An Efficient Scheme for Detecting Malicious Nodes in Mobile Ad Hoc Networks

December 1, 2006

Jong Oh Choi
Department of Computer Science, Yonsei University


Contents

• Motivation / Introduction
• Related works
• Proposed scheme: efficient scheme for detecting malicious nodes in mobile ad hoc network
• Scenarios
  - Case 1: A malicious node drops data
  - Case 2: A malicious node modifies data
  - Case 3: Disguise of another node (false report)
  - Case 4: Another node → temporary false report
  - Case 5: Normal node → malicious node (false report)
• Apply to AODV-based proposed scheme
• Environments for performance evaluation
• Conclusions


Motivation

• MANET
  - Work has focused on wireless channel access
  - Multi-hop routing is based on the assumption that network elements operate in a friendly and cooperative environment.
• Actual network environment
  - Malicious nodes and uncooperative situations may occur in a MANET
  - There is a growing need for a security scheme that guarantees secure communication between mobile nodes
• In this paper
  - We propose a scheme capable of effectively detecting a malicious node that operates normally during route determination over the MANET


Introduction

• MANET (challenges to security design)
  · Open peer-to-peer network architecture
  · Wireless medium share
  · Stringent resource constraints
  · Highly dynamic network topology
  · Battlefield, emergency, conference

  Vulnerable and critical to attack.
  Attacks must be prevented, detected and reacted to as soon as possible!

• Two approaches to protect MANET
  - Proactive: prevention (secure routing)
  - Reactive: detection and reaction (secure packet forwarding)


Introduction

• Two approaches to protect the MANET
  - Proactive: a malicious node is detected and excluded from the network so that a route is determined using only friendly and cooperative nodes
  - Reactive: when an attacker compromises the MANET, the malicious node is detected and excluded from the network
• In this paper: reactive method
• In existing studies
  - The focus is on detecting a node that maliciously drops or modifies data
  - No method is provided for identifying a malicious node that makes a false report about a normal node
• In this paper
  - We propose a scheme that not only identifies a malicious node that drops or modifies packets, using a reporting table storing previous report lists, but also detects a malicious node that makes a false report about a normal node, thus degrading network performance.


Related works

• Attacks on routing
  - All actions that prevent routing information from being transmitted according to the routing scheme for MANET
  - DSR: modify the source route in the RREQ and RREP
    · Deleting a node, appending a node, switching the order
  - AODV: advertise false routing information
    · Smaller distance metric, larger sequence number
• As a result
  - Network traffic is attracted to a certain destination (under the attackers' control)
  - Non-optimal or non-existent routes
  - Routing loops, congestion, partitions in the network


Algorithms for detecting malicious nodes in MANET

• Proposed algorithm
  - A method of detecting a malicious node that falsely reports a normal node, using a report table listing reporter and suspect.

[Figure: data is forwarded along the route S → A → B → C → D while nodes overhear the next hop's transmission; node C drops the data and node B sends a report. Neighboring nodes E, F, G and H are also shown. Each node (Node A, B, …) holds a report table with columns Reporter | Suspect containing the entry (B, C).]


• Processing in the proposed algorithm
  - After node B transmits data to node C, it stores a copy of the data in the buffer of node B
  - Node B overhears the data transmission of node C (to determine whether node C transmits the data to destination node D)
  - If node B does not overhear the data transmission of node C within the time
    → node B increases the failure tally of node C
  - If tally > threshold, this is misbehavior
    · In the proposed scheme the misbehavior is reported to all nodes
      → the malicious node is detected and removed immediately (in watchdog, by contrast, the report is unicast to node S)
  - If a node receiving the report finds the same reporter and suspect in its report table → ignore
  - Else the report is added to the list in its report table


Operations of proposed scheme

• Operations of the proposed scheme (flowchart)

[Flowchart. Sending side: store copy of data in buffer after data transmission; decision "next node's transmission overheard within time?"; increase failure tally; delete copy of data in buffer; decision "threshold exceeded?"; broadcast report message. Receiving side: receive report message; decision "the same report list exists in report table?"; update report table and re-broadcast report message; drop report message; ignore.]
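The overhear, tally and report steps from the two slides above, as an added example that is not code from the presentation. The class and method names, the packet-id keying and the choice to count a modified packet in the same failure tally are assumptions; reports are taken to be already authenticated.

```python
class Watchdog:
    """Per-node state for the overhear / tally / report steps (hypothetical names)."""

    def __init__(self, node_id, threshold, timeout):
        self.node_id, self.threshold, self.timeout = node_id, threshold, timeout
        self.buffer = {}           # packet id -> (next hop, copy of data, deadline)
        self.tally = {}            # next hop -> failure tally
        self.report_table = set()  # (reporter, suspect) pairs

    def sent(self, pkt_id, next_hop, data, now):
        """Store a copy of the data after transmitting it to the next hop."""
        self.buffer[pkt_id] = (next_hop, data, now + self.timeout)

    def overheard(self, pkt_id, sender, data):
        """Next hop overheard forwarding: delete the copy and compare contents."""
        entry = self.buffer.get(pkt_id)
        if entry is None or entry[0] != sender:
            return None
        del self.buffer[pkt_id]
        # Assumption: a modified packet (Case 2) feeds the same failure tally.
        return self._failure(sender) if data != entry[1] else None

    def expire(self, now):
        """Copies not overheard within the timeout count as failures (Case 1)."""
        late = [p for p, (_, _, deadline) in self.buffer.items() if now > deadline]
        reports = [self._failure(self.buffer.pop(p)[0]) for p in late]
        return [r for r in reports if r]  # each report is broadcast to all nodes

    def _failure(self, suspect):
        self.tally[suspect] = self.tally.get(suspect, 0) + 1
        report = (self.node_id, suspect)
        if self.tally[suspect] > self.threshold and report not in self.report_table:
            self.report_table.add(report)
            return report
        return None

    def receive_report(self, report):
        """Return True when the pair is new: store it and re-broadcast."""
        if report in self.report_table:
            return False  # same reporter and suspect already listed: ignore
        self.report_table.add(report)
        return True

if __name__ == "__main__":
    b = Watchdog("B", threshold=2, timeout=1.0)
    for pkt in (1, 2, 3):  # constructed run: node C drops three packets
        b.sent(pkt, "C", b"payload", now=0.0)
    print(b.expire(now=5.0))
```
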


Scenarios

• Case 1: A malicious node drops data
  - Malicious node C does not transmit the data to destination D and drops the data
  - Node B cannot overhear a transmission of node C within the predetermined length of time
  - Node B understands that node C did not transmit the data
  - Thus, node B reports node C as a malicious node

[Figure: route S → A → B → C → D with each node overhearing the next hop; node C drops the data and node B sends a report.]


Scenarios

• Case 2: A malicious node modifies data
  - Malicious node C arbitrarily modifies the header and data content received from node B
  - It transmits the modified data to node D
  - Node B overhears the data transmission of node C
  - Node B then compares the transmitted data with the copy of the data stored in its buffer
  - The copy of the data stored in the buffer of node B does not match node C's transmitted data
  - Node B reports node C as a malicious node

[Figure: route S → A → B → C → D with each node overhearing the next hop; node C modifies the data and node B sends a report. Neighboring nodes H, I, J and K are also shown.]


• Measures against Cases 1 and 2
  - The report list ① is recorded in the report table of all nodes
  - After node S receives B's report,
    · if S does not receive an ACK from destination D,
    · node S determines that there is a malicious node in the current route and sets up a new route
  - Other nodes (L, K) will report node C as a malicious node (②, ③)
  - While the malicious node does not forward data, it continues to be recorded in the suspect list
  - When the number of malicious nodes = 2 and the number of entries listing node C as suspect = 3 ↑ (suspect node count > malicious node count)
    · node C is treated as a malicious node and excluded from the network

[Figure: route S → A → B → C → D with overhearing at each hop; node C drops or modifies the data and reports are sent; nodes L and K are also shown. Report table at node A, columns Reporter | Suspect, entries ① to ③: (B, C), (L, C), (K, C).]


Scenarios

• Case 3: Disguise of another node (false report)
  - To prevent a false report from a node disguising itself as a normal node using another node's ID, asymmetric encryption with a private key and a public key is used
  - If node B disguises itself as normal node X and submits a false report message R, node B does not know private key Kx- and must encrypt the false report message R using its own private key KB- and broadcast it
  - Each node receiving the false report treats it as node X's report and decodes it using the public key Kx+ of node X
  - But report message R was not encrypted using private key Kx-
  - The false report message R cannot be decrypted → error

[Figure: node B encrypts report R with its private key KB- and sends KB-(R) to nodes J, K, L, …; the receivers attempt decryption with node X's public key Kx+: Kx+(KB-(R)) = ?]


Scenarios

• Case 4: Another node → temporary false report
  - Malicious node M falsely reports a temporary node X irrespective of data forwarding → report list ①
  - Malicious node M then moves from its current location to another location
    · M falsely reports temporary nodes (Y, Z): ②, ③
  - The number of reports by node M in the report table > threshold
    · Node M is identified as making false reports and thus does not participate in network operation

[Figure: route S → A → B → C → D; node M sends false reports. Report table at node A, columns Reporter | Suspect, entries (M, X), (M, Y), (M, Z).]


Scenarios

• Case 5: Normal node → malicious node (false report)
  - If malicious node B falsely reports normal node C
    · Malicious node B drops the ACK from normal node D
    · Node S sets up a new route without determining whether the report of node B is false
    · All nodes add the report of node B to their lists: ①
  - Node B makes false reports in the new routes → ② and ③ are added to the report list
  - The false reports of node B accumulate in the report list
    · No common suspect node exists in the suspect list
    · → node B's false reports are detected

[Figure: route S → A → B → C → D with overhearing at each hop; node B sends a report. Report table at node A, columns Reporter | Suspect, entries (B, C), (B, J), (B, M).]
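The report-table decisions from the "Measures against Cases 1 and 2", Case 4 and Case 5 slides, as an added example that is not code from the presentation. The function name and the two parameters are assumptions, and the tables are constructed to mirror the slides' figures.

```python
from collections import defaultdict

def classify(report_table, malicious_count, reporter_threshold):
    """Apply the slides' two counting rules to (reporter, suspect) pairs.

    malicious_count: assumed number of malicious nodes in the network.
    reporter_threshold: assumed limit on distinct suspects one reporter may name.
    Returns (malicious_nodes, false_reporters).
    """
    accusers = defaultdict(set)  # suspect  -> reporters that named it
    named = defaultdict(set)     # reporter -> suspects it named
    for reporter, suspect in set(report_table):  # duplicate pairs count once
        accusers[suspect].add(reporter)
        named[reporter].add(suspect)

    # Cases 4 and 5: one reporter lists many suspects with none in common.
    false_reporters = {r for r, s in named.items() if len(s) > reporter_threshold}
    # Cases 1 and 2: suspect node count > malicious node count.
    malicious = {s for s, r in accusers.items() if len(r) > malicious_count}
    return malicious, false_reporters

# Constructed report tables mirroring the slides' figures.
CASE_1_2 = [("B", "C"), ("L", "C"), ("K", "C")]
CASE_4 = [("M", "X"), ("M", "Y"), ("M", "Z")]
CASE_5 = [("B", "C"), ("B", "J"), ("B", "M")]

if __name__ == "__main__":
    for name, table in [("1/2", CASE_1_2), ("4", CASE_4), ("5", CASE_5)]:
        print(name, classify(table, malicious_count=2, reporter_threshold=2))
```
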


AODV-based proposed scheme

• A method of applying the proposed scheme to AODV
  - In the figure below, when node A broadcasts an RREQ message, malicious node B receives and re-broadcasts the RREQ message.
  - Normal nodes (E, C, F) receive the RREQ message from malicious node B and recognize from their report tables that node B is a malicious node.
  - They do not forward the RREQ message to other nodes in the network, thereby excluding node B from the route.


Evaluation

• Average loss rate: analytic loss rate (%) vs. time (sec)
  - Performance improvement: loss rate decreases (10-20%)
  - The longer the time, the lower the loss rate in the proposed scheme
  - The proposed scheme identifies malicious nodes over the network and excludes them from newly determined routes, thereby preventing attacks by malicious nodes and reducing the loss rate.
  - The average loss rate with 3 malicious nodes is lower than with 6 malicious nodes

[Figures: malicious nodes: 6, pause time: 0, 600 sec; malicious nodes: 3, pause time: 0, 600 sec]


Evaluation

• Average transmission rate: analytic delivery vs. time
  - The transmission rate of the proposed scheme is higher than that of AODV (the loss rate of the proposed scheme is lower than that of AODV)
  - More data is transmitted with 3 malicious nodes than with 6 malicious nodes
  - With a pause time of 600 sec
    · The loss rate is low and data transmission is high
  ※ When malicious nodes move frequently, they are highly likely to be included in a new route. The network loss rate is then high and data transmission is low.

[Figures: malicious nodes: 6, pause time: 0, 600 sec; malicious nodes: 3, pause time: 0, 600 sec]


Evaluation

Transmission gains and overhead in AODV and the proposed scheme

- Overhead: control packets of the proposed scheme - control packets of AODV (bytes)
- Transmission gain: data transmitted by the proposed scheme - data transmitted by AODV (bytes)

※ The proposed scheme generates more control messages than AODV in the network layer (when a malicious node is identified in the proposed scheme, the report table is broadcast in the network).

※ However, as a control packet is several bytes and a data packet is several hundred, the proposed scheme obtains more transmission gain with less overhead in overall network transmission rates.


Conclusions

• Summary
  - The scheme detects a malicious node that operates normally during route determination but abnormally during data transmission over the network, using a report message and a report table specifying a pair of a reporter node and a suspect node.
  - The more malicious nodes in the network and the greater their mobility, the greater the rate of data loss and the lower the rate of transmission → the proposed scheme performs better than AODV
• Future work
  - The scheme must be further improved to provide more extensive security during route determination over the MANET


Thank you