A Security Enhanced AODV Routing Protocol Based On the Credence Mechanism

Liu Jun, Li Zhe, Lin Dan and Liu Ye
Institute of Telecommunications and Information Systems, Faculty of Information Science & Engineering, Northeastern University, Shenyang 110004, China

Abstract—Ad Hoc networks are characterized by an open medium, dynamic topology, distributed cooperation and constrained node capability. These characteristics pose additional challenges for security, and routing security is the most important factor in the security of the entire network. However, few current routing protocols take security problems into consideration. This paper analyzes the potential insecurity factors in the AODV protocol. A security routing protocol based on a credence model is proposed; it reacts quickly when malicious behavior is detected in the network, effectively protects the network from various kinds of attacks and guarantees the security of Ad Hoc networks.

Keywords: Mobile Ad Hoc network; routing security; credence; AODV routing protocol

0-7803-9335-X/05/$20.00 ©2005 IEEE

I. INTRODUCTION

MANET (Mobile Ad Hoc Network) [1], a collection of mobile nodes connected by wireless links, is a multi-hop, self-organized system. The features of Ad Hoc networks are autonomy, provisionality, lack of infrastructure and ease of construction. They are primarily used in battlefield military information systems, civil emergency search-and-rescue operations and similar settings. Because the nodes of an Ad Hoc network move continuously and randomly, the network topology keeps changing and is unstable; in addition, Ad Hoc networks share the features of ordinary wireless systems. All of this makes the security problems of Ad Hoc networks more complex than those of traditional wired networks, especially the security of the routing protocols [2].

II. SECURITY PROBLEMS IN AODV PROTOCOL

AODV (Ad Hoc On-Demand Distance Vector Routing) [3] has been one of the most popular on-demand routing protocols (a route to a destination is built only when a node needs to communicate with it) and has been standardized by the IETF. However, AODV does not take security into consideration. The main attacks are listed as follows:

A. Black Hole Attack

The attacker broadcasts fraudulent messages to make other nodes believe that data can be transmitted through it along the shortest or least-cost path, while this trickster never forwards the data packets. This forms a "black hole", absorbing everything but never giving anything out.

B. Routing Table Overflow Attack

A malicious node keeps sending a large number of Route Request (RREQ) messages for nodes that do not exist, which consumes much computation and network bandwidth and prevents normal routes from being built, even paralyzing the entire network.

C. Network Segmentation Attack

• Fabricating RERR Packet Attack: malicious nodes broadcast fabricated Route Error (RERR) packets to destroy the route tables of their neighbors, which causes network segmentation and lower performance.

• Interrupt Routing Attack: a selfish node drops the routing messages received from its neighbors because of its limited power and computation ability, which also causes network segmentation.

Currently, a feasible method to guarantee protocol safety is encryption and certification [4, 5]. But the topology changes very frequently in Ad Hoc networks, and implementing message encryption and decryption is complicated, so it may consume great computing resources on the node systems, which is a big challenge for the limited battery energy of Ad Hoc nodes.

III. A SECURITY MECHANISM BASED ON AODV PROTOCOL

A security mechanism based on the AODV protocol is proposed in this paper. On one hand, it reinforces the protocol's functions, giving AODV-AD (AODV with Attack Detection). On the other hand, it builds a credence mechanism for the network: when a node is judged to be an attacker by the credence mechanism, the protocol reconstructs routes to isolate the attacker from the network. Meanwhile, in order to provide secure and reliable data forwarding services, nodes should preferentially use routes with high credence values when routing packets. The two parts collaboratively implement the evaluation of the credence value and complete the network's security defense.


A. AODV-AD protocol

Some modifications are made to the AODV protocol so that it can detect the attacks.

• Black Hole Attack Detection. A further request mechanism (FRQ) is used: the intermediate node adds its next hop to the Route Reply (RREP). When the source S receives an RREP sent by B and learns that B has a fresh route to destination D with next hop N, S sends an FRQ to N along another route that does not pass through B, asking whether N is a neighbor of B and whether N has a fresh route to D. If both answers are yes, B is not malicious.

• Routing Table Overflow Attack (DDoS) Detection. If there are massive numbers of RREQs in the network, a table overflow attack can be taken to be happening. The detecting solution is to create a table recording the number of RREQs received from each other node, together with a timer. If during a period of time the number of RREQs from a sender is larger than the threshold, that sender is suspicious.

• Fabricating RERR Packet Attack Detection. RERR fabrication is detected by sending test packets. When a node with a lower credence value sends an RERR packet, the receiver, to prevent a partitioning attack, sends a test packet to find out whether the nodes marked in the RERR are really unreachable. If the RERR receiver gets a reply to the test packet, the RERR sender may be malicious.

• Interrupt Routing Attack (Selfish Node) Detection. The credence mechanism detects this selfish behavior through neighbor monitoring.
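The RREQ counting table with a timer from the overflow-attack bullet, written out as an added Python example (not the paper's code): one sliding window of RREQ timestamps per originator, compared against a threshold. The window length, the threshold and the RREQ trace are constructed values, since the paper fixes none of them.

```python
from collections import defaultdict, deque

# Assumed parameters: the paper describes a timer period and a threshold but fixes neither.
RREQ_WINDOW_S = 10.0   # length of the timer period in seconds
RREQ_THRESHOLD = 20    # RREQs from one originator within the window before it is suspicious


class RreqRateMonitor:
    """The paper's detection table: per-originator RREQ counts kept over a sliding time window."""

    def __init__(self, window=RREQ_WINDOW_S, threshold=RREQ_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.seen = defaultdict(deque)   # originator -> timestamps of RREQs inside the window
        self.suspicious = set()

    def observe(self, originator, timestamp):
        """Record one RREQ. Returns True the first time the originator crosses the threshold."""
        q = self.seen[originator]
        q.append(timestamp)
        while q and timestamp - q[0] > self.window:   # drop RREQs older than the timer period
            q.popleft()
        if len(q) > self.threshold and originator not in self.suspicious:
            self.suspicious.add(originator)
            return True
        return False

    def count(self, originator):
        """Number of RREQs from this originator still inside the window."""
        return len(self.seen[originator])


def flag_flooders(events, window=RREQ_WINDOW_S, threshold=RREQ_THRESHOLD):
    """Replay (originator, timestamp) RREQ events in time order and return the flagged set."""
    monitor = RreqRateMonitor(window, threshold)
    flagged = set()
    for originator, ts in sorted(events, key=lambda e: e[1]):
        if monitor.observe(originator, ts):
            flagged.add(originator)
    return flagged


# Constructed trace: node7 floods 30 RREQs in three seconds while node2 issues one every two seconds.
SAMPLE_RREQS = [("node7", 0.1 * i) for i in range(30)] + [("node2", 2.0 * i) for i in range(10)]

if __name__ == "__main__":
    print(flag_flooders(SAMPLE_RREQS))   # {'node7'}
```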

B. Credence mechanism built on AODV protocol

Definition 1: A belief that the entity (human) will behave without malicious intent and a belief that the rational entity (system) will resist malicious manipulation.

Definition 2: Credence is a credit measurement of entities in the network. The credence mechanism is mainly used to prevent the security threat brought by malicious nodes, especially selfish nodes. All nodes evaluate their neighbors' credence dynamically; when they find suspect nodes, they do not communicate with those nodes at all. The main goals are as follows:

• Providing reliable information to decide whether a node is trustworthy.

• Encouraging cooperation among nodes.

• Preventing the cooperation service protected by the mechanism from being accessed by malicious nodes.

The credence value is obtained by monitoring neighbors' behavior and exchanging information with other nodes. The value is recorded in a credence table, in which each node has an entry.

1) Credence Establishment

Credence is just the trust degree between network entities. Thus, the establishment of credence is closely tied to monitoring the entities' behavior. According to the network hierarchy, node behavior can be classified into three kinds:

• Behavior 1: route packet processing;

• Behavior 2: data packet forwarding;

• Behavior 3: the four kinds of attacks on the AODV protocol summarized in part II.

Correspondingly, credence is also sorted into three categories, which represent different aspects of a node's credit. For example, a node may provide a reliable data-packet forwarding service but fail to forward routing information. The credence categories allow a more accurate evaluation of nodes' behavior, which benefits making better use of network resources and finding malicious nodes more quickly. The credence categories are:

• Routing information credence category: evaluating behavior 1.

• Forwarding data information credence category: evaluating behavior 2.

• Malicious behavior credence category: evaluating behavior 3.

2) Credence Quantization

Credence quantization is the manner of representing credit. There are usually two ways: discrete and continuous. The discrete manner does not fit Ad Hoc networks, because the dynamic topology makes the credence value change all the time. Further, the credence model in this paper also demands a continuous representation. The reasons are:

• Credence evaluation needs plenty of information about entities' behavior. With a discrete form, it is hard to decide the number of correct behaviors and their mapping to the degrees of discrete credence.

• When two or more credence categories are not at the same degree, it is hard to evaluate the whole credence of the entity.

Thus, a continuous representation is adopted, and the credence value ranges from -1 to 1. "-1" means completely untrustworthy; smaller than 0 means untrustworthy; bigger than 0 means trustworthy; "+1" means completely trustworthy.

3) Credence Computation

a) Routing Credence Computation

Rr denotes the value of the routing credence category, which depends on two parameters: Rrs, the number of routing packets forwarded successfully, and Rrf, the number of routing packets that failed to be forwarded. When routing packets are forwarded successfully, the credence value is increased and the node is considered credible, so the Rr value should range over [0, +1]. Moreover, as Rrs increases, Rr becomes closer to 1. Hence new nodes can be prompted to join the network by forwarding routing packets successfully. The formula used is (1):

$$R_r = 1 - \frac{2 R_{rf}}{R_{rs} + R_{rf}}, \quad R_{rs} + R_{rf} \neq 0;\ \text{otherwise } R_r = 0 \qquad (1)$$

When a routing packet fails to be forwarded, the credence value is decreased and the node is considered incredible, so the Rr value should range over [-1, 0]. As Rrf increases, Rr becomes closer to -1. The formula used is (2):

$$R_r = \frac{2 R_{rs}}{R_{rs} + R_{rf}} - 1, \quad R_{rs} + R_{rf} \neq 0;\ \text{otherwise } R_r = 0 \qquad (2)$$

According to (1) and (2), the formula of the routing credence category can be generalized as (3):

$$R_r = \frac{R_{rs} - R_{rf}}{R_{rs} + R_{rf}}, \quad R_{rs} + R_{rf} \neq 0;\ \text{otherwise } R_r = 0 \qquad (3)$$

b) Forwarding Credence Computation

In a similar way, the formula of the forwarding credence category is (4):

$$R_f = \frac{R_{fs} - R_{ff}}{R_{fs} + R_{ff}}, \quad R_{fs} + R_{ff} \neq 0;\ \text{otherwise } R_f = 0 \qquad (4)$$

Rf denotes the value of the forwarding credence category, Rfs the number of data packets forwarded successfully and Rff the number of data packets that failed to be forwarded.

c) Malicious Behavior Credence Computation

Rm denotes the value of the malicious behavior credence, in which m is the number of the node's behaviors. This credence category evaluates whether an entity shows attack behavior.

• Increasing the credence value for legitimate behavior. When the behavior of the entity (a node in the network) is legitimate, ∆R denotes the increment of credence for each normal behavior. From Rm+1 = Rm + ∆R the formula Rm = m·∆R + R0 can be derived. This is a linear function of m, in which Rm increases as m increases.

• When illegitimate behavior happens: the credence value should be decreased greatly when an attack happens. If the entity's previous behavior was normal (Rm > 0), its credence is cut in half. Meanwhile, if Rm is close to zero, the value is further decreased by ∆R besides the halving; if the entity has shown abnormal behavior before (Rm < 0), its credence is decreased greatly according to a linear strategy. Thereby the formula of the attack behavior credence is (5):

$$R_{m+1} = \begin{cases} R_m + \Delta R & \text{when the entity has legitimate behavior} \\ R_m / 2 - \Delta R & \text{when the entity has illegitimate behavior, } R_m > 0 \\ R_m - 2\Delta R & \text{when the entity has illegitimate behavior, } R_m < 0 \end{cases} \qquad (5)$$


Moreover, the speed at which credence changes depends on the value of ∆R. For example, when Rm is bigger than zero, from Rm+1 = Rm/2 − ∆R we get:

$$R_m = 2^{-m} R_0 - 2\Delta R\,(1 - 2^{-m}) \qquad (6)$$

Setting Rm = 0 gives:

$$m = \log_2\left(\frac{R_0}{2\Delta R} + 1\right) \qquad (7)$$

If the entity is completely trustworthy (R0 = 1) and an entity is considered trustworthy after just six legitimate behaviors (∆R = 1/6), m equals 2. That is, if an entity suddenly attacks after a series of legitimate behaviors that earned it complete trust, just two malicious behaviors return its credence to zero. Thus the malicious node can be found promptly. For the Rm < 0 condition: when Rm < 0, Rm is reduced according to the linear rule. Speeding up the reduction makes it reach the alarm threshold quickly.

d) The Whole Credence Computation

Under different conditions, the expectation one entity has of the service provided by others also differs. For example, A hopes that B forwards its data packets but does not care whether the routing information provided by B is reliable; that is, A requires high forwarding data credence of B. Therefore, the whole credence is the weighted sum of all credence categories. The weight of each credence category is configured manually according to the use of the network. The computing formula is (8):

$$R_o = W_f R_f + W_r R_r + W_m R_m \qquad (8)$$

In (8), Ro denotes the whole credence of an entity in the network, Rf the forwarding credence category, Rr the routing credence category, Rm the malicious behavior credence category, Wf the weight of the forwarding credence, Wr the weight of the routing credence and Wm the weight of the malicious behavior credence.

4) Credence Purge

When a node behaves maliciously, its credence is decreased accordingly. If the credence drops to a certain threshold, the detecting node may send alarm information. After the node is ascertained to be malicious, it is recorded in the black sheet of the other nodes. Furthermore, all other nodes stop communicating with it and delete its credence information, which completes the credence purge.

IV. PERFORMANCE ANALYSIS OF THE ALGORITHM

NS2.26, which is open source, is adopted as the simulation platform for this experiment. The scenario is defined by the following parameters:

Number of nodes: 30;
Topology range: 1000m*1000m;
Data rate: 2 packets/s;
Packet size: 512 byte;
Motion of nodes: random motion with 20m/s as the highest speed;
High-level flow: CBR (with node 29 as destination).
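The credence model of Section III, gathered into one added Python example (not the authors' code): Rr and Rf follow (3) and (4), Rm follows (5), Ro follows (8), and the credence purge blacklists a neighbor whose Ro reaches the alarm threshold. The weights Wf, Wr, Wm, the threshold value, clamping to [-1, 1] and taking the linear branch at exactly Rm = 0 are assumptions; ∆R = 1/6 is the paper's worked value, and exact fractions are used so that the case of (7) lands on Rm = 0 after two attacks.

```python
import math
from fractions import Fraction

DELTA_R = Fraction(1, 6)            # increment per legitimate behavior; the paper's worked value
ALARM_THRESHOLD = Fraction(-1, 2)   # assumed purge threshold; the paper leaves the value open
WEIGHTS = {"f": Fraction(2, 5), "r": Fraction(3, 10), "m": Fraction(3, 10)}  # Wf, Wr, Wm (assumed)


def ratio_credence(success, failure):
    """Eq. (3) and (4): (S - F) / (S + F), defined as 0 before any observation."""
    total = success + failure
    return Fraction(0) if total == 0 else Fraction(success - failure, total)


def clamp(x):
    """Keep a credence value inside the paper's range [-1, 1] (clamping itself is assumed)."""
    return max(Fraction(-1), min(Fraction(1), x))


class NeighborCredence:
    """Counters for behaviors 1 and 2 plus the malicious-behavior credence Rm (behavior 3)."""

    def __init__(self):
        self.counts = {"r": [0, 0], "f": [0, 0]}   # category -> [successes, failures]
        self.rm = Fraction(0)                      # Rm starts neutral

    def observe(self, category, success):
        """Record the outcome of one routing ("r") or data-forwarding ("f") packet."""
        self.counts[category][0 if success else 1] += 1

    def category(self, name):
        """Rr (eq. 3) for "r", Rf (eq. 4) for "f"."""
        return ratio_credence(*self.counts[name])

    def observe_behavior(self, legitimate):
        """Eq. (5). The paper does not cover Rm == 0; the linear branch is assumed there."""
        if legitimate:
            self.rm = clamp(self.rm + DELTA_R)
        elif self.rm > 0:
            self.rm = clamp(self.rm / 2 - DELTA_R)   # halve, then subtract delta R
        else:
            self.rm = clamp(self.rm - 2 * DELTA_R)   # linear decrease once already negative

    def whole(self):
        """Ro, eq. (8): weighted sum of the three categories."""
        return sum(WEIGHTS[k] * self.category(k) for k in ("f", "r")) + WEIGHTS["m"] * self.rm


class CredenceTable:
    """One entry per neighbor; an entry whose Ro reaches the threshold is blacklisted and deleted."""

    def __init__(self):
        self.entries = {}
        self.blacklist = set()

    def entry(self, node):
        return self.entries.setdefault(node, NeighborCredence())

    def purge_if_needed(self, node):
        """Credence purge (III.B.4): returns True if the node was blacklisted and removed."""
        if node in self.entries and self.entries[node].whole() <= ALARM_THRESHOLD:
            self.blacklist.add(node)
            del self.entries[node]
            return True
        return False


def attacks_to_zero(r0, delta_r):
    """Eq. (7): m = log2(R0 / (2 dR) + 1), the attacks that bring Rm from R0 > 0 down to 0."""
    return math.log2(r0 / (2 * delta_r) + 1)
```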

A. Impact of these attacks on the network performance

Packet delivery ratio is the important index for evaluating the overall performance of a network; it is selected here to evaluate the percentage of delivered packets that are affected by the attack and the improvement achieved through the use of the improved AODV. Fig. 1 illustrates the throughput curve under the fabricating distance-vector attack. In this diagram, the fabricating distance-vector attack performed against the normal AODV has a very big impact on the delivery ratio, decreasing it to less than half of that of the normal AODV. The security enhanced AODV manages to keep the delivery ratio at around 70%, a significant improvement. Fig. 2 illustrates the throughput curve under the fabricating error packet attack. The fabricating error packet attack has a major impact on network connectivity, which is obvious from the very low delivery ratio achieved when the normal AODV is under attack.

[Figure 1. Delivery rate in the FDV attack. Packet delivery ratio (0 to 1) plotted against the count of nodes destined to the No.29 node (5 to 30), with curves for normal AODV, AODV under attack and security enhanced AODV.]

TABLE I. ATTACK DETECTION ALGORITHM PERFORMANCE

Index | Attack                             | Accuracy | Inaccuracy | Reaction time (s)
1     | Sequence number attack             | 81.2%    | 14.8%      | 12.7
2     | Fabricating distance vector attack | 73.6%    | 22.6%      | 12.5
3     | Routing table overflow attack      | 74.8%    | 9.2%       | 13.2
4     | Fabricating RERR attack            | 70.5%    | 27.6%      | 16.3
5     | Interrupt routing attack           | 71.5%    | 13.8%      | 21.4

The results indicate that the loss caused by the two attacks can be greatly reduced and that the robustness of the security routing mechanism is improved.

B. Precision of the detection algorithm

The two indexes weighing the detection effect are: attack detection accuracy, the ratio of the number of detected attackers to the number of actual attackers; and detection inaccuracy, the ratio of the number of incorrect decisions to the number of normal nodes. The security routing protocol was tested in terms of detection accuracy, and the detection accuracy percentages for the five attacks are given in Table I.

V. CONCLUSION

Ad Hoc networks require high-level security routing protocols, without which attacks occur easily and may even paralyse the system. In this paper, these routing security issues have been studied and the security bugs of the AODV protocol have been patched. An intrusion-detecting, credence-based security mechanism is proposed, which can provide rapid detection of and reaction to malicious behaviors inside or outside the network. Simulation analysis under NS2 proves that the performance of the revised AODV protocol is better than before, which makes Ad Hoc networks safer and enhances their availability.

[Figure 2. Delivery rate in the RERR attack. Packet delivery rate (0 to 1) plotted against the count of nodes destined to the No.29 node (5 to 30), with curves for normal AODV, AODV under attack and security enhanced AODV.]

REFERENCES

[1] C.-K. Toh. Ad Hoc Mobile Wireless Networks: Protocols and Systems [M]. Prentice Hall PTR, 2002: 55-77.
[2] Yang H. Security in mobile Ad Hoc networks: challenges and solutions [J]. IEEE Wireless Communications, 2004, 11(1): 38-47.
[3] Perkins C E, Royer E M, Das S R. Ad-hoc On-Demand Distance Vector Routing (AODV) [EB/OL]. http://www.ietf.org/internetdrafts/draft-ietf-manet-aodv-12.txt, Nov. 2002.
[4] H Luo, P Zerfos, J Kong, S Lu, L Zhang. Self-securing Ad Hoc wireless networks [A]. Seventh IEEE Symposium on Computers and Communications (ISCC) [C], Taormina, Italy, 2002.
[5] Ingo Riedel. Security in Ad Hoc Networks: Protocols and ECC on Embedded System [D]. Diploma Thesis, Ruhr University Bochum, 2003.
