. 65
( 87 .)


(according to the prior authentic hash value) assures the authenticity of the received infor-
mation if the calculated hash value and the authentic hash value match.
The source of each routing update message in SEAD must also be authenticated since,
otherwise, an attacker may be able to create routing loops through the impersonation at-
tack. The authors propose two different approaches to provide node authentication: the
first is based on a broadcast authentication mechanism such as TESLA, and the second is
based on the use of Message Authentication Codes, assuming a shared secret key between
each couple of nodes in the network.
SEAD does not cope with wormhole attacks, although the authors propose, as in the
ARIADNE protocol, to use the TIK protocol to detect the threat.

12.2.3 Notes on the Wormhole Attack
The wormhole attack is a severe threat against ad hoc routing protocols that is particularly
challenging to detect and prevent. In a wormhole attack, a malicious node can record
packets (or bits) at one location in the network and tunnel them to another location
through a private network shared with a colluding malicious node. Without some mecha-
nism to defend them against the wormhole attack, most existing ad hoc routing protocols
would be unable to find consistent routes to any destination, severely disrupting commu-
A dangerous threat can be perpetrated if a wormhole attacker tunnels all packets
through the wormhole honestly and reliably since no harm seems to be done; the attacker
actually seems to provide a useful service in connecting the network more efficiently.
However, when an attacker forwards only routing control messages and not data packets,
communication may be severely damaged. As an example, when used against an on-de-
mand routing protocol such as DSR, a powerful application of the wormhole attack can be
mounted by tunneling each RREQ message directly to the destination target node of the
request. This attack prevents routes more than two hops long from being discovered be-
cause RREP messages would arrive to the source faster than any other replies or, worse,
RREQ messages arriving from nodes next to the destination other than the attacker would
be discarded as already seen.
Hu, Perrig, and Johnson propose an approach to detect a wormhole based on packet
leashes [10]. The key intuition is that by authenticating either an extremely precise time-
stamp or location information combined with a loose timestamp, a receiver can determine
if the packet has traversed a distance that is unrealistic for specific network technology

Temporal leashes rely on extremely precise time synchronization and extremely pre-
cise timestamps in each packet. The travel time of a packet can be approximated as the
difference between the receive time and the timestamp. Given the precise time synchro-
nization required by temporal leashes, the authors propose efficient broadcast authentica-
tors based on symmetric primitives. In particular, they extend the TESLA broadcast au-
thentication protocol to allow the disclosure of the authentication key within the packet
that is authenticated.
Geographical leashes are based on location information and loosely synchronized
clocks. If the clocks of the sender and the receiver are synchronized within a certain
threshold and the velocity of any node is bounded, the receiver can compute an upper
bound on the distance between the sender and itself and use it to detect anomalies in the
traffic flow. Under certain circumstances, however, bounding the distance between the
sender and the receiver cannot prevent wormhole attacks: when obstacles prevent commu-
nication between two nodes that would otherwise be in transmission range, a distance-
based scheme would still allow wormholes between the sender and the receiver. To over-
come this problem, in a variation of the geographical leashes, the receiver verifies that
every possible location of the sender can reach every possible location of the receiver
based on a radio propagation model implemented in every node.
In some special cases, wormholes can also be detected through techniques that do not
require precise time synchronization or location information. As an example, it would be
sufficient to modify the routing protocol used to discover the path to a destination so that
it could handle multiple routes; a verification mechanism would then detect anomalies
when comparing the metric (e.g., number of hops) associated with each route. Any node
advertising a path to a destination with a metric considerably lower than all the others
could raise the suspect of a wormhole.
Furthermore, if the wormhole attack is performed only on routing information while
dropping data packets, other mechanisms can be used to detect this misbehavior. When a
node does not correctly participate in the network operation by not executing a particular
function (e.g., packet forwarding) a collaborative monitoring technique can detect and
gradually isolate misbehaving nodes. Lack of cooperation and security mechanisms used
to enforce node cooperation in network operation is the subject of the next section.


As opposed to networks using dedicated nodes to support basic networking functions like
packet forwarding and routing, in ad hoc networks these functions are carried out by all
available nodes in the network. There is no reason, however, to assume that the nodes in
the network will eventually cooperate with one another since network operation consumes
energy, a particularly scarce resource in a battery powered environment like MANET. The
new type of node misbehavior that is specific to ad hoc networks is caused by lack of co-
operation and goes under the name of node selfishness. A selfish node does not directly
intend to damage other nodes with active attacks (mainly because performing active at-
tacks can be very expensive in terms of energy consumption) but it simply does not coop-
erate in network operation, saving battery life for its own communications.
Damage caused by selfish behavior cannot be underestimated: a simulation study pre-
sent in the literature [11] shows the impact of a selfish behavior in terms of global net-

work throughput and global communication delay when the DSR routing protocol is used.
The simulation results show that even a small percentage of selfish nodes present in the
network leads to a severe degradation of performance. Furthermore, any security mecha-
nism that tries to enforce cooperation among the nodes should focus not only on one par-
ticular function, but on both the routing and the packet forwarding function. As an exam-
ple, if a source routing mechanism such as DSR is used, any node that does not participate
to the routing protocol cannot claim to participate in the packet forwarding function since
it cannot appear in any route, meaning that it will never be asked to relay packets for oth-
er nodes of the network.
The node selfishness problem has only recently been addressed by the research commu-
nity, and there are still few mechanisms provided to combat such misbehavior. Mechanisms
that enforce node cooperation in a MANET can be divided into two categories: the first is
currency-based (see Section 12.3.1) and the second uses a local monitoring technique (see
Sections 12.3.2 and 12.3.3). Currency-based systems are simple to implement but rely on a
tamperproof hardware. The main drawback of this approach is in the difficulty of estab-
lishing how the virtual currency has to be exchanged, making their use not realistic in a
practical system. Cooperative security schemes based on local monitoring seem to offer the
most suitable solution to the selfishness problem. Every node of the MANET monitors its
local neighbors, evaluating for each of them a metric that is directly related to the nodes™ be-
havior. Based on that metric, a selfish node can be gradually isolated from the network. The
main drawback of this approach is related to the absence of a mechanism that securely iden-
tifies the nodes of the network: any selfish node could elude the cooperation enforcement
mechanism and get rid of its bad reputation just by changing its identity.
In the following, the main research efforts toward the solution of the node selfishness
problem are presented.

12.3.1 Nuglets
In [14], ] Buttyan and Hubaux present two important issues targeted specifically at the
ad hoc networking environment: first, endusers must be given some incentive to coop-
erate in the network operation (especially to relay packets belonging to other nodes);
second, endusers must be discouraged from overloading the network. The solution pre-
sented in their paper consists of the introduction of a virtual currency (which they call
Nuglets) used in every transaction. Two different models are described: the Packet Purse
Model and the Packet Trade Model. In the Packet Purse Model, each packet is loaded
with nuglets by the source and each forwarding host takes out nuglets for its forwarding
service. The advantage of this approach is that it discourages users from flooding the
network, but the drawback is that the source needs to know exactly how many nuglets it
has to include in the packet it sends. In the Packet Trade Model, each packet is traded
for nuglets by the intermediate nodes: each intermediate node buys the packet from the
previous node on the path. Thus, the destination has to pay for the packet. The direct ad-
vantage of this approach is that the source does not need to know how many nuglets
need to be loaded into the packet. On the other hand, since the packet generation is not
charged for, malicious flooding of the network cannot be prevented. There are some fur-
ther issues that have to be solved: concerning the Packet Purse Model, the intermediate
nodes are able to take out more nuglets than they are supposed to; concerning the Packet
Trade Model, the intermediate nodes are able to deny the forwarding service after tak-
ing out nuglets from a packet.

The acronym given to the cooperation mechanism proposed by Buchegger and Le Boudec
stands for “Cooperation Of Nodes, Fairness In Dynamic Ad-hoc NeTworks” [15, 16] and it
detects malicious nodes by means of observation or reports about several types of attacks,
thus allowing nodes to route around misbehaving nodes and to isolate them. CONFIDANT
works as an extension to a routing protocol such as Dynamic Source Routing (DSR).
Nodes have a monitor for observations, reputation records for first-hand and trusted
second-hand observations about routing and forwarding behavior of other nodes, trust
records to control trust given to received warnings, and a path manager to adapt their be-
havior according to reputation and to take action against malicious nodes. The term repu-
tation is used to evaluate routing and forwarding behavior according to the network proto-
col, whereas the term trust is used to evaluate participation in the CONFIDANT
The dynamic behavior of CONFIDANT is as follows. Nodes monitor their neighbors
and change the reputation accordingly. If they have reason to believe that a node misbe-
haves, they can take action in terms of their own routing and forwarding and they can de-
cide to inform other nodes by sending an ALARM message. When a node receives such
an ALARM either directly or by promiscuously listening to the network, it evaluates how
trustworthy the ALARM is based on the source of the ALARM and the accumulated
ALARM messages about the node in question. It can then decide whether to take action
against the misbehaved node in the form of excluding routes containing the misbehaved
node, reranking paths in the path cache, reciprocating by noncooperation, or forwarding
an ALARM about the node.
The first version of CONFIDANT was, despite the filtering of ALARM messages in
the trust manager, vulnerable to concerted efforts of spreading wrong accusations. This
problem has been addressed by the use of Bayesian statistics for classification and the ex-
clusion of liars.
Simulations with nodes that do not participate in the forwarding function have shown
that CONFIDANT can cope well, even if half of the network population acts maliciously.
Further simulations concerning the effect of second-hand information and slander have
shown that slander can effectively be prevented while still retaining a significant detection
speed-up over using merely first-hand information.
The limitations of CONFIDANT lie in the assumptions for detection-based reputation
systems. Events have to be observable and classifiable for detection, and reputation can
only be meaningful if the identity of each node is persistent, otherwise it is vulnerable to
spoofing attacks.

12.3.3 CORE
The security scheme proposed by Michiardi and Molva [18, 19], stimulates node coopera-
tion by a collaborative monitoring technique and a reputation mechanism. Each node of
the network monitors the behavior of its neighbors with respect to a requested function
and collects observations about the execution of that function. As an example, when a
node initiates a Route Request (e.g., using the DSR routing protocol) it monitors that its
neighbors process the request, whether with a Route Reply or by relaying the Route Re-
quest. If the observed result and the expected result coincide, then the observation will
take a positive value, otherwise it will take a negative value.

Based on the collected observations, each node computes a reputation value for every
neighbor using a sophisticated reputation mechanism that differentiates between subjec-
tive reputation (observations), indirect reputation (positive reports by others), and func-
tional reputation (task-specific behavior), which are weighted for a combined reputation
value. The formula used to evaluate the reputation value avoids false detections (caused,
for example, by link breaks) by using an aging factor that gives more relevance to past ob-
servations: frequent variations on a node behavior are filtered. Furthermore, if the func-
tion that is being monitored provides an acknowledgement message (e.g., the Route Reply
message of the DSR protocol), reputation information can also be gathered about nodes
that are not within the radio range of the monitoring node. In this case, only positive rat-
ings are assigned to the nodes that participated to the execution of the function in its total-
The CORE mechanism resists attacks performed using the security mechanism itself:
no negative ratings are spread between the nodes, so that it is impossible for a node to ma-
liciously decrease another node™s reputation. The reputation mechanism allows the nodes
of the MANET to gradually isolate selfish nodes: when the reputation assigned to a
neighboring node decreases below a predefined threshold, service provision to the misbe-
having node will be interrupted. Misbehaving nodes can, however, be reintegrated into the
network if they increase their reputation by cooperating in the network operation.
As for the other security mechanism based on reputation, the CORE mechanism suf-
fers from spoofing attacks: misbehaving nodes are not prevented from changing their net-
work identity, allowing the attacker to elude the reputation system. Furthermore, no simu-
lation results prove the robustness of the protocol even if the authors propose an original
approach based on game theory in order to come up with a formal assessment of the secu-
rity properties of CORE.

12.3.4 Token-Based Cooperation Enforcement
In the approach presented by Yang, Meng, and Lu [20], each node of the ad hoc network
has a token in order to participate in network operations, and its local neighbors collabo-
ratively monitor it to detect any misbehavior in routing or packet forwarding services.
Upon expiration of the token, each node renews its token via its multiple neighbors; the
period of validity of a node™s token is dependent on how long it has stayed and behaved
well in the network. A well-behaving node accumulates its credit and renews its token less
and less frequently as time evolves.
The security solution proposed by the authors is composed of four closely interacted
components: neighbor verification, which describes how to verify whether each node in
the network is a legitimate or malicious node; neighbor monitoring, which describes how
to monitor the behavior of each node in the network and detect occasional attacks from
malicious nodes; intrusion reaction, which describes how to alert the network and isolate
the attackers; and the security enhanced routing protocol, which explicitly incorporates
the security information collected by the other components into the ad hoc routing proto-
Concerning the token issuing/renewal phase, the authors assume a global secret/public
key pair SK/PK, where PK is well known by every node of the network. SK is shared by k
neighbors who collaboratively sign the token requested or renewed by local nodes. Token
verification follows three steps: 1) identity match between the node™s ID and the token ID,
2) validity time verification, and 3) issuer signature. If the token verification phase fails,

the corresponding node is rejected from the network and both routing and data packets are
dropped for that node.
Routing security relies on the redundancy of routing information rather than crypto-
graphic techniques. The routing protocol that the authors use as a basis is the Ad hoc On
demand Distance Vector protocol (AODV), which is extended in order to detect false rout-
ing update messages by comparing routing information gathered from different neighbor-
ing nodes. Packet forwarding misbehavior is also detected using a modified version of the
watchdog technique presented in [17], bypassing the absence of any source route informa-
tion by adding a next-hop field in the routing messages.
The proposed solution presents some drawbacks: the bootstrap phase needed to gener-
ate a valid collection of partial tokens that will be used by a node to create its final token
has some limitations. For example, the number of neighbors necessary to complete the
signature of every partial token has to be at least k, suggesting the use of such security
mechanism in rather large and dense ad hoc networks. On the other hand, the validity pe-
riod of a token increases proportionally to the time during which the node behave well.
This interesting feature has less impact if node mobility is high. Frequent changes in the
local subset of the network that shares a key for issuing valid tokens can cause high com-
putational overhead, not to mention the high traffic generated by issuing/renewing a to-
ken, suggesting that the token-based mechanism is more suitable in ad hoc networks
where node mobility is low. Spoofing attacks, whereby a node can request more than one
token by claiming different identities, are not taken into account even if the authors sug-
gest that MAC addresses can be sufficient for node authentication purposes.


Providing security support for ad hoc networks is challenging for a number of reasons:


. 65
( 87 .)