report on a working session on security in wireless ad hoc...

Report on a Working Session on Security in WirelessAd Hoc Networks

Levente Buttyan Jean-Pierre [email protected] [email protected]

Laboratory for Computer Communications and ApplicationsSwiss Federal Institute of Technology – Lausanne (EPFL), Switzerland

On June 12, 2002, we organized a working session de-voted to the topic of security in wireless ad hoc networks.This event took place on our campus the day after MobiHoc2002 and attracted around twenty persons in an informalsetting.

Securing wireless ad hoc networks is particularly diffi-cult for many reasons including the following:

• Vulnerability of channels.As in any wireless network,messages can be eavesdropped and fake messages canbe injected into the network without the difficulty ofhaving physical access to network components.

• Vulnerability of nodes.Since the network nodes usu-ally do not reside in physically protected places, suchas locked rooms, they can more easily be captured andfall under the control of an attacker.

• Absence of infrastructure.Ad hoc networks are sup-posed to operate independently of any fixed infrastruc-ture. This makes the classical security solutions basedon certification authorities and on-line servers inappli-cable.

• Dynamically changing topology.In mobile ad hocnetworks, the permanent changes of topology requiresophisticated routing protocols, the security of whichis an additional challenge. A particular difficulty isthat incorrect routing information can be generated bycompromised nodes or as a result of some topologychanges, and it is hard to distinguish between the twocases.

Clearly the problem is so broad that there is no way todevise a general solution. It is also clear that different ap-plications will have different security requirements. Thecomplexity and diversity of the field has led to a multitudeof proposals, which focus on different parts of the problemdomain. The presentations of the working session reflectedthis complexity and diversity.

The working session was started with a brief overviewgiven by J.-P. Hubaux on the different aspects of securityin wireless ad hoc networks. The remaining presentationswere organized into the following four sessions:

• Trust and key management.Many security objectivescan be achieved by using cryptographic mechanisms.Cryptographic mechanisms, in turn, rely on the propermanagement of cryptographic keys. The presentationsby L. Zhou, S. Lu, and S.Capkun were strongly re-lated to this problem, and in particular, to certificatebased public-key distribution in mobile ad hoc net-works. The talk given by G. Tsudik addressed the

broader issue of membership management in dynamicpeer groups, and went beyond the problems of groupkey management.

• Secure routing and intrusion detection.Existing adhoc routing protocols, such as DSR and AODV, arevulnerable to many kinds of attacks. It is fairly easy toinject fake routing messages or modify legitimate onessuch that the operation of the network would be heav-ily disturbed (e.g., by creating loops or disconnectingthe network). The talks given by Z. Haas, A. Perrig,Y.-C. Hu, and E. Belding-Royer addressed this prob-lem by proposing secure ad hoc routing protocols thatare resistant to various kinds of attacks. In his pre-sentation, C. Castelluccia suggested the use of cryptobased identifiers for securing ad hoc routing protocols.Finally, the talk by Y. Zhang focused on the problemof intrusion detection in ad hoc networks.

• Availability. This session was concerned with theproblem of service unavailability due to either inten-tional denial of service attacks or selfishness of thenodes. Selfishness is a new problem that arises specif-ically in the context of ad hoc networks where thenodes belong to multiple administrative domains. Inthese networks, nodes may tend to deny providing ser-vices for the benefit of other nodes in order to savetheir own resources (e.g., battery power). The presen-tation by N. Vaidya discussed the problem of greedi-ness (a form of selfishness) at the MAC layer, whileR. Molva, S. Buchegger, and L. Buttyan addressedselfishness in the context of packet forwarding.

• Cryptographic protocols. Traditional solutions forkey management can be unsuitable for ad hoc net-works; likewise, existing solutions for other, higherlevel security services, may also have to be reconsid-ered. An example is fair exchange, which is knownto be impossible without a trusted third party, hence,its implementation can be problematic in an infras-tructureless ad hoc network. The presentations byS. Vaudenay and L. Buttyan addressed this problemby proposing concepts that provide weaker guaranteesthan true fairness but can be implemented in ad hocnetworks.

What follows is a set of extended abstracts of the pre-sentations. The abstracts have been written by the par-ticipants themselves; we only collected them together anddid some editorial work. We would like to thank all ofthe participants for their contribution. We are also grateful

Mobile Computing and Communications Review, Volume 6, Number 4 1

to the Swiss National Competence Center in Research onMobile Information and Communication Systems (NCCR-MICS)1, also known as the Terminodes Project2, for spon-soring the working session. Finally, many thanks to ClaudeCastelluccia who suggested to publish this report in MC2R.

Trust and key management

Distributed Trust in Ad Hoc Networks , Lidong Zhou(Microsoft Research, Mountain View CA)

We propose a security paradigm centering around the no-tion of distributed trustfor ad hoc networks. Distributedtrust enhances security by composing otherwise untrust-worthy individual entities into a trustworthy aggregation,one that remains available and correct even if some of itsentities fail or become compromised. The challenge ofconstructing such a trustworthy aggregation lies not onlyin how to create and configure the aggregation, but alsoin how the aggregation maintains its security by adaptingto changes in the network topology and the environment,as well as to compromises of the individual entities. Wedemonstrate how we apply distributed trust to building se-cure services and to secure routing.Distributed Secure Services:For a security-sensitive ser-vice, such as a certification authority, distributed trust ad-vocates providing the service through a set of nodes asservers, so that the service remains available and correcteven if a small number of servers become compromised.

Fault tolerance mechanisms, such as the replicated state-machine approach and quorum systems, have proven effec-tive against server failures. However, replication of a secreton servers increases the chance of disclosure because com-promise of any server exposes the secret. The solution hereis secret sharing. A secret sharing scheme allows serversto store shares of a secret, so that the secret can be recov-ered if and only if enough shares are obtained from servers.Threshold cryptographycan be used for servers to performsigning and decryption when the secret is a private key.

Secret sharing alone does not defend againstmobileadversaries, which attack, compromise, and control oneserver for a limited period before moving to the next. Overtime, a mobile adversary could compromise enough serversand recover the secret.Share refreshing, where servers cre-ate a new, independent set of shares and replace old shareswith the new ones, provides a defense to mobile adver-saries. Because new shares cannot be combined with oldones to recover the secret, a mobile adversary must com-promise enough servers between two consecutive execu-tions of share refreshing. Share refreshing can be gener-alized for the new shares to be re-distributed to a differentset of servers with a possibly different configuration. Suchgeneralization allows a service to adapt itself when certainservers are permanently compromised or when the serviceencounters a more malicious environment.

The feasibility of building such a secure distributed ser-vice has been demonstrated for networks such as the Inter-

1NCCR-MICS is supported by the Swiss National Science Foundationunder grant number 5005-67322.

2http://www.terminodes.org/

net. The obstacles to deploying such a service on an ad hocnetwork come not only from the scarcity of both compu-tation and communication resources in an ad hoc network,but also from the lack of secure network infrastructure. Thelatter problem is addressed by secure routing.Secure Routing:Secure routing is concerned with main-taining connectivity in an ad hoc network despite com-promised nodes disrupting route discovery and messagetransmission. Following the philosophy of distributedtrust, multiple (ideally disjoint) paths between two nodesshould be discovered and maintained so that a small num-ber of compromised nodes cannot disrupt all the paths.We believe route discovery should be coupled with mes-sage transmission, because, otherwise, even with a secureroute discovery protocol that prevents compromised nodesfrom cheating, a compromised node could cooperate dur-ing route discovery, but misbehave during message trans-mission if the node happens to be on the discovered path.

We thus propose a probabilistic secure routing scheme,where a node maintains, for each possible destination, aprobability distribution over all its neighbors. The proba-bility associated with a neighbor reflects the relative likeli-hood of that neighbor forwarding and eventually deliveringa message to the destination. Every message is routed prob-abilistically at each hop based on the probability distribu-tion for the destination. Multiple paths are thus implicitlymaintained through the probability distributions. Messagetransmission itself provides the feedback for nodes to ad-just the probability distributions. For example, an acknowl-edgment, whose integrity is cryptographically protected(e.g., by a digital signature), of the receipt of a messageprovides a positive feedback for the path through which themessage traversed. Consequently, the set of multiple pathsmaintained by the routing scheme for any two nodes adaptsitself as the probability distributions change.

Although probabilistic routing schemes have been stud-ied in swarm intelligence, the application to secure rout-ing raises various new issues, such as how to ensure theintegrity of feedbacks in face of compromised nodes with-out excessive costs. Both analysis of and experiments withsuch schemes are also needed to establish their practicality.

An extensive survey on swarm intelligence can be foundin [3]. Other related references can be found in the bibliog-raphy of [37, 38].Acknowledgments:This paper is in part based on jointwork with Fred B. Schneider, Robbert van Renesse, andZygmunt J. Haas, and benefited from discussions withMichael Marsh, Panagiotis Papadimitratos, and MartinRoth.

Network Performance Centric Security Design inMANET , Hao Yang (UCLA), Gary Zhong (UCLA), andSongwu Lu (UCLA)

“In theory there is no difference between theoryand practice. In practice there is...”

–Bruce Schneier inSecrets and Lies[33]

Security is a basic requirement for mobile ad hoc networks.Several recent papers [37, 16, 19] have started to address

2 Mobile Computing and Communications Review, Volume 6, Number 4

security issues in such networks. While these early pro-posals each have their own merit, they mainly focus on thesecurity vigor of the design and leave thenetwork perfor-manceaspect largely unaddressed. As a result, these so-lutions may be extremely secure from the cryptographicstandpoint, but their real performance when deployed inthe network is unclear. This concern is further aggravatedby the unique characteristics of ad hoc networks, suchas highly dynamic network topology, frequent node ar-rival/departure, and bandwidth-constrained wireless links.

In this work, we shift our main attention from thecryptography-centric design approach to a more network-centric design scheme, and focus on the practical networkperformance aspect of the security design. Our goal isto developnetwork performance-centricsecurity solutionsthat effectively balance security strength and network per-formance in practice.

We focus on node authentication, the basic component ina security solution. At the first stage, we investigate severaldesign choices – centralized, peer-to-peer, and localizedauthentication schemes, and examine their network perfor-mance by extensive simulations. The centralized scheme[37] is similar to the TTP (Trusted Third Party) authen-tication widely used in the wired networks, in which au-thentication is done via the third-party certificate authority(CA). The peer-to-peer authentication scheme [16] bearsthe same philosophy as PGP, where authentication is donethrough a chain of trust relationship that forms the “web oftrust”. The localized scheme [19] is specially designed forad hoc networks, in which each node is authenticated andmonitored by its multiple local neighboring nodes.

The simulation results are summarized in Table 1.Scalability: We examine whether the design scales to thenumber of nodes. The average node speed is 10 m/s, andthere is no channel error and other ongoing traffic (bench-mark setting). When the number of nodes increases from40 to 100, the success ratio of the authentication requestin centralized scheme drops from92% to 22%; the successratio in peer-to-peer scheme remains stable around88%;while the success ratio in localized scheme remains stablearound96%.Availability: We increase the network traffic load and ex-amine whether the design provides “anytime, anywhere”security service to the mobile hosts. For a 60-node set-ting with average speed of 10m/s, when the network traf-fic load increases from 0 to 100 pkt/s (packet size 512B),the success ratio in centralized schemes drops from80%to 45%; the success ratio in peer-to-peer scheme almostremains stable around85%; while the success ratio in lo-calized scheme remains stable around95%.Robustness: We examine the robustness feature for differ-ent channel conditions. For the same 60-node setting, whenthe channel error rate increases from 0 to10%, the suc-cess ratio in centralized scheme drops from80% to 50%;the success ratio in peer-to-peer scheme drops from85%to 82%; while the success ratio in localized scheme dropsfrom 95% to 93%.

The fundamental reason for the performance differenceis the traffic pattern in these schemes. The localized scheme

has the best network performance in that the traffic is notonly distributed in the network, but also confined in the lo-cal neighborhood. As a result, the impact of network scale,traffic load, channel error, mobility, etc., on the localizedauthentication service is very small in most scenarios.

The current study provides two guidelines for future se-curity design in ad hoc networks: 1) the network perfor-mance aspect should be explicitly considered in the design;2) in order to have good network performance, it is desir-able for the security solution to have localized traffic pat-tern. Our next-stage effort focuses on devising new net-work mechanisms to improve the performance of the secu-rity design.

Scheme Centralized Peer-to-Peer Localized

Scalability Bad Good GoodAvailability Bad Uncertain GoodRobustness Bad Uncertain Good

Communication Centralized Distributed LocalizedComputation Undertaken solely Shared by Shared by

by the servers the nodes the nodes

Table 1: Network Performance Comparison of Three Au-thentication Schemes (Network Performance Centric Secu-rity Design in MANET,H. Yang, G. Zhong, and S. Lu)

Self-Organized Public Key Management for MobileAd Hoc Networks, Srdjan Capkun (EPFL), LeventeButtyan (EPFL), and Jean-Pierre Hubaux (EPFL)

By definition, mobile ad hoc networks do not rely on anyfixed infrastructure; instead, all networking functions (e.g.,routing, mobility management, etc.) are performed by thenodes themselves in a self-organizing manner. In secu-rity terms, we consider an ad hoc network to befully self-organized, meaning that there is no infrastructure (henceno PKI), no central authority, no centralized trusted thirdparty, no central server, no secret share dealer,even in theinitialization phase.

In [16], we propose a self-organizing public-key man-agement system for fully self-organized mobile ad hoc net-works. Our approach is similar to PGP in the sense thatusers issue certificates for each other based on their per-sonal acquaintances. However, in the proposed system,certificates are stored and distributed by the users them-selves, unlike in PGP, where this task is performed by on-line servers (called certificate directories). In the proposedself-organizing public-key management system, each usermaintains alocal certificate repository. When two userswant to verify the public keys of each other, they mergetheir local certificate repositories and try to find appropriatecertificate chains within the merged repository that makethe verification possible.

The success of this approach very much depends on theconstruction of the local certificate repositories and on thecharacteristics of the certificate graphs. By a certificategraph, we mean a graph whose vertices represent public-keys of the users and the edges represent public-key certifi-cates issued by the users. In the same article, we proposeseveral repository construction algorithms and study their


performance. The proposed algorithms take into accountthe characteristics of the certificate graphs in a sense thatthe choice of the certificates that are stored by each userdepends on the connectivity of the user and her certificategraph neighbors. More precisely, each user stores in her lo-cal repository several directed and mutually disjoint pathsof certificates. Each path begins at the user herself, andeach certificate on the path is chosen from the set of cer-tificates that are connected to the last selected user on thepath in such a way that the chosen certificate leads to auser that has the highest number of certificates connectedto her (i.e., the highest vertex degree). We call this algo-rithm theMaximum Degree Algorithm, as the local repos-itory construction criterion is the degree of the vertices inthe certificate graph. In a second, more sophisticated al-gorithm, certificates are selected into the local repositoriesbased on the number of theshortcut certificatesconnectedto the users. Here, a shortcut certificate is defined as a cer-tificate such that when it is removed from the graph, theshortest path between the two users previously connectedby this certificate becomes strictly larger than two. We callthis algorithm theShortcut Hunter Algorithm.

The analysis of these two algorithms shows that evena simple construction algorithm can achieve high perfor-mance in the sense that any useru can find at least one cer-tificate chain to any other userv in the merged repositoryof u andv with very high probability even if the size of thelocal repositories is small (in the order of

√n) compared

to the total numbern of users in the system. We simu-lated the effectiveness of the two proposed algorithms onthe PGP certificate graph, as this graph is the only knownexample of a self-organized certificate graph creation. Theresults show that even with a certificate repository size ofless than

√n, two users have a high (90%) chance of find-

ing an appropriate chain of certificates between them intheir merged repositories. Our results further show that theaverage length of the certificate chains in the merged localrepositories of the users is≈ 8, while in the whole PGPcertificate graph it is≈ 6. This is due to the characteris-tics of the PGP certificate graph, which exhibits the small-world phenomenon [8]. More precisely, in PGP certificategraphs, the average shortest path length between two ver-tices is small (compared to the graph size) and it scaleslogarithmically with the graph size.

As any approach that uses certificate chains, this ap-proach assumes that trust is transitive (which is often notthe case in practice). In order to alleviate this problem, wepropose to look for multiple certificate paths and to use au-thentication metrics.

The main idea of the proposed approach is summarizedon Figure 1. The public keys of the users are represented bycertificate graph vertices, while the graph edges representpublic-key certificates issued by the owners of the publickeys. The figure shows the local certificate repositories ofusersu andv and the chains of certificates thatu uses toauthenticate the public keyKv of v.

Admission Control in Collaborative Groups, YongdaeKim (University of Minnesota, Minneapolis), Daniele Maz-zocchi (Torino Polytechnic), and Gene Tsudik (UC Irvine)

KvKu

local certificate repository of u

local certificate repository of v

path from K tou Kv

Figure 1: Paths fromKu to Kv in the merged local reposi-tories ofu andv (Self-Organized Public Key Managementfor Mobile Ad Hoc Networks,S.Capkun, L. Buttyan, andJ.-P. Hubaux)

The current proliferation of group-oriented applications,protocols and services triggers the need for special-ized group security services and mechanisms. Exam-ples of popular group-oriented settings include: IP tele-phony, video/audio conferencing, file sharing, collabora-tive workspaces, and multi-user games. Group settings areclearly very diverse. Some, such as conferencing, requiresynchronous operation while others, such as file sharing,operate in a disconnected, asynchronous manner. Com-munication models vary as well: from the one-to-many orfew-to-many (e.g., GPS) to any-to-any peer groups (e.g.,Gnutella).

The need for, and the importance of, group securitymechanisms has been recognized by the research commu-nity as supported by popularity of this topic. However, thebulk of prior work has been done in the context of largemulticast-style groups where it is natural to assume or im-pose a centralized authority (the sender or an on-line trustedthird party) that can perform security chores, e.g., key man-agement, admission/access control and member authenti-cation. Such an authority may be group-specific or group-independent and its existence makes it relatively easy to im-plement security policies and mechanisms. However, dueto peer nature, some other group settings exhibit uniqueproperties and requirements.

Our research is focused on admission control mecha-nisms for peer groups. Apeer group is characterized bya flat non-hierarchical) structure where all members haveidentical rights and duties. In other words, there is no un-derlying assumption of a centralized authority that providessecurity services such as access control or key manage-ment. Also, a peer group often involves any-to-any com-munication: any member can send data to any other mem-ber(s). Security in peer groups presents a formidable chal-lenge. Lack of centralized authority entails the involvementof all group members in tasks, such as key management. As


evidenced by prior work in peer group key management, itis very hard to design multi-party, multi-round protocolsthat are, at the same time, secure, efficient and robust.

Although an important issue, peer group admission con-trol has been somehow overlooked in the past. With theexception of Antigone, most prior work in peer group se-curity has focused on key management and authentica-tion, whereas, without admission control, key managementalone is all but useless. Consequently, our initial goal is todevelop a framework for peer group admission control aswell as investigate cryptographic mechanisms suitable fordifferent peer group flavors.

This short (1-page) abstract is clearly insufficient to pro-vide the technical description of our work. We refer thereader to the full paper3 for details. However, as a briefoverview, the highlights of the full paper are as follows:

• We begin by motivating the need for a so-calledGroupCharter, a certified statement stipulating the group ad-mission criteria (policy or rules).

• We then argue that an authoritative entity (referred toas theGroup Authority) must be defined (and reflectedin the Group Charter) in order to actually perform theadmission. This entity may be off- or on-line and mayor may not be distributed. In one extreme case, it iscomposed of all group members collectively.

• Next, several important dimensions in peer group ad-mission control are considered: Membership Dynam-ics, Membership Awareness, Members’ On-Line Pres-ence, Group Lifetime. Related to these are the char-acteristics of the Group Authority, in particular, itsplacement (in or out of the group) and its composition(single or distributed)

• Then, we introduce and discuss three models for peergroup admission control: 1) admission via publicACL, 2) admission by Group Authority, and 3) admis-sion by the members themselves (here we also con-sider the case of the group acting as its own GroupAuthority)

• Concentrating on the last (and the most challenging)model, we look into different flavors of voting suitablefor the admission.

• Lastly, we attempt to sorting out a number of signa-ture schemes applicable for the voting process. Theseinclude: 1) plain digital signatures, 2) threshold sig-natures (both fixed and dynamic), 3) accountable sub-group multi-signatures and 4) group signatures.

To conclude, we motivate the importance of admissioncontrol in dynamic peer groups. This work representsan initial attempt to develop an admission control frame-work suitable for different flavors of peer groups and matchthem with appropriate cryptographic techniques. We exam-ine various dimensions of admission control, discuss sev-eral cryptographic techniques and assess their applicability.Clearly, much remains to be done...

3http://sconce.ics.uci.edu/admctl

Secure routing and intrusion detec-tion

Secure Routing for Mobile Ad Hoc Networks4, Pana-giotis Papadimitratos (Cornell University) and ZygmuntJ. Haas (Cornell University)

For such self-organizing infrastructures as mobile ad hocnetworks , envisioned to operate in an open, collabora-tive, and highly volatile environment, the importance ofsecurity cannot be underrated. The provision of compre-hensive secure communication mandates that both routediscovery and data forwarding be safeguarded. The dis-cussed here Secure Routing Protocol (SRP) [25] countersmalicious behavior that targets the discovery of topologi-cal information. The protection of the data transmission isa separate problem: an intermittently misbehaving attackercould first comply with the route discovery to make itselfpart of a route, and then corrupt the in-transit data. Protec-tion of data transmission is addressed through our relatedSecure Message Transmission Protocol (SMT), which pro-vides a flexible, end-to-end secure data forwarding schemethat naturally complement SRP. Here we discuss the designof SRP only, while SMT is the subject of another publica-tion.

SRP provides correct routing information; i.e., factual,up-to-date, and authentic connectivity information regard-ing a pair of nodes that wish to communicate in a securemanner. The sole requirement is that any two suchendnodes have a security association. Accordingly, SRP doesnot require that any of theintermediatenodes performcryptographic operations or have a prior association withthe end nodes. As a result, its end-to-end operation allowsfor efficient cryptographic mechanisms, such as messageauthentication codes. More importantly, SRP can be usedin wide range of networks, without restrictive assumptionson the underlying trust, network size, and membership.

SRP discovers one or more routes whose correctness canbe verified from the route “geometry” itself. Route re-quests propagate verifiably to the sought, trusted destina-tion. Route replies are returned strictly over the reversedroute, as accumulated in the route request packet. In or-der to guarantee this crucially important functionality, theinteraction of the protocol with the IP-related functional-ity is explicitly defined. An intact reply implies that (i)the reported path is the one placed in the reply packet bythe destination, and (ii) the corresponding connectivity in-formation is correct, since the reply was relayed along thereverse of the discovered route.

The securing of the route discovery deprives the adver-sarial nodes of an “effective” means to systematically dis-rupt the communications of their peers. Despite our min-imal trust assumptions, attackers cannot impersonate thedestination and redirect data traffic, cannot respond withstale or corrupted routing information, are prevented frombroadcasting forged control packets to obstruct the laterpropagation of legitimate queries, and are unable to influ-ence the topological knowledge of benign nodes. To that

4This work has been sponsored in part by the NSF grant number ANI-9980521 and the ONR contract number N00014-00-1-0564.


extent, SRP provides very strong assurances on the correct-ness of the link-level connectivity information as well. Itprecludes adversarial nodes from forming “dumb” relays,and from controlling multiple potential routes per source-destination pair. However, with the adversary within thetransmission range of the destination the last two defensesare somewhat weakened. Additionally, two colluding ad-versaries might be able to “tunnel” the query and the cor-responding reply packets to each other within a singlequery/response phase. Then, the validated route would pro-vide partially correct link information only. However, thisvulnerability is not specific to SRP: such information couldnot be distinguished from the actual link connectivity, evenunder the assumption of a fully trusted network.

Furthermore, it is important to estimate the cost of intro-ducing security features, such as computational and trans-mission overhead, increased traffic and delays, etc. On theone hand, security countermeasures should not underminethe efficiency of the network protocols; e.g., the ability ofnodes to quickly respond to topological changes and dis-cover correct routes. On the other hand, it necessary toensure the effectiveness of the security provision; i.e., thatthe route discovery retains its ability to operate when un-der attack. Finally, the solution should be applicable to awide range of network instances, especially when nodeshave limited computational and communication resources.Through a systematic performance evaluation, our resultsshow that, over a range of scenarios, SRP is successful inproviding correct routing information in a timely manner.Also, it can do so even in the presence of a significant frac-tion of adversaries that disrupt the route discovery. More-over, we observe that the processing overhead due to cryp-tographic operations remains low, allowing the protocol toremain competitive to reactive protocols, which do not in-corporate security features at all.

As future work, we intend to investigate complex attacksagainst SRP and classify them with respect to their impacton the protocol performance. Through combining of SMTwith SRP, the detrimental effects on performance of suchattacks, in particular, those of intermittently misbehavingnodes, can be alleviated.

Packet Leashes: A Defense against Wormhole Attacksin Wireless Ad Hoc Networks, Yih-Chun Hu (Rice Uni-versity), Adrian Perrig (UC Berkeley), David B. Johnson(Rice University)

We describe thewormhole attack[14], a severe attackagainst ad hoc routing protocols that is particularly chal-lenging to defend against. We show how an attacker canuse the wormhole attack to cripple a range of ad hoc net-work routing protocols. In the wormhole attack, an attackerrecords packets (or bits) at one location in the network, tun-nels them to another location, and retransmits them thereinto the network. Most existing ad hoc network routingprotocols, without some mechanism to defend them againstthe wormhole attack, would be unable to find routes longerthan one or two hops, severely disrupting communication.

If a wormhole attacker tunnels all packets through thewormhole honestly and reliably, no harm is done; the

attacker actually provides a useful service in connectingthe network more efficiently. However, when an attackerforwards only routing control messages, routing may beseverely disrupted. For example, when used against an on-demand routing protocol such as DSR [17] or AODV [29],a powerful application of the wormhole attack can bemounted by tunneling eachROUTE REQUEST packet di-rectly to the destination target node of theREQUEST. Thisattack prevents routes more than two hops long from be-ing discovered. Periodic protocols are also vulnerable tothe same attack. For example, OLSR [31] and TBRPF [1]useHELLO packets for neighbor detection, so if an attackertunnels toB all HELLO packets transmitted byA, and tun-nels toA all HELLO packets transmitted byB, thenA andB will believe that they are neighbors, which would causethe routing protocol to fail to find routes when they are notactually neighbors. The wormhole attack is also dangerousin other wireless applications. One example is any wire-less access control system that is proximity based, such aswireless car keys, or proximity and token based access con-trol systems for PCs [11, 18]. In such systems, an attackercould relay the authentication exchanges to gain unautho-rized access.

Our solution to the wormhole attack ispacket leashes.We consider specifically two types of packet leashes:geo-graphical leashesandtemporal leashes. The key intuitionis that by authenticating either an extremely precise times-tamp or location information combined with a loose times-tamp, a receiver can determine if the packet has traversed adistance that is unrealistic for the specific network technol-ogy used.

Temporal Leashes:Temporal leashes rely on extremelyprecise time synchronization and extremely precise times-tamps in each packet. The travel time of a packet can beapproximated as the difference between the receive timeand the timestamp. To be more conservative, however, anode may choose to add the maximum time synchroniza-tion error, on the assumption that the sender’s clock maybe faster than the receiver’s. Conversely, to allow all di-rect communication between legitimate nodes, a node maysubtract the maximum time synchronization error, on theassumption that the sender’s clock may be slower than thereceiver’s.

Given the precise time synchronization required by tem-poral leashes, we constructed some very efficient broad-cast authenticators based entirely on symmetric primitives.In particular, we extend the TESLA broadcast authentica-tion protocol [30] to allow the disclosure of the authentica-tion key within the packet that is authenticated. We use aMerkle tree [22] to authenticate these keys.

We demonstrated the suitability of temporal leashes withour authentication mechanism by measuring computationalpower and memory currently available in mobile devices.Current commodity wireless LAN products such as com-monly used 802.11b cards provide11 Mbps at250 meters.With time synchronization provided by a Trimble Thun-derbolt GPS-Disciplined Clock [34], the synchronizationerror can be as low as 183 ns with probability1−10−10.We also assume authentic keys are re-established every day,


with a 20 byte minimum packet size and an 80-bit messageauthentication code length. Our scheme requires just 2.6megabytes of storage and requires a maximum of 39,500hash functions per second (assuming packets are arriving atlink speed), which is well within the capability of an iPaq,with 82.2% of its CPU time to spare.Geographical Leashes:Another method to construct aleash is to use location information and loosely synchro-nized clocks. If the clocks of the sender and receiverare synchronized to within±∆, andν is an upper boundon the velocity of any node, then the receiver can com-pute an upper bound on the distance between the senderand itselfdsr. Specifically, based on the timestampts inthe packet, the local receive timetr, the maximum rela-tive error in location informationδ, and the locations ofthe receiverpr and the senderps, dsr can be bounded bydsr ≤ ||ps − pr||+ 2ν · (tr − ts + ∆) + δ.

In certain circumstances, bounding the distance betweenthe sender and receiverdsr cannot prevent wormhole at-tacks; for example, when obstacles prevent communicationbetween two nodes that would otherwise be in transmissionrange, a distance-based scheme would still allow worm-holes between the sender and receiver. A network that useslocation information as a leash can control even these kindsof wormholes. To accomplish this, each node has a radiopropagation model. A receiver verifies that every possi-ble location of the sender (aδ + ν(tr − ts + 2∆) radiusaroundps) can reach every possible location of the receiver(a δ + ν(tr − ts + 2∆) radius aroundpr).Summary: Packet leashes restrict an attacker’s ability totunnel a packet between two legitimate nodes. If deployedin a very conservative way, it may also restrict legitimatecommunications between two legitimate nodes, but moreseverely restrict tunnels. Conversely, less conservative set-tings allow more legitimate communications, but also pro-vide an attacker with greater flexibility.

Secure Efficient Distance Vector Routing in MobileWireless Ad Hoc Networks, Yih-Chun Hu (Rice Univer-sity), David B. Johnson (Rice University), Adrian Perrig(UC Berkeley)

We describe our protocol, which we call theSe-cure Efficient Ad hoc Distance vectorrouting protocol(SEAD) [13]. SEAD is robust against multiple uncoordi-nated attackers creating incorrect routing state in any othernode, even in spite of active attackers or compromisednodes in the network. We base the design of SEAD in parton theDestination-Sequenced Distance-Vectorad hoc net-work routing protocol (DSDV) [28]. In order to supportuse of SEAD with nodes of limited CPU processing ca-pability, and to guard against Denial-of-Service attacks inwhich an attacker attempts to cause other nodes to consumeexcess network bandwidth or processing time, we use effi-cient one-way hash functionsand do not use asymmetriccryptographic operations in the protocol.Distance Vector Routing:In distance vector routing, eachrouter maintains a routing table listing all possible destina-tions within the network. Each entry in a node’s routing ta-ble contains the address (identity) of some destination, this

node’s shortest known distance (usually in number of hops)to that destination, and the address of this node’s neighborrouter that is the first hop on this shortest route to that desti-nation; the distance to the destination is known as themet-ric in that table entry. Each router forwarding a packet usesits own routing table to determine the next hop towards thedestination.

To maintain the routing tables, each node periodicallybroadcasts routing update containing the information fromits own routing table. Each node updates its own table usingthe updates it hears, so that its route for each destinationuses as a next hop the neighbor that advertised the smallestmetric in its update for that destination; the node sets themetric in its table entry for that destination to 1 (hop) morethan the metric in that neighbor’s update.

The primary improvement for ad hoc networks made inDSDV over standard distance vector routing is the addi-tion of asequence numberin each routing table entry. Theuse of this sequence number prevents routing loops causedby updates being applied out of order; this problem maybe common over multihop wireless transmission, since therouting information may spread along many different pathsthrough the network.Hash Chains:A one-way hash chain is built on a one-wayhash function. Like a normal hash function, a one-way hashfunction,H, maps an input of any length to a fixed-lengthbit string. Thus,H : {0, 1}∗ → {0, 1}ρ, whereρ is thelength in bits of the output of the hash function. The func-tion H should be simple to compute yet must be computa-tionally infeasible in general to invert.

To create a one-way hash chain, a node chooses a ran-domx ∈ {0, 1}ρ and computes the list of values

h0, h1, h2, h3, . . . , hn

whereh0 = x, andhi = H(hi−1) for 0 < i ≤ n, for somen. The node at initialization generates the elements of itshash chain as shown above, from “left to right” (in orderof increasing subscripti) and then over time uses certainelements of the chain to secure its routing updates; in usingthese values, the node progresses from “right to left” (inorder of decreasing subscripti) within the generated chain.

Given an existing authenticated element of a one-wayhash chain, it is possible to verify elements later in the se-quence of use within the chain (further to the “left,” or in or-der of decreasing subscript). For example, given an authen-ticatedhi value, a node can authenticatehi−3 by comput-ing H(H(H(hi−3))) and verifying that the resulting valueequalshi. To use one-way hash chains for authentication,we assume some mechanism for a node to distribute an au-thentic element such ashn from its generated hash chain.Authenticating Routing Updates:Each node in SEAD usesa specific single next element from its hash chain in eachrouting update that it sends about itself (metric 0). Based onthis initial element, the one-way hash chain conceptuallyprovides authentication for the lower bound of the metricin other routing updates for this destination; the authenti-cation provides only a lower bound on the metric: An at-tacker can increase the metric, claim the same metric, butcannot decrease the metric.


We assume that an upper bound can be placed on the di-ameter of the ad hoc network, and we usem− 1 to denotethis bound. The method used by SEAD for authenticatingan entry in a routing update uses thesequence numberinthat entry to determine a contiguous group ofm elementsfrom that destination node’s hash chain, one element ofwhich must be used to authenticate that routing update. Theparticular element from this group of elements that must beused to authenticate the entry is determined by themetricvalue being sent in that entry. Specifically, if a node’s hashchain is the sequence of values

h0, h1, h2, h3, . . . , hn

andn is divisible bym, then for a sequence numberi insome routing update entry, letk = n

m − i. An elementfrom the group of elements

hkm, hkm+1, . . . , hkm+m−1

from this hash chain is used to authenticate the entry; ifthe metric value for this entry isj, 0 ≤ j < m, thenthe valuehkm+j here is used to authenticate the routingupdate entry for that sequence number. Nodes receivingany routing update can easily authenticate each entry in theupdate, given any earlier authentic hash element from thesame hash chain.

Ariadne: A Secure On-Demand Routing Protocol forAd Hoc Networks, Yih-Chun Hu (Rice University), AdrianPerrig (UC Berkeley), David B. Johnson (Rice University)

We describe some features of Ariadne [15], a secure on-demand routing protocol that withstands node compromiseand relies only on highly efficientsymmetriccryptography.Ariadne can authenticate routing messages using one ofthree schemes: shared secrets between each pair of nodes,shared secrets between communicating nodes combinedwith broadcast authentication, or digital signatures. We pri-marily discuss here the use of Ariadne with TESLA [30],an efficient broadcast authentication scheme that requiresloose time synchronization. Using pairwise shared keysavoids the need for synchronization, but at the cost ofhigher key setup overhead.Basic Ariadne Route Discovery:We present the design ofthe Ariadne protocol in two stages: we first present a mech-anism that enables the target to verify the authenticity oftheROUTE REQUEST; we then present an efficient per-hophashing technique to verify that no node is missing fromthe node list in theREQUEST. In the following discussionwe assume that the initiatorS performs a Route Discov-ery for targetD, and that they share the secret keysKSD

andKDS , respectively, for message authentication in eachdirection.

Target authenticatesROUTE REQUESTs. To convincethe target of the legitimacy of each field in aROUTE RE-QUEST, the initiator simply includes a MAC computed withkey KSD over unique data, for example a timestamp. Thetarget can easily verify the authenticity and freshness of theroute request using the shared keyKSD.

In a Route Discovery, the initiator wants to authenticateeach individual node in the node list of theROUTE REPLY.

A secondary requirement is that the target can authenticateeach node in the node list of theROUTE REQUEST, so thatit will return a ROUTE REPLY only along paths that con-tain only legitimate nodes. Each hop authenticates newinformation in theREQUEST. The target buffers theRE-PLY until intermediate nodes can release the correspondingTESLA keys. The TESLA security condition is verified atthe target, and the target includes a MAC in theREPLY tocertify that the security condition was met.

Per-hop hashing.Authentication of data in routing mes-sages is not sufficient, as an attacker could remove a nodefrom the node list in aREQUEST. We use one-way hashfunctions to verify that no hop was omitted, and we callthis approachper-hop hashing. To change or remove a pre-vious hop, an attacker must either hear aREQUESTwithoutthat node listed, or must be able to invert the one-way hashfunction.Basic Ariadne Route Maintenance:Route Maintenance inAriadne is based on DSR. A node forwarding a packet tothe next hop along the source route returns aROUTE ER-ROR to the original sender of the packet if it is unable todeliver the packet to the next hop after a limited number ofretransmission attempts. In this section, we discuss mech-anisms for securingROUTE ERROR s, but we do not con-sider the case of attackers not sendingERRORs.

To prevent unauthorized nodes from sendingERROR s,we require that anERROR be authenticated by the sender.Each node on the return path to the source forwards theERROR. If the authentication is delayed, for example whenTESLA is used, each node that will be able to authenticatetheERRORbuffers it until it can be authenticated.Avoiding Routing Misbehavior:The protocol described sofar is vulnerable to an attacker that happens to be alongthe discovered route. In particular, we have not presenteda means of determining whether intermediate nodes arein fact forwarding packets that they have been requestedto forward. We choose routes based on their prior per-formance in packet delivery. Our scheme relies on feed-back about which packets were successfully delivered. Thefeedback can be received either through an extra end-to-end network layer message, or by exploiting properties oftransport layers, such as TCP with SACK [21]; this feed-back approach is somewhat similar that used in IPv6 forNeighbor Unreachability Detection [24].

A node with multiple routes to a single destination canassign a fraction of packets that it originates to be sentalong each route. When a substantially smaller fraction ofpackets sent along any particular route are successfully de-livered, the node can begin sending a smaller fraction of itsoverall packets to that destination along that route.

Authenticated Routing for Ad Hoc Networks, KimayaSanzgiri (UCSB), Bridget Dahill (UMass, Amherst), BrianN. Levine (UMass, Amherst), Clay Shields (GeorgetownUniversity, Washington DC), Elizabeth M. Belding-Royer(UCSB)

Abstract: Most proposed routing protocols for mobile adhoc networks are vulnerable to modification, imperson-ation and fabrication attacks. The proposed secure rout-


ing protocol, Authenticated Routing for Ad Hoc Networks,prevents such attacks through message authentication, in-tegrity and non-repudiation. Simulation results show thatARAN maintains good network performance while offer-ing significant security advantages over existing routingprotocols.Introduction: Mobile ad hoc networks consist purely ofwireless mobile nodes with no wired infrastructure. Com-munication between nodes that are not within direct trans-mission range of each other is enabled through packet for-warding by intermediate nodes. The topology and mem-bership of these networks is highly dynamic. Most of theproposed routing protocols for ad hoc networks are opti-mized for performance in such a dynamic environment.However, many of these proposed routing protocols havesecurity vulnerabilities that may be exploited to launch dif-ferent types of attacks.

In this analysis, three main categories of attacks are iden-tified. The first of these are modification attacks, where ma-licious nodes can make illegitimate modifications to rout-ing messages. The second category is that of impersonationor spoofing attacks, where a malicious node can fake itsidentity by illegally modifying its IP and/or MAC addressin outgoing messages. Fabrication attacks form the thirdcategory of attacks, where a malicious node could injectfalse routing messages into the network. These techniquescan be used both individually and in various combinationsto cause illegal route redirection, route corruption and de-nial of service.

The proposed protocol, Authenticated Routing for Ad-hoc Networks (ARAN) [32], prevents the above types ofattacks through message authentication, integrity and non-repudiation.Protocol Description: The ARAN Protocol uses publickey cryptography to guarantee message authentication, in-tegrity and non-repudiation. The protocol is designed forthemanaged-openenvironment, where nodes can obtain apublic key certificate from a common certification author-ity that is trusted by all other nodes in the environment.Typical examples of such an environment are classroom orconference scenarios. The operation of the protocol can bedivided into route discovery and route maintenance phases.

The route discovery process is initiated by the sourcenode by flooding a digitally signed Route Discovery packet(RDP) to its neighbors:

S → broadcast: [RDP, IPD, certS , NS , t]KS− (1)

When a neighborA receives the RDP message, it sets up areverse path back to the source node and verifies the signa-ture of the source by extractingS’s public key from its cer-tificate. The node then signs the contents of the message,appends its own certificate, and broadcasts the message toits neighbors. WhenA’s neighborB receives the message,it validatesA’s signature, and then replaces it with its ownsignature (the signature of the source node is retained). Thepacket continues to be rebroadcast in this manner across thenetwork until it reaches the destination.

When the first RDP reaches the destination, the destina-tion node verifies the signature of the source node and then

sends a digitally signed Route Reply packet (REP) back tothe source. The REP travels along the same path as theRDP, and the same signing procedure is performed by in-termediate nodes. Note that because the destination mustsign the REP message, only the destination is allowed to re-spond to the RDP. Also, because RDP messages are signedat each hop and do not contain a hop count or a sourceroute, malicious nodes have no opportunity to intentionallyredirect traffic.

Route maintenance is performed through digitally signedError messages that are initiated by the node directly up-stream of a link failure.Conclusion:ARAN provides both end-to-end and hop-by-hop authentication of route discovery and reply messages,preventing impersonation attacks. The digital signaturesguarantee integrity and non-repudiation, preventing ille-gal message modification and enabling identification of thesource of erroneous messages.

Simulation results show that ARAN provides the samethroughput as leading ad hoc routing protocols withmarginally increased overhead and delay due to the digi-tal signatures.

Dynamic and Secure Group Membership in Ad Hocand Peer-to-Peer Networks, Claude Castelluccia (INRIARhone-Alpes) and Gabriel Montenegro (Sun Labs, Europe)

Introduction: Ad hoc or peer-to-peer networks (calledim-promptunetworks henceforth) pose many problems withrespect to securing their highly dynamic structures. A naiveapproach assumes any given node can trust all other nodesin the impromptu network for any type of operation (forexample, engaging in some cooperative and perhaps confi-dential activity). This paper improves on previous effortsto secure group authorization (including membership). Wedo so by employing crypto-based identifiers [23] for nodeand group identification, and then use these in authoriza-tion certificates. These allow groups (or nodes) to authorizenodes (or other groups) [10].

Our approach enables highly flexible and robust im-promptu security services in an inherently distributed fash-ion. Previous work on securing impromptu networks hasassumed the existence of a traditional PKI, of some web oftrust or of some mechanism to distribute keys and sharedsecrets. We believe these assumptions are unrealistic in im-promptu networks.Secure Node Identity:First of all, we must start by defin-ing an addressing model. Previous efforts for ad hoc net-works conclude that since there is no aggregation to the de-gree possible with regular fixed networks, addressing canbe more flexible. We propose to use pure identifiers withno topological meaning.

Our scheme improves upon these by having an im-plicit cryptographic binding between a node’s identifier andits public key (or certificate). A node autoconfigures its(crypto-based) identifier (CBID) by doing the following:

• Create a pair of public and private keys (PK andSK).

• Create its CBID:CBID = hash(PK).


Note that the hash function can be applied over morethan just the public key (e.g., a salt or some other val-ues) [23]. Given the secure correspondence between iden-tity and public key, the latter can be communicated by thenode itself. This simplifies key management, since no thirdparties need to be involved either in creating or distributingthe public keys.

Provided the bit-length of the CBID’s is largeenough [23], these identifiers have two very importantproperties: (1) they arestatistically unique, because ofthe collision-resistance property of the cryptographic hashfunction used to generate them, and (2) they aresecurelybound to a given node: the node can prove ownership ofthe CBID by signing packets with the corresponding pri-vate key. Any other node can verify the signature withoutrelying on any centralized security service such as a PKI orKey Distribution Center.

These characteristics (1) make CBID’s a very scalablenaming system, well adapted to ad hoc environments, and(2) provide an autoconfigurable and solid foundation fornodes to engage in verifiable exchanges with each other.Dynamic and Secure Node Authentication:The first appli-cation of the above is to protect basic exchanges betweentwo peers or nodes in a network from malicious intermedi-ate hosts. For example, in on-demand ad hoc routing proto-cols (e.g. [27, 26]), nodes discover each other by exchang-ing “route request” and “route reply” messages. We haverecently shown how CBID can protect this basic exchangefrom impersonation attacks [9]. Similar work is underwayfor the JXTA5 open-source peer-to-peer protocol.Dynamic and Secure Group Membership:Subsequently,CBID’s are used to express authorization via authorizationcertificates, similar to how they are used toSecure GroupManagement for IPv6[10].

Authorization certificates have the following form:

Cert = (group,node, delegation, tag , validity)

In the above,group is a group CBID for the entire im-promptu network, or for a subset of it. Appropriately, thecertificate is signed with the private key that correspondsto it. Here,nodeis the CBID of the beneficiary of this au-thorization, that is, the node that is authorized by the groupto join it or perform certain services on its behalf.delega-tion is a boolean (in either SPKI [12] or KeyNote2 [2]) thatspecifies whether or not the group has allowed thenodetofurther delegate the permission expressed in the next field.Finally, tag is the authorization to be a member of the sign-ing group, or to perform certain services as authorized bythe group.

This is an example of how a single nodeA with CBID ofA CBID could start an ad hoc network (really a groupwithin a perhaps already physically existing ad hoc net-work) by following these steps:

• A creates the group group public and private key pair:G PK andG SK.

• A creates the group identifier: G CBID =hash(G PK).

5http://www.jxta.org

• A as thegroup controller issues a certificate to al-low itself into the group:(G CBID, A CBID, true,“groupMembership′′, someDuration).

• A as the group controller admits another node(e.g., B) into the group by issuing the corre-sponding certificate: (G CBID, B CBID, false,“groupMembership′′, someDuration).

Now, eitherA or B can prove to other nodes that theyare legitimate members of the group by sending a messagewhich includes their certificate, and that is signed with theirprivate keyA SK or B SK, respectively.

Intrusion Detection, Yongguang Zhang (HRL Labs & UTAustin) and Wenke Lee (GA Tech)

Intrusion prevention measures, such as encryption and au-thentication, can be used in ad-hoc networks to reduce in-trusions, but cannot eliminate them. For example, encryp-tion and authentication cannot defend against compromisedmobile nodes, which often carry the private keys. Insiderattacks may also deem firewalls useless. The history of se-curity research has taught us a valuable lesson – no matterhow many intrusion prevention measures are inserted in anetwork, there are always some weak links that one couldexploit to break in. In a high-survivability network, Intru-sion Detection System (IDS) is necessary as a second wallof defense.

However, current IDS techniques are designed for wirednetworks only; they are inadequate for mobile ad-hoc net-works (MANET). For example, today’s network-based IDSrelies on real-time traffic analysis of traces collected atswitches, routers, or gateways. However, MANET en-vironment does not have such traffic concentration pointwhere one can collect audit data for the entire network.Instead, the only available audit trace is limited to com-munication activities taking place within the radio range.IDS is thus forced to work with this partial and localizedinformation. Furthermore, thanks to mobility MANET isseemingly chaotic in nature, and this blends anomaly andnormalcy situations together. There is nothing parallel tothis in wired networks, and none of the current IDSes hasbeen tested in such a dynamic environment.

Therefore, there are unique issues for IDS in MANET:

• A fully distributed solution. IDS must work alone ateach node, but collaborative detection and investiga-tion among neighboring nodes is possible.

• Localized and incomplete audit data. IDS algorithmmay be required to sense anomaly hops away.

• Thin line between anomaly and normalcy, which re-quires an elaborated model to produce high detectionrate with low false alarm rate.

• Resource constrains. IDS should not consume toomuch power as MANET environment is often oper-ated on battery power.

Our goal is to develop IDS techniques that address theseissues. In our preliminary study [35], we have developed a


new architecture called “Distributed and Cooperative Intru-sion Detection.” In this model, IDS agent runs at each mo-bile node and performs local data collection and local de-tection, whereas cooperative detection and global intrusionresponse can be triggered when a node reports anomaly.We have also proposed an anomaly detection model for de-tecting attacks on MANET routing protocols.

In a subsequent study [36], we have built such an IDSmodel and implemented it in a network simulator (ns2 withCMU’s MANET extension). We have also conducted a se-ries of experiments to study its effectiveness. The exper-iments are on a 10-node MANET network. The perfor-mance evaluation is by measuring the detection rate andfalse-alarm rate (see Figure 2). We simulate three differ-ent types of intrusion conditions separately: route-attackmodel where a node’s route table is randomly falsified,traffic-attack model where a node randomly drops packetsthat it is supposed to forward, and “no-attack” (i.e., undernormal use). In Figure 2, square, cylinder, and darker barsrepresent each of these conditions respectively. We alsorepeat the experiments with different MANET routing pro-tocol (DSR, ADOV, or DSDV), and use two different typesof IDS model-training tools (RIPPER or SVM-Light).

0

10

20

30

40

50

60

70

80

90

100

detection rate (RIPPER) false alarm rate (RIPPER) detection rate (SVM Light) false alarm rate (SVM Light)

no attacksroute attackstraffic attacks

DSR DSDVAODV

DSR DSDVAODV

DSR DSDVAODV

DSR DSDVAODV

Figure 2: IDS performance measurement (Intrusion Detec-tion, Y. Zhang and W. Lee)

The result seems rather positive: under some configura-tion (DSR + SVM-Light), our IDS model can detect 99%of the intrusions with lower than 1% false-alarm rate. Moreimportantly, we do learn some useful lessons. First, thereis indeed a very thin line between normalcy and anomalyin MANET. We had to try a large number of feature com-binations and most of the earlier ones simply fell with lowdetection rate and high false alarm rate. The good news isthat it is possible to find this line, like the final model weused to generate this result.

Another observation is the disparity among routingprotocols. For example, on-demand protocols (DSRand AODV) are likely to out-perform table-driven ones(DSDV). This is due to the higher correlation in rout-ing information, such as the connection between trafficpattern and route change in on-demand routing, and thesource routes embedded in DSR. Therefore, when we de-sign MANET protocol we should intentionally increasesuch correlation to help IDS.

Nonetheless, there are serious limitations to the IDS-in-MANET research in general. Intrusion detection heavily

relies on the understanding of applications and threat mod-els. Unfortunately, this research community does not yetknow what constitute a “typical” application or scenario.We have used a mobility and application scenario very sim-ilar to what have been widely used in literature, such as10 nodes moving in a random way-point pattern within a1000 × 1000 space. This is artificial at best. IDS modelsdeveloped using such scenario will hardly have any effec-tiveness in real life. So we believe the more pressing tasksare for us to better understand the potential applicationsfor MANET, and to define realistic benchmarks. Withoutthese, it will be very difficult to develop IDS techniques foruse in MANET in the future.

Availability

Handling MAC Layer Misbehavior in Wireless Net-works, Pradeep Kyasanur (UIUC) and Nitin H. Vaidya(UIUC)

Introduction: Wireless MAC protocols such as IEEE802.11 use cooperative contention resolution mechanismsfor sharing the channel. In this environment, someselfishhosts in the network can misbehave by failing to adhere tothe network protocols with the intent of obtaining an un-fair share of the channel bandwidth. Our work focuses ondetecting and handling MAC layer misbehavior byselfishhosts in IEEE 802.11-based networks.

In IEEE 802.11 DCF mode, nodes exchange RTS andCTS packets to reserve the channel before data transmis-sion (When data packets are small RTS/CTS exchange maybe omitted.) A node with a packet to transmit picks a ran-dom backoff valueb chosen uniformly from range[0, CW ],whereCW is called the Contention Window, and transmitsafter waiting forb idle slots. If a transmission results in acollision, theCW value is doubled. The throughput ob-tained by a node is inversely proportional to the averagetime it waits in backing off. Therefore, misbehaving nodescan obtain a higher share of throughput by selecting smallbackoff values or by not doubling theCW value after acollision.Handling Misbehavior:Misbehaving hosts may obtain anunfair share of channel bandwidth. Traffic analysis can beused to identify such misbehaving hosts. IEEE 802.11 pro-tocol is unfair in the short-term and thus the monitoringinterval should be sufficiently large for reasonably accu-rate misbehavior detection. Consequently, short-term mis-behavior may not be detected using traffic analysis. In ad-dition, a misbehaving node may restrict itself to a fair shareof bandwidth and yet have low transmission delay by trans-mitting its packets with small backoff values. Traffic analy-sis may not detect such misbehavior. Game-theoretic tech-niques have also been used to develop MAC layer protocolsthat are resilient to misbehavior. However, these protocolsmay result in poorer throughput in the absence of misbe-havior.

An alternate approach that we adopt is to modify theIEEE 802.11 protocol to simplify misbehavior detectionwhile retaining its performance and fairness characteristics.We present a detection procedure [20] for a network having


a well-behaved receiver and multiple potentially misbehav-ing senders. An example of this is an infrastructure-basednetwork having a well-behaved base station (receiver) andmultiple mobile hosts (senders) communicating with thebase station. We use this example network to illustrate oursolution. However, our solution may be applied to ad hocnetworks as well.

Detection Procedure.The base station provides a back-off valueb to be used by a host for its(i + 1)th transmis-sion to the base station in the CTS or ACK packet of theith

transmission. In the event of a collision, the host generatesa new backoff value using a deterministic functionf withb as a parameter. The host includes the attempt number ofretransmission in every RTS or DATA packet. When thebase station receives a packet successfully, it computes theexpected number of slots the host should have waited us-ing the transmission attempt number and the originally as-signed backoff value as parameters to the functionf . Thehost is deemed to have deviated from the protocol if thenumber of idle slots sensed by the base station between theith and(i+1)th from the host is lesser than a fractionα ofthe expected number of slots. IfK deviations are identifiedin a window ofTHRESHpackets from the node (α, K andTHRESHare protocol parameters), the host is designatedto bemisbehaving.

Correcting Misbehavior.The benefits gained by misbe-having nodes are increased throughput and decreased de-lay. Thecorrectionmechanism aims to negate these ben-efits without penalizing the conforming nodes. When themonitoring procedure detects that a host has waited for lessthan the expected backoff by an amountD, this amountD is added as penalty to the next backoff assigned to thatnode. In addition, a misbehaving node suffers fewer col-lisions per successful transmission on an average and weattempt to negate this benefit by adding additional penaltyto the next backoff value assigned to that node.

Conclusion and Future Work:In this work, we have de-veloped modifications to IEEE 802.11 protocol for sim-plified misbehavior detection in infrastructure-based net-works. The approach may be used in ad hoc networks aswell. Each node in the ad hoc network can monitor thetraffic it receives to verify that the nodes sending the pack-ets are well-behaved. We plan to augment our approachwith mechanisms to detect a misbehaving node that gainsmore bandwidth by using multiple MAC addresses. Wealso plan to develop protocols to handle misbehavior forscenarios with misbehaving receivers, and scenarios withcolluding senders and receivers. We will also explore otherapproaches for handling misbehavior.

Stimulating Cooperation of Selfish Nodes in MANET,Pietro Michiardi (Inst. Eurecom) and Refik Molva (Inst.Eurecom)

This paper focuses on a security issue specific to mobilead hoc networks: node selfishness. Unlike networks usingdedicated nodes to support basic functions like packet for-warding, routing, and network management, in MANETthose functions are carried out by all available nodes. Insuch networks there is no good reason to assume that a node

will cooperate and provide services to each other: serviceprovision consumes energy, a scarce resource that nodesare induced to use for their own communications.

It is a realistic assumption that selfish nodes do not per-form active attacks, due to the high energy consumptionthereof. In the proposed security scheme (CORE), node co-operation is stimulated by a collaborative monitoring tech-nique and a reputation mechanism. Each node of the net-work monitors the behavior of its neighbors with respect toa requested function and collects observations about the ex-ecution of that function: as an example, when a node initi-ates a Route Request (e.g., using the DSR routing protocol)it monitors that its neighbors process the request, whetherwith a Route Reply or by relaying the Route Request. Ifthe observed result and the expected result coincide, thenthe observation will take a positive value, otherwise it willtake a negative value.

Based on the collected observations, each node com-putes a reputation value for every neighbor. The formulaused to evaluate the reputation value avoids false detections(caused for example by link breaks) by using an aging fac-tor that gives more relevance to past observations: frequentvariations on a node behavior are filtered. Furthermore, ifthe function that is being monitored provides an acknowl-edgement message (e.g., the Route Reply message of theDSR protocol), reputation information can also be gatheredabout nodes that are not within the radio range of the mon-itoring node. In this case, only positive ratings are assignedto the nodes that participated to the execution of the func-tion in its totality.

The CORE mechanism resists to attacks performed us-ing the security mechanism itself: no negative ratings arespread between the nodes, so that it is impossible for anode to maliciously decrease another node’s reputation.The reputation mechanism allows the nodes of the MANETto gradually isolate selfish nodes: when the reputation as-signed to a neighboring node decreases below a pre-definedthreshold, service provision to the misbehaving node willbe interrupted. Misbehaving nodes can, however, be re-integrated in the network if they increase their reputationby cooperating to the network operation.

An original approach to study the node selfishness prob-lem in MANET is based on an economic model. In thismodel, service provision preferences for each node are rep-resented by a utility function. As the name implies, the util-ity function quantifies the level of satisfaction a node getsfrom using the network resources. Game-theoretic meth-ods are applied to study cooperation under this new model.Game theory is a powerful tool for modeling interactionsbetween self-interested users and predicting their choice ofstrategy. Each player in the game maximizes some func-tion of utility in a distributed fashion. The games settle ata Nash equilibrium if one exists. Since nodes act selfishly,the equilibrium point is not necessarily the best operatingpoint from a social point of view. Pricing emerges as aneffective tool for cooperation enforcement because of itsability to guide node behavior toward a more efficient op-erating point from the social point of view.

In our analysis we first identify the preference relations


that are specific to our problem and then design a utilityfunction that satisfies this structure. The utility function weused to model the selfishness problem takes into accountthe energy that a node spends for the purpose of its owncommunications and energy that the node has to use whenparticipating in the routing protocol and when relaying datapackets on behalf of other nodes. Node behavior is repre-sented as the percentage of energy a node dedicates for itsown communications and the percentage of energy spentfor network operation (i.e., 50% means that the node useshalf of its energy for itself, half for routing and packet for-warding). Simulations shows that under this definition, aselfish node that tries to maximize its utility function willdedicate the totality of its available energy for its own com-munications. The CORE mechanism is then modeled as thepricing function that is used to guide the operating point toa fair position: reputation influences the percentage of en-ergy a node is allowed to use for its own communications.When the reputation rating is high, the amount of energythe node can spend for its own use rises and vice versa.Simulation results show a stable feedback system that con-verges to an operating point where 48% of the availableenergy is dedicated to the network operation (see Figure 3).

0 50 100 150 200 250 300 350 400−2.5

−2

−1.5

−1

−0.5

0

Rep

utat

ion

0 50 100 150 200 250 300 350 4000

0.1

0.2

0.3

0.4

0.5

0.6

0.7

Nod

e i b

ehav

ior

SELFISH BEHAVIOR SELFISH BEHAVIOR NORMAL BEHAVIOR

TIME

TIME

Figure 3: Reputation and node behavior in time (Stimulat-ing Cooperation of Selfish Nodes in MANET,P. Michiardiand R. Molva)

Cooperation of Nodes, Sonja Buchegger (IBM Research,Zurich) and Jean-Yves Le Boudec (EPFL)

In game-theoretic terms, cooperation is a dilemma. Thedominating strategy for individual nodes is not to cooper-ate, as cooperation consumes resources and it might resultin a disadvantage. But if every node follows that strategy,the outcome is undesirable for everyone as it results in anon functional or entirely absent network.Learning by Observing – CONFIDANT:Our approach is tofind the selfish and/or malicious nodes and to isolate them,so that misbehavior will not pay off but result in isolationand thus cannot continue. CONFIDANT [4] is short for‘Cooperation Of Nodes, Fairness In Dynamic Ad-hoc NeT-works’ and detects malicious nodes by means of observa-

tion or reports about several types of attacks, thus allow-ing nodes to route around misbehaved nodes and to isolatethem. Figure 4 shows the CONFIDANT components asextension to a routing protocol such as Dynamic SourceRouting (DSR).

Nodes have amonitor for observations,reputationrecordsfor first-hand and trusted second-hand observationsabout routing and forwarding behavior of other nodes,trustrecordsto control trust given to received warnings, and apath managerto adapt their behavior according to reputa-tion and to take action against malicious nodes. The termreputationis used to evaluate routing and forwarding be-havior according to the network protocol, whereas the termtrust is used to evaluate participation in the CONFIDANTmeta-protocol.

Figure 4: CONFIDANT Components in a Node (Coopera-tion of nodes,S. Buchegger and J.-Y. Le Boudec)

The dynamic behavior of CONFIDANT is as follows.Nodesmonitor their neighbors and change thereputationaccordingly. If they have reason to believe that a node mis-behaves, they can takeaction in terms of their own routingand forwarding and they can decide to inform other nodesby sending an ALARM message. When a node receivessuch an ALARM either directly or by promiscuously lis-tening to the network, it evaluates how trustworthytrustthe ALARM is based on the source of the ALARM and theaccumulated ALARM messages about the node in ques-tion. It can then decide whether to takeactionagainst themisbehaving node.

Simulations for “no forwarding” have shown that CON-FIDANT can cope well, even if half of the network popu-lation acts maliciously.Robustness:Assuming that nodes employ the CONFI-DANT protocol, malicious nodes can be detected and iso-lated. However, we have to ensure the robustness of CON-FIDANT itself, for example its robustness against wrongobservations, i.e., categorizing behavior as an attack whenit is not or vice versa, and its robustness against wrong ac-cusations, i.e., maliciously excluding cooperative nodes byspreading the rumor that they misbehave. To facilitate cat-egorization and trust management, we use a Bayesian ap-proach, in which the belief of a node about its environmentas captured in the reputation records is updated at each ob-servation. The belief models of several nodes are then com-pared, evaluating the compatibility and excluding outliers.


This assumes that nodes that spreading wrong accusationsare not in the majority at any given time.Conclusions: Our goals are to increase cooperation byproactively giving selfish nodes an incentive to cooperate,as well as reactively isolate selfish or malicious nodes suchthat they cannot continue their misbehavior. To make co-operation in mobile ad-hoc networks attractive we have tomake sure that selfish behavior, i.e., a behavior that max-imizes the utility of a node, leads to an outcome that isalso beneficial for the network. In CONFIDANT this isachieved by gradually isolating a node that has accumu-lated a bad reputation, such that, —once detected— it canno longer benefit from the network, so if a node wants toremain in the network it has to cooperate. This effect isalso exploited to largely neutralize malicious nodes whenother nodes no longer route or forward with or for them, byreducing their influence to the radius of one hop. We arecurrently investigating how to use the trust administrationto provide incentives to cooperate also at the meta-level,i.e., to participate in CONFIDANT.

Stimulating Cooperation by Means ofNuglets, LeventeButtyan (EPFL) and Jean-Pierre Hubaux (EPFL)

In civilian applications of ad hoc networks, where eachnode is its own authority, nodes may selfishly deny coop-eration in order to save their own resources (e.g., batterypower, memory, CPU cycles).

One approach to solving this problem would be to makethe nodes tamper resistant, so that their behavior cannotbe modified by their users. However, this approach doesnot seem to be very realistic, since ensuring that the wholedevice is tamper resistant may be very difficult, if not im-possible. Therefore, we propose another approach that re-quires only a tamper resistant hardware module (such asthe SIM card in GSM phones), calledsecurity module, ineach node. Under the assumption that the user can possi-bly modify the behavior of the node, but never that of thesecurity module, our design ensures that tampering withthe node isnot advantageousfor the user, and therefore, itshould happen only rarely.

We focus on the stimulation of packet forwarding, whichis a fundamental networking function that the nodes shouldperform. In a nutshell, we propose a protocol that requiresthe node to pass each packet (generated as well as receivedfor forwarding) to its security module. The security mod-ule maintains a counter, callednuglet counter. When thenode wants to send a packet as originator, the numbernof forwarding nodes that are needed to reach the destina-tion is estimated, and the nuglet counter is decreased byn. When the node forwards a packet, its nuglet counter isincreased by one. The value of the nuglet counter must re-main positive, which means that if the node wants to sendits own packets, then it must forward packets for the benefitof other nodes. The nuglet counter is protected from illegit-imate manipulation by the tamper resistance of the securitymodule.

In order to study the behavior of the proposed protocol,we conducted simulations written in plain C++ language.In our simulations, each node generates packets with a con-

stant average rate. If an own packet cannot be sent (due tothe low value of the nuglet counter), then it is dropped. Wemodel selfishness of the nodes by the goal of minimizingthe number of own packets dropped, which is equivalent tomaximizingzo = outo

ino, whereouto denotes the number of

own packets sent by the node andino stands for the numberof own packets generated by the node during the simulationtime.

We studied the performance of the following three for-warding rules:

• Rule 1: always forward

• Rule 2: if c ≤ C then forward else forward with prob-ability C/c and drop with probability1− C/c

• Rule 3: if c ≤ C then forward else drop

wherec andC denote the current and the initial number ofnuglets at the node, respectively. Clearly, the most cooper-ative rule is Rule 1; Rules 2 and 3 are less cooperative, inthis order.

We set 90% of the nodes to use a given rule (we call thisthemajority rule), and the remaining 10% of the nodes touse Rule 1 in a first set of simulations, Rule 2 in a secondset of simulations, and finally Rule 3 in a third set of simu-lations. We observed the average value ofzo that the 10%deviating nodes could achieve in each case. The results areshown in Table 2.

Average value ofzo

Majority of the 10% deviating nodesrule when they use:

Rule 1 Rule 2 Rule 3Rule 1 0.979 0.935 0.924Rule 2 0.941 0.905 0.897Rule 3 0.898 0.873 0.865

Table 2: Comparison of forwarding rules (Stimulatingcooperation by means ofnuglets, L. Buttyan and J.-P.Hubaux)

Remarkably, Rule 1 performed the best in every case.This means that nodes drop the smallest portion of theirown packets when they use Rule 1, no matter whether themajority of the nodes use Rule 1, Rule 2, or Rule 3. Fur-thermore, this is true for every packet generation rate thatwe have simulated. Therefore, we conclude that the pro-posed mechanism indeed stimulates the nodes for packetforwarding.

A full description of the proposed approach, its protec-tion scheme, and the simulations can be found in [6].

Cryptographic protocols

Cryptography with Guardian Angels: Bringing Civi-lization to Pirates, Gildas Avoine (EPFL) and Serge Vau-denay (EPFL)

Abstract: In contrast with traditional cryptographic pro-tocols in which parties can have access to common third


parties, and where at least one of them is assumed to behonest, we propose here a new model which is relevantfor networks of communication devices with security mod-ules. We then focus on the problem of fair exchange in thismodel. We propose a probabilistic protocol which providesarbitrarily low unfairness (involving a complexity cost).Pirates and Guardian Angels Model:In classical mobilenetworks, the communication scheme is made of both de-vices Pi and providers; the latter may have put securitymodulesGi in their devices.Gi’s can only communicatewith their own Pi, andPi’s can only communicate withboth their security module and their provider.

In future networks like self-organized mobile networks,the communication chain looks as follows and providersare no longer involved.

P1 ↔ P2 ↔ . . . ↔ Pn−1 ↔ Pn

l l l lG1 G2 Gn−1 Gn

Here we may assume that all users try to optimize theirbenefit and are potential pirates, and thus security modulesserve as Guardian Angels in order to enforce communityrules. Since users can modify the behavior of their devices,we can consider a user and a device as a same entity, aPirate.

For practical considerations, we assume that guardiansare tamper-resistant, simple and limited devices, and thatthey can only communicate with their own deviceP . Smartcards are examples of guardian angels. Guardians are setup by a given provider who may define his own communitybylaw. This setting may lead to some interesting businessmodels.

In this model, confidentiality, integrity, and authenticityare addressed in a classical way. A specific problem is theinsurance of receipt: how to certify that a message was welltransmitted and received? Here we address this problem incontext of fair exchange problem.Fair Exchange Protocol:The proposed protocol is a proba-bilistic fair exchange protocol between two entitiesPi andPi+1 without trusted third party, which is in this way partic-ularly relevant for self-organized networks. We recall firstthat an exchange protocol is fair if, at the end of the execu-tion, either both parties have received the expected valuevi

andvi+1, or none of them have received any informationabout the other value.

In the pirates and angels model, we assume thatGi’shave a virtual private network (VPN) which protects confi-dentiality, integrity, authentication, and sequentiality of theexchanged messages. So, the only possible attack consistsin aborting the protocol. During a first stage,Gi andGi+1

use this VPN in order to exchange the expected valuesvi

andvi+1.The remaining stage is a simple synchronization prob-

lem: Gi andGi+1 need to decide in a synchronous way thatthe exchange succeeded in order to disclose the exchangedvalue to their devices. In this synchronization protocol, theguardians, in turn, send a message through the VPN. Thismessage can be a termination signal or some dummy ran-dom value. To do this, they flip a coin with probabilityp to

issue a termination signal. The piratesPi andPi+1 are as-sumed to be unable to distinguish the signal from a randomvalue. Then, guardians consider that the protocol succeedswhen they have both received and sent the termination sig-nal. Since pirates are assumed to get no information in themessages, they cannot decide to stop depending on the pro-tocol view. Hence they must decide to stop at some levelno matter what the communication are.

An analysis of our synchronization protocol yields to thefollowing theorems:

Theorem 1: LetC be the number of messages exchangedbetweenGi andGi+1. If p is the termination probability,we haveE(C) = 3

p − 1 whenPi andPi+1 are honest.

Theorem 2 : Ifp is the termination probability andpa thehighest probability of unfairness over all possible misbe-havior of pirates, we havep4 ≤ pa ≤ p

4(1−p) .

The proofs of these theorems are available in the ex-tended abstract, as well as variants and extensions.

Rational Exchange, Levente Buttyan (EPFL) and Jean-Pierre Hubaux (EPFL)

There are many applications where two parties have to ex-change digital items via a network. Clearly, each partywould like to have some guarantee that the other partywill not bring her in a disadvantageous situation by mis-behaving in the exchange. The usual solution to this prob-lem is to use a fair exchange protocol, which ensures fora correctly behaving party that it cannot suffer any disad-vantages. However, fair exchange is impossible without atrusted third party, and therefore, its implementation can beproblematic in infrastructureless ad hoc networks.

A promising approach to solve the exchange problem inad hoc networks is based on the concept ofrational ex-change. A rational exchange protocol ensures that a mis-behaving party cannot gain anything with the misbehavior.Therefore, rational (self-interested) parties have no reasonto misbehave. However, unlike in fair exchange, a correctlybehaving party may suffer a disadvantage. While rationalexchange seems to provide weaker guarantees than fair ex-change does, it has an appealing feature: under certain as-sumptions, rational exchange is possible without a trustedthird party.

In order to be able to design rational exchange proto-cols, one needs to have a fairly good understanding of theconcept. However, currently, rational exchange is not wellunderstood, and often confused with fair exchange. Ourgoal is, therefore, to clarify this situation. In order to do so,we propose a formal model of exchange protocols, which isbased on game theory [5]. We model the situation in whichparties of a given exchange protocol find themselves as agame. We call this game the protocol game. The protocolgame encodes all the possible interactions of the protocolparties. The protocol parties are modeled as players. Theprotocol itself (as a set of rules) is represented as a set ofstrategies (one strategy for each protocol party). Misbe-havior means that a protocol party follows a strategy that isdifferent from its prescribed strategy.

We define the concept of rational exchange in terms of


properties of the protocol game and the prescribed strate-gies of the protocol parties. More precisely, we have beeninspired by the striking similarity between the informal def-inition of rational exchange and the concept of Nash equi-librium in games. Therefore, we define rational exchangeformally in terms of a Nash equilibrium in the protocolgame:

Definition: Let us consider a two-party exchange protocolπ = {π1, π2}, whereπ1 andπ2 are the programs for theprotocol parties. Furthermore, let us consider the protocolgameGπ of π, and let us denote the strategy of playerpk

that representsπk within Gπ by s∗pk, k ∈ {1, 2}. π is said

to berationaliff

• (s∗p1, s∗p2

) is a Nash equilibrium in the protocol gameGπ; and

• bothp1 andp2 prefer the outcome of(s∗p1, s∗p2

) to theoutcome of any other Nash equilibrium inGπ.

Our model is sufficiently rich to permit the definitionof other properties of exchange protocols as well. Morespecifically, we can also define fairness. Representing theconcepts of rational exchange and fair exchange in thesame model allows us to study their relationships. In par-ticular, we prove that fairness implies rationality (assumingthat the protocol satisfies certain additional requirements):

Theorem: If the protocol satisfies the effectiveness, gainclosed, and safe back out properties, then fairness impliesrationality.

It is easy to see that the reverse is not true in general. Thus,the result that we obtain from the model justifies the intu-ition that fairness is a stronger requirement than rationality.

Besides leading to a deeper understanding of the conceptof rational exchange and its relationship to fair exchange,our formalism can also be used to formally verify existingrational exchange protocols. We illustrate this by analyz-ing a rational exchange protocol proposed in the literatureby Syverson [7]. Our analysis leads to the conclusion thatSyverson’s protocol is rational only under the assumptionthat the network is reliable, which means that it deliversmessages within a constant time interval; if this assump-tion is removed, then the rationality property is lost.

This work is relevant in the context of ad hoc network-ing as rational exchange might be the only viable solu-tion to the exchange problem if the network is fully self-organizing. To the best of our knowledge, we are the firstwho formalized the concept of rational exchange in its fullgenerality, studied its relation to fair exchange, and pro-vided rigorous proofs of rationality for existing rational ex-change protocols. Perhaps, the most original contributionof this work is the usage of game theory as a tool for mod-eling and analyzing security protocols. It shows that gametheory can successfully be used for such a task. In fact,we believe that it is the most appropriate tool for modelingrational exchange in particular.

References

[1] B. Bellur and R. G. Ogier. A reliable, efficient topol-ogy broadcast protocol for dynamic networks. InPro-ceedings of the Eighteenth Annual Joint Conferenceof the IEEE Computer and Communications Societies(Infocom), pages 178–186, March 1999.

[2] M. Blaze, J. Feigenbaum, J. Ioannidis, andA. Keromytis. The KeyNote trust-management sys-tem Version 2. Internet RFC 2704, September 1999.

[3] E. Bonabeau, M. Dorigo, and G. Theraulaz.SwarmIntelligence: From Natural to Artificial Systems. SFIStudies in the Sciences of Complexity. Oxford Uni-versity Press, July 1999.

[4] S. Buchegger and J.-Y. Le Boudec. Performanceanalysis of the CONFIDANT protocol. InProceed-ings of the3rd ACM International Symposium on Mo-bile Ad Hoc Networking and Computing (MobiHoc),pages 226–236, June 2002.

[5] L. Buttyan and J.-P. Hubaux. Rational exchange –a formal model based on game theory. InProceed-ings of the2nd International Workshop on ElectronicCommerce (WELCOM), November 2001.

[6] L. Buttyan and J.-P. Hubaux. Stimulating co-operation in self-organizing mobile ad hoc net-works. ACM/Kluwer Mobile Networks and Applica-tions (MONET), to appear 2002.

[7] L. Buttyan, J.-P. Hubaux, and S.Capkun. A for-mal analysis of Syverson’s rational exchange proto-col. In Proceedings of the15th IEEE Computer Se-curity Foundations Workshop (CSFW), June 2002.

[8] S. Capkun, L. Buttyan, and J.-P. Hubaux. Smallworlds in security systems: an analysis of the PGPcertificate graph. InProceedings of the ACM New Se-curity Paradigms Workshop, 2002.

[9] C. Castelluccia and G. Montenegro. Protecting AOD-Vng against impersonation attacks.ACM MobileComputing and Communications Review, July 2002.

[10] C. Castelluccia and G. Montenegro. Securing groupmanagement in IPv6. Technical report, INRIA, Au-gust 2002.

[11] M. Corner and B. Noble. Zero-interaction authentica-tion. In Proceedings of the8th ACM InternationalConference on Mobile Computing and Networking(MobiCom), September 2002.

[12] C. Ellison and al. SPKI certificate theory. InternetRFC 2693, September 1999.

[13] Y.-C. Hu, D. B. Johnson, and A. Perrig. Secureefficient distance vector routing in mobile wirelessad hoc networks. InProceedings of the4th IEEEWorkshop on Mobile Computing Systems and Appli-cations(WMCSA), June 2002.


[14] Y.-C. Hu, A. Perrig, and D. B. Johnson. Packetleashes: A defense against wormhole attacks in wire-less ad hoc networks. Technical Report TR01-384,Department of Computer Science, Rice University,December 2001.

[15] Y.-C. Hu, A. Perrig, and D. B. Johnson. Ariadne:A secure on-demand routing protocol for ad hoc net-works. InProceedings of the8th ACM InternationalConference on Mobile Computing and Networking(MobiCom), September 2002.

[16] J.-P. Hubaux, L. Buttyan, and S.Capkun. The questfor security in mobile ad hoc networks. InProceed-ings of the 2nd ACM International Symposium on Mo-bile Ad Hoc Networking and Computing (MobiHoc),October 2001.

[17] D. B. Johnson. Routing in ad hoc networks ofmobile hosts. InProceedings of the IEEE Work-shop on Mobile Computing Systems and Applications(WMCSA), pages 158–163, December 1994.

[18] T. Kindberg, K. Zhang, and N. Shankar. Contextauthentication using constrained channels. InPro-ceedings of the IEEE Workshop on Mobile ComputingSystems and Applications(WMCSA), pages 14–21,June 2002.

[19] J. Kong, P. Zerfos, H. Luo, S. Lu, and L. Zhang.Providing robust and ubiquitous security support formanet. InProceedings of the9th IEEE InternationalConference on Network Protocols (ICNP), 2001.

[20] P. Kyasanur and N. H. Vaidya. Detection and han-dling of mac layer misbehavior in wireless networks.Technical report, CSL, UIUC, August 2002.

[21] M. Mathis, J. Mahdavi, S. Floyd, and A. Romanow.TCP selective acknowledgment options. InternetRFC 2018, October 1996.

[22] R. Merkle. Protocols for public key cryptosystems. InProceedings of the IEEE Symposium on Security andPrivacy, 1980.

[23] G. Montenegro and C. Castelluccia. StatisticallyUnique and Cryptographically Verifiable (SUCV)identifiers and addresses. InProceedings of the9th Annual Network and Distributed System SecuritySymposium (NDSS), February 2002.

[24] T. Narten, E. Nordmark, and W. A. Simpson. Neigh-bor discovery for IP version 6 (IPv6). InternetRFC 2461, December 1998.

[25] P. Papadimitratos and Z. J. Haas. Secure routing formobile ad hoc networks. InProceedings of SCS Com-munication Networks and Distributed Systems Mod-eling and Simulation (CNDS), January 2002.

[26] C. Perkins, E. Belding-Royer, and S. Das. Ad hocon demand distance vector (AODV) routing for IPversion 6. Internet Draft, draft-perkins-manet-aodv6-01.txt, November 2001.

[27] C. Perkins, E. Belding-Royer, and S. Das. Ad hoc ondemand distance vector (AODV) routing, June 2002.

[28] C. Perkins and P. Bhagwat. Highly dynamicDestination-Sequenced Distance-Vector routing(DSDV) for mobile computers. InProceedings ofthe ACM SIGCOMM Conference on CommunicationArchitectures, Protocols, and Applications, pages234–244, August 1994.

[29] C. Perkins and E. Royer. Ad-hoc on-demand distancevector routing. InProceedings of the IEEE Work-shop on Mobile Computing Systems and Applications(WMCSA), pages 90–100, February 1999.

[30] A. Perrig, R. Canetti, D. Tygar, and D. Song. Efficientauthentication and signature of multicast streams overlossy channels. InProceedings of the IEEE Sym-posium on Security and Privacy, pages 56–73, May2000.

[31] A. Qayyum, L. Viennot, and A. Laouiti. Multipointrelaying: An efficient technique for flooding in mo-bile wireless networks. Technical Report RR-3898,INRIA, February 2000.

[32] K. Sanzgiri, B. Dahill, B. N. Levine, C. Shields, andE. M. Belding-Royer. A secure routing protocol for adhoc networks. InProceedings of the10th IEEE Inter-national Conference on Network Protocols (ICNP),November 2002.

[33] B. Schneier.Secrets and Lies: Digital Security in aNetworked World. Wiley Computer Publishing, 2000.

[34] Trimble Navigation Limited. Data sheet and spec-ifications for Trimble Thunderbolt GPS DisciplinedClock. Sunnyvale, California. Available athttp://www.trimble.com/thunderbolt.html.

[35] Y. Zhang and W. Lee. Intrusion detection in wire-less ad-hoc networks. InProceedings of the 6th ACMInternational Conference on Mobile Computing andNetworking (MobiCom), August 2000.

[36] Y. Zhang, W. Lee, and Y. Huang. Intrusion de-tection techniques for mobile wireless networks.ACM/Kluwer Mobile Networks and Applications(MONET), to appear 2002.

[37] L. Zhou and Z. Haas. Securing ad hoc networks.IEEE Network, 13(6):24–30, Nov/Dec 1999.

[38] L. Zhou, F. B. Schneider, and R. van Renesse. COCA:A secure distributed on-line certification authority.ACM Transactions on Computer Systems, to appear.


report on a working session on security in wireless ad hoc...

Documents