J. Parallel Distrib. Comput. 63 (2003) 214–227

Strategies for enhancing routing security in protocols for mobile ad hoc networks

Lakshmi Venkatraman and Dharma P. Agrawal

Department of Electrical and Computer Engineering and Computer Science (ECECS), Center for Distributed and Mobile Computing, University of Cincinnati, Cincinnati, OH 45221-0030, USA

Received 17 October 2002; accepted 21 October 2002

Abstract

Mobile ad hoc network (MANET) is a new emerging field with its potential applications in extremely unpredictable and dynamic environments. These characteristics require the networks to have much harder security requirements than the contemporary networks. While current routing protocols do seem to adjust well to dynamically changing conditions, they offer either no security mechanisms at all or have only partial solutions for ensuring the correct routing. It is hard to simultaneously achieve both security and robustness in the routing protocols. In this paper, we analyze various possible threats to the routing protocols and introduce strategies to address the same. On one hand, routing protocol can be disrupted due to attacks from intruder nodes that do not belong to the network. On the other hand, routing is severely affected by the presence of compromised nodes that inflict unpredictable and undetectable Byzantine failure. We have addressed the issue of attacks from intruders by means of authentication techniques that rely on mutual trust between nodes. We also study the behavioral patterns of the nodes and isolate compromised nodes using a distributed approach. The effectiveness of our schemes is illustrated by means of extensive simulations using the ns-2 simulator. The routing protocol chosen for the study is AODV. We have observed the performance of the network with and without our secured routing scheme.

© 2003 Elsevier Science (USA). All rights reserved.

Keywords: Ad hoc network; Authentication; Delay; Internal and external attacks; Public and private keys; Routing protocol; Security; System key; Throughput

1. Introduction

Wireless networks are typically much easier to snoop on, as signals go through the air and only physical proximity is required to gain access to the medium. Mobile ad hoc network (MANET) is a class of wireless networks with no fixed infrastructure (or base stations) and are formed on an ad hoc basis. Peer-to-peer routing is done in these networks; the absence of any central authority makes MANETs more vulnerable to various forms of attacks than a typical wireless network. The impromptu nature of MANET formation makes it hard to distinguish between trusted and untrusted nodes. The dynamic nature of MANETs makes the trust relationship between nodes also change. Any security solution for networks with static configuration would not only be inadequate but also inappropriate, as the security mechanisms should be able to adapt to those changes on the fly. In most ad hoc routing protocols, the routers exchange information about the topology of the network itself. As the topology changes dynamically, update messages need to be sent frequently from one node to another. As all these messages are transmitted through the air, any intruder could act as a malicious router, giving incorrect routing updates or preventing packets from being forwarded. This could also result in packets never reaching the rightful destination and therefore, total failure of the network. In addition, the routing protocol can be an easy target for denial of service (DOS) type attacks if a malicious node floods the network with spurious routing messages. The other nodes may be innocently propagating such messages following the underlying routing protocol. Though these messages may be harmless, it results in waste of bandwidth and battery power, which is a scarce resource.

Moreover, the nodes of an ad hoc network are roaming and more often in hostile environments. Therefore, they are susceptible to physical attacks too. Nodes with insufficient physical protection are likely to be captured or compromised. These compromised nodes can disrupt the routing protocol by not cooperating or functioning maliciously. The routing strategy must be made robust enough to guarantee availability of resources, even in the presence of compromised nodes. In this paper we have studied various possible threats to routing protocols and put forth schemes to handle them. We have chosen the ad hoc on-demand distance vector (AODV) protocol [20,21,24] for our study.

This work has been supported by the Ohio Board of Regents, Doctoral Enhancement Funds and the National Science Foundation under grant CCR-0112361.

Corresponding author: D.P. Agrawal. E-mail addresses: [email protected] (L. Venkatraman), [email protected] (D.P. Agrawal).

0743-7315/03/$ - see front matter © 2003 Elsevier Science (USA). All rights reserved.

doi:10.1016/S0743-7315(02)00065-5

2. Issues in secure routing

The fundamental requirements of computer security like confidentiality, integrity, authentication and non-repudiation [22,23] are also valid when protection of correct routing behavior is to be considered in any type of network. Confidentiality of routing information [13] is important so that not only the payload data but also the routing message headers, e.g., the location information of the mobile nodes, can be exchanged securely. Moreover, the integrity and authentication of the routing messages must be guaranteed so that every piece of routing information can always be confirmed to be valid and to have originated from the correct sender. Non-repudiation means that the node cannot deny having sent or handled a certain piece of routing information in the past. Authentication mechanisms allow partial non-repudiation, but additional means are typically required to protect the routing traffic from being tampered with, such as replaying or delaying of routing messages.

2.1. Attacks and threats

Security issues always involve identification of potential attacks, threats and vulnerabilities of a system. The most severe vulnerability in MANETs is the poor physical security of the mobile nodes. The ad hoc routing protocols [8,22] need to discover the routes prior to forwarding all data packets. This involves exchange of control packets. The route discovery and maintenance process is susceptible to various forms of attacks. We can divide potential attacks against routing into two groups [25]:

(i) passive attacks that typically involve only eavesdropping of the routing messages, and

(ii) active attacks that involve actions performed by adversaries such as routing message replication and deletion.

We can further classify active attacks into:

* External attacks: An attack that is caused by a node that does not belong to the network. These are typically active attacks that may lead to the transmission of false routing information, generation of routing loops, partitioning of the network and congestion.

* Internal attacks: Attacks from nodes belonging to the network, primarily due to their being compromised or captured. Internal attacks are more severe, since the malicious nodes sending incorrect routing traffic have already passed through the security mechanisms imposed by the routing framework.

2.2. Challenges

Compromised nodes could constitute and become one of the most central security threats in MANETs, since the whole routing scheme is being generated and maintained by the nodes themselves, without any help from a fixed backbone or a base station. A set of the nodes could be compromised in such a way that the incorrect and malicious behavior can become transparent and cannot be noticed directly at all. The compromised nodes may seemingly operate correctly, but at the same time, they may make use of the flaws and inconsistencies in the routing protocol to distort the routing table of the network. Key management is difficult due to the lack of any centralized control, while the security scheme needs to be distributed.

3. Related work

In wired networks, the IPSec security architecture [11,14–16] provides security mechanisms for IP version 4 (IPv4) and IP version 6 (IPv6). The IP Authentication Header is designed to provide integrity and authentication without confidentiality to IP datagrams. Every pair of nodes needs to share a key and therefore the number of involved keys for the whole network becomes extremely high.

There has been a continuous effort to enhance privacy in wireless networks and match that achievable with wired networks. One of the goals is the simulation of physical access control by denying access to unauthenticated stations. The security system in WLANs based on the 802.11 standard [26] consists of a data encapsulation technique called wired equivalent privacy (WEP) and an authentication algorithm called shared key authentication. Several problems have been identified with 802.11 security [2,4]. Distributed security management systems for wireless telecommunication networks have also been proposed [18]. The primary focus there is to reduce the use of clone mobile telephones. An on-line security system for fraud detection of impostors for improper use of mobile phone operations, based on a neural network classifier, has recently been presented [5].

The research in security for MANETs is in its infancy. Zhou and Haas [28] have introduced a distributed key management service to be applied to MANETs. The proposal utilizes redundancies in the network topology to provide a reliable enough key management mechanism for routing. The idea is to divide the task of transmitting routing information in such a redundant way that if some of the routes fail or a relatively small number of nodes become compromised, the nodes can still exchange correct routing information reliably. The approach does require that the routing protocol can manage multiple routes in a distributed manner [28]. If the upper limit for the number of compromised server nodes can be set to t, then at least n = 3t + 1 nodes are needed to maintain an adequate security level and trust relationship. It may, however, not always be possible to satisfy such thresholds in different MANET environments. Public-key cryptography can be employed to get the benefits of public key management services and digital signatures in achieving and maintaining integrity and non-repudiation protection.

An architecture for distributed and cooperative intrusion detection has been presented [27], wherein each node participates and is responsible for detecting signs locally and independently, but neighboring nodes can collaborate. Experiments have been performed where authentication of MAC and IP address exchange has been attempted [3]. A MANET authentication architecture has also been proposed where the emphasis is on building a hierarchy of trust in order to authenticate the IMEP messages [12]. This would be difficult to implement in practice, as the nodes are constantly moving and there is no underlying infrastructure. Therefore, it may be very hard to find common certification authorities for any two communicating nodes.

A malicious node 'X' could eavesdrop on route requests, for example when a control message is sent from node 'A', then move and replay it to another node 'B'. Node 'B' then considers 'X' as the next hop to 'A' and forwards all packets meant for 'A' to 'X'. This kind of undesirable situation cannot be prevented by simply using sequence numbers. Although the example presented is specific to AODV [20,21,24], these kinds of attacks are possible on any other routing protocol. There has hardly been any solution to handle the problem of compromised nodes, which is extremely critical for military applications. All these aforementioned issues have been studied in this paper and suitable solutions have been presented.

4. Overview of our approach

External attacks can be prevented by incorporating appropriate authentication and encryption techniques. But factors like a dynamically changing topology, resulting in changing trust relationships, and the lack of centralized control pose a major challenge for key distribution and security schemes. Moreover, nodes of a MANET are deployed in a hostile environment and it may not be possible to prevent nodes from being compromised. We can only attempt to detect the malicious nodes and respond appropriately. In the case of MANETs, it is relatively difficult to identify compromised nodes, as all the protocols are assumed to be cooperative. Since malicious nodes can subvert the routing protocol so that the malicious actions cannot be detected until perhaps severe damage has been done, sometimes the attack is never noted or it may be identified incorrectly as a configuration, network or hardware error.

We have therefore put forth a two-tier solution in this paper as indicated in Fig. 1. The model comprises two systems, an 'external attack prevention system (EAPS)' and an 'internal attack detection and correction system (IADCS)' [1]. The EAPS proactively prevents external attacks by using an authentication scheme that assumes mutual trust among all network nodes. The assumption of mutual trust among network nodes enables ease of key distribution and authentication. The problem of compromised nodes, i.e., internal attacks, is handled by IADCS by having mutual suspicion among the network nodes. In our algorithm, each node actively monitors the routing behavior of its neighbors and analyzes it to detect misbehaving nodes. These attacks are detected and efforts are made to isolate these nodes from performing any cooperative functions as a part of the route discovery and maintenance process.

Fig. 1. Framework for our approach: security issues in the routing protocol (secure route discovery, secure data forwarding) are split into external attacks, handled by the External Attack Prevention System (EAPS), and internal attacks, handled by the Internal Attack Detection and Correction System (IADCS).

Our model is based on the following assumptions:

1. EAPS assumes that the network consists of a group of mutually trusting nodes. This is used for mutual authentication so that no external entity can intrude. If any node is captured or compromised, the assumption would still be valid because the compromised node will be detected and isolated by IADCS.

2. All links between the nodes are bi-directional.

3. Although hosts can get into promiscuous receive mode, they do not make any changes to the route cache, because relying on unauthenticated messages could jeopardize security.

4. The nodes are computationally powerful enough to execute encryption algorithms.

5. Each node has sufficient memory to store information about many other nodes. This is a reasonable assumption because MANETs are expected to be comprised of a few hundred nodes.

6. IADCS assumes that the compromised nodes do not work in a team or collaborate while causing attacks.

7. The number of compromised nodes at any time is a small fraction of the total number of nodes. This is because, if a large number of network nodes were to be compromised, the network would be disrupted by their malicious actions.

Routing in ad hoc networks has been extensively researched. Several routing protocols have been proposed [6,19,24]. Although the issues and our proposed model are applicable to most other routing protocols, we have focused on demand-driven protocols. The protocol chosen for our study and simulation is AODV. The scheme could be modified to adapt to other reactive protocols like DSR [6] as well.

4.1. Brief description of AODV routing protocol

To understand the details of our scheme, a brief description of the AODV routing protocol is provided. In AODV, whenever a route from a source to a destination needs to be found, the route discovery process is initiated by broadcasting route requests from the source, which are propagated through the entire network. When the destination or an intermediate node with a route to the destination receives the route request, it sends back a reply to the initiator of the route request. These control messages that are sent during the route discovery phase are responsible for updating the route tables of the source, destination and all intermediate nodes. They are used by the routing protocol to route the data packets [9,20,21,24]. However, we primarily focus on the strategies to minimize the effect of attacks against these protocols.

4.2. Key distribution technique

In this subsection, we describe the key distribution scheme for our system. These keys are essential for the functioning of EAPS and IADCS. Since these networks do not have a centralized control, management of keys is a challenging issue.

1. Our scheme is based on public key cryptography [23]. The governing authority that creates the network is the only entity that has the system private key, while each node is given a public/private key pair by the authority when the system is initially set up. Each node is also given the system public key.

2. Whenever two nodes interact for the first time, the certified public keys are exchanged. Since the nodes have the system public key, the authenticity of the certificate can be confirmed. The nodes can then mutually authenticate one another using their individual public/private keys.

3. Only the governing authority has the system private key and it is secure. Moreover, this authority can be well protected since it is not mobile like the other nodes.

Once considerable time has elapsed, and if the node mobility is relatively high, each node might need to store the public keys of a large number of nodes, potentially all system nodes. However, this is the worst case and might never occur in actual practice. If it is detected that any of the nodes has been compromised, then a key revocation list containing the keys of the compromised nodes is propagated into the network.

In the subsequent sections, we describe our techniques to handle external and internal attacks.
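As an added illustration of the three steps above (not code from the paper or its ns-2 implementation), the following Go program models the governing authority issuing certified key pairs at setup, a node verifying a peer's certificate with the system public key on first contact, and the handling of a key revocation list. Ed25519 is assumed as the public-key algorithm and the certificate layout is constructed; the paper fixes neither.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certificate binds a node identifier to its public key under the system
// private key.  The layout is a constructed stand-in; the paper fixes none.
type Certificate struct {
	NodeID string
	PubKey ed25519.PublicKey
	SysSig []byte // signature by the governing authority's system key
}

// certBytes is the byte string the authority signs and nodes verify.
func certBytes(id string, pub ed25519.PublicKey) []byte {
	return append([]byte(id+"|"), pub...)
}

func keyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Authority is the governing entity that sets up the network and the only
// holder of the system private key.
type Authority struct {
	SysPub  ed25519.PublicKey
	sysPriv ed25519.PrivateKey
}

func NewAuthority() *Authority {
	pub, priv := keyPair()
	return &Authority{SysPub: pub, sysPriv: priv}
}

// Enroll issues a node its own key pair and a certified public key at setup.
func (a *Authority) Enroll(id string) (Certificate, ed25519.PrivateKey) {
	pub, priv := keyPair()
	sig := ed25519.Sign(a.sysPriv, certBytes(id, pub))
	return Certificate{NodeID: id, PubKey: pub, SysSig: sig}, priv
}

// Node holds the system public key, its own pair and the peers it has met.
type Node struct {
	Cert    Certificate
	priv    ed25519.PrivateKey
	sysPub  ed25519.PublicKey
	Peers   map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewNode(a *Authority, id string) *Node {
	cert, priv := a.Enroll(id)
	return &Node{Cert: cert, priv: priv, sysPub: a.SysPub,
		Peers: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

// AcceptCertificate is the first-contact step: the peer's certificate is
// checked against the system public key before its key is cached.  A
// self-signed or tampered certificate, or a revoked node, is rejected.
func (n *Node) AcceptCertificate(c Certificate) bool {
	if n.revoked[c.NodeID] || len(c.PubKey) != ed25519.PublicKeySize {
		return false
	}
	if !ed25519.Verify(n.sysPub, certBytes(c.NodeID, c.PubKey), c.SysSig) {
		return false
	}
	n.Peers[c.NodeID] = c.PubKey
	return true
}

// ApplyRevocation processes a key revocation list propagated after a node
// has been found compromised: its key is dropped and never re-accepted.
func (n *Node) ApplyRevocation(ids ...string) {
	for _, id := range ids {
		n.revoked[id] = true
		delete(n.Peers, id)
	}
}

// ForgedCertificate models an outsider that makes its own keys and signs its
// own certificate; without the system private key it must fail verification.
func ForgedCertificate(id string) Certificate {
	pub, priv := keyPair()
	return Certificate{NodeID: id, PubKey: pub, SysSig: ed25519.Sign(priv, certBytes(id, pub))}
}

func main() {
	auth := NewAuthority()
	a, b := NewNode(auth, "A"), NewNode(auth, "B")
	fmt.Println("B accepts A:", b.AcceptCertificate(a.Cert))                   // true
	fmt.Println("B accepts outsider:", b.AcceptCertificate(ForgedCertificate("X"))) // false
	b.ApplyRevocation("A")
	fmt.Println("B accepts revoked A:", b.AcceptCertificate(a.Cert)) // false
}
```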

5. External attack prevention system (EAPS)

The EAPS prevents attacks from intruders that do not belong to the network. Prior to presenting our solutions, we would like to define the effect of possible attacks on routing protocols. Route discovery and maintenance involves frequent exchange of control packets. On the other hand, routing of data packets involves forwarding of a packet from one router to another. The routing protocol could be brought down by attacks on either of the two phases. The nature of the attacks may hold good for protocols other than AODV. The external attacks that we have identified are listed below:

* Causing routing table inconsistencies: This would occur if a malicious node impersonates another node and sends false routing updates. False route requests, replies and updates could cause inconsistencies in the routing table. Replay of control messages like route requests, route replies and route errors also has to be taken care of.

* Misrouting of packets: Tampering with control messages could result in incorrect route information. The routing process is adversely affected if the integrity of data is not ensured. For example, if the fields in the route request or reply are modified, the protocol functioning is considerably affected.

* Denial of service: This can be done by generating false broadcast packets like route requests. The network can be flooded with wasteful packets, thereby preventing channel access to rightful users.

5.1. Proposed solution

In order to address the aforementioned attacks, we have proposed an authentication scheme. Whenever the route from a source 'A' to a destination 'B' needs to be found, the route discovery process is initiated. Just like any conventional scheme, route requests are broadcast by the source and propagated through the network. When the destination or an intermediate node with a route to the destination receives the route request, it sends back a route reply to the initiator of the route request. The control messages sent during the route discovery phase are responsible for updating the route tables of the source, the destination and all intermediate nodes. These messages, therefore, must be authenticated before the route tables are modified, so that the route tables do not contain any incorrect information provided by malicious nodes. If such an authentication is performed during the route discovery process, the network becomes overwhelmed with flooding of messages. To address this bottleneck effectively, we propose a scheme wherein authentication is performed between every pair of nodes, and the route table updates at every intermediate node are committed only after a route has been discovered, thereby eliminating the excessive flooding that authentication during the route discovery process would cause, without sacrificing the quality of security.

5.2. EAPS for routing protocol

We explain our scheme with the help of an example shown in Fig. 2, where the edges represent a bi-directional link between the nodes of a MANET. In the example, a route from node A to node D is to be discovered. The arrows show the path along which the route requests propagate. When a node receives a route request from its neighbor it updates the route table entry for the source of the request. The neighbor who sent the request is stored as the next hop for the request source. For example, in the above case, E is stored as the next hop by F for all messages intended for A. When destination D receives the request it sends back a reply to the first request it receives. Nodes J and F reply to the request as they are assumed to have in their table an entry for node D from earlier route discoveries. The reply paths are as shown in Fig. 3.

When the route replies are received at node A, all the intermediate nodes update the route table entry for the destination (D in the example). This is similar to the route table updating done during propagation of requests, except that it is performed for the reverse direction. Since the route tables are updated by route requests as well as route replies, all the nodes that send and receive these messages must mutually authenticate one another. This will ensure the correctness of information present in the route table. For strong authentication between nodes, challenges have to be sent back and forth for each of these messages. Every packet carrying control data would result in at least two more packet exchanges between each pair of nodes. This packet overhead would be extremely high for route requests because the network is flooded with the requests. Moreover these requests are broadcast packets. Therefore, authentication needs to be performed between one sender and several receivers. This results in convergence of packets towards a single node, causing excessive collisions. We have therefore adopted a different approach that handles these issues and also keeps the overheads substantially low.

Fig. 2. Example of route request propagation in ad hoc networks (nodes A to M).

Fig. 3. Example of route reply in ad hoc networks (nodes A to M).

In our scheme, we do not perform strong authentication during propagation of route requests. The integrity of the route requests is ensured by making use of message authentication codes. The hash of the message is computed and then encrypted with the sender's private key for authentication. The HMAC algorithm [16] is used in conjunction with MD5 for this purpose. When the neighbors receive the route request, the validity of the node is verified using the sender's public key. Even though a message authentication code is used, the updated entry is marked as unauthenticated. This is primarily because a message authentication code can only check for integrity, but cannot prevent the replay problem. It may be noted that unauthenticated routes may be used ONLY for sending insensitive data similar to route requests. Once the path has been established, strong authentication is performed between ALL adjacent pairs that transmit route replies. For example, Fig. 4 gives the exchange of information between two neighbors for strong authentication.

A node sends a pre-reply to inform its neighbor that it wishes to send a reply. The pre-reply has a field that contains a random challenge string for the neighbor. The neighbor that receives the pre-reply generates a new challenge and sends it to the node that sent the pre-reply. It also appends to the challenge the string obtained by encrypting the received challenge with its private key. If the two neighbors do not know each other's public key, i.e., if they are interacting for the first time, the certified public keys are also exchanged. The challenges are small in size to keep the overhead low. If an authentication fails during the route request, the packet is dropped. If an intruder is detected during the strong authentication of the reply, the path established by the reply is purged.

Fig. 4. Three-way communication during route reply:
(1) Pre-Reply + challenge1
(2) Encrypt(challenge1) + challenge2
(3) Reply + Encrypt(challenge2)

Since the replies are authenticated, these routes are valid and can be used for sending data packets. When the authenticated reply is received, the route table entry for the source, initially marked as unauthenticated, is now marked as valid. Therefore, all intermediate nodes in the reply path have a valid route to the source too. The nodes that are not in the reply paths (nodes K, H, L, G, M in our example) have unauthenticated route entries for the source (A in our example). If they need to use the unauthenticated routes to send critical data, they would send a unicast route request along the unauthenticated route to confirm its validity. Since the request is not flooded, there is a considerable reduction in the packet overhead. This is shown in Fig. 5 where node M needs to send data to node A. If authentication along the reply path fails, it implies that the request that was sent is an invalid one. Therefore, the modifications made in the route tables of intermediate nodes in the reply path due to the propagation of the reply packet are purged. In order to achieve this, a control packet called Purgereplyroute is sent by the node that discovers the attack.

Fig. 5. Route request unicast along unauthenticated route.

The third kind of control message is the route error message. This error message is sent whenever a node detects a break in the link with its neighbor. It is sent to all neighbors that use the link for routing. The break in the link is detected using the MAC layer. We have not used hello messages because this by itself is an overhead and authentication of these messages would result in a huge packet overhead. The route error messages need to be authenticated too because they affect the routing table. The overhead due to this authentication is, at best, marginal because in a network with moderate mobility, the number of route error packets sent is very small. Moreover, the error messages propagate over very small distances, i.e., a few hops. As they have negligible effect on the results, we have therefore ignored it and have used message authentication codes for them as well. We simulated our scheme using the ns-2 simulator. The details of our simulation and results obtained are presented in the Experiments and results section.
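The request and reply handling of EAPS described in this section, as an added example in Go that is not the authors' code: route requests carry a per-hop code checked with the sender's public key and install only unauthenticated entries, while the three-way pre-reply/challenge exchange of Fig. 4 confirms entries or purges the route when the reply's sender cannot answer the challenge. It assumes Ed25519 signatures as the stand-in for the paper's HMAC/MD5 digest encrypted under the private key, and that certified public keys have already been exchanged between neighbors.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// RouteEntry carries the paper's marking: unauthenticated from a request,
// authenticated once a strongly authenticated reply has confirmed it.
type RouteEntry struct {
	NextHop       string
	Authenticated bool
}

type Node struct {
	ID    string
	priv  ed25519.PrivateKey
	pub   ed25519.PublicKey
	Peers map[string]ed25519.PublicKey // certified keys already exchanged (assumed)
	Table map[string]RouteEntry        // destination -> entry
}

func NewNode(id string) *Node {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if the OS RNG does
	return &Node{ID: id, priv: priv, pub: pub,
		Peers: map[string]ed25519.PublicKey{}, Table: map[string]RouteEntry{}}
}

// Introduce stands in for the certificate exchange on first contact.
func Introduce(a, b *Node) { a.Peers[b.ID], b.Peers[a.ID] = b.pub, a.pub }

// RouteRequest is re-signed by each forwarding node; the ed25519 signature over
// the request bytes stands in for the paper's HMAC/MD5 digest encrypted with
// the sender's private key.
type RouteRequest struct {
	Src, Dst string
	ReqID    uint32
	Sender   string // neighbor that transmitted this copy
	Sig      []byte
}

func (r RouteRequest) bytes() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%s", r.Src, r.Dst, r.ReqID, r.Sender))
}

func (n *Node) SignRequest(r RouteRequest) RouteRequest {
	r.Sender = n.ID
	r.Sig = ed25519.Sign(n.priv, r.bytes())
	return r
}

// ReceiveRequest checks the code with the sender's public key.  A valid request
// installs an UNAUTHENTICATED reverse route to Src via the sender (the code
// proves integrity, not freshness); a bad code or unknown sender is dropped.
func (n *Node) ReceiveRequest(r RouteRequest) bool {
	pk, known := n.Peers[r.Sender]
	if !known || !ed25519.Verify(pk, r.bytes(), r.Sig) {
		return false
	}
	n.Table[r.Src] = RouteEntry{NextHop: r.Sender, Authenticated: false}
	return true
}

// verify tolerates a missing key (peer never introduced) instead of panicking.
func verify(pk ed25519.PublicKey, msg, sig []byte) bool {
	return len(pk) == ed25519.PublicKeySize && ed25519.Verify(pk, msg, sig)
}

// AuthenticateReply runs the Fig. 4 exchange between the node sending a reply
// (replier) and its downstream neighbor nb.  On success nb installs an
// authenticated route to dst and confirms the reverse route to src learned
// from the request; on failure the route the reply would establish is purged.
func AuthenticateReply(replier, nb *Node, src, dst string) bool {
	c1, c2 := make([]byte, 16), make([]byte, 16) // small random challenge strings
	rand.Read(c1)
	rand.Read(c2)
	// 1. pre-reply + challenge1 (replier -> nb); 2. nb answers with
	//    Encrypt(challenge1) + challenge2, which replier checks.
	if !verify(replier.Peers[nb.ID], c1, ed25519.Sign(nb.priv, c1)) {
		return false
	}
	// 3. reply + Encrypt(challenge2) (replier -> nb), checked by nb.
	if !verify(nb.Peers[replier.ID], c2, ed25519.Sign(replier.priv, c2)) {
		delete(nb.Table, dst) // intruder detected: purge the reply's route
		return false
	}
	nb.Table[dst] = RouteEntry{NextHop: replier.ID, Authenticated: true}
	if e, ok := nb.Table[src]; ok {
		e.Authenticated = true
		nb.Table[src] = e
	}
	return true
}

func main() {
	a, e, d := NewNode("A"), NewNode("E"), NewNode("D")
	Introduce(a, e)
	Introduce(e, d)
	e.ReceiveRequest(a.SignRequest(RouteRequest{Src: "A", Dst: "D", ReqID: 1}))
	fmt.Println(AuthenticateReply(d, e, "A", "D"), e.Table) // true map[A:{A true} D:{D true}]
}
```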

6. Internal attack detection and correction system (IADCS)

In this section we identify possible internal attacks forAODV protocol and have presented details of IADCS.The compromised nodes could cause sufficient damageby merely not cooperating. The types of maliciousactivities depend on the functioning of the protocol. Wehave identified possible kinds of node misbehavior forthe AODV protocol. Some of these attacks aredeterministic and can be detected by IADCS. Thenon-deterministic attacks can only be identified afterthorough analysis of the traffic patterns and is beyondthe scope of this work. The assumption here is that thecompromised node works alone, without the aid of anyother network node, i.e. the nodes do not work in teams.Although, in reality, it is possible that the nodes teamup, we consider our work to be an initial step towardsdetecting compromised node. Following are the internalattacks handled by IADCS:

* Generation of false messages: This could be done by generating false control messages like route requests. It is extremely difficult to differentiate between a misbehaving node and a node that genuinely needs to establish routes to many other nodes.

* Tampering of data: The integrity of certain parameters that change from hop to hop cannot be ensured by using message authentication codes (MAC). A compromised node could tamper with such information and cause havoc in the network.

* Not forwarding packets: Not forwarding data/control packets could cause considerable damage, and packets might never reach the rightful destination. Path discovery is always costly, and certain nodes may never find routes to some nodes.

* Sending false replies: An intermediate node that does not have a route to the destination can falsely reply, thereby causing discovery of wrong routes.

* Forwarding packets to incorrect nodes: If a packet is forwarded to an incorrect node, the packet may either never reach the destination or the path it takes may be a very expensive one. In both cases, the damage could be excessive and could be a serious threat to security.

* Refusal to cooperate as defined by the protocol: A node could refuse to cooperate and thereby cause harm. One example is refusal to send route replies on receipt of route requests. This could result in unnecessary retransmissions.

There could be many other possible attacks. We have analyzed the aforementioned kinds of misbehavior.

6.1. IADCS implementation

The sequence of actions for IADCS is shown in Fig. 6. Each node has an agent that takes advantage of its neighborhood knowledge to detect misbehavior of its neighbors. When the misbehavior threshold for a particular node has been reached, the agent sends out this information to other nodes, reporting its findings about the misbehaving node. Each of the neighbors who receive it could add their own reports to the initiator's report. All the network nodes would now have a report from the misbehaving node's neighbors and could make a fairly confident decision. Nodes that are confident about the malicious nature of a particular node can avoid using it for all subsequent network functions. Our approach is based on the model presented by Yonguang Zhang and Wenke Lee [27]. We have implemented the detecting agent for each node by incorporating it as a part of AODV. We aggregate local information to isolate the malicious node from further network functions.

Fig. 6. Sequence of events in IADCS. [Flowchart not reproduced; its steps are: study of local data; analyze data to determine possible internal attacks; detection > threshold? (yes/no); propagate results; response to attack.]

6.2. Local detection agent

The local agent is present at all the nodes to constantly monitor and analyze the behavior of its neighbors to determine if any neighbor has been compromised. For many of our solutions we need two-hop information. We have therefore modified the protocol so that two-hop information is maintained at each node for each route. The agent handles each of the attacks as follows:

* Generating false route requests to flood the network: A node might generate frequent, unnecessary route requests. A node generates a route request whenever it has data to be sent to a particular destination. The node's neighbor that sent the reply waits for the data to be sent. If the data is not sent within a timeout interval t_wait, this can be treated as abnormal behavior and the misbehavior count for the node is incremented by its neighbor. If the node gets multiple replies, only one of the routes is chosen. The neighbors through whom the other replies were routed would not know whether they should be expecting data. The originator of the request resolves this by selecting a path based on metrics like hop count and sequence number, and its neighbors are informed that it will be sending data through another node. As proof, in the form of a signed message from its neighbor, a reply acknowledgment packet is sent to the source, indicating that the neighbor knows that the source node is transmitting data through another node. Each node periodically checks the table that contains the list of nodes from which it expects data. If the timer expires, the node becomes a suspected node. A count of such deviations from normalcy is maintained for each node. If this exceeds a pre-specified threshold, the node is considered a compromised node.

* Generating false route replies to cause inconsistencies in routing tables: If a false route reply is received, the receiving node checks whether it sent a route request; if not, it just drops the packet and increments the misbehavior count. If a request was sent and the reply was forged, the previous node along the path would not have put in the information that it should have put in for verification. All replies contain information from the previous hop and the node prior to it. This verification information is used for other cases too. Replies received earlier cannot be replayed, as the ids wouldn't match.

* Sending false replies: Whenever a node finds a route to a particular destination, it also records the message authentication code (MAC) from the packet received. This is then sent whenever an intermediate node replies, as it can be used to verify that the node indeed has a route to the destination node.

* Tampering of data like hop count/TTL: Data like hop count and time-to-live (TTL) vary from hop to hop and can be tampered with by an intermediate node. We again make use of two-hop information. The node prior to the previous node adds the hash received from the previous node. Therefore, a node receiving a packet also knows the hash that it should be receiving.

* Forwarding packets to incorrect nodes: If two-hop information is on the packet, the node receiving the packet knows whether it is the rightful receiver.

* Not forwarding packets: As suggested in the paper by Marti and Baker [17], every node promiscuously listens to check whether the succeeding node forwards the data packet. This helps in identifying malicious nodes.

6.3. Response to local detection

When a node discovers that another has been compromised, it propagates this information to the entire network. If any other node suspects the node that has been reported as compromised, it also reports its suspicion to nearby neighbors. If two or more nodes report a particular node, that node is isolated from the network. All nodes that have a route through the compromised node need to look for alternate routes. All packets received from the compromised node are dropped. We have incorporated all the aforementioned functionalities into the routing protocol and observed the performance of the protocol as well as the precision of detection. The results are presented in the experiments section.
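As an added illustration of the local agent of Section 6.2 and the response of Section 6.3 (example code written for this page, not the authors' ns-2 implementation), the following Python model keeps per-neighbor expected-data timers, drops and counts unsolicited route replies, watches whether a neighbor forwards packets it was handed, reports a neighbor once its misbehavior count reaches a threshold, and isolates a node once two distinct nodes report it. The timeout, threshold, node names and event trace are constructed assumptions.

```python
"""Toy model of the IADCS local agent (Section 6.2) and response (6.3).
Added example, not the authors' ns-2 code; names, timeouts, threshold and
the event trace are constructed assumptions, the rules are the paper's."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LocalAgent:
    me: str
    t_wait: float = 2.0    # assumed data timeout after relaying a reply
    threshold: int = 3     # assumed misbehavior threshold
    misbehavior: dict = field(default_factory=lambda: defaultdict(int))
    expecting: dict = field(default_factory=dict)     # source -> deadline
    pending_reqs: set = field(default_factory=set)    # destinations we asked for
    watched: dict = field(default_factory=dict)       # (next_hop, pkt) -> deadline
    reported: set = field(default_factory=set)

    def relayed_reply(self, source, now):
        """We forwarded a route reply toward `source`; expect its data."""
        self.expecting[source] = now + self.t_wait

    def stop_expecting(self, source):
        """Data arrived, or the source's reply-ack says it uses another path."""
        self.expecting.pop(source, None)

    def sent_request(self, dest):
        self.pending_reqs.add(dest)

    def route_reply(self, from_node, dest):
        """Accept a reply only if we have an outstanding request for `dest`."""
        if dest in self.pending_reqs:
            self.pending_reqs.discard(dest)
            return True
        self._count(from_node)   # unsolicited reply: drop it and count it
        return False

    def handed_packet(self, next_hop, pkt_id, now):
        """Watchdog: we gave `next_hop` a packet and expect to overhear it."""
        self.watched[(next_hop, pkt_id)] = now + self.t_wait

    def overheard(self, next_hop, pkt_id):
        self.watched.pop((next_hop, pkt_id), None)

    def tick(self, now):
        """Expire timers; return nodes newly reported as compromised."""
        for src, deadline in list(self.expecting.items()):
            if now >= deadline:                # no data after t_wait
                del self.expecting[src]
                self._count(src)
        for key, deadline in list(self.watched.items()):
            if now >= deadline:                # packet never forwarded
                del self.watched[key]
                self._count(key[0])
        new = [n for n, c in self.misbehavior.items()
               if c >= self.threshold and n not in self.reported]
        self.reported.update(new)
        return new

    def _count(self, node):
        self.misbehavior[node] += 1


class NetworkResponse:
    """Collects reports; isolates a node once two distinct nodes report it."""
    def __init__(self, min_reports=2):
        self.min_reports = min_reports
        self.reports = defaultdict(set)
        self.isolated = set()

    def report(self, reporter, suspect):
        self.reports[suspect].add(reporter)
        if len(self.reports[suspect]) >= self.min_reports:
            self.isolated.add(suspect)
        return suspect in self.isolated


def run_scenario():
    """Constructed trace: M floods route requests and never sends data, G sends
    its data, H drops one packet; B and C both report M, so M is isolated."""
    b, c, net = LocalAgent("B"), LocalAgent("C"), NetworkResponse()
    b.handed_packet("H", pkt_id=1, now=0.0)
    for t in range(3):
        for agent in (b, c):
            agent.relayed_reply("M", now=10.0 * t)
            agent.relayed_reply("G", now=10.0 * t)
            agent.stop_expecting("G")               # G really sends data
            for suspect in agent.tick(now=10.0 * t + 5.0):
                net.report(agent.me, suspect)
    c.sent_request("D")
    return {"isolated": sorted(net.isolated),
            "counts_b": dict(b.misbehavior),
            "solicited": c.route_reply("M", "D"),
            "unsolicited": c.route_reply("M", "Z")}
```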

7. Simulation and performance enhancements

We have used the ns-2 simulator [10] for our implementation. IEEE 802.11 [26] is used for the MAC layer. The AODV protocol simulation is available as a part of the simulator. We have incorporated EAPS and IADCS into the simulator. We used UDP as the transport protocol for our simulation.

7.1. Traffic and mobility models

Traffic sources used are constant-bit-rate (CBR). The traffic files have been generated such that the source and destination pairs are randomly spread over the entire network. The rate of packet generation and the number of sources are varied to get different data rates and traffic patterns. Each data packet is 512 bytes long.


The scenario files determine the mobility of the nodes. These scenario files have been generated using the scene generator of the simulator. The mobility model uses the random waypoint [7] model in a rectangular field of 1500 m × 300 m with 50 nodes. These nodes move from a random starting point to a random destination with a speed that is randomly chosen (the speed is uniformly distributed between 0–20 m/s). Once the destination is reached, another random destination is targeted after a pause time. The pause times are varied to change the mobility of the nodes. A pause time of 0 s indicates maximum mobility. Each simulation is performed for 900 s. The simulation has been performed for the AODV protocol with our security scheme as well as for the original AODV protocol under similar conditions. The results for both cases have been observed and compared.

7.2. Performance metrics

We used the following metrics to evaluate the performance of our scheme:

* Packet delivery fraction: This is the ratio of CBR packets delivered to those generated and is the measured throughput.

* Routing overhead: The number of routing packets transmitted per data packet. Each hop of a routing packet is treated as a packet. We have used the normalized routing load for our comparison, which is the ratio of routing packets to data packets.

* Average end-to-end delay: This is the average of the delays of all packets successfully transmitted.

* Number of data packets dropped: This represents the number of data packets dropped in both cases. This is an important parameter because if the drops increase, the throughput would decrease.

For the IADCS, we observe the system performance in the presence of compromised nodes and measure the performance enhancements due to our proposed strategies. We also observed the precision of our anticipated security measures. The metrics mentioned above are important determinants of network performance and are used to observe the enhancements provided by our scheme. We have done this study to illustrate that our scheme works for many security issues in the routing protocol without causing any substantial degradation in network performance.

7.3. Performance results

In the following paragraphs, we present the results obtained for our test cases performed for EAPS and IADCS.

7.3.1. EAPS simulation results

We have observed the effect of our scheme on the network by varying the data rate and the mobility. We performed simulations [9] for a network of 50 nodes with 10 data sources. The simulation has been carried out for 900 s.

Varying mobility: The mobility of the nodes is changed by varying pause times from 0 to 900 s in steps of 100 s. The data rate is maintained constant at 4 packets/s. The graphs in Fig. 7 compare the performance of the original routing protocol and that of AODV with EAPS. We observe from Fig. 7 that the routing load increases slightly due to the incorporation of security. It also shows how our scheme affects the packet delivery fraction and end-to-end delay. The packet delivery fraction is marginally reduced.

Varying load: We have performed experiments for networks with 50 nodes. The number of data sources has still been maintained at 10. We have chosen the highest mobility for our simulation by setting the pause time to 0 s, with the intention of carrying out the tests under the most challenging conditions. The offered load is varied by changing the rate at which the source sends packets. Test cases have been executed for data rates ranging from 20 packets/s to 4 packets/s. Each packet is 512 bytes long. Therefore, the offered load varies from 819 kbits/s to 10 kbits/s. The graphs in Fig. 8 compare the network performance for different load conditions using the two routing protocols, the original AODV and AODV with our security scheme incorporated. The graphs show that the overhead in terms of routing load is very low. The effect on throughput, which is measured as the packet delivery fraction, is negligible. There is a small increase in the end-to-end delay, and this is due to the exchange of packets during the authentication step of the security process.

7.3.2. Evaluation of results

In this subsection we discuss the significance of the results that we have presented.

* Routing load: The number of packets needed for routing increases when our scheme is incorporated. This is expected, as the authentication of route reply packets involves the exchange of additional packets. We have brought down the packet overhead by restricting authentication to route replies alone. The increase in routing load is higher at larger mobilities and smaller for lower mobilities. This is because at higher mobilities routes need to be found more frequently, and therefore an increased number of authentications are needed. The difference in the routing overhead for the routing protocol with and without authentication is substantially low for higher data rates. In summary, varying data rates does not significantly affect the authentication overhead, as it does not require any additional route discoveries.

* Packet delivery fraction: This is a measure of the network throughput. For most mobilities, the throughput achieved after incorporation of our scheme is slightly lower (up to 2%). As the number of routing packets increases, the relative number of data packets reaching the destination decreases. Again, varying the data rates does not affect the packet delivery fraction significantly.

* Average end-to-end delay: This is the average of the delays of all data packets. Only the delays of the data packets that wait for route discovery increase, whereas the delays of all other data packets are unaffected. Therefore, the increase in end-to-end delay is fairly low.

7.3.3. IADCS simulation results

We performed simulations with the IADCS incorporated into AODV. We studied the impact of IADCS on AODV by examining the protocol performance under normal conditions, i.e., without any compromised nodes. This is to ensure that routing is not adversely affected by our proposed strategies. The aforementioned performance metrics are used for this purpose.

Fig. 8. Comparison for a network with 50 nodes and 10 data sources obtained by varying offered load (with and without EAPS). [Plots not reproduced; panels: Normalized Routing Load vs Data Rates, Packet Delivery Fraction vs Data Rates, and Average end-to-end delay vs data rates, each with data rate (kbits/s, 0–900) on the x-axis and curves with and without authentication.]

Fig. 7. Comparison of routing load and throughput in a network with 50 nodes and 10 data sources obtained by varying pause times (with and without EAPS). [Plots not reproduced; panels: Normalized Routing Load vs Pause Times, Packet Delivery Fraction vs Pause Time, and Average end-to-end delay vs pause times, each with pause time (s, 0–900) on the x-axis and curves with and without authentication.]

We also observed the performance of our scheme in the presence of compromised nodes. Some of the network nodes are made to misbehave. These nodes are chosen randomly. The number of compromised nodes is varied for a particular mobility and data rate. A pause time of 300 s is used for the simulations. The simulation is performed with the malicious nodes for the AODV protocol with our detection scheme incorporated and for the original AODV. The results for both cases have been observed. We used the following metrics to evaluate the performance of our scheme.

* Load including spurious packets generated: This includes all the false control messages generated. Therefore the routing load increases due to compromised nodes. We have observed the effect of detection and response on the routing load.

* Packet delivery fraction: We have also studied the effect of our scheme on the throughput. This is the ratio of the number of CBR packets successfully delivered to the number generated.

* Accuracy of detection: For all our simulations we also observed the accuracy of our detection scheme.

We have varied the mobility by varying the pause time from 0 to 1200 s. Fig. 9 shows the results obtained from our simulations. We have varied the number of malicious nodes and measured the aforementioned parameters. Fig. 10 shows the comparisons of normalized routing load and throughput for AODV with our scheme and the original AODV. The number of malicious nodes is varied from 0% to 12%.

7.3.4. Evaluation of IADCS results

In this subsection, we analyze the results that we have obtained for IADCS.

Network performance without misbehaving nodes: The results from the simulations without any malicious nodes show that there is a small overhead due to secure routing. The activities of neighbor monitoring and subsequent analysis are the cause of the overhead incurred.

Network performance with misbehaving nodes. Routing load: The routing load decreases considerably with the incorporation of our scheme. This is primarily because the malicious nodes generate spurious messages. Our scheme detects these nodes and isolates them from the network. Therefore, there is a considerable decrease in control messages.

Throughput: The throughput is affected to a negligible extent. A marginal decrease is due to the isolation of nodes that were participating in routing. If the spurious messages are numerous enough to affect the throughput, our scheme provides an improvement in throughput, because incorporating our scheme removes the effect of the compromised nodes.

Accuracy of predictions: Detection of malicious nodes is observed to be very accurate for all the cases, and no other nodes have been wrongly accused of misbehaving. The predictions made by IADCS have less than 5% error. Although we performed an adequate number of simulations, the results definitely indicate the trend in enhancing the performance of the network in the presence of compromised nodes.

Fig. 9. Comparison of routing load, throughput and average end-to-end delay in a network with 50 nodes and 10 data sources obtained by varying pause times (with and without IADCS). [Plots not reproduced; panels: Normalized Routing Load vs Pause time, Packet delivery fraction vs Pause time, and Average End-to-end delay vs pause time, each with pause time (s, 0–1200) on the x-axis and curves with and without detection.]

8. Conclusions

We have proposed a security architecture for routing protocols that pro-actively prevents external attacks and also detects the presence of compromised nodes. The attacks and the presented solutions have been targeted at on-demand routing protocols, specifically AODV. The scheme ensures authentication and integrity of control messages, and the key management required for this purpose is also done without involving any significant overhead. The results of our implementation show that the overhead caused by our scheme is marginal, while it is ascertained that the system withstands attacks from numerous types of security breakers.

The IADCS system is a good start, but is rather a primitive detection system that may be inadequate for cases when several nodes work as a team to bring down the system. Several types of misbehavior have been identified, and means to detect them by observing the patterns of control messages have been proposed. In order to have an absolutely reliable detection system, we would probably need more formal techniques like neural network classifiers. Extensive research has been done in this area for mobile phone operations [5,18]. We propose to focus on these aspects for MANETs in future. This would help to improve our current system.

Fig. 10. Comparison of routing load (including spurious packets) and throughput in a network with 50 nodes and 10 data sources obtained by varying the number of malicious nodes (with and without IADCS). [Plots not reproduced; panels: Load (including spurious packets) vs # Compromised nodes and Packet Delivery Fraction vs # Compromised Nodes, each with % compromised nodes (0–12) on the x-axis and curves with and without detection.]

References

[1] D.P. Agrawal, L. Venkataraman, Authentication scheme for ad hoc and sensor wireless networks, November 2000, Patent disclosure filed by the University of Cincinnati, file number 100-060.

[2] W.A. Arbaugh, N. Shankar, J. Wang, Your 802.11 network has no clothes, http://www.cs.umd.edu/waa/wireless.pdf, December 2001.

[3] J. Binkley, Authenticated ad hoc routing at the link layer for mobile systems, http://citeseer.nj.nec.com/cachedpage/121413/1.

[4] N. Borisov, I. Goldberg, D. Wagner, Intercepting mobile communications: the insecurity of 802.11, in: Seventh Annual International Conference on Mobile Computing and Networking, 2000, pp. 180–188.

[5] A. Boukerche, M.S.M. Notare, Neural fraud detection in mobile phone operations, in: Fourth IEEE BioSP3, Bio-Inspired Solutions to Parallel Processing, May 2000, pp. 636–644.

[6] J. Broch, D.B. Johnson, D.A. Maltz, The dynamic source routing protocol for mobile ad hoc networks, http://www.monarch.cs.cmu.edu/internet-drafts/draft-ietf-manet-dsr-02.txt, June 1999.

[7] J. Broch, D.A. Maltz, D.B. Johnson, Y-C. Hu, J. Jetcheva, A performance comparison of multi-hop wireless ad hoc network routing protocols, in: Proceedings of the Fourth International Conference on Mobile Computing and Networking (ACM MOBICOM'98), October 1998, pp. 85–97.

[8] S. Corson, J. Macker, Mobile ad hoc networking (manet): routing protocol performance issues and evaluation considerations, http://www.sunsite.dk/RFC/rfc/rfc2501.html.

[9] S.R. Das, C.E. Perkins, E.M. Royer, Performance comparison of two on-demand routing protocols for ad hoc networks, in: IEEE Conference on Computer Communications (INFOCOM), March 2000, pp. 3–12.

[10] K. Fall, K. Varadhan (Kannan), ns Notes and documentation, http://www-mash.cs.berkely.edu/ns/, 1999.

[11] N. Haller, R. Atkinson, On internet authentication, http://www.sunsite.dk/RFC/rfc/rfc1704.html, October 1994.

[12] S. Jacobs, M.S. Corson, Manet authentication architecture, http://www.ietf.org/internet-drafts/draft-jacobs-imep-auth-arch-00.txt, August 1998.

[13] V. Karpijoki, Signalling and routing security in mobile and ad-hoc networks, http://www.hut.fi/vkarpijo/iwork00/, May 2000.

[14] S. Kent, R. Atkinson, Security architecture for the internet protocol, http://www.sunsite.dk/RFC/rfc/rfc2401.html, November 1998.

[15] S. Kent, R. Atkinson, IP authentication header, http://www.sunsite.dk/RFC/rfc/rfc2402.html, November 1998.

[16] C. Madson, R. Glenn, The use of HMAC-MD5-96 within ESP and AH, http://www.sunsite.dk/RFC/rfc/rfc2403.html, November 1998.

[17] S. Marti, T.J. Giuli, K. Lai, M. Baker, Mitigating routing misbehavior in mobile ad hoc networks, in: Sixth International Conference on Mobile Computing and Networking (MOBICOM'00), August 2000, pp. 255–265.

[18] M.S.M. Notare, A. Boukerche, F. Cruz, B. Risco, C. Westphall, Security management against cloning mobile phones, in: IEEE Globecom, pp. 969–973.

[19] C.E. Perkins, P. Bhagwat, Highly dynamic destination-sequenced distance vector routing (DSDV) for mobile computers, in: Proceedings of the ACM SIGCOMM 94, October 1994, pp. 234–244.

[20] C.E. Perkins, S.R. Das, E. Royer, Ad-hoc on-demand distance vector (AODV) routing, http://www.ietf.org/internet-drafts/draft-ietf-manet-aodv-05.txt, March 2000.

[21] C.E. Perkins, E. Royer, Ad-hoc on-demand distance vector routing, in: Second IEEE Workshop on Mobile Computing Systems and Applications, February 1999, pp. 90–100.

[22] E.M. Royer, C.K. Toh, A review of current routing protocols for ad hoc mobile wireless networks, IEEE Personal Comm. 6 (1999) 46–55.

[23] W. Stallings, Cryptography and Network Security: Principles and Practice, 2nd Edition, Prentice-Hall, Englewood Cliffs, NJ, 1999.

[24] I. Stojmenovic, Handbook of Wireless Network and Mobile Computing, Wiley, New York, 2002.

[25] L. Venkatraman, D.P. Agrawal, A novel authentication in ad hoc networks, in: Proceedings of the Second IEEE Wireless Communications and Networking Conference, Chicago, September 2000.

[26] Wireless LAN medium access control (MAC) and physical layer (PHY) specifications, IEEE Standard 802.11-1997, 1997.

[27] Y. Zhang, W. Lee, Intrusion detection in wireless ad-hoc networks, in: Sixth International Conference on Mobile Computing and Networking (MOBICOM'00), August 2000, pp. 275–283.

[28] L. Zhou, Z.J. Haas, Securing ad hoc networks, IEEE Network Mag. 13 (November/December 1999) 24–30.

Lakshmi Venkatraman has completed a Master of Science in computer science from the Department of Electrical & Computer Engineering and Computer Science, University of Cincinnati, OH. Her master's thesis was focussed on security for mobile ad hoc networks, specifically on issues pertaining to the routing protocol. She was a student of Prof. Dharma P. Agrawal, the Ohio Board of Regents Distinguished Professor of computer science and computer engineering. She has been actively involved in helping Prof. Agrawal organize workshops, seminars and tutorials in the University.

She is currently employed at Bosch Research and Technology Center, and is looking into the feasibility of using Bluetooth for fairly large ad hoc networks.

Dharma P. Agrawal is the Ohio Board of Regents Distinguished Professor of computer science and computer engineering and the founding director of the Center for Distributed and Mobile Computing in the Department of Electrical & Computer Engineering and Computer Science, University of Cincinnati, OH. He has been a faculty member at N.C. State University, Raleigh, NC (1982–1998) and Wayne State University, Detroit (1977–1982). His recent research interests include energy efficient routing, information retrieval, and secured communication in ad hoc and sensor networks, effective handoff handling and multicasting in integrated wireless networks, interference analysis in piconets and routing in scatternets, use of directional antennas for enhanced QoS, scheduling of periodic real-time applications and automatic load balancing in heterogeneous workstation environments. He has published over 300 papers and has four approved patents.

He has edited a tutorial text on Advanced computer architecture (IEEE Computer Society Press, Los Alamitos, CA, 1986), co-edited texts entitled Distributed computing network reliability and Advances in distributed system reliability (IEEE Computer Society Press, Los Alamitos, CA, 1990), and a self study guide on Parallel processing (IEEE Press, New York, 1991), and his new text book on Introduction to wireless and mobile systems is to be published by Brooks/Cole in August 2002.

Dr. Agrawal is an editor for the Journal of Parallel and Distributed Systems and the International Journal of High Speed Computing. He has served as an editor of the IEEE Computer magazine and the IEEE Transactions on Computers. He has been the Program Chair and General Chair for numerous international conferences and meetings. He has received numerous certificates and awards from the IEEE Computer Society. He was selected for the "Third Millennium Medal" by the IEEE for his outstanding contributions. He has also delivered keynote speeches for five international conferences. Four of his patents in the wireless networking area have also been approved recently. He has also been a Computer Science Accreditation Board visitor, an ABET team visitor and a Fellow of the IEEE and a Fellow of the ACM.