Peer-to-Peer Netw. Appl. DOI 10.1007/s12083-013-0215-5
An approach to mitigate DoS attack based on routing misbehavior in wireless ad hoc networks Gunhee Lee · Wonil Kim · Kangseok Kim · Sangyoon Oh · Dong-kyoo Kim
Received: 3 January 2013 / Accepted: 1 May 2013 © Springer Science+Business Media New York 2013
Abstract Routing misbehavior, in which nodes do not forward messages correctly, is one of the most serious threats to wireless ad hoc networks. Once such an attack has been launched, nodes in the network are no longer able to send messages, so it amounts to a kind of DoS (denial of service) attack. So far, most research has detected the attack with a watchdog method, although that method is inefficient and has a high false positive ratio. In this paper, we propose a novel approach to detecting attacks based on routing misbehavior. It detects attacks more effectively and also solves the problems of the existing watchdog. In the proposed method, a node in the network cooperates with its neighbor nodes to collect statistics on packets. From this statistical information, the method determines each node's misbehavior. The simulation results show that the proposed method is practical and effective enough to apply to a real domain.
G. Lee, The Attached Institute of ETRI, 909 Jeonmin-dong, Yuseong-gu, Daejeon 305-390, Korea
W. Kim, College of Electronics and Information Engineering, Sejong University, 98 Gunja-dong, Gwangjin-gu, Seoul, Korea
K. Kim, Department of Knowledge Information Engineering, Graduate School of Ajou University, San 5 Woncheon-Dong, Yeongtong-Gu, 443-749 Suwon, Korea
S. Oh · D. Kim, Department of Information and Computer Engineering, Ajou University, San 5 Woncheon-Dong, Yeongtong-Gu, 443-749 Suwon, Korea
Keywords Routing misbehavior · Wireless ad hoc network · DoS attack
1 Introduction
A wireless ad hoc network has an autonomous structure in which network nodes are scattered around without the help of any specific communication infrastructure and cooperate with one another through wireless media. In a wireless ad hoc network, all the nodes perform a series of routing processes during communication and deliver messages to the destination. That is, for a message to be transmitted from the source to the destination, multiple nodes repeat the process of receiving the message from the previous node and sending it to the next one. Accordingly, if one of the nodes misbehaves during the message delivery process, communication cannot proceed properly. A misbehavior is intentional damage to the network caused by not following the routing process and by causing the loss of messages [1]. Most misbehaviors cause damage such as denial of service to the network [2, 3]. For example, if a malicious node disguised as a normal node discards all the packets it should deliver, every communication session that uses a route including that node fails to get the intended service. This type of attack includes black hole, gray hole (selective forwarding), wormhole, message blocking, and message delivery to a wrong path. Such attacks are detected by network monitoring, which continuously watches whether messages are delivered properly to the next hop. This method basically uses watchdog [4]. Watchdog uses overhearing, a characteristic of communication over wireless media, to observe whether the node at the next hop accurately delivers the message passed to it by the watchdog on to its own next hop. However, using watchdog has the difficulty that every message transmission has to be overheard continuously. Furthermore, the watchdog needs information on all transmitted messages. There are also technical limitations in watchdog itself [5].
Thus, in this paper, we review the problems of previous research and propose a novel monitoring method that does not use an overhearing watchdog. The proposed method detects attacks more effectively while solving the problems of the existing watchdog method. In the proposed method, each node accumulates statistical data on the messages it has processed in its routing activity. Based on the information accumulated by itself and by the neighbor nodes to be monitored, each node determines whether a neighbor node under monitoring is normal or abnormal, that is, whether it damages the network through frequent wrong routing behaviors. An experiment using a network simulator validates that the proposed method is effective enough to apply to a real domain.
The contents of this paper are as follows. Section 2 describes problems in previous studies for detecting wrong routing. Section 3 presents the information to be collected by each node for the proposed method, and Section 4 explains the general concept of the proposed method and its detailed elements. Section 5 explains the simulation results and Section 6 draws conclusions.
2 Related works and motivation
Various types of attacks in wireless ad hoc networks are detected and coped with by the message authentication method and the network node monitoring method. Using the message authentication method, we can block wrong messages that are intended to harm the network, while the network node monitoring method continuously monitors a specific node's message transmission behavior and checks whether the node forwards received messages to the next hop correctly. Because the approach discussed in this paper aims at detecting attacks that prevent a message from being delivered to the destination through wrong routing, we propose an effective detection method using the latter monitoring technology.
In the existing monitoring method, each monitoring node should contain the function called watchdog. The watchdog function puts the network receiver of the node into promiscuous mode and examines all packets passing through the network. Marti et al. introduced the problem of routing misbehavior [4]. Using the watchdog, their method detects attackers that do not perform the message routing behavior properly and excludes attackers from the message routing path by employing a pathrater. Yang et al. explained a method for secure communication in wireless ad hoc networks using the AODV routing method [6]. This method uses watchdog in order to detect whether surrounding nodes perform wrong packet forwarding behavior. Michiardi et al. described a method that blocks malicious nodes in the network based on each node's reputation value [7]. This method also uses watchdog in order to identify malicious nodes. However, existing watchdog methods have the following shortcomings [4].
– Partial dropping: The attack is hardly detectable if the attacker meets two conditions: knowing the minimum misbehavior threshold, which can be learned from the detected misbehavior of a node, and keeping its packet dropping level below that threshold.
– Receiver collision: In the relation between the sender and receiver of packets, if a collision happens on the receiver's side and the sending attacker ignores it, the attacker can deliver packets in an abnormal way without being noticed by the watcher.
– False misbehavior accusations: A normal node may be reported as an attacker node intentionally or accidentally.
– Insufficient transmission power: The packet deliverer adjusts its transmission power so that only the watcher can hear it and the node that should receive the packet cannot.
– Cooperated misbehavior: When two or more nodes cooperate, they can mount an attack in which packets are delivered properly but are dropped by the next node. In this case, the watcher cannot distinguish the attack accurately.
In addition to the problems listed above, if all nodes perform the watchdog function for monitoring, they consume an excessive amount of computing resources, and even if only some selected nodes perform the function to reduce the burden, it is quite hard to determine the minimum number of monitoring nodes needed to cover the entire network. Djenouri et al. proposed the 2-hop acknowledgement method in order to improve on the weak points of watchdog [8]. This method also uses watchdog, but receives an ACK message for each packet from the node two hops away from the watcher on the message routing path. That is, assuming that there are three nodes A, B and C on the message routing path, A watches B and B watches C. When C receives a message transmitted by A, C sends A a hash value of the received message so that A can determine whether B behaves normally. Because this method must be applied to all messages and increases the computation load considerably, it is not practical in a real environment.
Duque et al. [9] used an adaptable method to detect packet forwarding misbehavior based on the principle of flow conservation [10] and the use of policy-based management (PBM) [11]. The approach is deployed over a role-based wireless network, with the management overlay organized in a hybrid tiered manner [12]. However, the approach focuses on protecting the data packet forwarding functionality only. In this paper, we propose a new monitoring method that determines each node's misbehavior or attacking behavior through monitoring without using watchdog. In the proposed method, nodes on the network cooperate to collect statistical information on packets. Based on that information, the method determines each node's misbehavior or attacking behavior.
3 Monitoring elements
Before proposing a monitoring method, it is important to decide which elements are to be monitored by the method. Various types of attack detection methods in wireless ad hoc networks mostly use information on network traffic or on the traffic of each node. For example, a black hole does not deliver a received message to the next hop. Consequently, if there is a black hole in a routing path and n messages are received by the attacker, no message is sent. Thus, the attack can be detected by an extraordinary imbalance between two numbers: the number of received messages and the number of forwarded messages. Also, a malicious node launching a selective forwarding attack receives n messages but sends only n − d messages, where d is the number of dropped messages. Thus, this attack can also be detected by the imbalance between the number of received messages and that of sent messages. Moreover, DoS attacks and message flooding attacks can be detected by an increasing number of messages on the network or a high forwarding load applied to a normal node. Thus, the number of messages transmitted within a time unit and the forwarding load on each node are important monitoring elements. In this paper, we consider the following elements for the network monitoring method.
– Forwarding rate: If the ratio of the number of received messages to the number of forwarded messages is close to 1 at a node, the node can be regarded as normal. However, if the ratio is too low or too high, the node seems to be malicious.
– Forwarding load: Defining the forwarding load as the number of received messages that should be forwarded at a node within a unit of time, if it is abnormally high without a good reason, a DoS attack such as message flooding should be suspected.
4 Proposed detection approach
4.1 Overview of the proposed approach
Figure 1 shows the schematic diagram of the proposed approach to monitoring wireless ad hoc networks and detecting routing misbehavior. In this example, the nodes in a dotted circle form a cluster. In order to monitor node A, the neighbor nodes around node A collect the necessary information whenever they forward a message to or receive a message from node A. That is, two nodes B and C, which have node A between them, count the number of packets that they have forwarded to node A and the number of packets that they have received from node A. The collected information is passed regularly to the representative node of the cluster, and the representative node analyzes the information and detects routing misbehavior if there is any clue. The proposed method is composed of three components: constructing the list of neighbor nodes, monitoring network traffic and deciding on routing misbehavior.
– Constructing the list of neighbor nodes: In the proposed method, a subject node is monitored by several nodes surrounding it. One node among the monitoring nodes receives statistical information on the routing behavior of the subject from the other monitoring nodes and assembles the information to detect routing misbehavior. Thus each node needs to know its neighbor nodes, and the nodes construct a list of neighbor nodes. For this component, we have designed a protocol through which each node collects information on its neighbor nodes. This process covers not only secure session key exchange between nodes but also mutual authentication between them. The protocol also guarantees the integrity of messages.
– Monitoring network traffic: Each node monitors its neighbors' routing behavior by collecting statistical information on the packets that have to be forwarded to its neighbors. The counting excludes packets for which a neighbor node is the destination or the source. The node keeps adding to the statistical information until the detection process starts. Once the detection process starts, the statistical information is delivered to a representative node and then initialized.
– Identifying the attack: The collected information is periodically sent to a specific node. From the collected information, that node produces a batch of statistical data and detects attacks or misbehaviors based on the data. It is regarded as an attack if the forwarding rate exceeds a specific threshold or if the forwarding load oversteps the predefined threshold.
Fig. 1 Network traffic monitoring method using cooperating nodes
4.2 Constructing the neighbor list
A newly installed or joined node should complete the participation process successfully before collecting neighbor node information in cooperation with the nodes around it. During the participation process, the new node builds a neighbor list that contains every path to its neighbors. The neighbor list construction protocol has two operations: one is the collection of information on neighbor nodes and the other is session key exchange with each neighbor node. For session key exchange, we use a modified Diffie-Hellman key agreement algorithm that prevents man-in-the-middle attacks. In order to perform this protocol, each node should have a master key known only to the node and should manage two lists: a list of neighbor nodes and a list of key information. The key information list stores session keys between the node and its neighbors. We call them the neighbor node list and the key list respectively.
In this paper, the proposed neighbor list construction protocol considers two kinds of neighbors, 1-hop neighbors that are located in the transmission range of a node and 2-hop neighbors that are neighbors of 1-hop neighbors, while most neighbor discovery protocols consider only 1-hop neighbors. As shown in Fig. 1, each node is monitored by two nodes, which are located at the previous hop and the next hop of a routing path. In this example, if node B wants to acquire statistical information on node A's routing behavior, it should know the neighbor nodes of node A, which are the 2-hop neighbors of node B. Thus, in the proposed protocol, each node should collect information on both 1-hop and 2-hop neighbors. The detailed neighbor node list construction protocol is depicted in Figs. 2 and 3. Figure 2 shows the process of the protocol between the new node C and 1-hop neighbor node A, and Fig. 3 shows the sequence of the process between node C and 2-hop neighbor node B.
The description of each step of the neighbor list construction protocol is as follows. As shown in Figs. 2 and 3, the two processes are similar to each other except for the last step, which is the registration of a neighbor. Additionally, in the case of a 2-hop neighbor, the proposed protocol can omit the reply and commitment steps.
1. A new node C broadcasts an announcement message. This message is delivered to both 1-hop and 2-hop neighbors. It includes node C's identity ID(C) and encrypted identity HMAC_TK(C){ID(C)}. TK(C) is a temporal key of node C; it is generated from the master key and only node C knows its value.
2. When node A receives the announcement message, it sends node C an acknowledgement message, which contains node A's identity ID(A), encrypted identity HMAC_TK(A){ID(A)}, and node A's parameters for the Diffie-Hellman key exchange algorithm.
3. When node C receives the acknowledgement from node A, it creates a session key SK(C, A), and it replies to the acknowledgement by sending a message containing a randomly generated nonce N, the temporal key TK(C), and node C's parameter for the Diffie-Hellman key exchange algorithm. The nonce N and temporal key TK(C) are encrypted with the session key.
4. When node A accepts the reply message from node C, it calculates the session key SK(C, A) and obtains the temporal key and nonce by decrypting the message. It verifies the encrypted identity with the temporal key. If the verification succeeds, it confirms that node C is authenticated and that the session key SK(C, A) has been created correctly. This confirmation is performed by sending node C a commitment message, which contains a new nonce N + 1 and node A's temporal key TK(A), encrypted with the session key.
5. Once node C gets the commitment message, it first decrypts E_SK(C,A){N + 1, TK(A)} and verifies that N + 1 is correct. With the recovered TK(A), it then also checks whether the encrypted identity of node A is correct by calculating HMAC_TK(A){ID(A)}.
6. Finally, both node C and node A update their own neighbor lists. Each entry of the neighbor list is a pair of neighbor identities (id1, id2). The first component id1 means a 1-hop neighbor and the second component id2 means a 2-hop neighbor. Thus, if node A is a 1-hop neighbor of node C, then node C adds (A, null) to its neighbor list. If node B is a 2-hop neighbor of node C and node A is located between node C and node B, then node C adds (A, B) to its neighbor list.
Fig. 2 The process of creating a 1-hop neighbor node information list (message sequence between newly joined node C, 1-hop neighbor A and 2-hop neighbor B):
– C broadcasts Announcement (ID_C, HMAC_TK(C){ID_C}) with TTL=2; A checks the TTL, stores the pair (ID_C, HMAC_TK(C){ID_C}) and re-broadcasts the Announcement with TTL=1 so that B can perform the 2-hop node's role.
– A → C: Acknowledgement (ID_A, HMAC_TK(A){ID_A}, param(g, p, A)).
– C creates the session key SK(A,C) (C = g^c mod p, SK = A^c mod p) and stores (ID_A, HMAC_TK(A){ID_A}, SK(A,C)); C → A: Reply (ID_C, E_SK(A,C){N, TK(C)}, param(C)).
– A creates SK(A,C), retrieves N and TK(C), and verifies ID_C; A → C: Commitment (ID_A, E_SK(A,C){N+1, TK(A)}); A adds (ID_C, 0) to its neighbor list and (ID_C, SK(A,C)) to its key list.
– C retrieves N+1 and TK(A), verifies ID_A, adds (ID_A, 0) to its neighbor list and (ID_A, SK(A,C)) to its key list.
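The following is an added Python simulation of the six-step neighbor list construction handshake above; it is not code from the paper. Since the paper does not fix the primitives, it assumes HMAC-SHA256 for HMAC_TK(X){ID(X)}, derives TK(X) from the master key with HMAC, realises E_SK{...} as an HMAC-SHA256 keystream XOR with an appended tag as a stand-in cipher, and uses a small constructed Diffie-Hellman group (p = 2^127 − 1, g = 5); node names C, A and B follow Figs. 2 and 3.

```python
import hashlib
import hmac
import json
import secrets

P = 2**127 - 1  # constructed Diffie-Hellman modulus (a Mersenne prime); for this example only
G = 5


def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()  # HMAC-SHA256 for HMAC_TK(X){ID(X)} and derivations


def xor_stream(sk: bytes, label: bytes, data: bytes) -> bytes:
    # keystream = HMAC(SK, label || counter); the label keeps the Reply and Commitment streams distinct
    stream = b"".join(prf(sk, label + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(sk: bytes, label: bytes, payload: dict) -> bytes:
    """E_SK{payload} as encrypt-then-MAC, so a modified Reply or Commitment is rejected."""
    ct = xor_stream(sk, label, json.dumps(payload).encode())
    return ct + prf(sk, label + ct)


def decrypt(sk: bytes, label: bytes, blob: bytes) -> dict:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(sk, label + ct)):
        raise ValueError("integrity check failed")
    return json.loads(xor_stream(sk, label, ct))


def session_key(shared_secret: int) -> bytes:
    return hashlib.sha256(str(shared_secret).encode()).digest()  # SK from g^(ac) mod p


class Node:
    def __init__(self, ident: str):
        self.id = ident
        self.master_key = secrets.token_bytes(32)        # known only to this node
        self.tk = prf(self.master_key, b"temporal-key")   # TK(X), derived from the master key
        self.neighbor_list = []  # (id1, id2): 1-hop neighbor, 2-hop neighbor behind it (None if 1-hop)
        self.key_list = {}       # neighbor id -> session key
        self.pending = {}        # handshake state per peer

    def hid(self) -> bytes:      # HMAC_TK(X){ID(X)}, the "encrypted identity" of the paper
        return prf(self.tk, self.id.encode())

    def announce(self, ttl: int) -> dict:                 # step 1: broadcast by the new node
        return {"id": self.id, "hid": self.hid().hex(), "ttl": ttl}

    def acknowledge(self, ann: dict) -> dict:             # step 2: responder stores the pair, sends its DH share
        a = secrets.randbelow(P - 2) + 2
        self.pending[ann["id"]] = {"hid": bytes.fromhex(ann["hid"]), "priv": a}
        return {"id": self.id, "hid": self.hid().hex(), "g": G, "p": P, "pub": pow(G, a, P)}

    def reply(self, ack: dict) -> dict:                   # step 3: new node derives SK, sends E_SK{N, TK(C)}
        c = secrets.randbelow(ack["p"] - 2) + 2
        sk, n = session_key(pow(ack["pub"], c, ack["p"])), secrets.randbelow(2**32)
        self.pending[ack["id"]] = {"hid": bytes.fromhex(ack["hid"]), "sk": sk, "n": n}
        return {"id": self.id, "pub": pow(ack["g"], c, ack["p"]),
                "enc": encrypt(sk, b"reply", {"N": n, "tk": self.tk.hex()})}

    def commit(self, rep: dict, via=None):                # step 4: responder authenticates the new node
        st = self.pending.pop(rep["id"])
        sk = session_key(pow(rep["pub"], st["priv"], P))
        try:
            body = decrypt(sk, b"reply", rep["enc"])
        except ValueError:
            return None
        # the announced HMAC_TK(C){ID(C)} must verify under the TK(C) just recovered
        if not hmac.compare_digest(st["hid"], prf(bytes.fromhex(body["tk"]), rep["id"].encode())):
            return None
        self.register(rep["id"], sk, via)
        return {"id": self.id, "enc": encrypt(sk, b"commit", {"N": body["N"] + 1, "tk": self.tk.hex()})}

    def finish(self, com: dict, via=None) -> bool:        # step 5: new node checks N+1 and the responder's identity
        st = self.pending.pop(com["id"])
        try:
            body = decrypt(st["sk"], b"commit", com["enc"])
        except ValueError:
            return False
        if body["N"] != st["n"] + 1:
            return False
        if not hmac.compare_digest(st["hid"], prf(bytes.fromhex(body["tk"]), com["id"].encode())):
            return False
        self.register(com["id"], st["sk"], via)
        return True

    def register(self, peer: str, sk: bytes, via):        # step 6: (peer, None) for 1-hop, (via, peer) for 2-hop
        self.neighbor_list.append((via, peer) if via else (peer, None))
        self.key_list[peer] = sk


def run_handshake(new: Node, peer: Node, via=None, forge: bool = False) -> bool:
    """Drive steps 1-6; via is the 1-hop node relaying to a 2-hop peer; forge=True announces an
    identity HMAC made under the wrong key, which step 4 rejects."""
    ann = new.announce(ttl=2 if via else 1)
    if forge:
        ann["hid"] = prf(b"wrong-key", new.id.encode()).hex()
    com = peer.commit(new.reply(peer.acknowledge(ann)), via)
    return com is not None and new.finish(com, via)
```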
Figure 4 shows an example of a neighbor node list created by the process described above when the new node A participates in the network. As shown in Fig. 4, the neighbor node list contains all nodes around node A and the paths to them; they can be reached with one hop or two hops.
Fig. 3 The process of creating a 2-hop neighbor node information list (message sequence between newly joined node C, 1-hop neighbor A and 2-hop neighbor B):
– The Announcement (ID_C, HMAC_TK(C){ID_C}) reaches B through A with TTL=1; B checks the TTL and stores (ID_C, HMAC_TK(C){ID_C}, ID_A).
– B → C: Acknowledgement (ID_B, HMAC_TK(B){ID_B}, param(g, p, B)).
– C creates the session key SK(B,C) (C = g^c mod p, SK(B,C) = B^c mod p) and stores (ID_B, HMAC_TK(B){ID_B}, SK(B,C), ID_A); C → B: Reply (ID_C, E_SK(B,C){N, TK(C)}, param(C)).
– B creates SK(B,C), retrieves N and TK(C), verifies ID_C, adds (ID_A, ID_B) to its neighbor list and (ID_B, SK(B,C)) to its key list; B → C: Commitment (ID_B, E_SK(B,C){N+1, TK(B)}).
– C retrieves N+1 and TK(B), verifies ID_B, adds (ID_A, ID_B) to its neighbor list and (ID_B, SK(B,C)) to its key list.
Fig. 4 An example of a neighbor node information list
4.3 Monitoring the network traffic
In the proposed approach, each node continuously monitors its neighbors by counting the number of messages. To check the behavior of each node, we monitor two kinds of messages: one is the message that a neighbor node has received through the node itself, and the other is the message that the node has received from its neighbor for forwarding. The monitoring, however, excludes messages for which a neighbor node is the destination or the source. That is, if a node has a message to be forwarded to a neighbor node and the neighbor node is not the destination of the message, the node increases the count of messages forwarded to that neighbor. In addition, if the node receives a message from a neighbor node that is not the source of the message, and the message should be forwarded to another neighbor node, then the node increases the count of messages received from that neighbor. For the latter we use an incoming counter, and for the former an outgoing counter. Thus, for each subject node, every monitoring node has two counters. If a node has n 1-hop neighbors, then it has n incoming counters and n outgoing counters. For instance, a message is delivered to node F through nodes A and C as shown in Fig. 5. Node A forwards the message to node C, and this increases the value of the outgoing counter for node C. Node C again forwards the message to F, but the value of the outgoing counter is not changed because node F is the destination of the message.
Fig. 5 An example of monitoring messages processed by a node
4.4 Identifying the attack
Traffic information is accumulated for a specific time interval through the method presented in the previous section, and misbehavior is detected using that information. The misbehavior detection operation begins with assembling the statistical information. To do this, each node sends statistical data about the message delivery behavior to the representative node of its location, and the representative node assembles the received information. The representative node makes a decision on attacks based on routing misbehavior. It compares the ratio of the number of received messages to the number of forwarded messages with a specific threshold H_rate. In addition, it checks whether any node processes more messages than H_avg, the average number of messages processed by each node in the network. The attack detection process is performed periodically at a predefined time interval t. The detailed decision process consists of the following cyclic steps.
– Initiation: A node cannot perform the attack decision process for every neighbor at the same time, since each node has several neighbors that should be monitored. If the processes were carried out simultaneously, they might themselves amount to a network DoS attack. Thus the processes are initiated by a representative node one by one. Each node selects a subject node X and waits for the time interval t.
– Data collection: After the time interval t, the representative node gathers statistical information on the subject X from X's neighbors in order to analyze X's routing behavior. For this, the decision maker sends a message requesting the statistical information on the subject node X to every 2-hop neighbor that is a 1-hop neighbor of the subject node X.
– Analysis: Based on the thresholds H_rate, H_avg and λ, the representative node analyzes the collected data. It checks whether the message forwarding ratio is between 1 and H_rate, and it verifies that the difference between the number of messages handled by the subject node X and H_avg is within the predefined threshold λ. If either condition is not satisfied, the subject X is identified as a malicious node.
After the detection process for node X has been performed successfully, the counter for X should be initialized so that X can be included in the next detection process, and the subject node X is excluded from the detection process until all nodes have been examined. After the detection process has been performed for all nodes, the list of nodes to be included in the next detection process is reset.
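As an added example (not the paper's code), the following Python simulates the per-neighbor incoming and outgoing counters of Section 4.3 together with the forwarding-rate and forwarding-load conditions of Sections 3 and 4.4 on a constructed topology. It assumes a gray-hole node X that drops every second message it should forward, a flooding source F, thresholds H_rate = 1.5 and λ = 30 with H_avg computed as the mean load over the examined subjects, and that every node reports its own counters truthfully; the examined subjects are limited to nodes whose next hop is itself a forwarder, because under the paper's rules a neighbor that is the destination keeps no counter for the last hop.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Node:
    ident: str
    drop_every: int = 0  # constructed misbehavior: drop every k-th message it should forward (0 = honest)
    seen: int = 0        # messages this node has been asked to forward
    # counters this node keeps about each neighbor (Section 4.3)
    incoming: dict = field(default_factory=lambda: defaultdict(int))  # received from neighbor, to be forwarded on
    outgoing: dict = field(default_factory=lambda: defaultdict(int))  # handed to neighbor for forwarding


def route(nodes: dict, path: list) -> bool:
    """Deliver one message along path, applying the counting rules at every hop.
    Returns True when the destination receives it, False when a hop drops it."""
    src, dst = path[0], path[-1]
    for i in range(len(path) - 1):
        sender, receiver = nodes[path[i]], nodes[path[i + 1]]
        if i > 0:  # the sender is forwarding, not originating, this message
            sender.seen += 1
            if sender.drop_every and sender.seen % sender.drop_every == 0:
                return False  # gray-hole drop: the message never leaves the sender
        if receiver.ident != dst:  # the neighbor is not the destination, so it must forward the message
            sender.outgoing[receiver.ident] += 1
            if sender.ident != src:  # the neighbor that handed it over is not the source either
                receiver.incoming[sender.ident] += 1
    return True


def collect(nodes: dict, subject: str) -> tuple:
    """Data collection: the representative sums every neighbor's counters about the subject."""
    received = sum(n.outgoing.get(subject, 0) for n in nodes.values())   # messages handed to the subject
    forwarded = sum(n.incoming.get(subject, 0) for n in nodes.values())  # messages the subject passed on
    return received, forwarded


def analyse(nodes: dict, subjects: list, h_rate: float, lam: float) -> tuple:
    """Analysis step of Section 4.4 for one detection interval.
    Returns ({subject: [failed conditions]}, H_avg); an empty list means the node looks normal."""
    stats = {s: collect(nodes, s) for s in subjects}
    h_avg = sum(r for r, _ in stats.values()) / len(stats)  # H_avg: mean forwarding load over the subjects
    verdict = {}
    for s, (received, forwarded) in stats.items():
        ratio = received / forwarded if forwarded else float("inf")  # a black hole forwards nothing
        reasons = []
        if not 1 <= ratio <= h_rate:
            reasons.append("ratio")
        if abs(received - h_avg) > lam:
            reasons.append("load")
        verdict[s] = reasons
    return verdict, h_avg


def reset_counters(nodes: dict, subject: str) -> None:
    """After a subject has been examined, its counters are initialised for the next interval."""
    for n in nodes.values():
        n.incoming.pop(subject, None)
        n.outgoing.pop(subject, None)


def scenario() -> dict:
    """Constructed traffic: 20 messages through gray hole X on one path, a 100-message flood on another."""
    nodes = {name: Node(name) for name in "S1 A B X C E D1 F G H D2".split()}
    nodes["X"].drop_every = 2  # X forwards only every other message it receives
    for _ in range(20):
        route(nodes, ["S1", "A", "B", "X", "C", "E", "D1"])
    for _ in range(100):
        route(nodes, ["F", "G", "H", "D2"])
    return nodes


if __name__ == "__main__":
    net = scenario()
    verdict, h_avg = analyse(net, ["A", "B", "X", "C", "G"], h_rate=1.5, lam=30)
    print(f"H_avg={h_avg}", verdict)
```

X is reported on the ratio condition (20 received, 10 forwarded) and G, the first forwarder on the flooded path, on the load condition, while the honest nodes on the first path pass both checks.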
5 The simulation results
5.1 Simulation setup
In order to evaluate the proposed approach, we conducted a simulation using the network simulator ns-2. In the simulation, attacks that paralyze the network service by dropping network packets were launched by attacker nodes, first in an environment without the proposed detection approach and then in an environment using it. In the experimental network, a total of 100 nodes were distributed at random within a 180 m × 180 m square. Network routing was performed by DSR (dynamic source routing). In each session, 0 to 10 attackers were distributed in the network. While communication was active in the network, each attacker dropped a certain percentage of network packets so that network service was discontinued.
5.2 Attack detection performance
Figure 6 shows the successful intrusion detection ratio and the false intrusion detection ratio of the proposed system according to the number of attacker nodes. The detection ratio increases slightly with the number of attacker nodes and is over 97 % even when the number of attacker nodes is the smallest. This also means that the false-negative ratio is less than 3 %. In Fig. 6, the false detection ratio is defined as the ratio of false positives to the total number of attack detections. When there is no attacker node, the false detection ratio is 0.3 %. Regardless of the number of attacker nodes, the false detection ratio is less than 1 %. This suggests that the probability of a false negative or false positive is low enough to apply the proposed method to a real environment.
Fig. 6 Change in the intrusion detection ratio: (a) detection ratio and (b) false positive ratio against the number of malicious nodes (0 to 10)
Figure 7 shows the cumulative number of packets dropped by attacker nodes during the simulation. For 2 and 4 attacker nodes, it shows the cumulative change with detection and isolation using the proposed method and without it. The graph plots the value on a logarithmic scale. As shown in Fig. 7, when the proposed detection method is not used, the numbers of dropped packets are 3700 (with two attacker nodes) and 6700 (with four attacker nodes), but when the proposed method is used, the number is less than 10 in both cases. This shows that the attacks are effectively mitigated by the proposed method and that network performance is improved remarkably.
Fig. 7 The cumulative number of dropped packets by attackers against simulation time, with and without the mechanism, for 2 and 4 attackers (logarithmic scale)
Figure 8 shows the packet loss ratio according to the number of attacker nodes. When the proposed approach is not employed, the packet loss ratio goes up to 50 % as the number of attacker nodes increases. However, when the proposed detection method is applied, the packet loss ratio stays within 3 %. This ratio includes packet loss caused by attackers as well as loss from the processing delay resulting from the execution of the routing misbehavior detection process.
5.3 The change in network performance
Figure 9 shows the change in network delay according to the number of attacker nodes. Compared to the case without the proposed method, network delay increases by around 50 % when the proposed detection method is used. However, a delay of around 0.02 second is tolerable to network service users. Accordingly, the proposed approach is considered highly applicable to real systems.
Fig. 9 Change in the average network delay: average latency (s) over the 1st to 10th simulation rounds, with and without the mechanism
Figure 10 shows the change in the number of messages necessary for a specific node to collect neighbor node information according to the number of 1-hop neighbor nodes. In the figure, ρ is defined as the probability that a node B is both a 1-hop neighbor and a 2-hop neighbor of another node A. A higher ρ corresponds to a higher density of nodes in the network. In the results, when each node has 5 neighbors and the nodes are distributed in a 180 m × 180 m square, the number of messages is 108 in the worst case (ρ = 0.1) and 53 in the best case (ρ = 0.5). The number of messages is not as small as we expected, but this large number of messages is only necessary at network installation time.
Fig. 8 Change in the packet loss ratio against the number of malicious nodes (0 to 10), with and without the mechanism
Fig. 10 The number of messages exchanged in the neighbor node list creation process according to the number of 1-hop neighbor nodes (1 to 10), for ρ = 0.1 to 0.5
6 Conclusions
In this paper, we proposed a new monitoring method that can detect attacks made by performing the message delivery process improperly and by paralyzing the network with an abnormally large number of messages. In the proposed method, all nodes keep counts of the messages that they have received from and forwarded to their neighbor nodes in order to monitor nodes on the network. The statistical data on the number of messages is used cyclically to detect nodes that misbehave in forwarding packets to their neighbor nodes. A representative node gathers and assembles the statistical data from all nodes adjacent to the subject node, and identifies the attacker based on that data. The results of the experiment in a DSR-based network environment showed that the proposed method can detect various network problems effectively. In addition, the results show that the proposed method is not very efficient but is tolerable enough to apply to wireless ad hoc networks. In order to improve the proposed method, we need to refine the construction of the neighbor list. The creation protocol of the proposed method is stable and secure, but it lowers the overall efficiency of the proposed method. To solve this problem, we need to propose a more efficient algorithm, such as a neighbor list construction method that uses the routing tables of neighbor nodes. Also, additional tests should be conducted by implementing the method in a prototype environment in order to see whether the proposed method is practical in a real environment.
Acknowledgments This work was supported by the Power Generation & Electricity Delivery of the Korea Institute of Energy Technology Evaluation and Planning (KETEP) grant funded by the Korea government Ministry of Knowledge Economy (No. 2010101040046A and No. 2011101050001A).
References
1. Yang H, Luo H, Ye F, Lu S, Zhang L (2004) Security in mobile ad hoc networks: challenges and solutions. IEEE Wirel Commun 11(1):38–47
2. Aad I, Hubaux JP, Knightly EW (2008) Impact of denial of service attacks on ad hoc networks. IEEE Trans Netw 16(4):791–802
3. Zhou L, Haas ZJ (1999) Securing ad hoc networks. IEEE Netw 13(1):24–30
4. Marti S, Giuli T, Lai K, Baker M (2008) Mitigating routing misbehavior in mobile ad hoc networks. In: Proceedings of the 6th annual international conference on mobile computing and networking, Boston, pp 255–265
5. Djenouri D, Khalladi L, Badache N (2005) A survey of security issues in mobile ad hoc and sensor networks. IEEE Commun Surv Tutor 7(4):2–28
6. Yang H, Meng X, Lu S (2002) Self-organized network layer security in mobile ad hoc networks. In: Proceedings of the ACM workshop on wireless security, Atlanta, pp 11–20
7. Michiardi P, Molva R (2002) Core: a collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks. In: Proceedings of communication and multimedia security, pp 107–121
8. Djenouri D, Badache N (2005) New approach for selfish nodes detection in mobile ad hoc networks. In: Proceedings of the international conference on security and privacy for emerging areas in communication networks, pp 288–294
9. Duque OG, Hadjiantonis A, Pavlou G, Howarth M (2009) Adaptable misbehaviour detection and isolation in wireless ad hoc networks using policies. In: Proceedings of the international conference on security and privacy for emerging areas in communication networks, pp 288–294
10. Bradley KA, Cheung S, Puketza N, Mukherjee B, Olsson RA (1998) Detecting disruptive routers: a distributed network monitoring approach. In: Proceedings of the symposium on security and privacy, pp 115–124
11. Boutaba R, Aib I (2007) Policy-based management: a historical perspective. J Netw Syst Manag 15(4)
12. Hadjiantonis AM, Malatras A, Pavlou G (2006) A context-aware, policy-based framework for the management of MANETs. In: Proceedings of the 7th IEEE international workshop on policies for distributed systems and networks, pp 23–32
Gunhee Lee received his Ph.D. in Information and Communication Engineering from Ajou University, Korea. He is a senior researcher at The Attached Institute of ETRI, Korea. His main research interest is in the design and development of authentication protocols for M2M communication environments including control systems, smart grid, power systems, nuclear plants and wireless ad hoc networks. He is also interested in network security, access control systems and intrusion detection systems.
Wonil Kim received the B.S. and M.S. in Computer Science from Southern Illinois University, U.S.A. in 1988 and 1990 respectively. He received his Ph.D. in Computer and Information Science from Syracuse University, U.S.A. in 2000. Since 2003, he has been with the Department of Digital Content, College of Electronics and Information, Sejong University, Seoul, Korea. His research interests include artificial intelligence, multimedia contents, bioinformatics, adaptive systems, and computer security.
Kangseok Kim received Ph.D. in Computer Science from Indiana University at Bloomington, IN, USA. He is currently research professor of Knowledge Information Engineering department at Graduate School of Ajou University, Suwon, Korea. His main research interests include Mobile Computing, Ubiquitous Computing, Scalable Distributed Database System, Pervasive Collaborative Applications with Smart Phones, Mobile Network Security, Wireless Sensor Networks, Data Mining, and Bioinformatics.
Sangyoon Oh received his Ph.D. from the Computer Science Department of Indiana University at Bloomington, U.S.A. He is an associate professor in the School of Information and Computer Engineering at Ajou University, South Korea. Before joining Ajou University, he worked for SK Telecom, South Korea. His main research interest is in the design and development of web-based large-scale software systems including cloud computing, virtualization technology, parallel computing and grid computing.
Dong-kyoo Kim received Ph.D. in Computer Science from Kansas State University, KS, USA. He is a professor of Information and Communication Engineering Department at Ajou University, Suwon, Korea. Before joining Ajou University, he worked for KIST, South Korea. His main research interests include Computer Communication, Computer Security and Network Security.