Avoidance of misbehaving nodes in wireless mesh networksam/media/publications/Avoidance... · 2016. 12. 8. · Avoidance of misbehaving nodes in wireless mesh networks T. Grinshpoun,

SECURITY AND COMMUNICATION NETWORKSSecurity Comm. Networks 2014; 7:1096–1114

Published online 22 July 2013 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.841

RESEARCH ARTICLE

Avoidance of misbehaving nodes in wirelessmesh networksTal Grinshpoun1 *, Amnon Meisels1 and Eyal Felstaine2

1 Department of Computer Science, Ben-Gurion University of the Negev, Beer-Sheva, Israel2 Department of Information Systems Engineering, Ben-Gurion University of the Negev, Beer-Sheva, Israel

ABSTRACT

A wireless mesh network is a self organized set of nodes that are connected by wireless links. Communicating partiesthat are not in wireless range of each other relay packets via intermediate nodes. A common approach to wireless meshrouting is reactive routing, where a fixed path between the communicating endpoints is established on-demand when a newsession is initiated. This paper proposes a distributed algorithm which guarantees service even when some wireless meshnodes deliberately change, discard, or misroute data packets to disrupt service. When a misbehaving route is encountered,the proposed algorithm starts a process in which a “virtual” cost penalty is iteratively added to suspicious nodes anda new shortest route is derived until the disrupted path is replaced with one that avoids the misbehaving nodes. Thealgorithm enables proactive calculation of several alternative routes. The proactively calculated routes can be used toperform multipath routing that drastically enhances the robustness of the algorithm versus adversaries that dynamicallychange their behavior. Our algorithm can co-exist with common reactive wireless routing protocols. Furthermore, althoughevery intermediate nodes may be malicious, the proposed algorithm does not impose costly authentication of messagesfrom the participating intermediate nodes. This means that existing deployed infrastructures of wireless mesh nodes canbe software-modified to work with the algorithm. We show that the proposed algorithm quickly converges to efficientalternative routes and present a bounded complexity for its time, communication, and computation overhead. Copyright ©2013 John Wiley & Sons, Ltd.

KEYWORDS

wireless routing; intrusion mitigation; security and system performance tradeoffs

*Correspondence

Tal Grinshpoun, Department of Computer Science, Ben-Gurion University of the Negev, Beer-Sheva, Israel.E-mail: [email protected]

1. INTRODUCTION

A wireless mesh network (WMN) [1] is a self organized,decentralized, relatively inexpensive, and moderately reli-able network, made of nodes that are inter-connected bywireless links. Mesh router nodes form the backbone of theWMN and have minimal mobility, whereas mesh clientsare mobile nodes that usually act as session endpoints.Mesh nodes forward packets on behalf of other nodes thatmay not be within direct wireless transmission range oftheir destinations.

The routing in WMNs is typically performed byprotocols designed for mobile ad hoc networks(MANETs). Nevertheless, several routing protocols ded-icated to WMNs were recently proposed. The wirelessmesh networks routing protocol (MRP) [2] exploits thespecial structure of WMNs with a centralized structure toachieve improved performance. Ruiz and his colleaguesproposed the use of multicast routing for WMNs [3],

whereas other researchers attempted to utilize the use ofmultiple radios that are available in some WMNs [4,5].Some of the proposed protocols for secure routing inWMNs strongly rely on the existence of a public-keyinfrastructure [6–8]. Although this assumption is reason-able in infrastructured WMNs, it is not always the case inhybrid WMNs, where some of the nodes may belong todifferent entities [1].

The limited mobility of mesh routers implies that routesbetween specific source and destination nodes will remainvalid over long periods of time, unlike in the case ofMANETs, where routes change rapidly. However, if amalicious, selfish, or simply overloaded node resides onsuch a long-living route, it may delay, change, drop,corrupt, or replay packets going through it and impactthe entire session. WMNs typically employ low-cost out-door devices that cannot be protected against removal,tampering, or replication by an adversary. Secure WMNrouting protocols are difficult to design because the usage

1096 Copyright © 2013 John Wiley & Sons, Ltd.

T. Grinshpoun, A. Meisels and E. Felstaine Avoidance of misbehaving nodes in wireless mesh networks

of low cost devices in WMNs leads to a scarcity in CPUresources, nodal storage space, and bandwidth. As a result,CPU-intensive, bandwidth-consuming, and cumbersomesecurity mechanisms may consume excessive resources,leading to many new opportunities for denial-of-service(DoS) attacks through the routing protocol.

Following the depicted characteristics and vulnerabil-ities of WMNs, it is clearly essential to deal with theproblem of misbehaving nodes. However, mitigating mis-behavior might turn out very costly. Thus, methods thataddress this problem must be evaluated by several qual-ity measures. The first measure is the convergence time ofthe network to a state of misbehavior-free communication.Another important measure is the continuity of commu-nication. This measure refers to the amount of time thata communication session might be idle due to misbehav-ior. This can also be considered as the survivability of thenetwork. The quality of the resulting misbehavior-free ses-sion is also of interest. An appropriate quality measure fora session is the length (number of hops) of the resultingroute. The computational burden on the nodes, as well asthe time and communication overhead are also to be takenunder consideration when trying to deal with misbehavior.These issues are especially important in WMNs due to thementioned characteristics of the mesh nodes. The relevantassessments are depicted in Sections 5 and 6.

A common approach for detecting misbehaving nodesis using watchdog agents that run on nodes and spyon peers in their vicinity [9]. The watchdog verifiesthat a packet received by an observed peer is indeedforwarded and is identical to the one received. Thisapproach inevitably imposes a heavy communication bur-den on the WMN resources because every mesh node thatacts as a watchdog must listen in a promiscuous modeand constantly exchange observations with collaborativewatchdogs to gather and distribute reputation informa-tion [10,11]. Watchdogs might also be unable to detect amisbehaving node in the presence of packet collisions andamid a coalition of adversaries [9].

Similarly to watchdogs, collecting information onneighboring peers is the basis for a number of attempts tosecure WMN routing. The enhanced secure routing proto-col for wireless mesh networks (E-SRPM) [12] uses infor-mation of previous unsuccessful communications withneighboring nodes as one of the parameters for selectingroutes. Two secure WMN routing protocols were proposedby Sen [13]. The first protocol relies on estimated reliabil-ity of routing paths by collecting information regarding thewireless links to one-hop neighbor nodes, whereas the sec-ond is a trust-based protocol that uses local observationsfor detecting selfish nodes.

Several solutions aim at protecting the route dis-covery process. The secure routing protocol [14] usesend-to-end authentication to prevent impersonation andreplay attacks during route discovery. The Ariadne pro-tocol [15] secures routing messages by requiring authen-tication for each intermediate node. Ariadne uses eitherpair-wise shared keys that require a high setup over-

head, or Tesla [16], which is a broadcast authenti-cation scheme that requires loose time synchroniza-tion. Similar security goals are achieved by using thesecure efficient ad hoc distance vector routing pro-tocol (SEAD) [17], which uses one-way hash chainsto provide authentication, and by using the secureroute discovery protocol (SRDP) [18], which relies onshared-key message authentication codes and public keysignatures.

Routing misbehavior caused by a misbehaving node canbe detected at the endpoints of a wireless communicationsession by applying a reliable authentication mechanism.Upon detecting such misbehavior, the on-demand secureByzantine resilient routing protocol (ODSBR) [19] startsworking in a probing mode, in which it attempts to pin-point a culprit link. Subsequently, it penalizes the linkand initiates a new route discovery process to bypass themisbehaving node.

Another method for bypassing misbehaving nodes isTIARA overlay routing [20], which uses a set of prede-fined “buddy” nodes. Whenever misbehavior is detected bythe endpoints, the algorithm selects a buddy node and initi-ates a route discovery process to find the shortest path thatgoes through the buddy node. In case the new path fails atbypassing the misbehaving node, this process is repeatedusing another buddy node.

Both ODSBR and TIARA overlay routing assume thatthe network is not open. Specifically, that there existsa public-key infrastructure administered by a certificateauthority. ODSBR requires this for its probing mode,whereas overlay routing must be familiar with the networkto create the set of buddy nodes.

In this paper, we present a wireless mesh routingalgorithm that bypasses misbehaving nodes. At its firststage, the algorithm effortlessly detects problematic routes(similar to ODSBR and TIARA). Then, it marks all nodeswithin these routes as suspects (of misbehavior). Finally, itfinds new routes that avoid the misbehaving nodes. This iscarried out by penalizing the costs of routes that go throughsuspects.

Although all the described schemes (the proposed algo-rithm, ODSBR, and TIARA) attempt to achieve the samegoal of bypassing misbehaving nodes, the ODSBR proto-col attempts to first pinpoint a culprit link. This compu-tationally expensive task may be used by a sophisticatedadversary to prevent ODSBR from ever initiating a newroute discovery process. On the other hand, our proposedalgorithm promptly initiates a new route discovery pro-cess. Moreover, the proposed algorithm enables proactivecalculation of several alternative routes. These routes canbe used to perform multipath routing that provides promptdiscovery of misbehavior-free routes along with survivabil-ity and continuous communicability of the network even inthe presence of multiple misbehaving nodes.

Another important contribution of the proposed algo-rithm is that the mesh routers only perform light compu-tations, exclusive of any form of cryptographic operations.Nevertheless, the computational burden on the endpoints

Security Comm. Networks 2014; 7:1096–1114 © 2013 John Wiley & Sons, Ltd. 1097DOI: 10.1002/sec

Avoidance of misbehaving nodes in wireless mesh networks T. Grinshpoun, A. Meisels and E. Felstaine

is similar to that in other approaches, such as ODSBR andTIARA overlay routing. Thus, the important advantages ofthe proposed algorithm are as follows:

� The algorithm does not expect mesh routers to signor authenticate packets that pass through. This meansthat an increase in the processing power of meshrouters or usage of dedicated hardware is not required.

� The proposed solution relies only on authenticationkeys that reside at the endpoints and does not need atrusted key infrastructure at the mesh routers. Apartfrom being complicated and vulnerable, key infras-tructure requires larger memory in mesh routers andconsumes bandwidth for periodic maintenance. Atrusted key infrastructure is still required for eachpair of communicating mesh clients. However, thisrequirement is reasonable, because two communicat-ing endpoints know and trust each other in the firstplace.

� Algorithms such as ODSBR and TIARA overlay rout-ing require a closed network with a certified authority.However, the proposed algorithm can be applied indynamic and more realistic networks that lack anyform of centralized authority.

� Multipath routing can be enabled with the new algo-rithm. This results in effective route discovery, surviv-ability, robustness, and continuous communicabilityof the network even in the presence of several misbe-having nodes.

� The communications overhead and convergence timeof the proposed algorithm are shown to be boundedand competitive. It is comparable with the overheadthat is required for finding a route in the absence ofmisbehaving nodes.

� In simulation experiments it was found that thelengths of the alternative routes are close to optimal.

The first two properties essentially mean that unlikeODSBR, it is possible to incorporate the proposed algo-rithm into state of the art WMNs without imposing asignificant change to the existing routing hardware, whichis impractical for already deployed WMNs.

The rest of this paper is organized as follows. Section 2provides an overview of the proposed algorithm, andSection 3 presents several extensions. The resilience ofour scheme to various attacks is presented in Section 4,and an analysis of the overhead complexity is provided inSection 5. Section 6 includes an experimental evaluation ofthe proposed algorithm. The conclusions are presented inSection 7.

2. ALGORITHM OVERVIEW

The avoidance of misbehaving nodes (AVOMIN) algorithmworks on top of an underlying source routing protocolthat performs a distributed version of shortest path routing(DSR) [21]. The DSR protocol is described in Section 2.1.For simplicity, we assume that all the links in the communi-cation graph are bidirectional and that the routing protocol

uses the traditional number-of-hops metric, that is, a uni-form weight of 1 is given to all the links in the network.When the entire network behaves properly, AVOMIN doesnot alter the shortest path routes detected by the underlyingrouting protocol.

The AVOMIN algorithm comes into action when a nodealong an active session route starts misbehaving. The exis-tence of misbehaving nodes is discovered by a reliableauthentication mechanism that is deployed at the edgesof every wireless communication session. Hence, the end-points identify cases of forged, dropped, duplicated, oraltered packets. After the number of these occurrencessurpasses a predefined threshold, the session is consid-ered to be affected by node misbehavior. The source nodedefines this route as a suspected route, and the set of nodesalong the suspected route (not including the source anddestination nodes) are defined as the suspect list.

In an attempt to avoid the misbehaving node, the algo-rithm temporarily and gradually assigns an artificial weightto all the nodes that belong to the suspect list. Namely,the weights of the suspected nodes are increased by apredetermined ı value.

The routing algorithm is likely to discover a new paththat bypasses the misbehaving node. However, in the eventthat an increase in weight does not yield a route that is freeof misbehaving nodes, the secure layer at the endpointscontinues to detect suspicious behavior. The iterative pro-cess of increasing ı to the weights of the suspected nodescontinues until a route free of misbehaving nodes is dis-covered. Throughout the iterative process, the same sus-pect list (which was derived from the original suspectedroute) is used. This enables the proactive routes calculationextension that is described in Section 3.1.

The artificial increase in weight is performed per senderand does not impact sessions from any other senders.Namely, the nodes do not increase these weights when for-warding packets belonging to sessions of other senders.This separation between the real weights and the arti-ficially increased weights disallows potential blackmailattacks [15], in which a malicious node tries to impairthe overall throughput of the network by falsely accus-ing well-behaving nodes of misbehavior. Consequently, amalicious node that tries such an attack will only harm itsown sessions, which is clearly useless.

The sender may also choose to periodically reset its sus-pect list to allow the resuscitation of nodes that were onlytemporally misbehaving. Such resuscitation is inherentlyachieved when the multipath routing extension is used (seeSection 3.3).

As an example, consider the wireless mesh networkdepicted in Figure 1. The network is composed of severalwireless mesh routers. A link between two mesh routersindicates that the receiver can hear the sender and thus thelink is capable of relaying packets.

Assume that endpoint devices S (source) and D (desti-nation) establish a session. As evidenced by the links inFigure 1, the shortest path is {S, K, J, I, D} (the weight ofthe path equals the number of hops which is 4). Assum-

1098 Security Comm. Networks 2014; 7:1096–1114 © 2013 John Wiley & Sons, Ltd.

DOI: 10.1002/sec


Figure 1. Example network.

ing that S and D detect misbehavior in their session thatsurpasses a predefined threshold, node S decides that theroute is suspected. Node S knows the full route of thesession, because an underlying source routing protocol isused. Consequently, node S defines the suspect list {K, J, I}and distributes it throughout the network as part of a newroute discovery process.

During the new route discovery process, the weights ofthe nodes in the suspect list ({K, J, I}) are increased (penal-ized) by ı, which is equal to 0.6 in this example. Figure 2presents the same network after the new route discoveryprocess is completed.

As can be seen in Figure 2, penalizing ı’s were added tothe three nodes of the original route – K, J, and I. Conse-quently, the new weight of route {S, K, J, I, D} is now 5.8,which is not the shortest path anymore. The new “shortest”path is {S, O, N, M, I, D}, and its weight is 5.6.

In case the real misbehaving node is K or J, the outcomeof the route discovery process is a successful bypassing andavoidance of the misbehaving node. However, if node I isthe misbehaving node, the endpoints S and D are likely toobserve misbehaving activity along the new “shortest” path(which contains the misbehaving node I). Consequently,an additional iteration of the route discovery process isneeded. This is carried out by adding another ı to allthe nodes in the suspect list, increasing their penalty to1.2. After the second iteration, the new weight of route{S, O, N, M, I, D} is 6.2, which is no longer the shortestpath. The new shortest path is any 6-hop route that containsno suspected nodes, for example {S, L, H, G, F, E, D}, andits weight is 6.0.

2.1. Dynamic source routing

The dynamic source routing protocol (DSR) [21] is awidely used reactive on-demand routing protocol for wire-less networks and specifically WMNs. It is based on source

routing, in which every packet holds the entire route pathconsisting of the addresses of all the nodes in the route.DSR is comprised of two mechanisms that work togetherand allow the discovery and maintenance of source routesin DSR. Route discovery is the mechanism by which asource node S that aims at sending a packet to a destinationnode D obtains a source route to D. Route maintenance isthe mechanism by which node S is able to detect, whileusing a source route to D, if the network topology haschanged in such a way that it can no longer use its route toD. In such a case, node S can invoke a new route discoveryprocess.

The route discovery mechanism is illustrated inFigure 3. When a source node S wishes to communicatewith a destination node D without knowing any paths toD, S initiates a route discovery process. S starts by trans-mitting a route request (RREQ) message that contains theaddress of D to all its neighbors. The neighbors in their turnappend their own addresses to the first RREQ they receiveand retransmit it. Each node discards multiple copies of thesame RREQ. Consequently, the RREQ message is floodedthroughout the network until it reaches its destination.Upon receiving the RREQ, the destination node D sendsa route reply (RREP) message back to the source node S.Assuming that the links are bidirectional, the RREP canbe sent back to S in exactly the reverse way that the cor-responding RREQ reached D. Otherwise, another floodingphase is initiated by D with a message containing the pathfrom S to D.

The route maintenance mechanism operates entirely on-demand. It does not use any link status sensing or neighbordetection messages, and does not rely on such functionsfrom any underlying layer of the network. Instead, a linkbreak is detected only when a node forwarding a packet tothe next node in the route path notices that its packet didnot reach the next node. This method of detection is pos-sible by using a confirmation that a packet was received



Figure 2. Example network with suspected nodes (circled).

DS

DS

(b)(a)

Figure 3. Route discovery. (a) Node S sends a RREQ to find a path to node D. The route request (RREQ) is flooded throughout thenetwork. (b) Node D sends back to S a route reply by using the bidirectional path contained in one of the RREQ messages that

reached it.

by the next node along the source route. Such confirmationmay be provided at no cost by an already existing stan-dard part of the MAC protocol in use (for example IEEE802.11 [22]).

2.2. Route discovery in avoidance ofmisbehaving nodes

The choice of using DSR as the underlying routing proto-col is not accidental. Only a source routing protocol suchas DSR inherently provides a suspect list that the AVOMINalgorithm can use. In other protocols such as optimizedlink state routing (OLSR) [23], destination-sequenced dis-tance vector routing (DSDV) [24], and ad-hoc on-demanddistance vector routing (AODV) [25], the routing protocoluses local information from each intermediate node. Whenusing such protocols, node misbehavior can be detectedwith the help of watchdog agents [9]. However as dis-cussed in the introduction, such a routine heavily burdensthe intermediate nodes and may not always detect mis-behavior. As a result, AVOMIN’s endpoint-to-endpointapproach would lose its appeal. Consequently, DSR is usedas the underlying routing protocol henceforward.

When the network behaves properly, new routes are dis-covered using the original route discovery mechanism ofDSR. The AVOMIN algorithm comes into action whenmisbehavior is detected during some session. At that point,the source node of the session creates a suspect list, andinitiates a new route discovery process (Algorithm 1).However, contrary to the DSR route discovery, the RREQmessages that are flooded throughout the network also holdthe suspect list. The part in the RREQ message holding thesuspect list and the iteration number is digitally signed bythe source node to deal with possible attacks on the proto-col (Section 4). Notice, that sessions that are not affectedby misbehavior still use the original DSR route discoverymechanism.

An intermediate node which receives a RREQ messagethat was originated by S first calculates the route’s weight.In the DSR protocol the weight calculation is straightfor-ward, since the RREQ message received at a given nodecontains the route from the source to that node. Howeverin AVOMIN, penalizing ı’s should be added for suspectednodes that belong to the current route. This is done by mul-tiplying the number of suspected nodes in the route by the


DOI: 10.1002/sec


predefined ı, and adding the resulting value to the DSRweight (Algorithm 2).

After receiving RREQ messages from several of itsneighbors, the intermediate node prunes all the ones thatdo not have the minimal weight. It then appends its iden-tity to the route with minimal weight (according to its owncalculations), and resends the RREQ message. Notice, thatto prune non-minimal routes, the node has to wait for sometime before it forwards the RREQ message. Section 3.2discusses the optimal waiting time.

Once a RREQ message reaches the destination node,the latter creates a RREP message containing the receivedroute. It then digitally signs the RREP message (seeSection 4) and sends it in the reverse path of the routerequest (Algorithm 3). This can be carried out under theassumption that the links are bidirectional.

It seems very tempting to try and pinpoint the misbe-having nodes once a suspect list is available. The ODSBRprotocol [19] follows this plan as it enters its probingmode. Our analysis (Section 5) and experimental eval-uation (Section 6) show that such an approach is not

necessarily worthwhile. The fact that in AVOMIN only theendpoints need to sign and verify the messages enablesthe use of already deployed WMNs without any form oftrusted key infrastructure at the mesh routers.

To demonstrate the AVOMIN route discovery process,consider the intermediate node F depicted in Figure 2.Node F receives a RREQ message from node J, whichcontains the route {S, K, J}. Because both K and J are sus-pected nodes, node F adds two ı’s to the number of hops,which is 2 excluding the (J, F) hop. Given ı = 0.6, theresulting weight is 3.2. However, this message is pruned,because F also receives an RREQ message from G, whichconsists of 3 hops and no suspected nodes ({S, L, H, G}).Node F appends its identity to the partial route and resendsthe updated RREQ message – {S, L, H, G, F}. Eventuallyan RREQ message reaches the destination node D, say{S, L, H, G, F, E, D}. Node D creates a RREP messagecontaining the received route and sends it in the reversepath {D, E, F, G, H, L, S}.

3. PROTOCOL EXTENSIONS

3.1. Proactive routes calculation

The route discovery process discussed in Section 2.2imposes the flooding of RREQ messages throughout thenetwork. When several iterations are needed until a routefree of misbehaving nodes is found, the implied messag-ing overhead can become substantial. To mitigate suchan overhead we propose the proactive routes calculationmethod.

The idea is to proactively calculate the routes resultingfrom future iterations. This can be achieved by extendingthe initial RREQ message to include the shortest routes forseveral iterations in advance (Algorithm 4). An interme-diate node gathers all the routes it receives and choosesthe shortest route for every iteration (Algorithm 5). Thenode therefore forwards an RREQ message consistingof the shortest route for the first iteration, the shortestroute for the second iteration, . . . , and the shortest routefor the k’th iteration, where k is a predefined numberof proactively calculated iterations. The route reply mes-sage consists of the k resulting routes (Algorithm 6). Theshortest routes from all the iterations can be proactively



calculated because the same suspect list is used throughoutthe iterative process, and only the iteration number changes(see Algorithm 1).

At the end of the proactive route calculation, the sourcenode has all the necessary data to repenalize the suspectednodes and find alternative routes, without having to floodthe network all over again. The source node can also skipredundant iterations, where the resulting route does notchange.

Table I. Results of proactive routes calculation for the networkdepicted in Figure 2.

Iteration Penalty Shortest route Weight

Original route 0.0 {S, K, J, I, D} 4.0First iteration 0.6 {S, O, N, M, I, D} 5.6Second iteration 1.2 {S, L, H, G, F, E, D} 6.0Third iteration 1.8 {S, L, H, G, F, E, D} 6.0

For example, consider the network depicted in Figure 2with ı = 0.6 and k = 3. The source node S will receive theshortest route for every iteration as listed in Table I. Noticethat the third iteration is redundant, because it obtainsexactly the same route as the second iteration. Such aredundant iteration will be skipped by the source node.

3.2. Route request waiting mechanism

The route discovery process in AVOMIN consists of twophases – RREQ and RREP. The RREQ messages areflooded throughout the network. If no misbehavior isdetected, the AVOMIN RREQ is identical to the DSRRREQ [21] and consists of V transmissions (all the nodestransmit the RREQ after they have received it for the firsttime). However, when the RREQ contains a suspect list,some of the intermediate nodes must transmit the RREQseveral times. This can happen when a node first receives aRREQ that has passed through several suspects, and lateron it receives a second copy of the RREQ that has passedthrough a longer path but with less (or no) suspects, whichhas a lower weight than the first path. In the worst case, theRREQ is transmitted an exponential number of times [26].

To prevent such redundant transmissions, we suggest awaiting mechanism in which an intermediate node waitsbefore forwarding a RREQ message. Each node transmitsthe RREQ message only once, cutting down the overallnumber of RREQ transmissions in the network to V , as inDSR [21].

The most important aspect of the RREQ waiting mecha-nism is deciding on the amount of time that an intermediatenode should wait before forwarding a RREQ. Consider theweight of the first copy of the RREQ message that an inter-mediate node I receives as WROUTE, which is composed of


DOI: 10.1002/sec


the length of the route with the addition of ı’s associatedwith suspected nodes. The receiving node needs to wait forcopies of the RREQ with a lower cost than that of the firstcopy it has received. Knowing the value of WROUTE, thenode under discussion can derive the length of the longestpossible route that it must wait for, which is likely to be aroute that contains no suspects. Consequently, the maximalpossible length of a route is bounded to bWROUTEc.

We denote Thop as the maximal time it takes for a RREQmessage to advance a single hop. Thop includes both theprocessing time within an intermediate node and the trans-mission time of the message before it reaches the nextnode. We can use such an upper bound, because a nodeor a link that operates slower than this bound is consid-ered malfunctioned and is temporarily removed from thenetwork.

By combining the maximal route length and the maxi-mal hop time, we derive that the maximal time that it mighttake the lowest cost RREQ to reach node I is bWROUTEc �

Thop.However, node I is not aware of the exact time in which

the RREQ was originally sent by the source node S. Thisproblem is solved by applying loose time synchronizationbetween nodes. Let � be the maximum time synchroniza-tion error between any two nodes; the value � must beknown by all nodes. Consequently, each intermediate nodehas to wait an extra �. These additional � values accu-mulate in every hop. Thus, the maximal waiting time isas follows:

Twait = TIMEmsg + bWROUTEc � (Thop +�) – TIMEI (1)

where TIMEmsg is the time when the source node S sentthe original RREQ message and TIMEI is the current timeat node I.

The waiting time for the destination node D incor-porates the waiting times for all intermediate nodesbecause the mutual synchronization with the source nodeS (TIMEmsg). Consequently, Twait for node D reflects thetotal time overhead incurred by the waiting mechanism.

Note that to apply the RREQ waiting mechanism, theTIMEmsg field has to be added to the RREQ messages. Itshould be digitally signed along with the S_LIST field toensure that an adversary cannot change its value withoutbeing noticed.

The RREQ waiting mechanism can also be appliedalong with the proactive routes calculation method(Section 3.1). It is important to notice that the longestpossible route grows as the penalty to each suspectednode grows. Consequently, the longest possible route in aproactive route calculation is found in the k’th (last) iter-ation. Thus, we can derive the maximal waiting time withproactive routes calculation:

Twait_pro = TIMEmsg +�

WROUTEk

˘� (Thop +�) – TIMEI

(2)

3.3. Multipath routing

Survivability is a vital property of wireless networks.It means that even amid adversaries, the communica-tion in the network should remain continuously operative.AVOMIN with multipath routing enables the endpointsto continuously communicate throughout a timely conver-gence phase even amid an attack of several adversaries,thus drastically improving the network’s survivability.

The AVOMIN multipath routing algorithm, which isdeployed by the endpoints, is described as follows:

(1) Run a proactive routes calculation (Section 3.1) toobtain up to K different routes between the sourcenode S and the destination node D. We refer toeach of the attained routes as a subflow. This stepcould be executed in advance before any misbehav-ior has occurred in order to reduce the setup time ofAVOMIN. In case the dropped-packet ratio (DPR) ofthe shortest path surpasses a predefined � value, thesession is considered to be carried by misbehavingnodes, and the algorithm advances to stage 2.

(2) Assign a fitness score to each subflow. The initialscore depends on the length of the subflow – shortersubflows (in terms of number of hops) gain higherinitial scores (see Formula 3).

(3) Distribute the packets that belong to the sessionamong the different subflows according to a prede-fined policy. Subflows with a higher fitness score willrelay a larger portion of the packets.

(4) Keep track of the DPR of each subflow and use itto update the fitness score of the subflow, which iscalculated using the following formula:

FITNESSsubflow =(1 – DPR)2

length(3)

Then, go back to stage 3 and distribute the pack-ets among the subflows by using the new fitnessscores. Throughout the session, any dropped packetis retransmitted by node S through a subflow differ-ent from the one that has initially dropped the packet.This is carried out to reduce the chances of a droppedretransmitted packet, a property which is importantto the survivability of the network.

For example, consider the network depicted in Figure 4and the proactively calculated route list presented inTable I. In this simple example, the subflows (denom-inated as SF) are – {S, K, J, I, D} (SF0, which is alsothe original shortest path), {S, O, N, M, I, D} (SF1), and{S, L, H, G, F, E, D} (SF2). These subflows are attained inadvance (see Section 3.1) even before any misbehavior hasoccurred to reduce the setup time in the event that mis-behavior does eventually occur. Nevertheless, in case nomisbehavior is detected in SF0, the other subflows are notused. However, in case the DPR, the percentage of thepackets that do not reach the destination, surpasses a prede-



Figure 4. Example network with multipath routing.

fined � threshold, the protocol begins to work in multipathrouting mode.

Consider I to be an adversary that maliciously desiresto hinder the communication within the network. Assumethat at some point the adversary begins dropping half of thepackets that it receives. Consequently, the DPR of subflowSF0 surpasses the � threshold (in this example � = 20%),and the protocol begins to work in multipath routing mode.At this stage only SF0 has DPR data. Hence, the initialfitness score of subflows SF1 and SF2 relies solely on theirlengths, whereas SF0 also relies on the measured DPR:

FITNESSSF0 =(1 – 0.5)2

4= 0.0625

FITNESSSF1 =(1 – 0)2

5= 0.2

FITNESSSF2 =(1 – 0)2

6= 0.1667

The aim in using a square of (1-DPR) in the formula, is todrastically reduce the fitness scores whenever misbehavioroccurs.

Now, the packets need to be distributed on the basis ofthe fitness scores of the subflows. In this example, the shareof packets that are routed through a subflow is calculatedby the formula:

%PACKETSSFi =

�FITNESSSFi

�2Pk

j=1

�FITNESSSFj

�2(4)

Thus, at this stage, 5.4% of the packets would be routedusing SF0, 55.8% would be routed using SF1, and 38.8%would be routed using SF2. Because node I resides on SF1,and because it continues to drop half of the packets that it

receives, the DPR of subflow SF1 also reaches 50%. Thus,its new fitness score is as follows:

FITNESSSF1 =(1 – 0.5)2

5= 0.05

Consequently, at this stage 11.4% of the packets wouldbe routed using SF0, 7.3% would be routed using SF1, and81.3% would be routed using SF2. Hence, 81.3% of thepackets in the session would bypass the malicious node,and 90.4% would not be dropped. If node I decides to dropa larger share of the packets, it would just cause the fit-ness scores of the subflows that it resides on (SF0 and SF1)to further drop. Thus, the adversary enters a “catch-22”state, in which it must forward packets correctly to pre-vent its subflow’s fitness score from dropping and therebycutting him out of the data stream. The continuous updateof fitness scores allows the algorithm to effortlessly adaptto changes in the adversarial behavior. It also allows theresuscitation of subflows. For example, if node I was onlytemporarily misbehaving as a result of some malfunction,the fitness scores of subflows SF0 and SF1 would even-tually increase, and a large share of the packets would bepassed through them.

If all the subflows experience misbehavior then theaggregated dropped-packet ratio of the multipath sessionmay surpass the threshold. This obviously requires findingnew subflows by applying an additional proactive routescalculation. This time, the suspect list used for the calcu-lation consists of the nodes in all the failed subflows (SF0,SF1, and SF2 in our example).

The presented example shows how AVOMIN multipathrouting copes with sophisticated adversaries that selec-tively drop packets. Other examples include a consistentadversary or a totally malfunctioned node, both of whichconsistently drop all the received packets. In such cases,the respective subflows suffer from 100% DPR, thus no


DOI: 10.1002/sec


traffic would be passed through them. However, the end-points would still periodically relay a very small amount ofpackets through these subflows to allow their resuscitation.

Naturally, when using multipath routing, not all thepackets arrive at their destination appropriately. Thereare commonly two ways to deal with this problem. Thefirst one is retransmitting such packets. A variation ofthis approach that uses alternate subflows is used in theAVOMIN multipath routing algorithm (stage 4). The otherapproach is to replicate packets in advance and to dis-tribute them between different paths with or without cod-ing [27–29]. The assumption in such an approach is thatthe different paths are disjoint and each has a similarchance of packet dropping. For this reason, solutions thatfollow this approach (e.g., erasure coding [27]) are notfitted for working with AVOMIN’s subflows. Moreover,because the subflows in AVOMIN are computed especiallyto circumvent the misbehaving nodes, any solution thatproactively replicates packets adds a redundant overheadand is therefore considered an overkill.

One may notice that the computation of a subflow’sfitness (Formula 3) resembles the expected transmis-sion count metric (ETX) for finding high-throughputroutes [30]. The ETX of a link considers the delivery ratio(1-DPR), whereas the ETX of an entire route is a sum-mation of the ETX for each link in that route. It is notsurprising that both the ETX metric and Formula 3 con-sider the DPR along with the length of the route, because itwas shown that only when considering both these factors,one can appropriately measure a route’s throughput [30].

4. RESILIENCE TO ATTACKS

The AVOMIN algorithm is resilient to many forms ofattacks. Next, we introduce various known attacks againstrouting protocols and describe how the AVOMIN algo-rithm handles these attacks.

A black hole attack is a basic attack in which the adver-sary drops entirely or selectively data packets, while stillparticipating in the routing protocol. We also considerattacks where an adversary alters, corrupts, duplicates, orforges data packets as cases of the black hole attack.

The AVOMIN algorithm uses a reliable authentica-tion mechanism that is deployed at the endpoints todetect packet losses (including packet alteration, corrup-tion, duplication, and forging). When the number of lostpackets becomes higher than a threshold � , a black holeattack is detected. At that point, the AVOMIN algorithmattempts to find a new route that bypasses the adversary bypenalizing suspected nodes. The algorithm will continuewith the process of penalizing suspected nodes until it findsa route free of misbehavior.

In a flood rushing attack [31] the adversary respondsquickly to RREQ messages and promptly forwards them.This attack exploits the fact that many wireless routingprotocols (for example, DSR [21]) forward only the first

copy of each RREQ message they receive. This way, anadversary may control many paths in the network.

The flood rushing attack cannot occur in AVOMIN,because the algorithm retransmits a RREQ message if ithas a lower metric than a previously arrived copy of thesame RREQ (due to penalized nodes). In case an adversarythat is not suspected of misbehavior uses flood rushing tocontrol a path and then begins dropping packets (black holeattack), the AVOMIN algorithm will mark it as a suspectand penalize it. Moreover, applying the waiting mechanism(Section 3.2) completely mitigates rushing attacks.

A blackmail attack [15] is when an adversary accuses agood node of misbehaving. This attack was originally dis-cussed as an attack against the watchdog mechanism [9].However, blackmailing may be applied against any pro-tocol that maintains knowledge about past misbehavior,such as the penalized nodes in AVOMIN. Nevertheless,the AVOMIN algorithm is resilient to blackmail attacks,because knowledge about a past misbehavior is maintainedin the context of the sender and only the sender can createsuspect lists. Consequently, an adversary can only falselyaccuse nodes in the context of its own sessions, which isclearly useless.

In the wormhole attack [32,33], an adversary, or poten-tially multiple colluding adversaries, surreptitiously relaypackets between distant locations. This can give a node theimpression that it is the neighbor of another node that isactually far away. By faking links between distant nodes,adversaries may be able to manipulate nodes to send trafficthrough them.

The AVOMIN algorithm cannot detect a wormhole, butit can mitigate its effect whenever packets going throughthe wormhole are being dropped (black hole attack). In thiscase, the participants of the wormhole would be markedas suspects, and eventually the AVOMIN algorithm wouldfind a route that bypasses the wormhole (if such routeexists).

A short route attack is an attack on the route discoverymechanism. An adversary that wishes to attack as manysessions as possible would like to make routes that gothrough it seem shorter in the route discovery phase. Todo this the adversary needs to resend a RREQ with a routeshorter than the shortest route it received. Assuming thateventually the destination node D chooses this route andsends it back with a RREP, the adversary cannot change theroute on the way back because the RREP message is digi-tally signed by node D. If it does try to change it, the RREPmessage will fail the verification when it finally reachesthe source node S. Consequently, the adversary will haveto either send the RREP message as it is or drop it. Becausethe message contains a route back from the adversaryto the source node S that is shorter than the real shortestroute, the message will fail to reach node S, and node S willnot choose it.

Another potential threat is when several colludingadversaries cunningly time their offense, by attacking thenetwork one at a time, rather than all at once. Such anoffense may have severe consequences on iterative proto-



cols, such as TIARA overlay routing and ODSBR, whichdeal with each problem at a time. However, AVOMIN withmultipath routing completely mitigates the added effectof considerate timing by the adversaries, because severalroutes are used at the same time to deliver the packets.Sophisticated colluding adversaries may in some caseslead to imbalance in load distribution in parts of the net-work. Load balancing is out of the scope of this paper, butwe consider it as a future research direction.

A potential and specific attack on the AVOMIN algo-rithm is for an adversary to try to remove itself from thesuspect list that is appended to the RREQ messages toprevent itself from being penalized by subsequent nodes.However, because the suspect list part of the RREQ mes-sage is digitally signed, the destination node D will failto verify the message, and the route going through theadversary will not be chosen.

A DoS attack is an incident in which nodes in the net-work are deprived of the services they would normallyexpect to receive. Although a DoS attack does not usuallyresult in the theft of information or other security loss, itcan cost the targeted nodes a great deal of time and money.Traditional DoS attacks, which are characterized by packetinjection with the goal of resource consumptions, are outof the scope of this paper.

As previously explained, an adversary cannot apply ashort route attack because of digital signature verificationsconducted by the endpoints of the session. However, anadversary could apply a DoS attack that blocks correctinformation from reaching the endpoints by propagatinglow cost fabricated routes or by corrupting the suspectlist. This way, a valid route might never be found becauseintermediate nodes only resend lower cost routes.

Handling such DoS attacks is out of the scope of thiswork. Nonetheless, the AVOMIN algorithm can be adaptedto deal with such attacks by applying signature verificationat each of the intermediate nodes (similar to ODSBR [19]).

5. COMPLEXITY ANALYSIS

In this section, we analyze the time, communication,and computation complexity of finding a misbehavior-free route using the different versions of AVOMIN. Theanalysis is performed over two adversarial models – asimple adversary that continuously drops packets (blackhole attack) and a sophisticated adversary that knows theprotocol and takes advantage of its weaknesses.

5.1. Simple adversarial model

5.1.1. Time complexity.

The analysis of the time it takes the different versionsof AVOMIN to establish a route free of misbehaving nodesrelies strongly on Tdet, the time it takes to detect misbe-havior at the endpoints, and Tdis, the time it takes the routediscovery process to find a new route. To detect misbehav-

ior at the endpoints, AVOMIN must monitor a total of � �Wpackets. Here � is a predefined loss threshold and W is thesize of the sliding window. Thus,

Tdet =� �W

R(5)

given a flow rate of R packets per second [34].The time it takes the route discovery process to find a

new route depends on Thop, the maximal time required totransmit a message by a node in the network (a single hop),and on the length (number of hops) of the resulting route.The length of the resulting route is bound by V , the numberof nodes in the network. Consequently,

Tdis � Thop � V (6)

In practice the length of the resulting route usually doesnot surpass D, the diameter of the network.

In its basic version, the AVOMIN algorithm iterativelydetects misbehavior at the endpoints and finds alternativeroutes until a route free of misbehaving nodes is estab-lished. Therefore, the time Tbasic it takes the algorithm tosuccessfully bypass the misbehaving node is as follows:

Tbasic = (Tdet + Tdis) � Ibasic �

�� W

R+ Thop � V

�� Ibasic

(7)where Ibasic is the number of iterations conducted by thebasic version of the AVOMIN algorithm. The experimentalresults of Ibasic for different ı values are shown in the leftbars in Figure 5.

Applying the waiting mechanism, induces an overheadto Tdis because of the added loose time synchronization(Section 3.2). Because the maximum time synchronizationerror � accumulates in every hop, the added overhead toTdis is bound by � � V . Consequently, the time it takes theroute discovery process to find a new route with the waitingmechanism is as follows:

Tdis0 � (Thop +�) � V (8)

Figure 5. Number of iterations for basic avoidance of misbe-having nodes (AVOMIN) and AVOMIN with proactive routes

calculation.


DOI: 10.1002/sec


On the other hand, when using proactive route calculation(Section 3.1) the route discovery process is applied onlyonce. Thus,

Tpro = Tdet � Ipro + Tdis0 �� W � Ipro

R+ (Thop +�) �V (9)

where Ipro is the number of iterations conducted whenusing the proactive routes calculation that eliminatesredundant iterations (Ipro � Ibasic). The experimentalresults of Ipro for different ı values are shown in the rightbars in Figure 5. It is clear that the mean value of Ipro isvery close to 1.

When multipath routing is used, all the proactivelycalculated routes start working at once. Thus,

Tmultipath = Tdet + Tdis0 �� W

R+ (Thop +�) � V (10)

in the case where at least one subflow free of misbehavingnodes exists among the proactively calculated routes.

Formulas 7, 9, and 10 present the time complexity offinding a misbehavior-free route by using the different ver-sions of AVOMIN. Most of the parameters in these formu-las (W, R, Thop,�, and V) are system parameters that areindependent of the algorithm used. Thus, the given com-plexity analysis can be used to compare the performanceof AVOMIN with other algorithms. The only nonsystemparameters are the number of iterations (Ibasic, Ipro) and theloss threshold (� ). However, Figure 5 shows that Ibasic isrelatively low (under 2 even for low ı values) and that Iprois even lower.

The value of � can be set by the user of the algorithmand it strongly depends on the environment in which thealgorithm is deployed. For instance, bad weather may leadto a high packet loss rate even without any form of misbe-havior in the network. In such cases a high threshold valuemust be used to prevent false misbehavior detections. Nev-ertheless, our analysis shows that � should be kept as lowas the environment permits to reduce the time complexityof finding a misbehaving-node-free route.

5.1.2. Communication complexity.

The communication complexity refers to the numberof messages transmitted in the entire network until amisbehavior-free route is established. Similarly to the timecomplexity, this number relies on the detection of misbe-havior at the endpoints and on the route discovery processthat finds a new route.

To detect misbehavior at the endpoints, AVOMIN mustmonitor a total of � (loss threshold) times W (the size ofthe sliding window) packets. Each packet is transmitted Ktimes until it reaches the destination node, where K is thelength of the currently used route. K is bound by V , thenumber of nodes in the network, but in practice it rarelysurpasses D, the diameter of the network, for the samereasons discussed in the time complexity analysis. Thus,

Mdet � � �W � V (11)

The route discovery process consists of two phases –RREQ and RREP. In AVOMIN, the RREQ messages areflooded throughout the network. When the waiting mech-anism is applied, an intermediate node transmits eachRREQ only once. Thus, the number of RREQ transmis-sions in AVOMIN is V . The RREP messages in AVOMINare backtracked via the shortest route that was chosen bythe destination node. Consequently, only K transmissionsof the RREP are needed. As previously mentioned, K isbounded by V . Therefore,

Mdis � 2V (12)

The use of the waiting mechanism dramatically reducesthe communication overhead of the route discovery pro-cess. To better illuminate the mechanism’s advantage, letus consider as an example, an algorithm that uses a sim-ilar route discovery process. The ODSBR protocol [19]does not employ a waiting mechanism, which may resultin V�(V+1)

2 RREP messages. Moreover, in extreme casesof message delays in networks with specific topologies,the number of RREP messages in ODSBR is potentiallyexponential, even in the absence of an adversary [26].

The number of messages Mbasic that are sent in the net-work until the basic algorithm with the waiting mechanismsuccessfully bypasses the misbehaving nodes is as follows:

Mbasic = (Mdet + Mdis) � Ibasic � (� �W + 2) �V � Ibasic (13)

where Ibasic is the number of iterations conducted by thebasic version of the AVOMIN algorithm.

When using proactive route calculation, the route dis-covery process is applied only once. Thus,

Mpro = Mdet � Ipro + Mdis � (� �W � Ipro + 2) � V (14)

As discussed in the time complexity analysis, Ipro �

Ibasic.When multipath routing is used, all the proactively

calculated routes start working at once. Hence,

Mmultipath = Mdet + Mdis � (� �W + 2) � V (15)

in the case where at least one subflow free of misbehavingnodes exists among the proactively calculated routes.

Formulas 13, 14, and 15 present the time complexityof finding a misbehavior-free route by using the differ-ent versions of AVOMIN and can be used to compare theperformance of AVOMIN with that of other algorithms.As in the case of the time complexity, our analysis showsthat � should be kept as low as the environment per-mits to reduce the communication complexity of finding amisbehavior-free route.



5.1.3. Computation complexity.

Intermediate nodes within wireless networks (specif-ically in WMNs) have relatively limited computationalpower. Cryptographic operations, such as encryption,decryption, digital signing, and signature verification,require extensive computation. Consequently, crypto-graphic overhead is the most fundamental part when ana-lyzing the computational complexity of a secure routingprotocols such as AVOMIN. We do not consider the com-putation complexity of the endpoints, which are usuallymuch more powerful than the intermediate mesh nodes.

In AVOMIN, no cryptographic operations are per-formed at all by the intermediate nodes. This is in contrastto typical security protocols. As an example, consider theODSBR protocol [19] in which intermediate nodes haveto perform signature verifications for each RREP mes-sage they receive and digitally sign it before resending.From the communication complexity analysis we knowthat there may be O(V2) RREP messages at each iterationof ODSBR. For each such message O(V) signature veri-fications have to be performed for each of the precedingnodes in the RREP route, although the length of the routewill usually not surpass D, the diameter of the network.Thus, a cryptographic overhead of O(V3) may be imposedon each route discovery process performed by ODSBR.

Moreover, while detecting misbehavior, the ODSBRprotocol may enter a probing mode, which requires compu-tationally expensive onion encryption [35]. Such extensivecryptographic operations may be unfeasible for exist-ing deployed infrastructure of wireless mesh nodes. Thismeans that hardware modification may have to be appliedbefore using the ODSBR protocol.

5.2. Sophisticated adversarial model

The sophisticated adversarial model is of a node thatknows the protocol and takes advantage of its weaknesses.In AVOMIN, a sophisticated adversary can cause a DoSattack that prevents the termination of the route discoveryprocess (see Section 4).

To deal with a sophisticated adversary, signature verifi-cations at each of the intermediate nodes have to be appliedduring the route discovery process in AVOMIN (similarto ODSBR [19]). Such an addition would mean that a

cryptographic overhead of O�

V2 � Ibasic

�will be added

to the computation complexity of the basic version ofAVOMIN or O(V2) to the proactive and multipath versionsof the algorithm. Nevertheless, the cryptographic over-head of AVOMIN remains lower than ODSBR’s becauseof the waiting mechanism that is applied in AVOMIN andthe onion encryption that is performed during the probingmode in ODSBR.

A sophisticated adversary may take advantage of theweaknesses of other algorithms too. As an example, suchan adversary can cause the probing mode in ODSBR tonever find the faulty link. It can do so by dynamically caus-ing enough loss to trigger a fault, then switching to causing

loss just under the acceptable threshold � to wait outthe probing mode [19]. Consequently, the protocol mightkeep the traffic going through the problematic path withoutever initiating a new route discovery process. Moreover,the ongoing traffic between the endpoints will continu-ously carry probes as part of the infinite probing mode.These probes imply onion encryption that is performed bythe intermediate mesh nodes. Such a cryptographic over-head on ongoing traffic in a wireless network is clearlyunacceptable.

6. EXPERIMENTAL EVALUATION

The evaluation of AVOMIN is divided into two sets ofexperiments – the first set assesses the performance of thebasic AVOMIN algorithm along with the proactive routescalculation extension, whereas the second set of experi-ments tests the performance of AVOMIN with multipathrouting.

6.1. Experimental setup

The experimental evaluation was performed using a des-ignated simulation tool that was written using the Javaprogramming language. The experiments were performedon 500 simulated networks for each setting. A single ses-sion was executed in each simulated network. In all thesettings the nodes were randomly placed within a area.Each node in these networks has a radio communicationrange of 200 m. The basic setting includes 100 nodes, butsettings with higher node densities were also tested. Inthe basic setting a single misbehaving node was randomlyselected from the nodes that are part of the shortest routebetween the endpoints. The distance between the endpoints(nodes S and D) was limited to a minimum of 800 m tohandle at least 5 hops in each session. In settings that testscenarios with several misbehaving nodes, the additionalmisbehaving nodes were randomly selected from all thenodes in the network, including the remaining nodes in theoriginal shortest route.

6.2. Basic AVOMIN

The effectiveness of AVOMIN is demonstrated in threeaspects – the failure rate of finding a misbehavior-freeroute, the number of iterations performed until the route isfound, and the quality of that route, which is referred to asthe stretch factor.

Table II displays the failure rate of finding amisbehavior-free route. We consider a failure if after 10attempts (iterations) the algorithm does not find such aroute. AVOMIN with ı = 0.1 failed in 0.6% of the exper-iments, whereas it succeeded in all the experiments whenhigher ı values were used. We also display the results ofthe TIARA overlay routing [20] and ODSBR [19] algo-rithms. As previously mentioned, both these algorithmsassume the network to be closed, contrary to AVOMIN


DOI: 10.1002/sec


Table II. Failure rate of finding a misbehavior-free route after10 iterations.

AVOMIN AVOMIN TIARA ODSBR DSR(ı = 0.1) (ı � 0.3) Cache

0.6% 0% 3.2% 0.4% 42.4%

that does not need any a priori knowledge of the network.Both TIARA overlay routing and ODSBR did not manageto find a misbehavior-free route after 10 iterations in someof the experiments. Our results also include a comparisonwith DSR cache, a naive algorithm that chooses alternativeroutes that are cached at the source node whenever misbe-havior is detected at the endpoints. Such cached routes areused in DSR [21]. DSR cache fails in almost half the exper-iments, so it is clearly unsuitable for the task of mitigatingmisbehavior.

Figure 5 displays the number of iterations performedby AVOMIN until a misbehavior-free route is found fordifferent ı values. For each value of ı, two results are pre-sented – the first is of the basic AVOMIN. The secondshows the number of iterations performed by AVOMINwith proactive routes calculation.

The notion of iteration is different for these two versionsof the algorithm. In basic AVOMIN, an iteration consists ofa route discovery process and of the actual communicationconducted along the discovered route until misbehavior isdetected. When proactive routes calculation is applied, allthe routes are known in advance and no additional routediscovery is needed. Consequently, iteration in this caserefers solely to the communication conducted on a proac-tively calculated route. As confirmed by our simulations,the use of a low ı value leads to a number of iterationsin the basic version of the algorithm that is substantiallyhigher due to redundant iterations. These are skipped whenusing the proactive routes calculation (Section 3.1). Thedisplayed results also support the expected reverse relationbetween the ı value and the number of iterations.

Figure 5 also displays the number of iterations per-formed by TIARA overlay routing and by ODSBR (onlyfor successful attempts). An iteration in TIARA is equiva-lent to an iteration in basic AVOMIN, because it it involvesa new route discovery process. The relatively high num-ber of iterations performed by TIARA can be explainedby the fact that some buddy nodes may be disconnectedfrom the source node. An iteration in ODSBR is muchmore complicated, because it involves the costly probingmode. ODSBR needs an average of almost two itera-tions until it finds a misbehavior-free route, because itpenalizes links rather than nodes. This is also the rea-son for ODSBR’s occasional failures after 10 iterations asdisplayed in Table II.

Definition 1. Stretch factor refers to the ratio betweenthe length of the resulting route and the length of the

Figure 6. Stretch factor. AVOMIN, avoidance of misbehavingnodes.

Figure 7. Failure rate of finding a misbehavior-free route after 10iterations under different node densities.

shortest existing misbehavior-free route (i.e., the optimalone).

Figure 6 displays the stretch factor of AVOMIN byusing different ı values and of TIARA. As expected, usinglow ı values results in a better (lower) stretch factor. Withı = 0.1 the average stretch factor is less than 1.008. Thus,the resulting routes are very close to the optimal routes.The poor results of TIARA can be explained by the prac-tically random locations of the buddy nodes. The stretchfactor of ODSBR is always 1, because ODSBR alwaysfinds the shortest available route.

A clear tradeoff between the number of iterations andthe stretch factor in AVOMIN can be observed by consid-ering both Figures 5 and 6. Consequently, if the goal is toreduce the convergence time, a high value of ı should bechosen. On the other hand, when the main goal is the qual-ity of the resulting route (low stretch factor) a low ı valueshould be used. ı = 0.3 seems to give a good balance whenconsidering all the aspects.

Next, we consider the same aspects in settings withincreasing node densities, from the 100 nodes of the basesetting to 1000 nodes in the same 1000 � 1000 – m2 meterarea. Figures 7 and 8 present the failure rate (after 10 iter-ations) and the number of iterations, respectively. In thesesettings we compare the performance of AVOMIN withproactive routes calculation with that of TIARA overlay



Figure 8. Number of iterations under different node densities.

routing and ODSBR. We only show the results for ı = 0.3for clarity reasons.

As shown in Figure 7, AVOMIN did not fail even onceto find a misbehavior-free route in the various settings.Moreover, AVOMIN performs less iterations as the nodedensity increases (Figure 8). The reason for this is that indenser networks there are more alternative routes of similarlength between the endpoints.

TIARA also presents improved performance in densernetworks, because in such networks the chance of selectinga buddy node that is disconnected from the source node orresults in a route that still passes through the misbehavingnode significantly reduces. Nevertheless, Figure 7 shows aquite random failure rate for TIARA in networks with 200nodes or more. This can be explained by the inherent ran-domness of the buddy node choosing process. Contrary tothat, the performance of ODSBR drastically deterioratesas the node density increases. The reason for this phe-nomenon lies in the fact that ODSBR penalizes links ratherthan nodes. This results in more routes passing throughevery node (including through misbehaving nodes). Conse-quently, in dense networks it takes more ODSBR iterationsuntil a route that bypasses the misbehaving node is found.In many cases the number of iterations is larger than 10, asshown in Figure 7.

Figure 9 displays the stretch factor of AVOMIN byusing different ı values under different node densities. Thestretch factor improves as the node density increases, andin networks with 1000 nodes the stretch factor is around 1for ı � 0.6. Even for high ı values, the stretch factor is lessthan 1.01 in networks with at least 600 nodes. To enablea better view (and a correct scale), TIARA overlay rout-ing was left out of the plots in Figure 9. TIARA’s averagestretch factor is between 1.34 and 1.38 for the settings with200 nodes or more.

Finally, we consider networks with several misbehav-ing nodes. Figure 10 displays the failure rate of finding amisbehavior-free route in networks of the basic setting withup to 10 misbehaving nodes. In TIARA overlay routingand ODSBR a failure is considered if after 10 iterations thealgorithm does not find an appropriate route. For AVOMINwe consider a more restrictive notion of failure. On top ofthe 10 iterations threshold, we also restrict AVOMIN toonly a single proactive routes calculation process. We doso because conducting an additional proactive routes cal-

Figure 9. Stretch factor under different node densities.

Figure 10. Failure rate of finding a misbehavior-free route innetworks with several misbehaving nodes.

culation is a considerably more complex notion of iterationthan an iteration within an existing proactive routes cal-culation. Nevertheless, it is still significantly less complexthan an ODSBR iteration (see Section 5).

As expected, the failure rate of all the algorithmsincreases when the network contains more misbehavingnodes. AVOMIN has fewer failures than ODSBR in allthe settings. Interestingly enough, TIARA overlay routingoutperforms AVOMIN when there are at least three misbe-having nodes. The reason for this lies in the randomness ofalternative routes in TIARA as opposed to the locality ofthe routes in AVOMIN and ODSBR. Even in cases that inthe area of the original route there are several misbehavingnodes, TIARA still has a good chance of finding an alter-native route by eventually selecting a buddy node that is faraway from the problematic area. The downside of TIARAremains its stretch factor, as it displays similar values (forthe successful attempts) to the ones shown in Figure 6for a single misbehaving node. When considering the suc-cessful attempts of AVOMIN, the number of iterations andstretch factor remain virtually the same as the values shownin Figures 5 and 6, respectively, regardless of the num-ber of misbehaving nodes in the network. Consequently,these results are not presented, and the interesting aspectwhen considering multiple misbehaving nodes remains thefailure rate.


DOI: 10.1002/sec


6.3. AVOMIN with multipath routing

The main advantage of using multipath routing is that itprovides a robust and dynamic way to deal with alter-ations in the adversarial behavior. However, such robust-ness comes with a price of an increased communicationoverhead. The experiments display the imposed communi-cation overhead with respect to different values of the DPRthat is applied by the misbehaving nodes. Additionally,the dynamic distribution of packets among the subflows isdemonstrated. The experiments use a sliding window of100 packets for each subflow. The data of dropped packetsthat appears in the sliding windows is used for the dynamicdistribution of packets among the subflows.

Commonly used for such purposes is the expected trans-mission count metric (ETX) [30]. ETX considers the DPRof each link in the route, which makes it an appropri-ate metric for either the MAC layer or for higher layeralgorithms that work link-by-link. Contrary to that, theAVOMIN algorithm conducts data verifications only at theendpoints of the communication session. Thus, the DPRdata of each link is unavailable on AVOMIN’s layer. Wetherefore turn to a similar metric that considers a route’slength and endpoints’ DPR.

Definition 2. Communication overhead refers to theratio between the total length of routes that a packethas been sent through, including retransmissions, untilit reaches its destination and the length of the shortestexisting misbehavior-free route.

As an example consider the network that appears inFigure 4. Also consider that node J misbehaves by drop-ping packets it receives. In this case, the shortest availablemisbehavior-free route is SF1 (length 5). A packet P ischosen to be routed through SF0 (length 4), but is droppedby node J. Consequently, packet P is retransmitted, thistime through SF2 (length 6), and reaches its destination.Thus, the total length of routes that packet P has been sentthrough is 10. Consequently, the communication overheadof packet P is 100%.

Figure 11 presents the average communication over-head as a function of the DPR of the misbehaving nodes.The solid line represents the communication overhead ofthe first 100 packets (exactly the size of the sliding win-dow). As can be seen, an increase in the DPR linearlyimpairs the communication overhead. The dotted brownline represents the average communication overhead afterthe transmission of 5000 packets between the endpoints.It is clear that after the algorithm assimilates the dataof dropped packets, the effect of increased DPR disap-pears and the communication overhead converges to 6%.An adversary that drops about 30% of the packets maxi-mally impairs the communication overhead. Nevertheless,the damage that such an adversary can inflict is limited to9% communication overhead.

Figure 12 shows the convergence of the communicationoverhead with respect to the number of sent packets for

Figure 11. The effect of adversarial behaviors dropped-packetratio (DPR) on the communication overhead.

Figure 12. Convergence of the communication overhead undervarious adversarial behaviors dropped-packet ratio (DPR).

three different DPR values. With 10% DPR, the communi-cation overhead converges to a slightly higher value thanthe overhead of the first 100 packets. This negative effectis explained by the quadraticity in Formulas 3 and 4, whichgive more weight to the DPR values than the lengths ofthe subflows. Short subflows that suffer from limited DPRmay have a better communication overhead than longermisbehavior-free subflows. Consequently, preferring thelonger misbehavior-free subflows leads to a slightly higheroverhead. Nevertheless, this preference is essential for theprompt and efficient convergence of the communicationoverhead under higher DPR values. The convergence with50% DPR and with 100% DPR confirms the necessity forquadraticity in the formulas. Moreover, with 100% DPR,the communication overhead is just marginally higher thanwith 10% DPR.

Similar experiments to the ones shown in Figures 11and 12 were conducted for the same networks but this timewith more than a single misbehaving node. Networks inwhich all the subflows contained misbehaving nodes werenot checked. The results of these experiments were almostexactly the same as the results shown in Figures 11 and 12.



Figure 13. The distribution of packets among the subflows inFigure 4.

The reason for the similarity of the results is the adaptivedistribution of sent packets among the subflows. When atleast one subflow is free of misbehavior, the majority of thepackets are sent through this subflow.

Figure 13 demonstrates the dynamic distribution ofpackets on a specific example – the network shown inFigure 4. The left part of the graph presents the distributionof packets when the network contains a single misbehav-ing node, J, which drops half of the packets (50% DPR).This node resides on SF0. Consequently, just 10% of thepackets are routed through SF0 regardless of the fact thatit is the shortest of the three subflows. The center partof the graph shows how the distribution changes whennode I starts dropping half of the packets as well. At thispoint, the DPR of SF0 is 75%, whereas the DPR of SF1is 50%. Although SF2 is the longest of the three subflows,over 80% of the packets are routed through it. The rightpart of the graph demonstrates the distribution of pack-ets in case that both nodes I and J stop dropping packets.The biggest share of packets is routed through the shortestsubflow, SF0.

7. CONCLUSIONS

A distributed algorithm that mitigates routing misbehav-ior is proposed. The new method re-routes a session thatis carried by misbehaving nodes upon detecting routingmisbehavior at the endpoints. The proposed algorithm(AVOMIN) does not expect mesh routers to sign or authen-ticate packets that pass through. The AVOMIN algorithmenables proactive calculation of several alternative routes.This extension along with the RREQ waiting mechanismsignificantly reduces the algorithm’s overhead. The proac-tively calculated routes can be used to perform multipathrouting that provides prompt discovery of misbehavior-freeroutes along with survivability and continuous communi-cability of the network. The addition of multipath routingdrastically enhances the robustness of the algorithm versusadversaries that dynamically change their behavior.

An extensive experimental evaluation comparedAVOMIN with existing algorithms, ODSBR [19] andTIARA overlay routing [20]. AVOMIN needs considerablyless iterations than ODSBR and TIARA to find a routefree of misbehaving nodes. Once it finds such a route, itis usually close to optimal and of higher quality than thatfound by TIARA. Contrary to that, ODSBR always findsthe shortest available route. Nevertheless, a sophisticatedadversary can prevent ODSBR from ever initiating a newroute discovery process, while indefinitely burdening thenetwork with unnecessary cryptographic overhead.

Multipath routing in AVOMIN resembles the use oferasure-coding techniques, because both use multiple pathsand share the similar goal of increasing the reliability andsecurity of the network. The main difference between theseapproaches is in the assumptions they make. AVOMINassumes that some group of nodes is misbehaving, whereasthe other nodes relay packets properly. On the otherhand, algorithms that apply coding assume that any of thepaths may drop packets at any time with similar prob-abilities [28]. While the first assumption relates to thepresence of malfunctioning or adversarial nodes, the sec-ond assumption relates to the unreliable nature of wirelesslinks. In real-life scenarios one must deal with both phe-nomena, and therefore a combination of these two assump-tions is called upon. This may be applicable, becausethe two approaches are basically orthogonal – AVOMINchooses the paths to be taken, whereas erasure-codingmanipulates the contents of the packets. However, sucha combination is not straightforward because AVOMIN’ssubflows are inherently not disjoint. We therefore see themerging of erasure coding and AVOMIN as an interestingdirection for future work. Additionally, such combina-tion may potentially help balance the load distribution inthe network.

Another direction for future work is testing the appli-cability of AVOMIN in MANETs. Experiments that testedthe performance of ODSBR in MANETs [19] producedencouraging results under a mobility model with variousspeeds. Because our experiments and analysis show thefast convergence of AVOMIN, we believe that AVOMINwill perform well in MANETs.

REFERENCES

1. Akyildiz IF, Wang X, Wang W. Wireless mesh net-works: a survey. Computer Networks and ISDN Sys-tems 2005; 47(4): 445–487.

2. Jun J, Sichitiu ML. MRP: wireless mesh networksrouting protocol. Computer Communications 2008; 31(7): 1413–1435.

3. Ruiz PM, Galera FJ, Jelger C, Noel T. Efficient mul-ticast routing in wireless mesh networks connected tointernet, Proceedings of the First International Con-ference on Integrated Internet Ad Hoc and SensorNetworks (InterSense), 2006.


DOI: 10.1002/sec


4. Draves R, Padhye J, Zill B. Routing in multi-radio, multi-hop wireless mesh networks, Proceed-ings of the 10th annual international conference onmobile computing and networking (mobicom), 2004;114–128.

5. Maatta J, Braysy T. A novel approach to fair rout-ing in wireless mesh networks. EURASIP Journalon Wireless Communications and Networking 2009:5:1–5:13.

6. Kandikattu R, Jacob L. Secure hybrid routing withmicro/macro-mobility handoff mechanisms for urbanwireless mesh networks. International Journal ofSecurity and Networks 2008; 3(4): 258–274.

7. Li C, Wang Z, Yang C. Secure routing for wire-less mesh networks. International Journal of NetworkSecurity 2011; 13(2): 109–120.

8. Siddiqui MS, Amin SO, Kim JH, Hong CS. MHRP: asecure multi-path hybrid routing protocol for wirelessmesh network. Proceedings of the Military Communi-cations Conference (MILCOM), 2007; 1–7.

9. Marti S, Giuli TJ, Lai K, Baker M. Mitigating Rout-ing Misbehavior in Mobile Ad Hoc Networks. Mobilecomputing and networking, 2000; 255–265.

10. Michiardi P, Molva R. Core: a collaborative reputa-tion mechanism to enforce node cooperation in mobilead hoc networks. Proceedings of the IFIP TC6/TC11Sixth Joint Working Conference on Communicationsand Multimedia Security, 2002; 107–121.

11. Buchegger S, Boudec JYL. Performance analysisof the CONFIDANT protocol: cooperation of nodes— fairness in dynamic ad-hoc networks. Proceed-ings of the IEEE/ACM Symposium on Mobile AdHoc Networking and Computing (MobiHoc), 2002;226–236.

12. Khan S, Alrajeh NA, Loo KK. Secure route selectionin wireless mesh networks. Computer Networks 2012;56(2): 491 –503.

13. Sen J. Secure routing in wireless mesh networks.In Wireless Mesh Networks, Funabiki Nobuo (ed).InTech, 2011.

14. Papadimitratos P, Haas Z. Secure routing for mobilead hoc networks. Proceedings of the SCS Communica-tion Networks and Distributed Systems Modeling andSimulation Conference (CNDS), 2002; 27–31.

15. Hu YC, Perrig A, Johnson DB. Ariadne: a secure on-demand routing protocol for ad hoc networks. WirelessNetworks 2005; 11(1-2): 21–38.

16. Perrig A, Canetti R, Tygar D, Song D. The TESLAbroadcast authentication protocol. Cryptobytes 2002; 5(2): 2–13.

17. Hu YC, Johnson DB, Perrig A. SEAD: secure effi-cient distance vector routing for mobile wireless adhoc networks. Ad Hoc Networks 2003; I: 175–192.

18. Kim J, Tsudik G. SRDP: secure route discovery fordynamic source routing in manets. Ad Hoc Networks2009; 7(6): 1097 –1109.

19. Awerbuch B, Curtmola R, Holmer D, Nita-Rotaru C,Rubens H. ODSBR: an on-demand secure byzantineresilient routing protocol for wireless ad hoc networks.ACM Transactions on Information and System Security2008; 10(4): 1–35.

20. Ramanujan R, Kudige S, Nguyen T, Takkella S,Adelstein F. Intrusion-resistant ad hoc wireless net-works. Proceedings of the military communicationsconference (milcom), 2002.

21. Johnson DB, Maltz DA. Dynamic source routing in adhoc wireless networks. In Mobile computing, Vol. 353,1996.

22. Committee ICSLMS. IEEE Strandard 802.11-1997:New York, NY, 1997.

23. Clausen T, Jacquet P. Optimized Link State Rout-ing protocol (OLSR). RFC 3626, Internet EngineeringTask Force, 2003.

24. Perkins C, Bhagwat P. Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobilecomputers. Proceedings of the ACM Conference onCommunications Architectures, Protocols and Appli-cations (SIGCOMM), 1994; 234–244.

25. Perkins C, Royer E. Ad-hoc on-demand distance vec-tor routing. Proceedings of the Second IEEE work-shop on Mobile Computing Systems and Applications(WMCSA), 1999; 90–100.

26. Hu YC, Perrig A. A survey of secure wireless adhoc routing. IEEE Security and Privacy 2004; 2 (3):28–39.

27. Wang Y, Jain S, Martonosi M, Fall K. Erasure-codingbased routing for opportunistic networks. Proceed-ings of the acm sigcomm workshop on delay-tolerantnetworking (WDTN), 2005; 229–236.

28. Matsuda T, Takine T. Multicast communications withReed Solomon/network joint coding in wireless mul-tihop networks. Journal of Communications 2009; 4(11): 856–864.

29. Timm-Giel A, Kuladinithi K, Hofmann P, Goerg C.Wireless and ad hoc communications supporting thefirefighter. 16th IST Mobile Summit, 2007.

30. De Couto D S J, Aguayo D, Bicket J, MorrisR. A high-throughput path metric for multi-hopwireless routing. Wireless Networks 2005; 11 (4):419–434.

31. Hu YC, Perrig A, Johnson DB. Rushing attacks anddefense in wireless ad hoc network routing proto-cols. Proceedings of the ACM Workshop on WirelessSecurity (WiSe), 2003; 30–40.

32. Eriksson J, Krishnamurthy S, Faloutsos M. Tru-elink: A practical countermeasure to the wormhole



attack in wireless networks. Proceedings of the 2006IEEE International Conference on Network Protocols(ICNP), 2006; 75–84.

33. Hu YC, Perrig A, Johnson DB. Packet leashes: adefense against wormhole attacks in wireless net-works. In Proceedings of the Twenty-second AnnualJoint Conference of the IEEE Computer and Com-munication Societies (INFOCOM), Vol. 3,1976–1986,2003.

34. Awerbuch B, Cole RG, Curtmola R, Holmer D,Rubens H. Dynamics of learning algorithms for theon-demand secure byzantine routing protocol. ThirdEuropean Workshop on Security and Privacy in AdHoc and Sensor Networks (ESAS), 2006; 98–112.

35. Reed MG, Syverson PF, Goldschlag DM. Anony-mous connections and onion routing. IEEE Journalon Selected Areas in Communications 1998; 16 (4):482–494.


DOI: 10.1002/sec

Documents

Avoidance of misbehaving nodes in wireless mesh networksam/media/publications/Avoidance... · 2016. 12. 8. · Avoidance of misbehaving nodes in wireless mesh networks T. Grinshpoun,