malicious nodes detection in aodv-based mobile ad hoc … · 50 malicious nodes detection in...

GESTS Int’l Trans. Computer Science and Engr., Vol.18, No.1 49

ⓒGESTS-Oct.2005

Malicious Nodes Detection in AODV-Based Mobile Ad Hoc Networks★

Jongoh Choi1, Si-Ho Cha2† , GunWoo Park1, and JooSeok Song1,

1 Department of Computer Science, Yonsei University, Seoul, Korea {jochoi, , jssong}@emerald.yonsei.ac.kr

2 Department of Computer Engineering, Sejong University, Seoul, Korea [email protected]

Abstract. This work provides a solution to detect malicious nodes normally operate during determination of a route over but modifies or drop data during data transmission or report wrong information regarding a normal node, using a report message and a report table that list reporter nodes and suspect nodes in AODV-based Mobile Ad Hoc Networks (MANETs). In the existing detection mechanisms, a malicious node that provides wrong information can be easily identified but cannot be removed from a network. To solve this problem, the proposed solution determines a suspect node as a malicious node when more than k lists of reporter nodes and suspect nodes are recorded in the report table in case where k malicious nodes are over the network. We evaluate the average loss rate and the average transmission rate of our solution along a number of parameters.

1 Introduction

The MANET is expected to be very useful in an urgent situation where infrastructure communication facilities are absent or difficult to install. For instance, the MANET may be used as a military communications network in a war field, an urgent rescue communication network when a disaster occurs, or a communications network in a temporary meeting. Since the MANET is weaker to attacks than the wire network, it is required to immediately detect and take measures for an attack against the MANET.

The following matters must be considered in designing a security scheme for the MANET. First, the MANET has an open peer-to-peer construction. Unlike a wire network with a dedicated router, each mobile node over the MANET acts as both a host and a router that transmits packets to a neighbor node. Thus, it is possible to devise security for a router that separates the inside and outside of a wire network, but it is difficult to provide security for the MANET since it has no particular router. Second, a wireless channel is shared by a plurality of nodes. Since both an authorized

★ This research was supported by the MIC (Ministry of Information and Communication),

Korea, under the ITRC (Information Technology Research Center) support program supervised by the IITA (Institute of Information Technology Assessment).

† Corresponding Author

50 Malicious Nodes Detection in AODV-Based Mobile Ad Hoc

ⓒGESTS-Oct.2005

node and a malicious node can access the wireless channel, the network can be easily attacked, that is, security for the network is very loose. Third, network resources over the MANET are very limited than over a wire network. In general, a low power mobile node that uses battery power does not have resources and performance enough to perform an encrypting process that requires large processing overhead. Therefore, the low power nod is vulnerable to external attacks. Fourth, a change in the mobility of mobile node or the state of a wireless channel changes network topology dynamically and remarkably [1].

There are basically two approaches to protect the MANET: proactive and reactive. This paper will study the reactive approach. The conventional studies of the MANET have been focused on detection of a node that maliciously drops or modifies data. That is, they do not provide a method of identifying a malicious node that makes a false report of a normal node. In contrast, this paper proposes a scheme that not only identifies a malicious node, which drops or modifies packets, using a report table storing previous report lists, but also detects a malicious node that makes a false report of a normal node, thus degrading the performance of a network.

Section 2 describes related works regarding identification of a malicious node. Section 3 proposes a method of detecting a malicious node that reports wrong information. Section 4 proves the good performance of the introduced scheme through a simulation using the NS-2 simulator. Section 5 provides the conclusion of this paper.

2 Related Work

Attacks against packet forwarding include dropping or arbitrarily modifying a data packet to be transmitted, repeatedly forwarding an already transmitted data packet, and transmitting a large amount of insignificant packets within a network to consume network resources, thereby increasing contention for or congestion in a wireless channel. In the Watchdog and Pathrater scheme [2], each node transmits data to a next node, stores a copy of the data in its buffer, and overhears whether the next node transmits the data. If the node overhears data transmission of the next node within a predetermined length of time, the node considers that the data was properly transmitted and deletes the copy of the data from the buffer. If not so, the node increases a failure tally for the next node. If the failure tally is greater than a threshold, the node determines that the next node intentionally dropped the data and reports this fact to a source node. Then, the source node discontinues use of a current route and determines a new route. During the determination of the new route, the most reliable route is first selected in consideration of a rate of each node.

In Byzantine Fault approach [3], when the destination node D receives data, it transmits an ACK to the source node S. If the source node S does not receive the ACK within a predetermined length of time, it determines that data loss occurs in the route. Data loss may be caused not only by a malicious node, but also due to buffer overflow or packet collision during a normal network operation. Thus, a threshold is determined in consideration of a probability that the data loss would occur in a normal network. When the rate of data loss is greater than the threshold, it is


ⓒGESTS-Oct.2005

determined that a malicious node does not transmit data and drops the data, and the malicious node is detected. In management of selfish node approach [4], each node transmits data to a next node and stores a copy of the data in its buffer. Upon receipt of a certificate from the next node, the node confirms that the data was properly transmitted to the next node. When the destination node D receives the data, it sends an ACK to the source node S. The nearer a node is to the destination node D, the shorter the length of time the node takes to receive an ACK.

However, the above approaches have a defect since it is impossible to determine whether a malicious node in the route makes a false report about a normal node to the source node.

3 Proposed Scheme

It is assumed that nodes are connected via a bi-directional link, and each node operates in a promiscuous mode and thus can overhear transmission of data of a neighbor node. Also, it is assumed that asymmetric encrypting is used to prevent a node’s false report, a private key Ki- of a node i over a network is not known to any node except the node i, and a public key Ki+ of the node i is known to all nodes over the network. Thus, in order to reports a node k as a malicious node, the node i must encrypt a report message using the private key Ki- and broadcast the report message in the network (reporter: node i, and suspect: node k). All the nodes receiving the report message can read the report message by decoding it using the public key Ki+. Since the private key Ki- is not known, the other node cannot make a false report message.

3.2 Proposed Scheme

The proposed scheme is fairly similar to the Watchdog and Pathrater scheme. Specifically, each node over a network transmits data to a next node, stores a copy of the data in its buffer, and overhears transmission of the data of the next node to confirm whether the next node transmits the data to its neighbor node. Referring to Figure 1, a node B transmits data to a node C, stores a copy of the data in its buffer, and overhears transmission of the data of the node C to determine whether the node C transmits the data to a destination node D. If the node B does not overhear the transmission of data of the node C within a predetermined length of time, the node B increases a failure tally for the node C. When the tally is greater than a threshold, the node B determines that the node C made misbehavior.

Fig. 1 Proposed algorithm

S A B C D

data data data data

drop

Report

overhear overhear

Report Table

C B

Suspect Repoter

Node A, B, …


ⓒGESTS-Oct.2005

However, a malicious node’s misbehavior is reported to a source node S via unicast in the Watchdog and Pathrater scheme, but the misbehavior is reported to all nodes over the network in the proposed scheme, thereby immediately detecting and removing a malicious node. Each of the nodes receiving the report determines whether a reporter and a suspect node listed in the report are recorded in its report table. If the reporter and the suspect are listed in the report table, the node disregards and drops the report. If not so, the node enters the reporter and the suspect node in the report table. In response to the report, the source node S sets up a new route while excluding a route in which the reporter and the suspect node are included as neighbor nodes. When the number of times that a node reports to the source node S is greater than k equivalent to the number of malicious nodes over the network, the node is determined as a malicious node and excluded from the network.

Figure 2 is a flowchart of the proposed scheme that identifies a malicious node, reports the malicious node to a source node using a report message, and manages a report table based on the report message. We represent several scenarios to prove the good performance of the proposed scheme in a network and explain a method of detecting and excluding a malicious node.

Fig. 2 Flowchart of proposed algorithm

Transmission data

Overhear of Next node

within a length of time

Increase Failure tally

Delete of

copy data

in buffer

Threshold excess

Broadcast of report message

Receive report message

The Same report list exists

In report table

Update Report table,

re-broadcast of report message

Report

message drop

Ignore

Y

Y

Y

N

N

N

Store copy of data in buffer after

Transmission of data


ⓒGESTS-Oct.2005

Case 1: A malicious node drops data. Referring to Figure 3, when a malicious node C does not transmit data to a destination node D and drops the data, a preceding node B cannot overhear transmission of data of the node C within a predetermined length of time and thus determines that the node C does not transmit data and drops it. Thus, the node B reports the node C as a malicious node.

S A B C Ddata

overhear

data

overhear

data

data

drop

Fig. 3 When malicious node drops data

Report

Case 2: A malicious node modifies data. Referring to Figure 4, a malicious node C arbitrarily modifies the content of or a part (or the entire part) of a header of data received from a node B, and transmits the modified data to a node D. Then, the node B overhears the transmission of the data of the node C and compares the transmitted data with a copy of the data stored in a buffer of the node B. When the comparison reveals that the data was arbitrarily changed, the node B considers the node C as a malicious node and reports the node C to a source node S.

S A B C D

data

overhear

data

overhear

data Modified

data

overhear

Fig.4 When malicious node modifies data

report

In case 1 or 2, when the node B submits a report regarding the node C, a report list of (a) of Figure 10 is recorded in the report tables of all nodes over the network. When the source node S receives the report and does not receive an ACK from the destination node D, the source node S determines that a malicious node is in the current route and sets up a new route.

If the malicious node C is included in the new route or another route from the source node S to the destination node D, the malicious node C will drop or arbitrarily modify data, and thus, other nodes L and K will report the node C as a malicious node to the source node S [see (b) and (c) of Figure 5]. In other words, when a malicious node operates normally during determination of a route, it can be included in the determined route. However, when the malicious node does not properly transmit data to a neighbor node, other nodes report the malicious node so that the malicious node is recorded as a suspect node in the report table.

If two malicious nodes are on the network, it is possible to consider the node C as a malicious node and exclude it from further network operations when the node C is recorded as a suspect node at least three times. This is because the number of times that the two malicious nodes can submit a false report regarding a normal node while cooperating with each other is two. Accordingly, when the node C is reported as a


ⓒGESTS-Oct.2005

malicious node at least three times, this report can be considered as a true report, not a false report.

C

B

reporter

Node A

Report Table

S A B C Ddata

I J K

L M N

(a)

Report Report

ReportReport

data data

data Suspect

S A B C D

data

data data

data

Report

I J K

L M N

Fig. 5 Measures against case 1 and 2

Case 3: A malicious node disguises itself as another node and submits a false report. Since the proposed scheme uses asymmetric encryption using a private key and a

public key, it is possible to prevent a malicious node from disguising itself as a normal node using the identification of the normal node, and submitting a false report. Referring to Figure 6, even if a node B can disguise itself as a node X and submit a false report message R, the node B does not know a private key KX

- of the node X, and must encrypt the false report message R using its private key KB

- and broadcast the false report message R. Upon receiving the false report message R, each node considers that the node X transmits the false report message R and decodes it using the public key KX

+ of the node X. However, since the false report message R was not encrypted using the private key KX, the false report message R cannot be decoded properly, thus causing an error. Therefore, each node can realize that the false report message R is a false report. For this reason, the node B cannot disguise itself as another node and submit a false report.

Case 4: A malicious node submits a false report regarding another node. When a malicious node M submits a false report regarding a node X irrespective of route setup or data transmission, a list of a reporter and a suspect node is entered in a

S A B C D

data data data

data

Report

I J K

L M N

C

C

C

K

B

N

Node A

Report

(c) reporter

Report

Report

Report

data

C

C

B

K

Node A

Report

reporter

Report

ReportReport

data

(b) Suspect

Suspect


ⓒGESTS-Oct.2005

report table of each node, indicated by ① of Figure 7. If the malicious node M

As shown i ng a normal node C and drops an ACK transmitted from the node D, a source node S sets

stead,

Report Table

continues submitting a false report at a current or new position, a report list is added to the report table of each node, indicated by ② and ③ of Figure 7. When the malicious node M is recorded as a reporter in the report table of each node more than k times, the node M is identified as a false reporter, and thus cannot participate in network operations.

Node J

Case 5: A malicious node submits a false report regarding a normal node. n Figure 8, when a malicious node B submits a false report regardi

up a new route without determining whether the report of the node B is false. Ina list of (a) of Figure 8 is added to a report table of each node. When the node B makes a false report at a new or different route again, lists of (b) and (c) of Figure 8 are added to the report table of each node. Referring to (a) through (c), only the malicious node B is listed as a reporter but nodes listed as suspect nodes are different from one another, which prove that the node B made false reports.

When two malicious nodes are over the network and the node B is recorded as a reporter in the report table three or more times, the node B is considered as a malicious node that submitted false reports. If the node B is a good node and nodes C and H are malicious nodes, the lists (a) and (b) may be created according to true reports, not false reports. Therefore, when the number of reports is larger by at least one than the number of malicious nodes, a suspect node is considered as a malicious node.

S A B C Ddata data data data

M

Repor

E F

Y M

Z M

X M

SuspectReporter

Node A

①

②

③

Fig. 7 In case of temporary report

Encryption ???Decryption

KB- (Private key) KX+ (Public Key)

KB-(R) KX+(KB-(R))=?

Node B Node K

Fig. 6 When malicious node disguises as another node

…

Report,

R

…

Node L


ⓒGESTS-Oct.2005

Fig. 8 In case of false report

3.3 Application of Propose

e proposed scheme to the AODV routing protocols for the Ad Hoc

C B

Report

Node A

d Scheme to AODV

This chapter will discuss a method of applying throuting protocol that is a representative on-demandNetwork. It is easy to exclude a node, which is identified as a malicious node, during determination of a route. Referring to (a) of Figure 9, when a node A broadcasts a RREQ message, a malicious node B receives and rebroadcasts the RREQ message. Normal nodes E, C, and F receive the RREQ message from the malicious node B, realize that the node B is malicious node from their report tables, and do not allow transmission of the RREQ message to other nodes in the network, thereby excluding the node B from the route.

There is a case where a pair of a reporter and a suspect is reported once or more in the network but it is difficult to identify a malicious node. Referring to (a) of Figure 9, the nodes B and C are recorded as a reporter and a suspect, respectively, in the report table of each node over the network. If the reporter node B is a malicious node that maliciously submits a false report, the node B broadcasts the RREQ message and the nodes E, C, and D receive the RREQ message. The normal node C drops the RREQ message, since it does not desire to reflect the RREQ message, which describes that the node B is the reporter and the node C is the suspect, in determining a new route. However, the nodes E and F rebroadcast the RREQ message from the node B so that a new route is determined to reflect to determine the route according to the RREQ message.

Report

S A B C D

data data data data

Report

I J K

L M N

Report

ReportReport

(a)

S A B C D

data data

data data

I J K

L M N

data

C B

B

Report

Node A

(b)

M

Report Report Report

Report Report

S A B C D

data data

data

data

I J K

L M N

d

B

C B

J

Report

Node A

(c)

M

B

Report

Report Report

ReportReport

Suspect

Suspect

Suspect


ⓒGESTS-Oct.2005

Referring to (b) of Figure 9, since a node C is a malicious node, the node C does not drop the RREQ message that the node B broadcast, and rebroadcasts it so that bo

to exclude a malicious , a previous node ad

4. Analysis and performance

mance of the proposed scheme through a simulation. The simulation was performed using an NS-2 simulator. In the simulation,

Network size

th the nodes B and C can be included in a new route. This is because the node C predicts even if the malicious node C is included in the new route again and drops data from the node B and the node B reports this fact, the report of the node B would be disregarded in the network.

In this case, the AODV routing requires an additional scheme

node. Specifically, according to the additional schemedress field previous add is added to the RREQ message, thus allowing a node

receiving the RREQ message to notice a node transmitting the RREQ message and a previous node preceding the node that transmits the RREQ message. Referring to (b) of Figure 9, the malicious node C receives the RREQ message from the node B and transmits the RREQ message to the node D. Then, the node D notices that the previous node of the node C is the node B based on the RREQ message and a report table of the node D, and do not transmit the RREQ message to exclude the nodes B and C from the route.

This section proves the good perfor

the proposed scheme was applied to the existing AODV routing protocol. Also, in the simulation, the existing AODV routing protocol and the AODV routing protocol that uses the proposed scheme are compared with each other in terms of their average loss rates and average transmission rates on an assumption that a malicious node is over a network. Table 1 shows major parameter values used in the simulation.

Table.1 Major parameters

1000 * 1000 (m) Number of nodes 60 Number of malicious nodes 3, 6

A B C

E

G

F

RREQ

A B C G

E

F

C B

Reporter

Node C

Report

(a)

C B

Reporter

Node G

Report

(b) RREQ

Fig. 9 Application of proposed algorithm to AODV

Suspect

Suspect


ⓒGESTS-Oct.2005

Simulation time 1000 sec Pause time 0, 600 sec Traffic UDP/CBR

4.1 Average Loss Rate

100 200 300 400 500 600 700 800 900 10000

10

20

30

40

50

60

70

80

time (sec)

loss

rate

(%)

# of malicious node : 6

AODV-0proposed-0AODV-600proposed-600

100 200 300 400 500 600 700 800 900 10000

10

20

30

40

50

60

70

80

time(sec)

loss

rate

(%)

# of malicious node : 3

AODV-0proposed-0AODV-600proposed-600

(a) The number of malicious nodes : 6 (b) The number of malicious nodes : 3 Fig. 10 Average loss rates

V uting protocol and the p p otocol when the number of

nodes is six. That is, the le

4.2 Average Transmission Rate

verage transmission rates in the existing AODV routing protocol and the proposed AODV routing protocol in the above environment.

(a) of Figure 10 is a graph illustrating avera ro ro osed AODV routing pr

ge loss rates in the existing AOD

malicious nodes is six and pause times are 0 and 600 sec. The graph reveals that the loss rate in the proposed AODV routing protocol is 10 through 20% less than that in the existing AODV protocol. Also, the longer the length of time of the simulation, the less the loss rate in the proposed AODV routing protocol. That is, as a predetermined time has passed, the proposed scheme identifies malicious nodes over a network and excludes them from a newly determined route, thereby preventing attacks by the malicious nodes and reducing the loss rate. Further, the more the mobility of malicious node, the higher the loss rate. In other words, it is highly probable that a malicious node would move to be included in a new route.

Referring to (b) of Figure 10, the average loss rate when the number of malicious nodes is three, is lower than when the number of malicious

ss the number of malicious nodes over the network, the less the probability that the malicious nodes would be included in the route.

Figure 11 is a graph illustrating a

Referring to Figure 11, since the loss rate in the proposed AODV routing protocol is less than that in the existing AODV routing protocol, the transmission rate in the proposed AODV routing protocol is higher than in the existing AODV routing protocol. Also, a large amount of data can be transmitted when three malicious nodes


ⓒGESTS-Oct.2005

are over the network, in contrast with when six malicious nodes are over the network. Further, a loss rate is lower and the transmission rate is higher when pause time is 600 sec, i.e., when the mobility of network is small, than when pause time is 0, i.e., when the mobility of network is large. That is, when malicious nodes frequently move, they are highly likely to be included in a new route. In this case, the loss rate in the network is increased, thus lowering the transmission rate.

The longer the length of time of the simulation, the greater the difference in transmission rates between the existing AODV routing protocol and the proposed A

Fig. 11 Average transmission rates

5. Conclusions

a solution that detects and excludes malicious nodes that normally operate during determination of a route but abnormally operate during data

ODV routing protocol. This is because malicious nodes over the network are detected and excluded from the network as a predetermined length of time has passed.

(a) The number of malicious nodes : 6

(b) The number of malicious nodes : 3

This paper proposed

transmission over the network, using a report message and a report table specifying a pair of a reporter node and a suspect node. In our solution, a suspect node is determined as a malicious node when k malicious nodes are over the MANET and more than k report lists are recorded in the report table. Accordingly, it is possible to effectively determine whether a node is a malicious node submitting a false report and exclude the node from the network. This paper also proves through a simulation that the AODV routing protocol that uses the proposed scheme is superior to the existing AODV routing protocol in view of their average loss rates and transmission rates. The simulation revealed that the more malicious nodes over the network, the more the mobility of the malicious node, the greater the rate of data loss, and the less the rate of transmission. In particular, as time has passed, the performance of the AODV routing protocol using the proposed scheme becomes still better than the existing AODV routing protocol. However, the proposed scheme must further be improved to provide more extensive security during determination of a route over the Ad hoc network.

100 200 300 400 500 600 700 800 900 10000

1000

2000

3000

4000

5000

6000

7000

8000

9000

10000

time(sec)

deliv

ery(

byte

)

# of malicious node : 3# of malicious node : 610000

proposed-600AODV-600proposed-0AODV-0

100 200 300 400 500 600 700 800 900 10000

1000

2000

3000

4000

5000

6000

7000

8000

9000proposed-600AODV-600proposed-0AODV-0

time(sec)

deliv

ery(

byte

)


ⓒGESTS-Oct.2005

References [1] Hao Yang, Haiyun Luo, Fan Ye, Songwu Lu, and Lixia Zhang, “Security in Mobile Ad Hoc

allenges and Solutions”, IEEE Wireless Communications, 2004.

e, 2002.

f.org/rfc/rfc3561.txt, July 2003.

Bi

▲ Name: Jongoh Choi

Networks: Ch[2] S. Marti et al., “Mitigating Routing Misbehavior in Mobile Ad Hoc Networks”, ACM

MOBICOM, 2000. [3] B. Awerbuch et al., “An On-Demand Secure Routing Protocol Resilient to Byzantine

Failures”, ACM WiS[4] gajin Na et al, “Secure Mechanism to manage selfish nodes in Ad hoc Network”, JCCI,

2004. [5] J.Broch, D.Johnson & D.Maltz, “The Dynamic Source Routing Protocol for Mobile Ad

Hoc Networks”, http://ietf.org/internet-drafts/draft-ietf-manet-dsr-09.txt, IETF Internet draft, 15 April 2003, Work in progress.

[6] S.R.Das & C.E.Perkins, “Ad hoc On-Demand Distance Vector(AODV) Routing for Mobile Ad Hoc networks”, http://www.iet

ography

He has received the M.S. degree in the Department of Computer al Defense University, Seoul, Korea, in 2002. He is

Si-Ho Cha

Engineering from Nationcurrently working on Ph.D. degree at Yonsei University, Seoul, Korea. His research interests include Cryptography and Network Security and Wireless Network.

▲ Name:

He received the M.S. and Ph.D. degrees in Computer Science from y in 1997 and 2004, respectively. From 1997 to 2000, Kwangwoon Universit

he worked for Daewoo Telecom as a senior member of scientific staff. He is currently an adjunct professor in the Department of Computer Engineering, Sejong University, Seoul, Korea. His research interests include Network Management, Wireless Sensor Network, and Security Management.

▲ Name: GunWoo Park He received the B.S. degree in the Department of Computer Science from

ersity, in 1997. Currently, he is working toward Chungnam National Univthe M.S. degree in computer science at Yonsei University of Science and Technology, Seoul, Korea. His research interest includes Wireless Communications Networks and Mobile Ad-hoc networks, Security.

▲ Name: JooSeok Song

He received the M.S. degree in electrical engineering from KAIST, Korea, 1n 1979. In 1988, he received the Ph.D. degree in computer science from University of California at Berkeley. He had been an assistant professor of Naval Postgraduate School, California, USA from 1988 to 1989. He is currently a professor of computer science at Yonsei University, Seoul, Korea. His research interests include Cryptography, Next Generation Internet and PCS.

http://ietf.org/internet-drafts/draft-ietf-manet-dsr-09.txt

malicious nodes detection in aodv-based mobile ad hoc … · 50 malicious nodes detection in...

Documents