Secure communication in cellular and ad hoc environments Bharat Bhargava bb@cs.purdue.edu Department of Computer Sciences, Purdue University This is supported by Motorola Communication Research Lab & National Science Foundation


Secure communication in cellular and ad hoc environments

Bharat Bhargava

bb@cs.purdue.edu

Department of Computer Sciences,

Purdue University

This is supported by Motorola Communication Research Lab & National Science Foundation


Team at Motorola:
• Jeff Bonta
• George Calcev
• Benetido Fouseca
• Trefor Delve

Team at Purdue University:
• X. Wu, Research scientist (received his PhD from UC-Davis)
• Y. Lu, PhD student
• G. Ding, PhD student
• W. Wang, PhD student


Problem statement

How to provide secure, continuous, and efficient connectivity for a mobile unit in a structured (cellular based) or unstructured (ad hoc) network environment?


Challenges

• Dynamic topology
  – Movement, node failure, etc.
• Heterogeneous and decentralized control
• Limited resources
  – Bandwidth, processing ability, energy
• Unfriendly environment
  – Selfish nodes, malicious attackers


Research contributions

• Combining advantages of cellular systems and ad hoc networks to enable a more secure network structure and better performance

• Designing routing protocols for ad hoc networks that adapt to both network topology and traffic congestion

• Designing intruder identification protocols in ad hoc networks

• Conducting experimental studies in heterogeneous wireless environments and evaluating our protocols


Research directions

• Cellular-aided Mobile Ad Hoc Network (CAMA)

• Adaptive and Heterogeneous Mobile Wireless Networks

• Intruder Identification in Ad Hoc Networks


Cellular-aided Mobile Ad Hoc Network (CAMA)


CAMA: Problem Statement

How to realize commercial peer-to-peer applications over mobile wireless ad hoc networks?

Papers: “Integrating Heterogeneous Wireless Technologies: Cellular-Aided Mobile Wireless Ad hoc Networks (CAMA)”, submitted to ACM Special Issues of the Journal on Special Topics in Mobile Networking and Applications (MONET).


Challenges

• Authentication and accounting
  – No fixed membership
• Security concern
  – Open medium without any centralized control
• Real time services
  – Dynamic topology and slow routing information distribution


Current Environment

Cellular network provides:

• Wide coverage

• Multiple services with single cellular ID

• Small packet service in 3G network

• Wireless terminals with different protocols


CAMA Description

• Integration of cellular network and ad hoc network

• CAMA agent works as centralized server attached to the cellular network

• CAMA agent provides ad hoc nodes information such as authentication, routing support, keys through cellular channel

• Data transmission uses ad hoc channel


CAMA Environment


Major Ideas

• Use signals via cellular network for ad hoc routing and security management

• Centralized CAMA agent provides control over distributed ad hoc network


CAMA vs. ad hoc network

CAMA has advantages over pure ad hoc networks in:

• Simple network authentication and accounting
• Routing server for more accurate routing decisions
• Certification authority for key distribution
• Central security check point for intrusion detection


CAMA vs. cellular/WLAN

CAMA has advantages over cellular/WLAN integrated network in:

• No extra fixed infrastructure
  – No access point needed
• No ad hoc channel radio coverage limit
  – Multi-hop ad hoc link
• No transmission bottleneck
  – Not all traffic needs to go through a single node


Impact

• Cellular service combined with low-cost, high-data-rate wireless service


Research Questions

• Feasibility in commercial applications requires:
  – Development of routing algorithm and protocols for multimedia service
  – Investigation of CAMA vulnerabilities
  – Development of security protocols for key distribution and intrusion detection
  – Evaluation of gain in ad hoc network
  – Evaluation of overhead in cellular network


Methodology of Research

• Building algorithms and protocols
• Developing benchmarks and performance metrics on multi-media service
• Conducting experimental studies
  – Using ns-2
  – Using common platform simulator from Motorola Inc.
• Comparing with ad hoc routing protocols
  – Ad hoc on-demand distance vector routing (AODV)
  – Destination source routing (DSR)


Research of Interest to Motorola

• Evaluating CAMA routing in realistic simulation environment:
  – Radio environment
    • Adaptive data rate determined by signal-noise-ratio (SNR)
  – Node mobility
    • Exponentially distributed speed
  – Node density
    • 400 users/sq.km to 14800 users/sq.km
  – Traffic pattern
    • VoIP, TCP, Video
  – Inaccurate position information
    • Error of 5m to 100m


Research of Interest to Motorola (ctn.)

• Authentication
  – By CAMA agent
  – By mobile nodes
• Accounting
  – Charging rate
  – Award to intermediate nodes


Research of Interest to Motorola (ctn.)

• Key assignment
  – Group key assignment
    • For entire ad hoc network
    • For nodes along an active route
  – Session key assignment
    • For peer-to-peer communication


Research of Interest to Motorola (ctn.)

• Intrusion detection
  – Information collection
    • Information for different intrusions
  – Malicious judging rule
    • Quick malicious node elimination vs. probability of wrong judgment
    • Detection cost vs. gain


Adaptive and Heterogeneous Mobile Wireless Networks


Problem statement

How to provide continuous connectivity for a mobile unit to a network in which every node is moving?

Papers: “Secure Wireless Network with Movable Base Stations”, being revised for IEICE/IEEE Joint Special Issue on Assurance Systems and Networks.

“Study of Distance Vector Routing Protocols for Mobile Ad Hoc Networks”, in Proceedings of IEEE International Conference on Pervasive Computing and Communications (PerCom), 2003.


Challenges

• Dynamic topology
  – Movement, node failure, energy problem, etc.
• Decentralized control
• Limited bandwidth
  – Congestion is typically the norm rather than the exception. [RFC 2501]


Research contributions

• Routing protocols for mobile ad hoc networks that adapt to not only network topology, but also traffic and congestion.
• Architecture, design of protocols, and experimental evaluation in heterogeneous wireless environments


Broad impacts

• Military networks

• Sensor networks


Two network environments considered

• Mobile ad hoc networks
  – No centralized control
• Large scale heterogeneous wireless networks with control in base stations
  – Wireless networks with movable base stations (WNMBS)


Research questions in mobile ad hoc networks

• Development of ad hoc routing protocols that adapt to traffic load and network congestion.
  – Identify the network parameters that impact the performance of routing protocols.
  – Determine the appropriateness of on-demand and proactive approaches (given specific routing requirements and network parameters).
  – Identify features of ad hoc networks that can be used to improve routing.


Related work (routing protocol)

• Destination-Sequenced Distance Vector (DSDV) [Perkins/Bhagwat, SigComm’94] (Nokia)
• Ad-hoc On-demand Distance Vector (AODV) [Perkins/Royer/Das, WMCSA’99, IETF draft 98-03] (Nokia, UCSB, SUNY-Stony Brook)
• Dynamic Source Routing (DSR) [Johnson/Maltz, Mobile Computing’96, IETF draft 03] (Rice Univ., CMU)
• Zone Routing Protocol (ZRP) [Haas/Pearlman/Samar, ICUPC’97, IETF draft 99-02] (Cornell)
• Adaptive Distance Vector (ADV) [Boppana/Konduru, InfoCom’01] (UT-San Antonio)
• Source-Tree Adaptive Routing (STAR) [Garcia-Luna-Aceves/Spohn, MONET’01] (UCSC, Nokia)
• Associativity-Based Routing (ABR) [Toh, Wireless Personal Communications Journal’97] (Cambridge Univ.)
• Ad-hoc On-demand Multipath Distance Vector (AOMDV) [Marina/Das, ICNP’01] (Univ. of Cincinnati)


Related work (cont’d)

Protocol   Approach    Routing information used   Additional information
DSDV       Proactive   Distance Vector
DSR        On-demand   Source routing
AODV       On-demand   Distance Vector
ZRP        Hybrid      Distance Vector
ADV        Hybrid      Distance Vector
STAR       Proactive   Link State
ABR        On-demand   Distance Vector            Associativity
AOMDV      On-demand   Distance Vector            Multipath


Related work (performance comparison)

• Comparison of DSDV, TORA, AODV and DSR [Broch/Maltz/Johnson/Hu/Jetcheva, MobiCom’98] (CMU)

• Scenario-based performance analysis of DSDV, AODV, and DSR [Johansson/Larsson/Hedman/Mielczarek/Degermark, MobiCom’99] (Ericsson)

• Performance comparison of AODV and DSR [Perkins/Royer/Das/Marine, IEEE Personal Communications’01]


Methodology of research

• Developing benchmarks and performance metrics for routing protocols

• Conducting experimental studies
  – Determine guidelines for design
  – Evaluate protocols

• Building algorithms and protocols


Ongoing research

• Study of proactive and on-demand approaches

• Congestion-aware distance vector routing protocol

• Packet loss study


Research study

• Investigate the proactive and on-demand approaches
  – Generalize the results obtained from protocols to the proactive and on-demand approaches
  – Introduce power consumption as a performance metric
  – Inject heavy traffic load
  – Identify the major causes for packet drop
  – Comprehensively study in various network environments

• Propose a congestion-aware routing protocol


Simulation experiments

• DSDV and AODV are studied by varying network environment parameters
  – Node mobility (maximum moving speed)
  – Traffic load (number of connections)
  – Network size (number of mobile nodes)
• Performance metrics
  – Packet delivery ratio
  – Average end-to-end delay
  – Normalized protocol overhead
  – Normalized power consumption


Simulation setup for experiments

Simulator             ns-2
Examined protocols    DSDV and AODV
Simulation duration   1000 seconds
Simulation area       1000 m x 1000 m
Transmission range    250 m
Movement model        Random waypoint
Maximum speed         4 – 24 m/s
Traffic type          CBR (UDP)
Data payload          512 bytes/packet
Packet rate           4 packets/sec
Node pause time       10 seconds
Bandwidth             1 Mb/s


Motivation for a new proactive protocol

• The proactive protocols provide better support for:
  – Applications requiring QoS
    • Timely propagate network conditions
  – Intrusion and anomaly detection
    • Constantly exchange the network topology information
• The proactive approach exhibits better scalability with respect to the number of mobile nodes and traffic load.


Proposed protocol: Congestion Aware Distance Vector (CADV)

• Problem with the proactive approach
  – Congestion
• Objective:
  – Dynamically detect congestion and route packets through less-crowded paths
• Method:
  – Characterize congestion and traffic load by using expected delay.
  – Consider expected delay at the next hop as the secondary metric to make routing decisions.
  – Allow a one-hop longer route to be chosen.
  – Use destination sequence number to avoid loop.


Design issues

• Use MAC layer callback to detect broken link
  – Quick detection
  – More triggered updates
  – Whether to re-queue a packet
• Allowing a one-hop longer route
  – A one-hop shorter route may not replace the current one if it introduces significantly more delay.
  – To avoid short-lived loop, do not replace the current route with a longer one if they have the same sequence number.
• Deal with fluctuation
  – Use randomness in routing decisions to reduce fluctuation


CADV

• Components:
  – Real time traffic monitor
  – Traffic control
  – Route maintenance module
• Route update:
  – When broadcasting an update, every node advertises the expected delay of sending a packet as:

    $E[D] = \frac{\sum_{i} D_i}{n} \cdot L$

• Route maintenance
  – Apply a function f(E[D], distance) to evaluate the value of a route
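
One way to turn the CADV method, design-issue and route-update rules above into a route replacement decision, as an added example that is not the authors' code. The 1.5x margin for "significantly more delay", the cap at one extra hop, the equal-distance rule, and the reading of n and L as sample count and queue length are assumptions; the randomised decisions listed under fluctuation are left out.

```python
"""CADV-style route replacement rule: added illustration, not the authors' code."""
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence

# Assumption: the slides say "significantly more delay" without giving a number.
DELAY_MARGIN = 1.5


@dataclass(frozen=True)
class Route:
    next_hop: str
    hops: int          # distance to the destination
    seq: int           # destination sequence number, higher is fresher
    exp_delay: float   # E[D] advertised by the next hop, in seconds


def expected_delay(delays: Sequence[float], queue_len: int) -> float:
    """E[D] = (sum(D_i) / n) * L; n = samples, L = queue length (assumed meanings)."""
    if not delays:
        return 0.0
    return sum(delays) / len(delays) * queue_len


def should_replace(current: Optional[Route], cand: Route,
                   margin: float = DELAY_MARGIN) -> bool:
    """Decide whether an advertised route replaces the installed one."""
    if current is None:
        return True
    if cand.seq < current.seq:
        return False                      # stale information, loop risk
    extra_hops = cand.hops - current.hops
    if extra_hops > 1:
        return False                      # only a one-hop detour is allowed
    if extra_hops == 1:
        # A longer route needs a strictly newer sequence number (avoids
        # short-lived loops) and must clearly relieve congestion.
        return cand.seq > current.seq and cand.exp_delay * margin < current.exp_delay
    if extra_hops < 0:
        # A shorter route wins unless it adds significantly more delay.
        return cand.exp_delay <= current.exp_delay * margin
    # Same distance (assumed rule): fresher sequence number or lower delay wins.
    return cand.seq > current.seq or cand.exp_delay < current.exp_delay


def select_route(adverts: Iterable[Route],
                 margin: float = DELAY_MARGIN) -> Optional[Route]:
    """Fold a stream of advertisements for one destination into the kept route."""
    current = None
    for cand in adverts:
        if should_replace(current, cand, margin):
            current = cand
    return current


# Constructed advertisements for one destination, in arrival order.
SAMPLE_ADVERTS = [
    Route("B", 3, 10, 0.40),   # first route learned
    Route("C", 4, 10, 0.05),   # longer, same sequence number: rejected
    Route("D", 4, 12, 0.05),   # one hop longer, fresher, far less delay: accepted
    Route("E", 2, 12, 0.90),   # shorter but heavily congested: rejected
]

if __name__ == "__main__":
    print(select_route(SAMPLE_ADVERTS))
```

Both `seq` and `exp_delay` are taken from a neighbour's advertisement as given, so the decision is only as trustworthy as the authentication of those updates.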


Observations of CADV

• CADV outperforms AODV and DSDV in terms of delivery ratio
• The end-to-end delay becomes longer because longer routes may be chosen to forward packets
• The protocol overhead of CADV is doubled compared with that of DSDV. It is still less than that of AODV when the network is loaded
• CADV consumes less power per delivered packet than DSDV and AODV do


Characteristics of wireless networks with movable base stations

• Large scale

• Heterogeneity

• Autonomous sub-nets

• Base stations have more resources

• Base stations take more responsibilities


Research questions

• How to organize the network?
  – Minimize the effect of motion
  – Minimize the involvement of mobile host
• How to build routing protocol?
  – IP-compliant
  – Cooperate with various intra-subnet routing protocols
• How to secure communications?
  – Authenticate
  – Maintain authentication when a host is roaming


Related work

• Integrating ad hoc and cellular
  – Mobile-Assisted Connection-Admission (MACA) [Wu/Mukherjee/Chan, GlobeCom’00] (UC-Davis)
  – Integrated Cellular and Ad-hoc Relaying (iCAR) [Wu/Qiao/De/Tonguz, JSAC’01] (SUNY-Buffalo)
  – Multihop Cellular Networks (MCN) [Lin/Hsu, InfoCom’00] (Taiwan)
• Mobile base station
  – Distributed, dynamic channel allocation [Nesargi/Prakash, IEEE Transactions on Vehicular Technology’02] (UT-Dallas)
• Hierarchical structure
  – Multimedia support for Mobile Wireless Networks (MMWN) [Ramanathan/Steenstrup, MONET’98] (BBN Technologies)
  – Clustering scheme for hierarchical control in multi-hop wireless networks [Banerjee/Khuller, InfoCom’01] (UMD)


Methodology of research

• Building architecture, developing algorithms and protocols
  – Membership management
  – Inter-subnet routing
  – Intra- and inter-subnet authentication

• Evaluation through experiments


Research results

• Hierarchical mobile wireless network (HMWN)
  – Hierarchical membership management scheme
  – Segmented membership-based group routing protocol
  – Protection of network infrastructure
  – Secure roaming and fault-tolerant authentication


Future research plan

• Develop congestion avoidance routing protocol for ad hoc networks.

• Conduct experiments to study the effect of implementing congestion avoidance at different layers.

• Conduct a series of experiments to evaluate HMWN.


Intruder Identification in Ad Hoc Networks


Problem Statement

• Intruder identification in ad hoc networks is the procedure of identifying the user or host that conducts the inappropriate, incorrect, or anomalous activities that threaten the connectivity or reliability of the networks and the authenticity of the data traffic in the networks.

Papers: “On Security Study of Two Distance Vector Routing Protocols for Mobile Ad Hoc Networks”, in Proceedings of IEEE International Conference on Pervasive Computing and Communications (PerCom), 2003.

“On Vulnerability and Protection of Ad Hoc On-demand Distance Vector Protocol”, in Proceedings of 10th IEEE International Conference on Telecommunication (ICT), 2003.


Research Motivation

• More than ten routing protocols for Ad Hoc networks have been proposed (AODV, DSR, DSDV, TORA, ZRP, etc.)

• Research focus has been on performance comparison and optimizations such as multicast and multiple path detection

• Research is needed on the security of Ad Hoc networks.

• Applications: Battlefields, Disaster recovery.


Research Motivation

• Two types of attacks target Ad Hoc network
  • External attacks:
    • MAC layer jamming
    • Traffic analysis
  • Internal attacks:
    • Compromised host sending false routing information
    • Fake authentication and authorization
    • Traffic flooding


Research Motivation

• Protection of Ad Hoc networks
  • Intrusion Prevention
    • Traffic encryption
    • Sending data through multiple paths
    • Authentication and authorization
  • Intrusion Detection
    • Anomaly pattern examination
    • Protocol analytical study


Research Motivation

• Deficiencies of intrusion prevention
  • Increases the overhead during normal operations of Ad Hoc networks
  • Restrictions on power consumption and computation capability prevent the usage of complex encryption algorithms
  • Flat infrastructure increases the difficulty for the key management and distribution
  • Cannot guard against internal attacks


Research Motivation

• Why intrusion detection itself is not enough
  • Detecting intrusion without removing the malicious host leaves the protection in a passive mode
  • Identifying the source of the attack may accelerate the detection of other attacks


Research Motivation

• Research problem: Intruder Identification
• Research challenges:
  • How to locate the source of an attack?
  • How to safely combine the information from multiple hosts and enable individual host to make decision by itself?
  • How to achieve consistency among the conclusions of a group of hosts?


Related Work in wired Networks

• Secure routing / intrusion detection in wired networks
  • Routers have more bandwidth and CPU power
  • Steady network topology enables the use of static routing and default routers
  • Large storage and history of operations enable the system to collect enough information to extract traffic patterns
  • Easier to establish trust relation in the hierarchical infrastructure


Related Work in wired networks

• Attack on RIP (Distance Vector)
  • False distance vector
• Solution (Bellovin 89)
  • Static routing
  • Listen to specific IP address
  • Default router
• Cannot apply in Ad Hoc networks


Related Work in wired networks

• Attack on OSPF (Link State)
  • False connectivity
  • Attack on Sequence Number
  • Attack on lifetime
• Solution
  • JiNAO: NCSU and MCNC
  • Encryption and digital signature


Related Work in Ad Hoc Networks

• Lee at GaTech summarizes the difficulties in building IDS in Ad Hoc networks and raises questions:
  • what is a good architecture and response system?
  • what are the appropriate audit data sources?
  • what is a good model to separate normal and anomaly patterns?
• Haas at Cornell lists the 2 challenges in securing Ad Hoc networks:
  • secure routing
  • key management service


Related Work in Ad Hoc Networks

• Agrawal at University of Cincinnati presents the general security schemes for the secure routing in Ad Hoc networks

• Nikander at Helsinki discusses the authentication, authorization, and accounting in Ad Hoc networks

• Bhargavan at UIUC presents the method to enhance security by dynamic virtual infrastructure

• Vaidya at UIUC presents the idea of securing Ad Hoc networks with directional antennas


Related Work ongoing projects

• TIARA: Techniques for Intrusion Resistant Ad-Hoc Routing Algorithm (DARPA)
  • develop general design techniques
  • focus on DoS attack
  • sustain continued network operations
• Secure Communication for Ad Hoc Networking (NSF)
  • Two main principles:
    • redundancy in networking topology, route discovery and maintenance
    • distribution of trust, quorum for trust


Related Work ongoing projects

• On Robust and Secure Mobile Ad Hoc and Sensor Network (NSF)
  • local route repair
  • performance analysis
  • malicious traffic profile extraction
  • distributed IDs
  • proposed a scalable routing protocol
• Adaptive Intrusion Detection System (NSF)
  • enable data mining approach
  • proactive intrusion detection
  • establish algorithms for auditing data


Problem Statement

• Intruder identification in ad hoc networks is the procedure of identifying the user or host that conducts the inappropriate, incorrect, or anomalous activities that threaten the connectivity or reliability of the networks and the authenticity of the data traffic in the networks.


Evaluation Criteria

• Accuracy
  • False coverage: Number of normal hosts that are incorrectly marked as suspected.
  • False exclusion: Number of malicious hosts that are not identified as such.
• Overhead
  • Overhead measures the increases in control packets and computation costs for identifying the attackers (e.g. verifying signed packets, updating blacklists).
  • Workload of identifying the malicious hosts in multiple rounds


Evaluation Criteria

• Effectiveness
  – Effectiveness: Increase in the performance of ad hoc networks after the malicious hosts are identified and isolated. Metrics include the increase of the packet delivery ratio, the decrease of average delay, or the decrease of normalized protocol overhead (control packets/delivered packets).
• Robustness
  – Robustness of the algorithm: Its ability to resist different kinds of attacks.


Assumptions

A1. Every host can be uniquely identified and its ID cannot be changed throughout the lifetime of the ad hoc network. The ID is used in the identification procedure.

A2. A malicious host has total control on the time, the target and the mechanism of an attack. The malicious hosts continue attacking the network.

A3. Digital signature and verification keys of the hosts have been distributed to every host. The key distribution in ad hoc networks is a tough problem and deserves further research. Several solutions have been proposed. We assume that the distribution procedure is finished, so that all hosts can examine the genuineness of the signed packets.

A4. Every host has a local blacklist to record the hosts it suspects. The host has total control over adding and deleting elements from its list. For clarity in the remainder of this paper, we call the real attacker the “malicious host”, while the hosts in blacklists are called “suspected hosts”.


Applying Reverse Labeling Restriction to Protect AODV

• Introduction to AODV

• Attacks on AODV and their impacts

• Detecting False Destination Sequence Attack

• Reverse Labeling Restriction Protocol

• Simulation results


Introduction to AODV

• Introduced in 97 by Perkins at NOKIA, Royer at UCSB

• 12 versions of IETF draft in 3 years, 4 academic implementations, 2 simulations

• Combines on-demand and distance vector
• Broadcast Route Query, Unicast Route Reply
• Quick adaptation to dynamic link condition and scalability to large scale network
• Support Multicast


Security Considerations for AODV

“AODV does not specify any special security measures. Route protocols, however, are prime targets for impersonation attacks. If there is danger of such attacks, AODV control messages must be protected by use of authentication techniques, such as those involving generation of unforgeable and cryptographically strong message digests or digital signatures.” - http://www.ietf.org/internet-drafts/draft-ietf-manet-aodv-11.txt


Message Types in AODV

• RREQ: route request
• RREP: route reply
• RERR: route error


Route Discovery in AODV

[Figure: route discovery in AODV among hosts S, S1, S2, S3, S4 and D. Step labels: “Broadcast request / Establish path to the source” and “Unicast reply / Establish path to the destination”.]


Introduction to AODV (con’d)

• Security Features of AODV
  • Combination of Broadcast and Unicast
    • Route reply is sent out along a single path, which prevents the disclosure of routing information
  • Fast Expiration of Reverse Route Entry
    • A route entry created by an unanswered route request expires in a short time
  • Freshness of Routing Information
    • Unique, monotonic destination sequence for every host; it can only be updated by the destination/request initiator


Attacks on AODV

• Malicious route request
  – query non-existing host (RREQ will flood throughout the network)
• False route error
  – route broken message sent back to source (route discovery is re-initiated)
• False distance vector
  – reply “one hop to destination” to every request and select a large enough sequence number
• False destination sequence
  – select a large number (even beat the reply from real destination)


Impacts of Attacks on AODV

| Attack | Packet Delivery Ratio | Protocol Overhead |
|---|---|---|
| No Attacks | 96% | 38% |
| Silent Discard | 91% | 41% |
| False Distance | 75% | 38% |
| False Destination Sequence | 53% | 66% |
| Vicious Flooding | 91% | 293% |


False Destination Sequence Attack

[Figure: false destination sequence attack among hosts S, S1, S2, S3, D and malicious host M. Message labels: RREQ(D, 3), RREP(D, 5) and RREP(D, 20).]


Attacks on AODV and Simulation Results

• Simulation of Attacks
  • A module called “AODV Attack” added into ns2
  • Four attacks have been implemented
    • malicious route request
    • silently discard
    • false distance vector
    • false destination sequence


Attacks on AODV and Simulation Results

• Simulation parameters

| Parameter | Value |
|---|---|
| Simulator | ns2 |
| Simulation duration | 1000 seconds |
| Simulation area | 1000 * 1000 m |
| Number of mobile hosts | 30 |
| Transmission range | 250 m (Lucent WaveLAN Card Specification) |
| Maximum speed | 5 -- 20 m/s |
| Number of CBR connection | 25 |
| Packet rate | 2 pkt / sec |
| Simulated attacks | False distance vector and false destination sequence |


Attacks on AODV and Simulation Results

X-axis is max moving speed, which evaluates the mobility of host. Y-axis is delivery ratio. Two attacks, false distance vector and false destination sequence, are considered. They cause about 30% and 50% of packets to be dropped.


Detecting false destination sequence attack by destination host during route rediscovery

[Figure: propagation of RREQ(D, 21) among hosts S, S1, S2, S3, S4, D and malicious host M.]

(1) S broadcasts a request that carries the old sequence + 1 = 21.

(2) D receives the RREQ. Local sequence is 5, but the sequence in RREQ is 21. D detects the false destination sequence attack.


Reverse Labeling Restriction (RLR)

• Basic Ideas

• Every host maintains a blacklist to record suspicious hosts. Suspicious hosts can be released from the blacklist or put there permanently.

• The destination host will broadcast an INVALID packet with its signature when it finds that the system is under a destination sequence attack. The packet carries the host’s identification, current sequence, new sequence, and its own blacklist.

• Every host receiving this packet will examine its route entry to the destination host. If the sequence number is larger than the current sequence in INVALID packet, the presence of an attack is noted. The next hop to the destination will be added into this host’s blacklist.


Reverse Labeling Restriction (RLR)

• All routing information or intruder identification packets from hosts in blacklist will be ignored, unless the information is about themselves.

• After a host is released from the blacklist, the routing information or identification results from it will be processed.


Example to illustrate RLR

[Figure: hosts S, S1, S2, S3, S4, D and malicious host M, with per-host blacklist labels BL {}, BL {S1}, BL {S2} and BL {M}.]

D sends an INVALID packet with current sequence = 5, new sequence = 21. S3 examines its route table; the entry to D is not false. S3 forwards the packet to S1. S1 finds that its route entry to D has sequence 20, which is > 5. It knows that the route is false. The hop that provided this false route to S1 was S2, so S2 is put into S1’s blacklist. S1 forwards the packet to S2 and S. S2 adds M into its blacklist. S adds S1 into its blacklist. S forwards the packet to S4. S4 does not change its blacklist since it is not involved in this route.

INVALID ( D, 5, 21, {}, SIGN )


Reverse Labeling Restriction (con’d)

• Update Blacklist by INVALID Packet

• The next hop on the invalid route is put into the local blacklist, a timer starts, and a counter is incremented

• Labeling process will be done in the reverse direction of route

• When timer expires, the suspicious host will be released from the blacklist and routing information from it will be accepted

• If counter > threshold, the suspicious host will be permanently put into blacklist
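The walk-through and the blacklist update rules above can be traced in a small model. This is an added example, not code from the presentation or its ns2 module; the link set, the `poison` helper, the timer length of 30, the threshold of 2 and the forged sequence numbers after the first round are constructed assumptions, and INVALID signatures are assumed to be already verified.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Host:
    name: str
    route_to_d: Optional[tuple] = None             # (next hop, destination sequence)
    blacklist: dict = field(default_factory=dict)  # suspect -> release time
    strikes: dict = field(default_factory=dict)    # suspect -> times labeled
    permanent: set = field(default_factory=set)

    def suspects(self, now):
        """Hosts currently ignored: unexpired temporary entries plus permanent ones."""
        return {h for h, until in self.blacklist.items() if until > now} | self.permanent

    def on_invalid(self, cur_seq, new_seq, sender, now, timeout, threshold):
        """RLR rule for one INVALID packet whose signature is assumed verified."""
        if self.route_to_d and self.route_to_d[1] > cur_seq:
            bad_hop = self.route_to_d[0]           # next hop on the invalid route
            self.blacklist[bad_hop] = now + timeout          # start the timer
            self.strikes[bad_hop] = self.strikes.get(bad_hop, 0) + 1
            if self.strikes[bad_hop] > threshold:
                self.permanent.add(bad_hop)
        # The INVALID packet also re-establishes the route along its arrival path.
        self.route_to_d = (sender, new_seq)

# Constructed links, chosen to match the forwarding order in the walk-through.
LINKS = {"D": {"S3"}, "S3": {"D", "S1"}, "S1": {"S3", "S2", "S"},
         "S2": {"S1", "M"}, "S": {"S1", "S4"}, "S4": {"S"}, "M": {"S2"}}

def new_network():
    hosts = {n: Host(n) for n in LINKS if n != "D"}
    hosts["S3"].route_to_d = ("D", 5)              # genuine route learned from D
    return hosts

def poison(hosts, forged_seq):
    """Constructed attack state: M's forged reply has travelled M -> S2 -> S1 -> S."""
    for name, next_hop in (("S2", "M"), ("S1", "S2"), ("S", "S1")):
        hosts[name].route_to_d = (next_hop, forged_seq)

def flood_invalid(hosts, cur_seq, new_seq, now, timeout=30, threshold=2):
    """D broadcasts INVALID; every host processes the first copy it receives."""
    seen, queue = {"D"}, deque(["D"])
    while queue:
        sender = queue.popleft()
        for nbr in sorted(LINKS[sender] - seen):
            seen.add(nbr)
            hosts[nbr].on_invalid(cur_seq, new_seq, sender, now, timeout, threshold)
            queue.append(nbr)

def slide_example():
    """One attack round with the slide's numbers: true sequence 5, forged 20, new 21."""
    hosts = new_network()
    poison(hosts, 20)
    flood_invalid(hosts, cur_seq=5, new_seq=21, now=0)
    return hosts

def repeated_attack(rounds=3):
    """M repeats the attack after each timer expiry; later sequences are constructed."""
    hosts = new_network()
    true_seq = 5
    for r in range(rounds):
        forged = true_seq + 15
        poison(hosts, forged)
        flood_invalid(hosts, cur_seq=true_seq, new_seq=forged + 1, now=100 * r)
        true_seq = forged + 1
    return hosts

if __name__ == "__main__":
    for name, host in sorted(slide_example().items()):
        print(name, sorted(host.suspects(now=1)))
```

In the repeated-attack run S1 ends up permanently blacklisting S2, an innocent relay, which is the false coverage case from the evaluation criteria.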


RLR creates suspicion trees. If a host is the root of a quorum of suspicion trees, it is labeled as the attacker.


Reverse Labeling Restriction (con’d)

• Update local blacklist by other hosts’ blacklist
  • Attach local blacklist to INVALID packet with digital signature to prevent impersonation
  • Every host will count the hosts involved in different routes that say a specific host is suspicious. If the number > threshold, it will be permanently added into local blacklist and identified as an attacker.
  • Threshold can be dynamically changed or can be different on various hosts


Reverse Labeling Restriction (con’d)

• Two other effects of INVALID packets
  • Establish routes to the destination host: when the host sends out INVALID packet with digital signature, every host receiving this packet can update its route to the destination host through the path it gets the INVALID packet.
  • Enable new sequence: When the destination sequence reaches its max number (0x7fffffff) and needs to round back to 0, the host sends an INVALID packet with current sequence = 0x7fffffff, new sequence = 0.


Reverse Labeling Restriction (con’d)

• Packets from suspicious hosts
  • Route request: If the request is from suspicious hosts, ignore it.
  • Route reply: If the previous hop is suspicious and the query destination is not the previous hop, the reply will be ignored.
  • Route error: will be processed as usual. RERR will activate re-discovery, which will help to detect attacks on destination sequence.
  • INVALID: if the sender is suspicious, the packet will be processed but the blacklist will be ignored.
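The counting rule for attached blacklists and the per-packet rules above, sketched as a receiver-side policy. This is an added example, not the presentation's code; the `Packet` and `Receiver` types, the action strings, the hosts S5 and S6, and the reading of “from suspicious hosts” as the request originator and of the count as distinct signers are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    kind: str                            # "RREQ", "RREP", "RERR" or "INVALID"
    origin: str                          # creator (and, for INVALID, verified signer)
    prev_hop: str                        # neighbour that handed the packet over
    dest: str = ""                       # queried destination (RREQ/RREP)
    blacklist: frozenset = frozenset()   # blacklist attached to an INVALID packet

@dataclass
class Receiver:
    threshold: int = 2
    suspected: set = field(default_factory=set)    # temporary local blacklist
    accusers: dict = field(default_factory=dict)   # accused -> distinct signers
    attackers: set = field(default_factory=set)    # permanently blacklisted

    def handle(self, p):
        """Return the action the rules prescribe for one received packet."""
        bad = self.suspected | self.attackers
        if p.kind == "RREQ":
            return "ignore" if p.origin in bad else "process"
        if p.kind == "RREP":
            # A suspect may still answer for a route to itself.
            if p.prev_hop in bad and p.dest != p.prev_hop:
                return "ignore"
            return "process"
        if p.kind == "RERR":
            return "process"             # triggers re-discovery, which aids detection
        if p.kind == "INVALID":
            if p.origin in bad:
                return "process-without-blacklist"
            for accused in p.blacklist:
                # A set of signers: repeated accusations by one host count once.
                self.accusers.setdefault(accused, set()).add(p.origin)
                if len(self.accusers[accused]) > self.threshold:
                    self.attackers.add(accused)
            return "process"
        raise ValueError("unknown packet kind: " + p.kind)

def framing_demo():
    """Constructed scenario: M accuses innocent S3 repeatedly, then is identified."""
    r = Receiver(threshold=2)
    for _ in range(5):
        r.handle(Packet("INVALID", origin="M", prev_hop="S2",
                        blacklist=frozenset({"S3"})))
    framed = "S3" in r.attackers
    for accuser in ("S2", "S5", "S6"):   # assumed hosts on three routes through M
        r.handle(Packet("INVALID", origin=accuser, prev_hop=accuser,
                        blacklist=frozenset({"M"})))
    late = r.handle(Packet("INVALID", origin="M", prev_hop="S2",
                           blacklist=frozenset({"S4"})))
    return framed, sorted(r.attackers), late, sorted(r.accusers)

if __name__ == "__main__":
    print(framing_demo())
```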


Simulation parameter

| Parameter | Value |
|---|---|
| Simulation duration | 1000 seconds |
| Simulation area | 1000 * 1000 m |
| Number of mobile hosts | 30 |
| Transmission range | 250 m |
| Pause time between the host reaches current target and moves to next target | 0 – 60 seconds |
| Maximum speed | 5 m/s |
| Number of CBR connection | 25/50 |
| Packet rate | 2 pkt / sec |


Reverse Labeling Restriction (con’d)

Simulation results

The following metrics are chosen:

• Delivery ratio (evaluate effectiveness of RLR)

• Number of normal hosts that identify the attacker (evaluate accuracy of RLR)

• Number of normal hosts that are marked as attacker by mistake (evaluate accuracy of RLR)

• Normalized overhead (evaluate communication overhead of RLR)

• Number of packets to be signed (evaluate computation overhead of RLR)


Reverse Labeling Restriction (con’d)

X-axis is host pause time, which evaluates the mobility of host. Y-axis is delivery ratio. 25 connections and 50 connections are considered. RLR brings a 30% increase in delivery ratio. 100% delivery is difficult to achieve due to network partition, route discovery delay and buffer.


Reverse Labeling Restriction (con’d)

X-axis is number of attackers. Y-axis is delivery ratio. 25 connections and 50 connections are considered. RLR brings a 20% to 30% increase in delivery ratio.


Reverse Labeling Restriction (con’d)

| Host pause time (sec) | 30 hosts, 25 connections: # of normal hosts identify the attacker | 30 hosts, 25 connections: # of normal hosts marked as malicious | 30 hosts, 50 connections: # of normal hosts identify the attacker | 30 hosts, 50 connections: # of normal hosts marked as malicious |
|---|---|---|---|---|
| 0 | 24 | 0.22 | 29 | 2.2 |
| 10 | 25 | 0 | 29 | 1.4 |
| 20 | 24 | 0 | 25 | 1.1 |
| 30 | 28 | 0 | 29 | 1.1 |
| 40 | 24 | 0 | 29 | 0.6 |
| 50 | 24 | 0.07 | 29 | 1.1 |
| 60 | 24 | 0.07 | 24 | 1.0 |

The accuracy of RLR when there is only one attacker in the system


Reverse Labeling Restriction (con’d)

| # of attackers | 30 hosts, 25 connections: # of normal hosts identify all attackers | 30 hosts, 25 connections: # of normal hosts marked as malicious | 30 hosts, 50 connections: # of normal hosts identify all attackers | 30 hosts, 50 connections: # of normal hosts marked as malicious |
|---|---|---|---|---|
| 1 | 28 | 0 | 29 | 1.1 |
| 2 | 28 | 0.65 | 28 | 2.6 |
| 3 | 25 | 1 | 27 | 1.4 |
| 4 | 21 | 0.62 | 25 | 2.2 |
| 5 | 15 | 0.67 | 19 | 4.1 |

The accuracy of RLR when there are multiple attackers


Reverse Labeling Restriction (con’d)

X-axis is host pause time, which evaluates the mobility of host. Y-axis is normalized overhead (# of control packet / # of delivered data packet). 25 connections and 50 connections are considered. RLR increases the overhead slightly.


Reverse Labeling Restriction (con’d)

X-axis is host pause time, which evaluates the mobility of host. Y-axis is the number of signed packets processed by every host. 25 connections and 50 connections are considered. RLR does not severely increase the computation overhead to mobile host.


Reverse Labeling Restriction (con’d)

X-axis is number of attackers. Y-axis is number of signed packets processed by every host. 25 connections and 50 connections are considered. RLR does not severely increase the computation overhead of mobile host.


Robustness of RLR

• If the malicious host sends false INVALID packet
  • Because the INVALID packets are signed, it cannot send the packets in other hosts’ name
  • If it sends INVALID in its own name, the reverse labeling procedure will converge on the malicious host and identify the attacker. The normal hosts will put it into their blacklists.


Robustness of RLR

• If the malicious host frames other innocent hosts by sending false Blacklist
  • If the malicious host has been identified, the blacklist will be ignored
  • If the malicious host has not been identified, this operation can only lower the threshold by one. If the threshold is selected properly, it will not impact the identification results.


Robustness of RLR

• If the malicious host only sends false destination sequence about some special host
  • The special host will detect the attack and send INVALID packets.
  • Other hosts can establish new routes to the destination by receiving the INVALID packets.


Securing Ad Hoc networks -- Establish trust relationship in open area

• Evaluate known knowledge
  – Known knowledge:
    • Interpretations of observations
    • Recommendations
  – An algorithm that evaluates trust among hosts is being developed
  – A host’s trustworthiness affects the trust toward the hosts on the route
• Predict the trustworthiness of a host
  – Current approach uses the result of evaluation as prediction.


Securing Ad Hoc networks -- Establish trust relationship in open area

• What trust information is needed when adding/removing suspicious host from blacklist?
  – The trust opinion of S1 towards an entity S2 in a certain context R
• What characteristics of trust need to be included in the model?
  – Dependability: combination of competence, benevolence, and integrity
  – Predictability


Securing Ad Hoc networks -- Establish trust relationship in open area

What is the suitable representation of trust?
• A random variable is used to represent trust so that the inherent uncertainty of deriving trust from behaviors can be accommodated.

How to represent the interpretation of an observation?
• A trust distribution function


Further Work

• Design a set of formalized criteria to evaluate identification algorithms

• Study more features of Ad Hoc networks and exploit their vulnerability

• Simulate attacks on RLR, examine its robustness
• Integrate with research on trust
• Methods to identify the non-attackers and release them from blacklist
• Mechanisms to release hosts from the permanent blacklist


• More information may be found at http://raidlab.cs.purdue.edu
• Our papers and tech reports
  W. Wang, Y. Lu, B. Bhargava, On vulnerability and protection of AODV, CERIAS Tech Report TR-02-18.
  B. Bhargava, Y. Zhong, Authorization based on Evidence and Trust, in Proceedings of Data Warehouse and Knowledge Management Conference (DaWak), 2002
  Y. Lu, B. Bhargava and M. Hefeeda, An Architecture for Secure Wireless Networking, IEEE Workshop on Reliable and Secure Application in Mobile Environment, 2001
  W. Wang, Y. Lu, B. Bhargava, “On vulnerability and protection of AODV”, in proceedings of ICT 2003.
  W. Wang, Y. Lu, B. Bhargava, “On security study of two distance vector routing protocols for two mobile ad hoc networks”, in proceedings of PerCom 2003.
