IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 60, NO. 8, OCTOBER 2011 3947

An Integrated Stimulation and Punishment Mechanism for Thwarting Packet Dropping Attack in Multihop Wireless Networks

Mohamed Elsalih Mahmoud and Xuemin (Sherman) Shen, Fellow, IEEE

Abstract—In multihop wireless networks, the rational packet droppers may not relay the others’ packets because packet relay consumes their resources without benefits, and the irrational packet droppers intentionally drop packets to disrupt the packet transmission process, which may make multihop communication fail. Cooperation stimulation mechanisms can motivate the rational packet droppers to relay packets, but they cannot identify the irrational packet droppers. In this paper, we develop a novel mechanism that can thwart the rational and irrational packet dropping attacks by adopting stimulation and punishment strategies (TRIPO). TRIPO uses micropayment to stimulate the rational packet droppers to relay the others’ packets and enforce fairness and uses reputation system (RS) to identify and evict the irrational packet droppers. We propose a novel monitoring technique to measure the nodes’ frequency of dropping packets based on processing the payment receipts instead of using the medium overhearing technique. The receipts can be processed to extract financial information to reward the cooperative nodes that relay packets, as well as contextual information, such as broken links, to build up the RS. Extensive analytical and simulation results demonstrate that TRIPO can secure the payment and precisely identify the irrational packet droppers with almost no false-positive nodes, which can improve the network performance in terms of packet delivery ratio.

Index Terms—Cooperation stimulation, gray/black hole attacks, packet dropping attack, reputation systems (RSs).

Manuscript received April 14, 2011; revised June 16, 2011; accepted July 20, 2011. Date of publication July 25, 2011; date of current version October 20, 2011. This paper was presented in part at the 2010 IEEE Global Communications Conference [6]. The review of this paper was coordinated by Dr. P. Lin.

The authors are with the Centre for Wireless Communications, Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, ON N2L 3G1, Canada (e-mail: [email protected]; [email protected]).

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TVT.2011.2162972

I. INTRODUCTION

Multihop wireless networks (MWNs) have been emerging to enable new applications and to enhance the network performance and deployment [1]–[3]. In MWNs, the mobile nodes act as routers to relay the source nodes’ packets to their destinations. Multihop packet relay can extend the communication range using limited transmit power and enhance the network throughput and capacity [4], [5]. Moreover, MWNs can be deployed more readily and at low cost in developing and rural areas. However, the reliability of packet relaying nodes cannot be guaranteed because they are autonomous and self-interested, which endangers the network proper operation.

The rational packet droppers do not cooperate in relaying packets because packet relay consumes their valuable resources, such as energy and computing power, with no immediate benefits. Moreover, the irrational packet droppers, such as compromised and faulty nodes, involve themselves in communication sessions with the intention of dropping the packets to disrupt the packet transmission process. Note that the words “route” and “session” are used interchangeably in this paper. Packet dropping attack considerably degrades the network connectivity and performance in terms of packet delivery ratio (PDR) and throughput, and the presence of even a small number of attackers results in repeatedly dropped packets, which may make multihop communication fail [7], [8].

Cooperation stimulation mechanisms [9], [10] use credits (or micropayment) to motivate the rational packet droppers to relay packets. The nodes earn credits for relaying the others’ packets and spend them to relay their packets, i.e., these mechanisms make relaying packets more beneficial for the nodes than dropping them. However, cooperation stimulation mechanisms cannot identify the irrational packet droppers assuming that the nodes will relay the packets faithfully using credits. This assumption cannot be guaranteed in MWNs because, unlike single-hop networks that are run by the equipment of the operators, packet relay is performed by user-provided equipment. Some attackers may drop packets to disrupt the packet transmission process, and broken nodes may have a software or hardware fault that prevents them from relaying the packets successfully. In Internet Protocol networks, the malfunction of the network equipment is an important source for network unavailability [11]. It is impossible to know whether a packet is dropped for malicious or nonmalicious reasons, e.g., due to faulty nodes and bad channel condition; therefore, it is necessary to measure the nodes’ frequency of dropping packets, and the nodes that consistently drop the packets are considered attackers because they pose a severe threat to the proper operation of the network [9], [10].

In this paper, we develop TRIPO, which is a novel mechanism that can thwart the rational and irrational packet dropping attacks by adopting stimulation and punishment strategies. TRIPO uses credits to stimulate the rational packet droppers to relay packets and uses a reputation system (RS) to identify and evict the irrational packet droppers. With TRIPO, uncooperation will not be an abuse because the nodes are stimulated and not forced to relay the others’ packets using their own devices because packet relay incurs a cost of energy and other resources, but frequently dropping packets is an obvious abuse due to the disruption of the proper operation of the network. Since a trusted party (TP) may not be involved in a communication route, the nodes in the route submit receipts (proofs of packet relay) to an offline TP. For efficient implementation, we propose a novel technique for measuring the nodes’ frequency of dropping packets based on processing the receipts instead of using the traditional medium overhearing technique [9], [10]. The TP can process the receipts to extract financial information to reward the intermediate nodes and charge the source and destination nodes, as well as contextual information, such as the broken link, to build up an RS to identify the irrational packet droppers. A node’s reputation value is degraded whenever it is involved in a broken link; otherwise, it is improved. A node is identified as an irrational packet dropper and excluded from the network when its reputation value degrades to a threshold because it becomes a threat to the network proper operation, and its packet dropping action is genuine and cannot be temporary. Securing the route discovery is outside the scope of this paper, which focuses on thwarting packet dropping attacks, but TRIPO can be implemented on top of a secure routing protocol, such as [12] and [13].

0018-9545/$26.00 © 2011 IEEE

In addition to thwarting the packet dropping attack, TRIPO can enforce fairness, discourage resource exhaustion attack, and efficiently charge the future services. The fairness issue arises when some nodes take advantage of the network more than others. For example, although the nodes situated at the network center relay more packets than others, they are not compensated. Moreover, the nodes that use the network more generate more traffic than others. To enforce fairness, TRIPO can compensate the nodes that relay more packets by rewarding credits. Since the nodes pay for relaying their packets, TRIPO can discourage launching a resource exhaustion attack by sending spurious packets to exhaust the resources of the intermediate nodes. TRIPO can also be used to charge the future services of the wireless networks because the communication sessions may occur without involving an infrastructure, and the mobile nodes may roam among different foreign networks [14], [15]. Extensive analytical and simulation results demonstrate that TRIPO can secure the payment and precisely identify and evict the irrational packet droppers with almost no false-positive nodes, which can improve the network connectivity and performance in terms of PDR and throughput.

The main contributions of this paper are fourfold: 1) This is the first work that points out that cooperation stimulation alone is not sufficient to thwart the packet dropping attack, and TRIPO is the first mechanism that adopts stimulation and punishment strategies for thwarting the packet dropping attack in MWNs. 2) We propose a novel technique for monitoring the nodes’ frequency of dropping packets based on processing the payment receipts instead of using the medium overhearing technique. 3) We develop a novel RS that can precisely identify the irrational packet droppers. 4) We program a simulator to evaluate TRIPO, and the simulation results demonstrate that all the irrational packet droppers can be identified with almost no false-positive nodes.

The remainder of this paper is organized as follows: Section II reviews the related works. Section III presents the system models, and Section IV proposes TRIPO. Security analysis and performance evaluation are given in Sections V and VI, respectively, followed by the conclusion and future work in Section VII.

II. RELATED WORKS

For cooperation stimulation mechanisms, the intermediate nodes usually compose undeniable proofs of relaying the packets, called payment receipts, which contain the identities of the payers and the payees and the payment amount. Since the connection to a trusted centralized unit, which is called the accounting center (AC), may not be available on a regular basis, the nodes accumulate the receipts and submit them when the connection is possible to update their credit accounts. For cooperation enforcement mechanisms, each node usually monitors the transmissions of its neighbors to make sure that the neighbors relay the others’ packets, and thus, packet droppers (rational or irrational) can be identified and punished.

A. Cooperation Stimulation Mechanisms

In Sprite [16], the source node signs the identities of the nodes in the route and appends the signature to its message. The intermediate nodes verify the signature and compose signed receipts. Using game theory, Sprite determines the charges and rewards to motivate each node to report its message forwarding activities honestly and proves the correctness of the proposed mechanism. Ad Hoc-VCG [17] uses game theory to route the packets through greedy and selfish nodes that accept payments for forwarding the others’ packets if the payments cover the costs, such as energy, incurred in forwarding the packets. They have shown that it is in the nodes’ best interest to reveal their true costs for forwarding messages, and the mechanism guarantees that routing is done along the most cost-efficient path in a game-theoretic sense by paying to the intermediate nodes a premium over their actual costs of forwarding packets.

Unlike Sprite, which charges only the source node no matter how the destination node is interested in the communication, Fair, Efficient, and Secure Cooperation Incentive Mechanism for hybrid ad hoc networks (FESCIM) [18] adopts a fair charging policy by charging both the source and destination nodes when both of them are interested in the communication. In Practical Incentive System for multi-hop wireless networks (PIS) [19], the source node attaches a signature to each message, and the destination node replies with a signed ACK. PIS can reduce the receipts’ number by generating a fixed-size receipt per session regardless of the number of messages instead of generating a receipt per message in Sprite. Efficient and Secure Incentive Protocol with limited use of public-key cryptography for multi-hop wireless (ESIP) [20] proposes a communication protocol that can be used for a cooperation stimulation mechanism. The protocol uses public key cryptography and identity based cryptography to reduce the number of signing and verifying operations. The source and destination nodes generate hash chains and sign their roots. For each message, the source node appends the preimage of the last sent hash value from its chain and a keyed hash value for each intermediate node to ensure the message integrity at each hop. The destination node replies with an ACK packet containing the preimage of the last sent hash value from its chain. This way, only two signatures can be generated for the whole session, i.e., one signature from the source node and one signature from the destination node. In [21], instead of submitting payment receipts to the AC, each node submits a brief payment report containing its alleged charges and rewards of different sessions. The AC uses lightweight statistical methods to identify the cheating nodes that report incorrect payment. However, due to the nature of the statistical methods, the colluding nodes may manage to steal credits, and the payment clearance may be long delayed until identifying the cheating nodes that submit incorrect reports.

TABLE I. COMPARISON BETWEEN COOPERATION ENFORCEMENT MECHANISMS AND TRIPO

Different from these works, TRIPO can identify the irrational packet droppers. Although the proposed protocol in ESIP can be used with TRIPO, we use a simple communication protocol due to space limitation and to focus on our contribution, i.e., identifying the irrational packet droppers.

B. Cooperation Enforcement Mechanisms

In [7], two modules called watchdog and path rater are implemented in each node. When node A transmits a packet to B to relay to C, the watchdog module of node A overhears the medium to make sure that B relays the packet. Node A increases the reputation value of node B when it overhears the packet relay; otherwise, node A decreases the reputation value of B. Node A accuses B of dropping packets as soon as its reputation value degrades to a threshold. Based on the watchdog’s accusations, the path rater module chooses the path that avoids the packet droppers without punishing them, which imposes extra load on the honest nodes without compensation. In [22], a node’s reputation value is initialized to neutral (0), every positive behavior (relaying a packet) results in an increment (+1), and every negative behavior (dropping a packet) results in a decrement (−2). Once a node’s reputation value falls below a threshold (−40), the node is identified as a packet dropper. However, in [7] and [22], the nodes depend only on their observations to evaluate the packet dropping frequency of the other nodes, and they do not share their evaluations, which may degrade the effectiveness of the mechanism because the honest nodes that drop the packets temporarily, e.g., due to network congestion or other reasons, may falsely be identified as packet droppers.

For Cooperation Of Nodes: Fairness In Dynamic Adhoc NeTworks (CONFIDANT) [23] and A Collaborative Reputation (CORE) Mechanism to enforce node cooperation in Mobile Ad hoc Networks [24], each node combines its evaluation with the evaluations of the other nodes to calculate a node’s reputation value. Only the positive evaluations are propagated in CORE to prevent maliciously defaming the nodes’ reputations by propagating negative evaluations, and only the negative evaluations are propagated in CONFIDANT to prevent the colluding nodes from falsely boosting their reputations by propagating positive evaluations. However, to precisely judge the real behavior of a node, both negative and positive behaviors should be considered. Moreover, in CORE and CONFIDANT, the packet droppers are unilaterally isolated from the network by each node by avoiding them in routing and denying relaying their packets, which may result in widespread false accusations because when node A denies relaying the packets of a packet dropper, the neighbors of A may consider its behavior illegal.

In [25], each node counts the number of packets relayed both by and for a neighboring node, and the ratio of these counts is combined with reports from other nodes to calculate the node’s reputation value. However, the nodes less frequently selected by the routing protocol, such as those at the network perimeter, falsely have a bad reputation. In [26], the two-hop ACK technique is used to monitor the nodes’ frequency of dropping packets instead of using the medium overhearing technique. Node A accuses the neighboring node B of dropping a packet if node A does not receive ACK from the two-hop away node C, but the mechanism completely fails when two neighboring nodes collude to issue fake ACKs.

The main differences between the cooperation enforcement mechanisms and TRIPO are given in Table I. The cooperation enforcement mechanisms cannot enforce fairness because they do not compensate the nodes that relay more packets, such as those situated at the network center, and force the nodes to relay the others’ packets with no benefits and punish them when they do not cooperate, no matter how they have previously contributed to the network. In cooperation enforcement mechanisms, misbehavior is beneficial for the nodes, e.g., the nodes may relay the packets to avoid punishment, but they do not monitor their neighbors to save their resources and make use of the other nodes’ evaluations to avoid routing their packets through the packet droppers, which degrades the effectiveness of the mechanisms. Moreover, to differentiate between a node’s unwillingness and incapability to relay packets, the cooperation enforcement mechanism should monitor the nodes over a long time and different sessions because packet drop may just happen accidentally, e.g., due to low resources, node mobility, bad channel condition, and network congestion, but the mechanisms may not have sufficient time to precisely judge a node’s behavior due to node mobility.

Fig. 1. Architecture of MWNs.

In addition, the medium overhearing technique suffers from inefficiency and inaccuracy problems because the assumption that the transmitted packets by a node can be overheard by all the nodes in its neighborhood cannot be ensured for the following reasons: 1) When node B relays a packet to C, node A cannot overhear the packet relay because of packet collision, i.e., due to another concurrent transmission in its neighborhood [27]. 2) Since node A can know if B has relayed a packet but cannot know if C received it, node B can save its power and circumvent the monitoring technique if node A is closer than node C by adjusting its transmission power such that the signal is strong enough to be overheard by the monitoring node A but too weak to be received by the true recipient node C [27]. 3) The overhearing monitoring technique is not power efficient for transmitters because they have to use full transmission power instead of adapting the power according to the distance separating the transmitter and the receiver to avoid false accusations [28]. For example, if the required power to relay packets from B to C is less than the required power to reach A from B, the packets sent from B to C will not be overheard by A. Consequently, node A will not be able to validate any packet relay event by node B and, thus, may wrongly accuse B of dropping the packets.

III. SYSTEM MODELS

A. Network and Communication Models

As illustrated in Fig. 1, the considered MWN includes an offline TP, mobile nodes, and base stations in some networks. The TP contains the AC and the RS. The TP generates private/public key pair and certificate with unique identity for each node to participate in the network. Once the TP receives the payment receipts from the network nodes, it processes them to extract financial and contextual information. The financial information is passed to the AC to update the nodes’ credit accounts, and the contextual information is passed to the RS to update the nodes’ reputation values. Once the RS detects an irrational packet dropper, the TP revokes the node by not renewing its certificate. TRIPO can be implemented on top of any on-demand routing protocol, such as dynamic source routing (DSR) [29], to establish an end-to-end route between the source and the destination nodes. The source node’s packets may be relayed several hops by the intermediate nodes to the destination node. The nodes can contact the TP at least once during a period, which is called updating time, and can be in the range of a few days. During this connection, the nodes submit the receipts and renew their certificates. This connection can occur via base stations, Wi-Fi hotspots, or wired networks, such as the Internet.

TABLE II. USEFUL NOTATIONS

B. Threat and Trust Models

The mobile nodes and base stations are probable attackers, but the TP is fully secure. The mobile nodes are autonomous and self-interested, and the base stations may belong to different operators that are motivated to misbehave, e.g., to steal credits. It is impossible to realize secure payment between two entities without a trusted third party [30]. The attackers can be classified into two classes: 1) rational attackers and 2) irrational packet droppers. The rational attackers misbehave when they can achieve more benefits than behaving honestly. Specifically, they attempt to steal credits, pay less, and communicate freely. On the contrary, the irrational packet droppers aim to disrupt the packet transmission process by dropping the packets without considering their interests and attack cost, such as energy and credits. The irrational packet droppers may launch a black hole attack, by continuously dropping all the packets they are supposed to relay, or a gray hole attack, by intentionally dropping the packets in some sessions and behaving regularly in other sessions to circumvent the RS, but the ratio of misbehaving sessions should be large to launch effective attacks. The irrational packet droppers may be compromised, malfunctioning, or faulty nodes.

The attackers have full control over their nodes, and thus, they can change the nodes’ operation. Uncooperation in relaying the others’ packets will not be an abuse because the nodes are stimulated and not forced to relay the others’ packets using their own devices, but the high frequency of dropping packets is an abuse due to disrupting the network proper operation. The attackers may work individually or collude with each other to launch sophisticated attacks. The colluding irrational packet droppers may launch reputation boost and false accusation attacks. For the reputation boost attack, the attackers attempt to falsely augment their reputations to escape the consequence of dropping the packets; and for the false accusation attacks, the attackers attempt to defame the reputation values of some honest nodes to evict them from the network. The gained experience from the currently used mechanisms and protocols in civilian applications emphasizes that the large-scale irrational collusion attacks are highly unlikely [31], [32]. The RSs are susceptible to collusion attacks due to the nature of these systems. Our objective is to protect the payment against the large-scale collusion attacks and protect the RS against the small-scale irrational collusion attacks launched by a low number of colluders, e.g., in the range of ten, and improve the robustness of the RS against the large-scale collusion attacks.

For the trust models, the network nodes fully trust the TP to manage their credit accounts and reputation values, but the TP trusts no node in the network.

C. Payment Model

We adopt a fair and general-purpose charging policy by supporting cost sharing between the source and destination nodes when both of them are interested in the communication. The payment splitting ratio is service dependent and depends on the beneficiary of the communication, e.g., the ratio is 0.5 if the source and destination nodes are equally interested in the communication, and the DNS server should not pay for name resolution. For the rewarding policy, TRIPO can be integrated with any rewarding policy, such as that proposed in [17] that considers the reward for relaying a packet is proportional to the incurred energy in relaying the packet. However, to focus on our contributions, similar to [18]–[21], we use a fixed rewarding rate, e.g., λ credits per unit-sized packet. The AC charges the source and the destination nodes for every transmitted message even if it does not reach the destination node, but the AC rewards the intermediate nodes only for the delivered messages. Table II gives the notations used in this paper.

Fig. 2. Architecture of TRIPO.

IV. PROPOSED TRIPO

As shown in Fig. 2, TRIPO has four main phases. For the communication phase, the nodes are involved in communication sessions and compose payment receipts. The nodes accumulate the receipts and submit them when the connection to TP is available. For the processing phase, the TP processes the receipts to extract financial and contextual information and passes them to the credit and state update phases to update the nodes’ credit accounts and states. Once the RS identifies an irrational packet dropper, the TP evicts it by not renewing its certificate.

A. Communication Phase

Route Establishment: To establish an end-to-end route, the source node broadcasts the route request packet (RREQ) that contains the identities of the source ($ID_S$) and destination ($ID_D$) nodes, its certificate, time stamp (TS), the payment splitting ratio ($P_r$), and its signature $A_S = \mathrm{Sig}_S(ID_S, ID_D, TS, P_r)$. The source node is charged the ratio of $P_r$ of the total payment, and the destination node is charged the ratio of $1 - P_r$. After receiving the RREQ packet, a network node A signs the packet’s signature to generate $A_A$, i.e., $A_A = \mathrm{Sig}_A(A_S)$, as shown in Fig. 3. This signature authenticates node A and holds it accountable for dropping the next packets, i.e., the TP can make sure that node A indeed participated in the session. Then, node A broadcasts the RREQ packet after appending its identity ($ID_A$), certificate, and $A_A$.

The destination node receives RREQ packets for different routes to the source. If the verifications of the signatures of the first received RREQ packet, e.g., $A_C = \mathrm{Sig}_C(\mathrm{Sig}_B(\mathrm{Sig}_A(\mathrm{Sig}_S(ID_S, ID_D, TS, P_r))))$ in Fig. 3, fail, then the destination node verifies the signatures of the second received RREQ packet, and so on. This way, if an intermediate node manipulates the RREQ packet, then it cannot prevent establishing the session. The destination node generates a hash chain by iteratively hashing a random value $V_S$ $S$ times to obtain a final hash value $V_0$ called the root of the hash chain, where $V_{X-1} = H(V_X)$. The destination node signs the signature layers, $V_0$, and SI to generate the authentication code of the nodes in the session or $A_D$, e.g., $A_D = \mathrm{Sig}_D(V_0, SI, A_C)$ in Fig. 3. SI contains the identities of the nodes in the session and TS, e.g., SI = $ID_S$, $ID_A$, $ID_B$, $ID_C$, $ID_D$, and TS in Fig. 3. $A_D$ can authenticate the nodes in the session with reduced packet overhead because it requires less space than attaching a separate signature for each node. $A_D$ also authenticates the hash chain and links it to the session. The destination node sends back the route reply packet (RREP) containing SI, $V_0$, its certificate, and $A_D$. After receiving the RREP packet, each intermediate node verifies $A_D$ and relays the packet after adding its certificate. For example, node B authenticates S and A from the RREQ packet’s signature ($A_A$) and authenticates C and D from the RREP packet’s signature ($A_D$). The intermediate nodes store $A_D$, SI, and $V_0$ for composing the payment receipt.

Data Generation and Relay: As illustrated in Fig. 3, the source node appends the message $M_X$ and its signature $\mathrm{Sig}_S(SI, X, H(M_X))$ to the Xth data packet, where $H(M_X)$ is the hash value of $M_X$. Signing the hash of the message instead of the message can reduce the receipt size because the smaller-size $H(M_X)$ is attached to the receipt instead of $M_X$. Upon receiving the packet, each intermediate node verifies the source node’s signature to ensure the message integrity and authenticity and verify the payment data that includes SI and X. The intermediate nodes save only the last received signature for composing the receipt because it is sufficient to prove transmitting X messages, e.g., after receiving the Xth data packet, the intermediate node deletes $\mathrm{Sig}_S(SI, X-1, H(M_{X-1}))$ and saves $\mathrm{Sig}_S(SI, X, H(M_X))$.

ACK Generation and Relay: For each data packet, Fig. 3 shows that the destination node sends back the ACK packet containing the preimage of the last sent hash value from the hash chain. $V_1$ is released in the first ACK, $V_2$ in the second, and so on. Each intermediate node verifies the hash values by making sure that $V_{X-1}$ is obtained from hashing $V_X$. The payment approval and integrity can be ensured because the hash function is one way, i.e., only the destination node can generate the hash chain. Therefore, instead of generating a signature per ACK to secure the payment, one signature is generated per $S$ ACK packets. The nodes store only the last released hash value for the receipt composition. The number of delivered messages can be computed from the number of hashing operations to map $V_X$ to $V_0$.
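The hash-chain acknowledgement described above, as an added sketch that is not code from the paper: SHA-256 stands in for the unspecified hash function H, the seed is a constructed value, and the names `build_chain`, `RelayState` and `delivered_count` are illustrative.

```python
import hashlib


def H(value):
    """One-way hash used for the chain (SHA-256 is an assumption)."""
    return hashlib.sha256(value).digest()


def build_chain(seed, s):
    """Destination side: chain[x] is V_x, with chain[s] = seed and V_{x-1} = H(V_x)."""
    chain = [seed]
    for _ in range(s):
        chain.append(H(chain[-1]))
    chain.reverse()          # chain[0] is now the root V_0 that gets signed in A_D
    return chain


class RelayState:
    """What an intermediate node keeps: V_0 from the RREP and the last released value."""

    def __init__(self, v0):
        self.v0 = v0
        self.last = v0       # last accepted hash value (V_0 before any ACK)
        self.acked = 0       # number of ACKs accepted so far

    def on_ack(self, v_x):
        """Accept the ACK only if hashing the released value gives the stored one."""
        if H(v_x) != self.last:
            return False     # forged, replayed or out-of-order value
        self.last = v_x
        self.acked += 1
        return True


def delivered_count(v0, v_x, max_len):
    """Number of hash operations that map V_X to V_0, or None if V_X is not
    on the chain rooted at V_0 within max_len steps."""
    current = v_x
    for x in range(max_len + 1):
        if current == v0:
            return x
        current = H(current)
    return None


if __name__ == "__main__":
    chain = build_chain(b"constructed-seed", 5)   # constructed sample seed
    relay = RelayState(chain[0])
    for x in (1, 2, 3):
        print("ACK", x, "accepted:", relay.on_ack(chain[x]))
    print("replayed V_1 accepted:", relay.on_ack(chain[1]))
    print("messages proven delivered:", delivered_count(chain[0], relay.last, 5))
```
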

Receipt Composition and Submission: When the session is completed or broken, each node in the session composes a receipt. It can be seen from Fig. 4 that a session receipt contains two main parts: 1) descriptor (D) and 2) security token (St). The descriptor contains the session identifier, the number of messages (X), the hash value of the last message ($H(M_X)$), $V_0$, and the last hash value ($V_X$). The security token is a security proof that prevents payment repudiation and manipulation and thus ensures that the receipt is undeniable, unmodifiable, and unforgeable. To reduce the receipt size, the security token is composed by hashing the signatures instead of attaching the signatures. Since the connection to TP may not be available on a regular basis, the nodes store the receipts and submit them in batch to the TP for redemption.

If a node drops the RREP, data, or ACK packets, then the route is considered broken and reestablished. As illustrated in Fig. 5, if the session is broken during relaying the RREP packet, then the nodes that received the packet submit an incomplete session receipt [ISR(0)] to enable the RS to identify the attackers that frequently drop the RREP packets. The format of the ISR(0) is shown in Fig. 4(a). If the session is broken during relaying the Xth data packet, then the nodes that received the packet submit the incomplete session receipt for X packets or ISR(X). In Fig. 4(b), ISR(1) does not contain $V_1$ because the first ACK packet is not received. In Fig. 4(c), for X > 1, ISR(X) contains the source node’s signature for X messages, but the last released hash value is $V_{X-1}$ instead of $V_X$ because the ACK of the Xth message is not received. This receipt is called “incomplete session” because it is submitted only when the session is broken. Submitting ISR(X) by node C entails that the node has successfully relayed X − 1 packets and received one, but it is clear that all the nodes before C in the session (A and B) have indeed relayed the Xth data packet. If the last received packet is the Xth ACK, then the nodes submit the complete session receipt or CSR(X). Fig. 4(d) shows that CSR(X) contains the source node’s signature for X packets and $V_X$ that is a proof of receiving the Xth ACK. This receipt is called “complete session” because the session is complete if all the nodes in the session submit CSR(X).

Fig. 3. Exchanged security tags in a session.

Fig. 4. Format of the session receipt. (a) The last received packet is RREP. (b) The last received packet is $M_1$. (c) The last received packet is $M_X$ and X > 1. (d) The last received packet is the ACK of $M_X$.

Fig. 5. Composed receipts when the last packet is data, ACK, or RREP.

B. Processing Phase

Once the TP receives the receipts of a session, it first uses the session’s unique identifiers (SI) to make sure that the receipts have not been processed before. Then, to verify the credibility of the receipts, the TP creates the receipt’s security token by generating the nodes’ signatures and hashing them. The receipt is credible if the resultant hash value is identical to the receipt’s security token. The TP verifies the destination node’s hash chain by making sure that $V_0$ is obtained from hashing $V_X$ X times. The TP processes the receipts to extract the financial and contextual information. The financial information includes who pays whom and how much, and the contextual information reflects the nodes’ misbehaviors in terms of payment cheating and packet dropping. This information is called contextual because it is not carried in the receipts but extracted from the context of the receipts, such as the format (ISR or CSR) and the number of messages. The TP classifies each session into fair or cheating, and the fair sessions are further classified into complete or broken. A fair session is complete when the source node transmits its last message, but it is broken when at least one link is broken during transmitting the data, ACK, or RREP packets. For the cheating session, at least one node does not submit the receipt or submits a tampered receipt for rational reasons, such as paying less, or for irrational reasons to circumvent the RS.

Fig. 6. Possible cases for dropped packets. (a) Dropping the RREP packet. (b) Dropping the first data packet. (c) Dropping the Xth data packet. (d) Dropping the Xth ACK.

A session is complete when all the nodes in the session submit complete session receipts for the same number of packets or CSR(X). For the broken sessions, there are only four possible cases, as shown in Fig. 6. The TP can identify the broken link from the format of the receipts and/or the number of messages. In Fig. 6(a), if the link between nodes A and B is broken during relaying the RREP packet, then the nodes from B to D submit ISR(0), but the nodes from S to A do not submit receipts. Since node A may drop the RREP packet but does not submit the receipt to circumvent the RS, the system accuses the two nodes in the broken link of dropping the packet. In Section IV-D, we will discuss how the RS can precisely differentiate between the honest nodes and the irrational packet droppers. In Fig. 6(b) and (c), the link between nodes B and C is broken during relaying the Xth data packet. If X = 1, the nodes B and C submit ISR(1) and ISR(0); otherwise, they submit ISR(X) and CSR(X − 1), respectively. In Fig. 6(d), the link between nodes A and B is broken during relaying the ACK of $M_X$, and therefore, they submit ISR(X) and CSR(X), respectively.

The TP classifies a session into cheating if it is not complete or broken. Without loss of generality, Table III gives numerical examples for cheating sessions. For Case 1, the source node submits receipts with fewer messages to pay less because the intermediate and destination nodes cannot compose CSR(5) without the signature of the source node for five messages. For Case 2, the source and destination nodes collude to submit receipts with less payment because the intermediate nodes cannot compose their receipts without the signature of the source node for seven messages and $V_7$. As shown in Fig. 2, the nodes that submit incorrect receipts, such as node S in Case 1 and nodes S and D in Case 2, are evicted. For Case 3, node A cannot compose its receipt without the signature of the source node for four messages and $V_4$. For Case 4, the receipt of node B is not consistent with the receipts of the other nodes. Node B may drop the ninth data packet and submit less payment receipt to circumvent the RS, or the other nodes collude to accuse node B of cheating. For Case 5, the source and destination nodes may collude to create receipts for more messages, but they cannot fabricate receipts for fake sessions to falsely accuse nodes of dropping packets because the signatures of the intermediate nodes are required to compose a valid receipt, which is important to make false accusation attack difficult. The only way the attackers can falsely accuse an honest node of dropping packets is by neighboring the node and dropping packets or by paying more credits by submitting receipts for more messages, such as Cases 4 and 5. For Case 6, node B dropped the sixth data packet and does not submit the receipt, or the other nodes collude to falsely accuse node B, but the colluders have to neighbor node B to compose a valid $A_D$ that contains the signature of node B and use $A_D$ to compose valid receipts.

TABLE III. NUMERICAL EXAMPLES FOR CHEATING SESSIONS
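One way to express the session classification above in code, as an added sketch that is not the authors’ implementation. It assumes the receipts have already passed the security-token and hash-chain checks, and that every node on one side of the broken link holds the same receipt as the link node on that side; the function name and the tuple encoding of receipts are illustrative.

```python
def classify_session(route, receipts):
    """Classify one session from the receipts its nodes submitted.

    route    -- node identities ordered from source to destination
    receipts -- dict: node -> ("CSR", x) or ("ISR", x); nodes that submitted
                nothing are simply absent
    Returns (kind, broken_link, detail) with kind in
    {"complete", "broken", "cheating"}.
    """
    got = [receipts.get(node) for node in route]

    # Complete: every node submits CSR(X) for the same X.
    if got[0] is not None and got[0][0] == "CSR" and len(set(got)) == 1:
        return ("complete", None, got[0][1])

    # Broken: the receipts split into exactly two uniform groups around one link.
    for i in range(len(route) - 1):
        up, down = set(got[:i + 1]), set(got[i + 1:])
        if len(up) != 1 or len(down) != 1:
            continue
        u, d = up.pop(), down.pop()
        link = (route[i], route[i + 1])

        # Fig. 6(a): RREP lost, source side has nothing, destination side ISR(0).
        if u is None and d == ("ISR", 0):
            return ("broken", link, "RREP")
        if u is None or d is None or u[0] != "ISR" or u[1] < 1:
            continue
        x = u[1]
        # Fig. 6(d): ACK of M_X lost, ISR(X) upstream and CSR(X) downstream.
        if d == ("CSR", x):
            return ("broken", link, "ACK %d" % x)
        # Fig. 6(b)/(c): data packet X lost, downstream never saw M_X.
        if (x == 1 and d == ("ISR", 0)) or (x > 1 and d == ("CSR", x - 1)):
            return ("broken", link, "data %d" % x)

    # Neither complete nor one of the four broken patterns.
    return ("cheating", None, None)


if __name__ == "__main__":
    route = ["S", "A", "B", "C", "D"]
    # Constructed sample: link B-C breaks while relaying the 7th data packet.
    sample = {"S": ("ISR", 7), "A": ("ISR", 7), "B": ("ISR", 7),
              "C": ("CSR", 6), "D": ("CSR", 6)}
    print(classify_session(route, sample))
```

In the broken cases the returned link names the two nodes that the RS then rates, since the TP cannot tell from the receipts alone which of them dropped the packet.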

C. Credit Account Update Phase

The AC clears the receipts of the fair sessions according to the charging and rewarding policies discussed in Section III-C. For the cheating sessions, the AC clears the receipts in such a way that prevents stealing credits and punishes the cheating nodes to discourage cheating actions. For example, Cases 1 and 2 in Table III are cleared for five and seven messages, respectively, because it is obvious that S cheats in Case 1 and S and D cheat in Case 2. For Case 3, node A is rewarded for four messages, nodes B and C are not rewarded because they do not submit the receipt, and nodes S and D are charged for four messages. For Cases 4–6, each node is rewarded or charged according to the payment of its receipt, and therefore, the payee that does not submit a receipt is not rewarded, the payee that submits fewer payment receipts is rewarded less, and the payers that submit more payment receipts are charged more. This way, the nodes that submit incorrect receipts always lose credits.


D. State Update Phase

As shown in Fig. 2, the contextual information is used to update the nodes’ reputation values to identify the irrational packet droppers. The RS performs the following three processes: 1) In rating calculation, a rating is calculated for each node in a session. 2) In reputation update, a node’s reputation value is updated by aggregating its session rating with its old reputation value. 3) In state update, once a node’s reputation value reaches a threshold, the node is identified as an irrational packet dropper and is evicted.

Rating Calculation: A node’s rating is the probability that the node drops packets in a session, so the nodes that are not in a broken link receive a positive rating (0) because they cannot be packet droppers. In other words, all the nodes in complete sessions receive positive ratings, and the nodes that are not in the broken link of a broken session receive positive ratings. For Cases 4–6 in Table III, all the nodes receive negative ratings of (1), and thus, if an attacker manipulates its receipts, he loses credits and receives negative ratings. For the two nodes in a broken link, two techniques are proposed to calculate their negative ratings, which are called simple and weighted rating techniques (SRT and WRT, respectively).

SRT: The two nodes in a broken link receive equal negative ratings of (1), i.e., the two nodes are equally accused of dropping the packets, regardless of their history of dropping packets. The rationale of this technique is that the irrational packet droppers should be involved in far more broken links than the honest nodes to launch effective attacks, and therefore, they can be identified because they collect many more negative ratings. The technique is called simple because it requires simple computations and a small storage area.

WRT: The two nodes in a broken link receive ratings that are proportional to their frequency of dropping packets in the past. If the link between two neighboring nodes A and B is broken in session j, then the following equation is used to calculate the rating of A ($R_{A,j}$), which is the reputation value of node A ($R_{Lt,A}(t)$) to the summation of the two nodes’ reputation values:

$$R_{A,j} = \frac{R_{Lt,A}(t)}{R_{Lt,A}(t) + R_{Lt,B}(t)}. \tag{1}$$

By the same way, the rating of node B ($R_{B,j}$) is its reputation value to the summation of the two nodes’ reputation values or ($R_{B,j} = 1 - R_{A,j}$). As shown in Fig. 7, if nodes A and B have the same reputation value ($R_{Lt,A}(t) = R_{Lt,B}(t)$), then they receive equal negative ratings of 0.5, but the node with the worse (higher) reputation value receives more negative rating and vice versa. The rationale of this technique is that the worse reputation node is more likely the packet dropper because it has been involved in more broken links. The main advantage of WRT is that if an honest node and an irrational packet dropper are involved in a broken link, then they receive low and high negative ratings, respectively, which enables the RS to precisely differentiate between the honest nodes and the irrational packet droppers because the reputation values of the irrational packet droppers degrade much faster than do those of the honest nodes. In other words, the irrational packet droppers cannot cause a big reduction in the reputation values of the honest nodes, but the honest nodes can cause a big reduction in the reputation values of the irrational packet droppers.

Fig. 7. Weighted ratings of two nodes in a broken link. (a) B is an honest node. (b) B is an irrational packet dropper.

In Fig. 7(a), B is an honest node because its reputation value is low. If node A is also honest, e.g., with a reputation value between 0.05 and 0.15, the two nodes receive ratings between 0.4 and 0.6. However, if node A is an irrational packet dropper, e.g., with a reputation value of 0.8, nodes A and B receive ratings of 0.89 and 0.11, respectively. In Fig. 7(b), node B is an irrational packet dropper with a reputation value of 0.8. If node A is also an irrational packet dropper with a reputation value close to 0.8, then the rating of the two nodes is around 0.5. In other words, an irrational packet dropper receives less and more negative ratings when it neighbors irrational packet droppers and honest nodes, respectively, and therefore, an irrational packet dropper can be identified in shorter time when it neighbors honest nodes more because its reputation value degrades faster. Due to this property, if the number of honest nodes is larger than the number of irrational packet droppers, then the WRT can accelerate the degradation of the irrational packet droppers’ reputation values, i.e., the well-behaving majority can kick out the misbehaving minority.

Reputation Update: Using an RS is necessary to keep track of the nodes’ long-term packet dropping activities because packets may be dropped for nonmalicious reasons, e.g., due to mobility, or temporarily, e.g., due to network congestion, but the high frequency of dropping packets is an obvious misbehavior. The RS computes a reputation value for each node by accumulating its ratings. A node’s rating is the probability that a node drops packets in one session, but the reputation value is an evaluation to the node’s packet dropping activities over a large number of sessions. In Fig. 8, the RS stores a rating window for the latest γ ratings of node A, where $R_{A,j}$ is the rating of node A in session number j, and $R_{A,j} \in \{0, 1\}$ and $[0, 1]$ in SRT and WRT, respectively. After computing a new rating, the rating window is shifted to the right to cancel the oldest rating ($R_{A,j}$), and the new rating is stored at right. Then, with the following equation:

$$R_{St,A}(t) = \frac{1}{\gamma} \cdot \sum_{k=1}^{\gamma} R_{A,k} \tag{2}$$

the short-term reputation value ($R_{St,A}(t)$) is calculated by averaging the latest γ ratings, which is an evaluation to the node’s packet dropping activities in the latest γ sessions. Finally, with the following equation:

$$R_{Lt,A}(t) = \alpha \cdot R_{Lt,A}(t-1) + (1 - \alpha) \cdot R_{St,A}(t) \tag{3}$$

the new long-term reputation value ($R_{Lt,A}(t)$) is calculated by aggregating $R_{St,A}(t)$ with the old long-term reputation ($R_{Lt,A}(t-1)$), where $R_{St,A}(t)$, $R_{Lt,A}(t)$, and $\alpha \in [0, 1]$. $R_{Lt,A}(t)$ expresses the probability that node A is an irrational packet dropper, i.e., $R_{Lt,A}(t)$ should be large for the irrational packet droppers. α is called the fading factor that determines the given weight to the nodes’ past packet dropping events. The value of α determines how fast the long-term reputation value builds up and falls down, i.e., the lower value α is, the faster the old reputation value is forgotten, and vice versa. To improve the effectiveness of the RS, α should be greater than 1 − α because $R_{Lt,A}(t-1)$ is calculated over more sessions than $R_{St,A}(t)$.

Fig. 8. Rating window of node A contains its latest γ ratings.

A node’s reputation value is updated by $R_{St,A}(t)$ instead of only the latest rating (good or bad) to precisely differentiate between the honest and irrational packet droppers. This way, the long-term reputation values of the honest nodes degrade slower than those of the irrational packet droppers do because their short-term reputation values are smaller. By the same way, the long-term reputation values of the honest nodes improve faster than those of the irrational packet droppers do when they receive positive ratings because the honest nodes’ short-term reputations are smaller. Moreover, the honest nodes can filter out their negative ratings in two levels: 1) shifting the rating window forgets the node’s behavior in one session and 2) using α forgets a ratio of the node’s past behavior.

State Update: A node’s state is a conclusion for its behavior based on the accumulated experience on it (or its reputation value), which can be an expectation to its behavior in the future.

Fig. 9. Node’s state transition diagram.

A node’s state space includes three mutually disjoint states: 1) honest or regular node (+1); 2) suspicious or undecided (0); and 3) evicted (−1). From the following equation:

$$S_A(t) = \begin{cases} +1, & R_{Lt,A}(t) < R_h \quad \text{(Honest)} \\ 0, & R_h \le R_{Lt,A}(t) \le R_m \quad \text{(Suspicious)} \\ -1, & R_{Lt,A}(t) > R_m \quad \text{(Evicted)} \end{cases} \tag{4}$$

the state of node A ($S_A(t)$) is honest if the node’s long-term reputation value is below the honest threshold $R_h$; $S_A(t)$ is evicted if the node’s long-term reputation value is above the malicious threshold $R_m$; otherwise, $S_A(t)$ is suspicious. Moreover, a node is identified as an irrational packet dropper and evicted when it spends ω consecutive sessions in the suspicious state because the node receives negative ratings more than the normal rate. A node is also evicted when the difference between the spent times in the honest and suspicious states is less than β because the node receives positive ratings less than the normal rate.

The state transition diagram of a node is shown in Fig. 9. A suspicious node may be honest but its reputation value is temporarily degraded; therefore, instead of taking a harsh reaction by characterizing this node as an irrational packet dropper, the RS collects more information about the node’s behavior to figure out whether its misbehavior is temporary or genuine. If a suspicious node is honest, then it should be able to improve its reputation value and return to the honest state, but the irrational packet dropper stays for some time in the suspicious state before being evicted. As shown in the figure, a node is transferred directly from the honest to the evicted state without passing through the suspicious state when it commits a clear cheating action, such as node S in Case 1 in Table III. $R_m$ can reveal the attackers that drop packets more than the normal rate, β can reveal the attackers that drop packets in a large number of consecutive sessions, such as broken nodes that misbehave after gaining good reputation, and ω can reveal the attackers that spend a long time in the suspicious state, such as gray hole attackers. Since we cannot know whether a packet is dropped due to nonmalicious reasons or intentionally, the attackers may drop packets with keeping their reputations above the thresholds of the RS to avoid eviction. If the thresholds are close enough to the normal rate, then the RS can force the attackers to drop packets at a lower rate than the system’s thresholds, i.e., the RS can force the smart attackers to behave in such a way that it is not a severe threat to the proper operation of the network. $R_h$ enables an honest node to filter out its negative ratings because the node is identified honest, as long as its reputation value is less than $R_h$. The system tolerates the degradation of a node’s reputation value up to $R_m$, provided that the node improves its reputation and returns to the honest state.
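The rating, reputation and state updates of (1)–(4) can be traced with a small simulation. This is an added example, not code from the paper: it uses the parameter values the paper reports for its simulations (α = 0.78, γ = 50, $R_h$ = 0.19, $R_m$ = 0.35, initial rating window “00001” repeated), leaves out the ω and β eviction rules, and assumes a constructed workload in which one black hole node breaks a link with the same honest neighbor every round while the honest node also takes part in three complete sessions.

```python
from collections import deque

ALPHA, GAMMA = 0.78, 50      # fading factor and rating-window size
R_H, R_M = 0.19, 0.35        # honest and malicious thresholds


def wrt_rating(rep_a, rep_b):
    """Eq. (1): node A's share of the blame for a broken link A-B."""
    total = rep_a + rep_b
    return 0.5 if total == 0 else rep_a / total   # even split at 0/0 is an assumption


class Node:
    def __init__(self, name):
        self.name = name
        # Initial window "00001" repeated, so the initial reputation is 0.2.
        self.window = deque([0, 0, 0, 0, 1] * (GAMMA // 5), maxlen=GAMMA)
        self.long_term = sum(self.window) / GAMMA

    def add_rating(self, rating):
        self.window.append(rating)                  # maxlen drops the oldest rating
        short_term = sum(self.window) / GAMMA       # Eq. (2)
        self.long_term = ALPHA * self.long_term + (1 - ALPHA) * short_term  # Eq. (3)
        return self.long_term

    def state(self):
        """Eq. (4): +1 honest, 0 suspicious, -1 evicted."""
        if self.long_term < R_H:
            return 1
        if self.long_term <= R_M:
            return 0
        return -1


def simulate(technique, rounds=200, complete_per_round=3):
    """Return (dropper, honest, round in which the dropper first crosses R_M)."""
    dropper, honest = Node("dropper"), Node("honest")
    evicted_at = None
    for rnd in range(1, rounds + 1):
        if technique == "WRT":
            r_drop = wrt_rating(dropper.long_term, honest.long_term)
            r_hon = 1 - r_drop
        else:                                       # SRT: both link nodes rated 1
            r_drop = r_hon = 1
        dropper.add_rating(r_drop)
        honest.add_rating(r_hon)
        for _ in range(complete_per_round):         # complete sessions rate 0
            honest.add_rating(0)
        if evicted_at is None and dropper.state() == -1:
            evicted_at = rnd
    return dropper, honest, evicted_at


if __name__ == "__main__":
    for technique in ("SRT", "WRT"):
        d, h, at = simulate(technique)
        print(technique, "dropper crossed R_M in round", at,
              "| honest reputation %.3f, state %+d" % (h.long_term, h.state()))
```

Under SRT the honest neighbor settles in the suspicious band, which is the case the ω rule would eventually turn into a false positive; under WRT its share of the blame shrinks as the dropper’s reputation worsens.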

V. SECURITY ANALYSIS

A. Defense Against Payment Manipulation

For the double rewarding attack, the attacker attempts to clear a receipt multiple times to increase its rewards. TP can thwart the attack and identify the attacker because each receipt has a unique identifier (SI). For the double-spending attack, the attacker attempts to generate identical receipts for different sessions to pay once. In TRIPO, a session’s identifier is unrepeatable because it contains the identities of the nodes in the route and TS. For the receipt forgery or manipulation attack, the attackers attempt to forge receipts or manipulate valid receipts to increase their rewards. This is impossible in TRIPO with using secure hash function and public key cryptography because it is not possible to forge or modify the nodes’ signatures, compute the hash value of the signatures without computing the signatures, and compute $V_X$ from $V_{X-1}$. For the free calling (or riding) attacks, two colluding intermediate nodes in a legitimate session manipulate the session packets to add their data to communicate freely. To thwart this attack, the integrity of the packets should be checked at each node, and thus, the first node after the colluder can detect the packet manipulation and drop the packet. For the data, RREQ, and RREP packets, the nodes’ signatures can ensure the integrity of the packets. The integrity of the ACK packets can also be ensured by verifying the hash chain elements.

For the packet replay attack, the internal or external attacker records valid packets and replays them in a different place and/or time to establish sessions under the name of others to communicate freely. To thwart this attack, a fresh TS is used to establish a session to ensure that stale packets can be identified and dropped. For the impersonation attack, the attackers impersonate legitimate nodes to communicate freely or steal credits. This attack is not possible because the nodes use their private keys to sign the packets. For the reduced payment attack, some intermediate nodes may collude with the source and destination nodes to submit receipts with less payment. In TRIPO, even if a group of nodes colludes to reduce the rewards of an honest node, the node can submit a receipt with the correct payment, such as Cases 1–3 in Table III. For the receiver robbery attack, the colluding nodes attempt to steal credits from the destination node by sending bogus messages that the destination node pays for them. In TRIPO, the intermediate nodes are rewarded only when the destination node acknowledges receiving correct data, and a route cannot be established if the destination node is not interested in the communication because its signature is required.

B. Defense Against Irrational Packet Dropping Attack

Unlike the cooperation enforcement mechanisms that may not have sufficient time to judge the nodes’ real behavior due to the nodes’ mobility, TRIPO can monitor the nodes over different sessions and over a long period of time to precisely identify their behaviors. Moreover, packet drop is beneficial for the nodes in cooperation enforcement mechanisms because packet relay consumes their resource without benefits, but packet relay is beneficial for the nodes in TRIPO to earn credits. In TRIPO, singular attackers cannot launch reputation boost attacks, and they have to neighbor the victim nodes and drop packets to launch false accusation attacks. First, neighboring the victim nodes may not be easy due to the nodes’ mobility; second, the attackers also receive negative ratings, and falsely accusing a node does not guarantee that this accusation will be effective because the node can filter out its negative ratings; finally, frequently launching false accusation attack reduces the effectiveness of the attack with using WRT because the honest nodes and the attackers receive less and more negative ratings, respectively, which also makes it difficult for an attacker to play with multiple identities to launch stronger attacks. Although the honest nodes may receive negative ratings when they neighbor irrational packet droppers, the neighbors change due to node mobility, which can distribute the negative ratings instead of concentrating them on a few nodes. Moreover, since dropping the RREQ packets is not an abuse, an honest node can protect its reputation value by not involving itself in sessions with neighbors that frequently drop packets.

RSs are susceptible to collusion attacks due to the nature of these systems. The impact of small-scale collusion attacks can be mitigated by categorizing ratings by identities. The system can construct a neighbor density table (NDT) for the negative and positive ratings of a node’s rating window. The density of the negative (or positive) ratings of node B in the NDT of node A is the number of negative (or positive) ratings that are caused when B was neighbor to A to the total number of negative (or positive) ratings in the rating window of node A, i.e., the density of the negative (or positive) ratings reflects the frequency that node B caused negative (or positive) ratings to node A. Obviously, in a small-scale collusion attack, the colluders have much higher densities than the other nodes. Investigating the NDT in deciding a node’s state can improve the mechanism’s robustness. For example, in reputation boost and false accusation attacks, few nodes have high densities in a node’s positive and negative ratings, respectively, and the node’s reputation value becomes bad and good with excluding these false ratings, respectively. NDT can prevent a small number of colluders from falsely improving their reputation values and evicting honest nodes from the network and, thus, forces the attackers to collude with a large number of nodes, which is not easy in civilian and large-scale networks [31], [32]. Certainly, if the densities of the NDT are flat or dominated by a large number of nodes, then the RS can have a strong belief about the node’s real behavior. Several measures can be taken to improve the robustness against large-scale collusion attacks. Clearance fees can be imposed to clear the payment of a session to discourage submitting receipts for fake sessions to launch reputation boost attack. If colluders tamper their receipts to accuse a victim, then they lose credits and defame their reputation values, e.g., Cases 4–6 in Table III.


Fig. 10. Effect of $R_m$ on the RS at γ = 50.

Fig. 11. Effect of γ on the RS.

The following equation gives the probability that a node receives at least a ratio of $R_m$ negative ratings in γ sessions, or the probability of identifying a node as an irrational packet dropper

$$P_i(\gamma) = \sum_{k=\gamma \cdot R_m}^{\gamma} \binom{\gamma}{k} \cdot P^k \cdot (1 - P)^{\gamma - k} \tag{5}$$

where P is the probability of receiving a negative rating in a session. Obviously, P should be much larger for packet droppers than the honest nodes because they drop much more packets. Fig. 10 shows that if $R_m \in [0.35, 0.55]$, then the RS can perfectly differentiate between the honest nodes and the irrational packet droppers. However, if $R_m$ is low, e.g., [0, 0.35), then the honest nodes may be falsely identified as packet droppers, and if $R_m$ is too tolerant, e.g., (0.55, 1], then the packet droppers may not be identified. Thus, $R_m$ can control the tradeoff between the false accusation probability and the probability of identifying the packet droppers. The increase of P increases $P_i(\gamma)$ at the same $R_m$, and thus, some honest nodes may be falsely identified as packet droppers if $R_m$ does not have enough tolerance.

From Fig. 11, increasing the size of γ increases $P_i(\gamma)$ of the irrational packet droppers and decreases $P_i(\gamma)$ of the honest nodes, which can reduce the number of honest nodes that are falsely identified as packet droppers and the number of irrational packet droppers that are not identified. For example, if $R_m \in [0.3, 0.7]$ and γ = 10, then some honest nodes may be falsely identified as packet droppers, and some irrational packet droppers may not be detected, but the RS can perfectly identify the nodes’ behaviors when γ = 100 or 250. However, this does not mean that the RS has to wait a long time until the nodes participate in γ sessions for identifying the irrational packet droppers because a node’s rating window is not empty when the node first joins the network but has an initial value. From Fig. 12, the aggressive attackers that drop packets with a very high rate, i.e., having large P, can be identified after participating in a low number of sessions (or shorter time). For example, the probabilities to identify the irrational packet droppers after participating in 20 sessions are 0.87, 0.92, and 0.96 for P of 0.6, 0.63, and 0.66, respectively.

Fig. 12. Effect of P on $P_i(X)$ at $R_m$ = 0.5.
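Equation (5) is a binomial tail, so the threshold tradeoff discussed above can be checked numerically. This is an added example, not the authors’ MATLAB code; the function names and the honest-node rate of 0.2 used in the demo are assumptions.

```python
from math import ceil, comb


def p_identify(gamma, r_m, p):
    """Eq. (5): probability of at least gamma * r_m negative ratings in gamma
    sessions when each session yields a negative rating with probability p."""
    k_min = ceil(gamma * r_m - 1e-9)          # guard against float round-up
    return sum(comb(gamma, k) * p ** k * (1 - p) ** (gamma - k)
               for k in range(k_min, gamma + 1))


def sessions_to_detect(p, r_m, target, max_gamma=1000):
    """Smallest number of sessions for which Eq. (5) reaches the target
    probability, or None if it is not reached within max_gamma sessions."""
    for gamma in range(1, max_gamma + 1):
        if p_identify(gamma, r_m, p) >= target:
            return gamma
    return None


def tradeoff(gamma, p_honest, p_dropper, thresholds):
    """For each candidate R_m: (false-accusation probability, detection probability)."""
    return {r_m: (p_identify(gamma, r_m, p_honest),
                  p_identify(gamma, r_m, p_dropper))
            for r_m in thresholds}


if __name__ == "__main__":
    # The paper's worked values: 20 sessions, R_m = 0.5.
    for p in (0.60, 0.63, 0.66):
        print("P = %.2f -> P_i(20) = %.2f" % (p, p_identify(20, 0.5, p)))
    # Assumed rates: honest nodes 0.2, droppers 0.6, window of 50 sessions.
    for r_m, (fp, det) in tradeoff(50, 0.2, 0.6, (0.25, 0.35, 0.45, 0.55, 0.65)).items():
        print("R_m = %.2f  false accusation %.4f  detection %.4f" % (r_m, fp, det))
```
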

To evaluate the overhead and effectiveness of TRIPO, a network simulator is programmed using MATLAB. Thirty-five mobile nodes with 125-m radio transmission range are randomly deployed in a square cell of 1000 m × 1000 m. We adopt the modified random waypoint model [33] to emulate the nodes’ mobility. Specifically, a node travels toward a random destination uniformly selected within the network field; upon reaching the destination, it pauses for some time, and the process repeats itself afterward. The node speed is uniformly distributed in the range of [0, 10] m/s, and the pause time is 10 s. The constant-bit-rate traffic source is implemented in each node as an application layer, and the source and destination nodes are randomly chosen. The DSR routing protocol [29] is simulated over the distributed coordination function of the IEEE 802.11 medium access control protocol. The TS, a node’s identity ($ID_A$), and the number of messages (X) are 5, 4, and 2 B, respectively. Three hundred sessions are held in each updating time, the packet transmission rate is 0.5 packets/s, and 25 packets are transmitted in each session if the route is not broken. To determine proper thresholds, we run a training phase assuming that all the nodes are honest to investigate the expected and tolerable ratio of dropping the packets. The parameters $R_h$, ω, β, γ, and α are 0.19, 100, 100, 50, and 0.78, respectively. The initial rating window is the repeat of the pattern “00001,” so the nodes’ initial reputation values and states are 0.2 and honest, respectively.

In Table IV, the number of false-positive nodes is the average number of honest nodes that are falsely identified as irrational packet droppers, and the detection time is the average number of updating times for identifying all the irrational packet droppers. The attack strength 1:X means that the attackers behave as irrational packet droppers in one session and behave normally in X − 1 sessions to circumvent the RS. However, the attacker has to drop a large ratio of the packets to launch effective attacks, i.e., X should be small. When X = 1, the attackers launch black hole attacks by dropping all the packets they should relay; otherwise, they launch gray hole attacks. The simulation results given in Table IV demonstrate the intuitive tradeoff between the detection time and the number of false-positive nodes, which can be controlled by $R_m$. Less tolerance to the negative ratings ($R_m$ = 0.35) shortens the detection time but increases the number of false-positive nodes. This tradeoff is sharper in SRT than WRT because the honest nodes collect more negative ratings. It takes longer to identify the nodes that misbehave less frequently, such as the attackers with 1:2 attacking strength, because they lose their reputation values slowly. The increase of the ratio of the attackers increases the number of false-positive nodes because the honest nodes collect more negative ratings due to neighboring more attackers, and the victims cannot improve their reputation values at the same rate they degrade. Nevertheless, for $R_m$ = 0.35 and X = 1, when a large ratio of 42.86% (16 nodes) of the nodes drop all the packets they should relay, almost no node is falsely accused in WRT, but around 13.25 nodes (37.8%) are falsely accused in SRT. That is because honest nodes receive fewer negative ratings in WRT, i.e., WRT can better filter out the negative ratings of the honest nodes, which is important to precisely identify the irrational packet droppers.

TABLE IV. SIMULATION RESULTS

The number of false-positive nodes can be reduced in SRT with increasing $R_m$, e.g., for X = 1 and 42.86% of the nodes are attackers, the increase of $R_m$ from 0.35 to 0.6 reduces the number of false-positive nodes from 13.35 (37.8%) to 2.8 (8%). However, the increase of $R_m$ means that the attackers can drop more packets while keeping their reputation values above the system thresholds and the detection time increases. $R_m$ can be less in WRT, e.g., $R_m$ = 0.35, for short detection time and low number of false-positive nodes because the attackers and the honest nodes collect more and fewer negative ratings, respectively, compared with SRT. Moreover, the simulation results demonstrate that the increase of the number of attackers increases the detection time because some attackers may not participate in any sessions in an updating time, and the attackers receive fewer negative ratings due to neighboring more attackers and fewer honest nodes in WRT. In addition, the number of false-positive nodes increases with reducing γ, which confirms our observation in Fig. 11.

Since the thresholds of the RS have direct impact on the system's effectiveness, our centralized RS can compute good thresholds from the nodes' reputation values and periodically tune them. For example, if the reputation values of the majority of the nodes are less than 0.3, $R_h$ can be decided as 0.3 assuming that the majority of the nodes behave honestly. Moreover, since the nodes contact the TP over discrete times, the detection and eviction times can be reduced with issuing shorter lifetime certificates to the bad reputation nodes. Moreover, investigating the rate of change of the reputation values can reduce the detection time for some attackers, e.g., this rate of change is larger for the gray hole attackers than the honest nodes.

VI. PERFORMANCE EVALUATION

The packet dropping attack degrades the network performance significantly. From [7] and [8], the average throughput degrades by 16% to 32% if 10%–40% of the nodes drop packets, and the end-to-end packet delay linearly increases with the increase of the number of attackers. Moreover, since a new receipt is generated when the session is broken and reestablished, the packet dropping attack increases the number of receipts. The attack also wastes the consumed energy and bandwidth in transmitting the packet from the source to the attacker. A packet cannot reach its destination if any intermediate node drops the packet, and thus, the PDR decreases with the growth of the number of attackers. Equation (6) gives the probability of dropping a packet by an irrational packet dropper in a session with n nodes (or n − 2 intermediate nodes). $P_m$ is the ratio of the irrational packet droppers, which is equivalent to the probability that an intermediate node is an irrational packet dropper. The PDR of a route with n nodes [PDR(n)] is the ratio of the number of delivered data packets to the number of sent packets in the route. In the following equations:

$$P_b(n) = 1 - (1 - P_m)^{n-2} \tag{6}$$

$$\mathrm{PDR}(n) = \mathrm{PDR}_0(n) \cdot \bigl(1 - P_b(n)\bigr). \tag{7}$$

PDR(n) and $\mathrm{PDR}_0(n)$ are the average PDRs of a route with n nodes with and without the irrational packet droppers, respectively. Fig. 13 shows that a ratio of irrational packet droppers as low as 20% can reduce the PDR by 74% and 60% for routes with eight and six nodes, respectively. Moreover, the increase of n or $P_m$ increases the packet dropping probability and, thus, degrades the PDR.

Fig. 13. Expected drop in the PDR due to irrational packet dropping attacks.
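The following added example (not code from the paper) checks Eq. (6) and (7) against a Monte Carlo route simulation and reproduces the Fig. 13 reductions quoted above. It assumes each intermediate node is independently an irrational dropper with probability P_m; the `x` parameter extends the formula to the 1:X attack strength under the further assumption that an attacker is active in any given session with probability 1/X. All function names are hypothetical.

```python
import random


def p_break(n, p_m, x=1):
    """Eq. (6): probability that a route with n nodes (n - 2 intermediates)
    contains at least one dropper that is active in this session.
    x = 1 is the black hole case of the paper; x > 1 is an assumed
    generalisation where an attacker drops in a fraction 1/x of sessions."""
    if n < 2:
        raise ValueError("a route needs at least a source and a destination")
    if not 0.0 <= p_m <= 1.0 or x < 1:
        raise ValueError("need 0 <= p_m <= 1 and x >= 1")
    return 1.0 - (1.0 - p_m / x) ** (n - 2)


def pdr(n, p_m, pdr0=1.0, x=1):
    """Eq. (7): PDR(n) = PDR0(n) * (1 - Pb(n))."""
    return pdr0 * (1.0 - p_break(n, p_m, x))


def simulate_pdr(n, p_m, x=1, sessions=20000, seed=1):
    """Monte Carlo estimate of the PDR for an otherwise loss-free route
    (PDR0 = 1). A session delivers its packets only if no intermediate
    node is an attacker that is active in that session."""
    rng = random.Random(seed)          # fixed seed: repeatable result
    delivered = 0
    for _ in range(sessions):
        blocked = False
        for _ in range(n - 2):         # only intermediate nodes can drop
            is_attacker = rng.random() < p_m
            is_active = rng.random() < 1.0 / x
            if is_attacker and is_active:
                blocked = True
        if not blocked:
            delivered += 1
    return delivered / sessions


def fig13_reductions(p_m=0.2, route_sizes=(6, 8)):
    """Expected PDR reduction (in percent) for the route sizes in the text."""
    return {n: round(100 * p_break(n, p_m)) for n in route_sizes}


if __name__ == "__main__":
    print("analytic reductions at Pm = 0.2:", fig13_reductions())
    for n in (6, 8):
        print(n, "nodes: analytic PDR", round(pdr(n, 0.2), 4),
              "simulated PDR", round(simulate_pdr(n, 0.2), 4))
    # Gray hole with attack strength 1:2 under the stated assumption
    print("8 nodes, 1:2 attackers:", round(pdr(8, 0.2, x=2), 4))
```

With `pdr0` set to the measured attacker-free PDR of a deployment, `pdr` gives the delivery ratio to expect at a given attacker ratio, which is a useful baseline when deciding whether observed losses exceed what honest link breakage explains.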

Public key cryptography is necessary for securing the wireless networks [12], [13]. TRIPO uses public key cryptography to enable the TP and the intermediate nodes to verify the payment. Instead of generating a signature per ACK packet, a hash chain is used to reduce the number of public key cryptography operations. The proposed communication protocol in [20] can be used with TRIPO to replace the source node's signatures with hashing operations. Digital signature technology and hardware implementation have been improved, and fast signature schemes are currently available. For example, the "online/offline" digital signature [34] is computed in two steps: 1) An offline step that is computationally more demanding and independent of the message is performed before the message to be signed is available, and 2) a lightweight online step is performed once the message to be signed becomes available. Moreover, the field-programmable gate array implementation of the RSA signature scheme can perform the signing and verifying operations in several milliseconds [35]. In route establishment, the nodes in the route use signatures to authenticate themselves not only to secure TRIPO by holding the nodes accountable for dropping packets but also to thwart many attacks that can be launched by external attackers (who are not members of the network) [36]. For example, the external attackers may launch resource exhaustion attacks by frequently flooding the network with RREQ packets to exhaust the nodes' resources. In this authentication process, each node performs one signing operation and multiple verifying operations, and thus, the RSA signature scheme may be a proper choice because the verifying operations require much less computational time and energy than the signing operations [37]. Moreover, dropping the data packets is more serious than dropping the RREP packets because they are much longer; therefore, the number of public key cryptography operations and receipts can be significantly reduced if TRIPO aims to identify only the data packet droppers. In this case, ISR(0) receipts are not submitted, and the nodes can authenticate themselves in the RREP packets to reduce the number of public key cryptography operations because the RREP packets are processed only by the nodes in the route.
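To illustrate why a hash chain removes the need for a signature per ACK, the added example below (not code from the paper) lets an acknowledging node commit to a chain root once and release one preimage per ACK, while a relay and the TP verify with hash operations only. It assumes the root is the value covered by the single signature made at route establishment, uses SHA-256 rather than the SHA-1 mentioned in this section, and all names are hypothetical.

```python
import hashlib


def H(data):
    """One hash-chain step (SHA-256 chosen for this example)."""
    return hashlib.sha256(data).digest()


def build_chain(seed, length):
    """Return chain[0..length] with chain[0] = H^length(seed) (the root that
    is authenticated once) and H(chain[i]) == chain[i - 1]. chain[i] is
    released with the i-th ACK."""
    values = [seed]
    for _ in range(length):
        values.append(H(values[-1]))
    values.reverse()
    return values


class AckVerifier:
    """State kept by a relay: the last verified chain element and its index."""

    def __init__(self, root):
        self.last = root
        self.count = 0          # number of messages proven acknowledged
        self.hash_ops = 0       # cost so far, in hash operations

    def accept(self, index, value):
        """Accept ACK number `index` carrying chain element `value`."""
        if index <= self.count:
            return False        # replayed or stale ACK proves nothing new
        candidate = value
        for _ in range(index - self.count):
            candidate = H(candidate)
            self.hash_ops += 1
        if candidate != self.last:
            return False        # value is not a preimage of what we hold
        self.last, self.count = value, index
        return True


def verify_claim(root, x, value):
    """TP-side check of a receipt claiming x acknowledged messages: hashing
    the submitted element x times must reproduce the authenticated root."""
    if x < 0:
        return False
    for _ in range(x):
        value = H(value)
    return value == root


if __name__ == "__main__":
    chain = build_chain(b"constructed-seed-for-demo", 25)  # constructed input
    relay = AckVerifier(chain[0])
    print("ACK 1 ok:", relay.accept(1, chain[1]))
    print("ACK 2 ok:", relay.accept(2, chain[2]))
    print("replay of ACK 2 rejected:", not relay.accept(2, chain[2]))
    print("inflated count rejected:", not relay.accept(4, chain[3]))
    print("ACK 5 after two lost ACKs ok:", relay.accept(5, chain[5]))
    print("receipt for 5 messages valid:", verify_claim(chain[0], 5, chain[5]))
    print("receipt inflated to 6 invalid:",
          not verify_claim(chain[0], 6, chain[5]))
```

Claiming one more message than was acknowledged requires a preimage the claimant has not yet been given, so the count in a receipt is bound to the chain element submitted with it.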

The simulation results show that the average receipt size is 126.6 B using SHA-1 hash function with digest value of 20 B [38]. The ratings of SRT and WRT are stored in 1 and 7 bits, respectively, and thus, a rating window for 320 ratings requires a storage area of 40 and 280 B, respectively. Moreover, the storage area can be significantly reduced by making the size of the rating window dynamic. The rating windows can be short for the good reputation nodes and long for the bad reputation nodes, e.g., suspicious nodes, to better judge their behavior. In addition, the overhead of TRIPO can be significantly reduced by running the RS only on-demand when the TP notices that the packets are dropped more than the normal rate, and the system can be run only for the suspected nodes that are frequently involved in broken links.

VII. CONCLUSION AND FUTURE WORK

In this paper, we have proposed a novel mechanism that adopts stimulation and punishment strategies to thwart the packet dropping attack in MWNs. Credits are used to stimulate the rational packet droppers to relay the others' packets, and the payment receipts can be processed to detect the broken links to build an RS to identify the irrational packet droppers. The SRT offers equal negative ratings to the two nodes in a broken link, but the WRT offers a more negative rating to the node that dropped more packets in the past. Our analytical and simulation results demonstrate that our mechanism can secure payment against singular and colluding attackers. Moreover, the WRT can precisely identify the irrational packet droppers with almost no false-positive nodes. The RS is secure against small-scale irrational collusion attacks and robust against large-scale collusion attacks because the attackers lose credits and defame their reputations.

The honest nodes have different packet dropping rates, i.e., the nodes with large hardware capability and low mobility have less packet dropping probability. In our future work, we will develop a routing protocol to route traffic through the nodes having low packet dropping probability to integrate the nodes' past behavior into routing decisions as a second line of defense against packet dropping attack and to improve route stability and thus the network performance. In addition, to reduce the overhead of submitting and clearing the receipts, each node can store the receipts' security tokens and submit only lightweight payment reports containing the alleged charges and rewards. A security mechanism will be developed to request the security token when the nodes' reports are not consistent to identify the cheating nodes. The mechanism should thwart different cheating strategies to secure the payment.

REFERENCES

[1] G. Shen, J. Liu, D. Wang, J. Wang, and S. Jin, “Multi-hop relay for next-generation wireless access networks,” Bell Labs Tech. J., vol. 13, no. 4, pp. 175–193, Feb. 2009.

[2] Y. Bi, X. Cai, X. Shen, and H. Zhao, “Efficient and reliable broadcast in inter-vehicle communications networks: A cross layer approach,” IEEE Trans. Veh. Technol., vol. 59, no. 5, pp. 2404–2417, Jun. 2010.

[3] Y. Sun, R. Lu, X. Lin, X. Shen, and J. Su, “An efficient pseudonymous authentication scheme with strong privacy preservation for vehicular communications,” IEEE Trans. Veh. Technol., vol. 59, no. 7, pp. 3589–3603, Sep. 2010.


[4] P. Gupta and P. Kumar, “The capacity of wireless networks,” IEEE Trans. Inf. Theory, vol. 46, no. 2, pp. 388–404, Mar. 2000.

[5] “Technical Specification Group Radio Access Network, Opportunity driven multiple access,” Third-Generation Partnership Project, Sophia-Antipolis, France, 3G Tech. Rep. 25.924, Dec. 1999.

[6] M. Mahmoud and X. Shen, “Credit-based mechanism protecting multi-hop wireless networks from rational and irrational packet drop,” in Proc. IEEE GLOBECOM, Miami, Florida, Dec. 6–10, 2010, pp. 1–5.

[7] S. Marti, T. Giuli, K. Lai, and M. Baker, “Mitigating routing misbehavior in mobile ad hoc networks,” in Proc. ACM MobiCom, Boston, MA, Aug. 6–11, 2000, pp. 255–265.

[8] P. Michiardi and R. Molva, “Simulation-based analysis of security exposures in mobile ad hoc networks,” in Proc. Eur. Wirel., Florence, Italy, Feb. 25–28, 2002, pp. 1–6.

[9] J. Hu, “Cooperation in mobile ad hoc networks,” Comput. Sci. Dept., Florida State Univ., Tallahassee, FL, Tech. Rep. (TR-050111), Jan. 2005.

[10] G. Marias, P. Georgiadis, D. Flitzanis, and K. Mandalas, “Cooperation enforcement schemes for MANETs: A survey,” J. Wirel. Commun. Mobile Comput., vol. 6, no. 3, pp. 319–332, May 2006.

[11] G. Iannaccone, C. Chuah, R. Mortier, S. Bhattacharyya, and C. Diot, “Analysis of link failures in an IP backbone,” in Proc. IMW, Marseille, France, Nov. 2002, pp. 237–242.

[12] K. Sanzgiri, D. LaFlamme, B. Dahill, B. Levine, C. Shields, and E. Belding-Royer, “Authenticated routing for ad hoc networks,” IEEE Sel. Areas Commun., vol. 23, no. 3, pp. 598–610, Mar. 2005.

[13] Y. Hu, A. Perrig, and D. Johnson, “Ariadne: A secure on-demand routing protocol for ad hoc networks,” in Proc. ACM MobiCom, Atlanta, GA, Sep. 2002, pp. 1–12.

[14] Y. Zhang and Y. Fang, “A secure authentication and billing architecture for wireless mesh networks,” ACM Wirel. Netw., vol. 13, no. 5, pp. 663–678, Oct. 2007.

[15] M. Peirce and D. O’Mahony, “Micropayments for mobile networks,” Trinity College, Dublin, Ireland, Tech. Rep. Dept. Comput. Sci., 1999.

[16] S. Zhong, J. Chen, and R. Yang, “Sprite: A simple, cheat-proof, credit based system for mobile ad-hoc networks,” in Proc. IEEE INFOCOM, San Francisco, CA, Mar. 30–Apr. 3, 2003, vol. 3, pp. 1987–1997.

[17] L. Anderegg and S. Eidenbenz, “Ad Hoc-VCG: A trustful and cost-efficient routing protocol for mobile ad hoc networks with selfish agents,” in Proc. ACM MobiCom, San Diego, CA, Sep. 2003, pp. 245–259.

[18] M. Mahmoud and X. Shen, “FESCIM: Fair, efficient, and secure cooperation incentive mechanism for hybrid ad hoc networks,” IEEE Trans. Mobile Comput., to be published.

[19] M. E. Mahmoud and X. Shen, “PIS: A practical incentive system for multi-hop wireless networks,” IEEE Trans. Veh. Technol., vol. 59, no. 8, pp. 4012–4025, Oct. 2010.

[20] M. Mahmoud and X. Shen, “ESIP: Secure incentive protocol with limited use of public-key cryptography for multi-hop wireless networks,” IEEE Trans. Mobile Comput., vol. 10, no. 7, pp. 997–1010, Jul. 2011.

[21] M. Mahmoud and X. Shen, “Stimulating cooperation in multi-hop wireless networks using cheating detection system,” in Proc. IEEE INFOCOM, San Diego, CA, Mar. 14–19, 2010, pp. 776–784.

[22] S. Bansal and M. Baker, “Observation-based cooperation enforcement in ad-hoc networks,” Comput. Sci. Dept., Stanford Univ., Stanford, CA, Tech. Rep., Jul. 2003.

[23] S. Buchegger and J. Boudec, “Performance analysis of the CONFIDANT protocol: Cooperation of nodes—Fairness in distributed ad hoc networks,” in Proc. IEEE/ACM MOBIHOC, Lausanne, Switzerland, Jun. 9–11, 2002, pp. 226–236.

[24] P. Michiardi and R. Molva, “CORE: A collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks,” in Proc. IFIP CMS, Portoroz, Slovenia, Sep. 26–27, 2002, pp. 107–121.

[25] Q. He, D. Wu, and P. Khosla, “A secure incentive architecture for ad-hoc networks,” Wirel. Commun. Mobile Comput., vol. 6, no. 3, pp. 333–346, May 2006.

[26] K. Liu, J. Deng, and K. Balakrishnan, “An acknowledgment-based approach for the detection of routing misbehavior in MANETs,” IEEE Trans. Mobile Comput., vol. 6, no. 5, pp. 536–550, May 2007.

[27] F. Milan, J. Jaramillo, and R. Srikant, “Achieving cooperation in multi-hop wireless networks of selfish nodes,” in Proc. Workshop Game Theory Commun. Netw., Pisa, Italy, Oct. 14, 2006, p. 3.

[28] L. Feeney, “An energy-consumption model for performance analysis of routing protocols for mobile ad hoc networks,” Mobile Netw. Appl., vol. 3, no. 6, pp. 239–249, Jun. 2001.

[29] D. Johnson and D. Maltz, “Dynamic source routing in ad hoc wireless networks,” in Mobile Computing. Norwell, MA: Kluwer, 1996, ch. 5, pp. 153–181.

[30] H. Pagnia and F. Gärtner, “On the impossibility of fair exchange without a trusted third party,” Darmstadt Univ. Technol., Darmstadt, Germany, Tech. Rep. TUD-BS-1999-02, Mar. 1999.

[31] T. Rabin and M. Ben-Or, “Verifiable secret sharing and multiparty protocols with honest majority,” in Proc. ACM Symp. Theory Comput., Seattle, WA, 1989, pp. 73–85.

[32] C. Cachin, K. Kursawe, A. Lysyanskaya, and R. Strobl, “Asynchronous verifiable secret sharing and proactive cryptosystems,” in Proc. ACM CCS, 2002, pp. 88–97.

[33] J. Yoon, M. Liu, and B. Nobles, “Sound mobility models,” in Proc. ACM MobiCom, San Diego, CA, Sep. 2003, pp. 205–216.

[34] S. Even, O. Goldreich, and S. Micali, “On-line/off-line digital signatures,” in Proc. CRYPTO, vol. 435, Lecture Notes in Computer Science, 1989, pp. 263–275.

[35] O. Nibouche, M. Nibouche, A. Bouridane, and A. Belatreche, “Fast architectures for FPGA-based implementation of RSA encryption algorithm,” in Proc. IEEE Field-Programmable Technol. Conf., Brisbane, Australia, Dec. 2004, pp. 271–278.

[36] B. Wu, J. Chen, J. Wu, and M. Cardei, “A survey of attacks and countermeasures in mobile ad hoc networks,” Wirel. Netw. Security, Springer, Netw. Theory Appl., vol. 17, pp. 103–135, 2007.

[37] A. Menzies, P. Oorschot, and S. Vanstone, Handbook of Applied Cryptography, Boca Raton, FL, CRC, 1996. [Online]. Available: http://www.cacr.math.uwaterloo.ca/hac

[38] Digital Hash Standard, FIPS Pub. 180-1, Apr. 1995.

Mohamed Elsalih Mahmoud received the B.Sc. and M.Sc. degrees (with honors) in electrical communications engineering from Banha University, Cairo, Egypt, in 1998 and 2003, respectively, and the Ph.D. degree from the University of Waterloo, Waterloo, ON, Canada, in 2011.

He is currently a Postdoctoral Fellow with the Centre for Wireless Communications, Department of Electrical and Computer Engineering, University of Waterloo. He is also currently a member of the Broadband Communications Research Group, University of Waterloo. His research interests include wireless network security, privacy, anonymous and secure routing protocols, trust and reputation systems, cooperation incentive mechanisms, and cryptography.

Dr. Mahmoud received the Best Paper award from the IEEE International Conference on Communications, Dresden, Germany, June 14–18, 2009. This award is one of the 14 awards among 1046 papers presented and more than 3000 total paper submissions and is the unique award for the Communication and Information Systems Security Symposium. He is the first author of more than 13 papers in major IEEE conferences and journals. He also served as a technical program committee member for the ad hoc and sensor networks track and the mobile applications and services track at the IEEE Vehicular Technology Conference, which was held in Ottawa, ON, Canada, September 6–9, 2010.


Xuemin (Sherman) Shen (F’09) received the B.Sc. degree from Dalian Maritime University, Dalian, China, in 1982 and the M.Sc. and Ph.D. degrees in electrical engineering from Rutgers University, Camden, NJ, in 1987 and 1990, respectively.

He is currently a Professor and University Research Chair with the Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, ON, Canada. His research focuses on resource management in interconnected wireless/wired networks, ultra-wideband wireless communications networks, wireless network security, wireless body area networks, and vehicular ad hoc and sensor networks. He is a coauthor of three books and has published more than 500 papers and book chapters in wireless communications and networks, control, and filtering.

Dr. Shen served as the Technical Program Committee Chair for the 2010 IEEE Vehicular Technology Society Conference, the Symposia Chair for the 2010 IEEE International Conference on Communications (ICC’10), the Tutorial Chair for IEEE ICC’08, the Technical Program Committee Chair for the 2007 IEEE Global Communications Conference, the General Co-Chair for the 2007 Communications and Networking in China and the 2006 International Conference on Quality of Service in Heterogeneous Wired/Wireless Networks, and the Founding Chair for IEEE Communications Society Technical Committee on Peer-to-Peer Communications and Networking. He also served as a Founding Area Editor for IEEE TRANSACTIONS ON WIRELESS COMMUNICATIONS; Editor-in-Chief for Peer-to-Peer Networking and Application; Associate Editor for IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY; Computer Networks; and ACM/Wireless Networks, etc., and the Guest Editor for IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, IEEE WIRELESS COMMUNICATIONS, IEEE COMMUNICATIONS MAGAZINE, and ACM Mobile Networks and Applications, etc. He received the Excellent Graduate Supervision Award in 2006 and the Outstanding Performance Award in 2004 and 2008 from the University of Waterloo, the Premier’s Research Excellence Award in 2003 from the Province of Ontario, Canada, and the Distinguished Performance Award in 2002 and 2007 from the Faculty of Engineering, University of Waterloo. He is a Registered Professional Engineer in Ontario, an Engineering Institute of Canada Fellow, and a Distinguished Lecturer of the IEEE Vehicular Technology and Communications Societies.