Transmission Time-based Mechanism to Detect Wormhole in Ad-hoc Networks

Tran Van Phuong, U-Security Group, RTMM Lab, Kyung Hee Uni, Korea, 2006.11.10



Content

• Wormhole Attacks
• Related Work
• Motivation
• Proposed Mechanism
• Simulation Results
• Evaluation & Conclusion


Wormhole Attack (1)

A wormhole attack is a two-phase process: get as much data as possible, then take advantage of that data.

Two malicious nodes are able to tunnel packets to each other: out-of-band channel, encapsulation, …

One node overhears packets and tunnels them to the other node, which then replays them into the network at that point.

More nodes want to send data via the wormhole link.

The attack can still be performed even if the network communication provides confidentiality and authenticity and even if the attacker has no cryptographic key.

Fig. Wormhole Attack


Wormhole Attack (2)

Hidden Attack: The attackers do not modify either the content or the header of packets. W1, W2 are invisible to other nodes.

S → A1 → B1 → D

A1, B1: fake neighbors

Exposed Attack: The attackers do not modify the content of the packets but include themselves in the packet header following the route setup procedure.

S → A1 → W1 → W2 → B1 → D

Other nodes know of the existence of the wormhole nodes but they do not know that the wormhole nodes are malicious.

The main difference: neighborhood. A Hidden Attack creates many fake neighbors but an Exposed Attack does not.


Related work (1)

Temporal packet leashes:
• The sender A puts a time stamp (sending time) into the header.
• The receiver B estimates the distance between A & B based on the transmission time & speed of the packet.
• D = (<receiving time> – <sending time>) * <transmission speed>
• If the distance is longer than the maximum radio range -> reject communication.
• Requires tightly synchronized clocks.

Geographical packet leashes:
• The sender A puts its location & the time of sending into the packet’s header.
• The receiver B estimates the distance between A & B.
• Requires every node to know its location.

These two mechanisms are impractical with current technology

[1] Yih-Chun Hu, Adrian Perrig, David B. Johnson, Packet leashes: a defense against wormhole attacks in wireless networks, INFOCOM 2003.


Related work (2)

Neighbor Authentication:

Round Trip Time:
• A node A sends a special packet to node B, requiring an immediate reply from node B. The RTT between A & B is the delay between A sending the packet & receiving the reply.
• Node A calculates the RTTs between itself & all of its neighbors.
• RTTs between A & its fake neighbors are much greater than RTTs between A & its real neighbors.
• Cannot detect exposed attacks.

[2] Jane Zhen, Sampalli Srinivas, Preventing Replay Attacks for Secure Routing in Ad Hoc Networks, ADHOC-NOW 2003, LNCS 2865, pp. 140-150, 2003.

Fig 2. Round Trip Time

Fig 3. Neighbor Authentication

[Figure labels: node A; nodes 1, 2, 3, 4; w, w; RTT1, RTT2, RTT3, RTT4]


Related work (3)

DelPHI: Delay Per Hop Indication:
• When a node A establishes a path to node B, A searches for all disjoint paths & calculates their lengths & RTTs.
• Per-Hop RTT = RTT / length
• Under normal conditions, Per-Hop RTTs should be similar between paths.
• The Per-Hop RTT of wormhole paths will be higher.

[5] Hon Sun Chiu, King-Shan Lui, Wormhole Detection Mechanism for Ad Hoc Wireless Networks, 1st International Symposium on Wireless Pervasive Computing, 2006.


Motivation

Columns: Exposed Attacks | Hidden Attacks | Pinpoint Location | No special hardware required | Performance/Overhead

Packet Leashes (2003): x x Low

Neighbor Authentication (2003): x x x Medium High

Neighbor Number Test (2005): x x Medium

SAM (2005): x x x Medium High

DelPHI (2006): x x x Medium

Ideal Mechanism: x x x x High

Goal: to design a mechanism that detects both exposed & hidden attacks, is able to pinpoint the wormhole location, requires no special hardware, and has good performance.


Route Setup in AODV

When a node A wants to communicate with another node B and there’s no valid route in its routing table, A broadcasts a Route Request (RREQ).

An intermediate node that receives the RREQ for the first time forwards the RREQ to all of its neighbors if there’s no valid route in its routing table.

When the destination gets the RREQ, it replies with an RREP along the reverse path.

RFC 3561 — Ad hoc On-Demand Distance Vector (AODV) Routing


Proposed Mechanism (1)

We calculate all transmission times between two successive nodes along the path established between the source & the destination.

Each intermediate node calculates the transmission time between itself and the destination, puts the value into the RREP & sends it back to the source node.

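[Figure: timing diagram along the Time axis for nodes S, A, B, C, D, with a Processing Time at the nodes. Labels: T_S^REQ, T_A^REQ, T_B^REQ, T_C^REQ, T_D^REQ; T_D^REP, T_C^REP, T_B^REP, T_A^REP, T_S^REP; RTT_{S,D}, RTT_{A,D}, RTT_{B,D}, RTT_{C,D}; RTT_{S,A}, RTT_{A,B}, RTT_{B,C}, RTT_{C,D}]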


Proposed Mechanism (2)

We define RTT of an intermediate node as the time between its sending the RREQ and receiving the RREP from the destination.

Each intermediate node adds its RTT to the RREP and forwards it to the next hop.

The source node will have all RTTs of intermediate nodes along the path from the source to the destination (RTTi – Round Trip Time of node i in the path).

Fig 8. A Path with a Wormhole link


Proposed Mechanism (3)

We set: Δ_i = RTT_i – RTT_{i+1}

Δ_i is the RTT between two successive nodes i & i+1 in the path.

Under normal conditions, the Δ_i are similar.

Under wormhole attack, the Δ_i between fake neighbors is considerably higher.

Threshold?

Fig 9. Delay Per Hop
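
An added example, not code from the slides: how a source node could compute the per-hop values Δ_i from the RTT list carried back in the RREP and pinpoint the suspicious link. The slides leave the threshold open, so the factor-times-median rule, the optional absolute threshold, the function names, the zero RTT assumed for the destination and the millisecond sample values are all assumptions constructed for illustration.

```python
from statistics import median

def hop_deltas(path, rtts_ms):
    """Return [((node_i, node_i+1), delta_i)] with delta_i = RTT_i - RTT_{i+1}.

    path    -- node ids, source first, destination last
    rtts_ms -- RTT_i of every node except the destination, as read from the RREP
    """
    if len(path) < 2 or len(rtts_ms) != len(path) - 1:
        raise ValueError("need one RTT per node except the destination")
    # Assumption: the destination contributes RTT 0, so the last delta is the
    # RTT measured by the node just before the destination.
    rtts = list(rtts_ms) + [0.0]
    deltas = []
    for i in range(len(path) - 1):
        delta = rtts[i] - rtts[i + 1]
        if delta < 0:
            # RTT_i spans RTT_{i+1} in time, so a negative delta means a
            # reported value is wrong and the route should not be trusted.
            raise ValueError(f"inconsistent RTT reported on {path[i]}->{path[i + 1]}")
        deltas.append(((path[i], path[i + 1]), delta))
    return deltas

def suspect_links(path, rtts_ms, threshold_ms=None, factor=3.0):
    """Links whose delta exceeds the threshold (assumed rule: factor * median)."""
    deltas = hop_deltas(path, rtts_ms)
    if threshold_ms is None:
        threshold_ms = factor * median(d for _, d in deltas)
    return [link for link, d in deltas if d > threshold_ms]

# Constructed sample values in milliseconds (not taken from the simulation).
EXPOSED = (["S", "A1", "W1", "W2", "B1", "D"], [23.0, 21.0, 19.0, 4.0, 2.0])
HIDDEN = (["S", "A1", "B1", "D"], [19.0, 17.0, 2.0])
CLEAN = (["S", "A", "B", "C", "D"], [8.0, 6.0, 4.0, 2.0])

if __name__ == "__main__":
    for name, (path, rtts) in [("exposed", EXPOSED), ("hidden", HIDDEN), ("clean", CLEAN)]:
        print(name, suspect_links(path, rtts))
```

On routes with only a few hops the median is pulled up by the wormhole link itself, so short routes need an absolute `threshold_ms` calibrated from measurements rather than the relative rule.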


RREP format

RREP format with extensions


Simulation Result

Simulation Parameters

• Size: 1000m x 1000m
• Number of nodes: 50
• Transmission range: 250m
• Node movement: no
• Background traffic: light
• Wormhole: exposed


False detection rate

Fig. Transmission Time between two wormhole nodes

Fig. False positive rate & False negative rate


Detection rate

Fig 3. Detection rate & False positive rate


Evaluation (1)

• N: number of nodes
• L: length of the established route
• E0: number of bytes transmitted in each route request when there’s no wormhole prevention mechanism
• E1: number of bytes transmitted in each route request when TTM is deployed
• In each route request in AODV, we have: E0 = 32N + 20L
• In our mechanism, the size of RREP will be 20 + 4L (bytes). We have: E1 = 32N + L(20 + 4L)

In our simulation:
• E0 = 1691.58878
• E1 = 1775.47382

Overhead: 5.83%


Evaluation (2)

Memory used:

Intermediate nodes: 4·k (octets)

Source nodes: 4·k + 4·l (octets)

k – number of route requests that arrive at the same time

l – route length


Conclusion

The proposed mechanism is able to detect both exposed & hidden attacks and pinpoint the wormhole location, requires no special hardware, and has little overhead & good performance.

Columns: Exposed Attacks | Hidden Attacks | Pinpoint Location | No special hardware required | Performance/Overhead

Packet Leashes: x x Low

Neighbor Authentication: x x x Medium High

DelPHI: x x x Medium

Neighbor Number Test: x x Medium

SAM: x x x Medium High

Proposed Mechanism: x x x x High


References

1. Yih-Chun Hu, Adrian Perrig, David B. Johnson, "Packet leashes: a defense against wormhole attacks in wireless networks", INFOCOM 2003.

2. Jane Zhen, Sampalli Srinivas, "Preventing Replay Attacks for Secure Routing in Ad Hoc Networks", ADHOC-NOW 2003, LNCS 2865, pp. 140-150, 2003.

3. Ning Song, Lijun Qian, Xiangfang Li, "Wormhole Attacks Detection in Wireless Ad Hoc Networks: A Statistical Analysis Approach", 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS'05) - Workshop 17, p. 289a, 2005.

4. L. Buttyán, L. Dóra, I. Vajda, "Statistical Wormhole Detection in Sensor Networks", Second European Workshop on Security and Privacy in Ad Hoc and Sensor Networks (ESAS 2005), Visegrád, Hungary, July 13-14, 2005.

5. Hon Sun Chiu, King-Shan Lui, "Wormhole Detection Mechanism for Ad Hoc Wireless Networks", 1st International Symposium on Wireless Pervasive Computing, 2006.

6. RFC 3561 — Ad hoc On-Demand Distance Vector (AODV) Routing


Questions & Comments