
DETECTION OF PACKET FORWARDING MISBEHAVIOR IN WIRELESS NETWORK

1 N. Karthikeyan, 2 Dr. M. Ravindran

1 Research Scholar, Bharathiar University, Coimbatore-641 046.

2 Associate Professor, Department of Computer Science, Government Arts College, Madurai.

Abstract – Wireless networks are susceptible to having their effective operation compromised by a variety of security attacks. Nodes may misbehave either because they are malicious and deliberately wish to disrupt the network, or because they are selfish and wish to conserve their own limited resources such as power, or for other reasons. The wireless nature and inherent features of mobile ad hoc networks make them vulnerable to a wide variety of attacks by misbehaving nodes. Such attacks range from passive eavesdropping, where a node tries to obtain unauthorized access to data destined for another node, to active interference, where malicious nodes hinder network performance by not obeying globally accepted rules. For instance, a node can behave maliciously by not forwarding packets on behalf of other peer nodes. This paper presents a mechanism that enables the detection of nodes that exhibit packet forwarding misbehavior.

Keywords: Misbehavior detection, Packet forwarding, Routing misbehavior.

I. INTRODUCTION

In a wireless ad hoc network, all individual nodes have to cooperate with each other during packet forwarding, primarily because of their limited transmission range and the lack of physical network infrastructure. Wireless ad hoc networks provide flexibility and scalability: nodes are not confined by geographical restrictions and are able to join or leave the network freely and at random. Therefore, wireless ad hoc networks have been widely deployed in military, scientific research, mission-critical and civilian applications. Despite these benefits, wireless ad hoc networks are notorious for poor administration, as wireless transmission is vulnerable to security attacks. Contrary to conventional wireless networks, a wireless ad hoc network does not have absolute control over the nodes' behavior, as they are owned by multiple authorities. As a result, legitimate packets may be dropped deliberately by misbehaving nodes, which may disrupt the network if not taken seriously.

The wireless nature and inherent features of mobile ad hoc networks make them vulnerable to a wide variety of attacks by misbehaving nodes. Such attacks range from passive eavesdropping, where a node tries to obtain unauthorized access to data destined for another node, to active interference, where malicious nodes hinder network performance by not obeying globally accepted rules. For instance, a node can behave maliciously by not forwarding packets on behalf of other peer nodes. However, when a node exhibits malicious behavior it is not always because it intends to do so. A node may also misbehave because it is overloaded, broken, compromised or congested, in addition to being intentionally selfish or malicious. Misbehavior can be divided into two categories: routing misbehavior (failure to behave in accordance with a routing protocol) and packet forwarding misbehavior (failure to correctly forward data packets in accordance with a data transfer protocol). This paper focuses on packet forwarding misbehavior. Our approach consists of an algorithm that enables packet forwarding misbehavior detection.

N Karthikeyan et al, Int.J.Computer Technology & Applications, Vol 5 (3), 1350-1355
IJCTA | May-June 2014 Available online@www.ijcta.com
ISSN: 2229-6093

Our scheme detects misbehaving nodes (whether selfish, malicious or otherwise) capable of launching two known attacks. The simplest of them is the black hole attack, in which a misbehaving node drops all the packets that it receives instead of forwarding them normally. A variation on this is the gray hole attack, in which nodes either drop packets selectively (e.g. dropping all UDP packets while forwarding TCP packets) or drop packets in a statistical manner (e.g. dropping 50% of the packets, or dropping them according to a probability distribution). Both types of gray hole attack seek to disrupt the network without being detected by the security measures in place.

II. RELATED WORK

Felegyhazi et al. [1] present a game-theoretic model to analyze cooperation in both dynamic and static scenarios. Their simulation results show that cooperation based solely on the self-interest of the nodes cannot be realized in practice and that an incentive mechanism is needed. In SORI [2] all nodes maintain a confidence-level table, exchange this information with each other and penalize selfish nodes with a bad reputation. One-way hashing is used to ensure that a selfish node cannot impersonate other nodes in order to improve its own reputation. However, a malicious node can always fake the information and keep condemning other innocent nodes, eventually causing chaos in the network. SMDP [3] is a session-based detection protocol that uses the principle of data flow conservation: the data flowing into and out of a node should always be equal. At the end of each data session, all the nodes along the path send the total number of packets they received to the previous hop and the total number of packets they transmitted to the next hop. After gathering these transmission reports, all the nodes rebroadcast the packet sums to the surrounding nodes. A node is suspected if its total transmission differs greatly from its total reception. Digital signatures are used to ensure that no one can forge a report. However, the source can defame the next forwarder by reporting an incorrect number of total transmitted packets.

The Secure Routing Protocol (SRP) [4] and Authenticated Routing for Ad hoc Networks (ARAN) [5] assume the existence of a priori relationships in the network: in the case of SRP between the two communicating nodes, and for ARAN between each node in the network and a certificate server. Both protocols perform end-to-end authentication, and intermediate nodes are not allowed to reply to route requests even if they know a route to the destination. However, a priori relationships may not exist in MANETs. These approaches secure the path discovery and establishment functionality of routing protocols; our approach complements them by securing the data forwarding functionality. The routing protocol proposed in [6] offers resilience to disruption or degradation of the routing service through an algorithm that allows the detection of a malicious link after log n faults have occurred on a path, where n is the hop length of the path. In [7] each node is able to detect signs of intrusion locally, and neighboring nodes collaborate to investigate malicious behavior further. In both of these approaches a node uses its own data to identify another node as an intruder. In contrast, in our approach a node detects anomalies in packet forwarding based on data acquired by other nodes in the network as well as on its own data, thus potentially obtaining a more balanced evaluation of a node's behavior.

III. SYSTEM MODEL

3.1. Assumptions and Terminologies

We assume the wireless ad hoc network is well established and that all the nodes are interested in communicating with the base station for some reason, e.g., Internet access. Since most of the packets flow upward to the base station, we can assume the network resembles some type of hierarchical network. In addition, the central authority can be trusted absolutely and has no incentive to misbehave. The base station is the central authority of the network and has good knowledge of the network topology. Besides, we assume all missing packets are mainly caused by the misbehavior of nodes. Misbehaved node and misbehaver are used interchangeably to refer to a node that does not forward packets properly and/or has a bad intention of defaming other innocent nodes by exploiting the existing protocol.

3.2. Attack Model

We consider packet losses to be mainly due to misbehaved nodes in the network. We further classify misbehaved nodes as selfish nodes and malicious nodes. Selfish nodes consider only their own benefit and refuse to forward legitimate packets from others; we term this kind of misbehavior the packet drop attack. Malicious nodes are spiteful nodes that intend to degrade network performance by defaming other innocent nodes; we name this type of attack the reputation attack.

IV. DESIGN CONSIDERATION

Most detection mechanisms fail to serve their primary purpose because of an improper penalization method and ambiguous accusation. For a simple illustration, 16 nodes are deployed in a grid and all the nodes in the network send data packets to the base station (node a) periodically (see Figure-1). The links in the network represent the connectivity of the nodes. Node k is a misbehaved node that drops node p's legitimate packets. In this case, only nodes l, o and p are able to detect node k's misbehavior (by using promiscuous listening), and they will penalize node k by dropping its packets in return. However, their penalization is useless, as node k relies on its upstream nodes (nodes j, f and g) to forward its data packets to node a. For convenience, we name this issue improper penalization, as the penalization is not executed by all the surrounding nodes of the misbehaved node.

Figure-1: Simple 16 nodes in a Grid

Another similar issue is the ambiguity of the accusation, where a node is unsure about the truthfulness of an accusation report sent by a neighbouring node. The accusation may be sent by a malicious node that intends to disgrace other innocent node(s). Assume node l is penalizing node k because it is dropping node p's packets. Node k can take revenge by telling nodes g and h that node l is a misbehaved node. In this case, node l can hardly defend itself, as nodes g and h are not aware of node k's misbehavior downstream.

V. DETECTION AND ACCUSATION

Firstly, the victim node accuses a misbehaved node by sending a secret accusation report to the base station through a steady route; subsequently the base station assigns a set of k random agents, which are neighbouring nodes of the accused node (excluding the accuser itself), to investigate the accusation. These agents investigate the suspected node by sending dummy packets carrying the accuser's identity, so that the suspected node cannot become aware of the investigation process. The investigation agents then observe the response of the suspected node and secretly send the result back to the base station for further action. The base station gathers sufficient feedback, and the conviction is based on a majority vote. Once the misbehaved node is convicted, its identity is included in the base station's blacklist table and sent to all the nodes in the network.

Eventually, the detected misbehaving node(s) will be isolated from the network until the penalization period is over. Our proposed approach overcomes the issues mentioned above in the sense that the accusation of the victim is taken as a reference, whereas the final conviction is based on the feedback of the randomly appointed investigation agents. Hence, the probability of a successful reputation attack is kept to a very low degree. Moreover, only the central authority can issue the blacklist table for all the nodes to execute the penalization together, and thus the detected misbehaver(s) will be recognized and isolated network-wide.
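The accusation, investigation and majority-vote conviction procedure of Section V, as an added Python simulation that is not the paper's code: the 4x4 grid with node letters a to p, the four forwarding policies, the probe count, the 80% forwarding tolerance and k = 3 agents are all constructed assumptions for illustration.

```python
import random

NAMES = "abcdefghijklmnop"   # constructed 4x4 grid, row-major; "a" is the base station
BASE = "a"

def neighbours(node):
    """One-hop neighbours on the constructed grid (horizontal/vertical links only)."""
    r, c = divmod(NAMES.index(node), 4)
    return [n for n in NAMES if n != node
            and abs(divmod(NAMES.index(n), 4)[0] - r)
            + abs(divmod(NAMES.index(n), 4)[1] - c) == 1]

# Forwarding policies of a suspected node: return True if the packet is forwarded.
def honest(pkt, rng):         return True
def black_hole(pkt, rng):     return False                   # drops every packet
def gray_hole_udp(pkt, rng):  return pkt["proto"] != "udp"   # selective (protocol) drop
def gray_hole_half(pkt, rng): return rng.random() < 0.5      # statistical 50% drop

class BaseStation:
    """Trusted central authority: appoints agents, tallies votes, keeps the blacklist."""
    def __init__(self, k=3, probes=40, tolerance=0.8, seed=1):
        self.k, self.probes, self.tolerance = k, probes, tolerance
        self.rng = random.Random(seed)      # seeded so a run is reproducible
        self.blacklist = set()              # distributed to every node once updated

    def handle_accusation(self, accuser, accused, accused_policy, proto="udp"):
        """Process one secret accusation report; return (convicted, agents)."""
        # Agents: up to k random neighbours of the accused, never the accuser itself.
        pool = [n for n in neighbours(accused) if n not in (accuser, BASE)]
        agents = self.rng.sample(pool, min(self.k, len(pool)))
        votes = 0
        for agent in agents:
            # Dummy probes carry the accuser's identity, so the suspect cannot
            # distinguish the investigation from the victim's ordinary traffic.
            pkt = {"src": accuser, "via": agent, "proto": proto}
            forwarded = sum(accused_policy(pkt, self.rng) for _ in range(self.probes))
            # An agent reports "dropping" when too few probes were forwarded.
            votes += forwarded < self.tolerance * self.probes
        convicted = bool(agents) and votes * 2 > len(agents)   # majority vote
        if convicted:
            self.blacklist.add(accused)     # network-wide isolation follows
        return convicted, agents
```

Probing in the traffic class the victim actually sends matters: a selective gray hole that forwards TCP but drops UDP is only convicted when the dummy packets are UDP, and a false accusation against an honest node gathers no "dropping" votes.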

VI. RESULTS AND DISCUSSION

Consider 50 static nodes sending data in a network of size 1000 x 1000 meters. We assume all the dropped packets are mainly caused by misbehaved nodes rather than link errors. The shortest path algorithm was used to search for the next route to forward the data to the base station.

Figure-2 (a): Selfish nodes network


Figure-2 (b): Malicious nodes network

Figure-2 (a) and (b) above show the detection effectiveness against the selfish-node and malicious-node threats. The scheme achieves a high correct detection percentage in an ideal network where only a small number of selfish nodes exist. As the number of selfish nodes increases, correct detection degrades, but the false positive detection rate is still kept at zero percent.

In the real world, multiple malicious nodes may exist in the network and threaten the innocent nodes. An increasing number of malicious nodes augments the false positive detection rate in the network (Figure-2(b)); in other words, more innocent nodes are defamed by malicious nodes. Meanwhile, the correct detection percentage increases too, as independent malicious nodes mistakenly accuse each other. Next, we examine the influence of the number of investigators on detection effectiveness. In an ideal network where only selfish nodes exist, the number of investigators has no significant influence on detection effectiveness, as selfish nodes do not defame other innocent nodes. However, in a network with malicious nodes, we observed that a higher number of investigator agents can reduce the false positive detection percentage. The correct detection percentage is slightly reduced, as some parts of the network may have insufficient agents to complete the investigation.

VII. CONCLUSION

Wireless networks rely on the uninterrupted availability of the wireless medium to interconnect participating nodes. However, the open nature of this medium leaves it vulnerable to multiple security threats. Anyone with a transceiver can eavesdrop on wireless transmissions, inject spurious messages, or jam legitimate ones. We propose a simple yet effective scheme to identify misbehaving forwarders that drop or modify packets in wireless networks.

REFERENCES

1. M. Felegyhazi, J. P. Hubaux, and L. Buttyan, “Nash equilibria of packet forwarding strategies in wireless ad hoc networks”, IEEE Transactions on Mobile Computing, pp. 463-476, 2006.

2. Q. He, D. Wu, and P. Khosla, “SORI: A secure and objective reputation-based incentive scheme for ad hoc networks”, Proceedings of the IEEE Wireless Communications and Networking Conference (WCNC 2004), 2004.

3. T. Fahad, D. Djenouri, R. Askwith, and M. Merabti, “A new low cost sessions-based misbehavior detection protocol (SMDP) for MANET”, AINA Workshops, Vol. 1, pp. 882-887, 2007.

4. P. Papadimitratos and Z. J. Haas, “Secure routing for mobile ad hoc networks”, Proceedings of the SCS Communication Networks and Distributed Systems Modeling and Simulation Conference, pp. 193-204, 2002.

5. K. Sanzgiri, B. Dahill, B. N. Levine, C. Shields, and E. M. Belding-Royer, “A secure routing protocol for ad hoc networks”, Proceedings of the 10th IEEE International Conference on Network Protocols, pp. 78-87, 2002.

6. B. Awerbuch, D. Holmes, C. Nita-Rotaru, and H. Rubens, “An on-demand secure routing protocol resilient to Byzantine failures”, Proceedings of the 3rd ACM Workshop on Wireless Security, pp. 21-30, 2002.

7. Y. Zhang and W. Lee, “Intrusion detection in wireless ad-hoc networks”, Proceedings of the 6th ACM International Conference on Mobile Computing and Networking, pp. 275-283, August 2000.

8. P. Papadimitratos and Z. Haas, “Secure data communication in mobile ad hoc networks”, IEEE Journal on Selected Areas in Communications, vol. 24, issue 2, pp. 343-356, 2006.

9. J. Kong, P. Zerfos, H. Luo, S. Lu, and L. Zhang, “Providing robust and ubiquitous security support for mobile ad-hoc networks”, Proceedings of the 9th IEEE International Conference on Network Protocols, pp. 251-260, 2001.

10. L. Zhou and Z. Haas, “Securing ad hoc networks”, IEEE Network Magazine, vol. 13, issue 6, 1999.

11. S. Marti, T. J. Giuli, K. Lai, and M. Baker, “Mitigating routing misbehavior in mobile ad hoc networks”, Proceedings of the 6th ACM International Conference on Mobile Computing and Networking, pp. 255-265, 2000.

12. R. Rao and G. Kesidis, “Detecting malicious packet dropping using statistically regular traffic patterns in multi-hop wireless networks that are not bandwidth limited”, Proceedings of the 2003 IEEE Global Telecommunications Conference, vol. 5, pp. 2957-2961, 2003.
