Secure Forwarding in Personal Ad Hoc Networks

Transcription

1 Secure Forwarding in Personal Ad Hoc Networks Master Thesis Author: Qi Xu Supervisors: Dr.ir. Sonia Heemstra de Groot (INF-DACS/WMC) Dr.ir. Pieter-Tjerk de Boer (INF/DACS) Assed Jehangir M.Sc. (INF/DACS) ir. Simon Oosthoek (WMC) Design and Analysis of Communication Systems Faculty of Electrical Engineering, Mathematics and Computer Science University of Twente May 2005, Enschede

2

3 Abstract This thesis focuses on secure packet forwarding in ad hoc networks and proposes a new reputation-based solution to mitigate the effects of adverse situations caused by misbehaving nodes. The new solution consists of three necessary parts: detection, prevention and reaction. An objective and effective dynamic detection mechanism is introduced. It could be used to detect misbehaving nodes through performing neighbor monitoring and local reputation exchange in a fully distributed way. A new prevention approach based on reputation information of intermediate nodes is also described. This prevention mechanism exploits all well-behaving nodes local knowledge to bypass misbehaving nodes, evaluate path quality and choose the most reliable path for data forwarding. In addition, some reaction approaches have been mentioned which could be used to enforce cooperation in ad hoc networks. Furthermore, the packet delivery ratio is primary evaluated in different scenarios. I

4 II

5 Acknowledgement This thesis is the result of my work in WMC for the master final project. Many people contributed to the completion of this thesis. I would like to express my gratitude to all these people who gave me help and support during this period of time. The first person I would like to express my acknowledgement is my direct supervisor Sonia Heemstra de Groot who helped me whenever I had problems during the research. Her valuable guidance and technical advices enabled me to complete this project. I want to express my gratitude to Assed Jehangir who kept close to the process of my work and always was available when I needed his help, and provided me with much information and support. I am very grateful to my committee members Pieter-Tjerk de Boer and Simon Oosthoek for their valuable comments and recommendations. Thanks to Bram van Zeist and Malohat Kamilova with whom we had pleasant and fruitful discussions while working on the project. I am grateful to people in WMC for the fine working atmosphere and for their supports. My absolute acknowledgement is dedicated to my parents, who gave me great encouragement and inspiration throughout my study. Their support enabled me to complete this thesis and finish my education in UT. III

6 IV

7 Table of Contents Abstract...I Acknowledgement...III 1 Introduction Background WLAN WPAN PN Mobile Ad Hoc Network Research Objective Other Relevant Technologies Thesis Structure Secure Data Forwarding in Mobile Ad Hoc Networks Secure Routing Challenges and Solutions Challenges Secure Routing Protocols Secure Data Forwarding Challenges and Solutions Challenges Secure Data Forwarding Solutions A New Reputation-based Secure Forwarding Solution Motivations Reputation Requirements Solution Features Assumptions Solution Overview Detection Prevention Reaction Dynamic Misbehaving Node Detection Neighbor Sensing Neighbor Monitoring Rules Packet Forwarding Monitoring Data Packet Forwarding Rules Route Packet Forwarding Rules Detection Mechanism Description Neighbor Sensing Implementation Neighbor Table Neighbor Monitoring and Local Reputation Calculation Weaknesses of Neighbor Monitoring Possible Optimizations Local Reputation Propagation and Global Reputation Calculation V

8 5 Prevention Technique and Optimal Route Discovery Motivation Bypassing Misbehaving Nodes Optimal Route Discovery Local Reputation Overview Detailed Operations Originating a Route Request Packet Processing a Received Route Request Packet Originating a Route Reply Packet Processing a Received Route Reply Packet Optimal Route Selection Analysis Performance for Various Misbehaving Nodes Limitations Performance Evaluation Network Simulator Introduction DSR in NS Mobile Node Architecture DSR Mobile Node Architecture DSR Implementation in NS Simulation Setup Simulation Configuration Movement Model Communication Model Misbehaving Nodes Simulation Result Analysis Mobility Influence Misbehaving Nodes Bypassing Misbehaving Nodes Optimal Route Discovery Future Work Conclusion Reference Appendix A: Simulation Script...91 VI

9 1 Introduction In recent years, rapid growth in wireless communications has stimulated numerous researches in this field. Many new wireless technologies have been developed, such as WiFi, HiperLAN, Bluetooth, ZigBee, UWB and WiMax. This chapter gives the corresponding background introduction and the objective of this assignment. Section 1.1 presents the background information in which Personal Network and mobile ad hoc network are primarily introduced. Section1.2 describes the objective of this assignment. Section1.3 briefly introduces the other relevant technologies investigated and discussed during this period of time. And section 1.4 gives the structure of this thesis. 1.1 Background Wireless technologies have many advantages compared with their wired competitors, such as flexibility, robustness, mobility and scalability. Therefore, many wireless technologies have been developed recently for various purposes. The following table shows some well-known wireless technologies. Table 1. Wireless technologies [8] 1

10 1.1.1 WLAN A wireless local area network (WLAN) is one in which a mobile device can connect to a local area network through a wireless connection. WLAN technologies have created a fast-growing market currently. It also introduces the flexibility of wireless access into office, home, and other various environments. In addition, many infrastructure providers have been building Wireless LAN hot spots in public areas such as airports, railroads, and hotels, to enable people to perform data communication in a more convenient way. The IEEE [4] standards specify the technologies for wireless LANs. Currently standard-based wireless LANs can operate at high speeds. For example, the majority of WLAN products (802.11b) today are able to communicate at speeds up to 11 megabits per second, new WLAN standards (802.11a and g) are able to provide up to 54 Mbps transmission, and n [9] is expected to support transmission rate at least 100 Mbps. Some other standards within x family are recently proposed for different requirements. For example, e is intended to enhance the MAC to improve and manage Quality of Service (QoS), i defines strong authentication and access control mechanisms to provide improved security, and k defines radio resource measurement mechanism WPAN Personal Area Networks (PANs) [3] also have received much interest in the research community recently. The trend is due to the rapid development of personalized devices and the growing user-centric communication and computing applications. A wireless personal area network (WPAN) is a short-range wireless ad hoc communication system built in the vicinity of a person. WPANs can be used for data communications among the personal devices, or for connecting these devices to a higher level network or the Internet. IEEE standards specify the wireless technologies for WPANs, such as low layers of Bluetooth [5] and Zigbee [7]. Power consumption, complexity, size and cost constrains are considered carefully in these technologies in order to design short-range, low-cost wireless devices. These wireless technologies have different purposes: (WiMedia) [6] is intended to support fast transmission rates, and is suitable for home networks (Zigbee) is designed for sensor networks and targets low power consumption and low cost PN Introduction More and more small but powerful mobile devices are produced and becoming popular in recent years, person-centric applications and services are getting more attractive. As a consequence, many researchers are working in this field to develop new networks to meet the increasing requirements. A personal network (PN) [1,2] is a new concept related to pervasive computing with a strong user-focused view, which extends a person s Personal Area Network 2

11 (PAN) with remote devices and services. The extension could be made via infrastructure-based networks or multi-hop ad hoc networks. PN is now being developed within the IST MAGNET project [10]. A PN connects a person's Personal Nodes together by using direct local wired or wireless connections as well as infrastructure-based connections and multi-hop ad hoc networks (connecting geographically dispersed Personal Nodes). By integrating all of a person s devices and resources into a person s PN, not only the devices within the person s vicinity could be used, but also those far away are available at any moment. Communication with other persons Personal Networks as well as independent Foreign Nodes are also considered. For example, in figure 1, the PN includes the nodes in the core PAN (Private-PAN) around the user, and nodes in remote networks (clusters), such as the home network, and the corporate network. The geographically dispersed clusters could be interconnected through a variety of available networks, such as the Internet, UMTS, and ad hoc networks. Therefore, a person can make use of all his/her devices and relevant services regardless of the current location. Besides, communications among different persons nodes could also be performed at the same time. Figure 1. An example of a PN [1] A PN must be self-configuring and self-organizing to adapt to the changes in surroundings, user s context, location and other conditions, so that ordinal users can operate their Personal Networks in an efficient and simple way. And due to the fact that a PN could incorporate all possible devices of a person, not only the portable devices are included, but also the devices at home, in the car and in the office should also be considered. Therefore, on the network layer, all these devices and networks should be integrated into one PN. 3

12 Abstraction levels Figure 2. Three-level PN architecture [38] As shown in figure 2, a proposed PN architecture has been given in the IST MAGNET project [37, 38]. The first level is called the service abstraction level, which addresses the problems related to discovering services inside or outside a PN. The second level is the network abstraction level addressing the problems related to the network and transport layers. The third level is called the connectivity abstraction lever, which specifies and implements PAN radio interfaces Communication in PNs Secure routing and forwarding is the research objective of this assignment, so some routing issues in PNs are introduced in this section. The network layer is the place where the whole PN for a particular person is constructed and maintained. It is concerned with issues such as addressing, routing and self-organization. Communications in PNs could be classified into several domains Communication in P-PAN The advantage of secure data communication in a P-PAN is that all nodes within this network belong to the same user. Therefore, trust relationship could be easy to be established among these nodes. Mobile ad hoc networks are suitable for P-PAN. Either proactive or reactive routing protocols could be used in a P-PAN depending on the concrete scenarios. Routing protocols designed for mobile ad hoc networks are introduced in the section

13 Figure 3. Communication in P-PAN Intra-cluster Communication Intra-cluster communication has the similar characteristics with P-PAN communication. However, it is likely that less communication happened in a cluster than that in a P-PAN, a reactive routing protocol may be more suitable. Figure 4. Intra-cluster communication Inter-cluster Communication In each cluster, one (or multiple) node is selected as gateway that is responsible for handling all traffic to or from the nodes in this cluster. If a node wants to communicate with another node in a different cluster, it first needs to send data to the gateway. Inter-cluster communication depends on the interconnection structure to connect different clusters. If an infrastructure network is applied as the interconnection structure, IPsec could be used to provide security using tunnel, authentication and encryption mechanisms. If the interconnection structure is an ad hoc network, more security problems will appear, for example, intermediate nodes could drop packets or modify routing information to launch a variety of attacks. 5

14 Figure 5. Inter-cluster communication Communication with foreign nodes The lack of trust relationship gives big challenges for secure communication in this scenario. In infrastructure networks, central agents (Certification Authority) could be used to support establishment of trust relationship. However, it is possible that no such CA is available in some situations. Several solutions are mentioned in [80] to address this problem, such as SUCV [81] and pre-authentication. Figure 6. Communication with foreign nodes A mobile ad hoc network could be a quite suitable network to be applied in PNs, not only for communications among Personal Nodes in a P-PAN, but also for interconnecting geographically dispersed nodes that belong to multiple clusters (Figure 5, 6). In order to route packets among Personal Nodes as well as to and from Foreign Nodes, routing schemes [38, 39] must be investigated in PNs. In order to make the research more general, in this project, we investigate routing and data forwarding security in a mobile ad hoc network in which trust relationships only exist between sender nodes and destination nodes. 6

15 1.1.4 Mobile Ad Hoc Network Mobile ad hoc networks could be important network architectures in PNs due to their unique characteristics, such as infrastructure-independence, self-organization. Within a P-PAN or cluster, a mobile ad hoc network is quite suitable for data exchange among devices due to its simplicity and dynamic topology. When inter-cluster communication is considered, each cluster is regarded as a small mobile network. All these networks could be interconnected through mobile ad hoc networks. In other words, all cluster gateway nodes can communicate with each other to form a mobile ad hoc network. This is useful especially for communication with other persons PNs Introduction During the past decade, mobile computing and wireless communication technologies have been developing extremely fast due to the proliferation of inexpensive, widely available wireless devices. Current cellular systems have reached a high penetration rate, enabling worldwide mobile communication and Internet access. In addition, more and more wireless LAN hot spots are emerging, allowing people to surf the Internet in airports, railways, hotels and other public areas with their portable devices, such as laptops. All these networks are conventional networks which depend on fixed network infrastructure and central administration. These networks require a large investment before they are operational and useful. Furthermore, updating these networks to meet continuously growing requirements, such as bandwidth, has proven to be quite expensive and slow. And at the same time, more and more digital devices are produced which could be equipped with relatively short-range wireless transmission interfaces. These devices are becoming smaller, cheaper, and more popular and powerful. In order to enable multiple small portable devices to interconnect with each other without any fixed infrastructure, a new alternative network architecture has been designed, in which all devices form a self-organizing and self-administering wireless network, called a mobile ad hoc network [8, 27]. The emergence of mobile ad hoc networks enables network accessing and data communication in an area where no fixed infrastructure exists or existing infrastructure is not available. Because ad hoc networks do not rely on any existing infrastructure and are self-organizing, this kind of networks is quite suitable for communication in very diverse environments. For example, mobile ad hoc networks can be used in battlefield as well as in remote areas where infrastructure is not available and building infrastructure in such area is too expensive or time consuming. They also can be used in an area suffering from natural disaster Common Network Architectures There are two common architectures of a mobile ad hoc network: Hierarchical network architecture: Each sub-network dynamically interconnects with 7

16 other sub-networks through its gateways. All traffic to and from a sub-network must pass through its gateways. It could be a feasible network model for PNs, in which multiple clusters belonged to same or different persons could form big mobile ad hoc networks dynamically. An example of such mobile ad hoc networks is shown in figure 7. Figure 7. A two-tier mobile ad hoc network Flat network Architecture: In this architecture, all nodes are treated equally, and there is no gateway in a cluster. An example of flat mobile ad hoc networks is shown in figure 8. Figure 8. A flat mobile ad hoc network Characteristics of Mobile Ad Hoc Networks Mobile ad hoc networks have some specific characteristics mentioned in table 2 briefly: 8

17 Characteristics Infrastructure-independence Multi-hop Dynamic network topology Energy constrained operation Bandwidth constrained Limited physical security Network scalability Decentralized control and management self-organization and self-configuration Table 2. Characteristics of mobile ad hoc networks Routing Protocols Within a mobile ad hoc network, a node's radio transmission range typically can not cover the whole network. In order to enable a node to communicate with other nodes out of its radio coverage, a route generally contains several intermediate nodes, and this is why ad hoc networks are also referred to as multi-hop networks. For data communication in a network, a node must depend on routing protocols to discover routes to the specific destinations. A mobile device is generally limited by its available resources, such as computation capability and memory capacity. Moreover these devices are likely to be battery powered, so energy constraint is another important issue that must be considered. Because of these resource limitations, routing protocols designed for mobile ad hoc networks must take special requirements into account. Therefore, the existing routing protocols designed for wired networks are not suitable for mobile ad hoc networks, and new routing protocols have been designed recently. Some routing protocols are introduced here. 1. Proactive routing protocols For proactive routing protocols, the routing control information is exchanged in the network periodically to enable each node to get a good knowledge of network topology. The advantage of this kind of routing protocols is that the routes are available immediately when a node wants to communicate with other nodes. DSDV Destination-Sequenced Distance-Vector (DSDV) [28] was developed 1994 by C. Perkins and it is a proactive distance-vector routing protocol. Its difference from traditional distance vector routing protocols is that each entry in routing table or a routing update message is tagged with a sequence number, which is generated by the destination. The sequence number is used to guarantee loop free and to prevent stale routing information being used. Only routing information with higher destination sequence numbers or same destination sequence but better metric will be used to update 9

18 routing table. This technique promises that only newest routing information will be used. OLSR Optimized Link State Routing Protocol (OLSR) [29, 30] is an optimization over a pure link state routing protocol, and utilizes a multicast-like mechanism to reduce control traffic overhead. Each node declares a subset of its symmetric 1-hop neighbors as its multipoint relays (MPRs), through which all its symmetric 2-hop neighbors can be reached. OLSR minimizes the flooding of control traffic in the network by using only these MPRs to retransmit control messages. This technique significantly reduces the number of retransmissions required to flood a message to all nodes in the network. Furthermore, OLSR requires a node to broadcast only a part of its link state information about its neighbors. TBRPF Topology Dissemination Based on Reverse-Path Forwarding (TBRPF) routing protocol [74] is another proactive, link state routing protocol designed for mobile ad hoc networks. Each node reports part of its source tree to its neighbors to minimize overhead. A modification of Dijkstra s algorithm is used to calculate a source tree and only partial topology information in the topology table is used. Both periodic and differential updates are used to enable all neighbors to obtain full or additional topology information. 2. Reactive routing protocols For reactive routing protocols, they work in an on-demand way. Routing information is only transmitted in the network when a node has something to send but no suitable route is available. This kind of routing protocol is suitable for large networks, and necessary route control traffic is smaller than that of reactive routing protocols. AODV Ad hoc On-Demand Distance Vector (AODV) [31] routing protocol is a reactive routing protocol specially designed for mobile ad hoc networks. It enables mobile nodes to obtain routes quickly for new destinations, and do not require nodes to maintain routes to those destinations that are not in active communication. AODV builds routes using a route request / route reply query cycle. Each node keeps a next-hop routing table containing the destinations to which it currently has a route. AODV makes use of a destination sequence number for each route entry to guarantee loop free. DSR Dynamic Source Routing (DSR) [32] protocol is another well-know reactive routing protocol designed for mobile ad hoc networks with various efficiency improvements. DSR is one of the most preferred protocols due to its simplicity and efficiency. It enables the network to be completely self-organizing and self-configuring. DSR also employs 10

19 route request / route reply packets in the route discovery phase to discover routes on-demand. And each node keeps a routing table that contains full paths to some specific destinations. In the data packet forwarding phase, a complete path is included in each data packet. 3. Hybrid routing protocols For hybrid routing protocols, both proactive and reactive mechanisms are applied. ZRP Zone routing protocol (ZRP) [33] is a hybrid routing protocol that combines both the proactive and the reactive routing mechanisms. The route discovery phase can be divided into an intra-zone discovery and an inter-zone discovery. Intra-zone discovery involves all the nodes whose distance from the sender is in a certain number of hops, and it is executed in a proactive way. And inter-zone discovery operates using a reactive approach. The tradeoff between proactive and reactive routing protocols defines the optimal zone radius in a specific network. Besides the routing protocols mentioned above, many other routing protocols have been proposed, such as Temporally-Ordered Routing Algorithm (TORA) [34], Dynamic MANET On-demand Routing Protocol (DYMO) [35], and Ariadne [36]. 1.2 Research Objective The ad hoc nature of PNs brings serious security challenges. Research in the field of secure routing could be divided into two complementary parts: secure route discovery and secure data forwarding. This thesis addresses the problems on secure data forwarding. In ad hoc networks each node functions as a router and forwards packets for other nodes. Here, we study the impact of misbehaving nodes on packet forwarding. Most existing routing protocols designed for ad hoc networks typically assume a trusted and non-adversarial environment where each node is assumed to be cooperative and well-behaving. This assumption is not true in a hostile environment. The existence of misbehaving nodes may significantly disrupt the network operation and degrade the network performance. For example, if a misbehaving node on an active route drops data packets, then a large number of packets will be lost. Simulation results show that the average packet delivery ratio of DSR [11] degrades by 30%, when 20% nodes are misbehaving nodes [12]. The main objective of this research is to investigate security issues in the context of PNs based on mobile ad hoc networks, analyze the benefits and weaknesses of currently existing solutions, and find new and effective solutions for the purpose of secure data forwarding in mobile ad hoc networks. 11

20 1.3 Other Relevant Technologies During the process of doing this assignment, in additional to the investigation of security challenges, corresponding secure routing and forwarding techniques, other relevant technologies have also been studied to evaluate their applicability and adaptability in PNs. Security in Bluetooth [13, 14, 15] and i [16] was analyzed to see whether these security mechanisms could be used in PNs to provide link-level security for data communication. Link-level authentication and encryption, initial key establishment, and security weaknesses were primarily studied. IPsec [17, 18] was analyzed to see how to employ it to support secure packet exchange on the network layer in PNs, especially for communication between different clusters. Some related protocols and techniques are studied, such as AH [22], ESP [23], IKE [18], and HMAC [21]. Mobile IP [24, 25] and Network Mobility (NEMO) [26] have also been studied for the purpose of defining possible network layer architecture of PNs. Address auto-configuration, mobility management and relevant protocols have been investigated. 1.4 Thesis Structure The remainder of this report is organized as follows: chapter 2 discusses the security problems related to routing and forwarding in mobile ad hoc networks, and some proposed solutions are classified and analyzed. Chapter 3 introduces a new reputation-based solution for secure data forwarding containing three components: prevention, detection and reaction. Chapter 4 specifically describes the detection mechanism of this solution, which is used to detect misbehaving nodes in the network. Chapter 5 introduces the prevention mechanism of the solution, which is used to bypass misbehaving nodes and discover the optimal routes. Chapter 6 presents and analyzes the simulation results to show the effect caused by various misbehaving nodes, and the network performance improvement if the prevention techniques is applied. Chapter 7 gives the future research in this area and chapter 8 gives the conclusion of the thesis. 12

21 2 Secure Data Forwarding in Mobile Ad Hoc Networks Characteristics of mobile ad hoc networks such as infrastructure-independence and self-organization make this kind of networks very flexible. However, at the same time some new security challenges specific to this new technology appear. In this chapter, the challenges related to routing and data forwarding in mobile ad hoc networks are discussed. Some proposed solutions are introduced and analyzed. Section 2.1 is related to secure routing, and section 2.2 is related to secure data forwarding. 2.1 Secure Routing Challenges and Solutions In this section, the security challenges related routing in mobile ad hoc networks are discussed, and some corresponding solutions are described briefly, which are primarily used to guarantee the acquisition of correct routing information Challenges The provision of security in mobile ad hoc networks faces a set of challenges. Unique characteristics of mobile ad hoc networks, such as open network architecture, shared medium, highly dynamic network topology, lack of infrastructure and authorization facilities and decentralized control [40, 41, 59, 60], introduce many new security challenges. The infrastructure-independence feature of mobile ad hoc networks extends the application scope of this kind of networks, but it makes network control and management more difficult compared to traditional networks. Many efficient and effective network management schemes such as central network control and authentication mechanisms can not be directly implemented in mobile ad hoc networks. Absence of infrastructure also impedes the popular operation of establishing a line of defense. As a consequence, it increases the difficulty of detecting attacks. Dynamic network topology is another important characteristic of mobile ad hoc networks. All nodes in such networks are allowed to move arbitrarily at any time. And each node could join and leave the network independently. The network topology of a mobile ad hoc network is likely to change dynamically. Therefore, it is difficult to have a clear global view of an ad hoc network. 13

22 Trust relationships among nodes may also change dynamically in some scenarios due to the flexibility of ad hoc networks. Furthermore, in large-sized mobile ad hoc networks, it is possible that there is no trust relationship among the majority of nodes. For example, when an ad hoc network is used as the interconnection structure for communication among a large number of users, it is possible that no trust relationship is available. As a consequence, security solutions with static configuration are not suitable for mobile ad hoc networks. Routing in wired networks is usually performed on dedicated devices such as switches, routers and gateways. But in mobile ad hoc networks, each node works as router and is responsible for forwarding packets for other nodes. This feature significantly complicates the network management and makes the network very vulnerable to attacks. If a misbehaving node on an active route begins to drop data packets, it is obvious that a large number of packets will be lost. Therefore, all nodes in a mobile ad hoc network are required to behave cooperatively to support the network operation. Mobile devices generally have limited resources, such as computational capability and memory capacity. They are also constrained by energy since they are more likely to be battery powered. Therefore, complicated and expensive solutions, such as advanced authentication or encryption/decryption operations performed on each packet, are not very suitable for this kind of networks. When these factors mentioned above are considered, it is difficult to promise that no misbehaving nodes exist in mobile ad hoc networks. Moreover, compared to traditional infrastructure-based networks, it is much easier for misbehaving nodes to perform some harmful activities in mobile ad hoc networks, especially for operations related to routing and forwarding. For example, a malicious node could claim that it is one hop away from a specific destination to cause all routes to that destination to pass through it. Fabricating false routing information or modifying transmitted routing messages could cause data to be lost. A small number of misbehaving nodes could degrade the network performance significantly. Furthermore, mobile ad hoc networks require not only the correct execution of network operations such as routing and data forwarding by each node, but also fair distribution of these operations among all network nodes. The latter requirement is a big challenge and difficult to realize, but it is quite important and has received much attention recently Secure Routing Protocols Most of the routing protocols designed for mobile ad hoc networks generally assume all nodes in the network are cooperative and well-behaving. But this assumption does not hold in many scenarios, in which routing information is vulnerable and misbehaving nodes could easily change the routing information to disrupt the network. Therefore, a number of secure routing protocols have been proposed to prevent a set of attacks that attempt to compromise the route discovery. These protocols could be used to guarantee the acquisition of correct network 14

23 topological information. Some proposed protocols are introduced briefly below. ARIADNE Ariadne [51] is a new secure on-demand routing protocol and is based on DSR. Authentication of routing messages in Ariadne could be performed through three modes: shared secrets between each pair of nodes, shared secrets between communicating nodes together with broadcast authentication, or digital signatures. TESLA [53] is a widely accepted broadcast authentication protocol which relies on synchronized clocks. It is a very suitable authentication mechanism for Ariadne. SEAD Secure Efficient Ad hoc Distance vector (SEAD) routing protocol [54] is based on destination-sequence distance vector (DSDV) routing protocol. It makes use of one-way hash functions rather than expensive asymmetric cryptographic operations to protect routing information. It is quite efficient and can be employed by mobile nodes that constrained with resources. In SEAD, hop counts and sequence numbers are protected by hash chains. SRP Secure Routing Protocol (SRP) [50, 52] is based on DSR. SRP could guarantee the acquisition of correct routing information. No assumption is made to intermediate nodes in SRP. Its only requirement is that a security association (SA) exists between endpoints of a path, which is used for Message Authentication Code (MAC) calculation. MAC is used to support data integrity and message originator authenticity of route request/reply packets. SAODV Secure AODV (SAODV) [55] is a security extension to the AODV routing protocol. It can be used to protect routing information and provide security features like data integrity, originator authenticity and non-reputation. The protocol employs two schemes, digital signatures and hash chains. Digital signatures are used to protect non-mutable fields of messages, and hash chains are used to protect hop count information. 2.2 Secure Data Forwarding Challenges and Solutions Data forwarding is the next phase of route discovery. Obtaining correct routing information does not guarantee that packets could reach their destinations. In this section, the security problems related to data forwarding in mobile ad hoc networks are discussed. Some proposed solutions for secure data forwarding are presented and analyzed. 15

24 2.2.1 Challenges The secure routing protocols mentioned in are primarily designed for routing information protection. They depend on various authentication mechanisms to provide routing data integrity and originator authenticity. However, even in case all obtained routing information is correct, misbehaving nodes can still launch various attacks in the data forwarding phase. For example, a misbehaving node could behave cooperatively during the route discovery phase, but drop data packets later (Denial of Service attack). Moreover, if misbehaving nodes simply drop all packets including routing related packets, all these solutions can not detect and prevent such attacks, as they focus only on the detection of modification of routing control traffic or fabricating false routing information. Generally, attacks in mobile ad hoc networks can be divided into two kinds: passive attacks and active attacks. Passive attacks such as eavesdropping give an adversary access to secret information, since the promiscuous mode is usually required by many protocols. Active attacks, such as replay attacks and DoS attacks, are launched by an adversary to propagate false information, impersonate other nodes, or disrupt the network operation. Besides these traditional attacks, in mobile ad hoc networks, a new type of attack is emerging which is less dramatic but more subtle. In mobile ad hoc networks, nodes are generally battery powered, so they have limited power available. As a consequence, a new type of misbehaving nodes called selfish nodes appeared in research papers [41, 42, 44, 61]. A selfish node does not intend to attack or jeopardize other nodes, but it refuses to spend its own resources such as energy on forwarding packets for other nodes. Its intension is to save energy to prolong its own life time. However, if there are a larger number of selfish nodes in a mobile ad hoc network, the network performance will degrade and well-behaving nodes burdens will increase significantly. In order to deal with these security challenges related to data forwarding, especially for malicious packet dropping and selfishness, some solutions have been proposed recently. In the following section, these solutions are introduced and analyzed Secure Data Forwarding Solutions SMT In [47], the secure message transmission (SMT) protocol is proposed, which could be used to protect the data transmission against arbitrary malicious behavior of misbehaving nodes. Different from some detection mechanisms, this protocol takes advantage of topology and transmission redundancies to achieve secure data transmission. SMT consists of four elements: end-to-end secure and robust feedback mechanism, dispersion of the transmitted data, simultaneous usage of multiple paths, and adaptation to the network changing conditions. It requires a security association between endpoints of a communication. 16

25 A sender node disperses each message into a number of pieces according to a certain algorithm. This operation introduces redundancy to each message. And then each piece is transmitted over different path to the destination. At the destination node, a message could be reconstructed even if some message pieces are lost or corrupted. Each dispersed message piece carries a message authentication code (MAC) to provide integrity and authenticity of its origin. A security association between sender and destination is necessary. The destination node acknowledges the successfully received messages through feedback messages which are also protected. The main problem of this solution is that it is difficult to guarantee the required number of available routes for message pieces delivery. This is due to many factors, such as node mobility, congestion and transmission impairments. And another problem is that it needs much computation for MAC calculation and message division/reconstruction Watchdog and Pathrater This solution [41] is used to address packet lost problem caused by misbehaving nodes in mobile ad hoc networks. Two extensions are introduced to DSR to mitigate the effects of misbehaving nodes. The watchdog is in charge of monitoring neighbors to identify misbehaving nodes, and the pathrater try to prevent packets being delivered through these nodes. After a node forwards a packet, its watchdog checks whether the next node on the path forwards the packet cooperatively. The watchdog performs this operation by listening promiscuously to the next node's transmissions. If the number of packets a neighboring node drops exceeds a threshold, that neighbor will be regarded as a misbehaving node. The watchdog needs to know the next two hops in order to monitor the next node's data forwarding behaviors. Therefore, watchdog is implemented based on DSR. The pathrater in each node selects the most likely reliable route according to knowledge of misbehaving nodes and link reliability information. It calculates the route metric by averaging the rating of all nodes on a path and chooses the path with the highest metric. In this solution, the node rating is calculated in terms of link reliability rather than neighbor monitoring results. The pathrater only assigns and updates rating of nodes which are currently in use. In each interval, it increases a node's rating if the link is normal by 0.01 and decreases a node's rating by 0.05 if the link is broken during the data forwarding phase. The detected misbehaving node is reported to all nodes that are transmitting data through this node. And those sender nodes assign an extreme negative rating value to this reported misbehaving node. As a consequence, the routes containing this misbehaving node will have a negative value and will not be chosen. 17

26 Misbehaving nodes can be detected by watchdog and prevented by pathrater. However, there are some weaknesses of this solution. First, the transmission of reports about misbehaving nodes is vulnerable. In a network without trust relationship in most of the nodes, it is easy for a malicious node to give a report to claim that the next node is misbehaving. Secondly, the watchdog scheme is based on the assumption that misbehaving nodes behave cooperatively during the route discovery phase. But if these nodes drop all packets, they will not be detected BMR In [42], Xue and Nahrstedt propose a solution named BMR (Bypassing Misbehaving nodes Routing), which is able to bypass misbehaving nodes and select a good path to route packets. BMR algorithm is based on DSR, and includes two phases: the testing phase and the delivery phase. In the testing phase, packets are transmitted to the intended destination node on each available route, and end-to-end performance is measured on each path. Routes with low packet loss rate and small delivery delay are regarded as good path. Routes are evaluated according to the ascending order of their length until a good path is found or all paths have been tested. In the delivery phase, the sender node chooses a good path or the path with the highest metric for data delivery. By making routing decision according to end-to-end performance, BMR provides an efficient solution to address the problems caused by misbehaving nodes. However, BMR can only work under the assumption that misbehaving nodes behave consistently during the test phase and the delivery phase, because no end-to-end performance will be measured during the delivery phase. Another problem is that BMR only works well under lightly-loaded networks. Otherwise, good path and bad path may not be distinguished due to network congestion. Node mobility also gives a challenge to BMR. Furthermore, the test phase is time-consuming and a certain number of data packets are required for this purpose CONFIDANT In CONFIDANT [43, 44], several components (figure 9) are combined together in each node. They interact with each other to detect and isolate misbehaving nodes, and to discipline each node to work cooperatively. In this protocol, a node only concerns with the abnormal behaviors of its neighbors, which means that only the negative reputation values will be considered and propagated. This reputation system is based on negative experience rather than positive impressions. 18

27 Figure 9. Trust architecture and finite state machine within each node [44] The monitor in each node is responsible for monitoring behavior of neighbors. If a suspicious event is detected, relevant information will be reported to the reputation system. Incoming alarm messages from other nodes are first delivered to the trust manager. In that component they are checked for trustworthiness according to their originators' credibility, and are processed accordingly. If there is sufficient evidence to show that the node reported in alarm messages is misbehaving, relevant information will be sent to the reputation system. The reputation system is responsible for analyzing and calculating a node's reputation. The reported suspicious events from alarm messages and direct observation are weighted and processed to calculate reputation. The reputation will only be changed if there is sufficient evidence of abnormal behavior (evidence exceeds the predefined threshold that is high enough to distinguish malicious behavior from simple coincidences such as collisions). When the rating becomes intolerable, the report is sent to the path manager, which deletes all routes containing discovered misbehaving nodes from the routing table. At the same time, an alarm message will be sent to all nodes in its friend list. This protocol has a good performance for malicious and selfish node detection because it only concerns with negative experience. However, due to this nature, it is less tolerant to failing nodes. These nodes may be regarded as misbehaving nodes for some inevitable reasons, such as network congestion or shortage of energy. Therefore, the preset threshold is quite important and needs to be considered carefully to prevent such situations. Another problem is that this protocol is vulnerable to low reputation attack. Such attack could be launched by malicious nodes through propagating false low reputation values. Because a well-behaving node s good performance is not rewarded or maintained, it is easier for a malicious node to launch this attack, especially for a malicious node with high reputation (behaving cooperatively first). And friend relationships used in this solution are also difficult to measure. 19

28 CORE CORE [45] is another reputation-based solution. The authors regard a mobile ad hoc network as a community, in which only ones contributing own resources are entitled to use shared resources. In CORE, three types of reputations are employed. Subjective reputation values are obtained directly from a node's own observation of behavior of its neighbors. Contrary to CONFIDANT, more weight is assigned to past observations to prevent false detection caused by link breaks or collisions. Indirect reputation values are obtained from other nodes, and only positive values are considered to avoid denial of service attack (broadcasting negative ratings for legitimate nodes). Function reputation values are related to certain functions like routing and data forwarding. And global reputations are calculated in terms of subjective reputation and indirect reputation on different functions. In CORE, there are two types of protocol entities, requestors and providers. It works as follows: a requestor asks for service to a provider, if the provider refuses to cooperate or provide service, the CORE scheme of the requestor will react by decreasing the reputation of that provider. And the requestor will be excluded from the network if its non-cooperative behavior persists. Reputation can be updated in two different situations, the request phase and the reply phase. During the request phase, only the subjective reputation value is updated. It means if the provider did not behave cooperatively, a negative rating factor will be assigned to the observation and that node s reputation value will decrease. If the provider is well-behaving, its reputation does not change. During the second phase, only indirect reputation value is updated. In CORE, the reply message from the destination node contains a list of entities that correctly behaved. As a consequence, these entities' indirect reputation values are positive and their reputation values of course will increase. CORE is tolerant of sporadically bad behavior because it puts more weight on past behavior and good behavior is rewarded by increasing reputation. But CORE is less sensitive to misbehavior than CONFIDANT due to its natures. Reputation increase in the reply phase depends on other nodes feedback. However, these reply messages are vulnerable Pricing-based Solutions Pricing-based solutions [56, 57, 58] are another kind of solutions. These solutions do not try to detect misbehaving nodes to take corresponding measures such as punishment or isolation, but treat packet forwarding as a service that can be priced. Virtual currency is introduced in these mechanisms to stimulate each node to behave cooperatively. In [56], tamper resistant hardware is used to process nuglet (virtual currency). And in [57], a central agent called Credit Clearance Service (CCS) is introduced to process credit (virtual currency) issues. However, these solutions have some problems. First, traffic in mobile ad hoc networks is likely to be unevenly distributed. So it may be difficult for some nodes to earn enough credits to transmit their own packets even if they always behave cooperatively, and there may be the 20

29 case where some nodes could get sufficient credits easily, even if they do not behave cooperatively sometimes (dropping some packets). Secondly, some solutions require the existence of a central control agent, which is not applicable in a pure ad hoc network. Thirdly, they are relatively difficult to implement due to some security problems, such as nuglet initialization, transition and maintenance Other Solutions In [46], Dewan and Dasgupta propose a solution also based on reputation, which is similar to BMR. End-to-end performance is measured to evaluate path quality. In [48], the Secure and Objective Reputation-based Incentive (SORI) scheme is proposed to encourage packet forwarding and discipline selfish behavior. In this solution, a node s reputation is quantified by objective measurements, and reputation values are propagated in a secure way. A punishment scheme is used to penalize selfish nodes. In [75], the REliable and efficient forwarding (REEF) is described. In this solution, each intermediate node decides the next hop to a certain destination according to the available routes and next node s reputation. ACK packets from the destination are used to update the next node s reputation. 21