PgNet2006
8/7/2019 PgNet2006
Testimony-based Isolation: New Approach To
Overcome Packet Dropping Attacks in MANET
Djamel Djenouri1, Nadjib Badache2
1: CERIST Center of Research, Algiers 16030, Algeria.
2: USTHB University, Algiers, Algeria.
Emails: [email protected], [email protected]
Abstract: Attackers could take advantage of the cooperative nature of
MANET routing protocols by participating in the route discovery
procedure to include themselves in routes, then simply dropping data
packets during the forwarding phase, aiming at a DoS (Denial of Service)
attack. In this paper we deal with the detection and isolation of such
malicious nodes. We first propose a monitoring technique, different from
the promiscuous overhearing (watchdog) used by almost all the current
solutions, that overcomes many of the watchdog's shortcomings. After that
we propose a testimony-based isolation protocol based on our monitoring
technique.
I. INTRODUCTION
Security in MANETs attracts more and more researchers, with its variety
of fields, problems, and challenges arising from the features of this
infrastructureless environment [1]. One of the complex problems is
detecting and isolating nodes that drop packets they receive to forward.
Current secure routing protocols [2] aim at protecting the route
discovery and route maintenance procedures. However, the packet dropping
attack is launched during the forwarding phase. Although it can be
launched easily, it is difficult to detect. In the context of selfish
node detection and isolation, many solutions have been proposed [1].
Selfish nodes also drop data packets; they differ from malicious nodes
only with respect to their purpose. Like malicious nodes, selfish nodes
drop packets, but they do so to save their resources and do not aim at
damaging others. Still, all the detective solutions could be used in the
context of malicious nodes. All these solutions, however, rely on the
watchdog technique, and thus inherit all its drawbacks.
The principle of the watchdog is that each node in the source route
monitors its successor after it sends it a packet to forward, by
overhearing the channel. A monitor accuses a monitored node of
misbehaving when it detects that the latter drops more than a given
number (threshold) of packets. This basic monitoring technique has no
overhead when nodes do not misbehave. Nevertheless, it suffers from some
problems, especially when using the transmission power control technique
employed by some new power-aware routing protocols that followed the
watchdog's proposal, such as [3].
Assume three aligned nodes A, B and C, such that A sends B a packet and
monitors its forwarding to C, and let us assume that B uses the power
control technique. When A is closer to B than C, B could circumvent the
watchdog by using a transmission power strong enough to reach A but less
than the one required to reach C, which is power-efficient for B. On the
other hand, when C is closer to B than A, and B behaves correctly but
uses the power control technique, A could not overhear B's forwarding to
C and will wrongly notice a packet dropping, which might result in false
detections when the number of packets falsely detected exceeds the
configured threshold. Further, packet collisions either at C or A during
the monitoring could cause false detections, and after a collision at C,
B could evade A's monitoring by not retransmitting the packet.
In this proposal we suggest a novel monitoring approach to overcome the
watchdog's problems with reasonable overhead. We also propose a Bayesian
approach for node accusation that enables node redemption before
judgment. Finally, we suggest a social-based approach to approve
detections and safely isolate guilty nodes. The aim of this approach is
to consider and avoid the vulnerability to false accusation attacks
(rumors), as well as to decrease false positives that might be caused by
channel conditions and node mobility. In contrast to the current
solutions [4], [5], where each node unilaterally isolates nodes it judges
as misbehaving, our isolation mechanism safely enables all nodes together
to isolate the attacker. Unilateral isolation could cause problems, as we
will see later.
The remainder of the paper is organized as follows: Next, our solution
will be presented, followed by some analysis and discussions in section
3. Section 4 will be devoted to the simulation study, and finally the
last section will conclude the paper and sketch our perspectives.
II. SOLUTION OVERVIEW
Our solution consists of three related steps: the monitoring step, in
which nodes control each other when forwarding packets; the judgment
step, in which nodes decide about the behavior of each monitored node
based on the result of the previous step; and finally an isolation step,
in which a detector node launches the execution of a testimony-based
protocol to isolate the detected node.
A. Monitoring
Like the watchdog, in our solution each node A in the source route
(footnote 1) monitors its successor B, and checks whether the latter
forwards to C each packet it provides. We define a new kind of feedback
we call the two-hop ACK, an ACK that travels two hops. Node C
acknowledges packets sent from A by sending A, via B, a two-hop ACK.
Node B could, however, escape from the monitor without being detected by
simply sending A a falsified two-hop ACK. Note that behaving in this way
is power-economic for B, since sending a short packet like an ACK
consumes much less energy than a data packet. To get over this
vulnerability we use an asymmetric cryptography based strategy as
follows:
Footnote 1: Like the watchdog, our protocol is also implemented with DSR [6].
Node A generates a random number and encrypts it with C's public key
(PK), then appends it to the packet's header. When C receives the packet
it retrieves the number, decrypts it using its secret key (SK), encrypts
it using A's PK, and puts it in a two-hop ACK it sends back to A via B.
In the first hop (C, B), the ACK is piggybacked on the ordinary MAC ACK
(using a cross-layer implementation) instead of being transmitted in a
separate packet. When A receives the ACK it decrypts the random number
and checks whether the number within the packet matches the one it has
generated, to validate B's forwarding of the appropriate packet. However,
if B does not forward the packet, A will not receive the two-hop ACK, and
it will be able to detect this malicious behavior after a timeout. This
strategy needs a security association between each pair of nodes to
ensure that nodes share their PKs with each other. This requires a key
distribution mechanism, which can be achieved by continuously appending
public keys to route request (RREQ) and route reply (RREP) packets during
each route discovery of DSR [6] until all public keys reach every node.
To ensure the authenticity of keys, a mechanism like the chain of trust
[7] can be used. Note that the same keys could be employed for other
security purposes at other layers.
The watchdog's problems related to detection are mitigated with this
approach, since the validation of B's forwarding at A is not only related
to B's transmission, but to C's reception. Nevertheless, the problem with
this first solution is that it requires a two-hop ACK for each packet on
each couple of hops, which might result in significant overhead.
To decrease this cost we propose to randomize the ACK request, viz. A
does not ask C for an ACK for each packet, but upon sending a packet to
forward it randomly decides whether to ask for an ACK or not, with a
probability p, then it conceals this decision in the packet. A simple way
to conceal the decision is to exploit the random number. For instance,
when the node decides to ask for an ACK it selects an even number, and an
odd number when it decides not to ask for the ACK. This random selection
strategy prevents the monitored node from deducing which packets contain
ACK requests. Note that getting such information would allow a
misbehaving node to drop packets with no requests without being detected.
The probability p is continuously updated as follows: it is set to 1 (the
initial value) when a timeout expires without receiving the requested
ACK, and set to $P_{trust}$ upon receiving the requested ACK.
This way more trust is given to well-behaving nodes, and by setting p to
1 the ACK request is enforced after a missing ACK, which allows achieving
almost the same performance in true detections of misbehavior (true
positives) as the ordinary two-hop ACK, as we will see later.
B. Judgment
The new monitoring method (random two-hop ACK) allows confirming the
correct forwarding of packets. However, when a monitoring node notices
that some packet has been dropped over a link it should not directly
accuse the monitored node of misbehaving, since this dropping could be
caused by collisions or node mobility. Instead, a tolerance threshold
should be fixed. In the following we propose a Bayesian approach allowing
nodes to decide about the behavior of each other. In our approach, the
threshold is not constant but increases as the node behaves well.
The Bayesian approach [8] is a mathematical estimation method that
consists of estimating a parameter, the observations of which follow a
Bernoulli distribution, by a Beta distribution. The Bayesian approach for
node reputation regarding packet forwarding in MANETs has already been
used by Buchegger and Le-Boudec [4], but their solution requires periodic
transmissions of huge control packets.
Since misbehaving is usually the exception rather than the norm,
information exchange in our solution is limited to negative impressions;
it is thereby simpler and engenders no overhead when nodes behave well.
Hereafter, we describe our Bayesian-based approach.
Each node i thinks that each other node j misbehaves with probability
$\theta_j$, which is a random variable estimated by a Beta distribution
$Beta(a, b)$. For brevity we remove the indices in the following, and
simply denote this probability by $\theta$. Initially, with no prior
information, $\theta$ is assumed uniform in [0,1], which is identical to
$Beta(1, 1)$. As observations, which follow a Bernoulli distribution with
parameter $\theta$, are made, a and b are updated as follows:
$a = a + u$, $b = b + 1 - u$, where $u = 1$ if the observation consists
of a dropping, and 0 otherwise. A dropping in our solution is a lack of a
required two-hop ACK. If the monitor does not ask for a two-hop ACK, the
observation is considered as non-dropping. After as many observations as
the decision could be made ($\theta$ could be approximated by the
mathematical expectation $E(Beta(a, b))$), j will be judged. This point
is denoted the decision point, and the number of observations is
expressed by a+b. j will be accused of misbehavior as soon as
$E(Beta(a, b)) > E_{max}$. Note that $E(Beta(a, b)) = a/(a + b)$.
$E_{max}$ could be fixed to 0.5, or for more efficiency it should be
estimated empirically for each network as follows:
1) Run simulations with no misbehaving nodes and compute E at each node
for different scenarios that estimate the network.
2) Retrieve the maximum value in all scenarios from the decision point,
then consider it as $E_{max}$.
In Buchegger's approach [4], every node periodically broadcasts in its
neighborhood each $\theta_j$. Nodes use this information (known as
second-hand information) to update their own opinion on nodes' behavior.
To decide about the acceptance of a provided piece of information, each
node performs complicated tests on the trustworthiness of the provider.
The problem with this proactive solution is the significant overhead,
even if nodes behave well. Our approach is rather reactive, thus no such
information is exchanged. Instead, each node performs monitoring
separately and informs the others in order to isolate the attacker as
soon as it judges it, as we will see in the following in more detail.
C. Isolation
Isolating a misbehaving node means:
- do not route packets through it, to avoid losing them
- do not forward packets for it, to punish it
A node X that judges some other node Y as misbehaving should not isolate
it unilaterally, but must ensure its isolation by all nodes. This is
because when X unilaterally isolates Y, the others could consider X as
misbehaving when they realize that it does not forward packets for Y.
In social life, a person who accuses another of a crime must show proof.
One possible way to do so is to get a witness against the accused person.
Likewise, we suggest a testimony-based protocol to isolate a detected
node. Upon a detection, the detector informs nodes in its neighborhood
about the dropper (the accused), and asks for witnesses by broadcasting a
WREQ (Witness REQuest) packet. It also puts the detected node in a
special node set we call the suspicious set. Each node receiving the WREQ
immediately sends a signed WREP (Witness REPly) packet to the accuser in
the following two cases:
- if its suspicious set includes the accused
- if the accused's misbehaving expectation is close to $E_{max}$ and/or
  the number of control packets detected dropped is close to the
  configured maximum threshold
Otherwise, when it does not have enough experience with the accused, and
if it is its neighbor, it asks the successor of the accused node whether
it has received packets forwarded from the latter, by sending an ACREQ
(ACcusation REQuest) packet using a route that does not include the
accused. But first, in order to avoid false accusations, the investigator
should ensure that the accuser has really sent a packet to the accused to
be forwarded to the appropriate successor. One possible way to do this is
to check whether such a packet has been recently overheard using the
promiscuous mode. The node should also check whether the accused has sent
the accuser an ACK just after overhearing the data, to ensure that it has
really received the packet and that the accuser is not framing it, as
will be illustrated later. Note that unlike the watchdog, the information
provided by the promiscuous mode is not used for the monitoring, but only
for testifying, aiming at improving detection efficiency.
If the accused's successor has not recently received any packet forwarded
from the accused, it sends a signed ACREP (ACcusation REPly) packet to
the investigator, which then testifies to the accusation and sends the
accuser a signed WREP (Witness REPly) packet. When the detector collects
k validations from its neighbors, with at least one provided by direct
experience (without asking the successor of the accused), it broadcasts
in the network an accusation packet (AC) containing the signatures of all
validating nodes. The requirement of at least one direct witness will be
argued later. Each node receiving such a valid accusation isolates the
guilty node. Otherwise, if the detector fails to collect k validations it
does not isolate the detected node, but keeps it in the suspicious set.
III. ANALYSIS
Getting rid of promiscuous-mode-based monitoring makes our monitoring
solution independent of transmission powers, and resolves the watchdog's
false detection problem related to the use of the power-control
technique. Moreover, our solution resolves some of the watchdog's
problems related to collisions.
If we assume the average path length is H hops, the average communication
complexity of our monitoring technique for n packets is
$O\left(\frac{1+P_{trust}}{2}\,(H-1)\,n\right)$ two-hop ACK
transmissions; it converges to $O(P_{trust}\,(H-1)\,n)$ when all nodes on
the route behave well. This reduces the communication complexity of the
ordinary two-hop ACK (our first monitoring solution), which is
$O((H-1)\,n)$. That is by a factor of $1/P_{trust}$.
Now we discuss the detection efficiency of the random two-hop ACK vs. the
ordinary two-hop ACK. We assume that there is no packet loss. Later in
our simulation study we will investigate more realistic scenarios with
mobility and collusion. As in the Bayesian judgment, we suppose that the
monitored node misbehaves (drops the packet) with a probability $\theta$,
i.e. the behavior of the node for each packet follows a Bernoulli
distribution with parameter $\theta$. Monitoring n packets can be
considered as simply the repetition of the previous operation (monitoring
one packet) n times. Therefore, the number of packets dropped (pdr) for n
packets is a random variable that is the sum of n random variables which
follow a Bernoulli distribution with parameter $\theta$, and thus follows
a Binomial distribution with expectation $E(pdr) = \theta n$.
Theoretically, the ordinary two-hop ACK detects all of these packets
(when the assumption of no packet loss holds). The purpose now is to
assess the number of packets dropped and detected (pd) by the random
two-hop ACK, i.e. $E(pd)$.
The probability of requesting an ACK is continuously updated; it differs
from one operation (monitoring one packet) to another according to the
result of the previous operation and the previous behavior.
We denote the algorithm's probability of requesting an ACK for a packet i
(the value of p set by the algorithm for packet i, which is a random
variable) by $P_i$. Consequently, the real probability (in the execution)
of asking for an ACK for packet i + 1 would be expressed by $E(P_i)$.
$P_i$ is fixed to 1 if in the previous operation the packet was dropped
and detected, that is with the probability (footnote 2)
$\theta E(P_{i-1})$, since the events "dropping the $i$th packet" and
"requesting an ACK for the $(i-1)$th packet" are independent. Otherwise,
it is fixed to $P_{trust}$, i.e. with probability
$1 - \theta E(P_{i-1})$. Therefore, the mathematical expectation of $P_i$
could be expressed by
$1 \times \theta E(P_{i-1}) + P_{trust}(1 - \theta E(P_{i-1}))$. Hence:
$$E(P_i) = P_{trust} + \theta(1 - P_{trust})E(P_{i-1}) \qquad (1)$$
The number of packets detected by the random strategy (pd) also follows a
Binomial distribution, since it is the result of repeating a Bernoulli
operation n times with parameter $\theta P_i$, but the only difference
from the continuous requesting is that in the random strategy $P_i$ is
not constant. We have:
$$E(pd) = \sum_{i=1}^{n} \theta E(P_i) = \theta \sum_{i=1}^{n} E(P_i) \qquad (2)$$
Note that $P_1 = 1$.
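Lemma 1: $\forall i \geq 1$,
$$E(P_i) = \theta^{i-1}(1 - P_{trust})^{i} + P_{trust}\sum_{j=0}^{i-1}\theta^{j}(1 - P_{trust})^{j}$$
Proof:
We prove this lemma by induction on i.
For i = 1, we simply replace i by 1 in the formula, and we get
$E(P_1) = 1$, which is correct.
Now assume the formula holds for i-1; we will prove it for i. By
assumption:
$$E(P_{i-1}) = \theta^{i-2}(1 - P_{trust})^{i-1} + P_{trust}\sum_{j=0}^{i-2}\theta^{j}(1 - P_{trust})^{j}$$
By replacing this expression of $E(P_{i-1})$ in (1) we obtain:
$$E(P_i) = P_{trust} + \theta(1 - P_{trust})\left(\theta^{i-2}(1 - P_{trust})^{i-1} + P_{trust}\sum_{j=0}^{i-2}\theta^{j}(1 - P_{trust})^{j}\right)$$
$$= P_{trust} + \theta^{i-1}(1 - P_{trust})^{i} + P_{trust}\sum_{j=1}^{i-1}\theta^{j}(1 - P_{trust})^{j}$$
$$= \theta^{i-1}(1 - P_{trust})^{i} + P_{trust}\left(1 + \sum_{j=1}^{i-1}\theta^{j}(1 - P_{trust})^{j}\right).$$
Since $\theta^{0}(1 - P_{trust})^{0} = 1$, we conclude:
$$E(P_i) = \theta^{i-1}(1 - P_{trust})^{i} + P_{trust}\sum_{j=0}^{i-1}\theta^{j}(1 - P_{trust})^{j}$$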
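Using this lemma, formula (2) could be developed into:
$$E(pd) = \frac{P_{trust}}{1 - \theta(1 - P_{trust})}\,\theta n + \theta(1 - P_{trust})\,\frac{1 - \theta^{n}(1 - P_{trust})^{n}}{1 - \theta(1 - P_{trust})}\left(1 - \frac{\theta P_{trust}}{1 - \theta(1 - P_{trust})}\right) \qquad (3)$$
The steps of simplification are removed due to space limitation.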
This probability depends on many parameters; we will try to investigate
it vs. some usual values of $P_{trust}$.
For $P_{trust} = 1/4$, $E(pd) \approx \frac{\theta}{4 - 3\theta}\,n$;
for $P_{trust} = 1/2$, $E(pd) \approx \frac{\theta}{2 - \theta}\,n$;
and finally, for $P_{trust} = 3/4$, $E(pd) \approx \frac{3\theta}{4 - \theta}\,n$.
Footnote 2: The probability of detection is the probability of asking for an ACK in the $(i-1)$th operation.
[Fig. 1. Detection Ratio (y-axis: detection ratio; x-axis: Theta; curves: Ptrust = 1/4, Ptrust = 1/2, Ptrust = 3/4)]
Figure 1 illustrates the approximated detection ratio according to
$\theta$. By detection ratio we mean $E(pd)/E(pdr)$.
$P_{trust} = 0.5$ strikes a balance between efficiency and cost. It
decreases the overhead complexity by as much as half, while keeping the
detection ratio good enough, in contrast to $P_{trust} = 0.25$, which has
too low values for low and average misbehaving, and to
$P_{trust} = 0.75$, which does not reduce the overhead enough. Thus, we
fix $P_{trust} = 0.5$ later in our simulation study.
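The following Python sketch is an added example, not the authors' code. It implements the monitor's update rule for p with the even/odd concealment of the ACK request, and checks a Monte Carlo run against recurrence (1), sum (2) and closed form (3). The class and function names are hypothetical, and the public-key encryption of the random number is omitted: B is simply modelled as unable to read or forge it.

```python
import random


def expected_detected_recurrence(n, theta, p_trust):
    """E(pd) = theta * sum_{i=1..n} E(P_i), equations (1) and (2), with P_1 = 1."""
    total, e_p = 0.0, 1.0
    for _ in range(n):
        total += e_p
        e_p = p_trust + theta * (1.0 - p_trust) * e_p   # equation (1)
    return theta * total


def expected_detected_closed(n, theta, p_trust):
    """Closed form (3); requires theta * (1 - p_trust) < 1."""
    q = theta * (1.0 - p_trust)
    steady = p_trust / (1.0 - q) * theta * n
    transient = q * (1.0 - q ** n) / (1.0 - q) * (1.0 - theta * p_trust / (1.0 - q))
    return steady + transient


class Monitor:
    """Node A watching its successor B with the random two-hop ACK."""

    def __init__(self, p_trust, rng):
        self.p_trust = p_trust
        self.rng = rng      # simulation RNG; a real node needs a CSPRNG for the number
        self.p = 1.0        # initial value of p

    def make_nonce(self):
        """Pick the random number: even means an ACK is requested, odd means it is not."""
        want_ack = self.rng.random() < self.p
        nonce = self.rng.getrandbits(64)
        return (nonce & ~1) if want_ack else (nonce | 1)

    def on_result(self, nonce, echoed):
        """echoed is the number carried by the two-hop ACK, or None on timeout.
        Returns True when a drop is detected."""
        if nonce & 1:
            return False                  # no ACK requested: counted as non-dropping
        if echoed == nonce:
            self.p = self.p_trust         # requested ACK received
            return False
        self.p = 1.0                      # timeout or falsified ACK
        return True


def simulate(n, theta, p_trust, seed):
    """B drops each packet with probability theta; returns the number of detected drops."""
    rng = random.Random(seed)
    mon = Monitor(p_trust, rng)
    detected = 0
    for _ in range(n):
        nonce = mon.make_nonce()
        dropped = rng.random() < theta
        # C answers only when the packet arrived and the number is even.
        echoed = nonce if (not dropped and nonce % 2 == 0) else None
        detected += mon.on_result(nonce, echoed)
    return detected


def mean_detected(n, theta, p_trust, trials, seed=1):
    return sum(simulate(n, theta, p_trust, seed + t) for t in range(trials)) / trials


if __name__ == "__main__":
    n = 200
    for p_trust in (0.25, 0.5, 0.75):
        for theta in (0.1, 0.5, 0.9):
            closed = expected_detected_closed(n, theta, p_trust)
            sim = mean_detected(n, theta, p_trust, trials=2000)
            print(f"Ptrust={p_trust} theta={theta}: E(pd)={closed:.2f} "
                  f"simulated={sim:.2f} ratio={closed / (theta * n):.2f}")
```
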
As illustrated, authentication of the two-hop ACK packet is ensured by
employing encryption/decryption operations on the random number generated
by the monitor and piggybacked on the monitored packet. For this, we
propose to use the ECC encryption algorithm [9], which is more
time-efficient than the standard RSA. The encryption time completely
depends on the computation power of nodes and the length of keys. Anyway,
our encryption operations have minor impact, since they are applied
merely on the random number and not on the whole packet holding it.
Because a packet dropping might be unintentional due to node mobility and
channel conditions, an accusation should not be made upon one dropping
detection, but more observations must be noted. We have proposed a
Bayesian approach to make such a judgment, where each node estimates each
other's misbehavior with a probability that follows a $Beta(a, b)$
distribution, whose parameters (a, b) are updated as observations are
made. When enough observations with regard to a given monitored node are
collected such that the judgment point is reached, the monitoring node
will accuse the monitored one as soon as the estimated probability
$E(Beta(a, b))$ exceeds the configured maximum tolerance, i.e.
$E(Beta(a, b)) > E_{max}$.
$$E(Beta(a, b)) > E_{max} \iff \frac{a}{a+b} > E_{max} \iff a > \frac{b\,E_{max}}{1 - E_{max}}$$
The latter quantity, $\frac{b\,E_{max}}{1 - E_{max}}$, represents the
tolerable number of packets, which is proportional to b, the number of
packets forwarded. The more packets the node forwards, the more its
tolerable threshold increases.
Forwarding packets after unintentional or intentional droppings that do
not result in accusation would decrease E, which allows redemption before
accusation. This redemption would not be possible when setting the
tolerable threshold to a fixed number of packets.
Note that the strategy of dropping up to the tolerable threshold is not
efficient for an attacker, since it cannot know whether and how much the
monitor will notice false observations due to channel conditions or node
mobility.
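The judgment rule and the redemption argument above can be run on sample observation traces. The following Python sketch is an added example, not the authors' code; the class name, the traces and the decision point of a+b = 20 are assumptions (the paper gives no value for the decision point), and the fixed threshold of 5 drops is chosen only for comparison.

```python
from dataclasses import dataclass


@dataclass
class BetaJudge:
    """One monitor's opinion of one monitored node: Beta(a, b), prior Beta(1, 1)."""
    e_max: float = 0.5
    decision_point: int = 20     # assumed value of a+b from which judging starts
    a: int = 1
    b: int = 1

    def observe(self, ack_requested, ack_received):
        # A dropping is a lack of a *requested* two-hop ACK; an unrequested
        # packet is counted as non-dropping.
        u = 1 if (ack_requested and not ack_received) else 0
        self.a += u
        self.b += 1 - u

    def expectation(self):
        return self.a / (self.a + self.b)

    def tolerable_drops(self):
        """b * Emax / (1 - Emax): grows with the number of forwarded packets."""
        return self.b * self.e_max / (1.0 - self.e_max)

    def accuses(self):
        return (self.a + self.b >= self.decision_point
                and self.expectation() > self.e_max)


def first_accusation(trace, **params):
    """Return (index of the observation that triggers the accusation or None, judge)."""
    judge = BetaJudge(**params)
    for i, (requested, received) in enumerate(trace, start=1):
        judge.observe(requested, received)
        if judge.accuses():
            return i, judge
    return None, judge


def first_accusation_fixed(trace, max_drops):
    """Baseline: accuse once more than max_drops drops were seen, with no redemption."""
    drops = 0
    for i, (requested, received) in enumerate(trace, start=1):
        drops += 1 if (requested and not received) else 0
        if drops > max_drops:
            return i
    return None


# Constructed observation traces: (ack_requested, ack_received)
DROP, FWD, NOT_ASKED = (True, False), (True, True), (False, False)
COLLISION_BURST = [DROP] * 8 + [FWD] * 50     # early losses, then correct forwarding
PERSISTENT = [DROP, DROP, DROP, FWD] * 10     # drops three packets out of four
UNMONITORED = [NOT_ASKED] * 30                # no ACK ever requested

if __name__ == "__main__":
    for name, trace in (("burst", COLLISION_BURST), ("persistent", PERSISTENT),
                        ("unmonitored", UNMONITORED)):
        at, judge = first_accusation(trace)
        print(f"{name}: Beta accuses at {at}, fixed threshold at "
              f"{first_accusation_fixed(trace, 5)}, E={judge.expectation():.2f}, "
              f"tolerable drops={judge.tolerable_drops():.0f}")
```
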
Upon the detection of a misbehaving node, the detector launches locally
in its neighborhood a call for witnesses using a broadcast control
packet. This costs only one transmission. Neighbors that consider the
accused as suspicious, or those that are monitoring the accused node and
whose misbehaving estimations against it are close to the tolerable
threshold, testify against it by sending the requestor a signed reply
packet. Those which do not have enough experience with the accused
investigate this accusation and ask the accused's successor whether it
has recently received packets from the accused. But first, they ensure
that the accuser really sent the packet to the accused to forward to the
claimed successor. To do this they must be neighbors of the accused,
otherwise they do not testify. The following example illustrates and
analyzes the investigation:
Assume three aligned nodes A, B and C, and another node D in A's range,
as illustrated in figure 2. When A accuses B of not forwarding packets to
C and sends a call for witnesses, D investigates the issue. But before
asking C it ensures that A has really sent the packet and B has received
it, by checking the data packet and ACK overheard. Even if it has
recently overheard the data packet, D cannot be sure that B has received
it. For instance, if D is closer to A than B, A (attempting a DoS attack
against B) could send the packet with a power strong enough to be
overheard by D, but not by B. Requiring the reception of the ACK
(footnote 3) from B just after the data ensures that B has really
received the data from A. To do this, D simply keeps the overheard
packets (their headers) during a short period. This way, a node that asks
the accused's successor has no doubt that the accused has received a data
packet to forward to the successor in question. Any collision at D
prevents it from testifying, but has no effect on false detections.
Upon the reception of the ACREQ, the asked node (C) replies with a signed
ACREP packet if it has not received any packet from B. A coincidental
collision at C at that moment, however, would result in a false reply if
A is attempting a DoS attack, and then in a false testimony.
Nevertheless, the requirement of at least one direct testimony (provided
from a direct experience) mitigates wrong accusations caused by this kind
of false testimony.
The signature of the packets prevents their spoofing, thus no node could
testify using the ID of another.
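The witness decision a neighbor makes on a WREQ, and the accuser's rule of k validations with at least one direct testimony, can be traced with the A, B, C, D example above. The following Python sketch is an added example, not the authors' code: the class, the WREQ fields (including a packet identifier), the node E, the 0.8 factor for "close to $E_{max}$" and the 2-second header cache are assumptions, and signature generation and verification are omitted.

```python
from dataclasses import dataclass, field

E_MAX = 0.5    # tolerance used by the judgment step
NEAR = 0.8     # assumed: "close to Emax" means E >= NEAR * E_MAX
WINDOW = 2.0   # assumed: seconds an overheard header is kept


@dataclass
class Neighbor:
    name: str
    in_range: set                                    # nodes it can overhear
    suspicious: set = field(default_factory=set)     # its suspicious set
    beta: dict = field(default_factory=dict)         # monitored node -> (a, b)
    overheard: list = field(default_factory=list)    # (time, kind, src, dst, pkt_id)

    def _heard(self, now, kind, src, dst, pkt_id):
        return any(0 <= now - t <= WINDOW and (k, s, d, p) == (kind, src, dst, pkt_id)
                   for t, k, s, d, p in self.overheard)

    def on_wreq(self, now, accuser, accused, successor, pkt_id, successor_received):
        """Return 'direct', 'indirect' or None (no WREP is sent)."""
        if accused in self.suspicious:
            return "direct"
        if accused in self.beta:
            a, b = self.beta[accused]
            if a / (a + b) >= NEAR * E_MAX:
                return "direct"
        # Not enough experience: investigate only as a neighbor of the accused.
        if accused not in self.in_range:
            return None
        # The accuser must really have sent the packet, and the accused must
        # have acknowledged it, otherwise the accuser may be framing the accused.
        if not (self._heard(now, "DATA", accuser, accused, pkt_id)
                and self._heard(now, "ACK", accused, accuser, pkt_id)):
            return None
        # ACREQ to the successor over a route avoiding the accused; an ACREP
        # comes back only if the successor received nothing from the accused.
        if successor_received(successor, accused):
            return None
        return "indirect"


def collect_witnesses(neighbors, k, **wreq):
    """Accuser side: approve only with k WREPs, at least one of them direct."""
    replies = {}
    for n in neighbors:
        if n.name in (wreq["accuser"], wreq["accused"]):
            continue
        kind = n.on_wreq(**wreq)
        if kind is not None:
            replies[n.name] = kind
    approved = len(replies) >= k and "direct" in replies.values()
    return approved, replies


def scenario(d_heard_ack, e_suspects_b, c_received=False, k=2):
    """Constructed case: A accuses B of not forwarding packet 42 to C at t = 10 s."""
    d = Neighbor("D", in_range={"A", "B"}, overheard=[(9.5, "DATA", "A", "B", 42)])
    if d_heard_ack:
        d.overheard.append((9.6, "ACK", "B", "A", 42))
    e = Neighbor("E", in_range={"A"}, suspicious={"B"} if e_suspects_b else set())
    return collect_witnesses([d, e], k, now=10.0, accuser="A", accused="B",
                             successor="C", pkt_id=42,
                             successor_received=lambda succ, acc: c_received)


if __name__ == "__main__":
    print("honest accusation:", scenario(True, True))
    print("B never ACKed the data:", scenario(False, True))
    print("no direct witness, k=1:", scenario(True, False, k=1))
```
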
The accuser has to collect k different signatures to approve its
accusation. Theoretically, $k - 1$ is the maximum number of misbehaving
nodes that could exist at any time. In practice, however, it is hard to
determine such a number, so it should be fixed to strike a balance
between efficiency and robustness. Setting k to a high value increases
the robustness of the protocol against false detections and rumors, but
decreases its efficiency regarding true detections. On the other hand, a
low value of k allows high detections, but opens the vulnerability to
rumors and increases the unintentional false detections (false
positives), since k nodes could collude to maliciously accuse any node,
or could wrongly accuse it. This issue related to k will be investigated
later in our simulations.
Once the accuser collects k valid signatures, it broadcasts an accusation
packet including all signatures through the network to isolate the guilty
node. This broadcast is costly, but it is not performed until a node is
detected and approved as misbehaving. Except for monitoring, our solution
requires no overhead as long as nodes behave well, as no opinions are
exchanged periodically. This makes our solution reactive, unlike the
current reputation-based solutions [1].
Regarding monitoring, the randomization of the two-hop ACK dramatically
reduces the overhead, as will be shown in the following section. Also,
the inclusion of the two-hop ACK in the ordinary ACK for each first hop
reduces the number of two-hop ACK packets by as much as half compared
with a separate transmission on each hop.
Footnote 3: The source of this ACK should be authenticated at the MAC level, to prevent spoofing of MAC addresses.
[Fig. 2. Example of node connections]
IV. SIMULATION-BASED ASSESSMENT
To assess the performance of our solution in a mobile environment, we
have conducted a GloMoSim-based [10] simulation study that we present
hereafter.
We have simulated a network of 50 nodes, located in an area of
1500 x 1000 m^2, where they move following the random way-point model
during the 900 seconds of simulation time. To generate traffic, we used
three CBR sessions between remote nodes; each session consists of
continually sending a 512-byte data packet each second. On each hop, each
data packet is transmitted using a controlled power according to the
distance between the transmitter and the receiver. In these conditions we
observed many link changes and collisions.
First, we observed that our monitoring approach dramatically improves the
detection rate compared to the watchdog, i.e. decreases the false
detections and increases the true detections. We also observed that the
random version reduces the overhead while keeping the efficiency close to
that of the ordinary two-hop ACK. Figure 3 shows the false detection rate
of the two versions of our monitoring approach and the watchdog vs. the
rate of misbehaving nodes. Figures regarding the true detection and the
overhead are omitted because of space limitation.
[Fig. 3. False detection vs. Misbehaving rate (y-axis: false detection rate; x-axis: misbehaving nodes rate; curves: 2HopACK, Random2HopACK, WD)]
[Fig. 4. True detection vs. Misbehaving rate (y-axis: true positive rate; x-axis: misbehaving monitored nodes rate; curves: 2Witness, 1Witness)]
To investigate the impact of the parameter k (the required number of
witnesses) we compare two versions, respectively denoted one-witness and
two-witness (the first with k = 1 and the second with k = 2).
As illustrated in figures 4 and 5, two-witness considerably improves
(decreases) the false positive rate, but loses a little on the true
positive rate compared with one-witness, especially when the misbehaving
rate exceeds 10%.
False detections in our scenarios are due to node mobility and
collisions. The one-witness version has unacceptable values with respect
to this metric, particularly when the misbehaving rate is low.
Two-witness mitigates this shortcoming, and also cuts down the
vulnerability to the collusive false accusation attack compared with
one-witness, since more than two nodes have to collude to isolate a node.
The parameter k could be increased to be less tolerant of false
detections and false accusation attacks, but should depend on node
connectivity so as not to lose efficiency on detections. In networks with
low connectivity, it should not be increased much, because this would
prevent nodes from finding witnesses, and consequently reduce the
detection efficiency.
V. CONCLUSION
In this work we have proposed a solution to monitor and safely isolate
malicious nodes that drop packets in MANETs. Instead of relying on
promiscuous monitoring (the watchdog), used by all the current solutions,
our monitor is based on an efficient technique (namely the random two-hop
ACK) that gets over the watchdog's limitations. Simulation results also
show that the random requesting reduces the overhead, while keeping the
efficiency on detection good enough. After detection, we proposed a
testimony-based protocol that forces the detector to collect at least k
witnesses before isolating the detected node. Fixing k is a trade-off
problem: high values mitigate rumors aiming at DoS attacks as well as
false detections (especially for control packets, with which we have been
more severe), but reduce the efficiency on detections, contrary to low
values. In our simulation, the protocol with two witnesses showed
considerable improvement regarding false accusation while keeping the
true detection good enough. This parameter could be raised to ensure more
robustness, but should depend on the connectivity to keep efficiency.
In this proposal we have focused on data packets. As a perspective, we
plan to complete the solution to deal with selfish misbehavior. Contrary
to an attacker, a selfish dropper is not interested in dropping only data
packets, but also control packets, to exclude itself from routes. We
especially aim at proposing solutions for control packets.
[Fig. 5. False detection vs. Misbehaving rate (y-axis: false positive rate; x-axis: misbehaving monitored nodes rate; curves: 2Witness, 1Witness)]
REFERENCES
[1] D. Djenouri, L. Khalladi, and N. Badache, "A survey of security issues in mobile ad hoc and sensor networks," IEEE Communications Surveys and Tutorials, vol. 7, no. 4, pp. 2-28, 2005.
[2] Y.-C. Hu and A. Perrig, "A survey of secure wireless ad hoc routing," IEEE Security and Privacy, vol. 2, no. 3, pp. 28-39, 2004.
[3] D. Djenouri and N. Badache, "New power-aware routing for mobile ad hoc networks," The International Journal of Ad Hoc and Ubiquitous Computing (Inderscience), vol. 1, no. 3, 2005.
[4] S. Buchegger and J.-Y. Le-Boudec, "A robust reputation system for p2p and mobile ad-hoc networks," in Second Workshop on the Economics of Peer-to-Peer Systems, Berkeley, CA, USA, June 2004.
[5] P. Michiardi and R. Molva, "CORE: A collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks," in Communication and Multimedia Security Conference, Portoroz, Slovenia, September 26-27 2002.
[6] B. David and A. David, "Dynamic source routing in ad hoc wireless networks," in Mobile Computing. Kluwer Academic, 1996, vol. 353, pp. 153-181.
[7] S. Capkun, L. Buttyan, and J.-P. Hubaux, "Self-organized public-key management for mobile ad hoc networks," IEEE Transactions on Mobile Computing, vol. 2, no. 1, pp. 52-64, January 2003.
[8] A. Davison, "Bayesian Models," Chapter 11 in Manuscript. Springer, 2000.
[9] V. Miller and N. Koblitz, "Elliptic curve cryptosystems," Mathematics of Computation, pp. 203-209, 1985.
[10] X. Zeng, R. Bagrodia, and M. Gerla, "Glomosim: A library for the parallel simulation of large-scale wireless networks," in The 12th Workshop on Parallel and Distributed Simulation, PADS'98, Banff, Alberta, Canada, May 1998, pp. 154-161.