A Reputation-Based Metric for Secure Routing in ... - Semantic Scholar

A Reputation-based Metric for Secure Routing in Wireless Mesh Networks Francesco Oliviero

Simon Pietro Romano

Dipartimento di Informatica e Sistemistica Federico II University of Napoli, Italy Email: [email protected]

Dipartimento di Informatica e Sistemistica Federico II University of Napoli, Italy Email: [email protected]

Abstract—The continuous growth of wireless networks calls for more and more sophisticated solutions for their security. In particular, mechanisms for limiting effects of routing protocol attacks are becoming a mandatory requirement: black-hole and gray-hole attacks can in fact seriously compromise the performance of a critical infrastructure like a Wireless Mesh Network. In this paper we present a new routing metric aimed at mitigating the effects of such attacks, based on an estimation of the trustworthiness level of network nodes. By applying the metric to existing wireless routing protocols we show that it is possible to increase both the security level and the performance of the overall network, even in the presence of routing attacks. Keywords: Wireless Mesh Network, Routing Protocol, Security, Trust

I. I NTRODUCTION Wireless Mesh Networks (WMNs) do represent a key technology in the emerging context of wireless network scenarios [1]. More and more deployments become available on an everyday basis: campus and company networking, community and neighborhood Internet access, building networks represent only a few examples of the spreading of this technology. The main reason of their success is the low cost of the involved technologies. COTS (Common Off-The-Shelf) components such as desktop computers, laptops, PDAs, phones, Access Points equipped with wireless interfaces can be included in a WMN deployment. A typical WMN consists of two types of nodes: mesh routers and mesh clients. Mesh routers are fixed nodes equipped with one or more wireless interfaces, which provide a backbone infrastructure managed through routing protocols. Mesh clients may be either fixed or mobile terminal hosts. Due to their growing success, WMNs are drawing the attention of new network attacks. The routing protocols, in particular, are constantly victims of attacks trying to compromise their capabilities. Two specific problems have been dealt with recently [2] [3] [4]: blackhole and grayhole [5]. A routing blackhole typically is a compromised node that, by using forged routing messages, can attract traffic to it in order to maliciously drop data packets. Usually this is performed by announced short distance to destination. A grayhole, instead, drops packets selectively. In particular it might forward routing packets, while dropping data packets. In this way it joins the path discovery process but precludes data from reaching

the destination. Such attacks indeed represent a tremendously serious problem since, by preventing data from reaching their destination, they make all other forms of data protection useless. According to this assumption, we herein propose a new metric based on nodes’ reputation that, when applied to the routing path selection process, is capable to avoid selecting routes which include malicious nodes. We apply this new metric to an existing routing protocol for WMNs, namely AODV (Ad-hoc On-demand Distance Vector), and show its benefits in terms of network performance. The rest of the paper proceeds as follows. In section II we analyze recent solutions for secure routing in wireless networks. Our solution will be presented in section III. We evaluate the proposed solution through simulations in section IV. Conclusions are provided in section V. II. R ELATED W ORK In terms of technologies and protocols, WMNs derive directly from ad-hoc networks. For this reason routing protocols developed for the latter are usually exploited also for WMNs: DSDV [6], AODV [7], DSR [8], and OLSR [9] are common solutions. Unfortunately these solutions lack in terms of two fundamental properties like optimization and security. These protocols, indeed, have been devised for networks where each node can be considered reliable. Unfortunately, in a real WMN deployment this can not be considered a common situation [10]. Recently, trust-based approaches have been adopted to increase the security of routing protocols. Watchdog and Pathrater are two mechanisms to detect and mitigate misbehavior in routing processes [2]. Watchdog is responsible for detecting nodes that don’t forward packets. Each node stores information of packets sent to its neighbor and waits for their retransmission: if data packets change or a timeout expires, a fault event is added to the failure list for that neighbor. Pathrater, instead, performs a path computation by combining node misbehavior rating with information about the network links. CONFIDANT (Cooperation Of Nodes: Fairness In Dynamic Ad-hoc NeTworks) [3] adds a reputation model to Watchdog and Pathrater. The solution proposed is based on detection of misbehavior and subsequent reaction to it: upon detection of malicious behavior of a node, the system responds by blocking

978-1-4244-2324-8/08/$25.00 © 2008 IEEE.

1

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE "GLOBECOM" 2008 proceedings.

the forwarding process of packets coming from that node. It provides two mechanisms to detect malicious nodes: (i) learning correctness of neighbor nodes behaviors from their direct observation; (ii) sharing information about malicious nodes with other components of the network. CORE (COllaborative REputation) [4], similar to CONFIDANT, defines two different kinds of reputation: Subjective Reputation and Indirect Reputation. Subjective Reputation and Indirect Reputation are merged by means of a weighted combining formula in order to compute a final value of reputation to be adopted in the DSR protocol. III. AODV-REX: A S ECURE ROUTING P ROTOCOL We herein propose a new approach to secure routing, which considers nodes reputation as a good metric for path selection. Indeed, existing routing protocols usually choose routes based on hop count value: the path selected is the shortest path in terms of hop count. Our idea is to modify the hop count values in order to let them also reflect information about the nodes’ reputations along the path. We want to replace the idea of shortest path first, common to all routing protocols, with the concept of “most trustworthy” path first which characterizes our solution. We suggest to artificially “lengthen” the paths traversing nodes with bad reputation in order to avoid their selection. For this reason we proposed a new routing metric based on nodes reputation, to be integrated in the existing routing protocol. In the following we present an extension to the AODV protocol, called AODV-REX (AODV - Reputation EXtension), which integrates the above mentioned new metric. We just remark that reputation dissemination and metric computation, as proposed in this paper, exploit basic mechanisms of path discovery and selection which are typical of any routing protocol. We can thus claim that our solution can be easily applied to routing protocols other than AODV. An innovative reputation model, combined with integrated reputation dissemination and path selection are the fundamental ingredients of AODV-REX. In the following we will describe separately such issues. A. The Reputation Model We adopted a multi-layered model for estimating the reputation of network nodes, called REFACING (RElationshipFAmiliarity-Confidence-INteGrity) [11]. The lower-most layer provides information about the existence of some form of interaction among nodes. The absence of connection indicates the actual impossibility of carrying out any form of social relationship with the other nodes of the network. Otherwise, the second layer in the stack can prove useful to quantitatively measure the level of interaction existing between each pair of network nodes. The more we interact, the more familiar we are with each other. Yet, this does not necessarily imply that we trust each other: a node can know a neighbor quite well, but it can hardly trust it, if their past interactions showed that such neighbor is not that reliable. This justifies the presence of a third layer in the trustworthiness stack, which deals with

confidence. If a node has relations with others, and if it is familiar with the others as well, it can much more objectively determine their level of trustworthiness with respect to their social interactions. This said, to further foster the capability of assessing someone else’s loyalty level related to his/her interactions within the network, one more dimension should be taken into account to somehow reflect the variability in the behavioral interaction patterns of each node. To make things clearer, the fact that some node has showed a blameless behavior in one single interaction does not necessarily mean that such node shall be irreproachable also in its subsequent interactions. Some form of estimation of the line of conduct over time is definitely needed for all nodes: the more coherent my behavior has been in the past, the less probable it will be that I am behaving too differently in the near future. This issue is dealt with at the uppermost layer, which provides information about the level of integrity of network nodes. In the context of our routing process the model can be mapped as follows. Each node establishes some form of relationship with neighbors whenever it interacts with them by means of the routing protocol or if it sends them data to be further forwarded towards a specified destination (layer 1 in the trustworthiness stack). The frequency of interactions defines the familiarity among node pairs (layer 2 of the stack). Information pertaining to the third layer can be retrieved through a comparison between neighbor’s reputation evaluated at every single node (i.e. a local reputation measure) and the global reputation provided by other nodes in the network. Stated in different terms, my confidence level about a neighbor gets higher if my personal evaluation was found in accordance with the global opinion about it. Finally, data at the fourth layer can be computed by statistically analyzing the information related to all past interactions among nodes (e.g. neighbor integrity level gets higher if its confidence level has kept on growing over the past interactions). B. Watchdog The watchdog is the module that is in charge of controlling the behavior of a node’s neighbors. Based on the model proposed by Marti et al. in [2], watchdog observes if the neighbors complete the forwarding process required when data packets are sent to them. This is possible since the wireless channel is a broadcast medium; if the reception and transmission ranges are the same, every forwarding activity of a node is sensed by all its neighbors. The watchdog works directly as an extension to the forwarding process provided by the routing algorithm. Every time a data packet is sent to the next node along the route, and provided that such node is not the final destination, the watchdog stores information about the packet in a buffer and immediately thereafter activates a timer. Based on the neighbors’ behavior, the watchdog updates local reputation values associated with each of them. Two are the events that trigger a reputation update. If the node senses a packet forwarded by its neighbor and such packet is already present in the buffer, a positive score is assigned to the neigh-

978-1-4244-2324-8/08/$25.00 © 2008 IEEE.

2

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE "GLOBECOM" 2008 proceedings.

bor’s activity and data in the buffer are deleted. Otherwise, if a timeout for a stored packet occurs, the watchdog assigns the neighbor a negative observation score. A queue of N observed events is implemented in order to estimate local reputation by taking into account past interactions between a node and each of its neighbors. The main objective of this solution is to introduce a “history” of events that can contribute to mitigate sporadic misbehavior not ascribable to malicious activities.

RREQ ID; Src; Dst; HC=0 RB ; RC

2

2

RREQ ID; Src; Dst; HC=1 RB; RC; RA; RD; RE

1 RREQ ID; Src; Dst; HC=0 RB; RC

F

2

C E

C. Dissemination Process

Fig. 1.

The main problem for the reputation metric is how a node disseminates its local observations to its partners. A solution for data spreading requires that information about nodes’ behavior must be carefully selected in order to avoid that malicious nodes can take advantage from knowing the “opinion” of their neighbors. For this reason we propose to propagate exclusively a reputation that is a merging of local reputation with the reputations of other nodes in the network. In this way, malicious nodes can not identify exactly the neighbors that have begun to propagate bad reputation about them. The information about the reputation is encapsulated in an RREQ (Route REQuest) message of the AODV protocol. In particular, an “option” extension, called Reputation Option, is applied to the standard RREQ message. For each neighbor, the node inserts both a Neighbor IP address and a Neighbor Reputation. In order to allow nodes that implement AODV-REX to work in conjunction with nodes that do not support our reputation extension we can exploit the Reserved field in the RREQ message [7]. This field is usually set to 0 and it is ignored upon reception. We can inform about the presence of the proposed Reputation Option through the first bit in the field, while with the remaining 10 bits we can appropriately number such option. According to the AODV protocol, every time a node has data to send, it generates an RREQ message. Together with the usual AODV information, our protocol completes the message with reputation about its neighbors. The RREQ is then broadcasted to all neighbors. Upon reception of such RREQ, the neighbors look for the presence of the mentioned Reputation Option by checking the Reserved field. If a node present in the Reputation Option does not belong to the neighbors of the receiving node, this disregards the reputation information and leaves it unmodified in the forwarded RREQ. Otherwise, it exploits the reputation value (that can be considered as a summarization of a node’s trustworthiness as computed by all other nodes in the network) in order to update the computed reputation value with its local observation. This new value is then inserted in the RREQ, together with reputation values of the neighbors that were not already present in the message. Eventually, this new message is broadcasted to all neighbors (Fig. 1).

RREQ ID; Src; Dst; HC=1 RB; RC; RA; RD; RE

RREQ ID; Src; Dst; HC=1 RB; RC; RA; RD; RE

A

D

B

1

RREQ process in AODV-REX

D. Reputation Extraction Process ADOV-REX is based on two reputation levels which represent, respectively, the global and the local information: a local reputation, coming from the observations provided by the watchdogs, and a global reputation supplied by other nodes through the dissemination protocol. Local and global estimates are merged to define the reputation that can be exploited to evaluate the real behavior of a node. The problem of information merging can be described as follows. Let RBA (i) be the reputation of node B at node A G (i) represents the global at the i − th iteration, while RB A reputation of node B at node A at the i−th iteration. Anytime node A receives a new reputation value RCB (i) about node C, sent by node B through the RREQ message, A first weighs this information with the reputation RBA (i−1) that it has with regard to B, in order to reduce the risk of bad news propagated from malicious nodes. This new information is then compared with the last reputation value about node C at node A w (i) = RBA (i − 1) ∗ RCB (i) RC B

(1)

G w ΔCAB = |RC (i − 1) − RC (i)| A B

(2)

The new global reputation of node C at node A is 1 1 G w ∗(1+ΔCAB )∗RC (i−1)+ ∗(1−ΔCAB )∗RC (i) A B 2 2 (3) Local and global reputation extraction are supported by a mechanism that stores the recent events, both direct observations by watchdogs and global reputation by other nodes. Local and global reputations are extracted by a Weighted Moving Average on recent samples stored in order to allow for a node’s “reintegration” in case it has recently shown a faultless behavior. We define the following formula: G RC (i) = A

¯ B = wlr R A

N −1 

(1 − wlr )i−1 RBA (i)+(1−wlr )N −1 RBA (N )

i=1

(4) According to the REFACING model, the reputation extraction process is implemented as follows. Whenever a new event happens, for example an RREP (Route REPly) message is

978-1-4244-2324-8/08/$25.00 © 2008 IEEE.

3

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE "GLOBECOM" 2008 proceedings.

RD < 1

received or a watchdog timer expires, we need to update the reputation of the neighbor. We adopt either an increment or a decrement ΔBA of the mean of previous reputation values ¯B R A ¯ B (i − 1) + ΔB (i − 1) RBA (i) = R A A

(5)

In spite of the local and global reputation average defined by (4), for the reputation we adopt a simple mean of all the previous reputation samples. In order to set the value of ΔBA we need to evaluate the agreement between the global reputation and the local one of ¯ L the averages ¯G e R node B at node A. Let us define R BA BA respectively of global and local reputation. We compare these two values to evaluate the “distance” between them. ¯L ¯G ΔLG BA = |RBA − RBA |

(6)

Clearly, global and local information agree if ΔLG BA is lower then a well-known threshold T , for example 0.5; otherwise, they disagree. So in the first case we adopt a positive value for ΔBA ⎧ ⎨Δ

BA

¯B ) ∗ = Γ ∗ (1 − R A

⎩Δ ¯ BA = −Γ ∗ RBA ∗

ΔLG BA 2

(1−ΔLG BA ) 2

agree

(7)

disagree.

If local and global estimates disagree, reducing the reputation can be a good solution since the overall estimate of node B’s reputation indicates some anomalous behavior. The value of Γ represents a weight that takes into account the reputation, the interaction degree ID between the node and its neighbor, and the variance of reputation: ¯ B + β ∗ ID + ω ∗ VBR Γ=α∗R A A

(8)

α+β+ω =1

(9)

with:

Once we compute the new value for reputation, we also have ¯ B and variance to update the values for reputation mean R A R VBA by adopting standard algorithms. The reputation value computed by (5) provides a unique vision of nodes behaviors since it is a merge of what is observed locally and what the other nodes observe. This information is the basement of our secure routing solution as we will see in the next section. E. Reputation Metric and Route Selection In AODV the path length is defined during the reply process, by counting the number of hops traversed: every time a node receives the RREP message it increments the Hop Count value by one to account for the new hop through the intermediate node. Our idea is to define a new distance between two nodes that is not just a physical distance but a virtual distance that takes into account the reputation level of the node connected to the link: the distance of two neighbor nodes increases by

RM = 3 RF = 1

RREP – HC = 2

1+3

RREP – HC = 6

B

D

RM = 0

RREP – HC = 1

1

1

A F C E

Fig. 2.

RREP process in AODV-REX

decreasing the reputation of one of them. For this reason we introduce a new link metric called Reputation Metric from node A to node B as follows: RMAB  = (1 − RBA ) ∗ N D

(10)

where RBA is the reputation of the node connected to the link, and N D represents the Network Diameter, i.e. the maximum network diameter defined by the AODV protocol. The Reputation Metric is added to the physical distance. If reputation is 0, then the metric is equal to the maximum diameter of the network; otherwise, the metric RM is 0 every time the reputation of a node’s neighbor is at its maximum level. When a node generates an RREP it sets the Hop Count to one as in AODV. Upon reception of the RREP, the AODVREX protocol retrieves from its Reputation Neighbor Table the value of reputation associated with the node that sent the RREP (Fig. 2). Then, it computes the RM value by using (10), and adds it to Hop Count. The result is further incremented in order to take into account the physical hop. The approach based on the increment of the distance by RM in the RREP message ensures an intrinsic security of the protocol: by adopting this mechanism a subverted node cannot modify the distance, since the RM is added by downstream nodes. Such node might modify the distance in the RREP message received, but anyway its reputation is reflected in the RM computed by downstream nodes. IV. P ERFORMANCE E VALUATIONS The solution proposed is evaluated through ns2 simulations. We consider a random network topology made of 17 WMN nodes with a single gateway node. Each node is equipped with a single 802.11 interface and an omnidirectional antenna. The malicious nodes are implemented by modifying the standard forwarding process of AODV. We designed a malicious bursting node where bursts of packets are dropped with probability of 0.3. The burst length is 20 packets. Packet dropping is applied exclusively to data packets since we want that also the malicious nodes are involved in the routing protocol operations. This allows subverted nodes to be potentially included in routes. We compare AODV with AODV-REX.

978-1-4244-2324-8/08/$25.00 © 2008 IEEE.

4

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE "GLOBECOM" 2008 proceedings.

TCP Traffic

UDP Traffic

UDP Traffic

AODV

AODV

AODV-REX

70

300

TCP Traffic

AODV

AODV-REX

70

AODV

AODV-REX 1,8

40 30 20

1,6 50

200

Packet Loss [%]

Throughput [kBits/sec]

Throughput [kBits/sec]

50

150

100

0,1

0,2

0,3

0,4

0,5

0,6

0,7

0,8

0,9

1

30 20

0,1

0,2

0,3

0,4

0,5

0,6

0,7

0,8

0,9

1

(a) Throughput - UDP

0,6 0,4

0,2

0,3

0,4

0,5

0,6

0,7

0,8

0,9

1

0,1

0,2

Infection Degree

(b) Throughput - TCP Fig. 3.

1 0,8

0 0,1

Infection Degree

Infection Degree

1,2

0,2

0

0

0

1,4

40

10

50

10

AODV-REX

60

250

Packet Loss [%]

60

(c) Packet Loss - UDP

0,3

0,4

0,5

0,6

0,7

0,8

0,9

1

Infection Degree

(d) Packet Loss - TCP

Performance Evaluation

First, we want to observe the limited overhead of our solution with respect to the standard AODV. The communication overhead due to the reputation exchange, indeed, is limited to the use of the Reputation Option appended to the standard RREQ payload; no new packets are generated for the dissemination process. Consequently, channel interference is minimized. Furthermore, computation overhead does not influence the forwarding process since it is limited to the discovery and path selection process. Also, the watchdog operations add little overhead to the standard AODV forwarding process. By simulations we provide a comparison of AODV-REX with AODV in terms of both throughput and packet loss. The packet loss is exclusively referred to packets dropped by malicious nodes. We analyze protocol behavior in the presence of both TCP and UDP traffic. The traffic generated consists of 6 periodic flows from several sources to the gateway. The choice to adopt periodic flows is justified by the consideration that we want to allow information about nodes’ reputation to be spread widely into the network. Furthermore, we gradually increased the number of infected nodes in order to compare the behavior of AODV and AODV-REX in critical conditions. Generally, we observe an improvement in the performance of AODV-REX with respect to AODV, except in case of either a low degree of infection or a full network infection. As we have supposed, for UDP traffic we observe a greater gain for infection degree values between 0.5 and 0.9. The reason is due to the higher probability of AODV-REX to select a “secure path” when compared to AODV: when the infection degree is low, the probability that AODV selects a bad path is low, and it is comparable with that of AODV-REX. By increasing the number of infected nodes, the probability to select paths passing through compromised nodes increases accordingly. No gain can be observed when the network is completely infected. Furthermore we observe a lower gain when AODV-REX is adopted with TCP traffic with respect to UDP. This is due to the fact that TCP mechanisms for reliable communications do limit the effects of malicious packet dropping. V. C ONCLUSIONS In this paper we proposed a new metric for routing in wireless mesh networks. With the growing popularity of such technologies security issues become a fundamental challenge

for the research community. In particular, the attacks to routing protocols can seriously compromise the performance of such networks. We showed how a reputation-based metric applied to existing routing protocols can improve the reliability of the overall network communication. We presented an extension to the AODV protocol, called AODV-REX, which exploits a reputation metric in order to increase the security level of the overall infrastructure. Simulations show the effectiveness of the proposed solution with regard to overall network performance. The next step will be the thorough analysis of reputation spreading rate among the network nodes, as well as the application of our metric to other popular routing protocols with the aim to evaluate its effectiveness in different protocol scenarios. R EFERENCES [1] I. F. Akyldiz, X. Wang, and W. Wang, “Wireless mesh network: A survey,” Computer Networks, vol. 47, no. 4, pp. 445–487, March 2005. [2] S. Marti, T. Guili, K. Lai, and M. Baker, “Mitigating routing misbehavior in mobile ad hoc networks,” in Proceedings of 6th Annual International Conference on Mobile Computing and Networking, MobiCom, August 2000. [3] S. Buchegger and J.-Y. L. Boudec, “Performance analysis of the confidant protocol (cooperation of nodes: Fairness in dynamic ad-hoc networks),” in Proceedings of IEEE/ACM Symposium on Mobile Ad Hoc Networking and Computing, MobiHOC, June 2002. [4] P. Michiardi and R. Molva, “Core: A collaborative reputation mechanism to enforce node cooperation in mobile ad-hoc networks,” in Proceedings of Communications and Multimedia Security Conference, CMS, September 2002. [5] Y.-C. Hu and A. Perrig, “A survey of secure wireless ad hoc routing,” IEEE Security and Privacy, vol. 2, no. 3, pp. 28–39, June 2004. [6] C. E. Perkins and P. Bhagwat, “Highly dynamic destination-sequenced distance-vector routing (dsdv) for mobile computers,” in Proceedings of ACM Conference on Communications Architectures, Protocols and Applications, SIGCOMM, 1994, pp. 234–244. [7] C. Perkins, E. Belding-Royer, and S. Das, “Rfc 3561 - ad hoc on-demand distance vector (aodv) routing,” IETF,” Internet Draft, July 2003. [8] D. Johnson, Y. Hu, and D. Maltz, “Rfc 4728 - the dynamic source routing protocol (dsr) for mobile ad hoc networks for ipv4,” IETF,” Internet Draft, Febraury 2007. [9] T. Clausen and P. Jacquet, “Rfc 3629 - optimized link state routing protocol (olsr),” IETF,” Internet Draft, October 2003. [10] N. B. Salem and J.-P. Hubaux, “Securing wireless mesh network,” IEEE Wireless Communications, vol. 13, no. 2, pp. 50–55, April 2006. [11] F. Oliviero, L. Peluso, and S. P. Romano, “Refacing: an autonomic approach to network security based on multidimensional trustworthiness,” 2008, accepted for pubblication on Computer Networks – article in press, doi:10.1016/j.comnet.2008.04.022.

978-1-4244-2324-8/08/$25.00 © 2008 IEEE.

5

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE "GLOBECOM" 2008 proceedings.