8/7/2019 PgNet2006

1/6

Testimony-based Isolation: New Approach To

Overcome Packet Dropping Attacks in MANET

Djamel Djenouri1, Nadjib Badache2

1: CERIST Center of Research, Algiers 16030, Algeria.

2: USTHB University, Algiers, Algeria.Emails: ddjenouri@mail.cerist.dz, badache@mail.cerist.dz

Abstract Attackers could take advantage of the cooperativenature of MANETs routing protocols, by participating in theroute discovery procedure to include themselves in routes, thensimply drop data packets during the forwarding phase, aimingat a DoS (Denial of Service) attack. In this paper we deal withthe detection and isolation of such malicious nodes. We firstpropose a monitoring technique different from the promiscuousoverhearing (watchdog) used by almost all the current solutions,that overcomes many watchdogs shortcomes. After that wepropose a testimony-based isolation protocols basing on ourmonitoring technique.

I. INTRODUCTION

Security in MANET attracts more and more researchers,

with its variety of fields, problems, and challenges arisen from

the features of this infrastructureless environment [1]. One of

the complex problems is detecting and isolating nodes that

drop packets they receive to forward. Current secure routing

protocols [2] aim at protecting the route discovery and route

maintenance procedures. However, the packet dropping attack

is launched during the forwarding phase. Although it could

be launched easily, it is difficult to detect it. In the context of

selfish nodes detection and isolation, many solutions have been

proposed [1]. Selfish nodes also drop data packet, they only

differ from them with respect to their purpose. Like maliciousnodes, selfish nodes drop packets to save their resource, they

do not aim damaging others. Still, all the detective solutions

could be used in the context of malicious nodes. All these

solutions, however, relay on the watchdog technique, thus

inherent all its drawbacks.

The principle of the watchdog is that each node in the

source route monitors its successor after it sends it a packet

to forward, by overhearing the channel. A monitor accuses a

monitored node as misbehaving when it detects that this latter

drops more than a given number (threshold) of packets. This

basic technique of monitoring has no overhead when nodes do

not misbehave. Nevertheless, it suffers from some problems,

especially when using the transmission power control tech-nique employed by some new power-aware routing protocols

following the watchdogs proposal, such as [3].

Assume three aligned nodes: A, B and C, such that A sends

B a packet and monitors its forwarding to C, and lets assume

that B uses the power control technique. When A is closer

to B than C, B could circumvent the watchdog by using a

transmission power strong enough to reach A but less than the

one required to reach C, which is power efficient for B. On

the other hand, when C is closer to B than A, and B behaves

correctly but uses the power control technique, A could not

overhear Bs forwarding to C and will wrongly notice a packet

dropping, which might result in false detections when the

number of packets falsely detected exceeds the configured

threshold. Further, packet collisions either at C or A during the

monitoring could cause false detections, and after a collision at

C, B could circumvent to A by not retransmitting the packet.

In this proposal we suggest a novel monitoring approach to

overcome the watchdogs problems with reasonable overhead.

We also propose a Baysien approach for nodes accusation,that enables nodes redemption before judgment. Finally, we

suggest a social-based approach to approve detections and

safely isolate guilty nodes. This approachs aim is to consider

and avoid false accusation attacks (rumors) vulnerability, as

well as decreasing false positives that might be caused by

channel conditions and nodes mobility. In contrast to the

current solutions [4], [5], where each node unilaterally isolates

nodes it judges as misbehaving, our isolation mechanism

safely enables that all nodes together isolate the attacker.

Unilateral isolation could cause problems as we will see later.

The remainder of the paper is organized as follows: Next,

our solution will be presented, followed by some analysis and

discussions in section 3. Section 4 will be devoted to thesimulation study, and finally the last section will conclude the

paper, and sketches our perspectives.

I I . SOLUTION OVERVIEW

Our solution consists of three related steps: the monitoring

step, in which nodes control each other when forwarding

packets. The judgment step, in which nodes decide about the

behavior of each monitored node basing on the result of the

previous step. And finally an isolation step, in which a detector

node launch the execution of a testimony-based protocol to

isolate the detected node.

A. Monitoring

Like the watchdog, in our solution each node A in the source

route 1 monitors its successor B, and checks whether this latter

forwards to C each packet it provides. We define a new kind

of feedbacks we call two-hop ACK, an ACK that travels two

hops. Node C acknowledges packets sent from A by sending

this latter via B a two-hop ACK. Node B could, however,

escape from the monitor without being detected by simply

1like the watchdog, our protocol is also implemented with DSR [6]

8/7/2019 PgNet2006

2/6

sending A a falsified two-hop ACK. Note that performing in

this way is power economic for B, since sending a short packet

like an ACK consumes too less energy than a data packet. To

get over this vulnerability we use an asymmetric cryptography

based strategy as follows:

Node A generates a random number and encrypts it with Cs

public key (PK), then appends it in the packets header. When

C receives the packet it retrieves the number, decrypts it using

its secret key (SK), encrypts it using As PK, and puts it in a

two-hop ACK it sends back to A via B. In the first hop (C,B),

the ACK is piggybacked to the ordinary MAC ACK (using

a cross-layer implementation) , instead of being transmitted

in a separate packet. When A receives the ACK it decrypts

the random number and checks whether the number within

the packet matches with the one it has generated, to validate

Bs forwarding regarding the appropriate packet. However, if

B does not forward the packet A will not receive the two-hop

ACK, and it will be able to detect this malicious after a time

out. This strategy needs a security association between each

pair of nodes to ensure that nodes share their PK with each

other. This requires a key distribution mechanisms, which canbe achieved by continuously appending public keys to route

request (RREQ) and route reply (RREP) packets during each

route discovery of DSR [6] until all public keys reach every

node. To ensure authenticity of keys, a mechanism like the

chain of trust [7] can be used. Note that the same keys could

be employed for other security purposes at other layers.

The watchdogs problems related to detection are mitigated

with this approach, as long as Bs forwarding validation at A

is not only related to Bs transmission, but to Cs reception.

Nevertheless, the problem with this first solution is that it

requires a two-hop ACK for each packet on each coupe of

hops, which might result in important overhead.

To decrease this cost we propose to randomize the ACK ask,viz. A does not ask C an ACK for each packet, but upon

sending a packet to forward it randomly decides whether it

asks an ACK or not, with a probability p, then it conceal thisdecision in the packet. A simple way to conceal the decision

is to exploit the random number. For instance, when the node

decides to ask an ACK it selects an even number, and an odd

number when it decides to not ask the ACK. This random

selection strategy prevents the monitored node from deducting

which packets contain ACK requests. Note that getting such

information allows a misbehaving to drop packets with no

requests without being detected.

The probability p is continuously updated as follows:

It is set to 1 (the initial value) when a timeout exceeds withoutreceiving the requested ACK, and set to ptrust upon receivingthe requested ACK.

This way more trust is given to well-behaving nodes, and

by setting p to 1 the ACK request is enforced after a lack ofACK, which allows to achieve all by the same performance in

misbehaving true detections (true positives) like the ordinary

two-hop ACK as we will see later.

B. Judgment

The new monitoring method (random two-hop ACK) allows

to confirm the correct forwarding of packets. Though, when a

monitoring node notices that some packet has been dropped

over a link it should not directly accuse the monitored

as misbehaving, since this dropping could be caused by

collisions or nodes mobility. Indeed, a threshold of tolerance

should be fixed. In the following we propose a Bayesianapproach allowing nodes to decide about the behavior of

each other. In our approach, the threshold is not constant but

increases with the nodes well-behaving.

The Bayesian approach [8] is a mathematical estimation

method, that consists of estimating a parameter the

observations of which follow a Bernouli distribution by

a Beta distribution. The Bayesian approach for nodes

reputation regarding packet forwarding in MANET has

already been used by Buchegger and Le-Boudec [4], but

their solution requires periodic transmissions of huge control

packets.

Since misbehaving is usually exception rather than the

norm, information exchange in our solution is limited tonegative impressions, thereby it is simpler and engenders no

overhead when nodes well-behave. Hereafter, we describe

our Bayesian-based approach.

Each node i thinks that each other node j misbehaves with

probability j , which is a random variable estimated bya Beta distribution Beta(a, b). For brevity we remove theindices in the following, and simply denote this probability by

. Initially with no prior information, is assumed uniformin [0,1], which is idem to Beta(1,1). As observations, that

follow a Bernoulli distribution with parameter , are made, aand b are updated as follows: a = a + u, b = b + 1 uwhere u=1 if the observation consists of a dropping, and

0 otherwise. A dropping in our solution is a lack of a

required two-hop ACK. If the monitor does not ask a two-hop

ACK, the observation is considered as non-dropping. After

as many observations as the decision could be made (could be approximated by the mathematical expectation

E(Beta(a, b))), j will be judged. This point is denotedby the decision point, and the number of observations is

expressed by a+b. j will be accused as misbehavior as soon

as: E(Beta(a, b)) > Emax.Note that: E(Beta(a, b)) = a/(a + b).

Emax could be fixed to 0.5, or for more efficiency it should

be estimated empirically for each network as follows:1) Make simulations with no misbehaving and compute E

at each node for different scenarios that estimate the

network.

2) Retrieve the maximum value in all scenarios from the

decision point then consider it as Emax

In Bucheggers approach [4], every node periodically broad-

casts in its neighborhood each j . Nodes used this information(known as second hand information) to update their own

opinion on nodes behavior. To decide about the acceptance

8/7/2019 PgNet2006

3/6

of a provided information, each node performs complicated

tests on the trustworthiness of the provider. The problem

with this proactive solution is the important overhead, even

if nodes well-behave. Our approach is rather reactive, thus no

such information are exchanged. Indeed, each node performs

monitoring separately and informs the others in order to isolate

the attacker as soon as it judges it, as we will see in the

following with more details.

C. Isolation

Isolating a misbehaving node means:

do not route packets through it, to avoid losing them

do not forward packets for it, to punish it

A node X that judges some other node Y as misbehaving

should not isolate it unilaterally, but it must ensure its isolation

by all nodes. This because when X unilaterally isolates Y, the

others could consider X as misbehaving when they realize that

it does not forward packets for Y.

In social life, a person that accuses another for a crime must

show proofs. One possible way to do so is to get a witness

against the accused person.Identically, we suggest a testimony-based protocol to isolate a

detected node. Upon a detection, the detector informs nodes

in its neighborhood about the dropper (the accused), and asks

for witnesses by broadcasting a WREQ (Witness REQuest)

packet. It also put the detected node in a special nodes set we

call suspicious set. Each node receiving WREQ immediately

sends a signed WREP (Witness REPly) packet to the accuser

in the following two cases:

if its suspicious set includes the accused

if the accuseds misbehaving expectation is close to Emaxand/or the number of control packets detected dropped is

close to the configured maximum thresholdOtherwise, when it has not enough experience with the ac-

cused, and if it is its neighbor then it asks the successor of

the accused node whether it has received packets forwarded

from this latter, by sending an ACREQ (ACcusation REQuest)

packet using a route that does not include the accused. But

first, in order to ovoid false accusations, the investigator should

ensure that the accuser has really sent a packet to the accused

to be forwarded to the appropriate successor. One possible

way to do this is to check whether such a packet has been

recently overheard using the promiscuous mode. The node

also should check whether the accused has sent the accuser an

ACK just after overhearing the data, to ensure that it has really

received the packet and that the accuser is not impressing it, asit will be illustrated later. Note that unlike the watchdog, the

information provided from the promiscuous mode are not used

for the monitoring, but only for testifying, aiming at improving

efficiency on detections.

If the accuseds successor has not recently received any

packet forwarded from the accused, it sends a signed ACREP

(ACcusation REPly) packet to the investigator, then this latter

testifies to the accusation and sends the accuser a signed

WREP (Witness REPly) packet. When the detector collects

k validation from its neighbors, with at least one providedby direct experience (without asking the successor of the ac-

cused), it broadcasts in the network an accusation packet (AC),

containing signatures of all validating nodes. The requirement

of at least one direct witness will be argued later. Each node

receiving such a valid accusation isolates the guilty. Otherwise,

if the detector fails to collect k validation it does not isolatethe detected node, but keeps it in the suspicious set.

III. ANALYSIS

Getting rid of the promiscuous mode based monitoring

makes our monitoring solution independent of transmission

powers, and resolves the watchdog false detection problem

related to the employment of the power-control technique.

Moreover, our solution resolves some watchdogs problems

related to collisions.

If we assume the average path length is H hops, the average

communication complexity of our monitoring technique for

n packet is: O( (1+ptrust)

2

(H 1) n) two-hop ACKtransmissions, it converges to O(ptrust (H 1) n)when all nodes on the route well-behave. This reduces the

communication complexity of the ordinary two hop ACK (our

first monitoring solution) which is O((H 1) n). That isby a factor of 1/Ptrust.

Now, we discuss the efficiency in detection of the random

two-hop ACK vs. the ordinary two-hop ACK. We assume

that there is no packet loss. Later in our simulation study

we will make more investigations of more realistic scenarios

with mobility and collusion. Like in the Bayesien judgment,

we suppose that the monitored node misbehaves (drop the

packet) with a probability , i.e the behavior of the node for

each packet follows a Bernoulli distribution with a parameter. Monitoring n packets could be considered as simply therepetition of the previous operation (monitoring one packet)

n times. Therefore, the number of packets dropped (pdr) forn packets is a random variable that is the sum of n random

variables which follows a Bernoulli distribution with param-

eter , thus follows a Binomial distribution with expectation:E(pdr) = n.Theoretically, the ordinary two hop ACK detects all this

number of packets (when the assumption of no packet loss

is held). The purpose now is to asses the number of packets

dropped and detected (pd) by the random two hop ACK, i.e

E(pd).

The probability of requesting an ACK is continuously updated,it differs from one operation (monitoring one packet) to

another according to the result of the previous operation and

the previous behavior.

We denote the algorithms probability of requesting an

ACK for a packet i (the value of p set by the algorithm for the

packet i, which is a random variable) by Pi. Consequently,The real probability (in the execution) of asking an ACK for

packet i + 1 would be expressed by E(Pi). Pi is fixed to1 if in the previous operation the packet was dropped and

8/7/2019 PgNet2006

4/6

detected, that is with the probability 2 E(Pi1), sincethe events dropping the ithpacket and requesting ACK forthe (i 1)th packet are independent. Otherwise, it is fixedto Ptrust, i.e with probability 1 E(Pi1). Therefore,the mathematical expectation of Pi could be expressed by:1 E(Pi1) + Ptrust(1 E(Pi1)). Hence:E(Pi) = Ptrust + (1 Ptrust)E(Pi1)......(1)

The number of packets detected by the random strategy

(pd) also follows a Binomial distribution, since it is the resultsof repeating a Bernoulli operation n times with parameterPi, but the only difference from the continuous requestingis that in this latter strategy (Pi) is not constant. We have:

E(pd) =

n

i=1

E(Pi) = n

i=1

E(Pi)......(2)

Not that P1 = 1.

Lemma 1: i 1,

E(Pi) = i1(1 Ptrust)i + Ptrust

i1

j=0

j(1 Ptrust)j

Proof:

We prove this lemma by recurrence on i.

For i=1. We simply replace i by 1 in the formula, then we

get E(P1) = 1 which is correct.Now assume the formula is held for i-1 then we will prove it

for i. Hence by assumption:

E(Pi1) = i2(1 Ptrust)

i1 + Ptrust

i2

j=0

j(1 Ptrust)j

By replacing this expression of E(Pi1) in (1) we obtain:

E(Pi) = Ptrust + (1 Ptrust) (i2(1 Ptrust)

i1 +

Ptrust

i2X

j=0

j(1 Ptrust)

j) = Ptrust + i1(1 Ptrust)

i +

Ptrust

i1X

j=1

j(1 Ptrust)

j =

i1(1 Ptrust)

i + Ptrust(1 +

i1X

j=1

j(1 Ptrust)

j).

Since 0(1 Ptrust)0 = 1 , we conclude:

E(Pi) = i1(1 Ptrust)

i + Ptrust

i1

j=0

j(1 Ptrust)j

Using this lemma, formula 2 could be developed into:

E(pd) = Ptrust1(1Ptrust) n + (1Ptrust)1n(1Ptrust)n1(1Ptrust)

(1 Ptrust1(1Ptrust) )......(3)

The steps of simplification are removed due to space

limitation.

This probability depends on many parameters, we will try

2The probability of detection is the probability of asking an ACK in the(i 1)th operation

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

DetectionRation

Theta

Ptrust=1/4Ptrust=1/2Ptrust=3/4

Fig. 1. Detection Ratio

to investigate it vs some usual values of Ptrust.For Ptrust = 1/4, E(pd)

43

n

for Ptrust = 1/2, E(pd)

2 n

and finally, for Ptrust = 3/4: E(pd) 34

n

Figure 1 illustrates the approximated detection ratio accord-

ing to . We mean by detection ratio E(pd)/E(pdr)

Ptrust = 0.5 strikes a balance between efficiency andcost. It decreases the complexity overhead as much as half,

while keeping the detection ratio good enough. Contrary to

Ptrust = 0.25 that has too low values for low and averagemisbehaving, and to Ptrust = 0.75 that does not reducesthe overhead enough. Thus, we fix Ptrust = 0.5 later in oursimulation study.

As illustrated, authentication of the two-hop ACK packet is

ensured by employing encreption/decreption operations on the

random number generated by the monitor and piggybacked

to the monitored packet. For this, we propose to use the ECC

encryption algorithm [9], which is more time-efficient than

the standard RSA. The encryption time completely depends

on the computation power of nodes and the length of keys.

Anyway, our encryption operations have minor impact, sincethey are applied merely on the random number and not on

the whole packet holding it.

Because a packet dropping might be unintentional due to

nodes mobility and channel conditions, accusation should not

be made upon one dropping detection, but more observations

must be noted. We have proposed a Bayesian approach

to make such a judgment, where each node estimates

each others misbehavior with a probability that follows a

Beta(a,b) distribution, whose parameters (a,b) are updated

as observations are made. When enough observations with

regard to a given monitored node are collected such that

the judgment point is reached, the monitoring node will

accuse the monitored one as soon as the estimated probability(E(Beta(a, b))) exceeds the configured maximum tolerance,i.e E(Beta(a, b)) > Emax.

E(Beta(a, b)) > Emax a

a+b> Emax a >

bEmax1Emax

:

This latter ( bEmax1Emax ) represents the tolerable number ofpackets, which is proportional to b, the number of packets

forwarded. More the node forward packets, more its tolerable

threshold increases.

8/7/2019 PgNet2006

5/6

Forwarding packets after an unintentional or intentional drop-

pings that does not results in accusation would decrease E,which allows redemption before accusation. This redemption

could not be possible when setting the tolerable threshold to

a fixed number of packets.

Note that the strategy of dropping up to the tolerable threshold

is not efficient for an attacker, since it cannot know whether

and how much the monitor will notice false observations due

to channel conditions or nodes mobility.

Upon the detection of a misbehaving, the detector launches

locally in its neighborhood a call for witnesses using a

broadcast control packet. This costs only one transmission.

Neighbors that considers the accused as suspicious, or those

that are monitoring the accused node and whose misbehaving

estimations against it are close to the tolerable threshold testify

against it by sending the requestor a signed reply packet. Those

which have not enough experience with the accused investigate

this accusation and ask the accuseds successor whether it

has recently received packets from the accused. But first, they

ensure that the accuser really sent the packet to the accused

to forward to the claimed successor. To do this they must beneighbor of the accused, otherwise they do not testify. The

following example illustrates and analyzes the investigation:

Assume three aligned nodes A, B and C, and another node

D in As range, as illustrated in figure 2. When A accuses B

to not forward packets to C and sends a call for witnesses, D

investigates the issue. But before asking C it ensures that A

has really sent the packet and B has received it, by checking

the data packet and ACK overheard. If it has recently received

the data packet, D could not ensure that B has received it. For

instance, if D is closer to A than B, A (attempting a DoS attack

against B) could send the packet in a power strong enough

to be overhead by D, but not by B. Requiring the ACK 3

reception from B just after the data ensures that B has reallyreceived the data from A. To do this, D simply safeguards

the overheard packets (their headers) during a short period.

This way, a node that asks the accuseds successor has no

doubt that the accused has received a data packet to forward

to the successor in question. Any collision at D prevents it

from testifying, but has no effect on false detections.

Upon the reception of the ACREQ, the asked node (C) replies

with a signed ACREP packet if it has not received any

packet from B. A coincidental collision at C at that moment,

however, would result in a false reply if A is attempting

a DoS attack, then in a false testimony. Nevertheless, the

requirement of at least one direct testimony (provided from a

direct experience) mitigates wrong accusation caused by thiskind of false testimonies.

The signature of the packets prevents their spoofing, thus no

node could testify using the ID of another.

The accuser have to collect k different signatures to approveits accusation. Theoretically, k1 is the maximum number ofmisbehaving nodes that could exists at any time. In practice,

3The source of this ACK should be authenticated at the MAC level, toprevent spoofing MAC addresses

Fig. 2. Example of a nodes connections

however, it is hard to determine such a number, so it shouldbe fixed to strike a balance between efficiency and robustness.

Setting k to a high value increases the robustness of theprotocol against false detections and rumors, but decreases

its efficiency regarding true detections. On the other hand,

a low value of k allows high detections, but opens thevulnerability of rumors and increases the unintentional false

detections (false positives), since k nodes could collude toaccuse maliciously any node, or could wrongly accuse it. This

issue related to k will be investigated later in our simulations.Once the accuser collects k valid signatures, it broadcastsan accusation packet including all signatures through the

network to isolate the guilty. This broadcast is costly, but

it is not performed until a node is detected and approved

as misbehaving. Expect for monitoring, our solution requires

no overhead as long as nodes well-behave, as no opinions

are exchanged periodically. This makes our solution reactive,

unlike the current solutions reputation-based solutions [1].

Regarding monitoring, the randomization of the two-hop ACK

reduces dramatically the overhead, as it will be shown in the

following section. Also, the inclusion of two-hop ACK in the

ordinary ACK for each first hop reduces the number of two-

hop ACK packets as much as half compared with a separate

transmission on each hop.

IV. SIMULATION-BASED ASSESSMENT

To asses the performance of our solution in mobile envi-

ronment, we have driven a GloMoSim-based [10] simulation

study we present hereafter.

We have simulated a network of 50 nodes, located in an area of

15001000m2, where they move following the random way-point model during the 900 seconds of simulation time. To

generate traffic, we used three CBR sessions between remote

nodes, each session consists of continually sending a 512 bytes

data packet each second. On each hop, each data packet is

transmitted using a controlled power according to the distance

between the transmitter and the receiver. In these conditions

we remarked many link changes and collisions.

First, we remarked that our monitoring approach improvesdramatically the detection rate compared to the watchdog, i.e

decreases the false detections and increases the true detections.

We also remarked that the random version reduces the over-

head while keeping the efficiency to close to the ordinary two-

hop ACK. Figure 3 shows the false detection rate of the two

versions of our monitoring approach and the watchdog vs the

rate of misbehaving nodes. Figures regarding the true detection

and the overhead are omitted because of space limitation.

To investigate the impact of the parameter k (the required

8/7/2019 PgNet2006

6/6

0.06

0.08

0.1

0.12

0.14

0.16

0.18

0.2

0.22

0.24

0 5 10 15 20 25 30 35 40 45 50

Detection

Misbehaving nodes rate

False Detection rate

2HopACKRandom2HopACK

WD

Fig. 3. False detection vs. Misbehaving rate

0

0.2

0.4

0.6

0.8

1

2 4 6 8 10 12 14 16 18 20

Truepositiverate

Misbehaving monitored nodes rate

True positive rate

2Witness1Witness

Fig. 4. True detection vs. Misbehaving rate

number of witnesses) we compare two versions, respectively

denoted by one witness and two witness (the first with k = 1while the second with k = 2).As illustrated in figure 4 and 5, two witness considerably

improves (decreases) false positive rate, but losses a little bit

on true positive rate compared with one witness, especially

when misbehaving rate exceeds 10%.False detections in our scenarios are due to nodes mobility

and collisions. The one-witness version has unacceptable val-

ues with respect of this metric, particulary when misbehavingrate is low. Two-witness mitigates this shortcoming, and also

cut down the vulnerability of collusive false accusation attack

compared with one-witness, since more than two nodes have

to collude to isolate a node.

The parameter k could be increased to be less toleranton false detections and false accusations attacks, but should

depend on nodes connectivity to not loss efficiency on de-

tections. In networks with low connectivity, it should not be

increased lots, because this would prevent nodes from finding

witnesses, and consequently reduces the detection efficiency.

V. CONCLUSION

In this work we have proposed a solution to monitor andsafely isolate malicious nodes that drop packets in MANET.

Instead of relying the promiscuous monitoring (the watchdog),

used by all the current solutions, our monitor is based on

an efficient technique (namely random two hop ACK) that

gets over the watchdogs limitations. Simulation results also

show that the random requesting reduces the overhead, while

keeping the efficiency on detection good enough. After detec-

tion, we proposed a testimony-based protocol, that enforces

the detector to collect at least k witnesses before isolating the

0

0.05

0.1

0.15

0.2

0.25

0.3

0 5 10 15 20

Falsepositiverate

Misbehaving monitored nodes rate

False positive rate

2Witness1Witness

Fig. 5. False detection vs. Misbehaving rate

detected node. Fixing k is a trade-off problem, high valuesmitigates rumors aiming DoS attacks as well false detections

(especially for control packets with which we have been more

sever), but reduces the efficiency on detections, contrary to

low values. In our simulation, the protocol with two witnesses

showed considerable improvement regarding false accusation

while keeping the true detection good enough. This parameter

could be risen to ensure more robustness, but should depend

on the connectivity to keep efficiency.In this proposal we have focused on data packets. As

perspective, we plan to complete the solution to deal with

selfishness misbehavior. Contrary to an attacker, a selfish

dropper is not interested in dropping only data packets, but also

control packets, to exclude itself from routes. We especially

aim at proposing solutions for control packets.

REFERENCES

[1] D. Djenouri, L. Khalladi, and N. Badache, A survey of security issuesin mobile ad hoc and sensor networks, IEEE Communications Surveysand Tutorials, vol. 7, no. 4, pp. 228, 2005.

[2] Y.-C. Hu and A. Perrig, A survey of secure wireless ad hoc routing, IEEE Security and Privacy, vol. 2, no. 3, pp. 2839, 2004.

[3] D. Djenouri and N. Badache, New power-aware routing for mobile adhoc networks, The International Journal of Ad Hoc and UbiquitousComputing (Inderscience), vol. 1, no. 3, 2005.

[4] S. Buchegger and J.-Y. Le-Boudec, A robust reputation system for p2pand mobile ad-hoc networks, in Second Workshop on the Economics ofPeer-to-Peer Systems, Barkeley, CA, USA, June 2004.

[5] P. Michiardi and R. Molva, CORE: A collaborative reputation mecha-nism to enforce node cooperation in mobile ad hoc networks, in Com-munication and Multimedia Security Conference, Portoroz, Slovenia,September 26-27 2002.

[6] B. David and A. David, Dynamic source routing in ad hoc wirelessnetworks, in Mobile Computing. Kluwer Academic, 1996, vol. 353,pp. 153181.

[7] S. Capkun, L. Buttyan, and J.-P. Hubaux, Self-organized public-keymanagement for mobile ad hoc networks, IEEE Transactions on MobileComputing, vol. 2, no. 1, pp. 5264, January 2003.

[8] A. Davison, Bayesian Models, Chapter 11 in Manuscript. Springer,

2000.[9] V. Miller and N. Koblitz, Elliptic curve cryptosystems, Mathematicsof Computation, pp. 203209, 1985.

[10] X. Zeng, R. Bagrodia, and M. Gerla, Glomosim: A library for theparallel simulation of large-scale wireless networks, in The 12th Work-shop on Parallel and distributed Simulation. PADS98, Banff, Alberta,Canada, May 1998, pp. 154161.