Security in Ad Hoc Networks: From Vulnerability to Risk Management



Marianne A. Azer, CIT Dept., Nile University, Cairo, Egypt

Sherif M. El-Kassas, Computer Science Dept., American University in Cairo, Cairo, Egypt

Magdy S. El-Soudani, Electronics and Communications Dept., Cairo University, Faculty of Engineering, Cairo, Egypt

Abstract— Mobile Ad hoc Networks (MANETs) have lots of applications. Due to the features of open medium, absence of infrastructure, dynamic changing network topology, cooperative algorithms, lack of centralized monitoring and management point, resource constraints and lack of a clear line of defense, these networks are vulnerable to attacks. A vital problem that must be solved in order to realize these applications is that concerning the security aspects of such networks. Solving these problems combined with the widespread availability of devices such as PDAs, laptops, small fixtures on buildings and cellular phones will ensure that ad hoc networks will become an indispensable part of our life. In this paper, we discuss the reasons of vulnerability as well as active and passive attacks on such networks. We present the security measures used to secure ad hoc networks such as authentication, threshold cryptography, trust and reputation, and present a risk management scheme. Concluding remarks are presented at the end of this paper, while mentioning the different open research areas and challenges in the discussed security measures.

Keywords- ad hoc networks; attacks; security measures; vulnerabilities

I. INTRODUCTION

Ad hoc networks are highly appealing for many reasons. Due to their inherently distributed nature, they are more robust than their cellular counterparts against single-point failures, and have the flexibility to reroute around congested nodes. Furthermore, mobile ad hoc networks can conserve battery energy by delivering a packet over a multihop path that consists of short hop by hop links. They can be rapidly deployed and reconfigured. Hence, they can be tailored to specific applications. Due to their features, mobile ad hoc networks are vulnerable to attacks. In this paper the main reasons for ad hoc networks vulnerability as well as the security attacks will be presented. We survey the security measures used for ad hoc networks and present a risk management scheme.

The remainder of this paper is organized as follows. In section II, a background about the reasons of vulnerability of ad hoc networks is presented. Section III focuses on active and passive attacks on ad hoc networks. In Section IV and V, the security measures used for ad hoc networks and a risk management scheme are presented respectively. Conclusions and future directions are presented in section VI.

II. MOBILE AD HOC NETWORKS VULNERABILITY

Ad hoc networks are vulnerable to attacks due to many reasons, amongst them are:

The Absence of Infrastructure: Unlike traditional networks, in ad hoc networks all nodes are required to cooperate in supporting the network operation, while no prior security association (SA) can be assumed for all the network nodes. Freely roaming nodes form transient associations with their neighbors, joining and leaving subdomains independently with and without notice. There is an intrinsic requirement of mutual trust among all nodes in underlying protocol design.

Wireless Links between Nodes: The wireless channel is accessible to both legitimate network users and malicious attackers. As a result, there is no clear line of defense in MANETs from the security design perspective. The wireless link does not provide the same level of protection for data transmission as a wired link, allowing adversaries within radio transmission range to attack the data transmitted over the wireless link without gaining physical access to the link. Hence, attacks on a wireless network can come from all directions and target any node.

Limited Physical Protection: A serious problem present in ad hoc networks is the physical vulnerability of the nodes themselves. Mobility also makes physical security more challenging as the compromise of a legitimate node or the insertion of malicious nodes may go unnoticed in such a dynamic environment.

The Lack of a Centralized Monitoring or Management Unit: Decision-making in a mobile computing environment is sometimes decentralized and some wireless network algorithms rely on the cooperative participation of all nodes and the infrastructure. The lack of centralized authority means that the adversaries can exploit this vulnerability for new types of attacks designed to break the cooperative algorithms. As MANETs typically lack a central authority for authentication and key distribution, security mechanisms must be scalable and capable of handling frequent topology changes. They must also safeguard against the broadcasting of false routing information by malicious nodes. The lack of a central authority and network infrastructure, coupled with the dynamic nature of the network topology, makes malicious routing information a key vulnerability of MANETs. The primary security threat to MANET routing is the possibility of an adversary disrupting traffic by compromising the routing mechanisms. The distribution of false routing information allows the potential of unintended network routing loops, denial of service attacks, or other nonfunctional routes. These attacks may hinder or prohibit the communication vital to fulfilling the mission of networked nodes. It is therefore critical for nodes to dynamically determine the validity of routing information prior to making routing decisions.

2009 Third International Conference on Emerging Security Information, Systems and Technologies

978-0-7695-3668-2/09 $25.00 © 2009 IEEE

DOI 10.1109/SECURWARE.2009.38

The Resource Constraints in Mobile Ad Hoc Networks: The battery-powered operation of ad hoc networks gives attackers ample opportunity to launch a Denial of Service (DoS) attack by creating additional transmissions or expensive computations to be carried out by a node in an attempt to exhaust its batteries.

The reasons mentioned above all lead to increased vulnerability of ad hoc networks and their exposure to attacks. Despite such challenges, mobile users may request anytime, anywhere security services as they move from one place to another.

III. SECURITY ATTACKS

There are several ways to classify the types of attacks. An attack may be classified by its effects as an active or passive attack, by its source as an external or internal attack, by the attacker's capabilities as a mote-class or laptop-class attack, and finally by the target operation of the attack as a routing or packet forwarding attack. In this section, we will focus on active and passive attacks.

A. Passive Attacks

Passive attacks are the interception of network communications (i.e., eavesdropping or monitoring the network traffic) by unauthorized attackers. These attacks can be performed without any difficulty. They are difficult to prevent, and measures are available to minimize their success. If we consider a powerful adversary with unbounded eavesdropping capability and bounded cryptanalysis and node intrusion capability, we find that there are passive link and node intrusions [1] as follows:

Passive link intrusion: An adversarial node at this level is an external adversary that poses threat to wireless link only. The adversary knows and actualizes all network protocols and functions. It can eavesdrop and record wireless packets.

Passive node intrusion: An adversarial node at this level is an internal adversary that also poses threat to network members. After the adversary compromises a victim node, it can see the victim’s currently stored records including the private route caches. Intrusion detection is not perfect. A passive internal adversary exhibiting no malicious behavior will stay in the system and intercept all routing messages.

This means encrypting routing information cannot stop a passive internal adversary who is granted the privilege to decrypt routing messages. In [1], design principles of a routing protocol resistant to a passive adversary were presented in detail, and these principles are:

• Ensuring three aspects of mobile privacy support: content privacy, location privacy, and anonymous untraceable routing.

• Intrusion-tolerant ad hoc routing.

• Robustness against eavesdropper’s traffic analysis.

• Fully dynamic routing information.

• Avoiding expensive cryptographic operations.

B. Active Attacks

Amongst the active attacks we mention:

• Impersonation: Here the attacker uses the identity of another node to gain unauthorized access to a resource or data. This attack is often used as a prerequisite to eavesdropping.

• Masquerade: A masquerade takes place when an attacker pretends to be a different authorized entity to obtain privileges of the network. This attack is usually combined with other forms of active attacks. For example, an unauthorized party inserts new data and claims that it originates from a legitimate party. This is an insertion attack combined with impersonation.

• Replay: A replay involves retransmission of passively captured data units to produce an unauthorized effect.

• Modification of messages: This involves altering portions of a legitimate message, or delaying or reordering messages, to produce an unauthorized effect. This attack modifies data during the transmission between the communicating nodes, implying that the communicating nodes do not share the same view of the transmitted data. An example could be when the transmitted data represents a financial transaction where the attacker has modified the transaction value.

• Denial of Service (DoS): These attacks are intended to disable communication of authorized users over a network by capturing the network resources. This resource could be a specific node, service, or the whole network. These attacks are destructive in nature and are meant to cause disruption of services to other legitimate users. A survey on preventing DoS attacks on routing traffic and on data traffic was presented in [2]. Other active attacks against the wireless link include jamming to deny service to mobile nodes, and energy exhaustion attacks, referred to as sleep deprivation torture, to exhaust the battery life of mobile nodes. Battery exhaustion could effectively destroy a network node if recharging is impossible [3].

Sometimes, as in [3], this kind of attacker is characterized based on the number of nodes it owns in the network and the number of good nodes it has compromised. We assume that the attacker owns all the cryptographic key information of compromised nodes and distributes it among all its nodes. Such an attacker is denoted: Active-nm, where n is the number of nodes it has compromised and m is the number of nodes it owns.


IV. SECURITY MEASURES

This section introduces the proactive and reactive approaches for protecting MANETs, in addition to the security measures used in MANETs.

A. Proactive and Reactive Approaches

There are basically two approaches to protecting MANETs: proactive and reactive approaches. The proactive approach attempts to prevent an attacker from launching attacks in the first place, typically through various cryptographic techniques. In contrast, the reactive approach seeks to detect security threats a posteriori and react accordingly. Due to the absence of a clear line of defense, a complete security solution for MANETs should integrate both approaches and encompass all three components: prevention, detection, and reaction. For example, the proactive approach can be used to ensure the correctness of routing states, while the reactive approach can be used to protect packet forwarding operations. In [4] a survey on existing secure routing protocols is given. Security is a chain, and it is only as secure as the weakest link. Missing a single component may significantly degrade the strength of the overall security solution. Table 1 shows that the security solutions for MANETs should provide complete protection spanning the entire protocol stack [5].

TABLE I. THE SECURITY SOLUTIONS FOR MANETS SHOULD PROVIDE COMPLETE PROTECTION SPANNING THE ENTIRE PROTOCOL STACK [5]

| Layer | Security Issues |
|---|---|
| Application Layer | Detecting and preventing viruses, worms, malicious codes, and application abuses |
| Transport Layer | Authenticating and securing end to end communications through data encryption |
| Network Layer | Protecting the ad hoc routing and forwarding protocol |
| Link Layer | Protecting the wireless MAC protocol and providing link layer security support |
| Physical Layer | Preventing signal jamming denial of service attacks |

B. Security Measures in MANETs

Several security measures have been used to secure MANETs. In this section we briefly introduce threshold cryptography, certification authorities, reputation schemes, and authentication.

1) Threshold Cryptography. It is the cornerstone of protocols for the distribution of trust. The idea of a (k, n) threshold scheme was introduced by Shamir in [6]. A (k, n) scheme allows a secret to be split into shares, such that for a certain threshold k < n, any k components could combine and generate a valid signature, whereas k-1 or fewer shares are unable to do so. Zhou and Haas in [7] proposed the idea of utilizing threshold cryptography to distribute trust in ad hoc networks. According to [7], the challenges associated with key management services such as issuing, revoking and storing of certificates in ad hoc networks can be resolved by distributing Certification Authority (CA) duties amongst the network nodes. Threshold cryptography has been subject to many suggestions and modifications, amongst them hierarchical schemes such as in [8], some threshold schemes that exploit redundancies in the partial signatures and use error correcting codes to mask incorrect partial signatures [9], anonymous and certificateless Public-Key Infrastructure (AC-PKI) to efficiently and securely provide public-key services without using public-key certificates as in [10], a combination of two cryptographic techniques, ID based and threshold cryptography, as in [11], and using Maximum Distance Separable codes and a Symmetric Key Generation System (SKGS) to provide a practical cryptographic system capable of operating in a dynamic environment as in [12]. To evaluate the performance of a threshold secret sharing scheme in ad hoc networks, fork/join queuing theory was used in [13] to develop a general model.

If threshold cryptography is used, it is important to know the value of the threshold k. A very high threshold level ensures greater security, but the QoS requirement may not be satisfied. If the threshold level is lowered, it becomes easy for a node to construct its digital certificate within the QoS requirements or specified authentication delay time, but the security aspect is compromised. The threshold level selection process is also influenced by various network dynamics such as network density, node speed, node transmission range, system stability, security level, link bandwidth and power loss. Suggestions for threshold level calculation were presented in [10], [13], and [14].
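The (k, n) property described above, shown with Shamir's secret sharing [6] as an added example (not code from the paper or from any of the cited schemes). It shares a plain secret rather than producing threshold signatures; the field prime, the sample secret and the helper `recover_with_redundancy` (a brute-force cross-check over redundant shares, not the error-correcting-code method of [9]) are assumptions made for this illustration.

```python
import secrets
from collections import Counter
from itertools import combinations

# Assumption: a Mersenne prime as the field modulus; any prime larger than
# both the secret and n would do.
PRIME = 2**127 - 1


def split_secret(secret, k, n, prime=PRIME):
    """Split `secret` into n shares such that any k of them recover it."""
    if not 1 < k <= n < prime:
        raise ValueError("need 1 < k <= n < prime")
    if not 0 <= secret < prime:
        raise ValueError("secret must be in [0, prime)")
    # Random polynomial f of degree k-1 with f(0) = secret.
    coeffs = [secret] + [secrets.randbelow(prime) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):            # node x holds the point (x, f(x))
        y = 0
        for c in reversed(coeffs):       # Horner's rule
            y = (y * x + c) % prime
        shares.append((x, y))
    return shares


def reconstruct(shares, prime=PRIME):
    """Lagrange-interpolate f(0) from the given (x, y) shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = (num * -xj) % prime
                den = (den * (xi - xj)) % prime
        # Division in the field is multiplication by the modular inverse.
        secret = (secret + yi * num * pow(den, prime - 2, prime)) % prime
    return secret


def recover_with_redundancy(shares, k, prime=PRIME):
    """Hypothetical helper: reconstruct from every k-subset of the received
    shares and return (most common value, number of subsets agreeing).

    With more than k shares available, a corrupted share only poisons the
    subsets that contain it, so the honest subsets still agree.
    """
    votes = Counter(reconstruct(list(subset), prime)
                    for subset in combinations(shares, k))
    return votes.most_common(1)[0]


if __name__ == "__main__":
    secret = 123456789                          # constructed sample secret
    shares = split_secret(secret, k=3, n=5)
    print("any 3 shares :", reconstruct(shares[:3]) == secret)
    print("only 2 shares:", reconstruct(shares[:2]) == secret)

    # One node returns an incorrect share: plain reconstruction fails silently.
    bad = list(shares)
    bad[1] = (bad[1][0], (bad[1][1] + 1) % PRIME)
    print("with bad share:", reconstruct(bad[:3]) == secret)
    print("cross-checked :", recover_with_redundancy(bad, 3))
```

Raising k makes both properties stronger but requires more reachable share holders per reconstruction, which is the security versus QoS trade-off discussed above.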

2) Certification Authorities. In ad hoc networks, trust is managed locally at the individual nodes. A node is not trusted by a given node until it presents a certificate, and the node in question verifies that the certificate was issued by a trusted CA, and that it has neither expired nor been revoked. The CAs are responsible for issuing, storing, validating, and revoking certificates [15]. Beyond managing certificates, it is also the CA’s responsibility to disseminate the public keys of principals to inquiring clients. Every response from the CA is signed with the CA’s private key, and so can be validated with the CA’s public key. The success of this approach lies in maintaining the secrecy of the private key of the CA. It is also necessary for the CA to remain on-line (i.e. available) to provide these services.

There are three major parameters to a distributed key management framework: fault tolerance, vulnerability and availability. The first parameter is associated with the number of node failures the system can handle; the second is associated with the number of compromised nodes the system can withstand, whereas the third is associated with the ability of the client to contact the required number of CAs. The optimization of any one of these parameters may adversely affect other parameters and so adversely affect the success of the system. In addition, mobile networks present hostile environments where nodes may easily die or be compromised and no guarantees can be made about the ability to access the necessary nodes for authentication. An ideal key management service for ad hoc networks should provide the best of both worlds: it must be light-weight and simple to mobile nodes, and it must be available in highly dynamic networks.

A single centralized authentication server is unsuitable for ad hoc networks. However, if replicated CAs are used, with each replica having full knowledge of the system secret, the approach becomes vulnerable against any attacks that compromise a single replica, which should not be considered too difficult considering the inherent physical vulnerability of mobile nodes. The threshold digital signature scheme was proposed to address this problem [16]. In order to increase the availability of the CA(s), it has been proposed to distribute the CA functionality over all nodes participating in an ad hoc network. For example, in [17], every node carries a piece of the CA’s secret key. An ad hoc network is expected to have a wide variety of nodes with differing computational power as well as differing levels of physical security. Based on this heterogeneity assumption, it is interesting to consider distributing the CA functionality only to relatively secure and relatively powerful nodes [18].

Different certification schemes have been presented in the literature. These schemes can be classified into cluster-based schemes [19], [20], [21], [22], and non cluster-based schemes [18], [23], [24], and [25].

3) Reputation Schemes. There is a natural incentive for nodes [26] to only consume, but not contribute to the services of the system. Intentional misbehavior can aim at an advantage for the misbehaving node or just constitute vandalism, such as enabling a malicious node to mount an attack or a selfish node to save power. The use of reputation systems in many different areas of IT is increasing; they are used to decide whom to trust, and to encourage trustworthy behavior. Resnick and Zeckhauser [27] identify three goals for reputation systems:

1. To provide information to distinguish between a trustworthy principal and an untrustworthy principal.

2. To encourage principals to act in a trustworthy manner.

3. To discourage untrustworthy principals from participating in the service the reputation mechanism is present to protect.

A great deal of effort has been made in the literature to develop reputation schemes, and several issues have been raised, among which we mention: elements of a monitoring scheme in MANETs were presented in [28], assigning a trust level to nodes and dynamically updating it, distinguishing selfish peers from cooperative ones [29], dealing with liars that use brain washing, intoxication, or identity spoofing [26], using second hand information [30], detecting malicious incorrect packet forwarding attacks as in [31], and designing trust-based reactive routing protocols as in [32], where the source and destination collect reports from intermediate nodes on the routing path.

4) Authentication. Due to the characteristics of ad hoc networks, the authentication protocols used for routing and data packet delivery in ad hoc networks should be lightweight and scalable. To verify the correctness of a received packet, the basic method in an ad hoc network is to put a public-key e-signature on the packet. However, a portable terminal used in ad hoc networks has relatively small computational ability, and a lot of calculation time is needed for generating and verifying e-signatures.

Several authentication solutions have been proposed for ad hoc networks, among which we mention: using a digital signature and a comparatively high-speed hash function [33], interleaved message authentication [34], deniable electronic voting authentication [35], a solution that accomplishes end-to-end authentication of ACKs based on the TESLA symmetric key broadcast authentication protocol [36], authentication using efficient hash chains and one-time hash tag commitments [37], and an authentication service based on trust and clustering [21]. It is worth mentioning that authentication performance is based on two factors: threshold level and authentication delay.

V. RISK MANAGEMENT IN MANETS

Due to the special features of ad hoc networks, the security measures mentioned in the previous section are costly from the limited resources point of view. Therefore, it is important to evaluate the need for those measures, depending on the risk they encounter. A five step procedure was given in [38] to calculate vulnerabilities and risks of a critical network resource. The same procedure could be customized and applied for ad hoc networks. The risk management method for ad hoc networks, using attack graphs, is illustrated in Figure 2 and has the following steps:

Step 1->Creation of an attacker Profile: The profile gives the expendable resources associated with the attacker. Creating an attack profile would help in identifying the probable attacks and the probable network resources that can be compromised by the attacker. An attacker may be classified by his effects as active or passive, by his source as external or internal, by his capabilities as mote-class or laptop-class, and finally by the target operation of the attack as a routing or packet forwarding attacker.

Step 2->Creation of Attack Graph: Attack graphs depict ways in which an adversary exploits system vulnerabilities to achieve a desired state. System administrators use attack graphs to determine how vulnerable their systems are and to determine what security measures need to be deployed in order to defend their systems. Using this graph, we can learn the sequence of state transitions through which intruders achieve an attack. To build an attack graph, the ad hoc network should be modeled as a finite state machine, where state transitions correspond to atomic attacks launched by the intruder. Also, a desired security property could be specified, and the intruder’s goal generally corresponds to violating this property. Attack graph construction depends on the knowledge of different types of attacks to which the network is vulnerable. In ad hoc networks, there are two main types of passive attacks: the eavesdropping and the traffic analysis attack. Active attacks can be subdivided into the following categories: impersonation, masquerade, replay, modification of messages, and denial of service.

Step 3-> Labeling Attack Paths with Behavior Attributes: Based on the type of the attacker, the attack paths are considerably different depending on the type of quantifying variable in consideration. This helps us in deducing all the vulnerable resources in a network for a given attack profile.

Step 4->Risk Computation: In this step, a risk level for all the critical resources is calculated based on the set of paths, attributes and attacker type. Bayesian networks-based estimation is used for calculating the aggregated risk value of the resource. Next, a resource is marked as attack prone if this value is more than a threshold. Bayesian networks encode the probability relationships between various random variables or nodes in a causal graph and therefore we can model the attack trees by reducing them to causal graphs and associating the nodes or random variables with probabilities. Therefore, we document all the attack paths for a given resource and calculate the Bayesian probabilities of the root nodes of each attack path when the evidence regarding the leaf is available.

Step 5-> Optimizing the risk level: In a typical network, patching a vulnerability may impact other network elements. Steps 1-4 need to be performed repeatedly for an optimum risk value.
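The five steps above, carried through on a small attack graph as an added example (not the procedure's code from the paper or from [38]). The states, atomic-attack probabilities, threshold and patch are constructed for illustration, the attacker profile uses only the effect and capability dimensions, and a noisy-OR over attack paths (paths treated as independent causes) stands in for the Bayesian-network estimation of Step 4.

```python
from dataclasses import dataclass, replace

CAPABILITY_RANK = {"mote": 0, "laptop": 1}


@dataclass(frozen=True)
class AtomicAttack:
    """One state transition of the finite state machine (Step 2)."""
    src: str
    dst: str
    name: str
    effect: str           # "passive" or "active"
    min_capability: str   # weakest attacker class able to launch it
    probability: float    # constructed success probability


@dataclass(frozen=True)
class AttackerProfile:
    """Step 1: what the attacker is able to do."""
    effect: str           # a "passive" attacker launches no active attacks
    capability: str       # "mote" or "laptop"


# Constructed attack graph for a small MANET.
GRAPH = [
    AtomicAttack("outside", "link_observed", "eavesdropping", "passive", "mote", 0.9),
    AtomicAttack("link_observed", "route_cache_known", "traffic analysis", "passive", "laptop", 0.5),
    AtomicAttack("link_observed", "node_impersonated", "impersonation", "active", "mote", 0.4),
    AtomicAttack("route_cache_known", "routing_corrupted", "modification of messages", "active", "laptop", 0.6),
    AtomicAttack("node_impersonated", "routing_corrupted", "replay", "active", "mote", 0.5),
    AtomicAttack("outside", "node_battery_drained", "denial of service", "active", "mote", 0.3),
]
# Critical resource -> state in which that resource is compromised.
RESOURCES = {"routing_table": "routing_corrupted", "node_battery": "node_battery_drained"}


def usable(attack, profile):
    """Step 3: keep only transitions this attacker profile can take."""
    if profile.effect == "passive" and attack.effect == "active":
        return False
    return CAPABILITY_RANK[profile.capability] >= CAPABILITY_RANK[attack.min_capability]


def attack_paths(graph, start, goal, profile, _seen=()):
    """All loop-free sequences of usable atomic attacks from start to goal."""
    if start == goal:
        return [[]]
    visited = _seen + (start,)
    paths = []
    for attack in graph:
        if attack.src == start and attack.dst not in visited and usable(attack, profile):
            for rest in attack_paths(graph, attack.dst, goal, profile, visited):
                paths.append([attack] + rest)
    return paths


def risk(graph, start, goal, profile):
    """Step 4: aggregate path probabilities with a noisy-OR."""
    p_no_path_succeeds = 1.0
    for path in attack_paths(graph, start, goal, profile):
        p_path = 1.0
        for attack in path:
            p_path *= attack.probability
        p_no_path_succeeds *= 1.0 - p_path
    return round(1.0 - p_no_path_succeeds, 4)


def assess(graph, start, resources, profile, threshold):
    """Risk per critical resource and whether it is marked attack prone."""
    report = {}
    for resource, goal in resources.items():
        value = risk(graph, start, goal, profile)
        report[resource] = (value, value > threshold)
    return report


def patch(graph, attack_name, new_probability):
    """Step 5: model a countermeasure as a lower success probability."""
    return [replace(a, probability=new_probability) if a.name == attack_name else a
            for a in graph]


if __name__ == "__main__":
    laptop = AttackerProfile("active", "laptop")
    print(assess(GRAPH, "outside", RESOURCES, laptop, threshold=0.35))
    hardened = patch(GRAPH, "replay", 0.1)   # e.g. freshness checks on routing messages
    print(assess(hardened, "outside", RESOURCES, laptop, threshold=0.35))
```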

VI. CONCLUSION

Due to their characteristics, securing ad hoc networks is very challenging. In this paper we discussed the reasons of vulnerability of ad hoc networks to attacks and the attacks as well. We surveyed some of the security approaches used for securing ad hoc networks. These approaches are: threshold cryptography, certification authorities, reputation and trust, and authentication. There are still many challenges and research openings in the area of ad hoc networks security. Although there were suggestions for the optimum threshold level for threshold cryptography, there is still a need for more research to answer many questions, such as: What are the upper and lower bound threshold values and the optimum threshold value? Also, is the partial key provided valid all the time? What if corrupted nodes provide incorrect partial keys? Can error correcting codes be used in conjunction with threshold cryptography to compensate for the effects of malicious partial key shares? What about the dynamic adjustment of the partial key validity time? Also, more research is needed to compare fixed and dynamic threshold levels, taking into consideration the geographical distribution of nodes in ad hoc networks.

Also, despite the great effort that has been spent on the study and design of certificate distribution schemes, there are still lots of openings and challenges in this area. For example, there are no clear criteria for the selection of CAs, such as their roles, power, reputation, age in the network, etc. Also, the number of CAs with respect to the total number of nodes in the network, and their distribution, need to be formulated while taking into consideration the network topology and the mobility of the nodes within the network, which dynamically affects the nodes’ distribution within the network. Some schemes have suggested a time out for certificates; it needs to be calculated as well. For CA revocation, voting and reputation schemes can be used to gain a better judgment on a CA's behavior, to isolate it and discard certificates issued by that CA. Moreover, a lightweight method for propagating the revocation news needs to be investigated to decide whether the periodic announcement or the on demand approach is more suitable in the case of ad hoc networks. We surveyed the different reputation and trust based schemes that were proposed for ad hoc networks in the literature, ranging between collaborative and independent node based schemes. Several reputation schemes can be modified or blended together to enhance their performance and obtain an optimum scheme that is suitable to the very specific characteristics of ad hoc networks. Some of the authentication schemes proposed in the literature need to be combined with other security schemes like reputation and trust based schemes. This paper also presented a risk management scheme for ad hoc networks. In the future we plan to investigate some of those challenging research areas so as to obtain a more secure scheme for ad hoc networks.


Figure 1. Risk management for ad hoc networks using behavior based attack graphs.

REFERENCES

[1] J. Kong, X. Hong, and M. Gerla, “A New Set of Passive Attacks in Mobile Ad Hoc Networks”, in Military Communications Conference, MILCOM2003, Vol.2, pp796-801.

[2] M. Just, E. Kranakis, and T. Wan, “Resisting Malicious Packet Dropping in Wireless Ad Hoc Networks,” in Proc. ADHOC-NOW, Oct. 2003.

[3] P. Brutch and C. Ko, “Challenges in intrusion detection for wireless ad-hoc networks”, in 2003 Symposium on Applications and the Internet Workshops (SAINT’03 Workshops), 2003.

[4] Dongbin Wang, Mingzeng Hu, Hui Zhi, "A Survey of Secure Routing in Ad Hoc Networks," The Ninth International Conference on Web-Age Information Management, pp. 482-486, 2008.

[5] H. Yang, et al., “Security in Mobile Ad Hoc Networks: Challenges and Solutions,” IEEE Wireless Communications, vol. 11, no. 1, February 2004.

[6] A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, November 1979.

[Figure 1 content (flowchart; text recovered from the image). Risk management steps: create attack graph; create an attacker profile and see attacker resources; label attack paths with behavior attributes; risk computation; patching vulnerabilities and repeating previous steps; optimizing risk level. Attackers: active, passive, external, internal, mote, laptop. Attacks: active, passive; eavesdropping, traffic analysis, impersonation, masquerade, replay, modification, denial of service. Other labels: packet, routing. Step annotations: identify probable attacks and network resources that can be compromised; learn sequence of state transitions for achieving an attack; deduce all vulnerable resources in the network for a given attack profile; risk level for critical resources is computed, and if risk level > threshold the resource is attack prone; optimum risk value; benefit from risk management.]

[7] L. Zhou and Z. J. Haas, “Securing ad hoc networks,” IEEE Network Magazine, vol. 13, no. 6, pp. 24–30, November/December 1999.

[8] S. Seys and B. Preneel, “Authenticated and Efficient Key Management for Wireless Ad Hoc Networks,” Proceedings of the 24th Symposium on Information Theory in the Benelux, Werkgemeenschap voor Informatie- en Communicatietheorie, pp. 195-202, 2003.

[9] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, "Robust threshold DSS signatures," In U. Maurer, editor, Advances in Cryptology – Proceedings of Eurocrypt ’96, number 1070 in Lecture Notes in Computer Science, pages 354–371, Zaragoza, Spain, May 1996. Springer-Verlag.

[10] Y. Zhang, W. Liu, W. Lou, Y. Fang and Y. Kwon , "AC-PKI: Anonymous and Certificateless public-key infrastructure for mobile ad hoc networks," ICC 2005 - IEEE International Conference on Communications, no. 1, May 2005, pp. 3515 – 3519.

[11] A. Khalili, J. Katz, and W. Arbaugh, “Toward Secure Key Distribution in Truly Ad-Hoc Networks,” Proceedings of the 2003 Symposium on Applications and the Internet Workshops (SAINT-w’03).

[12] M. Al-Shurman, S. Yoo, and B. Kim, "Distributive Key Management for Mobile Ad Hoc Networks," mue,pp.533-536, 2008 International Conference on Multimedia and Ubiquitous Engineering (mue 2008), 2008.

[13] W. Chen, H. Li, "Modelling Threshold Secret Sharing Schemes in Ad Hoc Networks," International Conference on Networking, Architecture, and Storage, pp. 207-214, 2008.

[14] P. Muppala, J. Thomas, and A. Abraham. "QoS-Based Authentication Scheme for Ad Hoc Wireless Networks," itcc, International Conference on Information Technology: Coding and Computing (ITCC'05) - Volume I, pp. 709-714,2005.

[15] C. R. Davis, “A localized trust management scheme for ad hoc networks”, Proceedings of the 3rd International Conference on Networking (ICN'04), pp. 671-675, March 2004.

[16] V. Shoup, “Practical Threshold Signatures”, In Theory and Application of Cryptographic Techniques, pp 207–220, 2000.

[17] J. Kong, P. Zerfos, H. Luo, S. Lu, and L. Zhang, “Providing Robust and Ubiquitous Security Support for Mobile Ad-Hoc Networks”, in Proceedings of ICNP ’01.

[18] S. Yi, and R. Kravets, “Key Management for Heterogeneous Ad Hoc Wireless Networks”, ICNP 2002, pp. 202-205.

[19] M. Bechler, H.-J. Hof, D. Kraft, F. Pählke, and L. C. Wolf, “A Cluster-Based Security Architecture for Ad Hoc Networks”, INFOCOM 2004.

[20] A. Rachedi, and A.Benslimane, "Trust and Mobility-based Clustering Algorithm for Secure Mobile Ad Hoc Networks," icsnc, p. 72, International Conference on Systems and Networks Communication (ICSNC'06), 2006.

[21] E. C.H. Ngai, Michael R. Lyu, "An Authentication Service Based on Trust and Clustering in Wireless Ad Hoc Networks: Description and Security Evaluation," IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing -Vol 1 (SUTC'06), sutc, pp. 94-103, 2006.

[22] A. Rachedi, A. Benslimane, H. Otrok, N. Mohammed, M. Debbabi, "A Mechanism Design-Based Secure Architecture for Mobile Ad Hoc Networks," wimob, 2008 IEEE International Conference on Wireless & Mobile Computing, Networking & Communication, pp.417-422, 2008.

[23] G. Hadjichristofi, W. Adams, and N. Davis, "A Framework for Key Management in Mobile Ad Hoc Networks," itcc, International Conference on Information Technology: Coding and Computing (ITCC'05) - Volume II, pp. 568-573, 2005.

[24] J. Luo, J. Hubaux, and P. Eugster. "DICTATE: DIstributed CerTification Authority with probabilisTic frEshness for Ad Hoc Networks," IEEE Transactions on Dependable and Secure Computing, vol. 2, no. 4, pp. 311-323, October-December, 2005.

[25] S. Raghani, D. Toshniwal, and R. Joshi, "Dynamic Support for Distributed Certification Authority in Mobile Ad Hoc Networks," ichit, 2006 International Conference on Hybrid Information Technology - Vol1 (ICHIT'06), pp. 424-432, 2006.

[26] S. Buchegger, and J. Le Boudec, “Self-Policing Mobile Ad Hoc Networks by Reputation Systems,” IEEE Communications Magazine, vol. 43, no. 7, July 2005.

[27] P. Resnick and R. Zeckhauser, “Trust among strangers in internet transactions: Empirical analysis of ebay’s reputation system,” in M. Baye, editor, Advances in Applied Microeconomics: The Economics of the Internet and E-Commerce, volume 11, pp. 127–157. Elsevier Science Ltd., November 2002.

[28] R. Savola, and I. Uusitalo, "Towards Node-Level Security Management in Self-Organizing Mobile Ad Hoc Networks," aict-iciw, p. 36, Advanced International Conference on Telecommunications and International Conference on Internet and Web Applications and Services (AICT-ICIW'06), 2006.

[29] B. Wang, S. Soltani, J. Shapiro, and P. Tan. "Local Detection of Selfish Routing Behavior in Ad Hoc Networks," ispan, 8th International Symposium on Parallel Architectures,Algorithms and Networks (ISPAN'05), pp. 392-399, 2005.

[30] J. Mundinger, J. Le Boudec. "Analysis of a Reputation System for Mobile Ad-Hoc Networks with Liars," wiopt, Third International Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks (WiOpt'05), pp. 41-46, 2005.

[31] Y. Rebahi, V. Mujica, and D. Sisalem. "A Reputation-Based Trust Mechanism for Ad Hoc Networks," iscc, 10th IEEE Symposium on Computers and Communications (ISCC'05), pp. 37-42, 2005.

[32] A. Pirzada, C. McDonald, and A. Datta, "Performance Comparison of Trust-Based Reactive Routing Protocols," IEEE Transactions on Mobile Computing, vol. 05, no. 6, pp. 695-710, June, 2006.

[33] F. Sato, H. Takahira, and T. Mizuno. "Message Authentication Scheme for Mobile Ad hoc Networks," icpads, 11th International Conference on Parallel and Distributed Systems (ICPADS'05), pp. 50-56, 2005.

[34] H. Vogt. "Increasing Attack Resiliency of Wireless Ad Hoc and Sensor Networks," icdcsw, Second International Workshop on Security in Distributed Computing Systems (SDCS) (ICDCSW'05), pp. 179-184, 2005.

[35] C. Li, M. Hwang, and C. Liu, “An electronic voting protocol with deniable authentication for mobile ad hoc networks”, Computer Communications, vol. 31, no. 10, June 2008.

[36] S. Vassilaras, D. Vogiatzis, and G. Yovanof. "Misbehavior Detection in Clustered Ad-hoc Networks with Central Control," itcc, International Conference on Information Technology: Coding and Computing (ITCC'05) - Volume II, pp. 687-692, 2005.

[37] Q. Huang, I. Avramopoulos, H. Kobayashi and B. Liu, "Secure Data Forwarding in Wireless Ad Hoc Networks, " ICC 2005 - IEEE International Conference on Communications, no. 1, May 2005, pp. 3525 – 3531.

[38] R. Dantu, K. Loper, and P. Kolan, “Risk Management using Behavior based Attack Graphs”, International Conference on Information Technology: Coding and Computing (ITCC'04) Volume 1
