2014 National Software Engineering Conference (NSEC)

Collusion-Resistant Sybil Attack Detection Scheme in Mobile Ad hoc Networks

Muhammad Sajid Khan, Naima Iltaf, Adnan Rashdi

National University of Sciences and Technology (NUST), Islamabad, Pakistan

Abstract: A MANET is a collection of nodes that form a temporary or permanent self-organized wireless network that does not rely on any central architecture or control. MANETs are designed for situations where an infrastructure network is either non-existent or extremely costly to deploy. MANETs require a distinct, unique and persistent identity for each node for their security protocols to be effective, so Sybil attacks present a grave threat to such networks. In a Sybil attack, a selfish malicious node creates a large number of logical identities on a single physical device, giving the network the false impression that they are different benign nodes, and uses them to launch a coordinated attack against the network or a node. Node cooperation is very important for the detection of a Sybil attack, but nodes may not always behave cooperatively and may collude in hostile environments to disrupt the detection accuracy of such systems. Sybil nodes cannot be accurately detected in the presence of malicious collusion, which has a serious impact on the detection accuracy of Sybil attacks. This paper proposes a novel scheme that detects Sybil attacks in a collusion-resistant way by incorporating a trust-based mechanism that mitigates the benefit (the payoff gained) from collusion. Experimental results show that the proposed scheme accurately detects the new identities of Sybil attackers or whitewashers and reduces the benefits of collusion in the presence of mobility.

Index Terms: Collusion Attack, Sybil Attack, Recommendation Model, Malicious Recommendations

I. INTRODUCTION

A mobile ad hoc network (MANET) is a collection of nodes that form a temporary or permanent self-organized wireless network that does not rely on any central architecture or control. Initially, MANETs were introduced as supervised networks normally owned by a single unit called an offline authority, such as the military, but with the increase in mobile communication devices an entirely self-organized and self-managed MANET can be formed. The end users cooperate with each other to form a purely ad hoc network. Users are normally strangers with no pre-existing security association and with different interests and objectives, sharing their resources only with the motive of connecting globally [1] [2]. Douceur [3] pointed out that a malicious node can generate and control a large number of logical identities on a single physical device, which gives the network the false impression that they are different legitimate nodes, and use them to launch a coordinated assault against the network or a node; this is called a Sybil attack. A Sybil attack presents a serious threat to MANETs and can disrupt important protocols, such as distributed storage, routing, data aggregation, voting, misbehavior detection, and traffic congestion in VANETs [4].

In order to defend against Sybil attacks, Perrig et al. [5] proposed three different techniques: radio resource testing, registration, and position verification/localization. For localizing a node to detect a Sybil attack, the cooperation of other nodes is very important, but nodes often belong to different entities with their own interests. Consequently, nodes may not always behave cooperatively and may collude in such environments. Collusion attacks in location verification involve multiple opponents coordinating to deceive the verifiers of the system into believing that there is a node at the stated position, i.e. to protect one or more Sybil identities or to disrupt the detection accuracy. A successful collusion attack often works on the principle that a node shows itself as reliable and trustworthy by cooperating in one type of interaction, usually direct interaction, while deceiving the same node in witness interactions. That is, colluding nodes provide false information about other nodes to support the colluding group, or defame or degrade benign nodes, in order to disrupt the detection accuracy of such systems.

Malicious collusion will have a serious impact on the detection accuracy of Sybil attacks: Sybil nodes cannot be accurately detected in the presence of malicious collusion. There is no formal model for detecting Sybil attacks while considering malicious collusion. All of the location-based Sybil detection schemes are based on the assumption that there is no collusion amongst the malicious nodes. This research work addresses Sybil attack detection in mobile ad hoc networks in the presence of malicious collusion. The focus is on revealing malicious or selfish colluding nodes while detecting Sybil identities. Special attention has been given to incorporating a trust-based mechanism that mitigates the transfer of benefit (the payoff gained from collusion) among nodes. This notion of trust acts as an incentive that motivates nodes to cooperate. Our work is an extension of Abbas et al. [6]. Furthermore, a collusion detection scheme is proposed to accurately detect Sybil identities and to expose and exclude the malevolent colluding nodes from the network. We define a threshold that differentiates between trusted and colluded nodes based on direct interactions and witness recommendations.

Our contributions include the development of a novel Sybil attack detection scheme that is resistant to collusion and incorporates a trust-based mechanism that mitigates the benefit (the payoff gained) from collusion. The proposed scheme is evaluated in different experiments and produces efficient results with high true positives, i.e. accurate detection of Sybil and colluded nodes, and low false positives, i.e. false detection of Sybil and colluded nodes, in mobile environments. In our scheme, nodes share and control the identities and recommendations of Sybil and colluded nodes in a distributed manner.

The rest of the paper is structured as follows. Section II details the related work. Section III explains the proposed approach for collusion-resistant Sybil attack detection in MANETs. Section IV discusses the implementation and performance analysis of the proposed scheme, and Section V concludes the paper.

978-1-4799-6162-7/14/$3\.00 2014 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

II. RELATED WORK

To defend wireless systems from Sybil attacks, the following techniques have been proposed by Perrig et al. [5] and Levine et al. [7]:

• Radio resource testing: based on the supposition that a radio sends and receives on a single channel at a time.
• Registration: requires the participation of a trusted third party (TTP), which is not feasible in MANETs.
• Trusted certification: a centralized authority is installed to allocate IDs, which is not suitable for MANETs.
• Resource testing: resources are monitored because Sybil nodes will not own many resources for extra functions. However, malicious nodes can acquire extra resources for additional functions.
• Recurring costs and fees: each ID is charged an entry fee, i.e. a monetary fee, CAPTCHAs [8] or coordination to the network [9]. Monetary fees require centralized banks, and network coordination is again vulnerable to collusion attacks.
• Trusted devices: each hardware device is mapped to a distinct ID, but malicious nodes can again acquire extra hardware devices, for example by installing two network cards.

Position verification based on signal strength seems the most proficient among the three because it is lightweight and requires no additional hardware, e.g. GPS.

Demirbas [10] implements the localization algorithm of Zhong [11] by performing a large number of indoor experiments with static MICA 2 motes. Three cooperating nodes measure the signal strength upon receiving a message. After exchanging the obtained values, the ratio is calculated from them and stored in the message sender's record in the neighbors database. A distinctive ratio determines a distinctive position of a node. Cooperation amongst nodes is essential for the scheme to be feasible; yet there may be no trust amongst the nodes and they may collude.

The scheme proposed by Jiangtao [12] detects Sybil nodes using the RSSI and the status information accumulated in the head nodes of a static clustered wireless network. In this method, a Jakes channel model is established by imitating the real network space situation of a WSN. In order to improve the detection precision, two methods are proposed: judging the member nodes and judging the head nodes. The scheme judges a Sybil attack from both the received signal strength of nodes and the status messages of member nodes, which are aggregated in head nodes unsystematically. For the scheme to be viable, node cooperation is essential. Nodes may not be trusted and they may collude in unfriendly environments.

Xiao et al. [13] proposed a distributed technique to detect Sybil attacks in VANETs. The technique works on the basis of vehicular traffic models and roadside base stations. If a vehicle is found in some suspicious activity, its signal power is observed over a period of time and its distribution is analyzed to detect Sybil attackers. Each vehicle participates in three different roles as required by the situation: claimer, witness, and verifier. Again, node cooperation is necessary for the scheme to be practical; nodes may not be trusted and may collude.

The scheme proposed by Abbas et al. [6] is lightweight and distinguishes Sybil attacker identities without any external hardware such as directional antennae or GPS. It exploits neighborhood joining behavior to differentiate between a new benign node and a Sybil node: when one node becomes a neighbor of another node as it approaches its radio range, its first signal strength will be low and will increase gradually as it comes closer. The scheme states that node cooperation is very important for the detection of Sybil nodes and assumes that the nodes are cooperative and will not collude.

III. PROPOSED APPROACH FOR COLLUSION-RESISTANT SYBIL ATTACK DETECTION

A. Attack Model

Abbas et al. [9] differentiated Sybil identities from new legitimate nodes on the basis of how they emerge in a neighborhood: benign nodes appear in the neighborhood of other nodes as they come into their radio range, so the signal strength initially received from them is quite low. A Sybil attacker that is already in the neighborhood, on the other hand, has a higher signal strength for its identities when they are created, which distinguishes them from newer neighbors. The natural entrance of a mobile node into another node's neighborhood or radio range is shown in Figure 1: when a new node N comes into the radio range or neighborhood of another node A, node N enters progressively with time. Because of this natural way of entry and exit, when one node (say A) stays stationary and another node N enters A's radio range with some speed, node A will notice N's received signal strength continuously increasing. Suppose that N (a good identity) enters A's radio range normally as discussed above, whereas W (a Sybil identity) does not enter the neighborhood or radio range of node A normally (higher initial RSS values). Node A will compare W's initial RSS value with a threshold, i.e. the minimum readable RSS value, detect W as a Sybil node and broadcast the detection update packet.

Figure 1: Natural Entrance Behavior of Nodes, Sybil and Collusion Attacks

The weakness in the above scenario is that, if node A colludes with node W, detection of node W becomes very difficult. If nodes D and C want to communicate with W, they will ask for recommendations about W. Node A, in collusion with W, will provide elevated ratings for malicious nodes, i.e. W (and other members of the colluding group), thus encouraging victim nodes to interact with them. If nodes A and E collude with W, node B cannot detect W as Sybil; A and E can even promote W as a trustworthy user. Nodes A and B can promote D (a benign node) as a Sybil node or defame D as a malicious node. Abbas et al. [6] assumed that malicious nodes do not collude with one another, and [6] did not accurately detect Sybil nodes in the presence of malicious collusion. We propose a recommendation-based trust model, an extension of the Abbas et al. [6] scheme, for detecting collusion in Sybil attacks to improve the detection accuracy of Sybil identities.

Three roles are defined for the collusion attack while detecting Sybil nodes:

• Evaluator nodes (the victims) request recommendations (trust information) about a target node.
• Target nodes are the nodes whose trust and reputation are being requested.
• Enticer nodes (the witnesses) provide the required recommendations or trust information about the target nodes to the evaluator nodes.

Among these three, enticer nodes and target nodes form the colluding group for the purpose of exploiting the victim nodes. The enticer nodes exhibit trustworthy behavior in direct interactions with the evaluator node and become trustworthy neighbors of the evaluator node. Subsequently, when the evaluator node looks for recommendations or ratings of other (malicious) nodes, i.e. to learn whether the target node is benign and trustworthy or a Sybil identity, it asks its trustworthy neighbors (the enticer nodes). These trustworthy neighbors provide high ratings for malicious nodes in order to protect one or more Sybil identities or other members of the colluding group. These high ratings encourage the victim nodes (the evaluators) to interact with these malicious nodes and help them. Ultimately, the evaluator nodes will be exploited by them. Malicious collusion will have a serious impact on the detection accuracy of Sybil attacks. Sybil nodes cannot be accurately detected in the presence of malicious collusion.

B. Collusion-Resistant Sybil Node Detection

The proposed method is designed to calculate the trustworthiness of every node and to detect and thwart collusion and Sybil attacks. Instead of designated nodes, every mobile node monitors the packets passing through the network, and the observations are exchanged for the detection of the Sybil and collusion attacks. False recommendations produced by the malicious nodes will be detected and made ineffective. We define two types of trust, i.e. trust in direct interaction and trust in indirect interaction. The idea of having two types of trust is that we believe trust has different aspects. For example, a node that is trustworthy in one type of interaction, i.e. direct interaction, is not necessarily trustworthy in indirect (witness) interaction.

Every node keeps a list of the nodes in its neighborhood together with the RSS values of any directly received or overheard 802.11 frames, i.e. RTS, CTS, DATA and ACK messages, in a table of the form <Address, Rss-List<time, RSS>>. That is, every node overhears and stores the signal strength of the communication received from the nodes in its neighborhood. Our approach works as follows:

• Nodes interact with each other; every node rates the other node's performance and stores the history. Every node computes a trust value (recommendation) for every other node with the technique used in FIRE [14]. Trust values are stored in a table in the form:

$$H_i = \{\text{Direct/Indirect},\ n_j,\ T_{i,j},\ ttl\}$$

where Direct/Indirect indicates whether the value comes from direct interaction or from witness nodes, $n_j$ is the target node, $T_{i,j}$ is the trust value of node $n_j$ in the range [0, 1], and $ttl$ is the time stamp at which the trust value was determined.

• Case 1: To check whether a node is a legitimate node or a Sybil attacker, upon detection of a new RSS the evaluator node looks up the node's address in the table <Address, Rss-List<time, RSS>> to verify the received RSS, its reception time and the transmitter address. If the address is in the table, the node is treated as benign and the RSS value is added to the table. If the address of the interacting node is not in the RSS table, this is the first interaction of the node, and the RSS captured or overheard is its first acknowledged presence. The RSS is then compared with RSS_UB_THRESHOLD. This threshold determines whether the node entered normally, i.e. is a new node, or was already present in the neighborhood, which is the case if its RSS is greater than or equal to the threshold. If RSS >= RSS_UB_THRESHOLD, the node ID is added to the malicious node list as a Sybil ID. We use the technique of Abbas et al. [6]. The evaluator node then asks for recommendations about the target node, and sorts and analyzes the recommendations according to the method defined by Iltaf et al. [15]:
  - Finding the dissimilarity of every recommendation received.
  - Finding the smoothing factor (SF) for determining the set of dishonest (colluding) recommendation classes from the set of all recommendations.
  - Concluding and separating the dishonest recommendation class and its recommenders (the malicious colluders).



• Case 2: A node (the evaluator node) receives a Sybil detection update packet from another node about a target node that is out of the evaluator node's radio range.
  - Condition I: If the evaluator node receives the same detection packet from more than two trusted nodes, then the target node is added to the malicious nodes list.
  - Condition II: But if the detection update packet is from two or fewer nodes (or from untrusted nodes), then the evaluator node also requests recommendations about the target node.

Again, the evaluator node sorts and analyzes the received recommendations, finds the dissimilarity value of every recommendation, calculates the smoothing factor to determine the set of dishonest (colluding) recommendation classes, and finally concludes and separates the dishonest recommendation class and its recommenders (the malicious colluders).
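The Case 1 and Case 2 evaluator logic above, as an added Python example that is not code from the paper. The threshold value, the trust penalty, the agreement tolerance, and the use of variance and distance from the median as dissimilarity measures are assumptions, since the page does not reproduce the formulas of [15]; all node names and ratings are constructed.

```python
from statistics import median, pvariance

RSS_UB_THRESHOLD = 1.0e-9  # Watts; constructed value, not the paper's setting
TRUSTED_ABOVE = 0.5        # from the page: trusted nodes have T > 0.5
MIN_REPORTS = 2            # from the page: "more than two" trusted reporters
AGREEMENT_VAR = 0.01       # assumption: at or below this variance nobody is flagged
PENALTY = 0.2              # assumption: trust decrement applied to a colluder


def dishonest_recommenders(recs):
    """Return the minority of recommenders whose removal yields the largest
    smoothing factor SF = |rest| * (D(all) - D(rest)), with D = variance."""
    ratings = list(recs.values())
    n = len(ratings)
    if n < 3:
        return set()
    d_all = pvariance(ratings)
    if d_all <= AGREEMENT_VAR:           # recommendations agree: nothing to separate
        return set()
    mid = median(ratings)
    # Dissimilarity of one recommendation = distance from the median; worst first.
    ranked = sorted(recs, key=lambda node: abs(recs[node] - mid), reverse=True)
    best_sf, best_k = 0.0, 0
    for k in range(1, (n + 1) // 2):     # candidate sets stay a strict minority
        rest = [recs[node] for node in ranked[k:]]
        sf = len(rest) * (d_all - pvariance(rest))
        if sf > best_sf:
            best_sf, best_k = sf, k
    return set(ranked[:best_k])


class Evaluator:
    def __init__(self, trust):
        self.trust = dict(trust)   # T_ij per neighbour, in [0, 1]
        self.rss_table = {}        # address -> [(time, rss), ...]
        self.malicious = set()     # Sybil IDs and exposed colluders

    def _separate_colluders(self, recs):
        colluders = dishonest_recommenders(recs)
        for node in colluders:
            self.malicious.add(node)
            self.trust[node] = max(0.0, self.trust.get(node, 0.0) - PENALTY)
        return colluders

    def on_frame(self, addr, t, rss, ask):
        """Case 1. ask(target) returns {recommender: rating} from neighbours."""
        if addr in self.malicious:
            return "malicious", set()
        first_seen = addr not in self.rss_table
        if first_seen and rss >= RSS_UB_THRESHOLD:
            self.malicious.add(addr)       # abnormal entry: record as Sybil ID
            return "sybil", self._separate_colluders(ask(addr))
        self.rss_table.setdefault(addr, []).append((t, rss))
        return ("new" if first_seen else "known"), set()

    def on_detection_update(self, target, reporters, ask):
        """Case 2: detection update about a target outside radio range."""
        trusted = {r for r in reporters if self.trust.get(r, 0.0) > TRUSTED_ABOVE}
        if len(trusted) > MIN_REPORTS:
            self.malicious.add(target)     # Condition I
            return "condition-I", set()
        return "condition-II", self._separate_colluders(ask(target))


def demo_case1():
    # Constructed scenario: E1 and E2 earned high direct trust from evaluator A
    # but ballot-stuff for the Sybil identity S in witness interactions.
    trust = {"B": 0.8, "C": 0.7, "D": 0.9, "F": 0.75, "G": 0.6, "E1": 0.8, "E2": 0.85}
    about_s = {"B": 0.1, "C": 0.15, "D": 0.2, "F": 0.1, "G": 0.2, "E1": 0.9, "E2": 0.95}
    a = Evaluator(trust)
    ask = lambda target: about_s
    results = [
        a.on_frame("N", 0.0, 2.0e-10, ask),  # weak first RSS: normal entry
        a.on_frame("N", 1.0, 2.0e-9, ask),   # known node moving closer
        a.on_frame("S", 2.0, 3.0e-9, ask),   # strong first RSS: Sybil ID
    ]
    return a, results


def demo_case2():
    a = Evaluator({"B": 0.8, "C": 0.7, "D": 0.9, "U": 0.3})
    ask = lambda target: {"B": 0.2, "C": 0.25, "D": 0.2}       # witnesses agree
    first = a.on_detection_update("S2", ["B", "C", "D"], ask)  # three trusted reporters
    second = a.on_detection_update("S3", ["B", "U"], ask)      # one trusted, one untrusted
    return a, first, second


if __name__ == "__main__":
    print(demo_case1()[1])
    print(demo_case2()[1:])
```

The ranking test only ever flags a strict minority of recommenders, so it assumes colluders are outnumbered among the witnesses that answer.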

Malicious colluding nodes can provide two types of dishonest recommendations:

1) Colluding nodes can launch a ballot stuffing attack, in which the aim of the attacker is to give false recommendations that cause the evaluated trustworthiness of an entity to increase. That is, they give high ratings to the Sybil identity to promote it as a trustworthy user, in order to defraud other users and to escalate the utilization of the colluding group.
2) They can launch a bad mouthing attack, in which the aim of the attacker is to send false recommendations that cause the evaluated trustworthiness of an entity to decrease. That is, they defame other trustworthy nodes by promoting them as Sybil or untrustworthy nodes to isolate them from the network, again to defraud other users and to escalate the utilization of the colluding group.

The above explanation means that there will be a wide discrepancy between the recommendations provided by the colluding group and those provided by trustworthy nodes.

C. Working Examples

Here are two working examples of our proposed approach.

1) Example I: Direct Detection of Colluding Nodes: Let a node S be detected as Sybil by the evaluator node A (and at least 1 or 2 other nodes). Before sending a detection update packet, node A requests recommendations/trust values about node S (the Sybil node). Naturally, benign nodes will share the actual values for node S, i.e. report it as a distrusted malicious node with low trust values, or there will be no recommendations from trusted benign nodes at all (because a newly created Sybil identity has no previous records); malicious colluded nodes, i.e. nodes in collusion with S, will instead give high ratings for node S. These nodes are therefore considered to be definitely in collusion with the Sybil/malicious node S, i.e. the malicious nodes and Sybil node S may collude in order to produce false positive recommendations for the evaluator while promoting the malicious target as a trusted user. These colluded nodes are also added to the distrusted nodes list and their trust value is decremented. This technique thwarts the witness-based collusion attack. After this, a detection update packet is sent to the one-hop neighbors.

Figure 2: Example I - Direct Detection of Colluding Nodes. [Figure annotations: node A compares node X's RSS with RSS_UB_THRESHOLD to classify its entry as normal or abnormal (Sybil identity); node S is detected as a Sybil identity by evaluator A, which then requests recommendations about S from its neighbors.]

2) Example II: Indirect Detection of Colluding Nodes: Let node A receive a Sybil detection packet from node C (broadcast upon detection of a Sybil identity) about node S (out of radio range of A).

Condition I: If node A receives the same detection packet from more than two (n > 2) trusted nodes (T > 0.5), then node S is added to the malicious nodes list.

Condition II: But if the detection update packet is from two or fewer nodes (or from untrusted nodes, T

Case 1:
  If: RSS >= RSS_UB_THRESHOLD
  Then: Add to Malicious node list as Sybil ID
  AND:
    Step 3: Ask for Recommendations
    Step 4: Sort and Analyze the Recommendations
    Step 5: Finding Dissimilarity of every Recommendation Received
    Step 6: Finding Smoothing Factor (SF): To determine the set of dishonest recommendation classes from the set
    Step 7: Concluding and Separating Dishonest Recommendation Domain and its Recommenders

Case 2:
  If: Got Sybil ID detection update packet
  Then: Check Address in Table
    If: Address is NOT in the Table
    Then: Repeat the following Steps
      Step 3: Ask for Recommendations
      Step 4: Sort and Analyze the Recommendations
      Step 5: Finding Dissimilarity of every Recommendation Received
      Step 6: Finding Smoothing Factor (SF): To determine the set of dishonest recommendation classes from the set
      Step 7: Concluding and Separating Dishonest Recommendation Domain and its Recommenders

Result: Finally, the set of dishonest recommenders or colluded nodes will be separated and added to the malicious table.

IV. PERFORMANCE EVALUATION / EXPERIMENTAL RESULTS

The proposed scheme has been implemented and evaluated using NS-2 (Network Simulator) with the parameters shown in Table I. The value of the averaged received signal strength, UB_THRESHOLD, is calculated in Watts for a transmitter moving at a speed of 10 m/s. The detection accuracy improves with a lower speed threshold. Nodes have to hear from other nodes within an average time TIME_THRESHOLD, or they will be detected as malicious, i.e. as Sybil IDs, on their next transmission. For simulation purposes we used 5 records per identity; however, depending upon the memory capacity, this value can be increased.

The aim of this simulation is to establish the detection rate of our detection scheme in different scenarios. As already discussed, several attributes affect the accuracy of collusion-resistant Sybil attack detection in our scheme, i.e. the number of network connections, node density and transmission. Speed is the main concern. The results shown are averaged over 15 different scenarios. In the following sections, the detection metrics are discussed and the simulation results are analyzed based on node speed, connection rates, node densities and packet transmission rates.

TABLE I: Simulation Parameters

| Parameter | Level |
|---|---|
| Area (Topography size) | 1000 m × 1000 m |
| Speed | 8 to 12 m/s |
| Pause Time | 10 to 20 s |
| Radio Propagation Model | Two-ray Ground Reflection |
| Radio Range | 250 m |
| Carrier Sense Range | 550 m |
| Number of Nodes | 40 - 50 |
| MAC | 802.11 |
| Simulation Time | 1000 s |
| Mobility Model | Random Waypoint Model |
| Malicious Population | 25% |
| Sybil Ids per Malicious Node | 5 |
| UB_RSS_THRESHOLD | 6.45 × 10^-10 Watts |
| Interaction Type | Direct & Indirect |
| Trust Value | [0,1] |

A. Metrics

The detection accuracy of the proposed scheme can be determined using four metrics, i.e. collusion detection rate, Sybil node detection rate, True Positive Rate (TPR) and False Positive Rate (FPR). TPR shows correct node detection, and FPR means false detection of a legitimate node, i.e. a legitimate node is detected as malicious.

$$\text{True Positive Rate} = \frac{\text{Correctly Detected Sybil IDs}}{\text{Total Sybil IDs}} \quad (1)$$

$$\text{False Positive Rate} = \frac{\text{Incorrectly Detected Benign IDs}}{\text{Total Benign IDs}} \quad (2)$$

$$\text{Collusion Detection Rate} = \frac{\text{Correctly Detected Colluded IDs}}{\text{Total Colluded IDs}} \quad (3)$$

B. Analysis

The Sybil and collusion attacks can be efficiently detected by the proposed scheme, as shown in Figure 4. The FPR is very low. Node density and the FPR of our scheme are inversely proportional to each other. Sensing of movement or the received RSS is an important factor for detection. A node needs to be involved in communication for its RSS value to be received. If a node sends and receives packets frequently, there is more chance for a neighbor node to detect it if it misbehaves or behaves as a Sybil node.

Figure 4: FPR in Sybil Node Detection. [Plot: Sybil Node Detection False Positive Rate (FPR) (in Presence of Collusion); x-axis: Time Steps.]

With fewer connections it is difficult to distinguish the positions of other nodes, because fewer connections imply fewer source and destination nodes. This likewise results in a higher FPR. The connections have no effect on TPR, which remained at almost 90% in our experimental results, as shown in Figure 5.

Figure 5: TPR in Sybil Node Detection. [Plot: Sybil Node Detection True Positive Rate (TPR) (in Presence of Collusion); x-axis: Time Steps.]

Figure 6 shows the collusion detection rate of our scheme on the basis of the collusion detection method defined in Section C. Again, the figure shows a very efficient detection rate for colluded nodes. This shows that the policies proposed for the detection of colluded nodes are adequate in reducing the risky associations among malicious nodes and benign nodes, preventing the promotion of a malicious node or the defaming of a benign node, and thus preventing the collusion attack.

Figure 6: Collusion Detection Rate. [Plot: Collusion Detection; x-axis: Time Steps.]

In the final Figure 7, as shown, our scheme detects colluded nodes very efficiently. Node density is inversely proportional to the false positives of our scheme in the network. The figure shows the true positive and false positive detection rates for colluded nodes. As depicted in Figure 7, in our experiments true positives remained around the 95% level and false positives around the 10% level. This shows that our scheme works better in mobile environments where users conspire together to defraud one or more users by taking advantage of breaches in the trust model. The results show that our scheme overcomes the collusion problem to a great extent.

Figure 7: TPR and FPR in Collusion Detection. [Plot: TPR & FPR in Collusion Detection; series: FPR, TPR; x-axis: Time Steps.]

From the analysis above it is clear that the proposed scheme is better in the MANET environment in the presence of 25% - 40% malicious nodes, node density, packet transmission rate and high network connection. With a lower node speed there will be improved detection accuracy. In simulation its value will be less than 10 m/s and at most 2 m/s in the real world. The main objective of the experiments is to demonstrate the benefits of using the multi-dimensional trust model in the presence of direct and witness-based collusion attacks. The impact of malicious nodes on aggregating the ratings can be reduced by using witness interaction trust and witness-based reputation.

V. CONCLUSION

This paper proposed a decentralized multi-dimensional trust model to detect dishonest recommendations in indirect trust computation for malicious collusion in Sybil attack detection. The model is based on a dissimilarity metric over the recommendations of the nodes that take part in Sybil attack detection. We have shown the vulnerability of uni-dimensional trust models to collusion attacks. We found that trust and reputation models need to be multi-dimensional in order to be resistant to collusion attacks. We proposed strategies for dealing with witness-based collusion attacks in Sybil attack detection in colluded environments. Experimental results of the proposed approach are also presented that clearly indicate its better performance. This shows that the policies proposed in our scheme for the detection of colluded nodes are adequate in reducing the risky associations among malicious and benign nodes, such as promoting a malicious node or defaming a benign node, thus preventing the collusion attack in the detection of Sybil nodes.

REFERENCES

[1] S. Niraj, D. R. Verman, "Distributed Position Localization and Tracking (DPLT) of Malicious Nodes in Cluster Based Mobile Ad hoc Networks (MANET)," WSEAS Transactions on Communications, ISSN: 11092742, Issue 11, Volume 9, November 2010.
[2] J. Merwe, D. Dawoud, and S. McDonald, "A survey on peer-to-peer key management for mobile ad hoc networks," ACM Computing Surveys, vol. 39, p. 1, 2007.
[3] J. R. Douceur, "The Sybil Attack," in Revised Papers from the First International Workshop on Peer-to-Peer Systems: Springer-Verlag, 2002.
[4] S. Abbas, M. Merabti, and D. Llewellyn-Jones, "Signal Strength Based Sybil Attack Detection in Wireless Ad Hoc Networks," Second International Conference on Developments in eSystems Engineering (DESE), UAE, 2009.
[5] J. Newsome, E. Shi, D. Song, and A. Perrig, "The Sybil Attack In Sensor Networks: Analysis & Defence," in Third International Symposium on Information Processing in Sensor Networks (IPSN'04), 2004, p. 259-268.
[6] S. Abbas, M. Merabti, and D. Llewellyn-Jones, "A Lightweight Sybil Attack Detection in MANETs," IEEE Systems Journal, 2012.
[7] B. N. Levine, C. Shields, and N. B. Margolin, "A Survey of Solutions to the Sybil Attack," Technical Report 2006-052, University of Massachusetts Amherst, Amherst, MA, October 2006.
[8] Y. A. Luis, B. Manuel, and L. John, "CAPTCHA: Using Hard AI Problems For Security," presented at the Proceedings of Eurocrypt, 2003.
[9] S. Abbas, M. Merabti, and D. Llewellyn-Jones, "Deterring Whitewashing Attacks in Reputation based Schemes for Mobile Ad hoc Networks," in Wireless Days (WD), IFIP, p. 1-6, 2010.
[10] M. Demirbas and Y. Song, "An RSSI-based Scheme for Sybil Attack Detection in Wireless Sensor Networks," in Proceedings of the International Symposium on World of Wireless, Mobile and Multimedia Networks: IEEE Computer Society, 2006.
[11] Z. Sheng, L. Li, L. Yanbin, and Y. Richard, "Privacy-Preserving Location based Services for Mobile Users in Wireless Networks," Department of Computer Science, Yale University, Technical Report ALEUlDCSfTR1297, 2004.
[12] J. Wang, G. Yang, Y. Sun, and S. Chen, "Sybil Attack Detection Based on RSSI for Wireless Sensor Network," in International Conference on Wireless Communications, Networking and Mobile Computing (WiCom'07), p. 2684-2687, 2007.
[13] B. Xiao, B. Yu, and C. Gao, "Detection and Localization of Sybil Nodes in VANETs," in Proceedings of the 2006 workshop on Dependability issues in wireless ad hoc networks and sensor networks, Los Angeles, CA, USA: ACM, 2006.
[14] T. D. Huynh, N. R. Jennings, and N. Shadbolt, "FIRE: An integrated trust and reputation model for open multi-agent systems," Journal of Autonomous Agents and Multi-Agent Systems, Vol. 13, No. 2, pp. 119154, 2006.
[15] N. Iltaf, A. Ghafoor and U. Zia, "A mechanism for detecting dishonest recommendation in indirect trust computation," EURASIP Journal on Wireless Communications and Networking, 2013, 2013:189.
[16] Y. Hao, J. Tang, and Y. Cheng, "Cooperative Sybil attack detection for position based applications in privacy preserved VANETs," in Proc. IEEE GLOBECOM, Houston, Texas, Dec. 5-9, 2011.