requiring the reception of the ACK (see footnote 3) from B just after the data ensures that B has really received the data from A. To do this, D simply safeguards

    the overheard packets (their headers) during a short period.

    This way, a node that asks the accused's successor has no

    doubt that the accused has received a data packet to forward

    to the successor in question. Any collision at D prevents it

    from testifying, but has no effect on false detections.

    Upon the reception of the ACREQ, the asked node (C) replies

    with a signed ACREP packet if it has not received any

    packet from B. A coincidental collision at C at that moment,

    however, would result in a false reply if A is attempting

    a DoS attack, then in a false testimony. Nevertheless, the

    requirement of at least one direct testimony (provided from a

    direct experience) mitigates wrong accusation caused by this kind of false testimonies.

    The signature of the packets prevents their spoofing, thus no

    node could testify using the ID of another.

    The accuser has to collect k different signatures to approve its accusation. Theoretically, $k-1$ is the maximum number of misbehaving nodes that could exist at any time. In practice, however, it is hard to determine such a number, so it should be fixed to strike a balance between efficiency and robustness. Setting k to a high value increases the robustness of the protocol against false detections and rumors, but decreases its efficiency regarding true detections. On the other hand, a low value of k allows high detections, but opens the vulnerability to rumors and increases the unintentional false detections (false positives), since k nodes could collude to maliciously accuse any node, or could wrongly accuse it. This issue related to k will be investigated later in our simulations.

    Footnote 3: The source of this ACK should be authenticated at the MAC level, to prevent spoofing MAC addresses.

    [Fig. 2. Example of nodes' connections]

    Once the accuser collects k valid signatures, it broadcasts an accusation packet including all signatures through the network to isolate the guilty node. This broadcast is costly, but it is not performed until a node is detected and approved as misbehaving. Except for monitoring, our solution requires no overhead as long as nodes behave well, as no opinions are exchanged periodically. This makes our solution reactive, unlike the current reputation-based solutions [1].

    Regarding monitoring, the randomization of the two-hop ACK

    reduces dramatically the overhead, as it will be shown in the

    following section. Also, the inclusion of two-hop ACK in the

    ordinary ACK for each first hop reduces the number of two-

    hop ACK packets as much as half compared with a separate

    transmission on each hop.

    IV. SIMULATION-BASED ASSESSMENT

    To assess the performance of our solution in a mobile environment, we have conducted a GloMoSim-based [10] simulation study that we present hereafter.

    We have simulated a network of 50 nodes, located in an area of 1500×1000 m², where they move following the random waypoint model during the 900 seconds of simulation time. To

    generate traffic, we used three CBR sessions between remote

    nodes, each session consists of continually sending a 512 bytes

    data packet each second. On each hop, each data packet is

    transmitted using a controlled power according to the distance

    between the transmitter and the receiver. In these conditions

    we remarked many link changes and collisions.

    First, we remarked that our monitoring approach dramatically improves the detection rate compared to the watchdog, i.e. it decreases the false detections and increases the true detections. We also remarked that the random version reduces the overhead while keeping the efficiency close to that of the ordinary two-hop ACK. Figure 3 shows the false detection rate of the two versions of our monitoring approach and the watchdog vs. the rate of misbehaving nodes. Figures regarding the true detection and the overhead are omitted because of space limitation.

    [Fig. 3. False detection vs. Misbehaving rate (false detection rate vs. misbehaving nodes rate, for 2HopACK, Random2HopACK and WD)]

    [Fig. 4. True detection vs. Misbehaving rate (true positive rate vs. misbehaving monitored nodes rate, for 2Witness and 1Witness)]

    To investigate the impact of the parameter k (the required number of witnesses) we compare two versions, respectively denoted by one witness and two witness (the first with k = 1, the second with k = 2). As illustrated in figures 4 and 5, two witness considerably improves (decreases) the false positive rate, but loses a little bit on true positive rate compared with one witness, especially when the misbehaving rate exceeds 10%.

    False detections in our scenarios are due to node mobility and collisions. The one-witness version has unacceptable values with respect to this metric, particularly when the misbehaving rate is low. Two-witness mitigates this shortcoming, and also cuts down the vulnerability to the collusive false accusation attack compared with one-witness, since more than two nodes have to collude to isolate a node.

    The parameter k could be increased to be less tolerant of false detections and false accusation attacks, but should depend on node connectivity so as not to lose efficiency on detections. In networks with low connectivity, it should not be increased much, because this would prevent nodes from finding witnesses, and consequently reduce the detection efficiency.

    V. CONCLUSION

    In this work we have proposed a solution to monitor and safely isolate malicious nodes that drop packets in MANET. Instead of relying on promiscuous monitoring (the watchdog), used by all the current solutions, our monitor is based on an efficient technique (namely the random two-hop ACK) that gets over the watchdog's limitations. Simulation results also show that the random requesting reduces the overhead, while keeping the efficiency on detection good enough. After detection, we proposed a testimony-based protocol that forces the detector to collect at least k witnesses before isolating the detected node. Fixing k is a trade-off problem: high values mitigate rumors aiming at DoS attacks as well as false detections (especially for control packets, with which we have been more severe), but reduce the efficiency on detections, contrary to low values. In our simulation, the protocol with two witnesses showed considerable improvement regarding false accusation while keeping the true detection good enough. This parameter could be raised to ensure more robustness, but should depend on the connectivity to keep efficiency.

    [Fig. 5. False detection vs. Misbehaving rate (false positive rate vs. misbehaving monitored nodes rate, for 2Witness and 1Witness)]

    In this proposal we have focused on data packets. As a perspective, we plan to complete the solution to deal with selfish misbehavior. Contrary to an attacker, a selfish dropper is not interested in dropping only data packets, but also control packets, to exclude itself from routes. We especially aim at proposing solutions for control packets.

    REFERENCES

    [1] D. Djenouri, L. Khalladi, and N. Badache, "A survey of security issues in mobile ad hoc and sensor networks," IEEE Communications Surveys and Tutorials, vol. 7, no. 4, pp. 2-28, 2005.

    [2] Y.-C. Hu and A. Perrig, "A survey of secure wireless ad hoc routing," IEEE Security and Privacy, vol. 2, no. 3, pp. 28-39, 2004.

    [3] D. Djenouri and N. Badache, "New power-aware routing for mobile ad hoc networks," The International Journal of Ad Hoc and Ubiquitous Computing (Inderscience), vol. 1, no. 3, 2005.

    [4] S. Buchegger and J.-Y. Le-Boudec, "A robust reputation system for p2p and mobile ad-hoc networks," in Second Workshop on the Economics of Peer-to-Peer Systems, Berkeley, CA, USA, June 2004.

    [5] P. Michiardi and R. Molva, "CORE: A collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks," in Communication and Multimedia Security Conference, Portoroz, Slovenia, September 26-27 2002.

    [6] B. David and A. David, "Dynamic source routing in ad hoc wireless networks," in Mobile Computing. Kluwer Academic, 1996, vol. 353, pp. 153-181.

    [7] S. Capkun, L. Buttyan, and J.-P. Hubaux, "Self-organized public-key management for mobile ad hoc networks," IEEE Transactions on Mobile Computing, vol. 2, no. 1, pp. 52-64, January 2003.

    [8] A. Davison, "Bayesian Models," Chapter 11 in Manuscript. Springer, 2000.

    [9] V. Miller and N. Koblitz, "Elliptic curve cryptosystems," Mathematics of Computation, pp. 203-209, 1985.

    [10] X. Zeng, R. Bagrodia, and M. Gerla, "Glomosim: A library for the parallel simulation of large-scale wireless networks," in The 12th Workshop on Parallel and Distributed Simulation, PADS'98, Banff, Alberta, Canada, May 1998, pp. 154-161.