
66 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 11, NO. 1, FIRST QUARTER 2009

A Survey of Survivability in Mobile Ad Hoc Networks

Michele Nogueira Lima, Aldri Luiz dos Santos, and Guy Pujolle

Abstract—Many efforts have been made towards securing MANETs, but the conventional lines of defense are still insufficient to fend off all attacks. This article examines survivable approaches, whose goal is to enable networks to fulfill their critical functions correctly even in the presence of attacks or intrusions. We introduce the most relevant survivable MANET initiatives, in which either preventive or reactive defenses are combined with tolerant ones. We classify the defense lines taking intrusion tolerance mechanisms into account, and also identify the properties and requirements of survivability. The initiatives are categorized in three groups: route discovery, data transmission and key management. For each one, they are correlated in terms of requirements and properties. The survey shows that security solutions do not yet explore relevant survivability properties and have only focused on one network layer or one type of attack.

Index Terms—Survivability, Intrusion Tolerance, MANETs, Security

I. INTRODUCTION

THE INCREASING popularity of wireless portable devices, such as laptops, PDAs, wireless telephones or wireless sensors, has highlighted the importance of mobile ad hoc networks and ubiquitous computing. Nowadays, due to Internet service facilities and the convenience of portability, many people employ mobile networking in their professional and domestic activities.

A mobile ad hoc network (MANET) is formed by a set of mobile hosts which communicate among themselves over the air. Those hosts establish the network dynamically, without relying on a support infrastructure, and cooperate to forward data in a multi-hop fashion without a central administration [1]–[3]. MANETs were initially proposed for military applications, and their use has since broadened. Examples of applications include emergency disaster relief, military battlefield communication, sensing or controlling a region, sharing information during a lecture or conference, and so on [4].

MANET hosts must themselves ensure the functionalities and guarantees that support structures provide in wired networks. Routing, access control and node authentication are examples of network functionalities that must be performed through node cooperation. Nevertheless, those hosts present characteristics, such as constrained resources (processing, memory, bandwidth, energy and others), mobility and wireless communication, that limit their capacity to execute resource-intensive activities and increase the complexity of providing network management, control and security.

Manuscript received 20 March 2007; revised 28 December 2007. This work was supported by CAPES/Brazil, grant 4253-05-1.

Michele Nogueira Lima and Guy Pujolle are with Laboratoire d'informatique de Paris 6 (LIP6), Université Pierre et Marie Curie, 104, Avenue du Président Kennedy, 75016, Paris, France (e-mail: [email protected], [email protected]).

Aldri Luiz dos Santos is with the Department of Informatics, Federal University of Paraná, 81531-990, Curitiba, Paraná, Brazil (e-mail: [email protected]).

Digital Object Identifier 10.1109/SURV.2009.090106.

Due to their communication type and constrained resources, MANETs are vulnerable to diverse types of attacks and intrusions. Wireless communication, for example, is susceptible to interference and interception. Portability has made devices ever smaller, with limited resources, and thus easy targets for overload attacks [1], [5]. The full decentralization of the network, the absence of a support infrastructure and the dynamic topology increase the vulnerability to many attacks, such as impersonation, Sybil [6], selective forwarding, blackhole and wormhole [7], [8], among others.

Many solutions have been proposed for security problems in ad hoc networks [1], [3], [8], [9]. In general, these solutions apply preventive or reactive approaches, using mechanisms to protect basic protocols or applications. Essentially, the solutions use specialized hardware, cryptographic primitives, mechanisms for overhearing neighbor communication or protocols designed for path diversity [10]. However, these techniques and mechanisms are designed for a specific goal, being effective in one given case but inefficient in others. Moreover, all existing techniques and mechanisms are individually incapable of defending against all types of attacks and intrusions.

Due to the restrictions of these solutions and the characteristics of MANETs, researchers have focused on designing security mechanisms for achieving network survivability. Survivability is commonly defined as the ability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures or accidents [11]. The term system has a wide sense and can characterize networks, means of communication or services, and mission represents the abstract goals and requirements of the system.

The contributions of this survey are the following: (i) the contextualization of survivability to attacks from a resiliency-oriented design perspective; (ii) the proposal of a new classification of defense lines, suggesting that survivability to attacks can be reached when all defense lines work cooperatively; (iii) the identification of survivability key properties and requirements for MANETs; (iv) the investigation of survivable initiatives organized in three groups: route discovery, data transmission and key management. The survey concludes that current initiatives continue to use only preventive and reactive mechanisms, being specialized to one network layer, protocol or attack, and explore relevant survivability properties and requirements inadequately.

1553-877X/09/$25.00 © 2009 IEEE

Fig. 1. New classification: lines of defense (figure not reproduced; it is a tree with three branches: PREVENTIVE: cryptography, firewall, PKI, VPN, others; REACTIVE: intrusion detection system, subdivided into HIDS, NIDS and hybrid; TOLERANCE: replication, redundancy, content distribution).

The rest of the survey is organized as follows. Section II defines survivable systems, presenting survivability concepts and key properties, as well as a classification of defense lines considering those concepts. Section III summarizes MANET characteristics, security issues and conventional countermeasures. Section IV analyzes the survivability requirements for MANETs, taking into account their essential services. Section V describes and categorizes in three groups the survivable initiatives for MANETs. Finally, Section VI concludes the survey and gives future directions.

II. SURVIVABILITY CONCEPTS

In general, security mechanisms follow two defense lines: one preventive and another reactive [8]. The former provides mechanisms to avoid any type of attack, such as firewalls and cryptographic systems. The latter consists in taking action on demand to mitigate intrusions, as intrusion detection systems (IDS) do. Nevertheless, preventive and reactive solutions are not sufficient to fend off all attacks and intrusions [12], [13]. Thus, research groups have built security mechanisms toward a third defense line, called intrusion tolerance (IT) [13], as illustrated in Figure 1.

Tolerance approaches complement the other ones, and their goal is to develop mechanisms that make systems (networks, means of communication, services and others) tolerant to attacks and intruders, that is, able to afford some essential network services in the presence of malicious actions [13]–[16]. Systems using techniques for tolerating intrusions and attacks are called intrusion tolerant systems. In a broad sense, these techniques can provide certain survivability key properties, supporting the development of survivable systems.

Survivability refers to a system's capability of completing its goals and requirements in a timely manner in the face of attacks, intrusions, failures or accidents [11]. Laprie et al. [17] consider survivability similar to dependability in terms of goals and addressed threats. Dependability goals consist in the system's capability of delivering trusted services and avoiding the most frequent or severe failures. This work addresses survivability as a special case of dependability, where the network is able to complete its goals in the presence of malicious faults. These faults present different conditions and specific necessities that can only be efficiently treated when analyzed individually [16]. Hence, survivability aims to increase security effectiveness and to assist the integration of dependability and security.

Making a parallel with dependability, intrusion tolerance applies fault tolerance mechanisms to the security domain. While survivability is a system capability, intrusion tolerance consists of techniques and mechanisms to offer correct services in the presence of intrusions [18]. Intrusion tolerance emerged with Fraga and Powell's initiative [19]; however, the development of such systems only received more attention in the last decade, with the MAFTIA (Malicious- and Accidental-Fault Tolerance for Internet Applications) [14] and OASIS (Organically Assured and Survivable Information System) [15] projects. The MAFTIA project designed wide-scale distributed systems to tolerate many ordinary faults and malicious attacks in fixed networks. The OASIS project was developed by the American Department of Defense (DARPA) to build a tolerant system for high-speed networks.

Survivability attributes are reliability, availability, maintainability, confidentiality, integrity and safety [17]. Survivable systems address a subset of faults, called malicious or intentional faults, comprising malicious logic and DoS attacks or intrusions [20], [21]. In general, these faults abuse existing system vulnerabilities, introduced accidentally or deliberately during the development of the system. An attack can successfully exploit system vulnerabilities, resulting in an intrusion.

This work suggests that survivability should be reached by the use of preventive, reactive and tolerant approaches operating together. Figure 2 illustrates this behavior: preventive defenses are the first obstacle for attacks, blocking some of them while being incapable of preventing others. Some attacks succeed in intruding into the system (or network), and then reactive defenses begin to work, trying to detect and stop them. However, reactive defenses also have limitations, and intruders can succeed in compromising the system. In order to guarantee system operation even in the presence of intrusions, intrusion tolerance techniques need to be applied until preventive or reactive defenses can adapt themselves and take action against the attack or intrusion.

The proposal of combining the three defense lines should be explored further, taking into account survivability key properties and requirements for MANETs. Survivability requirements are identified in Section IV, and the survivability properties are resistance, recognition, recovery and adaptability [16].

Fig. 2. All defenses working together (figure not reproduced; it shows attacks meeting, in turn, preventive defenses such as VPN, cryptography, access control, firewall and digital certificate, then reactive defenses, and finally intrusion tolerance).

Resistance is the capability of a system to repel attacks. User authentication, firewalls and cryptography are examples of mechanisms used to reach it. Recognition is the system's capacity to detect attacks and evaluate the extent of damage. Examples of recognition mechanisms are intrusion detection by patterns and internal system integrity verification. Recovery is the capability of restoring disrupted information or functionality within time constraints, limiting the damage and maintaining essential services. Conventional strategies applied for achieving recovery are replication and redundancy.

Finally, adaptability is the system's capacity to quickly incorporate lessons learned from failures and to adapt to emerging threats [11], [16]. Examples of adaptation techniques are topology control by radio power management and active networking technology. The application of active networking technology intends to allow the dynamic selection of MAC or network layer parameters, and the dynamic negotiation of algorithms and entire protocols based on application requirements or the communication environment [16]. Figure 3 illustrates the interaction among these key properties.

III. ISSUES AND MECHANISMS FOR SECURITY IN MANETS

MANETs are susceptible to many security issues. Characteristics such as dynamic topology, resource constraints, limited physical security and the lack of a centralized infrastructure make those networks vulnerable to passive and active attacks [8]. In passive attacks, packets containing secret information might be eavesdropped, violating the confidentiality principle. Active attacks include injecting packets to invalid destinations, deleting packets, modifying the content of packets, and impersonating other nodes.

The classification of attacks by network protocol stack is the most frequent. Table I summarizes the main attacks on MANETs according to network layer. Some attacks are also categorized as byzantine or misbehavior attacks, being generated by network nodes whose actions cannot be trusted or do not conform to protocol specifications. Blackhole, wormhole, rushing, Sybil, sinkhole, HELLO flooding and selective forwarding are examples of byzantine attacks. Moreover, these attacks are also related to the selfishness problem. The goal of a selfish node is to make use of the benefits of participating in the ad hoc network without having to expend its own resources in exchange [22].

Researchers have actively explored many mechanisms for securing mobile ad hoc networks. These mechanisms are based essentially on customized cryptographic primitives, protocols for path diversity, protocols that overhear neighbor communication, and protocols that use specialized hardware [10].

Cryptographic primitives have been used to provide authentication, integrity and confidentiality in secure routing protocols [25]–[27]. In general, HMAC (a message authentication code used for authentication [28]), digital signatures and symmetric or asymmetric cryptographic operations are applied for these purposes. However, this mechanism generally increases the network overhead. MANET resource constraints prevent the usage of complex encryption methods. Furthermore, the absence of infrastructure and the dynamic topology increase the difficulty of key management and distribution, and, above all, these mechanisms cannot defend against internal attacks.

Path diversity techniques aim to increase route robustness by discovering multipath routes and using these paths to provide redundancy in data transmission [10], [29], [30]. Multipath routing protocols can use all routes found simultaneously and transmit the same data more than once, or can use them on demand, as an alternative. However, many of those protocols do not apply mechanisms to authenticate intermediate nodes in routes, making them vulnerable to impersonation and Sybil attacks.

Techniques for monitoring neighbor communication and behavior in the wireless channel have been proposed to detect and minimize misbehaving nodes [10], [31]–[34]. Generally, these techniques assume that wireless interfaces support promiscuous mode operation. Promiscuous mode means that if a node A is within range of a node B, it can overhear communications to and from B even if those communications do not directly involve node A. By means of this mechanism, nodes can monitor others and announce those that misbehave, for example by dropping or tampering with packets.
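As an added illustration of the overhearing mechanism just described (example code written for this survey, not taken from any of the cited proposals), the following watchdog is run locally by one node: it remembers each packet handed to a next-hop neighbor, clears the entry when it overhears that neighbor retransmit the packet, compares the overheard payload to catch tampering, and counts entries that time out as drops. The tick-based clock, the 30% threshold, the minimum sample count and the traffic trace are all constructed assumptions.

```python
from collections import defaultdict


class Watchdog:
    """Overhearing-based misbehavior detector run locally by one node.

    The watching node records every packet it hands to a next-hop neighbour,
    then listens in promiscuous mode. When it overhears the neighbour retransmit
    that packet it clears the entry (and compares the payload to spot
    tampering). Entries still pending after `timeout` ticks count as drops.
    A neighbour whose misbehavior ratio exceeds `threshold`, after at least
    `min_samples` observations, is reported so the node can announce it.
    """

    def __init__(self, timeout=3, threshold=0.3, min_samples=5):
        self.timeout = timeout            # assumed: ticks to wait for the relay
        self.threshold = threshold        # assumed: tolerated drop+tamper ratio
        self.min_samples = min_samples    # assumed: observations before judging
        self.pending = {}                 # packet_id -> (next_hop, tick_sent, payload)
        self.forwarded = defaultdict(int)
        self.dropped = defaultdict(int)
        self.tampered = defaultdict(int)

    def sent(self, packet_id, next_hop, tick, payload):
        """Record a packet handed to next_hop for forwarding."""
        self.pending[packet_id] = (next_hop, tick, payload)

    def overheard(self, packet_id, transmitter, payload):
        """Process a frame captured in promiscuous mode."""
        entry = self.pending.get(packet_id)
        if entry is None or entry[0] != transmitter:
            return                        # not a packet we are waiting on from this node
        del self.pending[packet_id]
        if payload == entry[2]:
            self.forwarded[transmitter] += 1
        else:
            self.tampered[transmitter] += 1   # relayed, but with altered content

    def expire(self, tick):
        """Count packets not overheard within the timeout as dropped."""
        for packet_id, (next_hop, sent_tick, _) in list(self.pending.items()):
            if tick - sent_tick > self.timeout:
                del self.pending[packet_id]
                self.dropped[next_hop] += 1

    def misbehaving(self):
        """Neighbours whose observed drop+tamper ratio exceeds the threshold."""
        suspects = []
        for node in set(self.forwarded) | set(self.dropped) | set(self.tampered):
            bad = self.dropped[node] + self.tampered[node]
            total = bad + self.forwarded[node]
            if total >= self.min_samples and bad / total > self.threshold:
                suspects.append(node)
        return sorted(suspects)


def run_demo():
    """Constructed trace: node A relays via B and D; B silently drops most packets."""
    wd = Watchdog(timeout=2, threshold=0.3, min_samples=5)
    tick = 0
    for i in range(10):
        wd.sent(f"b{i}", "B", tick, b"data")
        wd.sent(f"d{i}", "D", tick, b"data")
        tick += 1
        wd.overheard(f"d{i}", "D", b"data")        # D relays every packet unchanged
        if i < 4:
            wd.overheard(f"b{i}", "B", b"data")    # B relays only the first four
        wd.expire(tick)
    wd.expire(tick + wd.timeout + 1)               # flush what is still pending
    return wd.misbehaving()                        # returns ["B"]
```

The threshold and sample minimum matter: a legitimate neighbor under collisions or out of range will also miss some relays, so a single missed forward must not be enough to accuse it.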

Finally, hardware such as GPS (global positioning system) [35] or directional antennas has been used to help in preventing and detecting wormhole attacks [36], [37]. Perrig et al., for example, introduce the notion of packet leashes as a general mechanism for detecting and defending against them [26]. A leash is any information added to a packet and designed to restrict its transmission distance. Leashes are classified as geographical or temporal. A geographical leash ensures that the recipient of the packet is within a certain distance from the sender, and GPS can be used to obtain the node positions. In [37], a directional antenna scheme was proposed to also detect those attacks. The scheme restricts the communication among nodes based on distance information, which is calculated according to received signals. Unfortunately, these schemes are specific to wormhole attacks.
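To make the leash idea concrete, here is an added example (written for this survey, not code from the packet leash authors) of the receiver-side checks for both leash types. The geographical check bounds the sender-receiver distance by the reported separation plus what both nodes could have moved during the clock-error-padded transit plus the position error; the temporal check uses only the transit time and the speed of light. The radio range, velocity, clock and position error bounds and the two packet scenarios are constructed assumptions, and in a real protocol the leash fields would have to be authenticated.

```python
import math
from dataclasses import dataclass

SPEED_OF_LIGHT = 299_792_458.0  # metres per second


@dataclass(frozen=True)
class LeashParams:
    """Deployment-wide bounds every node agrees on (all values here are assumptions)."""
    radio_range: float      # R: maximum distance a legitimate one-hop transmission covers (m)
    max_velocity: float     # v: maximum node speed (m/s)
    clock_error: float      # Delta: maximum clock synchronization error between two nodes (s)
    location_error: float   # delta: maximum error of the position information, e.g. GPS (m)


@dataclass(frozen=True)
class LeashedPacket:
    """A packet carrying its leash fields (must be authenticated in a real protocol)."""
    sender_pos: tuple       # (x, y) of the sender in metres, as reported by its GPS
    sent_at: float          # sender timestamp t_s in seconds
    payload: bytes


def distance(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def geographical_leash_ok(pkt, receiver_pos, received_at, params):
    """Geographical leash: accept only if the packet could have travelled one hop.

    A wormhole replays the packet far from the honest sender, so the sender's
    reported position lies far outside the radio range and the bound exceeds R.
    """
    transit = received_at - pkt.sent_at + params.clock_error
    bound = (distance(pkt.sender_pos, receiver_pos)
             + 2 * params.max_velocity * transit
             + params.location_error)
    return bound <= params.radio_range


def temporal_leash_ok(pkt, received_at, params):
    """Temporal leash: no positions needed, but clocks must be synchronized
    well below R / c (under a microsecond for typical ranges), otherwise honest
    packets are rejected too. Tunnelling latency shows up as impossible flight time.
    """
    transit = received_at - pkt.sent_at + params.clock_error
    return transit * SPEED_OF_LIGHT <= params.radio_range


def run_demo():
    """Constructed scenario: one honest one-hop delivery, one wormhole-tunnelled copy."""
    geo = LeashParams(radio_range=250.0, max_velocity=20.0,
                      clock_error=1e-3, location_error=10.0)
    pkt = LeashedPacket(sender_pos=(0.0, 0.0), sent_at=100.000, payload=b"RREQ")
    # Honest neighbour 170 m away receives the packet 2 ms after it was stamped.
    honest = geographical_leash_ok(pkt, (150.0, 80.0), 100.002, geo)
    # The same packet replayed by a wormhole endpoint to a node ~985 m from the sender.
    tunnelled = geographical_leash_ok(pkt, (900.0, 400.0), 100.002, geo)

    tmp = LeashParams(radio_range=250.0, max_velocity=20.0,
                      clock_error=1e-7, location_error=0.0)
    pkt2 = LeashedPacket(sender_pos=(0.0, 0.0), sent_at=0.0, payload=b"RREQ")
    honest_t = temporal_leash_ok(pkt2, 0.5e-6, tmp)     # ~150 m of radio flight
    tunnelled_t = temporal_leash_ok(pkt2, 5.0e-6, tmp)  # 5 us: tunnel latency added
    return {"geo_honest": honest, "geo_wormhole": tunnelled,
            "tmp_honest": honest_t, "tmp_wormhole": tunnelled_t}
```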

IV. SURVIVABILITY REQUIREMENTS FOR MANETS

MANETs introduce diverse functions, operations and services influenced by the context, applications and basic characteristics. In a critical situation, where parts of a system are compromised by attacks or intrusions, priority is given to maintaining the correct functionality of essential services. Essential services demand capacities and guarantees to assure their correct delivery in the presence of attacks, failures or accidents. Such capacities and guarantees are identified as survivability requirements, and they can diverge significantly depending on the system characteristics, its scope, and the consequences of service interruption. Although Linger et al. [38] define those requirements in terms of essential and non-essential services, this section discusses survivability requirements for MANETs considering essential services and network characteristics.

Fig. 3. Survivability key properties (figure not reproduced; it lists (1) Resistance: strategies to repel attacks, e.g. traditional methods of defense such as cryptography and authentication; (2) Recognition: strategies for detecting attacks and intrusions, e.g. traditional intrusion detection systems; (3) Recovery: strategies for restoring compromised information or functionality, limiting the extent of damage, maintaining or restoring essential services, e.g. data replication and redundancy; (4) Adaptability: strategies for improving system survivability based on knowledge gained from intrusions, e.g. incorporation of new patterns for intrusion recognition).

TABLE I. ATTACKS BY NETWORK LAYERS

Layer | Attack | Description
Physical | Jamming | deliberate interference with radio reception to deny the target's use of a communication channel
Link | Exhaustion | the attacker induces repeated retransmission attempts in order to exhaust the target's resources
Link | Collision | deliberate collisions or corruption induced by an attacker in order to deny the use of a link
Network | Wormhole | adversaries cooperate to provide a low-latency side channel for communication by means of a second radio with higher power and a long-range link
Network | Blackhole | malicious nodes manipulate routing packets in order to participate in routes and then drop data packets
Network | Sinkhole | an attempt is made to lure traffic from the network to pass through an adversary in order to facilitate other attacks
Network | Flooding | overwhelms the victim's limited resources: memory, processing or bandwidth
Network | Selective forwarding | malicious nodes behave like normal nodes most of the time but selectively drop packets that are sensitive for the application. Such selective dropping is hard to detect
Network | Sybil | multiple fake identities are created for adversary nodes, meaning that an attacker can appear to be in multiple places at the same time
Network | Rushing | adversaries quickly forward their route request (RREQ) messages when a route discovery is initiated, in order to participate in any route discovery. This attack can be carried out against on-demand routing protocols, such as AODV [23], DSR [24] and others
Transport | SYN flooding | classic TCP SYN flood, where an adversary sends many connection establishment requests to a target node, overwhelming its resources

Essential services in MANETs can be classified into two types: specific services and general services. The former represents those services defined by the application or network context. The latter denotes fundamental services that are independent of applications or context, such as routing, connectivity and communication. Since specific services can vary with application or context, this work analyzes the survivability requirements related to general services.

Survivable MANETs must maintain a connected network even in adverse situations, since that service enables efficient routing and end-to-end communication. Consequently, survivable networks must (i) consider node heterogeneity, balancing their operations and tasks among the network nodes; (ii) be able to change the connection parameters dynamically, such as node addressing and service discovery (self-configuration); (iii) be able to adjust the transmit power of nodes adaptively in response to mobility, activity requirements such as QoS level, environmental conditions and attacks (self-adaptation); and (iv) use node energy and other resources efficiently when the system suspects that it is under attack (efficiency).

Routing is another essential service whose cooperative way of working brings many security weaknesses. Hence, survivable networks need to apply mechanisms to (i) control the access of nodes to the network (access control); (ii) protect the wireless communication at the physical and data link layers as well as user/data acquisition (protection); (iii) guarantee the integrity, confidentiality and authentication principles; (iv) offer robust and efficient routing; and (v) tolerate attacks by means of intrusion tolerance techniques such as redundant approaches (multipath, double routing protocol and others) (redundancy).

Communication is the main purpose of any network, and security or mobility issues make MANET communication a challenge. In this way, its survivability requirements consist of (i) designing protocols that work normally under different and adverse conditions (self-adaptation); (ii) making end-to-end communication functional without needing a reliable return channel for acknowledgments; (iii) using multiple communication channels (redundancy); and (iv) proceeding during eventual disconnection and along partial segments of paths (robustness). Table II summarizes these MANET survivability requirements, taking into account the general services.

Certain survivability requirements are consequences of network characteristics. Survivable systems for MANETs cannot have a central point of failure or attack. They must be fully decentralized, and they must achieve the necessary organizational structures without requiring human intervention (self-organization). Survivable MANETs must be scalable to accommodate the great variability in the total number of nodes and the dynamic topology. They must also be self-managed and self-controlled, that is, autonomic, to guarantee network functionality and efficiency.

Survivable MANETs must be self-diagnosing, monitoring themselves and finding faulty, unavailable, misbehaving or malicious nodes. They must also prevent disruptions, or recover from problems that have already happened by finding an alternative way of using resources and reconfiguring the entity to keep it in normal operation (self-healing). Finally, survivable networks must manage themselves in order to optimize the use of their resources, minimizing latency and maintaining the quality of service. Figure 4 illustrates the integration among all mentioned requirements, distinguishing those yielded by general essential services (light gray) from those produced by network characteristics (dark gray). Requirements that depend on the context or application are not considered, so the view in the figure is incomplete.

Each requirement, as depicted in Figure 4, is connected to others that together can improve network survivability. Robustness, for example, will be more effective for survivability when redundancy, access control and protection are also applied. Protection is often reached by authentication, integrity and confidentiality. Access control generally applies authentication mechanisms, and the self-controlling characteristic enhances it. The scalability requirement will be reached by means of self-management, self-organization and self-controlling. These integrations only illustrate some possibilities for jointly improving survivability, without exhausting all of them.

Nowadays, each essential service in Table II (connectivity, routing and communication) is treated and associated with a different layer: the link, network and application layers, respectively. This is not sufficient for achieving a completely survivable system, due to multi-layer attacks. Further, the use of multi-layer information can make security mechanisms more robust, resistant and survivable. The routing layer, for example, can use energy or bandwidth information present in the link layer to make better choices and be more adaptive. The routing layer can inform the other layers about attack detection, and in this way those layers can start an alert procedure. In summary, the survivability present in the layers can mutually provide guarantees and support.

Based on these considerations and on the survivability key properties presented in Section II, we identified three view planes for survivable systems, as illustrated in Figure 5. In the first one (key properties), we have the properties that must be achieved by the system. In the second one (requirements), we highlight the requirements that survivable systems need to reach. Finally, in the third one (protocol layers), we emphasize that all network layers need to be addressed by the system. We note that a complete survivable system attends to all three planes.

    V. SURVIVABLE INITIATIVES FOR MANETS

This section describes several initiatives on building survivable mobile ad hoc networks. Although many of them do not present a complete survivable proposal, they have goals, characteristics and mechanisms more correlated to properties and requirements of survivability than just preventive or reactive schemes. Since some papers survey conventional security defense lines [3], [9], [39], [40], this work focuses on security propositions that aggregate more than one defense line and apply some technique of tolerance, such as redundancy or recovery.

Initiatives found in the literature are categorized in three main groups: route discovery, data forwarding, and key management and access control. The route discovery group consists of approaches trying to make the route discovery phase of routing protocols more resistant and tolerant to different kinds of attacks and intrusions. The data forwarding group is composed of initiatives specialized in data forwarding using preventive or reactive security schemes and some tolerance techniques, such as redundancy. The last one includes cryptographic key management and access control approaches built to be more tolerant to attacks.

    A. Route discovery

Routing is essential for the correct operation of MANETs, and many routing protocols have been proposed in the literature, including proactive (table-driven), reactive (demand-driven), and hybrid solutions. Most of the existing protocols have assumed MANETs to be a trusted environment. However, as shown in previous sections, MANETs are highly vulnerable to attacks due to their characteristics.

Secure routing protocols have been proposed [26], [27], [41], such as SRP [29], SAODV [42] and SAR [43]. These secure protocols are mostly based on authentication and encryption algorithms and are insufficient to keep all intruders and attacks off. For this reason, some research groups have built intrusion-tolerant routing approaches, such as TIARA (Techniques for Intrusion-resistant Ad Hoc Routing Algorithms) [44], BFTR (Best-Effort Fault Tolerant Routing) [45], ODSBR (An On-Demand Secure Byzantine Routing Protocol) [46] and BA (Boudriga's Approach) [47].


TABLE II
SURVIVABILITY REQUIREMENTS

Essential service: Connectivity
  Survivable system requirements:
  - working on heterogeneous networks
  - self-configuration (mainly, for naming and service discovery)
  - self-adaptation of node transmit powers in response to mobility, activities, environments and attacks
  - the efficient use of nodes' energy

Essential service: Routing
  Survivable system requirements:
  - node access control
  - protection of wireless communication at physical, medium and data link layers
  - integrity, confidentiality and authenticity principles
  - efficiency and robustness
  - the use of redundant approaches

Essential service: Communication
  Survivable system requirements:
  - working in different and variable conditions
  - the use of asymmetric and unidirectional links
  - end-to-end communication without considering a reliable return channel
  - the use of multiple communication channels
  - working even on eventual disconnections

Fig. 4. Integration among survivability requirements (figure: robustness, self-adaptation, efficiency, scalability, self-control, self-configuration, self-management, access control, self-organization, integrity, no centralization, redundancy, authentication, protection, confidentiality, heterogeneity, self-optimization, self-diagnosing and self-healing, drawn as linked nodes)

1) TIARA: TIARA defines a set of design techniques to mitigate the impact of Denial of Service (DoS) attacks and can be applied to routing protocols to allow acceptable network operation in the presence of these attacks. The main techniques established by TIARA are: flow-based route access control (FLAC), distributed wireless firewall, multipath routing, flow monitoring, source-initiated flow routing, fast authentication, the use of sequence numbers and referral-based resource allocation. For its effective implementation, TIARA should be adapted to a routing protocol, being more easily incorporated into on-demand protocols, such as DSR and AODV.

In the FLAC technique, a distributed wireless firewall and a limited resource allocation are applied together to control packet flows and to prevent attacks based on resource overload. Each node participating in the ad hoc network contains an access control list, where authorized flows are defined. A threshold is defined for allocating a limited amount of network resources to a given flow. Many routes are discovered and maintained, but only one route is chosen for data forwarding.

The flow monitoring technique checks for network failures by sending periodic control messages, called flow status packets. If a path failure is identified, an alternative path found in the discovery phase will be selected. The authentication process in TIARA consists in placing the path label of the packet in a secret position. Each node can define a different position for the label within the packet, this being its authentication information.

2) BFTR: Best-effort fault-tolerant routing (BFTR) is a source routing algorithm exploring the path redundancy of ad hoc networks. Its goal is to maintain the packet routing service with a high delivery ratio and low overhead in the presence of misbehaving nodes. BFTR never attempts to conclude whether the path, or any node along it, is good or bad. It takes into account existing statistics to choose the most feasible path, such as the one with the highest packet delivery ratio in the immediate past. By means of existing statistics and receiver feedback, different types of attacks can be indistinctly detected, such as packet dropping, corruption, or misrouting.

Fig. 5. Planes of view for survivability (figure: three planes, key properties (resistance, recognition, recovery, adaptability), requirements (efficiency, protection, robustness, self-control, heterogeneity, scalability, self-management, self-organization, decentralization, etc.) and protocol layers (physical, link, network, transport, application))

BFTR is based on DSR flooding to retrieve a set of paths between source and destination nodes, whenever necessary, and it initially chooses the shortest path to send packets. If a route failure is reported, the protocol will discard the current routing path and proceed with the next shortest path in the route cache. The algorithm considers that the behavior of any good node is to deliver packets correctly with a high delivery ratio. In this way, a good path consists of nodes with a high delivery ratio. Any path with a low delivery ratio is thus discarded and replaced by the next shortest path. BFTR requires no security support from intermediate nodes. The source and destination nodes of connections are assumed to be well-behaved. A previous trust relationship between end nodes is required, making authentication between them possible during data communication.
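The path-switching rule described above, as an added example that is not part of the survey or of the BFTR paper: the source keeps the shortest cached path until receiver feedback over a sliding window shows its delivery ratio has dropped below a threshold, then discards the whole path (never a single node) and moves to the next shortest one. The topology, the 10-packet window and the 0.5 threshold are constructed assumptions.

```python
from collections import deque
import random


class BFTRSource:
    """Source-side BFTR path selection (constructed example).

    The DSR-style route cache is ordered by hop count. The shortest cached
    path stays in use until end-to-end feedback over the last `window`
    packets shows a delivery ratio below `threshold`; the path is then
    discarded and the next shortest path takes over.
    """

    def __init__(self, route_cache, window=10, threshold=0.5):
        # Paths are node-id lists from source to destination, e.g. ['S', 'M', 'D'].
        self.cache = sorted(route_cache, key=len)
        self.window = window                    # size of the "immediate past"
        self.threshold = threshold              # minimum acceptable delivery ratio
        self.feedback = deque(maxlen=window)    # 1 = delivered, 0 = lost
        self.discarded = []

    def current_path(self):
        """Path in use, or None when the cache is exhausted (new flood needed)."""
        return self.cache[0] if self.cache else None

    def delivery_ratio(self):
        if not self.feedback:
            return 1.0
        return sum(self.feedback) / len(self.feedback)

    def report(self, delivered):
        """Consume one piece of receiver feedback for the current path.

        Returns the path to use for the next packet. The judgement is
        statistical and per path: BFTR does not try to identify which node
        misbehaved, it only stops using a path that delivers poorly.
        """
        if self.current_path() is None:
            return None
        self.feedback.append(1 if delivered else 0)
        full_window = len(self.feedback) == self.window
        if full_window and self.delivery_ratio() < self.threshold:
            self.discarded.append(self.cache.pop(0))
            self.feedback.clear()   # statistics restart for the new path
        return self.current_path()


def simulate(route_cache, drop_prob, n_packets, seed=0, **kw):
    """Send n_packets through a constructed network where each intermediate
    node drops a packet with probability drop_prob[node] (0.0 if absent).
    End nodes are assumed well-behaved, as in BFTR.

    Returns (packets delivered, paths discarded, path in use at the end).
    """
    rng = random.Random(seed)
    src = BFTRSource(route_cache, **kw)
    delivered_count = 0
    for _ in range(n_packets):
        path = src.current_path()
        if path is None:
            break
        delivered = all(rng.random() >= drop_prob.get(n, 0.0) for n in path[1:-1])
        delivered_count += delivered
        src.report(delivered)   # receiver feedback drives path selection
    return delivered_count, list(src.discarded), src.current_path()


if __name__ == "__main__":
    # Constructed topology: the 2-hop path crosses a node 'M' that drops
    # everything; the 3-hop path is honest.
    cache = [['S', 'M', 'D'], ['S', 'A', 'B', 'D']]
    print(simulate(cache, {'M': 1.0}, 40))
```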

3) ODSBR: ODSBR is a routing protocol that intends to provide a correct routing service even in the presence of Byzantine attacks [48]. ODSBR operates using three sequential phases: (i) least weight route discovery, (ii) Byzantine fault localization and (iii) link weight management. The first phase is based on double secure flooding and aims to find the lowest cost paths. Double flooding means that the route discovery protocol floods with both route request and route response messages in order to ensure path setup. In this phase, cryptographic operations guarantee secure authentication and digital signatures. The second phase discovers faulty links on the paths by means of an adaptive probing technique. This technique uses periodic secure acknowledgments (acks) from intermediate nodes along the route, and the integrity of the packets is assured by cryptography. The last phase of the ODSBR protocol manages the weight assigned to a faulty link. Each faulty link has a weight to identify bad links, this information being stored in a weight list and used by the first phase of the protocol.

Results have shown the good performance of ODSBR in many scenarios for different metrics. However, some important points are not evaluated or well defined. For example, ODSBR assumes the use of RSA cryptography and digital signatures without considering open issues such as public key distribution, node pair key initialization or the interaction among nodes to guarantee authenticity. These operations are essential for the proper functionality of ODSBR and can influence the results. Moreover, it is also based on acknowledgments that might not be assured due to mobility and dynamic topology.

4) Boudriga's approach (BA): Boudriga et al. [47] propose a new approach for building intrusion-tolerant MANETs. It consists of a multi-level trust model and a network layer mechanism for resource allocation and recovery. The multi-level trust model assumes that the network is divided into two virtual sets: the resources domain and the users domain. Each resource assigns a unique trust level to each type of activity that it is involved with and to each location where it appears. Based on this trust level and on the activity, users or applications allocate resources by a distributed scheme. It allocates available resources attempting to maximize use and minimize costs. For each application, only a fraction of a resource is allocated at a given node.

Intrusion tolerance is reached through a distributed firewall mechanism, a technique for detecting and recovering from intruder-induced path failures, a trust relation between all nodes, IPsec-based packet authentication, and a wireless router module that enables survivability mechanisms against DoS attacks. The distributed firewall aims to protect the MANET against flooding attacks, and each node maintains a firewall table containing the list of all packets passing through it and successfully accepted by their destination. After a handshake between the sender and the receiver of a related flow, the entries in a firewall table will be maintained automatically and refreshed when failures, intrusion occurrences or other abnormal behavior are detected. Based on those entries, the node can forbid any flood of spurious traffic. Three parameters are managed by the nodes to detect anomalies: packet loss rate, duplicate packet rate and authentication failure rate.

B. Data forwarding

Some works have proposed secure routing mechanisms to defend against several attacks [10], [32]-[34]. Although those protocols ensure the correctness of the route discovery, they cannot guarantee secure and undisrupted delivery of data. Intelligent attackers can easily gain unauthorized access to the network, follow the rules of the route discovery, place themselves on a route, and later redirect, drop or modify traffic, or inject data packets. In a nutshell, an adversary can hide its malicious behavior for a period of time and then attack unexpectedly, complicating its detection. For these reasons, mechanisms to provide data confidentiality, data availability and data integrity are necessary for guaranteeing secure data forwarding.

Several mechanisms have been proposed for securing data forwarding. Lightweight cryptographic mechanisms such as Message Authentication Codes (MAC) [28], for example, are used for data integrity. Nuglets [49], Friends and Foes [50], Sprite [51] and others [52], [53] propose mechanisms to stimulate node participation in data forwarding, trying to guarantee data availability. CORE [54] and CONFIDANT [55] are examples of reputation systems that provide information to distinguish between a trustworthy node and a bad node. This information also encourages nodes to participate in the network in a trustworthy manner.

Some solutions to provide data confidentiality and data availability have attempted to apply techniques such as redundancy and message protection to be more resilient to attacks. In SPREAD [56], SMT [57] and SDMP [58], for example, the message is divided into multiple pieces by a message division algorithm. These pieces are simultaneously sent from the source to the destination over multiple paths. In [59], a cross-layer approach is investigated to improve data confidentiality and data availability, using directional antennas and intelligent multipath routing with data redundancy.

1) SPREAD: The Secure Protocol for Reliable Data Delivery (SPREAD) scheme proposes the use of some techniques to enhance data confidentiality and data availability. Initially, messages are split into multiple pieces by the source node, using a threshold secret sharing scheme. Each piece is encrypted and sent out via multiple independent paths. Encryption between neighboring nodes with a different key is assumed, as well as the existence of an efficient key management scheme. SPREAD focuses on three main operations: dividing the message, selecting multiple paths and allocating message pieces to paths.

Messages are split by the threshold secret sharing algorithm [60] and each piece is allocated to a selected path, aiming to minimize the probability of harm. SPREAD selects multiple independent paths taking into account security factors such as the probability of being compromised. The goal of SPREAD is to achieve an optimal share allocation, where the attacker would have to compromise all the paths to recover the message.

2) SMT: The goal of the secure message transmission (SMT) protocol is to ensure data confidentiality, data integrity, and data availability, safeguarding the end-to-end transmission against malicious behavior of intermediary nodes. SMT exploits four main characteristics: an end-to-end secure feedback mechanism, dispersion of the transmitted data, simultaneous usage of multiple paths, and adaptation to the changing network conditions. It requires a security association (SA) [61] between the two communicating end nodes, so no link encryption is needed. This trust relationship is indispensable for providing data integrity and authentication of end nodes, necessary for any secure communication scheme. The two end nodes make use of a set of node-disjoint paths, called the Active Path Set (APS), which is a subset of all existing paths between them.

The data message is broken into several small pieces by the information dispersal scheme [62]. Data redundancy is added to allow recovery, also being divided into pieces. All pieces are sent through different routes existent in the APS, statistically enhancing the confidentiality and availability of exchanged messages. At the destination, the dispersed message is successfully reconstructed only if a sufficient number of pieces are received. Each piece carries a Message Authentication Code (MAC), allowing its integrity verification by the destination. The destination validates the incoming pieces and acknowledges the successfully received ones through feedback to the source. The feedback mechanism is also protected by cryptography and is dispersed to provide fault tolerance. Each path of the APS has a reliability rating calculated from the number of successful and unsuccessful transmissions on this path. SMT uses this rating to manage the paths in the APS, trying to determine and maintain a maximally secure path set, and adjusting its parameters to remain effective and efficient.

3) SDMP: The Secured Data based MultiPath (SDMP) protocol also exploits multiple paths between network nodes to increase robustness and data confidentiality. The protocol assumes Wired Equivalent Privacy (WEP) link encryption/decryption of all the frames between neighboring nodes, which provides link layer confidentiality and authentication. SDMP can work with any routing protocol which provides topology discovery and supports the use of multipath routing. SDMP distinguishes between two types of path: signaling and data. The signaling type requires only one path of the path set existent between source and destination nodes, the other paths being available for data transmission.

The protocol divides the message into pieces using the Diversity Coding approach [63]. Each piece has a unique identifier and all of them are combined in pairs through an XOR operation related to a random integer number. Each pair is sent along a different path. All information necessary for message reconstruction at the destination is sent by the signaling path. Unless the attacker can gain access to all of the transmitted parts, the probability of message reconstruction is low. That is, to compromise the confidentiality of the original message, the attacker must get within eavesdropping range of the source/destination, or simultaneously listen on all the paths used and decrypt the WEP encryption of each transmitted part. However, it is possible to deduce parts of the original message from only a few of the transmitted pieces, especially since one piece of the original message is always sent in its original form on one of the paths.

4) Cross-layer approach (CLA): In contrast to the previous solutions, a cross-layer approach is investigated in [59]. The solution uses directional antennas and intelligent multipath routing to enhance end-to-end data confidentiality and data availability. Unlike an omni-directional antenna, which transmits or receives radio waves uniformly in all directions, a directional antenna transmits or receives radio waves in one particular direction. Directional antennas make eavesdropping more difficult and reduce the areas covered by packet transmissions, minimizing the overlap of message pieces sent by multiple paths. Thus, the use of directional antennas is justified by the reduction in the likelihood that an adversary is able to simultaneously gather all of the message pieces at the source or destination nodes.

A self-adaptive transmission power control mechanism is used together with directional antennas to reduce the message interception probability. This mechanism allows the transmitter to use only enough transmission power to reach the intended receiver, minimizing the radiation pattern for a given radio transmission and the possibility of an attacker intercepting the message transmission. The transmission power is adjusted dynamically depending on the type of data packet exchanged between neighboring nodes. Multipath routing is also used. Thus, messages are divided based on a threshold secret sharing algorithm, and then the shares are sent over multiple node-disjoint paths. Two intelligent routing schemes are proposed to reduce the message interception probability. The former minimizes the physical distance of hops and the latter minimizes the path-set correlation factor.

C. Key management and access control

Security solutions have relied on cryptography and suppose the existence of an infrastructure for providing and managing keys. Some MANET characteristics, such as the lack of any central infrastructure, make key management a challenge. Despite this, distributed and self-organized key management systems for MANETs have been proposed. Basically, there are two types of key infrastructure [3], [9]. The first involves the private key infrastructure, which establishes common private keys used for symmetric cryptography, such as symmetric group keys used for securing group communications. The second considers the public key infrastructure, which provides a pair of keys (public/private) used for asymmetric cryptography, as in digital signatures. This subsection addresses the most relevant survivable key management initiatives.

1) PGP-like (PL): One of the survivable key management initiatives for MANETs is called PGP-like [64]. This system handles the public key management problem and proposes a fully distributed self-organizing public key management infrastructure. PGP-like (PL) is based on the PGP (Pretty Good Privacy) functionality [65], and each node is responsible for creating its public and private keys. Unlike PGP, where certificates are mainly stored in centralized certificate repositories, certificates in PGP-like are stored, distributed and managed by the nodes in a fully self-organized manner. In this system, key authentication is performed via chains of public-key certificates.

As public and private keys are created locally by the node itself, public-key certificates are issued based on the existing trust among the nodes. In this way, if a node x believes that a given public key Kz belongs to a node z, then x can issue a public-key certificate in which Kz is bound to z by the signature of x. Initially, each node holds in its repository the certificates issued by it and the certificates that other nodes issued to it. PGP-like defines a mechanism that provides periodic exchanges of certificates between neighbor nodes. This mechanism aims to distribute the certificates and make it more efficient to find a chain of public-key certificates. Moreover, mechanisms to update and to revoke keys are used to prevent conflicts. PGP-like also presents functionalities to deal with misbehaving nodes, such as operations to cross-check the keys in certificates and detect inconsistencies. Certificates are inconsistent when two or more of them are related to the same user but present different keys, or relate the same public key to different users.
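An added illustration of the repository exchange, chain search and cross-check just described (example code, not the PGP-like authors' implementation). Certificates, node names and keys are constructed, and a signature is modelled by the issuer field alone; a chain is accepted only when none of its certificates is involved in a detected inconsistency.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Public-key certificate: `issuer` signs the binding subject -> key.
    The signature itself is represented by the issuer field (constructed)."""
    issuer: str
    subject: str
    key: str


def initial_repository(node, all_certs):
    """A node starts with the certificates it issued and those issued to it."""
    return {c for c in all_certs if node in (c.issuer, c.subject)}


def exchange(repo_a, repo_b):
    """Periodic certificate exchange between neighbours: both adopt the union."""
    return repo_a | repo_b


def find_chain(repo, start, target):
    """Breadth-first search for a certificate chain start -> ... -> target.

    Each hop is a certificate issued by the node reached on the previous hop,
    so the verifier extends trust from its own key one signature at a time.
    Returns the list of certificates, or None if no chain exists.
    """
    visited = {start}
    queue = deque([(start, [])])
    while queue:
        node, chain = queue.popleft()
        if node == target:
            return chain
        # deterministic iteration order over the set
        for c in sorted(repo, key=lambda c: (c.issuer, c.subject, c.key)):
            if c.issuer == node and c.subject not in visited:
                visited.add(c.subject)
                queue.append((c.subject, chain + [c]))
    return None


def inconsistencies(repo):
    """Cross-check: users bound to more than one key, and keys bound to more
    than one user; both patterns are what PGP-like flags as inconsistent."""
    by_user, by_key = {}, {}
    for c in repo:
        by_user.setdefault(c.subject, set()).add(c.key)
        by_key.setdefault(c.key, set()).add(c.subject)
    return ({u: ks for u, ks in by_user.items() if len(ks) > 1},
            {k: us for k, us in by_key.items() if len(us) > 1})


def authenticated_key(repo, start, target):
    """Key of `target` vouched for by a chain from `start`, or None when no
    chain exists or any certificate on it is part of an inconsistency."""
    chain = find_chain(repo, start, target)
    if not chain:
        return None
    bad_users, bad_keys = inconsistencies(repo)
    for c in chain:
        if c.subject in bad_users or c.key in bad_keys:
            return None
    return chain[-1].key
```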

2) Joshi's approach (JA): Joshi et al. propose a fully distributed certificate authority scheme based on secret sharing and redundancy [66]. In the secret sharing mechanism, the certificate authority's private key is first divided into parts. These parts, or key shares, are then distributed among the nodes in the network. To communicate, nodes have to recreate the key. The certificate authority (CA) key can be recreated by combining a minimum number of key shares from the total number of shares. The critical situation is when the number of nodes required to recreate the key is not found in the communication range of the node trying to communicate.

The number of key shares per node is more than one, incorporating redundancy into the network. Since each node stores more than one key share, the number of nodes required to recreate the CA key is reduced, increasing the chances of a legitimate node recreating the CA key. On the other hand, the redundancy poses a challenge, since the chances of an intruder entering the network and compromising the CA key are increased. When an intruder accesses the network and compromises one node, it becomes as good as a valid node. To overcome this problem, the use of an intrusion detection system (IDS) is proposed, which should identify the misbehaving/compromised nodes and remove them from the network.
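The threshold secret sharing that SPREAD applies to message pieces (Section V-B.1) and that Joshi's approach applies to the CA private key, as one added example serving both passages; it is not the original authors' code. It uses a toy Shamir scheme over a single prime field, and the round-robin share allocation to paths and the per-node share layout are constructed assumptions.

```python
"""Threshold secret sharing for SPREAD (message shares over multiple paths)
and for Joshi's approach (CA key shares held redundantly by nodes).
Constructed example over a toy prime field."""
import random
from math import ceil

PRIME = 2**61 - 1   # field modulus; secrets are integers below it


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, k, n, rng=random):
    """(k, n) Shamir split: shares are points (x, f(x)) of a random degree k-1
    polynomial with f(0) = secret. Any k shares recover it; fewer do not."""
    assert 0 <= secret < PRIME and 1 <= k <= n < PRIME
    coeffs = [secret] + [rng.randrange(1, PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x = 0. The caller must supply at least k
    distinct shares; with fewer the result is simply a wrong value."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


# --- SPREAD: allocate message shares to independent paths -------------------

def spread_allocate(shares, paths):
    """Deal shares round-robin over the path set; returns {path: [shares]}."""
    alloc = {p: [] for p in paths}
    for i, s in enumerate(shares):
        alloc[paths[i % len(paths)]].append(s)
    return alloc


def eavesdropper_can_recover(alloc, compromised_paths, k):
    """True when the shares visible on the compromised paths reach the
    threshold k. With k equal to the number of shares (no redundancy), every
    path carrying a share must be compromised."""
    collected = [s for p in compromised_paths for s in alloc[p]]
    return len(collected) >= k


# --- Joshi's approach: redundant CA key shares ------------------------------

def distribute_ca_shares(shares, node_ids, shares_per_node):
    """Give each node `shares_per_node` distinct shares of the CA key; with
    more nodes than shares, the same share is replicated on several nodes."""
    n = len(shares)
    holdings = {}
    for i, node in enumerate(node_ids):
        holdings[node] = [shares[(i * shares_per_node + j) % n]
                          for j in range(shares_per_node)]
    return holdings


def nodes_needed(k, shares_per_node):
    """Minimum number of distinct cooperating nodes to reach threshold k."""
    return ceil(k / shares_per_node)


def recover_ca_key(holdings, reachable_nodes, k):
    """Union of distinct shares from the nodes in range; None below threshold.
    One compromised node leaks shares_per_node shares at once, which is the
    exposure the IDS in Joshi's scheme is meant to contain."""
    distinct = {}
    for node in reachable_nodes:
        for x, y in holdings[node]:
            distinct[x] = y
    if len(distinct) < k:
        return None
    return reconstruct(list(distinct.items())[:k])
```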

3) URSA: URSA is a ubiquitous, decentralized, self-controlled and robust access control solution for mobile ad hoc networks, where no single node monopolizes the access decision or is assumed to be completely trusted [67]. Instead, multiple nodes jointly monitor a local node and certify/revoke its ticket. Tickets perform the same functionality as conventional digital certificates, having an expiration time, the personal public key of the node, a signature and an identifier. They are certified and updated periodically to resist conspiracy attacks by multiple misbehaving nodes. Certifications are based on the RSA cryptosystem [67] and on threshold cryptography-based signatures [60]. URSA handles a localized group trust model where a node is considered trusted if it is trusted by a number of reliant nodes. The trust relation is defined within a certain interval limited by the ticket expiration time. Based on this model, trusted nodes can sign tickets for all other nodes in the network. These nodes also monitor other nodes in order to detect possible misbehaviors. If a misbehaving node is detected, ticket revocation can be done to prevent the attack propagation. Tickets are also periodically renewed to improve the resilience of the system.

Other works follow the same idea as URSA and apply a threshold approach, such as [5] and [68]. Although they present characteristics similar to URSA, they deal with the public key management problem. In fact, Zhou and Haas [5] were the first to address public key management in MANETs, and also applied a threshold approach to make it decentralized and robust.


TABLE III
SURVIVABILITY PROPERTIES IN THE DIFFERENT INITIATIVES
(Key properties as columns: resistance, recognition, recovery, adaptability. Initiatives as rows: TIARA, BFTR, ODSBR, BA, SPREAD, SMT, SDMP, CLA, PL, JA, URSA. The table's cell marks were not preserved in this text.)

Table III correlates the initiatives presented in this section with the survivability properties. Table IV summarizes the requirements achieved by each survivable initiative and Table V reviews the main techniques applied, the protocol stack layer that is affected, the dependence on a protocol and the attacks addressed by each initiative.

VI. CONCLUSION

The use of MANETs has increased and, consequently, security issues have become more important. Traditional defense lines are not sufficient for such networks, since they present different characteristics and properties that require new approaches. This article introduced survivability concepts and their correlation with preventive, reactive and tolerance defense lines. Survivable MANETs will be able to fulfill their goals (even in the presence of attacks or intrusions) by means of the cooperation among those three defense lines.

Key properties of survivability, such as resistance, recognition, recovery and adaptability, were detailed, and survivability requirements for MANETs were analyzed. Those requirements comprise self-organization, self-control, self-configuration, self-management, access control, protection, authentication, scalability, redundancy and others.

Existing survivable initiatives were categorized in three groups: route discovery, data transmission and key management. Furthermore, these initiatives were described emphasizing their survivability requirements and properties. Based on this investigation, we can conclude that (i) security solutions for MANETs still apply only a small set of preventive and reactive techniques; (ii) solutions focus either on attacks or only on one layer of the protocol stack; (iii) the adaptability property is almost unexplored; (iv) requirements such as heterogeneity, efficiency, robustness and self-management are not yet reached.

Finally, this work highlights that a fully survivable MANET should apply the three defense lines cooperatively instead of only one or two lines independently. Further, it should consider a multi-layer and multi-attack solution, besides being heterogeneous for diverse environments and adaptable on the fly to unexpected situations.

REFERENCES

[1] P. Papadimitratos and Z. Haas. Handbook of Ad Hoc Wireless Networks, chapter Securing mobile ad hoc networks. CRC Press, 2002.

[2] F. Adelstein, S. K. S. Gupta, and G. G. Richard III. Fundamentals of Mobile and Pervasive Computing. McGraw-Hill, 2005.

[3] D. Djenouri, L. Khelladi, and A. N. Badache. A survey of security issues in mobile ad hoc and sensor networks. IEEE Commun. Surveys & Tutorials, 7(4):2-28, 2005.

[4] C. E. Perkins. Ad Hoc Networking: An Introduction. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 2001.

[5] L. Zhou and Z. J. Haas. Securing Ad Hoc Networks. IEEE Network, 13(6):24-30, 1999.

[6] J. Douceur. The Sybil attack. In Proc. International Workshop on Peer-to-Peer Systems (IPTPS), Cambridge, MA (USA), March 2002.

[7] H. Yang, H. Luo, J. Kong, F. Ye, P. Zerfos, S. Lu, and L. Zhang. Ad Hoc Network Security: Challenges and Solutions. CRC Press, 2004.

[8] B. Wu, J. Chen, J. Wu, and M. Cardei. Wireless/Mobile Network Security, chapter A survey on attacks and countermeasures in mobile ad hoc networks. Springer, 2006.

[9] P. Argyroudis and D. O'Mahony. Secure routing for mobile ad hoc networks. IEEE Commun. Surveys & Tutorials, 7(3):2-21, Third Quarter 2005.

[10] I. Khalil, S. Bagchi, and C. Nita-Rotaru. DICAS: detection, diagnosis and isolation of control attacks in sensor networks. In Proc. International Conference on Security and Privacy in Communication Networks (SECURECOMM), pages 89-100, Los Alamitos, CA, USA, 2005. IEEE Computer Society.

[11] R. Ellison, D. Fisher, R. Linger, H. Lipson, T. Longstaff, and N. Mead. Survivable Network Systems: An Emerging Discipline (CMU/SEI-97-TR-013). Technical report, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, 1997.

[12] P. E. Veríssimo, N. F. Neves, and M. P. Correia. Intrusion-Tolerant Architectures: Concepts and Design. Technical Report DI-FCUL TR-03-5, Department of Informatics, University of Lisbon, Portugal, 2003.

[13] Y. Deswarte and D. Powell. Internet Security: An Intrusion-Tolerance Approach. Proc. IEEE, 94(2):432-441, 2006.

[14] Malicious- and Accidental-Fault Tolerance for Internet Applications. http://www.maftia.org. Access: December 2007.

[15] Organically Assured and Survivable Information System (OASIS). http://www.tolerantsystems.org. Access: December 2007.

[16] J. P. G. Sterbenz, R. Krishnan, R. R. Hain, A. W. Jackson, D. Levin, R. Ramanathan, and J. Zao. Survivable Mobile Wireless Networks: Issues, Challenges, and Research Directions. In Proc. ACM Workshop on Wireless Security (WiSe), pages 31-40, New York, NY, USA, September 2002. ACM Press.

[17] J.-C. Laprie and B. Randell. Basic Concepts and Taxonomy of Dependable and Secure Computing. IEEE Trans. Dependable and Secure Computing, 1(1):11-33, 2004.

[18] P. Veríssimo. Intrusion tolerance: concepts and design principles. A tutorial. DI/FCUL TR 02, Department of Informatics, University of Lisbon, July 2002.

[19] J. Fraga and D. Powell. A fault- and intrusion-tolerant file system. In Proc. International Conference on Computer Security, pages 203-218, 1985.

[20] J. C. Laprie. Dependability: basic concepts and terminology in English, French, German, Italian, and Japanese (Dependable Computing and Fault-Tolerant Systems). Springer-Verlag, December 1991.

[21] A. Avizienis, J.-C. Laprie, and B. Randell. Dependability and its Threats - A Taxonomy. In IFIP Congress Topical Sessions, pages 91-120, 2004.

[22] B. Awerbuch, R. Curtmola, D. Holmer, C. Nita-Rotaru, and H. Rubens. Mitigating Byzantine Attacks in Ad Hoc Wireless Networks. Technical report, Center for Networking and Distributed Systems, Computer Science Department, Johns Hopkins University, 2004.

[23] C. E. Perkins and E. M. Royer. Ad-hoc on-demand distance vector routing. In Proc. IEEE Workshop on Mobile Computing Systems and Applications (WMCSA), page 90, Los Alamitos, CA, USA, 1999. IEEE Computer Society.

[24] D. Johnson, D. Maltz, and J. Broch. DSR - The dynamic source routing protocol for multihop wireless ad hoc networks, chapter 5, pages 139-172. Addison-Wesley, 2001.

[25] A. Perrig, R. Canetti, J. D. Tygar, and D. Song. The TESLA Broadcast Authentication Protocol. RSA CryptoBytes, 5(2), 2002.

[26] Y. Hu, D. Johnson, and A. Perrig. SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks. Ad Hoc Networks, 1:175-192, 2003.

[27] Y.-C. Hu, A. Perrig, and D. B. Johnson. Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks. Wireless Networks, 11(1-2):21-38, 2005.

[28] H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for Message Authentication. RFC 2104, Internet Engineering Task Force, February 1997.


TABLE IV
SURVIVABILITY REQUIREMENTS AND INITIATIVES
(Initiatives as columns: TIARA, BFTR, ODSBR, BA, SPREAD, SMT, SDMP, CLA, PL, JA, URSA. Requirements as rows: self-configuration, self-organization, self-control, self-management, decentralization, access control, protection, authentication, integrity, confidentiality, efficiency, redundancy, scalability, robustness, heterogeneity, self-diagnose, self-healing, self-optimization. The table's cell marks were not preserved in this text.)

    [29] P. Papadimitratos and Z. Haas. Secure routing for mobile ad hoc networks. In Proc. Communication Networks and Distributed Systems Modeling and Simulation (CNDS), 2002.

    [30] P. Kotzanikolaou, R. Mavropodi, and C. Douligeris. Secure multipath routing for mobile ad hoc networks. In Proc. Conf. Wireless On-Demand Network Systems and Services (WONS), pages 89–96, Washington, DC, USA, 2005. IEEE Computer Society.

    [31] S. Marti, T. J. Giuli, K. Lai, and M. Baker. Mitigating routing misbehavior in mobile ad hoc networks. In Proc. International Conf. Mobile Computing and Networking (MobiCom), pages 255–265, New York, NY, USA, 2000. ACM Press.

    [32] M. Just, E. Kranakis, and T. Wan. Resisting malicious packet dropping in wireless ad hoc networks. In Proc. International Conf. Ad-Hoc Networks & Wireless (ADHOC-NOW), pages 151–163, Montreal, Canada, 2003.

    [33] F. Kargl, A. Klenk, S. Schlott, and M. Weber. Advanced detection of selfish or malicious nodes in ad hoc networks. In Proc. First European Workshop on Security in Ad Hoc and Sensor Networks (ESAS), volume 3313 of Lecture Notes in Computer Science, pages 152–165. Springer, 2004.

    [34] D. Djenouri and N. Badache. Struggling against selfishness and black hole attacks in MANETs, 2007. Early View. DOI: 10.1002/wcm.493. To appear 2008.

    [35] B. Hofmann-Wellenhof, H. Lichtenegger, and J. Collins. Global Positioning System: Theory and Practice. Springer, New York, 2001.

    [36] Y. C. Hu, A. Perrig, and D. B. Johnson. Packet leashes: a defense against wormhole attacks in wireless networks. In Proc. IEEE Computer and Communications Societies (INFOCOM), volume 3, pages 1976–1986, 2003.

    [37] L. Hu and D. Evans. Using directional antennas to prevent wormhole attacks. In Proc. Network and Distributed System Security Symposium (NDSS), pages 89–96, Washington, DC, USA, 2004. IEEE Computer Society.

    [38] R. C. Linger, N. R. Mead, and H. F. Lipson. Requirements definition for survivable network systems. In Proc. International Conference on Requirements Engineering (ICRE), pages 0014, Washington, DC, USA, 1998. IEEE Computer Society.

    [39] T. Anantvalee and J. Wu. Wireless/Mobile Network Security, chapter A survey on intrusion detection in mobile ad hoc networks. Springer, 2006.

    [40] A. Mishra, K. Nadkarni, and A. Patcha. Intrusion detection in wireless ad hoc networks. IEEE Wireless Commun., 11(1):48–60, 2004.

    [41] R. B. Bobba, L. Eschenauer, V. Gligor, and W. Arbaugh. Bootstrapping security associations for routing in mobile ad-hoc networks. In Proc. Global Telecommunications Conference (GLOBECOM), volume 3, pages 1511–1515, 2003.

    [42] M. G. Zapata. Secure ad hoc on-demand distance vector routing. ACM SIGMOBILE Mobile Computing and Communications Review, 6(3):106–107, 2002.

    [43] S. Yi, P. Naldurg, and R. Kravets. Security-aware ad hoc routing for wireless networks. In Proc. ACM International Symposium on Mobile Ad Hoc Networking & Computing (MobiHoc), pages 299–302, New York, NY, USA, 2001. ACM Press.

    [44] R. Ramanujan, S. Kudige, and T. Nguyen. Techniques for intrusion-resistant ad hoc routing algorithms (TIARA). In DARPA Information Survivability Conference and Exposition (DISCEX), volume 2, pages 98–100, Los Alamitos, CA, USA, 2003. IEEE Computer Society.

    [45] Y. Xue and K. Nahrstedt. Providing fault-tolerant ad hoc routing service in adversarial environments. Wireless Personal Communications: An International Journal, 29(3-4):367–388, 2004.

    [46] B. Awerbuch, R. Curtmola, D. Holmer, H. Rubens, and C. Nita-Rotaru. On the survivability of routing protocols in ad hoc wireless networks. In Proc. International Conference on Security and Privacy in Communication Networks (SECURECOMM), pages 327–338, Los Alamitos, CA, USA, 2005. IEEE Computer Society.

    [47] N. A. Boudriga and M. S. Obaidat. Fault and intrusion tolerance in wireless ad hoc networks. In Proc. IEEE Wireless Communications and Networking Conference (WCNC), volume 4, pages 2281–2286, Washington, DC, USA, 2005. IEEE Computer Society.

    [48] D. Holmer, C. Nita-Rotaru, and H. Rubens. ODSBR: An On-Demand Secure Byzantine Resilient Routing Protocol for Wireless Ad Hoc Networks. To appear in ACM Trans. Information Systems Security (TISSEC), 2007.

    [49] L. Buttyan and J.-P. Hubaux. Stimulating cooperation in self-organizing mobile ad hoc networks. Mobile Networks and Applications, 8(5):579–592, 2003.

    [50] H. Miranda and L. Rodrigues. Friends and foes: preventing selfishness in open mobile ad hoc networks. In Proc. International Conference on Distributed Computing Systems Workshops (ICDCSW), page 440, 2003.

    [51] S. Zhong, J. Chen, and Y. R. Yang. SPRITE: a simple, cheat-proof, credit-based system for mobile ad-hoc networks. In Proc. IEEE Computer and Communications Societies (INFOCOM), volume 3, pages 1987–1997, 2003.

    [52] H. Yang, X. Meng, and S. Lu. Self-organized network-layer security in mobile ad hoc networks. In Proc. 1st ACM Workshop on Wireless Security (WiSe), pages 11–20, New York, NY, USA, 2002. ACM.

    [53] V. Srinivasan, P. Nuggehalli, C.-F. Chiasserini, and R. R. Rao. Cooperation in wireless ad hoc networks. In Proc. INFOCOM, 2003.

    [54] P. Michiardi and R. Molva. CORE: a collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks. In Proc. IFIP TC6/TC11 Sixth Joint Working Conference on Communications and Multimedia Security, pages 107–121, Deventer, The Netherlands, 2002. Kluwer, B.V.

    [55] S. Buchegger and J.-Y. Le Boudec. Performance analysis of the CONFIDANT protocol: cooperation of nodes - fairness in dynamic ad-hoc networks. In Proc. IEEE/ACM Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc), Lausanne, CH, June 2002. IEEE.

    TABLE V. SUMMARIZING THE MAIN CHARACTERISTICS OF SURVIVABLE INITIATIVES

    Initiative | Layer          | Protocol dependable      | Techniques used                                                                                  | Attacks
    -----------|----------------|--------------------------|--------------------------------------------------------------------------------------------------|------------------------------------------------------------
    TIARA      | network        | yes (reactive protocols) | resource allocation, multipath, flow control, distributed firewall                               | DoS
    BFTR       | network        | yes (DSR protocol)       | neighbor monitoring                                                                              | misbehaving nodes
    ODSBR      | network        | no                       | cryptography, secure acknowledgments, link weight, neighbor monitoring                           | Byzantine
    BA         | network        | no                       | IPsec, resource allocation, recovery, distributed firewall                                       | DoS
    SPREAD     | network        | no                       | multipath, threshold secret sharing, cryptography                                                | selective forwarding, dropping, modifications, eavesdropping
    SMT        | network        | no                       | multipath, security association, dispersal scheme, message authentication code, cryptography     | selective forwarding, dropping, modifications, eavesdropping
    SDMP       | network        | no                       | diversity coding, WEP encryption, multipath                                                      | selective forwarding, dropping, modifications, eavesdropping
    CLA        | network, MAC   | no                       | intelligent multipath, directional antennas                                                      | DoS, eavesdropping
    PL         | application    | no                       | certificate chain, cross checks                                                                  | dropping, modifications
    JA         | application    | no                       | IDS, threshold secret sharing                                                                    | dropping
    URSA       | application    | no                       | cryptography, threshold secret sharing                                                           | dropping, modifications

    [56] W. Lou, W. Liu, and Y. Fang. SPREAD: enhancing data confidentiality in mobile ad hoc networks. In Proc. IEEE Computer and Communications Societies (INFOCOM), 2004.

    [57] P. Papadimitratos and Z. J. Haas. Secure data transmission in mobile ad hoc networks. In Proc. 2003 ACM Workshop on Wireless Security (WiSe), pages 41–50, New York, NY, USA, 2003. ACM Press.

    [58] R. Choudhury, X. Yang, R. Ramanathan, and N. H. Vaidya. On designing MAC protocols for wireless networks using directional antennas. IEEE Trans. Mobile Computing, 5(5):477–491, 2006.

    [59] V. Berman and B. Mukherjee. Data security in MANETs using multipath routing and directional transmission. In Proc. IEEE International Conference on Communications (ICC), volume 5, pages 2322–2328. IEEE Computer Society, 2006.

    [60] A. Shamir. How to share a secret. Communications of the ACM, 22(11):612–613, 1979.

    [61] D. Maughan, M. Schertler, M. Schneider, and J. Turner. Internet security association and key management protocol (ISAKMP). RFC 2408, Internet Engineering Task Force, November 1998.

    [62] M. O. Rabin. Efficient dispersal of information for security, load balancing, and fault tolerance. Journal of the ACM, 36(2):335–348, 1989.

    [63] E. Ayanoglu, C.-L. I, R. D. Gitlin, and J. E. Mazo. Diversity coding for transparent self-healing and fault-tolerant communication networks. IEEE Trans. Commun., 41(11):1677–1686, November 1993.

    [64] S. Capkun, L. Buttyan, and J.-P. Hubaux. Self-organized public-key management for mobile ad hoc networks. IEEE Trans. Mobile Computing, 2(1):52–64, 2003.

    [65] P. R. Zimmermann. The official PGP user's guide. MIT Press, Cambridge, MA, USA, 1995.

    [66] D. Joshi, K. Namuduri, and R. Pendse. Secure, redundant, and fully distributed key management scheme for mobile ad hoc networks: an analysis. EURASIP J. Wireless Communications and Networking, 2005(4):579–589, 2005.

    [67] W. Stallings. Cryptography and Network Security, fourth edition. Prentice Hall, 2006.

    [68] S. Yi and R. Kravets. MOCA: Mobile certificate authority for wireless ad hoc networks. In Proc. PKI Research Workshop (PKI), 2003.

    Michele Nogueira Lima is a Ph.D. student at University Pierre et Marie Curie, Laboratoire d'Informatique de Paris 6 (LIP6), with financial support from CAPES/Brazil, grant 4253-05-1. Michele received her M.Sc. in Computer Science from the Federal University of Minas Gerais, Brazil, in 2004. She has worked in the security area for many years; her research interests include security, wireless networks, intrusion tolerance and dependability.

    Aldri Luiz dos Santos is a professor at the Department of Informatics of the Federal University of Paraná and was a visiting researcher at the Department of Computer Science of the Federal University of Ceará. Aldri received his Ph.D. in Computer Science from the Department of Computer Science of the Federal University of Minas Gerais, Belo Horizonte, Brazil. Aldri received both his M.Sc. and B.Sc. in Informatics from the Federal University of Paraná, Curitiba, Brazil. He is a member of the SBC (Brazilian Computing Society).

    Guy Pujolle received his Ph.D. in Computer Science from the University of Paris IX in 1975. He is currently Professor at the University Pierre et Marie Curie and a member of the Scientific Advisory Board of the France Telecom Group. Pujolle is chairman of the IFIP Working Group on Network and Internetwork Architectures. His research interests include wireless networks, security, protocols, high performance networking and intelligence in networking.
