IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 24, NO. 2, FEBRUARY 2006

329

Security and Cooperation in Clustered Mobile Ad Hoc Networks With Centralized Supervision

Spyridon Vassilaras, Member, IEEE, Dimitrios Vogiatzis, and Gregory S. Yovanof, Senior Member, IEEE

Abstract—Although individual node cooperation is necessary for the correct execution of network protocols in mobile ad hoc networks (MANETs), it is not always guaranteed. In this paper, we present a node reputation scheme aiming at reinforcing node cooperation in MANETs with centralized control. This scheme was designed for centralized ad hoc network architecture (CANA), an ad hoc enhancement to the HIPERLAN/2 WLAN standard. Misbehavior detection techniques for protocol attacks in both the cluster formation and data transmission phases of the network operation are developed. Statistical methods for selecting the optimal parameters of the reputation scheme are investigated and their efficiency is illustrated through theoretical analysis and simulation results. Throughout this paper, the specific aspects of CANA that impose particular design decisions are outlined and the applicability of our scheme to other network architectures is discussed.

Index Terms—Ad hoc networks, cooperation, HIPERLAN/2, misbehavior detection, random walk, reputation mechanism, security.

I. INTRODUCTION

ADDRESSING the need for security in wireless networks is of paramount importance for their widespread usage. Apart from classical security issues (such as user, host and packet authentication, data integrity and privacy, nonrepudiation, key management, etc.) ensuring the cooperation of nodes emerges as a crucial and complicated problem in mobile ad hoc networks (MANETs). The correct execution of network functions in MANETs relies on the cooperation of the individual nodes that constitute the network. Malicious nodes that intentionally fail to execute their part of a network protocol in order to cause damage and selfish nodes that do not cooperate in order to save precious resources (such as battery power) can severely disrupt proper network operation. Thus, providing incentive mechanisms that will convince selfish nodes to cooperate and detection mechanisms that will identify malicious nodes and isolate them from the network is a critical issue, which has received considerable attention recently from the research community.

In this paper, we investigate the security aspects (focusing on node cooperation and preventing protocol attacks) of a special type of wireless network architecture, the centralized ad hoc network architecture (CANA), which has been developed under the IST BROADWAY project (IST-2001-32686). CANA ([13], [14]) is a hybrid architecture which combines infrastructure-based wireless network and clustered MANET features in order to increase network capacity. Although our scheme for detecting misbehaving nodes and reinforcing their cooperation is designed for this specific network, we strongly believe that it can provide insights and useful ideas for reputation schemes in other network environments.

Manuscript received October 1, 2004; revised August 15, 2005. This work was supported in part by the Commission of the European Community under the BROADWAY Project IST-2001-32686. This paper was presented in part at the IEEE International Conference on Information Technology (ITCC), April 2005, Las Vegas, NV.
The authors are with Athens Information Technology, 19002 Peania, Athens, Greece (e-mail: [email protected]; [email protected]; [email protected]).
Digital Object Identifier 10.1109/JSAC.2005.861391
0733-8716/$20.00 © 2006 IEEE

In the literature of node cooperation enforcement, the proposed solutions can be subdivided into two main categories: trade-based schemes and reputation-based schemes (see [1] for a more rigorous taxonomy of incentive schemes). In trade-based schemes, a node that provides some service to a peer node (e.g., packet forwarding) is rewarded by either another immediate service in exchange or some monetary token that it can later use to buy services from another node (e.g., [2]–[4]). In reputation-based schemes, each node keeps a reputation metric for other nodes it deals with and provides services only to nodes that exhibit good reputation (e.g., [5]–[12]). In all reputation-based mechanisms for cooperation reinforcement, each node in the network performs two distinct functions: rating the behavior of neighboring nodes and using these ratings to adjust its own behavior toward them. Rating the conformance of neighboring nodes to the network protocols in single-channel MANETs is simply performed through monitoring of the common channel. However, in clustered MANETs which use different channels in each cluster and bridge nodes to relay packets between clusters (such as CANA and Bluetooth scatternets) a node cannot receive all transmissions of all its neighbors. Hence, a different technique for rating the services provided by them has to be devised. This situation is very common in wired networks where routers and bridges cannot use common channel monitoring to rate their neighbors.

In [23], a method for detecting routers that drop or misroute packets based on the conservation of flow principle is developed. This method is not intended to detect malicious routers that alter the contents of packets. This could be achieved by an end-to-end authenticated acknowledgment (ACK) scheme. However, digitally signing each ACK using asymmetric cryptography would put a tremendous overhead on the network. The authors in [21] propose a solution based on symmetric cryptography which allows the source of a packet to detect misbehaving links (pairs of adjacent routers) in the packet’s path. The limitation of this protocol is that a malicious source node can wrongfully accuse well-behaving links of misbehaving. Therefore, the information gathered about faulty links in a route is trusted only at the source node. In this paper, we develop a new approach for gathering ratings of the forwarding behavior of nodes by a central trusted authority in networks where common channel monitoring is not always possible. Our method is based on the TESLA ([25], [26]) broadcast authentication protocol which uses symmetric cryptography. It allows a central authority to obtain information with equivalent value to that obtained when the results of common channel monitoring are reported to the central authority.

Another set of protocol attacks against CANA is related to the neighborhood discovery (ND) and cluster formation operation of this network. So far, research on secure protocols for MANETs has focused on secure routing and cooperation for packet forwarding. In this paper, we investigate cooperation enforcement for ND and cluster formation in the context of CANA.

Last but not least, our work sheds some new light into the problem of wrongfully accusing a node for misbehavior due to nonintentional failures to cooperate. Most reputation schemes available in the literature deal with this issue by allowing nodes to misbehave with a certain small probability. This can be achieved by maintaining a reputation metric which is reduced or increased according to the observed behavior (e.g., [5], [6], and [12]). A node is considered selfish or malicious if its reputation metric falls below a given threshold. In a related approach ([10], [11]), instead of a scalar reputation metric, a parametric Beta function is used to depict the belief distribution [or prior probability density function (pdf)] of a node’s probability to misbehave. Updates of beta functions are performed based on the assumption that observations of a node’s behavior are independent identically distributed (i.i.d.). In this paper, we take the former approach of scalar reputation metrics and perform a quantitative analysis on methods for selecting step sizes and threshold values.
We treat the evolution of the reputation metric over time as a stochastic process and select its parameters with the goal of keeping the probability of accusing a cooperating node very low, while detecting misbehaving nodes (even those which misbehave occasionally) with high probability. Both time dependent and independent stochastic models are considered and the results are evaluated with simulation experiments.

The rest of this paper is organized as follows. In Section II, a brief description of CANA is provided focusing on its centralized routing and cluster formation protocols. The security framework of CANA is presented in Section III. In Section IV, noncooperative attacks against the cluster formation protocol are described. We develop a general framework for detecting such attacks and introduce a reputation scheme for distinguishing between unintentional misbehavior and malicious or selfish behavior of mobile nodes. Section V deals with detecting misbehavior and reinforcing cooperation during data transmission. Finally, conclusions are drawn in Section VI.

II. CANA SYSTEM ARCHITECTURE

Existing wireless local area network (WLAN) technologies like IEEE 802.11 or HIPERLAN/2 (HL/2) cannot always satisfy the needs of modern multimedia network applications for increased data rates, due to the nature of the wireless channel. Indeed, in the case where a large number of users with high traffic needs are in the transmission range of each other, hotspot areas are formed. To increase the capacity of such networks, the CANA has been introduced ([13], [14]). CANA incorporates ad hoc characteristics in the standard HL/2 operation and allows for the support of high data rates in highly dense areas based on a dual mode of operation, i.e., the standard mode at 5 GHz and an ad hoc extension of HL/2 at 60 GHz [13]. Therefore, in order to describe CANA and its specific security and node cooperation needs, a brief description of HL/2 is required.

HIPERLAN/2 ([16], [17]) is a standard specification for WLANs developed by the European Telecommunication Standards Institute (ETSI). The physical layer of HL/2 is based on an orthogonal frequency-division multiplexing (OFDM) modulation scheme which supports data rates up to 54 Mb/s. The medium access control (MAC) layer is based on a scheme called time-division multiple-access/time-division duplex (TDMA/TDD), where a central entity, usually the access point (AP), grants resources to the mobile terminals (MTs), upon request. A small part of each MAC frame consists of a random access channel used by MTs for functions that cannot be centrally scheduled (e.g., to initially associate with an AP). The standard specifies two different operation modes: the centralized mode (CM) and the direct mode (DM). In CM, an AP is connected to a wired core network which serves the MTs associated to it. All traffic has to pass through the AP, regardless of whether the data exchange is between an MT and a terminal elsewhere in the core network or between MTs belonging to this AP. In DM, the medium access is still managed in a centralized manner by a central controller (CC). However, user data traffic is exchanged between terminals without going through the CC.

CANA’s primary aim is to offload the 5 GHz band by using resources from the 60 GHz band. A specific set of MTs that are closely located and want to exchange data at a high rate create an ad hoc network in the form of a cluster of MTs that operate in the 60 GHz mode of operation for a certain number of frames. MTs can alternate between the 5 GHz and the 60 GHz mode of operation depending on the network topology and their current communication needs. The 60 GHz mode of operation is characterized by increased data rates and shorter transmission range (around 7 m) compared with the operation at 5 GHz (around 50 m). Hence, at 60 GHz, not all MTs are in direct communication with the AP. For this reason, the MTs form clusters that are similar in operation to the HL/2 cell, where the role of the AP is assumed by a designated MT called clusterhead (CH) [15]. Each cluster operates at a different frequency channel in the 60 GHz band in order to avoid interference with neighboring clusters. Communication between MTs that belong to different clusters is achieved with the help of forwarding nodes (FNs). FNs belong to two adjacent clusters and forward data packets among them. A snapshot of a CANA system configuration is shown in Fig. 1.

Fig. 1. CANA system architecture.

The AP is in charge of deciding on the cluster formation, assigning CHs and FNs and predefining routes, based on communication needs and connectivity information provided by the MTs. This is achieved by a ND algorithm [15], which is performed repeatedly in order to adapt to dynamic network conditions. When a broadcast “Next ND Phase” message is received by the MTs, they all enter the ND phase and send “ND messages” in specific time slots (so that collisions do not occur) at 60 GHz. Then, each MT sends to the AP an MTi-table, each row of which is filled with the source MAC address of an “ND message” it has received and the quality of reception (link status). Based on input from all MTs, the AP then decides on the exact cluster topology and communicates it to the MTs.

III. CANA SECURITY FRAMEWORK

The HL/2 standard includes a data link-layer security framework which provides for confidentiality and integrity of transferred data and ensures that only legitimate users have access to the wireless network ([16], [17]). To this end, encryption of the transmitted data on the radio link and mutual authentication between AP and MTs is performed. Finally, key management is a supporting function for both encryption and authentication.

The standard defines three different authentication methods: no authentication at all, preshared key authentication or RSA-based authentication. No authentication is used for open systems where the mobile stations do not need to be authenticated. The latter two define methods to support mutual authentication between MT and AP. Data encryption in HL/2 can be performed using two encryption algorithms, DES and its stronger variant 3DES, to support differentiated levels of security service. Data can be encrypted both uplink and downlink between the AP and MTs (centralized mode) and directly between two MTs (direct mode). For the exchange of the encryption keys, the Diffie–Hellman (DH) protocol is used, based on the long term, preshared keys. There is also a mechanism for key refresh so that the same symmetric key is not used for too long. For each connection between the AP and an MT or between two MTs, a different encryption key is used for data integrity and confidentiality. Let us denote by the symmetric key shared between the AP and the th MT and the DM key shared between the th and th MTs. Note that as soon as encryption is agreed upon and symmetric encryption keys have been exchanged, all user data as well as part of the control data exchanged between the nodes are being encrypted. In an AP-MT link, user and control data are encrypted with the same key. This policy gives the AP access to the user data. If this is unwanted, higher layer encryption should be employed for end-to-end user data confidentiality.

In conclusion, HL/2 exhibits relatively strong link-layer security features. Indeed, there is no known security weakness and the only possible objection is that the specified primitives are computationally expensive [27]. This might put a severe computational burden both on “light” portable MTs and, due to the centralized architecture, on the AP. Several security enhancements are presented in [28] to make the overall security mechanism of HL/2 more robust.

The general philosophy of the overall CANA architecture is to build on the HL/2 standard, keeping its main structure and modifying it only to make the necessary enhancements for the 60 GHz mode of operation. Our approach to analyzing the security aspects of CANA is the same: utilizing as much of the security infrastructure of HL/2 as possible, while identifying the security implications of the new architecture and proposing suitable ways of addressing them. The main difference between HL/2 and CANA from a security point of view is that in the former, a trusted entity (the AP) can always receive the transmissions of all MTs in its jurisdiction. This has two important consequences: the AP can police the whole cell for misbehaving nodes and there is no need to rely on a not necessarily trusted MT to forward packets or assist in cluster formation and routing decisions. The fact that the range of 60 GHz transmission is much smaller than the 5 GHz cell radius opens the door to ND and routing protocol attacks and requires a slightly different key distribution scheme to keep user data confidential from CHs and FNs. In the CANA architecture, the AP assumes the role of a trusted Security Manager and Cooperation Enforcer. Its main responsibilities are access control, key distribution, and maintaining a reputation mechanism for misbehavior detection.
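To make the key separation concrete, here is an added Python sketch (not code from the paper or the BROADWAY project) of the arrangement Section III calls for and the following paragraphs detail: the AP mints a control key for each CH-MT pair and a separate user-data key for each MT-MT session, hands each node only its own keys, and the CH relays ciphertext it cannot read. The distribution procedure, the message layout, the names `ap_distribute_keys`, `send_user_data`, `ch_relay` and `control_tag`, and the SHA-256 keystream used in place of HL/2's DES/3DES are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


def keystream_xor(key, nonce, data):
    """Toy stream cipher (SHA-256 counter-mode keystream XORed into data).
    Stand-in for the link-layer cipher so the example runs offline; it is
    not a substitute for a real cipher."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def ap_distribute_keys(ch, members, sessions, rng=os.urandom):
    """AP side (assumed procedure): mint one control key K_CH,i per cluster
    member i and one user-data key K_i,j per 60 GHz data session, then hand
    each node only the keys it is entitled to. In CANA these bundles would
    travel over the already secured 5 GHz AP-MT links."""
    k_ch = {m: rng(16) for m in members}
    k_pair = {tuple(sorted(s)): rng(16) for s in sessions}
    bundles = {ch: {"ctrl": dict(k_ch), "user": {}}}  # the CH gets no K_i,j
    for m in members:
        bundles[m] = {"ctrl": {ch: k_ch[m]},
                      "user": {p: k for p, k in k_pair.items() if m in p}}
    return bundles


def send_user_data(bundle, src, dst, plaintext, nonce):
    """MT i encrypts user data for MT j under K_i,j before handing it to the CH."""
    key = bundle["user"][tuple(sorted((src, dst)))]
    return {"src": src, "dst": dst, "nonce": nonce,
            "body": keystream_xor(key, nonce, plaintext)}


def ch_relay(ch_bundle, frame):
    """The CH forwards the frame unchanged. The best it can do with its own
    keys is to try K_CH,src on the body, which yields garbage."""
    attempt = keystream_xor(ch_bundle["ctrl"][frame["src"]], frame["nonce"], frame["body"])
    return frame, attempt


def receive_user_data(bundle, frame):
    """MT j recovers the payload with the pair key it got from the AP."""
    key = bundle["user"][tuple(sorted((frame["src"], frame["dst"])))]
    return keystream_xor(key, frame["nonce"], frame["body"])


def control_tag(bundle, peer, msg):
    """Control traffic between CH and MT i is protected under K_CH,i."""
    return hmac.new(bundle["ctrl"][peer], msg, hashlib.sha256).digest()


def demo():
    """Constructed walk-through with deterministic keys derived from a fixed seed."""
    counter = [0]

    def rng(n):
        counter[0] += 1
        return hashlib.sha256(b"demo-seed" + bytes([counter[0]])).digest()[:n]

    bundles = ap_distribute_keys("CH", ["MT1", "MT2"], [("MT1", "MT2")], rng)
    payload = b"user payload from MT1 to MT2"
    frame = send_user_data(bundles["MT1"], "MT1", "MT2", payload, b"nonce-01")
    relayed, ch_view = ch_relay(bundles["CH"], frame)
    ctrl = b"ND connectivity report"  # constructed control message
    return {
        "mt2_recovers": receive_user_data(bundles["MT2"], relayed) == payload,
        "ch_reads_user_data": ch_view == payload,
        "ctrl_tag_verifies": hmac.compare_digest(
            control_tag(bundles["MT1"], "CH", ctrl),
            control_tag(bundles["CH"], "MT1", ctrl)),
    }


if __name__ == "__main__":
    print(demo())
```

The CH holds K_CH,i for every member, so it can authenticate and decrypt control traffic, but it never receives a K_i,j and therefore sees only ciphertext on the user-data channel; this is the property the separation of control and user data into different logical channels is meant to buy.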


In HL/2, user and control data sent over the same link (for both CM AP-MT and DM MT-MT links) are encrypted with the same symmetric key, which is always known to the AP. In a CANA cluster, the CH is not necessarily trusted by the MTs, so we do not want the CH to have access to the user data. This can be achieved by having control and user data exchanged between the CH and the th MT encrypted by a symmetric key (which we denote by ) and user data exchanged between the th and th MTs (relayed by one or more CHs and FNs) encrypted by their shared symmetric key . This is facilitated by the complete separation of control and user data in different logical channels encountered in HL/2 and CANA.

Another critical issue concerns the method of establishing symmetric keys between a CH and the MTs in its cluster. There is a tradeoff between having the AP distribute these keys using the secure links at 5 GHz (more work for the AP) or letting the cluster members perform a DH key exchange (much more work for the CH and MTs in the cluster). Since the whole design philosophy of CANA is centralized, we tend to favor the former approach. The AP is also aware of the data sessions between MTs at 60 GHz (this information is used in cluster formation decisions) so it can provide the MTs with the required keys before they switch to the 60 GHz mode.

The above security mechanisms in CANA guarantee the same level of authentication, confidentiality, and data integrity achieved in HL/2. They are not sufficient, however, in terms of protection against protocol attacks from malicious or selfish (though authenticated) nodes. Such attacks/misbehavior can happen during the ND phase and during 60 GHz data transmission. In other words, since CANA moves to a more ad hoc architecture compared with HL/2, it is prone to (well known in the literature of MANETs) noncooperative behavior issues. The key mechanism for addressing these issues is a node reputation mechanism implemented by the AP. The goal of this mechanism is to keep track of misbehaving MTs so that they can be isolated from the network and penalized appropriately. This reputation mechanism has to be incorporated within the general security framework since it is tightly coupled with authentication and higher layer security policies. In the following sections, we investigate methods for preventing noncooperating behavior during the ND and data transmission phases in centralized ad hoc networks based on a reputation mechanism implemented at the AP.

IV. REINFORCING COOPERATION DURING THE ND PHASE

A. General Framework

In the ND phase, the MTs exchange “ND messages” in order to provide 60 GHz connectivity information to the AP, as described in the previous section. Unfortunately, the ND protocol is prone to a multitude of noncooperative scenarios: A malicious node may send a false “ND message” masquerading as another node, modify the MTi-table by adding or removing rows, or refuse to send an “ND message.” It can also replay “ND messages” it has received from other nodes or launch a so called wormhole attack in cooperation with another MT (forward received “ND messages” via a private channel to an accomplice which will replay them). Replaying and wormhole attacks aim to create the false impression that MTs which are out of range of each other can actually communicate, thus creating disconnected clusters. A selfish node may refuse to send “ND messages” and/or send an empty MTi-table to the AP so that it will not be asked to participate in any cluster and need to consume energy. All the above attacks against the correct execution of the ND protocol can be divided into two categories.

• MTi-table row removal and refusal to send “ND messages” constitute passive attacks, which attempt to conceal connectivity information from the AP.

• The remaining illegal actions constitute active attacks, which provide the AP with false connectivity information.

The simple authentication scheme presented below, which is based on security primitives of CANA (inherited from HL/2), is able to defend against all active attacks by one or more noncolluding nodes. We assume that an attacker does not have access to the physical layer characteristics of the MT transceivers. Hence, he is not able to perform physical layer attacks such as modifying the transmission power, using sectored antennas for transmission, or making the MT act as a repeater (retransmitting what it is receiving with no time lag).

For each new ND phase, the AP generates and includes in the “Next ND Phase” message a random number, “Next ND RN.” Each MT encrypts this random number with the symmetric key that it shares with the AP and includes the result in the “ND message,” as a form of a digital signature. The MTi-tables are also modified to include a column with these encrypted values and a column with the time slot when the “ND message” was received (to defend against replaying attacks). In this way, an addition of a false row to the MTi-table will be detected by the AP, since the encrypted random number in this entry will not decrypt to the correct “Next ND RN” with the associated symmetric key. For the same reason an MT cannot impersonate another MT by putting the other MT’s MAC address in its own “ND message.” Replaying attacks are also detected by the proposed scheme because each MT gets a specific time slot in which to send “ND messages” and the “Next ND RN” prevents replaying “ND messages” from previous time slots of the present or a past ND phase.

However, two colluding attackers can mount successful active attacks because the first attacker can transmit its encrypted “Next ND RN” through a private channel or, worse yet, divulge its secret key to the second one which will be able to successfully impersonate the first one. In order to defend against colluding attackers, a more sophisticated algorithm which relies on tamper-proof hardware inside all nodes must be implemented. Under this scheme, different symmetric keys will be used for data encryption and signing of the “Next ND RN.” This second secret key (denoted by ), as well as the preshared authentication key of the node, will be known only inside a tamper-proof hardware module. This module will perform the initial authentication of the MT and sign outgoing “ND messages” by computing a Message Authentication Code of the “Next ND RN” using . This authentication token will be released to the MT by the secure module only at the time slot when the “ND message” is to be transmitted. This time slot will be communicated encrypted from the AP to the secure module, so that the nontamper-proof part of the MT cannot trick the secure module into an earlier release of the token. For simplicity, a given MT can be expected to transmit its “ND message” during the same time slot in all ND phases. Upon reception of an “ND message” by the th MT, this should be handed to the recipient’s secure module which will compute a Message Authentication Code (using ) on the concatenation of and the time slot in which this “ND message” was received. Both and have to be transmitted to the AP by node . This way the AP can verify that node has directly received an “ND message” by node and not through a colluding malicious node . Active attacks are characterized by the fact that they aim at deceiving the AP into believing that two MTs that are out of range of each other can actually communicate. Therefore, upon detecting an active attack, the AP just ignores the fake connectivity information and proceeds with cluster formation without trying to discover the offender and take action against it. Since all active attacks are detected and can cause no damage to the correct execution of the ND protocol, malicious nodes have no incentive to launch an active attack.

TABLE I SUMMARY OF PASSIVE ATTACKS AGAINST THE ND PROTOCOL

B. The Need for a Reputation Mechanism

On the contrary, passive attacks aim at concealing from the AP the fact that two MTs can communicate. In some cases, the omitted connectivity information cannot be reliably reconstructed by the AP and, thus, selfish or malicious MTs have a motive to exhibit this kind of behavior. To discourage them from doing so, the AP should try to determine which MT has misbehaved and take appropriate action. Passive attacks can be detected by comparing the received MTi-tables from different MTs. Let us assume for example that the received MTi-tables at the AP from nodes A and B are inconsistent, indicating that node A has heard from node B, but B has never heard from node A.
Then, two things might be happening: either B is lying (has removed from its MTi-table the entry corresponding to node A) or node A has not sent “ND messages” at all (note that the defense mechanism against active attacks prevents the possibility that node A has maliciously added an extra row to its MTi-table). But, if the AP has received at least one other MTi-table containing node A, it can be certain that A actually sent an “ND message” and, thus, B is probably the misbehaving node. We say “probably” because there is a small chance that B never received A’s “ND message” or received it incorrectly due to node mobility or communication link failure. In this case, we have a “false positive,” where B will be accused of having a row removed from its MTi-table while this is not true. There is also the possibility of a “false negative,” where B removes A from its MTi-table but goes undetected by the AP. This happens when: 1) A has no well-behaving neighbors; 2) both A and B have removed each other from their MTi-tables; or 3) A has not received B’s “ND message” due to link failure. Similarly, the AP suspects a node B of having kept silent during the ND phase if no MT reported having received B’s “ND message.” A “false positive” in this case occurs when: 1) there were no other MTs in B’s vicinity or 2) all of B’s neighbors removed it from their MTi-tables or did not receive B’s “ND message” due to link failure. Table I summarizes the AP’s ways of suspecting a passive attack by node B and lists all “false positive” and “false negative” cases.

In order to limit the effect of false positives, the AP can observe each MT for a larger amount of time than a single ND phase, and compare its behavior to the expected behavior of a well-behaving node. One common way of keeping track of a node’s long-term behavior is by assigning to it a reputation metric which will be reduced if the node is suspected to have misbehaved and increased otherwise. If this metric falls below a given threshold, the node is considered misbehaving. This way, not only nodes that exhibit consistent misbehavior, but also nodes that misbehave with a certain probability will get detected. Although this scheme is popular in the literature (e.g., [5], [6], and [12]) it has not been, to the best of our knowledge, analyzed quantitatively. In the remainder of Section IV, we model the evolution of a reputation metric in time as a random process and investigate its efficiency in detecting misbehaving nodes, while keeping the probability of wrongly accusing a well-behaving node very low.

C. Reputation Metric as a Random Walk Process

Because of the different nature of the “false positives” in each type of passive attack, the AP will keep two reputation metrics for each MT: for row removals and for keeping silent. Both metrics should be initialized at some positive value (the same for metrics 1 and 2). The first metric is increased for each legitimate entry in the MT’s MTi-table and reduced when there are suspicions that the MT has removed a row from the table. The second metric is updated once at each ND phase according to whether the MT is contained in at least one MTi-table. Therefore, after the th “event,” we have with:

• , if a suspicious event occurs;

• , otherwise.
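The following Python block is an added example (not the paper's code) that puts the AP-side checks of Sections IV-A and IV-B and the two reputation metrics of Section IV-C together on a constructed four-node ND phase: each ND message carries a MAC over the Next ND RN under the key the MT shares with the AP (the paper speaks of encrypting the nonce; an HMAC is assumed here), the AP rejects rows with bad tokens or wrong receive slots, cross-checks the surviving MTi-tables for the two passive-attack patterns, and moves R1 and R2 by fixed steps until one of them reaches zero. Keys, slots, node names, step sizes and the initial value are constructed values.

```python
import hashlib
import hmac

# Constructed sample data (not from the paper): four MTs, the key each shares
# with the AP, and the fixed ND time slot assigned to each MT. Hypothetical values.
KEYS = {"A": b"key-A", "B": b"key-B", "C": b"key-C", "D": b"key-D"}
SLOTS = {"A": 1, "B": 2, "C": 3, "D": 4}
NEXT_ND_RN = b"\x01\x02\x03\x04"  # constructed "Next ND RN" for this phase


def nd_token(key, nd_rn):
    """Token an MT embeds in its 'ND message': a MAC over the Next ND RN under
    the key it shares with the AP (the paper says 'encrypts'; a MAC is assumed)."""
    return hmac.new(key, nd_rn, hashlib.sha256).digest()


def ap_verify_tables(tables, keys, slots, nd_rn):
    """Active-attack defence. tables: {reporter: [(src, slot, token), ...]}.
    A row survives only if its token verifies under the claimed source's key
    (no false rows, no impersonation) and the receive slot is that source's
    assigned slot (no replay). Returns ({reporter: set(src)}, rejected rows)."""
    accepted, rejected = {}, []
    for reporter, rows in tables.items():
        accepted[reporter] = set()
        for src, slot, token in rows:
            if src not in keys or not hmac.compare_digest(token, nd_token(keys[src], nd_rn)):
                rejected.append((reporter, src, "bad token"))
            elif slot != slots[src]:
                rejected.append((reporter, src, "wrong slot (replay)"))
            else:
                accepted[reporter].add(src)
    return accepted, rejected


def passive_suspicions(accepted):
    """Cross-check the accepted tables (Section IV-B).
    Row removal (type 1): A reports B, B does not report A, and some third
    table also contains A, so A certainly transmitted.
    Silence (type 2): an MT that sent a table but appears in nobody's table."""
    reported = {src for rows in accepted.values() for src in rows}
    removal = set()
    for a, heard in accepted.items():
        for b in heard:
            if b in accepted and a not in accepted[b]:
                if any(a in rows for r, rows in accepted.items() if r not in (a, b)):
                    removal.add(b)
    silence = {mt for mt in accepted if mt not in reported}
    return removal, silence


def update_reputation(rep, accepted, removal, silence, up=1.0, down=5.0, init=50.0):
    """Two scalar metrics per MT (Section IV-C): R1 for row removal, R2 for
    silence. R1 gains `up` per legitimate entry and loses `down` on suspicion;
    R2 moves once per ND phase. An MT is accused when either metric is <= 0."""
    for mt in accepted:
        r = rep.setdefault(mt, {"R1": init, "R2": init})
        r["R1"] += up * len(accepted[mt])
        if mt in removal:
            r["R1"] -= down
        r["R2"] += (-down) if mt in silence else up
    return {mt for mt, r in rep.items() if r["R1"] <= 0 or r["R2"] <= 0}


def sample_nd_phase():
    """One constructed ND phase: B silently drops A's row, C adds a fake row
    for D, and D reports a replay of A's message in the wrong slot."""
    t = lambda mt: nd_token(KEYS[mt], NEXT_ND_RN)
    tables = {
        "A": [("B", 2, t("B")), ("C", 3, t("C"))],
        "B": [("C", 3, t("C"))],                     # A's row removed (passive)
        "C": [("A", 1, t("A")), ("B", 2, t("B")), ("D", 4, b"\x00" * 32)],  # fake row
        "D": [("A", 5, t("A"))],                     # valid token, wrong slot
    }
    return ap_verify_tables(tables, KEYS, SLOTS, NEXT_ND_RN)


def run_phases(k, up=1.0, down=5.0, init=50.0):
    """Repeat the sample phase k times and return the MTs accused so far."""
    rep, accused = {}, set()
    for _ in range(k):
        accepted, _rejected = sample_nd_phase()
        removal, silence = passive_suspicions(accepted)
        accused |= update_reputation(rep, accepted, removal, silence, up, down, init)
    return accused


if __name__ == "__main__":
    accepted, rejected = sample_nd_phase()
    print("accepted:", accepted)
    print("rejected:", rejected)
    print("suspects (removal, silence):", passive_suspicions(accepted))
    print("accused after 13 phases:", run_phases(13))
```

In the constructed scenario B drops A's row and D has no neighbours at all, so D is a type-2 false positive in the paper's terms; with these step sizes D is accused after ten phases and B after thirteen, which is exactly the kind of outcome the parameter analysis in the following subsections is meant to control.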


TABLE II SUMMARY OF NOTATIONS I

If the th reputation metric of a node becomes smaller than or equal to 0, this node is considered to have performed a type passive attack. Clearly, the random process is a random walk in which the event of a node getting accused for misbehavior is a threshold crossing event [19]. For a well-behaving node, we expect suspicious events of type 1 to occur more or less independently with a small probability , as they are caused by fluctuations in the quality of the wireless link. False positives of type 2 will probably exhibit strong time dependencies, particularly in networks with low node mobility where the number of neighbors a given MT has changes slowly with time.

Let us first concentrate on for a well-behaving node, which is a random walk with i.i.d. steps. Assuming that we can estimate with a reasonable accuracy,1 we want to set the parameters of the random walk in such a way that the threshold crossing probability (i.e., the probability of wrongly accusing a well-behaving node) does not exceed a very small value . A logical choice for the value of is

which results in a zero drift random walk by making the mean value of the per step change in the reputation metric equal to 0. It is well known that a zero drift random walk with infinite horizon will eventually cross any finite threshold with probability 1. To avoid this, we can select an appropriate window size , and update the reputation metric for , as follows:

An upper bound to the threshold crossing probability for a random walk in a finite horizon is given by

(1)

where is the minimizing in and . Unfortunately, an exact value for this probability cannot be obtained. An exact value can be calculated for the case where (and suspicious events are i.i.d.), and we will take a little detour to investigate this case before continuing with the zero mean random walk approach.

1 In any case, a conservative estimate of P can be used instead, e.g., the upper end of a 99% confidence interval.

Fig. 2. Probability of a malicious node getting detected as a function of its misbehavior probability P.

D. Measuring Empirical Frequencies of Suspicious Events

The reputation metric scheme with is similar to measuring the empirical frequency of suspicious events in a window of size n and comparing it to the probability of such events. The probability that a well-behaving node experiences exactly suspicious events out of events follows the binomial distribution:

(2)

Based on this expression, we can find an integer , such that and . In other words, the value of the threshold is the maximum number (and the ratio the maximum relative frequency) of suspicious events in a sliding window of size that we can accept without accusing the MT of having misbehaved. Clearly, under this scheme, a consistently misbehaving node will get caught after events. However, a more sophisticated malicious node can try to evade detection by misbehaving with some probability and independently from previous events. The probability that an MT which behaves in such a way produces exactly suspicious events is given by (2) if is replaced by . In Fig. 2, we plot the base 10 logarithm of the probability of a misbehaving MT getting accused as a function of . To generate this plot, we assumed 10 and , requested that 10 and used these parameters to compute . Fig. 2 shows that the probability of detecting the malicious MT grows very fast, approaching 1 for 10 .

Fig. 3 shows the effect of varying the window size n on the probability of detecting a node which behaves maliciously with 10 when 10 and 10 , as in the previous graph. Of course, is a function of (plotted in Fig. 4) and the seesaw pattern in Fig. 3 is due to the fact that takes only integer values.
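The threshold selection of this subsection can be computed directly from the binomial expression. The Python block below is an added example, not the paper's code: it reads the condition on the integer threshold as "the smallest a for which the probability of more than a suspicious events in a window of n is at most P_fp", evaluates the detection probability of a node misbehaving with probability P_m, tabulates both against the window size, and applies the concurrent-window rule suggested at the end of this section. The parameter values in the demo (P_s, P_fp, P_m, window sizes) are constructed and are not those used for the paper's figures.

```python
import math


def binom_pmfs(n, p):
    """pmf of Binomial(n, p) for k = 0..n, computed in log space so that
    windows of 10^5 events do not overflow a float (expression (2))."""
    if p <= 0.0 or p >= 1.0:
        hit = 0 if p <= 0.0 else n
        return [1.0 if k == hit else 0.0 for k in range(n + 1)]
    lg = math.lgamma
    return [math.exp(lg(n + 1) - lg(k + 1) - lg(n - k + 1)
                     + k * math.log(p) + (n - k) * math.log1p(-p))
            for k in range(n + 1)]


def threshold(n, p_s, p_fp):
    """Smallest integer a such that a well-behaving node (suspicious-event
    probability p_s) exceeds a events in a window of n with probability at
    most p_fp. a is the maximum count tolerated without an accusation, so a
    consistently misbehaving node is caught after a + 1 events."""
    tail = 1.0
    for a, pk in enumerate(binom_pmfs(n, p_s)):
        tail -= pk  # tail is now P[X > a]
        if tail <= p_fp:
            return a
    return n


def tail_above(n, p, a):
    """P[X > a] for X ~ Binomial(n, p)."""
    return sum(binom_pmfs(n, p)[a + 1:])


def detection_probability(n, p_s, p_fp, p_m):
    """Probability that an MT misbehaving independently with probability p_m
    is accused within one window of n events (the quantity of Fig. 2 / Fig. 3)."""
    return tail_above(n, p_m, threshold(n, p_s, p_fp))


def detection_vs_window(sizes, p_s, p_fp, p_m):
    """(n, a, detection probability) per window size: the seesaw of Fig. 3
    comes from a taking integer values only (Fig. 4)."""
    return [(n, threshold(n, p_s, p_fp), detection_probability(n, p_s, p_fp, p_m))
            for n in sizes]


def multi_window_verdict(counts, p_s, p_fp):
    """Concurrent sliding windows of several sizes: accuse when any window's
    count exceeds that window's own threshold. counts: {n: events in last n}."""
    return any(c > threshold(n, p_s, p_fp) for n, c in counts.items())


if __name__ == "__main__":
    # Constructed parameters, not the paper's: P_s = 0.1, P_fp = 0.01, P_m = 0.5
    for n, a, p in detection_vs_window([10, 20, 50, 100, 200], 0.1, 0.01, 0.5):
        print(f"n={n:4d}  a={a:3d}  P[detect]={p:.4f}")
    print("accused by any window:", multi_window_verdict({10: 5, 100: 12}, 0.1, 0.01))
```

Because the threshold is an integer, enlarging the window by one event can either leave a unchanged (detection probability rises) or bump a by one (detection probability drops), which is the sawtooth the text attributes to Fig. 3; running several window sizes side by side, as suggested above, lets a short window react quickly to a node that turns fully malicious while a long window still resolves small deviations from P_s.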

VASSILARAS et al.: SECURITY AND COOPERATION IN CLUSTERED MANETS WITH CENTRALIZED SUPERVISION


Clearly, the larger the window size, the better the chance of catching the misbehaving node. However, if a well-behaving node suddenly starts misbehaving with a significantly high probability, it will get detected sooner if a sliding window with a smaller size is used. For example, for  10,  10 and  10, the threshold levels and detection probabilities for three sliding window sizes differing by an order of magnitude are shown in Table III. But if a perfectly behaving node suddenly turns malicious at time , then the probability that it will be detected at time  is

 10 when compared with only 0.31 with a sliding window of . Thus, a concurrent use of a number of window sizes that span several orders of magnitude can provide reliable detection of small deviations from the normal behavior, while guaranteeing fast reaction to a significant increase in the probability of malicious behavior.

Fig. 3. Probability of a malicious node getting detected as a function of the sliding window size.

Fig. 4. Misbehavior detection threshold a as a function of the sliding window size.

TABLE III PROBABILITIES OF DETECTING A MALICIOUS NODE AND THRESHOLD LEVELS FOR SLIDING WINDOW SIZES OF 1000, 10 000, AND 100 000

E. Dealing With Time Dependent Suspicious Events

Coming back to the reputation metric scheme with zero mean increments, we have repeated the analysis of the previous section, using upper bounds for the probabilities of accusing a well-behaving or a misbehaving MT instead of exact values. The results are analogous to those presented in the previous subsection. In fact, for the case of i.i.d. suspicious events, we see no advantage in using a zero-mean increments scheme instead of the  scheme. In the case of time dependent suspicious events, however, threshold crossing probabilities cannot be easily computed and resorting to upper bounds or approximations seems unavoidable. Take for example the case of the passive attack of type 2 described in Section IV-B. Nodes that have no neighbors are expected to remain in this state for some time, especially when the node mobility and/or node density are low, thus generating a string of suspicious events. We can model this time dependence with a Markov chain with two states (state 0: the node has 0 neighbors; state 1: the node has at least one neighbor) and transition probability matrix

.

Then,  is a Markov modulated random walk in which the upper bound to the 0 crossing probability in a finite horizon is given by (1) with

where  denotes the largest eigenvalue of matrix . In order to check the applicability of these theoretical results, we have simulated a CANA 70 m × 70 m cell with  nodes (49 MTs plus the AP) under the random waypoint mobility model (see [20] and references therein) with zero stopping time and random velocities uniformly distributed in [1, 3] m/time slot. The AP is located at the center of the cell. In all simulations, the initial positions and velocities of all MTs were generated according to their steady-state distributions established in [20]. Note that it was only recently discovered that when starting a random waypoint mobility simulation with uniformly distributed velocities and positions, a common practice in many simulation studies, it takes a lot of time for the system to reach steady state. Furthermore, if the minimum velocity is taken equal to zero, then the velocity of all nodes will tend to zero as time goes to infinity! Running the simulation for 100 000 time slots, we have estimated

and the marginal probability

of a node having no neighbors . For zero-mean increments, we set . Assuming a window size of  and requiring the upper bound in (1) to be equal to 10, we calculated .


Fig. 5. Probability of a malicious node getting detected as a function of its misbehavior probability, for  = 1 and  = 5 malicious nodes.

Fig. 6. Probability of a well-behaving node getting accused as a function of malicious nodes' misbehavior probability, for  = 1 and  = 5 malicious nodes.

Then, we ran 100 000 simulations for 1000 time slots each, in which  MTs were keeping silent with probability  and all other MTs were behaving properly, to estimate the probabilities of accusing the misbehaving and the well-behaving MTs. The solid line in Fig. 5 shows the probability  of a misbehaving MT getting caught and in Fig. 6 the probability  of a well-behaving MT getting wrongly accused, both as a function of  when . The dashed lines correspond to . Observe that a malicious node gets detected with probability approaching 1 for . Fig. 6 shows that , as intended. In fact, the parameters of the random walk selected using (1) guarantee that  only when all nodes are well-behaving;  is expected to increase with increasing  and/or , as depicted in Fig. 6. However, the very presence of the reputation mechanism will reinforce cooperation, thus keeping  and  at minimum levels.

Fig. 7. Probability of a malicious node getting detected as a function of the number of nodes in the cell. The percentage of malicious nodes is kept constant at 10%.

Note that because  is quite large (greater than  by a few orders of magnitude), we aim for a much larger  compared with the previous subsection. This means that eventually even well-behaving MTs will be accused and, therefore, the penalty imposed on an accused MT should be more lenient than when accused of a type 1 passive attack. For example, MTs accused of a type 2 attack can be excluded from using the 60 GHz mode for a small amount of time, whereas when accused of a type 1 attack they can be excluded from the network on a long-term basis. Clearly,  decreases with the number of nodes in the cell. Hence, for higher node densities, we can achieve higher probabilities of detecting malicious nodes, while keeping  constant. Fig. 7 shows this probability as a function of the number of nodes in the cell  for four different values of . The percentage of malicious MTs in the cell is 10% for all . For each value of ,  is calculated as described above in order to keep . In the previous subsection, we saw that if a well-behaving node suddenly starts misbehaving with a significantly high probability it will get detected sooner if a sliding window with a smaller size is used. This is true for time dependent behavior as well. Take for example the case of a malicious node which exhibits  before  and  after. In Fig. 8, we plot the cumulative probability of this node getting detected as time progresses for different sizes of a sliding window. It can be seen that a sliding window of a smaller size reacts faster to this sudden change of behavior.

V. REINFORCING COOPERATION DURING THE DATA TRANSMISSION PHASE

A. Detecting Misbehaving Nodes in Various Types of Networks

During the data transmission phase at 60 GHz, packets are transmitted from source to destination through a number of relaying MTs that are either CHs or FNs (Fig. 1). The AP imposes an upper bound on the length of all source-destination paths, which is dynamically adjusted together with the time until


TABLE IV SUMMARY OF NOTATIONS II

Fig. 8. Probability of a malicious node getting detected as time progresses for different sizes of a sliding window.

the next ND phase occurs, based on the AP's estimation of node mobility. Increased mobility results in smaller paths and shorter times between ND phases. Typically, paths with more than four hops will be quite rare.

The fact that an MT has cooperated during the ND phase and was assigned the role of CH or FN does not guarantee that it will behave properly during data transmission. An intermediate MT can act maliciously and attempt to modify the contents of a data packet or retransmit a packet in an erroneous time slot, or act selfishly and refuse to forward it in order to save resources. As in the ND phase, any cooperation enforcement mechanism consists of two parts: identifying misbehaving nodes and punishing them appropriately in order to convince selfish nodes to cooperate and limit the damage that malicious nodes can inflict on the network.

There are two intuitive ways for a node to rate the forwarding service provided by its peers: listening to the transmissions of neighboring nodes (when this is possible) and using ACKs. In most reputation schemes for single-channel MANETs, MTs continuously listen to the wireless channel to make sure that each packet they send to their neighbors gets forwarded without being altered. MTs might also rate the forwarding service that their neighbors provide to other common neighbors. In this case, a significant additional computational and storage cost is induced, since a node has to store and crosscheck all received packets until they get retransmitted by the FN. (However, if nodes only care for the correct forwarding of the packets they transmit, then two colluding sequential nodes in the path can drop packets without being detected; the first downstream node will forward the packet correctly, its accomplice will drop it and the first node will not complain about it.)
The first hand reputation information gained by monitoring the common channel can then be shared with other MTs so that the whole network can learn quickly about misbehaving MTs. Merging reputation ratings from multiple nodes is a complicated task in view of the possibility that some nodes are spreading false information. We will talk about methods of combining reputation ratings in Section V-C.

On the other hand, when the FN sends and receives packets on different channels (e.g., a router in a fixed network or a bridge in a Bluetooth scatternet), there is no single node that can police the FN. In this case, authenticated ACK can be used to detect misbehaving nodes. For example, the authors in [21] use such a scheme to allow the source of a packet to detect a faulty link in a route. The term faulty link indicates a link for which at least one of its two edges or the link itself is faulty, i.e., fails to correctly execute the protocol. The scheme uses source routing, packet authentication, destination (end-to-end) ACKs, timeouts and fault announcements (FAs). Packets (including ACKs and FAs) must be authenticated in such a way that intermediate nodes can verify the originator of the packet but be unable to impersonate it (in the following, we will use the term authenticated packet to mean just that). The most straightforward way to achieve this is with digital signatures. However, asymmetric cryptography (even the lightweight elliptic curve algorithms) is very expensive computationally and replacing it with a symmetric cryptography-based scheme would significantly increase performance. For this reason, [21] introduced a symmetric cryptography protocol (revised in [22]) that can be used to authenticate packets sent from a source to a destination, as well as ACKs and FAs sent from the destination or intermediate nodes back to the source. The correctness of the protocol is based on the assumption that the source is trusted. Therefore, the information gathered about faulty links in a route is trusted only at the source node and used only by this node in future routing decisions. Hence, this scheme lacks in efficiency compared with asymmetric digital signatures which would permit all nodes in the path to gain accurate information about faulty links. 
An alternative would be to use TESLA ([25], [26]), a broadcast authentication protocol which relies on symmetric key cryptography, loose clock synchronization, hash chains, and delayed key disclosure. Compared with digital signatures, TESLA trades in bandwidth, delay, and buffer space overheads for a significant gain in computational performance. Packets cannot be authenticated immediately, but have to be stored in


a buffer until their associated key is disclosed (alas, this opens the door to DoS attacks aiming at overflowing this buffer).2 Furthermore, a node is supposed to forward unauthenticated packets to their destination (and waste bandwidth in case these packets prove to be forged later on). Despite these drawbacks, TESLA can be used to authenticate packets and ACKs in a way equivalent to digital signatures in the sense that information about faulty links in the path obtained by intermediate nodes does not rely on the trustworthiness of the source.

B. End-to-End Authenticated ACKs in CANA

Having described the two main approaches to rating forwarding service, we now turn our attention to the specifics of CANA. During the data transmission phase in CANA, an MT (or FN) can continuously listen to the wireless channel to make sure that packets sent to its CH got forwarded unaltered and in the correct time slot. However, a CH cannot use this method to detect foul play by an FN, since FNs use two different frequencies for packet reception and forwarding. Therefore, a solution based on authenticated ACKs is needed for paths that traverse cluster borders via FNs. However, since such a scheme introduces considerable overhead (in bandwidth, memory and computational power), common channel monitoring is preferable for two-hop intracluster paths. In addition, by monitoring the common channel, MTs can gain valuable information about their CH's forwarding behavior toward other MTs in the same cluster. In order to describe the exact end-to-end authenticated ACKs protocol for faulty link detection in CANA, consider a data transmission path  to . Let us denote by  the maximum delay of transmitting a packet from  to . Since the AP assigns the same amount of bandwidth for traffic of this path on all links of the path, there will not be any queueing delay and, therefore,  consists of transmission and processing delay only.
The AP knows the maximum processing delay for every MT in its cell and can communicate all s to all s at the end of the ND phase.3 In order to use TESLA ([25], [26]) for ACK authentication, the destination chooses a random initial key  and generates a one-way key chain by repeatedly computing a one way hash function  (i.e., ) and communicates  to all nodes in the path through the AP (for easier authentication) at the end of the ND phase. Each transmitted packet is assigned by the source a unique serial number (SN). The source sends the packet (SN included) downstream without any form of authentication. Recall that routing in CANA is predefined for each source-destination pair by the AP. Each node maintains a counter  of the packets it forwards ( counts the packets the source transmits and  the packets that the destination receives). Upon reception of a packet, the destination computes a MAC for the received packet using a TESLA symmetric key  and sends back to the source an ACK consisting of , the SN of the received packet and its associated MAC. A packet containing  and  is sent from the destination to the source according to the TESLA protocol based on the key disclosure schedule [25]. Confirmation of the received MAC is only possible after the reception of the associated key. Instead of a pessimistic upper bound to the end-to-end network delay, the destination uses . Also, the maximum time synchronization error between any two nodes in the path (denoted by ) can be kept small with the help of the AP. Finally, the key publication interval  should be relatively small so that only a few packets are authenticated with the same key.

2This attack is not possible if TESLA is used for ACK authentication only, since ACKs that do not correspond to a transmitted packet can be immediately dropped.

3For simplicity, we will assume symmetric delays, i.e.,  = .

Each node  in the path starts a timer for each transmitted (i.e., forwarded for ) packet belonging to this source-destination pair whose ACK has not been received yet. The timer expires after . Each time a timer expires, a counter  for the number of unacknowledged or incorrectly acknowledged packets is incremented by one. All counters  and  are initialized at zero at the beginning of each data transmission phase. This timer will detect both dropped and excessively delayed packets. Well-behaving nodes are supposed to forward valid packets and ACKs unaltered to the appropriate node. If a node (including the destination) receives a packet whose SN has already been encountered, it has to drop this packet. The same holds for ACKs already seen, ACKs for packets not yet received and ACKs indicating a key that might have already been published (according to the TESLA protocol). Because packets containing keys can also be dropped or excessively delayed, another timer  should be set to expire at , where  is the scheduled time when  is published. If  expires, then all packets whose ACKs are associated with  are considered unauthenticated and the value of  is increased by . Upon reception of a packet containing a key  by node , if  has expired, the packet is dropped. Otherwise the key is checked for validity using the one way hash function . If it is valid, then the MAC in the associated ACKs is checked for correctness,  is augmented by the number of incorrect ACKs and the key is forwarded upstream. Otherwise,  is incremented by the number of associated ACKs and the key packet is dropped. During the next ND phase every node transmits the values of  and  to the AP, which uses them to obtain centralized ratings of the nodes' behavior during the data transmission phase. By default,  at all times. The purpose of our end-to-end authenticated ACK protocol is to identify faulty links in the path according to the following proposition.

Proposition 1: If all s are equal to zero and all s are equal to each other, then all nodes behaved according to the protocol, provided that the source and destination are well-behaving nodes and that enough time has passed since any protocol violation for the detecting timeouts to have expired. Otherwise, the AP can identify at least one faulty link: for each  and/or , the link  is considered faulty, that is, either the wireless link failed to transmit all packets unaltered, or at least one of the edge nodes violated the data transmission protocol or manipulated its counters. Furthermore, a misbehaving source and/or destination can only conceal another node's misbehavior but cannot wrongfully accuse a nonfaulty link.
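The ACK-handling rules of this subsection at one intermediate node, as an added example that is not the paper's or CANA's code: the destination's one-way key chain and commitment, ACKs buffered until their key is disclosed, refusal of ACKs that reference a key that may already be public, and the counter updates on key timeout, forged key, and incorrect MAC. This example's assumptions: the ACK MAC is HMAC-SHA256 keyed directly with the TESLA key, the disclosure schedule is tracked as the index of the newest key that may already be public, and the timers are explicit events rather than clock arithmetic.

```python
"""TESLA-authenticated ACK handling at an intermediate node of a CANA path.

Added example, not the paper's code.  Assumptions of this example: the ACK MAC
is HMAC-SHA256 keyed directly with the TESLA key K_j; the disclosure schedule
is tracked as the index of the newest key that may already be public; ACK and
key timers are explicit events rather than clock arithmetic.
"""
import hashlib
import hmac
import os


def H(key: bytes) -> bytes:
    """One-way hash function of the key chain."""
    return hashlib.sha256(key).digest()


def make_key_chain(k_n: bytes, n: int) -> list:
    """Return [K_0, ..., K_n] with K_j = H(K_{j+1}): K_n is the random initial key,
    K_0 the commitment handed to every node of the path through the AP."""
    chain = [k_n]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain[::-1]


def ack_mac(key: bytes, sn: int) -> bytes:
    """MAC over the serial number of the acknowledged packet."""
    return hmac.new(key, sn.to_bytes(4, "big"), "sha256").digest()


class Destination:
    def __init__(self, n_keys: int, initial_key: bytes = None):
        self.chain = make_key_chain(initial_key or os.urandom(32), n_keys)

    def commitment(self) -> bytes:
        return self.chain[0]

    def ack(self, j: int, sn: int) -> tuple:
        """ACK for packet sn, authenticated with the not yet disclosed key K_j."""
        return (j, sn, ack_mac(self.chain[j], sn))

    def disclose(self, j: int) -> tuple:
        """Key packet published at the scheduled time of K_j."""
        return (j, self.chain[j])


class Relay:
    """Intermediate node: buffers ACKs and validates them once the key arrives."""

    def __init__(self, commitment: bytes):
        self.auth = (0, commitment)  # (index, key) of the newest authenticated key
        self.pending = set()         # SNs forwarded downstream, ACK not yet seen
        self.buffered = {}           # key index -> [(sn, mac)] awaiting that key
        self.expired = set()         # key indices whose key timer ran out
        self.unack = 0               # unauthenticated or incorrect ACKs
        self.public_upto = 0         # newest key index that may already be public

    def schedule_advanced(self, j: int) -> None:
        """Local clock has passed the publication time of K_j."""
        self.public_upto = max(self.public_upto, j)

    def on_ack(self, j: int, sn: int, mac: bytes) -> bool:
        """Return True if the ACK is accepted: buffered here and forwarded upstream."""
        if sn not in self.pending:   # ACK for a packet this node never forwarded
            return False
        if j <= self.public_upto:    # K_j may already be public: anyone could forge
            return False
        self.pending.discard(sn)     # stops the ACK timer of this packet
        self.buffered.setdefault(j, []).append((sn, mac))
        return True

    def on_key_timeout(self, j: int) -> int:
        """K_j did not arrive in time: every ACK waiting for it is unauthenticated."""
        self.expired.add(j)
        lost = len(self.buffered.pop(j, []))
        self.unack += lost
        return lost

    def on_key(self, j: int, key: bytes) -> tuple:
        """Validate K_j against the chain, then the MACs it covers.
        Returns (number of ACKs charged to the counter, key forwarded upstream?)."""
        i, k_i = self.auth
        if j in self.expired or j <= i:       # late, replayed or stale key packet
            return 0, False
        acks = self.buffered.pop(j, [])
        probe = key
        for _ in range(j - i):                 # H^(j-i)(K_j) must equal K_i
            probe = H(probe)
        if probe != k_i:                       # forged key: its ACKs count as bad
            self.unack += len(acks)
            return len(acks), False
        self.auth = (j, key)
        self.schedule_advanced(j)
        bad = sum(1 for sn, mac in acks
                  if not hmac.compare_digest(mac, ack_mac(key, sn)))
        self.unack += bad
        return bad, True
```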
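Proposition 1 exercised on a simulated path, as an added example that is not the paper's code: each node reports its forwarded-packet counter and its unacknowledged-packet counter, and the AP flags a link when the two endpoint reports disagree. Since the paper's formula for the per-link condition did not survive extraction, the rule used here is this example's own reading: link (n_i, n_{i+1}) is faulty if the two forwarded counters differ or the two unacknowledged counters differ, with the destination's unacknowledged counter fixed at 0. The node names, the drop probabilities and the colluding "report the upstream neighbor's counter" behavior are constructed for the example; timers are abstracted to whether an ACK returns during the phase.

```python
"""Counter-based faulty-link identification by the AP (Proposition 1), simulated.

Added example, not the paper's code.  A path is a list of nodes n_0 (source) ...
n_L (destination).  Each node reports fwd (data packets it forwarded; packets
received, at the destination) and unack (packets whose ACK timer expired).
Assumed AP rule: link (n_i, n_{i+1}) is faulty if the two reported fwd values
differ or the two reported unack values differ; the destination's unack is 0.
Timers are abstracted: an ACK either returns to a node during the phase or not.
"""
import random


class Node:
    def __init__(self, name, drop_data=0.0, drop_ack=0.0, match_upstream=False):
        self.name = name
        self.drop_data = drop_data            # probability of dropping a data packet
        self.drop_ack = drop_ack              # probability of dropping an ACK
        self.match_upstream = match_upstream  # dishonest: report upstream's fwd value
        self.fwd = 0
        self.unack = 0
        self.pending = set()                  # SNs with a running ACK timer
        self.seen = set()                     # SNs already received (duplicate rule)


def send_packet(path, sn, rng):
    """Forward packet sn hop by hop.  Returns the index of the node that dropped
    it, or None if it reached the destination."""
    for i, node in enumerate(path):
        if sn in node.seen:                   # duplicate SN: dropped by protocol rule
            return i
        node.seen.add(sn)
        if i == len(path) - 1:                # destination: count it as received
            node.fwd += 1
            return None
        if rng.random() < node.drop_data:     # dropped here: fwd is not incremented
            return i
        node.fwd += 1
        node.pending.add(sn)
    return None


def return_ack(path, sn, rng):
    """The destination's ACK travels upstream; each node clears its timer."""
    for i in range(len(path) - 2, -1, -1):
        node = path[i]
        if sn not in node.pending:            # ACK for a packet not forwarded here
            return i
        node.pending.discard(sn)
        if i > 0 and rng.random() < node.drop_ack:
            return i                          # ACK lost here: upstream timers expire
    return None


def run_phase(path, n_packets, seed=0):
    """Transmit n_packets, let every remaining timer expire, collect the reports."""
    rng = random.Random(seed)
    for sn in range(n_packets):
        if send_packet(path, sn, rng) is None:
            return_ack(path, sn, rng)
    for node in path[:-1]:                    # end of phase: pending ACKs time out
        node.unack += len(node.pending)
        node.pending.clear()
    reports = []
    for i, node in enumerate(path):
        fwd = path[i - 1].fwd if node.match_upstream and i > 0 else node.fwd
        reports.append((fwd, node.unack))
    return reports


def faulty_links(reports):
    """AP side: indices i of links (n_i, n_{i+1}) whose endpoint reports disagree."""
    return [i for i in range(len(reports) - 1)
            if reports[i][0] != reports[i + 1][0]
            or reports[i][1] != reports[i + 1][1]]


def make_path(n_nodes, **misbehaving):
    """Path of n_nodes honest nodes except those named in misbehaving, e.g.
    make_path(4, n2=dict(drop_data=1.0))."""
    return [Node(f"n{i}", **misbehaving.get(f"n{i}", {})) for i in range(n_nodes)]


if __name__ == "__main__":
    cases = [("all honest", make_path(4)),
             ("n2 drops data", make_path(4, n2=dict(drop_data=1.0))),
             ("n2 drops data, reports n1's fwd",
              make_path(4, n2=dict(drop_data=1.0, match_upstream=True))),
             ("n2 drops ACKs", make_path(4, n2=dict(drop_ack=1.0)))]
    for label, path in cases:
        reports = run_phase(path, 200)
        # A link adjacent to the offender is flagged in every misbehaving case,
        # even when the offender lies about its counter.
        print(f"{label:34s} reports={reports} faulty={faulty_links(reports)}")
```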


A couple of remarks about this statement are in order. First, detection of faulty links is possible with the use of the  counters alone. The  counters are used mainly to determine the empirical frequencies of link failures. If links are allowed to fail with a small probability, as in the ND phase, then measuring empirical frequencies of link failures is important. Nevertheless, the use of the  counters can also mitigate a couple of unwanted (yet not so critical) node behaviors, as explained in the sequel. On the other hand, the use of the  counters alone can detect packet drops and redirections but not packet modification or forwarding with excessive delays. The authors in [23] use such a scheme in a distributed setting to detect routers that drop or misroute packets based on the conservation of flow principle. Second, as with many secure protocols, there is no way to formally prove the validity of Proposition 1. We can only show how the AP will identify a faulty link under a multitude of possible protocol attacks, but there can always be an attack that we have not thought of which could break the protocol.

In the following investigation of possible attacks, altering a data, ACK or key packet includes modifying any part of them, such as the SN, the data payload, the MAC, , or . If  drops, delays excessively or modifies a data packet, its ACK or the associated key packet, then  of all honest nodes will be increased for  but  will remain the same for all . Note that when  modifies a data packet, then all downstream nodes will get a matching ACK for the modified packet and will not increment . Now, if  chooses to increase  to make it equal to , then  and the AP will consider link  faulty. Otherwise,  and the AP will consider link  faulty. In both cases, a link containing the offending node  will be detected as faulty. If all nodes downstream of  collude with  to hide its attack by increasing all counters  with , then, since  at all times, link , which contains dishonest node , will be detected as faulty. Note that link  will be labeled as faulty even if all downstream nodes including the destination are colluding dishonest nodes. On the other hand, if all nodes upstream of  collude with  to hide its attack by failing to increase all counters  with , then link , which contains dishonest node , will be detected as faulty. Note that  from the hypothesis of Proposition 1 that the source is well-behaving. In a related attack, one or many sequential malicious nodes can erroneously increase or decrease the value of their  and/or  counters by the same amount and independently of any packet transmissions in order to hide guilt or wrongfully accuse a nonfaulty link. However, this attack can only implicate a link which is adjacent to one of the attackers, and this is by definition a faulty link. Moreover, if the source is well-behaving for the s and both source and destination are well-behaving for the s, the guilt can only be transferred as explained in the previous paragraph: acquitting a faulty link will result in accusing another faulty link.

By not requiring data packets to be authenticated, we open the door to intermediate nodes injecting their own traffic into the path. Let us first assume that the protocol uses only the  counters. Consider the case where both the source and an intermediate node  generate a packet with the same SN. Since


packets that have the same SN as already received packets are dropped by well-behaving nodes, if the legitimate packet arrives first, the injected packet will soon be dropped without causing any damage. If the injected packet arrives first, then the legitimate packet will be dropped and, therefore,  will not receive any valid ACK for the lost packet. The attack will have the same result as altering the legitimate packet. If an intermediate node  uses SNs that will not be used by the source, it can take a share of the bandwidth dedicated to this path for its own packets. However, since paths are assigned a predetermined amount of resources by the AP (due to the TDMA nature of CANA),  can only take the unused bandwidth dedicated to this path without dropping any legitimate packets. But if it drops packets, it will be detected as described above. Now, with the use of the s and assuming that there is at least one honest node on either side of  (e.g., the source and destination nodes), injecting packets will violate the conservation of flow principle, resulting in at least one faulty link being detected as such. Replay attacks are neutralized by the duplicate SN packet dropping rule. Wormhole attacks fail as well. If  forwards data packets to  via a covert channel, and  returns the ACK to ,  will drop the ACK as no data packet with the reported SN has been received. Hence,  will not be able to produce a valid ACK and one of its adjacent links will be considered faulty. (If the ACK is returned from  to  via the same shortcut that the data packet has taken and forwarded back to the source, then this is not an attack but a favor.) If the data packet and/or the ACK are forwarded along both the correct path and the shortcut, then node  and/or node  will reject one of the two duplicate data packets and/or ACKs. A trickier attack is when the data packet is forwarded along the path but the ACK is returned through the covert channel only. Although this does not disrupt acknowledged end-to-end data transmission, it can be used by two colluding nodes to "transfer guilt" from  to . To see this, suppose that before the attack  and, as a consequence, link  is considered faulty. After the attack, the timers of only the nodes between  and  will time out, causing the associated counters to be increased by 1. Hence, we will have  and one of the links  or  will be considered faulty ( can choose which one), while at the same time link  is acquitted.

It is also important to validate that the time-out values defined in our protocol do not allow a malicious node to accuse a nonfaulty link by delaying the delivery of a packet. It suffices to show that if link  is nonfaulty and 's timer does not expire, then 's timer cannot expire either. As far as the ACK timers are concerned, it takes at most  for the packet to reach node ,  for the ACK to come back to node  (from the hypothesis that  does not expire) and at most  for the ACK to arrive at node . These times sum up to at most  and, therefore,  will not expire either. Regarding the timeouts for key packets, assume that when the destination releases the key  (and according to its clock the time is ) it is  and  according to the clocks of  and , respectively. Since the maximum synchronization error of any two clocks in the path is


, it holds that . Assuming that  is well-behaving, it forwards the key packet only if its clock has not reached  at the time. At this point, 's clock reads , so when  receives the packet its clock reads at most  and, therefore, its timer has not expired.

In an ideal network, where packets are only lost or altered intentionally (by selfish or malicious nodes) and where the source has stopped transmitting long enough before the end of the data transmission phase to guarantee that there are no running timers or packets in transit, any gap in the values of the counters is caused by a misbehaving node. In practice, we have to excuse a small fraction of unintentional link failures and account for packets transmitted near the end of the data transmission phase. As an indicating factor of the behavior of link , the AP wants to measure the ratio of the number of packets that were unacknowledged at node  due to link  over the number of transmitted data packets across this link. As an indicator of this ratio, the AP will use the quantity

To explain the rationale behind this ratio, let us denote by  the number of data packets that the wireless link  dropped or scrambled and by  the number of unacknowledged packets at node  due to a lost or altered ACK or key packet on link . If both  and  are well-behaving, then

and, therefore

Normally,  will not be allowed to exceed a threshold . Now, suppose that one of the two nodes is misbehaving by manipulating its counters and wants to lower the value of . (The case that the malicious node tries to accuse the link is not considered, since the link is by definition faulty if one of its edge nodes is malicious.) If the misbehaving node is , then it can decrease  by reporting a lower . However, this will result in distributing the gap of the unauthenticated packet counters between two links, increasing the risk of both links adjacent to node  being considered faulty. (Similarly, when  is misbehaving it can spread the gap among its two adjacent links by reporting a higher value of .) Node  can also decrease  by increasing . Apart from risking the creation of a second faulty link by introducing a gap between  and , this method cannot gain a significant decrease in  due to the minimization operator at the denominator of  and the fact that node  will report the true value of . Indeed

where the second inequality is due to the fact that  (unless  injects packets, which will be detected as described above). For , if , then in order to achieve  we must have , which is equivalent to . For instance, if  10, then  needs  (which is only slightly greater than 10) in order to be able to evade detection. Things are even worse for a misbehaving  when trying to decrease  by manipulating . Now,  reports the correct value of , which is at best the result of the minimization operation. This makes .

C. Employing Reputation Ratings to Reinforce Cooperation

So far, we have explained how common channel monitoring and authenticated end-to-end ACKs can be used to rate the cooperation among pairs of individual MTs. With both mechanisms the AP identifies faulty links but has no way of knowing which one of the edge nodes in the link has misbehaved (not even which one has a higher probability of having misbehaved, as is the case in the ND phase). In pure MANETs, if node A receives bad forwarding service from node B, it can stop routing its packets through B and retaliate by refusing to forward B's packets. If B continues to be unresponsive to its neighbors' requests for packet forwarding, it will soon be isolated from the network. This will probably convince a selfish node to be cooperative in the first place (see, for example, [8] for a game theoretic approach supporting this claim) and will limit the damage that a malicious node can cause. Similarly, in CANA, if link  is considered faulty, then the AP can avoid using this link in future route formations. In this case, only first-hand information is used for the evaluation of neighboring nodes' behavior and, therefore, an MT has nothing to gain by lying about its neighbors' cooperation. There is only one subtle difference between these two distributed and centralized schemes of handling reputation ratings: In the centralized scheme, if node A mistakenly thinks that it is not receiving an appropriate level of service from its neighbor B, then it can stop providing services to B, and automatically B will stop providing services to A, too. On the contrary, in a distributed scheme, if node B stops providing services to A, A has to discover B's behavioral change using its own ratings, which might take some time.

Combining link reputation ratings in order to infer node reputation ratings is a desirable but difficult task. Node reputation follows an MT even if it moves to a new neighborhood and creates new, not yet rated links. On the other hand, if such an approach is used, malicious nodes can collude to wrongfully accuse


a well-behaving node. There are a few proposals in the literature of reputation mechanisms for pure MANETs about merging first-hand with second-hand reputation ratings obtained from other nodes. For example, under the scheme presented in [10] and [11], each node maintains two metrics, a reputation rating and a trust rating, for every other node and uses an elaborate Bayesian approach (first developed in [24]) to continuously update these ratings based on first-hand observations and indirect information. Nodes are not penalized for low trust ratings, but their opinions about other nodes are taken less seriously. However, the possibility of a well-behaving node getting classified as misbehaving by other good nodes (in case it is surrounded by malicious nodes) is not eliminated. For such a case, redemption of nodes over time is employed so that nodes that have been temporarily judged as malicious can be tested again and redeem themselves. The evaluation of schemes for combining reputation ratings in MANETs with or without centralized supervision is outside the scope of this paper.

VI. CONCLUSION

This paper has introduced a comprehensive security and cooperation enforcement framework for the class of clustered MANETs with a centralized controller, specifically designed for the CANA enhancement to HIPERLAN/2. Compared with HL/2, additional security issues arise as a result of the more ad hoc nature of CANA. The fact that the AP (which is assumed to be a trusted entity) is outside the 60 GHz transmission range of many MTs permits certain ND and data transmission protocol attacks and requires a slightly different key distribution scheme to keep user data confidential from CHs and FNs. In developing a reputation scheme for CANA, we have exploited the fact that the AP is a central trusted authority which can communicate with all nodes and implement a centralized reputation scheme.
The centralized knowledge of nodes reputations alleviates the need for sharing locally kept reputation metrics with other nodes in the network. This is a huge advantage compared with pure MANETs, where spreading this information raises additional issues of trust and increases communication overhead. On the other hand, when compared with single-channel MANETs, CANA has the disadvantage of a clustered architecture, where neighboring clusters use different communication channels to avoid interference. This complicates the task of rating the forwarding service provided by a node’s neighbors. The proposed solution accomplishes this task using an end-to-end authenticated ACK scheme which relies on the TESLA symmetric key broadcast authentication protocol. Although our cooperation reinforcement mechanism has been designed to fit the specifics of CANA, the issue of appropriately selecting the parameters of a reputation scheme (initial value/ruin threshold, step value, and sliding window size) is not different regardless of this scheme being distributed or centralized. Thus, the introduced random walk model for the reputation metric and the associated parameter selection technique can be applied to distributed reputation mechanisms for pure ad hoc networks, as well.
REFERENCES

[1] P. Obreiter and J. Nimis, "A taxonomy of incentive patterns—The design space of incentives for cooperation," Tech. Rep. Nr. 2003-9, May 21, 2003. [Online]. Available: http://www.ipd.uka.de/DIANE/en/index.html.
[2] L. Buttyan and J. P. Hubaux, "Stimulating cooperation in self-organizing mobile ad hoc networks," ACM/Kluwer Mobile Netw. Appl., vol. 8, no. 5, pp. 579–592, Oct. 2003.
[3] N. Salem, L. Buttyan, J. P. Hubaux, and M. Jakobsson, "A charging and rewarding scheme for packet forwarding in multi-hop cellular networks," in Proc. MobiHoc, Annapolis, MD, June 1–3, 2003, pp. 13–24.
[4] S. Zhong, J. Chen, and R. Yang, "Sprite: A simple, cheat-proof, credit-based system for mobile ad-hoc networks," in Proc. IEEE INFOCOM, San Francisco, CA, 2002, pp. 1987–1997.
[5] S. Marti et al., "Mitigating routing misbehavior in mobile ad hoc networks," in Proc. ACM Int. Conf. Mobile Comput. Netw., MobiCom, 2000, pp. 255–265.
[6] S. Bansal and M. Baker, "Observation-based cooperation enforcement in ad hoc networks," Stanford Univ., Stanford, CA, Res. Rep. cs.NI/0307012, 2003.
[7] P. Michiardi and R. Molva, "Analysis of coalition formation and cooperation strategies in mobile ad hoc networks," Ad Hoc Netw. J. (Special Issue), vol. 3, no. 2, pp. 193–219, 2003.
[8] P. Michiardi and R. Molva, "Game theoretic analysis of cooperation enforcement in mobile ad hoc networks," Res. Rep. RR-03-092, Oct. 2003. [Online]. Available: http://www.eurecom.fr/~michiard/pub.html.
[9] S. Buchegger and J. Y. Le Boudec, "Performance analysis of the CONFIDANT protocol (cooperation of nodes—fairness in dynamic ad-hoc networks)," in Proc. MobiHoc, Lausanne, pp. 226–236.
[10] S. Buchegger and J. Y. Le Boudec, "A robust reputation system for P2P and mobile ad-hoc networks," in Proc. 2nd Workshop on the Economics of Peer-to-Peer Syst., Jun. 2004. [Online]. Available: www.eecs.harvard.edu/p2pecon/confman/papers/s2p2.pdf.
[11] S. Buchegger and J. Y. Le Boudec, "The effect of rumor spreading in reputation systems for mobile ad-hoc networks," in Proc. Modeling and Optimization in Mobile Ad Hoc and Wireless Networks, 2003. [Online]. Available: www.sims.berkeley.edu/~sonja/effect.pdf.
[12] H. Miranda and L. Rodrigues, "Friends and foes: Preventing selfishness in open mobile ad hoc networks," in Proc. Int. Workshop on Mobile Distrib. Comput., Providence, RI, May 2003, pp. 440–445.
[13] M. de Courville, S. Zeisberg, M. Muck, and J. Schönthier, "BROADWAY—The way to broadband access at 60 GHz," in Proc. 1st Mobile Wireless Telecom. Summit, Thessaloniki, Greece, Jun. 2002. [Online]. Available: www.ist-broadway.org/documents/papers/200206ist_summit_greece_thessaloniki-broadway.pdf.
[14] K. Oikonomou et al., "A centralized ad-hoc network architecture (CANA) based on enhanced HiperLAN/2," in Proc. 14th IEEE PIMRC, Beijing, China, Sep. 7–10, 2003, pp. 1336–1340.
[15] "Overall DLC and CS layer architecture for dual mode of operation," IST-2001-32686 BROADWAY, deliverable WP2, D9, Jan. 2004.
[16] "Broadband radio access networks (BRAN); HIPERLAN type 2; Data link control (DLC) layer Part 1: Basic data transport functions," ETSI TS 101 761-1, Tech. Spec., Apr. 2000.
[17] "Broadband radio access networks (BRAN); HIPERLAN Type 2; Data link control (DLC) layer Part 2: Radio link control (RLC) sublayer," ETSI TS 101 761-2, Tech. Spec., Apr. 2000.
[18] S. Vassilaras, D. Vogiatzis, T. Dimitriou, and G. Yovanof, "Security considerations for the centralized ad-hoc network architecture," in Proc. IEEE Int. Workshop on Ad-Hoc Networks, Oulu, Finland, Jun. 2004, CD-ROM, pp. 1–5.
[19] R. G. Gallager, Discrete Stochastic Processes. New York: Kluwer.
[20] W. Navidi and T. Camp, "Stationary distributions for the random waypoint mobility model," IEEE Trans. Mobile Comput., vol. 3, no. 1, pp. 99–108, Jan.–Mar. 2004.
[21] I. Avramopoulos, H. Kobayashi, R. Wang, and A. Krishnamurthy, "Highly secure and efficient routing," in Proc. INFOCOM Conf., Hong Kong, Mar. 2004. [Online]. Available: www.ieee-infocom.org/2004/Papers/05_3.PDF.
[22] Amendment to: "Highly secure and efficient routing." [Online]. Available: www.princeton.edu/~iavramop/amendment.pdf.
[23] K. Bradley et al., "Detecting disruptive routers: A distributed network monitoring approach," in Proc. IEEE Symp. Security and Privacy, May 1998, pp. 115–124.
[24] A. Josang and R. Ismail, "The beta reputation system," in Proc. 15th Bled Electronic Commerce Conf., Bled, Slovenia, Jun. 2002. [Online]. Available: security.dstc.edu.au/papers/JI2002-Bled.pdf.
[25] A. Perrig, R. Canetti, D. Song, and D. Tygar, "Efficient and secure source authentication for multicast," in Proc. Netw. Distrib. Syst. Security Symp., San Diego, CA, 2001. [Online]. Available: www.isoc.org/isoc/conferences/ndss/01/2001/papers/perrig.pdf.
[26] A. Perrig, J. D. Tygar, D. Song, and R. Canetti, "Efficient authentication and signing of multicast streams over lossy channels," in Proc. IEEE Symp. Security and Privacy, May 2000, pp. 56–73.
[27] M. Casole, "WLAN security—status, problems and perspective," in Proc. Eur. Wireless, Florence, Italy, Feb. 2002. [Online]. Available: docenti.ing.unipi.it/ew2002/proceedings/sec002.pdf.
[28] J. Ferrer et al., "Enhancing HIPERLAN/2 security aspects," in Proc. WONS, Madonna di Campiglio, Italy, Jan. 2004, pp. 389–394.

Spyridon Vassilaras (M'05) received the Engineering Diploma in electrical and computer engineering from the National Technical University of Athens, Athens, Greece, in 1995, and the M.Sc. and Ph.D. degrees in computer engineering from Boston University, Boston, MA, in 1997 and 2001, respectively. He was a Teaching and Research Assistant from 1995 to 2001 at Boston University. He has also worked as a Software Developer for ABB Industrial Systems, Sweden, and as a software developer/IT consultant in Greece. He joined Athens Information Technology, Athens, Greece, as a Postdoctoral Researcher in November 2003. His current research interests include performance analysis of telecommunication networks using stochastic modeling, queueing theory, large deviations theory, advanced simulation techniques (such as variance reduction), and linear and nonlinear optimization. He is also involved in research projects on network and data security, focusing on node cooperation issues in mobile ad hoc networks.

Dimitrios Vogiatzis was born in Volos, Greece, in 1979. He received the Engineering Diploma in computer engineering and informatics from the University of Patras, Patras, Greece, in 2002, and the M.Sc. degree in information networking from Carnegie Mellon University, Pittsburgh, PA, in 2003. He is currently working towards the Ph.D. degree at the University of Thessaly, Volos, Greece. In March 2004, he joined Athens Information Technology, Athens, Greece, as a Research Scientist in the Broadband Wireless and Sensor Networks Group. His research interests cover the field of wireless and ad hoc networking, including quality-of-service, network security, routing, multicasting, and cross-layer design.

Gregory S. Yovanof (M’82–SM’97) received the Engineering Diploma from the National Technical University of Athens, Athens, Greece, in 1982, and the M.Sc. and Ph.D. degrees from the University of Southern California (USC), Los Angeles, in 1984 and 1988, respectively, all in electrical engineering. He was a Research Assistant from 1982 to 1988 at the University of Southern California. From 1988 to 1997, as a Staff Scientist first at Eastman Kodak Research Laboratories and later at Hewlett-Packard Laboratories, Palo Alto, CA, he was engaged in multimedia signal processing for computer peripheral devices. From 1997 to 2002, he led the development of several ICs for the DVD market first as Director of Multimedia at Cyclonics, Inc., and later as cofounder of and Vice President of Business Development at Bitmath, Inc., where he was also responsible for managing strategic alliances, licensing, and venture fund-raising efforts. Since 2002, he has been with the Athens Information Technology, Athens, Greece, leading a group on broadband wireless and sensor networks. He is the holder of four U.S. and European patents on imaging systems. His general research interests span the areas of communications and multimedia signal processing. Current research topics include QoS and security issues in the delivery of multimedia data over ad hoc wireless networks, multicarrier modulation schemes and ultra-wideband radio.