AbstractâThe black hole attack is one of the security attacks that occur in Mobile Ad-hoc Networks (MANETs). In the attack, a malicious node exploits the routing ...
Black Hole Attack Prevention Based on Authentication Mechanism Junhai Luo, Mingyu Fan, and Danxia Ye School of Computer Science & Engineering University of Electronic Science and Technology of China, Chengdu, China, 610054
Abstract— The black hole attack is one of the security attacks that occur in Mobile Ad-hoc Networks (MANETs). In the attack, a malicious node exploits the routing protocol to advertise itself as having the shortest path to the node whose data packets it wants to intercept. In this paper, the black hole problem is addressed. An authentication mechanism, based on the hash function, the Message Authentication Code (M AC), and the Pseudo Random Function (P RF ), is proposed for black hole prevention on top of Ad-hoc On-demand Distance Vector (AODV). The simulation results show the scheme provides fast message verification identifies black hole and discovers the safe routing avoiding the black hole attack.
I. I NTRODUCTION A MANET [1], [2] is a multi-hop temporary communication network of mobile nodes equipped with wireless transmitters and receivers without the aid of any current network infrastructure. A MANET is an emerging research area with practical applications. However, A MANET is particularly vulnerable due to its fundamental characteristics [3], [4], such as open medium, dynamic topology, distributed cooperation, and constrained capability. Routing plays an important role in the security of the entire network. Thus operations in MANETs introduce some new security problems in addition to the ones already present in fixed networks. According to the criterion that whether attackers disrupt the operation of a routing protocol or not, attacks in MANETs can be divided into two classes: passive attacks and active attacks [5], [6], [7]. In a passive attack, the attacker does not disrupt the operation of a routing protocol but only attempts to discover valuable information by listening to the routing traffic. In an active attack, however, these attacks involve actions performed by adversaries, modification and deletion of exchanged data to attract packets destined to other nodes to the attacker for analysis or just to disable the network. Some typical types of active attacks that can usually be easily performed against MANETs are listed as follows [1], [4], [7]: 1) Black hole: A malicious node may use the routing protocol to advertise itself as having the shortest path to the node whose packets it wants to intercept. The detailed description is provided in section 2. 2) Denial of Service (DoS): A malicious node may generate frequent unnecessary routing requests to make the network resources unavailable to other nodes. DoS attack results when the network bandwidth is hijacked by a malicious node [8]. 1-4244-2424-5/08/$20.00 ©2008 IEEE
173
3) Impersonation: A malicious node may impersonate another node while sending the control packets to create an anomaly update in the Routing Table (RT). 4) Disclosure: A malicious node may leak confidential information to unauthorized users in the network, such as routing or location information. In the end, the attacker knows which nodes are situated on the target routing. 5) Spoofing: Spoofing occurs when a node misrepresents its identity in the network, such as by altering its M AC or IP address in outgoing packets. Spoofing combined with packet modification is really a dangerous attack. 6) Sleep deprivation: Battery powered devices in MANETs try to conserve energy by transmitting only when absolutely necessary. An attacker may attempt to consume batteries by requesting routings, or by forwarding unnecessary packets to the nodes. These are mechanisms that help prevent, detect, and respond to security attacks. There are four major security goals that need to be addressed in order to maintain a reliable and secure ad-hoc network environment. They are mainly [9]: 1) Confidentiality: Protection of any information from being exposed to unintended entities. In MANETs, this is more difficult to achieve because intermediates nodes (that act as routers) receive the packets for other recipients, so they can easily eavesdrop the information being routed. 2) Availability: It assures that the services of the system are available at all times and are not denied to authorized users. 3) Authentication: Assurance that an entity of concern or the origin of a communication is what it claims to be or from. Without which an attacker would impersonate a node, thus gaining unauthorized access to resource and sensitive information and interfering with operation of other nodes. 4) Integrity: Message being transmitted is never altered. Non-repudiation: Ensures that sending and receiving parties can never deny ever sending or receiving the message. 5) Assurance: It is required to guarantee that the security measures have been properly implemented and they function as intended. 6) Non-repudiation: Ensures that sending and receiving parties can never deny ever sending or receiving the message. ICCS 2008
The rest of the paper is organized as follows: In section II, the black hole attack in MANETs is discussed. In section III, we present an authentication mechanism to prevent the black hole attack in detail, followed by section IV, it presents the simulation results. In section V, we draw a conclusion and address the future work. II. B LACK H OLE ATTACK
the source node firstly. This makes the source node thinks that the routing discovery process is completed, ignores all other reply messages, and begins to send data packets. The forged routing has been created. As a result, all the packets through node B are simply consumed or lost. Node B could be said to form a black hole in the network, and we call it as the black hole attack [8], [11], [12].
A. AODV Routing Protocol
&
AODV [2] is an on-demand routing protocol in MANETs. Route discovery is not started until it is required (ondemand). The protocol operates in two mechanisms: route discovery and route maintenance. Route discovery is used when the packet sender has no route available in its RT. It broadcasts a RouteRequest packet into the network. A node receives a fresh RouteRequest will check its RT to see whether it has a route to the requested destination. It replies if there is one otherwise, the RouteRequest is forwarded. Before forwarding, it keeps a reverse path to the source node in its RT. The RT records the route information of the next hop, the distance and the current highest sequence number it has seen. Route maintenance starts when changes in the network topology invalidate a cached route. It is used to notify the source node or to trigger a new route discovery. B. Weakness of AODV
6
)
C. Black Hole Attack When a source node wants to send data packets to a destination node, if there has no route available in its RT, it will initiate the routing discovery process [8], [10]. We assume node B to be a malicious node (See Figure 1). Using the routing AODV protocol, node B claims that it has the routing to the destination node whenever it receives RREQ packets, and sends the response to source node at once. The destination node may also give a reply. If the reply from a normal destination node reaches the source node of RREQ first, everything works well; but the reply from node B could reach the source node first, if node B is nearer to the source node. Moreover, node B does not need to check its RT when sending a false message; its response is more likely to reach 174
*
%
(
�D �1HWZRUN�)ORRGLQJ�RI�55(4 &
'
$
6
)
%
*
(
�E �3URSDJDWLRQ�RI�55(3�0HVVDJH
Fig. 1.
It is possible to exploit a number of weaknesses in AODV to disrupt the communication between nodes. We list some weaknesses of AODV as follows [3]: 1) Rush attack with RREQ: The purpose of this rush attack is to suppress a valid RREQ (request) sent by a real originator. 2) False message propagation with RREQ: The goal of this attack is to reroute traffic through the malicious node, and then throw it away. 3) False reply with RREP : This attack intercepts a request with an answer, hopefully before it reaches the final destination. 4) False message propagation with RREP : In this attack, the malicious node reroutes traffic by using false RREP packets. Again, the purpose is to create a black hole and discard traffic.
'
$
Black Hole Attack
III. AUTHENTICATION M ECHANISM In this section, we propose an authentication mechanism for identifying black hole nodes, which could be potentially exploited by malicious nodes. To address the above problems, without assuming the existence of any authentication infrastructure [11], which is usually not practical in MANETs An authentication mechanism is constructed based on the concept of the hash function, M AC, and P RF [12], [13] as below. The source node checks RREP messages to determine the data packets to pass with our authentication mechanism proposed in this paper. A. Assumptions and Definitions In our scheme, there are the basic assumptions and definitions of this work: And it is assumed that each node in MANETs holds the following items [10], [14]: 1) The plaintext M : the original message sent by a destination node is the RREP message. 2) The cipher-text CM : which is the output of M encrypted by the cryptosystem. 3) The sharing secret key Ki [7]: this is undisclosed to all outsiders. Each node gets its Ki by choosing a random number ri and recursively applying P RF [9], [10] (denoted by G(•) ) on ri by k times, that is Ki = Gk (ri ), which recursively is obtained by the following formulation, where k is the length of the circulation. � G(Gi−1 (ri )) i = {1, 2, · · · , k} (1) Gi (ri ) = i=0 G(ri )
IV. S IMULATION
4) Each node holds the symmetric cryptosystem, i.e., M = DKi (EKi (M ))
(2)
where EKi and DKi are the encryption and decryption functions, respectively. 5) M AC: which is defined by M AC(Ki , M ). 6) Time synchronization: time synchronization is imposed in the network so that each mobile node can synchronize the same time. A node partitions the whole time into equal intervals. B. Authentication Mechanism • • •
Step 1: A node gets the sharing secret key Ki . Step 2: According to the system synchronization mechanism, node generates a time stamp Ts . Step 3: By applying M , Ts , and Ki , node uses the one-way-hash function H(•) to generate M AC for this message, i.e., M ACM = H(Ki , Ts , M ) = H(Ki , Ts , RREP ) (3)
•
Step 4: By applying the global symmetric cryptosystem, node gets the encrypted packet P , and then transmits the packet, i.e., P = EKi (Ts , M, M ACM ) = EKi (Ts , RREP, H(Ki , Ts , RREP ))
(4)
For each intermediate node, if a packet is received, it only forwards the packet to the next node. For the destination node, if a packet is received, it checks the following four conditions: • Condition 1: By applying the global symmetric cryptosystem, source node firstly gets the decrypted message, i.e., DKi (EKi (Ts , M, M ACM )) (5) = DKi (EKi (Ts , RREP, H(Ki , Ts , RREP ))) Condition 2: M ACM = H(Ki , Ts , M ) = H(Ki , Ts , RREP ) • Condition 3: Ts is in a reasonable time delay range. • Condition 4: The decrypted Ts is the same as the one in the packet without encryption. If the four above-mentioned conditions are all satisfied, this packet is regarded as a valid packet and this routing is also regarded as a security routing from the source node to the destination node. Then the source node begins to send data packets. Otherwise, the source node executes the following three steps: • Step 1: It discards the packet because the key is disclosed before it receives the packet and M AC might be potentially forged. In addition, a packet with an invalid M AC is discarded. • Step 2: It initiates another a routing discovery process. • Step 3: It sends out an alarm message to isolate the malicious node in the network. •
175
In this section, we describe our simulation environment and report the simulation results. Computer simulation is done using the network simulator NS-2 [15] to build our simulation environment. We use the Distributed Coordination Function (DCF) of IEEE 802.11 for wireless LANs to simulate the MAC layer and set the traffic source to Continuous Bit Rate (CBR). The CBR traffic is generated with a rate of 4 packets per second. A flat network is constructed for simulation purpose and monitored for a number of parameters. The simulation models 50 mobile nodes, moving over a rectangular flat space. Simulation time is 1200 seconds. The random waypoint model is selected as a mobility model in a rectangular field (1000 × 1000m2 ) with a node’s speed uniformly between 0 and a maximum value of 20m/s . Each node in the network is assumed to have a buffer with a capacity of 64 packets and use a FIFO interface queue. We add the function of our method to AODV to detect the black hole attack. TABLE I S IMULATION PARAMETER Parameter Simulator MAC layer protocol Mobility model Node placement Terrain range Transmission range Examined routing protocol Channel bandwidth Maximum speed Application traffic Simulation time Propagation mode Packet size Number of mobile nodes Maximum connection
Value NS-2 IEEE802.11 Random waypoint Random, uniform 1000 ∗ 1000m2 250s AODV 2Mbps 20m/s CBR 1200s Free space 512 bytes 50 20
We use the following metrics to evaluate our method, which eliminates the black hole attack in MANETs. 1) Control Overhead: The overhead of routing control packets to detect the black hole attack are introduced. Transmissions are counted instead of packets since the goal is to compare data transmission to routing related transmissions. The result of the routing control overhead is shown in Figure 2. The standard AODV is used as a baseline to compare with the detection method. As we see, the control overhead does not change much throughout and does not show an obvious trend when maximum moving speed or simulation time changes. 2) False Negative Probability: We study and measure the probability with which the source node does not detect the black hole attack. The result of false negative probability is shown in Figure 3 in the network. As shown in Figure 3, the detection probability increases as the node simulation time increases. Because AODV can not detect the black hole attack, the false negative probability of AODV is equal to 1.
our method maintains relatively high data packet delivery ratio by avoiding black hole nodes.
1 AM AODV
0.9 0.8
1
0.6
0.9
0.5
0.8 Data Package Delivery Ratio
Overhead
0.7
0.4 0.3 0.2 0.1 0
0
200
400
600 800 Simulation Time (s)
1000
1200
0.7 0.6 0.5 0.4 0.3 0.2
Fig. 2.
0.1
Control Overhead
0
AM AODV 0
2
4 6 Number of Black Hole Nodes
8
10
1
Fig. 5.
0.9
Data Package Delivery Ratio
False Negative Probabiltiy
0.8 0.7
V. C ONCLUSION
AM AODV
0.6 0.5 0.4 0.3 0.2 0.1 0
0
200
400
Fig. 3.
600 800 Simulation Time (s)
1000
1200
False Negative Probability
3) Detection Time: This is the time to detect the network, which has a black hole attack. It is measured by the attack detection time minus the traffic start time. Figure 4 shows the result of the detection time. As shown in Figure 4, the detection time increases when the node simulation time increases.
In this paper, we have studied the routing security issues of MANETs, described the black hole attack that can be mounted against a MANET, and proposed a feasible solution for it on the top of AODV protocol to avoid the black hole attack, and also prevented the network form further malicious behavior. An authentication mechanism eliminates the need for a PKI or other forms of authentication infrastructure, which are usually not practical in MANETs. How to handle unlimited message authentication by switching one-way-hash chains and how to prevent a malicious node can not forge a reply if the hash key of any node is to be disclosed to all nodes eventually will be discussed. Mobile Nodes have a right to exit even in static networks, so node’s mobility will be discussed in the future. VI. ACKNOWLEDGMENTS This work was partially funded by the National Studyabroad Scholarship of China under Grant No. 27U38009.
160
R EFERENCES
140
Detection Time (s)
120
100
80 AM 60
40
20
0
200
400
Fig. 4.
600 800 Simulation Time (s)
1000
1200
Detection Time
4) Data Package Delivery Ratio: This is the percentage of the data package sent that are actually received by the destination. Figure 5 shows data packet delivery ratio as a function of the number of black hole nodes. As shown in the Figure 5, at the environments of 10 black hole nodes, the 2500 packets with rates are transmitted. As this result, 176
[1] Y.-C. Hu, D. B. Johnson, and A. Perrig, “Sead: Secure efficient distance vector routing for mobile wireless ad-hoc networks,” in WMCSA ’02: Proceedings of the Fourth IEEE Workshop on Mobile Computing Systems and Applications. Washington, DC, USA: IEEE Computer Society, 2002, pp. 3–13. [2] X. Wang, T. liang Lin, and J. Wong, Feature Selection in Intrusion Detection System over Mobile Ad-hoc Network. Technical Report, Computer Science, Iowa State University, 2005. [3] J. Grønkvist, A. Hansson, and M. Skøld, Evaluation of a Specification-Based Intrusion Detection System for AODV. di.ionio.gr/medhocnet07/wp-content/uploads/papers/90.pdf, 2007. [4] S. Kurosawa, H. Nakayama, and N. Kato, “Detecting black hole attack on aodv based mobile ad-hoc networks by dynamic learning method,” International Journal of Network Security, pp. 338–346, 2007. [5] K. Makki, N. Pissinou, and H. Huang, “Solutions to the black hole problem in mobile ad-hoc network,” 5th World Wireless Congress, pp. 508–512, 2004. [6] M.-C. Basile, M.-Z. Kalbarczyk, and F.-R. K. Iyer, “Inner-circle consistency for wireless ad-hoc networks,” IEEE Transactions on Mobile Computing, vol. 6, no. 1, pp. 39–55, 2007. [7] Q. He, D. Wu, and P. Khosla, “Sori: A secure and objective reputationbased incentive scheme for ad-hoc networks,” Wireless Communications and Networking Conference, 2004. WCNC. 2004 IEEE, vol. 2, pp. 825–830, 21-25 March 2004.
[8] Y.-R. Tsai and S.-J. Wang, “Two-tier authentication for cluster and individual sets in mobile ad-hoc networks,” Comput. Netw., vol. 51, no. 3, pp. 883–900, 2007. [9] S. Sreepathi, V. Venigalla, and A. Lal, A Survey Paper on Security Issues Pertaining to Ad-Hoc Networks. www4.ncsu.edu/ sssreepa/Adhoc-networks-Security-Survey.doc. [10] Y.-R. Tsai and S.-J. Wang, “Routing security and authentication mechanism for mobile ad-hoc networks,” Vehicular Technology Conference, 2004. VTC2004-Fall. 2004 IEEE 60th, vol. 7, pp. 4716–4720 Vol. 7, 26-29 Sept. 2004. [11] C. Basile, Z. Kalbarczyk, and R. Iyer, “Neutralization of errors and attacks in wireless ad-hoc networks,” Dependable Systems and Networks, 2005. DSN 2005. Proceedings. International Conference on, pp. 518–527, 28 June-1 July 2005. [12] L. Junhai, X. Liu, and Y. Danxia, “Research on multicast routing protocols for mobile ad-hoc networks,” Comput. Netw., vol. 52, no. 5, pp. 988–997, 2008. [13] A. Patcha and A. Mishra, “Collaborative security architecture for black hole attack prevention in mobile ad-hoc networks,” Radio and Wireless Conference, 2003. RAWCON ’03. Proceedings, pp. 75–78, 10-13 Aug. 2003. [14] B. Sun, Y. Guan, J. Chen, and U. Pooch, “Detecting black hole attack in mobile ad-hoc networks,” Personal Mobile Communications Conference, 2003. 5th European (Conf. Publ. No. 492), pp. 490–495, 22-25 April 2003. [15] M. Al-Shurman, S.-M. Yoo, and S. Park, “Black hole attack in mobile ad-hoc networks,” in ACM-SE 42: Proceedings of the 42nd annual Southeast regional conference. New York, NY, USA: ACM, 2004, pp. 96–97.
177
