An Adaptive and Predictive Security Model for Mobile Ad hoc Networks

Sathishkumar Alampalayam and Anup Kumar
Computer Engineering and Computer Science Department, University of Louisville, Louisville, KY 40292
{spalam01, ak}@louisville.edu

Abstract. Mobile ad hoc networks are infrastructure free, pervasive and ubiquitous in nature, without any centralized authority. These unique characteristics coupled with the growing concerns for security attacks demand an immediate solution for securing the ad hoc network, prior to its full-fledged deployment in commercial and military applications. So far, most of the research in mobile ad hoc networks has been primarily focused on routing and mobility aspects rather than securing the ad hoc networks themselves. Due to ever increasing security threats, there is a need to develop schemes, algorithms, and protocols for a secured ad hoc network infrastructure. To realize this objective, we have proposed a practical and effective security model for mobile ad hoc networks. The proposed predictive security model is designed using a fuzzy feedback control approach. The model is based on identifying critical network parameters that are affected by various types of attacks and it continuously monitors those parameters. Once we measure the relative change in these parameter values, we could detect the type of attack accurately and protect the system, without compromising its effectiveness. Experimental results of the model simulated for selected packet mistreatment attacks and routing attacks are very promising.

Keywords: Mobile Ad hoc Networks, Network Parameters, GloMoSim, Selfishness and routing attacks.

1. Introduction:

A mobile ad hoc network is a collection of wireless mobile nodes that form a temporary network without any established infrastructure or centralized authority. Until now, the main research focus has been on improving the protocols for multi hop routing, performance and scalability of the ad hoc networks [1]. Although the performance and scalability have their place in wireless network research, the current and future applications of the ad hoc networks have forced the research community to look at the dependability and security aspects of ad hoc networks. Security in an ad hoc network is essential even for basic network functions, like routing and packet forwarding, since the basic network functions are carried out by the nodes themselves rather than specialized routers. Hence, the nodes of ad hoc network must be trusted for the proper execution of basic network functions. The intruder in the ad hoc network can come from anywhere, along any direction and can target any communication channel in the network, unlike their wired counterpart, where the intruder has to gain physical access to the wired link or pass through security holes at firewalls and routers. Since the infrastructure free mobile ad hoc network does not have a clear line of defense, every node must be prepared for the adversity. Hence, a centralized or hierarchical network security solution for the existing wired and infrastructure-based cellular wireless networks will not work properly for mobile ad hoc networks.

Securing ad hoc networks, like any other field of computing, is based on the principles of confidentiality and integrity. These principles exist in every field, but the presence of malicious nodes, selfish nodes, covert channels and eavesdroppers in the mobile ad hoc network makes this extremely important and quite a challenging problem [2]. In the past decade there has been a surge of network security research in the field of information assurance that has focused on protecting the data, using such techniques as authentication and encryption. However, these techniques are applied to the wired and infrastructure bound cellular networks, but cannot be applied to infrastructure-less mobile ad hoc networks that are not bound to any central authority [1]. In these infrastructure-less networks, the nodes themselves perform basic network functions, like routing and packet forwarding. Therefore, mobile ad hoc network security is a pressing issue which needs immediate research attention [3-5].

Existing technology in the field of security and privacy is not suited for the future generation wireless mobile-networks. A Personal Area Network (PAN) level firewall, as envisioned for the next generation wireless networks, can protect only if the users are at home but not when the users are roaming [10]. Even if such a firewall is provided, the communication would get fragmented by these ‘check points’ on the network, as each firewall needs maintenance of activities like log control, software update etc., creating unnecessary overhead. Thus, existing technologies like firewalls and Virtual Private Network (VPN) sandboxes cannot be directly applied to the wireless mobile world. Even if the firewall concept is achieved by creating a private extranet (VPN), which extends the firewall protected domain to wherever the user moves, this would still lead to inefficient routing.

This paper is organized into five sections. Section two provides motivation and background for this paper. It also presents limitations of existing approaches and the benefits of the proposed model. Section three presents the proposed predictive security model, with its rationale, general architecture, and explanation of operations of the model for a specific attack scenario. Section four explains the simulation of the proposed security model with experiments and its results. Section five presents the conclusion and the future work.


2. Background and Motivation:

In ad hoc networks a mobile node or host may depend on other node(s) to route or forward a packet to its destination. The security of these nodes could be compromised by an external attacker or due to the selfish nature of other nodes. This would create severe threat for routing and Denial of Service (DoS) attacks, where malicious nodes collude to deny the services to legitimate nodes. To illustrate the motivation of the proposed approach, let us discuss the following attack scenarios and the limitations of the existing security schemes that are suggested for those attacks.

2.1 SCENARIO: ACTIVE ATTACKS IN MOBILE AD HOC NETWORK – ROUTING ATTACKS:

Active attacks in the mobile ad hoc network can be defined as direct attacks on an entity by another hostile entity during the execution or transmission phase. These attacks include actions like code/data modification, deletion or forging. In this section, we focus on the threats of routing protocol attacks on mobile ad hoc networks. Routing attacks require significant research attention, since very little research effort has been undertaken in this direction. It is a significant problem because nodes within the ad hoc network themselves perform routing functions and the security concepts are not incorporated in most of the routing protocols. Also, routing tables form the basis of network operations and any corruption to the routing table may lead to significant adverse consequences.

A secure ad hoc network routing protocol is challenging to design due to the following reasons: Firstly, routing relies on the trustworthiness of all the nodes involved and it is difficult to distinguish selfish nodes from normal nodes. Secondly, rapid mobility of nodes that perform the role of routing and network topology makes the design of a secure routing protocol more difficult.

Active routing attacks differ in their behavior depending on the nature of the routing protocol. In case of link-state routing protocol, a router sends information about its neighbors. Hence, a malicious router can send incorrect updates about its neighbors, or remain silent if the link state of the neighbor has actually changed. However, in case of distance-vector protocols, routers can send wrong and potentially dangerous updates regarding any nodes in the network, since the nodes do not have the full network topology. These attacks in case of both link-state and distance-vector protocols are very difficult to prevent if the routers exhibit Byzantine faults [6].

Routing attacks on the mobile ad hoc networks can be classified into reactive routing protocol attacks and proactive routing protocol attacks based on the type of protocol used for routing. In reactive routing protocol, like on-demand routing protocol, a node attempts to discover a route to a destination only when it has a packet to send to that destination. In proactive routing protocol, like table-driven routing protocol, entries in the table are updated periodically to perform routing. Since both reactive and proactive routing protocols exhibit different characteristics in state information, exchange and route computation, they are exposed to different types of vulnerabilities, which provide a unique set of challenges for securing them. In the next section, we identify different types of routing protocol attacks in the mobile ad hoc networks and discuss the known solutions to the problem.

2.1.1 Types of routing attacks:

The routing attacks can be classified into two general categories: resource-disruption and resource-consumption attacks. In resource-disruption attack, the attacker attempts to cause legitimate data packets to be routed in dysfunctional ways. In a resource-consumption attack, the attacker attempts to consume valuable network resources, like bandwidth, power or storage. Some of the important and common types of routing attacks are:

Router Protocol Poisoning: In this attack an intruder causes the disruption by poisoning the routing protocol. Securing these attacks is important because the routing protocol forms the basis of network operations, and any corruption of the protocol may lead to significant consequences. These attacks on the mobile ad hoc networks can lead to looping, congestion, sub optimal routing and partitioning [8]. Thus, they can ultimately affect the performance of an ad hoc network.

Injecting incorrect information in the routing table: In this type of routing attack, malicious nodes or an intruder would inject incorrect routing information, which in turn would poison the routing tables. This causes congestion and DoS to agents on genuine nodes. These attacks would result in the artificial partitioning of the network, and the hosts residing in one partition would not be able to communicate with hosts residing in the other partition.


Routing Loop Attacks: In this attack, intruder or malicious nodes update the routing table to create a loop, so that packets can traverse in the network without reaching the destination, thereby conserving energy and bandwidth.

2.1.2 Limitations of existing routing security approaches:

In Secure Routing Protocol (SRP) proposed by Papadimitratos and Haas [8], fair utilization of network resources and possible ways to prevent nodes from broadcasting are not addressed. For instance, a malicious node could simply use IP broadcast instead of the route discovery mechanism, thereby causing DoS attacks. Thus, it is important to defend nodes from attacks that exploit the protocol itself.

The ARIADNE (Alliance of Remote Instructional Authoring and Distributed Networks for Europe) model, which is designed based on the basic operation of Dynamic Source Routing (DSR), is inefficient compared to the DSR protocol. Key exchange proposed in this scheme is complicated, and in the mobile ad hoc environment this scheme is most likely not feasible [9].

OSRP (On-demand Security Routing Protocol) scheme detects byzantine fault using a fixed threshold scheme. However, this scheme does not explore other methods, such as adaptive threshold or probabilistic schemes, which may provide superior performance and extensibility. Also this scheme does not provide means of protection from traditional DoS attacks [6].

The Watchdog and Pathrater model assumes that there are no a priori trust relationships. Performance of the model is bound to suffer when trusted node lists in ad hoc networks are also taken into account. Also, in this model, all simulations are based on Constant Bit Rate (CBR) data, without considering reliability requirements [7].

2.2 SCENARIO: PASSIVE ATTACKS IN MOBILE AD HOC NETWORK – SELFISHNESS:

Passive attacks in mobile ad hoc networks can be defined as indirect attacks on an entity by another participating entity in the network that happens during collaboration. Passive attacks could be caused by selfishness, eavesdropping and traffic analysis. In this type of attack, the selfish node abuses constrained resources, such as battery power, for its own benefit [12]. They do not intend to directly damage other nodes in the network. These types of attacks are very difficult to detect. Attackers may also get hold of a node and modify its behavior to make it malicious, so the node would perform selfish attacks in need of resources [5]. These attacks have limited effectiveness compared to the routing-table “poisoning” and DoS attacks [11]. This is because the attacks are limited to a part of the network rather than the whole network as in the case of routing protocol attacks.

2.2.1 Types of selfish node attacks:

In this kind of attack, a node in mobile ad hoc network does not perform the expected network functions, like packet forwarding or routing, and later claims that the transaction or communication never took place [11]. It could be deliberate or accidental, due to false repudiation of a transaction or due to scarce resources in the mobile ad hoc networks. Some of the important and common types of selfish node attacks are:

Packet mistreatment or interception: In this kind of attack, a selfish node does not perform the function of packet forwarding. By executing this attack, a selfish node will save significant battery power by neglecting large data packets, while still contributing to the network maintenance operations. As mentioned earlier, interruption of packets may reduce the overall throughput of the network. In a specialized form of packet discarding, selfish nodes do not forward the packets to the host destination, but to themselves. This results in black hole and DoS attacks.

Energy consumption: In this kind of attack, nodes try to save significant battery power by not performing networking functions, such as routing. This is due to the fact that in ad hoc network most of the energy is consumed by routing of packets. For instance, experiments have shown that if the average hop from source to destination is 5, approximately 80% of the available energy is spent in sending packets from source to destination by packet forwarding [14]. These attacks result in congestion in the network due to heavily loaded links.

2.2.2 Limitations of existing selfish attack security approaches:

The scheme CORE (COllaborative REputation mechanism) that enforces node cooperation in mobile ad hoc networks, considers only attacks from selfish nodes, not from active intruders. Hence the scheme needs to be extended and tested for active attacks as well. Also there is no definition of formal method to analytically prove robustness of CORE [13].

The solution for attack by selfish nodes, presented in nuglets model, focuses just on packet forwarding attacks. In addition, this model does not address application-level issues, like mutual provision of information services, in an ad hoc network [14].

The CONFIDANT protocol assumes that nodes are authenticated and that no node can pretend to be another in order to get rid of a bad reputation [15]. CONFIDANT is an acronym for ‘Cooperation Of Nodes, Fairness In Dynamic Ad-hoc NeTwork’.

The Guardian Angel model is not a comprehensive security scheme and does not take into account attacks like packet forwarding, DoS and routing attacks [16].

2.3 BENEFITS OF OUR MODEL:

Many existing proposals in the area of mobile ad hoc network address the issue of efficient routing. So far little research has been done to prevent routing attacks from malicious selfish nodes. Protecting a mobile node against selfish nodes or intruders from security attacks is not a “nice-to-have” feature, but it is essential for an ad hoc network system’s usefulness. To summarize, the existing security management schemes suffer from one or more of the following limitations:

No work has been carried out to address both active attacks due to intruders, like routing table attacks, and passive attacks due to selfish nodes, like packet mistreatment attacks.

Most of the existing schemes do not provide continuous monitoring, detection and appropriate protection against different active and passive attacks.

Secure routing protocols do not prevent routing-table “poisoning” attacks. These include secure versions of table-driven routing protocols and demand driven distance-vector protocols.

The existing schemes are applicable to a specific type of network domain. Some schemes are only applicable for wired Internet security, while others are limited to cellular network or ad hoc network. There is no generalized framework that can be adapted to heterogeneous networks.

Current schemes have practical problems related to prediction, intrusion detection and adaptive response due to inefficient training and testing.

The proposed Adaptive and Predictive Security Model for Mobile Ad hoc Networks (APSMAN) addresses some of these limitations. Our model integrates the user’s security requirements by intelligently combining predictive and adaptive security techniques. This model provides a flexible and scalable infrastructure for addressing different types of attacks in ad hoc networks.


3. Proposed Security Model - APSMAN:

Before we discuss our model further, it is imperative to explain what we mean by adaptive and predictive security. By adaptive security we mean that the proposed model reacts and modifies the security of the system based on the vulnerability level at a given time. On the other hand, the proposed security model could also predict an attack by means of monitoring a set of metrics measured from the ad hoc network. We define adaptive and predictive security as an aggregation of traditional security measures, vulnerability monitoring, vulnerability detection and vulnerability response.

3.1 RATIONALE FOR THE PROPOSED SECURITY MODEL - APSMAN:

To explain the rationale of the proposed adaptive security model, let us consider a possible active attack and passive attack.

3.1.1 Active attack: ‘Poisoning’ routing table information by intruder causing routing loop:

Let us consider an active routing attack by an intruder who injects incorrect routing information, which in turn poisons the routing table or protocol. In this method, an intruder updates the routing table to create a loop, so that packets traverse in the network without reaching the destination.

[Figure 1: network of nodes A, B, C, D and E. Annotation: Intruder updates routing table so that the packets are routed from B to D instead of C and hence the packets from A never reach C.]

Fig 1. Routing Loop Attacks.

As shown in Figure 1, let us assume that packets are supposed to traverse from source node A to destination node C. However, the intruder updates the routing table so that the packets traverse from B to D instead of C, and hence the packets from A never reach C. This also causes congestion on domains served by nodes A, D and E, due to the bombardment of packets, whose actual destination was C. Thus, attacks on the mobile ad hoc networks can lead to network performance degradation. Some of the critical parameters with respect to mobile ad hoc networks that are affected by this type of active routing attacks are:

Throughput: Due to the poisoning of routing protocol or table, packets may never reach the destination. Relative increase in the number of lost packets from the genuine nodes would indicate the possibility of a routing attack.

Total number of packets dropped due to no routing information: Due to poisoning of the routing protocol or table, packets may be dropped from the network for want of routing information. Relative increase in the measurement of number of packets from genuine nodes that are dropped from the network would indicate the possibility of a routing attack.

3.1.2 Passive attack: Packet discarding or mistreatment by selfish nodes:

Let us consider a selfish node that simply does not perform its intended function of forwarding the packet to a proper destination node and routes all packets to itself as being the destination and later discards them. The motivation in these attacks by selfish nodes is to save significant battery power, instead of performing networking functions such as packet forwarding.

[Figure 2: nodes A, B and C. Annotation: Selfish Node B discards the packet from A and forwards to itself instead of forwarding to C, and hence the packets from A never reach C.]

Fig 2. Packet Mistreatment Attacks.

As shown in Figure 2, let us assume that the packets are supposed to traverse from source node A to destination node C. However, selfish node B discards the packets from A and forwards to itself instead of forwarding to C, and hence the packets from A never reach C. This results in ‘black hole’ attacks. This in turn may also result in DoS or deadlock issues that result in performance degradation. Some of the critical parameters that are affected by this kind of passive attack with respect to ad hoc networks are:

Throughput: Due to packet mistreatment by selfish nodes, packets do not generally reach host nodes. This results in packet loss, and hence a significant decrease in the measurement of throughput for the destination host nodes within the ad hoc network may indicate a packet mistreatment attack.


Packet drop rate: Packets discarded by selfish nodes are characterized by the drop in the rate of flow of packets. Hence, a significant increase in the packet drop rate for collaborating selfish nodes in ad hoc network may indicate a packet mistreatment attack.

Energy consumption: Since battery power is a constrained resource in mobile ad hoc networks, the selfish nodes discard packets to save battery power by means of techniques like sleep deprivation [5]. Hence, a relative decrease in the measurement of power or energy consumed for group of selfish nodes within the network would indicate a packet mistreatment attack.

Our philosophy is that, by identifying and continuously monitoring these critical network parameters that are affected by various types of attacks, which cause the security threats, we could measure the relative change in parameter values and detect the type of attack. Once an attack is detected, proper level of protection measures could be applied and hence, nodes causing these attacks could be blocked from accessing the system or network. We simulated the model for the routing and selfish node packet mistreatment attacks and the experiment results are discussed in the following sections.

3.2 ARCHITECTURE OF PROPOSED SECURITY MODEL - APSMAN:

The proposed APSMAN uses a feedback control scheme that is analogous to a human biological model where a virus is detected by the higher body temperature, blood sugar or pressure level. Once a virus is detected by the body, it is attacked by anti-cells to kill the virus. Similarly, in this security model various parameters of an ad hoc node or set of ad hoc nodes are monitored. If these parameters change rapidly in a given time frame, the appropriate threat is identified and a corrective action is taken. The proposed security model is distributed and cooperative, where every node in the wireless mobile ad hoc network participates in intrusion detection and response. Each node is responsible for detecting signs of intrusion locally and independently, but neighboring nodes can collaboratively investigate in a broader range. Figures 3a and 3b show the architecture of the proposed security model for mobile ad hoc networks.

To quantify an attack or vulnerability we define a new measure, Threat Index (TI), which models the vulnerability of various components in a given network. TI at each node can be computed based on communicational metrics such as bandwidth, number of connections, service queue length, packet drop rate, packets with error, protocol (IP/ICMP/UDP/TCP) flow rate, number of collisions, connection utilization etc. The vulnerability analysis can be applied to any level of abstraction within the network, i.e., connections, node or whole network system. TI for a node, connection or a system is evaluated using fuzzy logic in the proposed framework.

[Figure 3a: nodes A, B, C, D, E and F, with IDRS labels.]

Figure 3a. Intrusion Detection and Response System (IDRS) model

[Figure 3b: Normal and Vulnerable Network Data; Step 1: Log/Data Fetch Framework; Step 2: Log/Data Analysis Framework; Step 3: TI Evaluation Framework; Step 4: Response and Protection Framework.]

Figure 3b. Architecture of proposed APSMAN IDRS model for mobile ad hoc networks

As shown in the above Figures 3a and 3b, the proposed model works by propagating the intrusion detection state information among neighboring nodes and the local node. IDRS represents the proposed APSMAN Intrusion Detection and Response System model. The need for the cooperative and distributed intrusion detection/response arises because mobile ad hoc networks are dynamic and they typically lack a central entity. Hence, each node responds based on the intrusion reports from other nodes in a distributed manner. Intrusion response depends on the type of intrusion, the type of network protocols/applications and the certainty (confidence) in the evidence. The response actions are explained in detail in section 3.3.4. The basic framework of the model, shown in Figure 3b, is described as follows.

Step 1: Log/Data Fetch Framework: This step collects the real time raw network data from the local node and information from the neighboring node, and it passes them to step 2.


Step 2: Log/Data Analysis Framework: This step pre-processes the collected data to make it suitable for security threat index evaluation and vulnerability detection. This step identifies the significant parameters that relate to an attack and measures those parameters.

Step 3: TI Evaluation Framework: This framework evaluates TI of the local nodes that are subject to security attacks, based on significant parameters identified in step 1. If a threat is determined, then an alarm is sent to step 4.

Step 4: Response and Protection Framework: This framework responds to the attacks by invoking appropriate security measures to move the system to the normal security level and to protect the system based on specified security policies.

3.3 EXPLANATION OF APSMAN OPERATIONS:

This section explains the details of the proposed model. In the following illustration using a step-by-step approach, we apply our model to monitor, detect, analyze and protect the packet mistreatment attack on the mobile ad hoc network. In packet mistreatment attacks, the selfish node does not forward the packet to destination, and it forwards to itself to save power. This can result in a lot of packets being lost or dropped and reduction in the usage of system resources like battery power. We have used the terms variable, parameter and metric interchangeably throughout the paper. Various steps in operations of the model are illustrated in the following sections.

3.3.1 Step 1 - Log/Data Fetch Framework:

In this step, the raw ad hoc network data is collected and fed on a real time basis to the data analysis framework.

3.3.2 Step 2 - Log/Data Analysis Framework:

The networked system or node behavior can be characterized by three operational states: Normal State (NS), Uncertain State (US) and Vulnerable State (VS). At any moment, a given node must be in one of the three states. Thresholds are used to differentiate between these three states. For example, if the metric value exceeds a particular level, the system or node changes from one state to another.


In order to formally explain the framework, we define TI as a composition of communication and computational metrics {x1, x2,…, xn}. For a packet mistreatment attack scenario, xi represent metrics like packet drop rate, throughput and power of signals transmitted. We could measure the vulnerability of an ad hoc node under an organized attack by malicious selfish nodes using this metric.

3.3.3 Step 3 - TI Evaluation Framework:

We have used a fuzzy logic approach for vulnerability evaluation in the proposed security model. To calculate TI and detect vulnerability, the proposed scheme requires a different set of fuzzy rules for different types of attacks. The output TI is calculated based on the values of the input vulnerability metric. For instance, packet mistreatment attack by malicious selfish nodes would require measurement of several vulnerability factors like number of packets dropped, signals transmitted and throughput. This implies that the vulnerability of the system due to packet mistreatment attacks can be concluded only if the above measurements of parameters change rapidly in a given time period. But for attacks like masquerade or unauthorized access attack, a measurement like the number of connections would be enough, and the other metrics do not influence TI. Hence, the rules needed for different attacks have to be different, since the antecedents for the consequent are different.

In order to formally specify the concept, let X represent different metric parameters that represent an attack. For a finite set, X can be defined as

$$X = \{x_1, x_2, \ldots, x_n\} \tag{1}$$

In general, X is defined as $X = \{x_i ;\ i = 1, 2, \ldots, n\}$, and the fuzzy set A in X is a set of ordered pairs defined as:

$$A = \{(x_i, \mu_a(x_i)),\ x_i \in X \text{ and } i = 1, 2, \ldots, n\} \tag{2}$$

where $\mu_a$ is the grade of membership of $x_i$ in A. The values of the membership function $\mu_a(x_i)$ are real numbers in the interval [0, 1]. The above set of ordered pairs in the area of fuzzy logic is typically represented as:

$$A = \{x_1/\mu_a(x_1) + x_2/\mu_a(x_2) + x_3/\mu_a(x_3) + \ldots + x_n/\mu_a(x_n)\} \tag{3}$$

TI can be easily derived from this general form, when the lower and upper bounds are specified with the certainty value.


The membership function values can be computed using many different schemes. In this paper, we have used a triangular membership function for fuzzy variables. These membership functions for fuzzy sets are different from standard probabilities. Probability is a measure of the degree of uncertainty based on the frequency or proportion of the occurrence of an event, while a fuzzy membership function relates to the degree of vagueness, which measures the ease with which an event can be attained [17]. Thus, a set of fuzzy rules can be related to an attack by means of network parameters or metrics, which can be measured and can act as a key indicator of the system under attack.

For instance, let us consider a packet mistreatment attack, where a malicious selfish node consumes or forwards a packet to itself so that the destination host does not receive the packets properly. For this particular attack, we have performed experiments and found that some of the parameters like throughput, packet drop rate and signals transmitted are significant in measuring these attacks both at system level and at node level. Hence, these metrics were used to design the rule base for calculating the TI.

The fuzzy system in our model uses linguistic variables to describe input and output, and performs a fuzzy operation on the inputs to generate the output. Since this model is based on a Mamdani type of fuzzy controller [17], it uses a composition-based inference mechanism, which combines all rules into an aggregated system output and determines the final non-fuzzy control value. This model uses a Centroid method with min operator for defuzzification, where the final system output, TI, is expressed as:

$$TI = \frac{\sum_{i=1}^{n} w_i y_i}{\sum_{i=1}^{n} w_i} \tag{4}$$

Here, yi indicates the output value associated with the consequent of that particular rule i in the fuzzy set, and wi indicates the rule strength for rule i in the fuzzy set. Rule strength illustrates how active or reliable a rule is in the fuzzy set. Rule strength using min operator is calculated as:

$$w_i = \min\big(\mu_a(x_j)\big) \tag{5}$$

where j ∈ {1, 2, …, k}, and k is the number of input metrics for each rule. For instance, a generic fuzzy rule, “IF x1 ∈ μ1 and x2 ∈ μ2 and … xk ∈ μk THEN y1 ∈ μa” has k membership values: μi(xj) (i = 1, …, k). Using the above formal concept, let us assume two metrics, Packet Lost (PL) and Energy Consumption (EC), to evaluate TI for packet mistreatment attacks as an example to explain the
vulnerability evaluation framework in the proposed security model. The value of TI is used to represent the state of the system. For instance, normal state (NS), uncertain state (US) and vulnerable state (VS) could be represented by TI < 5, TI = 5 to 10 and TI > 10, respectively. Similarly, the values of PL and EC can also be categorized to normal, uncertain and vulnerable vectors. For example, PL < 5, PL = 5 to 10 and PL > 10 could represent small, medium and high values, respectively. Similarly, EC < 10, EC = 11 to 20 and EC > 20 could represent high, medium and low values in representing TI, respectively. A fuzzy relation can be represented by a matrix or fuzzy graph. A fuzzy graph using the above values for the above scenario is shown in Table 1. The membership values of μl, μm and μh represent low, medium and high membership values for a fuzzy set.

Table 1: Fuzzy graphs for metrics PL and EC in determining TI

| PL | μl | μm | μh | EC (mWhr) | μh | μm | μl |
|---|---|---|---|---|---|---|---|
| 2.5 | 1.0 | 0 | 0 | 5 | 1 | 0 | 0 |
| 3.75 | 0.5 | 0.5 | 0 | 7.5 | 0.5 | 0.5 | 0 |
| 5 | 0 | 1 | 0 | 10 | 0 | 1 | 0 |
| 6.25 | 0 | 0.5 | 0.5 | 12.5 | 0 | 0.5 | 0.5 |
| 10 | 0 | 0 | 1 | 20 | 0 | 0 | 1 |

The above Table 1 shows selected values of PL and EC and their corresponding triangular membership function values that range between 0 and 1. The implication relation “high PL” → “high TI” and “low EC” → “high TI” can be shown in the following fuzzy rules.

Rule 1: If PL is low and EC is low then TI is US → Strength of this rule is 8
Rule 2: If PL is low and EC is medium then TI is NS → Strength of this rule is 5
Rule 3: If PL is low and EC is high then TI is NS → Strength of this rule is 5
Rule 4: If PL is medium and EC is low then TI is VS → Strength of this rule is 10
Rule 5: If PL is medium and EC is medium then TI is US → Strength of this rule is 8
Rule 6: If PL is medium and EC is high then TI is NS → Strength of this rule is 5
Rule 7: If PL is high and EC is low then TI is VS → Strength of this rule is 10
Rule 8: If PL is high and EC is medium then TI is VS → Strength of this rule is 10
Rule 9: If PL is high and EC is high then TI is US → Strength of this rule is 8

For instance, if the value of current PL = 10 and EC = 2.5, rule 7 applies and hence strength = 10 and weight = min(μ(QL), μ(NC)) = 1 (from Table 1). Since no other rule except rule 7 applies, TI is calculated using equation 4. There is only one rule applicable, so n = 1 and

(Weight * Strength)/Weight = (1*10)/1 = 10    (6)

This indicates the vulnerable state of the system.

3.3.4 Step 4-Response and Protection Framework: As shown in the following Figure 4, the response and protection framework is based on collaborative monitoring technique, reputation management mechanism and response action plan. A collaborative monitoring technique is a co-operative security mechanism, where each network node keeps track of other network nodes and collects observation about the execution of a particular requested function. Based on the collaborative monitoring, if a suspicious event is detected, then the information is passed on to the reputation management mechanism, which updates the reputation rating of the node. The reputation metric, computed by this mechanism, is based on the data monitored by a local entity and information provided by the neighboring nodes in the network. If there is not enough evidence of a decrease in reputation rating, no action is necessary. If there is enough evidence, based on the evaluation of the rating and the value of TI, the current value of security index, SIcurr is calculated. Response action plans are then executed based on the values of SIcurr. Such a mechanism allows for detection and response to the selfish and malicious node attacks. Those malicious and selfish nodes with a specific IP address that generate abnormal metric parameter values are gradually isolated, disconnected, blocked or automatically denied future connections from accessing the network. Thus, it results in a self healing architecture that executes action plans and reconfigures automatically depending on the measurement of network parameters that represent attack scenarios and keep the mobile ad hoc networks in a steady state. The response actions are explained in next section.

Figure 4. Logical model for response framework (flowchart: Collaborative Monitoring framework; Reputation Management Mechanism; decision “Is SIcurr within tolerance limit”: Y, no action required; N, response per action plan)

The protection framework in the proposed model can be mathematically represented as:

$$SI_{curr} = TI - SI \tag{7}$$

As represented in the mathematical equation 7 above, SI is the user specified required security level that represents the starting security level for the model, and TI indicates the vulnerability evaluated by the proposed framework from the measured metrics. TI represents the composition of communication metrics {x1, x2, x3...xn} of ad hoc networks. For a packet mistreatment attack scenario, xi represents metrics like packet drop rate, throughput and signals transmitted. As represented, SIcurr is calculated based on values of SI and TI. If value of SIcurr is greater than zero, the action plan that corresponds to SIcurr is fired to correct and protect the system from attack. SIcurr represents the current required security level. Based on the value of SIcurr received from the error detection framework, the protection framework would fire different actions in the security policy, as shown in Table 2 for a given attack scenario, and would protect the system. As shown in Table 2, no response action would be required if TI is less than 5 or SIcurr less than 0.

Table 2: Security Policy Table for protection framework

| SI | TI | SIcurr = TI – SI | System State | Action |
|---|---|---|---|---|
| SI; SI < 5 | TI; TI < 5 | SIcurr; SIcurr < 0 | Normal State | No Action Required |
| 5 | 6 | 1 | Uncertain State | Action Plan 1 |
| 5 | 7 | 2 | Uncertain State | Action Plan 1 |
| 5 | 8 | 3 | Uncertain State | Action Plan 1 |
| 5 | 9 | 4 | Uncertain State | Action Plan 1 |
| 5 | 10 | 5 | Vulnerable State | Action Plan 2 |
| 5 | TI; TI > 12 | SIcurr; SIcurr > 11 | Vulnerable State | Action Plan 2 |

Response Actions: Response actions are required when the system is in an uncertain and vulnerable state. Some of the general response actions that are performed include tracking the IP addresses of the nodes that generate abnormal values for the selected metrics. This is done using the log collected from the system on a real time basis and carried out by means of automatic network reconfiguration through the system configuration file. The following action plans are used in the response framework.

Action Plan 1: If an attack is detected by the higher value of TI, say TI = 5 to 9, the system is identified to be in an uncertain state, and necessary precautions are needed to prevent further damage. In this case, specific action plan 1 is fired. Actions include:

• Verify the correct execution of the packet forwarding function.
• Automatic modification of the routing table information to the original state, in order to bring the system to original state.
• Automatic modification of the propagation limits of the ad hoc nodes, in order to perform the packet forwarding function.

Action Plan 2: When the system state is identified as vulnerable, say TI ≥ 10, action plan 2 is fired instantly to protect the system. Actions include:

• Allow nodes in the ad hoc network to observe several types of abnormal behavior, which makes it possible for the nodes to route around the misbehaved nodes and isolate them or delete the path containing malicious nodes.

3.4 ALGORITHM FOR THE MODEL:

Algorithm of the proposed model is indicated in the following steps:

Step 0: Input SI as specified by the security policy of the user for a given system. For the first iteration, SIcurr is assumed to be SI and TI to be 0. Execute Step 5.
Step 1: Identify the critical parameters (metrics) that relate to a particular security threat.
Step 2: Measure the characteristics of the critical parameters of each node.
Step 3: Evaluate TI from the metrics.
Step 4: Compute SIcurr = TI – SI.
Step 5: Protection framework triggers an appropriate security response. This enables reconfiguration and self healing of the ad hoc network automatically. Based on the security policy described in Table 2, if SIcurr is in an uncertain state, execute action plan 1, or else if SIcurr is in a vulnerable state, execute action plan 2. Otherwise, no action is required.
Step 6: System reacts with the security actions and possible additional attacks. Repeat Step 1 through Step 6 as long as the user needs the system to be in normal security level, SI.
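Steps 3 to 5 of the algorithm, applied to the PL/EC rule base of section 3.3 (Table 1 memberships, Rules 1 to 9, equations 4, 5 and 7). This is an added example, not the authors' MATLAB or GloMoSim code. It assumes linear interpolation between the Table 1 points with clamping outside them, reads the rules' EC terms as numeric EC levels, takes SI = 5 from Table 2, and runs on a constructed measurement trace.

```python
from bisect import bisect_right

# Sample points from Table 1. Between points the membership is linearly
# interpolated and outside the table it is clamped (assumption).
PL_X = [2.5, 3.75, 5.0, 6.25, 10.0]
EC_X = [5.0, 7.5, 10.0, 12.5, 20.0]
# Table 1 columns, left to right. For EC the rule terms are read as numeric
# levels, so "low" is the column Table 1 heads mu_h (assumption: the reading
# under which the page's PL = 10, EC = 2.5 case fires Rule 7).
TERMS = {
    "low":    [1.0, 0.5, 0.0, 0.0, 0.0],
    "medium": [0.0, 0.5, 1.0, 0.5, 0.0],
    "high":   [0.0, 0.0, 0.0, 0.5, 1.0],
}
# Rules 1-9: (PL term, EC term) -> rule output y_i (NS = 5, US = 8, VS = 10).
RULES = {
    ("low", "low"): 8, ("low", "medium"): 5, ("low", "high"): 5,
    ("medium", "low"): 10, ("medium", "medium"): 8, ("medium", "high"): 5,
    ("high", "low"): 10, ("high", "medium"): 10, ("high", "high"): 8,
}


def interp(x, xs, ys):
    """Piecewise-linear interpolation, clamped at both ends of the table."""
    if x <= xs[0]:
        return ys[0]
    if x >= xs[-1]:
        return ys[-1]
    i = bisect_right(xs, x) - 1
    t = (x - xs[i]) / (xs[i + 1] - xs[i])
    return ys[i] + t * (ys[i + 1] - ys[i])


def fuzzify(x, xs):
    """Membership of a crisp metric value in each linguistic term."""
    return {term: interp(x, xs, ys) for term, ys in TERMS.items()}


def evaluate_ti(pl, ec):
    """Step 3: equation 5 per rule, then the weighted mean of equation 4."""
    mu_pl, mu_ec = fuzzify(pl, PL_X), fuzzify(ec, EC_X)
    fired = [(min(mu_pl[p], mu_ec[e]), y) for (p, e), y in RULES.items()]
    total_w = sum(w for w, _ in fired)
    if total_w == 0:
        raise ValueError("no rule fired for this input")
    return sum(w * y for w, y in fired) / total_w


def respond(ti, si=5.0):
    """Steps 4-5: SIcurr = TI - SI (equation 7), then pick the action.

    Boundaries follow the text: nothing fires unless SIcurr > 0, and
    TI >= 10 is the vulnerable state; SI = 5 is the value in Table 2.
    """
    si_curr = ti - si
    if si_curr <= 0:
        return si_curr, "no action"
    return si_curr, "action plan 2" if ti >= 10 else "action plan 1"


def run(trace, si=5.0):
    """One pass of Steps 2-5 per (PL, EC) measurement in the trace."""
    tis = [evaluate_ti(pl, ec) for pl, ec in trace]
    return [(ti, *respond(ti, si)) for ti in tis]


# Constructed measurements for one node: normal, degrading, attacked, recovering.
TRACE = [(2.5, 20.0), (6.25, 7.5), (10.0, 2.5), (3.75, 12.5), (2.5, 20.0)]

if __name__ == "__main__":
    for (pl, ec), (ti, si_curr, action) in zip(TRACE, run(TRACE)):
        print(f"PL={pl:<5} EC={ec:<5} TI={ti:<5} SIcurr={si_curr:<5} {action}")
```

For PL = 10 and EC = 2.5 only Rule 7 fires and TI = 10, matching the worked example in section 3.3; inputs between the tabulated points fire several rules at once and give intermediate TI values.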

4. Simulation and Experimentation:

The overall simulation of the model for ad hoc networks is carried out using GloMoSim, and TI is evaluated using the fuzzy logic tool box in MATLAB. We focused our attention on the active routing and passive packet mistreatment attacks in these simulation experiments. The description of
the GloMoSim package, its input and output parameters and its use in simulation is explained with details in [18]. The parameters for the mobile ad hoc networks to be simulated are specified using the input configuration file. Routing details are specified using the routes input file. The variables or metrics are measured using the output statistics collected by different layers in GloMoSim during the simulation.

4.1 SIMULATION OF THE MODEL FOR PASSIVE PACKET MISTREATMENT ATTACKS:

In this simulation, the nodes are configured not to perform the packet forwarding function [5]. This is carried out by modifying the propagation limit parameter in the configuration file. The consequence of such a simulation is that the selfish node will save a significant amount of its battery life by neglecting data packets, while still contributing to the network operations. The layers whose output metrics are considered for analysis are: radio and MAC layer. These measured values are fed to the evaluation framework, in order to evaluate TI. The results of various experiments are discussed in the next several sections.

4.1.1 Scenario for Experiments: In these experiments, the effects of the passive attacks are studied on four different scenarios: low node density (10 nodes) – low node mobility (2 m/s), low node density (10 nodes) – high node mobility (20 m/s), high node density (50 nodes) – low node mobility (2 m/s) and high node density (50 nodes) – high node mobility (20 m/s). The node density represents the number of nodes that form an ad hoc network over a 2000 by 2000 meter flat space. Mobility represents the rate of movement of nodes within the simulation space. Both the density and mobility characteristics are specified using the configuration file. The simulation run time for all experiments is kept constant at 23 ms. Experiments are then performed by varying the propagation limit.

4.1.2 Metrics for Experiments: For the above scenario, metrics considered for measuring the packet mistreatment attacks are:

• Radio Layer: Rate of signals transmitted
• MAC Layer: Rate of packets received clearly
• Radio Layer: Energy consumption measured in mwh

A similar simulation based study on security exposures in a mobile ad hoc network demonstrates that the above metrics can be used to detect attacks like packet mistreatment attacks due to selfishness [11]. For the above mentioned scenarios, we evaluated the vulnerability of ad hoc networks as a whole, under an organized passive attack using these metrics. In Table 3, Sig represents the rate of signals transmitted, which indicates the number of signals transmitted per ms, PC represents the rate of packets received clearly, EC represents the energy consumption in mwh. These metrics are measured at the node level.

4.1.3 Experimental Results: The values of the considered metrics for the simulated passive packet mistreatment attacks are shown in Table 3. These values represent the values at node 1 and node 2 of a simulated ad hoc network for low density-high mobility scenario explained earlier.

Table 3: Measurement of metric parameters for passive packet mistreatment attacks

| Run Time (ms) | Node 1 Sig | Node 1 PC | Node 1 EC (mwh) | Node 2 Sig | Node 2 PC | Node 2 EC (mwh) |
|---|---|---|---|---|---|---|
| 23 | 180 | 12 | 225.014 | 171 | 14 | 225.008 |
| 46 | 100 | 11 | 225.009 | 85 | 18 | 225 |
| 69 | 176 | 1 | 225.013 | 168 | 9 | 225.008 |
| 92 | 178 | 5 | 225.013 | 169 | 7 | 225.008 |
| 115 | 173 | 12 | 225.013 | 166 | 14 | 225.008 |
| 138 | 180 | 12 | 225.014 | 171 | 14 | 225.008 |

These measured values are then used to evaluate TI for each node as explained in section 3. Based on TI, appropriate protection measures were applied to the network. In GloMoSim, the network is reconfigured by modifying the propagation limit in the input configuration file, and TI is reevaluated using the output file statistics. We repeated these steps until the simulated mobile ad hoc network reaches the normal state. The results of the evaluated TI for the packet mistreatment attacks at node 1 and node 2 of the simulated network are shown in Figure 5. As shown in Figure 5, each iteration is executed after every 23 ms. The iteration execution time can be varied as required.

Figure 5. Plot of the evaluated TI for passive mistreatment attack (plot title: “TI at Nodes for Passive Packet Mistreatment Attacks”; x-axis: Run Time (ms); y-axis: TI; series: Node 1, Node 2; annotation: “Propagation limit correction is applied after packet mistreatment attack is detected”)

Figure 5 shows the plot of TI evaluated using the significant parameters for the packet mistreatment attacks by a group of selfish nodes in the mobile ad hoc network. As shown in Figure 5, TI of nodes 1 and 2 increases as the vulnerability of the ad hoc network due to packet mistreatment attacks increases. Once the attack is detected, the subsequent correction and protection measures applied to the propagation limit of the selfish nodes bring TI for the nodes down within milliseconds, until it reaches the normal state.

4.2 SIMULATION OF THE MODEL FOR ACTIVE ROUTING ATTACK:

In this simulation experiment the incorrect routing information is injected into the routing table by means of an input routes file. This is done by specifying routing protocol as static in the configuration file and inputting the static routing information through an input routing file. As explained in earlier sections, these routing attacks may result in looping, detour and DoS, leading to improper usage of system resources and could even cripple the whole system. These experiments are conducted using GloMoSim and the fuzzy logic tool box in MATLAB. The layers whose output metrics are considered for analysis are: network, application and transport layer. These measured values are fed to the evaluation framework to evaluate TI using fuzzy logic. The results of various experiments are discussed in the next section.

4.2.1 Scenario for Experiments: In these experiments, the effects of active routing attacks are studied using four different node density and node mobility scenarios, as explained earlier. With all the parameters kept constant as mentioned earlier, the vulnerability of the ad hoc network is evaluated under an organized routing attack.

4.2.2 Metrics for Experiments: For the above scenario, metrics considered for measuring the active routing attack are:

• Network Layer: Average hop count
• Transport Layer: Rate of duplicate acknowledgement packets received
• Application Layer: Throughput of the service in kbps

For the given scenario, we evaluated the vulnerability of the ad hoc network, under an organized routing attack using these metrics. In Table 4, throughput metric represents the throughput for the Telnet service by a particular node in the ad hoc network. Duplicate Ack packets represent the number of duplicate acknowledgement packets received per second by a particular node at the transport layer. Average hop count represents the number of hops that the packet traverses from source to a particular destination node. These metrics are measured at the layer level for each node simulated.

4.2.3 Experimental Results: The experimental values of metrics for active routing attacks are shown in Table 4. These values represent the values at node 1 and node 2 of the simulated ad hoc network for low density-high mobility scenario explained earlier.

Table 4: Measurement of metric parameters for active routing attacks

| Run Time (ms) | Node 1 Throughput (bps) | Node 1 Avg Hop Count | Node 1 DupAck Packets | Node 2 Throughput (bps) | Node 2 Avg Hop Count | Node 2 DupAck Packets |
|---|---|---|---|---|---|---|
| 23 | 337079 | 0.2 | 5 | 334879 | 0.2 | 2 |
| 46 | 207547 | 1 | 2 | 206640 | 1 | 1 |
| 69 | 279655 | 0.3 | 6 | 281154 | 0.3 | 2 |
| 92 | 291032 | 0.2 | 1 | 288670 | 0.2 | 1 |

The significant metrics shown in Table 4 above are used to calculate the TI. Based on TI, appropriate correction measures to fix the improper updates in the routing file were applied to the network. We repeated these steps until the simulated ad hoc network reached the normal state. Figure 6 shows the results of the evaluated TI for the active routing attacks at node 1 and node 2 of the simulated ad hoc network. As shown in Figure 6, each iteration is executed after every 23 ms.

Figure 6. Plot of the evaluated TI for active routing attacks (plot title: “TI at Nodes for Active Routing Attacks”; x-axis: Run Time (ms); y-axis: TI; series: Node 1, Node 2; annotation: “Correction to fix the improper updates in the routing file is applied after active routing attack is detected”)

As shown in Figure 6, TI of nodes 1 and 2 increases due to routing attacks. Once the attack is detected, the subsequent correction and protection measures applied through the input routing file to fix the improper updates bring TI for the nodes down within milliseconds, until it reaches the normal state.

5. Conclusion:

In this paper, we have discussed active and passive security issues in mobile ad hoc networks. In order to address some of these issues, we have also proposed a practical and effective security model for mobile ad hoc networks. The proposed adaptive and predictive security model is designed using a fuzzy feedback control approach. The model is based on identifying critical system parameters that are affected by various types of attacks and continuously monitoring those parameters for nodes in a network. Experimental results of the model simulated using GloMoSim for selected active routing and passive packet mistreatment attacks are very promising. We intend to extend this model to other attacks like unauthorized access, probing and non-repudiation attacks in mobile ad hoc networks, and the future work will be devoted to this.

References:

[1] Jean-Pierre Hubaux, Levente Buttyan and Srdjan Capkun, “The Quest for Security in Mobile Ad Hoc Networks”, Proceedings of MobiHoc, 2001.
[2] Frank Stajano and Ross Anderson, “The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks”, Proceedings of Security Protocols Workshop, 1999.
[3] Preetida Vinayakraj-Jani, “Security within Ad hoc Networks”, Proceedings of PAMPAS Workshop, Sept. 2002.
[4] Konrad Wrona, “Distributed Security: Ad Hoc Networks & Beyond”, Proceedings of PAMPAS Workshop, Sept. 2002.
[5] Pietro Michiardi and Refik Molva, “Simulation-based Analysis of Security Exposures in Mobile Ad Hoc Networks”, Proceedings of European Wireless Conference, 2002.
[6] Baruch Awerbuch, David Holmer, Cristina Nita-Rotaru and Herbert Rubens, “An On-Demand Secure Routing Protocol Resilient to Byzantine Failures”, Proceedings of ACM Workshop on Wireless Security (WiSe), 2002.
[7] Marti, Giuli, Lai and Baker, “Mitigating Routing Misbehavior in Mobile Ad hoc Networks”, Proceedings of the 6th annual international conference on Mobile computing and networking, 2000.
[8] P. Papadimitratos and Z.J. Haas, “Secure Routing for Mobile Ad Hoc Networks”, Mobile Computing and Communications Review, vol. 6, no. 4, 2002.
[9] Yih-Chun Hu, Adrian Perrig, David B. Johnson, “Ariadne: A secure On-Demand Routing Protocol for Ad hoc Networks”, Proceedings of MobiCom, 2002.
[10] Book of Visions 2001: Vision of the Wireless World, Wireless World Research Forum, Working Copy, December 2001.
[11] Pietro Michiardi, Refik Molva, “Prevention of Denial of Service Attacks and selfishness in Mobile Ad Hoc Networks”, Research Report RR-02-063, Jan 2002.
[12] Sonja Buchegger and Jean-Yves Le Boudec, “Nodes Bearing Grudges: Towards Routing Security, Fairness, and Robustness in Mobile Ad Hoc Networks”, Proceedings of 10th Euromicro Workshop on Parallel, Distributed and Network-based Processing, 2002.
[13] Pietro Michiardi and Refik Molva, “Core: A COllaborative REputation mechanism to enforce node cooperation in Mobile Ad Hoc Networks”, Proceedings of Communication and Multimedia Security Conference, 2002.
[14] L. Buttyán and J.-P. Hubaux, “Stimulating Cooperation in Self-Organizing Mobile Ad Hoc Networks”, ACM journal for Mobile Networks (MONET), 2003.
[15] Sonja Buchegger and Jean-Yves Le Boudec, “Performance Analysis of the CONFIDANT Protocol: Cooperation of Nodes - Fairness In Distributed Ad-hoc NeTworks”, Proceedings of MobiHoc, 2002.
[16] Gildas Avoine and Serge Vaudenay, “Cryptography with Guardian Angels: Bringing Civilization to Pirates”, ACM Mobile Computing and Communications Review (MC2R), Vol. 6, No. 4, 2002.
[17] A. Kumar and R. Ragade, “X-REF: An Extended Reliability Evaluation Framework for Computer Systems Using Fuzzy Logic”, Journal of Computer and Software Engineering, Vol. 2, No. 4, 1994.
[18] GloMoSim at http://pcl.cs.ucla.edu/projects/glomosim/.
