Security in Ad-hoc Networks

Arun Kumar Bayya Siddhartha Gupte Yogesh Kumar Shukla Anil Garikapati CS 685 Computer Science Department University of Kentucky

Abstract
Ad-hoc networks are an emerging area of mobile computing. There are various challenges that are faced in the Ad-hoc environment. These are mostly due to the resource poorness of these networks. They are usually set up in situations of emergency, for temporary operations or simply if there are no resources to set up elaborate networks. Ad-hoc networks therefore throw up new requirements and problems in all areas of networking. The solutions for conventional networks are usually not sufficient to provide efficient Ad-hoc operations. The wireless nature of communication and lack of any security infrastructure raise several security problems. In this paper we attempt to analyze the demands of Ad-hoc environment. We focus on three areas of Ad-hoc networks, key exchange and management, Ad-hoc routing, and intrusion detection. The key issues concerning these areas have been addressed here. We have tried to compile solutions to these problems that have been active areas of research.

CONTENTS
1. Introduction 1.1 Security Goals 1.2 Challenges 1.3 Key Management 1.4 Secure Routing 2. Key management 2.1 New Key Management Scenarios *Obvious Problems 2.2 Password based authenticated key exchange 2.2.1 Desirable Properties for such a protocol 2.2.2 Generic protocol 2.3 Password Authenticated Deffie Hellman Key exchange 2.3.1 Two Party version 2.3.2 Multi Party version 3. Secure Ad-hoc Routing in Ad-hoc networks 3.1 Problems associated with Ad-hoc routing 3.1.1 Infrastructure 3.1.2 Frequent Changes in network topology 3.1.3 Problems associated with wireless communication 3.1.4.Problems with existing Ad Hoc routing protocols 3.1.4.1 Implicit Trust relationship 3.1.4.2 Throughput 3.1.4.3 Attacks using modification of protocol field 3.1.5 Attacks using impersonation 3.1.6 Attacks using fabrication 3.1.6.1 Falsifying route error messages 3.1.6.2 Route Cache poisoning 3.1.6.3 Routing table overflow 3.1.7 Misbehaving Nodes 3.1.8 Revealing network topology 3.1.9 Lack of self-stabilization property 3.2 Solutions to problems in Ad-hoc routing 3.2.1 Using pre-deployed security infrastructure 3.2.2 Concealing network topology 3.2.3 Installing extra facilities in the network 3.2.4 Security Aware Ad-hoc routing 3.2.5 Secure routing protocol 4. Intrusion detection 4.1 Need for intrusion detection 4.2 General Overview Page No. 6 6 6 7 7 8 8 8 8 9 9 12 12 12 14 14 14 15 15 15 15 15 16 17 17 17 18 18 18 18 19 19 19 24 24 29 30 35 35 35

4.3 Unsuitability of current IDS techniques 4.4 New proposed architecture 4.4.1 Intrusion response 4.5 Anomaly detection in Ad hoc networks 4.5.1 Detecting abnormal updates to routing tables 4.5.2 Detecting anomalous activities in other layers 5. Conclusion 6. References

36 36 40 40 40 41 42 43

Acknowledgement
We thank Dr. Mukesh Singhal for his invaluable guidance throughout the compilation of this term paper.

1. Introduction
Ad-hoc networks are a new paradigm of wireless communication for mobile hosts. No fixed infrastructure such as base stations as mobile switching .Nodes within each other radio range communicate directly via wireless links while these which are far apart rely on other nodes to relay messages. Node mobility causes frequent changes in topology.

1.1 Security Goals

1) Availability: Ensures survivability despite Denial Of Service ( DOS ) attacks. On physical and media access control layer attacker can use jamming techniques to interfere with communication on physical channel. On network layer the attacker can disrupt the routing protocol. On higher layers, the attacker could bring down high level services e.g.: key management service. 2) Confidentiality: Ensures certain information is never disclosed to unauthorized entities. 3) Integrity: Message being transmitted is never corrupted. 4) Authentication: Enables a node to ensure the identity of the peer node it is communicating with. Without which an attacker would impersonate a node, thus gaining unauthorized access to resource and sensitive information and interfering with operation of other nodes. 5) Non-repudiation Ensures that the origin of a message cannot deny having sent the message.

1.2 Challenges
Use of wireless links renders an Adhoc network susceptible to link attacks ranging from passive eavesdropping to active impersonation, message replay and message distortion. Eavesdropping might give an attacker access to secret information thus violating confidentiality. Active attacks could range from deleting messages, injecting erroneous messages, impersonate a node etc thus violating availability, integrity, authentication and non-repudiation. Nodes roaming freely in a hostile environment with relatively poor physical protection have non-negligible probability of being compromised. Hence, we need to consider malicious attacks not only from outside but also from within the network from compromised nodes. For high survivability Adhoc networks should have a distributed architecture with no central entities, centrality increases vulnerability. Ad-hoc network is dynamic due to frequent changes in topology. Even the trust relationships among individual nodes also changes, especially when some

nodes are found to be compromised. Security mechanism need to be on the fly(dynamic) and not static and should be scalable. Hundreds of thousand of nodes.

1.3 Key Management

Cryptographic schemes such as digital signatures are often employed to protect both routing info as well as data. Public key systems are generally espoused because of its upper hand in key distribution. In public key infrastructure each node has a public/private key pair. Public keys distributed to other nodes, while private keys are kept to nodes themselves and that too confidentially. Third party (trusted) called Certification Authority (CA) is used for key management.CA has a public/private key pair, with its public key known to every node and signs certificates binding public keys to nodes. The trusted CA has to stay online to reflect the current bindings, since the bindings could change overtime. Public key should be revoked if the owner node is no longer trusted or is out of network. A single key management service for an Ad-hoc network is probably not a good idea, since it's likely to become Achilles heel of the network. If CA is down/unavailable nodes cannot get the current public keys of other nodes to establish secure connection. Also if a CA is compromised, the attacker can sign any erroneous certificates with the private key. Naive replication of CA can make the network more vulnerable, since compromising of a single replica can cause the system to fail. Hence it's more prudent to distribute the trust to a set of nodes by letting these nodes share the key management responsibility.

1.3 Secure Routing

The contemporary routing protocols for Adhoc networks cope well with dynamically changing topology but are not designed to accommodate defense against malicious attackers. No single standard protocol. Capture common security threats and provide guidelines to secure routing protocol. Routers exchange network topology informally in order to establish routes between nodes - another potential target for malicious attackers who intend to bring down the network. External attackers - injecting erroneous routing info, replaying old routing info or distorting routing info in order to partition a network or overloading a network with retransmissions and inefficient routing. Internal compromised nodes - more severe detection and correction more difficult Routing info signed by each node won't work since compromised nodes can generate valid signatures using their private keys. Detection of compromised nodes through routing information is also difficult due to dynamic topology of Adhoc networks. Can make use of some properties of adhoc networks to facilitate secure routing. Routing protocols for Adhoc networks must handle outdated routing information to accommodate dynamic changing topology. False routing information generated by compromised nodes can also be regarded as outdated routing information. As long as there are sufficient no. of valid nodes, the routing protocol should be able to bypass the compromised nodes, this however needs the existence of multiple, possibly disjoint routes between nodes. Routing protocol should be able to make use of an alternate route if the existing one appears to have faulted.

2. Key Agreement in Wireless Ad-hoc Networks

2.1 New key agreement scenario
Consider a group of people getting together for an Adhoc meeting in a room and trying to establish a wireless network through their laptops. They trust one another personally, however don't have any a priori shared secret (password) to authenticate one another. They don't want anybody outside the room to get a wind of their conversation indoors. This particular scenario is vulnerable to any attacker who not only can monitor the communication but can also modify the messages and can also insert messages and make them appear to have come from somebody inside the room. This is a classic example of Adhoc network and the most simple way to tackle this example would be through location based key agreement - to map locations to name ladles and then use identity based mechanisms for key agreement. e.g.: participants writing the IP addresses on a piece of paper and passing it around. Then a certificate based key agreement mechanism can be used. These public key certificates can allow participants to verify the binding between the IP address and keys of other participants. Two obvious problems a) Difficult to determine if the certificate presented by the participant has been revoked. b) Participants may be divided into 2 or more certification hierarchies and that they don't have cross certification hierarchies. One obvious solution A trusted third party capable of locating players, however not always feasible due to non-infrastructure nature of Adhoc networks. Physically secure channel limited to those present in the room to negotiate the session key before switching to the insecure wireless channel.

2.2 Password based Authenticated Key Exchange

A fresh password is chosen and shared among those present in the room in order to capture the existing shared context. If this password is a long random string, can be used to setup security association, but less user friendly. Natural language phrases, more user friendly, however vulnerable to dictionary attacks. Need to derive a strong session key from a weak shared password.

2.2.1 Desirable properties for such a protocol Secrecy Only those players that know the initial shared weak secret password should learn the session key and nobody else should. Perfect Forward Secrecy Warrants that if an attacker who succeeds in compromising one of the participants at a later time would be unable to figure out the session key resulting from previous runs of protocol. Contributory key agreement If each and every player participates in the creation of the final session key, by making a contribution, then it is called contributory key agreement. Tolerance to disruption attempts Not only strong attackers who can disrupt communication by jamming radio channels etc but even the weaker attackers who can insert but cannot modify or delete messages sent by players are also provided for. 2.2.2 Generic Protocol A and B are two communicating parties with a shared secret (password) p. (EA, DA) are the keys of A. (1) A --> B : A, P(EA). A encrypts EA with the password and sends it to B. It also sends a label 'A' to identify itself. (2) B knows 'P' so decrypts p(EA) extracts EA. B generates 'R' randomly, encrypts it using EA and the whole thing is encrypted with P and sent to A. B --> A : P(EA (R)). This message authenticates B to A, since B could extract EA from the message sent by A to B only if B knew password 'P'. (3) A decrypts this message, extracts R, generates (challenge)A and SA , encrypts it using R and sends it to B. A --> B : R((challenge)A, SA).

This message authenticates A to B, since A could extract R only if it knew password P. (4) B decrypts this message, extracts (challenge)A and SA. It then computes h( ((challenge)A) where h() is a hash function. B then generates (challenge)B and SB and then sends h((challenge)A), ((challenge)B and SB to A, encrypted by R. B --> A : R(h((challenge)A), (challenge)B, SB). This message serves as an acknowledgement to A's previous message from step:3 and also notify A that SA has been successfully noted.(5) A decrypts this message, extracts (challenge)B and SB. A computes h((challenge)B), encrypts it using R and sends it to B. A --> B : R((challenge)B). This message serves as an acknowledgement to B saying that SB has been noted. Now both parties A and B know both S A and SB, so both can compute the session key K = f(SA, SB) and start communicating. This protocol can be easily extended to multi-party case by electing a leader. The leader will broadcast the message in step1, the rest of the messages will be point to point with A acting as the leader. At the end of each protocol run, each player shares a key with the leader. An additional round will be needed for the leader to pick a common session key and to distribute it among other players using the pair wise key the user shares with the participants. The main drawback is that this protocol is non-contributory since the key is chosen only by the leader. However, we can slightly modify the protocol for it to act as a contributory multiparty protocol. The challenges (challenge)A and (challenge)B are used by A and B to confirm that the other knows the password P. The random quantities SA and SB which already have been generated could be used for the purpose of confirmation instead of the challenges. These quantities are used to generate the final session key K = f(SA, SB), these SA and SB could be easily used to confirm each other's knowledge of K. Thus the modified protocol follows. (1) A --> B : A, P(EA). (2) B --> A : P(EA (R, SB)). Note: (challenge)B replaced by SB. (3) A --> B : R(SA). SA used instead of (challenge)A.

10

(4) A --> B : K(SA, h(SA, SB)). (5) B --> A : K(SB, h(SA, SB)). The last two steps 4 and 5 are used by the receiving party (B and A respectively) that the sending party (A and B respectively) knows K (and hence P). The h(., .) is a public hash function. This protocol can be easily extended to multiple parties. Let Mi i = 1 to n be the set of n players with Mn as the leader, Si being the random share contributed by Mi towards the generation of the final session key K. (1) Mn --> ALL : Mn, P(E). (2) Mi --> Mn : Mi, P(E(Ri, Si)), i = 1 to n-1. (3) Mn --> Mi : Ri({Sj, j = 1 to n}), i = 1 to n-1. (4) Mi --> Mn : Mi. The last step confirms to each player that one other player knows the same key K. The multiparty protocol is contributory as every player makes its contribution towards generating the final session key. Mn takes contributions from every player and combines each one of them to generate the session key 'K'. The protocol also provides perfect forward secrecy for all parties except for the one who knows the decryption key D, unless the decryption key is also destroyed at the end of the protocol run. The attacker who succeeds in compromising the leader Mn will be able to decipher a copy of the past session. The protocol is also tolerant of disruption attempts by anyone except Mn. If the attacker doesn't know garbage it would send garbage message. Thus the true players agree on a key which has a contribution from the attacker, however the attacker cannot determine the session key as it does not have the knowledge of the initial shared secret (password) P. Since the protocol is contributory, a certain amount of delay is introduced with it, since the leader has to wait for contributions from each player before it can start sending out messages. Drawbacks 1) Any quantity encrypted using the weak secret (password) P should be random. Thus E cannot be well known long term encryption key, hence it is important to use a fresh key pair for every run of the protocol and this is computationally expensive.

11

2) The parts of encryption key E may have special properties which might help the attacker attempting a dictionary attack on P(E), thus care must be taken only to encrypt the unpredictable parts of E, thus increasing the computational cost of the protocol.

2.3 Password authenticated Diffie - Hellman key exchange

2.3.1 Two party version In the elementary DH protocol, two parties A and B agree on a prime p and a generator g of the multiplicative group Zp* (i.e. the set {1, 2, , p-1}). A and B choose random secrets SA and SB such that 1 <= SA, SB <= p-1. (1) A computes gSA, encrypts it with the shared secret password P and sends it to B. A --> B : A, P(gSA). (2) B extracts gSA from the message computes gSB and also computes the session key K = (gSA)SB. B then chooses a random challenge CB and encrypts it using the key K. B encrypts SB using P. It then sends the two quantities to A. B --> A : P(SB), K(CB). (3) A extracts SB from P(SB) and computes the key K = (gSA)SB. It then extracts CB by decrypting K(CB). A then generates challenge (random) CA, encrypts both CA and CB with K and sends it to B. A --> B : K(CA, CB). (4) This message(3) convinces B that A was able to decrypt the message in (2) correctly. B then encrypts CA using K and sends it to A. B --> A : K(CA). A decrypts the message to see if the plaintext is indeed C A. This would convince A that B knew K. This would in turn convince A that B knew P. 2.3.2 Multi-party version There are let's just say n players M1, M2, , Mn who all share a password P, each generating a random quantity Si which is its contribution to the eventual session key K = g S1S2_ _ _Sn-1Sn. The protocol is divided into 3 parts. In the first part (steps 1 and 2) players M i to Mn-1 generate an intermediate key PI = g S1S2_ _ _Sn-1 in n-1 steps.

12

In the second part (steps 3 and 4) each M i (i = 1 to n-1) has a separate with M n, at the end of which all the players are in a position to compute K. The third part (step 5) being the key confirmation. (1) Mi --> Mi+1 : g S1S2_ _ _Si, i = 1 to n-2 in sequence. (2) Mn-1 --> ALL : PI = g S1S2_ _ _Sn-1, broadcast. (3) Mi --> Mn : P(Ci), i = 1 to n-1, in parallel, where Ci = PI factor that is randomly choosen by Mi. (4) Mn --> Mi : (Ci) Sn, i = 1 to n-1, in parallel. (5) Mi --> ALL : Mi, K(Mi, h(M1, M2,, Mn) broadcast. Step 1 consists of (n-2) sub steps. In the first sub step player M1 computes gS1 and sends it to M2 etc. At the end of the (n-2)th sub step, Mn-1 receives g S1S2_ _ _Sn-2, which it then raises by (S n-1) to get the intermediate key PI = g S1S2_ _ _Sn-1. In step 2, Mn-1 broadcast this PI to everyone. Now every Mi (i = 1 to n-1) removes its contribution i.e, Si (i = 1 to n-1) from the PI respectively but also inserts a randomly chosen blinding factor Si, encrypts the whole thing with the shared password P. In step 3,each Mi will in parallel send the encryption to Mn. Mn decrypts the received message to extract Ci. It then raises each Ci by Sn and returns the result in parallel to each Mi. At this point each player can compute the session key as follows K = g S1S2_ _ _Sn-1Sn. Mn raises PI by Sn : K = (PI)Sn. Each Mi unblinds the quantity it receives from Mn and re inserts its original contribution Si to construct the session key K = g S1S2_ _ _Sn-1Sn = (PI)Sn. Finally, some player broadcasts a key confirmation message that allows each player to verify that at least one another player has decided on the same key K. The blinding factor Si is needed for the following reasons. (a) Without the blinding, the quantity encrypted with P by Mn-1 from step 3 is the same as what it receives in step 1. (b) An attacker could send g S1S2_ _ _Si to Mi in step 2 instead of the broadcast message (intermediate key) PI. If Mi uses this quantity to generate its message in step 3, the resulting message is same as the message received by Mi in step 1. To thwart dictionary attacks, blinding is necessary. This protocol does provide perfect forward secrecy. It is also quasi-resilient to disruption except when Mn is compromised/disrupted.
Si/Si

and Si is the blinding

13

3. Secure routing in Ad-hoc networks

3.1 Problems associated with Ad-hoc routing
3.1.1 Infrastructure An Ad-hoc network is an infrastructure less network. Unlike traditional networks there is no pre-deployed infrastructure such as centrally administered routers or strict policy for supporting end-to-end routing. The nodes themselves are responsible for routing packets. Each node relies on the other nodes to route packets for them. Mobile nodes in direct radio range of one another can communicate directly, but nodes that are too far apart to communicate directly must depend on the intermediate nodes to route messages for them.

Direct Radio Reach

Trusted Router

Fig 3.1 Routing in Ad-hoc networks

Fig 3.2 Routing in traditional networks using router.

3.1.2 Frequent changes in network topology Ad-hoc networks contain nodes that may frequently change their locations. Hence the topology in these networks is highly dynamic. This results in frequently 14

changing neighbors on whom a node relies for routing. As a result traditional routing protocols can no longer be used in such an environment. This mandates new routing protocols that can handle the dynamic topology by facilitating fresh route discoveries. 3.1.3 Problems associated with wireless communication As the communication is through wireless medium, it is possible for any intruder to tap the communication easily. Wireless channels offer poor protection and routing related control messages can be tampered. The wireless medium is susceptible to signal interference, jamming, eavesdropping and distortion. An intruder can easily eavesdrop to know sensitive routing information or jam the signals to prevent propagation of routing information or worse interrupt messages and distort them to manipulate routes. Routing protocols should be well adopted to handle such problems. 3.1.4 Problems with existing Ad-hoc routing protocols 3.1.4.1 Implicit trust relationship between neighbors Current Ad-hoc routing protocols inherently trust all participants. Most Ad-hoc routing protocols are cooperative by nature and depend on neighboring nodes to route packets. This naive trust model allows malicious nodes to paralyze an Ad-hoc network by inserting erroneous routing updates, replaying old messages, changing routing updates or advertising incorrect routing information. While these attacks are possible in fixed network as well, the Ad-hoc environment magnifies this makes detection difficult. 3.1.4.2 Throughput Ad-hoc networks maximize total network throughput by using all available nodes for routing and forwarding. However a node may misbehave by agreeing to forward packets and then failing to do so, because it is overloaded, selfish, malicious or broken. Misbehaving nodes can be a significant problem. Although the average loss in throughput due to misbehaving nodes is not too high, in the worst case it is very high.

M Fig. 3.3 a

Fig 3.4 b

15

3.1.4.3 Attacks using modification of protocol fields of messages Current routing protocols assume that nodes do not alter the protocol fields of messages passed among nodes. Routing protocol packets carry important control information that governs the behavior of data transmission in Ad-hoc networks. Since the level of trust in a traditional Ad-hoc network cannot be measured or enforced, enemy nodes or compromised nodes may participate directly in the route discovery and may intercept and filter routing protocol packets to disrupt communication. Malicious nodes can easily cause redirection of network traffic and DOS attacks by simply altering these fields. For example, in the network illustrated in Figure3.3, a malicious node M could keep traffic from reaching X by consistently advertising to B a shorter route to X than the route to X, which C is advertising. The attacks can be classified as remote redirection attacks and denial of service attacks. Let us look at them now. (a) Remote redirection with modified route sequence number (AODV) Remote redirection attacks are also called black hole attacks. In the attacks, a malicious node uses routing protocol to advertise itself as the shortest path to nodes whose packets it wants to intercept. Protocols such as AODV instantiate and maintain routes by assigning monotonically increasing sequence numbers to routes towards a specific destination. In AODV, any node may divert traffic through itself by advertising a route to a node with a destination sequence number greater than the authentic value. Figure 3.3 illustrates an example ad hoc network. Suppose a malicious node, M, receives the RREQ that originated from S for destination X after it is re-broadcast by B during route discovery. M redirects traffic towards itself by unicasting to B a RREP containing a significantly higher destination sequence num for X than the authentic value last advertised by X. (b) Redirection with modified hop count (AODV) A redirection attack is also possible in certain protocols, such as AODV, by modification of the hop count field in route discovery messages. When routing decisions cannot be made by other metrics, AODV uses the hop count field to determine a shortest path. In AODV, malicious nodes can attract route towards themselves by resetting the hop count field of the RREP to zero. Similarly, by setting the hop count field of the RREP to infinity, routes will tend to be created that do not include the malicious node.

16

Once the malicious node has been able to insert itself between two communicating nodes it is able to do anything with the packets passing between them. It can choose to drop packets to perform a denial of service attack, or alternatively use its place on the route as a first step in man-in-the-middle attack. (c) Denial of service with modified source routes DSR is a routing protocol, which explicitly states routes in data packets. These routes lack any integrity checks and a simple denial-of-service attack can be launched in DSR by altering the source routes in packet headers. Modification to source routes in DSR may also include the introduction of loops in the specified path. Although DSR prevents looping during the route discovery process, there are insufficient safeguards to prevent the insertion of loops into a source route after a route has been salvaged. 3.1.5 Attacks using impersonation Current Ad-hoc routing protocols do not authenticate source IP address. A malicious node can launch many attacks by altering its MAC or IP address. Both AODV and DSR are susceptible to this attack. 3.1.6 Attacks using fabrication Generation of false routing messages is termed as fabrication messages. Such attacks are difficult to detect. 3.1.6.1. Falsifying route error messages in AODV or DSR AODV and DSR implement path maintenance measures to recover broken paths when nodes move. If the destination node or an intermediate node along an active path moves, the node upstream of the link break broadcasts a route error message to all active upstream neighbors. The node also invalidates the route for this destination in its routing table. The vulnerability is that routing attacks can be launched by sending false route error messages. Suppose node S has a route to node X via nodes A, B, and C, as in Figure3.3. A malicious node M can launch a denial of service attack against X by continually sending route error messages to B spoofing node C, indicating a broken link between nodes C and X. B receives the spoofed route error message thinking that it came from C. B deletes its routing table entry for X and forwards the route error message on to A, who then also deletes its routing table entry. If M listens and broadcasts spoofed route error messages whenever a route is established from S to X, M can successfully prevent communications between S and X. 3.1.6.2. Route cache poisoning in DSR

17

This is a passive attack that can occur in DSR due to promiscuous mode of updating routing table which is employed by DSR. This occurs when information stored in routing table at routers is deleted, altered or injected with false information. In addition to learning routes from headers of packets, which a node is processing along a path, routes in DSR may also be learned from promiscuously received packets. A node overhearing any packet may add the routing information contained in that packet's header to its own route cache, even if that node is not on the path from source to destination. The vulnerability is that an attacker could easily exploit this method of learning routes and poison route caches. Suppose a malicious node M wanted to poison routes to node X. If M were to broadcast spoofed packets with source routes to X via itself, neighboring nodes that overhear the packet transmission may add the route to their route cache. 3.1.6.3. Routing table overflow attack In routing table overflow attack, the attacker attempts to create route to nonexistent nodes. The goal of the attacker is to create enough routers to prevent new routes from being created or overwhelm the protocol. Implementation and flush out legitimate routes from routing tables. Proactive routing algorithms attempt to discover routing information even before they are needed, while reactive algorithms create only when they are needed. This makes proactive algorithms more vulnerable to table overflow attacks. 3.1.7 No way to detect and isolate misbehaving nodes As we observed earlier in section 4.1, misbehaving nodes can affect network throughput adversely in worst-case scenarios. The existing Ad-hoc routing protocols do not include any mechanism to identify misbehaving nodes. It is necessary to clearly define misbehaving nodes in order to prevent false positives. It may be possible that a node appears to be misbehaving when it is actually encountering temporary problem such as overload or low battery. A routing protocol should be able to identify misbehaving nodes and isolate them during route discovery operation. 3.1.8 Easily leak information about network topology Ad-hoc routing protocols like AODV and DSR carry routes discovery packets in clear text. These packets contain the routes to be followed by a packet. By analyzing these packets any intruder can find out the structure of the network. The attack might use information gained to know which other nodes are adjacent to the target or the physical location of a particular node. Such an attack can be done passively. It can reveal roles of nodes in the network and their location. Intruders can use this information to attack command ad control nodes.

18

3.1.9 Lack of self-stabilization property Routing protocols should be able to recover from an attack in finite time. An intruder should not be able to permanently disable a network by injecting a smaller number of mal-informed routing packets. E.g. AODV, however is prone to selfstabilization problems as sequence numbers are used to verify route validity times, and incorrect state may remain stored in the routing tables for a long time.

3.2 Solutions to problems in Ad-hoc-routing

3.2.1 Using pre-deployed security infrastructure Here we assume existence of certain amount of security infrastructure. The type of Ad-hoc environment that we are dealing with here is called managed-open environment. Assumptions A managed-open environment assumes that there is opportunity for predeployment. Nodes wishing to communicate can exchange initialization parameters before hand, perhaps within the security of an infrastructured network where session keys may be exchanged or through a trusted third party like a certification authority. ARAN protocol in managed-open environment ARAN or Authenticated Routing for Ad-hoc Networks detects and protects against malicious actions by third parties and peers in Ad-hoc environment. ARAN introduces authentication, message integrity and non-repudiation to an Ad-hoc environment. ARAN is composed of two distinct stages. The first stage is simple and requires little extra work from peers beyond traditional ad hoc protocols. Nodes that perform the optional second stage increase the security of their route, but incur additional cost for their ad hoc peers who may not comply (e.g., if they are low on battery resources). ARAN makes use of cryptographic certificates for the purposes of authentication and non-repudiation. (1) Stage 1 It contains a preliminary certification stage and a mandatory end-end authentication stage. It is a lightweight stage and does not demand too many resources. (a) Preliminary Certification

19

ARAN requires the use of a trusted certificate server T. Before entering the Adhoc network, each node requests a certificate from T. For a node A, T -> A: CertA = [IPA, KA+, t, e]KTThe certificate contains the IP address of A, the public key of A, a timestamp t of when the certificate was created, and a time e at which the certificate expires. These variables are concatenated and signed by T. All nodes must maintain fresh certificates with the trusted server and must know Ts public key. (b) End-to-End authentication The goal of stage 1 is for the source to verify that the intended destination was reached. In this stage, the source trusts the destination to choose the return path. (i)Source node A source node, A, begins route instantiation to a destination X by broadcasting to its neighbors a route discovery packet (RDP): A -> broadcast: [RDP, IPX, CertA, NA, t]KAThe RDP includes a packet type identifier (RDP"), the IP address of the destination (IPx), A's certificate (CertA), a nonce NA , and the current time t, all signed with A's private key. Each time A performs route discovery, it monotonically increases the nonce. Nodes then store the nonce they have last seen with its timestamp. (ii) Intermediate node for RDP Each node records the neighbor from which it received the message. It then forwards the message to each of its neighbors, signing the contents of the message. This signature prevents spoofing attacks that may alter the route or form loops. Let A's neighbor be B. B -> broadcast: [[RDP, IPX, CertA, NA, t]KA-]KB-, CertB Nodes do not forward messages for which they have already seen the (N A ,IPA) tuple. Upon receiving the broadcast, B's neighbor C validates the signature with the given certificate. C then rebroadcasts the RDP to its neighbors, first removing B's signature. C -> broadcast: [[RDP, IPX, CertA, NA, t]KA-]KC-, CertC

(iii) Destination node

20

Eventually, the message is received by the destination, X, who replies to the first RDP that it receives for a source and a given nonce. There is no guarantee that the first RDP received traveled along the shortest path from the source. The destination unicasts a Reply (REP) packet back along the reverse path to the source. X -> D: [REP, IPA, CertX, NA, t]KX(iv) Intermediate node for REP Nodes that receive the REP forward the packet back to the predecessor from which they received the original RDP. All REPs are signed by the sender. Let D's next hop to the source be node C. D -> C: [[REP, IPA, CertX, NA, t]KX-]KD-, CertD C validates D's signature, removes the signature, and then signs the contents of the message before unicasting the RDP to B. C -> B: [[REP, IPA, CertX, NA, t]KX-]KC-, CertC A node checks the signature of the previous hop as the REP is returned to the source. This avoids attacks where malicious nodes instantiate routes by impersonation and re-play of X's message. (v) Source node When the source receives the REP, it verifies that the correct nonce was returned by the destination as well as the destination's signature. Only the destination can answer an RDP packet. Other nodes that already have paths to the destination cannot reply for the destination. While other protocols allow this networking optimization, we note that removing it also removes several possible exploits and cuts down on the reply traffic received by the source. Because only the destination can send REPs, loop freedom is guaranteed easily. Disadvantages ARAN requires that nodes keep one routing table entry per source-destination pair that is currently active. This is certainly more costly than per-destination entries in non-secure ad hoc routing protocols. (2) Stage 2 Stage (2) is done only after Stage (1) is over. This is because the destination certificate is required in Stage (2). This stage is primarily used for discovery of shortest path in a secure fashion. Since a path is already discovered in Stage (2), data transfer can be pipelined with Stage (2)'s shortest path discovery operation.

21

(i) Source The source begins by broadcasting a Shortest Path Confirmation (SPC) message to its neighbors (the same variables are used as in stage 1). A -> broadcast: SPC, IPX, CertX, [[IPX, CertA, NA, t]KA- ]KX+ The SPC message begins with the SPC packet identifier (SPC"), X's IP address and certificate. The source concatenates a signed message containing the IP address of X, its certificate, a nonce and timestamp. This signed message is encrypted with X's public key so that other nodes cannot modify the contents. (ii) Intermediate Node A neighbor B that receives the message, rebroadcasts the message after including its own cryptographic credentials. B signs the encrypted portion of the received SPC, includes its own certificate, and re-encrypts with the public key of X. This public key can be obtained in the certificate forwarded by A. B ->broadcast: SPC, IPX, CertX, [[[IPX, CertA, NA, t]KA-]KX+]KB-, CertB]KX+ Nodes that receive the SPC packet create entries in their routing table so as not to forward duplicate packets. The entry also serves to route the reply packet from the destination along the reverse path. (iii) Destination Node Once the destination X receives the SPC, it checks that all the signatures are valid. X replies to the first SPC it receives and also any SPC with a shorter recorded path. X sends a Recorded Shortest Path (RSP) message to the source through its predecessor D. X -> D: [RSP, IPA, certX, NA, route]KXThe source eventually receives the packet and verifies that the nonce corresponds to the SPC is originally generated. Advantages The onion-like signing of messages prevents nodes in the middle from changing the path in several ways. First, to increase the path length of the SPC, malicious nodes require an additional valid certificate. Second, malicious nodes cannot decrease the recorded path length or alter it because doing so would break the integrity of the encrypted data.

Route Maintenance

22

ARAN is an on-demand protocol. Nodes keep track of whether routes are active. When no traffic has occurred on an existing route for that route's lifetime, the route is simply de-activated in the route table. Data received on an inactive route causes nodes to generate an Error (ERR) message that travels the reverse path towards the source. Nodes also use ERR messages to report links in active routes that are broken due to node movement. All ERR message must be signed. For a route between source A and destination X, a node B generates the ERR message for its neighbor C as follows: B -> C: [ERR, IPA, IPX, CertC, NB, t]KBThis message is forwarded along the path towards the source without modification. A nonce and timestamp ensures the ERR message is fresh. Because messages are signed, malicious nodes cannot generate ERR messages for other nodes. The non-repudiation provided by the signed ERR message allows a node to be verified as the source of each ERR message that it sends. A node which transmits a large number of ERR messages, whether the ERR messages are valid or fabricated, should be avoided. Key revocation ARAN attempts a best effort key revocation that is backed up with limited time certificates. In the event that a certificate needs to be revoked, the trusted certificate server, T, sends a broadcast message to the ad hoc group that announces the revocation. Calling the revoked certificate cert r, the transmission appears as: T -> broadcast: [revoke, CertR]KTAny node receiving this message re-broadcasts it to its neighbors. Revocation notices need to be stored until the revoked certificate would have expired normally. Any neighbor of the node with the revoked certificate needs to reform routing as necessary to avoid transmission through the now-untrusted node. This method is not failsafe. If an untrusted node, whose certificate is being revoked, is the only link between 2 parts of an Ad-hoc network, it may not propagate the revocation message to the other part - leading to a partitioned network. To detect this situation and to hasten the propagation of revocation notices, when a node meets a new neighbor, it can exchange a summary of its revocation notices with that neighbor. If these summaries do not match, the actual signed notices can be forwarded and re-broadcasted to restart propagation of the notice.

3.2.2 Concealing Network topology or structure

23

1) Using independent Security Agents (SA) This method is called the Non-disclosure method (NDM). In NDM a number of independent security agents (SA) are distributed over the network. Each of these agents SAi owns a pair of asymmetric cryptographic keys KSAi and KSAi-. Sender s wishes to transmit a message M to receiver R without disclosing his location. S sends the message using a number of SAs: SA1 SA2 SAN R. The message is encapsulated N times using the public keys KSA1KSAn as follows. M = KSA1(SA2, (KSA2 (SA3 ((KSAN(R, M)))))) To deliver the packet, S sends it to the first security agent SA1 which decrypts the outer most encapsulation and forwards the packet to the next agent. Each SA knows only the address of the previous and the next hop. The last agent finally decrypts the message and forwards it to R. It introduces a large amount of overhead and hence is not preferred for routing. 2) Zone Routing Protocol (ZRP) It is a hierarchical protocol where the network is divided in to zones. The zones operate independently from each other. ZRP involves two separate routing protocols. Such a hierarchical routing structure is favorable with respect to security since a well designed algorithm should be able to contain certain problems to small portion of the hierarchy leaving other portions unaffected. ZRP has some features that appear to make it somewhat less susceptible to routing attacks. Its hierarchical organization hides some of the routing information within the zones. ZRP provides some form of security against disclosing network topology by dividing routing into zones, which conceal the internal organization. 3.2.3. Installing extra facilities in the network to mitigate routing misbehavior Misbehaving nodes can reduce network throughput and result in poor robustness. Sergio Marti Et al propose a technique to identify and isolate such nodes by installing a watchdog and a pathrater in the Ad-hoc network on each node. Assumptions It is assumed that the wireless links are bi-directional. Most MAC layer protocols require this. It also assumes support for promiscuous mode of operation for the nodes. This helps the nodes supervise each other operation. The third assumption is that the underlying Ad-hoc routing protocol is DSR. It is possible to extend the mechanism to other routing protocols as well.

Mechanism

24

The watchdog identifies misbehaving nodes, while the pathrater avoids routing packets through these nodes. When a node forwards a packet, the nodes watchdog verifies that the next node in the path also forwards the packet. The watchdog does this by listening promiscuously to the next nodes transmissions. If the next node does not forward the packet, then it is misbehaving. The pathrater uses this knowledge of misbehaving nodes to choose the network path that is most likely to deliver packets. Watchdog The watchdog method detects misbehaving nodes. Figure3.4 illustrates how the watchdog works. Node A cannot transmit all the way to node C, but it can listen in on node Bs traffic. Thus, when A transmits a packet for B to forward to C, A can often tell if B transmits the

Fig 3.4 Operation of the watchdog.

packet. If encryption is not performed separately for each link, which can be expensive, then A can also tell if B has tampered with the payload or the header. We implement the watchdog by maintaining a buffer of recently sent packets and comparing each overheard packet with the packet in the buffer to see if there is a match. If so, the packet in the buffer is removed and forgotten by the watchdog, since it has been forwarded on. If the packet has remained in the buffer for longer than a certain timeout, the watchdog increments a failure tally for the node responsible for forwarding on the packet. If the tally exceeds a certain threshold bandwidth, it determines that the node is misbehaving and sends a message to the source notifying it of the misbehaving node. Advantages The watchdog mechanism can detect misbehaving nodes at forwarding level and not just the link level. Weakness

25

It might not detect misbehaving nodes in presence of 1) ambiguous collusions 2) receiver collusions 3) limited transmission power 4) false misbehavior 5) collision 6) partial dropping. Analysis of Watchdog's weaknesses

Fig 3.5 Ambiguous Collision.

1) Ambiguous collision The ambiguous collision problem prevents A from overhearing transmissions from B. As figure3.5 illustrates, a packet collision occur at A while it is listening for B to forward on a packet. A does not know if the collision was caused by forwarding on a packet as it should or if B never forwarded the packet and the collision was caused by other nodes in As neighborhood. Because of this uncertainty, A should instead continue to watch B over a period of time.

Fig 3.6 Receiver Collision.

2) Receiver collision In the receiver collision problem, node A can only tell whether B sends the packet to C, but it cannot tell if C receives it. If a collision occurs at C when B first forwards the packet, A only sees B forwarding the packet and assumes that C successfully

26

receives it. Thus, B could skip retransmitting the packet and evade detection. Figure 3.6 3) False misbehavior False misbehavior can occur when nodes falsely report other nodes as misbehaving. A malicious node could attempt to partition the network by claiming that some nodes following it in the pat h are misbehaving. For instance, node A could report that node B is not forwarding packets when in fact it is. This will cause S to mark B as misbehaving when A is the culprit. This behavior, however, will be detected. Since A is passing messages onto B (as verified by S), then any acknowledgements from D to S will go through A to S, and S will wonder why it receives replies from D when supposedly B dropped packets in the forward direction. In addition, if A drops acknowledgements to hide them from S, the node B will detect this misbehavior and will report it to D. 4) Limited transmission power Another problem is that a misbehaving node that can control its transmission power can circumvent the watchdog. A node could limit its transmission power such that the signal is strong enough to be overheard by the previous node but too weak to be received by the true recipient. 5) Multiple colluding nodes Multiple nodes in collusion can mount a more sophisticated attack. For example, B and C from figure3.4 could collude to cause mischief. In this case, B forwards a packet to C but does not report to A when C drops the packet. Because of its limitation, it may be necessary to disallow two consecutive untrusted nodes in a routing path. 6) Partial dropping A node can circumvent the watchdog by dropping packets at a lower rate than the watchdogs configured minimum misbehavior threshold. Although the watchdog will not detect this node as misbehaving, this node is forced to forward at the threshold bandwidth. In this way the watchdog serves to enforce this minimum bandwidth. For the watchdog to work properly it must know where a packet should be in two hops. Pathrater Just like the watchdog, the pathrater is run by each node. It combines the knowledge of misbehaving nodes with link reliability data to pick. The most reliable route. Each node maintains a rating for every other node it knows about in the

27

network. It calculates a path metric by averaging the node ratings in the path. We choose this metric because it gives a comparison of the overall reliability of different paths and allows pathrater to emulate the shortest length path algorithm when no reliability information ahs been collected, as explained below. If there are multiple paths to the same destination, we choose the path with the highest metric. Since the pathrater depends on knowing the exact path a packet has traversed, it must be implemented on top of a source routing protocol. The pathrater assigns ratings to nodes according to the following algorithm. When anode in the network becomes known to the pathrater (through route discovery), the pathrater assigns it a neutral rating of 0.5. A node always rates itself with a 1.0. This ensures that when calculating path rates, if all other nodes are neutral nodes (rather than suspected misbehaving nodes); the pathrater picks the shortest length path. The pathrater increments the ratings of nodes on all actively used paths by 0.01 at periodic intervals of 200 ms. An actively used path is one on which the node has sent a packet within the previous rate increment interval. The maximum value a neutral node can attain is 0.8. We decrement a nodes rating by 0.05 when we detect a link break during packet forwarding and the node becomes unreachable. The lower bound rating of a neutral node is 0.0. The pathrater does not modify the ratings of nodes that are not currently in active use. We assign special highly negative value, -100 in the simulations, to nodes suspected of misbehaving by the watchdog mechanism. When the pathrater calculates the path metric, negative path values indicate the existence of one or more suspected misbehaving nodes in the path. If a node is marked as misbehaving due to a temporary malfunction or incorrect accusation it would be preferable if it were not permanently excluded from routing. Therefore nodes that have negative ratings should have their ratings slowly increased or set back to a non-negative value after a long timeout. Performance Throughput and Overhead The watchdog and pathrater mechanism with DSR algorithm improves throughput by 27% while increasing the overhead from 12% to 24%. But this overhead is due to the way DSR operates to maintain routes. The watchdog itself adds very little overhead. Although the overhead is significant, these extensions still improve net throughput. In networks with moderate mobility throughput improves by 17% while overhead transmission increases from 9% to 17%.

3.2.4 Security-Aware Ad-hoc Routing (SAR)

28

It makes use of trust levels (security attributes assigned to nodes) to make informed, secure routing decision. Current routing protocols discover the shortest path between two nodes. But SAR can discover a path with desired security attributes (E.g. a path through nodes with a particular shared key). A node initiating route discovery sets the sought security level for the route i.e. the required minimal trust level for nodes participating in the query/ reply propagation. Nodes at each trust level share symmetric encryption keys. Intermediate nodes of different levels cannot decrypt in-transit routing packets or determine whether the required security attributes can be satisfied and drop them. Only the nodes with the correct key can read the header and forward the packet. So if a packet has reached the destination, it must have been propagated by nodes at the same level, since only they can decrypt the packet, see its header and forward it.

Shortest route

Secure route

Secure Node with the key

Other nodes in the network Implementation SAR can extend any routing protocol. Here we see how to extend AODV and call it SAODV. Most of AODVs original behavior such as on-demand discovery using

29

flooding, reverse path maintenance and forward path setup via Route Request and Reply (RREP) messages is retained. The RREQ (Route REQuest) and the RREP (Route REPly) packets formats are modified to carry additional security information. The RREQ packet has an additional field called RQ_SEC_REQIREMENT that indicates the required security level for the route the sender wishes to discover. This could be a bit vector. An intermediate node at the required trust level, updates the RREQ packet by updating another new field, RQ_SEC_GUARANTEE field. The RQ_SEC_GUARANTEE field contains the minimum security offered in the route. This can be achieved if each intermediate node at the required trust level performs an AND operation with RQ_SEC_GUARANTEE field it receives and puts the updated value back into the RQ_SEC_GUARANTEE field before forwarding the packet. Finally the packet reaches the destination if a route exists. In the RREP packet one additional field is also added. When an RREQ successfully traverses the network to the sender, the RQ_SEC_GUARANTEE represents the minimum security level in the entire path from source to destination. So the destination copies this from the RREQ to the RREP, into a new field called RP_SEC_GUARANTEE field. The sender can use this value to determine the security level on the whole path, since the sender can find routes which offer more security than asked for, with which he can make informed decisions. Drawbacks A lot of encryption overhead, since each intermediate node has to performs it.

3.2.5 Secure Routing Protocol

Assumptions A Security Association (SA) exists between the source node (S) and destination node (T).One way of establishing this SA is negotiating a shared secret key by the knowledge of the public key of the other end. The existence of the SA is justified, because the end hosts choose a secure communication scheme and consequently should be able to authenticate each other. The SA would be established by any of group key exchange schemes. However the exists of SAs with any of the intermediate nodes is unnecessary. It is required that the end nodes be able to use non-volatile memory to maintain state information regarding relayed queries, so that previously seen route requests are discarded. It is also expected that a one to one mapping exists between MAC and IP addresses exists.

30

Finally the broadcast nature of the radio channels requires that each transmission is received by all neighbors, which are assumed to operate in promiscuous mode (i.e. able to overhear all transmissions from nodes within the range of their transceiver).

Working

4 1 T

S M1

M2

6 2 3

The source node (S) initiates the route discovery by constructing a route request packet. The route request packet is identified by a random query identifier (rnd#) and a sequence number (sq#). We assumed that a security association (a shared key KST) is established between source (S) and destination (T). S constructs a Message Authentication Code (MAC) which is a hash of source, destination, random query identifier, sequence number and KST i.e. MAC = h(S, T, rnd#, sq#, KST). In addition the identifier (IP addresses) of the traversed intermediate nodes are accumulated in the route request packet.

31

Intermediate nodes relay route requests. The intermediate nodes also maintain a limited amount of state information regarding relayed queries (by storing their random sequence number), so that previously seen route requests are discarded. More than one route request packet reaches the destination through different routes. The destination T calculates a MAC covering the route reply contents and then returns the packet to S over the reverse route accumulated in the respective request packet. The destination responds to one or more route request packets to provide the source with an as diverse topology picture as possible. Advantages Computing the MAC is not computationally expensive. Message integrity is preserved. If confidentiality of data is required we could encrypt the pay load with the shared key KST

Different attacks on routing and how they are countered Let M1, M2 be two malicious intermediate nodes. We denote the query request as a list { QST; n1, n2, . nk}. QST denotes the SRP header for a query searching for T and initiated by S. ni , i not = {1,k} are the IP addresses of the intermediate nodes and n1= S, nk= T. Similarly, a route reply is denoted as { RST; n1, n2, . nk} Case 1: When M receives { QST; S} it tries to mislead S by generating{ RST; S, M1, T} i.e. it fakes that destination T is its neighbor. This is possible in a regular routing protocol, but not here, since only T can generate the MAC which is verified by S. Case 2: If M1 discards request packets that it receives, it narrows the topology view of S. But at the same time it practically removes itself from Ss view. Thus it cannot inflict harm to data flows originating from S, and route chosen by S would not include M1.

Case 3: When M1 receives { RST; S,1, M1, S, 4, T} it tampers with its contents and relays{ RST; S, 1, M, Y, T}. Y being any sequence of nodes. S readily discards the reply due to the integrity protection provided by MAC.

32

Case 4: When M2 receives { QST; S, 2, 3 } it corrupts the accumulated route and relays { QST; S, X, 3, M2} to its neighbors, where X is a false IP address. This request arrives at T, which constructs the reply and routes it over {T, M2, 3, X, S} towards S. but when node 3 receives the reply it cannot forward it any further since X is not its neighbor and the reply is dropped. Case 5: If M1 replays route requests to consume network resources, they will be discarded by intermediate nodes, since they maintain a list of query identifiers seen in the past. The query identifier is a random number, so that it is not guessable by the malicious node. Case 6: If M1 attempts to forward { QST; S, M*} i.e. it spoofs its IP address. Consequently S would accept { RST; S, M*, 1, 4, T} as a route. But the connectivity information conveyed by such a reply is correct. However, in practice, neighbor discovery that maintain information on the binding of the MAC and IP address can strengthen the protocol. Packets would be discarded when relayed by same data link interface i.e. same MAC address with more than one different IP address.

Attacks on SRP Protocol

Tunneling If 2 nodes collude during the 2 phases (request and reply) of a single route discovery, then the protocol could be attacked. e.g.: if M1 received a route request, it can tunnel it to M2 i.e. discover a route to M2 and send the request encapsulated in a data packet. Then M2 broadcasts a request with the route segment between M1 and M2 falsified { QST; S, M1, Z, M2}. T receives the request and constructs a reply which is routed one {T, M2, Z, M1, S}. M2 receives the reply and tunnels it back to M1, which then returns it to S. As a result the connectivity information is only partially correct. Replay If M1 rewrites the RND# with some other random number, its neighbors think that it is a genuine packet and keep forwarding it, thus wasting their resources. Only when the packet reaches the destination can this misuse be detected using the MAC.

33

4. Intrusion detection in wireless ad-hoc networks

4.1 Need for intrusion detection

34

The use of wireless links renders a wireless ad-hoc network vulnerable to malicious attacks, ranging from passive eavesdropping to active interference. In wired networks however the attacker needs to gain access to the physical media eg: network wires etc or pass through a plethora of firewalls and gateways. In wireless networks the scenario is much different , there are no firewalls and gateways in place hence attacks can take place from all directions. Every node in the ad-hoc network must be prepared for encounter with the adversary. Each mobile node in ad-hoc network is an autonomous unit in itself free to move independently. This means a node with not adequate physical protection is very much susceptible to being captured , hijacked or compromised. Its is difficult to track down a single compromised node in a large network , attacks stemming from a compromised nodes are far more detrimental and much harder to detect. Hence every node in a wireless ad-hoc network should be able to work in a mode wherein it trusts no peer. Ad-hoc networks have a decentralized architecture, and many ad-hoc network algorithms rely on cooperative participation of the member nodes. Adversaries can exploit this lack of centralized decision making architecture to launch new types of attacks aimed at breaking the cooperative algorithms. Furthermore, Ad-hoc routing presents more vulnerabilities than one can imagine, since most routing protocols for ad-hoc networks are cooperative by nature. The adversary who compromises a ad-hoc node could succeed in bringing down the whole network by disseminating false routing information and this could culminate into all nodes feeding data to the compromised node. Intrusion prevention techniques like encryption and authentication can reduce the risks of intrusion but cannot completely eliminate them eg: encryption and authentication cannot defend against compromised nodes.

4.2 General overview

In general terms Intrusion is defined as any set of actions that attempt to compromise integrity , confidentiality or availability of the resource. The protocols and systems which are meant to provide services can be the target of attacks such as Distributed Denial of Service ( DDOS ). Intrusion detection can be used as a second line of defense to protect network systems because once an intrusion is detected response can be put in place to minimize the damage or gather evidence for prosecution or launch counter offensives. Intrusion detection assumes that user and program activities are observable , which means that any activity which the user or an application program initiates , gets logged somewhere into system tables or some kind of a system log and intrusion detection systems (IDS) have an easy access to these system logs. This logged system/ user related data is called audit data. Thus, Intrusion detection is all about capturing audit data , on the

35

basis of this audit data determining whether it is a significant aberration from normal system behavior, if yes then IDS infers that the system is under attack. Based on the type of audit data , IDS can be classified into 2 types viz. a) Network based : Network based IDS sits on the network gateway and captures and examines network packets that go through the network hardware interface. b) Host based : Host based IDS relies on the operating system audit data to monitor and analyze the events generated by the users or programs on the host.

4.3 Unsuitability of the Current IDS techniques for Ad-hoc paradigm

Wireless ad-hoc networks dont have no fixed infrastructure, since almost all of current network based IDS sit on the network gateways and routers and analyze the network packets passing through them, these type of network based IDS are rendered ineffective for the wireless ad-hoc networks. In case of wireless ad-hoc networks the only available audit data is restricted to the communication activities taking place within the radio range, and any IDS meant for these type of networks should be made to work with this partial and localized kind of audit data. Anomaly Detection models of IDS cannot be used for wireless ad-hoc networks, since the separating line between normalcy and anomaly is obscure. A node that transmits erroneous routing information ( fabrication ) can be either a compromised or is currently out of sync due to volatile physical movement. Hence in wireless ad-hoc networks it is difficult to distinguish between false alarms and real intrusions.

4.4 New proposed architecture

IDS should be both distributed and cooperative to suit the needs of wireless ad-hoc networks. What is meant by this statement is that every node in the wireless ad-hoc network should participate in intrusion detection. Each node is responsible for detecting intrusion locally and independently but neighboring nodes can form an association and collaboratively investigate in a broader range. Each node within the network has its own individual IDS agent and these agents run independently and monitor user and system activities as well as communication activities within the radio range. If an anomaly is detected in the local data or if the evidence is inconclusive, IDS agents on the neighboring nodes will cooperatively participate in a global intrusion detection scheme. These individual IDS agents constitute the IDS system to protect the wireless ad-hoc network.

36

IDS

IDS

IDS IDS

IDS

IDS

The IDS Architecture for Wireless Ad-hoc network

37

IDS AGENT Local Response Global Response

Local Detection Engine

Cooperative Detection engine

Local Data Collection

Secure Communicatio n

System calls activities Communication activities etc.

neighboring IDS agents

Fig : A Conceptual model for an IDS agent.

A Typical IDS Agent consists of following modules viz. 1) Local Data Collection: Local Data Collection module gathers streams of real time audit data from eclectic sources, which might include user and system activities within the mobile node, communication activities by this node as well as any communication activities within the radio range of this node and observable to this node. 2) Local Detection Engine: Local detection engine analyzes the local audit data for evidence of anomalies. This requires the IDS to maintain some expert rules for the node against which the audit data collected would checked. However as more and more appliances are becoming wireless, the types of planned attacks against these appliances is going to increase and this may make the existing expert rules insufficient to tackle these newer attacks. Moreover, updating these already existing expert rules is not a simple job. So any IDS meant for a wireless ad-hoc network 38

should resort to statistical anomaly detection techniques. The normal behavior patterns called Normal Profiles are determined using the trace data from a training process where all activities are normal. During the testing process any deviations from the normal profiles are recorded if at all any occur. A detection module is computed from the deviation data to distinguish anomalies from normalcy. There are always going to be normal activities which have not been observed and recorded before, however their deviations from the normal profile is going to be much smaller than those of intrusions. 3) Cooperative Detection : If a node locally detects a known intrusion with strong evidence it can very well on its own infer that the network is under attack and can initiate a response or a remedial action. However if the evidence of an anomaly or intrusion is a weak one or is rather inconclusive then the node decides it needs a broader investigation and can initiate a global intrusion detection procedure, which might consist of transmitting the intrusion detection state information among neighbors and further down the network if necessary. The intrusion detection state information may be a mere level-of-confidence value expressed as percentage. With p% confidence , node A after analyzing its local data concludes that there is an intrusion. With p% confidence , node A after analyzing the local data as well as that from its neighbors that there is an intrusion. With p% confidence , node A, B, C,. Collectively conclude that there is an intrusion. To a more specific state that lists the suspects like, With p% confidence, node A concludes after analyzing its local data that node X has been compromised. A distributed consensus algorithm is then derived to compute the new intrusion detection state for the node under consideration , with the help of the state information recently received from the other nodes in the network. The algorithm might involve a weighted computation assuming that nearer nodes have greater effect than the far away ones. A majority based Intrusion Detection Algorithm can include following steps : 1) The node sends to its neighboring node an intrusion state request. 2) Each node , including the one which initiates this algorithm then propagates the state information, indicating the likelihood of an intrusion to its immediate neighbors. 3) Each node then determines whether the majority of the received reports point towards an intrusion, if yes then it concludes that the network is under attack.

39

4) Any node which detects an intrusion to the network can then initiate the remedial/response procedure. As a rule of thumb , audit data from other nodes should not be trusted as compromised nodes might tend to send misleading data. However for compromised node sending audit data doesnt hold any incentives , in doing so it might create a situation which would result in its expulsion from the network. Hence , unless majority of nodes are compromised, and there exists at least one valid node the remedial procedure wont be initiated. 4.4.1 Intrusion response The type of intrusion response for wireless ad-hoc networks depends on the type of intrusion, the type of network protocols and the confidence in the veracity of the audit trace data. The response might range from resetting the communication channels between nodes or identifying the compromised nodes and precluding them from the network. The IDS agent can notify the end user to do his/her own investigation and take the necessary action. It also sends a re-authentication requests to all the nodes in the network, to prompt their respective end users to authenticate themselves . Only the re-authenticated nodes participate in negotiating a new communication channel and will recognize each other as legitimate nodes. Thus the malicious nodes can be precluded.

4.5 Anomaly detection in wireless ad-hoc networks

4.5.1 Detecting Abnormal Updates to Routing Tables For Ad-hoc routing protocols , the primary concern is that false routing information generated and transmitted by a compromised node will be used by other nodes in the network, hence a good candidate for audit data would be the updates of routing information. A routing table basically holds the next hop to each destination node and the distance in terms of number of hops. A legitimate change in the routing table is caused by physical motion of the nodes or changes in the membership of the network. For a node , it own movement and the change in its own routing table are the only data it can trust and hence we use it as a basis of the trace data. The physical movement is measured by distance , direction and velocity. The routing table change is measured by Percentage of changed routes (PCR), and the percentage changes in the sum of hops of all routes (PCH). We use percentages as measurements because the number of nodes/route is not fixed due to dynamic nature of the wireless ad-hoc networks. During the training process, a wide variety of normal situations is simulated and the corresponding trace data is gathered for each node. The audit/trace data of all the nodes in the network are then merged together to get a set of all normal changes to the routing table for all nodes. The normal profile specifies the correlation of the physical movement of the node and the changes in the routing table. The classification algorithm classifies available trace data into ranges. Now for a particular trace data, if the PCR and/or PCR values are beyond the

40

valid range for a particular movement ( velocity, direction & distance ) then it is considered to be an anomalous situation and the necessary procedures are initiated. 4.5.2 Detecting Anomalous activities in other layers For MAC protocols , trace data could be in the form of total number of channel requests, the total number of nodes making those requests etc, for last s seconds. The class can be the range of the current requests by a node. The classifier of the trace data describes the normal profile of a request. Anomaly detection model can then be computed on the basis of the deviation of the trace data from the normal profile. Similarly, at the Wireless Application layer can use service as the class and can contain following features for the past s seconds, the total number of requests to the same service, total number of services requested, the average duration of service, the number of nodes that requested service, the total number of service errors etc. A classifier for each service then describes the for each service a normal behavior for its requests.

41

6. Conclusion
We have presented an overview of the existing security scenario in the Ad-Hoc network environment. Key management, Ad-hoc routing and intrusion detection aspects of wireless Ad-hoc networks were discussed. Ad-hoc networking is still a raw area of research as can be seen with the problems that exist in these networks and the emerging solutions. The key management protocols are still very expensive and not fail safe. Several protocols for routing in Ad-hoc networks have been proposed. There is a need to make them more secure and robust to adapt to the demanding requirements of these networks. Intrusion detection is a critical security area. But it is a difficult goal to achieve in the resource deficient Ad-hoc environment. But the flexibility, ease and speed with which these networks can be set up implies they will gain wider application. This leaves Ad-hoc networks wide open for research to meet these demanding application.

42

References:
1) Intrusion Detection in Wireless Ad-hoc Networks, Yongguang Zhang, Wenke Lee 2) Key Agreement in Ad-hoc Networks, N.Asokan, Philip Ginzboorg 3) Securing Ad-hoc Networks, L. Zhou, Z.J.Haas 4) A Secure Routing Protocol for Ad Hoc Networks, Bridget Dahill, Brian Neil, Elizabeth Royer, Clay Shields 5) Routing Security in Ad Hoc Networks, Janne Lundberg, Helsinki University of Technology 6) Security-Aware Ad-Hoc Routing for Wireless Networks, Seung Yi, Prasad Naldurg, Robin Kravets, Department of Computer Science. 7) Mitigating Routing Misbehaviour in Ad Hoc Networks, 8) Key Establishment in Ad Hoc Networks, Maarit Hietalahti, Helsinki University of Technology. 9) Key Agreement in Dynamic Peer Groups, Michael Steiner, Gene Tsudik, Michael Waidner, IEE Computer Society. 10) Mobile Ad Hoc Networking (MANET): Routing Protocol Performance Issues and Evaluation Consideration, S. Corson, J. Macker. 11) The Resurrecting Duckling: Security Issues for Wireless Ad Hoc Mobile Networks. , F. Stajano and R. Anderson. 12) A Review of Current Routing Protocols for Ad Hoc Mobile Wireless Networks, E. M. Royer and C.K. Toh . 13) The Dynamic Source Routing Protocol for Mobile Ad Hoc Networks. J. Broch and D.B. Johnson 14) Ad Hoc On-Demand Distance Vector Routing Protocol. C. E. Perkins and E. M. Royer. 15) The Zone Routing Protocol (ZRP) for Ad Hoc Networks, Z. Haas and M. Pearlman.

43