1 12. detecting service violations in internet and mobile ad hoc networks bharat bhargava cerias...
TRANSCRIPT
1
12. Detecting Service Violations in Internet and Mobile Ad Hoc Networks
Bharat BhargavaCERIAS Security CenterCWSA Wireless Center
Department of CS and ECEPurdue University
Supported by NSF IIS 0209059, NSF IIS 0242840 ,
NSF CNS 0219110, CISCO, Motorola, IBM
2
Research Team
• Faculty Collaborators– Dongyan Xu, Middleware and privacy– Mike Zoltowski, Smart antennas, wireless security– Sonia Fahmy, Internet security
• Postdoc– Lezsek Lilien, Privacy and vulnerability– Xiaoxin Wu, Wireless security– Jun Wen, QoS– Mamata Jenamani, Privacy
• Ph.D. students– Ahsan Habib, Internet Security– Mohamed Hefeeda, Peer-to-Peer networking– Yi Lu, Wireless security and congestion control– Yuhui Zhong, Trust management and fraud– Weichao Wang, Security in wireless networks
More information at http://www.cs.purdue.edu/people/bb
3
Motivation
• Lack of trust, privacy, security, and reliability impedes information sharing among distributed entities.
• Research is required for the creation of knowledge and learning in secure networking, systems, and applications.
4
• Enable the deployment of secure applications in the pervasive computing and communication environments.
Goal
5
Objective
• A trustworthy, secure, and privacy preserving network platform must be established for trusted collaboration. The fundamental research problems include:– Trust management– Privacy preserved collaborations– Dealing with a variety of attacks in networks– Intruder identification in ad hoc networks– Trust-based privacy preservation for peer-to-peer
data sharing
6
Applications/Broad Impacts
• Guidelines for the design and deployment of security sensitive applications in the next generation networks– Data sharing for medical research and treatment– Collaboration among government agencies for
homeland security– Transportation system (security check during travel,
hazardous material disposal)– Collaboration among government officials, law
enforcement and security personnel, and health care facilities during bio-terrorism and other emergencies
7
Scientific Contributions
A. Trust formalizationB. Privacy-preserving Collaborations
Privacy preservation in interactions
C. Detecting Service Violations in Internet Network tomography techniques for DoS attacks
D. Intruder Identification in Ad Hoc Networks
Intrusion detection and intruder identification
E. Trust-based Privacy Preservation for Peer-to-Peer Data Sharing
8
9
A. Trust Formalization
• Problem– Dynamically establish and update trust among entities in an open
environment.
• Research directions– Handling uncertain evidence– Modeling dynamic trust– Formalization and detection of fraud
• Challenges– Uncertain information complicates the inference procedure.– Subjectivity leads to various interpretations toward the same
information.– The multi-faceted and context-dependent characteristics of trust
require tradeoff between representation comprehensiveness and computation simplicity of the trust model.
10
Trust Info and Metrics
• Trust based on– Evidence– Credential– Interactions– Fraud potential– Privacy requirement
• Measure of trust
11
Uncertain Evidence• Probability-based approach to evaluate the
uncertainty of a logic expression given a set of uncertain evidence– Atomic formula: Bayes network + causal
inference + conditional probability interpretation of opinion
– AND/OR expressions: rule defined by Jsang [Jsang'01]
– Subjectivity is realized using discounting operator proposed by Shafer [Shafer'76]
12
Dynamic Trust• Trust production based on direct interaction
– Identify behavior patterns and their characteristic features
– Determine which pattern is the best match of an interaction sequence
– Develop personalized trust production algorithms considering behavior patterns
• Reputation aggregation– Global reputation vs. personalized reputation– Personalized reputation aggregation
• Determine the subset of trust information useful for a specific trustor by using collaborative filters
• Translate trust information into the scale of a specific trustor
13
Trust Enhanced Role Assignment (TERA) Prototype
• Trust enhanced role mapping (TERM) server assigns roles to users based on – Uncertain & subjective evidence
– Dynamic trust
• Reputation server – Dynamic trust information repository– Evaluate reputation from trust information by using
algorithms specified by TERM server
Prototype and demo are available at
http://www.cs.purdue.edu/homes/bb/NSFtrust/
14
TERA Architecture
T E R M s er v er
T E R M s er v er
T r u s t b as ed o n b eh av io r s
T r u s t b as ed o n b eh av io r s
R ep u ta tio n
R ep u ta tio n
R ep u ta tio n s er v er
Alic e
Bo b
T E R A
R o le r eq u es t
As s ig n ed r o le
R o le r eq u es t
As s ig n ed r o le
R BAC en h an c edap p lic a tio n s er v er
R BAC en h an c edap p lic a tio n s er v er
Us er 's b eh av io r
Us er 's b eh av io r
I n te r ac tio n s
I n te r ac tio n s
15
Trust Enhanced Role Mapping (TERM) Server
• Evidence rewriting
• Role assignment– Policy parser – Request processor & inference engine– Constraint enforcement
• Policy base
• Trust information management– User behavior modeling – Trust production
16
TERM Server
TERM
Credential Manager
Assign role
Credentials provided / retrieved
Role Assignment
Evidence statement
Evidence statement
Evidence Rewriting Trust toward
issuer
Trust toward user/issuer
Trust
Information Management
Behaviors
Policy Base
Role-assignment Policy
Role-assignment policies
Reputation
user
Reputation server
Policy maker
Application server
Trust information
Request role
17
Fraud Formalization and Detection
• Model fraud intention– Uncovered deceiving intention– Trapping intention– Illusive intention
• Fraud detection– Profile-based anomaly detection
• Monitor suspicious actions based upon the established patterns of an entity
– State transition analysis• Build an automaton to identify activities that lead
towards a fraudulent state
18
Model Fraud Intentions
• Uncovered deceiving intention– Satisfaction ratings
are stably low. – Ratings vary in a
small range over time.
19
Model Fraud Intentions
• Trapping intention– Rating sequence can
be divided into two phases: preparing and trapping.
– A swindler behaves well to achieve a trustworthy image before he conducts frauds.
20
Model Fraud Intentions
• Illusive intention– A smart swindler
attempts to cover the bad effects by intentionally doing something good after misbehaviors.
– Process of preparing and trapping is repeated.
21
22
B. Privacy-Preserving Collaborations
• Problem– Preserve privacy, gain trust, and control
dissemination of data
• Privacy based on– Approximate location– Approximate version of information– Any cast
• Determine the degree of data privacy– Size of anonymity set metrics– Entropy-based metrics
• Tradeoff between privacy and trust
23
24
C. Detecting Service Violations in Internet
• Problem statementDetecting service violation in networks is the procedure of identifying the misbehaviors of users or operations that do not adhere to network protocols.
25
Topology Used (Internet)
A1 spoofs H5’s address to attack V
A3 uses reflector H3 to attack V
H5
Victim, V
26
Detecting DoS Attacks in Internet
*SPIE: Source Path Isolation Engine
27
• Research Directions– Observe misbehavior flows through service
level agreement (SLA) violation detection– Core-based loss– Stripe based probing– Overlay based monitoring
28
Approach
• Develop low overhead and scalable monitoring techniques to detect service violations, bandwidth theft, and attacks. The monitor alerts against possible DoS attacks in early stage
• Policy enforcement and controlling the suspected flows are needed to maintain confidence in the security and QoS of networks
29
Methods
• Network tomography – Stripe based probing is used to infer individual
link loss from edge-to-edge measurements– Overlay network is used to identify congested
links by measuring loss of edge-to-edge paths
• Transport layer flow characteristics are used to protect critical packets of a flow
• Edge-to-edge mechanism is used to detect and control unresponsive flows
30
Monitoring Network Domains
• Idea: – Excessive traffic changes internal characteristics inside a
domain (high delay & loss, low throughput)
– Monitor network domain for unusual patterns
– If traffic is aggregating towards a domain (same IP prefix), probably an attack is coming
• Measure delay, link loss, and throughput achieved by user inside a network domain
Monitoring by periodic polling or deploying agents in high speed core routers put non-trivial overhead on them
31
Core-assisted loss measurements
• Core reports to the monitor whenever packet drop exceeds a local threshold
• Monitor computes the total drop for time interval t • If the total drop exceeds a global threshold
a. The monitor sends a query to all edge routers requesting their current rates b. The monitor computes total incoming rate from all edge c. The monitor computes the loss ratio as the ratio of the dropped packets and the total incoming rate d. If the loss ratio exceeds the SLA loss ratio, a possible SLA violation is reported
32
Stripe Unicast Probing [Duffield et al., INFOCOM ’01]
• Back-to-back packets experience similar congestion in a queue with a high probability
• Receiver observes the probes to correlate them for loss inference
• Infer internal characteristics using topology• For general tree? Send stripe from root to every
order-pair of leaves• Develop stripe-based monitoring by extending
loss inference for multiple drop precedence
Inferring Loss
• Calculate how many packets are received by the two receivers. Transmission probability Ak
where Zi binary variable which takes 1 when all packets reached their destination and 0 otherwise
• Loss is 1 - Ak
• For general tree, send stripe from root to every order-pair of leaves.
ZR1 ZR2
ZR1 U R2
Ak =
34
Overlay-based Monitoring
• Problem statement– Given topology of a network domain, identify which
links are congested
• Solutions: Simple and Advanced methods1. Monitor the network for link delay
2. If delayi > Thresholdidelay for path i, then probe the
network for loss
3. If lossj > Thresholdjloss for any link j, then probe the
network for throughput
4. If BWk > ThresholdkBW, flow k is violating service
agreements by taking excess resources. Upon detection, we control the flows.
35
Probing: Simple Method
(a) Topology (b) Overlay (c) internal links
Congested link
• Each peer probes both of its neighbors
• Detect congested link in both directions
36
An Example
• Perform one round peer-to-peer probing in counter-clockwise direction
• Each boolean variable Xij represents the congestion status of link i j
• For each probe P, we have an equation Pi,j = Xi,k+ … + Xl,j
37
Experiments: Evaluation methodology
• Simulation using ns-2 • Two topologies
– C-C links, 20 Mbps– E-C links, 10 Mbps
• Parameters– Number of flows order of
thousands– Change life time of flows– Simulate attacks by varying
traffic intensities and injecting traffic from multiple entry points
• Output Parameters– delay, loss ratio, throughput
Congested link
Topology 1
38
Identified Congested Links
(a) Counter clockwise probing (b) Clockwise probing
Probe46 in graph (a) and Probe76 in graph (b) observe high losses, which means link C4 E6 is congested.
Time (sec) Time (sec)
Loss
Rati
o
L
oss
Rati
o
39
False Positive (theoretical analysis)
• The simple method does not correctly label all links• The unsolved “good” links are considered bad hence
false positive happens• Need to refine the solution Advanced Method
40
• Example:if 100 links in the network and 20 of them are congested and 80 are “good”. The basic probing method can identify 15 congestion links and 70 good links. The other 15 are labeled as “unknown”. If all unknown links are treated as congested, 10 good link will be falsely labeled as congested. When the false positive is too high, the available paths that can be chosen by the routers are restricted, thus network performance is impacted.
41
Analyzing Simple Method
• Lemma 1. If P and P’ are probe paths in the first and the second round of probing respectively, |P P’ | ≤ 1
• Theorem 1. If only one probe path P is shown to be congested in any round of probing, the simple method successfully identifies status of each link in P
• Performs better if edge-to-edge paths are congested• The average length of the probe paths in the Simple
method is ≤ 4
42
Performance: Simple Method
Theorem 2. Let p be the probability of a link being congested in any arbitrary overlay network. The simple method determines the status of any link of the topology with probability at least 2(1-p)4-(1-p)7+p(1-p)12
Frac of actual congested links
Dete
ctio
n P
robabili
ty
43
Advanced Method
AdvancedMethod()begin
Conduct Simple Method. E is the unsolved equation set
for Each undecided variable Xij of E do
node1 = FindNode(Tree T, vi, IN)
node2 = FindNode(Tree T, vj , OUT) if node1 ≠ NULL AND node2 ≠ NULL then
Probe(node1, node2). Update equation set E end if Stop if no more probe exists
endforend
44
Identifying Links: Advanced Method
Link E2 C2, C1 C3, C3 C4, and C4 E6 are congested. Simple method identifies all except E2 C2. Advanced method finds probe E5E1 to identify status of E2 C2.
Time (sec)
L
oss
Rati
o
45
Analyzing Advanced Method
• Lemma 2. For an arbitrary overlay network with n edge routers, on the average a link lies on b = edge-to-edge paths
• Lemma 3. For an arbitrary overlay network with n edge routers, the average length of all edge-to-edge paths is d =
• Theorem 3. Let p be the probability of a link being congested. The advanced method can detect the status of a link with probability at least (1-(1-(1-p)d)b)
n
nn
log8
)23(
n
n
log2
3
46
Bounds on Advanced Method• Graph shows lower and
upper bounds• When congestion is ≤
20%, links are identified with O(n) probes with probability ≥ 0.98
• Does not help if ≥ 60% links are congested Frac of actual congested
links
Dete
ctio
n
Pro
babili
ty
Advanced method uses output of simple method and topology to find a probe that can be used to identify status of an unsolved link in simple method
47
Experiments: Delay Measurements
Cumulative distribution function (cdf)
• Attack changes delay pattern in a network domain
• We need to know the delay pattern when there is not attack
Delay (ms)
% o
f tr
affi
c
48
Experiments: Loss measurements
(b) Stripe-based(a) Core-assisted
Core-based measurement is more precise than stripe-based, however, it has high overhead
Time (sec) Time (sec)
Loss
Rati
o
L
oss
Rati
o
49
Attack Scenarios
(a) Changing delay pattern due to attack
(b) Changing loss pattern due to attack
Time (sec) Time (sec)
D
ela
y (
ms)
L
oss
Rati
o
• Attack 1 violates SLA and causes 15-30% of packet loss
• Attack 2 causes more than 35% of packet loss
50
Detecting DoS Attacks
• If many flows aggregate towards a downstream domain, it might be a DoS attack on the domain
• Analyze flows at exit routers of the congested links to identify misbehaving flows
• Activate filters to control the suspected flows
• Flow association with ingress routers– Egress routers can backtrack paths, and confirm entry
points of suspected flows
51
Overhead comparison
• Core has relative low processing overhead
• Overlay scheme has an edge over other two schemes
(a) Processing overhead (b) Communication overhead
Percentage of misbehaving flow
Com
munic
ati
on o
verh
ead in
KB
Percentage of misbehaving flow
Pro
cess
ing o
verh
ead (
CPU
cy
cle)
52
Observations
• Stripe-based Monitoring– Stripe-based probing can monitor DiffServ
networks only from the edges– It takes 10 sec to converge the inferred loss
ratio to actual loss ratio with ≥ 90% accuracy– 10-15 delay probes and 20-25 loss probes per
second are sufficient for monitoring– Probe is a 3-packet stripe
• 3 shows good correlation, 4 does not add much
53
Observations (Cont’d)
• Overlay-based Monitoring – Congestion status of individual links can be
inferred from edge-to-edge measurements– When the network is ≤ 20% congested
• Status of a link is identified with probability ≥ 0.98• Requires O(n) probes, where n is the number of
edge routers
– Worst case is O(n2), whereas stripe-based requires O(n3) probes to achieve same functionality
54
Observations (Cont’d)
• Analyze existing techniques to defeat DoS attacks– Marking has less overhead than Filtering,
however, it is only a forensic method– Monitoring might have less processing
overhead than marking or filtering, however, monitoring injects packets and others do not
– Monitoring can alert against DoS attacks in early stage
55
Observations (Cont’d)
• Traffic Conditioner– Using small state table, we can design
scalable traffic conditioner– It can protect critical packets of a flow to
improve application QoS (delay, throughput, response time, …)
– Both Round trip time (RTT) & Retransmission time-out (RTO) are necessary to avoid RTT-bias among flows
56
Observations (Cont’d)
• Flow Control– Network tomography is used to design edge-
to-edge mechanism to detect & control unresponsive flows
– QoS of adaptive flows improves significantly with flow control mechanism
57
Conclusion on Monitoring
• Elegant way to use probability in inferring loss. 3-packets stripe shows good correlation
• Monitoring network can detect service violation and bandwidth theft using measurements
• Monitoring can detect DoS attacks in early stage. Filter can be used to stop the attacks
• Overlay-based monitoring requires only O(n) probing with a very high probability, where n is the number of edge routers
• Overlay-based monitoring has very low communication and processing overhead
• Stripe-based inference is useful to annotate a topology tree with loss, delay, and bandwidth.
58
59
D. Intruder Identification in Ad Hoc Networks
• Problem Statement Intruder identification in ad hoc networks is the
procedure of identifying the user or host that conducts the inappropriate, incorrect, or anomalous activities that threaten the connectivity or reliability of the networks and the authenticity of the data traffic in the networks
Papers:“On Security Study of Two Distance Vector Routing Protocols for Mobile Ad Hoc Networks”, in Proceedings of IEEE International Conference on
Pervasive Computing and Communications (PerCom), 2003.
“On Vulnerability and Protection of Ad Hoc On-demand Distance Vector Protocol”, in Proceedings of 10th IEEE International Conference on
Telecommunication (ICT), 2003.
60
Research Motivation
• More than ten routing protocols for Ad Hoc networks have been proposed– Incl. AODV, DSR, DSDV, TORA, ZRP
• Research focuses on performance comparison and optimizations such as multicast and multiple path detection
• Research is needed on the security of Ad Hoc networks.
• Applications: Battlefields, disaster recovery.
61
Research Motivation
• Two kinds of attacks target Ad Hoc network– External attacks:
• MAC Layer jam• Traffic analysis
– Internal attacks:• Compromised host sending false routing
information• Fake authentication and authorization• Traffic flooding
62
Research Motivation
• Protection of Ad Hoc networks– Intrusion Prevention
• Traffic encryption• Sending data through multiple paths• Authentication and authorization
– Intrusion Detection• Anomaly pattern examination• Protocol analysis study
63
Research Motivation
• Deficiency of intrusion prevention– increase the overhead during normal
operation period of Ad Hoc networks– The restriction on power consumption and
computation capability prevent the usage of complex encryption algorithms
– Flat infrastructure increases the difficulty for the key management and distribution
– Cannot guard against internal attacks
64
Research Motivation
• Why intrusion detection itself is not enough– Detecting intrusion without isolating the
malicious host leaves the protection in a passive mode
– Identifying the source of the attack may accelerate the detection of other attacks
65
Research Motivation
• Research problem: Intruder Identification
• Research challenges:• How to locate the source of an attack ?• How to safely combine the information from
multiple hosts and enable individual host to make decision by itself ?
• How to achieve consistency among the conclusions of a group of hosts ?
66
• Related Work– Vulnerability model of ad hoc routing protocols [Yang
et al., SASN ’03]– A generic multi layer integrated IDS structure [Zhang
and Lee, MobiCom ’00]– IDS combining with trust [Albert et al., ICEIS ’02]– Information theoretic measures using entropy
[Okazaki et al., SAINT ’02]– SAODV adopts both hash chain and digital signature
to protect routing information [Zapata et al, WiSe’03]– Security-aware ad hoc routing [Kravets et al,
MobiHOC’01]
67
Related Work in wired Networks
• Secure routing / intrusion detection in wired networks• Routers have more bandwidth and CPU
power• Steady network topology enables the use
of static routing and default routers• Large storage and history of operations
enable the system to collect enough information to extract traffic patterns
• Easier to establish trust relation in the hierarchical infrastructure
68
Related Work in wired networks
• Attack on RIP (Distance Vector)• False distance vector
• Solution (Bellovin 89)• Static routing• Listen to specific IP address• Default router• Cannot apply in Ad Hoc networks
69
Related Work in wired networks
• Attack on OSPF (Link State)• False connectivity• Attack on Sequence Number• Attack on lifetime
• Solution• JiNAO:NCSU and MCNC• Encryption and digital signature
70
Related Work in Ad Hoc Networks
• Lee at GaTech summarizes the difficulties in building IDS in Ad Hoc networks and raises questions: • what is a good architecture and response
system?• what are the appropriated audit data sources?• what is the good model to separate normal and
anomaly patterns?
• Haas at Cornell lists the 2 challenges in securing Ad Hoc networks:• secure routing• key management service
71
Related Work in Ad Hoc Networks
• Agrawal at University of Cincinnati presents the general security schemes for the secure routing in Ad Hoc networks
• Nikander at Helsinki discusses the authentication, authorization, and accounting in Ad Hoc networks
• Bhargavan at UIUC presents the method to enhance security by dynamic virtual infrastructure
• Vaidya at UIUC presents the idea of securing Ad Hoc networks with directional antennas
72
Related Work ongoing projects
• TIARA: Techniques for Intrusion Resistant Ad-Hoc Routing Algorithm (DARPA)• develop general design techniques• focus on DoS attack• sustain continued network operations
• Secure Communication for Ad Hoc Networking (NSF)• Two main principles:
• redundancy in networking topology, route discovery and maintenance
• distribution of trust, quorum for trust
73
Related Work ongoing projects
• On Robust and Secure Mobile Ad Hoc and Sensor Network (NSF)• local route repair• performance analysis• malicious traffic profile extraction• distributed IDs• proposed a scalable routing protocol
• Adaptive Intrusion Detection System (NSF)• enable data mining approach• proactive intrusion detection• establish algorithms for auditing data
74
Evaluation Criteria
• Accuracy• False coverage: Number of normal hosts that are
incorrectly marked as suspected.
• False exclusion: Number of malicious hosts that are not identified as such.
• Overhead • Overhead measures the increases in control
packets and computation costs for identifying the attackers (e.g. verifying signed packets, updating blacklists).
• Workload of identifying the malicious hosts in multiple rounds
75
Evaluation Criteria - cont.
• Effectiveness – Effectiveness: Increase in the performance of ad
hoc networks after the malicious hosts are identified and isolated. Metrics include the increase of the packet delivery ratio, the decrease of average delay, or the decrease of normalized protocol overhead (control packets/delivered packets).
• Robustness – Robustness of the algorithm: Its ability to resist
different kinds of attacks.
76
Assumptions
A1. Every host can be uniquely identified and its ID cannot be changed throughout the lifetime of the ad hoc network. The ID is used in the identification procedure.
A2. A malicious host has total control on the time, the target and the mechanism of an attack. The malicious hosts continue attacking the network.
A3. Digital signature and verification keys of the hosts have been distributed to every host. The key distribution in ad hoc networks is a tough problem and deserves further research. Several solutions have been proposed. We assume that the distribution procedure is finished, so that all hosts can examine the genuineness of the signed packets.
A4. Every host has a local blacklist to record the hosts it suspects. The host has total control on adding and deleting elements from its list. For the clarity of the remainder of this paper, we call the real attacker as “malicious host”, while the hosts in blacklists are called “suspected hosts”.
77
Applying Reverse Labeling Restriction to Protect AODV
• Introduction to AODV
• Attacks on AODV and their impacts
• Detecting False Destination Sequence Attack
• Reverse Labeling Restriction Protocol
• Simulation results
78
Introduction to AODV
• Introduced in 97 by Perkins at NOKIA, Royer at UCSB
• 12 versions of IETF draft in 4 years, 4 academic implementations, 2 simulations
• Combines on-demand and distance vector• Broadcast Route Query, Unicast Route Reply• Quick adaptation to dynamic link condition
and scalability to large scale network• Support multicast
79
Ideas
• Monitor the sequence numbers in the route request packets to detect abnormal conditions
• Apply reverse labeling restriction to identify and isolate attackers
• Combine local decisions with knowledge from other hosts to achieve consistent conclusions
• Combine with trust assessment methods to improve robustness
80
Security Considerations for AODV
“AODV does not specify any special security measures. Route protocols, however, are prime targets for impersonation attacks. If there is danger of such attacks, AODV control messages must be protected by use of authentication techniques, such as those involving generation of unforgeable and cryptographically strong
message digests or digital signatures. ”- http://www.ietf.org/internet-drafts/draft-ietf-manet-aodv-
11.txt
81
Message Types in AODV
• RREQ: route request• RREP: route reply• RERR: route error
82
Route Discovery in AODV (An Example)
S
D
S1
S2
S3
S4
Route to the source
Route to the destination
83
Attacks on routing in mobile ad hoc networks
Attacks on routing
Active attacks Passive attacks
Packet silent discard
Routing information hiding
Routing procedure
Flood network
False reply Wormhole attacks
Route request
Route broken message
84
Attacks on AODV• Route request flooding
– query non-existing host (RREQ will flood throughout the network)
• False distance vector– reply “one hop to destination” to every request and select a
large enough sequence number
• False destination sequence number– select a large number (even beat the reply from the real
destination)
• Wormhole attacks– tunnel route request through wormhole and attract the data
traffic to the wormhole
• Coordinated attacks– The malicious hosts establish trust to frame other hosts, or
conduct attacks alternatively to avoid being identified
85
Impacts of Attacks on AODV
Packet Delivery Ratio
Control packet / data packet
No Attacks 96% 0.38
Vicious Flooding 91% 2.93
False Distance 75% 0.38
False Destination Sequence
53% 0.66
Wormhole 61% 0.41
We simulate the attacks and measure their impacts on packet delivery ratios and protocol overhead
86
False Destination Sequence Attack
S4
S S1
S2 M
S3
RREQ(D, 3)
RREQ(D, 3)
RREQ(D, 3)
RREQ(D, 3)
RREP(D, 4)
RREP(D, 20)
Packets from S to D are sinking at M.
D
Sequence number 5
87
During Route Rediscovery, False Destination Sequence Number Attack Is Detected, S needs to find D again.
D
S S1
S2 M
S3
S4
RREQ(D, 21)
(1). S broadcasts a request that carries the old sequence + 1 = 21
(2) D receives the RREQ. Local sequence is 5, but the sequence in RREQ is 21. D detects the false desti-nation sequence number attack.
Propagation of RREQ
Node movement breaks the path from S to M (trigger route rediscovery).
88
Reverse Labeling Restriction (RLR)
Blacklists are updated after an attack is detected.• Basic Ideas
• Every host maintains a blacklist to record suspicious hosts who gave wrong route related information.
• The destination host will broadcast an INVALID packet with its signature. The packet carries the host’s identification, current sequence, new sequence, and its own blacklist.
• Every host receiving this packet will examine its route entry to the destination host. The previous host that provides the false route will be added into this host’s blacklist.
89
D
S S1
S2M
S3
S4
BL {}
BL {S2}
BL {}BL {M}
BL {S1}
BL {}
INVALID ( D, 5, 21, BL{}, Signature )
Correct destination sequence number is broadcasted.
Blacklist at each host in the path is determined.
S4BL {}
90
D4
D1
S3
S1
M
D3
S4
S2
D2
M attacks 4 routes (S1-D1, S2-D2, S3-D3, and S4-D4). When the first two false routes are detected, D3 and D4 add M into their blacklists. When later D3 and D4 become victim destinations, they will broadcast their blacklists, and every host will get two votes that M is malicious host.
[M]
[M]
[M]
[M]
Malicious site is in blacklists of multiple destination hosts.
91
Combine Local Decisions with Knowledge from Other Hosts
• When a host is destination of a route and is victim by any malicious host, it will broadcast its blacklist.
• Each host obtains blacklists from victim hosts.
• If M is in multiple blacklists, M is classified as a malicious host based on certain threshold.
• Intruder is identified.• Trust values can be assigned to other hosts
based on past information.
92
D3
M1
S1
D1
Coordinated attacks by M1, M2, and M3
Multiple attackers trigger more blacklists to be broadcasted by D1, D2, D3.
D2
M2 M3
S2 S3
Acceleration in Intruder Identification
93
Reverse Labeling Restriction (RLR)
• Update Blacklist by Broadcasted Packets from Destinations under Attack• Next hop on the false route will be put into
local blacklist, and a counter increases. The time duration that the host stays in blacklist increases exponentially to the counter value.
• When timer expires, the suspicious host will be released from the blacklist and routing information from it will be accepted.
94
Deal With Hosts in Blacklist
• Packets from hosts in blacklist• Route request: If the request is from suspicious
hosts, ignore it. • Route reply: If the previous hop is suspicious and
the query destination is not the previous hop, the reply will be ignored.
• Route error: Will be processed as usual. RERR will activate re-discovery, which will help to detect attacks on destination sequence.
• Broadcast of INVALID packet: If the sender is suspicious, the packet will be processed but the blacklist will be ignored.
95
Attacks of Malicious Hosts on RLR
• Attack 1: Malicious host M sends false INVALID packet• Because the INVALID packets are signed, it
cannot send the packets in other hosts’ name• If M sends INVALID in its own name
• If the reported sequence number is greater than the real sequence number, every host ignores this attack
• If the reported sequence number is less than the real sequence number, RLR will converge at the malicious host. M is included in blacklist of more hosts. M accelerated the intruder identification directing towards M.
96
• Attack 2: Malicious host M frames other innocent hosts by sending false blacklist• If the malicious host has been identified, the
blacklist will be ignored• If the malicious host has not been identified, this
operation can only make the threshold lower. If the threshold is selected properly, it will not impact the identification results.
• Combining trust can further limit the impact of this attack.
97
• Attack 3: Malicious host M only sends false destination sequence about some special host• The special host will detect the attack and
send INVALID packets.• Other hosts can establish new routes to the
destination by receiving the INVALID packets.
98
Experimental Studies of RLR
• The experiments are conducted using ns2.• Various network scenarios are formed by
varying the number of independent attackers, number of connections, and host mobility.
• The examined parameters include:– Packet delivery ratio– Identification accuracy: false positive and
false negative ratio– Communication and computation overhead
99
Simulation Parameter
Simulation duration 1000 seconds
Simulation area 1000 * 1000 m
Number of mobile hosts 30
Transmission range 250 m
Pause time between the host reaches current target and moves to next target
0 – 60 seconds
Maximum speed 5 m/s
Number of CBR connection 25/50
Packet rate 2 pkt / sec
100
Experiment 1: Measure the Changes in Packet Delivery Ratio
Purpose: investigate the impacts of host mobility, number of attackers, and number of connections on the performance improvement brought by RLR
Input parameters: host pause time, number of independent attackers, number of connections
Output parameters: packet delivery ratioObservation: When only one attacker exists in the
network, RLR brings a 30% increase in the packet delivery ratio. When multiple attacker exist in the system, the delivery ratio will not recover before all attackers are identified.
101
Increase in Packet Delivery Ratio: Single Attacker
X-axis is host pause time, which evaluates the mobility of host. Y-axis is delivery ratio. 25 connections and 50 connections are considered. RLR brings a 30% increase in delivery ratio. 100% delivery is difficult to achieve due to network partition, route discovery delay and buffer.
102
X-axis is number of attackers. Y-axis is delivery ratio. 25 connections and 50 connections are considered. RLR brings a 20% to 30% increase in delivery ratio.
Increase in Packet Delivery Ratio: Multiple Attackers
103
Experiment 2: Measure the Accuracy of Intruder Identification
Purpose: investigate the impacts of host mobility, number of attackers ,and connection scenarios on the detection accuracy of RLR
Input parameters: number of independent attackers, number of connections, host pause time
Output parameters: false positive alarm ratio, false negative alarm ratio
Observation: The increase in connections may improve the detection accuracy of RLR. When multiple attackers exist in the network, RLR has a high false positive ratio.
104
Accuracy of RLR: Single Attacker
30 hosts, 25 connections 30 hosts, 50 connections
Host Pause time (sec)
# of normal hosts identify the attacker
# of normal hosts marked as malicious
# of normal hosts identify the attacker
# of normal hosts marked as malicious
0 24 0.22 29 2.2
10 25 0 29 1.4
20 24 0 25 1.1
30 28 0 29 1.1
40 24 0 29 0.6
50 24 0.07 29 1.1
60 24 0.07 24 1.0
The accuracy of RLR when there is only one attacker in the system
105
Accuracy of RLR: Multiple Attackers
30 hosts, 25 connections 30 hosts, 50 connections
# of attackers # of normal hosts identify all attackers
# of normal hosts marked as malicious
# of normal hosts identify all attackers
# of normal hosts marked as malicious
1 28 0 29 1.1
2 28 0.65 28 2.6
3 25 1 27 1.4
4 21 0.62 25 2.2
5 15 0.67 19 4.1
The accuracy of RLR when there are multiple attackers
106
Experiment 3: Measure the Communication Overhead
Purpose: investigate the impacts of host mobility and connection scenarios on the overhead of RLR
Input parameters: number of connections, host pause time
Output parameters: control packet overhead
Observation: When no false destination sequence attacks exist in the network, RLR introduces small packet overhead into the system.
107
X-axis is host pause time, which evaluates the mobility of host. Y-axis is normalized overhead (# of control packet / # of delivered data packet). 25 connections and 50 connections are considered. RLR increases the overhead slightly.
Control Packet Overhead
108
Research Opportunities: Improve Robustness of RLR
• Protect the good hosts from being framed by malicious hosts• The malicious hosts can frame the good hosts
by putting them into blacklist. • By lowering the trust values of both complainer
and complainee, we can restrict the impacts of the gossip distributed by the attackers.
109
• Avoid putting every host into blacklist• Combining the host density and movement
model, we can estimate the time ratio that two hosts are neighbors
• The counter for a suspicious host decreases as time passes
• Adjusting the decreasing ratio to control the average percentage of time that a host stays in the blacklist of another host
110
• Defend against coordinated attacks• The behaviors of collusive attackers show
Byzantine manners. The malicious hosts may establish trust to frame other hosts, or conduct attacks alternatively to avoid being identified.
• Look for the effective methods to defend against such attacks. Possible research directions include:
• Apply classification methods to detect the hosts that have similar behavior patterns
• Study the behavior histories of the hosts that belong to the same group and detect the pattern of malicious behavior (time-based, order-based)
111
An Architecture of Intruder Identification Agent
112
• Intruder identification can be applied to detect more attacks in ad hoc networks:– DoS attacks– Malicious discard– Trust abuse and privacy violation
• Reverse labeling mechanism can be applied to identify the attackers that– Disseminate false routing information– Discard data packets– Generate gossip to destroy other hosts’
reputation
113
Conclusions on Intruder Identification
• False destination sequence attacks can be detected by the anomaly patterns of the sequence numbers
• Reverse labeling method can reconstruct the false routing tree
• Isolating the attackers brings a sharp increase in network performance
• On going research will improve the robustness of the mechanism and the accuracy of identification
114
Related Ongoing Research
1) Detecting wormhole attacks
2) Position-based private routing in ad hoc networks
3) Fault tolerant authentication in movable base station systems
4) Congestion avoidance routing in ad hoc networks
115
1) Detecting Wormhole Attacks
• Problem statement The malicious nodes can eavesdrop the packets,
tunnel them to another location in the network, and retransmit them. This generates a false scenario that the original sender is in the neighborhood of the remote location.
wireless node 1
wireless node 2
attacker 1 attacker 2
tunnel
116
• Research challenges– Detect wormholes when the malicious host can be
the legal member of the network– Control the overhead introduced by wormhole
detection to avoid the hosts being overwhelmed
117
Classification of Wormholes• the wormholes are divided into 3 groups:
– Closed– Half open
– Open
118
The Approach: End-to-End Mechanism
• Assumption:– The hosts have the positioning devices and loosely
synchronized clocks– Pair-wise keys have been deployed
• Ideas:– The source and the intermediate hosts will attach the
<time, position> pairs that record the receiving and forwarding events
– The attached information is protected by message authentication codes (MAC)
– The neighbor relation validations are conducted by the destination
119
Validation at the Destination
• The MAC codes are calculated correctly
• The neighbor hosts are within the radio range when the packet is passed
• The average moving speed between the <time, position> pairs from the same host does not exceed the maximum value.
120
• Divide the area into same-sized cells and the time into same-length slots
• Require a constant storage space and linear computation operations for every intermediate host
• Have a configurable wormhole detection capability
Controlling Overhead: Cell-based Open Tunnel Avoidance
121
Computation Efficiency
• The experiments are conducted on a iPAQ 3630 with 206M Hz CPU and 64M RAM
• The computation overhead of wormhole detection for one 10-hop route consumes less than 0.5% of its CPU.
• The computation resource of a real PDA can support wormhole detection using COTA without trouble.
122
Conclusions
• The end-to-end mechanism can detect half open and open wormholes in ad hoc networks
• As a position information management scheme, COTA requires constant storage space and linear computation resource for every intermediate host
• The proposed mechanism can be adopted by real mobile devices
123
2) Position-based Private Routing in Ad Hoc Networks
• Problem statement– To hide the identities of the nodes who are
involved in routing in mobile wireless ad hoc networks.
• Challenges– Traditional ad hoc routing algorithms depend
on private information (e.g., ID) exposure in the network.
– Privacy solutions for P2P networks are not suitable in ad hoc networks.
124
Weak Privacy for Traditional Position-based Ad Hoc Routing Algorithm
• Position information of each node has to be locally broadcast periodically.
• Adversaries are able to obtain node trajectory based on the position report.
• Adversaries can estimate network topology.• Once a match between a node position and its
real ID is found, a tracer can always stay close to this node and monitor its behavior.
125
AO2P: Ad Hoc On-Demand Position-based Private Routing
• Position of destination is the information exposed in the network for routing discovery.
• A receiver-contention scheme is designed to determine the next hop in a route.
• Pseudo IDs are used instead of real IDs for data packet delivery after a route is built up.
• Route with a smaller number of hops will be used for better end-to-end throughput.
126
AO2P Routing Privacy and Accuracy
• Only the position of destination is revealed in the network for routing discovery. The privacy of the destination relies on the difficulty of matching a position to a node ID.
• Node mobility enhances destination privacy because a match between a position to a node ID is temporary.
• The privacy for the source and the intermediate forwarders is well preserved.
• Routing accuracy relies on the fact that at a specific time, only one node can be at a position. Since the pseudo ID for a node is generated from its position and the time it is at that position, the probability that more than one node have the same pseudo ID is negligible.
127
Privacy Enhancement: R-AO2P
• The position of reference point is carried in rreq instead of the position of the destination.
• The reference point is on the extended line from the sender to the destination. It can be used for routing discovery because generally, a node that processes the rreq closer to the reference point will also process the rreq closer to the destination.
• The position of the destination is only disclosed to the nodes who are involved in routing.
Reference point in R-AO2P
128
Illustrated Results
• Average delay for next hop determination
129
Illustrated Results
• Packet delivery ratio
130
Conclusions
• AO2P preserves node privacy in mobile ad hoc networks.
• AO2P has low next hop determination delay.
• Compared to other position-based ad hoc routing algorithm, AO2P has little routing performance degradation.
131
3) Fault Tolerant Authentication in Movable Base Station System• Problem
– To ensure security and prevent theft of resources (like bandwidth), all the packets originating inside the network should be authenticated.
– Authentication may become unreliable when base station fails or node moves from one cell to another.
• Challenge– How to design fault tolerant authentication
methods that are robust in the above conditions– How to design the protocols adaptable and re-
configurable
132
Proposed Schemes
• We propose two schemes to solve the problem.
– Virtual Home Agent– Hierarchical Authentication
• They differ in the architecture and the responsibilities that the Mobile Nodes and Base Stations (Agents) hold.
133
Virtual Home Agent Scheme
VHA ID = IP ADDRESSMaster Home Agent (MHA) Database Server
Shared SecretsDatabase
Backup Home Agents Other nodes in the network
134
Advantages of Proposed Scheme
• Has only 3 states and hence the overhead of state maintenance is negligible.
• Very few tasks need to be performed in each state (outlined in the tech report).
• Flexible – there could be multiple VHAs in the same LAN and a MHA could be a BHA for another VHA, a BHA could be a BHA for more than one VHA at the same time.
135
Disadvantages of Virtual HA Solution
• Not scalable if every packet has to be authenticated– Ex: huge audio or video data
• BHA (Backup Home Agents) are idle most of the time (they just listen to MHA’s advertisements.
• Central Database is still a single point of failure.
136
Hierarchical Authentication Scheme
• Multiple Home Agents in a LAN are organized in a hierarchy (like a tree data structure).
• A Mobile Node shares a key with each of the Agents above it in the tree (Multiple Keys).
• At any time, highest priority key is used for sending packets or obtaining any other kind of service.
137
Hierarchical Authentication Scheme
A
CB
GFED
K2
K1
(K1, P1)(K2, P2)
Database
Database
138
Hierarchical Authentication Scheme
Key Priority depends on several factors and computed as cumulative sum of weighted priorities of each factors:
Example Factors:• Communication Delays• Processing Speed of the Agents• Key Usage• Life Time of the Key
139
4) Congestion Avoidance Routing in Ad Hoc Networks
• Objective– To bring the consideration of congestion in the design
of the routing protocols.
• Thrust– To avoid congestion by minimizing contention for
channel access.
• Challenges– The global coupling effect of wireless channel access
in ad hoc networks.– Quantification of congestion without exchanging
messages with neighbors.
140
Intermediate Delay (IMD)
• IMD is a routing metric that characterizes the impacts of channel contention, the length of the route, and the traffic load at individual nodes.
• IMD estimates the delay introduced by the intermediate nodes along the route using the sum of delays from each node.
141
Ad Hoc Routing Based on IMD
B
A C
D E
F
H I
G
J
2P/C 2P/C
P/CPC
P/C
P/CP/C
Simplification of delay computation:
1. If channel capacity is C and packet size is P, delay is P/C.
2. If n nodes are in contention for a channel, each node gets C/n share of the channel capacity. The delay is nP/C.
Adapt to changes in traffic and network topology
B
A C
142
Delay Estimation
• A mobile node is modeled as a single server queuing system.
• Total delay includes the delay for transmitting a packet and the delay in the queue.
• The key is to estimate the delay for transmitting a packet.– Node with active traffic
• Use the mean value to estimate the delay.
– Node without active traffic• Study the procedure of packet transmission to
obtain the expectation of the delay.
143
IEEE 802.11 DCF (Distributed Coordination Function)
E[Tsucc]=TRTS+TCTS+TDATA+TACK+3TSIFS+E[Tbackoff]
E[Tfail]=TRTS+Ttimeout+E[Tbackoff]
144
SAGA: Self-Adjusting Congestion Avoidance Routing Protocol
• SAGA is a distance vector routing protocol.– use IMD instead of hop count as the distance– bypass hop spots where contention is intense
• Lazy route query uses special route advertisement for local route discovery.
• Approach to reduce the oscillation of IMD and prevent a node from switching back and forth among alternative routes.
145
Experimental Evaluation• Objective
– Study the performance of SAGA, AODV, DSR, and DSDV under congestion.
• Performance metrics– Throughput, delivery ratio, protocol overhead, and
end-to-end delay• Method
– Simulation using the network simulator ns2– Two types of UDP traffic: constant bit rate (CBR) and
pareto on/off (POO)– The offered traffic load is taken as the input parameter– Six experiments by varying the maximum speed of
movement of nodes and the number of connections– Five independent runs with random scenarios for each
experiment
146
30 CBR Connections, Low Mobility (4m/s)
147
10 POO Connections, High Mobility (20m/s)
148
Other Related Ongoing Research
1. Time-based private routing in ad hoc networks
2. Trust-based Privacy Preservation for Peer-to-peer Data Sharing
149
150
E. Trust-based Privacy Preservation for Peer-to-Peer Data Sharing
Problem statement
• Privacy in peer-to-peer systems is different from the anonymity problem
• Preserve privacy of requester
• A mechanism is needed to remove the association between the identity of the requester and the data needed
151
Proposed solution
• A mechanism is proposed that allows the peers to acquire data through trusted proxies to preserve privacy of requester– The data request is handled through the
peer’s proxies– The proxy can become a supplier later and
mask the original requester
152
Related work
• Trust in privacy preservation– Authorization based on evidence and trust,
[Bhargava and Zhong, DaWaK’02]– Developing pervasive trust [Lilien, CGW’03]
• Hiding the subject in a crowd– K-anonymity [Sweeney, UFKS’02]– Broadcast and multicast [Scarlata et al,
INCP’01]
153
Related work (2)
• Fixed servers and proxies– Publius [Waldman et al, USENIX’00]
• Building a multi-hop path to hide the real source and destination– FreeNet [Clarke et al, IC’02]– Crowds [Reiter and Rubin, ACM TISS’98]– Onion routing [Goldschlag et al, ACM
Commu.’99]
154
Related work (3)
• [Sherwood et al, IEEE SSP’02]– provides sender-receiver anonymity by
transmitting packets to a broadcast group
• Herbivore [Goel et al, Cornell Univ Tech Report’03]– Provides provable anonymity in peer-to-peer
communication systems by adopting dining cryptographer networks
5p5p
155
Privacy measurement
• A tuple <requester ID, data handle, data content> is defined to describe a data acquirement.
• For each element, “0” means that the peer knows nothing, while “1” means that it knows everything.
• A state in which the requester’s privacy is compromised can be represented as a vector <1, 1, y>, (y Є [0,1]) from which one can link the ID of the requester to the data that it is interested in.
156
For example, line k represents the states that the requester’s privacy is compromised.
Privacy measurement (2)
157
Mitigating collusion
• An operation “*” is defined as:
• This operation describes the revealed information after a collusion of two peers when each peer knows a part of the “secret”.
• The number of collusions required to compromise the secret can be used to evaluate the achieved privacy
,0
),,max( iii
bac
.
;00
otherwise
banda ii
321321321 ,,,,,, bbbaaaccc
158
Trust based privacy preservation scheme
• The requester asks one proxy to look up the data on its behalf. Once the supplier is located, the proxy will get the data and deliver it to the requester– Advantage: other peers, including the
supplier, do not know the real requester– Disadvantage: The privacy solely depends on
the trustworthiness and reliability of the proxy
159
Trust based scheme – Improvement 1
• To avoid specifying the data handle in plain text, the requester calculates the hash code and only reveals a part of it to the proxy.
• The proxy sends it to possible suppliers.• Receiving the partial hash code, the supplier
compares it to the hash codes of the data handles that it holds. Depending on the revealed part, multiple matches may be found.
• The suppliers then construct a bloom filter based on the remaining parts of the matched hash codes and send it back. They also send back their public key certificates.
160
Trust based scheme – Improvement 1 – cont.
• Examining the filters, the requester can eliminate some candidate suppliers and finds some who may have the data.
• It then encrypts the full data handle and a data transfer key with the public key.
• The supplier sends the data back using through the proxy
• Advantages:– It is difficult to infer the data handle through the partial hash code– The proxy alone cannot compromise the privacy– Through adjusting the revealed hash code, the allowable error of
the bloom filter can be determined
DatakDatak
161
Data transfer procedure after improvement 1
R: requester S: supplier
Step 1, 2: R sends out the partial hash code of the data handle
Step 3, 4: S sends the bloom filter of the handles and the public key certificates
Step 5, 6: R sends the data handle and encrypted by the public key
Step 7, 8: S sends the required data encrypted by
Datak
Datak
Requester Proxy of Supplier Requester
162
Trust based scheme – Improvement 2
• The above scheme does not protect the privacy of the supplier
• To address this problem, the supplier can respond to a request via its own proxy
163
Trust based scheme – Improvement 2
Requester Proxy of Proxy of Supplier Requester Supplier
164
Trustworthiness of peers
• The trust value of a proxy is assessed based on its behaviors and other peers’ recommendations
• Using Kalman filtering, the trust model can be built as a multivariate, time-varying state vector
165
Experimental platform - TERA
• Trust enhanced role mapping (TERM) server assigns roles to users based on – Uncertain & subjective evidences– Dynamic trust
• Reputation server – Dynamic trust information repository– Evaluate reputation from trust information
by using algorithms specified by TERM server
166
Trust enhanced role assignment architecture (TERA)
T E R M s er v er
T E R M s er v er
T r u s t b as ed o n b eh av io r s
T r u s t b as ed o n b eh av io r s
R ep u ta tio n
R ep u ta tio n
R ep u ta tio n s er v er
Alic e
Bo b
T E R A
R o le r eq u es t
As s ig n ed r o le
R o le r eq u es t
As s ig n ed r o le
R BAC en h an c edap p lic a tio n s er v er
R BAC en h an c edap p lic a tio n s er v er
Us er 's b eh av io r
Us er 's b eh av io r
I n te r ac tio n s
I n te r ac tio n s
167
Conclusion
• A trust based privacy preservation method for peer-to-peer data sharing is proposed
• It adopts the proxy scheme during the data acquirement
• Extensions– Solid analysis and experiments on large
scale networks are required– A security analysis of the proposed
mechanism is required
168
• More information may be found athttp://raidlab.cs.purdue.edu
• Our papers and tech reportsW. Wang, Y. Lu, B. Bhargava, On vulnerability and protection
of AODV, CERIAS Tech Report TR-02-18.B. Bhargava, Y. Zhong, Authorization based on Evidence and
Trust, in Proceedings of Data Warehouse and Knowledge Management Conference (DaWak), 2002
Y. Lu, B. Bhargava and M. Hefeeda, An Architecture for Secure Wireless Networking, IEEE Workshop on Reliable and Secure Application in Mobile Environment, 2001
W. Wang, Y. Lu, B. Bharagav, “On vulnerability and protection of AODV”, in proceedings of ICT 2003.
W. Wang, Y. Lu, B. Bhargava, “On security study of two distance vector routing protocols for two mobile ad hoc networks”, in proceedings of PerCOm 2003.
169
Selected References
• [1] C. Perkins and E. Royer, “Ad-hoc on-demand distance vector routing,” in Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications, 1999.
• [2] C. Perkins, “Highly dynamic destination-sequenced distancevector routing (DSDV) for mobile computers,” in Proceedings of SIGCOMM, 1994.
• [3] Z. Haas and M. Pearlman, “The zone routing protocol (ZRP) for ad hoc networks,” IETF Internet Draft, Version 4, July, 2002.
• [4] T. Camp, J. Boleng, B. Williams, L. Wilcox, and W. Navidi, “Performance comparison of two location based routing protocols for ad hoc networks,” in Proceedings of the IEEE INFOCOM, 2002.
• [5] Z. Haas, J. Halpern, and L. Li, “Gossip-based ad hoc routing,” in Proceedings of the IEEE INFOCOM, 2002.
• [6] C. Perkins, E. Royer, and S. Das, “Performance comparison of two on-demand routing protocols for ad hoc networks,” in Proceedings of IEEE INFOCOM, 2000.
• [7] S. Das and R. Sengupta, “Comparative performance evaluation of routing protocol for mobile, ad hoc networks,” in Proceedings of IEEE the Seventh International Conference on Computer Communications and Networks, 1998.
• [8] L. Venkatraman and D. Agrawal, “Authentication in ad hoc networks,” in Proceedings of the 2nd IEEE Wireless Communications and Networking Conference, 2000.
170
Selected References
• [9] Y. Zhang and W. Lee, “Intrusion detection in wireless ad-hoc networks,” in Proceedings of ACM MobiCom, 2000.
• [10] Z. Zhou and Z. Haas, “Secure ad hoc networks,” IEEE Networks, vol. 13, no. 6, pp. 24–30, 1999.
• [11] V. Bharghavan, “Secure wireless LANs,” in Proceedings of the ACM Conference on Computers and Communications Security, 1994.
• [12] P. Sinha, R. Sivakumar, and V. Bharghavan, “Enhancing ad-hoc routing with dynamic virtual infrastructures.,” in Proceedings of IEEE INFOCOM, 2001.
• [13] S. Bhargava and D. Agrawal, “Security enhancements in AODV protocol for wireless ad hoc networks,” in Proceedings of Vehicular Technology Conference, 2001.
• [14] P. Papadimitratos and Z. Haas, “Secure routing for mobile ad hoc networks,” in Proceedings of SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS), 2002.
• [15] P. Albers and O. Camp, “Security in ad hoc network: A general id architecture enhancing trust based approaches,” in Proceedings of International Conference on Enterprise Information Systems (ICEIS), 2002.
171