Testimony-based Isolation: New Approach To Overcome Packet Dropping Attacks in MANET Djamel Djenouri1 , Nadjib Badache2 1: CERIST Center of Research, Algiers 16030, Algeria. 2: USTHB University, Algiers, Algeria. E − mails: [email protected], [email protected]

Abstract— Attackers could take advantage of the cooperative nature of MANET’s routing protocols, by participating in the route discovery procedure to include themselves in routes, then simply drop data packets during the forwarding phase, aiming at a DoS (Denial of Service) attack. In this paper we deal with the detection and isolation of such malicious nodes. We first propose a monitoring technique different from the promiscuous overhearing (watchdog) used by almost all the current solutions, that overcomes many watchdog’s shortcomes. After that we propose a testimony-based isolation protocols basing on our monitoring technique.

I. I NTRODUCTION Security in MANET attracts more and more researchers, with its variety of fields, problems, and challenges arisen from the features of this infrastructureless environment [1]. One of the complex problems is detecting and isolating nodes that drop packets they receive to forward. Current secure routing protocols [2] aim at protecting the route discovery and route maintenance procedures. However, the packet dropping attack is launched during the forwarding phase. Although it could be launched easily, it is difficult to detect it. In the context of selfish nodes detection and isolation, many solutions have been proposed [1]. Selfish nodes also drop data packet, they only differ from them with respect to their purpose. Like malicious nodes, selfish nodes drop packets to save their resource, they do not aim damaging others. Still, all the detective solutions could be used in the context of malicious nodes. All these solutions, however, relay on the watchdog technique, thus inherent all its drawbacks. The principle of the watchdog is that each node in the source route monitors its successor after it sends it a packet to forward, by overhearing the channel. A monitor accuses a monitored node as misbehaving when it detects that this latter drops more than a given number (threshold) of packets. This basic technique of monitoring has no overhead when nodes do not misbehave. Nevertheless, it suffers from some problems, especially when using the transmission power control technique employed by some new power-aware routing protocols following the watchdog’s proposal, such as [3]. Assume three aligned nodes: A, B and C, such that A sends B a packet and monitors its forwarding to C, and lets assume that B uses the power control technique. When A is closer to B than C, B could circumvent the watchdog by using a transmission power strong enough to reach A but less than the one required to reach C, which is power efficient for B. On the other hand, when C is closer to B than A, and B behaves

correctly but uses the power control technique, A could not overhear B’s forwarding to C and will wrongly notice a packet dropping, which might result in false detections when the number of packets falsely detected exceeds the configured threshold. Further, packet collisions either at C or A during the monitoring could cause false detections, and after a collision at C, B could circumvent to A by not retransmitting the packet. In this proposal we suggest a novel monitoring approach to overcome the watchdog’s problems with reasonable overhead. We also propose a Baysien approach for nodes accusation, that enables nodes redemption before judgment. Finally, we suggest a social-based approach to approve detections and safely isolate guilty nodes. This approach’s aim is to consider and avoid false accusation attacks (rumors) vulnerability, as well as decreasing false positives that might be caused by channel conditions and nodes mobility. In contrast to the current solutions [4], [5], where each node unilaterally isolates nodes it judges as misbehaving, our isolation mechanism safely enables that all nodes together isolate the attacker. Unilateral isolation could cause problems as we will see later. The remainder of the paper is organized as follows: Next, our solution will be presented, followed by some analysis and discussions in section 3. Section 4 will be devoted to the simulation study, and finally the last section will conclude the paper, and sketches our perspectives. II. S OLUTION

OVERVIEW

Our solution consists of three related steps: the monitoring step, in which nodes control each other when forwarding packets. The judgment step, in which nodes decide about the behavior of each monitored node basing on the result of the previous step. And finally an isolation step, in which a detector node launch the execution of a testimony-based protocol to isolate the detected node. A. Monitoring Like the watchdog, in our solution each node A in the source route 1 monitors its successor B, and checks whether this latter forwards to C each packet it provides. We define a new kind of feedbacks we call two-hop ACK, an ACK that travels two hops. Node C acknowledges packets sent from A by sending this latter via B a two-hop ACK. Node B could, however, escape from the monitor without being detected by simply 1 like

the watchdog, our protocol is also implemented with DSR [6]

sending A a falsified two-hop ACK. Note that performing in this way is power economic for B, since sending a short packet like an ACK consumes too less energy than a data packet. To get over this vulnerability we use an asymmetric cryptography based strategy as follows: Node A generates a random number and encrypts it with C’s public key (PK), then appends it in the packet’s header. When C receives the packet it retrieves the number, decrypts it using its secret key (SK), encrypts it using A’s PK, and puts it in a two-hop ACK it sends back to A via B. In the first hop (C,B), the ACK is piggybacked to the ordinary MAC ACK (using a cross-layer implementation) , instead of being transmitted in a separate packet. When A receives the ACK it decrypts the random number and checks whether the number within the packet matches with the one it has generated, to validate B’s forwarding regarding the appropriate packet. However, if B does not forward the packet A will not receive the two-hop ACK, and it will be able to detect this malicious after a time out. This strategy needs a security association between each pair of nodes to ensure that nodes share their PK with each other. This requires a key distribution mechanisms, which can be achieved by continuously appending public keys to route request (RREQ) and route reply (RREP) packets during each route discovery of DSR [6] until all public keys reach every node. To ensure authenticity of keys, a mechanism like the chain of trust [7] can be used. Note that the same keys could be employed for other security purposes at other layers. The watchdog’s problems related to detection are mitigated with this approach, as long as B’s forwarding validation at A is not only related to B’s transmission, but to C’s reception. Nevertheless, the problem with this first solution is that it requires a two-hop ACK for each packet on each coupe of hops, which might result in important overhead. To decrease this cost we propose to randomize the ACK ask, viz. A does not ask C an ACK for each packet, but upon sending a packet to forward it randomly decides whether it asks an ACK or not, with a probability p, then it conceal this decision in the packet. A simple way to conceal the decision is to exploit the random number. For instance, when the node decides to ask an ACK it selects an even number, and an odd number when it decides to not ask the ACK. This random selection strategy prevents the monitored node from deducting which packets contain ACK requests. Note that getting such information allows a misbehaving to drop packets with no requests without being detected. The probability p is continuously updated as follows: It is set to 1 (the initial value) when a timeout exceeds without receiving the requested ACK, and set to ptrust upon receiving the requested ACK.

This way more trust is given to well-behaving nodes, and by setting p to 1 the ACK request is enforced after a lack of ACK, which allows to achieve all by the same performance in misbehaving true detections (true positives) like the ordinary two-hop ACK as we will see later.

B. Judgment The new monitoring method (random two-hop ACK) allows to confirm the correct forwarding of packets. Though, when a monitoring node notices that some packet has been dropped over a link it should not directly accuse the monitored as misbehaving, since this dropping could be caused by collisions or nodes’ mobility. Indeed, a threshold of tolerance should be fixed. In the following we propose a Bayesian approach allowing nodes to decide about the behavior of each other. In our approach, the threshold is not constant but increases with the nodes well-behaving. The Bayesian approach [8] is a mathematical estimation method, that consists of estimating a parameter the observations of which follow a Bernouli distribution by a Beta distribution. The Bayesian approach for nodes reputation regarding packet forwarding in MANET has already been used by Buchegger and Le-Boudec [4], but their solution requires periodic transmissions of huge control packets. Since misbehaving is usually exception rather than the norm, information exchange in our solution is limited to negative impressions, thereby it is simpler and engenders no overhead when nodes well-behave. Hereafter, we describe our Bayesian-based approach. Each node i thinks that each other node j misbehaves with probability θj , which is a random variable estimated by a Beta distribution Beta(a, b). For brevity we remove the indices in the following, and simply denote this probability by θ. Initially with no prior information, θ is assumed uniform in [0,1], which is idem to Beta(1,1). As observations, that follow a Bernoulli distribution with parameter θ, are made, a and b are updated as follows: a = a + u, b = b + 1 − u where u=1 if the observation consists of a dropping, and 0 otherwise. A dropping in our solution is a lack of a required two-hop ACK. If the monitor does not ask a two-hop ACK, the observation is considered as non-dropping. After as many observations as the decision could be made (θ could be approximated by the mathematical expectation E(Beta(a, b))), j will be judged. This point is denoted by the decision point, and the number of observations is expressed by a+b. j will be accused as misbehavior as soon as: E(Beta(a, b)) > Emax . Note that: E(Beta(a, b)) = a/(a + b). Emax could be fixed to 0.5, or for more efficiency it should be estimated empirically for each network as follows: 1) Make simulations with no misbehaving and compute E at each node for different scenarios that estimate the network. 2) Retrieve the maximum value in all scenarios from the decision point then consider it as Emax In Buchegger’s approach [4], every node periodically broadcasts in its neighborhood each θj . Nodes used this information (known as second hand information) to update their own opinion on nodes’ behavior. To decide about the acceptance

of a provided information, each node performs complicated tests on the trustworthiness of the provider. The problem with this proactive solution is the important overhead, even if nodes well-behave. Our approach is rather reactive, thus no such information are exchanged. Indeed, each node performs monitoring separately and informs the others in order to isolate the attacker as soon as it judges it, as we will see in the following with more details.

k validation from its neighbors, with at least one provided by direct experience (without asking the successor of the accused), it broadcasts in the network an accusation packet (AC), containing signatures of all validating nodes. The requirement of at least one direct witness will be argued later. Each node receiving such a valid accusation isolates the guilty. Otherwise, if the detector fails to collect k validation it does not isolate the detected node, but keeps it in the suspicious set.

C. Isolation Isolating a misbehaving node means: • do not route packets through it, to avoid losing them • do not forward packets for it, to punish it A node X that judges some other node Y as misbehaving should not isolate it unilaterally, but it must ensure its isolation by all nodes. This because when X unilaterally isolates Y, the others could consider X as misbehaving when they realize that it does not forward packets for Y. In social life, a person that accuses another for a crime must show proofs. One possible way to do so is to get a witness against the accused person. Identically, we suggest a testimony-based protocol to isolate a detected node. Upon a detection, the detector informs nodes in its neighborhood about the dropper (the accused), and asks for witnesses by broadcasting a WREQ (Witness REQuest) packet. It also put the detected node in a special nodes set we call suspicious set. Each node receiving WREQ immediately sends a signed WREP (Witness REPly) packet to the accuser in the following two cases: • if its suspicious set includes the accused • if the accused’s misbehaving expectation is close to Emax and/or the number of control packets detected dropped is close to the configured maximum threshold Otherwise, when it has not enough experience with the accused, and if it is its neighbor then it asks the successor of the accused node whether it has received packets forwarded from this latter, by sending an ACREQ (ACcusation REQuest) packet using a route that does not include the accused. But first, in order to ovoid false accusations, the investigator should ensure that the accuser has really sent a packet to the accused to be forwarded to the appropriate successor. One possible way to do this is to check whether such a packet has been recently overheard using the promiscuous mode. The node also should check whether the accused has sent the accuser an ACK just after overhearing the data, to ensure that it has really received the packet and that the accuser is not impressing it, as it will be illustrated later. Note that unlike the watchdog, the information provided from the promiscuous mode are not used for the monitoring, but only for testifying, aiming at improving efficiency on detections. If the accused’s successor has not recently received any packet forwarded from the accused, it sends a signed ACREP (ACcusation REPly) packet to the investigator, then this latter testifies to the accusation and sends the accuser a signed WREP (Witness REPly) packet. When the detector collects

III. A NALYSIS Getting rid of the promiscuous mode based monitoring makes our monitoring solution independent of transmission powers, and resolves the watchdog false detection problem related to the employment of the power-control technique. Moreover, our solution resolves some watchdog’s problems related to collisions. If we assume the average path length is H hops, the average communication complexity of our monitoring technique for n packet is: O( (1+p2trust ) × (H − 1) × n) two-hop ACK transmissions, it converges to O(ptrust × (H − 1) × n) when all nodes on the route well-behave. This reduces the communication complexity of the ordinary two hop ACK (our first monitoring solution) which is O((H − 1) × n). That is by a factor of 1/Ptrust . Now, we discuss the efficiency in detection of the random two-hop ACK vs. the ordinary two-hop ACK. We assume that there is no packet loss. Later in our simulation study we will make more investigations of more realistic scenarios with mobility and collusion. Like in the Bayesien judgment, we suppose that the monitored node misbehaves (drop the packet) with a probability θ, i.e the behavior of the node for each packet follows a Bernoulli distribution with a parameter θ. Monitoring n packets could be considered as simply the repetition of the previous operation (monitoring one packet) n times. Therefore, the number of packets dropped (pdr) for n packets is a random variable that is the sum of n random variables which follows a Bernoulli distribution with parameter θ, thus follows a Binomial distribution with expectation: E(pdr) = θ × n. Theoretically, the ordinary two hop ACK detects all this number of packets (when the assumption of no packet loss is held). The purpose now is to asses the number of packets dropped and detected (pd) by the random two hop ACK, i.e E(pd). The probability of requesting an ACK is continuously updated, it differs from one operation (monitoring one packet) to another according to the result of the previous operation and the previous behavior. We denote the algorithm’s probability of requesting an ACK for a packet i (the value of p set by the algorithm for the packet i, which is a random variable) by Pi . Consequently, The real probability (in the execution) of asking an ACK for packet i + 1 would be expressed by E(Pi ). Pi is fixed to 1 if in the previous operation the packet was dropped and

The number of packets detected by the random strategy (pd) also follows a Binomial distribution, since it is the results of repeating a Bernoulli operation n times with parameter θ × Pi , but the only difference from the continuous requesting is that in this latter strategy (Pi ) is not constant. We have: E(pd) =

n X

E(θPi ) = θ

i=1

Not that P1 = 1.

n X

E(Pi )......(2)

i=1

Lemma 1: ∀i ≥ 1, E(Pi ) = θi−1 (1 − Ptrust )i + Ptrust

i−1 X

θj (1 − Ptrust )j

j=0

Proof: We prove this lemma by recurrence on i. For i=1. We simply replace i by 1 in the formula, then we get E(P1 ) = 1 which is correct. Now assume the formula is held for i-1 then we will prove it for i. Hence by assumption: i−2 X i−2 i−1 E(Pi−1 ) = θ (1 − Ptrust ) + Ptrust θj (1 − Ptrust )j j=0

By replacing this expression of E(Pi−1 ) in (1) we obtain: E(Pi ) = Ptrust + θ(1 − Ptrust ) × (θi−2 (1 − Ptrust )i−1 + i−2 X θj (1 − Ptrust )j ) = Ptrust + θi−1 (1 − Ptrust )i + Ptrust j=0

Ptrust

i−1 X

θj (1 − Ptrust )j =

j=1

θi−1 (1 − Ptrust )i + Ptrust (1 +

i−1 X

θj (1 − Ptrust )j ).

j=1

Since θ0 (1 − Ptrust )0 = 1, we conclude: i−1 X θj (1 − Ptrust )j  E(Pi ) = θi−1 (1 − Ptrust )i + Ptrust j=0

Using this lemma, formula 2 could be developed into: n

n

1−θ (1−Ptrust ) θP trust E(pd) = 1−θ(1−P trust) × n + θ(1 − Ptrust ) 1−θ(1−Ptrust ) × θPtrust (1 − 1−θ(1−P )......(3) trust )

The steps of simplification are removed due to space limitation. This probability depends on many parameters, we will try 2 The probability of detection is the probability of asking an ACK in the (i − 1)th operation

1 0.9 0.8 Detection Ration

detected, that is with the probability 2 θ × E(Pi−1 ), since the events dropping the ith packet and requesting ACK for the (i − 1)th packet are independent. Otherwise, it is fixed to Ptrust , i.e with probability 1 − θ × E(Pi−1 ). Therefore, the mathematical expectation of Pi could be expressed by: 1 × θE(Pi−1 ) + Ptrust (1 − θE(Pi−1 )). Hence: E(Pi ) = Ptrust + θ(1 − Ptrust )E(Pi−1 )......(1)

0.7 0.6 0.5 0.4

Ptrust=1/4 Ptrust=1/2 Ptrust=3/4

0.3 0.2 0.1

0.2

0.3

Fig. 1.

0.4

0.5 0.6 Theta

0.7

0.8

0.9

1

Detection Ratio

to investigate it vs some usual values of Ptrust . θ For Ptrust = 1/4, E(pd) ≈ 4−3θ ×n θ for Ptrust = 1/2, E(pd) ≈ 2−θ × n 3θ and finally, for Ptrust = 3/4: E(pd) ≈ 4−θ ×n Figure 1 illustrates the approximated detection ratio according to θ. We mean by detection ratio E(pd)/E(pdr) Ptrust = 0.5 strikes a balance between efficiency and cost. It decreases the complexity overhead as much as half, while keeping the detection ratio good enough. Contrary to Ptrust = 0.25 that has too low values for low and average misbehaving, and to Ptrust = 0.75 that does not reduces the overhead enough. Thus, we fix Ptrust = 0.5 later in our simulation study. As illustrated, authentication of the two-hop ACK packet is ensured by employing encreption/decreption operations on the random number generated by the monitor and piggybacked to the monitored packet. For this, we propose to use the ECC encryption algorithm [9], which is more time-efficient than the standard RSA. The encryption time completely depends on the computation power of nodes and the length of keys. Anyway, our encryption operations have minor impact, since they are applied merely on the random number and not on the whole packet holding it. Because a packet dropping might be unintentional due to nodes mobility and channel conditions, accusation should not be made upon one dropping detection, but more observations must be noted. We have proposed a Bayesian approach to make such a judgment, where each node estimates each other’s misbehavior with a probability that follows a Beta(a,b) distribution, whose parameters (a,b) are updated as observations are made. When enough observations with regard to a given monitored node are collected such that the judgment point is reached, the monitoring node will accuse the monitored one as soon as the estimated probability (E(Beta(a, b))) exceeds the configured maximum tolerance, i.e E(Beta(a, b)) > Emax . E(Beta(a, b)) > Emax ←→

a a+b

> Emax ←→ a >

b∗Emax : 1−Emax

b∗Emax This latter ( 1−E ) represents the tolerable number of max packets, which is proportional to b, the number of packets forwarded. More the node forward packets, more its tolerable threshold increases.

Forwarding packets after an unintentional or intentional droppings that does not results in accusation would decrease E, which allows redemption before accusation. This redemption could not be possible when setting the tolerable threshold to a fixed number of packets. Note that the strategy of dropping up to the tolerable threshold is not efficient for an attacker, since it cannot know whether and how much the monitor will notice false observations due to channel conditions or node’s mobility. Upon the detection of a misbehaving, the detector launches locally in its neighborhood a call for witnesses using a broadcast control packet. This costs only one transmission. Neighbors that considers the accused as suspicious, or those that are monitoring the accused node and whose misbehaving estimations against it are close to the tolerable threshold testify against it by sending the requestor a signed reply packet. Those which have not enough experience with the accused investigate this accusation and ask the accused’s successor whether it has recently received packets from the accused. But first, they ensure that the accuser really sent the packet to the accused to forward to the claimed successor. To do this they must be neighbor of the accused, otherwise they do not testify. The following example illustrates and analyzes the investigation: Assume three aligned nodes A, B and C, and another node D in A’s range, as illustrated in figure 2. When A accuses B to not forward packets to C and sends a call for witnesses, D investigates the issue. But before asking C it ensures that A has really sent the packet and B has received it, by checking the data packet and ACK overheard. If it has recently received the data packet, D could not ensure that B has received it. For instance, if D is closer to A than B, A (attempting a DoS attack against B) could send the packet in a power strong enough to be overhead by D, but not by B. Requiring the ACK 3 reception from B just after the data ensures that B has really received the data from A. To do this, D simply safeguards the overheard packets (their headers) during a short period. This way, a node that asks the accused’s successor has no doubt that the accused has received a data packet to forward to the successor in question. Any collision at D prevents it from testifying, but has no effect on false detections. Upon the reception of the ACREQ, the asked node (C) replies with a signed ACREP packet if it has not received any packet from B. A coincidental collision at C at that moment, however, would result in a false reply if A is attempting a DoS attack, then in a false testimony. Nevertheless, the requirement of at least one direct testimony (provided from a direct experience) mitigates wrong accusation caused by this kind of false testimonies. The signature of the packets prevents their spoofing, thus no node could testify using the ID of another. The accuser have to collect k different signatures to approve its accusation. Theoretically, k − 1 is the maximum number of misbehaving nodes that could exists at any time. In practice, 3 The source of this ACK should be authenticated at the MAC level, to prevent spoofing MAC addresses

Fig. 2.

Example of a nodes’ connections

however, it is hard to determine such a number, so it should be fixed to strike a balance between efficiency and robustness. Setting k to a high value increases the robustness of the protocol against false detections and rumors, but decreases its efficiency regarding true detections. On the other hand, a low value of k allows high detections, but opens the vulnerability of rumors and increases the unintentional false detections (false positives), since k nodes could collude to accuse maliciously any node, or could wrongly accuse it. This issue related to k will be investigated later in our simulations. Once the accuser collects k valid signatures, it broadcasts an accusation packet including all signatures through the network to isolate the guilty. This broadcast is costly, but it is not performed until a node is detected and approved as misbehaving. Expect for monitoring, our solution requires no overhead as long as nodes well-behave, as no opinions are exchanged periodically. This makes our solution reactive, unlike the current solutions reputation-based solutions [1]. Regarding monitoring, the randomization of the two-hop ACK reduces dramatically the overhead, as it will be shown in the following section. Also, the inclusion of two-hop ACK in the ordinary ACK for each first hop reduces the number of twohop ACK packets as much as half compared with a separate transmission on each hop. IV. S IMULATION - BASED ASSESSMENT To asses the performance of our solution in mobile environment, we have driven a GloMoSim-based [10] simulation study we present hereafter. We have simulated a network of 50 nodes, located in an area of 1500 × 1000m2, where they move following the random waypoint model during the 900 seconds of simulation time. To generate traffic, we used three CBR sessions between remote nodes, each session consists of continually sending a 512 bytes data packet each second. On each hop, each data packet is transmitted using a controlled power according to the distance between the transmitter and the receiver. In these conditions we remarked many link changes and collisions. First, we remarked that our monitoring approach improves dramatically the detection rate compared to the watchdog, i.e decreases the false detections and increases the true detections. We also remarked that the random version reduces the overhead while keeping the efficiency to close to the ordinary twohop ACK. Figure 3 shows the false detection rate of the two versions of our monitoring approach and the watchdog vs the rate of misbehaving nodes. Figures regarding the true detection and the overhead are omitted because of space limitation. To investigate the impact of the parameter k (the required

False Detection rate

False positive rate

0.24

0.3 2HopACK Random2HopACK WD

0.22

Detection

2Witness 1Witness

0.25 False positive rate

0.2 0.18 0.16 0.14 0.12

0.2 0.15 0.1

0.1 0.05 0.08 0.06

0 0

5

10

15

20

25

30

35

40

45

50

0

Misbehaving nodes rate

Fig. 3.

5

10

15

20

Misbehaving monitored nodes rate

False detection vs. Misbehaving rate

Fig. 5.

False detection vs. Misbehaving rate

True positive rate

True positive rate

1

0.8

0.6

0.4 2Witness 1Witness

0.2

0 2

Fig. 4.

4

6

8 10 12 14 16 Misbehaving monitored nodes rate

18

20

True detection vs. Misbehaving rate

number of witnesses) we compare two versions, respectively denoted by one witness and two witness (the first with k = 1 while the second with k = 2). As illustrated in figure 4 and 5, two witness considerably improves (decreases) false positive rate, but losses a little bit on true positive rate compared with one witness, especially when misbehaving rate exceeds 10%. False detections in our scenarios are due to nodes’ mobility and collisions. The one-witness version has unacceptable values with respect of this metric, particulary when misbehaving rate is low. Two-witness mitigates this shortcoming, and also cut down the vulnerability of collusive false accusation attack compared with one-witness, since more than two nodes have to collude to isolate a node. The parameter k could be increased to be less tolerant on false detections and false accusations attacks, but should depend on nodes’ connectivity to not loss efficiency on detections. In networks with low connectivity, it should not be increased lots, because this would prevent nodes from finding witnesses, and consequently reduces the detection efficiency. V. C ONCLUSION In this work we have proposed a solution to monitor and safely isolate malicious nodes that drop packets in MANET. Instead of relying the promiscuous monitoring (the watchdog), used by all the current solutions, our monitor is based on an efficient technique (namely random two hop ACK) that gets over the watchdogs limitations. Simulation results also show that the random requesting reduces the overhead, while keeping the efficiency on detection good enough. After detection, we proposed a testimony-based protocol, that enforces the detector to collect at least k witnesses before isolating the

detected node. Fixing k is a trade-off problem, high values mitigates rumors aiming DoS attacks as well false detections (especially for control packets with which we have been more sever), but reduces the efficiency on detections, contrary to low values. In our simulation, the protocol with two witnesses showed considerable improvement regarding false accusation while keeping the true detection good enough. This parameter could be risen to ensure more robustness, but should depend on the connectivity to keep efficiency. In this proposal we have focused on data packets. As perspective, we plan to complete the solution to deal with selfishness misbehavior. Contrary to an attacker, a selfish dropper is not interested in dropping only data packets, but also control packets, to exclude itself from routes. We especially aim at proposing solutions for control packets. R EFERENCES [1] D. Djenouri, L. Khalladi, and N. Badache, “A survey of security issues in mobile ad hoc and sensor networks,” IEEE Communications Surveys and Tutorials, vol. 7, no. 4, pp. 2–28, 2005. [2] Y.-C. Hu and A. Perrig, “A survey of secure wireless ad hoc routing,” IEEE Security and Privacy, vol. 2, no. 3, pp. 28–39, 2004. [3] D. Djenouri and N. Badache, “New power-aware routing for mobile ad hoc networks,” The International Journal of Ad Hoc and Ubiquitous Computing (Inderscience), vol. 1, no. 3, 2005. [4] S. Buchegger and J.-Y. Le-Boudec, “A robust reputation system for p2p and mobile ad-hoc networks,” in Second Workshop on the Economics of Peer-to-Peer Systems, Barkeley, CA, USA, June 2004. [5] P. Michiardi and R. Molva, “CORE: A collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks,” in Communication and Multimedia Security Conference, Portoroz, Slovenia, September 26-27 2002. [6] B. David and A. David, “Dynamic source routing in ad hoc wireless networks,” in Mobile Computing. Kluwer Academic, 1996, vol. 353, pp. 153–181. [7] S. Capkun, L. Buttyan, and J.-P. Hubaux, “Self-organized public-key management for mobile ad hoc networks,” IEEE Transactions on Mobile Computing, vol. 2, no. 1, pp. 52–64, January 2003. [8] A. Davison, Bayesian Models, Chapter 11 in Manuscript. Springer, 2000. [9] V. Miller and N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of Computation, pp. 203–209, 1985. [10] X. Zeng, R. Bagrodia, and M. Gerla, “Glomosim: A library for the parallel simulation of large-scale wireless networks,” in The 12th Workshop on Parallel and distributed Simulation. PADS’98, Banff, Alberta, Canada, May 1998, pp. 154–161.