WO2009122437A2 - Security in mobile ad hoc networks - Google Patents

Info

Publication number
WO2009122437A2
Authority
WO
WIPO (PCT)
Prior art keywords
node
nodes
suspicious
means adapted
data
Prior art date
Application number
PCT/IN2009/000204
Other languages
French (fr)
Other versions
WO2009122437A3 (en
Inventor
Jaydip Sen
Original Assignee
Tata Consultancy Services Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tata Consultancy Services Limited filed Critical Tata Consultancy Services Limited
Publication of WO2009122437A2 publication Critical patent/WO2009122437A2/en
Publication of WO2009122437A3 publication Critical patent/WO2009122437A3/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/18 Self-organising networks, e.g. ad-hoc networks or sensor networks

Definitions

  • This invention relates to security in mobile ad hoc networks.
  • this invention envisages a novel way of detecting routing misbehavior in mobile ad hoc networks.
  • this invention relates to development of a security mechanism against gray hole attack in mobile ad hoc networks.
  • a mobile ad hoc network is a group of mobile nodes that cooperate and forward packets for each other.
  • Such networks extend the limited wireless transmission range of each node by multi-hop packet forwarding, and thus they are ideally suited for scenarios in which pre-deployed infrastructure support is not available. These networks are particularly suited to mission critical tactical battlefield applications.
  • MANETs have some special characteristic features such as unreliable wireless links used for communication between hosts, constantly changing network topologies, limited bandwidth, battery power, low computation power and the like. While these characteristics are essential for the flexibility of MANETs, they introduce specific security concerns that are either absent or less severe in wired networks. Gray Hole attack is one such security threat.
  • a gray hole is a node that probabilistically drops data packets in order to disrupt communications in a MANET. Due to its probabilistic nature, it is difficult to detect existence of a gray hole node in a MANET. The requirement of a security mechanism for detection of gray hole nodes in a MANET is thus very important.
  • the present invention is an attempt towards this direction.
  • U.S. Patent Application 20090049546 discloses a method of detecting malicious behavior in mobile ad-hoc wireless networks which comprises establishing a decoy instance of actual node operating software on an actual node in a mobile ad-hoc network; and monitoring communications involving the decoy instance to identify malicious behavior within the mobile ad-hoc network.
  • Patent Application numbered WO2008073573 discloses a method and apparatus for alerting nodes about a malicious node in a mobile ad-hoc communication system. This application banks more on probability of existence of a group of peripheral supposedly 'good' nodes to identify a supposed 'bad' node. This non-comprehensive method of detection is inherently ridden with errors relating to false positive detection, false negative detection and the like.
  • GB2428315 discloses methods of analyzing network nodes such as web servers using mobile software agents, and the network nodes themselves which interact with said agents.
  • the method includes determining a set of combinations of the target nodes, each combination having m number of nodes which is less than the total number of nodes in the network n; generating an assessment agent for each combination of target nodes, the agent having a migration path through the insecure network which includes each target node in the respective combination; dispatching the agents to the insecure network for the agents to interact with target nodes according to their respective migration path; receiving the agents following the interactions; identifying an agent which has not interacted with a misbehaving target node, and determining the misbehaving nodes as the nodes which are not on said agent's migration path.
  • An object of the invention is to provide an efficient, secure, uninterrupted and error-free communication among the nodes in a MANET.
  • Another object of the invention is to locate and eliminate any malfunctioning node in a network.
  • Yet another object of the invention is to accurately locate and eliminate malfunctioning nodes of a network.
  • an apparatus and method for gray hole detection for MANETs that has a high detection efficiency and low overhead of communication.
  • Experiments conducted with the system and method in accordance with this invention on a network simulator show the effectiveness and efficiency of the invention.
  • For development of the security mechanism for detection of gray hole nodes, some assumptions are made regarding the network.
  • Each node in the MANET is considered to be identical.
  • Each node may freely roam, or remain stationary in a location for an arbitrary period of time.
  • each node may join or leave the network or fail at any time.
  • the nodes perform peer-to-peer communication over shared, bandwidth-constrained, error-prone, and multi-hop wireless channel.
  • it is assumed that each node has a unique nonzero ID.
  • All the links in the network are assumed to be bi-directional. However, unlike most of the current security frameworks for MANETs, this invention does not assume promiscuous mode of operation of the wireless interfaces of the nodes.
  • the promiscuous mode may not only incur extra computation overhead and energy consumption in order to process the transit packets, but also it will not be feasible in cases where the nodes are equipped with directional antennas.
  • the invention involves means both for local and cooperative detection to identify any malicious gray hole nodes in the network. Once a node is detected to be really malicious, the scheme has a notification mechanism for sending messages to all the nodes that are not yet suspected to be malicious, so that the malicious node can be isolated and not allowed to use any network resources.
  • the invention comprises typically four means which are invoked sequentially. These means are: (1) Neighborhood Data Collection means, (2) Local Anomaly Detection means, (3) Cooperative Anomaly Detection means, and (4) Global Alarm Raiser means.
  • a system for detecting malicious gray-hole nodes in a mobile ad hoc network (MANET) comprising a plurality of nodes.
  • the system consists of the following means: a) node mapping means adapted to map each node of the MANET; b) data collection means adapted to collect data forwarding (routing) information from each of said mapped nodes to obtain a data routing record of said mapped nodes.
  • the data routing records enable identification and creation of a list of good nodes and suspicious nodes; c) local anomaly detection means adapted to determine the level of suspicion of each of said suspicious nodes; d) co-operative anomaly detection means adapted to identify one suspicious node at a time and monitor routing activity of said identified suspicious node with other nodes of the MANET to achieve a conformity status of said level of suspicion; e) global alarm raiser means adapted to send an alarm message in relation to said identified suspicious node to each of the other nodes of the MANET; and f) isolator means adapted to isolate each of said suspicious nodes from the MANET to achieve an error-free network.
  • the node mapping means is a timer based mapping means adapted to carry out mapping of said nodes of the MANET at pre-defined intervals of time.
  • the data collection means is a timer based data collection means adapted to carry out data collection of said mapped nodes of the MANET at pre-defined intervals of time.
  • the Neighborhood data collection means has further means to enable each node in the network to collect the data forwarding information in its neighborhood and store it in a table designated as Data Routing Information (DRI) table.
  • DRI: Data Routing Information
  • said data collection means includes: a) sender detector means adapted to detect the node from which data is sent; b) sender recorder means adapted to record information relating to whether data is sent from said detected node; c) receiver detector means adapted to detect the node where data is received; d) receiver recorder means adapted to record information relating to whether data is received by a receiver node from said detected node; e) computation means adapted to compute a ratio of request-to-send to clear-to- send messages for said detected node; and f) check bit means adapted to check whether the data sent from said detected node is received by said receiver node.
  • the Local anomaly detection means is invoked by a node when it identifies a suspicious node (SN) by examining its DRI table.
  • the Local anomaly detection means then adapts the 'Initiator Node' (IN) to initiate a local detection process by identifying a 'Cooperative Node' (CN).
  • the Local anomaly detection means further adapts the IN to involve all its neighbors and the CN in a detection procedure that computes the level of suspicion in the SN. If the level of suspicion exceeds a threshold then the Cooperative Anomaly Detection means is invoked.
  • said local anomaly detection means comprises: a) first designator means adapted to designate an initiator node in relation to said suspicious node; b) second designator means adapted to designate at least one co-operative node in relation to said suspicious node; said co-operative node being a neighbouring node; c) engaging means adapted to engage a subnetwork, for test routing of data, involving said designated initiator node and said co-operative nodes in relation to said suspicious node; d) invoking means adapted to invoke a detection procedure to compute a level of suspicion for said suspicious node, in relation to data sent to said suspicious node, data received by said suspicious node, data sent by said suspicious node, and data received by said co-operative nodes; and e) comparator means adapted to compare said level with a pre-defined level to verify said level of suspicion.
  • the objective of the Cooperative Anomaly Detection means is to increase the detection reliability by reducing the probability of false detection by the local anomaly detection means.
  • the cooperative detection means adapts the nodes in the neighborhood of the suspected node to actively participate and exchange messages amongst them so as to arrive at a conclusion regarding the true nature of the suspected node i.e. whether it is malicious or honest. If the SN is found to behave like a gray hole it is isolated from the network by invocation of the Global Alarm Raiser means.
  • said co-operative anomaly detection means comprises: a) selecting means to select one suspicious node; b) routing means adapted to engage routing of information between a selected suspicious node and its neighbouring nodes; and c) monitoring means adapted to monitor activity during the said routing of information between said selected suspicious node and its neighbouring cooperative nodes to achieve a conformity status of said level of suspicion.
  • the Global Alarm Raiser means is invoked to establish a network wide notification system for sending alarm messages to all the nodes in the network about the gray hole node that has been detected by the Cooperative Anomaly Detection means. It also ensures that the identified malicious node is isolated so that it cannot use any network resources.
  • the invention is evaluated in network simulator ns-2 for the purpose of evaluation of its performance.
  • the metrics that are used for evaluating performance are: (1) False positive rate - the probability of incorrectly identifying a legitimate node as malicious, (2) Misdetection (false detection) - the probability of failure in detecting a malicious node, (3) Data packet delivery ratio - the percentage of data packets that are successfully delivered, and (4) Communication overhead due to the control packets of the security system in accordance with this invention.
  • misdetection rate is maximum in a static network and starts dropping with the mobility of the nodes. This is because in a static network if a gray hole node remains stationary in a sparsely populated region, its neighbors may not be able to punish it since there may not be requisite minimum number of neighboring nodes to arrive at a consensus. On the contrary, in a mobile network, mobility increases the probability that other nodes roam into the region of the gray hole node, or the gray hole node enters into a densely populated region. As a result, it is less likely that a gray hole would be able to escape without being detected.
  • Communication overhead of the invention is also studied. It is found that with the increase in number of gray holes, the overhead increases.
  • the communication overhead is measured by the percentage of control packets required to route different number of data packets in the network.
  • the normal AODV performance is taken as the baseline. It is observed that the overhead of the invention drops as the number of data packets transmitted is increased. This demonstrates the efficiency of the system and apparatus in accordance with this invention.
  • Figure 1 shows Topology of a MANET
  • Figure 2 shows the configuration of the apparatus in the system
  • Figure 3 shows Table 1: DRI table of Node 7;
  • Figure 4 shows Table 2: Probe Check Table for Node 7;
  • Figure 5 shows Table 3: simulation parameters
  • Figure 6 shows a graph of False detection rate vs. nodes' mobility in m/s
  • Figure 7 shows a graph of Misdetection rate vs. nodes' mobility
  • Figure 8 shows graph of Data packet delivery rate vs. no. of gray hole nodes
  • Figure 9 shows: Control packet overhead for different no. of data packets.
  • the invention involves both local and cooperative detection to identify any malicious gray hole node in the network. Once a node is detected to be truly malicious, a notification mechanism is sent to all the nodes in the network, so that the malicious node can be isolated and not allowed to use any network resources.
  • the invention has four security means that are invoked sequentially. These means are described in detail with reference to figure 2 of the accompanying drawings:
  • Node Mapping means (05) A MANET typically comprises a plurality of nodes. Nodes may either be good nodes capable of effective transmission or may be bad/suspicious nodes which are potentially malicious and can disrupt communication in the network.
  • the node mapping means (05) maps each node of the network to a unique non-zero Node ID for proper identification of each node in the MANET.
  • Each node in the network collects the data forwarding information in its neighborhood and stores it in a table known as the Data Routing Information (DRI) table.
  • The DRI table of node 7 in Figure 1 is shown in Table 1 in Figure 3.
  • node 7 maintains packet routing information of its neighbor nodes 1, 2, 6, 8, and 9.
  • An entry '1' for a node under the column 'From' implies that node 7 has forwarded data packets coming from that node, and an entry '1' for a node under the column 'Through' implies that node 7 has forwarded data packets to that node.
  • node 7 has neither forwarded any data packet from node 1 nor has it forwarded any data packet to node 1. However, node 7 has forwarded data packets to node 2 and also has forwarded data packets that have come from node 2. In this way, each node constructs its DRI table. After a certain threshold time interval (this depends on the mobility of the network), each node identifies its neighbors with which it has not interacted and invokes subsequent detection means to probe them further. This identification is done on the basis of the nodes that have '0' entries both in the 'From' and 'Through' columns in the DRI table. For example, as shown in Table 1 in Figure 3, node 7 has not communicated with node 1.
  • the node 7 invokes the local anomaly detection means 20 for node 1.
  • the 'RTS/CTS' column in the DRI table gives the ratio of the number of request to send (RTS) messages to the number of clear to send (CTS) messages for the corresponding node. This gives a rough idea about the number of requests arriving at the node for data communication and the number of packet transmissions that the node is actually doing. The significance of the column 'CheckBit' in the DRI table will be discussed whilst discussing the local anomaly detection means (20).
  • This security means is invoked by a node when it identifies a suspicious node by examining its DRI table.
  • the node that initiates the local anomaly detection means (20) is called Initiator Node (IN).
  • the IN first chooses a Cooperative Node (CN) in its neighborhood based on its DRI records and broadcasts a RREQ message to its 1-hop neighbors requesting for a route to the CN. In reply to this RREQ message, the IN will receive a number of RREP messages from its neighboring nodes.
  • CN: Cooperative Node
  • After receiving the RREP from the SN, the IN sends a probe packet to the CN through the SN. After the time to live (TTL) value of the probe packet is over, the IN enquires of the CN whether it has received the probe packet. If the reply to this query is affirmative, then the IN updates its DRI table by making an entry '1' under the column 'CheckBit' against the node ID of the SN. However, if the probe packet is found to have not reached the CN, the IN increases its level of suspicion about the SN and activates the cooperative anomaly detection means (30).
  • TTL: time to live
  • node 7 acts as the IN and initiates the local anomaly detection means (20) for the SN (node 1) and chooses node 2 as the CN.
  • Node 2 is the most reliable node for node 7 as both the entries under columns 'From' and 'Through' for node 2 are '1'.
  • Node 7 broadcasts a RREQ message to all its neighbor nodes 1, 2, 6, 8 and 9 requesting them for a route to the CN, i.e., node 2 in the example.
  • After receiving a RREP from the SN (node 1), node 7 sends a probe packet to node 2 via node 1. Node 7 then enquires of node 2 whether it has received the probe packet.
  • If node 2 has received the probe packet, node 7 makes an entry '1' under the column 'CheckBit' in its DRI table corresponding to the row of node 1. If node 2 has not received the probe packet, then node 7 invokes the cooperative anomaly detection means (30).
  • Cooperative Anomaly Detection means (30) The objective of this means is to increase the detection reliability by reducing the probability of false detection of local anomaly detection means (20).
  • This means (30) is activated when an IN observes that the probe packet it had sent to the CN through the SN did not reach the CN.
  • the IN sends the cooperative detection request message to all the neighbors of the SN.
  • When the neighbors of the SN receive the cooperative detection request message, each of them sends a RREQ message to the SN requesting a route to the IN.
  • After the SN responds with a RREP message, each of the requesting nodes sends a 'further probe packet' to the IN along that route.
  • This route will obviously include SN, as SN is a neighbor of each requesting node and the IN as well.
  • Each neighbor of the SN (except the IN) now notifies the IN that a 'further probe packet' has already been sent to it.
  • the IN now constructs a ProbeCheck table.
  • the ProbeCheck table has two fields: NodeID and ProbeStatus. Under the NodeID field, the IN enters the identifiers of the nodes which have sent notification messages to it. An entry '1' is made under the column 'ProbeStatus' for the nodes from which the IN has received the 'further probe packet'.
  • An example ProbeCheck table for node 7 of the network in Figure 1 is presented in Table 2 of Figure 4. It can be observed that node 7 has received the 'further probe packet' from all the neighbors of the SN (node 1) except node 2. There may be a possibility that the probe packet might not have been maliciously dropped by the SN, rather it has been lost because of collision or buffer overflow. To avoid mathematical complexity, the invention involves a simple mechanism where each node sends three 'further probe packets' interspersed with a small time interval. If none of these three packets from a neighbor are received by the IN, the SN is believed to be behaving like a gray hole for that node during that time.
  • This gray hole behavior may be exhibited for a single node (as for node 2 in Table 2 in Figure 4) or may be for a group of nodes.
  • the frequency of invocation of the detection means in accordance with this invention is important for ensuring the desired throughput in the network as a gray hole may quickly change its phase from 'good' to 'bad'.
  • the periodicity of invocation is to be based on the maximum percentage of packet drop that the network application can afford. In the worst case, a gray hole will just change its phase from 'good' to 'bad' immediately after the invocation of one round of the detection system in accordance with this invention is over and will switch back to 'good' phase just before the next invocation. Although such a situation may be quite unlikely, the invocation frequency should be based on the estimation of the number of packets that the gray hole may drop during that period and the maximum rate of packet drop that the application may afford.
  • Global Alarm Raising Procedure (40): This means is invoked to establish a network-wide notification system for sending alarm messages to all the nodes in the network about the gray hole node that has been detected by the Cooperative Anomaly Detection means (30). It also ensures that the identified malicious node is isolated so that it cannot use any network resources.
  • the detection and isolation mechanism of malicious nodes may involve a security problem.
  • a group of malicious nodes can collude together to launch a bad mouthing attack by falsely accusing a legitimate node and isolating it from the network.
  • the present invention proposes a mechanism that is similar to threshold cryptography.
  • In this mechanism, when a node identifies a suspected node to be malicious by invocation of the cooperative detection procedure, it sends a digitally signed (using its private key) alarm message to all its neighbors.
  • the full signature is constructed when at least k nodes put their signatures into the alarm message. Once the alarm message is authenticated with the full signature, the suspected node is isolated from the network.
  • a node ID is entered into a global list of malicious nodes called 'faulty list'. The faulty list is periodically flooded in the network, as and when an update is made into it.
  • the invention is implemented in network simulator ns-2 for the purpose of evaluation of its performance.
  • the MAC layer protocol and the routing protocol used are 802.11 DCF and AODV respectively.
  • An improved version of 'random waypoint' is used as the mobility model.
  • the host pause time is chosen to be zero to simulate a continuously mobile network.
  • Malicious gray holes are simulated using a two-phase Markov Chain Machine. While in the good phase none of the gray holes drop any packet, in the bad phase, packets are dropped based on a function that generates a random number between a maximum value (MAX RATE) and a minimum value (MIN RATE).
  • the simulation parameters are presented in Table 3 in Figure 5. Following metrics are used for evaluating the performance:
  • Data packet delivery ratio: the percentage of data packets that are successfully delivered.
  • Communication overhead: the overhead due to control packets of the invention.
  • Figure 6 shows how false positive rate varies with mobility of the nodes for different percentages of gray hole nodes in the network.
  • the maximum value of the observed false positive rate is found to be 7%.
  • the false positive rate increases as the nodes move faster. If a node constantly moves at a high speed, it can gather only partial information about its transmission with its current neighbors. As a result, it is more likely to make mistakes.
  • Figure 7 depicts the variation of misdetection rate with nodes' mobility for different percentages of gray hole nodes. It is seen that misdetection ratio is maximum (12%) in a static network and starts dropping with the mobility of the nodes. This is because in a static network, if a gray hole remains in a sparsely populated region, its neighbors may not be able to punish it since there may not be requisite k number of nodes to arrive at the consensus. On the contrary, in a mobile network, the mobility increases the probability that other nodes roam into the region of the gray hole node, or the gray hole node enters into a densely populated region. As a result, it is less likely that the gray hole would be able to escape without being detected.
  • Figure 8 shows how the data packet delivery ratio varies with respect to the number of gray hole nodes for the normal AODV protocol and for the current invention. It is observed that even when 20% of the nodes in the network are malicious gray holes, the percentage of packets successfully delivered is more than 90% if the proposed security protocol is applied. However, 100% packet delivery ratio is not achieved even with the current invention. A careful analysis of the trace files has shown that most of the packet loss occurs during the detection and reaction phase of the system in accordance with this invention.
  • Figure 9 shows the overhead due to communication of control packets for different numbers of data packets. It has been observed that with the increase in number of gray holes, the overhead increases. The results have been reported for the worst case scenario when the percentage of malicious nodes in the network is 20%.
  • the communication overhead is shown as the percentage of the number of control packets required to route different numbers of data packets in the network.
  • the normal AODV performance is taken as the base line. It is observed that the overhead drops as the number of data packets transmitted is increased. This demonstrates the efficiency of the invention in terms of communication overhead.
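
The detection sequence described above (DRI table check, local probe through the SN, three 'further probe packets' per neighbour, ProbeCheck table, alarm accepted only with at least k signers), as an added Python example that is not part of the patent text. The DRI rows other than nodes 1 and 2, the neighbour list, the `Relay` class and all function names are constructed for illustration; signatures are modelled as a set of node IDs (the IN plus each neighbour whose probes were all lost), which is an assumption about who co-signs.

```python
import random

# Constructed DRI table held by node 7. Rows for nodes 1 and 2 follow the
# text (1: no traffic either way, 2: traffic both ways); the rest are made up.
DRI_NODE7 = {
    1: {"from": 0, "through": 0, "check_bit": 0},
    2: {"from": 1, "through": 1, "check_bit": 0},
    6: {"from": 1, "through": 0, "check_bit": 0},
    8: {"from": 0, "through": 1, "check_bit": 0},
    9: {"from": 1, "through": 1, "check_bit": 0},
}
# Constructed neighbour list of the suspicious node 1, excluding the IN.
SN_NEIGHBOURS = {1: [2, 3, 4]}


class Relay:
    """Forwarding behaviour of one node (simulation model, assumed names).

    Two-phase Markov chain: nothing is dropped in the good phase; in the bad
    phase the drop rate is drawn between min_rate and max_rate. `loss` stands
    for collisions or buffer overflow. An honest node never turns bad.
    """

    def __init__(self, rng, to_bad=0.0, to_good=0.0, min_rate=0.0,
                 max_rate=0.0, loss=0.0, bad=False):
        self.rng, self.bad, self.loss = rng, bad, loss
        self.to_bad, self.to_good = to_bad, to_good
        self.min_rate, self.max_rate = min_rate, max_rate

    def forwards(self):
        """Advance the chain one step; True if the packet is forwarded."""
        if self.rng.random() < (self.to_good if self.bad else self.to_bad):
            self.bad = not self.bad
        drop = self.rng.uniform(self.min_rate, self.max_rate) if self.bad else 0.0
        return self.rng.random() >= 1.0 - (1.0 - drop) * (1.0 - self.loss)


def suspicious_nodes(dri):
    """Neighbours with '0' in both the 'From' and 'Through' columns."""
    return sorted(n for n, r in dri.items() if not r["from"] and not r["through"])


def choose_cooperative_node(dri):
    """Most reliable neighbour: '1' in both columns. Lowest ID wins a tie
    (tie-break rule assumed here)."""
    trusted = sorted(n for n, r in dri.items() if r["from"] and r["through"])
    return trusted[0] if trusted else None


def local_detection(dri, sn, relay):
    """IN sends one probe to the CN through the SN; set CheckBit on delivery.
    Returns False when the probe is lost and cooperative detection is due."""
    delivered = relay.forwards()
    if delivered:
        dri[sn]["check_bit"] = 1
    return delivered


def cooperative_detection(sn_neighbours, relay, probes=3):
    """Build the IN's ProbeCheck table: each neighbour of the SN sends three
    'further probe packets' via the SN; ProbeStatus is 1 if any one arrives."""
    return {n: int(any([relay.forwards() for _ in range(probes)]))
            for n in sn_neighbours}


def alarm_quorum(sn, signers, k, faulty_list):
    """Isolate the SN only when at least k distinct nodes signed the alarm,
    so fewer than k colluding accusers cannot evict a legitimate node."""
    if len(set(signers)) >= k:
        faulty_list.add(sn)
        return True
    return False


def run_round(in_id, dri, relays, k, faulty_list):
    """One detection round by the IN over every suspicious node in its DRI."""
    verdicts = {}
    cn = choose_cooperative_node(dri)
    for sn in suspicious_nodes(dri):
        if cn is None:
            verdicts[sn] = "no cooperative node"
        elif local_detection(dri, sn, relays[sn]):
            verdicts[sn] = "cleared"
        else:
            table = cooperative_detection(SN_NEIGHBOURS[sn], relays[sn])
            lost = [n for n, status in table.items() if status == 0]
            if not lost:
                verdicts[sn] = "cleared"
            elif alarm_quorum(sn, [in_id] + lost, k, faulty_list):
                verdicts[sn] = "isolated"
            else:
                verdicts[sn] = "suspected"
    return verdicts


if __name__ == "__main__":
    import copy
    gray = Relay(random.Random(7), to_bad=0.3, to_good=0.3,
                 min_rate=0.5, max_rate=1.0, bad=True)
    faulty = set()
    print(run_round(7, copy.deepcopy(DRI_NODE7), {1: gray}, 3, faulty), faulty)
```
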

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A system for detecting malicious gray-hole nodes in a mobile ad hoc network (MANET) comprising a group of nodes, said system comprising node mapping means adapted to map each node in the MANET; data collection means adapted to collect data forwarding (routing) information from each node to obtain a data routing record of the node, in order to enable identification and creation of a list of good nodes and suspicious nodes; local anomaly detection means adapted to determine level of suspicion of each of said suspicious nodes; co-operative anomaly detection means adapted to identify one suspicious node at a time and monitor routing activity of said identified suspicious node with other nodes of said network to achieve a conformity status of said level of suspicion; global alarm raiser means adapted to send an alarm message in relation to said identified suspicious node to each of the other nodes of the MANET; and isolator means adapted to isolate each of said suspicious node from the MANET to achieve an uninterrupted communication in the network.

Description

SECURITY IN MOBILE AD HOC NETWORKS
Field of the Invention:
This invention relates to security in mobile ad hoc networks.
In particular, this invention envisages a novel way of detecting routing misbehavior in mobile ad hoc networks.
Still particularly, this invention relates to development of a security mechanism against gray hole attack in mobile ad hoc networks.
Background of the Invention:
A mobile ad hoc network (MANET) is a group of mobile nodes that cooperate and forward packets for each other. Such networks extend the limited wireless transmission range of each node by multi-hop packet forwarding, and thus they are ideally suited for scenarios in which pre-deployed infrastructure support is not available. These networks are particularly suited to mission critical tactical battlefield applications. MANETs have some special characteristic features such as unreliable wireless links used for communication between hosts, constantly changing network topologies, limited bandwidth, battery power, low computation power and the like. While these characteristics are essential for the flexibility of MANETs, they introduce specific security concerns that are either absent or less severe in wired networks. Gray Hole attack is one such security threat. A gray hole is a node that probabilistically drops data packets in order to disrupt communications in a MANET. Due to its probabilistic nature, it is difficult to detect existence of a gray hole node in a MANET. The requirement of a security mechanism for detection of gray hole nodes in a MANET is thus very important. The present invention is an attempt towards this direction.
Prior Art:
U.S. Patent Application 20090049546 discloses a method of detecting malicious behavior in mobile ad-hoc wireless networks which comprises establishing a decoy instance of actual node operating software on an actual node in a mobile ad-hoc network; and monitoring communications involving the decoy instance to identify malicious behavior within the mobile ad-hoc network.
Patent Application numbered WO2008073573 discloses a method and apparatus for alerting nodes about a malicious node in a mobile ad-hoc communication system. This application banks more on probability of existence of a group of peripheral supposedly 'good' nodes to identify a supposed 'bad' node. This non-comprehensive method of detection is inherently ridden with errors relating to false positive detection, false negative detection and the like.
GB2428315 discloses methods of analyzing network nodes such as web servers using mobile software agents, and the network nodes themselves which interact with said agents. The method includes determining a set of combinations of the target nodes, each combination having m number of nodes which is less than the total number of nodes in the network n; generating an assessment agent for each combination of target nodes, the agent having a migration path through the insecure network which includes each target node in the respective combination; dispatching the agents to the insecure network for the agents to interact with target nodes according to their respective migration path; receiving the agents following the interactions; identifying an agent which has not interacted with a misbehaving target node, and determining the misbehaving nodes as the nodes which are not on said agent's migration path.
None of these patents/patent applications has substantive means and accompanying methods for accurate location of a malicious gray-hole node in a network, and further verification of the activities of such suspected malicious gray-hole nodes is absent. Thus, there is a possibility that the network may be vulnerable to attacks if a comprehensive detection policy is not established. Hence, there is a need for a detection system to identify, locate and isolate malicious gray-hole nodes from a mobile ad hoc network.
Object of the Invention:
An object of the invention is to provide an efficient, secure, uninterrupted and error-free communication among the nodes in a MANET.
Another object of the invention is to locate and eliminate any malfunctioning node in a network.
Yet another object of the invention is to accurately locate and eliminate malfunctioning nodes of a network.
Summary of the Invention:
In accordance with this invention, there is provided an apparatus and method for gray hole detection for MANETs that has a high detection efficiency and low overhead of communication. Experiments conducted with the system and method in accordance with this invention on a network simulator show the effectiveness and efficiency of the invention. For development of the security mechanism for detection of gray hole nodes, some assumptions are made regarding the network. Each node in the MANET is considered to be identical. Each node may freely roam, or remain stationary in a location for an arbitrary period of time. In addition, each node may join or leave the network or fail at any time. The nodes perform peer-to-peer communication over shared, bandwidth-constrained, error-prone, and multi-hop wireless channel. For the purpose of differentiation, it is assumed that each node has a unique nonzero ID. All the links in the network are assumed to be bi-directional. However, unlike most of the current security frameworks for MANETs, this invention does not assume promiscuous mode of operation of the wireless interfaces of the nodes. The promiscuous mode may not only incur extra computation overhead and energy consumption in order to process the transit packets, but also it will not be feasible in cases where the nodes are equipped with directional antennas.
The invention involves means both for local and cooperative detection to identify any malicious gray hole nodes in the network. Once a node is detected to be really malicious, the scheme has a notification mechanism for sending messages to all the nodes that are not yet suspected to be malicious, so that the malicious node can be isolated and not allowed to use any network resources.
The invention typically comprises four means which are invoked sequentially. These means are: (1) Neighborhood Data Collection means, (2) Local Anomaly Detection means, (3) Cooperative Anomaly Detection means, and (4) Global Alarm Raiser means. According to this invention, there is provided a system for detecting malicious gray-hole nodes in a mobile ad hoc network (MANET) comprising a plurality of nodes. The system consists of the following means: a) node mapping means adapted to map each node of the MANET; b) data collection means adapted to collect data forwarding (routing) information from each of said mapped nodes to obtain a data routing record of said mapped nodes, the data routing records enabling identification and creation of a list of good nodes and suspicious nodes; c) local anomaly detection means adapted to determine the level of suspicion of each of said suspicious nodes; d) co-operative anomaly detection means adapted to identify one suspicious node at a time and monitor routing activity of said identified suspicious node with other nodes of the MANET to achieve a conformity status of said level of suspicion; e) global alarm raiser means adapted to send an alarm message in relation to said identified suspicious node to each of the other nodes of the MANET; and f) isolator means adapted to isolate each of said suspicious nodes from the MANET to achieve an error-free network.
Typically, the node mapping means is a timer based mapping means adapted to carry out mapping of said nodes of the MANET at pre-defined intervals of time.
Typically, the data collection means is a timer based data collection means adapted to carry out data collection of said mapped nodes of the MANET at pre-defined intervals of time. The Neighborhood Data Collection means has further means to enable each node in the network to collect the data forwarding information in its neighborhood and store it in a table designated as the Data Routing Information (DRI) table. The records in the DRI table provide an indication of the existence of any suspicious node in the neighborhood of a node.
Typically, said data collection means includes: a) sender detector means adapted to detect the node from which data is sent; b) sender recorder means adapted to record information relating to whether data is sent from said detected node; c) receiver detector means adapted to detect the node where data is received; d) receiver recorder means adapted to record information relating to whether data is received by a receiver node from said detected node; e) computation means adapted to compute a ratio of request-to-send to clear-to-send messages for said detected node; and f) check bit means adapted to check whether the data sent from said detected node is received by said receiver node.
The Local anomaly detection means is invoked by a node when it identifies a suspicious node (SN) by examining its DRI table. The Local anomaly detection means then adapts the 'Initiator Node' (IN) to initiate a local detection process by identifying a 'Cooperative Node' (CN). The Local anomaly detection means further adapts the IN to involve all its neighbors and the CN in a detection procedure that computes the level of suspicion in the SN. If the level of suspicion exceeds a threshold then the Cooperative Anomaly Detection means is invoked.
Typically, said local anomaly detection means comprises: a) first designator means adapted to designate an initiator node in relation to said suspicious node; b) second designator means adapted to designate at least one co-operative node in relation to said suspicious node; said co-operative node being a neighbouring node; c) engaging means adapted to engage a subnetwork, for test routing of data, involving said designated initiator node and said co-operative nodes in relation to said suspicious node; d) invoking means adapted to invoke a detection procedure to compute a level of suspicion for said suspicious node, in relation to data sent to said suspicious node, data received by said suspicious node, data sent by said suspicious node, and data received by said co-operative nodes; and e) comparator means adapted to compare said level with a pre-defined level to verify said level of suspicion.
The objective of the Cooperative Anomaly Detection means is to increase the detection reliability by reducing the probability of false detection by the local anomaly detection means. The cooperative detection means adapts the nodes in the neighborhood of the suspected node to actively participate and exchange messages amongst them so as to arrive at a conclusion regarding the true nature of the suspected node i.e. whether it is malicious or honest. If the SN is found to behave like a gray hole it is isolated from the network by invocation of the Global Alarm Raiser means.
Typically, said co-operative anomaly detection means comprises: a) selecting means to select one suspicious node; b) routing means adapted to engage routing of information between a selected suspicious node and its neighbouring nodes; and c) monitoring means adapted to monitor activity during the said routing of information between said selected suspicious node and its neighbouring cooperative nodes to achieve a conformity status of said level of suspicion.
The Global Alarm Raiser means is invoked to establish a network wide notification system for sending alarm messages to all the nodes in the network about the gray hole node that has been detected by the Cooperative Anomaly Detection means. It also ensures that the identified malicious node is isolated so that it cannot use any network resources.
The invention is evaluated in network simulator ns-2 for the purpose of evaluation of its performance. The metrics that are used for evaluating performance are: (1) False positive rate- the probability of incorrectly identifying a legitimate node as malicious, (2) Misdetection (false detection) - the probability of failure in detecting a malicious node, (3) Data packet delivery ratio - the percentage of data packets that are successfully delivered, and (4) Communication overhead due to the control packets of the security system in accordance with this invention.
It is observed that false positive rate increases with the mobility of the nodes in the network. The reason for this is that if a node constantly moves at a high speed, it can gather only partial information about its transmissions with its current neighbors. As a result, it is more likely to make mistakes.
It is also observed that misdetection rate is maximum in a static network and starts dropping with the mobility of the nodes. This is because in a static network if a gray hole node remains stationary in a sparsely populated region, its neighbors may not be able to punish it since there may not be requisite minimum number of neighboring nodes to arrive at a consensus. On the contrary, in a mobile network, mobility increases the probability that other nodes roam into the region of the gray hole node, or the gray hole node enters into a densely populated region. As a result, it is less likely that a gray hole would be able to escape without being detected.
The variation of the data packet delivery ratio with respect to the number of gray hole nodes for a normal AODV routing protocol and for the current invention is also studied. It is observed that even when 20% of nodes in the network are malicious gray holes, the percentage of packets successfully delivered is more than 90% when the invention is applied.
Communication overhead of the invention is also studied. It is found that with the increase in number of gray holes, the overhead increases. The communication overhead is measured by the percentage of control packets required to route different number of data packets in the network. The normal AODV performance is taken as the baseline. It is observed that the overhead of the invention drops as the number of data packets transmitted is increased. This demonstrates the efficiency of the system and apparatus in accordance with this invention.
Brief Description of the Accompanying Drawings:
The invention will now be described with reference to the accompanying drawings, in which:
Figure 1 shows Topology of a MANET;
Figure 2 shows the configuration of the apparatus in the system;
Figure 3 shows Table 1: DRI table of Node 7;
Figure 4 shows Table 2: Probe Check Table for Node 7;
Figure 5 shows Table 3 : simulation parameters;
Figure 6 shows a graph of False detection rate vs. nodes' mobility in m/s;
Figure 7 shows a graph of Misdetection rate vs. nodes' mobility;
Figure 8 shows graph of Data packet delivery rate vs. no. of gray hole nodes; and
Figure 9 shows: Control packet overhead for different no. of data packets.
Detailed Description of Invention:
The invention involves both local and cooperative detection to identify any malicious gray hole node in the network. Once a node is detected to be truly malicious, a notification is sent to all the nodes in the network, so that the malicious node can be isolated and not allowed to use any network resources. The invention has four security means that are invoked sequentially. These means are described in detail with reference to Figure 2 of the accompanying drawings:
Node Mapping means (05): A MANET typically comprises a plurality of nodes. Nodes may either be good nodes capable of effective transmission or may be bad/suspicious nodes which are potentially malicious and can disrupt communication in the network. The node mapping means (05) maps each node of the network to a unique non-zero Node ID for proper identification of each node in the MANET.
Neighborhood Data Collection means (10): Each node in the network collects the data forwarding information in its neighborhood and stores it in a table known as the Data Routing Information (DRI) table. The DRI table of node 7 in Figure 1 is shown in Table 1 in Figure 3. In its DRI table, node 7 maintains packet routing information of its neighbor nodes 1, 2, 6, 8, and 9. An entry '1' for a node under the column 'From' implies that node 7 has forwarded data packets coming from that node, and an entry '1' for a node under the column 'Through' implies that node 7 has forwarded data packets to that node. Thus, as per Table 1 in Figure 3, node 7 has neither forwarded any data packet from node 1 nor forwarded any data packet to node 1. However, node 7 has forwarded data packets to node 2 and also has forwarded data packets that have come from node 2. In this way, each node constructs its DRI table. After a certain threshold time interval (this depends on the mobility of the network), each node identifies its neighbors with which it has not interacted and invokes subsequent detection means to probe them further. This identification is done on the basis of the nodes that have '0' entries both in the 'From' and 'Through' columns in the DRI table. For example, as shown in Table 1 in Figure 3, node 7 has not communicated with node 1. Therefore, node 7 invokes the local anomaly detection means (20) for node 1. The 'RTS/CTS' column in the DRI table gives the ratio of the number of request to send (RTS) messages to the number of clear to send (CTS) messages for the corresponding node. This gives a rough idea about the number of requests arriving at the node for data communication and the number of packet transmissions that the node is actually doing. The significance of the column 'CheckBit' in the DRI table will be discussed whilst discussing the local anomaly detection means (20).
Local Anomaly Detection means (20): This security means is invoked by a node when it identifies a suspicious node by examining its DRI table. The node that initiates the local anomaly detection means (20) is called the Initiator Node (IN). The IN first chooses a Cooperative Node (CN) in its neighborhood based on its DRI records and broadcasts a RREQ message to its 1-hop neighbors requesting a route to the CN. In reply to this RREQ message, the IN will receive a number of RREP messages from its neighboring nodes. It will certainly receive a RREP message from the Suspected Node (SN), if the latter is really a gray hole (since gray holes always send RREP messages but drop data packets probabilistically). After receiving the RREP from the SN, the IN sends a probe packet to the CN through the SN. After the time to live (TTL) value of the probe packet is over, the IN asks the CN whether it has received the probe packet. If the reply to this query is affirmative, then the IN updates its DRI table by making an entry '1' under the column 'CheckBit' against the node ID of the SN. However, if the probe packet is found not to have reached the CN, the IN increases its level of suspicion about the SN and activates the cooperative anomaly detection means (30).
In Figure 1, node 7 acts as the IN and initiates the local anomaly detection means (20) for the SN (node 1) and chooses node 2 as the CN. Node 2 is the most reliable node for node 7 as both the entries under columns 'From' and 'Through' for node 2 are '1'. Node 7 broadcasts a RREQ message to all its neighbor nodes 1, 2, 6, 8 and 9 requesting them for a route to the CN, i.e., node 2 in the example. After receiving a RREP from the SN (node 1), node 7 sends a probe packet to node 2 via node 1. Node 7 then asks node 2 whether it has received the probe packet. If node 2 has received the probe packet, node 7 makes an entry '1' under the column 'CheckBit' in its DRI table corresponding to the row of node 1. If node 2 has not received the probe packet, then node 7 invokes the cooperative anomaly detection means (30).
Cooperative Anomaly Detection means (30): The objective of this means is to increase the detection reliability by reducing the probability of false detection of local anomaly detection means (20).
This means (30) is activated when an IN observes that the probe packet it had sent to the CN through the SN did not reach the CN. The IN sends the cooperative detection request message to all the neighbors of the SN. When the neighbors of the SN receive the cooperative detection request message, each of them sends a RREQ message to the SN requesting a route to the IN. After the SN responds with a RREP message, each of the requesting nodes sends a 'further probe packet' to the IN along that route. This route will obviously include the SN, as the SN is a neighbor of each requesting node and of the IN as well. Each neighbor of the SN (except the IN) now notifies the IN that a 'further probe packet' has already been sent to it. This 'notification message' from each neighbor is sent to the IN through routes which do not include the SN. This is necessary to ensure that the SN is not aware of the on-going cross checking process. The IN will receive numerous 'further probe packets' and 'notification messages'. The IN now constructs a ProbeCheck table. The ProbeCheck table has two fields: NodeID and ProbeStatus. Under the NodeID field, the IN enters the identifiers of the nodes which have sent notification messages to it. An entry '1' is made under the column 'ProbeStatus' for the nodes from which the IN has received the 'further probe packet'.
An example ProbeCheck table for node 7 of the network in Figure 1 is presented in Table 2 of Figure 4. It can be observed that node 7 has received the 'further probe packet' from all the neighbors of the SN (node 1) except node 2. It is possible that the probe packet was not maliciously dropped by the SN, but was instead lost because of collision or buffer overflow. To avoid mathematical complexity, the invention involves a simple mechanism where each node sends three 'further probe packets' interspersed with a small time interval. If none of these three packets from a neighbor are received by the IN, the SN is believed to be behaving like a gray hole for that node during that time. This gray hole behavior may be exhibited for a single node (as for node 2 in Table 2 in Figure 4) or for a group of nodes. The frequency of invocation of the detection means in accordance with this invention is important for ensuring the desired throughput in the network, as a gray hole may quickly change its phase from 'good' to 'bad'. The periodicity of invocation is to be based on the maximum percentage of packet drop that the network application can afford. In the worst case, a gray hole will change its phase from 'good' to 'bad' immediately after one round of the detection system in accordance with this invention is over and will switch back to the 'good' phase just before the next invocation. Although such a situation may be quite unlikely, the invocation frequency should be based on the estimation of the number of packets that the gray hole may drop during that period and the maximum rate of packet drop that the application may afford.
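The local and cooperative detection steps described above can be traced in a short model. This is an added illustration, not code from the patent: only the DRI entries for nodes 1 and 2 come from the description, while the other table entries, the neighbor set of node 1, and the two relay behaviours are constructed sample data, and the RTS/CTS column is left out.

```python
"""Illustrative model of DRI-based local and cooperative gray hole detection."""
from dataclasses import dataclass

PROBES_PER_NEIGHBOR = 3  # three 'further probe packets' per neighbor, as described


@dataclass
class DRIEntry:
    from_: int = 0      # 1: IN forwarded data packets that came from this neighbor
    through: int = 0    # 1: IN forwarded data packets to this neighbor
    check_bit: int = 0  # 1: a probe routed through this neighbor reached the CN


def suspicious_nodes(dri):
    """Neighbors with '0' under both 'From' and 'Through'."""
    return sorted(n for n, e in dri.items() if not e.from_ and not e.through)


def choose_cooperative_node(dri):
    """Most reliable neighbor: '1' in both columns (lowest ID on a tie: assumption)."""
    reliable = sorted(n for n, e in dri.items() if e.from_ and e.through)
    if not reliable:
        raise LookupError("no neighbor has both From and Through set")
    return reliable[0]


def local_detection(in_id, dri, sn, relay):
    """IN sends one probe to the CN via the SN; CheckBit is set if it arrives."""
    cn = choose_cooperative_node(dri)
    arrived = relay(in_id, cn, 0)
    if arrived:
        dri[sn].check_bit = 1
    return cn, arrived


def cooperative_detection(in_id, sn_neighbors, relay):
    """Build the IN's ProbeCheck table (NodeID -> ProbeStatus)."""
    probe_check = {}
    for node in sorted(sn_neighbors):
        if node == in_id:
            continue
        # The notification message travels on a route that avoids the SN, so it
        # is modelled as always delivered: every neighbor gets a table row.
        results = [relay(node, in_id, i) for i in range(PROBES_PER_NEIGHBOR)]
        probe_check[node] = int(any(results))
    return probe_check


def investigate(in_id, dri, sn, sn_neighbors, relay):
    """Run local detection, then cooperative detection if the probe was lost."""
    cn, arrived = local_detection(in_id, dri, sn, relay)
    report = {"sn": sn, "cn": cn, "local_probe_arrived": arrived,
              "probe_check": {}, "dropped_for": [], "gray_hole": False}
    if not arrived:
        table = cooperative_detection(in_id, sn_neighbors, relay)
        report["probe_check"] = table
        report["dropped_for"] = [n for n, status in table.items() if status == 0]
        report["gray_hole"] = bool(report["dropped_for"])
    return report


# ---- Constructed sample data (rows for nodes 6, 8, 9 are assumptions) ----
def node7_dri():
    return {1: DRIEntry(0, 0), 2: DRIEntry(1, 1), 6: DRIEntry(1, 0),
            8: DRIEntry(0, 1), 9: DRIEntry(1, 1)}


SN_NEIGHBORS = {2, 6, 7, 8}  # assumed neighbors of node 1


def gray_hole_relay(src, dst, attempt):
    """Node 1 as a gray hole that drops every packet to or from node 2."""
    return 2 not in (src, dst)


def lossy_honest_relay(src, dst, attempt):
    """Node 1 as an honest relay whose first packet is lost to a collision."""
    return attempt != 0


def run_scenario(relay):
    dri = node7_dri()
    sn = suspicious_nodes(dri)[0]
    return investigate(7, dri, sn, SN_NEIGHBORS, relay), dri


if __name__ == "__main__":
    for name, relay in (("gray hole", gray_hole_relay),
                        ("lossy but honest", lossy_honest_relay)):
        report, _ = run_scenario(relay)
        print(name, report)
```

In the second scenario the single local probe is lost, but the three further probes from each neighbor clear node 1, which is the false detection case the cooperative step is meant to absorb.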
Global Alarm Raising Procedure (40): This means is invoked to establish a network-wide notification system for sending alarm messages to all the nodes in the network about the gray hole node that has been detected by the Cooperative Anomaly Detection means (30). It also ensures that the identified malicious node is isolated so that it cannot use any network resources.
The detection and isolation mechanism of malicious nodes may involve a security problem. A group of malicious nodes can collude together to launch a bad mouthing attack by falsely accusing a legitimate node and isolating it from the network. To prevent this, the present invention proposes a mechanism that is similar to threshold cryptography. In this mechanism, when a node identifies a suspected node to be malicious by invocation of the cooperative detection procedure, it sends a digitally signed (using its private key) alarm message to all its neighbors. The full signature is constructed when at least k nodes put their signatures into the alarm message. Once the alarm message is authenticated with the full signature, the suspected node is isolated from the network. This makes the invention robust against collusion involving maximum k-1 malicious nodes in a neighborhood. When a node is finally identified to be malicious, its node ID is entered into a global list of malicious nodes called 'faulty list'. The faulty list is periodically flooded in the network, as and when an update is made into it.
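The k-endorsement rule for alarm messages can be sketched as follows. This is an added illustration, not the patent's mechanism: HMAC-SHA256 with per-node demo keys stands in for each node's private-key signature so that the example runs on the standard library, and the epoch field, the exclusion of the accused and of already-listed nodes from voting, and all node keys are assumptions.

```python
"""k-of-n endorsement check for a gray hole alarm (illustrative)."""
import hashlib
import hmac


def alarm_bytes(accused, epoch):
    """Canonical alarm encoding; binds the accused node ID and the detection
    round (the epoch field is an assumption, added to reject replays)."""
    return f"ALARM|accused={accused}|epoch={epoch}".encode()


def endorse(key, accused, epoch):
    """One node's endorsement. HMAC stands in for a private-key signature."""
    return hmac.new(key, alarm_bytes(accused, epoch), hashlib.sha256).digest()


def authenticate_alarm(accused, epoch, endorsements, keys, k, faulty_list=()):
    """Return (accepted, valid_signers); accept only with >= k distinct signers."""
    valid = set()
    for signer, tag in endorsements:
        if signer == accused or signer in faulty_list:
            continue  # assumption: the accused and isolated nodes get no vote
        key = keys.get(signer)
        if key is None:
            continue  # unknown node ID
        if hmac.compare_digest(tag, endorse(key, accused, epoch)):
            valid.add(signer)  # a set, so repeated endorsements count once
    return len(valid) >= k, sorted(valid)


def update_faulty_list(faulty_list, accused, accepted):
    """Enter the accused node ID into the faulty list once the alarm is accepted."""
    return sorted(set(faulty_list) | ({accused} if accepted else set()))


# ---- Constructed sample data: threshold, demo keys and node roles ----
K = 3
KEYS = {n: hashlib.sha256(f"demo-key-{n}".encode()).digest()
        for n in (1, 2, 6, 7, 8, 9)}


def honest_alarm():
    """Nodes 7, 6 and 8 endorse an alarm against node 1 in round 5."""
    return [(n, endorse(KEYS[n], 1, 5)) for n in (7, 6, 8)]


def colluding_alarm():
    """Two nodes (k-1) accuse legitimate node 2 and repeat their endorsements."""
    pair = [(n, endorse(KEYS[n], 2, 5)) for n in (1, 9)]
    return pair + pair


if __name__ == "__main__":
    print(authenticate_alarm(1, 5, honest_alarm(), KEYS, K))
    print(authenticate_alarm(2, 5, colluding_alarm(), KEYS, K))
    print(authenticate_alarm(1, 6, honest_alarm(), KEYS, K))
```

Counting distinct signers rather than endorsements is what makes the k-1 collusion bound hold; the third call shows that endorsements collected in one round do not authenticate an alarm in another.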
Performance Evaluation:
The invention is implemented in network simulator ns-2 for the purpose of evaluation of its performance. The MAC layer protocol and the routing protocol used are 802.11 DCF and AODV respectively. An improved version of 'random waypoint' is used as the mobility model. The host pause time is chosen to be zero to simulate a continuously mobile network. Malicious gray holes are simulated using a two-phase Markov Chain Machine. While in the good phase none of the gray holes drop any packet, in the bad phase, packets are dropped based on a function that generates a random number between a maximum value (MAX RATE) and a minimum value (MIN RATE). The simulation parameters are presented in Table 3 in Figure 5. The following metrics are used for evaluating the performance:
(a) False positive rate: it is the probability of incorrectly identifying a legitimate node as malicious.
(b) Misdetection (false negative) rate: it is the probability of failure in detecting a malicious node.
(c) Data packet delivery ratio: it is the percentage of data packets that are successfully delivered.
(d) Communication overhead: it is the overhead due to control packets of the invention.
Figure 6 shows how false positive rate varies with mobility of the nodes for different percentages of gray hole nodes in the network. The maximum value of the observed false positive rate is found to be 7%. The false positive rate increases as the nodes move faster. If a node constantly moves at a high speed, it can gather only partial information about its transmission with its current neighbors. As a result, it is more likely to make mistakes.
Figure 7 depicts the variation of misdetection rate with nodes' mobility for different percentages of gray hole nodes. It is seen that misdetection ratio is maximum (12%) in a static network and starts dropping with the mobility of the nodes. This is because in a static network, if a gray hole remains in a sparsely populated region, its neighbors may not be able to punish it since there may not be requisite k number of nodes to arrive at the consensus. On the contrary, in a mobile network, the mobility increases the probability that other nodes roam into the region of the gray hole node, or the gray hole node enters into a densely populated region. As a result, it is less likely that the gray hole would be able to escape without being detected.
Figure 8 shows how the data packet delivery ratio varies with respect to the number of gray hole nodes for the normal AODV protocol and for the current invention. It is observed that even when 20% of the nodes in the network are malicious gray holes, the percentage of packets successfully delivered is more than 90% if the proposed security protocol is applied. However, 100% packet delivery ratio is not achieved even with the current invention. A careful analysis of the trace files has shown that most of the packet loss occurs during the detection and reaction phase of the system in accordance with this invention.
Figure 9 shows the overhead due to communication of control packets for different numbers of data packets. It has been observed that with the increase in number of gray holes, the overhead increases. The results have been reported for the worst case scenario when the percentage of malicious nodes in the network is 20%. The communication overhead is shown as the percentage of the number of control packets required to route different numbers of data packets in the network. The normal AODV performance is taken as the baseline. It is observed that the overhead drops as the number of data packets transmitted is increased. This demonstrates the efficiency of the invention in terms of communication overhead.
Although the invention has been described in terms of particular embodiments and applications, one of ordinary skill in the art, in light of this teaching, can generate additional embodiments and modifications without departing from the spirit of or exceeding the scope of the claimed invention. Accordingly, it is to be understood that the drawings and descriptions herein are offered by way of example to facilitate comprehension of the invention and should not be construed to limit the scope thereof.

Claims:
1. A system for detecting malicious gray-hole nodes in a mobile ad hoc network (MANET) comprising a group of nodes, said system comprising: a) node mapping means adapted to map each node in the MANET; b) data collection means adapted to collect data forwarding (routing) information from each node to obtain a data routing record of the node, in order to enable identification and creation of a list of good nodes and suspicious nodes; c) local anomaly detection means adapted to determine level of suspicion of each of said suspicious nodes; d) co-operative anomaly detection means adapted to identify one suspicious node at a time and monitor routing activity of said identified suspicious node with other nodes of said network to achieve a conformity status of said level of suspicion; e) global alarm raiser means adapted to send an alarm message in relation to said identified suspicious node to each of the other nodes of the MANET; and f) isolator means adapted to isolate each of said suspicious node from the MANET to achieve an uninterrupted communication in the network.
2. A system as claimed in claim 1 wherein, said node mapping means is a timer based mapping means adapted to carry out mapping of said nodes of said network at pre-defined intervals of time.
3. A system as claimed in claim 1 wherein, said data collection means is a timer based data collection means adapted to carry out data collection of said mapped nodes of said network at pre-defined intervals of time.
4. A system as claimed in claim 1 wherein, said data collection means includes: a) sender detector means adapted to detect the node from which data is sent; b) sender recorder means adapted to record information relating to whether data is sent from said detected node; c) receiver detector means adapted to detect the node where data is received; d) receiver recorder means adapted to record information relating to whether data is received by a receiver node from said detected node; e) computation means adapted to compute a ratio of request-to-send to clear-to-send messages for said detected node; and f) check bit means adapted to check whether data sent from said detected node is received by said receiver node.
5. A system as claimed in claim 1 wherein, said local anomaly detection means comprises: a) first designator means adapted to designate an initiator node in relation to said suspicious node; b) second designator means adapted to designate at least one co-operative node in relation to said suspicious node, said co-operative node being a neighbouring node; c) engaging means adapted to engage a sub network, for test routing of data, involving said designated initiator node and said co-operative nodes in relation to said suspicious node; d) invoking means adapted to invoke a detection procedure to compute a level of suspicion for said suspicious node, in relation to data sent to said suspicious node, data received by said suspicious node, data sent by said suspicious node, and data received by said co-operative node; and e) comparator means adapted to compare said level with a pre-defined level to verify said level of suspicion.
6. A system as claimed in claim 1 wherein, said co-operative anomaly detection means comprises: a) selecting means to select one suspicious node; b) routing means adapted to engage routing of information between a selected suspicious node and its neighbouring nodes; and c) monitoring means adapted to monitor activity during said routing of information between said selected suspicious node and its neighbouring cooperative node to achieve a conformity status of said level of suspicion.
7. A method for detecting malicious gray-hole nodes in a mobile ad hoc network (MANET) comprising a group of nodes, said method comprising: a) mapping each node of the MANET; b) collecting data forwarding (routing) information from each of the mapped nodes to obtain a data routing record of the mapped nodes in order to enable identification and creation of a list of good nodes and suspicious nodes; c) determining the level of suspicion of each of said suspicious node in a predefined manner; d) identifying one suspicious node at a time and monitoring routing activity of said identified suspicious node with other nodes of the MANET to achieve a conformity status of said level of suspicion; e) sending an alarm message in relation to said identified suspicious node to each of the other nodes of the MANET; and f) isolating each of said suspicious node from the MANET to achieve an uninterrupted communication in the network.
8. A method as claimed in claim 7 wherein, the step of mapping each node of said network includes a step of carrying out mapping of said nodes of said network at pre-defined intervals of time.
9. A method as claimed in claim 7 wherein, the step of collecting data forwarding (routing) information includes a step of carrying out data forwarding (routing) information at pre-defined intervals of time.
10. A method as claimed in claim 7 wherein, the step of collecting data forwarding (routing) information includes the steps of: a) detecting the node from which data is sent; b) recording information relating to whether data is sent from said detected node; c) detecting the node where data is received; d) recording information relating to whether data is received by a receiver node from said detected node; e) computing a ratio of request-to-send to clear-to-send messages for said detected node; and f) checking whether data sent from said detected node is received by said receiver node.
11. A method as claimed in claim 7 wherein, the step of determining level of suspicion of each of said suspicious node in a pre-defined manner includes the steps of: a) designating an initiator node in relation to said suspicious node; b) designating at least one co-operative node in relation to said suspicious node, said co-operative nodes being neighbouring nodes of the detected node; c) engaging a subnetwork for test-routing of data, involving said designated initiator node and said co-operative nodes in relation to said suspicious node; d) invoking a detection procedure to compute a level of suspicion for said suspicious node, in relation to data sent to said suspicious node, data received by said suspicious node, data sent by said suspicious node, and data received by said co-operative nodes; and e) comparing said level with a pre-defined level to verify said level of suspicion.
12. A method as claimed in claim 7 wherein, said step of identifying one suspicious node at a time and monitoring routing activity of said identified suspicious node with other nodes of said network to achieve a conformity status of said level of suspicion includes the steps of: a) selecting one suspicious node; b) routing information between a selected suspicious node and its neighbouring nodes; and c) monitoring activity during said routing of information between said selected suspicious node and its neighbouring co-operative nodes to achieve a conformity status of said level of suspicion.
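Added example, not part of the patent text: a Python sketch of the two-stage check in claims 10 to 12, first sorting nodes into good and suspicious lists from routing records, then confirming each suspicious node with test traffic seen by co-operative neighbours. The record layout, the reading of the RTS/CTS ratio as requests addressed to a node over clear-to-send replies it returned, the suspicion formula and all three thresholds are assumptions, since the claims only say "pre-defined"; the data is constructed.

```python
from collections import defaultdict

# Constructed sample data: (observer, observed node, RTS heard, CTS heard,
# data packets handed to the node, packets later overheard being forwarded).
RECORDS = [
    ("A", "B", 40, 38, 100, 97),
    ("C", "B", 35, 34, 80, 78),
    ("A", "D", 50, 12, 120, 45),
    ("C", "D", 44, 10, 90, 30),
    ("B", "E", 30, 29, 60, 41),   # lossy but honest link in this constructed set
]
# Constructed probe results: node -> {co-operative neighbour: (sent, received)}
PROBES = {"D": {"A": (20, 6), "C": (20, 5)}, "E": {"B": (20, 19), "A": (20, 18)}}

# Assumed thresholds; the claims only say "pre-defined".
MAX_RTS_CTS, MIN_FORWARD, SUSPICION_LIMIT = 2.0, 0.75, 0.5

def classify(records):
    """Claim 10: aggregate routing records into good and suspicious lists."""
    tot = defaultdict(lambda: [0, 0, 0, 0])
    for _, node, rts, cts, sent, fwd in records:
        for i, v in enumerate((rts, cts, sent, fwd)):
            tot[node][i] += v
    good, suspicious = [], []
    for node, (rts, cts, sent, fwd) in sorted(tot.items()):
        rts_cts = rts / cts if cts else float("inf")   # unanswered RTS push this up
        forward = fwd / sent if sent else 1.0          # share of data passed on
        bad = rts_cts > MAX_RTS_CTS or forward < MIN_FORWARD
        (suspicious if bad else good).append(node)
    return good, suspicious

def suspicion_level(probes):
    """Claim 11: share of test packets the co-operative nodes never received."""
    sent = sum(s for s, _ in probes.values())
    received = sum(r for _, r in probes.values())
    return 1 - received / sent if sent else 0.0

def detect(records, probes):
    """Claim 12: check suspicious nodes one at a time; return those to isolate."""
    _, suspicious = classify(records)
    return [n for n in suspicious
            if suspicion_level(probes.get(n, {})) > SUSPICION_LIMIT]
```

Node E shows why the second stage matters: its forwarding ratio alone puts it on the suspicious list, but the co-operative probes clear it, so only D would be alarmed on and isolated.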
PCT/IN2009/000204 2008-03-31 2009-03-26 Security in mobile ad hoc networks WO2009122437A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN718/MUM/2008 2008-03-31
IN718MU2008 2008-03-31

Publications (2)

Publication Number Publication Date
WO2009122437A2 true WO2009122437A2 (en) 2009-10-08
WO2009122437A3 WO2009122437A3 (en) 2012-11-29

Family

ID=41136022

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IN2009/000204 WO2009122437A2 (en) 2008-03-31 2009-03-26 Security in mobile ad hoc networks

Country Status (1)

Country Link
WO (1) WO2009122437A2 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040028000A1 (en) * 2002-08-12 2004-02-12 Harris Corporation Mobile ad-hoc network with intrusion detection features and related methods
WO2005104455A2 (en) * 2004-04-27 2005-11-03 Nokia Corporation Providing security in proximity and ad-hoc networks

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011097889A1 (en) * 2010-02-10 2011-08-18 北京播思软件技术有限公司 Method for interconnecting mobile communication terminals in ad-hoc network
CN101827311A (en) * 2010-02-10 2010-09-08 北京播思软件技术有限公司 Method for realizing interconnection of mobile communication terminals in AD-HOC network
US10990609B2 (en) 2010-12-28 2021-04-27 Amazon Technologies, Inc. Data replication framework
US20170004196A1 (en) * 2010-12-28 2017-01-05 Amazon Technologies, Inc. Data replication framework
CN102291712A (en) * 2011-08-16 2011-12-21 清华大学 Adaptive active defense realizing method and system in WSN (wireless sensor network)
EP2898439A4 (en) * 2012-09-18 2016-10-05 Univ George Washington Emergent network defense system
US9860276B2 (en) 2012-09-18 2018-01-02 The George Washington University Emergent network defense
CN103297973A (en) * 2013-06-04 2013-09-11 河海大学常州校区 Method for detecting Sybil attack in underwater wireless sensor networks
CN108989465A (en) * 2018-08-30 2018-12-11 清华大学 Common recognition method, server, storage medium and distributed system
CN108989465B (en) * 2018-08-30 2021-03-12 交叉信息核心技术研究院(西安)有限公司 Consensus method, server, storage medium and distributed system
WO2020160557A1 (en) 2019-02-01 2020-08-06 Nuodb, Inc. Node failure detection and resolution in distributed databases
US20220147426A1 (en) * 2019-02-01 2022-05-12 Nuodb, Inc. Node Failure Detection and Resolution in Distributed Databases
EP3918355A4 (en) * 2019-02-01 2022-10-26 NUODB Inc. Node failure detection and resolution in distributed databases
US11500743B2 (en) * 2019-02-01 2022-11-15 Nuodb, Inc. Node failure detection and resolution in distributed databases
US11822441B2 (en) 2019-02-01 2023-11-21 Nuodb, Inc. Node failure detection and resolution in distributed databases
CN115276935A (en) * 2022-07-14 2022-11-01 深圳鹏龙通科技有限公司 Signal frame sending method and device
CN115276935B (en) * 2022-07-14 2023-04-07 深圳鹏龙通科技有限公司 Signal frame sending method and device

Also Published As

Publication number Publication date
WO2009122437A3 (en) 2012-11-29

Similar Documents

Publication Publication Date Title
Sen et al. A mechanism for detection of gray hole attack in mobile Ad Hoc networks
Mohanapriya et al. Modified DSR protocol for detection and removal of selective black hole attack in MANET
WO2009122437A2 (en) Security in mobile ad hoc networks
Bindra et al. Detection and removal of co-operative blackhole and grayhole attacks in MANETs
Shila et al. Defending selective forwarding attacks in WMNs
Aware et al. Prevention of black hole attack on AODV in MANET using hash function
Singh et al. A mechanism for discovery and prevention of coopeartive black hole attack in mobile ad hoc network using AODV protocol
Gambhir et al. PPN: Prime product number based malicious node detection scheme for MANETs
Roshani et al. Techniquesto mitigate grayhole attack in MANET: A survey
Chelani et al. Detecting collaborative attacks by malicious nodes in MANET: An improved bait detection scheme
Ramesh et al. Link Aware Multipath Routing to Defend Against Black Hole Attacks for MANETs
Marin-Perez et al. SBGR: A simple self-protected beaconless geographic routing for wireless sensor networks
Kumar et al. Intrusion detection technique for black hole attack in mobile ad hoc networks
Santhanam et al. Distributed self-policing architecture for fostering node cooperation in wireless mesh networks
Azer et al. Intrusion Detection for Wormhole Attacks in Ad hoc Networks: A Survey and a Proposed Decentralized Scheme
El Mahdi et al. Analyzing security in smart cities networking and implementing link quality metric
Singh et al. Routing Misbehabiour In Mobile Ad Hoc Network
Kaur et al. DOS attacks in MANETs: Detection and Countermeasures
Roy et al. MCBHIDS: Modified layered cluster based algorithm for black hole IDS
Jatti et al. Performance improvements of routing protocol by blackhole detection using trust based scheme
Bansal et al. Use of cross layer interactions for detecting denial of service attacks in WMN
Indhumathi SOLSR: Secure OLSR with denial contradiction rules to detect and prevent gray hole attack in VANET
Pahal et al. A Cryptographic Handshaking Approach to Prevent Wormhole Attack in MANET
Arora et al. Detecting and Preventing Attacks in MANET
Thanvi et al. Literature Survey of MANET under Blackhole and Grayhole attack

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09728757

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09728757

Country of ref document: EP

Kind code of ref document: A2