PIERS ONLINE, VOL. 4, NO. 8, 2008
891
Separation of Detection Authorities (SDA) Approach for Misbehavior Detection in Wireless Ad Hoc Network
Zan Kai Chong¹, Moh Lim Sim¹, Hong Tat Ewe², and Su Wei Tan¹
¹Multimedia University, Malaysia
²Tunku Abdul Rahman University, Malaysia
Abstract— A wireless ad hoc network is a distributed wireless network without a physical network infrastructure. Because their wireless transmission range is limited, all the nodes need to cooperate with each other during packet forwarding in order to maintain connectivity. In addition, the lack of energy resources may cause a selfish node to drop legitimate packets, which eventually disrupts the network performance. Many detection protocols have been proposed to discourage such behaviour. However, the implemented penalization is ineffective as not all the surrounding nodes execute it in the same manner. Moreover, most of them have neglected the existence of malicious nodes that could harm them directly and indirectly. In this paper, we present the separation of detection authorities (SDA) approach to detect and exclude the misbehaved nodes in the network. SDA distributes the detection authorities to the reporter, the investigation agents, and the central authority, each of which takes charge of a different part of the detection process. To ensure accuracy, only the central authority reports the result. Our evaluation demonstrates that SDA can detect misbehaved nodes in the network effectively.
1. INTRODUCTION
In a wireless ad hoc network, all individual nodes have to cooperate with each other during packet forwarding, primarily because of their limited transmission range and the lack of a physical network infrastructure. A wireless ad hoc network provides flexibility and scalability: the nodes are not confined by geographical restrictions and are able to join or leave the network freely and randomly. Therefore, wireless ad hoc networks have been widely deployed in military, scientific research, mission-critical operation and civilian applications.
Despite having such benefits, the wireless ad hoc network is notorious for poor administration as the wireless transmission is vulnerable to security attack. Contrary to the conventional wireless network, a wireless ad hoc network does not have absolute control over the nodes' behaviour as they are owned by multiple authorities. As a result, legitimate packets may be dropped purposely by misbehaved nodes, which might disrupt the network if not taken seriously.
Many research papers have discussed solutions to discourage erratic nodes in the network. Most emphasized the detection scheme but neglected the importance of the exclusion mechanism (penalization). For example, a simple hierarchical wireless ad hoc network has all the nodes sending data upward to the base station (root of the network). Assume that misbehaved nodes are scattered around the network and a downstream node wishes to penalize its upstream node's erratic behaviour by refusing to forward packets for it. Because the upstream node's data packets always flow upward to the base station only, the downstream penalization has no effect on the upstream node's performance. Some protocols actually allow ambiguous accusation, where the accuracy of the accusation is susceptible to erratic manipulation.
We propose a detection scheme based on the separation of detection authorities (SDA) approach for misbehaviour detection in wireless ad hoc networks to tackle imperfect localized penalization and ambiguous accusation. An analogy to our SDA scheme is the operation of a democratic country where power is separated among several independent divisions for a fair execution of administrative power. In SDA, the detection authorities are distributed to the reporter, the investigation agents and the central authority, each of which is responsible for a certain part of the detection process. The victim of the misbehaved node becomes the reporter of this deviant act by sending a secret accusation to the central authority. The central authority is the centrepiece that processes the accusation and issues a trustworthy conviction of the misbehaved nodes. Neighbours of the suspicious node will be appointed as investigation agents by the central authority to verify the reliability of the accusation. The identity of the misbehaved node will be published by the central authority to all the
nodes in the network; such penalization is deemed network-wide. Normally, the packet drop attack is initiated by a single misbehaved node only. However, collaboration among several misbehaved nodes is considered in our simulation as well.
The rest of the paper is organized as follows: Section 2 reviews other related literature. Section 3 presents our system model. Next, Section 4 describes the design of the SDA scheme and its operation. Section 5 is the evaluation of the SDA performance. The last section is the conclusion of this paper.
2. RELATED WORK
Felegyhazi et al. [1] present a game theoretic model to analyse cooperation in both dynamic and static scenarios. The simulation result shows that cooperation solely based on the self-interest of the nodes cannot be realized in practice and an incentive mechanism is needed.
In SORI [2], all nodes maintain a confidence level table, exchange information with each other and penalize a selfish node with a bad reputation. They use one-way hashing to ensure that the selfish node cannot impersonate other nodes to improve its own reputation. However, a malicious node can always fake the information and keep condemning other innocent nodes, eventually causing chaos in the network.
[10] is a reward-based scheme that relies on a secured module, which must be tamper resistant and protected from illegal manipulation. The secured module is only feasible under a controlled environment. Thus, it is not suitable for real world implementation as the availability and the robustness of the modules are not guaranteed.
SMDP [4] is a session-based detection protocol that uses the principle of data flow conservation, where the data flowing into and out of a node should always be equal. At the end of each data session, all the nodes along the path send the total number of packets they received to the previous hop and the total number of packets they transmitted to the next hop. After gathering all these transmission reports, all the nodes rebroadcast the sum of the packets to the surrounding nodes. A node will be suspected if its total transmission is much different from its total reception. Digital signatures are used to ensure that no one can fake the integrity of the report. However, the source can defame the next forwarder by reporting an incorrect number of total transmitted packets.
URSA [11] is a robust network access control scheme that is based on a ticket certification service through multiple node consensus and fully localized instantiation.
It is a protocol that relies on multi-signature (threshold cryptography) to achieve the group trust model, where each legitimate node holds a portion of the secret key (SK) and k portions of the SK are needed to renew the signature of the ticket. Our proposed SDA approach outperforms URSA as URSA is affected by the connectivity of the network. In other words, having fewer than k nodes in an area of the network will cause an innocent node to be excluded from the network. Besides, the robustness of URSA relies on the strength of the threshold cryptography, and it needs to periodically refresh the network secret key to prevent a malicious node from obtaining k secret keys illegally by joining the network repeatedly. SDA only requires the majority of the neighbouring nodes to be helpful to strengthen the security and will abort the investigation if an insufficient number of neighbouring nodes exist.
3. SYSTEM MODEL
In this section, the assumptions and the terminologies of this paper will be described and the attack model will be explained as well.
3.1. Assumptions and Terminologies
We assume the wireless ad hoc network is well established and all the nodes are interested in communicating with the base station for some reason, e.g., Internet access. Since most of the packets flow upward to the base station, we can assume it resembles some type of hierarchical network. In addition, the central authority can be trusted absolutely and it has no incentive to misbehave. The base station is the central authority of the network and it has good knowledge of the topology of the network. Besides, we assume all the missing packets are mainly caused by the misbehaviour of the nodes. Misbehaved node and misbehaver are used interchangeably to refer to a node that does not forward packets properly and/or possesses a bad intention of defaming other innocent nodes by exploiting the existing protocol.
3.2. Attack Model
We consider the packet losses to be mainly due to the misbehaved nodes in the network. Thus, we further classify misbehaved nodes as selfish nodes and malicious nodes. Selfish nodes consider only their own benefit and refuse to forward legitimate packets from others.
Normally, we term this kind of misbehaviour a packet drop attack. Malicious nodes are spiteful nodes that intend to degrade the network performance by defaming other innocent nodes. We name this type of attack a reputation attack.
4. SDA DESIGN
In this section we will describe our SDA design consideration and its operation flow.
4.1. Design Consideration
Most of the detection mechanisms fail to serve their primary purpose due to their improper penalization method and ambiguous accusation. For simple illustration, 16 nodes are deployed in a grid and all the nodes in the network send data packets to the base station (node a) periodically (see Figure 1). The links in the network represent the connectivity of the nodes. Node k is a misbehaved node that drops node p's legitimate packets. In this case, only nodes l, o and p are able to detect node k's misbehaviour (by using promiscuous listening) and they will penalize node k by dropping its packets in return. However, their penalization is useless as node k relies on its upstream nodes (nodes j, f, and g) to forward its data packets to node a. For convenience, we name this issue improper penalization, as the penalization is not executed by all the surrounding nodes of the misbehaved node.
Figure 1: Simple 16 nodes in grid.
Another similar issue is the ambiguity of the accusation, where a node is unsure about the truthfulness of the accusation report sent by a neighbouring node. The accusation may be sent by a malicious node that intends to disgrace other innocent node(s). Assume node l is penalizing node k because it is dropping node p's packets. Node k can retaliate by telling nodes g and h that node l is a misbehaved node. In this case, node l can hardly defend itself as nodes g and h are not aware of node k's misbehaviour downstream. Example protocols that have these issues are SORI [2], two-hops acknowledgement [3], PIFA [5], and [6].
In order to overcome the issues mentioned above, we propose the SDA approach to misbehaviour detection, where every accusation will be verified by three different detection authorities. In addition, the SDA approach promotes global penalization where a detected misbehaved node will be published by both upstream and downstream nodes.
4.2. Detection and Accusation
Basically, the SDA algorithm can be divided into three parts: the victim responsible for lodging the report, the agents that investigate the accusation, and the central authority that concludes the judgement. Firstly, the victim node accuses a misbehaved node by sending a secret accusation report to the base station through a steady route. Subsequently, the base station assigns a set of k random agents, which are neighbouring nodes of the accused node (except the accuser itself), to investigate the accusation. These agents investigate the suspected node by sending dummy packets with the accuser's identity so that the suspected node is not aware of the investigation process. Then, these investigation agents observe the response of the suspected node and secretly send the result back to the base station for further action. The base station gathers sufficient feedback and the conviction is based on the majority vote. Once the misbehaved node is convicted, its identity is included in the base station's blacklist table and sent to all the nodes in the network. Eventually, the detected misbehaving node(s) will be isolated from the network until the penalization period is over.
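The base-station side of this procedure, as an added sketch that is not code from the paper: it replays the node p / node k and node k / node l scenarios of Section 4.1 and the abort rule mentioned in Section 2. The 8-connected 4×4 layout, the class and function names, the lying agent j and the choice of three agents are assumptions made for illustration.

```python
import random

# Assumed topology: Figure 1's 16 nodes a..p in a 4x4 grid, row-major, with
# links to all 8 surrounding cells (the figure itself is not reproduced here).
NODES = "abcdefghijklmnop"
POS = {n: divmod(i, 4) for i, n in enumerate(NODES)}

def neighbours(node):
    r, c = POS[node]
    return {n for n, (r2, c2) in POS.items()
            if n != node and abs(r - r2) <= 1 and abs(c - c2) <= 1}

class BaseStation:
    """Central authority: appoints agents, counts votes, owns the blacklist."""
    def __init__(self, drops, liars=(), n_agents=3, seed=0):
        self.drops = drops          # constructed ground truth: node -> sources it drops
        self.liars = set(liars)     # hypothetical agents that invert their report
        self.n_agents = n_agents    # the paper's k (renamed to avoid node "k")
        self.rng = random.Random(seed)
        self.blacklist = set()

    def probe(self, agent, accused, accuser):
        # The agent sends a dummy packet carrying the accuser's identity and
        # reports whether the accused dropped it.
        dropped = accuser in self.drops.get(accused, set())
        return (not dropped) if agent in self.liars else dropped

    def handle_accusation(self, accuser, accused):
        candidates = sorted(neighbours(accused) - {accuser})
        if len(candidates) < self.n_agents:
            return "aborted"        # too few neighbours to investigate
        agents = self.rng.sample(candidates, self.n_agents)
        votes = sum(self.probe(a, accused, accuser) for a in agents)
        if votes * 2 > len(agents):  # strict majority convicts
            self.blacklist.add(accused)
            return "convicted"
        return "cleared"

def demo():
    # Constructed scenario: k drops p's packets, k files a false accusation
    # against l, and j (if appointed) lies in its report.
    bs = BaseStation(drops={"k": {"p"}}, liars={"j"})
    results = [bs.handle_accusation("p", "k"),  # genuine accusation
               bs.handle_accusation("k", "l"),  # reputation attack
               bs.handle_accusation("c", "d")]  # corner node: 2 candidates < 3
    return results, bs.blacklist

if __name__ == "__main__":
    print(demo())
```

Because only the base station writes the blacklist, the false accusation against l leaves it empty of innocent nodes even though k is itself a neighbour of l.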
Our proposed approach overcomes the issues mentioned above in the sense that the accusation of the victim is taken as the reference whereas the final conviction is based on the feedback of the randomly appointed investigation agents. Hence, the probability of a reputation attack is kept very low. Moreover, only the central authority can issue the blacklist table for all the nodes to execute the penalization together, and thus the detected misbehaver(s) will be recognized and isolated network-wide.
5. PERFORMANCE EVALUATION
We use OMNeT++ [12] to simulate 50 static nodes sending data in a network of size 1000 × 1000 meters. We assume all the dropped packets are mainly caused by the misbehaved nodes instead of link errors. The shortest path algorithm was used to search for the next route to forward the data to the base station. We run two types of simulations to evaluate the SDA detection effectiveness against the selfish node and malicious node threats. SDA could achieve a high correct detection percentage in an ideal network where only a small number of selfish nodes existed in the network (Figure 2(a)). As the number of selfish nodes increases, SDA's correct detection degrades but the false positive detection is still kept at zero percent.
Figure 2: Detection effectiveness against different percentages of misbehaviour network. (a) Selfish nodes network. (b) Malicious nodes network.
In the real world, multiple malicious nodes that threaten the innocent nodes might exist in the network. The increasing number of malicious nodes will augment the false positive detection in the network (Figure 2(b)). In other words, more innocent nodes are defamed by malicious nodes. Meanwhile, the correct detection percentage increases too, as the independent malicious nodes mistakenly accuse each other.
Next, we examine the influence of the number of investigators in the SDA approach on the detection effectiveness. In an ideal network where only selfish nodes exist, the number of investigators has no significant influence on SDA's detection effectiveness as selfish nodes do not defame other innocent nodes (Figure 3(a)). However, in a network where malicious nodes exist, we observed that a higher number of investigation agents could reduce the false positive detection percentage in the network (Figure 3(b)). The correct detection percentage is slightly reduced as some parts of the network may have insufficient agents to complete the investigation.
Figure 3: Detection effectiveness of different number of investigators. (a) Selfish nodes network. (b) Malicious nodes network.
6. CONCLUSION
SDA utilizes a democratic approach in the detection process. We believe that our SDA approach is a robust and unambiguous scheme as each accusation is processed by different authorities and the penalization decision is recognized network-wide.
REFERENCES
1. Felegyhazi, M., J.-P. Hubaux, and L. Buttyan, “Nash equilibria of packet forwarding strategies in wireless ad hoc networks,” IEEE Transactions on Mobile Computing 2006, 463–476, 2006.
2. He, Q., D. Wu, and P. Khosla, “SORI: A secure and objective reputation based incentive scheme for ad hoc networks,” Proc. of IEEE Wireless Communications and Networking Conference (WCNC2004), 2004.
3. Djenouri, D. and N. Badache, “Cross-layer approach to detect data packet droppers in mobile ad-hoc networks,” IWSOS/EuroNGI 2006, 163–176, 2006.
4. Fahad, T., D. Djenouri, R. Askwith, and M. Merabti, “A new low cost sessions-based misbehaviour detection protocol (SMDP) for MANET,” AINA Workshops, Vol. 1, 882–887, 2007.
5. Yoo, Y., S. Ahn, and D. P. Agrawal, “A credit-payment scheme for packet forwarding fairness in mobile ad hoc networks,” IEEE International Conference on Communications (ICC 2005), May 16–20, 2005.
6. Gonzalez Duque, O. F., G. Ansa, M. Howarth, and G. Pavlou, “Detection and accusation of packet forwarding misbehavior in mobile ad-hoc networks,” Journal of Internet Engineering, Vol. 2, No. 1, 2008.
7. Buchegger, S. and J. Y. Le Boudec, “Performance analysis of the CONFIDANT protocol: Cooperation of nodes fairness in dynamic ad-hoc networks,” Proceedings of IEEE/ACM Symposium on Mobile Ad Hoc Networking and Computing (MobiHOC), Lausanne, CH, June 2002.
8. Michiardi, P. and R. Molva, “CORE: A collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks,” IFIP Communication and Multimedia Security Conference 2002, 2002.
9. Wang, Y. and M. Singhal, “A light-weight solution for selfish nodes problem considering battery status in wireless ad-hoc networks,” IEEE International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob’2005), Vol. 3, 299–306, August 22–24, 2005.
10. Tan, C.-W. and S. K. Bose, “Enforcing cooperation in an ad hoc network using a cost-credit based forwarding and routing approach,” Wireless Communications and Networking Conference, WCNC 2007, IEEE, 2935–2939, 2007.
11. Luo, H., J. Kong, P. Zerfos, S. Lu, and L. Zhang, “URSA: Ubiquitous and robust access control for mobile ad-hoc networks,” IEEE/ACM Transactions on Networking, Vol. 12, No. 6, 1049–1063, December 2004.
12. Drytkiewicz, W., S. Sroka, V. Handziski, A. Koepke, and H. Karl, “A mobility framework for OMNeT++,” 3rd International OMNeT++ Workshop, Budapest University of Technology and Economics, Department of Telecommunications, Budapest, Hungary, January 2003.