scispace - formally typeset

Journal ArticleDOI

A model of data forwarding in MANETs for lightweight detection of malicious packet dropping

20 Jul 2015-Computer Networks (Elsevier North-Holland, Inc.)-Vol. 87, Iss: 87, pp 44-58

TL;DR: This work introduces a model of data forwarding in MANETs which is used for recognizing malicious packet dropping behaviors and proposes an anomaly-based IDS system based on an enhanced windowing method to carry out the collection and analysis of selected cross-layer features.

AbstractThis work introduces a model of data forwarding in MANETs which is used for recognizing malicious packet dropping behaviors. First, different legitimate packet discard situations are modeled, such as those generated by collisions, channel errors or mobility related droppings. Second, we propose an anomaly-based IDS system based on an enhanced windowing method to carry out the collection and analysis of selected cross-layer features. Third, a real deployment of the IDS is also considered by suggesting a methodology for the collection of the selected features in a distributed manner. We evaluate our proposal in a simulation framework and the experimental results show a considerable enhancement in detection results when compared with other approaches in the literature. For instance, our scheme shows a 22% improvement in terms of true positives rate and a remarkable 83% improvement in terms of false positives rate when compared to previous well-known statistical solutions. Finally, it is notable the simplicity and lightweightness of the proposal.

Topics: Network packet (52%)

Summary (5 min read)

1. Introduction

  • Wireless networks have considerably evolved in the last years, leading to the appearance of different related technologies, architectures and applications [1].
  • One of the architectures that have attracted much attention, especially by the research community, are the so called Mobile Ad hoc NETworks .
  • Malicious nodes drop received data or control messages instead of relaying them, thus affecting the traffic in the network [5].
  • There are different types of dropping attacks, depending on the particular strategy adopted by the attacker [6].
  • The analytical model of the forwarding process which is used as the basis for their detection proposal is presented in Section 3.

2.1. ACK-based Schemes

  • Here, nodes in the network communicate with their neighbors to explicitly request acknowledgments and confirm the reception of sent packets.
  • These two schemes fail when any two-hop neighbors do not cooperate.
  • Besides, to reduce the routing overhead, authors present in [12] an improvement of their scheme called 2ACK, where only a portion of the packets are acknowledged.
  • Nodes use 3hop ACK packets to acknowledge TC messages, while HELLO rep packets advertise two-hop neighbors to a requesting MultiPoint Relay (MPR) node.
  • The collected information is afterwards used as the basis for an accusation-based collaborative mechanism for node isolation.

2.2. Reputation-based Schemes

  • The basic idea behind these techniques is that each node first generates an opinion with respect to others.
  • A trust manager sends and receives alarm messages, informing about detected adversaries.
  • Finally, a path manager is responsible for launching an appropriate response.
  • The authors in [17] propose Friends and Foes, a scheme to punish selfish nodes.
  • The concept of inner-circle consistence was adopted in [18] to identify forged route replies and prevent packet dropping attacks.

2.3. Detection-based Schemes

  • Marti et al. [19] proposed a system called Watchdog, where a monitor node compares the packets that it sends with the overheard packets forwarded by the next hop.
  • Classifiers like Naı̈ve-Bayes, RIPPER or C4.5 are then used for the detection.
  • They perform the intrusion detection in application, routing and MAC layers.
  • Other authors also propose dynamic adaptations in their works, like those in [24, 25].
  • The authors in [28] incorporate a Bayesian filter into the standard watchdog implementation in order to reduce the number of false positives.

3. Model for the Forwarding Process in MANETs

  • The model considers different legitimate circumstances in communications (collisions, channel errors or mobility) as well as malicious behaviors, and allows inferring how they all may affect the performance of the overall retransmission procedure.
  • If all of the previous events occur, the node tries to forward the packet.
  • To do this, two subsequent actions are taken.
  • Let us term this event as RTS event, and its associated probability PRTS .
  • All these circumstances cause messages to be lost and CTS packets not to be received, thus leading to an RTS retransmission.

4. Malicious Packet Dropping Detection

  • A new detection methodology for packet dropping in MANETs is explained.
  • First, the authors describe the attack model and the underlying scenario.
  • Second, the authors detail the proposed detection approach.
  • Next, the authors provide details about parameters estimation and suggest a windowing methodology.

4.1. Attack Model and Scenario Description

  • The authors also 1Although there are other reasons to consider a link as broken, like node failures, congestion or others, in this work, for simplicity, they will use indistinctly the terms mobility or broken link to encompass all these situations.
  • Of course, this aspect does not affect to the fundamentals of their proposal.
  • The authors additionally consider the existence of M malicious nodes, with the same behavior as the legitimate ones, except that they will also drop received packets instead of forwarding them.
  • A further extension of their work would imply the combination and evaluation of their technique with others which specifically deal with collusion attacks.
  • Their scheme might be complemented by performing some end-to-end checking, like the one proposed in [31].

4.2. Overview of the Detection Approach

  • This way, a set of network related features is first obtained for each node in a given temporal window of analysis.
  • From these features, the probability values given in Section 3 are afterwards estimated.
  • If PDROP is greater than this threshold and according to an anomaly-based approach, the authors conclude that the analyzed node is malicious, and legitimate otherwise: node = { malicious, if PDROP ≥ θ legitimate, otherwise (5) Obviously, the operating point of the detector depends on the value used for the detection threshold.
  • If θ is set to a low value, more malicious nodes in the network will be detected, but also more legitimate nodes will be misclassified as malicious (i.e., false positive rate increases).
  • On the contrary, the use of high values for θ will result in fewer malicious nodes being detected, but it will also produce low false positives.

4.3. Parameters Estimation

  • Here the authors discuss how to calculate the probabilities involved in their analytical model taking into account different features obtained from the network.
  • P̂MOB is set to 1 when the number of RTS retransmissions exceeds the SRL limit in a measuring window, since here the node considers that it does not have a connection with the next hop.
  • AODV (Ad hoc On-demand Distance Vector) routing protocol [35] is considered as a case study in this work.
  • In the case that the broken link is closer to the source node than to the destination one, the intermediate node throws the route away and sends back a Route ERRor message (RERR) to alert its precursors about the link fail.
  • For that, it sends a RREQ message in a similar way that the source node would do.

4.4. Enhanced Windowing for Collecting Features

  • This methodology presents two main drawbacks: i. The first one is related to situations where the temporal window ends just after the transmission of an RTS packet.
  • That is, the features are obtained for non-overlapping windows of P received data packets for each node in the network.
  • Fig. 3 evidences that, by employing the event-based windowing, the authors ensure that mobility situations can be fully collected.
  • Besides the solution of these reported problems, an additional significant advantage should be mentioned for the proposed event-based windowing scheme.

4.5. Complexity

  • Here the authors briefly discuss the complexity of the proposed scheme, taking into consideration both storage and computational requirements for each IDS instance.
  • Regarding memory needs, each IDS procedure running in a given node just requires to handle 5 features (4 of them integers and 1 boolean) for each node monitored.
  • In terms of computational overhead, for each node to be monitored their scheme executes a maximum of 13 basic operations (arithmetic, comparisons and assignments) per analysis window.
  • Expressed in Big O notation, the complexity of the proposed detector is O(1) per analysis window and monitored node, which is lower than that of most data mining techniques, usually of order O(n), O(n2), or even greater.
  • The detection performed by the SVM classifier used in [27] requires between 2,700 and 9,000 computations per analysis window and monitored node.

4.6. Summary of the Detection Approach

  • It must be noted that the detection proposal is based on an analytical model which employs simple features to carry out the detection process.
  • The use of this methodology incurs lower computational overhead in comparison with more sophisticated techniques based on data mining or machine learning algorithms, which require higher AC CE PT ED M AN US CR IP T computational complexity.
  • The operating point of their system must still be empirically obtained for specific scenarios or network conditions.

5. Implementing the Packet Dropping Detection Scheme

  • Beyond the theoretical development of their cross-layer malicious packet dropping detection method, in the following the authors discuss how to deploy their proposal.
  • The IDS has access not only to the statistics of sent packets by a given node, but also to those corresponding to the received packets.
  • The features for estimating the potential malicious behavior of a given node are indirectly collected by other nodes, which cooperate in order to provide a collaborative data collection process.
  • In the experimentation presented in Section 6 the authors show the effect of this estimation and demonstrate that it does not degrade significantly the performance of the detection system.
  • This way, the set of trustworthy monitor nodes can be substituted by the own neighbor nodes of a given one in the network.

6. Performance Evaluation

  • This section describes the experimental framework used to validate the packet dropping IDS approach proposed here, and the results obtained from that evaluation.
  • The authors have carried out extensive experiments to verify the proper performance of their proposal.

6.1. Experimental Environment

  • Network Simulator 2 (NS-2) [38] has been adopted as evaluation platform [39] to simulate several deployments for a MANET environment.
  • Other parameters chosen for simulation are those shown in Table 1 and Table 2.
  • The pause time is 15 s, that is, after reaching the desired destination the node waits for 15 s before choosing a new random destination and repeating the procedure.
  • Malicious nodes in the environment are configured to drop 20% of the data packets received to be forwarded towards a final destination.

6.2. Detection Results

  • The detection performance of the introduced IDS is evaluated by means of two well known parameters, namely the True Positives Rate (TPR), or detection accuracy/rate, and the False Positives Rate (FPR).
  • Repeating 75 times (with different seed values) each of the simulations2.
  • As expected, the results obtained for the distributed-collection IDS approach are a little bit worse than the ones got in the stand-alone case.
  • On the contrary, lower detection thresholds result in better TPR values, but in increasing FPR figures.

6.2.1. Influence of Window Size

  • The size of the selected event-based window for collecting the features has also been chosen through experimental results.
  • Operating Point for Different Window Sizes, also known as Table 3.
  • As expected, the bigger the window the better detection capabilities in terms of FPR, although the size of the window cannot grow indefinitely, since this fact leads to increasing delays in the detection process.

6.2.2. Influence of Mobility

  • The authors now study the detection efficiency for different mobility conditions.
  • Six scenarios are thus simulated, with speed values from 5 m/s to 30 m/s to consider a wide range of possibilities.
  • Fig. 6 shows graphically both TPR and FPR for such different scenarios.
  • As shown, both the stand-alone and the distributed implementations achieve excellent results regarding the two metrics considered.
  • AC CE PT ED M AN US CR IP T meanwhile FPR always remains below 4%.

6.2.3. Influence of Channel Error Probability

  • The detection efficiency under different channel error probabilities has also been studied.
  • The authors have also considered higher error probabilities to test the performance of their scheme when different channel characteristics, like shadowing or multipath fading, cause large packet losses.
  • Fig. 7 depicts graphically both TPR and FPR in these situations.
  • As shown, TPR degrades for the stand-alone implementation as channel error probability increases.
  • This is mainly due to the fact that, for every received packet, it is more likely that the node has to retransmit it several times.

6.2.4. Influence of Number of Malicious Nodes

  • Another set of experiments are aimed at analyzing the performance of both detection approaches for an increasing number of malicious nodes.
  • The results obtained are presented in Fig. 8.
  • That is, the proposal provides again very good detection results.

6.2.5. Discussion and Comparison of Detection Results

  • From the above figures, it is clear that their IDS related proposal can efficiently detect the malicious nodes in the environment with an overall accuracy upper to 93%.
  • The authors have also carried out a more realistic comparison among their results and those exhibited by other similar schemes and comparable scenarios) in [22, 23, 27].
  • In order to show the suitability of this comparison among detection results, Table 4 presents for each scheme some parameters defining the scenarios considered.
  • This scheme integrates three different subsystems (a Bayes-based classifier, Markov chains and an association rule algorithm), which results in a more complex approach.

Did you find this useful? Give us your feedback

...read more

Content maybe subject to copyright    Report

Accepted Manuscript
A Model of Data Forwarding in MANETs for Lightweight Detection of
Malicious Packet Dropping
Leovigildo S
´
anchez-Casado, Gabriel Maci
´
a-Fern
´
andez,
Pedro Garc
´
ıa-Teodoro, Roberto Mag
´
an-Carri
´
on
PII: S1389-1286(15)00172-3
DOI: 10.1016/j.comnet.2015.05.012
Reference: COMPNW 5575
To appear in: Computer Networks
Received date: 10 October 2014
Revised date: 15 May 2015
Accepted date: 22 May 2015
Please cite this article as: Leovigildo S
´
anchez-Casado, Gabriel Maci
´
a-Fern
´
andez,
Pedro Garc
´
ıa-Teodoro, Roberto Mag
´
an-Carri
´
on, A Model of Data Forwarding in MANETs
for Lightweight Detection of Malicious Packet Dropping, Computer Networks (2015), doi:
10.1016/j.comnet.2015.05.012
This is a PDF file of an unedited manuscript that has been accepted for publication. As a service
to our customers we are providing this early version of the manuscript. The manuscript will undergo
copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please
note that during the production process errors may be discovered which could affect the content, and
all legal disclaimers that apply to the journal pertain.

ACCEPTED MANUSCRIPT
ACCEPTED MANUSCRIPT
A Model of Data Forwarding in MANETs for Lightweight
Detection of Malicious Packet Dropping
Leovigildo S
´
anchez-Casado
, Gabriel Maci
´
a-Fern
´
andez, Pedro Garc
´
ıa-Teodoro,
Roberto Mag
´
an-Carri
´
on
Department of Signal Theory, Telematics and Communications
School of Computer Science and Telecommunications
CITIC-UGR, University of Granada
C/ Periodista Daniel Saucedo Aranda s/n, 18071 Granada, Spain
Abstract
This work introduces a model of data forwarding in MANETs which is used for recog-
nizing malicious packet dropping behaviors. First, different legitimate packet discard
situations are modeled, such as those generated by collisions, channel errors or mobil-
ity related droppings. Second, we propose an anomaly-based IDS system based on an
enhanced windowing method to carry out the collection and analysis of selected cross-
layer features. Third, a real deployment of the IDS is also considered by suggesting
a methodology for the collection of the selected features in a distributed manner. We
evaluate our proposal in a simulation framework and the experimental results show a
considerable enhancement in detection results when compared with other approaches
in the literature. For instance, our scheme shows a 22% improvement in terms of true
positives rate and a remarkable 83% improvement in terms of false positives rate when
compared to previous well-known statistical solutions. Finally, it is notable the sim-
plicity and lightweightness of the proposal.
Keywords: IDS, Malicious node, MANET, Packet dropping attacks
1. Introduction
Wireless networks have considerably evolved in the last years, leading to the ap-
pearance of different related technologies, architectures and applications [1]. One of
the architectures that have attracted much attention, especially by the research commu-
nity, are the so called Mobile Ad hoc NETworks (MANETs).
A MANET is a kind of network composed of mobile devices distributed in a geo-
graphic area where there is a lack of fixed infrastructure or centralized administration.
Corresponding author. Tel.:+34-958241717
Email addresses: sancale@ugr.es (Leovigildo S
´
anchez-Casado), gmacia@ugr.es (Gabriel
Maci
´
a-Fern
´
andez), pgteodor@ugr.es (Pedro Garc
´
ıa-Teodoro), rmagan@ugr.es (Roberto
Mag
´
an-Carri
´
on)
Preprint submitted to Computer Networks May 27, 2015

ACCEPTED MANUSCRIPT
ACCEPTED MANUSCRIPT
Nodes within a communication range communicate directly, while those out of the
range make use of other nodes to forward the messages to a given destination. These
features make this kind of networks attractive for their application to areas like envi-
ronmental monitoring, military applications, disaster management, etc. [2].
As MANETs proliferate, many other engineering and research problems appear.
First, security issues associated with this communication paradigm are becoming more
and more relevant and, thus, they need to be conveniently addressed. In addition, there
is a number of specific factors that must be taken into account in the design or imple-
mentation of security systems related to MANETs. These peculiarities usually refer
to the constrained nature of the nodes, in terms of their reduced bandwidth, short life-
time of the battery, power-constrained processing, etc. Due to the inherent complexity
of MANETs, most of the off-the-shelf techniques and procedures developed for wired
networks and even for Wireless Local Area Networks (WLANs) are not suitable for
mobile ad hoc networks [3].
Among other threats [4], packet dropping attacks have remarkable consequences in
MANETs. Malicious nodes drop received data or control messages instead of relaying
them, thus affecting the traffic in the network [5]. There are different types of dropping
attacks, depending on the particular strategy adopted by the attacker [6]. Blackhole at-
tacks imply malicious nodes dropping all the packets they receive. Grayhole attacks are
similar but, here, malicious nodes drop packets statistically, following a predetermined
probability distribution.
The motivations for striking such attacks are different. First, malicious nodes might
seek to save energy resources (selfish behavior). Second, an attacker might be trying
to affect to the performance of a single node, or even disrupt the whole network oper-
ation. Nevertheless, regardless of the particular motivation for carrying out the attack,
the final behavior exhibited by the dropper node and thus its effects is the same. Con-
sequently, the developed scheme will be able to detect the attack anyway.
This paper proposes a cross-layer anomaly-based Intrusion Detection System (IDS),
where features from Medium Access Layer (MAC) and network layers are consid-
ered. First, we suggest a model of normality for the forwarding process of nodes in
MANETs. This model considers the existence of events that might cause legitimate
drops, such as collisions, channel errors or mobility related situations. Modeling these
events, we are able to distinguish between that circumstances and actual malicious
dropping actions, i.e., anomalies in the expected behavior.
Based on the proposed model, we develop an IDS system for the detection of drop-
ping attacks. The main benefits are: (a) the promising results exhibited prove the detec-
tion capabilities of the developed approach; (b) the computational overhead is reduced
as a consequence of using a simple analytical model, so that the IDS is lightweight
and can be used in constrained environments; (c) the IDS is efficient from an energy
point of view, since it does not waste resources in nodes with scarce activity due to the
enhanced windowing method proposed.
The organization of the rest of the paper is as follows. Some related work in the
field is reviewed in Section 2. The analytical model of the forwarding process which is
used as the basis for our detection proposal is presented in Section 3. The IDS system
for the detection of dropping attacks is explained in Section 4. After that, we discuss
how to implement the system in a real network in Section 5. Section 6 describes the
2

ACCEPTED MANUSCRIPT
ACCEPTED MANUSCRIPT
experimental results obtained. Finally, we draw our conclusions in Section 7.
2. Related Work
A wide variety of solutions that handle packet dropping attacks in MANETS can be
found in recent research [7, 8]. Below, we discuss and classify them in three categories
according to their basic operation, ACK-, reputation- and detection-based schemes.
We have deliberately omitted some other solutions, such as credit-based schemes, as
we consider them as prevention mechanisms.
2.1. ACK-based Schemes
Here, nodes in the network communicate with their neighbors to explicitly request
acknowledgments and confirm the reception of sent packets.
A two-hop ACK-based scheme is proposed in [9]. It uses authentication to prevent
nodes in a single hop from forging ACK packets on behalf of the two-hop neighbors.
For reducing the communication overhead, they propose to ask the two-hop neighbors
randomly [10]. These two schemes fail when any two-hop neighbors do not cooperate.
TWOACK [11] detects malicious links by sending two-hop acknowledgment pack-
ets in the opposite direction of the routing path, each sender having a list of not ac-
knowledged packets and a counter of the forwarded and missed data packets. Besides,
to reduce the routing overhead, authors present in [12] an improvement of their scheme
called 2ACK, where only a portion of the packets are acknowledged.
Djahel et al. [13] investigate how to mitigate the loss of topological information
due to the dropping of Topology Control (TC) messages in the OLSR (Optimized Link
State Routing) protocol. They propose a three-hop acknowledgment-based scheme,
which adds two extra control packets. Nodes use 3hop ACK packets to acknowledge
TC messages, while HELLO rep packets advertise two-hop neighbors to a requesting
MultiPoint Relay (MPR) node. If the number of missed TC / 3hop ACK packets sur-
passes a given limit, the MPR node is considered malicious.
The authors in [14] complete their previous works in [9] and [10] by employing
two-hop cryptographic acknowledgments for unicast packets, and a passive feedback
mechanism for monitoring broadcast packets. The collected information is afterwards
used as the basis for an accusation-based collaborative mechanism for node isolation.
In [15], the rank of intermediate nodes is updated whenever an acknowledgment is
received in the source. If this rank drops to zero, the node is classified as malicious.
The main problem of these approaches is that, if acknowledgments are lost due to
any legitimate reason (as it will be seen in Section 3), this fact can increase the number
of false positives provided by the detection scheme.
2.2. Reputation-based Schemes
The basic idea behind these techniques is that each node first generates an opinion
with respect to others. Afterwards, all of them collectively detect low reputation nodes.
In [16], the CONFIDANT protocol is designed to revoke malicious nodes. It is
composed of four components. A monitor supervises, through a passive-feedback tech-
nique, the behavior of its first-hop neighbors. Whenever a suspicious event is detected,
3

ACCEPTED MANUSCRIPT
ACCEPTED MANUSCRIPT
details are passed to a reputation system, which maintains a table with the ratings for
all the nodes. A trust manager sends and receives alarm messages, informing about de-
tected adversaries. Finally, a path manager is responsible for launching an appropriate
response.
The authors in [17] propose Friends and Foes, a scheme to punish selfish nodes.
Here, each node maintains credits for each other and classifies the rest in three cate-
gories periodically updated: friends, i.e., those for which the node will relay packets;
foes, when no service is given at all; and selfish, corresponding to those that consider
the node as a foe. When a node sends a packet, it searches for a friend as a next hop.
Similarly, when it is requested to forward a packet, it only does it for friend requesters.
The concept of inner-circle consistence was adopted in [18] to identify forged route
replies and prevent packet dropping attacks. The idea is to let each node discover its
k-hop neighborhood. All its neighbors form its inner-circle, responsible for filtering
malicious outgoing data. Specifically, route replies need to get approval from its inner-
circle, which verifies the validity. If a reply contains false routing information, an attack
is detected and prevented by a voting process performed by each inner-circle node.
The major drawback of this type of techniques is the excessive traffic required for
sharing the reputation information.
2.3. Detection-based Schemes
Marti et al. [19] proposed a system called Watchdog, where a monitor node com-
pares the packets that it sends with the overheard packets forwarded by the next hop.
If a packet is not localized in a given period, a counter is incremented for the next
hop. A counter with a value higher than a given threshold indicates a malicious be-
havior. When a malicious node is identified in the path towards the destination node, a
response mechanism called Pathrater is launched to avoid routing through the misbe-
having node.
Zhang et al. [20] suggest a scheme in which each node in the network runs an IDS
agent based on Support Vector Machines (SVM) that monitors local traces, collecting
data like user and system activities or communications within the radio range. Also,
each agent is responsible for detecting, locally and independently, signs of intrusions.
However, if an anomaly is detected in the local data, or if evidence is inconclusive and
needs further investigation, neighboring IDS agents will collaboratively investigate in
a broader range.
In [21], a data mining analysis is performed to extract correlations among features.
Classifiers like Na
¨
ıve-Bayes, RIPPER or C4.5 are then used for the detection.
In [22], the authors follow a multi-layer approach combining three different subsys-
tems that use an association rule algorithm, Markov chains and a Bayesian classifier.
They perform the intrusion detection in application, routing and MAC layers. The re-
sults from all the classifiers are combined locally, and the final result is sent to a global
decider.
Kurosawa et al. [23] introduce an anomaly detection scheme which uses a dynamic
training method. In this scheme, the number of control packets and the average of the
differences between the destination sequence numbers in the routes are employed to
detect deviations from the normal network state. This state is dynamically updated to
4

Citations
More filters

Journal ArticleDOI
TL;DR: An active trust verification mechanism is innovatively proposed in the VTE mechanism, which evaluates the trust of MVs by sending UAVs to perceive IoT devices data as baseline data, which is a fundamental change to the previous passive and unverifiable trust mechanism.
Abstract: Billions of sensors and devices are connecting to the Internet of Thing (IoT) and generating massive data which are benefit for smart network systems. However, low-cost, secure, and efficient data collection from billions of IoT devices in smart city is a huge challenge. Recruiting mobile vehicles (MVs) has been proved to be an effective data collection scheme. However, the previous approaches rarely considered the security. In this paper, a novel Baseline Data based Verifiable Trust Evaluation (BD-VTE) scheme is proposed to guarantee security at a low cost. BD-VTE scheme includes Verifiable Trust Evaluation (VTE) mechanism, Effectiveness-based Incentive (EI) mechanism, and Secondary Path Planning (SPP) strategy, which are respectively used for reliable trust evaluation, reasonable reward, and efficient path adjustment. Among them, an active trust verification mechanism is innovatively proposed in the VTE mechanism, which evaluates the trust of MVs by sending UAVs to perceive IoT devices data as baseline data. This is a fundamental change to the previous passive and unverifiable trust mechanism. The simulation results show that BD-VTE scheme reduces the cost by at least 25.12% ∼ 38.03%, improves the collection rate by 0.91% ∼ 9.65% and increases the accuracy by 10.28% on average compared with the previous strategies.

42 citations


Journal ArticleDOI
TL;DR: 2020 is anticipated as the turning point where deployments become common, not merely just a topic of conversation but where the need for collective, intelligent detection agents work across all layers of the IoT becomes a reality.
Abstract: Transition to the Internet of Things (IoT) is progressing without realization. In light of this securing traditional systems is still a challenging role requiring a mixture of solutions which may negatively impact, or simply, not scale to a desired operational level. Rule and signature based intruder detection remains prominent in commercial deployments, while the use of machine learning for anomaly detection has been an active research area. Behavior detection means have also benefited from the widespread use of mobile and wireless applications. For the use of smart defense systems we propose that we must widen our perspective to not only security, but also to the domains of artificial intelligence and the IoT in better understanding the challenges that lie ahead in hope of achieving autonomous defense. We investigate how intruder detection fits within these domains, particularly as intelligent agents. How current approaches of intruder detection fulfill their role as intelligent agents, the needs of autonomous action regarding compromised nodes that are intelligent, distributed and data driven. The requirements of detection agents among IoT security are vulnerabilities, challenges and their applicable methodologies. In answering aforementioned questions, a survey of recent research work is presented in avoiding refitting old solutions into new roles. This survey is aimed toward security researchers or academics, IoT developers and information officers concerned with the covered areas. Contributions made within this review are the review of literature of traditional and distributed approaches to intruder detection, modeled as intelligent agents for an IoT perspective; defining a common reference of key terms between fields of intruder detection, artificial intelligence and the IoT, identification of key defense cycle requirements for defensive agents, relevant manufacturing and security challenges; and considerations to future development. As the turn of the decade draws nearer we anticipate 2020 as the turning point where deployments become common, not merely just a topic of conversation but where the need for collective, intelligent detection agents work across all layers of the IoT becomes a reality.

32 citations


Journal ArticleDOI
TL;DR: A novel technique using Localized Secure Architecture for MANET (LSAM) routing protocol is proposed to detect and prevent co-operative black hole attack and it is shown that the proposed protocol is more secured and efficient.
Abstract: Black hole attack refers an attack by single or more number of malicious nodes which forcibly captures the route from source to destination by sending reply with largest sequence number and smallest hop count. In this paper, a novel technique using Localized Secure Architecture for MANET (LSAM) routing protocol is proposed to detect and prevent co-operative black hole attack. Security Monitoring Nodes (SMNs) would be activated only if the threshold value is exceeded. If malicious nodes are detected, other SMNs in its proximity area are intimated to isolate the malicious nodes. Network simulator tool is implemented to analyze the network performance of different scenarios with various number of nodes. Packet delivery ratio (PDR), routing overhead, control overhead, packet drop rate, throughput and end-to-end delay (EED) are the factors taken into consideration for performance analysis and it is shown that the proposed protocol is more secured and efficient. PDR is been increased by 27 % in the presence of 40 % misbehaving nodes, while it increases the percentage of overhead on proposed routing protocol from 1 to 4 %. EED is greatly reduced from 0.9 to 0.3 % in LSAM.

31 citations


Journal ArticleDOI
TL;DR: An Active and Verifiable Trust Evaluation (AVTE) approach is proposed to identify the credibility of IoT devices, so to ensure reliable data collection for Edge Computing with low cost and theoretical analysis shows that AVTE approach can improve the data collection rate by 0.5 ~ 23.16% while ensuring long network lifetime compared with the existing scheme.
Abstract: Billions of Internet of Thing (IoT) devices are deployed in edge network. They are used to monitor specific event, process and to collect huge data to control center with smart decision based on the collected data. However, some malicious IoT devices may interrupt and interfere with normal nodes in data collection, causing damage to edge network. Due to the open character of the edge network, how to identify the credibility of these nodes, thereby identifying malicious IoT devices, and ensure reliable data collection in the edge network is a great challenge. In this paper, an Active and Verifiable Trust Evaluation (AVTE) approach is proposed to identify the credibility of IoT devices, so to ensure reliable data collection for Edge Computing with low cost. The main innovations of the AVTE approach compared with the existing work are as follows: (1) In AVTE approach, the trust of the device is obtained by an actively initiated trusted detection routing method. It is fast, accurate and targeted. (2) The acquisition of trust in the AVTE approach is based on a verifiable method and it ensures that the trust degree has higher reliability. (3) The trust acquisition method proposed in this paper is low-cost. An encoding returned verification method is applied to obtain verification messages at a very low cost. This paper proposes an encoding returned verification method, which can obtain verification messages at a very low cost. In addition, the strategy of this paper adopts initiation and verification of adaptive active trust detection according to the different energy consumption of IoT devices, so as to reliably obtain the trust of device under the premise of ensuring network lifetime. Theoretical analysis shows that AVTE approach can improve the data collection rate by 0.5 ~ 23.16% while ensuring long network lifetime compared with the existing scheme.

18 citations


Cites background from "A model of data forwarding in MANET..."

  • ...Because most applications are based on the data sensed and acquired by IoT devices [13, 14], many emerging applications sensitive to latency and bandwidth, such as virtual reality, augmented reality and infrastructure for smart cities, benefit from edge computing....

    [...]


Journal ArticleDOI
TL;DR: A fully decentralized mechanism that allows a node to monitor and detect neighbors that are malicious even if they have a changing behavior, based on a Bernoulli Bayesian model for nodes behavior classification and a Markov chain model for behavior evolution tracking is proposed.
Abstract: A Mobile Ad hoc Network (MANET) is a dynamic network composed of mobile nodes that can communicate without relying on an existing infrastructure. In such decentralized environment, packet forwarding and other routing services are provided by network nodes cooperatively without any central administration. Most of existing Ad hoc routing protocols are based on the assumption that all network nodes are trustworthy. However, this assumption may be inconsistent when a malicious node decides to drop packets that are supposed to be forwarded in the aim of disrupting the routing services. Furthermore, the malicious node can change its behavior over time in order to appear as a legitimate node and still disrupting the network without being detected. To address this problem, we propose in this paper a fully decentralized mechanism that allows a node to monitor and detect neighbors that are malicious even if they have a changing behavior. Our mechanism is based on a Bernoulli Bayesian model for nodes behavior classification and a Markov chain model for behavior evolution tracking. Performance analysis of numerical results obtained using NS2 simulations show an accurate detection of malicious nodes, which can be used to guarantee a reliable and secure packet forwarding among network nodes.

17 citations


References
More filters

Book
15 Jan 1996
Abstract: From the Publisher: The indispensable guide to wireless communications—now fully revised and updated! Wireless Communications: Principles and Practice, Second Edition is the definitive modern text for wireless communications technology and system design. Building on his classic first edition, Theodore S. Rappaport covers the fundamental issues impacting all wireless networks and reviews virtually every important new wireless standard and technological development, offering especially comprehensive coverage of the 3G systems and wireless local area networks (WLANs) that will transform communications in the coming years. Rappaport illustrates each key concept with practical examples, thoroughly explained and solved step by step. Coverage includes: An overview of key wireless technologies: voice, data, cordless, paging, fixed and mobile broadband wireless systems, and beyond Wireless system design fundamentals: channel assignment, handoffs, trunking efficiency, interference, frequency reuse, capacity planning, large-scale fading, and more Path loss, small-scale fading, multipath, reflection, diffraction, scattering, shadowing, spatial-temporal channel modeling, and microcell/indoor propagation Modulation, equalization, diversity, channel coding, and speech coding New wireless LAN technologies: IEEE 802.11a/b, HIPERLAN, BRAN, and other alternatives New 3G air interface standards, including W-CDMA, cdma2000, GPRS, UMTS, and EDGE Bluetooth wearable computers, fixed wireless and Local Multipoint Distribution Service (LMDS), and other advanced technologies Updated glossary of abbreviations and acronyms, and a thorolist of references Dozens of new examples and end-of-chapter problems Whether you're a communications/network professional, manager, researcher, or student, Wireless Communications: Principles and Practice, Second Edition gives you an in-depth understanding of the state of the art in wireless technology—today's and tomorrow's.

16,896 citations


01 Jul 2003
TL;DR: A logging instrument contains a pulsed neutron source and a pair of radiation detectors spaced along the length of the instrument to provide an indication of formation porosity which is substantially independent of the formation salinity.
Abstract: The Ad hoc On-Demand Distance Vector (AODV) routing protocol is intended for use by mobile nodes in an ad hoc network. It offers quick adaptation to dynamic link conditions, low processing and memory overhead, low network utilization, and determines unicast routes to destinations within the ad hoc network. It uses destination sequence numbers to ensure loop freedom at all times (even in the face of anomalous delivery of routing control messages), avoiding problems (such as "counting to infinity") associated with classical distance vector protocols.

11,293 citations


Additional excerpts

  • ...AODV (Ad hoc On-demand Distance Vector) routing protocol [35] is considered as a case study in this work....

    [...]


01 Jan 1994
Abstract: An ad hoc network is a collection of wireless mobile hosts forming a temporary network without the aid of any established infrastructure or centralized administration. In such an environment, it may be necessary for one mobile host to enlist the aid of other hosts in forwarding a packet to its destination, due to the limited range of each mobile host’s wireless transmissions. This paper presents a protocol for routing in ad hoc networks that uses dynamic source routing. The protocol adapts quickly to routing changes when host movement is frequent, yet requires little or no overhead during periods in which hosts move less frequently. Based on results from a packet-level simulation of mobile hosts operating in an ad hoc network, the protocol performs well over a variety of environmental conditions such as host density and movement rates. For all but the highest rates of host movement simulated, the overhead of the protocol is quite low, falling to just 1% of total data packets transmitted for moderate movement rates in a network of 24 mobile hosts. In all cases, the difference in length between the routes used and the optimal route lengths is negligible, and in most cases, route lengths are on average within a factor of 1.01 of optimal.

8,541 citations


Book ChapterDOI
01 Jan 1996
TL;DR: This paper presents a protocol for routing in ad hoc networks that uses dynamic source routing that adapts quickly to routing changes when host movement is frequent, yet requires little or no overhead during periods in which hosts move less frequently.
Abstract: An ad hoc network is a collection of wireless mobile hosts forming a temporary network without the aid of any established infrastructure or centralized administration. In such an environment, it may be necessary for one mobile host to enlist the aid of other hosts in forwarding a packet to its destination, due to the limited range of each mobile host’s wireless transmissions. This paper presents a protocol for routing in ad hoc networks that uses dynamic source routing. The protocol adapts quickly to routing changes when host movement is frequent, yet requires little or no overhead during periods in which hosts move less frequently. Based on results from a packet-level simulation of mobile hosts operating in an ad hoc network, the protocol performs well over a variety of environmental conditions such as host density and movement rates. For all but the highest rates of host movement simulated, the overhead of the protocol is quite low, falling to just 1% of total data packets transmitted for moderate movement rates in a network of 24 mobile hosts. In all cases, the difference in length between the routes used and the optimal route lengths is negligible, and in most cases, route lengths are on average within a factor of 1.01 of optimal.

8,185 citations


"A model of data forwarding in MANET..." refers methods in this paper

  • ...The mobility model for the nodes refers to the Random Waypoint Model (RWP) [41], with a fixed minimum speed equal to 1 m/s and a maximum speed varying from 5 to 30 m/s....

    [...]


Proceedings ArticleDOI
01 Aug 2000
TL;DR: Two techniques that improve throughput in an ad hoc network in the presence of nodes that agree to forward packets but fail to do so are described, using a watchdog that identifies misbehaving nodes and a pathrater that helps routing protocols avoid these nodes.
Abstract: This paper describes two techniques that improve throughput in an ad hoc network in the presence of nodes that agree to forward packets but fail to do so. To mitigate this problem, we propose categorizing nodes based upon their dynamically measured behavior. We use a watchdog that identifies misbehaving nodes and a pathrater that helps routing protocols avoid these nodes. Through simulation we evaluate watchdog and pathrater using packet throughput, percentage of overhead (routing) transmissions, and the accuracy of misbehaving node detection. When used together in a network with moderate mobility, the two techniques increase throughput by 17% in the presence of 40% misbehaving nodes, while increasing the percentage of overhead transmissions from the standard routing protocol's 9% to 17%. During extreme mobility, watchdog and pathrater can increase network throughput by 27%, while increasing the overhead transmissions from the standard routing protocol's 12% to 24%.

3,697 citations


"A model of data forwarding in MANET..." refers background in this paper

  • ...[19] proposed a system called Watchdog, where a monitor node compares the packets that it sends with the overheard packets forwarded by the next hop....

    [...]


Frequently Asked Questions (2)
Q1. What have the authors contributed in "A model of data forwarding in manets for lightweight detection of malicious packet dropping" ?

This work introduces a model of data forwarding in MANETs which is used for recognizing malicious packet dropping behaviors. Second, the authors propose an anomaly-based IDS system based on an enhanced windowing method to carry out the collection and analysis of selected crosslayer features. The authors evaluate their proposal in a simulation framework and the experimental results show a considerable enhancement in detection results when compared with other approaches in the literature. Third, a real deployment of the IDS is also considered by suggesting a methodology for the collection of the selected features in a distributed manner. 

Different schemes can be analyzed for that, e. g., obtaining an average of previous AC CE PT ED M AN US CR IP T threshold values, computing the threshold as a function of the mobility speed, etc. • Finally, the authors are planning to extend their approach to include an attack model where several nodes work in collusion to evade the detection process.