Reputation Based Localized Access Control for Mobile Ad-Hoc Networks

Sangheethaa Sukumaran (1) and Elijah Blessing (2)

(1) Coimbatore Institute of Technology, Coimbatore-641014, Tamilnadu, India, [email protected]
(2) Karunya Institute of Technology and Sciences, Coimbatore-641114, Tamilnadu, India, [email protected]

Abstract. The absence of a router or a base station creates the need for a better access control mechanism in ad-hoc networks. This paper presents a localized approach to access control that implements ticket certification services through a reputation mechanism. Reputation refers to the opinion of one node as seen by other nodes. Ticket certification ensures that only well-behaving nodes (those that forward and route the packets of other nodes) can obtain tickets, and only they can access the network. The tickets are obtained from any node in the locality with a high reputation, instead of from a centralized authority or from some k neighbors in the neighborhood. This paper gives the analysis and simulation results of the localized approach with the reputation mechanism and shows that localized access control with reputation performs better than the localized approach without reputation.

T. Kunz and S.S. Ravi (Eds.): ADHOC-NOW 2006, LNCS 4104, pp. 197–210, 2006. © Springer-Verlag Berlin Heidelberg 2006

1 Introduction

With recent performance advancements in computer and wireless communication technologies, advanced mobile wireless computing is expected to see increasingly widespread use and application. A mobile ad-hoc network (MANET) is a self-configuring network of mobile routers (and associated hosts) connected by wireless links, the union of which forms an arbitrary topology. This ad hoc networking technology provides "anytime" and "anywhere" services to users in a potentially large infrastructure-less wireless network, based on collaboration among the individual network nodes. The routers are free to move randomly and organize themselves arbitrarily; thus the network's wireless topology may change rapidly and unpredictably. A MANET is an autonomous system of mobile nodes. The system may operate in isolation, or may have gateways to and interfaces with a fixed network.

This paper deals with access control in ad-hoc networks. Access control is the mechanism that decides which nodes can access the network, i.e. which nodes may use network layer services such as packet forwarding and routing. An ad-hoc network has no fixed base station, as in cellular networks, and no routers, as in wired networks, to perform this access control. All nodes in an ad-hoc network act as routers and cooperate among themselves for the proper functioning of the network. It is assumed that all nodes that participate in the network will forward and route packets on behalf of other nodes. But this assumption does not hold in all cases. Sometimes nodes agree to forward but fail to do so because they want to save battery power and CPU cycles. They keep receiving the data destined for them and drop the data of other nodes without forwarding or routing it, which reduces the throughput of the network. These nodes are called misbehaving nodes. The main aim of access control is to allow only well-behaving nodes to access the network and to isolate misbehaving nodes from it. Misbehaving nodes are denied the use of network services such as packet forwarding and routing.

This paper explains a localized approach to access control that focuses on packet forwarding and routing misbehavior, and the use of reputation values in access control. Reputation refers to the opinion of one node as seen by other nodes. It is a proper means of discovering misbehaving nodes in the network. This paper is organized as follows. Section 2 reviews some of the existing approaches in the literature, and Section 3 briefly describes the localized approach to access control. Section 4 gives details of using reputation values in the localized approach. Section 5 gives the simulation results for the localized approach with and without the reputation mechanism. Finally, Section 6 concludes.

2 Related Work

There are many approaches in the literature that deal with access control in ad-hoc networks, but only a few papers [1], [2], [3] deal with packet forwarding and routing misbehavior.

L. Buttayan et al. [1] focus on packet forwarding and address the problem of stimulating cooperation in self-organizing mobile ad-hoc networks for civilian applications. This approach uses a tamper-resistant hardware module called the "security module", which maintains a nuglet counter. The security module enforces two rules. First, when a node wants to send one of its own packets, the number n of intermediate nodes needed to reach the destination is estimated. If the node's nuglet counter is greater than or equal to n, the node can send its packet and the nuglet counter is decreased by n; otherwise the node cannot send its packet and the counter is not modified. Second, when the node forwards a packet for the benefit of other nodes, the nuglet counter is increased by one. Every node therefore has to maintain a positive counter value in order to send its own data. The nuglet counter is protected from illegitimate manipulation by the tamper resistance of the security module. This approach ensures that misbehavior is not beneficial and hence should occur only rarely. But the availability of the hardware module is not guaranteed in general.

S. Marti et al. [2] address the problem of nodes that agree to forward packets of other nodes but fail to do so. They describe two mechanisms to improve the throughput of the network. One is the watchdog, which identifies misbehaving nodes by monitoring whether nearby nodes forward the packets of other nodes. The other is the path rater, which selects the best route by avoiding those misbehaving nodes. Since this approach avoids misbehaving nodes when routing, there is less chance of packets being dropped, giving better throughput even in the presence of a high number of misbehaving nodes. But this approach does not isolate the misbehaving nodes; they still use the network services, i.e. the nodes are not punished for misbehaving.

L. Zhou et al. [3] and G. Appenzeller et al. [4] proposed ticket-based approaches. Tickets are issued to well-behaving nodes, and network access is granted only to nodes with a valid ticket. The ticket is obtained from a centralized authority [3] or from distributed servers [4]. The central server approach has several advantages and disadvantages: it can work well for a simple, less dynamic network, but for a dynamic network the delay is higher. The distributed approach differs little from the central authority scheme except that there are three or more central servers in the network. In both approaches, when the central server fails, the functioning of the network becomes vulnerable to attacks.

Michiardi and Molva [9] proposed a COllaborative REputation (CORE) mechanism that also has a watchdog component for monitoring. Here the reputation value is used to make decisions about cooperation with, or gradual isolation of, a node. Reputation values are obtained by regarding nodes as requesters and providers and comparing the expected result of a request with the result actually obtained. In CORE the reputation value ranges from positive (+) through null (0) to negative (-). The advantage of this method is that a positive-to-negative range allows good behavior to be rewarded and bad behavior to be punished. The method gives more weight to past behavior and hence tolerates sporadically bad behavior, e.g. battery failure. But the assumption that past behavior is indicative of future behavior may let nodes build up credit and then start behaving selfishly.

Sonja Buchegger et al. [8] proposed the reputation-based approach CONFIDANT, which consists of the following components: the Monitor, the Reputation System, the Path Manager and the Trust Manager. These components are present in every node. CONFIDANT extends reactive routing protocols [10] with a reputation-based system in order to isolate misbehaving nodes. As a component within each node, the monitor registers deviations from normal behavior. As soon as a given bad behavior occurs, the reputation system is called. ALARM messages are sent by the trust manager of a node to warn others about malicious nodes. The reputation system manages a table of entries for nodes and their ratings. A rating is changed only when there is sufficient evidence of malicious behavior that is significant for a node and that has occurred a number of times exceeding a threshold, to rule out coincidences. If the rating of a node in the table has deteriorated so far as to fall out of the tolerable range, the path manager is called for action. The path manager performs the following functions: a) path re-ranking according to a security metric, e.g. the reputation of the nodes in the path; b) deletion of paths containing malicious nodes; c) action on receiving a route request from a malicious node (e.g. ignore it and do not send any reply). The CONFIDANT method uses only negative reputation values. In CONFIDANT, attacks that involve building up credit before behaving selfishly have less effect. But it is less tolerant of failed nodes, which may exhibit failed behavior due to loss of power.


The localized approach to access control was proposed by Haiyoun Luo et al. [5]. Since this approach forms the basis of the proposed scheme, it is explained in detail in the following section.

3 The Localized Approach

The localized approach [5] proposes a fully localized design paradigm to provide ubiquitous and robust access control for mobile ad hoc networks. The solution takes a ticket-based approach: each well-behaving node uses a certified ticket to participate in routing and packet forwarding. Nodes without valid tickets are classified as misbehaving. They are denied any network access, even if they move to other locations. Thus misbehaving nodes are "isolated" and the damage they can do to the mobile ad hoc network is confined to their locality.

The access control operation emphasizes multiple-node consensus and fully localized instantiation. Since any individual node is subject to misbehavior, the approach does not rely on any single node. Instead, it leverages the cooperative nature of computing in an ad hoc network and depends on the collective behavior of multiple local nodes. Multiple nodes in a local network neighborhood, typically one or two hops away, collaborate to monitor a node's behavior and determine whether it is well-behaving or misbehaving, using a detection mechanism of their choice. These local monitoring neighbors collectively renew the expiring ticket of a well-behaving node, while a misbehaving node is denied ticket renewal or has its ticket revoked. In this way the functionality of a conventional, typically centralized, access control authority is fully distributed into each node's locality. Every node contributes to the access control system through its local efforts, and all nodes collectively secure the network.

The localized approach needs no hardware module for security. It assumes nothing about the packet size, the type of traffic or the type of data. It not only detects misbehaving nodes but also isolates them from the network. The average delay for ticket renewal is tolerable, because a node gets its ticket from its locality rather than from a central server. A node need not rely on any single node to obtain or renew a ticket, so the approach is highly robust and scalable.

The localized approach requires that each node obtain k tickets from its local neighborhood. Obtaining k tickets is possible in a densely populated network, but not when the number of nodes in the network is small. Thus the localized approach cannot be used in a sparse network. Moreover, the protocol used in the localized approach broadcasts the ticket request to all neighbors, which increases the communication overhead. The efficiency of the localized approach depends on the coalition size k, i.e. the number of partial tickets a node must collect to access the network. The parameters used for simulation in [5], namely average delay, overhead and success ratio, vary with the value of k. In [5] the value of k is fixed at 5 based on the network size, and it does not change when the number of nodes in the network increases or decreases. But this value will not work for all networks; it is applicable only to a large network. In a sparse network, collecting 5 tickets from the neighborhood causes more delay, because nodes may not have a sufficient number of neighbors in their locality. To reduce the number of tickets a node must receive before it can successfully access the network, a reputation mechanism can be used.

4 Reputation Based Localized Access Control

The opinion of one node about another node is called reputation [7]. For mobile ad-hoc networks, reputation means the participation of a node in routing and forwarding as seen by others. This reputation system can be used to decide which nodes to cooperate with and which nodes to exclude from the network, and it can be combined with any misbehavior identification scheme. The goals of a reputation system are 1) to provide information that distinguishes a trustworthy user in the network from an untrustworthy one, 2) to encourage users to act in a trustworthy manner, and 3) to discourage untrustworthy users from participating in network access.

Using the reputation mechanism in the localized approach to access control reduces the number of tickets a node has to collect to access the network. It is enough to get one ticket from a highly reputed node instead of waiting to collect k tickets from the neighbors. This paper proposes a ticket-based approach that uses the reputation mechanism for evaluating tickets. Nodes can access the network if they have a valid ticket. The tickets are obtained from neighboring nodes that have a high reputation value.

Initially the tickets are issued by a dealer. When the network is formed, each node is assigned a valid ticket, but with a short expiration time. Once the expiration time is reached, the nodes have to renew their tickets. To renew, a node broadcasts a request to all its one-hop neighbors. On receiving the ticket renewal request, each neighbor decides whether to send a ticket by checking the reputation value of the requesting node. Each node maintains reputation values by monitoring the behavior of its neighboring nodes using any monitoring mechanism; for the simulations, the watchdog [2] mechanism is used. When the requesting node receives a reply ticket, it checks the reputation value of the node that sent the reply. If that reputation value is greater than a threshold value (chosen based on the network behavior), the requesting node accepts the ticket; otherwise it rejects the ticket from that node and looks for other replies. Once it receives a ticket from a higher-reputation node, the node uses that ticket to prove its behavior and access the network. This makes the ticket-obtaining process simpler.

Whenever a node issues a network access request, both its ticket and the reputation value of the node that issued the ticket are verified. This ensures that two nodes cannot collaborate to generate false tickets for each other. Moreover, other nodes also monitor the behavior of these nodes. Nodes may try to generate their own tickets for communication, but this is detected because the tickets are signed and verified using the RSA [11] algorithm. So this method is resistant to false tickets and secure.


5 Simulation Results

Ns2 [6] is used for simulation. Ns2 is a discrete event simulator that is widely used for simulating both wired and wireless networks. An agent similar to UDP (User Datagram Protocol) is used for the simulation. The average mobility of the nodes is set to 1-15 m/s for the scenarios, and the random waypoint model is used for creating the scenarios. The routing protocol is DSR (Dynamic Source Routing). The number of nodes is varied from 30 to 100. The performance of the ticket renewal service is measured using the parameters success ratio, overhead, average number of retries and average delay. Success ratio is defined as the ratio of the number of successful renewals to the maximum number of renewal requests sent by all nodes within the simulation time. Overhead is the total number of bytes sent by all nodes in the scenario. Average number of retries is the number of retries made by the nodes, and average delay is the delay incurred for successful renewal of the tickets. In this paper each node calculates the reputation value of its neighbors using the formula

R_{direct} = \frac{\sum_{pkts=0} F_{pkts}}{\sum_{pkts=0} S_{pkts}}   (1)

where R_direct is the reputation value calculated by monitoring the neighbor directly, F_pkts is the number of packets forwarded by this node and S_pkts is the number of packets sent by this node. This formula gives the reputation value of a node obtained by directly monitoring the neighboring node's behavior with a monitoring mechanism such as watchdog. Each node runs the monitoring mechanism and counts the number of packets forwarded by its neighboring nodes and the number of packets originated by those nodes. It is also possible to pass the reputation value calculated by direct monitoring on to 1- or 2-hop neighbors, but this exchange of reputation information increases the communication overhead. For the simulations the threshold value for reputation is set to 0.8. This value is chosen on the assumption that a node with a value below it may misbehave at any time, and cannot be a node that forwards more packets of other nodes than it sends of its own. For example, a node with a reputation value of 0.5 forwards as many packets as it sends (it is a 50% well-behaving node), and at any time the number of packets it sends can exceed the number it forwards, so it cannot be a highly reputed node. The localized approach without the reputation mechanism uses a k value of 5, i.e. a node has to obtain 5 tickets to become a valid node.
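The renewal exchange of Section 4 and formula (1) with the 0.8 threshold, as an added example that is not the paper's simulation code. It models a sparse neighborhood to contrast one ticket from a highly reputed neighbor with the k = 5 partial tickets of [5]; the node names, the counts, the handling of a neighbor that has sent no packets, and the use of the same watchdog counts to model the "well-behaving" judgement of [5] are assumptions of this example, and the RSA signature on tickets is omitted.

```python
"""Reputation-based ticket renewal (sections 4 and 5) next to the k-ticket
localized approach [5].  Added example, not the paper's own code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

THRESHOLD = 0.8   # reputation threshold used in the paper's simulations
K_TICKETS = 5     # coalition size k of the localized approach without reputation


@dataclass
class WatchdogCounts:
    """What a monitoring node has seen one neighbour do (watchdog [2])."""
    forwarded: int = 0   # F_pkts: packets forwarded on behalf of other nodes
    sent: int = 0        # S_pkts: packets the neighbour originated itself


def reputation(c: WatchdogCounts) -> float:
    """R_direct = sum F_pkts / sum S_pkts, formula (1) of the paper.
    Assumption (not in the paper): a neighbour that has originated no packets
    gives no evidence, so it scores 0.0 and is never trusted as an issuer."""
    if c.sent == 0:
        return 0.0
    return c.forwarded / c.sent   # may exceed 1.0 for a very generous forwarder


@dataclass
class Ticket:
    holder: str
    issuer: str
    expires_at: int   # simulation time; the RSA signature of [11] is omitted here


@dataclass
class Node:
    name: str
    neighbours: Set[str] = field(default_factory=set)
    observed: Dict[str, WatchdogCounts] = field(default_factory=dict)

    def reputation_of(self, other: str) -> float:
        return reputation(self.observed.get(other, WatchdogCounts()))

    def handle_renewal(self, requester: str, now: int, ttl: int) -> Optional[Ticket]:
        """Issuer side: reply with a ticket only if this node rates the requester highly."""
        if requester not in self.neighbours or self.reputation_of(requester) < THRESHOLD:
            return None
        return Ticket(holder=requester, issuer=self.name, expires_at=now + ttl)


def renew_with_reputation(req: Node, nodes: Dict[str, Node], now: int, ttl: int = 100) -> Optional[Ticket]:
    """Requester side: broadcast to one-hop neighbours and keep the first reply
    whose issuer the requester itself rates at or above THRESHOLD."""
    for nb in sorted(req.neighbours):          # deterministic stand-in for reply order
        t = nodes[nb].handle_renewal(req.name, now, ttl)
        if t is not None and req.reputation_of(t.issuer) >= THRESHOLD:
            return t
    return None


def renew_without_reputation(req: Node, nodes: Dict[str, Node], now: int, ttl: int = 100) -> Optional[Ticket]:
    """Localized approach [5]: k distinct neighbours must each judge the requester
    well-behaving.  Assumption: that judgement is modelled with the same watchdog
    counts and threshold, so the schemes differ only in how many tickets are needed."""
    issuers = [nb for nb in sorted(req.neighbours)
               if nodes[nb].handle_renewal(req.name, now, ttl) is not None]
    if len(issuers) < K_TICKETS:
        return None
    return Ticket(holder=req.name, issuer=",".join(issuers[:K_TICKETS]), expires_at=now + ttl)


def verify_access(t: Ticket, verifier: Node, now: int) -> bool:
    """Access check: the ticket must be unexpired and the verifier must itself
    rate the issuer highly, so two colluding nodes cannot vouch for each other."""
    return now < t.expires_at and verifier.reputation_of(t.issuer) >= THRESHOLD


def build_sparse_scenario() -> Dict[str, Node]:
    """Constructed sample: node A has only three neighbours, fewer than k = 5."""
    a = Node("A", {"B", "C", "D"}, {"B": WatchdogCounts(95, 100),
                                     "C": WatchdogCounts(70, 100),
                                     "D": WatchdogCounts(90, 100)})
    b = Node("B", {"A", "E"}, {"A": WatchdogCounts(90, 100)})   # rates A 0.9
    c = Node("C", {"A"}, {"A": WatchdogCounts(85, 100)})        # rates A 0.85
    d = Node("D", {"A"}, {"A": WatchdogCounts(50, 100)})        # saw A drop half
    e = Node("E", {"B"}, {"B": WatchdogCounts(88, 100)})        # the access verifier
    return {n.name: n for n in (a, b, c, d, e)}
```

With this neighborhood, A renews through B alone under the reputation scheme, while the k = 5 scheme fails because only two neighbors are willing to issue a partial ticket.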

Figs. 1-4 show the average delay, success ratio, number of retries and overhead respectively for the localized approach (LA) with the reputation mechanism and for the localized approach without the reputation mechanism. For these scenarios the average node speed is set to 3 m/s and the channel error rate is 1%. The number of nodes is varied from 50 to 100. The localized approach with reputation exhibits both a higher success ratio (Fig. 2) and a lower delay (Fig. 1) than the LA without reputation. This is because in the LA without reputation the nodes have to get k tickets from their neighbors to access the network, whereas in the reputation-based localized control a node needs only one ticket from a node with high reputation in its locality.

[Figure] Fig. 1. Average Delay VS Number of nodes, node speed 3m/s (y-axis: Avg Delay (sec); x-axis: # of Nodes, 50-100; series: LA with reputation, LA without reputation)

[Figure] Fig. 2. Success ratio VS Number of Nodes, node speed 3m/s (y-axis: Success ratio (%); x-axis: # of Nodes, 50-100; series: LA with Reputation, LA without Reputation)

[Figure] Fig. 3. Average retries VS Number of nodes, node speed 3m/s (y-axis: Avg. #Retries; x-axis: # of Nodes, 50-100; series: LA with Reputation, LA without Reputation)

[Figure] Fig. 4. Overhead VS Number of Nodes, node speed 3m/s (y-axis: Overhead (bytes); x-axis: # of Nodes, 50-100; series: LA with Reputation, LA without Reputation)

The average number of retries (Fig. 3) for the reputation-based system is also kept at a minimum compared to the localized approach. As the number of nodes increases, the communication overhead in the network (Fig. 4) grows more for the localized approach than for the reputation-based localized approach.


Figs. 5-9 compare the LA with reputation and the LA without reputation for a low channel error rate (1%, Figs. 5-7) and a high channel error rate (10%, Figs. 8-9). For these scenarios the number of nodes is set to 100 and the mobility of the nodes is varied from 1-15 m/s. The graphs show that the performance of the LA without reputation degrades as the channel error rate increases. In the LA with reputation, since the nodes need only one ticket, the performance is the same even when the channel error rate increases from 1% to 10%. Fig. 5 shows the average delay for various node speeds. For the reputation-based system the average delay stays below 8 sec even as mobility increases.

[Figure] Fig. 5. Average Delay VS Mobility, 100 nodes, Channel Error Rate 1% (y-axis: Avg Delay (sec); x-axis: Mobility (m/s), 0-15; series: LA with reputation, LA without reputation)

[Figure] Fig. 6. Success Ratio VS Mobility, 100 nodes, Channel Error Rate 1% (y-axis: Success ratio (%); x-axis: Mobility (m/s), 0-15; series: LA with Reputation, LA without Reputation)

But the delay for the localized approach without the reputation mechanism is higher. The overhead (Fig. 7) of the reputation-based localized approach is lower than that of the localized approach without reputation. The success ratio (Fig. 6) is 100% for the reputation-based localized approach even as mobility increases. The LA without reputation degrades in performance when the channel error rate increases to 10% (Figs. 8-9), whereas the reputation-based LA is not much affected by variations in the channel error rate.

[Figure] Fig. 7. Overhead VS Mobility, 100 nodes, Channel Error Rate 1% (y-axis: Overhead (bytes); x-axis: Mobility (m/s), 0-14; series: LA with Reputation, LA without Reputation)

[Figure] Fig. 8. Success Ratio VS Mobility, 100 nodes, Channel Error Rate 10% (y-axis: Success ratio (%); x-axis: Mobility (m/s), 0-15; series: LA with Reputation, LA without Reputation)

[Figure] Fig. 9. Average Delay VS Mobility, 100 nodes, Channel Error Rate 10% (y-axis: Avg Delay (sec); x-axis: Mobility (m/s), 0-14; series: LA with reputation, LA without reputation)

[Figure] Fig. 10. Average Delay VS Mobility, 30 nodes, Channel Error Rate 1% (y-axis: Avg Delay (sec); x-axis: Mobility (m/s), 0-14; series: LA with reputation, LA without reputation)

Figs. 10-14 show the effect of a sparse neighborhood on the LA with reputation and on the LA without reputation. For these scenarios the number of nodes is set to 30, and the channel error rate is set to 1% (low) for Figs. 10-12 and 10% (high) for Figs. 13 and 14. The mobility of the nodes is varied from 1-15 m/s. From Figs. 10-14 it is clear that the performance of the LA without reputation degrades, because the nodes are unable to collect k tickets in the sparse network. Thus the LA without reputation is not applicable to sparse neighborhood networks. The reputation-based LA, by contrast, provides good performance, with 100% availability, low delay, fewer retries and minimum overhead compared to the localized approach. Its parameters are not much affected even when the channel error rate increases to 10%, whereas for the LA without reputation the increase in channel error rate has a bad impact on parameters such as success ratio and average delay (Figs. 13-14). Thus the simulation results show that the reputation-based localized approach outperforms the localized approach without reputation, and that the LA with reputation can be used even in sparse neighborhood networks. This approach is robust, since any node that needs a ticket can get one from its own neighborhood, and it is also scalable.

[Figure] Fig. 11. Success Ratio VS Mobility, 30 nodes, Channel Error Rate 1% (y-axis: Success ratio (%); x-axis: Mobility (m/s), 0-15; series: LA with Reputation, LA without Reputation)

[Figure] Fig. 12. Overhead VS Mobility, 30 nodes, Channel Error Rate 1% (y-axis: Overhead (bytes); x-axis: Mobility (m/s), 0-15; series: LA with Reputation, LA without Reputation)

[Figure] Fig. 13. Success Ratio VS Mobility, 30 nodes, Channel Error Rate 10% (y-axis: Success ratio (%); x-axis: Mobility (m/s), 0-15; series: LA with Reputation, LA without Reputation)

[Figure] Fig. 14. Average Delay VS Mobility, 30 nodes, Channel Error Rate 10% (y-axis: Avg Delay (sec); x-axis: Mobility (m/s), 0-14; series: LA with reputation, LA without reputation)

6 Conclusion

The localized access control mechanism works well in a dynamic environment with high mobility, but it does not work for a sparse network or for networks with low mobility. The graphs from the simulation show that for the localized approach with the reputation mechanism the overhead is minimal, the delay is lower, the average number of retries is minimal and the success ratio is higher. Moreover, the probability of getting a ticket from a single, highly reputed neighboring node is higher than that of getting tickets from 5 well-behaving neighborhood nodes. So it is recommended to use the localized approach together with the reputation mechanism.

References

1. L. Buttayan and J. P. Hubaux, "Stimulating Cooperation in Self-organizing Mobile Ad-Hoc Networks," ACM/Kluwer Mobile Networks and Applications, vol. 8, no. 5, pp. 579-592, Oct. 2003.
2. S. Marti, T. Giuli, K. Lai and M. Baker, "Mitigating Routing Misbehavior in Mobile Ad-Hoc Networks," in Proc. ACM MOBICOM, pp. 255-265, 2000.
3. L. Zhou, F. B. Schneider and R. van Renesse, "COCA: A Secure Distributed Online Certificate Authority," ACM Trans. Computer Systems, vol. 2, no. 4, pp. 329-368, Nov. 2002.
4. G. Appenzeller, M. Roussopoulos and M. Baker, "User-friendly access control for public network ports," in Proc. IEEE INFOCOM, pp. 699-707, 1999.
5. Haiyoun Luo, P. Zerfos, Songwu Lu and L. Zhang, "URSA: Ubiquitous and Robust Access Control for Mobile Ad hoc Networks," IEEE/ACM Transactions on Networking, vol. 12, no. 6, pp. 1049-1063, Dec. 2004.
6. www.isi.edu/nsnam/ns/ns-tutorial/tutorial-02
7. Sonja Buchegger and Jean-Yves Le Boudec, "Self Policing Mobile Ad-hoc Networks by Reputation Systems," available online from http://lcawww.epfl.ch/Publications/LeBoudec/BucheggerL05.pdf
8. Sonja Buchegger and Jean-Yves Le Boudec, "Performance Analysis of the CONFIDANT Protocol: Cooperation Of Nodes, Fairness In Dynamic Ad-hoc NeTworks," in Proc. IEEE/ACM Symposium on Mobile Ad-Hoc Networking and Computing (MobiHOC), Lausanne, CH, June 2002.
9. Pietro Michiardi and Refik Molva, "CORE: A collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks," Sixth IFIP Conference on Security, Communications and Multimedia (CMS 2002), Portoroz, Slovenia, 2002.
10. D. B. Johnson and D. A. Maltz, "Dynamic source routing in ad hoc wireless networks," in Mobile Computing, T. Imielinski and H. Korth, Eds. Norwell, MA: Kluwer, vol. 353, pp. 153-181, 1996.
11. Y. Frankel, P. Gemmell, P. MacKenzie and M. Yung, "Proactive RSA," in Proc. CRYPTO, pp. 440-454, 1997.
