• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content







Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    /Home/himanshu/mane /Home/himanshu/mane Document Transcript

    • A Literature Survey on SECURITY THREATS IN MOBILE AD HOC NETWORK (MANET) by NISHANTH.N ME Telecommunication SR No.: 4812-413-091-06931 Under the Guidance of Prof. P. Venkataram Protocol Engineering and Technology Lab Dept. of Electrical Communication Engineering Indian Institute of Science Bangalore-560 012
    • Abstract In this literature survey, I am focusing on the overall security threats and challenges in Mobile ad hoc networks (MANET).My literature survey starts with different types of wireless network, then vulnerabilities and the security issues are analyzed from individual layers namely application layer, transport layer, network layer, link layer and physical layer. This study provides a good understanding of the current security challenges and solutions for the MANETs. Finally, a brief discussion about agents and role of multi-agents in wireless security is also included in my literature survey.
    • Contents 1 WIRELESS NETWORKS 5 1.1 Types of Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.1.1 Infrastructure Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 1.1.2 Ad hoc Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 1.2 IEEE 802.11 WLAN Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 1.2.1 IEEE 802.11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 1.2.2 IEEE 802.11a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 1.2.3 IEEE 802.11b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2.4 IEEE 802.11g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2.5 IEEE 802.11d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2.6 IEEE 802.11e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2.7 IEEE 802.11f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2.8 IEEE 802.11h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2.9 IEEE 802.11j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2.10 IEEE 802.11n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.3 Wireless Personal Area Network (WPAN) . . . . . . . . . . . . . . . . . . . . . . 9 1.3.1 IEEE 802.15.1 (Bluetooth) . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.3.2 IEEE 802.15.3 (Ultra Wide Band) . . . . . . . . . . . . . . . . . . . . . . 10 1.3.3 IEEE 802.15.4 (ZigBee) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 1.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2 MOBILE AD HOC NETWORK (MANET) 11 2.1 Features of MANET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.2 Vulnerabilities of the MANETs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.2.1 Lack of Secure Boundaries . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.2.2 Threats from Compromised nodes . . . . . . . . . . . . . . . . . . . . . . 13 2.2.3 Lack of Centralized Management Facility . . . . . . . . . . . . . . . . . . . 13 2.2.4 Restricted PowerSupply . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2.2.5 Scalability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 2.3 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 2.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 1
    • 3 ATTACKS ON MANET 16 3.1 Attacks On MANET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 3.1.1 Passive vs. Active attacks: . . . . . . . . . . . . . . . . . . . . . . . . . . 17 3.1.2 Attacks on different layers of the Internet model: . . . . . . . . . . . . . . 17 3.1.3 Stealthy vs. Non-stealthy attacks: . . . . . . . . . . . . . . . . . . . . . . 18 3.1.4 Cryptography vs. non-cryptography related attacks: . . . . . . . . . . . . . 18 3.1.5 Multi-layer attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 3.2 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 4 SECURITY THREATS IN PHYSICAL LAYER 20 4.1 Eavesdropping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 4.2 Jamming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 4.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 5 SECURITY THREATS IN LINK LAYER 22 5.1 IEEE 802.11 MAC Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 5.2 Vulnerabilities in Link Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 5.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 6 SECURITY THREATS IN NETWORK LAYER 28 6.1 Reactive Routing Protocol: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 6.1.1 DSR (Dynamic Source Routing) . . . . . . . . . . . . . . . . . . . . . . . 29 6.2 Proactive Routing Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 6.2.1 Destination-Sequenced Distance-Vector Routing (DSDV) . . . . . . . . . . 31 6.3 Secure Routing in MANET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 6.3.1 Requirements of a Secure Routing Protocol for MANET . . . . . . . . . . 31 6.4 Attacks at the routing discovery phase . . . . . . . . . . . . . . . . . . . . . . . . 33 6.5 Attacks at data forwarding phase . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 6.6 Advanced Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 6.6.1 Wormhole Attack: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 6.6.2 Blackhole attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 6.6.3 Byzantine attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 6.6.4 Information disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 6.6.5 Resource consumption attack . . . . . . . . . . . . . . . . . . . . . . . . . 37 6.6.6 Rushing attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 6.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 7 SECURITY THREATS IN TRANSPORT LAYER 38 7.1 Establishing a TCP connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 7.2 Closing TCP connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 2
    • 7.3 Attacks in Transport Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 7.3.1 SYN flooding attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 7.3.2 Session Hijacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 7.3.3 TCP ACK Storm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 7.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 8 SECURITY THREATS IN APPLICATION LAYER 42 8.1 Malicious code attacks: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 8.2 Repudiation attacks: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 8.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 9 COUNTERMEASURES 44 9.1 Preventive mechanism: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 9.2 Reactive mechanism: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 9.3 Physical layer defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 9.3.1 FHSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 9.3.2 DSSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 9.4 Link Layer Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 9.4.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 9.5 Network Layer Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 9.5.1 Secure Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 9.5.2 Defense against wormhole attacks . . . . . . . . . . . . . . . . . . . . . . 51 9.5.3 Defense against blackhole attacks . . . . . . . . . . . . . . . . . . . . . . . 52 9.5.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 9.6 Application Layer Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 9.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 10 TRANSPORT LAYER DEFENSE 55 10.1 Modified versions of TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 10.1.1 Feedback based TCP (TCP-F) . . . . . . . . . . . . . . . . . . . . . . . . 58 10.1.2 TCP with Explicit Link Failure Notification (TCP-ELFN) . . . . . . . . . 60 10.1.3 Split-TCP: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 10.2 Defense against Flooding Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 10.2.1 CATCH protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 10.2.2 SWAT: Small World based Attacker Traceback . . . . . . . . . . . . . . . . 65 10.2.3 ATTENTION: ATTackEr Traceback using MAC Layer AbNormality Detec- TION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 10.2.4 Hotspot-Based Traceback . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 10.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 3
    • 11 AGENTS AND MULTI-AGENTS 67 11.1 AGENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 11.2 Multi-Agent System (MAS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 11.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 12 Role of Multi-agent system in wireless security 69 12.1 Role of Mobile Agents (MA) in IDS . . . . . . . . . . . . . . . . . . . . . . . . . 70 12.2 Advantages of using Mobile Agents (MA) in IDS . . . . . . . . . . . . . . . . . . . 70 12.3 System Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 12.3.1 MA server functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 12.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 13 PROPOSED WORK 75 REFERENCES 4
    • Chapter 1 WIRELESS NETWORKS Today’s wireless networks have gained momentum in a number of vertical markets such as health- care, education, retail, manufacturing, warehousing, and more. Wireless networks bring massive gains - not only in productivity, but also from reduced cabling and fast client relocation. Flexi- bility is a major reason that wireless networks have become so popular. Just looking at historical buildings gives us an example of this. Once a building is deemed historical, running wires through it can quickly become an unacceptable option. With wireless networks, no wires are necessary; a user just has to plug into an access point and he is set to go. Without having to drill holes for wires, these historical buildings can keep their old-world look and feel. Another way the flexibility of wireless networks is useful is in areas or buildings not owned by the occupant. In this case, holes cannot be drilled into the walls to install wire runs. Wireless allows one to set up the access point and connects all the needed information systems via a wireless connection. Disaster recovery is another area where the flexibility of wireless plays a key role. When major damage impedes the ability to hang cables, using wireless can help keep a workforce connected. 1.1 Types of Wireless Networks Before we discuss the wireless networks types, a small difference between wired and wireless network will be discussed. A network that sends data from one point to another point with cable or wire is called wired network. The data sent over a network which uses wireless medium from one device to another device is called wireless network. In wireless network data is transmitted from one point to another through wireless links. For communication the devices have to be in the transmission or radio range of each other. Wireless networks are divided into two main groups (1) infrastructure wireless network (2) Ad hoc or infrastructure-less network. 5
    • 1.1.1 Infrastructure Networks Fixed network topology is deployed in infrastructure network. These deployed, fixed networks have base stations or access points from which wireless nodes can get connected. All the base stations or access points are connected with the main network through wired links (fiber optic, twisted or coaxial cable) or wireless links. The base station or access point is one of the important units of infrastructure networks. All of the connections will have to pass from the access point (AP). Figure 1.1: Infrastructure Mode A wireless node can connect to anyone of the access points in its radio range. In this mode, a wireless node needs to associate with an AP using an association protocol. An AP and its wireless nodes form a Basic Service Set (BSS). A set of BSS is called Extended Service Set (ESS). Association and Dissociation allows the wireless node to be mobile within the ESS. 1.1.2 Ad hoc Networks An Ad hoc network is deployed where wireless network infrastructure is not available. This kind of ad hoc network is called infrastructure less network or ad hoc network. In infrastructure or ad hoc network each node is connected through wireless links. These nodes get connected to each other and also act as a router, by forwarding data to other wireless nodes. There is no restriction on these nodes to join or leave the network. Thus the network has no vital infrastructure. Ad hoc networks have two forms; one is static ad hoc networks (SANET), the other is called mobile ad hoc network (MANET). Figure 1.2: Ad Hoc Mode 6
    • 1.2 IEEE 802.11 WLAN Standards 1.2.1 IEEE 802.11 In 1997, the IEEE ratified the 802.11 Wireless LAN standards, establishing a global standard for implementing and deploying Wireless LANS. The throughput for 802.11 is 2Mbps, which was well below the IEEE 802.3 Ethernet counterpart. As with any of the other 802 networking standards (Ethernet, Token Ring, etc.), the 802.11 specification affects the lower layers of the OSI reference model, the Physical and Data Link layers. Figure 1.3: Layers in OSI model These networks operate on two physical layers: (1) direct sequence spread spectrum (DSSS) and (2) frequency hopping spread spectrum (FHSS). Each uses a different method of transmitting wireless signals across the airwaves. DSSS uses a wide, single, statically defined channel that is preset in the access point. On FHSS or FH, the access point and the client negotiate a hop sequence, which is used to allow the signal to switch between small slices of frequency in the 2.4- GHz range that wireless 802.11 has defined as usable. The MAC layer has been standardized to help contend with the interference and excessive loss of frames compared to Ethernet. (Detailed description about MAC layer is made on Data link layer attack). 1.2.2 IEEE 802.11a In 1999, the IEEE group successfully standardized the 802.11a standard. 802.11a operates at 5GHz and supports date rates up to 54Mbps. The physical layer technology Orthogonal Frequency Division Multiplexing (OFDM) is used to transfer the data into radio waves. The FCC has allocated 300Mz of RF spectrum for unlicensed operation in the 5GHz range. Although 802.11a supports much higher data rates, the effective distance of transmission is much shorter than 802.11b and is not compatible with 802.11b equipment and in its current state is usable only in the US. However, several vendors have embraced the 802.11a standard and some have dual band support AP devices and network cards. 7
    • 1.2.3 IEEE 802.11b The 802.11b ("baseline") is currently the de facto standard for Wireless LANs. Unlike in 802.11, in which there is a choice between Direct Sequence Spread Spectrum (DSSS) and Frequency Hopping Spread Spectrum (FHSS), 802.11b uses DSSS for physical layer transport. The data rate of 802.11b is raised to11 Mbit/s, but will scale back to 5.5, then 2, then 1 Mbit/s (also known as Adaptive Rate Selection), if signal quality becomes an issue. 1.2.4 IEEE 802.11g The 802.11g ("going beyond b") task group, like 802.11a is focusing on raising the data transmis- sion rate up to 54Mbps, but on the 2.4MHz band. 802.11g hardware is fully backwards compatible with 802.11b hardware. The modulation scheme used in 802.11g is orthogonal frequency-division multiplexing (OFDM) which is same as that used in 802.11a standard 1.2.5 IEEE 802.11d This group is focusing on extending the technology to countries that are not covered by the IEEE. The IEEE completed the 802.11d standard in 2001. It addresses the need for access points to have the ability to inform client cards of what regulator domain they are located at and what rules apply for that location. This helps the business travelers to use wireless network card to use in different countries (do not need to carry multiple client card). 1.2.6 IEEE 802.11e This group is focusing on improving multi-media transmission quality of service. This is critical in time-sensitive communications such as voice or video 1.2.7 IEEE 802.11f The 802.11f standard provides a standard for roaming. This allows companies to create products that can seamlessly roam from one to another (interoperability between vendors ) 1.2.8 IEEE 802.11h The 802.11h standard is looking at using 802.11a and developing the ability to self-tune, and moving away from congested channels. 1.2.9 IEEE 802.11j This standard is for use in Japan only. It defines the physical and MAC layer communications for systems running in the 4.9- to 5-GHz range. 8
    • 1.2.10 IEEE 802.11n IEEE 802.11n is an amendment to IEEE 802.11 standards by adding multiple-input multiple- output (MIMO) and 40 MHz channels to the PHY (physical layer), and frame aggregation to the MAC layer. MIMO is a technology which uses multiple antennas to coherently resolve more information than possible using a single antenna. One way it provides this is through Spatial Division Multiplexing (SDM). MIMO SDM can significantly increase data throughput as the number of resolved spatial data streams is increased. It can support a data rate of up to 600 Mbps. 1.3 Wireless Personal Area Network (WPAN) A wireless personal area network (WPAN) is a low-range wireless network which covers an area of only a few dozen metres. This sort of network is generally used for linking peripheral devices (like printers, cellphones, and home appliances) or a personal assistant (PDA) to a computer, or just two nearby computers, without using a hard-wired connection. The technologies enabling WPAN include Bluetooth, ZigBee, Ultra-wideband(UWB), IrDA, HomeRF, etc., in which the Bluetooth is the most widely used technology for the WPAN communication. The IEEE 802.15 Working Groups is the 15th working group of the IEEE 802 specializes in WPAN technologies. The key concept in WPAN technology is known as plugging in. In the ideal scenario, when any two WPAN-equipped devices come into close proximity (within several meters of each other) or within a few kilometers of a central server, they can communicate as if connected by a cable. Another important feature is the ability of each device to lock out other devices selectively, preventing needless interference or unauthorized access to information. The technology for WPANs is in its infancy and is undergoing rapid development. Proposed operating frequencies are around 2.4 GHz in digital modes. The objective is to facilitate seamless operation among home or business devices and systems. Every device in a WPAN will be able to plug in to any other device in the same WPAN, provided they are within physical range of one another. 1.3.1 IEEE 802.15.1 (Bluetooth) Bluetooth, also known as the IEEE 802.15.1 standard is based on a wireless radio system designed for short-range and cheap devices to replace cables for computer peripherals, such as mice, key- boards, joysticks, and printers. Bluetooth is a specification for wireless personal area networks (PANs) formalized by the Bluetooth SIG in 1999. It was originally developed by Ericsson, who was a member of SIG with IBM, Intel, Nokia, and Toshiba. The protocol operates in the license- free ISM band at 2.4 GHz, with a data rate of 723.1Kbps. Two connectivity topologies are defined in Bluetooth: the piconet and scatternet. A piconet is a WPAN formed by a Bluetooth device serving as a master in the piconet and one or more Bluetooth devices serving as slaves. All devices participating in communications in a given piconet are synchronized using the clock of the master. 9
    • Slaves communicate only with their master in a point-to-point fashion under the control of the master. A scatternet is a collection of operational Bluetooth piconets overlapping in time and space. Two piconets can be connected to form a scatternet. A Bluetooth device may participate in several piconets at the same time, thus allowing for the possibility that information could flow beyond the coverage area of the single piconet. 1.3.2 IEEE 802.15.3 (Ultra Wide Band) UWB has recently attracted much attention as an indoor short-range high-speed wireless commu- nication. One of the most exciting characteristics of UWB is that its bandwidth is over 110 Mbps (up to 480 Mbps) which can satisfy most of the multimedia applications such as audio and video delivery in home networking and it can also act as a wireless cable replacement of high speed serial bus such as USB 2.0 and IEEE 1394. 1.3.3 IEEE 802.15.4 (ZigBee) ZigBee over IEEE 802.15.4 defines specifications for low rate WPAN (LR-WPAN) for supporting simple devices that consume minimal power and typically operate in the personal operating space (POS) of 10m. ZigBee provides self-organized, multi-hop, and reliable mesh networking with long battery lifetime 1.4 Summary Wireless networks are broadly classified into infrastructure based network and ad hoc network.MANET is an example for ad hoc network.IEEE 802.11 is a set of standards carrying out wireless local area network (WLAN) computer communication in the 2.4, 3.6 and 5 GHz frequency bands. While a wireless personal area network (WPAN) is a low-range wireless network which covers an area of only a few dozen metres.The IEEE 802.15 Working Groups is the 15th working group of the IEEE 802 specializes in WPAN technologies. 10
    • Chapter 2 MOBILE AD HOC NETWORK (MANET) A mobile ad hoc network (MANET) is a decentralized, self-organizing and self configuring wireless network, without any fixed infrastructure. In these networks, each mobile node behaves not only as a host, but also as a router which is capable of communicating with other nodes, using either direct wireless links, or multi-hop wireless links. MANET is self-organized in such a way that a collection of mobile nodes without a fixed infrastructure and central management is formed automatically. Each node is equipped with a wireless transmitter and receiver that communicate with other nodes in the vicinity of its radio communication range. If a node decides to send a packet to a node that is outside its radio range, it requires the help of other nodes in the network. Due to the fact that mobile nodes are dynamic and they constantly move in and out of their network vicinity, the topologies constantly change. Figure 2.1: MANET 2.1 Features of MANET A mobile ad hoc network has following features: • Autonomous Terminal: In MANET, each mobile terminal is an autonomous node, which may function as both a host and a router. In other, since there is no background network 11
    • words, besides the basic processing ability as a host, the mobile nodes can also perform switching functions as a router. So usually endpoints and switches are indistinguishable in MANET. • Distributed Operation: For the central control of the network operations, the control and management of the network is distributed among the terminals. The nodes involved in a MANET should collaborate amongst themselves and each node acts as a relay as needed, to implement functions e.g. security and routing. • Multihop Routing: Basic types of ad hoc routing algorithms can be single-hop and mul- tihop, based on different link layer attributes and routing protocols. Single-hop MANET is simpler than multihop in terms of structure and implementation, with the cost of lesser functionality and applicability. When delivering data packets from a source to its destina- tion out of the direct wireless transmission range, the packets should be forwarded via one or more intermediate nodes. • Dynamic Network Topology: Since the nodes are mobile, the network topology may change rapidly and unpredictably and the connectivity among the terminals may vary with time. MANET should adapt to the traffic and propagation conditions as well as the mobility patterns of the mobile network nodes. The mobile nodes in the network dynamically establish routing among themselves as they move about, forming their own network on the fly. • Light-weight Terminal: In most cases, the MANET nodes are mobile devices with less CPU processing capability, small memory size, and low power storage. Such devices need optimized algorithms and mechanisms that implement the computing and communicating functions. 2.2 Vulnerabilities of the MANETs Because mobile ad hoc networks have far more vulnerabilities than the traditional wired networks, security is much more difficult to maintain in the mobile ad hoc network than in the wired network. In this section, we discuss the various vulnerabilities that exist in the mobile ad hoc networks. 2.2.1 Lack of Secure Boundaries The meaning of this vulnerability is self-evident: there is not such a clear secure boundary in the mobile ad hoc network, which can be compared with the clear line of defense in the traditional wired network. This vulnerability originates from the nature of the mobile ad hoc network: freedom to join, leave and move inside the network. In the wired network, adversaries must get physical access to the network medium, or even pass through several lines of defense such as firewall and gateway before they can perform malicious behavior to the targets. However, 12
    • in the mobile ad hoc network, there is no need for an adversary to gain the physical access to visit the network: once the adversary is in the radio range of any other nodes in the mobile ad hoc network, it can communicate with those nodes in its radio range and thus join the network automatically. As a result, the mobile ad hoc network does not provide the so-called secure boundary to protect the network from some potentially dangerous network accesses. Lack of secure boundaries makes the mobile ad hoc network susceptible to the attacks. The attacks mainly include passive eavesdropping, active interfering, leakage of secret information, data tampering, message replay, message contamination, and denial of service. 2.2.2 Threats from Compromised nodes Inside the Network Because of the mobility of the ad hoc network, a compromised node can frequently change its attack target and perform malicious behavior to different node in the network, thus it is very difficult to track the malicious behavior performed by a compromised node especially in a large scale ad hoc network. Therefore, threats from compromised nodes inside the network are far more dangerous than the attacks from outside the network, and these attacks are much harder to detect because they come from the compromised nodes, which behave well before they are compromised. A good example of this kind of threats comes from the potential Byzantine failures encountered in the routing protocol for the mobile ad hoc network. 2.2.3 Lack of Centralized Management Facility Ad hoc networks do not have a centralized piece of management machinery such as a Name Server or Access Point (AP). As a result, detection of attacks is a very difficult problem because it is not easy to monitor the traffic in a highly dynamic and large scale ad hoc network. It is rather common in the ad hoc network that benign failures, such as path breakages, transmission impairments and packet dropping, happen frequently. Therefore, malicious failures will be more difficult to detect, especially when adversaries change their attack pattern and their attack target in different periods of time. For each of the victims, because it can only observe the failure that occurs in itself, this short-time observation cannot produce a convincing conclusion that the failure is caused by an adversary. Thus, the lack of centralized management machinery will cause severe problems when we try to detect the attacks in the ad hoc network. Another issue with lack of centralized administration is that some algorithms in the mobile ad hoc network rely on the cooperative participation of all nodes and the infrastructure. The adversary can make use of this vulnerability and perform some attacks that can break the cooperative algorithm. 2.2.4 Restricted PowerSupply We know that, due to the mobility of nodes in the ad hoc network, it is common that the nodes in the ad hoc network will rely on battery as their power supply method. The first problem that may 13
    • be caused by the restricted power supply is denial-of-service attacks. Since the adversary knows that the target node is battery-restricted, either it can continuously send additional packets to the target and ask it routing those additional packets, or it can induce the target to be trapped in some kind of time-consuming computations. In this way, the battery power of the target node will be exhausted by these meaningless tasks, and thus the target node will be out of service to all the benign service requests since it has run out of power. Furthermore, a node in the mobile ad hoc network may behave in a selfish manner when it finds that there is only limited power supply, and the selfishness can cause some problems when there is a need for this node to cooperate with other nodes to support some functions in the network. Moreover, we should not view all of the selfish nodes as malicious nodes: some nodes may encounter restricted power supply problem and thus behave in a selfish manner, which can be tolerated; however, there can be some other node who intentionally announces that it runs out of battery power and therefore do not want to cooperate with other nodes in some cooperative operation, but actually this node still has enough battery power to support the cooperative operation. 2.2.5 Scalability Unlike the traditional wired network in that its scale is generally predefined when it is designed and will not change much during the use, the scale of the ad hoc network keeps changing all the time: because of the mobility of the nodes in the mobile ad hoc network, you can hardly predict how many nodes there will be in the network in the future. As a result, the protocols and services that are applied to the ad hoc network such as routing protocol and key management service should be compatible to the continuously changing scale of the ad hoc network, which may range from decades of nodes to hundreds of nodes, or even thousands of nodes. In other words, these protocols and services need to scale up and down efficiently. From the discussion in this section, we can safely conclude that the mobile ad hoc network is insecure by its nature: there is no such a clear line of defense because of the freedom for the nodes to join, leave and move inside the network; some of the nodes may be compromised by the adversary and thus perform some malicious behaviors that are hard to detect; lack of centralized machinery may cause some problems when there is a need to have such a centralized coordinator; restricted power supply can cause some selfish problems; and continuously changing scale of the network has set higher requirement to the scalability of the protocols and services in the mobile ad hoc network. As a result, compared with the wired network, the mobile ad hoc network will need more robust security scheme to ensure the security of it. 2.3 Applications With the increase of portable devices as well as progress in wireless communication, ad hoc networking is gaining importance with the increasing number of widespread applications. Ad hoc 14
    • networking can be applied anywhere where there is little or no communication infrastructure or the existing infrastructure is expensive or inconvenient to use. Ad hoc networking allows the devices to maintain connections to the network as well as easily adding and removing devices to and from the network. The set of applications for MANETs is diverse, ranging from large-scale, mobile, highly dynamic networks, to small, static networks that are constrained by power sources. Besides the legacy applications that move from traditional infrastructure environment into the ad hoc context, a great deal of new services can and will be generated for the new environment. It includes: • Military Battlefield • Comercial Sector • Medical Service • Personal Area Network • Rescue Operation 2.4 Summary A MANET is referred to as a network without infrastructure because the mobile nodes in the network dynamically set up temporary paths among themselves to transmit packets.Nodes within each other’s wireless transmission ranges can communicate directly; however, nodes outside each other’s range have to rely on some other nodes to relay messages.A number of challenges like open peer-to-peer network architecture, stringent resource constraints, shared wireless medium, dynamic network topology etc. are posed in MANET.More over, Ad hoc networking allows the devices to maintain connections to the network as well as easily adding and removing devices to and from the network. 15
    • Chapter 3 ATTACKS ON MANET Designing a foolproof security solution for an ad hoc wireless network is a very challenging task. This is mainly because of certain unique characteristics of ad hoc wireless networks, namely, shared broadcast radio channel, insecure operating environment, lack of central authority, lack of association among nodes, limited availability of resources, and physical vulnerability. • Shared broadcast radio channel: Unlike in wired networks where a separate dedicated transmission line can be provided between a pair of end users, the radio channel used for communication in ad hoc wireless networks is broadcast in nature and is shared by all nodes in the network. Data transmitted by a node is received by all nodes within its direct transmission range. So a malicious node could easily obtain data being transmitted in the network. This problem can be minimized to a certain extent by using directional antennas. • Insecure operational environment: The operating environments where ad hoc wireless networks are used may not always be secure. One important application of such networks is in battlefields. In such applications, nodes may move in and out of hostile and insecure enemy territory, where they would be highly vulnerable to security attacks. • Lack of central authority: In wired networks and infrastructure-based wireless networks, it would be possible to monitor the traffic on the network through certain important central points (such as routers, base stations, and access points) and implement security mechanisms at such points. Since ad hoc wireless networks do not have any such central points, these mechanisms cannot be applied in ad hoc wireless networks. • Lack of association: Since these networks are dynamic in nature, a node can join or leave the network at any point of the time. If no proper authentication mechanism is used for associating nodes with a network, an intruder would be able to join into the network quite easily and carry out his/her attacks. • Limited resource availability: Resources such as bandwidth, battery power, and com- putational power (to a certain extent) are scarce in ad hoc wireless networks. Hence, it is difficult to implement complex cryptography-based security mechanisms in such networks. 16
    • • Physical vulnerability: Nodes in these networks are usually compact and hand-held in nature. They could get damaged easily and are also vulnerable to theft. 3.1 Attacks On MANET A variety of attacks are possible in MANET. Some attacks apply to general network, some apply to wireless network and some are specific to MANETs. These security attacks can be classified according to different criteria, such as the domain of the attackers, or the techniques used in attacks. These security attacks in MANET and all other networks can be roughly classified by the following criteria: passive or active, internal or external, different protocol layer, stealthy or non-stealthy, cryptography or non-cryptography related. 3.1.1 Passive vs. Active attacks: The attacks in MANET can roughly be classified into two major categories, namely passive attacks and active attacks. A passive attack obtains data exchanged in the network without disrupting the operation of the communications, while an active attack involves information interruption, modification, or fabrication, thereby disrupting the normal functionality of a MANET. Detection of passive attacks is very difficult since the operation of the network itself does not get affected. One way of overcoming such problems is to use powerful encryption mechanisms to encrypt the data being transmitted, thereby making it impossible for eavesdroppers to obtain any useful information from the data overheard. Passive Attacks Eavesdropping, Traffic Analysis, Monitoring Active Attacks Jamming, Spoofing, Modification, Replaying, DoS Active attacks can be classified further into two categories, namely, external and internal attacks. External attacks are carried out by nodes that do not belong to the network. These attacks can be prevented by using standard security mechanisms such as encryption techniques and firewalls. Internal attacks are from compromised nodes that are actually part of the network. Since the adversaries are already part of the network as authorized nodes, internal attacks are more severe and difficult to detect when compared to external attacks. 3.1.2 Attacks on different layers of the Internet model: The attacks can be further classified according to the five layers of the Internet model. 17
    • Layer Attacks Application Layer Repudiation, Data corruption Transport Layer Session Hijacking, SYN Flooding Network Layer Wormhole, Blackhole, Byzantine, Flooding Location Disclosure, Route Cache Poisoning etc Link Layer Traffic Analysis, NAV attack,WEP weaknesses Disruption of MAC protocol (802.11) Physical Layer Jamming, Interception, Eavesdropping 3.1.3 Stealthy vs. Non-stealthy attacks: Some security attacks use stealth , whereby the attackers try to hide their actions from either an individual who is monitoring the system or an intrusion detection system (IDS). But other attacks such as DoS cannot be made stealthy. 3.1.4 Cryptography vs. non-cryptography related attacks: Some attacks are non-cryptography related, and others are cryptographic primitive attacks. Cryptographic Primitive Attacks Examples Pseudorandom Number Attack Nonce, Timestamp, Initialisation Vector (IV) Digital Signature Attack RSA Signature, ElGamal Signature, Digital Signature Standard (DSS) Hash Collision Attack SHA-0, MD4, MD5, HAVAL-128, RIPEMD 3.1.5 Multi-layer attacks Some security attacks can be launched from multiple layers instead of a particular layer. Examples of multi-layer attacks are denial of service (DoS), man-in-the-middle, and impersonation attacks. • Denial of service: Denial of service (DoS) attacks could be launched from several layers. An attacker can employ signal jamming at the physical layer, which disrupts normal com- munications. At the link layer, malicious nodes can occupy channels through the capture effect, which takes advantage of the binary exponential scheme in MAC protocols and pre- vents other nodes from channel access. At the network layer, the routing process can be interrupted through routing control packet modification, selective dropping, table overflow, or poisoning. At the transport and application layers, SYN flooding, session hijacking, and malicious programs can cause DoS attacks. • Impersonation attacks: Impersonation attacks are launched by using other node’s iden- tity, such as MAC or IP address. Impersonation attacks sometimes are the first step for most attacks, and are used to launch further, more sophisticated attacks. 18
    • • Man-in-the-middle attacks: An attacker sits between the sender and the receiver and sniffs any information being sent between two ends. In some cases the attacker may imper- sonate the sender to communicate with the receiver, or impersonate the receiver to reply to the sender. 3.2 Summary MANETs are characterised by shared broadcast, radio channel, insecure operating environment, lack of central authority, lack of association among nodes, limited availability of resources, and physical vulnerability. The attacks in MANET can roughly be classified into two major cate- gories, namely passive attacks and active attacks.Active attacks can be classified further into two categories, namely, external and internal attacks.External attacks can be prevented by using stan- dard security mechanisms such as encryption techniques and firewalls. Internal attacks are from compromised nodes that are actually part of the network and is very difficult to detect. 19
    • Chapter 4 SECURITY THREATS IN PHYSICAL LAYER As discussed in the previous chapter, we can categorize security attacks according to protocol layers. Now, I will present a survey of security attacks in MANET on each protocol layer used in Internet model. Wireless communication is broadcast by nature. A common radio signal is easy to jam or intercept. An attacker could overhear or disrupt the service of a wireless network physically. The most common physical layer attacks in MANET are eavesdropping, interference, denial-of- service (DoS) and jamming. An attacker with sufficient transmission power and knowledge of the physical and medium access control layer mechanisms can gain access to the wireless medium. Here we will describe eavesdropping, interference and jamming attacks in brief. 4.1 Eavesdropping Eavesdropping is the reading of messages and conversations by unintended receivers. The nodes in MANET share a wireless medium and the wireless communication use the RF spectrum and broadcast by nature which can be easily intercepted with receivers tuned to the proper frequency. As a result transmitted message can be overheard as well as fake message can be injected into the network. 4.2 Jamming Radio signals can be jammed or interfered with, which causes the message to be corrupted or lost. If the attacker has a powerful transmitter, a signal can be generated that will be strong enough to overwhelm the targeted signals and disrupt communications.Jamming attacks can be mounted from a location remote to the target networks. 20
    • 4.3 Summary The most common physical layer attacks in MANET are eavesdropping, interference, denial- of-service (DoS) and jamming.Using Spread spectrum mechanisms e.g. FHSS, DSSS etc. can avoid jamming and eavesdropping.These mechanisms are secure only when the hopping pattern or spreading code is unknown to the eavesdropper. 21
    • Chapter 5 SECURITY THREATS IN LINK LAYER Before going to the security threat in Link layer, let us consider the protocols used in Link layer and major constraints in wireless networks. Major constraints in wireless networks are (1) Hidden node problem and Exposed node problem (2) The received signal energies are very low compared to transmitted signal energy. Hence it is difficult to design reliable collision detection. (Collision detection techniques are used in wired LAN). • Hidden Node Problem Let two nodes a and b have transmission ranges A and B, respectively, as shown in Figure. Let X denote the intersection of A and B. Consider an ongoing transmission from node a. Because node b is out of the transmission range of node a, it cannot sense the carrier from this transmission and can decide to transmit. If node b transmits at the same time as node a, the transmissions from a and b will be received at all nodes in X, and there will be a collision at these receivers. If node a was transmitting to node c in X, then node c will not be able to decode the packet. However, node a will not know of the collision at node c and will continue to transmit; recall that collision detection is not practical in wireless communication. In the scenario just described, we say that node b is hidden from node a with reference to the transmission of node a to node c. Figure 5.1: Hidden Node Problem 22
    • • Exposed Node Problem The interference region of node d is shown as D. Now, suppose the node d wishes to send a packet to node e when node a is transmitting to node c. Node d is within the interference region of node a, and hence node d can sense the signal while node a is transmitting to node c. But the two transmissions, d-e and a-c can co-exist because node c is outside the interference region of node d ; and node e is outside the interference region of node a. But, node d will be forced to defer transmission, on sensing the carrier from node a. So, node d is exposed to a transmission from node . Figure 5.2: Exposed Node Problem Hence, in a wireless network, hidden nodes reduce the capacity by causing collisions at receivers without the transmitter knowing about it, and exposed nodes force a node to be more conservative in its transmission attempts, thus reducing spatial reuse. • Carrier Sense Multiple Access with Collision Avoidance Mechanism (CSMA/CA) Collision Avoidance mechanism (CA) prevents collision due to transmission by hidden nodes. A simple CA mechanism can be implemented by having an auxiliary signaling channel in addition to data channel. A node actively receiving data on the data channel transmits a busy tone on the signaling channel to enable the hidden nodes to defer to receiving nodes in their transmission ranges. But this mechanism is cumbersome and inefficient. An alternate mechanism is to use a handshake between transmitter and receiver. IEEE 802.11 MAC frame exchange protocol addresses the hidden node problem by adding two additional frames. Before transmitting a data packet, a source node transmits a (short) request to send (RTS) packet to the destination. If the destination receives the RTS correctly, it means that it is not receiving any other packet, and it acknowledges the RTS with a clear to send (CTS) packet. The source then begins the packet transmission. If the CTS is not 23
    • received within a specified timeout period, the source assumes that the RTS had a collision at the receiver (most likely with another RTS packet), and a retransmission is attempted after a random backoff period. The RTS is used to inform nodes in the decode region of the transmitter about the imminent transmission of a packet and CTS is used to inform nodes in the decode region of the receiver about the imminent reception of a packet. Hence, hidden nodes are also informed. Figure 5.3: Solving Hidden Node Problem In the above figure, node is a hidden node and it defers the transmission with the reception of CTS packet from node B. If the transmission duration information is also included in the RTS and CTS packets, then nodes in the decode region of both transmitter and receiver can maintain a Network Allocation Vector (NAV) that indicates a remaining time in current transmission and schedule their own transmission to avoid collision. After the completion of RTS/CTS exchange, th e medium is reserved in the region that is union of the decode regions of transmitter and receiver. Hence this channel access mechanism is also called Multiple Access with Channel Acquisition (MACA). Thus, in this protocol, collision, if happens, occurs only for the RTS packet. The RTS/CTS scheme discussed above can only reduce the hidden node problem but does not eliminate it. We know that, nodes in the decode region of receiver is alerted by the CTS. Those nodes in the interference region but not in the decode region of the receiver have just sensed a carrier but do not know the impending packet transmission (since they can’t distinguish a CTS packet and a data packet). Hence, these nodes may transmit during packet transmission which causes collision. Another issue is, any node in the interference region of the transmitter of an ongoing packet is exposed. Even if such a node (node d in the above example) were allowed to transmit an RTS to a node (node e, which is outside the interference region of the ongoing transmission), it will itself not able to receive the subsequent CTS because collision occurs (node d is in the interference region of node a). Hence, exposed node will not know if it can transmit. 24
    • 5.1 IEEE 802.11 MAC Protocol Two basic protocols used are (1) Polling based protocol called Point Coordination Function (PCF) (2) Random access protocol called Distributed Coordination Function (DCF) PCF needs a centralized controller and hence can be used only in infrastructure based network. DCF is used for infrastructure based and ad hoc based network. Since we are dealing with mobile ad hoc network, will consider DCF in detail. The distributed coordinating function (DCF) of 802.11 specifies the use of CSMA/CA to reduce packet collisions in the network. A node with a packet to transmit picks a random backoff value b chosen uniformly from the range (0,CW) were CW is the contention window size, and transmits after waiting for b idle slots. Nodes exchange request to send (RTS) and clear to send (CTS) packets to reserve the channel before transmission. Three values for interframe space (IFS) are defined to provide priority-based access to the radio channel. SIFS is the shortest interframe space and is used for ACK, CTS and poll response frames. DIFS window is used for nodes wishing to initiate a new frame exchange. When the DIFS timer expires, each node enters a backoff phase. Here, random backoff is used to avoid collision. The following points are important regarding the backoff phase. • The node that just completed its data transmission samples a new random backoff value. • If a node was already in backoff when a particular node started its transmission, the for- mer node backoff timer is frozen. After data transmission, the former node continues the remainder of its backoff value. • A collision occurs if two node finishes their backoff simultaneously. In this case, both RTS packet will collide. As a result, a CTS timeout occurs after which the colliding node starts the backoff timer with double the contention window (CW). After the collision event, the nodes that were not involved in the collision continue their backoffs with their residual backoff timers. Consider three nodes Na, Nb and Nc in which node Na wants to send a data packet to node Nb. After DIFS duration, node Na sends an RTS packet to Nb. RTS frame containing the time needed to complete the CTS, data, and ACK frames. Every node receiving this RTS packet now sets its net allocation vector (NAV) in accordance with the duration field. The NAV then specifies the earliest point at which the other stations can try to access the medium again. Node Nb after waiting for SIFS will replies with a CTS packet to node Na. This CTS packet contains the duration field again and all stations receiving this packet from the node Nb have to adjust their NAV. Now all the nodes within the receiving distance are informed that they have to wait more time before accessing the medium. Basically this mechanism reserves the medium for one sender exclusively and hence the name, virtual reservation scheme. Now, node Na after waiting for SIFS 25
    • duration sends data packet to node Nb. Node Nb after waiting SIFS duration will send an ACK packet to node Na. Figure 5.4: Illustration of Channel Contention in 802.11 MAC 5.2 Vulnerabilities in Link Layer The wireless MAC protocol assumes cooperative behavior among all nodes. Obviously, malicious or selfish nodes are not forced to follow the normal operation of the protocol. An attacker can launch the following attack in the link layer by exploiting certain features used in MAC protocol. 1. An attacker can exploit the binary backoff scheme to launch DoS attack in IEEE 802.11 MAC protocol. The binary exponential scheme favors the last winner amongst the contending node. This will lead to a phenomenon called capture effect. The nodes that are heavily loaded tend to capture the channel by continuously sending data, thereby causing lightly loaded neighbors to backoff endlessly. Malicious node can take the advantage of this capture effect vulnerability. Figure 5.5: NAV Attack 2. Attacker can manipulate the size of Network Allocation Vector (NAV) and assign large idle time period to its neighbors. 3. Selfish node will wait for smaller backoff interval than the well behaved nodes. 4. Attacker may not wait for SIFS or DIFS duration. 26
    • 5.3 Summary The wireless MAC protocol assumes cooperative behavior among all nodes in the ad hoc network. A malicious or selfish nodes are not forced to follow the normal operation of the protocol. 27
    • Chapter 6 SECURITY THREATS IN NETWORK LAYER Before going to the details of security threat in Network Layer, let us have look on the different routing protocols used in MANET. As nodes are mobile in a MANET, links are created and destroyed in an unpredictable way, which makes quite challenging the determination of routes between a pair of nodes that want to communicate with each other. In this context, a great number of routing protocols have been proposed. Such routing protocols can be classified into two major classes: (1) proactive routing protocols (2) reactive routing protocols. In reactive routing protocols the communication is only possible when the source node requests to communicate with the other node. Reactive MANET Protocols are mostly suited for nodes with high mobility or nodes that transmit data rarely. Here, we will discuss two reactive routing protocols namely, AODV and DSR. Proactive routing protocol detects the layout of the network actively. A routing table can be maintained at every node from which a route can be determined with less delay. The proactive routing protocols provide good reliability on the current network topology and low latency for deciding a route. We will discuss OLSR protocol in this literature survey. An ad hoc routing protocol is a standard that controls the decision of the nodes that which route the nodes have to taken from source to destination. When a node wants to join a network, it discovers the topology by announcing its presence, and listening to broadcasts from other nodes in the network. This routing discovery is performed differently according to the routing protocol algorithm implemented in the network. 6.1 Reactive Routing Protocol: Reactive routing protocols are called on-demand routing protocols so these routing protocols are called when they are needed and the routes are built. These routes can be acquired by sending 28
    • route requests through the network. Disadvantage of this algorithm is that it offers high latency in searching a network. 6.1.1 DSR (Dynamic Source Routing) The Dynamic Source Routing (DSR) protocol is an on-demand routing protocol that is based on the concept of source routing. The protocol is composed of the two main mechanisms of "Route Discovery" and "Route Maintenance", which work together to allow nodes to discover and maintain routes to arbitrary destinations in the ad hoc network. Each node will maintain a route cache which stores routes to the destination. Entries in the route cache are continually updated as new routes learned. Route Discovery: When a mobile node has a packet to send to some destination, it first consults its route cache to determine whether it already has a route to the destination. If it has an unexpired route to destination, it will use this route to send the packet. On the other hand, if the node does not have such a route, it initiates route discovery by broadcasting route request (RREQ) packet. This route request contains the address of the destination, along with source node’s address and a unique identification number. Each node receiving the packet checks whether it knows of a route to the destination. If it does not have a route, it adds its own address to the route record of the packet and then forwards the packet along its outgoing links. A route reply is generated when the route request reaches the destination, or an intermediate node which contains in its route cache an unexpired route to destination. Consider four nodes say A, B, C and D as shown in the figure below. Let node A is the source and node D is destination. When node A wish to send a data packet to the node D, It will first check its route cache that whether it has direct route to node D or not. If node A does not have a direct route to node D, then it will broadcast a RREQ message in the network. The neighbor node B will get the RREQ message. First node B will check its route cache that whether it have a direct route to the destination node D or not, If it finds a route to the destination node D, it will send a RREP message to the source node A. In the reply of that message the source node A will start sending the data packets (DP) on the discovered route. If it didn’t discover the route from node B to node D so it forwards the message RREQ to the next node C and store the route AB in the cache. The process is going on until the RREQ message reached to destination node D. The destination node D caches the routes AB, BC and CD in its memory and sends a RREP message to the source node A. 29
    • Figure 6.1: Route Discovery in DSR Route Maintenance: The route maintenance uses two kind of messages i.e. route error (RERR) and acknowledgement (ACK). The messages successfully received by the destination nodes send an acknowledgement ACK to the sender. Such as the packets transmitted successfully to the next neighbors nodes gets acknowledgement. If there is some problem in the communication network a route error message denoted by RERR is transmitted to the sender, that there is some problem in the transmission. In other words the source didn’t get the ACK packet due to some problem. So the source gets the RERR packet in order to re initiate a new route discovery. By receiving the RERR message the nodes remove the route entries. In figure below, four nodes are shown i.e. A, B, C and D. The node A sends a message to destination node D. The message goes on up to the node C, while receiving the ACK message up to node B. When the node C forward the RREQ message to the node D and it does not receive the ACK message from node D. The node C recognizes that there is some problem in the transmission. So the node C sends a RRER message to the source node A, which in return search for a new route to the destination node D. Figure 6.2: Route Maintenance in DSR 6.2 Proactive Routing Protocol The routing information about all the nodes is build and maintained by the proactive protocols. The proactive routing protocols are independent of whether or not the route is needed. Control messages are transmitted with periodically intervals. Even if there is no data flow still control messages are transmitted. Because of these control messages proactive routing protocols are not bandwidth efficient. There are many advantages and disadvantages of proactive routing protocols. One of its advantages is that the nodes can easily get routing information, and it easily starts a 30
    • session. The disadvantages are, too much data kept by the nodes for route maintenance, when there is a particular link failure its reform is too slow. Now, we will discuss two proactive routing protocols namely Destination-Sequenced Distance-Vector (DSDV) protocol and the Optimized Link State Routing (OLSR) protocol. 6.2.1 Destination-Sequenced Distance-Vector Routing (DSDV) DSDV is a table-driven routing protocol based on the Bellman-Ford algorithm. The DSDV pro- tocol can be used in mobile ad hoc networking environments by assuming that each participating node acts as a router. Each node must maintain a table that consists of all the possible destina- tions. An entry of the table contains the address identifier of a destination, the shortest known distance metric to that destination measured in hop counts and the address identifier of the node that is the first hop on the shortest path to the destination. Furthermore, the DSDV protocol adds a sequence number to each table entry assigned by the destination node, preventing the for- mation of routing loops caused by stale routes. The routing tables are maintained by periodically transmitted updates by each router to all the neighboring routers. 6.3 Secure Routing in MANET Unlike the traditional wired Internet, where dedicated routers controlled by the Internet service providers (ISPs) exist, in ad hoc wireless networks, nodes act both as regular terminals (source or destination) and also as routers for other nodes. In the absence of dedicated routers, providing security becomes a challenging task in these networks. Various other factors which make the task of ensuring secure communication in ad hoc wireless networks include the mobility of nodes, a promiscuous mode of operation, limited processing power, and limited availability of resources such as battery power, bandwidth, and memory. 6.3.1 Requirements of a Secure Routing Protocol for MANET The fundamental requisites of a secure routing protocol for ad hoc wireless networks are listed as follows: • Detection of malicious nodes: A secure routing protocol should be able to detect the presence of malicious nodes in the network and should avoid the participation of such nodes in the routing process. Even if such malicious nodes participate in the route discovery process, the routing protocol should choose paths that do not include such nodes. • Guarantee of correct route discovery: If a route between the source and the destination nodes exists, the routing protocol should be able to find the route, and should also ensure the correctness of the selected route. 31
    • • Confidentiality of network topology: We know that, an information disclosure attack may lead to the discovery of the network topology by the malicious nodes. Once the network topology is known, the attacker may try to study the traffic pattern in the network. If some of the nodes are found to be more active compared to others, the attacker may try to mount (e.g., DoS) attacks on such bottleneck nodes. This may ultimately affect the on-going routing process. Hence, the confidentiality of the network topology is an important requirement to be met by the secure routing protocols. • Stability against attacks: The routing protocol must be self-stable in the sense that it must be able to revert to its normal operating state within a finite amount of time after a passive or an active attack. The routing protocol should take care that these attacks do not permanently disrupt the routing process. The protocol must also ensure Byzantine robustness, that is, the protocol should work properly even if some of the nodes, which were earlier participating in the routing process, turn out to become malicious at a later point of time or are intentionally damaged. Secure routing protocols are discussed in ‘Network Layer Defense’ 32
    • The main assumption of the previously presented ad hoc routing protocols is that all partici- pating nodes do so in good faith and without maliciously disrupting the operation of the protocol. We know that, network layer protocols extend connectivity from neighboring 1-hops nodes to all other nodes in MANET. The connectivity between mobile hosts over a multi-hop wireless link re- lies heavily on cooperation among all network nodes. By attacking the routing protocols, attackers can absorb network traffic, inject themselves into the path between the source and destination, and thus control the network traffic flow. The attacking node could forward the packet to a non- optimal path, which could introduce significant delay. In addition, the packets could be forwarded to a nonexistent path and get lost. The attackers can create routing loops, introduce severe net- work congestion, and channel contention into certain areas. Multiple colluding attackers may even prevent a source node from finding any route to the destination, causing the network to partition, which triggers excessive network control traffic, and further intensifies network congestion and performance degradation. 6.4 Attacks at the routing discovery phase There are malicious routing attacks that target the routing discovery or maintenance phase by not following the specifications of the routing protocols. Routing message flooding attacks, such as hello flooding, RREQ flooding, acknowledgement flooding, routing table overflow, routing cache poisoning, and routing loop are simple examples of routing attacks targeting the route discovery phase. We know that proactive routing algorithms, such as DSDV and OLSR, attempt to discover routing information before it is needed, while reactive algorithms, such as DSR and AODV, create routes only when they are needed. Thus, proactive algorithms performs worse than on-demand schemes because they do not accommodate the dynamic of MANETs, clearly proactive algorithms require many costly broadcasts. Proactive algorithms are more vulnerable to routing table overflow attacks. Some of these attacks are listed below. • Routing table overflow: In this type of attack, an attacking node advertises routes to non-existent nodes, to the authorized nodes present in the network. The main objective of such an attack is to cause an overflow of the routing tables, which would in turn prevent the creation of entries corresponding to new routes to authorized nodes. Proactive routing protocols are more vulnerable to this attack compared to reactive routing protocols. • Routing table poisoning: Here, the compromised nodes in the networks send fictitious routing updates or modify genuine route update packets sent to other uncompromised nodes. Routing table poisoning may result in sub-optimal routing, congestion in portions of the network, or even make some parts of the network inaccessible. • Packet replication: In this attack, an attacking node replicates stale packets. This con- sumes additional bandwidth and battery power resources available to the nodes and also causes unnecessary confusion in the routing process. 33
    • • Route cache poisoning: In the case of on-demand routing protocols (such as the AODV protocol), each node maintains a route cache which holds information regarding routes that have become known to the node in the recent past. Similar to routing table poisoning, an attacking node can also poison the route cache to achieve similar objectives. 6.5 Attacks at data forwarding phase Some attacks also target data packet forwarding functionality in the network layer. In this sce- nario the malicious nodes participate cooperatively in the routing protocol routing discovery and maintenance phases, but in the data forwarding phase they do not forward data packets consis- tently according to the routing table. Malicious nodes simply drop data packets quietly, modify data content, replay, or flood data packets; they can also delay forwarding time-sensitive data packets selectively or inject junk packets 6.6 Advanced Attacks 6.6.1 Wormhole Attack: Wormhole attack is also known as tunneling attack. A tunneling attack is where two or more nodes may collaborate to encapsulate and exchange messages between them along existing data routes. Once the wormhole link is established, the attacker captures the packet on one end, sends them through the wormhole link and replays them at the other end. The tunnel can be established in many different ways, such as through an out-of-band hidden channel (e.g., a wired link), packet encapsulation, or high powered transmission. Wormhole using Encapsulation: In the figure below, M1 and M2 are two malicious nodes that encapsulate data packets and falsified the route lengths. Figure 6.3: Wormhole Attack Suppose node S wishes to form a route to D and initiates route discovery. When M1 receives a 34
    • RREQ from S, M1 encapsulates the RREQ and tunnels it to M2 through an existing data route, in this case {M1 - A - B - C - M2}. Note that due to the packet encapsulation, the hop count does not increase during the traversal through {M1 - A - B - C - M2}. When M2 receives the encapsulated RREQ on to D as if had only traveled {S - M1 - M2 - D}. After route discovery, the destination finds two routes from S of unequal length: one is of 5 and another is of 4. If M2 tunnels the RREP back to M1, S would falsely consider the path to D via M1 is better than the path to D via A. Thus, tunneling can prevent honest intermediate nodes from correctly incrementing the metric used to measure path lengths. Any routing protocol that uses the metric of shortest path to choose the best route is vulnerable to this mode of wormhole attack. Wormhole using Out-of-Band Channel: The second mode for this attack is the use of an out of band channel. This channel can be achieved, for example, by using a long range directional wireless link or a direct wired link. This mode of attack is more difficult to launch than the previous one since it needs specialized hardware capability. Consider the scenario shown in figure below. Node A sends a RREQ to node B, and nodes M1 and M2 are malicious nodes having an out-of-band channel between them. Figure 6.4: Wormhole attack using Out-of-Band Channel Node M1 tunnels the RREQ to M2, which is a not a legitimate neighbor of B. Node M2 broadcasts the packet to its neighbors, including B. B gets two RREQs namely {A - M1 - M2 - B} and {A - C - D - E - F - B}. The first route is both shorter and faster than the second route, and is thus chosen by B. Wormhole with High Power Transmission: Another method is the use of high power transmission. In this mode, when a single malicious node gets a RREQ, it broadcasts the request at a high power level, a capability which is not available to other nodes in the network. Any node that hears the high-power broadcast rebroadcasts it towards the destination. By this method, the malicious node increases its chance to be in the routes established between the source and the destination even without the participation of a colluding node. 35
    • 6.6.2 Blackhole attack In this attack, a malicious node falsely advertises good paths to the destination node with the intention of intercepting all data packets being sent to the destination node concerned. The backhole attack is performed in two steps. At first step, the malicious node exploits the mobile ad hoc routing protocol such as AODV, to advertise itself as having a valid route to a destination node, even though the route is spurious, with the intention of intercepting the packets. In second step, the attacker consumes the packets and never forwards. In an advanced form, the attacker suppresses or modifies packets originating from some nodes, while leaving the data from the other nodes unaffected. In this way, the attacker falsified the neighboring nodes that monitor the ongoing packets. In the figure below, node 1 wants to send data packets to node 4 and initiates the route discovery process. We assume that node 3 is a malicious node and it claims that it has route to the destination whenever it receives RREQ packets, and immediately sends the response to node 1. If the response from the node 3 reaches first to node 1 then node 1 thinks that the route discovery is complete, ignores all other reply messages and begins to send data packets to node 3. As a result, all packets through the malicious node is consumed or lost. Figure 6.5: Blackhole Attack 6.6.3 Byzantine attack Here, a compromised intermediate node or a set of compromised intermediate nodes works in collusion and carries out attacks such as creating routing loops, routing packets on non-optimal paths, and selectively dropping packets. Byzantine failures are hard to detect. The network would seem to be operating normally in the viewpoint of the nodes, though it may actually be exhibiting Byzantine behavior. This attack will degrade the routing performance and also disrupts the routing services. 6.6.4 Information disclosure A compromised node may leak confidential or important information to unauthorized nodes in the network. Such information may include information regarding the network topology, geographic location of nodes, or optimal routes to authorized nodes in the network. 36
    • 6.6.5 Resource consumption attack In this attack, a malicious node tries to consume/waste away resources of other nodes present in the network. The resources that are targeted are battery power, bandwidth, and computational power, which are only limitedly available in ad hoc wireless networks. The attacks could be in the form of unnecessary requests for routes, very frequent generation of beacon packets, or forwarding of stale packets to nodes. Using up the battery power of another node by keeping that node always busy by continuously pumping packets to that node is known as a sleep deprivation attack. 6.6.6 Rushing attack On-demand routing protocols that use duplicate suppression during the route discovery process are vulnerable to this attack. An attacking node which receives a RouteRequest packet from the source node floods the packet quickly throughout the network before other nodes which also receive the same RouteRequest packet can react. Nodes that receive the legitimate RouteRequest packets assume those packets to be duplicates of the packet already received through the attacking node and hence discard those packets. Any route discovered by the source node would contain the attacking node as one of the intermediate nodes. Hence, the source node would not be able to find secure routes, that is, routes that do not include the attacking node. It is extremely difficult to detect such attacks in ad hoc wireless networks. 6.7 Summary The network layer of the MANET is more immune to attack than all other layers. A good secure routing algorithm can prevent the attack in a more efficient manner. There is no unique algorithm that can prevent all the vulnerabilities. They should be used in cooperation with each other. 37
    • Chapter 7 SECURITY THREATS IN TRANSPORT LAYER The objectives of TCP-like Transport layer protocols in MANET include setting up of end-to-end connection, end-to-end reliable delivery of packets, flow control, congestion control, and clearing of end-to-end connection. Before going to the discussion of transport layer attack, let us consider a brief review of TCP Connection Management. 7.1 Establishing a TCP connection Here, we are assuming a client-server model in which a client wants to establish a connection with the server. For that client application process first informs the client TCP that it wants to establish a connection to a process in the server. The TCP in the client then proceeds to establish a TCP connection with the TCP in the server in the following manner. 1. The client side TCP first sends a special TCP segment to the server side TCP. This TCP segment contains no application data but one of the flag bits in the segment’s header, the so- called SYN bit, set to 1. Hence this special segment is also called SYN segment. Also, the client randomly chooses an initial sequence number say client_isn and puts this number in the sequence number field of the initial TCP SYN segment. 2. Once the TCP SYN segment arrives at server, it allocates TCP buffers and variables to the connection and sends a connection granted segment to the client TCP. Connection granted segment also contains no application data. However, it does contain three important pieces of information in the segment header. First, the SYN bit is set to 1. Second, the acknowledgment field of the TCP segment header is set to client_isn+1. Finally, the server chooses its own initial sequence number (server_isn) and puts this value in the sequence number field of the TCP segment header. The connection-granted segment is sometimes referred to as a SYN-ACK segment. This connection granted segment is saying, in effect, "I received your SYN packet to start a connection with your initial sequence number, client_isn. I agree to establish this connection. My own initial 38
    • sequence number is server_isn." 3. Upon receiving SYNACK segment, client also allocates buffers and variables to the connec- tion. The client host then sends the server yet another segment which acknowledges the server’s connection granted segment with SYN bit is reset to 0, ACK field = server_isn+1, sequence field = client_isn+1. This segment is also called ACK segment. Figure 7.1: TCP 3-way handshake 7.2 Closing TCP connection Suppose, client application process issues a connection close command. This causes, 1. Client TCP sends a special TCP segment with FIN flag bit set to 1. 2. Server receives the segment and it sends the client an acknowledgement segment in return. 3. Server then sends its own shutdown message with FIN = 1 4. Finally, the client acknowledges the server shutdown message Figure 7.2: TCP connection termination 39
    • 7.3 Attacks in Transport Layer The 3-way handshake allows two nodes to learn that other is ready to communicate and to agree on initial sequence numbers for the conversation. From the above discussion, allocation of buffers and variables before completing the third step of the 3-way handshake makes TCP vulnerable to DoS attack. Different Link Layer attack can be classified as (i) SYN Flooding Attack (ii) Session Hijacking 7.3.1 SYN flooding attack The SYN flood attack sends TCP connections requests faster than a machine can process them. It is a denial-of-service attack in which an attacker creates a large number of half-opened TCP connections with a victim node, but never completes the handshake to fully open the connection. For two nodes to communicate using TCP, they must first establish a TCP connection using a three-way handshake. The three messages exchanged during the handshake allow both nodes to learn that the other is ready to communicate and to agree on initial sequence numbers for the conversation. Attacker, first create a half open connection with the neighboring node. Creating half-open connections is easily accomplished with IP spoofing. The attacking system sends SYN messages to the victim node. The SYN-ACK packets are sent out from the victim node right after it receives the SYN packets from the attacker and then the victim waits for the response of ACK packet. Without receiving the ACK packets, the half-open data structure remains in the victim node. Attacker, in this way sends a large amount of SYN packets to a victim node. If the victim node stores these half-opened connections in a fixed-size table while it awaits the acknowledgement of the three-way handshake, all of these pending connections could overflow the buffer, and the victim node would not be able to accept any other legitimate attempts to open a connection. Normally there is a time-out associated with a pending connection, so the half-open connections will eventually expire and the victim node will recover. However, malicious nodes can simply continue sending packets that request new connections faster than the expiration of pending connections. 7.3.2 Session Hijacking Session hijacking is a critical error and gives a malicious node the opportunity of behaving as a legitimate system. All the communications are authenticated only at the beginning of session setup. The attacker may take the advantage of this and commit session hijacking attack. At first, the attacker spoofs the victim’s IP address, determines the correct sequence number that is expected by the target, and then performs a DoS attack on the victim. As a result, the target system becomes unavailable for some time. Thus the attacker impersonates the victim node and continues the session with the target. 40
    • 7.3.3 TCP ACK Storm An attacker can start a TCP ACK storm problem after hijacking a TCP session. ACK storm refers to a situation when a large numbers of Transmission Control Protocol (TCP) acknowledgment (ACK) packets are generated, usually because of an attempted session hijacking Figure 7.3: TCP ACK Storm The attacker sends injected session data, and node A will acknowledge the receipt of the data by sending an ACK packet to node B. This packet will not contain a sequence number that node B is expecting (because node B hasn’t sent any data), so when node B receives this packet, it will try to resynchronize the TCP session with node A by sending it an ACK packet with the sequence number that it is expecting. The cycle goes on and on, and the ACK packets passing back and forth create an ACK storm. Hijacking a session over UDP is the same as over TCP, except that UDP attackers do not have to worry about the overhead of managing sequence numbers and other TCP mechanisms. Since UDP is connectionless, edging into a session without being detected is much easier than the TCP session attacks. 7.4 Summary From the above discussion, it is clear that both TCP and UDP are vulnerable to attack. Attack on UDP is more easier since the attacker need nod be woried about the overhead of managing the sequence number. 41
    • Chapter 8 SECURITY THREATS IN APPLICATION LAYER The application layer communication is also vulnerable to attacks compared with other layers. The application layer contains user data, and it normally supports many protocols such as HTTP, SMTP, TELNET, and FTP, which provide many vulnerabilities and access points for attackers. The application layer attacks are attractive to attackers because the information they seek ulti- mately resides within the application and it is direct for them to make an impact and reach their goals. 8.1 Malicious code attacks: Malicious code, such as viruses, worms, spywares, and Trojan Horses, can attack both operating systems and user applications. These malicious programs usually can spread themselves through the network and cause the computer system and networks to slow down or even damaged. In MANET, an attacker can produce similar attacks to the mobile system of the ad hoc network. 8.2 Repudiation attacks: In the network layer, firewalls can be installed to keep packets in or keep packets out. In the transport layer, entire connections can be encrypted, end-to-end. But these solutions do not solve the authentication or non-repudiation problems in general. Repudiation refers to a denial of participation in all or part of the communication. For example, a selfish person could deny conducting an operation on a credit card purchase, or deny any on-line bank transaction, which is the prototypical repudiation attack on a commercial system. 42
    • 8.3 Summary The application layer attacks are attractive to attackers because the information they seek ulti- mately resides within the application and it is direct for them to make an impact and reach their goals.The main security issues involved in application layers are detecting and preventing viruses, worms, malicious codes and application abuses. 43
    • Chapter 9 COUNTERMEASURES The ultimate goals of the security solutions for MANETs is to provide security services to mobile users, such as 1. Authentication, 2. Confidentiality, 3. Integrity, 4. Non-repudiation 5. Availability In order to achieve this goal, the security solution should provide complete protection spanning the entire protocol stack. There is no single mechanism that will provide all the security services in MANETs. • Authentication: Authentication ensures that the access and supply of data is done only by the authorized parties. It is concerned with assuring that a communication is authentic. In the case of a single message, such as a warning or alarm signal, the function is to assure the recipient that the message is from the source that it claims to be from. In wired network and infrastructure based wireless network, it is possible to implement a central authority at a point such as router, base station, or access point. But in MANETs, there will not be any central authority so that it is much more difficult to authenticate an entity. Authentication can be provided by using encryption along with cryptographic hash function, digital signature and certificates. • Confidentiality: Confidentiality ensures that certain information is only readable or acces- sible by the authorized party. Basically, it protects data from passive attacks. Transmission of sensitive information such as military information requires confidentiality. MANETs uses an open media, so usually all nodes within the direct transmission range can obtain the data. One way to keep information confidential is to encrypt the data, and another technique is 44
    • to use directional antennas. It also ensures that the transmitted data can only be accessed by the intended receivers. • Integrity: Integrity guarantees that the authorized parties are only allowed to modify the information or messages. To protect the integrity of information one must employ suitable validation techniques like digital signature. • Availability: Availability refers to allowing legitimate users to access confidential informa- tion after they have been properly authenticated. Availability ensures the survivability of network services despite of various attacks. For example, on the physical and media access control layers, an attacker could employ jamming to interfere with communication on phys- ical channel while on network layer it could disrupt the routing protocol and continuity of services of the network. • Non-Repudiation: Non-Repudiation prevents either sender or receiver from denying a transmitted message. Thus, when a message is sent, the receiver can prove that the message was in fact sent by the alleged sender. On the other hand, after sending a message, the sender can prove that the message was received by the alleged receiver. Non-repudiation is useful for detection and isolation of compromised nodes. When node A receives an erroneous message from node B, non-repudiation allows A to accuse B using this message and to convince other nodes that B is compromised. • Scalability: Even though, scalability is not directly related to security, it is very important issue that has a great impact on security services. An ad hoc network may consist of hundreds or even thousands of nodes. Security mechanisms should be scalable to handle such a large network . Otherwise, the newly added node in the network can be compromised by the attacker and used for gaining unauthorized access of the whole system. It is very easy to make an island-hopping attack through one rough point in a distributed network. A variety of security mechanisms have been invented to counter malicious attacks. The conven- tional approaches such as authentication, access control, encryption, and digital signature provide a first line of defense. As a second line of defense, intrusion detection systems and cooperation en- forcement mechanisms implemented in MANET can also help to defend against attacks or enforce cooperation, reducing selfish node behavior. 9.1 Preventive mechanism: The conventional authentication and encryption schemes are based on cryptography, which in- cludes asymmetric and symmetric cryptography. Cryptographic primitives such as hash values (message digests) are sufficient in providing data integrity in transmission as well. Threshold cryptography can be used to hide data by dividing it into a number of shares. Digital signatures 45
    • can also be used to achieve data integrity and authentication services. It is also necessary to consider the physical safety of mobile devices, since the hosts are normally small devices, which are physically vulnerable. For example, a device could easily be stolen, lost, or damaged. In the battlefield they are at risk of being hijacked. The protection of the sensitive data on a physical device can be enforced by some security modules, such as tokens or a smart card that is accessible through PIN, passphrases, or biometrics. 9.2 Reactive mechanism: A number of malicious attacks could bypass the preventive mechanisms due to its design, imple- mentation, or restrictions. An intrusion detection system provides a second line of defense. There are widely used to detect misuse and anomalies. A misuse detection system attempts to define im- proper behavior based on the patterns of well-known attacks, but it lacks the ability to detect any attacks that were not considered during the creation of the patterns; Anomaly detection attempts to define normal or expected behavior statistically. It collects data from legitimate user behavior over a period of time, and then statistical tests are applied to determine anomalous behavior with a high level of confidence. In practice, both approaches can be combined to be more effective against attacks. Cooperation enforcement such as Nuglets, Confidant, CORE and Token-based reduce selfish node behavior. Now, we will describe the attack countermeasures in each layer of the internet model. 46
    • 9.3 Physical layer defense Spread spectrum technology, such as frequency hopping (FHSS) or direct sequence (DSSS) can make it difficult to detect or jam signals. It changes frequency in a random fashion to make signal capture difficult or spreads the energy to a wider spectrum so the transmission power is hidden behind the noise level. 9.3.1 FHSS The signal is modulated with a seemingly random series of radio frequencies, which hops from frequency to frequency at fixed intervals. The receiver uses the same spreading code, which is synchronized with the transmitter, to recombine the spread signals into their original form. With the transmitter and the receiver synchronized properly, data is transmitted over a single channel. However, the signal appears to be unintelligible duration impulse noise for the eavesdroppers. Meanwhile, interference is minimized as the signal is spread across multiple frequencies. 9.3.2 DSSS Each data bit in the original signal is represented by multiple bits in the transmitted signal, using a spreading code. The spreading code spreads the signal across a wider frequency band in direct proportion to the number of bits used. The receiver can use the spreading code with the signal to recover the original data. Figure below illustrates that each original bit of data is represented by 4 bits in the transmitted signal. Figure 9.1: Illustration of Direct Sequence Spread Spectrum The first bit of data, a 0 is transmitted as 0110 which is first 4 bits of spreading code. The second bit, 1, is transmitted as 0110 which is bit-wise complement of the second 4 bits of spreading code. In turn, each input bit is combined, using EX-OR, with four bits of the spreading code. Both FHSS and DSSS pose difficulties for outsiders attempting to intercept the radio signals. The eavesdropper must know the frequency band, spreading code, and modulation techniques in order to accurately read the transmitted signals. Spread spectrum technology also minimizes the potential for interference from other radios and electromagnetic devices. 47
    • 9.4 Link Layer Defense As we discussed earlier, a selfish node will select a lower backoff value and such selfish node seriously degrade the performance of well behaving node. So we have to identify the selfish or misbehaving nodes avoid such nodes for routing. Also, we have to design a protocol that will encourage the cooperation by penalizing the misbehaving nodes. Intrusion Detection System (IDS) can be used for identifying misbehaving nodes. This can be done by developing a long-term profile of “normal” activities, and identify intrusion by observ- ing deviations from the measured profile. We know that, the time interval between consecutive transmissions by the sender can be any value within the range of (0, CW). Hence, a receiver that observes the time interval between consecutive transmissions from the sender cannot distinguish a well-behaved sender that legitimately selected a small random backoff, from a misbehaving sender that maliciously selected a nonrandom small backoff. It may be possible to detect sender misbe- havior by observing the behavior of senders over a large sequence of transmissions, but this may introduce a large delay in detecting misbehavior. In addition, it may not be feasible to monitor the behavior of senders over a large sequence of transmissions when the node mobility is high. In a proposed protocol, instead of the sender selecting random backoff values to initialize the backoff counter, the receiver selects a random backoff value and sends it in the CTS and ACK packets to the sender. The sender uses this assigned backoff value in the next transmission to the receiver. With these modifications, a receiver can identify senders deviating from the protocol by observing the number of idle slots between consecutive transmissions from the sender. If this observed number of idle slots is less than the assigned backoff, then the sender may have deviated from the protocol. Now, the protocol will discourage the misbehavior by penalizing those deviating nodes. When the receiver perceives a sender to have waited for less than the assigned backoff, it adds a penalty to the next backoff assigned to that sender. If the sender does not backoff for the duration specified by the penalty, it significantly increases the probability of detecting misbehavior reliably .On the other hand, a misbehaving sender which backs off for the duration specified by the penalty does not obtain significant throughput advantage over other well-behaved nodes. Hence, with the proposed scheme, it is difficult for a misbehaving node to obtain an unfair share of the channel bandwidth while eluding detection. But, this protocol cannot be used for ad hoc network since the receiver cannot be trusted. Another proposal is a statistical approach to detect NAV attack. That is, to detects the misbehaving nodes by monitoring the RTS and CTS frame duration. It is essential to monitor and inspect the network activities and study the network performance statistics under normal condition. This statistic can be used as a tool against which any unexpected change can be compared, to identify an intruder. The statistics used in this study is the packets received from each transmitting node. The statistic will follow a uniform distribution under normal packet transfer for all transmitting nodes. In the presence of an attacker (a node which keeps the RTS duration field a large value), the statistics will no longer be uniformly distributed. 48
    • Finally, the common known security fault in link layer is the weakness of WEP. Fortunately, the 802.11i/WPA has mended all obvious loopholes in WEP and future countermeasures such as RSN/AES-CCMP are also being developed to improve the strength of wireless security. 9.4.1 Summary The security issues that are closely related to link layer are protecting the wireless MAC protocol and providing link-layer security support. One of the vulnerabilities in link layer is its binary exponential backoff scheme. But recently a security extension to 802.11 proposed in which the original 802.11 backoff scheme is slightly modified in that the backoff timer at the sender is provided by the receiver in stead of setting an arbitrary timer value on its own. As mentioned earlier, the threats of resource consumption (using NAV field) is still an open challenge though some schemes have been proposed such as ERA-802.11. Finally, the common known security fault in link layer is the weakness of WEP. Fortunately, the 802.11i/WPA has mended all obvious loopholes in WEP and future countermeasures such as RSN/AESCCMP are also being developed to improve the strength of wireless security. 49
    • 9.5 Network Layer Defense There exist several proposals that attempt to design a secure routing protocol for ad hoc networks, in order to offer protection against the attacks mentioned in the chapter ’Security Threat in Network Layer ’. These proposed solutions are either completely new stand-alone protocols, or in some cases incorporations of security mechanisms into existing ones (like DSR and AODV). As we will see, the design of these solutions focuses on providing countermeasures against specific attacks, or sets of attacks. 9.5.1 Secure Routing Protocols Some of the secure routing protocol is briefly discussed below. ARAN Authenticated Routing for Ad-hoc Networks (ARAN) is an on-demand routing protocol that de- tects and protects against malicious actions carried out by third parties and peers in particular ad- hoc environment. This protocol introduces authentication, message integrity and non-repudiation as a part of a minimal security policy. Though ARAN is designed to enhance ad-hoc security, still it is not immune to rushing attack. ARIADNE ARIADNE is an On-demand Secure Ad-hoc routing protocol based on DSR that implements highly efficient symmetric cryptography. It provides point-to-point authentication of a routing message using a message authentication code (MAC) and a shared key between the two communicating parties. Although ARIADNE is free from a flood of RREQ packets and cache poisoning attack, but it is not immune to the wormhole attack and rushing attack. SEAD The Secure Efficient Ad hoc Distance Vector (SEAD) is a secure ad hoc network routing protocol based on the design of the Destination-Sequenced Distance-Vector (DSDV) algorithms. It deals with attackers that modify routing information and also with replay attacks and makes use of one-way hash chains rather than implementing expensive asymmetric cryptography operations. Two different approaches are used for message authentication to prevent the attackers. SEAD does not cope with wormhole attacks. SRP Secure Routing Protocol (SRP) was developed based on Destination Source Routing protocol (DSR) . The operation of SRP requires the existence of a Security association (SA) between 50
    • source node initiating a route query and the destination node. The security association can be utilized in order to establish a shared secret key between the two nodes, which is used by SRP. The SRP protocol appends a header (SRP header) to the packet of the basic routing protocol. The source node sends a route request with a query sequence number (QSEQ) that is used by the destination in order to identify outdated requests, a random query identifier (QID) that is used to identify the specific request. The intermediate nodes broadcast the query to their neighbors, after updating their routing tables. The entire node maintains their priority ranking of their neighbors according to the rate of generated queries. Nodes that generated a low rate of queries have a higher priority. The destination confirms that the query is not outdated and verifies its integrity and authenticity through the calculation of the keyed hash. So the malicious compromised nodes participating in the network are given least priority to deal with. The security analysis is similar to Ariadne as it is based on DSR protocol. Now, we will discuss some technique to avoid a specific attack. 9.5.2 Defense against wormhole attacks A packet leash protocol is designed as a countermeasure to the wormhole attack. The SECTOR mechanism is proposed to detect wormholes without the need of clock synchronization. Directional antennas are also proposed to prevent wormhole attacks. In the wormhole attack, an attacker receives packets at one point in the network, tunnels them to another point in the network, and then replays them into the network from that point. To defend against wormhole attacks, some efforts have been put into hardware design and signal processing techniques. If data bits are transferred in some special modulating method known only to the neighbor nodes, they are resistant to closed wormholes. Another potential solution is to integrate the prevention methods into intrusion detection systems. However, it is difficult to isolate the attacker with a software-only approach, since the packets sent by the wormhole are identical to the packets sent by legitimate nodes. Packet leashes The Packet leashes are proposed to detect wormhole attacks. A leash is the information added into a packet to restrict its transmission distance. A temporal packet leash sets a bound on the lifetime of a packet, which adds a constraint to its travel distance. A sender includes the transmission time and location in the message. The receiver checks whether the packet has traveled the distance between the sender and itself within the time frame between its reception and transmission. Temporal packet leashes require tightly synchronized clocks and precise location knowledge. In geographical leashes, location information and loosely synchronized clocks together verify the neighbor relation. 51
    • SECTOR The SECTOR mechanism is based primarily on distance bounding techniques, one-way hash chains, and the Merkle hash tree. SECTOR can be used to prevent wormhole attacks in MANET without requiring any clock synchronization or location information. SECTOR can also be used to help secure routing protocols in MANET using last encounters, and to help detect cheating by means of topology tracking. Directional antennas Directional antennas are also proposed as a countermeasure against wormhole attacks. This approach does not require either location information or clock synchronization, and is more efficient with energy. 9.5.3 Defense against blackhole attacks Some secure routing protocols, such as the security-aware ad hoc routing protocol (SAR), can be used to defend against blackhole attacks. The security-aware ad hoc routing protocol is based on on-demand protocols, such as AODV or DSR. In SAR, a security metric is added into the RREQ packet, and a different route discovery procedure is used. Intermediate nodes receive an RREQ packet with a particular security metric or trust level. At intermediate nodes, if the security metric or trust level is satisfied, the node will process the RREQ packet, and it will propagate to its neighbors using controlled flooding. Otherwise, the RREQ is dropped. If an end-to-end path with the required security attributes can be found, the destination will generate a RREP packet with the specific security metric. If the destination node fails to find a route with the required security metric or trust level, it sends a notification to the sender and allows the sender to adjust the security level in order to find a route. To implement SAR, it is necessary to bind the identity of a user with an associated trust level. To prevent identity theft, stronger access control mechanisms such as authentication and authorization are required. In SAR, a simple shared secret is used to generate a symmetric encryption/decryption key per trust level. Packets are encrypted using the key associated with the trust level; nodes belonging to different levels cannot read the RREQ or RREP packets. It is assumed that an outsider cannot obtain the key. In SAR, a malicious node that interrupts the flow of packets by altering the security metric to a higher or lower level cannot cause serious damage because the legitimate intermediate or destination node is supposed to drop the packet, and the attacker is not able to decrypt the packet. SAR provides a suite of cryptographic techniques, such as digital signature and encryption, which can be incorporated on a need-to-use basis to prevent modification. 52
    • 9.5.4 Summary Network layer is more vulnerable to attacks than all other layers in MANET. A variety of security threats is imposed in this layer. Use of secure routing protocols provides the first line of defense. The active attack like modification of routing messages can be prevented through source authenti- cation and message integrity mechanism. For example, digital signature, message authentication code (MAC), hashed MAC (HMAC), one-way HMAC key chain is used for this purpose. By an unalterable and independent physical metric such as time delay or geographical location can be used to detect wormhole attack. For example, packet leashes are used to combat this attack. IPSec is most commonly used on the network layer in internet that could be used in MANET to provide certain level of confidentiality. The secure routing protocol named ARAN protects from various attacks like modification of sequence number, modification of hop counts, modification of source routes, spoofing, fabrication of source route etc. The Security-aware Ad hoc Routing protocol (SAR), provides a solution to overcome blackhole attack. 53
    • 9.6 Application Layer Defense Viruses, worms, spywares, Trojan horses are the common and challenging application layer at- tacks in any network. Firewall provides protection against some of these attacks. For example, it can provide access control, user authentication, incoming and outgoing packet filtering, network filtering, accounting service etc. Anti-spyware software can detect spyware and malicious pro- grams running on the system. Still using firewall is not enough because in certain situation the attacker even can penetrate firewall and make an attack. Another mechanism, Intrusion Detection System (IDS) is effective to prevent certain attacks such as trying to gain unauthorized access to a service, pretending like a legitimate user etc.Intrusion detection can be classified into three broad categories: Anomaly Detection, Signature or Misuse Detection, and Specification based Detection. The application layer also detects a DoS attack more quickly than the lower layers. Detailed description of Intrusion Detection System (IDS) is made in ‘Role of multi-agent system in wireless security’. 9.7 Summary In this chapter we described the countermeasures of the attacks imposed in different layers. Still, there are some attacks such as man-in-middle attack which is known as a multi-layer attack. The countermeasures for this type of attack need to be implemented at different layers. For example, directional antennas are used at the media access layer to defend against wormhole attacks while packet leashes are used for network layer defense. 54
    • Chapter 10 TRANSPORT LAYER DEFENSE We know that Transport Layer is vulnerable to classic SYN Flooding attack, Session Hijacking attack, Ack Storm attack etc. This will affect the confidentiality of the message send through the MANET.One way to provide message confidentiality in transport layer is point-to-point or end-to-end communication through data encryption.We know that TCP and UDP are the two commonly used Transport layer protocol. But, TCP is a connection-oriented reliable transport layer protocol explicitly designed for wired network and hence does not fit well for MANET.Thus, modified TCP protocols are designed which is discussed in the following section. Why Does TCP Not Perform Well in Ad Hoc Wireless Networks? TCP have been designed to perform well for wired networks and it has been observed that even a single wireless link can reduce the TCP throughput considerably. The major reasons behind throughput degradation that TCP faces when used in ad hoc wireless networks are the following: • Misinterpretation of packet loss: Traditional TCP was designed for wired networks where the packet loss is mainly attributed to network congestion. Network congestion is detected by the sender’s packet RTO period. Once a packet loss is detected, the sender node assumes congestion in the network and invokes a congestion control algorithm. Ad hoc wireless networks experience a much higher packet loss due to factors such as high bit error rate (BER) in the wireless channel, increased collisions due to the presence of hidden terminals, presence of interference, location-dependent contention, uni-directional links, frequent path breaks due to mobility of nodes, and the inherent fading properties of the wireless channel. • Frequent path breaks: Ad hoc wireless networks experience dynamic changes in network topology because of the unrestricted mobility of the nodes in the network. The topology changes lead to frequent changes in the connectivity of wireless links and hence the route to a particular destination may need to be recomputed very often. The responsibility of finding a route and reestablishing it once it gets broken is attached to the network layer. Once a path is broken, the routing protocol initiates a route reestablishment process. This 55
    • route reestablishment process takes a significant amount of time to obtain a new route to the destination. The route reestablishment time is a function of the number of nodes in the network, transmission ranges of nodes, current topology of the network, bandwidth of the channel, traffic load in the network, and the nature of the routing protocol. If the route reestablishment time is greater than the RTO period of the TCP sender, then the TCP sender assumes congestion in the network, retransmits the lost packets, and initiates the congestion control algorithm. These retransmissions can lead to wastage of bandwidth and battery power. Eventually, when a new route is found, the TCP throughput continues to be low for some time, as it has to build up the congestion window since the traditional TCP undergoes a slow start. • Effect of path length: It is found that the TCP throughput degrades rapidly with an increase in path length in string (linear chain) topology ad hoc wireless networks. The possibility of a path break increases with path length. Given that the probability of a link break is Pl, the probability of a path break (Pb) for a path of length k can be obtained as Pb = 1 - (1 - Pl)k. Hence as the path length increases, the probability of a path break increases, resulting in the degradation of the throughput in the network. Misinterpretation of congestion window: TCP considers the congestion window as a measure of the rate of transmission that is acceptable to the network and the receiver. In ad hoc wireless networks, the congestion control mechanism are invoked when the network gets partitioned or when a path break occurs. This reduces the congestion window and increases the RTO period. When the route is reconfigured, the congestion window may not reflect the transmission rate acceptable to the new route, as the new route may actually accept a much higher transmission rate. Hence, when there are frequent path breaks, the congestion window may not reflect the maximum transmission rate acceptable to the network and the receiver. • Asymmetric link behavior: The radio channel used in ad hoc wireless networks has differ- ent properties such as location-dependent contention, environmental effects on propagation, and directional properties leading to asymmetric links. The directional links can result in delivery of a packet to a node, but failure in the delivery of the acknowledgment back to the sender. It is possible for a bidirectional link to become uni-directional for a while. This can also lead to TCP invoking the congestion control algorithm and several retransmissions. • Uni-directional path: Traditional TCP relies on end-to-end ACK for ensuring reliability. Since the ACK packet is very short compared to a data segment, ACKs consume much less bandwidth in wired networks. In ad hoc wireless networks, every TCP ACK packet requires RTS-CTS-Data-ACK exchange in case IEEE 802.11 is used as the underlying MAC protocol. This can lead to an additional overhead of more than 70 bytes if there are no retransmissions. This can lead to significant bandwidth consumption on the reverse path. • Network partitioning and remerging: The randomly moving nodes in an ad hoc wireless 56
    • network can lead to network partitions. As long as the TCP sender, the TCP receiver, and all the intermediate nodes in the path between the TCP sender and the TCP receiver remain in the same partition, the TCP connection will remain intact. It is likely that the sender and receiver of the TCP session will remain in different partitions and, in certain cases, that only the intermediate nodes are affected by the network partitioning. Figure shown below illustrates the effect of network partitions in ad hoc wireless networks. A network with two TCP sessions A and B is shown in Figure (a) at time instant t1. Due to dynamic topological changes, the network gets partitioned into two as in Figure (b) at time t2. Now the TCP session A’s sender and receiver belong to two different partitions and the TCP session B experiences a path break. These partitions could merge back into a single network at time t3 (refer to Figure (c)). Figure 10.1: Effect of partitioning and merging of network • The use of sliding-window-based transmission: TCP uses a sliding window for flow control. The transmission of packets is decided by the size of the window, and when the ACKs arrive from a destination, further packets are transmitted. This avoids the use of individual fine-grained timers for transmission of each TCP flow. Such a design is preferred in order to improve scalability of the protocol in high-bandwidth networks such as the Internet where millions of TCP connections may be established with some heavily loaded servers. The use of a sliding window can also contribute to degraded performance in bandwidth-constrained ad hoc wireless networks where the MAC layer protocol may not exhibit short-term and long- term fairness. For example, the popular MAC protocols such as CSMA/CA protocol show short-term unfairness, where a node that has captured the channel has a higher probability of capturing the channel again. This unfairness can lead to a number of TCP ACK packets being delivered to the TCP sender in succession, leading to burstiness in traffic due to the subsequent transmission of TCP segments. 57
    • 10.1 Modified versions of TCP The enhancements to TCP that improve the performance of TCP in ad hoc wireless networks are discussed in the following sections. 10.1.1 Feedback based TCP (TCP-F) TCP-F aims to minimize the throughput degradation resulting from the frequent path breaks that occur in ad hoc wireless networks. TCP-F uses a feedback-based approach in the traditional TCP for improving performance in ad hoc wireless networks. TCP-F requires the support of a reliable link layer and a routing protocol that can provide feedback to the TCP sender about the path breaks. The routing protocol is expected to repair the broken path within a reasonable time period. In TCP-F, an intermediate node, upon detection of a path break, originates a route failure notification (RFN) packet. This RFN packet is routed toward the sender of the TCP session. The TCP sender’s information is expected to be obtained from the TCP packets being forwarded by the node. The intermediate node that originates the RFN packet is called the failure point (FP). The FP maintains information about all the RFNs it has originated so far. Every intermediate node that forwards the RFN packet understands the route failure, updates its routing table accordingly, and avoids forwarding any more packets on that route. If any of the intermediate nodes that receive RFN has an alternate route to the same destination, then it discards the RFN packet and uses the alternate path for forwarding further data packets, thus reducing the control overhead involved in the route reconfiguration process. Otherwise, it forwards the RFN toward the source node. When a TCP sender receives an RFN packet, it goes into a state called snooze. In the snooze state, a sender stops sending any more packets to the destination, cancels all the timers, freezes its congestion window, freezes the retransmission timer, and sets up a route failure timer. This route failure timer is dependent on the routing protocol, network size, and the network dynamics and is to be taken as the worst-case route reconfiguration time. When the route failure timer expires, the TCP sender changes from the snooze state to the connected state. Figure shows the operation of the TCP-F protocol. In the figure, a TCP session is set up between node A and node D over the path A-B-C-D [refer to Figure (a)]. 58
    • Figure 10.2: Operation of TCP-F When the intermediate link between node C and node D fails, node C originates an RFN packet and forwards it on the reverse path to the source node [see Figure (b)]. The sender’s TCP state is changed to the snooze state upon receipt of an RFN packet. If the link CD rejoins, or if any of the intermediate nodes obtains a path to destination node D, a route reestablishment notification (RRN) packet is sent to node A and the TCP state is updated back to the connected state [Figure (c)]. As soon as a node receives an RRN packet, it transmits all the packets in its buffer, assuming that the network is back to its original state. This can also take care of all the packets that were not acknowledged or lost during transit due to the path break. In fact, such a step avoids going through the slow-start process that would otherwise have occurred immediately after a period of congestion. The route failure timer set after receiving the RFN packet ensures that the sender does not remain in the snooze state indefinitely. Once the route failure timer expires, the sender goes back to the connected state in which it reactivates the frozen timers and starts sending the buffered and unacknowledged packets. This can also take care of the loss of the RRN packet due to any possible subsequent congestion. TCP-F permits the TCP congestion control algorithm to be in effect when the sender is not in the snooze state, thus making it sensitive to congestion in the network. Advantages and Disadvantages TCP-F provides a simple feedback-based solution to minimize the problems arising out of frequent path breaks in ad hoc wireless networks. At the same time, it also permits the TCP congestion control mechanism to respond to congestion in the network. TCP-F depends on the intermediate nodes’ ability to detect route failures and the routing protocols’ capability to reestablish a broken path within a reasonably short duration. Also, the FP should be able to obtain the correct path (the path which the packet traversed) to the TCP-F sender for sending the RFN packet. This is simple with a routing protocol that uses source routing [i.e., dynamic source routing (DSR)]. If a route to the sender is not available at the FP, then additional control packets may need to be generated for routing the RFN packet. 59
    • 10.1.2 TCP with Explicit Link Failure Notification (TCP-ELFN) Holland and Vaidya proposed the use of TCP with explicit link failure notification (TCP-ELFN) for improving TCP performance in ad hoc wireless networks. This is similar to TCP-F, except for the handling of explicit link failure notification (ELFN) and the use of TCP probe packets for detecting the route reestablishment. The ELFN is originated by the node detecting a path break upon detection of a link failure to the TCP sender. This can be implemented in two ways: • by sending an ICMP destination unreachable (DUR) message to the sender. • by piggy-backing this information on the RouteError (to inform the sender about path breaks so that the sender can recompute a fresh route to the destination. This is especially used in on-demand routing protocols like DSR) message that is sent to the sender. Once the TCP sender receives the ELFN packet, it disables its retransmission timers and enters a standby state. In this state, it periodically originates probe packets to see if a new route is reestablished. Upon reception of an ACK by the TCP receiver for the probe packets, it leaves the standby state, restores the retransmission timers, and continues to function as normal. Advantages and Disadvantages TCP-ELFN improves the TCP performance by decoupling the path break information from the congestion information by the use of ELFN. It is less dependent on the routing protocol and requires only link failure notification about the path break. The disadvantages of TCP-ELFN include the following: • when the network is temporarily partitioned, the path failure may last longer and this can lead to the origination of periodic probe packets consuming bandwidth and power • the congestion window used after a new route is obtained may not reflect the achievable transmission rate acceptable to the network and the TCP receiver. 10.1.3 Split-TCP: One of the major issues that affect the performance of TCP over ad hoc wireless networks is the degradation of throughput with increasing path length. The short (i. e., in terms of path length) connections generally obtain much higher throughput than long connections. This can also lead to unfairness among TCP sessions, where one session may obtain much higher throughput than other sessions. This unfairness problem is further worsened by the use of MAC protocols such as IEEE 802.11, which are found to give a higher throughput for certain link-level sessions, leading to an effect known as channel capture effect. This effect leads to certain flows capturing the channel for longer time durations, thereby reducing throughput for other flows. The channel capture effect can also lead to low overall system throughput. Split-TCP provides a unique solution to this problem 60
    • by splitting the transport layer objectives into congestion control and end-to-end reliability. The congestion control is mostly a local phenomenon due to the result of high contention and high traffic load in a local region. In the ad hoc wireless network environment, this demands local solutions. At the same time, reliability is an end-to-end requirement and needs end-to-end acknowledgments. In addition to splitting the congestion control and reliability objectives, split-TCP splits a long TCP connection into a set of short concatenated TCP connections (called segments or zones) with a number of selected intermediate nodes (known as proxy nodes) as terminating points of these short connections. Figure below illustrates the operation of split-TCP where a three segment split-TCP connection exists between source node 1 and destination node 15. Figure 10.3: Operation of Split-TCP A proxy node receives the TCP packets, reads its contents, stores it in its local buffer, and sends an acknowledgment to the source (or the previous proxy). This acknowledgment called local acknowledgment (LACK) does not guarantee end-to-end delivery. The responsibility of further delivery of packets is assigned to the proxy node. A proxy node clears a buffered packet once it receives LACK from the immediate successor proxy node for that packet. Split-TCP maintains the end-to-end acknowledgment mechanism intact, irrespective of the addition of zone-wise LACKs. The source node clears the buffered packets only after receiving the end-to-end acknowledgment for those packets. In the above figure, node 1 initiates a TCP session to node 15. Node 4 and node 13 are chosen as proxy nodes. The number of proxy nodes in a TCP session is determined by the length of the path between source and destination nodes. Based on a distributed algorithm, the intermediate nodes that receive TCP packets determine whether to act as a proxy node or just as a simple forwarding node. In Figure, the path between node 1 and node 4 is the first zone (segment), the path between nodes 4 and 13 is the second zone (segment), and the last zone is between node 13 and 15. The proxy node 4, upon receipt of each TCP packet from source node 61
    • 1, acknowledges it with a LACK packet, and buffers the received packets. This buffered packet is forwarded to the next proxy node (in this case, node 13) at a transmission rate proportional to the arrival of LACKs from the next proxy node or destination. The transmission control window at the TCP sender is also split into two windows, that is, the congestion window and the end-to-end window. The congestion window changes according to the rate of arrival of LACKs from the next proxy node and the end-to-end window is updated based on the arrival of end-to-end ACKs. Both these windows are updated as per traditional TCP except that the congestion window should stay within the end-to-end window. In addition to these transmission windows at the TCP sender, every proxy node maintains a congestion window that governs the segment level transmission rate. Advantages and Disadvantages Split-TCP has the following advantages: (i) improved throughput, (ii) improved throughput fair- ness, and (iii) lessened impact of mobility. Throughput improvement is due to the reduction in the effective transmission path length (number of hops in a zone or a path segment). TCP throughput degrades with increasing path length. Split-TCP has shorter concatenated path segments, each operating at its own transmission rate, and hence the throughput is increased. This also leads to improved throughput fairness in the system. Since in split-TCP, the path segment length can be shorter than the end-to-end path length, the effect of mobility on throughput is lessened. The disadvantages of split-TCP can be listed as follows: (i) It requires modifications to TCP protocol, (ii) the end-to-end connection handling of traditional TCP is violated, and (iii) the failure of proxy nodes can lead to throughput degradation. The traditional TCP has end-to-end semantics, where the intermediate nodes do not process TCP packets, whereas in split-TCP, the intermediate nodes need to process the TCP packets and hence, in addition to the loss of end- to-end semantics, certain security schemes that require IP payload encryption cannot be used. During frequent path breaks or during frequent node failures, the performance of split-TCP may be affected. 10.2 Defense against Flooding Attack Flooding-type Denial-of-Service (DoS) and Distributed DoS (DDoS) attacks can cause serious problems in mobile multi-hop networks due to its limited network/host resources. Attacker trace- back is a promising solution to take a proper countermeasure near attack origins, for forensics and to discourage attackers from launching the attacks. However, attacker traceback in mobile multi-hop networks is a challenging problem. Existing IP traceback schemes developed for the fixed networks cannot be directly applied to mobile multi-hop networks due to the peculiar char- acteristics of the mobile multi-hop networks (e.g., dynamic/autonomous network topology, limited network/host resources such as memory, bandwidth and battery life). So Yongjin Kim and Ahmed 62
    • Helmy proposed a special protocol for MANET called CATCH which utilizes MAC and network cross-layer approach. 10.2.1 CATCH protocol A general Traceback protocol is broadly classified into three building block: 1. information searching and gathering, 2. information storage, and 3. information analysis Information searching and gathering are the processes to put together or seek clues on the attack traffic. Information storage is the process to store the gathered clue in some storage for analysis. Information analysis is the process to reconstruct the attack path based on the clue obtained through information storing process or real-time data provided by information searching and gathering processes. Existing attacker traceback schemes (e.g., packet marking, iTrace) cannot be used for MANET because they are designed for wired network. We know that, MANET is charecterised by dynamic topology, limited network resources, limited battery power etc. An obvious drawback of these schemes is that large amount of data needs to be stored at either the end-host or inside the network since perpacket information is required. Sy and Bao tries to solve the storage problem by gradual refreshing of memory. Sung et al. also tries to solve storage problem by storing small percentage of packets and using sophisticated scheme to reconstruct the attack path. However, those schemes still suffer from information gathering problem under dynamic topology change. Al- Duwair and Goyindarasu proposes hybrid scheme between packet marking and logging to reduce amount of data to be stored. However, it does not resolve information gathering/ analysis issue. Another option is to use controlled flooding which does not require information storage. However, it consumes network bandwidth, which is highly undesirable in resource constrained mobile multi- hop networks. Also, high processing overhead and delay are incurred in the existing schemes since it takes per-packet analysis approach. CATCH protocol framework CATCH traceback protocol consists of the following four components: 1. abnormality detection 2. abnormality characterization 3. abnormality searching 4. countermeasures 63
    • Each node in the network will monitors network and MAC layer activity (e.g., number of packet, busy time in MAC layer). Once abnormality is detected, the information is captured and logged. Abnormality monitoring is broadly classified into two:coarse-grained abnormality monitoring and fine-grained abnormality monitoring. In coarse-grained abnormality monitoring, the protocol will trace-back attackers using only packet counters, without using payload-level details. In fine- grained monitoring, the protocol trace-back attackers by analyzing payload-level details. In coarse- grained abnormality- based traceback, computational/storage overhead is minimized by sacrificing payload level analysis for traceback. It is an effective way of traceback in many cases when attack traffic shows obvious abnormality and background traffic is low or moderate. In fine-grained abnormality-based traceback, payload-level information is considered and analyzed to trace back attackers. It requires more computation/storage overhead because we need to store and analyze more detailed information, but it can more accurately trace back attackers. Once abnormality is detected, the abnormality needs to be characterized for traceback. Char- acterized abnormality at the victim is called the ‘attack signature’ and abnormality characterized at an intermediate node is called ‘candidate attack signature’.We need to find nodes that observe candidate attack signature which is sufficiently similar to attack signature. By progressively find- ing nodes that observe similar attack signature from nodes near victim to attack origin, we can find attack route. After we identify the attack origin(s), we carry out countermeasures to ameliorate the intensity of (or stop) the attack. Abnormality Detection: We know that, once flooding-type DoS/DDoS attack is launched, a large volume of traffic (typically 500 packets per second) is generated towards a victim.The increase in the volume of traffic can be statistically detected and identified as abnormality. Increased collisions at MAC layer, increased number of frames at MAC layer and increased busy time at MAC layer can also be treated as abnormality. Thus, the frame count information can be taken as an abnormality indicator and hence it act as an attack signature. Each node monitors protocol layer activity. Once abnormality is detected, the node logs the abnormality information as candidate attack signature. Later, during the search phase the candidate attack signature is compared with the attack signature which is characterized by a victim. To detect abnormality, we need to define a threshold. If the observed value exceeds the threshold, it is defined as abnormality. Threshold can be set either as fixed value or adaptive value. Abnormality searching: Once abnormality is characterized, abnormality matching is done between candidate attack signature and attack signature. If the two signatures are closely match- ing, we can infer the attack route. Two methods are commonly used for signature matching: • traffic pattern matching • KS-fitness test. In Traffic Pattern Matching (TPM), the correlation coefficient between two signatures at node A and B is calculated. If the correlation coefficient r(A,B) is high (greater than 0.7), the signature at 64
    • node A is said to match the signature at node B. While, KS-fitness test uses Kolmogorov–Smirnov (KS) statistic Dn. Traceback-aided countermeasures: Usually, hybrid scheme involving packet filtering and rate limiting is commonly used as countermeasure (based on abnormality matching level). That is, when abnormality matching level is high, we apply packet filtering. On the other hand, when abnormality matching is medium/low level, we apply rate limiting. 10.2.2 SWAT: Small World based Attacker Traceback SWAT is the first traceback protocol developed for MANETs. SWAT consists of two main build- ing blocks: Traffic pattern/volume matching and small world construction. It uses Traffic Pattern Matching (TPM) and Traffic Volume Matching (TVM) techniques to deal with address spoofing problem and utilize small-world model for efficient search. However, SWAT has the following drawbacks: (1) It cannot successfully trace back attacker when there exists high volume of back- ground traffic. (2) SWAT fails to track down distributed DoS attackers. (3) SWAT also shows weakness under node collusion and false reporting since it relays only on relay nodes of attack traffic for traceback. (4) SWAT does not handle node mobility problems. 10.2.3 ATTENTION: ATTackEr Traceback using MAC Layer AbNor- mality DetecTION ATTENTION protocol framework, which pays special attention to MAC layer abnormal activity under attack. ATTENTION consists of three classes, namely, coarse-grained traceback, fine- grained traceback and spatio-temporal fusion architecture. The protocol statistically characterize the MAC layer abnormality that is observed during DoS/DDoS attack and use the abnormality as attack signature for traceback. The attack signature is consistently observed on the attack path from attacker to victim, which enables us to track down attacker. The merits of MAC layer abnormality-based attacker traceback are multifold. First, we can track down attacker in spite of address spoofing using MAC abnormality-based attack signature. Second, the attack signature is observed by many neighbor nodes sharing the medium through overhearing.This overhearing can be efficiently used (i.e., majority voting) to prevent false/malicious reporting by compromised node or inside attacker. In addition, overhearing can be used for attacker traceback under node mobility. 10.2.4 Hotspot-Based Traceback A hotspot is a suspicious area where one or more unknown adversaries may reside or resided and it is covered by the transmission range of a particular node. The node itself may or may not be mali- cious. Once a hotspot is identified, offline or online investi- gation can be conducted there 65
    • to identify the exact identity of the adversaries. Solutions ranging from neighbor monitoring , physical security to human intelligence may be used. TCP feedback (TCP-F), TCP explicit failure notification (TCP-ELFN),Split-TCP etc have been invented, none of these protocols are designed with security in mind.Secure Socket Layer (SSL), Transport Layer Security (TLS),and Private Communications Transport (PCT) protocols were designed for secure communications and are based on public key cryptography. TLS/SSL can help secure data transmission. It can also help to protect against masquerade attacks, man- in-the-middle (or bucket brigade) attacks, rollback attacks, and replay attacks. TLS/SSL is based on public key cryptography, which is CPU-intensive and requires comprehensive administrative configuration. Therefore, the application of these schemes in MANET is restricted. TLS/SSL has to be modified in order to address the special needs of MANET. Some firewall at a higher level can be configured to defend against SYN flooding attacks. 10.3 Summary Use of TCP as the transport layer protocol for the MANETs leads to considerable throughput degradation due to frequent path break, asymmetric link behavior, network partitioning and remerging etc. So modification is made on TCP to handle these situation which leads to the development of modified protocols like TCP-F, TCP-ELFN, Split-TCP etc. 66
    • Chapter 11 AGENTS AND MULTI-AGENTS 11.1 AGENTS Agent is a complex software entity that is capable of acting with a certain degree of autonomy in order to accomplish tasks on behalf of its user. The term "agent" describes a software abstraction, an idea, or a concept. But unlike objects, which are defined in terms of methods and attributes, an agent is defined in terms of its behavior. Agent should have the following characteristics • persistence (agent is not executed on demand but runs continuously and decides for itself when it should perform some activity) • autonomy (agents have capabilities of task selection, prioritization, goal-directed behaviour, decision-making without human intervention) • social ability (agents are able to engage other components through some sort of communi- cation and coordination, they may collaborate on a task) • reactivity (agents perceive the context in which they operate and react to it appropriately). Major application of agents will be in the field of e-commerse in which agents acting on behalf of human traders help automate several business processes that are time-consuming and difficult in e- commerce. They move from marketplace to marketplace on the Internet and display on-demand behaviour based on market dynamics. 11.2 Multi-Agent System (MAS) Multi-agent system has been recognized as the most promising technology for e-commerce due to its ability to deal with complexity through partitioning and cooperation. A Multi-Agent System can be defined as a loosely coupled network of problem solvers that interact to solve problems 67
    • that are beyond the individual capabilities or knowledge of each problem solver. These problem solvers, often called agents, are autonomous and can be heterogeneous in nature. • The motivations for the increasing interest in Multi-Agent System (MAS) research is due to the fact that MASs has the ability to do the following: • Capable of solving problems that are too large for a centralized agent to solve because of resource limitations or the sheer risk of having one centralized system that could be a performance bottleneck or could fail at critical times. • Allow for the interconnection and interoperation of multiple existing legacy systems. To keep pace with changing business needs, legacy systems must periodically be updated. Completely rewriting such software tends to be prohibitively expensive and is often simply impossible. • Provide solutions that efficiently use information sources that are spatially distributed. Ex- amples of such domains include sensor networks, seismic monitoring and information gath- ering from the internet . • Enhance performance in terms of 1. computational efficiency because concurrency of computation is exploited (as long as communication is kept minimal, 2. reliability, that is, graceful recovery of component failures, because agents with redun- dant capabilities or appropriate inter-agent coordination are found dynamically 3. robustness, the system’s ability to tolerate uncertainty, because suitable information is exchanged among agents; 4. maintainability because a system composed of multiple components-agents is easier to maintain because of its modularity; 5. responsiveness because modularity can handle anomalies locally, not propagate them to the whole system; 6. flexibility because agents with different abilities can adaptively organize to solve the current problem; 7. reuse because functionally specific agents can be reused in different agent teams to solve different problems. 11.3 Summary In this chapter we discussed about Agents and multi-agent system, their characteristics and ap- plications. 68
    • Chapter 12 Role of Multi-agent system in wireless security We will consider an example of Intrusion Detection System (IDS) in MANETs to explain the role of multi-agent system in wireless security. Intrusion Detection System (IDS) plays a critical role in securing MANETs. An IDS can discover malicious activities or insider attacks mounted by compromised nodes in the network. The IDS then tries to prevent intrusions that compromise system security, and upon detection of an intrusion, it tries to recover from the damages inflicted by the intrusion. The traditional IDSs developed for wired networks are difficult to use for MANETs because of their architectural differences. Challenges in designing IDS for MANETs • Without centralized audit points like routers, switches, and gateways, MANETs can only collect audit data locally and thus require a distributed and cooperative IDS. • Nodes in MANETs can move freely through the network, and thus their dynamically chang- ing network topology makes MANETs very different from the traditional wired networks. • Nodes in MANETs usually have slower communication links, limited bandwidth, limited battery power, and limited memory. To meet these challenges, a Mobile Agents (MA) based application-layer IDS is developed for MANETs. It utilizes both anomaly and misuse detection to identify attacks and also utilizes MAs to augment each node’s intrusion detection capability. Our goal is to detect and prevent viruses, worms, and malicious applications on each node by using the MA technology to enhance the capability of the IDS. 69
    • 12.1 Role of Mobile Agents (MA) in IDS • Mobile Agents are used for updating attack signatures and normal application profiles, and patching and installing (new) programs on each node. • MAs are being dispatched for further analysis and diagnosis on network nodes when an anomaly is detected. • MAs can be dispatched to verify the correctness of IDS agents. 12.2 Advantages of using Mobile Agents (MA) in IDS • Reducing Network Load: MAs transfer the computation and detection function to the network nodes with audit data instead of transmitting large amounts of audit data to the servers for computation and detection, thus reducing the network load. • Overcoming Network Latency: MAs can be dispatched from the servers to network nodes to detect malware and take corrective actions in real time. The MAs can operate directly on the nodes and respond faster to a potential intrusion than communicating with the servers for assistance. • Making the IDS Attack-Resistant: MAs can be used in the IDS to avoid single-point- of-failures. The time of an MA’s arrival at each node, the reporting mechanism, and the detection algorithm the MA uses are made unpredictable so that attackers may not know this information. • Autonomous Execution: MAs can continue to function even when portions of the IDS or the network get destroyed or malfunction. MAs can increase the IDS’s fault-tolerance by operating independently of the platform. • Dynamic Adaptation: MAs have the ability to sense the execution environment and react to changes. Also, MAs can adapt to the environment as they can be retracted, dispatched, or put to sleep as the network and host conditions change. • Platform Independence: MAs can operate in heterogeneous environments by having a virtual machine or interpreter on the host platform. This capability makes a perfect fit for MANETs as nodes in the network typically are comprised of many different computing platforms. • Upgradability: MAs can perform program updates, and anomaly and misuse detection on each node. MAs can carry the most up-to-date program patches, normal application profiles, and attack signatures to the nodes for upgrade while the IDS keeps working on each node. 70
    • • Scalability: MAs help distribute the computational load to different nodes in the network instead of having all the computation processed on the servers, and reduce the network load. This advantage enhances scalability and makes the IDS more fault-resistant. We know that, attacks on the application layer include data corruption, repudiation, application abuses, DoS attacks, and mobile virus and worm attacks. Here, IDS is used for detecting malicious applications and mobile virus and worm attacks on the nodes in the network. 12.3 System Architecture Consider a network of a large number of mobile nodes and one secure stationary MA server. The MA server is used for managing MAs, normal application profiles, and attack signatures generated by MAs in the network. The MA server dispatches MAs to the nodes in the network when needed. It will periodically broadcast beacon messages for nodes in the network Figure 12.1: The IDS system architecture for MANET Each mobile node has its own local IDS which is responsible for monitoring and detecting attacks, and for responding to the attacks detected. The local IDS perform anomaly and misuse detection. The misuse detection is used to detect known attacks on the node, while the anomaly detection is used for the detection of new or previously-unknown attacks. MAs are designed to update attack signatures and normal application profiles, patch and install programs, analyze and diagnose anomalous nodes, and verify the local IDS agents. Each IDS consists of three agents: 1. the monitoring and detection agent 2. the response agent 3. the secure communication. There is also a local database in each node for storing system audit data, attack signatures, normal application profiles, and the IDS logs. For the execution of MAs, there is a mobile agent place on each node. The local IDS architecture in each mobile node is as shown in Figure below. 71
    • Figure 12.2: The local IDS architecture on a mobile node The monitoring and detection agent monitors the application-level activities and system calls on each node, and also compares the monitoring activities with the attack signatures and normal application profiles stored in the node’s local database. Once a malicious activity is detected by the misuse detection through signature matching, a proper response will be formulated by the response agent to recover the node from the damages occurred to it. If the monitoring and detection agent detects intrusion by anomaly detection through an above-threshold deviation from the normal profile but no signatures match the attack, then the response agent will request the MA server to dispatch an MA for further analysis and diagnosis. The MAs thus dispatched to the mobile nodes can generate new attack behavior signatures and confirm the existence of intrusion after performing analysis and diagnosis of the nodes. The MAs will report these newly-generated attack signatures to the MA server, and the MA server will dispatch MAs to other nodes in the network to add the new attack signatures. The secure communication component is used for the mobile nodes to securely communicate with the MA server and other nodes in the network. Here, misuse detection is implemented as a host based intrusion detection of known attacks and the MA server in his case is used to store and update the attack signatures collected from the nodes in the network. To use anomaly detection in our local IDS, a normal profile is computed for each application program using its audit data on the MA server (The audit data collected on the MA server is the application-level activities and system calls invoked by the application programs). Specifically, the sequence of the system calls generated by each application program and collected in the audit data is used to compute the normal profiles. The nodes will first be deployed in the network with the normal application profiles generated by the MA server for existing applications. When a new normal application profile has been generated due to a program patch or new application installation, MAs will carry the new profile to nodes in the network for update. The monitoring and detection agent will compare the audit data of system traces on each node with the normal application profiles. The difference between a sequence of system calls against a normal application profile can be computed using Hamming distance. Any major deviation of abnormal activities 72
    • from the normal application profiles will be detected and can be used as an alert to the local IDS. 12.3.1 MA server functions The MA server creates and dispatches three types of MAs: 1. update MAs 2. analysis MAs 3. verification MAs. The update MAs are dispatched as needed, the analysis MAs are dispatched upon request by nodes, and the verification MAs are dispatched periodically. • Update MAs: The update MAs are used by the MA server to add new attack signatures and normal application profiles, and patch and install programs on the mobile nodes. When the MA server receives new attack signatures generated by the analysis MAs, it will dis- patch update MAs carrying the signatures to the nodes in the network. All nodes need to be updated with these new signatures for effective and up-to-date misuse detection. When a program is patched, then the normal application profile needs to be updated, or if a new program is installed, then the nodes also need to have a normal profile for the new appli- cation. The MA server will dispatch the update MAs carrying the new normal application profiles generated by the MA server to the nodes for update. • Analysis MAs: When the monitoring and detection agent in a node’s local IDS detects an anomaly but the anomaly did not match any attack signature in its database, then the response agent in the IDS will send an anomaly report to the MA server and request an analysis MA from the MA server for further investigation. The anomaly report includes the related IDS logs and the intrusion information about the anomaly detected on the node. Depending on the content of the anomaly report, the MA server will choose the most suitable analysis MA. The analysis MA is capable of a more detailed analysis and diagnosis than the local IDS, and can evaluate the detected anomaly behavior and determine if it is an intrusion. If the analysis MA determines the anomaly behavior not to be an intrusion, then it will send a detection report to the MA server and destroy itself. However, if the anomaly behavior is determined as an intrusion, then the analysis MA will start the intrusion response through the response agent on the local IDS. Finally, the analysis MA will create an attack signature of the newly-identified intrusion and report the new attack signature to the MA server. After completing the response for the intrusion, the analysis MA will send a detection report to the MA server and destroy itself. If the analysis MA cannot determine if the anomaly is an intrusion or not, then it can request a different analysis MA from the MA server for help. If the analysis MA still cannot (un)confirm an anomalous behavior, it will then send the 73
    • relevant IDS logs and audit data back to the MA server for further analysis. The reason for sending analysis MAs to the nodes instead of having the nodes send all the audit data, IDS logs, and related information to the MA server for analysis is to reduce the network load. Also, the MAs can overcome network latency as the analysis MAs can be dispatched from the MA server to perform analysis on nodes in real time. • Verification MAs: The verification MAs are periodically sent by the MA server to verify the IDS agents on the nodes and check on the IDS logs and the local IDS execution states. These MAs are used to prevent the local IDS from being compromised by attackers. The MA server will periodically send the verification MA with a randomly-generated hash key to the network. The nodes that received the verification MA must execute it to check the integrity of the IDS agents in its local IDS. When the verification MA is executed, it computes a hash over the IDS agents using the hash key it carries, and the hash value will be sent back to the MA server for verification. The verification MA will also check the IDS logs and see if there is any anomaly or unreported events. If a node fails the verification, then the MA server will either send an update MA to correct the IDS agents or shut down the entire node. 12.4 Summary In this chapter we discussed about the architecture of a typical Intrusion Detection System (IDS) used in wireless security.Here, the network consist of a large number of mobile nodes and one secure stationary MA server. The MA server is used for managing MAs, normal application profiles, and attack signatures generated by MAs in the network. The MA server dispatches MAs to the nodes in the network when needed.Also, the MAs augment each nodeŠs intrusion detection capability in the network by updating attack signatures and normal application profiles, patching and installing programs, further analyzing and diagnosing each node, and verifying the integrity of the IDS agents on each node. 74
    • Chapter 13 PROPOSED WORK To design and develop a security technique for transport layer data tansmission in MANET. 75
    • Bibliography [1] Hoang Lan Nguyen * Uyen Trang Nguyen. A study of different types of attacks on multicast in mobile ad hoc networks in ScienceDirect [2] B. Wu, J. Chen, J. Wu, M. Cardei, “A Survey of Attacks and Countermeasures in Mobile Ad HocNetworks,” Department of Computer Science and Engineering, Florida Atlantic University. [3] Security in Mobile Ad Hoc Networks: Challenges and Solutions, IEEE wireless communications, Feb 2004. [4] S. Marti et al., “Mitigating Routing Misbehavior in Mobile Ad Hoc Networks,” ACM MOBICOM, 2000. [5] H. Yang, X. Meng, and S. Lu, “Self-Organized Network Layer Security in Mobile Ad Hoc Networks,” ACM WiSe, 2002. [6] P. Kyasanur, and N. Vaidya, “Detection and Handling of MAC Layer Misbe- havior in Wireless Networks,” DCC, 2003. [7] G. Noubir and G. Lin, “Low-Power DoS Attacks in Data Wireless LANs and Countermeasures,” ACM MobiHoc, Poster Session, 2003. [8] K.Sugantha and S.Shanmugavel, ‘A Statistical Approach to Detect NAV attack at MAC Layer paper published in the proceedings of International Workshop on Wireless Ad-hoc Networks, (IWWAN) 2005 held at King’s College London, University London. [9] K.Sugantha and S.Shanmugavel, ‘Anomaly Detection of the NAV attack in MAC layer under non-time and time-constrained environment’, 3rd IEEE and IFIP International Conference on wireless and Optical Communications, WOCN 2006. pp 1-5. [10] J. Bellardo and S. Savage, “802.11 Denial-of-Service Attacks: Real Vulnerabili- ties and Practical Solutions,” USENIX Security Symposium, August 2003. 76
    • [11] H. Deng, W. Li, Agrawal, D.P., “Routing security in wireless ad hoc networks,” Cincinnati Univ., OH, USA; IEEE Communications Magazine, Oct. 2002, Vol- ume: 40, page(s): 70- 75, ISSN: 0163-6804 [12] H. Hsieh and R. Sivakumar, “Transport OverWireless Networks,” Handbook of Wireless Networks and Mobile Computing, Edited by Ivan Stojmenovic. John Wiley and Sons, Inc., 2002 [13] K. Sanzgiri, B. Dahill, B.N. Levine, C. Shields, E.M. Belding-Royer, “Secure routing protocol for ad hoc networks,” In Proc. of 10th IEEE International Con- ference on Network Protocols, Dept. of Comput. Sci., California Univ., Santa Barbara, CA, USA. 12-15 Nov. 2002, Page(s): 78- 87, ISSN: 1092-1648 [14] H. Yang, H. Luo, F. Ye, S. Lu, L. Zhang, “Security in mobile ad hoc networks: challenges and solutions,” In proc. IEE Wireless Communication, UCLA, Los Angeles, CA, USA; volume- 11, Page(s): 38- 47, ISSN: 1536-1284. [15] L. Zhou, Z.J. Haas, Cornell Univ., “Securing ad hoc networks,” IEEE Network, Nov/Dec 1999, Volume: 13, Page(s): 24-30, ISSN: 0890-8044. [16] S. Yi, P. Naldurg, and R. Kravets, Security-Aware Ad-hoc Routing for Wireless Networks. Report No.UIUCDCS-R-2002-2290, UIUC, 2002. [17] Y. Hu, A. Perrig, and D. Johnson, Ariadne: A Secure On-Demand Routing for Ad Hoc Networks. Proc. of MobiCom 2002, Atlanta, 2002. [18] A. Cardenas, N. Benammar, G. Papageorgiou, and J. Baras, Cross-Layered Security Analysis of Wireless Ad Hoc Networks, Proc. of 24th Army Science Conference, 2004. [19] Katharine Chang and Kang G. Shin,Application-Layer Intrusion Detection in MANETs, The University of Michigan, Ann Arbor, MI 48109-2121. [20] W. Jansen, P. Mell, T. Karygiannis, and D. Marks, ŞApplying Mobile Agents to Intrusion Detection and Response,Ť in NIST Interim Report (IR) 6416, October 1999. [21] Yongjin Kim and Ahmed Helmy, "‘CATCH: A protocol framework for cross- layer attacker traceback in mobile multi-hop networks"’Elsevier. [22] Rocky K. C. Chang, The Hong Kong Polytechnic University,"’Defending against Flooding-Based Distributed Denial-of-Service Attacks:A Tutorial"’. 77
    • [23] Alex C. Snoeren, Student Member, IEEE, Craig Partridge, Fellow, IEEE, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Member, IEEE, Beverly Schwartz, Stephen T. Kent, and W. Timothy Strayer, Senior Member, IEEE, "‘Single-Packet IP Traceback"’. [24] Yongjin Kim andAhmed Helmy,"’ATTENTION: ATTackEr Traceback using MAC Layer AbNormality DetecTION"’ [25] Sanjay Rawat and Ashutosh Saxena,"’Danger Theory Based SYN Flood Attack Detection in Autonomic Network"’. 78