Secure communication in cellular

and ad hoc environments

Bharat Bhargava
bb@cs.purdue.edu
Department of Computer Sciences,
Purdue University
This is supported by Motorola Communication
Research Lab & National Science Foundation

Team at Motorola:
Jeff Bonta
George Calcev
Benetido Fouseca
Trefor Delve
Team at Purdue University:
X. Wu
Research scientist (receives his
PhD from UC-Davis)
Y. Lu
PhD student
G. Ding
PhD student
W. Wang
PhD student

Problem statement
How to provide secure, continuous,
and efficient connectivity for a
mobile unit in a structured (cellular
based) or unstructured (ad hoc)
network environment?
3

Challenges
Dynamic topology
Movement, node failure, etc.

Heterogeneous and decentralized control

Limited resources
Bandwidth, processing ability, energy

Unfriendly environment
Selfish nodes, malicious attackers

Research contributions
Combining advantages of cellular systems and ad
hoc networks to enable a more secure network
structure and better performance
Designing routing protocols for ad hoc networks
that adapt to both network topology and traffic
congestion
Designing intruder identification protocols in ad
hoc networks
Conducting experimental studies in heterogeneous
wireless environments and evaluating our protocols
5

Research directions
Cellular-aided Mobile Ad Hoc Network
(CAMA)
Adaptive and Heterogeneous Mobile
Wireless Networks
Intruder Identification in Ad Hoc Networks

Cellular-aided Mobile Ad Hoc

Network (CAMA)

CAMA: Problem Statement

How to realize commercial peer-to-peer
applications over mobile wireless ad hoc
networks?
Papers:
Integrating Heterogeneous Wireless Technologies:
Cellular-Aided Mobile Wireless Ad hoc Networks
(CAMA), submitted to ACM Special Issues of the
Journal on Special Topics in Mobile Networking and
Applicaitons (MONET).
8

Challenges
Authentication and accounting
No fixed membership

Security concern
Open medium without any centralized control

Real time services

Dynamic topology and slow routing
information distribution

Current Environment
Cellular network provides:
Wide coverage
Multiple services with single cellular ID
Small packet service in 3G network
Wireless terminals with different protocols

10

CAMA Description
Integration of cellular network and ad hoc
network
CAMA agent works as centralized server
attached to the cellular network
CAMA agent provides ad hoc nodes
information such as authentication, routing
support, keys through cellular channel
Data transmission uses ad hoc channel
11

CAMA Environment

12

Major Ideas
Use signals via cellular network for ad hoc
routing and security managements
Centralized CAMA agent provides control
over distributed ad hoc network

13

CAMA vs. ad hoc network

CAMA has advantages over pure ad hoc
networks in:
Simple network authentication and
accounting
Routing server for more accurate routing
decisions
Certification authority for key distribution
Central security check point for intrusion
detection
14

CAMA vs. cellular/WLAN

CAMA has advantages over cellular/WLAN
integrated network in:
No extra fixed infrastructure
No access point needed

No ad hoc channel radio coverage limit

Multi-hop ad hoc link

No transmission bottleneck
Not all traffic need going through a single node
15

Impact
Cellular service combined with low-cost,
high-data-rate wireless service

16

Research Questions
Feasibilities in commercial applications
requires:
Development of routing algorithm and
protocols for multimedia service
Investigation of CAMA vulnerabilities
Development of security protocols for key
distribution and intrusion detection
Evaluation of gain in ad hoc network
Evaluation of overhead in cellular network
17

Methodology of Research
Building algorithms and protocols
Developing bench marks and performance metrics
on multi-media service
Conducting experimental studies
Using ns-2
Using common platform simulator from Motorola Inc.

Comparing with ad hoc routing protocols

Ad hoc on-demand distance vector routing (AODV)
Destination source routing (DSR)
18

Research of Interest to Motorola

Evaluating CAMA routing in realistic simulation
environment:
Radio environment
Adaptive data rate determined by signal-noise-ratio (SNR)

Node mobility
Exponentially distributed speed

Node density
400 users/sq.km to 14800 users/sq.km

Traffic pattern
VoIP, TCP, Video

Inaccurate position information

Error of 5m to 100m

19

Research of Interest to Motorola (ctn.)

Authentication
By CAMA agent
By mobile nodes

Accounting
Charging rate
Award to intermediate nodes

20

Research of Interest to Motorola (ctn.)

Key assignment
Group key assignment
For entire ad hoc network
For nodes along an active route

Session key assignment

For peer-to-peer communication

21

Research of Interest to Motorola (ctn.)

Intrusion detection
Information collection
Information for different intrusions

Malicious judging rule

Quick malicious node elimination vs. probability of
wrong judgment
Detection cost vs. gain

22

Adaptive and Heterogeneous

Mobile Wireless Networks

Problem statement
How to provide continuous connectivity for
a mobile unit to a network in which every
node is moving?
Papers:
Secure Wireless Network with Movable Base Stations, being
revised for IEICE/IEEE Joint Special Issue on Assurance
Systems and Networks.
Study of Distance Vector Routing Protocols for Mobile Ad Hoc
Networks, in Proceedings of IEEE International Conference on
Pervasive Computing and Communications (PerCom), 2003.

24

Challenges
Dynamic topology
Movement, node failure, energy problem, etc.

Decentralized control
Limited bandwidth
Congestion is typically the norm rather than the
exception. [RFC 2501]

25

Research contributions
Routing protocols for mobile ad hoc
networks that adapt to not only network
topology, but also traffic and congestion.
Architecture, design of protocols, and
experimental evaluation in heterogeneous
wireless environments

26

Broad impacts
Sensor networks
Military networks

27

Two network environments

considered
Mobile ad hoc networks
No centralized control

Large scale heterogeneous wireless

networks with control in base stations
Wireless networks with movable base stations
(WNMBS)

28

Research questions in mobile ad

hoc networks
Development of ad hoc routing protocols that adapt
to traffic load and network congestion.
Identify the network parameters that impact the
performance of routing protocols.
Determine the appropriateness of on-demand and
proactive approaches (given specific routing requirements
and network parameters).
Identify features of ad hoc networks that can be used to
improve routing.
29

Related work (routing protocol)

Destination-Sequenced Distance Vector (DSDV) [Perkins/Bhagwat,
SigComm94] (Nokia)
Ad-hoc On-demand Distance Vector (AODV) [Perkins/Royer/Das,
WMCSA99, IETF draft 98-03] (Nokia, UCSB, SUNY-Stony Brook)
Dynamic Source Routing (DSR) [Johnson/Maltz, Mobile Computing96, IETF
draft 03] (Rice Univ., CMU)
Zone Routing Protocol (ZRP) [Haas/Pearlman/Samar, ICUPC97, IETF draft
99-02] (Cornell)
Adaptive Distance Vector (ADV) [Boppana/Konduru, InfoCom01] (UT-San
Antonio)
Source-Tree Adaptive Routing (STAR) [Garcia-Luna-Aceves/Spohn,
MONET01] (UCSC, Nokia)
Associativity-Based Routing (ABR) [Toh, Wireless Personal Communications
Journal97] (Cambridge Univ.)
Ad-hoc On-demand Multipath Distance Vector (AOMDV) [Marina/Das,
ICNP01] (Univ. of Cincinnati)

30

Related work (contd)

Protocol

Approach

Routing information
uses

Additional
information

DSDV

Proactive

Distance Vector

DSR

On-demand

Source routing

AODV

On-demand

Distance Vector

ZRP

Hybrid

Distance Vector

ADV

Hybrid

Distance Vector

STAR

Proactive

Link State

ABR

On-demand

Distance Vector

Associativity

AOMDV

On-demand

Distance Vector

Multipath

31

Related work (performance

comparison)
Comparison of DSDV, TORA, AODV and DSR
[Broch/Maltz/Johnson/Hu/Jetcheva, MobiCom98]
(CMU)
Scenario-based performance analysis of DSDV,
AODV, and DSR
[Johansson/Larsson/Hedman/Mielczarek/Degermar
k, MobiCom99] (Ericsson)
Performance comparison of AODV and DSR
[Perkins/Royer/Das/Marine, IEEE Personal
Communications01]
32

Methodology of research
Developing benchmarks and performance
metrics for routing protocols
Conducting experimental studies
Determine guidelines for design
Evaluate protocols

Building algorithms and protocols

33

Ongoing research
Study of proactive and on-demand
approaches
Congestion-aware distance vector routing
protocol
Packet loss study

34

Research study
Investigate the proactive and on-demand approaches
Generalize the results obtained from protocols to the
proactive and on-demand approaches
Introduce power consumption as a performance metric
Inject heavy traffic load
Identify the major causes for packet drop
Comprehensively study in various network environments

Propose a congestion-aware routing protocol

35

Simulation experiments
DSDV and AODV are studied by varying
network environment parameters
Node mobility (maximum moving speed)
Traffic load (number of connections)
Network size (number of mobile nodes)

Performance metrics

Packet delivery ratio

Average end-to-end delay
Normalized protocol overhead
Normalized power consumption
36

Simulation setup for

experiments
Simulator

ns-2

Examined protocols

DSDV and AODV

Simulation duration

1000 seconds

Simulation area
Transmission range

1000 m x 1000 m
250 m

Movement model

Random waypoint

Maximum speed

4 24 m/s

Traffic type
Data payload
Packet rate
Node pause time
Bandwidth

CBR (UDP)
512 bytes/packet
4 packets/sec
10 seconds
1 Mb/s

37

Motivation for a new proactive protocol

The proactive protocols provide better support
for:
Applications requiring QoS
Timely propagate network conditions

Intrusion and anomaly detection

Constantly exchange the network topology information

The proactive approach exhibits better

scalability with respect to the number of
mobile nodes and traffic load.
38

Proposed protocol: Congestion Aware

Distance Vector (CADV)
Problem with the proactive approach
Congestion

Objective:
Dynamically detect congestion and route packets through lesscrowded paths

Method:
Characterize congestion and traffic load by using expected delay.
Consider expected delay at the next hop as the secondary metric
to make routing decisions.
Allow a one-hop longer route to be chosen.
Use destination sequence number to avoid loop.

39

Design issues
Use MAC layer callback to detect broken link
Quick detection
More triggered updates
Whether re-queue a packet

Allowing a one-hop longer route

A one-hop shorter route may not replace the current one if it
introduces significantly more delay.
To avoid short-lived loop, do not replace the current route with a
longer one if they have the same sequence number.

Deal with fluctuation

Use randomness in routing decisions to reduce fluctuation

40

CADV
Components:
Real time traffic monitor
Traffic control
Route maintenance module

Route update:
When broadcasts an update, every node advertises the expected
delay of sending a packet as:

E[ D ]

Route maintenance
Apply a function f(E[D], distance) to evaluate the value of a route

41

Observations of CADV
CADV outperforms AODV and DSDV in terms
of delivery ratio
The end-to-end delay becomes longer because
longer routers may be chosen to forward packets
The protocol overhead of CADV is doubled
compared with that of DSDV. It is still less than
that of AODV when the network is loaded
CADV consumes less power per delivered packet
than DSDV and AODV do

42

Characteristics of wireless networks with

movable base stations

Large scale
Heterogeneity
Autonomous sub-nets
Base stations have more resources
Base stations take more responsibilities

43

Research questions
How to organize the network?
Minimize the effect of motion
Minimize the involvement of mobile host

How to build routing protocol?

IP-compliant
Cooperate with various intra-subnet routing protocols

How to secure communications?

Authenticate
Maintain authentication when a host is roaming

44

Related work
Integrating ad hoc and cellular
Mobile-Assisted Connection-Admission (MACA)
[Wu/Mukherjee/Chan, GlobeCom00] (UC-Davis)
Integrated Cellular and Ad-hoc Relaying (iCAR)
[Wu/Qiao/De/Tonguz, JSAC01] (SUNY-Buffalo)
Multihop Cellular Networks (MCN) [Lin/Hsu, InfoCom00] (Taiwan)

Mobile base station

Distributed, dynamic channel allocation [Nesargi/Prakash, IEEE
Transactions on Vehicular Technology02] (UT-Dallas)

Hierarchical structure
Multimedia support for Mobile Wireless Networks (MMWN)
[Ramanathan/Steenstrup, MONET98] (BBN Technologies)
Clustering scheme for hierarchical control in multi-hop wireless
networks [Banerjee/Khuller, InfoCom01] (UMD)

45

Methodology of research
Building architecture, developing
algorithms and protocols
Membership management
Inter-subnet routing
Intra- and inter-subnet authentication

Evaluation through experiments

46

Research results
Hierarchical mobile wireless network
(HMWN)
Hierarchical membership management scheme
Segmented membership-based group routing
protocol
Protection of network infrastructure
Secure roaming and fault-tolerant
authentication
47

Future research plan

Develop congestion avoidance routing
protocol for ad hoc networks.
Conduct experiments to study the effect of
implementing congestion avoidance at
different layers.
Conduct a series of experiments to evaluate
HMWN.
48

Intruder Identification in Ad
Hoc Networks

Problem Statement
Intruder identification in ad hoc networks is the
procedure of identifying the user or host that conducts
the inappropriate, incorrect, or anomalous activities
that threaten the connectivity or reliability of the
networks and the authenticity of the data traffic in the
networks.
Papers:
On Security Study of Two Distance Vector Routing Protocols for
Mobile Ad Hoc Networks, in Proceedings of IEEE International
Conference on Pervasive Computing and Communications
(PerCom), 2003.
On Vulnerability and Protection of Ad Hoc On-demand
Distance Vector Protocol, in Proceedings of 10th IEEE
International Conference on Telecommunication (ICT), 2003.
50

Research Motivation
More than ten routing protocols for Ad Hoc
networks have been proposed (AODV, DSR,
DSDV, TORA, ZRP, etc.)
Research focus has been on performance
comparison and optimizations such as multicast
and multiple path detection
Research is needed on the security of Ad Hoc
networks.
Applications: Battlefields, Disaster recovery.
51

Research Motivation
Two types of attacks target Ad Hoc network
External attacks:
MAC layer jamming
Traffic analysis

Internal attacks:
Compromised host sending false routing
information
Fake authentication and authorization
Traffic flooding

52

Research Motivation
Protection of Ad Hoc networks
Intrusion Prevention
Traffic encryption
Sending data through multiple paths
Authentication and authorization

Intrusion Detection
Anomaly pattern examination
Protocol analytical study

53

Research Motivation
Deficiencies of intrusion prevention
Increases the overhead during normal
operations of Ad Hoc networks
Restriction on power consumption and
computation capability prevent the usage of
complex encryption algorithms
Flat infrastructure increases the difficulty for
the key management and distribution
Cannot guard against internal attacks
54

Research Motivation
Why intrusion detection itself is not enough
Detecting intrusion without removing the
malicious host leaves the protection in a passive
mode
Identifying the source of the attack may
accelerate the detection of other attacks

55

Research Motivation
Research problem: Intruder Identification
Research challenges:
How to locate the source of an attack ?
How to safely combine the information from
multiple hosts and enable individual host to
make decision by itself ?
How to achieve consistency among the
conclusions of a group of hosts ?

56

Related Work in wired Networks

Secure routing / intrusion detection in wired
networks
Routers have more bandwidth and CPU power
Steady network topology enables the use of
static routing and default routers
Large storage and history of operations enable
the system to collect enough information to
extract traffic patterns
Easier to establish trust relation in the
hierarchical infrastructure
57

Related Work in wired networks

Attack on RIP (Distance Vector)
False distance vector

Solution (Bellovin 89)

Static routing
Listen to specific IP address
Default router
Cannot apply in Ad Hoc networks

58

Related Work in wired networks

Attack on OSPF (Link State)
False connectivity
Attack on Sequence Number
Attack on lifetime

Solution
JiNAO:NCSU and MCNC
Encryption and digital signature

59

Related Work in Ad Hoc Networks

Lee at GaTech summarizes the difficulties in
building IDS in Ad Hoc networks and raises
questions:
what is a good architecture and response system?
what are the appropriated audit data sources?
what is the good model to separate normal and
anomaly patterns?

Haas at Cornell lists the 2 challenges in

securing Ad Hoc networks:
secure routing
key management service
60

Related Work in Ad Hoc Networks

Agrawal at University of Cincinnati presents the
general security schemes for the secure routing in
Ad Hoc networks
Nikander at Helsinki discusses the authentication,
authorization, and accounting in Ad Hoc networks
Bhargavan at UIUC presents the method to
enhance security by dynamic virtual infrastructure
Vaidya at UIUC presents the idea of securing Ad
Hoc networks with directional antennas

61

Related Work ongoing projects

TIARA: Techniques for Intrusion Resistant Ad-Hoc
Routing Algorithm (DARPA)
develop general design techniques
focus on DoS attack
sustain continued network operations
Secure Communication for Ad Hoc Networking (NSF)
Two main principles:
redundancy in networking topology, route discovery and
maintenance
distribution of trust, quorum for trust

62

Related Work ongoing projects

On Robust and Secure Mobile Ad Hoc and Sensor
Network (NSF)
local route repair
performance analysis
malicious traffic profile extraction
distributed IDs
proposed a scalable routing protocol
Adaptive Intrusion Detection System (NSF)
enable data mining approach
proactive intrusion detection
establish algorithms for auditing data

63

Problem Statement
Intruder identification in ad hoc networks is
the procedure of identifying the user or host
that conducts the inappropriate, incorrect, or
anomalous activities that threaten the
connectivity or reliability of the networks
and the authenticity of the data traffic in the
networks.

64

Evaluation Criteria
Accuracy
False coverage: Number of normal hosts that are
incorrectly marked as suspected.
False exclusion: Number of malicious hosts that are not
identified as such.

Overhead
Overhead measures the increases in control packets and
computation costs for identifying the attackers (e.g.
verifying signed packets, updating blacklists).
Workload of identifying the malicious hosts in multiple
rounds
65

Evaluation Criteria
Effectiveness
Effectiveness: Increase in the performance of ad hoc
networks after the malicious hosts are identified and
isolated. Metrics include the increase of the packet
delivery ratio, the decrease of average delay, or the
decrease of normalized protocol overhead (control
packets/delivered packets).

Robustness
Robustness of the algorithm: Its ability to resist
different kinds of attacks.

66

Assumptions
A1. Every host can be uniquely identified and its ID cannot be changed
throughout the lifetime of the ad hoc network. The ID is used in the
identification procedure.
A2. A malicious host has total control on the time, the target and the
mechanism of an attack. The malicious hosts continue attacking the
network.
A3. Digital signature and verification keys of the hosts have been
distributed to every host. The key distribution in ad hoc networks is a
tough problem and deserves further research. Several solutions have
been proposed. We assume that the distribution procedure is finished,
so that all hosts can examine the genuineness of the signed packets.
A4. Every host has a local blacklist to record the hosts it suspects. The host
has total control on adding and deleting elements from its list. For the
clarity of the remainder of this paper, we call the real attacker as
malicious host, while the hosts in blacklists are called suspected
hosts.

67

Applying Reverse Labeling Restriction to

Protect AODV
Introduction to AODV
Attacks on AODV and their impacts
Detecting False Destination Sequence
Attack
Reverse Labeling Restriction Protocol
Simulation results
68

Introduction to AODV
Introduced in 97 by Perkins at NOKIA, Royer at
UCSB
12 versions of IETF draft in 3 years, 4 academic
implementations, 2 simulations
Combines on-demand and distance vector
Broadcast Route Query, Unicast Route Reply
Quick adaptation to dynamic link condition and
scalability to large scale network
Support Multicast
69

Security Considerations for AODV

AODV does not specify any special security
measures. Route protocols, however, are prime
targets for impersonation attacks. If there is
danger of such attacks, AODV control messages
must be protected by use of authentication
techniques, such as those involving generation
of unforgeable and cryptographically strong
message digests or digital signatures.

- http://www.ietf.org/internet-drafts/draft-ietf-manet-aodv-11.txt
70

Message Types in AODV

RREQ: route request
RREP: route reply
RERR: route error

71

Route Discovery in AODV

D

Establish path to
Unicast reply
the destination

Establish Broadcast
path to
the sourcerequest
S1

S3

Establish Broadcast
path to
the sourcerequest

Establish path to
Unicast reply
the destination

S2

S4

Establish path to
Unicast reply
the destination

Establish
Broadcast
path to
the source
request
S

72

Introduction to AODV (cond)

Security Features of AODV
Combination of Broadcast and Unicast
Route reply is sent out along a single path, prevent
the disclosure of routing information

Fast Expiration of Reverse Route Entry

Route entry created by un-replied route request will
expire in a short time

Freshness of Routing Information

Unique, monotonic destination sequence for every
host, could only be updated by destination/request
initiator
73

Attacks on AODV
Malicious route request
query non-existing host (RREQ will flood throughout the
network)

False route error

route broken message sent back to source (route discovery is reinitiated)

False distance vector

reply one hop to destination to every request and select a large
enough sequence number

False destination sequence

select a large number (even beat the reply from real destination)

74

Impacts of Attacks on AODV

Packet Delivery
Ratio

Protocol Overhead

No Attacks

96%

38%

Silent Discard

91%

41%

False Distance

75%

38%

False Destination
Sequence

53%

66%

Vicious Flooding

91%

293%
75

False Destination Sequence Attack

RREP(D, 5)
RREQ(D,5)3)
S3 RREP(D,
RREQ(D, 3)
S

RREQ(D,20)
3)
RREP(D,
S1

RREQ(D, 3)
RREP(D, 20)
S2

RREP(D, 20)
M

76

Attacks on AODV and Simulation Results

Simulation of Attacks
A module called AODV Attack added into
ns2
Four attacks have been implemented

malicious route request

silently discard
false distance vector
false destination sequence
77

Attacks to AODV and Simulation Results

Simulation parameters
Simulator
Simulation duration
Simulation area
Number of mobile hosts
Transmission range
Maximum speed
Number of CBR connection
Packet rate
Simulated attacks

ns2
1000 seconds
1000 * 1000 m
30
250 m (Lucent WaveLAN Card
Specification)
5 -- 20 m/s
25
2 pkt / sec
False distance vector and false
destination sequence

78

Attacks to AODV and Simulation Results

X-axis is max moving speed, which evaluates the mobility of host. Yaxis is delivery ratio. Two attacks: false distance vector and false
destination sequence, are considered. They lead to about 30% and 50%
of packets to be dropped.

79

Detecting false destination sequence attack

by destination host during route rediscovery
(1). S broadcasts a
request that carries the
old sequence + 1 = 21

D
S3

RREQ(D, 21)
S

(2) D receives the RREQ.

Local sequence is 5, but the
sequence in RREQ is 21. D
detects the false destination sequence attack.

S1

S2

S4
Propagation of RREQ

80

Reverse Labeling Restriction (RLR)

Basic Ideas
Every host maintains a blacklist to record suspicious
hosts. Suspicious hosts can be released from the blacklist
or put there permanently.
The destination host will broadcast an INVALID packet
with its signature when it finds that the system is under
attack on sequence. The packet carries the hosts
identification, current sequence, new sequence, and its
own blacklist.
Every host receiving this packet will examine its route
entry to the destination host. If the sequence number is
larger than the current sequence in INVALID packet, the
presence of an attack is noted. The next hop to the
destination will be added into this hosts blacklist.
81

Reverse Labeling Restriction (RLR)

All routing information or intruder identification packets
from hosts in blacklist will be ignored, unless the
information is about themselves.
After a host is released from the blacklist, the routing
information or identification results from it will be
processed.

82

Example to illustrate RLR

S3

S
BL {S1}

S4
BL {}

S1

BL {}

INVALID ( D, 5, 21,
{}, SIGN )

BL {S2}

S2
BL {M}

M BL {}

D sends INVALID packet with current sequence = 5, new sequence = 21. S3

examines its route table, the entry to D is not false. S3 forward packet to S1. S1
finds that its route entry to D has sequence 20, which is > 5. It knows that the
route is false. The hop which provides this false route to S1 was S2. S2 will be put
into S1s blacklist. S1 forward packet to S2 and S. S2 adds M into its blacklist. S
adds S1 into its blacklist. S forward packet to S4. S4 does not change its blacklist
since it is not involved in this route.

83

Reverse Labeling Restriction (cond)

Update Blacklist by INVALID Packet
Next hop on the invalid route will be put into local
blacklist, a timer starts, a counter ++
Labeling process will be done in the reverse
direction of route
When timer expires, the suspicious host will be
released from the blacklist and routing information
from it will be accepted
If counter > threshold, the suspicious host will be
permanently put into blacklist

84

RLR creates suspicion trees. If a host is the root of a

quorum of suspicion trees, it is labeled as the attacker.

85

Reverse Labeling Restriction (cond)

Update local blacklist by other hosts blacklist
Attach local blacklist to INVALID packet with
digital signature to prevent impersonation
Every host will count the hosts involved in
different routes that say a specific host is
suspicious. If the number > threshold, it will be
permanently added into local blacklist and
identified as an attacker.
Threshold can be dynamically changed or can
be different on various hosts
86

Reverse Labeling Restriction (cond)

Two other effects of INVALID packets
Establish routes to the destination host: when
the host sends out INVALID packet with digital
signature, every host receiving this packet can
update its route to the destination host through
the path it gets the INVALID packet.
Enable new sequence: When the destination
sequence reaches its max number (0x7fffffff)
and needs to round back to 0, the host sends an
INVALID packet with current sequence =
0x7fffffff, new sequence = 0.
87

Reverse Labeling Restriction (cond)

Packets from suspicious hosts
Route request: If the request is from suspicious hosts,
ignore it.
Route reply: If the previous hop is suspicious and the
query destination is not the previous hop, the reply will
be ignored.
Route error: will be processed as usual. RERR will
activate re-discovery, which will help to detect attacks
on destination sequence.
INVALID: if the sender is suspicious, the packet will be
processed but the blacklist will be ignored.
88

Simulation parameter
Simulation duration
Simulation area
Number of mobile hosts
Transmission range
Pause time between the host
reaches current target and moves to
next target

1000 seconds
1000 * 1000 m
30
250 m
0 60 seconds

Maximum speed

5 m/s

Number of CBR connection

25/50

Packet rate

2 pkt / sec

89

Reverse Labeling Restriction (cond)

Simulation results
The following metrics are chosen:
Delivery ratio (evaluate effectiveness of RLR)
Number of normal hosts that identify the attacker
(evaluate accuracy of RLR)
Number of normal hosts that are marked as attacker by
mistake (evaluate accuracy of RLR)
Normalized overhead (evaluate communication
overhead of RLR)
Number of packets to be signed (evaluate computation
overhead of RLR)
90

Reverse Labeling Restriction (cond)

X-axis is host pause time, which evaluates the mobility of host. Y-axis is
delivery ratio. 25 connections and 50 connections are considered. RLR
brings a 30% increase in delivery ratio. 100% delivery is difficult to
achieve due to network partition, route discovery delay and buffer.

91

Reverse Labeling Restriction (cond)

X-axis is number of attackers. Y-axis is delivery ratio. 25 connections

and 50 connections are considered. RLR brings a 20% to 30% increase
in delivery ratio.

92

Reverse Labeling Restriction (cond)

30 hosts, 25 connections
Host Pause time
(sec)

# of normal
hosts identify
the attacker

# of normal
hosts marked as
malicious

30 hosts, 50 connections
# of normal
hosts identify
the attacker

# of normal
hosts marked as
malicious

24

0.22

29

2.2

10

25

29

1.4

20

24

25

1.1

30

28

29

1.1

40

24

29

0.6

50

24

0.07

29

1.1

60

24

0.07

24

1.0

The accuracy of RLR when there is only one attacker in

the system

93

Reverse Labeling Restriction (cond)

# of attackers

30 hosts, 25 connections

30 hosts, 50 connections

# of normal
# of normal
hosts identify all hosts marked as
attackers
malicious

# of normal
# of normal
hosts identify all hosts marked as
attackers
malicious

28

29

1.1

28

0.65

28

2.6

25

27

1.4

21

0.62

25

2.2

15

0.67

19

4.1

The accuracy of RLR when there are multiple attackers

94

Reverse Labeling Restriction (cond)

X-axis is host pause time, which evaluates the mobility of host. Yaxis is normalized overhead (# of control packet / # of delivered
data packet). 25 connections and 50 connections are considered.
RLR increases the overhead slightly.

95

Reverse Labeling Restriction (cond)

X-axis is host pause time, which evaluates the mobility of host.

Y-axis is the number of signed packets processed by every host.
25 connections and 50 connections are considered. RLR does not
severely increase the computation overhead to mobile host.

96

Reverse Labeling Restriction (cond)

X-axis is number of attackers. Y-axis is number of signed packets

processed by every host. 25 connections and 50 connections are
considered. RLR does not severely increase the computation
overhead of mobile host.

97

Robustness of RLR
If the malicious host sends false INVALID
packet
Because the INVALID packets are signed, it cannot
send the packets in other hosts name
If it sends INVALID in its own name, the reverse
labeling procedure will converge on the malicious
host and identify the attacker. The normal hosts
will put it into their blacklists.

98

Robustness of RLR
If the malicious host frames other innocent hosts
by sending false Blacklist
If the malicious host has been identified, the blacklist
will be ignored
If the malicious host has not been identified, this
operation can only lower the threshold by one. If the
threshold is selected properly, it will not impact the
identification results.

99

Robustness of RLR
If the malicious host only sends false
destination sequence about some special host
The special host will detect the attack and send
INVALID packets.
Other hosts can establish new routes to the
destination by receiving the INVALID packets.

100

Securing Ad Hoc networks -- Establish trust

relationship in open area
Evaluate known knowledge
Known knowledge:
Interpretations of observations
Recommendations

An algorithm that evaluates trust among hosts is being

developed
A hosts trustworthiness affects the trust toward the
hosts on the route

Predict of trustworthiness of a host

Current approach uses the result of evaluation as
prediction.
101

Securing Ad Hoc networks -- Establish trust

relationship in open area
What trust information is needed when adding/
removing suspicious host from blacklist?
The trust opinion of S1 towards an entity S2 in
a certain context R
What characteristics of trust need to be included in
the model?
Dependability: combination of competence,
benevolence, and integrity
Predictability
102

Securing Ad Hoc networks -- Establish trust

relationship in open area
What is the suitable representation of trust?
A random variable is used to represent trust so
that the inherent uncertainty of deriving trust
from behaviors can be accommodated.
How to represent the interpretation of an observation?
A trust distribution function

103

Further Work
Design a set of formalized criteria to evaluate
identification algorithms
Study more features of Ad Hoc networks and
exploit their vulnerability
Simulate attacks on RLR, examine its robustness
Integrate with research on trust
Methods to identify the non-attackers and release
them from blacklist
Mechanisms to release hosts from the permanent
blacklist
104

 More information may be found at

http://raidlab.cs.purdue.edu

Our papers and tech reports

W. Wang, Y. Lu, B. Bhargava, On vulnerability and protection of
AODV, CERIAS Tech Report TR-02-18.
B. Bhargava, Y. Zhong, Authorization based on Evidence and Trust,
in Proceedings of Data Warehouse and Knowledge Management
Conference (DaWak), 2002
Y. Lu, B. Bhargava and M. Hefeeda, An Architecture for Secure
Wireless Networking, IEEE Workshop on Reliable and Secure
Application in Mobile Environment, 2001
W. Wang, Y. Lu, B. Bharagav, On vulnerability and protection of
AODV, in proceedings of ICT 2003.
W. Wang, Y. Lu, B. Bhargava, On security study of two distance
vector routing protocols for two mobile ad hoc networks, in
proceedings of PerCOm 2003.

105

Selected References

[1] C. Perkins and E. Royer, Ad-hoc on-demand distance vector routing, in

Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and
Applications, 1999.
[2] C. Perkins, Highly dynamic destination-sequenced distancevector routing
(DSDV) for mobile computers, in Proceedings of SIGCOMM, 1994.
[3] Z. Haas and M. Pearlman, The zone routing protocol (ZRP) for ad hoc
networks, IETF Internet Draft, Version 4, July, 2002.
[4] T. Camp, J. Boleng, B. Williams, L. Wilcox, and W. Navidi, Performance
comparison of two location based routing protocols for ad hoc networks, in
Proceedings of the IEEE INFOCOM, 2002.
[5] Z. Haas, J. Halpern, and L. Li, Gossip-based ad hoc routing, in
Proceedings of the IEEE INFOCOM, 2002.
[6] C. Perkins, E. Royer, and S. Das, Performance comparison of two ondemand routing protocols for ad hoc networks, in Proceedings of IEEE
INFOCOM, 2000.
[7] S. Das and R. Sengupta, Comparative performance evaluation of routing
protocol for mobile, ad hoc networks, in Proceedings of IEEE the Seventh
International Conference on Computer Communications and Networks, 1998.
[8] L. Venkatraman and D. Agrawal, Authentication in ad hoc networks, in
Proceedings of the 2nd IEEE Wireless Communications and Networking
Conference, 2000.

106

Selected References

[9] Y. Zhang and W. Lee, Intrusion detection in wireless ad-hoc networks, in

Proceedings of ACM MobiCom, 2000.
[10] Z. Zhou and Z. Haas, Secure ad hoc networks, IEEE Networks, vol. 13,
no. 6, pp. 2430, 1999.
[11] V. Bharghavan, Secure wireless LANs, in Proceedings of the ACM
Conference on Computers and Communications Security, 1994.
[12] P. Sinha, R. Sivakumar, and V. Bharghavan, Enhancing ad-hoc routing
with dynamic virtual infrastructures., in Proceedings of IEEE INFOCOM,
2001.
[13] S. Bhargava and D. Agrawal, Security enhancements in AODV protocol
for wireless ad hoc networks, in Proceedings of Vehicular Technology
Conference, 2001.
[14] P. Papadimitratos and Z. Haas, Secure routing for mobile ad hoc
networks, in Proceedings of SCS Communication Networks and Distributed
Systems Modeling and Simulation Conference (CNDS), 2002.
[15] P. Albers and O. Camp, Security in ad hoc network: A general id
architecture enhancing trust based approaches, in Proceedings of
International Conference on Enterprise Information Systems (ICEIS), 2002.

107