An Efficient Scheme for Detecting Malicious Nodes in Mobile Ad Hoc Networks
December 1, 2006
Jong Oh Choi
Department of Computer Science
Yonsei [email protected]

Contents
• Motivation / Introduction
• Related works
• Proposed scheme: efficient scheme for detecting malicious nodes in mobile ad hoc networks
• Scenarios
  - Case 1: a malicious node drops data
  - Case 2: a malicious node modifies data
  - Case 3: disguise as another node (false report)
  - Case 4: another node → temporary false report
  - Case 5: normal node → malicious node (false report)
• Applying the proposed scheme to AODV
• Environments for performance evaluation
• Conclusions

Motivation
• MANET
  - Work has focused on wireless channel access
  - Multi-hop routing is based on the assumption that network elements operate in a friendly and cooperative environment
• Actual network environment
  - Malicious nodes and uncooperative situations may occur in a MANET
  - There is a growing need for a security scheme that guarantees secure communication between mobile nodes
• In this paper
  - We propose a scheme capable of effectively detecting a malicious node that operates normally during route determination over a MANET

Introduction
• MANET (challenges to security design)
  - Open peer-to-peer network architecture
  - Shared wireless medium
  - Stringent resource constraints
  - Highly dynamic network topology
  - Battlefield, emergency, conference
• Vulnerable and critical to attack: attacks must be prevented, detected and reacted to as soon as possible!
• Two approaches to protect a MANET
  - Proactive: prevention (secure routing)
  - Reactive: detection and reaction (secure packet forwarding)

Introduction
• Two approaches to protect the MANET
  - Proactive: a malicious node is detected and excluded from the network so that a route is determined with only friendly and cooperative nodes
  - Reactive: when an attacker compromises the MANET, the malicious node is detected and excluded from the network
  - This paper: reactive method
• Existing studies
  - Focus on detecting a node that maliciously drops or modifies data
  - Do not provide a method of identifying a malicious node that makes a false report about a normal node
• In this paper
  - We propose a scheme that not only identifies a malicious node that drops or modifies packets, using a reporting table storing previous report lists, but also detects a malicious node that makes a false report about a normal node, thus degrading network performance.

Related works
• Attacks on routing
  - All actions that keep routing information from being transmitted according to the routing scheme for the MANET
  - DSR: modify the source route in the RREQ and RREP
    - Deleting a node, appending a node, switching the order
  - AODV: advertise false routing information
    - Smaller distance metric, larger sequence number
• Result
  - Attract network traffic to a certain destination (under their control)
  - Non-optimal or non-existent routes
  - Routing loops, congestion, partitions in the network

Algorithms for detecting malicious node in MANET
• Proposed algorithm
  - A method of detecting a malicious node that falsely reports a normal node, using a report table listing reporter and suspect.
[Figure: route S → A → B → C → D. Node C drops the data; node B, which overhears the next hop, sends a report. Each node (A, B, …) holds a report table with the entry suspect C, reporter B. Other nodes shown: E, F, G, H.]

• Processing in the proposed algorithm
  - After node B transmits data to node C, it stores a copy of the data in its buffer
  - Node B overhears the data transmission of node C (to determine whether node C transmits the data to destination node D)
  - If node B does not overhear the data transmission of node C within the predetermined time
    → node B increases the failure tally of node C
  - If tally > threshold, this is misbehavior
    - In the proposed scheme the misbehavior is reported to all nodes
      → malicious nodes are detected and removed immediately (whereas in watchdog the report is unicast to node S)
  - If a node receiving the report finds the same reporter and suspect in its report table → ignore
  - Else the report is added to the list in its report table

Operations of proposed scheme
• Operations of the proposed scheme (flowchart)
[Flowchart, sending side: store a copy of the data in the buffer after data transmission → next node's transmission overheard within time? Y: delete the copy of the data in the buffer. N: increase the failure tally → threshold exceeded? Y: broadcast a report message.]
[Flowchart, receiving side: receive a report message → the same report list exists in the report table? Y: drop the report message (ignore). N: update the report table and re-broadcast the report message.]

Scenarios
• Case 1: a malicious node drops data
  - Malicious node C does not transmit the data to destination D and drops it
  - Node B cannot overhear a transmission by node C within the predetermined length of time
  - Node B concludes that node C did not transmit the data
  - Thus, node B reports node C as a malicious node
[Figure: route S → A → B → C → D; each node overhears the next hop's transmission; node C drops the data and node B sends a report.]

Scenarios
• Case 2: a malicious node modifies data
  - Malicious node C arbitrarily modifies the header and data content received from node B
  - It transmits the modified data to node D
  - Node B overhears the data transmission of node C
  - Node B then compares the transmitted data with the copy of the data stored in its buffer
  - The copy of the data stored in node B's buffer differs from node C's transmitted data
  - Node B reports node C as a malicious node
[Figure: route S → A → B → C → D; node C modifies the data; node B overhears the modified transmission and sends a report. Other nodes shown: H, I, J, K.]
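
The forwarding check from the algorithm and flowchart slides, together with Cases 1 and 2, written out as an added example (not code from the presentation). The timeout and threshold values, the packet ids and the names `Watchdog`, `sent`, `overheard` and `tick` are assumptions made for the illustration.

```python
TIMEOUT = 0.5    # assumed: seconds to wait for the next hop's retransmission
THRESHOLD = 2    # assumed: report once the failure tally exceeds this

class Watchdog:
    """Forwarding monitor run by one node (node B in the slides)."""
    def __init__(self, node_id):
        self.node_id = node_id
        self.buffer = {}       # pkt_id -> (next_hop, copy of data, deadline)
        self.tally = {}        # next_hop -> missed retransmissions
        self.reported = set()  # suspects this node has already reported

    def sent(self, pkt_id, next_hop, payload, now):
        """Keep a copy of the data after handing it to next_hop."""
        self.buffer[pkt_id] = (next_hop, bytes(payload), now + TIMEOUT)

    def overheard(self, pkt_id, sender, payload):
        """Case 2: compare the overheard retransmission with the buffered copy."""
        entry = self.buffer.get(pkt_id)
        if entry is None or entry[0] != sender:
            return None                     # not a packet this node is watching
        del self.buffer[pkt_id]             # retransmitted, so the copy can go
        return self._report(sender) if bytes(payload) != entry[1] else None

    def tick(self, now):
        """Case 1: expire overdue copies, bump tallies, return reports to broadcast."""
        reports = []
        for pkt_id, (hop, _copy, deadline) in list(self.buffer.items()):
            if now >= deadline:
                del self.buffer[pkt_id]
                self.tally[hop] = self.tally.get(hop, 0) + 1
                if self.tally[hop] > THRESHOLD and hop not in self.reported:
                    reports.append(self._report(hop))
        return reports

    def _report(self, suspect):
        if suspect in self.reported:
            return None
        self.reported.add(suspect)
        return (self.node_id, suspect)      # (reporter, suspect) pair

def demo():
    """Constructed trace: C relays packet 1 intact, then drops packets 2, 3 and 4."""
    b, out = Watchdog("B"), []
    b.sent(1, "C", b"hello", now=0.0)
    b.overheard(1, "C", b"hello")
    for pkt_id, t in ((2, 1.0), (3, 2.0), (4, 3.0)):
        b.sent(pkt_id, "C", b"data", now=t)
        out += b.tick(now=t + TIMEOUT)
    return out
```

The report is produced only on the third missed retransmission, when the tally (3) first exceeds the assumed threshold (2); a modified retransmission is reported at once, as Case 2 describes.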

• Measures against Cases 1 and 2
  - The report list ① is recorded in every report table
  - After node S receives B's report, if S does not receive an ACK from destination D
    - Node S determines that there is a malicious node on the current route and sets up a new route
    - Other nodes (L, K) will report node C as a malicious node (②, ③)
  - While the malicious node does not forward data, it continues to be recorded in the suspect list
  - When the number of malicious nodes = 2 and the number of entries listing node C as suspect = 3 or more (suspect node count > malicious node count)
    - Node C is treated as a malicious node and excluded from further network operation
Report table (node A), entries ①, ②, ③:
Suspect | Reporter
C | L
C | K
C | B
[Figure: route S → A → B → C → D; node C drops or modifies the data; node B overhears and sends a report; nodes L and K are also shown.]

Scenarios
• Case 3: disguise as another node (false report)
  - To prevent a false report by a node that disguises itself as a normal node using another node's ID, asymmetric encryption with a private key and a public key is used
  - If node B disguises itself as normal node X and submits a false report message R, node B does not know the private key Kx-, so it must encrypt the false report message R using its own private key KB- and broadcast it
  - Each node receiving the false report takes it to be node X's report and decodes it using the public key Kx+ of node X
  - But the report message R was not encrypted using the private key Kx-, so the false report message R cannot be decrypted → error
[Figure: node B encrypts report R with its private key KB-, giving KB-(R), and sends it to nodes K, …, L, J; each receiver decrypts with the public key KX+: KX+(KB-(R)) = ?]
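
The check in Case 3 as an added example (not code from the presentation): a report is accepted only if it verifies under the public key of the node it names as reporter. The slide does not name an algorithm, so textbook RSA without padding over constructed keys built from known Mersenne primes stands in for it; the report layout and all function names are assumptions.

```python
import hashlib

E = 65537  # public exponent shared by all constructed keys

def make_key(p, q):
    """Textbook RSA key from two primes (constructed, for illustration only)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, key):
    """K-(R): apply the private exponent to the digest of the report."""
    return pow(_digest(message, key["n"]), key["d"], key["n"])

def verify(message, signature, n):
    """K+(K-(R)) =? R: apply the public exponent and compare with the digest."""
    return 0 <= signature < n and pow(signature, E, n) == _digest(message, n)

# Constructed key pairs; a deployment would use a vetted signature library.
KEYS = {"X": make_key(2**89 - 1, 2**107 - 1),
        "B": make_key(2**61 - 1, 2**127 - 1)}
PUBLIC = {node: key["n"] for node, key in KEYS.items()}  # known to every node

def _body(reporter, suspect):
    return f"{reporter}|{suspect}".encode()

def make_report(claimed_reporter, suspect, signing_key):
    """Build a report naming claimed_reporter, signed with signing_key."""
    sig = sign(_body(claimed_reporter, suspect), signing_key)
    return {"reporter": claimed_reporter, "suspect": suspect, "sig": sig}

def accept_report(report):
    """Receiver side: verify under the public key of the claimed reporter."""
    n = PUBLIC.get(report["reporter"])
    if n is None:
        return False                      # unknown node id
    return verify(_body(report["reporter"], report["suspect"]), report["sig"], n)
```

A report that names X but was signed with node B's key fails `accept_report`, which is the "error" outcome on the slide; changing the suspect field after signing fails the same way.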

Scenarios
• Case 4: another node → temporary false report
  - Malicious node M falsely reports a temporary node X, irrespective of data forwarding → report list ①
  - After malicious node M moves from its current location to another location,
  - M falsely reports temporary nodes (Y, Z): ②, ③
  - The number of reports listing node M as reporter exceeds the threshold in the report table
  - Node M is identified as a false reporter and thus no longer participates in network operation
Report table (node A):
Suspect | Reporter
Y | M
Z | M
X | M
[Figure: route S → A → B → C → D carrying data; node M issues reports ①, ②, ③.]

Scenarios
• Case 5: normal node → malicious node (false report)
  - If malicious node B falsely reports normal node C
    - Malicious node B drops the ACK from normal node D,
    - Node S sets up a new route without knowing whether node B's report is false
    - Every node adds node B's report to its list: ①
  - Node B makes false reports on the new route → report lists ② and ③ are added
    - The false reporter B's reports accumulate in the report list,
    - No common suspect node exists in the suspect list
    - Node B's false reports are detected
Report table (node A), entries ①, ②, ③:
Suspect | Reporter
M | B
J | B
C | B
[Figure: route S → A → B → C → D carrying data; nodes overhear the next hop; node B sends the reports.]

AODV-based proposed scheme
• A method of applying the proposed scheme to AODV
  - In the figure below, when node A broadcasts an RREQ message, malicious node B receives and re-broadcasts it.
  - Normal nodes (E, C, F) receive the RREQ message from malicious node B and recognize from their report tables that node B is a malicious node.
  - They do not forward the RREQ message to other nodes in the network, thereby excluding node B from the route.
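
The report-table decisions from the measures against Cases 1 and 2, from Cases 4 and 5, and from the AODV slide, combined in one added example (not code from the presentation). The class and method names, the default of 2 for both limits, and the reading of "no common suspect" as "no suspect also named by another reporter" are assumptions; the tables are constructed from the entries shown on the slides.

```python
from collections import defaultdict

class ReportTable:
    """One node's table of (reporter, suspect) pairs."""
    def __init__(self, malicious_count=2, threshold=2):
        self.entries = set()
        self.malicious_count = malicious_count  # assumed known, as on the slide
        self.threshold = threshold              # assumed limit on reports per reporter

    def receive(self, reporter, suspect):
        """Drop a report already in the table; otherwise store it and re-broadcast."""
        if (reporter, suspect) in self.entries:
            return "ignore"
        self.entries.add((reporter, suspect))
        return "rebroadcast"

    def _index(self):
        by_suspect, by_reporter = defaultdict(set), defaultdict(set)
        for reporter, suspect in self.entries:
            by_suspect[suspect].add(reporter)
            by_reporter[reporter].add(suspect)
        return by_suspect, by_reporter

    def malicious(self):
        """Cases 1 and 2: more distinct reporters than there are malicious nodes."""
        by_suspect, _ = self._index()
        return {s for s, reps in by_suspect.items() if len(reps) > self.malicious_count}

    def false_reporters(self):
        """Cases 4 and 5: many reports by one node, no suspect shared with another reporter."""
        by_suspect, by_reporter = self._index()
        return {r for r, suspects in by_reporter.items()
                if len(suspects) > self.threshold
                and all(by_suspect[s] == {r} for s in suspects)}

    def forward_rreq(self, sender):
        """AODV use: refuse to relay an RREQ that arrives from an excluded node."""
        return sender not in self.malicious() | self.false_reporters()

def table_from(pairs):
    """Build a table from constructed (reporter, suspect) pairs."""
    table = ReportTable()
    for reporter, suspect in pairs:
        table.receive(reporter, suspect)
    return table

CASE_1_2 = table_from([("B", "C"), ("K", "C"), ("L", "C")])   # constructed
CASE_4 = table_from([("M", "X"), ("M", "Y"), ("M", "Z")])     # constructed
CASE_5 = table_from([("B", "C"), ("B", "J"), ("B", "M")])     # constructed
```

With these tables, node C is excluded in Cases 1 and 2 while its reporter B is not, and the lone reporters M (Case 4) and B (Case 5) are excluded while the nodes they accuse are not.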

Evaluation
• Average loss rate: analytic loss rate (%) vs. time (sec)
  - Performance improvement: loss rate decreases (10-20%)
  - The longer the time, the lower the loss rate in the proposed scheme
  - The proposed scheme identifies malicious nodes in the network and excludes them from newly determined routes, thereby preventing attacks by malicious nodes and reducing the loss rate.
  - The average loss rate with 3 malicious nodes is lower than with 6 malicious nodes
[Figures: malicious nodes: 6, pause time: 0, 600 sec; malicious nodes: 3, pause time: 0, 600 sec]

Evaluation
• Average transmission rate: analytic delivery vs. time
  - The transmission rate of the proposed scheme is higher than that of AODV (the loss rate of the proposed scheme is lower than that of AODV)
  - More data is transmitted with 3 malicious nodes than with 6 malicious nodes
  - With a pause time of 600 sec, the loss rate is low and more data is transmitted
  ※ When malicious nodes move frequently, they are highly likely to be included in a new route; the network loss rate is then high and data transmission is low.
[Figures: malicious nodes: 6, pause time: 0, 600 sec; malicious nodes: 3, pause time: 0, 600 sec]

Evaluation
Transmission gains and overhead in AODV and the proposed scheme
- Overhead: control packets of the proposed scheme minus control packets of AODV (bytes)
- Transmission gains: data transmitted by the proposed scheme minus data transmitted by AODV (bytes)
※ The proposed scheme generates more control messages than AODV at the network layer (when a malicious node is identified in the proposed scheme, the report table is broadcast in the network)
※ However, a control packet is several bytes while a data packet is several hundred => the proposed scheme obtains more transmission gain with less overhead in overall network transmission rates.

Conclusions
• Summary
  - The scheme detects a malicious node that operates normally during route determination but abnormally during data transmission over the network, using a report message and a report table specifying pairs of a reporter node and a suspect node.
  - The more malicious nodes in the network and the higher their mobility, the greater the data loss rate and the lower the transmission rate → the proposed scheme performs better than AODV
• Future work
  - The scheme must be further improved to provide more extensive security during route determination over the MANET
Thank you