Building a trustworthy, secure, and private

12. Detecting Service Violations in
Internet and Mobile Ad Hoc Networks
Bharat Bhargava
CERIAS Security Center
CWSA Wireless Center
Department of CS and ECE
Purdue University
bb@cs.purdue.edu
Supported by NSF IIS 0209059, NSF IIS 0242840,
NSF CNS 0219110, CISCO, Motorola, IBM
1
Research Team
• Faculty Collaborators
– Dongyan Xu, Middleware and privacy
– Mike Zoltowski, Smart antennas, wireless security
– Sonia Fahmy, Internet security
• Postdoc
– Leszek Lilien, Privacy and vulnerability
– Xiaoxin Wu, Wireless security
– Jun Wen, QoS
– Mamata Jenamani, Privacy
• Ph.D. students
– Ahsan Habib, Internet Security
– Mohamed Hefeeda, Peer-to-Peer networking
– Yi Lu, Wireless security and congestion control
– Yuhui Zhong, Trust management and fraud
– Weichao Wang, Security in wireless networks
More information at http://www.cs.purdue.edu/people/bb
2
Motivation
• Lack of trust, privacy, security, and
reliability impedes information sharing
among distributed entities.
• Research is required for the creation of
knowledge and learning in secure
networking, systems, and applications.
3
Goal
• Enable the deployment of secure
applications in the pervasive computing
and communication environments.
4
Objective
• A trustworthy, secure, and privacy preserving
network platform must be established for
trusted collaboration. The fundamental
research problems include:
– Trust management
– Privacy preserved collaborations
– Dealing with a variety of attacks in networks
– Intruder identification in ad hoc networks
– Trust-based privacy preservation for peer-to-peer
data sharing
5
Applications/Broad Impacts
• Guidelines for the design and deployment of
security sensitive applications in the next
generation networks
– Data sharing for medical research and treatment
– Collaboration among government agencies for
homeland security
– Transportation system (security check during travel,
hazardous material disposal)
– Collaboration among government officials, law
enforcement and security personnel, and health care
facilities during bio-terrorism and other emergencies
6
Scientific Contributions
A. Trust formalization
B. Privacy-preserving Collaborations
Privacy preservation in interactions
C. Detecting Service Violations in Internet
Network tomography techniques for DoS attacks
D. Intruder Identification in Ad Hoc
Networks
Intrusion detection and intruder identification
E. Trust-based Privacy Preservation for
Peer-to-Peer Data Sharing
7
8
A. Trust Formalization
• Problem
– Dynamically establish and update trust among entities in an open
environment.
• Research directions
– Handling uncertain evidence
– Modeling dynamic trust
– Formalization and detection of fraud
• Challenges
– Uncertain information complicates the inference procedure.
– Subjectivity leads to various interpretations toward the same
information.
– The multi-faceted and context-dependent characteristics of trust
require tradeoff between representation comprehensiveness and
computation simplicity of the trust model.
9
Trust Info and Metrics
• Trust based on
– Evidence
– Credential
– Interactions
– Fraud potential
– Privacy requirement
• Measure of trust
10
Uncertain Evidence
• Probability-based approach to evaluate the
uncertainty of a logic expression given a set of
uncertain evidence
– Atomic formula: Bayes network + causal
inference + conditional probability interpretation
of opinion
– AND/OR expressions: rule defined by Jøsang
[Jøsang'01]
– Subjectivity is realized using discounting operator
proposed by Shafer [Shafer'76]
11
Dynamic Trust
• Trust production based on direct interaction
– Identify behavior patterns and their characteristic
features
– Determine which pattern is the best match of an
interaction sequence
– Develop personalized trust production algorithms
considering behavior patterns
• Reputation aggregation
– Global reputation vs. personalized reputation
– Personalized reputation aggregation
• Determine the subset of trust information useful for
a specific trustor by using collaborative filters
• Translate trust information into the scale of a
specific trustor
12
Trust Enhanced Role Assignment (TERA)
Prototype
• Trust enhanced role mapping (TERM) server
assigns roles to users based on
– Uncertain & subjective evidence
– Dynamic trust
• Reputation server
– Dynamic trust information repository
– Evaluate reputation from trust information by using
algorithms specified by TERM server
Prototype and demo are available at
http://www.cs.purdue.edu/homes/bb/NSFtrust/
13
TERA Architecture
[Figure: TERA architecture. Components: users (Alice, Bob), TERM servers, reputation server, RBAC enhanced application servers. Arrow labels: role request, assigned role, reputation, interactions, user's behavior, trust based on behaviors.]
14
Trust Enhanced Role Mapping (TERM) Server
• Evidence rewriting
• Role assignment
– Policy parser
– Request processor & inference engine
– Constraint enforcement
• Policy base
• Trust information management
– User behavior modeling
– Trust production
15
TERM Server
[Figure: TERM server. Components: trust information management, evidence rewriting, role assignment, policy base, credential manager. External parties: reputation server, application server, user, policy maker. Arrow labels: trust information, behaviors, reputation, trust toward issuer, trust toward user/issuer, evidence statement, request role, assign role, role-assignment policies, credentials provided / retrieved.]
16
Fraud Formalization and Detection
• Model fraud intention
– Uncovered deceiving intention
– Trapping intention
– Illusive intention
• Fraud detection
– Profile-based anomaly detection
• Monitor suspicious actions based upon the
established patterns of an entity
– State transition analysis
• Build an automaton to identify activities that lead
towards a fraudulent state
17
Model Fraud Intentions
• Uncovered deceiving
intention
– Satisfaction ratings
are stably low.
– Ratings vary in a
small range over
time.
18
Model Fraud Intentions
• Trapping intention
– Rating sequence can
be divided into two
phases: preparing
and trapping.
– A swindler behaves
well to achieve a
trustworthy image
before he conducts
frauds.
19
Model Fraud Intentions
• Illusive intention
– A smart swindler
attempts to cover the
bad effects by
intentionally doing
something good after
misbehaviors.
– Process of preparing
and trapping is
repeated.
20
21
B. Privacy-Preserving Collaborations
• Problem
– Preserve privacy, gain trust, and control dissemination
of data
• Privacy based on
– Approximate location
– Approximate version of information
– Any cast
• Determine the degree of data privacy
– Size of anonymity set metrics
– Entropy-based metrics
• Tradeoff between privacy and trust
22
23
C. Detecting Service Violations in Internet
• Problem statement
Detecting service violation in networks is
the procedure of identifying the
misbehaviors of users or operations that
do not adhere to network protocols.
24
Topology Used (Internet)
[Figure: Internet topology with victim V. A3 uses reflector H3 to attack V; A1 spoofs H5’s address to attack V.]
25
Detecting DoS Attacks in Internet
*SPIE: Source Path Isolation Engine
26
• Research Directions
– Observe misbehavior flows through service
level agreement (SLA) violation detection
– Core-based loss
– Stripe based probing
– Overlay based monitoring
27
Approach
• Develop low overhead and scalable
monitoring techniques to detect service
violations, bandwidth theft, and attacks.
The monitor alerts against possible DoS
attacks at an early stage
• Policy enforcement and controlling the
suspected flows are needed to maintain
confidence in the security and QoS of
networks
28
Methods
• Network tomography
– Stripe based probing is used to infer individual
link loss from edge-to-edge measurements
– Overlay network is used to identify congested
links by measuring loss of edge-to-edge paths
• Transport layer flow characteristics are
used to protect critical packets of a flow
• Edge-to-edge mechanism is used to
detect and control unresponsive flows
29
Monitoring Network Domains
• Idea:
– Excessive traffic changes internal characteristics
inside a domain (high delay & loss, low throughput)
– Monitor network domain for unusual patterns
– If traffic is aggregating towards a domain (same IP
prefix), probably an attack is coming
• Measure delay, link loss, and throughput
achieved by user inside a network domain
Monitoring by periodic polling or deploying
agents in high speed core routers puts non-trivial
overhead on them
30
Core-assisted loss measurements
• Core reports to the monitor whenever packet drop
exceeds a local threshold
• Monitor computes the total drop for time interval t
• If the total drop exceeds a global threshold
a. The monitor sends a query to all edge routers
requesting their current rates
b. The monitor computes total incoming rate from all
edge routers
c. The monitor computes the loss ratio as the ratio of
the dropped packets and the total incoming rate
d. If the loss ratio exceeds the SLA loss ratio, a
possible SLA violation is reported
31
Stripe Unicast Probing [Duffield et al., INFOCOM ’01]
• Back-to-back packets experience
similar congestion in a queue with a
high probability
• Receiver observes the probes to correlate them
for loss inference
• Infer internal characteristics using topology
• For general tree? Send stripe from root to every
ordered pair of leaves
• Develop stripe-based monitoring by extending
loss inference for multiple drop precedence
32
Inferring Loss
• Calculate how many packets are received
by the two receivers. Transmission
probability $A_k$:
$$A_k = \frac{Z_{R_1} Z_{R_2}}{Z_{R_1 \cup R_2}}$$
where $Z_i$ is a binary variable which takes 1
when all packets reached their destination
and 0 otherwise
• Loss is $1 - A_k$
• For general tree, send stripe from root to
every ordered pair of leaves.
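The inference above, as an added example that is not part of the original slides: a simulated two-leaf tree (root → k → R1, R2) in which only the receivers' observations are used to recover the loss on the shared link. It assumes each Z is taken as the fraction of stripes for which the event held, and that back-to-back packets of a stripe share the same fate on a link; the function names and link probabilities are constructed for the illustration.

```python
import random


def send_stripes(n, a_shared, a_r1, a_r2, seed=1):
    """Simulate n stripes on the tree root -> k -> {R1, R2}.

    Constructed model (an assumption of this example): the packets of one
    stripe share the same fate on every link they cross together.
    Returns one (reached_R1, reached_R2) pair per stripe, which is all
    the two edge receivers can observe.
    """
    rng = random.Random(seed)
    observations = []
    for _ in range(n):
        shared_ok = rng.random() < a_shared   # link root -> k
        leaf1_ok = rng.random() < a_r1        # link k -> R1
        leaf2_ok = rng.random() < a_r2        # link k -> R2
        observations.append((shared_ok and leaf1_ok, shared_ok and leaf2_ok))
    return observations


def infer_shared_link(observations):
    """Estimate A_k = Z_R1 * Z_R2 / Z_(R1 u R2) and the loss 1 - A_k.

    Z_R1 and Z_R2 are the fractions of stripes fully received by each
    receiver; Z_(R1 u R2) is the fraction received by both.
    Returns None when no stripe reached both receivers, because the
    estimator is undefined in that case.
    """
    n = len(observations)
    if n == 0:
        return None
    z_r1 = sum(1 for r1, _ in observations if r1) / n
    z_r2 = sum(1 for _, r2 in observations if r2) / n
    z_both = sum(1 for r1, r2 in observations if r1 and r2) / n
    if z_both == 0:
        return None
    a_k = min(1.0, z_r1 * z_r2 / z_both)
    return a_k, 1.0 - a_k


def naive_path_loss(observations):
    """End-to-end loss seen by R1 alone; it mixes shared and leaf links."""
    n = len(observations)
    return 1.0 - sum(1 for r1, _ in observations if r1) / n


if __name__ == "__main__":
    # Constructed link transmission probabilities: 10% loss on the shared link.
    obs = send_stripes(20000, a_shared=0.90, a_r1=0.95, a_r2=0.90)
    a_k, loss = infer_shared_link(obs)
    print("inferred A_k = %.3f, shared-link loss = %.3f" % (a_k, loss))
    print("naive root->R1 loss = %.3f" % naive_path_loss(obs))
```

The naive end-to-end figure overstates the shared link's loss because it also includes the leaf link, which is the distinction the stripe estimator is there to make.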
Overlay-based Monitoring
• Problem statement
– Given topology of a network domain, identify which
links are congested
• Solutions: Simple and Advanced methods
1. Monitor the network for link delay
2. If $\text{delay}_i > \text{Threshold}_i^{\text{delay}}$ for path i, then probe the
network for loss
3. If $\text{loss}_j > \text{Threshold}_j^{\text{loss}}$ for any link j, then probe the
network for throughput
4. If $\text{BW}_k > \text{Threshold}_k^{\text{BW}}$, flow k is violating service
agreements by taking excess resources. Upon
detection, we control the flows.
34
Probing: Simple Method
[Figure: (a) Topology, (b) Overlay, (c) Internal links; the congested link is marked]
• Each peer probes both of its neighbors
• Detect congested link in both directions
35
An Example
• Perform one round peer-to-peer probing in counter-clockwise direction
• Each boolean variable $X_{ij}$ represents the congestion status of link i → j
• For each probe P, we have an equation $P_{i,j} = X_{i,k} + \dots + X_{l,j}$
36
Experiments: Evaluation methodology
• Simulation using ns-2
• Two topologies
– C-C links, 20 Mbps
– E-C links, 10 Mbps
• Parameters
– Number of flows on the order of
thousands
– Change life time of flows
– Simulate attacks by varying
traffic intensities and
injecting traffic from multiple
entry points
• Output Parameters
– delay, loss ratio, throughput
[Figure: Topology 1, with the congested link marked]
37
Identified Congested Links
[Figure: loss ratio vs. time (sec); (a) counter-clockwise probing, (b) clockwise probing]
Probe46 in graph (a) and Probe76 in graph (b) observe high losses,
which means link C4 → E6 is congested.
38
False Positive (theoretical analysis)
• The simple method does not correctly label all links
• The unsolved “good” links are considered bad, hence
false positives happen
39
• Need to refine the solution → Advanced Method
• Example:
Suppose there are 100 links in the network, 20 of them
congested and 80 “good”. The basic probing
method can identify 15 congested links and 70
good links. The other 15 are labeled as
“unknown”. If all unknown links are treated as
congested, 10 good links will be falsely labeled as
congested. When the false positive rate is too high,
the available paths that can be chosen by the
routers are restricted, thus network performance
is impacted.
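The probe equations and the false-positive effect described above, as an added example that is not part of the original slides: each probe is treated as a boolean OR over the links on its path, links are labelled good, congested or unknown, and unknown links are then counted as false positives when treated as congested. The topology, link names and the extra probe are constructed for the illustration.

```python
def run_probe(path, truth):
    """A probe observes congestion if any link on its path is congested."""
    return (tuple(path), any(truth[link] for link in path))


def infer_link_status(probes):
    """Solve the probe equations P = X_a + X_b + ... (boolean OR).

    probes: list of (links_on_path, congested) pairs.
    Returns a dict mapping link -> "good" | "congested" | "unknown".
    """
    status = {link: "unknown" for path, _ in probes for link in path}
    # An uncongested probe proves every link on its path is good.
    for path, congested in probes:
        if not congested:
            for link in path:
                status[link] = "good"
    # A congested probe with exactly one unresolved link pins that link.
    for path, congested in probes:
        if not congested:
            continue
        if any(status[link] == "congested" for link in path):
            continue  # equation already satisfied, nothing more to learn
        unresolved = [link for link in path if status[link] == "unknown"]
        if len(unresolved) == 1:
            status[unresolved[0]] = "congested"
    return status


def false_positives(status, truth):
    """Good links that end up labelled congested when unknown means congested."""
    return sorted(link for link, s in status.items()
                  if s == "unknown" and not truth[link])


def demo():
    # Constructed ground truth: only C2->C3 is congested.
    truth = {"E1->C1": False, "C1->C2": False, "C2->E2": False,
             "C2->C3": True, "C3->E3": False, "E2->C2": False,
             "E4->C3": False}
    paths = [
        ["E1->C1", "C1->C2", "C2->E2"],
        ["E1->C1", "C1->C2", "C2->C3", "C3->E3"],
        ["E2->C2", "C2->C3", "C3->E3"],
    ]
    probes = [run_probe(p, truth) for p in paths]
    first = infer_link_status(probes)
    fp_first = false_positives(first, truth)
    # One extra probe through an undecided link updates the equation set.
    probes.append(run_probe(["E4->C3", "C3->E3"], truth))
    second = infer_link_status(probes)
    fp_second = false_positives(second, truth)
    return first, fp_first, second, fp_second


if __name__ == "__main__":
    first, fp_first, second, fp_second = demo()
    print("first round :", first, "false positives:", fp_first)
    print("extra probe :", second, "false positives:", fp_second)
```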
40
Analyzing Simple Method
• Lemma 1. If P and P’ are probe paths in the first
and the second round of probing respectively,
|P  P’ | ≤ 1
• Theorem 1. If only one probe path P is shown to
be congested in any round of probing, the
simple method successfully identifies status of
each link in P
• Performs better if edge-to-edge paths are
congested
• The average length of the probe paths in the
Simple method is ≤ 4
41
Performance: Simple Method
Theorem 2. Let p be the probability of a link being congested in
any arbitrary overlay network. The simple method determines
the status of any link of the topology with probability at least
$2(1-p)^4 - (1-p)^7 + p(1-p)^{12}$
[Figure: detection probability vs. fraction of actual congested links]
42
Advanced Method
AdvancedMethod()
begin
    Conduct Simple Method. E is the unsolved equation set
    for Each undecided variable Xij of E do
        node1 = FindNode(Tree T, vi, IN)
        node2 = FindNode(Tree T, vj, OUT)
        if node1 ≠ NULL AND node2 ≠ NULL then
            Probe(node1, node2). Update equation set E
        end if
        Stop if no more probe exists
    endfor
end
43
Identifying Links: Advanced Method
[Figure: loss ratio vs. time (sec)]
Links E2 → C2, C1 → C3, C3 → C4, and C4 → E6 are congested. Simple
method identifies all except E2 → C2. Advanced method finds probe
E5E1 to identify status of E2 → C2.
44
Analyzing Advanced Method
• Lemma 2. For an arbitrary overlay network with n
edge routers, on the average a link lies on $b = \frac{n(3n-2)}{8 \log n}$
edge-to-edge paths
• Lemma 3. For an arbitrary overlay network with n
edge routers, the average length of all edge-to-edge
paths is $d = \frac{3n}{2 \log n}$
• Theorem 3. Let p be the probability of a link being
congested. The advanced method can detect the
status of a link with probability at least
$1 - (1 - (1-p)^d)^b$
45
Bounds on Advanced Method
• Graph shows lower and upper bounds
• When congestion is ≤ 20%, links are identified with O(n)
probes with probability ≥ 0.98
• Does not help if ≥ 60% links are congested
[Figure: detection probability vs. fraction of actual congested links]
Advanced method uses output of simple method and
topology to find a probe that can be used to identify
status of an unsolved link in simple method
46
Experiments: Delay Measurements
[Figure: cumulative distribution function (cdf) of delay; x-axis: delay (ms), y-axis: % of traffic]
• Attack changes delay pattern in a network domain
• We need to know the delay pattern when there is no attack
47
Experiments: Loss measurements
[Figure: loss ratio vs. time (sec); (a) core-assisted, (b) stripe-based]
Core-based measurement is more precise than stripe-based; however, it
has high overhead
48
Attack Scenarios
[Figure: (a) changing delay pattern due to attack, delay (ms) vs. time (sec); (b) changing loss pattern due to attack, loss ratio vs. time (sec)]
• Attack 1 violates SLA and causes 15-30% of packet loss
• Attack 2 causes more than 35% of packet loss
49
Detecting DoS Attacks
• If many flows aggregate towards a downstream
domain, it might be a DoS attack on the domain
• Analyze flows at exit routers of the congested
links to identify misbehaving flows
• Activate filters to control the suspected flows
• Flow association with ingress routers
– Egress routers can backtrack paths, and confirm entry
points of suspected flows
50
Overhead comparison
[Figure: (a) processing overhead (CPU cycle) and (b) communication overhead in KB, each vs. percentage of misbehaving flow]
• Core has relatively low processing overhead
• Overlay scheme has an edge over other two schemes
51
Observations
• Stripe-based Monitoring
– Stripe-based probing can monitor DiffServ
networks only from the edges
– It takes 10 sec to converge the inferred loss
ratio to actual loss ratio with ≥ 90% accuracy
– 10-15 delay probes and 20-25 loss probes per
second are sufficient for monitoring
– Probe is a 3-packet stripe
• 3 shows good correlation, 4 does not add much
52
Observations (Cont’d)
• Overlay-based Monitoring
– Congestion status of individual links can be
inferred from edge-to-edge measurements
– When the network is ≤ 20% congested
• Status of a link is identified with probability ≥ 0.98
• Requires O(n) probes, where n is the number of
edge routers
– Worst case is $O(n^2)$, whereas stripe-based
requires $O(n^3)$ probes to achieve same
functionality
53
Observations (Cont’d)
• Analyze existing techniques to defeat DoS
attacks
– Marking has less overhead than Filtering,
however, it is only a forensic method
– Monitoring might have less processing
overhead than marking or filtering, however,
monitoring injects packets and others do not
– Monitoring can alert against DoS attacks in
early stage
54
Observations (Cont’d)
• Traffic Conditioner
– Using small state table, we can design
scalable traffic conditioner
– It can protect critical packets of a flow to
improve application QoS (delay, throughput,
response time, …)
– Both Round trip time (RTT) & Retransmission
time-out (RTO) are necessary to avoid RTT-bias among flows
55
Observations (Cont’d)
• Flow Control
– Network tomography is used to design edge-to-edge
mechanism to detect & control
unresponsive flows
– QoS of adaptive flows improves significantly
with flow control mechanism
56
Conclusion on Monitoring
• Elegant way to use probability in inferring loss. 3-packet stripe shows good correlation
• Monitoring network can detect service violation and
bandwidth theft using measurements
• Monitoring can detect DoS attacks in early stage. Filter
can be used to stop the attacks
• Overlay-based monitoring requires only O(n) probing
with a very high probability, where n is the number of
edge routers
• Overlay-based monitoring has very low communication
and processing overhead
• Stripe-based inference is useful to annotate a topology
tree with loss, delay, and bandwidth.
57
58
D. Intruder Identification in Ad Hoc Networks
• Problem Statement
Intruder identification in ad hoc networks is the
procedure of identifying the user or host that
conducts the inappropriate, incorrect, or anomalous
activities that threaten the connectivity or reliability
of the networks and the authenticity of the data
traffic in the networks
Papers:
“On Security Study of Two Distance Vector Routing Protocols for Mobile
Ad Hoc Networks”, in Proceedings of IEEE International Conference on
Pervasive Computing and Communications (PerCom), 2003.
“On Vulnerability and Protection of Ad Hoc On-demand Distance Vector
Protocol”, in Proceedings of 10th IEEE International Conference on
Telecommunication (ICT), 2003.
59
Research Motivation
• More than ten routing protocols for Ad
Hoc networks have been proposed
– Incl. AODV, DSR, DSDV, TORA, ZRP
• Research focuses on performance
comparison and optimizations such as
multicast and multiple path detection
• Research is needed on the security of
Ad Hoc networks.
• Applications: Battlefields, disaster
recovery.
60
Research Motivation
• Two kinds of attacks target Ad Hoc
network
– External attacks:
• MAC Layer jam
• Traffic analysis
– Internal attacks:
• Compromised host sending false routing
information
• Fake authentication and authorization
• Traffic flooding
61
Research Motivation
• Protection of Ad Hoc networks
– Intrusion Prevention
• Traffic encryption
• Sending data through multiple paths
• Authentication and authorization
– Intrusion Detection
• Anomaly pattern examination
• Protocol analysis study
62
Research Motivation
• Deficiency of intrusion prevention
– increase the overhead during normal
operation period of Ad Hoc networks
– The restriction on power consumption and
computation capability prevent the usage
of complex encryption algorithms
– Flat infrastructure increases the difficulty
for the key management and distribution
– Cannot guard against internal attacks
63
Research Motivation
• Why intrusion detection itself is not
enough
– Detecting intrusion without isolating the
malicious host leaves the protection in a
passive mode
– Identifying the source of the attack may
accelerate the detection of other attacks
64
Research Motivation
• Research problem: Intruder
Identification
• Research challenges:
• How to locate the source of an attack?
• How to safely combine the information
from multiple hosts and enable individual
host to make decision by itself?
• How to achieve consistency among the
conclusions of a group of hosts?
65
• Related Work
– Vulnerability model of ad hoc routing protocols [Yang
et al., SASN ’03]
– A generic multi layer integrated IDS structure [Zhang
and Lee, MobiCom ’00]
– IDS combining with trust [Albert et al., ICEIS ’02]
– Information theoretic measures using entropy
[Okazaki et al., SAINT ’02]
– SAODV adopts both hash chain and digital signature
to protect routing information [Zapata et al, WiSe’03]
– Security-aware ad hoc routing [Kravets et al,
MobiHOC’01]
66
Related Work in wired Networks
• Secure routing / intrusion detection in
wired networks
• Routers have more bandwidth and CPU
power
• Steady network topology enables the use
of static routing and default routers
• Large storage and history of operations
enable the system to collect enough
information to extract traffic patterns
• Easier to establish trust relation in the
hierarchical infrastructure
67
Related Work in wired networks
• Attack on RIP (Distance Vector)
• False distance vector
• Solution (Bellovin 89)
• Static routing
• Listen to specific IP address
• Default router
• Cannot apply in Ad Hoc networks
68
Related Work in wired networks
• Attack on OSPF (Link State)
• False connectivity
• Attack on Sequence Number
• Attack on lifetime
• Solution
• JiNAO: NCSU and MCNC
• Encryption and digital signature
69
Related Work in Ad Hoc Networks
• Lee at GaTech summarizes the difficulties
in building IDS in Ad Hoc networks and
raises questions:
• what is a good architecture and response
system?
• what are the appropriate audit data sources?
• what is a good model to separate normal and
anomalous patterns?
• Haas at Cornell lists the 2 challenges in
securing Ad Hoc networks:
• secure routing
• key management service
70
Related Work in Ad Hoc Networks
• Agrawal at University of Cincinnati presents
the general security schemes for the secure
routing in Ad Hoc networks
• Nikander at Helsinki discusses the
authentication, authorization, and accounting
in Ad Hoc networks
• Bhargavan at UIUC presents the method to
enhance security by dynamic virtual
infrastructure
• Vaidya at UIUC presents the idea of securing
Ad Hoc networks with directional antennas
71
Related Work ongoing projects
• TIARA: Techniques for Intrusion Resistant Ad-Hoc
Routing Algorithm (DARPA)
• develop general design techniques
• focus on DoS attack
• sustain continued network operations
• Secure Communication for Ad Hoc Networking (NSF)
• Two main principles:
• redundancy in networking topology, route discovery and
maintenance
• distribution of trust, quorum for trust
72
Related Work ongoing projects
• On Robust and Secure Mobile Ad Hoc and Sensor
Network (NSF)
• local route repair
• performance analysis
• malicious traffic profile extraction
• distributed IDS
• proposed a scalable routing protocol
• Adaptive Intrusion Detection System (NSF)
• enable data mining approach
• proactive intrusion detection
• establish algorithms for auditing data
73
Evaluation Criteria
• Accuracy
• False coverage: Number of normal hosts that are
incorrectly marked as suspected.
• False exclusion: Number of malicious hosts that
are not identified as such.
• Overhead
• Overhead measures the increases in control
packets and computation costs for identifying the
attackers (e.g. verifying signed packets, updating
blacklists).
• Workload of identifying the malicious hosts in
multiple rounds
74
Evaluation Criteria - cont.
• Effectiveness
– Effectiveness: Increase in the performance of ad
hoc networks after the malicious hosts are
identified and isolated. Metrics include the
increase of the packet delivery ratio, the decrease
of average delay, or the decrease of normalized
protocol overhead (control packets/delivered
packets).
• Robustness
– Robustness of the algorithm: Its ability to resist
different kinds of attacks.
75
Assumptions
A1. Every host can be uniquely identified and its ID cannot be
changed throughout the lifetime of the ad hoc network. The ID
is used in the identification procedure.
A2. A malicious host has total control on the time, the target and the
mechanism of an attack. The malicious hosts continue
attacking the network.
A3. Digital signature and verification keys of the hosts have been
distributed to every host. The key distribution in ad hoc
networks is a tough problem and deserves further research.
Several solutions have been proposed. We assume that the
distribution procedure is finished, so that all hosts can examine
the genuineness of the signed packets.
A4. Every host has a local blacklist to record the hosts it suspects.
The host has total control on adding and deleting elements
from its list. For clarity in the remainder of this paper, we
call the real attacker the “malicious host”, while the hosts in
blacklists are called “suspected hosts”.
76
Applying Reverse Labeling Restriction
to Protect AODV
• Introduction to AODV
• Attacks on AODV and their impacts
• Detecting False Destination Sequence
Attack
• Reverse Labeling Restriction Protocol
• Simulation results
77
Introduction to AODV
• Introduced in 97 by Perkins at NOKIA, Royer
at UCSB
• 12 versions of IETF draft in 4 years, 4
academic implementations, 2 simulations
• Combines on-demand and distance vector
• Broadcast Route Query, Unicast Route Reply
• Quick adaptation to dynamic link condition
and scalability to large scale network
• Support multicast
78
Ideas
• Monitor the sequence numbers in the route
request packets to detect abnormal conditions
• Apply reverse labeling restriction to identify and
isolate attackers
• Combine local decisions with knowledge from
other hosts to achieve consistent conclusions
• Combine with trust assessment methods to
improve robustness
79
Security Considerations for AODV
“AODV does not specify any special security measures.
Route protocols, however, are prime targets for
impersonation attacks. If there is danger of such attacks,
AODV control messages must be protected by use of
authentication techniques, such as those involving
generation of unforgeable and cryptographically strong
message digests or digital signatures.
”
- http://www.ietf.org/internet-drafts/draft-ietf-manet-aodv-11.txt
80
Message Types in AODV
• RREQ: route request
• RREP: route reply
• RERR: route error
81
Route Discovery in AODV (An Example)
[Figure: example network with source S, destination D, and intermediate hosts S1, S2, S3, S4; legend: route to the source, route to the destination]
82
Attacks on routing in mobile ad hoc networks
[Figure: taxonomy of attacks on routing. Node labels: active attacks, passive attacks, routing procedure, false reply, wormhole attacks, flood network, route request, route broken message, packet silent discard, routing information hiding]
83
Attacks on AODV
• Route request flooding
– query non-existing host (RREQ will flood throughout the
network)
• False distance vector
– reply “one hop to destination” to every request and select a
large enough sequence number
• False destination sequence number
– select a large number (even beat the reply from the real
destination)
• Wormhole attacks
– tunnel route request through wormhole and attract the data
traffic to the wormhole
• Coordinated attacks
– The malicious hosts establish trust to frame other hosts, or
conduct attacks alternatively to avoid being identified
84
Impacts of Attacks on AODV
We simulate the attacks and measure their impacts on packet delivery ratios and
protocol overhead
Attack                       Packet Delivery Ratio   Control packet / data packet
No Attacks                   96%                     0.38
Vicious Flooding             91%                     2.93
False Distance               75%                     0.38
False Destination Sequence   53%                     0.66
Wormhole                     61%                     0.41
85
False Destination Sequence Attack
[Figure: hosts S, S1, S2, S3, S4, D, M. Labels: sequence number 5; RREQ(D, 3) on four links; RREP(D, 4); RREP(D, 20)]
Packets from S to D are sinking at M.
86
During Route Rediscovery, False Destination
Sequence Number Attack Is Detected
S needs to find D again.
Node movement breaks the path from S to M (trigger route
rediscovery).
(1) S broadcasts a request that carries the old sequence + 1 = 21
(2) D receives the RREQ. Local sequence is 5, but the
sequence in RREQ is 21. D detects the false destination
sequence number attack.
[Figure: propagation of RREQ(D, 21) from S; hosts S, S1, S2, S3, S4, D, M]
87
Reverse Labeling Restriction (RLR)
Blacklists are updated after an attack is detected.
• Basic Ideas
• Every host maintains a blacklist to record suspicious
hosts who gave wrong route related information.
• The destination host will broadcast an INVALID
packet with its signature. The packet carries the
host’s identification, current sequence, new
sequence, and its own blacklist.
• Every host receiving this packet will examine its
route entry to the destination host. The previous host
that provides the false route will be added into this
host’s blacklist.
88
[Figure: D broadcasts INVALID ( D, 5, 21, BL{}, Signature ). Hosts S, S1, S2, S3, S4, D, M are shown with their blacklists (BL); the non-empty ones are BL {S1}, BL {S2}, and BL {M}]
Correct destination sequence number is broadcasted.
Blacklist at each host in the path is determined.
89
[Figure: M lies on the routes between sources S1, S2, S3, S4 and destinations D1, D2, D3, D4; four hosts are annotated with the blacklist entry [M]]
M attacks 4 routes (S1-D1, S2-D2, S3-D3, and S4-D4). When the first two
false routes are detected, D3 and D4 add M into their blacklists. When later
D3 and D4 become victim destinations, they will broadcast their blacklists,
and every host will get two votes that M is a malicious host.
Malicious site is in blacklists of multiple destination hosts.
90
Combine Local Decisions with Knowledge
from Other Hosts
• When a host is the destination of a route and is
victimized by any malicious host, it will broadcast
its blacklist.
• Each host obtains blacklists from victim
hosts.
• If M is in multiple blacklists, M is classified as
a malicious host based on certain threshold.
• Intruder is identified.
• Trust values can be assigned to other hosts
based on past information.
91
Acceleration in Intruder Identification
[Figure: coordinated attacks by M1, M2, and M3 on routes from sources S1, S2, S3 to destinations D1, D2, D3]
Multiple attackers trigger more blacklists to be broadcasted by D1, D2,
D3.
92
Reverse Labeling Restriction (RLR)
• Update Blacklist by Broadcasted Packets
from Destinations under Attack
• Next hop on the false route will be put into
local blacklist, and a counter increases. The
time duration that the host stays in blacklist
increases exponentially with the counter value.
• When timer expires, the suspicious host will
be released from the blacklist and routing
information from it will be accepted.
93
Deal With Hosts in Blacklist
• Packets from hosts in blacklist
• Route request: If the request is from suspicious
hosts, ignore it.
• Route reply: If the previous hop is suspicious and
the query destination is not the previous hop, the
reply will be ignored.
• Route error: Will be processed as usual. RERR
will activate re-discovery, which will help to detect
attacks on destination sequence.
• Broadcast of INVALID packet: If the sender is
suspicious, the packet will be processed but the
blacklist will be ignored.
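The RLR bookkeeping described on the preceding slides, as an added example that is not part of the original slides or the authors' implementation: detection at the destination, blacklisting of the next hop on the false route with an exponentially growing hold time, vote counting over broadcast blacklists, and the handling of packets from suspected hosts. It assumes INVALID packets have already passed signature verification (assumption A3); `BASE_HOLD`, `VOTE_THRESHOLD`, the class and function names, and the rule that a route entry is false when its sequence number exceeds the destination's real one are assumptions of the example.

```python
from dataclasses import dataclass, field

BASE_HOLD = 10.0     # seconds in blacklist for a first offence (assumed value)
VOTE_THRESHOLD = 2   # victim blacklists needed to classify a host (assumed value)


@dataclass(frozen=True)
class Invalid:
    dest: str                 # destination that detected the attack
    current_seq: int          # its real sequence number
    new_seq: int              # sequence number carried by the RREQ
    blacklist: frozenset = frozenset()


def check_rreq(dest, local_seq, rreq_seq, blacklist=()):
    """Run at the destination: an RREQ carrying a sequence number above the
    destination's own means a false sequence number was advertised."""
    if rreq_seq > local_seq:
        return Invalid(dest, local_seq, rreq_seq, frozenset(blacklist))
    return None


@dataclass
class Host:
    name: str
    routes: dict = field(default_factory=dict)     # dest -> (next_hop, dest_seq)
    blacklist: dict = field(default_factory=dict)  # suspect -> (counter, release_time)
    votes: dict = field(default_factory=dict)      # suspect -> accusing destinations

    def suspected(self, now):
        """Hosts whose blacklist timer has not expired yet."""
        return {h for h, (_, until) in self.blacklist.items() if until > now}

    def on_invalid(self, pkt, now):
        # A suspicious sender's packet is processed but its blacklist is ignored.
        if pkt.dest not in self.suspected(now):
            for suspect in pkt.blacklist:
                self.votes.setdefault(suspect, set()).add(pkt.dest)
        entry = self.routes.get(pkt.dest)
        if entry and entry[1] > pkt.current_seq:   # route built on a false sequence
            next_hop = entry[0]
            counter = self.blacklist.get(next_hop, (0, 0.0))[0] + 1
            hold = BASE_HOLD * 2 ** (counter - 1)  # grows exponentially with counter
            self.blacklist[next_hop] = (counter, now + hold)
            del self.routes[pkt.dest]

    def accept_rrep(self, previous_hop, dest, now):
        """Ignore a reply relayed by a suspected host unless it is the destination."""
        return previous_hop not in self.suspected(now) or previous_hop == dest

    def malicious(self):
        return {h for h, voters in self.votes.items() if len(voters) >= VOTE_THRESHOLD}


def demo():
    # Constructed scenario following the slides: false route S -> S1 -> S2 -> M
    # advertised with sequence 20 while D's real sequence number is 5.
    hosts = {
        "S": Host("S", {"D": ("S1", 20)}),
        "S1": Host("S1", {"D": ("S2", 20)}),
        "S2": Host("S2", {"D": ("M", 20)}),
        "S3": Host("S3", {"D": ("S4", 4)}),        # older but genuine route
    }
    pkt = check_rreq("D", local_seq=5, rreq_seq=21)  # INVALID(D, 5, 21, BL{})
    for host in hosts.values():
        host.on_invalid(pkt, now=0.0)
    first = {name: host.suspected(1.0) for name, host in hosts.items()}
    # M repeats the attack on a second destination: the hold time doubles.
    s2 = hosts["S2"]
    s2.routes["D2"] = ("M", 50)
    s2.on_invalid(check_rreq("D2", 7, 51), now=100.0)
    # S1 is suspected by S, so the blacklist it broadcasts is ignored;
    # two victim destinations naming M give two votes.
    s = hosts["S"]
    s.on_invalid(Invalid("S1", 1, 2, frozenset({"S3"})), now=5.0)
    s.on_invalid(Invalid("D3", 9, 10, frozenset({"M"})), now=6.0)
    s.on_invalid(Invalid("D4", 3, 4, frozenset({"M"})), now=7.0)
    return first, s2.blacklist["M"], s.votes, s.malicious(), hosts


if __name__ == "__main__":
    first, m_entry, votes, malicious, _ = demo()
    print(first, m_entry, votes, malicious)
```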
94
Attacks of Malicious Hosts on RLR
• Attack 1: Malicious host M sends false
INVALID packet
• Because the INVALID packets are signed, it
cannot send the packets in other hosts’ name
• If M sends INVALID in its own name
• If the reported sequence number is greater than the
real sequence number, every host ignores this
attack
• If the reported sequence number is less than the
real sequence number, RLR will converge at the
malicious host. M is included in blacklist of more
hosts. M accelerated the intruder identification
directing towards M.
95
• Attack 2: Malicious host M frames other
innocent hosts by sending false blacklist
• If the malicious host has been identified, the
blacklist will be ignored
• If the malicious host has not been identified, this
operation can only make the threshold lower. If
the threshold is selected properly, it will not
impact the identification results.
• Combining trust can further limit the impact of this
attack.
96
• Attack 3: Malicious host M only sends
false destination sequence about some
special host
• The special host will detect the attack and
send INVALID packets.
• Other hosts can establish new routes to the
destination by receiving the INVALID packets.
97
Experimental Studies of RLR
• The experiments are conducted using ns2.
• Various network scenarios are formed by
varying the number of independent
attackers, number of connections, and
host mobility.
• The examined parameters include:
– Packet delivery ratio
– Identification accuracy: false positive and
false negative ratio
– Communication and computation overhead
98
Simulation Parameter
Simulation duration: 1000 seconds
Simulation area: 1000 * 1000 m
Number of mobile hosts: 30
Transmission range: 250 m
Pause time between the host reaches current target and moves to next target: 0 – 60 seconds
Maximum speed: 5 m/s
Number of CBR connections: 25/50
Packet rate: 2 pkt / sec
99
Experiment 1: Measure the Changes in
Packet Delivery Ratio
Purpose: investigate the impacts of host mobility,
number of attackers, and number of connections
on the performance improvement brought by RLR
Input parameters: host pause time, number of
independent attackers, number of connections
Output parameters: packet delivery ratio
Observation: When only one attacker exists in the
network, RLR brings a 30% increase in the
packet delivery ratio. When multiple attackers
exist in the system, the delivery ratio will not
recover before all attackers are identified.
100
Increase in Packet Delivery Ratio: Single Attacker
X-axis is host pause time, which evaluates the mobility of host. Y-axis is delivery ratio. 25 connections
and 50 connections are considered. RLR brings a 30% increase in delivery ratio. 100% delivery is
difficult to achieve due to network partition, route discovery delay and buffer.
101
Increase in Packet Delivery Ratio: Multiple Attackers
X-axis is number of attackers. Y-axis is delivery ratio. 25 connections and 50 connections are
considered. RLR brings a 20% to 30% increase in delivery ratio.
102
Experiment 2: Measure the Accuracy of
Intruder Identification
Purpose: investigate the impacts of host mobility,
number of attackers, and connection scenarios
on the detection accuracy of RLR
Input parameters: number of independent attackers,
number of connections, host pause time
Output parameters: false positive alarm ratio, false
negative alarm ratio
Observation: The increase in connections may improve
the detection accuracy of RLR. When multiple
attackers exist in the network, RLR has a high
false positive ratio.
103
Accuracy of RLR: Single Attacker
Columns (30 hosts in both cases): host pause time (sec) | 25 connections: # of normal hosts identify the attacker | 25 connections: # of normal hosts marked as malicious | 50 connections: # of normal hosts identify the attacker | 50 connections: # of normal hosts marked as malicious
0  | 24 | 0.22 | 29 | 2.2
10 | 25 | 0    | 29 | 1.4
20 | 24 | 0    | 25 | 1.1
30 | 28 | 0    | 29 | 1.1
40 | 24 | 0    | 29 | 0.6
50 | 24 | 0.07 | 29 | 1.1
60 | 24 | 0.07 | 24 | 1.0
The accuracy of RLR when there is only one attacker in the system
104
Accuracy of RLR: Multiple Attackers
Columns (30 hosts in both cases): # of attackers | 25 connections: # of normal hosts identify all attackers | 25 connections: # of normal hosts marked as malicious | 50 connections: # of normal hosts identify all attackers | 50 connections: # of normal hosts marked as malicious
1 | 28 | 0    | 29 | 1.1
2 | 28 | 0.65 | 28 | 2.6
3 | 25 | 1    | 27 | 1.4
4 | 21 | 0.62 | 25 | 2.2
5 | 15 | 0.67 | 19 | 4.1
The accuracy of RLR when there are multiple attackers
105
Experiment 3: Measure the Communication
Overhead
Purpose: investigate the impacts of host mobility and
connection scenarios on the overhead of RLR
Input parameters: number of connections, host pause
time
Output parameters: control packet overhead
Observation: When no false destination sequence
attacks exist in the network, RLR introduces
small packet overhead into the system.
106
Control Packet Overhead
X-axis is host pause time, which evaluates the mobility of host. Y-axis is normalized overhead
(# of control packet / # of delivered data packet). 25 connections and 50 connections are
considered. RLR increases the overhead slightly.
107
Research Opportunities: Improve
Robustness of RLR
• Protect the good hosts from being framed
by malicious hosts
• The malicious hosts can frame the good hosts
by putting them into blacklist.
• By lowering the trust values of both complainer
and complainee, we can restrict the impacts of
the gossip distributed by the attackers.
108
• Avoid putting every host into blacklist
• Combining the host density and movement
model, we can estimate the time ratio that two
hosts are neighbors
• The counter for a suspicious host decreases as
time passes
• Adjusting the decreasing ratio to control the
average percentage of time that a host stays in
the blacklist of another host
109
• Defend against coordinated attacks
• The behaviors of collusive attackers show
Byzantine manners. The malicious hosts may
establish trust to frame other hosts, or conduct
attacks alternatively to avoid being identified.
• Look for the effective methods to defend
against such attacks. Possible research
directions include:
• Apply classification methods to detect the hosts
that have similar behavior patterns
• Study the behavior histories of the hosts that
belong to the same group and detect the
pattern of malicious behavior (time-based,
order-based)
110
An Architecture of Intruder Identification Agent
111
• Intruder identification can be applied to
detect more attacks in ad hoc networks:
– DoS attacks
– Malicious discard
– Trust abuse and privacy violation
• Reverse labeling mechanism can be
applied to identify the attackers that
– Disseminate false routing information
– Discard data packets
– Generate gossip to destroy other hosts’
reputation
112
Conclusions on Intruder Identification
• False destination sequence attacks can be
detected by the anomaly patterns of the
sequence numbers
• Reverse labeling method can reconstruct the
false routing tree
• Isolating the attackers brings a sharp
increase in network performance
• Ongoing research will improve the
robustness of the mechanism and the
accuracy of identification
113
Related Ongoing Research
1) Detecting wormhole attacks
2) Position-based private routing in ad hoc
networks
3) Fault tolerant authentication in movable
base station systems
4) Congestion avoidance routing in ad hoc
networks
114
1) Detecting Wormhole Attacks
• Problem statement
The malicious nodes can eavesdrop on the packets,
tunnel them to another location in the network, and
retransmit them. This generates a false scenario that
the original sender is in the neighborhood of the
remote location.
[Figure: wireless node 1 and wireless node 2, with a tunnel between attacker 1 and attacker 2]
115
• Research challenges
– Detect wormholes when the malicious host can be
the legal member of the network
– Control the overhead introduced by wormhole
detection to avoid the hosts being overwhelmed
116
Classification of Wormholes
• The wormholes are divided into 3 groups:
– Closed
– Half open
– Open
117
The Approach: End-to-End Mechanism
• Assumption:
– The hosts have the positioning devices and loosely
synchronized clocks
– Pair-wise keys have been deployed
• Ideas:
– The source and the intermediate hosts will attach the
<time, position> pairs that record the receiving and
forwarding events
– The attached information is protected by message
authentication codes (MAC)
– The neighbor relation validations are conducted by
the destination
118
Validation at the Destination
• The MAC codes are calculated correctly
• The neighbor hosts are within the radio
range when the packet is passed
• The average moving speed between the
<time, position> pairs from the same host
does not exceed the maximum value.
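The three destination-side checks above, as an added Python sketch (not the authors' implementation). The record layout, HMAC-SHA256 as the MAC, the key table and the 250 m / 5 m/s limits are assumptions for the example; the sample path is constructed.

```python
import hashlib
import hmac
import math
import struct

RADIO_RANGE = 250.0  # metres; assumed for the example
MAX_SPEED = 5.0      # metres per second; assumed for the example


def _mac(key, host, recv, fwd):
    # MAC over the host id and both <time, position> pairs.
    body = host.encode() + struct.pack("!6d", *recv, *fwd)
    return hmac.new(key, body, hashlib.sha256).digest()


def make_record(host, key, recv, fwd):
    """Attached by each host; recv and fwd are (time, x, y) tuples."""
    return {"host": host, "recv": recv, "fwd": fwd,
            "mac": _mac(key, host, recv, fwd)}


def validate_path(records, keys, dest_pos):
    """Run at the destination. records are ordered source -> last forwarder."""
    # Check 1: every MAC verifies under the pairwise key of its host.
    for r in records:
        key = keys.get(r["host"])
        if key is None:
            return False, f"no pairwise key for {r['host']}"
        expected = _mac(key, r["host"], r["recv"], r["fwd"])
        if not hmac.compare_digest(expected, r["mac"]):
            return False, f"bad MAC from {r['host']}"
    # Check 2: a host cannot move faster than MAX_SPEED between its two pairs.
    for r in records:
        (t0, x0, y0), (t1, x1, y1) = r["recv"], r["fwd"]
        dt = t1 - t0
        if dt < 0 or math.hypot(x1 - x0, y1 - y0) > MAX_SPEED * dt:
            return False, f"speed violation at {r['host']}"
    # Check 3: each forwarder and the next receiver were within radio range.
    receivers = [r["recv"][1:] for r in records[1:]] + [tuple(dest_pos)]
    for r, rx_pos in zip(records, receivers):
        if math.dist(r["fwd"][1:], rx_pos) > RADIO_RANGE:
            return False, f"link from {r['host']} exceeds radio range"
    return True, "ok"


# Constructed sample: hosts S, A, B in a line, 200 m apart.
KEYS = {"S": b"key-S-D", "A": b"key-A-D", "B": b"key-B-D"}


def sample_path():
    return [
        make_record("S", KEYS["S"], (0.00, 0.0, 0.0), (0.00, 0.0, 0.0)),
        make_record("A", KEYS["A"], (0.01, 200.0, 0.0), (0.02, 200.0, 0.0)),
        make_record("B", KEYS["B"], (0.03, 400.0, 0.0), (0.04, 400.0, 0.0)),
    ]


if __name__ == "__main__":
    print(validate_path(sample_path(), KEYS, (600.0, 0.0)))
    # B honestly reports a position 700 m from A: the link cannot be a real one.
    far = sample_path()
    far[2] = make_record("B", KEYS["B"], (0.03, 900.0, 0.0), (0.04, 900.0, 0.0))
    print(validate_path(far, KEYS, (1100.0, 0.0)))
```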
119
Controlling Overhead:
Cell-based Open Tunnel Avoidance
• Divide the area into same-sized cells and
the time into same-length slots
• Require a constant storage space and
linear computation operations for every
intermediate host
• Have a configurable wormhole detection
capability
120
Computation Efficiency
• The experiments are conducted on an iPAQ 3630
with a 206 MHz CPU and 64 MB RAM
• The computation overhead of wormhole
detection for one 10-hop route consumes less
than 0.5% of its CPU.
• The computation resource of a real PDA can
support wormhole detection using COTA without
trouble.
121
Conclusions
• The end-to-end mechanism can detect
half open and open wormholes in ad hoc
networks
• As a position information management
scheme, COTA requires constant storage
space and linear computation resource for
every intermediate host
• The proposed mechanism can be adopted
by real mobile devices
122
2) Position-based Private Routing in Ad Hoc
Networks
• Problem statement
– To hide the identities of the nodes who are
involved in routing in mobile wireless ad hoc
networks.
• Challenges
– Traditional ad hoc routing algorithms depend
on private information (e.g., ID) exposure in
the network.
– Privacy solutions for P2P networks are not
suitable in ad hoc networks.
123
Weak Privacy for Traditional Position-based
Ad Hoc Routing Algorithm
• Position information of each node has to be
locally broadcast periodically.
• Adversaries are able to obtain node trajectory
based on the position report.
• Adversaries can estimate network topology.
• Once a match between a node position and its
real ID is found, a tracer can always stay close
to this node and monitor its behavior.
124
AO2P: Ad Hoc On-Demand Position-based
Private Routing
• Position of destination is the information
exposed in the network for routing discovery.
• A receiver-contention scheme is designed to
determine the next hop in a route.
• Pseudo IDs are used instead of real IDs for data
packet delivery after a route is built up.
• Route with a smaller number of hops will be
used for better end-to-end throughput.
125
AO2P Routing Privacy and Accuracy
• Only the position of destination is revealed in the
network for routing discovery. The privacy of the
destination relies on the difficulty of matching a position
to a node ID.
• Node mobility enhances destination privacy because a
match between a position and a node ID is temporary.
• The privacy for the source and the intermediate
forwarders is well preserved.
• Routing accuracy relies on the fact that at a specific
time, only one node can be at a position. Since the
pseudo ID for a node is generated from its position and
the time it is at that position, the probability that more
than one node has the same pseudo ID is negligible.
126
Privacy Enhancement: R-AO2P
• The position of reference point is carried in rreq instead
of the position of the destination.
• The reference point is on the extended line from the
sender to the destination. It can be used for routing
discovery because generally, a node that processes the
rreq closer to the reference point will also process the
rreq closer to the destination.
• The position of the destination is only disclosed to the
nodes who are involved in routing.
Reference point in R-AO2P
127
Illustrated Results
• Average delay for next hop determination
128
Illustrated Results
• Packet delivery ratio
129
Conclusions
• AO2P preserves node privacy in mobile ad
hoc networks.
• AO2P has low next hop determination
delay.
• Compared to other position-based ad hoc
routing algorithms, AO2P has little routing
performance degradation.
130
3) Fault Tolerant Authentication in
Movable Base Station System
• Problem
– To ensure security and prevent theft of resources
(like bandwidth), all the packets originating inside
the network should be authenticated.
– Authentication may become unreliable when
base station fails or node moves from one cell to
another.
• Challenge
– How to design fault tolerant authentication
methods that are robust in the above conditions
– How to make the protocols adaptable and reconfigurable
131
Proposed Schemes
• We propose two schemes to solve the
problem.
– Virtual Home Agent
– Hierarchical Authentication
• They differ in the architecture and the
responsibilities that the Mobile Nodes
and Base Stations (Agents) hold.
132
Virtual Home Agent Scheme
[Figure: VHA ID = IP address; Master Home Agent (MHA); Backup Home Agents; database server with shared secrets database; other nodes in the network]
133
Advantages of Proposed Scheme
• Has only 3 states and hence the overhead of
state maintenance is negligible.
• Very few tasks need to be performed in each
state (outlined in the tech report).
• Flexible – there could be multiple VHAs in the
same LAN and a MHA could be a BHA for
another VHA, a BHA could be a BHA for
more than one VHA at the same time.
134
Disadvantages of Virtual HA Solution
• Not scalable if every packet has to be
authenticated
– Ex: huge audio or video data
• BHAs (Backup Home Agents) are idle most
of the time (they just listen to the MHA’s
advertisements).
• Central Database is still a single point of
failure.
135
Hierarchical Authentication Scheme
• Multiple Home Agents in a LAN are organized
in a hierarchy (like a tree data structure).
• A Mobile Node shares a key with each of the
Agents above it in the tree (Multiple Keys).
• At any time, highest priority key is used for
sending packets or obtaining any other kind
of service.
136
Hierarchical Authentication Scheme
[Figure: hierarchy of agents A, B, C, D, E, F, G with databases; keys K1 and K2; key/priority pairs (K1, P1) and (K2, P2)]
137
Hierarchical Authentication Scheme
Key priority depends on several factors and is
computed as the cumulative sum of the weighted
priorities of each factor.
Example Factors:
• Communication Delays
• Processing Speed of the Agents
• Key Usage
• Life Time of the Key
138
4) Congestion Avoidance Routing in Ad Hoc
Networks
• Objective
– To bring the consideration of congestion in the design
of the routing protocols.
• Thrust
– To avoid congestion by minimizing contention for
channel access.
• Challenges
– The global coupling effect of wireless channel access
in ad hoc networks.
– Quantification of congestion without exchanging
messages with neighbors.
139
Intermediate Delay (IMD)
• IMD is a routing metric that characterizes
the impacts of channel contention, the
length of the route, and the traffic load at
individual nodes.
• IMD estimates the delay introduced by the
intermediate nodes along the route using
the sum of delays from each node.
140
Ad Hoc Routing Based on IMD
[Figure: example network with nodes A to J; links are labelled with delays P/C and 2P/C]
Simplification of delay computation:
1. If channel capacity is C and packet size is P, delay is P/C.
2. If n nodes are in contention for a channel, each node gets C/n
share of the channel capacity. The delay is nP/C.
Adapt to changes in traffic and network topology
141
Delay Estimation
• A mobile node is modeled as a single
server queuing system.
• Total delay includes the delay for
transmitting a packet and the delay in the
queue.
• The key is to estimate the delay for
transmitting a packet.
– Node with active traffic
• Use the mean value to estimate the delay.
– Node without active traffic
• Study the procedure of packet transmission to
obtain the expectation of the delay.
142
IEEE 802.11 DCF
(Distributed Coordination Function)
$E[T_{succ}] = T_{RTS} + T_{CTS} + T_{DATA} + T_{ACK} + 3T_{SIFS} + E[T_{backoff}]$
$E[T_{fail}] = T_{RTS} + T_{timeout} + E[T_{backoff}]$
143
SAGA: Self-Adjusting Congestion Avoidance
Routing Protocol
• SAGA is a distance vector routing
protocol.
– use IMD instead of hop count as the distance
– bypass hot spots where contention is intense
• Lazy route query uses special route
advertisement for local route discovery.
• Approach to reduce the oscillation of IMD
and prevent a node from switching back
and forth among alternative routes.
144
Experimental Evaluation
• Objective
– Study the performance of SAGA, AODV, DSR, and
DSDV under congestion.
• Performance metrics
– Throughput, delivery ratio, protocol overhead, and
end-to-end delay
• Method
– Simulation using the network simulator ns2
– Two types of UDP traffic: constant bit rate (CBR) and
pareto on/off (POO)
– The offered traffic load is taken as the input parameter
– Six experiments by varying the maximum speed of
movement of nodes and the number of connections
– Five independent runs with random scenarios for each
experiment
145
30 CBR Connections, Low Mobility (4m/s)
146
10 POO Connections, High Mobility (20m/s)
147
Other Related Ongoing Research
1. Time-based private routing in ad hoc
networks
2. Trust-based Privacy Preservation for
Peer-to-peer Data Sharing
148
149
E. Trust-based Privacy Preservation for Peer-to-Peer Data Sharing
Problem statement
• Privacy in peer-to-peer systems is different
from the anonymity problem
• Preserve privacy of requester
• A mechanism is needed to remove the
association between the identity of the
requester and the data needed
150
Proposed solution
• A mechanism is proposed that allows the
peers to acquire data through trusted
proxies to preserve privacy of requester
– The data request is handled through the
peer’s proxies
– The proxy can become a supplier later and
mask the original requester
151
Related work
• Trust in privacy preservation
– Authorization based on evidence and trust,
[Bhargava and Zhong, DaWaK’02]
– Developing pervasive trust [Lilien, CGW’03]
• Hiding the subject in a crowd
– K-anonymity [Sweeney, UFKS’02]
– Broadcast and multicast [Scarlata et al,
INCP’01]
152
Related work (2)
• Fixed servers and proxies
– Publius [Waldman et al, USENIX’00]
• Building a multi-hop path to hide the real
source and destination
– FreeNet [Clarke et al, IC’02]
– Crowds [Reiter and Rubin, ACM TISS’98]
– Onion routing [Goldschlag et al, ACM
Commu.’99]
153
Related work (3)
• P5 [Sherwood et al, IEEE SSP’02]
– provides sender-receiver anonymity by
transmitting packets to a broadcast group
• Herbivore [Goel et al, Cornell Univ Tech
Report’03]
– Provides provable anonymity in peer-to-peer
communication systems by adopting dining
cryptographer networks
154
Privacy measurement
• A tuple <requester ID, data handle, data
content> is defined to describe a data
acquirement.
• For each element, “0” means that the peer
knows nothing, while “1” means that it knows
everything.
• A state in which the requester’s privacy is
compromised can be represented as a vector
<1, 1, y> (y ∈ [0,1]), from which one can link the
ID of the requester to the data that it is
interested in.
155
Privacy measurement (2)
For example, line k
represents the states
in which the requester’s
privacy is compromised.
156
Mitigating collusion
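• An operation “*” is defined as:
$$\langle c_1, c_2, c_3 \rangle = \langle a_1, a_2, a_3 \rangle * \langle b_1, b_2, b_3 \rangle, \qquad c_i = \begin{cases} \max(a_i, b_i), & a_i \neq 0 \text{ and } b_i \neq 0; \\ 0, & \text{otherwise.} \end{cases}$$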
• This operation describes the revealed
information after a collusion of two peers when
each peer knows a part of the “secret”.
• The number of collusions required to
compromise the secret can be used to evaluate
the achieved privacy
157
Trust based privacy preservation scheme
• The requester asks one proxy to look up
the data on its behalf. Once the supplier is
located, the proxy will get the data and
deliver it to the requester
– Advantage: other peers, including the
supplier, do not know the real requester
– Disadvantage: The privacy solely depends on
the trustworthiness and reliability of the proxy
158
Trust based scheme – Improvement 1
• To avoid specifying the data handle in plain text,
the requester calculates the hash code and only
reveals a part of it to the proxy.
• The proxy sends it to possible suppliers.
• Receiving the partial hash code, the supplier
compares it to the hash codes of the data
handles that it holds. Depending on the revealed
part, multiple matches may be found.
• The suppliers then construct a bloom filter based
on the remaining parts of the matched hash
codes and send it back. They also send back
their public key certificates.
159
Trust based scheme – Improvement 1 – cont.
• Examining the filters, the requester can eliminate some
candidate suppliers and finds some who may have the
data.
• It then encrypts the full data handle and a data transfer
key k_Data with the public key.
• The supplier sends the data back using k_Data through
the proxy
• Advantages:
– It is difficult to infer the data handle through the partial hash code
– The proxy alone cannot compromise the privacy
– Through adjusting the revealed hash code, the allowable error of
the bloom filter can be determined
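Steps 1 to 4 of Improvement 1 (partial hash lookup and Bloom filter reply), as an added Python sketch that is not taken from the slides or the authors' system. SHA-256, the hex-prefix split, the filter size, the number of filter hashes and all handle names are assumptions; the public-key steps are left out.

```python
import hashlib

M_BITS = 1024  # assumed Bloom filter size
K_HASHES = 3   # assumed number of hash functions


def handle_hash(handle):
    return hashlib.sha256(handle.encode()).hexdigest()


class Bloom:
    def __init__(self, m_bits=M_BITS, k=K_HASHES):
        self.m, self.k, self.bits = m_bits, k, 0

    def _positions(self, item):
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + item.encode()).digest()
            yield int.from_bytes(digest[:4], "big") % self.m

    def add(self, item):
        for pos in self._positions(item):
            self.bits |= 1 << pos

    def __contains__(self, item):
        return all((self.bits >> pos) & 1 for pos in self._positions(item))


def supplier_reply(held_handles, revealed):
    """Supplier: filter over the remaining parts of hashes matching the prefix."""
    bloom, matched = Bloom(), 0
    for digest in map(handle_hash, held_handles):
        if digest.startswith(revealed):
            bloom.add(digest[len(revealed):])
            matched += 1
    return bloom if matched else None  # None: nothing matched, no reply


def run_lookup(handle, revealed_hex, suppliers):
    """Requester: reveal only a hash prefix, then screen the returned filters."""
    digest = handle_hash(handle)
    revealed, remainder = digest[:revealed_hex], digest[revealed_hex:]
    # The proxy relays `revealed`; it never sees the handle or the remainder.
    replies = {name: supplier_reply(held, revealed)
               for name, held in suppliers.items()}
    return [name for name, bloom in replies.items()
            if bloom is not None and remainder in bloom]


# Constructed sample: S1 holds the wanted handle, S2 holds 64 unrelated ones.
SUPPLIERS = {
    "S1": ["trial-data-17.csv", "notes.txt", "scan-0042.img"],
    "S2": [f"file-{i}.bin" for i in range(64)],
}

if __name__ == "__main__":
    for n in (1, 2, 8):
        print(n, run_lookup("trial-data-17.csv", n, SUPPLIERS))
```

A shorter revealed prefix makes more of a supplier's handles match, which hides the request better but fills the filter and raises its error rate; a Bloom filter never reports a held handle as absent.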
160
Data transfer procedure after improvement 1
[Figure: message flow between Requester, Proxy of Requester, and Supplier]
R: requester S: supplier
Step 1, 2: R sends out the partial hash code of the data handle
Step 3, 4: S sends the bloom filter of the handles and the public key certificates
Step 5, 6: R sends the data handle and k_Data encrypted by the public key
Step 7, 8: S sends the required data encrypted by k_Data
161
Trust based scheme – Improvement 2
• The above scheme does not protect the
privacy of the supplier
• To address this problem, the supplier can
respond to a request via its own proxy
162
Trust based scheme – Improvement 2
[Figure: Requester, Proxy of Requester, Proxy of Supplier, Supplier]
163
Trustworthiness of peers
• The trust value of a proxy is assessed
based on its behaviors and other peers’
recommendations
• Using Kalman filtering, the trust model can
be built as a multivariate, time-varying
state vector
164
Experimental platform - TERA
• Trust enhanced role mapping (TERM)
server assigns roles to users based on
– Uncertain & subjective evidences
– Dynamic trust
• Reputation server
– Dynamic trust information repository
– Evaluate reputation from trust information
by using algorithms specified by TERM
server
165
Trust enhanced role assignment architecture (TERA)
[Figure: TERA components and flows. Components: users (Alice, Bob), TERM servers, reputation server, RBAC enhanced application servers. Flow labels: role request, assigned role, interactions, user's behavior, trust based on behaviors, reputation.]
166
Conclusion
• A trust based privacy preservation method
for peer-to-peer data sharing is proposed
• It adopts the proxy scheme during the
data acquirement
• Extensions
– Solid analysis and experiments on large
scale networks are required
– A security analysis of the proposed
mechanism is required
167
• More information may be found at
http://raidlab.cs.purdue.edu
• Our papers and tech reports
– W. Wang, Y. Lu, B. Bhargava, “On vulnerability and protection of AODV”, CERIAS Tech Report TR-02-18.
– B. Bhargava, Y. Zhong, “Authorization based on Evidence and Trust”, in Proceedings of Data Warehouse and Knowledge Management Conference (DaWaK), 2002.
– Y. Lu, B. Bhargava and M. Hefeeda, “An Architecture for Secure Wireless Networking”, IEEE Workshop on Reliable and Secure Application in Mobile Environment, 2001.
– W. Wang, Y. Lu, B. Bhargava, “On vulnerability and protection of AODV”, in Proceedings of ICT 2003.
– W. Wang, Y. Lu, B. Bhargava, “On security study of two distance vector routing protocols for two mobile ad hoc networks”, in Proceedings of PerCom 2003.
168