488                                                                              IEEE TRANSACTIONS ON MOBILE COMPUTING,   ...
490                                                             IEEE TRANSACTIONS ON MOBILE COMPUTING,    VOL. 6, NO. 5,  ...
492                                                               IEEE TRANSACTIONS ON MOBILE COMPUTING,          VOL. 6, ...
494                                                                   IEEE TRANSACTIONS ON MOBILE COMPUTING,   VOL. 6, NO....
496                                                              IEEE TRANSACTIONS ON MOBILE COMPUTING,            VOL. 6,...
498                                                               IEEE TRANSACTIONS ON MOBILE COMPUTING,           VOL. 6,...
500                                                             IEEE TRANSACTIONS ON MOBILE COMPUTING,     VOL. 6, NO. 5, ...
24. an acknowledgment based approach for the detection of routing misbehavior in mane ts
24. an acknowledgment based approach for the detection of routing misbehavior in mane ts
Upcoming SlideShare
Loading in...5

24. an acknowledgment based approach for the detection of routing misbehavior in mane ts


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

24. an acknowledgment based approach for the detection of routing misbehavior in mane ts

  1. 1. 488 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 6, NO. 5, MAY 2007 An Acknowledgment-Based Approach for the Detection of Routing Misbehavior in MANETs Kejun Liu, Jing Deng, Member, IEEE, Pramod K. Varshney, Fellow, IEEE, and Kashyap Balakrishnan, Member, IEEE Abstract—We study routing misbehavior in MANETs (Mobile Ad Hoc Networks) in this paper. In general, routing protocols for MANETs are designed based on the assumption that all participating nodes are fully cooperative. However, due to the open structure and scarcely available battery-based energy, node misbehaviors may exist. One such routing misbehavior is that some selfish nodes will participate in the route discovery and maintenance processes but refuse to forward data packets. In this paper, we propose the 2ACK scheme that serves as an add-on technique for routing schemes to detect routing misbehavior and to mitigate their adverse effect. The main idea of the 2ACK scheme is to send two-hop acknowledgment packets in the opposite direction of the routing path. In order to reduce additional routing overhead, only a fraction of the received data packets are acknowledged in the 2ACK scheme. Analytical and simulation results are presented to evaluate the performance of the proposed scheme. Index Terms—Mobile Ad Hoc Networks (MANETs), routing misbehavior, node misbehavior, network security, Dynamic Source Routing (DSR). Ç1 INTRODUCTIONA Mobile Ad Hoc Network (MANET) is a collection of mobile nodes (hosts) which communicate with eachother via wireless links either directly or relying on other mobile environment. An individual mobile node may attempt to benefit from other nodes, but refuse to share its own resources. Such nodes are called selfish or misbehav-nodes as routers. The operation of MANETs does not ing nodes and their behavior is termed selfishness ordepend on preexisting infrastructure or base stations. misbehavior [2]. One of the major sources of energyNetwork nodes in MANETs are free to move randomly. consumption in the mobile nodes of MANETs is wirelessTherefore, the network topology of a MANET may change transmission [3]. A selfish node may refuse to forward datarapidly and unpredictably. All network activities, such as packets for other nodes in order to conserve its own energy.discovering the topology and delivering data packets, have Several techniques have been proposed to detect andto be executed by the nodes themselves, either individually alleviate the effects of such selfish nodes in MANETs [4],or collectively. Depending on its application, the structure [5], [6], [7], [8], [9]. In [4], two techniques were introduced,of a MANET may vary from a small, static network that is namely, watchdog and pathrater, to detect and mitigate thehighly power-constrained to a large-scale, mobile, highly effects of the routing misbehavior, respectively. The watch-dynamic network. dog technique identifies the misbehaving nodes by over- There are two types of MANETs: closed and open [1]. In hearing on the wireless medium. The pathrater techniquea closed MANET, all mobile nodes cooperate with each allows nodes to avoid the use of the misbehaving nodes inother toward a common goal, such as emergency search/ any future route selections. The watchdog technique isrescue or military and law enforcement operations. In an based on passive overhearing. Unfortunately, it can onlyopen MANET, different mobile nodes with different goals determine whether or not the next-hop node sends out theshare their resources in order to ensure global connectivity. data packet. The reception status of the next-hop link’sHowever, some resources are consumed quickly as the receiver is usually unknown to the observer.nodes participate in the network functions. For instance, In order to mitigate the adverse effects of routingbattery power is considered to be most important in a misbehavior, the misbehaving nodes need to be detected so that these nodes can be avoided by all well-behaved nodes. In this paper, we focus on the following problem:. K. Liu and J. Deng are with the Department of Computer Science, University of New Orleans, 2000 Lakeshore Dr., New Orleans, LA 70148. Misbehavior Detection and Mitigation. In MANETs, E-mail: {kliu, jing}@cs.uno.edu. routing misbehavior can severely degrade the performance at the. P.K. Varshney is with the Electrical Engineering and Computer Science routing layer. Specifically, nodes may participate in the route Department, 335 Link Hall, Syracuse University, Syracuse, NY 13244. discovery and maintenance processes but refuse to forward data E-mail: varshney@syr.edu.. K. Balakrishnan is with the Security Services Group, Deloitte and Touche packets. How do we detect such misbehavior? How can we make LLP, 1750 Tysons Boulevard, Suite 800, McLean, VA 22102. such detection processes more efficient (i.e., with less control E-mail: kbalakrishnan@deloitte.com. overhead) and accurate (i.e., with low false alarm rate and missedManuscript received 13 Oct. 2005; revised 4 Apr. 2006; accepted 23 Aug. detection rate)?2006; published online 7 Feb. 2007. We propose the 2ACK scheme to mitigate the adverseFor information on obtaining reprints of this article, please send e-mail to:tmc@computer.org, and reference IEEECS Log Number TMC-0300-1005. effects of misbehaving nodes. The basic idea of the 2ACKDigital Object Identifier no. 10.1109/TMC.2007.1036. scheme is that, when a node forwards a data packet 1536-1233/07/$25.00 ß 2007 IEEE Published by the IEEE CS, CASS, ComSoc, IES, & SPS
  2. 2. LIU ET AL.: AN ACKNOWLEDGMENT-BASED APPROACH FOR THE DETECTION OF ROUTING MISBEHAVIOR IN MANETS 489successfully over the next hop, the destination node of the In [15], each node maintains a counter termed the nugletnext-hop link will send back a special two-hop acknowl- counter. The counter is decreased when the node sendsedgment called 2ACK to indicate that the data packet has packets of its own, but increased when it forwards packetsbeen received successfully. Such a 2ACK transmission takes for the other nodes. The counter should be positive before aplace for only a fraction of data packets, but not all. Such a node is allowed to send its packet. Therefore, the nodes are“selective” acknowledgment1 is intended to reduce the encouraged to continue to help other nodes. Tamper-additional routing overhead caused by the 2ACK scheme. resistant hardware modules are used to keep nodes fromJudgment on node behavior is made after observing its increasing the nuglet counter illegally.behavior for a certain period of time. Another credit-based scheme, termed Sprite, was pro- In this paper, we present the details of the 2ACK scheme posed by Zhong et al. [8]. In Sprite, nodes keep receipts ofand our evaluation of the 2ACK scheme as an add-on to the the received/forwarded messages. When they have a fastDynamic Source Routing (DSR [10]) protocol. The rest of the connection to a Credit Clearance Service (CCS), they reportpaper is organized as follows: In Section 2, we summarize all of these receipts. The CCS then decides the charge andthe various approaches for router misbehavior detection credit for the reporting nodes. In the network architecture of Sprite, the CCS is assumed to be reachable through the useand mitigation that have been proposed and studied in the of the Internet, limiting the utility of Sprite.literature. In Section 3, we present the problem and discuss The main problem with credit-based schemes is that theythe performance degradation caused by the misbehaving usually require some kind of tamper-resistant hardwarenodes in MANETs. The details of the 2ACK scheme and and/or extra protection for the virtual currency or therelated discussion are given in Section 4. In Section 5, we payment system. We focus on reputation-based techniquespresent our simulation results that compare the DSR in this paper instead.scheme, the DSR+2ACK scheme, and other related schemes.We conclude the work in Section 6. 2.2 Reputation-Based Schemes The second category of techniques to combat node2 RELATED WORK misbehavior in MANETs is reputation-based [4], [7]. In such schemes, network nodes collectively detect and declare theThe security problem and the misbehavior problem of misbehavior of a suspicious node. Such a declaration is thenwireless networks including MANETs have been studied propagated throughout the network so that the misbehav-by many researchers, e.g., [11], [12], [13], [14]. Various ing node will be cut off from the rest of the network.techniques have been proposed to prevent selfishness in In [4], Marti et al. proposed a scheme that contains twoMANETs. These schemes can be broadly classified into major modules, termed watchdog and pathrater, to detect andtwo categories: credit-based schemes and reputation-based mitigate, respectively, routing misbehavior in MANETs.schemes. Nodes operate in a promiscuous mode wherein the watch- dog module overhears the medium to check whether the2.1 Credit-Based Schemes next-hop node faithfully forwards the packet. At the sameThe basic idea of credit-based schemes is to provide time, it maintains a buffer of recently sent packets. A dataincentives for nodes to faithfully perform networking packet is cleared from the buffer when the watchdogfunctions. In order to achieve this goal, virtual (electronic) overhears the same packet being forwarded by the next-hopcurrency or similar payment system may be set up. Nodes node over the medium. If a data packet remains in theget paid for providing services to other nodes. When they buffer for too long, the watchdog module accuses the next-request other nodes to help them for packet forwarding, hop neighbor of misbehaving. Thus, the watchdog enablesthey use the same payment system to pay for such services misbehavior detection at the forwarding level as well as the[5], [6], [15], [9]. link level. Based on the watchdog’s accusations, the In [5], Buttyan and Hubaux used the concept of nuggets pathrater module rates every path in its cache and(also called beans) as payments for packet forwarding. They subsequently chooses the path that best avoids misbehavingproposed two models: the Packet Purse Model and the nodes. Due to its reliance on overhearing, however, thePacket Trade Model. In the Packet Purse Model, nuggets are watchdog technique may fail to detect misbehavior or raiseloaded into the packet before it is sent. The sender puts a false alarms in the presence of ambiguous collisions,certain number of nuggets on the data packet to be sent. receiver collisions, and limited transmission power, asEach intermediate node earns nuggets in return for explained in [4].forwarding the packet. If the packet exhausts its nuggets The CONFIDANT protocol proposed by Buchegger andbefore reaching its destination, then it is dropped. In the Le Boudec in [7] is another example of reputation-basedPacket Trade Model, each intermediate node “buys” the schemes. The protocol is based on selective altruism andpacket from the previous node for some nuggets and “sells” utilitarianism, thus making misbehavior unattractive. CON-it to the next node for more nuggets. Thus, each inter- FIDANT consists of four important components—the Monitor, the Reputation System, the Path Manager, andmediate node earns some nuggets for providing the the Trust Manager. They perform the vital functions offorwarding service and the overall cost of sending the neighborhood watching, node rating, path rating, andpacket is borne by the destination. sending and receiving alarm messages, respectively. Each 1. It will become clear later that the acknowledgment in the 2ACK node continuously monitors the behavior of its first-hopscheme is different from SACK in TCP. neighbors. If a suspicious event is detected, details of the
  3. 3. 490 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 6, NO. 5, MAY 2007event are passed to the Reputation System. Depending on The Best-effort Fault-Tolerant Routing (BFTR) schemehow significant and how frequent the event is, the due to Xue and Nahrstedt [18] also employs end-to-endReputation System modifies the rating of the suspected ACKs. The BFTR scheme continuously monitors the qualitynode. Once the rating of a node becomes intolerable, control (i.e., packet delivery ratio) of the path in use. This isis passed to the Path Manager, which accordingly controls compared with the predefined expected behavior of goodthe route cache. Warning messages are propagated to other routes. If the behavior of the route in use deviates from thenodes in the form of an Alarm message sent out by the Trust behavior of good routes, it is marked as “infeasible” and aManager. new route is used. Since BFTR throws out the entire route The Monitor component in the CONFIDANT scheme before detecting the misbehaving nodes, the newly chosenobserves the next hop neighbor’s behavior using the route may still include the same misbehaving nodes. Evenoverhearing technique. This causes the scheme to suffer though the new route will be detected as infeasible by thefrom the same problems as the watchdog scheme. source after a period of observation time, data packet loss In [1], Miranda and Rodrigues adopted a similar will occur in traffic flows when using protocols such asapproach. Each node i maintains a data structure Statusi ½jŠ UDP. Such a repeated detection process is inefficient. Inabout every other node j as an indication of what impression contrast with BFTR, we try to identify such misbehavingnode i has about node j. Along with a credit counter, node i links in this work. Therefore, more accurate information onalso maintains lists of nodes to which node j will and will routing misbehavior can be obtained in the 2ACK scheme.not provide service. Every node periodically broadcasts Compared with the schemes in [16], [17], [18], the 2ACKrelevant information in the form of a self-state message. scheme does not rely on end-to-end acknowledgment. SuchOther nodes update their own lists based on the information an acknowledgment scheme may not exist in some trafficcontained in these self-state messages. flows (such as UDP). Instead, the 2ACK scheme tries to2.3 End-to-End Acknowledgment Schemes detect misbehaving links as the links are being used. Such aThere are several schemes that use end-to-end acknow- proactive detection approach results in quicker detectionledgments (ACKs) to detect routing misbehavior or and identification of misbehaving links. Note that it may bemalicious nodes in wireless networks. beneficial to include end-to-end acknowledgments in the In the TCP protocol, end-to-end acknowledgment is 2ACK scheme. In such a combined scheme, the 2ACKemployed. Such acknowledgments are sent by the end- transmission and the monitoring processes are turned onreceiver to notify the sender about the reception of data only when routing performance degrades. It will further reduce the routing overhead of the 2ACK scheme.packets up to some locations of the continuous data stream. In [19], Conti et al. proposed a scheme to choose routesThe Selective Acknowledgment (SACK) technique is used based on the reliability index of each outgoing neighbor.to acknowledge out-of-order data blocks. Each node maintains a table of reliability indices of its The 2ACK technique differs from the ACK and the neighbors. Such a reliability index reflects the past success/SACK schemes in the TCP protocol in the following failure experience of packet transmissions through thismanner: The 2ACK scheme tries to detect those misbehav- neighbor. For example, a successful end-to-end transmis-ing nodes which have agreed to forward data packets for sion will result in an increase of the reliability index of thethe source node but refuse to do so when data packets neighbor associated with the route. When choosing routesarrive. TCP, on the other hand, uses ACK and SACK to for data transmissions, nodes prefer those rooted at themeasure the usefulness of the current route and to take neighbors with higher reliability indices. Different policiesappropriate action. For example, congestion control is based for route selection were investigated in [19]. Since a sourceon the reception of the ACK and the SACK packets. node judges all potential routes through its immediate In order to identify malicious routers that draw traffic neighbors, the overall reliability of the chosen routetoward themselves but fail to correctly forward the traffic, depends on how the neighbors choose the rest of the route.Padmanabhan and Simon proposed the secure traceroute Here, we propose a scheme to detect misbehaving links andprotocol [16]. The normal traceroute protocol allows the to avoid them as much as possible.sender to simply send packets with increasing Time-To-Live (TTL) values and wait for a warning message from the 2.4 Other Prior State-of-the-Art Schemesrouter at which time the packet’s TTL value expires. The The misbehavior problem that we focus on in this work wassecure traceroute protocol authenticates the traceroute referred to as the Black Hole attack in [20], [14]. In [14], Aadpackets and disguises them as regular data packets. et al. investigated the JellyFish attack for closed-loop flows In [17], Awerbuch et al. proposed an On-Demand Secure such as TCP. It was shown that a JellyFish attacker mayRouting Protocol to adaptively probe faulty links on the stealthily rearrange, delay, or periodically drop packetsroute being used. Similarly to the secure traceroute scheme, while still remaining protocol-compliant. Such attacks maybinary search is initiated on faulty routes. Asymptotically, cause end-to-end throughput of closed-loop flows to drop.logðnÞ probes are needed to identify a faulty link on a Similarly, the Black Hole attack was also shown to havefaulty n-hop route. This technique only works with static adverse effect on open-loop flows such as UDP. Unlike [14],misbehaviors and needs to disguise the probing messages we propose a 2ACK technique to detect such misbehaviors.as regular routing control packets. Once a link is identified Several other interesting techniques have been proposedas faulty, the link weight is increased so that future link to address the issue of potential node misbehavior inselections will avoid this link. MANETs. For example, Srinivasan et al. addressed the issue
  4. 4. LIU ET AL.: AN ACKNOWLEDGMENT-BASED APPROACH FOR THE DETECTION OF ROUTING MISBEHAVIOR IN MANETS 491of user cooperation in MANETs [21]. The behavior of nodes . R: the transmission range of each node. We assumewas assumed to be rational, i.e., their actions were strictly that the transmission of all nodes is omni-directionaldetermined by self-interest. A Generous TIT-FOR-TAT and the transmission range is homogeneous. We(GTFT) scheme was used to make sure that a Nash assume R ¼ 250 m in our simulations.equilibrium would be achieved. Such an equilibrium will . Vm : the maximum speed of a mobile node.lead to optimized throughput performance for all nodes in . h: the average number of hops from the source nodethe network. The problem of a few misbehaving nodes to the destination node.cannot be solved by this approach. . ‘: the expected progress of one-hop transmission. Mahajan et al. proposed a CATCH scheme to allow . d: the expected distance between the source nodecooperative nodes to detect free-riders in the neighborhood and the destination node.[22]. A free-rider is defined as a node that does not provide . pm : the fraction of nodes that are misbehaving. Thisservice to other nodes but requests service from others. The is also the probability of a node being a misbehaving node. The misbehaving nodes are selected among allCATCH scheme also allows the cooperative neighbors of a network nodes randomly. In our simulations, pmfree-rider to isolate it from the rest of the network. The ranges from 0 to 0.4.CATCH scheme is essentially built on top of the watchdog . pr : the probability of a misbehaving route, i.e., thescheme in [4]. We will discuss the difference between our probability of a route with at least one misbehavingproposed scheme and the watchdog scheme in Section 4.2. router.2.5 The TWOACK and S-TWOACK Schemes . Rmis : the threshold to determine the allowable ratio of the total number of 2ACK packets missed to theIn [23], we proposed an early version of the 2ACK scheme, total number of data packets sent.termed TWOACK. The 2ACK and the TWOACK schemes . Rack : the acknowledgment ratio, the fraction of datahave the following major differences: 1) The receiving node packets that are acknowledged with 2ACK packetsin the 2ACK scheme only sends 2ACK packets for a fraction (maintained at the 2ACK sender).of received data packets, while, in the TWOACK scheme, . : the value of timeout, beyond which time a dataTWOACK packets are sent for every data packet received. packet will be considered to be unacknowledged.Acknowledging a fraction of received data packets gives the . Tobs : the observation period prior to declaring node2ACK scheme better performance with respect to routing misbehavior.overhead. 2) The 2ACK scheme has an authentication . Cmis : the counter of missing 2ACK packets (main-mechanism to make sure that the 2ACK packets are tained at the observing node).genuine. . Cpkts : the counter of forwarded data packets (main- The Selective TWOACK (S-TWOACK) scheme proposed tained at the observing node).in [23] is different from 2ACK as well. Mainly, eachTWOACK packet in the S-TWOACK scheme acknowledges 3.2 Routing Misbehavior Modelthe receipt of a number of data packets, but a 2ACK packet We present the routing misbehavior model considered inin the 2ACK scheme only acknowledges one data packet. this paper in the context of the DSR protocol [10]. Due toWith such a subtle change, the 2ACK scheme has easier DSR’s popularity, we use it as the basic routing protocol tocontrol over the trade-off between the performance of the illustrate our proposed add-on scheme. The details of DSRnetwork and the cost as compared to the S-TWOACK can be found in [10]. The implementation of our scheme asscheme. an add-on to other routing schemes will be discussed in Section 6. We focus on the following routing misbehavior: A selfish3 PROBLEM OF ROUTING MISBEHAVIOR node does not perform the packet forwarding function forIn this section, we describe the problems caused by routing data packets unrelated to itself.2 However, it operatesmisbehavior. But first, we summarize the notations and normally in the Route Discovery and the Route Mainte-assumptions used throughout this paper. nance phases of the DSR protocol. Since such misbehaving3.1 Notations and Assumptions nodes participate in the Route Discovery phase, they mayThis section outlines our assumptions regarding the be included in the routes chosen to forward the data packetsproperties of the physical and network layers. Throughout from the source. The misbehaving nodes, however, refusethis paper, we assume bidirectional communication. Such a to forward the data packets from the source. This leads tosymmetry of links is needed for the transmission of the the source being confused.designed 2ACK packets. Our scheme works with source In guaranteed services such as TCP, the source node mayrouting, such as DSR [10]. We further assume that there is either choose an alternate route from its route cache or initiate a new Route Discovery process. The alternate routeno collusion among misbehaving nodes. We argue thatmisbehavior caused by selfishness is usually limited to 2. In some networks, a router may be considered well-behaved as long asindividual nodes in MANETs. it sends out the packet toward the next-hop node. This, however, does not We use the following notations throughout the paper: guarantee the successful reception of the packet at the next-hop node. Such a behavior by the router, if consistently repeated, will be considered as misbehavior in this work. After all, it is the router’s responsibility to make . X Ã Y : the size of network area. sure of the successful reception of the packet at the next-hop node when it . N: the total number of nodes in the network. responded to the route-discovery process.
  5. 5. 492 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 6, NO. 5, MAY 2007may again contain misbehaving nodes and, therefore, the The average one-hop progress, ‘, can be approximated asdata transmission may fail again. The new Route Discovery the average of the maximum distance between a sender andphase will return a similar set of routes, including the each of the neighbors within its transmission range.3 Wemisbehaving nodes. Eventually, the source node may calculate the average number of nodes in the transmissionconclude that routes are unavailable to deliver the data circle, :packets. As a result, the network fails to provide reliablecommunication for the source node even though such N ¼ Á R2 ; ð2Þroutes are available. In best-effort services such as UDP, the XÃYsource simply sends out data packets to the next-hop node, N where X à Y is the size of the network area and XÃY is thewhich forwards them on. The existence of a misbehaving node density.node on the route will cut off the data traffic flow. The For simplicity of discussion, we assume that is ansource has no knowledge of this at all. integer. The probability of all nodes residing within In this paper, we propose the 2ACK technique to detect distance r from the center of the transmission circle can besuch misbehaving nodes. Routes containing such nodes will expressed asbe eliminated from consideration. The source node will beable to choose an appropriate route to send its data. In this F ðrÞ ¼ ProbðAll nodes reside within a circle of radius rÞwork, we use both UDP and TCP to demonstrate the ¼ ½Probða node resides within rފadverse effect of routing misbehavior and the performance 2 of our proposed scheme. r ¼ The attackers (misbehaving nodes) are assumed to be R2capable of performing the following tasks: r2 ¼ 2 ; R . dropping any data packet, . masquerading as the node that is the receiver of its where we have used the assumptions of node location next-hop link, independence and randomness. . sending out fabricated 2ACK packets, The Probability Density Function (pdf) of progress r . sending out fabricated hn , the key generated by the from the source is 2ACK packet senders, and @ 2 Á r2À1 . claiming falsely that its neighbor or next-hop links fðrÞ ¼ F ðrÞ ¼ : are misbehaving. @r R2 The average progress is then the expected value of r with3.3 Probability of Misbehaving Routes respect to pdf fðrÞ,In order to demonstrate the adverse effect of routing Z Rmisbehavior, we estimate the probability of misbehaving 2 Á R ‘¼ rfðrÞdr ¼ : ð3Þroutes in this subsection. A route is defined as misbehaving 0 2 þ 1when there is at least one router along the route that can beclassified as misbehaving. Based on (3): When ¼ 0, no progress can be made Our analysis is based on the following assumptions: (‘ ¼ 0); when ¼ 1, the progress is the expected value of the distance at which the sole node is located from the center, .The network nodes are randomly distributed over ‘ ¼ 2 R; when is large, the progress approaches R, ‘ ! R. 3 the entire network area. Each node’s location is In a network area of size X à Y , the average distance independent of all other nodes’ locations. There are between the source and the destination can be approxi- N nodes in the network area of size X à Y . mated by . The source and the destination of each transaction pffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi are chosen randomly among all nodes. d % ð0 þ X2 þ Y 2 Þ=2: ð4Þ . Nodes (other than the source and the destination) Therefore, the expected number of hops can be estimated as are chosen as misbehaving nodes, independently, with probability pm . pffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi pffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi d X 2 þ Y 2 ð2 þ 1Þ Á X 2 þ Y 2 We examine a route with an average number of hops, h. h% % % ; ð5Þ ‘ 2‘ 4RThere are h À 1 routers between the source and thedestination. Each of these routers may misbehave with where we have implicitly assumed that the averageprobability pm . The probability of the route with at least one progress made on a hop is independent of the averagemisbehaving node is: progress made on the previous hops. Combining (1) and (5), we have pr ¼ 1 À ð1 À pm ÞhÀ1 : ð1Þ pffiffiffiffiffiffiffiffiffi ð2þ1ÞÁ X2 þY 2 À1 pr ¼ 1 À ð1 À pm Þ 4R ; ð6Þ In order to estimate pr , we need to know h, the averagenumber of hops of a route. We use the following approach: where is given by (2).We first estimate the average progress of each hop, ‘, in thenetwork; we then estimate the average distance, d, between 3. Note that this is only an approximation, which assumes that the farthest neighbor from the sender is always in the direction toward thethe source and the destination; the value of h can be destination. Our simulation results, presented later in this section, showestimated as d=‘. that our approximation works quite well.
  6. 6. LIU ET AL.: AN ACKNOWLEDGMENT-BASED APPROACH FOR THE DETECTION OF ROUTING MISBEHAVIOR IN MANETS 493 TABLE 1 Probability of Misbehaving Routes for Different Misbehavior Ratio, pm Fig. 1. The 2ACK scheme. In the next-hop link, a misbehaving sender or a misbehav- ing receiver has a similar adverse effect on the data packet: It will not be forwarded further. The result is that this link will be tagged [17]. Our approach discussed here signifi- cantly simplifies the detection mechanism. 4.1 Details of the 2ACK Scheme The 2ACK scheme is a network-layer technique to detect misbehaving links and to mitigate their effects. It can be implemented as an add-on to existing routing protocols for MANETs, such as DSR. The 2ACK scheme detects misbehavior through the use of a new type of acknowl- edgment packet, termed 2ACK. A 2ACK packet is assigned a fixed route of two hops (three nodes) in the opposite direction of the data traffic route. Fig. 1 illustrates the operation of the 2ACK scheme. We have compared the numerical results based on (6) Suppose that N1 , N2 , and N3 are three consecutive nodesand simulation results. Our simulation results were (triplet) along a route. The route from a source node, S, to aobtained through 20 runs with different seeds in NS2. In destination node, D, is generated in the Route DiscoveryTable 1, we show the results for different network areas and phase of the DSR protocol. When N1 sends a data packet tonumber of nodes. The transmission range is R ¼ 250 m for N2 and N2 forwards it to N3 , it is unclear to N1 whether N3every node. receives the data packet successfully or not. Such an Based on Table 1, we can conclude that, as expected, the ambiguity exists even when there are no misbehavingprobability of a misbehaving route, pr , increases with pm . nodes. The problem becomes much more severe in openThis probability also increases with network area because MANETs with potential misbehaving nodes.the routes are longer. The values of pr obtained analytically The 2ACK scheme requires an explicit acknowledgmentare larger than those obtained using simulation. This is due to be sent by N3 to notify N1 of its successful reception of ato our estimation of d in (4) that is higher than the actual data packet: When node N3 receives the data packetvalues. In addition, the estimation of ‘ in (3) is smaller than successfully, it sends out a 2ACK packet over two hops tothe actual value. The adverse effects of misbehaving nodes N1 (i.e., the opposite direction of the routing path as shown),in MANETs can be seen clearly in Table 1. For example, in a with the ID of the corresponding data packet. The tripletnetwork of 5R à 5R and pm ¼ 0:2, around 50 percent of the ½N1 ! N2 ! N3 Š is derived from the route of the originalroutes contain at least one misbehaving node. With such a data traffic. Such a triplet is used by N1 to monitor the linkhigh probability of misbehaving route, pr , the throughput N2 ! N3 . For convenience of presentation, we term N1 in theperformance of the MANET will be severely degraded. This triplet ½N1 ! N2 ! N3 Š the 2ACK packet receiver or themotivates our development of an efficient approach for observing node and N3 the 2ACK packet sender.detection and mitigation of routing misbehavior. Such a 2ACK transmission takes place for every set of triplets along the route. Therefore, only the first router from the source will not serve as a 2ACK packet sender. The last4 THE 2ACK SCHEME router just before the destination and the destination willThe watchdog detection mechanism in [4] has a very low not serve as 2ACK receivers.4overhead. Unfortunately, the watchdog technique suffers To detect misbehavior, the 2ACK packet sender main-from several problems such as ambiguous collisions, tains a list of IDs of data packets that have been sent outreceiver collisions, and limited transmission power. The but have not been acknowledged. For example, after N1main issue is that the event of successful packet reception sends a data packet on a particular path, say, ½N1 ! N2 !can only be accurately determined at the receiver of the 4. The 2ACK packet is different from the selective acknowledgmentnext-hop link, but the watchdog technique only monitors (SACK) [24] in TCP. The SACK packets are used by the TCP data receiver tothe transmission from the sender of the next-hop link. acknowledge noncontiguous blocks of data that are not covered by the Noting that a misbehaving node can either be the sender Cumulative Acknowledgment field. A 2ACK packet, on the other hand, acknowledges the received data packet. In addition, the SACK packets areor the receiver of the next-hop link, we focus on the problem sent by the data traffic receiver, but the 2ACK packets are sent by the thirdof detecting misbehaving links instead of misbehaving nodes. node in every set of triplets along the traffic route.
  7. 7. 494 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 6, NO. 5, MAY 2007 2ACK technique solves this problem by requiring N3 to send a 2ACK packet explicitly. . Receiver Collisions. Receiver collisions take place in the overhearing techniques when N1 overhears theFig. 2. Data structure maintained by the observing node. data packet being forwarded by N2 , but N3 fails to receive the packet due to collisions in its neighbor-N3 Š in Fig. 1, it adds the data ID to LIST (refer to Fig. 2, hood. A misbehaving N2 will not retransmit the datawhich illustrates the data structure maintained by the packet, which costs extra energy. Again, the 2ACKobserving node), i.e., on its list corresponding to N2 ! N3 . technique overcomes this problem due to the explicitA counter of forwarded data packets, Cpkts , is incremented 2ACK packets.simultaneously. . Limited Transmission Power. A misbehaving N2 At N1 , each ID will stay on the list for seconds, the may maneuver its transmission power such that N1timeout for 2ACK reception. If a 2ACK packet correspond- can overhear its transmission but N3 cannot. Thising to this ID arrives before the timer expires, the ID will be problem is similar to the Receiver Collisions pro-removed from the list. Otherwise, the ID will be removed at blem. It becomes a threat only when the distancethe end of its timeout interval and a counter called Cmis will between N1 and N2 is less than that between N2 andbe incremented. N3 . The 2ACK scheme is immune to limited When N3 receives a data packet, it determines whether it transmission power problem.needs to send a 2ACK packet to N1 . In order to reduce the . Limited Overhearing Range. A well-behaved N2additional routing overhead caused by the 2ACK scheme, may use low transmission power to send dataonly a fraction of the data packets will be acknowledged via toward N3 . Due to N1 ’s limited overhearing range,2ACK packets. Such a fraction is termed the acknowl- it will not overhear the transmission successfullyedgment ratio, Rack . By varying Rack , we can dynamically and will thus infer that N2 is misbehaving, causing atune the overhead of 2ACK packet transmissions. false alarm. Both this problem and the limited Node N1 observes the behavior of link N2 ! N3 for a transmission power problem are caused by theperiod of time termed Tobs . At the end of the observation potential asymmetry of communication links. Theperiod, N1 calculates the ratio of missing 2ACK packets as 2ACK scheme is immune to the limited overhearingCmis =Cpkts and compares it with a threshold Rmis . If the ratio range issue.is greater than Rmis , link N2 ! N3 is declared misbehaving With the explicit requirement of 2ACK transmissions,and N1 sends out an RERR (or the misbehavior report) the 2ACK scheme solves the above problems. Comparedpacket. The data structure of RERR is shown in Fig. 3. Since with overhearing techniques, the 2ACK scheme has aonly a fraction of the received data packets are acknowl- disadvantage of higher routing overhead. This additionaledged, Rmis should satisfy Rmis 1 À Rack in order to routing overhead is caused by the transmission of 2ACKeliminate false alarms caused by such a partial acknowl- packets. However, we will show later that, by reducing theedgment technique (see Section 4.6). acknowledgment ratio, Rack , the number of 2ACK transmis- Each node receiving or overhearing such an RERR marks sions can be significantly lowered (Section 4.6).the link N2 ! N3 as misbehaving and adds it to the blacklistof such misbehaving links that it maintains. When a node 4.3 Authenticating the 2ACK Packetsstarts its own data traffic later, it will avoid using such We look into the problem of 2ACK packet fabrication in thismisbehaving links as a part of its route. subsection. Since the 2ACK packets are forwarded by an The 2ACK scheme can be summarized in the pseudo- intermediate node (e.g., node N2 in Fig. 1), without propercode provided in the appendix for the 2ACK packet sender protection, a misbehaving node N2 can simply fabricateside (N3 ) and the observing node side (N1 ). 2ACK packets and claim that they were sent by node N3 .4.2 Comparison with Overhearing Techniques Therefore, an authentication technique is needed in order toCompared with the overhearing techniques, such as watch- protect 2ACK packets from being forged.dog in [4], the 2ACK scheme solves the problems of A straightforward way to stop N2 from forging theambiguous collisions, receiver collisions, and limited trans- 2ACK packets is to use the digital signature algorithm. Amission power: digital signature is a small number of extra bits of information attached by node N3 . The signature is unique . Ambiguous Collisions. Ambiguous collisions may and usually computationally impossible to forge unless the occur at node N1 . When a well-behaved node N2 security key of node N3 is disclosed. Furthermore, the forwards the data packet toward N3 , it is possible that signature may be used to assure the integrity of the N1 cannot overhear the transmission due to another transmitted data, i.e., any changes on the signed informa- concurrent transmission in N1 ’s neighborhood. The tion will be detected. Typically, the digital signature isFig. 3. Data structure of the RERR packet (the misbehavior report).
  8. 8. LIU ET AL.: AN ACKNOWLEDGMENT-BASED APPROACH FOR THE DETECTION OF ROUTING MISBEHAVIOR IN MANETS 495Fig. 4. The packet format of 2ACK.implemented relying on asymmetric cryptography, using N1 . This technique bypasses N2 , the potential threat to thetechniques such as RSA [25]. However, such asymmetric distribution of hn . While such a technique consumes moreoperations are too expensive for the mobile nodes in energy from node N3 , it takes place rather infrequently. ItMANETs which are usually resource constrained. will be seen later that every 2ACK packet uses one In [26], an efficient algorithm termed one-way hash chain element in the one-way hash chain in (7). The distribution[27] was used to guard against security attacks such as DoS of a new hn element is only needed when the entire chainand resource consumption attacks in the destination- has been used.sequenced distance vector (DSDV) routing protocol [28]. A An alternative technique to delivering the hn element isone-way hash chain can be constructed based on a one-way the “multipath transmission” mechanism. In this method,hash function, H. The hash function is a transformation that N3 sends its hn through a number of different paths. Fortakes a variable-length input and returns a fixed-length bit instance, a packet carrying the hn element may be floodedstring, that is, H : f0; 1gà ! f0; 1g , where is the length, in to the local neighborhood. The packet has a Time-To-Livebits, of the output of the hash function. An ideal hash (TTL) value of two or three hops. This is similar to thefunction H should have the following properties: broadcast of the RREQ packets in DSR. N1 employs a majority vote technique to obtain hn after it receives several . The input can be of any length. copies of hn . Note that only the misbehaving N2 is . The output has a fixed length. interested in forging a new hn . Since a majority of the . HðxÞ is relatively easy to compute for any given nodes are well-behaved, the true value of hn can be input x. obtained. . It is computationally infeasible to calculate x from Once the hn element is distributed from N3 to N1 , N3 can HðxÞ. use hi (0 i n) sequentially to sign the 2ACK packets to . HðxÞ is collision-free. be sent to N1 . The hi elements will be disclosed by N3 one at The collision-free property assures that the hash results a time.are unique. Examples of such hash functions include MD5 Assume that hiþ1 has been disclosed (initially, i ¼ n À 1).[29] and SHA1 [30]. When node N3 needs to send a 2ACK packet, it calculates a To create a one-way hash chain, a node picks up a Message Authentication Code (MAC) based on hiÀ1 ,random initial value x 2 f0; 1g and computes its hash ½N2 ; N1 ; IDŠhiÀ1 , and attaches the MAC and the hi value tovalue. The first number in the hash chain h0 is initialized to the 2ACK packet. Fig. 4 illustrates the packet format of ax. By using the general formula hi ¼ HðhiÀ1 Þ, for 0 i n, 2ACK packet. The fields in Fig. 4 are explained below:for some n, a chain of hi is formed: . N2 : the receiver of the next hop, in the opposite h0 ; h1 ; h2 ; h3 ; Á Á Á ; hn : ð7Þ direction of the route.It can be proven that, given an existing authenticated . N1 : the destination of the 2ACK packet, the obser-element of a one-way hash chain, it is feasible to verify the ving node, that is two-hop away from the 2ACKother elements preceding it. For example, given an packet sender.authenticated value of hn , a node can authenticate hnÀ3 . ID: the sequence number of the corresponding databy computing HðHðHðhnÀ3 ÞÞÞ and comparing the result packet.with hn [26]. . ½N2 ; N1 ; IDŠhiÀ1 : Message Authentication Code (MAC), Our scheme uses the above one-way hash chain to protect signed with hiÀ1 .the 2ACK packets against fabrication. In order to use the . hi : the newly disclosed element in the one-way hashone-way hash chain in (7) to authenticate 2ACK packets, chain, 0 i n.node N3 must distribute the hn element to N1 . A traditional Since hiþ1 is known to N1 , it compares Hðhi Þ with hiþ1 . Ifapproach for such information distribution is through a the results match, the hi element is accepted and recorded.trusted certificate authority. However, in a MANET, nodes The 2ACK message must have been sent from node N3 .roam from one place to another and there is usually no However, the integrity of the 2ACK packet can only becentral server or base station to act as a trusted certificate proven when the next 2ACK packet arrives (with hiÀ1 ).entity. We propose two techniques to distribute the initial When hiÀ1 is disclosed to N1 , it can be used to verify theauthentication element hn from node N3 to node N1 . integrity of the 2ACK packet received last time by The first technique is the “transmission extension” calculating the MAC and comparing it with the receivedmechanism. Using this technique, N3 increases the one. This is the so-called “delayed disclosure” techniquetransmission power to send the hn element directly to due to Hu et al. [26].
  9. 9. 496 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 6, NO. 5, MAY 2007 In this work, we do not study the overhead caused by 4.6 Acknowledgment Ratio, Rackthe authentication of the 2ACK packets. Compared to The additional routing overhead caused by the transmis-traditional security measures, the computation cost of the sion of the 2ACK packets can be controlled by theone-way hash function is relatively low [26]. The commu- parameter acknowledgment ratio, Rack , at the 2ACK packetnication overhead depends on the length of each element sender. With the use of the parameter Rack in the 2ACKand the value of n, i.e., the size of the one-way hash chain. scheme, only a fraction of the received data packets will beWhen n and the size of each element are chosen reasonably, acknowledged. Therefore, the parameter Rack provides awe expect low overhead due to the transmission of hn . mechanism to tune the overhead.5 The reduction of over-4.4 Timeout for 2ACK Reception, head comes with a cost: the shrinking of the range over which Rmis can take values. When only Rack of the dataThe parameter timeout, , will be used to set up a timer for packets received are acknowledged via the 2ACK packet,2ACK reception. If the timer expires before the expected 1 À Rack of them are not acknowledged. Since 1 À Rack of all2ACK packet is received, the missing 2ACK packet counter, data packets are not acknowledged at all, Rmis should beCmis , will be incremented. Thus, an appropriate value of is greater than 1 À Rack . That is,important for the successful operation of the 2ACK scheme. It is clear that false alarms may be triggered if is too Rmis 1 À Rack : ð8Þsmall. On the other hand, if is too large, the observingnode will have to maintain a longer list, requiring a large In a sense, the difference between Rmis and 1 À Rackmemory size. Therefore, should be set at a value that is serves as the buffer to avoid false alarms. Therefore,large enough to allow the occurrence of temporary link increasing Rack lowers the potential buffer to avoid falsefailures (for example, the unsuccessful transmission due to alarms. We investigate the effect of Rack on routingnode mobility or local traffic congestion). overhead in Section 5. It is essential that should satisfy 4.7 False Misbehavior Reports and Intentional 4 à ½single-hop transmission delayŠ; Dropping of 2ACK A misbehaving node N1 as shown in Fig. 1 may send falsewhere a single-hop transmission delay includes packet misbehavior reports regarding the next-hop link, N2 ! N3 .transmission delay, random back-off delay at the Medium However, the 2ACK scheme makes sure that such aAccess Control (MAC) layer, data processing delay, and behavior will not benefit node N1 : 1) N1 may still bepotential retransmission delay. included in alternative routes and 2) N1 needs to forward4.5 Observation Period, Tobs , and Dynamic Behavior data packets to N2 as necessary. Otherwise, it will beThe 2ACK scheme distinguishes link misbehaviors and detected as part of a misbehaving link (by the nodetemporary link failures by observing the reception of 2ACK preceding it on the route).packets over a certain period of time, termed the observa- A misbehaving node N3 may refuse to send any 2ACKtion period, Tobs . Since the temporary link failures do not packet for the data packets that have been received. As ausually last long, such a technique is able to distinguish result, N1 declares the link N2 ! N3 as misbehaving andtemporary link failures from link misbehavior. sends a misbehavior report to the source. Since N3 , as a The value of Tobs should be large enough so that several misbehaving node, refuses to forward data packets, N2 will2ACK packets are transmitted from the 2ACK packet also declare the link of N3 ! N4 (the node following N3 ) assender to the observing node. This is especially important misbehaving. Thus, links around node N3 are declaredwhen the acknowledgment ratio, Rack , is small. For misbehaving and will be avoided by future route selections.example, when Rack ¼ 0:1, one 2ACK packet will be Note that this might seem to have achieved the goal oftransmitted for every 10 data packets received. However, slandering node N2 by N3 . On the contrary, our mechanismthe observation period should not be too long. A long of misbehaving link detection instead of misbehaving nodeobservation period means that the observing node takes detection protects node N2 . The link N2 ! N3 will bemore time to observe the behavior of the next-hop link marked as misbehaving, but there is no accusation of N2 (orbefore a misbehavior is declared. Data packets may be N3 ). Other links associated with node N2 might still be used.dropped over this extended period of time and the Detection of the misbehaving node N3 and its punishmenteffectiveness of the misbehavior detection algorithm is are trickier. Essentially, consensus needs to be developedreduced. among the majority of neighbors of node N3 to punish it. The observation process should be initiated by the Similarly, when there are consecutive misbehavingobserving node randomly and repeatedly. Therefore, the nodes on the route, the first misbehaving node and its2ACK packet sender or forwarder has to transmit 2ACK forwarding link will be detected and reported to the source.packets for the entire data duration (based on the acknowl- Such a route will be avoided in the next round of routeedgment ratio, Rack ). Such repeated observations will help discovery.in the detection of misbehaving nodes which have dynamic Topology changes may also lead to false misbehaviorbehavior depending on their energy levels. When such reports. When two well-behaved neighboring nodes movenodes are well-behaved, the links associated with them willbe treated as normal links and used. Once such nodes 5. In practice, the value of an appropriate Rack may depend on the actual extra-cost of sending a 2ACK packet and the projected traffic load of themisbehave, the links associated with them will be detected network. It is also possible to change Rack dynamically. We leave this asas misbehaving and other nodes will stop using them. future work.
  10. 10. LIU ET AL.: AN ACKNOWLEDGMENT-BASED APPROACH FOR THE DETECTION OF ROUTING MISBEHAVIOR IN MANETS 497out of each other’s range, the link between them will fail in the destination nodes were randomly chosen among allterms of data delivery. In 2ACK, this is taken care of by the nodes in the network. The total simulation time wasrouting scheme in use (DSR). When the sender of the link 800 seconds. For each data point, 20 simulations (withnotices that the receiver is out of range, it will submit a different seeds) were run to obtain the average value. TheRoute Error (RERR) message to report the link failure. 95 percent confidence intervals of all results are shown as vertical line segments.4.8 Partial Data Forwarding Both UDP and TCP traffics have been simulated toA misbehaving node may forward data packets partially evaluate the performance of 2ACK. A random way-pointby forwarding a fraction of the packets and try to cheat mobility model was assumed with a maximum speed ofthe monitoring system. Such a behavior will be detected Vm ¼ 0; 10; 20 m/sec and a pause time of 0 second. Theby the 2ACK scheme. We use the triplet N1 ! N2 ! N3 in mobility scenarios were generated by the “random trip”Fig. 1 as an example for explanation. generic mobility model due to Le Boudec and Vojnovi [32]. c Assume a misbehaving node N2 receives ND data Constant Bit Rate (CBR) traffic was used. Each simulationpackets from N1 successfully and only forwards a fraction included 10 CBR sessions, each of which generated fourof the data packets, say, Rpart (0 Rpart 1), of ND toward packets per second. In simulations for TCP traffic, theN3 . We further assume that all data packets forwarded by maximum node speed was Vm ¼ 20 m/sec, with a pauseN2 are successfully received by N3 . Thus, N3 receives Rpart Á time of 0 second. Each simulation ran 10 Telnet sessions.ND data packets and only Rack Á Rpart Á ND of them will be We used the following metrics to measure the perfor-acknowledged by 2ACK packets sent from N3 . mance of the 2ACK scheme with respect to UDP traffic: Therefore, in order to cheat the system, a misbehavingnode N2 has to make sure that . Packet Delivery Ratio, P DR: the ratio of the number of packets received at the destination and the 1 À Rack Á Rpart Rmis : ð9Þ number of packets sent by the source. . Routing Overhead, RO: the ratio of the amount ofAs the gap between 1 À Rack and Rmis shrinks, the feasible routing related transmissions (RREQ, RREP, RERR,value of Rpart approaches 1. Therefore, the 2ACK scheme and 2ACK) to the amount of data transmissions. Theeffectively guards against partial forwarding. Rearranging amounts are in bytes. Both forwarded and trans-(9), we have mitted packets are counted. 1 À Rmis . Number of False Alarm, NF A : the number of false Rpart : ð10Þ misbehavior reports. Rack For TCP traffic flows, the packet delivery ratio as definedThus, by increasing 1ÀRmis , we force N2 to forward more data Rack in the UDP traffic scenario would be similar for differentpackets. The disadvantage of such an approach is the loss of schemes. This is because the TCP senders automaticallyprotection from false alarms.6 detect end-to-end transmission failures. When misbehaving links appear on a route and the acknowledgments from the5 PERFORMANCE EVALUATION destination are missing, the source node of a TCP session may slow down or even stop sending packets. Therefore, aIn this section, we present our simulation results for more reasonable performance metric is the total number ofperformance evaluation. Since the 2ACK scheme works as packets that are received at the destination. We compared aan add-on technique for the DSR protocol, the performance relative throughput, a normalized number of packets thatof the 2ACK scheme is actually the performance of the are received, of different schemes in the TCP traffic scenario.DSR+2ACK scheme. 5.2 Simulation Results for UDP Traffic5.1 Simulation Methodology and Performance Fig. 5 compares the packet delivery ratio of the 2ACK Metrics scheme, the BFTR scheme [18], the S-TWOACK scheme,In the simulations, we used a version of Network Simulator and the original DSR protocol as a function of misbehavior(ns-2) [31] that includes wireless extensions developed by ratio, pm . We varied pm from 0 (all of the nodes are well-the CMU Monarch project group. We modified the DSR behaved) to 0.4 (40 percent of the nodes misbehave). Themodule in ns-2 to simulate misbehaving nodes. The maximum speed is Vm ¼ 20 m/sec. From the figure, we canobservation period of the 2ACK scheme was set to Tobs ¼ observe that most packets were delivered by all four0:8 second. Unless specified otherwise, the 2ACK scheme schemes when pm ¼ 0 (no misbehaving nodes). The packetused Rack ¼ 0:20, Rmis ¼ 0:85, and a timeout value of ¼ delivery ratio decreases as pm increases. Compared with the0:15 second. original DSR scheme, the 2ACK scheme maintains a much The IEEE 802.11 MAC was used with a channel data rate higher PDR. For example, the 2ACK scheme delivered overof 11 Mbps. The data packet size was 512 bytes. The 90 percent of data packets even when pm ¼ 0:4. The rest ofwireless transmission range of each node was R ¼ 250 m. In the packets were dropped because no well-behaved routesthe simulations, N ¼ 50 mobile nodes were randomly could be found from the source to the destination. On thedistributed in a 700 m by 700 m flat area. The source and other hand, DSR delivered about 40 percent of the packets in the same scenario. 6. While we provide some suggested values for the parameters such asRmis and Rack , the system managers of such operating networks will have Based on Fig. 5, the BFTR scheme and the S-TWOACKthe flexibility to vary them. scheme with maximum_IDs_Carried set to 5, i.e., one
  11. 11. 498 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 6, NO. 5, MAY 2007Fig. 5. Packet delivery ratio of 2ACK, BFTR, S-TWOACK, and DSR. Fig. 7. Packet delivery ratio of 2ACK for different Rack .TWOACK packet is sent for every five consecutively received to report misbehaviors and to find alternate routes in a moredata packets [23], have similar PDR performance. Both are hostile network environment.outperformed by the 2ACK scheme. For example, the BFTR In Fig. 7, we show the PDR of the 2ACK scheme withscheme delivered roughly 82 percent and the S-TWOACK different acknowledgment ratios, Rack . The acknowledg-scheme delivered about 85 percent data packets when ment ratio Rack was set to 0.05, 0.2, 0.50, and 1.0,pm ¼ 0:4. Compared with the 2ACK scheme, since the BFTR respectively. The corresponding Rmis was 0.98, 0.85, 0.6,scheme does not detect a misbehaving node/link, it may and 0.33, respectively. Note that Rmis and Rack need tochoose an alternate route which still contains the misbehav- satisfy (8). Based on Fig. 7, we can see that the PDRing node. The S-TWOACK scheme takes more time to detect performance of the 2ACK scheme is not appreciablymisbehaving links, causing more packets being dropped affected by Rack .before an alternate route is used. We compare the routing overhead of the 2ACK scheme In Fig. 6, we compare the routing overhead of the 2ACK with different Rack values in Fig. 8. As expected, the routingscheme (with Rack ¼ 0:2), the BFTR scheme, the S-TWOACK overhead of the 2ACK scheme is the highest when Rack ¼ 1.scheme (with maximum_IDs_Carried = 5), and the DSR This is due to the large number of 2ACK packetsscheme. The higher routing overhead in the 2ACK and the transmitted in the network. As the value of Rack decreases,S-TWOACK schemes is due to the transmission of extra the routing overhead reduces dramatically. Therefore, Rackacknowledgment packets. The extra routing overhead of the in the 2ACK scheme provides an effective “knob” to tuneBFTR scheme is caused by the extra route discovery routing overhead.processes. The overhead of 2ACK increases with the Comparing Fig. 8 and Fig. 6, we have the followingincrease of misbehavior percentage. This is because more observations on routing overhead: As Rack decreases, theRERR (the misbehavior report) and RREQ packets are sent routing overhead of the 2ACK scheme reduces to a levelFig. 6. Routing overhead of 2ACK, BFTR, S-TWOACK, and DSR. Fig. 8. Routing overhead of 2ACK with different Rack .
  12. 12. LIU ET AL.: AN ACKNOWLEDGMENT-BASED APPROACH FOR THE DETECTION OF ROUTING MISBEHAVIOR IN MANETS 499Fig. 9. The packet delivery ratio of 2ACK for different Vm . Fig. 11. Packet delivery ratio of 2ACK and DSR for TCP traffic (Vm ¼ 20 m/sec).that is slightly higher than that of the DSR scheme butcannot be lowered further. This can be explained by the mobility network and, in some rare cases, the 2ACK schemeadditional route discovery processes initiated by the may treat such broken routes as misbehaving. The resultssources receiving the misbehavior reports. The DSR scheme reveal the appropriate values for timeout, . Based on thedoes not initialize such new route discovery processes (note results, ¼ 0:1 À 0:15 seconds works well in networks withthat these simulations were based on UDP traffic). Vm 20 m/sec. In Fig. 9, we present the packet delivery ratio of the 5.3 Simulation Results for TCP Traffic2ACK scheme as a function of misbehavior ratios pm withdifferent maximum speeds Vm . We can observe that the In Fig. 11, we compare the PDR value of the 2ACK schemepacket delivery ratio reduces when mobility increases, and the regular DSR scheme for TCP sessions. Relativelyregardless of pm . There are two possible reasons causing close PDR values for both schemes can be observed. This isPDR to decrease: packets being dropped due to node expected as the senders of the TCP sessions slow down ormobility and false alarms in the 2ACK scheme. We even stop their transmissions when the acknowledgmentsinvestigate the false alarm issue in Fig. 10. from the destination are missing. Comparing the results in In Fig. 10, we show the number of false alarms as a Fig. 11 and Fig. 5 or Fig. 9, we can see that the 2ACK schemefunction of timeout value, , for different maximum speeds supports slightly higher PDR for the TCP traffic than for theVm . It can be observed that the number of false alarms UDP traffic. This is due to the additional acknowledgmentreduces as timeout increases. The number of false alarms and route selection performed in the TCP protocol.increases when the nodes move more rapidly. This is due to In Table 2, we present the relative throughput, normal-the fact that routes are broken more frequently in a high ized number of packets received, when the 2ACK scheme and the DSR scheme are used. Based on Table 2, the relative throughput reduces when pm increases due to higher chances of using routes with misbehaving links and longer time being spent to switch to good routes. From the table, we can observe that the 2ACK scheme outperforms the DSR scheme in terms of relative throughput, especially in the networks with larger pm . For instance, when pm ¼ 0:4, the 2ACK scheme is able to support a relative throughput of 0.614, but the DSR scheme can only support 0.472. The relative throughput of the 2ACK scheme is slightly lower TABLE 2 The Relative Throughput Supported by 2ACK and DSR for TCP TrafficFig. 10. Number of false alarms in 2ACK (pm ¼ 0).
  13. 13. 500 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 6, NO. 5, MAY 2007than that of the DSR scheme at pm ¼ 0. This is due to the The 2ACK scheme has been implemented on top of DSR.false alarm reports in the 2ACK scheme in a high mobility It is also possible to implement the 2ACK scheme over othernetwork, as shown in Fig. 10. routing schemes. The main challenge is how to derive the Note that comparisons cannot be made directly between triplet information so that the 2ACK sender and thethe values in Fig. 5 and the numbers in Table 2. The former observing node are informed of such information. Knowl-represents packet delivery ratio (PDR); the latter represents edge of topology of the 2-hop neighborhood may be used.the total number of packets that are received (normalized In addition, the 2ACK scheme can only work in managedover a fixed number, the average number of packets MANETs (as compared to open MANETs). The maintransmitted). reason is that parameters such as Rack and Rmis need to be set. In our future work, we will investigate how to add the 2ACK scheme to other types of routing schemes and6 CONCLUSIONS AND FUTURE WORK open networks. Theoretical analysis of the performanceMobile Ad Hoc Networks (MANETs) have been an area for gain of the 2ACK scheme is of interest as well.active research over the past few years due to theirpotentially widespread application in military and civilian APPENDIXcommunications. Such a network is highly dependent onthe cooperation of all of its members to perform networking PSEUDOCODE OF THE 2ACK SCHEMEfunctions. This makes it highly vulnerable to selfish nodes. We use the triplet N1 ! N2 ! N3 in Fig. 1 as an example toOne such misbehavior is related to routing. When such illustrate 2ACK’s pseudocode. Note that such codes are runmisbehaving nodes participate in the Route Discovery on each of the sender/receiver of the 2ACK packets.phase but refuse to forward the data packets, routing A.1 2ACK Packet Sender Side (Node N3 )performance may be degraded severely. In this paper, we have investigated the performance 1: publish hn == Send authenticated element to node N1degradation caused by such selfish (misbehaving) nodes in 2: Cpkts 0, Cack 0, i n == Initialization at node N3MANETs. We have proposed and evaluated a technique, 3: while true dotermed 2ACK, to detect and mitigate the effect of such 4: if (data packet received) thenrouting misbehavior. The 2ACK technique is based on a 5: Cpkts ++ == Increase the counter of received packetssimple 2-hop acknowledgment packet that is sent back by 6: if (Cack =Cpkts Rack ) then == The data packet needsthe receiver of the next-hop link. Compared with other to be acknowledgedapproaches to combat the problem, such as the overhearing 7: prepare MAC with hiÀ1technique, the 2ACK scheme overcomes several problems 8: prepare 2ACK with ID, MAC, hi == Addincluding ambiguous collisions, receiver collisions, and authentication to 2ACK packetlimited transmission powers. The 2ACK scheme can be 9: send 2ACKused as an add-on technique to routing protocols such as 10: Cack þ þ, i - - == Increase the counter ofDSR in MANETs. acknowledged packets We have presented the 2ACK scheme in detail and 11: enddiscussed different aspects of the 2ACK scheme. Extensive 12: endsimulations of the 2ACK scheme have been performed to 13: endevaluate its performance. Our simulation results show thatthe 2ACK scheme maintains up to 91 percent packet A.2 Receiver (Observer) Side (Node N1 )delivery ratio even when there are 40 percent misbehaving Parallel process 1 (receiving hn )nodes in the MANETs that we have studied. The regularDSR scheme can only offer a packet delivery ratio of 1: while true do40 percent. The false alarm rate and routing overhead of the 2: if receive hn from the 2ACK packet sender then 3: record hn , i n2ACK scheme are investigated as well. One advantage of 4: endthe 2ACK scheme is its flexibility to control overhead with 5: endthe use of the Rack parameter. In this work, we have focused only on link misbehavior. Parallel process 2 (receiving 2ACK packets)It is more difficult to decide the behavior of a single node. 6: while true doThis is mainly due to the fact that communication takes 7: randomly select Tstart current time == Start theplace between two nodes and is not the sole effort of a observationsingle node. Therefore, care must be taken before punishing 8: while current time Tstart doany node associated with the misbehaving links. When a 9: == nulllink misbehaves, either of the two nodes associated with the 10: endlink may be misbehaving. In order to decide the behavior of 11: LIST , Cpkts 0, Cmis 0 == Initialization ata node and punish it, we may need to check the behavior of node N1links around that node. This is a potential direction for our 12: while current time Tstart þ Tobs do == Observationfuture work. period is not expired