A Message from the General Chairs

The workshop on Research Challenges in Security and Privacy for Mobile and Wireless Networks (WSPWN) was held in Miami, Florida on March 15 & 16, 2006 and was funded by the National Science Foundation (NSF), in cooperation with the Department of Electrical Engineering and Computer Science of the College of Engineering at the University of Toledo, and with the Telecommunications and Information Technology Institute (IT2) of the College of Engineering and Computing at the Florida International University (FIU), to establish the main research challenges in security and privacy for mobile and wireless networks, and to serve the rapidly emerging security area for the mobile and wireless community of researchers and practitioners. The workshop provides a single, cohesive, and high-quality forum for disseminating research and experience in this emerging field. Of significance is the integration of many diverse communities. The areas of security and privacy for mobile and wireless networks combine the best of both worlds, namely academia and industry. The objective of the workshop is to define and establish a common infrastructure of the discipline and to develop a consensus-based document that will provide a foundation for implementation, standardization, and further research.

The Workshop Program Chairs, Dr. Peter Reiher (University of California at Los Angeles) and Dr. Kami Makki (University of Toledo), assembled a truly impressive program committee. Together with the program committee, they worked diligently to select papers and speakers that met the criteria of high quality and relevance to our various fields of interest. It takes time and effort to review a paper carefully, and every member of the program committee is to be commended for his/her contribution to the success of this workshop.
The papers contained in these proceedings focus on original research results in the areas of theory, design, implementation, and applications of the security and privacy for mobile and wireless networks. They identify challenging problems facing the development of such technologies and provide novel, innovative, and fundamental advances in the areas. We sincerely believe you will find the manuscripts included in these proceedings to be of significant technical merit.

A lot of work went into organizing this workshop, forming this program, and producing the proceedings. We would like to express our deepest personal thanks to keynote speakers, invited speakers, speakers, and the various workshop organizers for their efforts. We take this opportunity to acknowledge the excellent work done by Program Chairs Peter Reiher and Kami Makki. We are grateful to NSF who generously funded this workshop. Specifically, we would like to thank the honorary conference chair Dr. Joseph Evans, National Science Foundation (NSF).

It was our great honor and pleasure to accept the responsibilities and challenges of general chairs. We are pleased to offer an excellent program, and we hope that you all took advantage of these opportunities for professional development. We hope that the workshop was stimulating, informative, enjoyable, and a fulfilling experience for all who attended.

Kia Makki, Florida International University
Niki Pissinou, Florida International University

A Message from the Program Chairs

On behalf of the program committee it gives us a great pleasure to present the program and the proceedings for the workshop on Research Challenges in Security and Privacy for Mobile and Wireless Networks (WSPWN06), which was held in Miami, Florida on March 15 & 16, 2006. The workshop has got off to an excellent start with a very strong program for the inaugural offering.
We have papers on many important current and emerging topics ranging from modeling worms that take advantage of mobility to new models of sensor nets that are more resilient to important forms of attack. These papers are results of the latest research activities in the exciting and rapidly expanding area of privacy and security in the mobile and wireless world. Each manuscript was reviewed by at least three reviewers. The quality of the accepted papers shows the diligent work of the authors and reviewers. I wish to thank all authors of submitted papers for their hard work and ideas; it has been a difficult job selecting papers for inclusion in the proceedings. The workshop accepted a total of 10 papers from 21 submissions, an acceptance ratio of 47 percent. We also have two invited papers.

We would like to thank the keynote speakers and invited presenters for agreeing to present special sessions at the workshop. These sessions have greatly enhanced the program. We would like to thank the workshop Program Committee members for helping to organize the program and for doing an outstanding job in refereeing the submitted papers. Our thanks go also to the external reviewers, particularly those who were given short notice to do some extra reviews. Our special thanks go to the Applied Computational Electromagnetic Society (ACES) for handling the submission of the papers, registrations and all the other logistics. We are sure you will find the workshop on Research Challenges in Security and Privacy for Mobile and Wireless Networks (WSPWN) an interesting and exciting workshop.
Peter Reiher, University of California at Los Angeles
Kami Makki, University of Toledo

Organizing Committee

Honorary Conference Chair
Joseph Evans, National Science Foundation/The University of Kansas

General Co-Chairs
Kia Makki, Florida International University
Niki Pissinou, Florida International University

Program Co-Chairs
Peter Reiher, UCLA
Kami Makki, University of Toledo

International Vice-Chairs
Xiaohua Jia, City University of Hong Kong
Mohsen Guizani, Western Michigan University

Workshop Proceedings Chair
Shamila Makki, Florida International University

Finance Co-Chairs
E.K. Park, University of Missouri, Kansas City
Senad Busovaca, California State University, Sacramento

Local arrangement Chair
Kang Yen, Florida International University
Osama Mohammad, Florida International University

Program Committee
Ehab Al-Shaer, DePaul University
John Baras, University of Maryland
Bharat Bhargarva, Purdue University
Mike Burmester, Florida State University
Senad Busovaca, California State University, Sacramento
Roy Campbell, University of Illinois, Urbana Champaign
Christos Douligeris, University of Piraeus, Greece
Ophir Frieder, Illinois Institute of Technology
Virgil Gligor, University of Maryland
Xiaohua Jia, City University of Hong Kong
Parviz Kermani, IBM Watson
Jiejun Kong, UCLA
Birgitta Koenig-Ries, Karlsruhe University
Wenke Lee, Georgia Tech
Jinbao Li, Heilongjiang University
Xuan Liu, IBM Watson
Douglas Maughan, HSARPA, Department of Homeland Security
Jelena Mirkovic, University of Delaware
Wuxu Peng, Texas State University
Adrian Perrig, Carnegie Mellon University
Frank Seliger, IBM Pervasive Computing, Germany
Mani Srivastava, UCLA
Peng-Jun Wan, Illinois Institute of Technology
Weili Wu, University of Texas at Dallas
Jie Wu, Florida Atlantic University
Guoliang Xue, Arizona State University
Yelena Yesha, University of Maryland, Baltimore County
Yongguang Zhang, HRL Labs

Table of Contents

A message from the General Chairs
A message from the Program Chairs
WSPWN 2006 Organizing Committee
WSPWN 2006 Technical Committee

Keynote Address: Joseph Evans, NSF/UK

Session 1: Trust
Pervasive systems: Enhancing trust negotiation with privacy support
    Kajetan Dolinar, Tomaz Klobucar, and Jan Porekar
An Overview of Models applying Trust Management as a Component of Security Services in MANETs
    Dagmara Speiwak and Thomas Engel
A Framework for Computing Trust in Mobile Ad Hoc Networks
    Tirthankar Ghosh, Niki Pissinou, Kia Makki, and Ahmad Farhat

Session 2: Invited papers
Reactive and Proactive approaches to Secure Routing in MANETs
    Mike Burmester and Tri Van Le
Toward Efficient Solutions to Resist Mobile Traffic Sensors: How Much Performance Cost is Paid by On-demand Anonymous Routing Protocols
    Jiejun Kong, Jun Liu, Xiaoyan Hong, and Mario Gerla

Session 3: Miscellaneous Topics
Computer Ecology: Responding to Mobile Worms with Location-Based Quarantine Boundaries
    Baik Hoh and Marco Gruteser
Approaches for Ensuring Security and Privacy in Unplanned Ubiquitous Computing Interactions
    V. Ramakrishna, Kevin Eustice, and Matthew Schnaider
Mobile Handset Authentication and Authorization in Distributed Wireless Environments
    Pankaj Aggarwal, Kartikeya Tripathi, Janise McNair, and Haniph A. Latchman

Session 4: Ad Hoc and Sensor Networks
Hardware/Software Solution to Improve Security in Mobile Ad-hoc Networks
    Sirisha Medidi and Jose G. Delgado-Frias
An Anonymous MAC Protocol for Wireless Ad Hoc Networks
    Shu Jiang
Opportunistic Networks: The Concept and Research Challenges in Privacy and Security
    Leszek Lilien, Zille Huma Kamal, and Ajay Gupta

Pervasive systems: Enhancing trust negotiation with privacy support

Kajetan Dolinar 1, Jan Porekar 1, Aleksej Jerman-Blažič 1 and Tomaž Klobučar 2
1 SETCCE (Security Technology Competence Centre), Jamova 39, Ljubljana, Slovenia
kajetan@setcce.org, jan@setcce.org, aljosa@setcce.org
2 Jožef Stefan Institute, Jamova 39, Ljubljana, Slovenia
klobucar@e5.ijs.si

Abstract: This paper covers topics related to privacy and trust negotiation applied in pervasive information systems. We consider the turbulent nature of pervasive environments and highlight special privacy and trust issues that arise from it. The current state of trust negotiation is summarized. We propose an extended negotiation model that not only enables parties’ access control but produces a privacy agreement as the outcome of the negotiation. This privacy agreement needs to be mutually signed by both parties and is the starting point for enforcement strategies in the event of abuse of agreed privacy practices. In the paper we also describe privacy risks of the state-of-the-art trust negotiation methods.

Keywords: Pervasive systems, ubiquitous systems, trust negotiation, privacy negotiation, privacy threat, privacy agreement

1. Introduction

Pervasive or ubiquitous systems have been the subject of intense conceptual research in recent years [1, 2]. In favour of the sceptics, who believe that a physical world around us is complicated enough and that humankind has more important things to do than to build its digital counterpart, one can easily observe that such pervasive systems are still pure science fiction in terms of technical implementation today. The number of electronic devices connected to the network is expected to rise exponentially and will eventually outnumber humans living on the planet.
Mobile devices such as laptops, personal digital assistants and cellular phones will steadily increase in number. Standard household appliances and machines will be connected to the network and new intelligent appliances and biosensors will emerge. The vision of pervasive systems is to integrate all those different devices in a world where computer technology will slowly disappear from everyday lives and eventually become invisible: a world in which computer systems will seamlessly adapt to user context and will help a user perform tasks by inferring his intent, and a world in which a digital representation of the user, the user’s data and the user’s digital workplace will constantly be copied across various network nodes in order to follow the user in his real world geographical movements. Many of these devices will have a certain degree of passive and active intelligence built in and will act as sensors or reality-aware processing nodes. Aside from these peripheral devices, a vast network of intelligent middleware will have to be provided in order to achieve the synchronous intelligent behaviour of the whole pervasive network.

In order for this to be achieved, a large amount of private user data, preferences, behavioural habits and other information about the user will need to be processed and exchanged among various network nodes and subsystems. With the data inferred, related conclusions will again be exchanged all over the system. In such a system, it is of paramount importance to assure privacy and maintain control of turbulent private information flow, whilst preventing leakages of sensitive private information.

Another aspect which further blurs privacy issues is the diminishing of the conventional roles of the thin, not-trusted user-client and the large corporate service. Pervasive systems are service oriented platforms where everything can potentially act as a service, including the user.
The opposite is also true: every service will potentially be able to take on the role of a user. In pervasive systems, a user and service are simply roles that can be swapped or interchanged. These two roles merely describe the nature of the communication, since the user is the party that initiates the communication and the service is the party that replies and grants access to the user. To avoid confusion, we will use the terms supplicant for the user and supplier for the service. Distributed systems are traditionally seen as environments where the user is normally not a trusted party and services are more or less trusted. In pervasive systems such as the DAIDALOS pervasive platform [9], this relation between a small user and fat service disappears or can even be intertwined.

The concepts of privacy protection are supported by three distinguishable mechanisms which conduct the process of privacy terms agreement, data access control and anonymization of the subjects involved in the process. These concepts are also known as privacy or trust negotiation, virtual identities and (access control) credentials. The first step towards protecting a user’s private data is a multiparty understanding of the terms, conditions and content of private data collected and used. When a bilateral (or multilateral) agreement is reached, a selection of virtual identities is generated and activated, interpreting subjects and their context behind different levels of anonymous identifiers. The final step in the process is to relate selected identities with the user context to be used by the service and to unveil private data access control rules enforcing credentials.

The initial and principal step of privacy mechanisms is the negotiation process which defines the framework for private data protection.
We therefore investigate the current state of trust and/or access control negotiation and highlight the need for it to be extended with assertions about privacy in order to satisfy the privacy constraints of the pervasive environment. The result of such a negotiation would be the granting of access to services and a privacy agreement that could be used by privacy enforcement systems. In the paper we also describe privacy risks of the state-of-the-art trust negotiation methods.

2. Trust Negotiation

Trust negotiation is a process through which mutual trust is incrementally established by the gradual exchange of digital credentials and requests for credentials among entities that may have no pre-existing knowledge of each other. Digital credentials are an electronic analogue of paper credentials used to establish trust in the everyday world. Upon successful trust negotiation the supplicant is granted access to the protected resource [3, 4]. During trust negotiation, the disclosure of credentials is governed by access control policies. Trust negotiation has been intensely discussed in various publications in recent years [3-6, 12, 13]. You will also find a brief description of a trust negotiation protocol in this document.

The parties involved in trust negotiation will be named the supplicant and the supplier. The supplicant is the party that requests access to resource R, and the supplier is the service providing it. The trust negotiation protocol consists of two types of messages which are exchanged between the supplicant and supplier:

1. Requests for credentials or resources;
2. Disclosures of credentials or resources.

In the text below we describe a typical negotiation example. In the first step of negotiation a supplicant sends a request to a supplier for access to the resource R. The supplier can either grant access to the resource R directly or request an additional set of credentials C1 to be sent first.
In this case, the supplicant can decide whether he trusts the supplier enough to disclose C1. If the supplicant doubts the supplier’s trustworthiness, he can reply by requesting an additional set of credentials C2 from the supplier. When the supplier replies by presenting credentials C2, the supplicant replies by sending credentials C1 back to the supplier. Because all requests have been satisfied and appropriate credentials presented by both parties, the supplicant is granted access to the requested resource R. For better clarity, the example is presented in Fig. 1.

Fig. 1: Trust negotiation schema

In general, negotiation may consist of several steps. In each step, one of the two parties may disclose some credentials that were requested by the other party during the previous step. In addition to the disclosure of credentials a party may choose to request additional credentials to be disclosed by the other negotiating party, before it trusts the other party enough for the requested credential to be revealed. The exact flow of the exchanged credentials depends on decisions made by each party involved in negotiation and is referred to as “strategy” [4, 6]. Strategies determine which credentials are to be revealed, at what times and when to terminate the negotiation. Strategies can be either more liberal or more conservative in terms of willingness to disclose the information. In this manner the trust is gradually established between both negotiating parties.

3. Weaknesses of trust negotiation

We define privacy risk, or privacy threat, as a measure of the possibility that private data, which is desired to stay private, is revealed without the owner having the ability to prevent this. A privacy leak is defined as any unintentional disclosure of private data, either as a consequence of negligence, weak privacy provision methods, or capability to compromise these.
Thus, any leak is also a threat, a fulfilled one, and how big a threat it is depends on the degree of information leaked.

The main goal of the trust negotiation process described above is to grant the supplicant access to the requested resource. The very fact that sensitive attributes are revealed during the negotiation process calls for attention; in fact, under certain conditions even access control policies can be regarded as private or sensitive information that needs to be handled with special care.

Apart from the straightforward disclosure of private information during manipulation, privacy can be at risk in a far more indirect and opaque sense. Pervasive environments make information processing highly intensive and penetrating and can render small pieces of information which can be stepping stones to the disclosure of greater secrets. Quite naturally, a large amount of personal information will already be available to systems in the pervasive environment after a longer period of use of the system. Although data have probably been made adequately anonymous as far as possible (compare methods for pseudonymizing in [7] or the virtual identity approach in [9]), inference capabilities of a pervasive environment can aid in correlating sets of anonymous data with each other. This can make it possible to aggregate correlated data and to resolve personal profiles to an extent where they finally relate unambiguously to one unique person. This possibility is called linkability of (anonymous) personal information. We want to avoid this effect by all means, and impeding it is one of the major concerns of identity management systems in a pervasive environment (compare again [7] and [9]). For this reason we compare the pervasive environment to the example of a chaotic dynamic system with respect to the degree and significance of information disclosed over time.
Any information available can consequently result in a disclosure of certain private data which was not intended in the first place, thereby resulting in a privacy leak. The measures taken to prevent linkability can therefore never be exaggerated and every procedure involved in disclosing private data has to be evaluated from this viewpoint.

In this section we study weaknesses of the described trust negotiation methods that can lead to privacy leaks in the sense of the straightforward disclosure of private data, for example disclosing a sensitive credential, or due to linkability. Some of the weaknesses have already been discussed in literature [4] and some of them reflect our original work. The related leaks and threats pertain to the supplier as well as to the supplicant, especially straightforward disclosure. But while the supplier is often (but not necessarily) a publicly known entity, it is characteristic for the supplicant to place relatively more importance on maintaining anonymity, and thus linking is more of a threat to the supplicant.

Disclosing credentials could be a privacy risk. When the supplicant is requested to disclose certain credentials during the negotiation, it may react to the request in various ways. If the credential is not valuable enough to the supplicant in the context of the current negotiation, the supplicant may choose to willingly present the credential without much hassle. An example of such a negotiation situation would be the case where a supplicant is trying to buy a camera from an online store and is offered a discount if he is willing to present credentials that prove that he is a citizen of the European Union. If the user is not concerned with anyone finding out that he or she is indeed a citizen of the EU, disclosing the credential results in minimal privacy threat.
On the other hand, if a British Secret Service agent is asked to provide an MI5 membership credential in order to get a discount on a camera he is trying to buy, it is obviously a different matter. An MI5 membership credential is sensitive information that is not to be shown to just anyone and disclosing it could be a serious privacy risk, thus highlighting another category of linking private data.

Obviously a disclosure of credentials is a potential privacy leak. But the answer to the request for certain credentials can also potentially yield information. An example of such an information leak would be that of a supplier requesting a supplicant present an “MI5 Membership Credential”. In order for the supplicant to determine if the supplier is trusted enough, the supplicant asks the supplier to provide the “Ring of Secret Service trusted Membership” credential. When the supplier receives the additional request from the supplicant it can assume with a certain degree of probability that the supplicant possesses the credential that was requested in the first place. The degree of probability depends on the negotiation strategy that the supplicant chooses to pursue and on his ability to bluff.

Not disclosing credentials could in some cases also yield useful information for linking. The sole fact that the supplicant has attempted to access a supplier resource could limit the scope of possible supplicants. Credentials may indicate that the supplicant belongs to one of two mutually disclosing classes of supplicants. Inability to provide the requested credential, either due to disagreement or failing to possess one, could also enable the supplier to categorise the supplicant and thus help the linking of data in the future.

Disclosing access control policies could be a privacy risk. When a supplier is asked to grant access to the requested resource it can provide the feedback about requested credentials back to the supplicant in many different ways.
If the supplier has its access control policies on public display, it is fully acceptable for it to return the whole policy back to the supplicant. Afterwards the supplicant can navigate through many parallel options in order to find the combinations of credential disclosures that are optimal for him. While this is fully acceptable if the supplier is a governmental organisation that provides its services to citizens and has published access control policies, it is not the case when a supplier is a service providing sensitive resources. For example, if a supplier is a server of the British Secret Service which is providing sensitive top-secret data to its agents on the road, it will not publish its policies to the public, since the policies contain valuable data on the organisational hierarchy of the supplier, and revealing the policies would provide valuable information which could be potentially misused. Instead, the supplier will try to minimize the amount of information provided at each step of negotiation by requesting one credential after the other or maybe choosing not to provide information detailing which credentials should be disclosed to the user at all.

Exploiting negotiation to steal private data – trust negotiation piracy. With careful design of trust negotiation algorithms it can be possible to exploit the trust negotiation protocol to serve private information under the pretext of a legal purport. The purport is more likely to be abused by a supplier role in the context of a service provider with a range of services, promised large enough to relate to a wide scope of interesting categories about supplicants. Consider the following example. The supplier is a service offering bets in several categories, depending on the supplicant profile. The supplicant is provided a possibility to apply for the service as a pseudonymous user with its true identity hidden.
Systems for auditing in a pervasive platform architecture make non-repudiation of debts possible (compare [10] for example). Although the service might actually provide what it has claimed to provide (it has also been certified so), let us suppose that it also has the intention to aggregate the profile information of supplicants in order to (at least partially) determine their identity. The handshaking could possibly proceed as follows:

1. Supplicant: accesses the service web portal.
2. Supplier: “We offer several categories for bets: bets on the outcome of sport events, bets on the outcome of political events, bets on the results of science research … Select your interest …”
3. Supplicant: chooses politics.
4. Supplier: “Which event from the following: the outcome of upcoming elections, …, the outcome of the acceptance of last week’s formal proposal for amendment to act 26.8/2005, …”
5. Supplicant: chooses an event.
6. Supplier: demands a credential that supplicant’s age is above 18.
7. Supplicant: demands credential that supplier will not use this information for any other purpose than service provisioning.
8. Supplier: provides the credential.
9. Supplicant: provides the credential.
10. Supplier: “We only allow bets above 1.000,00 for this category.” Demands a credential on supplicant’s financial liability.
11. Supplicant: demands credential that supplier will not use this information for any other purpose than service provisioning. Supplicant: provides the credential.
12. Supplier: provides the credential.
13. Supplicant: provides the credential.
14. Supplier: demands a credential that supplicant is not employed in a state department service. The supplier imposes the restriction based on the fact that access to privileged information would help to win bets, and is not allowed.
15. Supplicant: withdraws.

If we analyze the above sequence we can figure out that the supplier could deliberately design categories to address classes of people and their interest.
When the supplicant has revealed his interest via selection in step 3, the supplier can then assign the supplicant to this category. Further suppose that the supplier designed events according to increasing political awareness, carefully enough that a selection can imply certain political skills and positions. Then selection under step 5 further scopes the category. After step 5 the true exchange of credentials in the sense of trust negotiation starts. The resource negotiated for here is a betting account on a respective event. After each credential is received, the supplier can determine a more focused scope of potential persons satisfying specific attributes: age, financial profile and associated implications … And finally, the supplier can also determine why a supplicant has withdrawn; possible causes could involve people with significant political positions. Moreover, the sequence could be designed so as to gradually lead the supplicant through the disclosure of credentials with less privacy threat, and then to present requests for credentials with higher threat, so that many credentials will have already been disclosed before the supplicant finally refuses to make further disclosures and withdraws.

Similar services already exist in today’s Internet world and there is no reason to think that such scenarios would not appear in a pervasive environment. The supplier could have sophisticated systems for reasoning in place, as this is not an unusual aspect of pervasive system capabilities. If we assume an appropriate degree of information processing and a large enough period of time, the supplier can deduce information about people concerning their bets, their financial status, and their interests, and can enable the linking of this information to real persons and then use this for blackmailing and other illegal activities. With this in mind, the above resolutions are not really unbelievable.
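The betting sequence analysed above and the C1/C2 exchange from Section 2, replayed as an added example (not code from the paper): a small audit that lists what the supplier can record about the supplicant after each message. The transcripts, labels and the `audit` function are constructed for illustration; the inference rules are the ones the text names (a selection reveals interest, a counter-request suggests possession, a withdrawal allows categorisation).

```python
from dataclasses import dataclass

# REQUEST and DISCLOSE are the two message types of the trust negotiation
# protocol. SELECT and WITHDRAW are added here to model the events of the
# betting example that fall outside the protocol (steps 3, 5 and 15).
SELECT, REQUEST, DISCLOSE, WITHDRAW = "select", "request", "disclose", "withdraw"


@dataclass(frozen=True)
class Msg:
    step: int
    sender: str   # "supplicant" or "supplier"
    kind: str
    item: str     # credential, resource or selection label (all hypothetical)


# Constructed transcript of the Section 2 exchange (resource R, credentials C1, C2).
SECTION2 = [
    Msg(1, "supplicant", REQUEST, "R"),
    Msg(2, "supplier", REQUEST, "C1"),
    Msg(3, "supplicant", REQUEST, "C2"),
    Msg(4, "supplier", DISCLOSE, "C2"),
    Msg(5, "supplicant", DISCLOSE, "C1"),
    Msg(6, "supplier", DISCLOSE, "R"),
]

# Constructed transcript of the betting example; step numbers follow the text.
BETTING = [
    Msg(3, "supplicant", SELECT, "interest:politics"),
    Msg(5, "supplicant", SELECT, "event:amendment-vote"),
    Msg(6, "supplier", REQUEST, "age>18"),
    Msg(7, "supplicant", REQUEST, "purpose-limitation"),
    Msg(8, "supplier", DISCLOSE, "purpose-limitation"),
    Msg(9, "supplicant", DISCLOSE, "age>18"),
    Msg(10, "supplier", REQUEST, "financial-liability"),
    Msg(11, "supplicant", REQUEST, "purpose-limitation"),
    Msg(12, "supplier", DISCLOSE, "purpose-limitation"),
    Msg(13, "supplicant", DISCLOSE, "financial-liability"),
    Msg(14, "supplier", REQUEST, "not-state-employee"),
    Msg(15, "supplicant", WITHDRAW, "not-state-employee"),
]


def audit(transcript, resource):
    """Return what the supplier can record about the supplicant.

    'certain' holds facts the supplicant stated or proved; 'probable' holds
    inferences the supplier can draw without any credential being shown.
    """
    pending = []              # supplier requests the supplicant has not answered
    certain, probable = [], []
    granted = False
    for m in transcript:
        if m.sender == "supplier":
            if m.kind == REQUEST:
                pending.append(m.item)
            elif m.kind == DISCLOSE and m.item == resource:
                granted = True
            continue
        if m.kind == SELECT:
            # Interest disclosed outside the protocol, never checked by policy.
            certain.append(m.item)
        elif m.kind == REQUEST and m.item != resource:
            # Counter-request while a credential is pending: the supplier can
            # assume, with some probability, that the supplicant holds it.
            for cred in pending:
                if "holds:" + cred not in probable:
                    probable.append("holds:" + cred)
        elif m.kind == DISCLOSE:
            fact = "holds:" + m.item
            certain.append(fact)
            if fact in probable:
                probable.remove(fact)
            if m.item in pending:
                pending.remove(m.item)
        elif m.kind == WITHDRAW:
            # A refusal still lets the supplier categorise the supplicant.
            probable.extend("lacks-or-refuses:" + cred for cred in pending)
            pending.clear()
    return {"granted": granted, "certain": certain, "probable": probable}


if __name__ == "__main__":
    for name, transcript, resource in (("section 2", SECTION2, "R"),
                                       ("betting", BETTING, "betting-account")):
        result = audit(transcript, resource)
        print(name, "granted:", result["granted"])
        print("  certain: ", result["certain"])
        print("  probable:", result["probable"])
```

In the betting run the supplier ends with four certain facts and one inference although access was never granted; truncating the Section 2 transcript after its third message shows the counter-request alone already yielding `holds:C1` as a probable fact.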
The first weakness of trust negotiation apparent from the above example is that disclosing interest in steps 3 and 5 is not included in trust negotiation. If we consider that in pervasive systems it will be practically impossible for a supplicant to perform or even only supervise privacy related procedures because of the high degree of information exchanged in very short time periods, trust negotiation and the remaining subsequent enforcement has to be done in a computer aided manner. The supplicant will rely on the privacy subsystem in order to have privacy adequately maintained. Disclosure of this kind of information as in steps 3 and 5 was done willingly, but supplicant software components were not given the chance to evaluate the consequences and make this subject to identity management. Thus this could represent a privacy threat and allow future privacy leaks. General terms about the attitude towards abstract notions of disclosing, for example a specific interest, need to be identified in the overall negotiation and provided for processing to enforcement systems. For example, this is necessary for identity management if it should be able to extract information on how big a threat of linking is with respect to the disclosed interest and what virtual (or partial) identity should be selected.

The second weakness is that at the end of the above sequence the supplicant didn’t get access to the resource, but has still revealed quite a large amount of personal information. Trust negotiation cannot happen in purely general terms, arguing about the meaning of resources and credentials in advance. By applying purely general terms of negotiation we could resolve collisions in the attitudes of supplier and supplicant before any resources or credentials are disclosed, and thus the supplier is left only with information about the supplicant's attitudes, while the credentials are preserved.

4. Extending trust negotiation to support privacy

In the text above we have shown the need for current trust negotiation to be extended to support privacy issues. Generally speaking, two different approaches could be undertaken to achieve this.

The first one is to introduce negotiation of general terms of privacy practices exercised on information both parties are about to disclose in the future and do this before trust negotiation. We have chosen to name this new kind of negotiation a privacy negotiation. Here we keep this separated from trust negotiation. To facilitate such a negotiation no resource needs to be explicitly disclosed in order to achieve a resulting agreement; instead we argue about the attitude towards the opposite side's practices with respect to manipulating private data. A way of formal description of resources is required, together with related semantics and a means of semantic processing so that reasoning on relevant statements can be performed. For a possible example of a suitable framework see [14]. Privacy policies need to be specified in a formal way suitable for computer processing. Much interesting research for this has been done with respect to an ontology approach; compare for example [16]. We will avoid presenting here detailed techniques to technically facilitate such a formal negotiation as the scope of this paper focuses mostly on specific problems of protocols and related threats. The outcome of a negotiation is a set of statements expressing the attitude of a supplier and supplicant to the matters exposed in the negotiation, whose meaning can be resolved against resources. This set is regarded as a privacy agreement, a formal document which is mutually signed. After this negotiation the parties would proceed and start a well-known trust negotiation.
The second approach extends current models of trust negotiation to support privacy negotiation requests and corresponding privacy negotiation agreements as responses, relying on the approach from the previous paragraph. After successful negotiation all privacy agreements from various levels of negotiation are merged into a final privacy agreement, while trust negotiation itself is still performed in parallel.

In a naive way the first approach could be implemented using existing solutions. For the privacy negotiation practice, P3P policies can be used [15]. The user is presented with the P3P privacy policy when trying to use the service. The only option for the user is to accept the privacy policy presented by the service and opt in to, or out of, certain issues. Beside the mentioned opting, not much negotiation takes place using P3P policies. When the user accepts the P3P terms of the privacy policy, a privacy agreement is reached. The next stage would be to negotiate for access to the requested resource using one of the negotiation systems available today (e.g. PeerTrust, TrustBuilder; see [12, 13]).

The problem with this approach is that in many cases trust cannot be evaluated solely on a general basis, but some credentials have to be disclosed in order to proceed. There are several reasons why pure privacy negotiation cannot efficiently bring the negotiation to an end: negotiating general terms would mean resolving a very large problem space of possible solutions to the negotiation, because a peer (supplier or supplicant) doesn’t have options clearly defined; a peer explicitly requests a credential in order to continue negotiation; etc. This leaves us with no other option than merging privacy negotiation and trust negotiation into a common framework.

5. Proposed trust protocol extended to support privacy

Based on the statements in the previous section we construct a protocol supporting integration of privacy measures into trust negotiation.
Four different types of assertions are part of the protocol:

1. request for credentials or resources
2. disclosure of credentials or resources
3. request to agree with certain privacy practices (proposals of privacy agreements)
4. acceptance of privacy practices proposals (accepted and signed privacy agreements)

The parties involved in a process of negotiation are a supplicant and a supplier. An example of negotiation that corresponds to Fig. 2 is described below. The supplicant is the party requesting access to a specified resource R and the supplier is the service providing this resource. In the first step of negotiation the supplicant sends a request to access R to the supplier. The supplier can either grant access to the supplicant or request additional credentials C1 to be revealed. If additional credentials are requested, the supplicant can either disclose the requested credential or reply to the supplier with another request.

Fig. 2: Schema of privacy extended trust negotiation

But, in contrast to an ordinary trust negotiation, it is now possible to follow data minimisation principles (for a definition see [8]): we don’t want to disclose the requested credential at this point as we’re not sure whether negotiation will succeed at all. If the negotiation were unsuccessful, we would end up with a series of credentials disclosed, but no real effect achieved (as described in Chapter 3). From the aspect of the data minimisation principle this is not allowed. The data minimisation principle requires the amount of private data disclosed for service provisioning to be as small as possible, disclosing only really necessary information. But in this case we have possibly already disclosed a significant amount of private information before negotiation failed, by revealing credentials about various attributes associated with the user’s private life.
Instead, we rather argue about privacy terms in general at this point, applying only privacy negotiation for as long as this is still possible from a logical viewpoint. The partial agreement that was reached in the sense of a privacy negotiation sequence will from now on be called a micro-agreement, to avoid confusion with a cumulative privacy negotiation agreement that aggregates all the micro-agreements which were reached and signed during the process of privacy negotiation. This cumulative privacy negotiation agreement is mutually signed as well.

6. Privacy agreement

The privacy negotiation agreement consists of many independent micro-agreements (MA). Each of the micro-agreements is mutually signed by both parties involved in the negotiation in order to limit potential repudiation of the agreement. Regardless of the result of negotiation, the micro-agreements are bound into privacy negotiation agreements after the negotiation is finished. If the negotiation outcome was successful, the privacy negotiation agreements are mutually signed by both parties. In case the negotiation was terminated before access was granted, the micro-agreements can still be bundled into a privacy negotiation agreement. This way potential misuse of information about sensitive attributes is prevented in at least a formal juridical way.

A privacy agreement can be viewed as a digital analogue of the paper-based contracts and agreements exchanged by parties every day, which consist of obligations that both parties involved in a contract or agreement need to fulfil. In real-world examples these obligations are usually payment on one hand and providing resources, products or services on the other. In the context of privacy agreements the obligations are private or sensitive information on one hand and privacy practices on the other.
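
The negotiation order of Section 5 and the agreement bundling of Section 6 can be compared with an ordinary trust negotiation in a short simulation. This is an added example, not the authors' protocol code; the policy format, the one-micro-agreement-per-credential granularity, the credential names and the use of HMAC as a stand-in for each party's signature are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC stands in for each party's digital signature;
# a deployment needs asymmetric signatures to actually limit repudiation.
KEYS = {"supplicant": b"demo-supplicant-key", "supplier": b"demo-supplier-key"}

# Constructed sample: what the supplier asks for, with the practice it proposes.
REQUESTS = [
    ("age_over_18", {"retention_days": 30, "third_party": False}),
    ("payment_card", {"retention_days": 90, "third_party": False}),
    ("financial_profile", {"retention_days": 3650, "third_party": True}),
]
# Constructed sample: the supplicant's limits per credential (hypothetical format).
LIMITS = {cred: {"max_retention_days": 365, "allow_third_party": False}
          for cred, _ in REQUESTS}


def sign(party, body):
    blob = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[party], blob, hashlib.sha256).hexdigest()


def both_sign(body):
    """Mutual signing: both parties sign the same canonical body."""
    return {"body": body, "sigs": {party: sign(party, body) for party in KEYS}}


def verify(signed):
    return all(hmac.compare_digest(sign(p, signed["body"]), signed["sigs"].get(p, ""))
               for p in KEYS)


def verify_agreement(agreement):
    """Check the cumulative agreement and every micro-agreement inside it."""
    return verify(agreement) and all(
        verify(m) for m in agreement["body"]["micro_agreements"])


def acceptable(practice, limit):
    """Supplicant-side check of a proposed practice against its own limits."""
    return (practice["retention_days"] <= limit["max_retention_days"]
            and (limit["allow_third_party"] or not practice["third_party"]))


def negotiate(resource, requests, limits, privacy_first):
    """Run one negotiation; the log uses the four assertion types of Section 5."""
    log = [("supplicant", "request", resource)]
    disclosed, micro, ok = [], [], True
    for cred, practice in requests:
        log.append(("supplier", "request", cred))
        if privacy_first:
            log.append(("supplier", "privacy_proposal", cred))
        if not acceptable(practice, limits[cred]):
            ok = False  # the supplicant withdraws at this request
            break
        if privacy_first:
            # Agree on the practice first; the credential itself stays undisclosed.
            micro.append(both_sign({"credential": cred, "practice": practice}))
            log.append(("supplicant", "privacy_accept", cred))
        else:
            # Ordinary trust negotiation: disclose as soon as the request is met.
            disclosed.append(cred)
            log.append(("supplicant", "disclose", cred))
    if ok and privacy_first:
        for cred, _ in requests:
            disclosed.append(cred)
            log.append(("supplicant", "disclose", cred))
    if ok:
        log.append(("supplier", "disclose", resource))
    agreement = None
    if privacy_first:
        # Micro-agreements are bundled whether or not access was granted.
        agreement = both_sign({"resource": resource,
                               "outcome": "granted" if ok else "terminated",
                               "micro_agreements": micro})
    return {"granted": ok, "disclosed": disclosed, "agreement": agreement, "log": log}


if __name__ == "__main__":
    for mode in (False, True):
        result = negotiate("betting_account", REQUESTS, LIMITS, privacy_first=mode)
        print("privacy_first =", mode, "| granted:", result["granted"],
              "| disclosed:", result["disclosed"])
```

With the constructed policies the third request is unacceptable, so the ordinary negotiation ends with two credentials disclosed and no access, while the privacy-first run ends with none disclosed and a signed agreement recording the two practices that were accepted.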
By the term privacy practices we refer to the way private information is handled, to which third parties it will be transferred and how it is inferred, aggregated or statistically manipulated. A privacy agreement is a starting point for different privacy enforcement systems to act upon. These systems can either be identity management components or components that are analogous to legal prosecution systems of the real world, such as auditing and logging components in DAIDALOS [9]. The agreements are taken as input information for systems determining whether the services or users comply with promised privacy practices. If one of the parties refuses to sign the privacy negotiation agreement when negotiation was not successful and resulted in termination, this can be treated as intent of privacy agreement misuse and can immediately be reported to privacy enforcement components of the system.

Fig. 3: Privacy Negotiation Agreement is an aggregation of micro-agreements

7. Conclusions

The privacy policy negotiation process involves gradual step-by-step disclosure of attribute values between both the supplier and the supplicant and is therefore a possible source of privacy leakage. Both supplier and supplicant need to negotiate firmly and conservatively in order to minimize this leakage. If a conservative strategy is used consistently, fewer and fewer negotiations will end in a positive resolution. In the current model there is no way for the user to determine the type of negotiation strategy to use with the given service – whether the user initially should have a conservative or liberal stance towards the service. In order to expand this, the current privacy negotiation models should be composed with existing trust modelling techniques using the trust and risk computation modelling techniques. Fusion of these trust management systems, privacy negotiation and identity management models should introduce a concept of an initial measure of trust between user and service.
Upon this trust the negotiation strategy could be chosen (either conservative – privacy paranoid, neutral, or liberal – give all information away like). This trust would be constantly updated through a loop-like feedback of trust reporting. The initial measure of user’s trust is based on the aggregation of previous experience of users with the service using different trust and risk computation techniques [11].

References

[1] D. Saha, A. Mukherjee. Pervasive Computing: A Paradigm for 21st century, IEEE Computer Society, March, 2003.
[2] M. Satyanarayanan. Pervasive computing: Vision and Challenges, IEEE Personal Communications, IEEE Computer Society, August, 2001.
[3] B. Bhargava, L. Lilien, A. Rosenthal, M. Winslett. The Pudding of Trust, IEEE Intelligent Systems, IEEE Computer Society, September / October, 2004.
[4] K. E. Seamons, M. Winslett, T. Yu, L. Yu, R. Jarvis. Protecting Privacy During On-line Trust Negotiation, Lecture Notes in Computer Science, Springer-Verlag GmbH, 2002, Volume 2482 / 2003, pp. 129 – 143.
[5] K. E. Seamons, M. Winslett, T. Yu. Limiting the Disclosure of Access Control Policies during Automated Trust Negotiation, Proc. symposium on network and distributed systems security, NDSS, 2001.
[6] W. Chen, L. Clarke, J. Kurose, D. Towsley. Optimizing Cost-sensitive Trust-negotiation Protocols, Technical Report 04-29, Dept. of Computer Science, UMass, Amherst, 2004.
[7] Prime Consortium. PRIME – Architecture version 0 - Deliverable D14.2.a, 2004.
[8] Prime Consortium. PRIME – Framework version 1 - Deliverable D14.1.a, 2005.
[9] DAIDALOS Consortium. DAIDALOS pervasive systems privacy and security framework and mechanisms - Deliverable D421, 2004.
[10] DAIDALOS Consortium. A4C Framework Design Specification – Deliverable D341, 2004.
[11] M. Richardson, R. Agrawal, P. Domingos. Trust Management for the Semantic Web, Proc. 2nd International Semantic Web Conf., LNCS 2870, Springer-Verlag, 2003, pp. 351-368.
[12] W. Nejdl, D. Olmedilla, M. Winslett. PeerTrust: Automated Trust Negotiation for Peers on the Semantic Web, Secure Data Management, pp. 118-132, 2004.
[13] M. Winslett, T. Yu, K.E. Seamons, A. Hess, J. Jacobson, R. Jarvis, B. Smith, L. Yu. Negotiating trust in the Web, Internet Computing, IEEE, Nov/Dec 2002, Vol. 6, pp. 30-37.
[14] OpenCyc, http://www.opencyc.org.
[15] Wenning, R. (Ed.). The Platform for Privacy Preferences 1.1 (P3P1.1) Specification, W3C Working Draft, July 2005.
[16] W. Nejdl, D. Olmedilla, M. Winslett, C.C. Zhang. Ontology-Based Policy Specification and Management, European Semantic Web Conference (ESWC 2005), May/Jun. 2005, Heraklion, Greece.

An Overview of Models applying Trust as a Component of Security Services in MANETs

Dagmara Spiewak and Thomas Engel
SECAN-Lab University of Luxembourg, 6, r. Richard Coudenhove-Kalergi, L-1359 Luxembourg
Dagmara.Spiewak@uni.lu, Thomas.Engel@uni.lu

Abstract: Mobile ad-hoc networks (MANETs) are systems of wireless and mobile nodes that interconnect in an arbitrary way. Because of the dynamic, self-organized network topologies and the fundamentally missing infrastructure that would be required to achieve correct and secure communications and to ensure proper behavior, security in MANETs is assumed to be trickier than in conventional and hierarchical network systems. Unfortunately, traditional and approved security mechanisms such as Public Key Infrastructures (PKI) with central certification authorities (CA) or other trusted third parties (TTP) are not applicable in such almost anarchistic network structures. Thus, the establishment of Trust as a component of security services in networks or as an essential foundation for succeeding security procedures is virtually ubiquitous and could lead to a milestone regarding security in mobile ad-hoc networks.
In this paper, we present an overview of several trust evaluation, trust evidence and trust evidence distribution approaches with regard to their applicability to mobile ad-hoc networks. In addition to our description of already existing trust models, such as Pretty Good Privacy (PGP) or the Distributed Public Key Trust Model, we discuss a new Trust Evidence Distribution Model founded on an Ant-Based Algorithm (ABED).

Keywords: Trust, MANET, Security, Attacks

1. Introduction

Security-sensitive data and applications transmitted within mobile ad-hoc networks require a high degree of security. Because of the absence of fixed base stations and infrastructure services like routing, naming and certification authorities, mobile ad-hoc networks differ highly from traditional hierarchical and wireless IP networks. In MANETs nodes form and leave the network dynamically, sometimes even without leaving a trace, and the network topology may change rapidly. Consequently, it is very important to provide security services such as authentication, confidentiality, access control, non-repudiation, availability and integrity. Because certification authorities (CA) as trusted third parties (TTP) are not applicable in mobile ad-hoc networks, the notion of Trust becomes more and more important. Although Trust is well known in everybody’s life, the formal definition poses several challenges. In [13] Pradip Lamsal presents a wide expertise on the description of trust in networks and its relationship towards Security. Nowadays the concept of Trust mainly appears in combination with the Internet, especially when considering online banking or online shopping using, for example, the PayPal Payment System, which can be utilized for securely transferring money over the Internet.
In [14] we find a direct comparison between trust systems applied in the Internet and the requirements on trust systems in spontaneously emerging mobile ad-hoc networks, where the trust establishment has to be performed without the presence of a trust infrastructure. Due to the dynamic character and quick topology changes, trust establishment in MANETs should support, among others, a short, fast, online, flexible, uncertain and incomplete trust evidence model and should be independent of pre-established trust infrastructures. In this context Pirzada and McDonald [16] emphasize the interdependency of trust and security: security is highly dependent on trusted key exchange, and trusted key exchange, on the other side, can only proceed with requisite security services.

Ad-hoc networks rest on trust relationships towards the neighbors that evolve and elapse on the fly and typically have only short durability. Misleadingly assuming such an environment to be cooperative by default would ignore the high vulnerability to attacks on these trust relationships, because selfish, malicious, or faulty nodes can pose a threat to availability in mobile ad-hoc networks or even exploit these trust relationships in order to reach desired goals. To overcome these difficulties, trust in mobile ad-hoc networks has been established by introducing several conditions, such as the presence of a central authority. Unfortunately, these solutions are mainly against the real nature of spontaneous ad-hoc networks. Trust Management is defined by Audun Josang, Claudia Keser and Theo Dimitrakos in [1] as “The activity of creating systems and methods that allow relying parties to make assessments and decisions regarding the dependability of potential transaction involving risk, and that also allow players and system owners to increase and correctly represent the reliability of themselves and their systems”.
This paper presents an overview of different methods on how to establish trust, to evaluate trust and to distribute trust evidence in mobile ad-hoc networks. In Section 2 we present the possible security attacks in MANETs, before Section 3 gives a summary of already existing Trust Models. Section 4 discusses the idea of an ant-based algorithm for trust evidence distribution in mobile ad-hoc networks. Finally, Section 5 concludes the paper.

2. Attack Analysis for MANETs

Two different kinds of security attacks can be launched against mobile ad-hoc networks: passive and active attacks. The attacker rests unnoticed in the background while performing a passive attack. He does not disturb the functions of the routing protocol, but he is able to eavesdrop on the routing traffic in order to extract worthwhile information about the participating nodes. To run an active attack, the attacking node has to invest some of its energy. In active attacks, malicious nodes can disturb the correct functionality of the routing protocol by modifying routing information, by redirecting network traffic, or by launching Denial of Service (DoS) attacks through altering control message fields or forwarding routing messages with falsified values. Several of the attack categories associated with vulnerabilities of mobile ad-hoc systems are detailed below.

2.1 Passive Attacks

A malicious node in the mobile ad-hoc network executes a passive attack without actively initiating malicious actions in order to fool other network participants, by ignoring operations that are supposed to be accomplished by it. Hence, the malicious node attempts to learn important information from the system by monitoring and listening to the communication between parties within the MANET.
For instance, if the malicious node observes that the connection to a certain node is requested more frequently than to other nodes, the passive attacker would be able to recognize that this node is crucial for special functionalities within the MANET, such as routing. Switching its role from passive to active, the attacker at this moment has the ability to put that node out of operation, for example by performing a Denial of Service attack, in order to collapse parts of the MANET or even the complete MANET. Selfish nodes represent an additional example of passive attacks. They deviate from the usual routing protocol in order to prevent power loss, for instance by not forwarding incoming messages. In [5] the importance of trust is stressed in order to isolate these malicious nodes and to be able to establish reputation systems in all nodes that enable them to detect misbehavior of network participants.

2.2 Active Attacks

Active attacks mainly occur subsequent to passive attacks, for example after the malicious node has finished eavesdropping the required information on the network traffic. The variety of active attacks on mobile ad-hoc networks is similar to the attacks in traditional and hierarchical networks. But due to the lack of infrastructure and the vulnerability of wireless links, the currently admitted routing protocols for mobile ad-hoc networks also allow different types of attacks to be launched. Compared to passive attacks, malicious nodes running an active attack can interrupt the accurate execution of a routing protocol by modifying routing data, by fabricating false routing information or by impersonating other nodes. So basically, active security attacks against ad-hoc routing protocols can be classified into three groups [17]: integrity, masquerade and tampering attacks.

2.2.1 Integrity Attacks in MANETs

Attacks using modifications are aimed especially against the integrity of routing information.
By launching this type of attack the malicious entity can drop messages, redirect traffic to a different destination, or compute longer routes to the destination in order to increase the communication delays. For example, by sending fake routing packets to other nodes, all traffic can be redirected to the attacker or another compromised node. An example of a modification attack is the set-up of a Blackhole [23]. First of all, the malicious node analyzes the routing protocol by the use of a passive attack, like eavesdropping information on the network traffic. Subsequently, this node lies and announces itself, during the route discovery phase of a routing protocol, as knowing an accurate path to the requested target node, in order to be able to intercept packets. Finally, all packets are transferred to the attacker’s node and he discards all of them. Consequently, the malicious node controlled by the attacker represents the Blackhole in the MANET, where all packets will be swallowed.

As an extension of the Blackhole attack, the active attacker might generate a Greyhole [24]. In this case, the malicious grey node has the ability to switch its course of action between forwarding routing packets and discarding others. The decisions on its behavior depend on the intention of the attack. For example, for the purpose of isolating particular nodes in the MANET, the malicious grey node drops packets which are headed towards those destinations. Packets meant for other nodes remain unmodified and are forwarded to their destination accordingly.

Even trickier is the generation of a tunnel in the network between two or more cooperating malicious nodes, compromised by the attacker, that are linked through a private network connection within the MANET. This attack is known as Wormhole [25]. It allows the attacker to short-cut the normal flow of routing messages by the construction of a fictitious vertex cut in the network that is controlled by the two cooperating malicious nodes.
The attacker records packets or parts of packets at one selected location in the MANET. After tunneling them to another point in the MANET, the attacker replays the packets into the network. Ad-hoc network routing protocols are especially vulnerable to Wormhole attacks. For instance, launching this attack against a routing protocol allows the attacker to tunnel each ROUTE REQUEST packet, which is transmitted during the route discovery phase, straight to the target destination node. Consequently, any routes other than through the Wormhole are prevented from being discovered. By this technique the attacker has the capability to create the appearance of knowing the shortest path to a desired destination node. This grants the attacker an exceptionally high probability of being selected by the routing protocol to forward packets. Once selected, the attacker is able to subsequently launch a Blackhole or Greyhole attack by discarding selected packets.

Furthermore, Wormhole attacks enable the attacker to influence the neighbor discovery functionality of several routing protocols. For example, assume node A wishes to communicate with its neighbors and tries to knock at their doors by sending a HELLO broadcast packet. At the same time the attacker uses the Wormhole to tunnel this packet directly to node B. On the other side he tunnels all HELLO packets sent by B directly to node A. Finally, A and B believe that they are neighbors, which would cause the routing protocol to fail to discover routes when they are not really neighbors. Additional advantages of the Wormhole for the attacker are the possibility to discard selected data packets or to maintain a Denial of Service attack, because no other route to the destination can be determined as long as the attacker controls the Wormhole.

Yih-Chun Hu, Adrian Perrig and David B. Johnson introduce in [25] a mechanism called “Packet Leashes” for effectively detecting and defending against Wormhole attacks by limiting the transmission distance of a link. The authors present the TIK protocol, which implements temporal leashes using hash trees. Both Blackhole and Wormhole attacks belong to the group of Byzantine Attacks in Ad Hoc Networks and are discussed in [3]. In this contribution the authors extend the scheme of Wormhole to the concept of Byzantine Wormhole attacks. The difference is that in traditional Wormhole attacks the attacker can fool two honest nodes into believing that there exists a direct link between them. But in the Byzantine case the Wormhole link exists between the compromised nodes and not between the honest nodes, which means that the end nodes cannot be trusted to follow the protocol accordingly. Therefore, the previously mentioned “Packet Leashes” [25] are effective against traditional Wormhole attacks but they cannot be used to discover and to prevent the extended Byzantine Wormhole attacks. Figure 1 shows the classification of these attacks in MANETs.

Fig. 1: Classification of Attacks in MANETs

2.2.2 Masquerade Attacks in MANETs

By masquerading as another node, malicious nodes can run many attacks in a network. These types of attack are often known as Spoofing. The attacker modifies either the MAC or the IP address in outgoing packets in order to adopt another identity in the network and appear as a good-natured node. By this technique he is then able to operate as a trustworthy node and can, for example, advertise incorrect routing information to other participants of the network. Creation of loops in the routing computation is one famous example of this exploit and results in unreachable nodes or a partitioned network. Another dangerous attack in MANETs is known as the Sybil Attack [26].
Here malicious nodes may not only impersonate one node but can even represent multiple identities by maintaining false identities. This attack particularly weakens systems and protocols that employ redundancy. Redundancy is deployed to resist security threats from faulty or malicious network participants and is often used to ensure that transmitted packets are forwarded from node A to node B accordingly. By launching a Sybil Attack the attacker can pretend that the allegedly different paths are formed by disjoint nodes, although in reality these paths share at least one node, which is the attacker’s. MANETs that apply a Recommendations-Based Trust Model are especially vulnerable to Sybil attacks. Here the malicious node, which represents multiple identities, can generate fake recommendations about the trustworthiness of a particular node in order to attract more network traffic to it. This offers the attacker an ideal starting point for subsequent attacks, for example the Byzantine Wormhole attack. Furthermore, forging of multiple identities for malicious intent leads to a set of faulty nodes in the network represented through a larger set of identities. Another purpose of such an attack is to compromise a disproportionate share of the system in order to overthrow any assumption of designed reliability based on a limited proportion of faulty nodes.

2.2.3 Tampering Attacks in MANETs

This group of attacks, often called Fabrication Attacks, is based on the generation of falsified routing messages. Because these routing packets are received as valid, fabrication attacks are very difficult to identify and trace. An example of such an attack is the Rushing Attack introduced in [19], which acts as an effective Denial of Service attack against all currently proposed on-demand ad-hoc network routing protocols, including those designed to be secure.
Here an attacker rapidly spreads routing messages all through the network, disabling authorized routing messages, with the consequence that other nodes delete them as multiple copies. Obviously, computed routes to a destination can also be canceled by constructing routing error messages asserting that the neighbor cannot be reached. So, since flooding is the famous mechanism used by on-demand routing protocols to establish paths, disturbing flooding is an effective attack against these kinds of protocols.

Consider the routing strategy of an on-demand ad-hoc network protocol, where node A wishes to obtain a route to a destination node B. Node A floods the MANET with ROUTE REQUEST packets. In order to limit the network traffic, each intermediate node C forwards only one ROUTE REQUEST packet from any Route Discovery phase, or even only the ROUTE REQUEST packet that arrives at C first. If the attacker launches falsified ROUTE DISCOVERY sessions for non-existing destination nodes and if the attacker’s ROUTE REQUEST packet reaches the intermediate node C prior to the ROUTE REQUEST packet from node A, then the legitimate REQUEST will be discarded by C and the attacker’s REQUEST will be forwarded accordingly. With this technique the attacker is able to isolate certain nodes in the MANET or can even partition the network. Otherwise, if the attacker’s rushed ROUTE REQUEST packets are the first to reach every neighbor of the target node B, then any route discovered by this ROUTE DISCOVERY process will include a hop through the attacker. Hence, node A will be unable to discover any trusted route, without the attacker’s influence, to the target node B. In order to speed up the broadcast of falsified ROUTE REQUEST packets the attacker can combine the Rushing attack with the Byzantine Wormhole attack to create a tunnel for his ROUTE REQUEST packets.
Actually, the fact that only the first ROUTE REQUEST packet is forwarded by an intermediate node C is not necessary for the attacker to be able to launch this kind of attack. The Rushing Attack can be extended to compromise the functionality of any protocol that forwards any particular ROUTE REQUEST packet for each ROUTE DISCOVERY process.

3. Existing Trust Models

The establishment of Trust as a component of security services in networks or as a foundation for succeeding security tasks resounds throughout the land. In our opinion, many solutions misleadingly introduce Trust as a matter of course while simultaneously using it as the basis for further security issues, such as the goals of confidentiality, integrity, authentication or non-repudiation, without even constructing a conclusive trust metric. In this section we present already existing trust models, with the aim of exposing their differences, before we start to examine new research results in the following Section 4. As clarified in [18], “trust is interpreted as a relation among entities that participate in various protocols”. The trustworthiness of a certain entity depends on its former behavior within the protocol.

3.1 PGP Trust Model

Pretty Good Privacy, or PGP, is an important milestone in the history of cryptography, because for the first time it made cryptography available to a wide community. PGP was principally created for encrypting or signing e-mail messages and offers a hybrid cryptosystem. In a public-key cryptosystem it’s not necessary to protect public-keys from disclosure. Actually, public-keys ought to be widely accessible by all network participants for encryption. But it’s very important to protect public-keys from tampering, to make sure that a public-key really belongs to the person to whom it appears to belong.
Pretty Good Privacy (PGP) [21] supports the idea that all users operate as autonomous certification authorities, which gives them the authorization to sign and verify keys of other entities. The absence of a central trusted third party (TTP) was the innovation in this model. The introduction of the decentralized Web of Trust allows each entity to sign other keys in order to build a set of virtual interconnections of trust. For example, A knows that B’s public-key certificate is authentic and signs it with its private-key. Subsequently, C wants to communicate with B privately and B forwards its signed certificate to C. C trusts A and finds A among B’s certificate signers. Therefore, C can be sure that B’s public-key is authentic. However, had C not trusted any of B’s certificate signers, including A, C would be skeptical about the authenticity of B’s public-key and B would have to find another network participant whom C trusts to sign its public-key certificate. Generally, PGP uses the terminology that if A signs B’s public-key then A becomes an introducer of B’s key. As this process goes on, it establishes a Web of Trust.

Public-key certificates are essential to PGP and are indispensable to bind the public-key to a network member. Each certificate contains the key owner’s user ID, the public-key itself, a unique key ID and the time of creation. Everything may be signed by any number of network participants. There are two areas where Trust is currently introduced into the PGP Model. First, PGP combines three levels of confidence, from “undefined” to “marginal” and to “complete” trust, for the trustworthiness of public-key certificates. This value defines whether a PGP public-key certificate is reliable or not in the binding between the ID and the public-key itself. Secondly, four levels of trustworthiness are assigned to a public-key, ranging from “don’t know”, “untrustworthy” and “marginal” to “full” trust.
This value corresponds to how much C thinks B, as the owner of the public-key, can be trusted to be the signer or introducer of another trustworthy public-key certificate. PGP requires one “completely” trusted signature or two “marginal” trusted signatures to establish a key as valid.

However, why is PGP not suitable for mobile ad-hoc networks, even though it seems obvious that this Trust Model might be applied to the idea of decentralized systems without the existence of a centralized certification authority? Although the establishment of a central certification authority in the PGP model is not necessary, because public-keys are established and signed by network participants themselves, the distribution of public-keys is based on continuously accessible public-key directories that reside on centrally managed servers. For this reason, PGP is not well applicable for mobile ad-hoc networks, where nodes interconnect in an arbitrary way. Additionally, in MANETs nodes join and leave the network dynamically, and therefore it is not possible to determine nodes that act as always-available public-key certificate servers. For this reason PGP is suitable for wired networks, where one or more central key servers can maintain all keys in a secure database. But the dynamics of wireless links in mobile ad-hoc networks and their spontaneous topology make PGP not applicable in MANETs.

3.1.1 Applying an adjusted PGP Model in MANETs

Although PGP public-keys are issued by the participants of the network themselves, the distribution of public-keys is based on uninterrupted and accessible public-key directories that reside on centrally managed servers. In [9] Jean-Pierre Hubaux, Levente Buttyan and Srdjan Capkun extend the design of PGP by establishing a public-key distribution system that better fits the self-organized nature of mobile ad-hoc networks.
Similar to PGP, public-key certificates are issued, signed and verified by nodes in the MANET themselves based on their individual acquaintances. But, in contrast to PGP, no continuously accessible public-key directories for the distribution of public-key certificates are necessary. As a substitute, public-key certificates are stored and distributed by the nodes. The main idea in [9] is that each node maintains a public-key certificate storage area, called the local certificate repository, that contains a subset of the public-keys of other entities in the MANET.

The relationships between nodes are represented as a directed graph, called the Trust Graph, that contains all nodes in the network. The vertices characterize the nodes or public-keys and the edges represent the public-key certificates issued by other nodes. For instance, there is a directed edge from vertex A to vertex B if node A issued a public-key certificate to node B. The directed path from vertex A to vertex B corresponds to a public-key certificate chain from node A to node B. Thus, the existence of a public-key certificate chain from node A to node B means that vertex B is reachable from vertex A in the directed graph.

The local certificate repository of every node in the MANET consists of two parts: one part to maintain all public-key certificates issued by the node itself, and a second part to store several selected public-key certificates issued by other nodes in the MANET. This means that each node A stores the outgoing edges in conjunction with the corresponding vertices from vertex A, as well as an additional set of selected edges in conjunction with the corresponding vertices of the Trust Graph. The set of selected edges and vertices of node A, which is also the local certificate repository, is called the Subgraph that belongs to node A.
In the event that node A wants to verify the public-key of node B, A and B merge their local certificate repositories and A tries to discover a suitable public-key certificate chain from node A to node B in the merged public-key certificate storage area. In view of the graph model, A and B merge both Subgraphs and in the following A tries to find a path from vertex A to vertex B in the merged Subgraph. A and B use the same Subgraph Selection Algorithm. After node A has verified B’s public-key as valid A can start using B’s public-key for example to prove his digital signature. An important element of this model is the Subgraph Selection Algorithm because it influences the performance of the system. One characteristic of the Subgraph Selection Algorithm is the size of the Subgraphs that it selects. Obviously, the performance of Subgraph Selection Algorithm and consequently the performance of the system can be increased by selecting larger Subgraphs, but then nodes need more memory to store their Subgraphs, which may lead to scalability problems. This shows that the small amount of memory storage of a node and the performance of the Subgraph Selection Algorithm are opposite requirements in this model. The authors introduce the Shortcut Hunter Algorithm as Subgraph Selection Algorithm. It assumes that there are a dense number of nodes in a small area in order to provide good performance. Shortcuts are found between nodes to keep the Subgraphs small in order to reduce the storage space on each node. They are stored into the local certificate repository based on the number of the shortcut certificates connected to the nodes. A shortcut certificate is a certificate that, when removed from the graph makes the shortest path between two nodes A and B previously connected by this certificate strictly larger than two. The algorithm selects a Subgraph by computing an out-bound and an in-bound path from node A to node B. Both path selection techniques are similar. 
However, the out-bound path algorithm selects an outgoing edge in each round, whereas the in-bound path algorithm selects an incoming edge in each round. In conclusion, a public-key certificate chain from node A to node B is found.

So far, this solution assumes that each user is honest and does not issue falsified public-key certificates. In order to compensate for dishonest users, an authentication metric is introduced into the model. In this sense, an authentication metric is a function with two nodes A and B and the Trust Graph as input. This function returns a numeric value that represents the assurance with which A can obtain the authentic public-key value of B using the information in the Trust Graph.

The big advantage of this solution is the self-organized distribution of public-key certificates in the MANET without the requirement of continuously accessible public-key directories. However, the authors emphasize that before being able to verify a public-key, each node must first build its local certificate repository, which is a computationally complex operation. Although this initialization phase is performed very rarely, it should be noted that local certificate repositories become outdated if a large number of public-key certificates are revoked. Consequently, the certificate chains might no longer be valid. Hence, due to the limited memory and computational power of communicating devices in MANETs, which mainly consist of Personal Digital Assistants (PDAs) or mobile phones, and the extensive computational and memory requirements of this self-organized model, this model is considered as confining for mobile ad-hoc networks.
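The repository merge, chain search and authentication metric described above can be made concrete. The following is an added example, not code from [9]: it models each local certificate repository as a set of (issuer, subject) edges, searches the merged Subgraph for a certificate chain, and uses the number of node-disjoint chains as one possible authentication metric. The node names and repository contents are constructed.

```python
from collections import deque

# Constructed sample repositories: an edge (issuer, subject) means
# "issuer signed a public-key certificate for subject".
REPO_A = {("A", "C"), ("A", "D"), ("C", "E"), ("D", "E")}
REPO_B = {("E", "B"), ("C", "F"), ("F", "B")}


def merge(*repos):
    """Merge local certificate repositories into one adjacency map."""
    graph = {}
    for repo in repos:
        for issuer, subject in repo:
            graph.setdefault(issuer, set()).add(subject)
            graph.setdefault(subject, set())
    return graph


def find_chain(graph, src, dst):
    """Breadth-first search for a shortest certificate chain src -> dst."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            chain = []
            while node is not None:
                chain.append(node)
                node = parent[node]
            return chain[::-1]
        for nxt in sorted(graph.get(node, ())):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def disjoint_chains(graph, src, dst):
    """Count chains src -> dst that share no intermediate node.

    Unit-capacity max-flow: every intermediate node v is split into
    (v, 'in') -> (v, 'out') with capacity 1, so it can lie on one chain only.
    """
    if src not in graph or dst not in graph or src == dst:
        return 0
    cap = {}

    def add_edge(u, v, c):
        cap.setdefault(u, {})[v] = cap.get(u, {}).get(v, 0) + c
        cap.setdefault(v, {}).setdefault(u, 0)  # residual (reverse) edge

    for v in graph:
        add_edge((v, "in"), (v, "out"), len(graph) if v in (src, dst) else 1)
    for u, subjects in graph.items():
        for v in subjects:
            add_edge((u, "out"), (v, "in"), 1)

    source, sink = (src, "in"), (dst, "out")
    flow = 0
    while True:
        # Find one augmenting path in the residual graph.
        parent = {source: None}
        queue = deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return flow
        v = sink
        while parent[v] is not None:  # push one unit of flow along the path
            u = parent[v]
            cap[u][v] -= 1
            cap[v][u] += 1
            v = u
        flow += 1


if __name__ == "__main__":
    merged = merge(REPO_A, REPO_B)
    print("chain:", find_chain(merged, "A", "B"))
    print("node-disjoint chains:", disjoint_chains(merged, "A", "B"))
```

A alone cannot reach B; after merging, a chain exists and the metric counts two node-disjoint chains. If every chain passes through the same intermediate node, the metric drops to one even though several chains exist.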
Furthermore, while analyzing the Shortcut Hunter Algorithm for Subgraph Selection, it is striking that, when verifying a public-key certificate chain from node A to node B, node A must trust the issuer of the public-key certificate to have correctly checked that the public-key in the certificate indeed belongs to node B, because node A has to select an incoming edge during the in-bound path algorithm. When public-key certificates are issued by mobile nodes of an ad-hoc network, as in MANETs, this method is very vulnerable to malicious nodes that issue false certificates. In order to minimize this problem, the authors introduce an authentication metric to determine the degree of authenticity of a public-key by computing the output of a function f that uses two nodes A and B and the Trust Graph as input parameters. Function f could, for example, return the number of disjoint public-key certificate chains from A to B. Unfortunately, this assumption is vulnerable to Sybil Attacks, where a malicious node may generate multiple identities for itself to be used at the same time. By launching a Sybil Attack the attacker can pretend that different paths are formed by disjoint nodes, although in reality these paths share at least one node, which is the attacker’s. Finally, a disproportionate share of the system can become compromised although public-key certificates are utilized.

3.2 Decentralized Trust Model

As pioneers in 1996, Matt Blaze, Joan Feigenbaum and Jack Lacy supported the idea of "Decentralized Trust Management" [4] as an important component of security in network services. The Decentralized Trust Management model was the first system to take a comprehensive approach to trust problems independent of any particular application or service. The main achievement was the construction of a system called PolicyMaker in order to define policies and trust relationships.
Handling of queries is the fundamental function of PolicyMaker, with the aim of determining whether a specific public-key has the permission to access certain services according to local policy. Policies are composed in the special PolicyMaker Language. A central authority for evaluating credentials is not necessary. Although locally managed, each entity has the competence to make its own decisions.

An important point in this model targets the typical problem that, although the binding of the public-key to a network identity was successfully verified, usually the application itself has to subsequently ensure that this network participant is authorized to perform certain actions or is authorized to access security-sensitive data. The application, for instance, looks up the network identity’s name in a database and tries to verify that it matches the required service. The Decentralized Trust Model approach wants to establish a generic method that should facilitate the development of security features in a wide range of applications, unlike other systems such as PGP. So this approach extends the common identity-based certificates, which bind a public-key to a unique identity, by means of reliably mapping identities to the actions they are trusted to perform. In this sense, the specification of policies is merged with the binding of public-keys to trusted actions. Consequently, both questions, “Who is the holder of the public-key?” and “Can a certain public-key be trusted for a certain purpose?”, are clarified with the Decentralized Trust Model.

Basically, each network entity that receives a request must have a policy that serves as the ultimate source of authority in the local environment. Currently, the PolicyMaker approach binds public-keys to predicates rather than to the identities of the public-key holders. The PolicyMaker Language is provided in order to express conditions under which a network participant is trusted to sign a certain action.
Consequently, a network entity has the ability to distinguish between the signatures of different entities depending on the required services. By this means, for instance, network entity A may trust certificates signed by network entity B for small transactions but may insist upon certificates from the more reliable network entity C for large transactions.

Abstractly, the PolicyMaker service appears to applications like a database query engine and functions as a trust management engine. The input is composed of a set of local policy statements (credentials) as well as a string describing the desired trusted action. After evaluating the input, the PolicyMaker system finally returns either a yes/no answer or propositions that make the desired action feasible.

All security policies are defined in terms of predicates, called filters, that are combined with public-keys. The function of the filters is to determine whether the owner of the corresponding secret-key is accepted or rejected to perform the desired action. A specific action is considered acceptable if there is a chain from the policy to the key requesting the action in which all filters are traversed successfully. The design and interpretation of action descriptions, called action strings, is not part of, or even known to, PolicyMaker. Action strings are interpreted only by the calling application and might confer various capabilities such as signing messages or logging into a computer system. Action strings are accepted or rejected by the filters.

Signatures can be verified by any public-key cryptosystem, for instance PGP. The main reason for this is that the PolicyMaker system does not verify the signatures by itself and that the associated action strings are also application specific. Generally, an application calls PolicyMaker after composing the action string and determining the identity from which the desired action originated.
Finally, PolicyMaker decides whether the action string is permitted according to the local security policy. So the basic function of the PolicyMaker system is to process queries composed with the PolicyMaker Language of the form:

    key1, key2, …, keyn REQUEST Action String

A query is a request for information about the trust that can be placed in a certain public-key. The PolicyMaker system processes queries based on trust information that is included in assertions. Assertions assign authority on keys and are of the form:

    Source ASSERTS AuthorityStruct WHERE Filter

In this sense, each credential is a type of assertion, which binds a filter to a sequence of public-keys, called an authority structure. Source indicates the origin of the assertion and AuthorityStruct specifies the public-key(s) to whom the assertion applies. Hence, a Filter is the predicate that action strings must satisfy for the assertion to hold. For example, the following PolicyMaker credential

    pgp:"0x01234567abcdefa0a1b2c4d5e6a4f7" ASSERTS pgp:"0xb0034261abc7efa0a1b2c5d4e6a4a3" WHERE PREDICATE=regexp:"From A";

indicates that the source PGP key "0x01234567abcdefa0a1b2c4d5e6a4f7" asserts that A’s PGP key is "0xb0034261abc7efa0a1b2c5d4e6a4a3".

There are two types of assertions: certificates and policies. The major difference is that policies are unconditionally trusted locally, whereas certificates are signed messages binding a particular Authority Structure to a filter. The Source field in a policy assertion is the keyword “POLICY”, rather than the public-key of an entity granting authority.

While this approach provides a basis for expressing and evaluating trust, it does not consider the simultaneous problem of how to continuously control and manage trust over a longer period of time. These problems are discussed by Brent N. Chun and Andy Bavier in [6], where a layered architecture for mitigating the trust management problem in federated systems is proposed.
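The chain rule stated above (an action is acceptable if a chain leads from the policy to the requesting key and every filter on it accepts the action string) can be sketched in a few lines. This is an added, simplified model and not PolicyMaker itself: filters are plain regular expressions, each query carries a single key, signatures are assumed to have been verified by the caller, and all key names and action strings are constructed.

```python
import re
from collections import namedtuple

# source:    "POLICY" or the key granting authority
# authority: the key the assertion applies to
# filter:    regular expression the action string must satisfy
Assertion = namedtuple("Assertion", "source authority filter")

# Constructed assertions modelled on the example in the text: B is trusted
# for small transactions only, C for transactions of any size.
ASSERTIONS = [
    Assertion("POLICY", "key:B", r"^transfer amount=\d{1,3}$"),
    Assertion("POLICY", "key:C", r"^transfer amount=\d+$"),
    Assertion("key:B", "key:alice", r"^transfer "),
    Assertion("key:C", "key:bob", r"^transfer "),
]


def evaluate(assertions, requester, action):
    """Process the query '<requester> REQUEST <action>'.

    Returns the chain POLICY -> ... -> requester whose filters all accept
    the action string, or None when no such chain exists (request denied).
    """
    parent = {"POLICY": None}   # keys reached so far, with their predecessor
    frontier = ["POLICY"]
    while frontier:
        source = frontier.pop(0)
        for a in assertions:
            if a.source != source or a.authority in parent:
                continue
            if not re.search(a.filter, action):
                continue        # this filter rejects the action string
            parent[a.authority] = source
            if a.authority == requester:
                chain = [requester]
                while parent[chain[-1]] is not None:
                    chain.append(parent[chain[-1]])
                return chain[::-1]
            frontier.append(a.authority)
    return None


if __name__ == "__main__":
    for key, action in [
        ("key:alice", "transfer amount=250"),
        ("key:alice", "transfer amount=25000"),
        ("key:bob", "transfer amount=25000"),
    ]:
        print(key, "REQUEST", repr(action), "->", evaluate(ASSERTIONS, key, action))
```

The same key is accepted or rejected depending on the action string: the key certified only by B is permitted a small transfer but not a large one, because the policy filter on B rejects the large amount.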
The authors stress that the PolicyMaker approach presumes the existence of secure, authenticated channels, for example using a preexisting public-key infrastructure, which makes it inapplicable for trust management in MANETs.

3.3 Distributed Trust Model

The Distributed Trust Model in [2] applies a recommendation protocol to exchange, revoke and refresh recommendations about other network entities. Therefore each entity needs its own trust database to store different categories of trust values ranging from -1 (complete distrust) to 4 (complete trust). By executing this recommendation protocol, the network entity can determine the trust level of the target while requesting a certain service. The corresponding trust level for a single target is obtained by computing the average value of multiple recommendations. Although this model does not explicitly target ad-hoc networks, it could be used to find the selfish, malicious, or faulty entities in order to isolate them, so that misbehavior will result in isolation and thus cannot continue.

3.4 Distributed Public-Key Trust Model

The core of the Distributed Public-Key Trust Model, examined by Lidong Zhou and Zygmunt J. Haas [20], is the use of threshold cryptography in order to build a highly secure and available key management service. The difficulty of establishing a Certification Authority (CA) for key management in MANETs was mentioned in the introductory paragraph. Obviously, the CA, which is responsible for the security of the entire network, is a vulnerable single point of failure that must be continuously accessible by every node. Threshold cryptography involves sharing of a key by multiple entities, called shareholders, involved in authentication and encryption. In [20] the system, as a whole, has a public-/private-key pair and the private-key is distributed over n nodes. Consequently, a central Certification Authority is not necessary.
All nodes in the network know the public-key and trust any certificate signed using the corresponding private-key. Additionally, each node has a public-/private-key pair and can submit requests to get the public-key of another node or requests to change its own public-key. The ingenious idea is that (t+1) out of n shareholders have the ability to compute the private-key by combining their partial keys, but no fewer than (t+1). In order to obtain the private-key, (t+1) nodes must be compromised.

For the service of signing a certificate, each shareholder generates a partial signature for the certificate using its private-key share and submits the partial signature to one arbitrary shareholder, called the combiner. With (t+1) correct partial signatures the combiner is able to compute the signature for the certificate. In the case of one or more incorrect partial signatures generated by compromised nodes, it is not possible to establish a legal signature for the certificate without this being noticed. Fortunately, the combiner has the ability to verify the correctness of the signature by using the system public-key. However, if the verification fails, the combiner tries other sets of (t+1) partial signatures and continues this process until a verifiably correct signature from (t+1) truthful partial signatures can be established.

In order to tolerate mobile adversaries and to adapt to changes in the network, the Distributed Public-Key Trust Model employs a share refreshing method. Mobile adversaries have the capacity to temporarily compromise one or more shareholders and can then move to the next victim. By this technique an adversary may compromise all shareholders and gather more than t or even all private-key shares over an extended period of time. Finally, the adversary would be able to generate any valid certificate signed by the private-key.
Share refreshing allows shareholders to compute new private-key shares from their old ones in collaboration, but without disclosing the private-key. The new shares are independent of the old ones, and because of this the adversary cannot combine old with new shares in order to recover the private-key.

Although the model offers strong security, like authentication of communicating nodes, it has some factors that inhibit its deployment to mobile ad-hoc networks. The pre-establishment of a distributed central authority requires a huge computational complexity, and asymmetric cryptographic operations are known to consume precious node battery power. Additionally, the (t+1) parts of the private-key may not be reachable for a node requiring authentication and subsequent asymmetric cryptographic services. Furthermore, the establishment of the system’s public-/private-key pair as well as the generation and distribution of private-key shares to the shareholders is not examined and could initiate subsequent security problems. Finally, the distribution of signed certificates within the MANET is not sufficiently discussed and is questionable.

3.4.1 RSA-Based Threshold Cryptography in MANETs

Levent Ertaul and Nitu Chavan illustrate in [7] the potentialities and difficulties of RSA-based threshold cryptography in MANETs. The examined RSA threshold scheme involves key generation, encryption, share generation, share verification, and a share combining algorithm. It employs Shamir’s t-out-of-n scheme based on Lagrange interpolation. The central idea of this secret sharing scheme is the construction of a (t – 1)-degree polynomial over the field GF(q) in order to allow t out of n entities to construct the secret:

$$f(x) = a_0 + a_1 x + \dots + a_{t-1} x^{t-1}$$

The coefficient $a_0$ is the secret and all other coefficients are random elements in the field.
The field is known by all entities and each of the n shares is a pair $(x_i, y_i)$ fulfilling the following condition:

$$f(x_i) = y_i \quad \text{and} \quad x_i \neq 0$$

With t known shares, the polynomial is uniquely determined and the secret $a_0$ can be computed. The success of the scheme is based on the fact that, using t-1 shares, the secret can be any element of the field and is not determinable.

The RSA-Based Threshold Cryptography approach makes use of this secret sharing scheme in the following way. After node A has constructed its public-/private-key pair (e, d), the threshold is determined. If node A has n neighbors, then the private-key d is partitioned into n partial keys and the neighbors act as shareholders. The threshold t is randomly selected under certain conditions:

$$t \geq (n+1)/2, \quad t < n, \quad \text{where } n \geq 2$$

In the subsequent step Shamir’s secret sharing scheme is applied to calculate key shares and to combine partial messages. Depending on the type of threshold scheme, the secret, which is always the coefficient $a_0$ of the polynomial, is different. For threshold encryption, the coefficient $a_0$ would be e, while for threshold decryption it would be set to d.

Consider an RSA-Based Threshold Cryptography signature scheme between nodes A and B. At first, node A distributes the key shares together with the $x_i$-values among its n neighbors acting as shareholders. The $x_i$-values are selected by A and are public coordinates. The threshold t is not published to the shareholders, and A notifies only B about t and its public-key e. Consequently, each neighbor has the ability to calculate the partial key $f(x_i)$. Then, A sends the message M securely to all shareholders for partial signature generation. Shareholders apply their $f(x_i)$ to M and send the partial signatures $C_i$ along with the $x_i$-values to node B. After obtaining at least t partial signatures $C_i$, B sends t selected $C_i$ to A for recovery of C. B encrypts the $x_i$-values using A’s public-key e.
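Shamir's t-out-of-n scheme, on which this protocol relies, is shown here as an added example (not code from [7]): share generation from the polynomial f, recovery of $a_0$ by Lagrange interpolation, and a check that t-1 shares are consistent with every possible secret. The prime q, the choice $x_i = 1, \dots, n$ and the function names are assumptions of this example, and it covers only the secret sharing step, not the RSA partial signatures.

```python
import secrets

Q = 2**127 - 1  # a prime, so the integers mod Q form the field GF(Q)


def make_shares(secret, t, n, q=Q):
    """Split `secret` into n shares (x_i, y_i); any t of them recover it."""
    # Threshold conditions quoted in the text: t >= (n+1)/2, t < n, n >= 2.
    if not (n >= 2 and t < n and 2 * t >= n + 1):
        raise ValueError("need n >= 2 and (n+1)/2 <= t < n")
    if not 0 <= secret < q:
        raise ValueError("secret must be an element of GF(q)")
    # f(x) = a_0 + a_1 x + ... + a_{t-1} x^{t-1}, with a_0 = secret and the
    # remaining coefficients drawn at random from the field.
    coeffs = [secret] + [secrets.randbelow(q) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):          # public coordinates, x_i != 0
        y = 0
        for a in reversed(coeffs):     # Horner evaluation of f(x) mod q
            y = (y * x + a) % q
        shares.append((x, y))
    return shares


def interpolate(points, x, q=Q):
    """Evaluate at `x` the unique polynomial of degree < len(points) that
    passes through `points`, by Lagrange interpolation over GF(q)."""
    xs = [px % q for px, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("x-coordinates must be distinct")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % q
                den = den * (xi - xj) % q
        # pow(den, -1, q) is the modular inverse (Python 3.8+)
        total = (total + yi * num * pow(den, -1, q)) % q
    return total


def reconstruct(shares, q=Q):
    """Recover the secret a_0 = f(0) from t shares."""
    return interpolate(shares, 0, q)


def share_consistent_with(guess, known_shares, x, q=Q):
    """Given only t-1 shares, return the y-value a further share at `x`
    would need for the secret to equal `guess`. Such a value exists for
    every guess, which is why t-1 shares reveal nothing about a_0."""
    return interpolate([(0, guess)] + list(known_shares), x, q)


if __name__ == "__main__":
    shares = make_shares(123456789, t=3, n=5)
    print("recovered from 3 shares:", reconstruct(shares[1:4]))
    x3 = shares[2][0]
    for guess in (42, 123456789):
        y = share_consistent_with(guess, shares[:2], x3)
        print("guess", guess, "is consistent with a third share", (x3, y))
```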
Subsequently, A calculates the $x_i'$-values using Lagrange interpolation and sends them back to B. Finally, B combines the $x_i'$-values with the partial signatures in order to get the original C. With $C^e = M$, node B gets the message M for verification.

Due to the exponential computations, the RSA-Based Threshold Cryptography scheme requires lots of computational capacity, bandwidth, power and storage. Thus, the authors stress that this approach is unsuitable in resource-constrained MANETs. Another crucial vulnerability of this system is the fact that the neighbors acting as shareholders need not authenticate themselves to node A, from which they get the message M as well as the $x_i$-values. If the attacker compromises n-t or even more shareholders, he will be able to fake partial signatures in order to disturb the communication between A and B. Although RSA-Based Threshold Cryptography does not need a central party to generate shares, it does not consider the vulnerability of wireless links and does not account for mobility and the dynamically changing network topology in MANETs.

3.4.2 ECC-Based Threshold Cryptography in MANETs

As a result of previous achievements, Levent Ertaul and Nitu Chavan adapt their idea to ECC-based threshold cryptography in [8]. Due to the combination of threshold cryptography and Elliptic Curve Cryptography to securely transmit messages in n shares within mobile ad-hoc networks, the performance of ECC is more efficient in comparison to RSA-based threshold cryptography. Table 1 [15] demonstrates that key sizes can be selected to be much smaller for ECC than for RSA while achieving the same level of security and protection against known attacks.

Table 1. Key sizes for equivalent security levels (in bits)

Although threshold cryptography is a significant approach to building a key management service by distributing the key among a group of entities, the amount of communication for generating the keys, determining the threshold and generating the shares could be beyond the scope of available resources in mobile ad-hoc networks, such as computational power, without even considering the problem of finding a number of routes of disjoint nodes between the sender and receiver in order to choose a number of n shares. All in all, this approach is not well applicable for MANETs.

3.5 Subjective Logic Trust Model

Josang emphasizes in [12] that public-key certificates alone do not assure authentication in open networks including mobile ad-hoc networks, for example because of the missing reliable certification authority acting as a Trusted Third Party. His solution introduces an algebra for the characterization of trust relations between entities. A statement such as "the key is authentic" can only be either true or false, but nothing in between. However, because of the imperfect knowledge about reality it is impossible to know with certainty whether such statements are true or false, so that it is only feasible to have an opinion about it. This introduces the notion of belief and disbelief as well as uncertainty. Therefore, uncertainty can bridge the gap in the presence of belief and disbelief. The relationship between these three attributes can be mathematically formulated as follows:

$$b + d + u = 1, \qquad \{b, d, u\} \in [0, 1]^3$$

where b, d and u designate belief, disbelief and uncertainty. Triples ω = {b, d, u} that satisfy the above condition b + d + u = 1 are called opinions. Figure 1 demonstrates that the condition b + d + u = 1 defines a triangle. An opinion ω can be uniquely described as a point {b, d, u} in the triangle.

Fig 2. Opinion Triangle

The line between disbelief and belief corresponds to situations without uncertainty.
Generally, uncertainty is caused by missing evidence to support either belief or disbelief. Obviously, opinions are 2-dimensional measures for binary events and binary statements that either take place or not. Opinions are composed of a probability dimension and an uncertainty dimension and are accordingly determined by uncertain probabilities. By mapping the 2-dimensional measures to the 1-dimensional probability space, a probability expectation value is produced:

$$E(\{b, d, u\}) = b + u/2$$

Opinions of two different entities about the same subject, for example the binding of a key to an identity, may differ and are not automatically objective. Consequently, the notion of subjectivity is introduced in order to express these circumstances. The mathematical technique to characterize subjectivity is called Subjective Logic. It offers an algebra for determining trust chains by using various logical operators for combining opinions that are characterized by uncertain probabilities. By enhancing traditional Logic, which typically consists of three operators (AND for conjunction, OR for disjunction and NOT for negation), with non-traditional operators such as recommendation and consensus, the Subjective Logic approach is able to deal with opinions that are based on other entities’ recommendations as well as to produce a single opinion about a target statement in the presence of more than one recommendation. As a result, this scheme expands the idea of public-key certificates by introducing trust relations between entities to guarantee authentication. In the following scenario node A receives the public-key of an unknown node B.
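The operators named above can be written out directly. The following is an added example, not taken from [12] as quoted on this page: it uses the standard Subjective Logic definitions of conjunction, recommendation and consensus, which the page does not reproduce, together with the expectation E = b + u/2 given above. The introducers X and Y and all opinion values are constructed.

```python
from collections import namedtuple

_Opinion = namedtuple("Opinion", "b d u")


class Opinion(_Opinion):
    """An opinion (belief, disbelief, uncertainty) with b + d + u = 1."""

    def __new__(cls, b, d, u):
        if min(b, d, u) < 0 or abs(b + d + u - 1.0) > 1e-9:
            raise ValueError("need b, d, u >= 0 and b + d + u = 1")
        return super().__new__(cls, b, d, u)

    def expectation(self):
        """Probability expectation value E = b + u/2."""
        return self.b + self.u / 2


def conjunction(p, q):
    """AND: opinion that two independent statements are both true."""
    return Opinion(p.b * q.b,
                   p.d + q.d - p.d * q.d,
                   p.b * q.u + p.u * q.b + p.u * q.u)


def recommendation(trust_in_recommender, recommended):
    """A's opinion about a statement, derived from a recommender's opinion
    and discounted by A's trust in that recommender."""
    t, r = trust_in_recommender, recommended
    return Opinion(t.b * r.b, t.b * r.d, t.d + t.u + t.b * r.u)


def consensus(p, q):
    """Combine two independent opinions about the same statement."""
    k = p.u + q.u - p.u * q.u
    if k == 0:
        raise ValueError("consensus is undefined for two dogmatic opinions")
    return Opinion((p.b * q.u + q.b * p.u) / k,
                   (p.d * q.u + q.d * p.u) / k,
                   (p.u * q.u) / k)


def key_authenticity(paths):
    """Authenticity of a key reached over several certification paths.

    Each path is (A's opinion on the introducer's recommendation
    trustworthiness, A's opinion on the introducer's key authenticity,
    the introducer's first-hand opinion on the target key).
    """
    per_path = [recommendation(conjunction(rt, ka), target)
                for rt, ka, target in paths]
    combined = per_path[0]
    for opinion in per_path[1:]:
        combined = consensus(combined, opinion)
    return per_path, combined


# Constructed opinions: two introducers X and Y each certify B's key.
PATHS = [
    (Opinion(0.9, 0.0, 0.1), Opinion(0.9, 0.0, 0.1), Opinion(0.8, 0.1, 0.1)),
    (Opinion(0.6, 0.1, 0.3), Opinion(1.0, 0.0, 0.0), Opinion(0.9, 0.0, 0.1)),
]

if __name__ == "__main__":
    per_path, combined = key_authenticity(PATHS)
    for name, op in zip("XY", per_path):
        print("via", name, op, "E = %.4f" % op.expectation())
    print("consensus", combined, "E = %.4f" % combined.expectation())
```

The consensus opinion carries less uncertainty than either single path, which is the effect of having more than one independent certification path to the same key.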
After ensuring that node B is not included in A’s list of opinions about the key authenticity, which offers an opinion about the binding between keys and key owners, and consequently ensuring that B is not included in A’s list of opinions about the recommendation trustworthiness, which explains how much A trusts the key owners to actually recommend keys of other entities, A examines B’s public-key certificate. The certificate contains opinions about the key authenticity as well as opinions about the recommendation trustworthiness assigned by other nodes. Although there might be more than one recommended certification path to B’s key, node A has the capability to determine the authenticity of B’s key by computing the consensus between the authenticities obtained for each path.

An important assumption of the Subjective Logic Trust model is that only opinions based on first-hand evidence should be recommended to other nodes in order to guarantee the independence of opinions. Thus, opinions based on recommendations from other nodes (second-hand evidence) should never be passed to other nodes. By introducing uncertainty in trust it is possible to estimate the consequences of decisions based on trust and recommendations. However, trustworthy authentication of B’s public-key requires an unbroken chain of certificates and recommendations. This is a critical condition taking the characteristics of MANETs into account, including the vulnerability to breakage of wireless links and the dynamically changing topology. Finally, we can conclude that although the Subjective Logic Trust approach appears to need no Central Trusted Third Party, since authenticity of public-keys is based on recommendations, it is not well applicable to mobile ad-hoc networks.

4. Recent Trust Models in MANETs

In this section several state-of-the-art approaches to establish and evaluate Trust in mobile ad-hoc networks are presented. The first was carried out by Tao Jiang and John S. Baras at the University of Maryland [11] within the Institute for Systems Research and introduces the idea of utilizing an ant-based algorithm in order to compute Trust Evidence. George Theodorakopoulos and John S. Baras focus in the second approach on Trust Evaluation in [18].

4.1 Ant-based Trust Algorithm

The work of Tao Jiang and John S. Baras [11] presents a scheme for distributing Trust Certificates, called ABED (Ant-Based Evidence Distribution Algorithm), which is fully distributed and adaptive to the spontaneous and dynamic nature of mobile ad-hoc networks. Their approach is fundamentally based on the Swarm Intelligence Paradigm that is used for optimization problems, for instance the Traveling Salesman Problem (TSP) and routing [22]. The major idea of the paradigm is the term stigmergy, a method of communication in systems in which the individual parts communicate with one another by modifying the environment. A typical example of stigmergy is pheromone laying on the paths. Ants, for instance, interact with one another by laying down pheromones along their trails, and they follow those trails that have the highest pheromone concentration in order to find the optimal path toward their food.

The presented trust model consists mainly of two parts. The first, the so-called trust computation model, evaluates the trust level of each entity in the network based on previously retrieved behavioral data or trust evidence. The problem of trust evaluation is the subject of separate work and is not addressed in this approach. The second part of a trust model, which is fairly independent of the specific computation of trust, is responsible for the trust evidence distribution in order to distribute the calculated trust values to the participating entities. Evidence is presented by trust certificates that are signed by their issuers’ private-key and can contain different information depending on the trust model, for example the public-key or access rights.
Jiang and Baras emphasise the importance of trust evidence distribution because it provides the input for the first part of the trust model, the evaluation model. The main contribution of this work is the reactive ABED (Ant-Based Evidence Distribution) algorithm. The procedure starts when a certain certificate, which serves as trust evidence for the participating entity, is required: several ants are then sent out. Each node holds its own certificate table, and each entry in this table corresponds to one certificate. The metric is the probability of choosing a neighbor as the next communicating entity (next hop) instead of the count to destinations. Two kinds of forward ants can be mobilized to deliver the required certificate. So-called unicast ants are sent out to the neighbors that have the highest probability in the certificate table. Broadcast ants, on the other hand, are only sent out when there is no preference among the neighbors, for example when there is no entry in the certificate table for the required certificate. This can occur when either no path to the certificate has been ascertained or the information is outdated.

The density of pheromone decides whether the information is valid or outdated. Generally, pheromone is used to route the ants so that they discover the most favorable path to the required certificate. Furthermore, the decrease of the pheromone density allows the system to update information, which prevents the outdated information mentioned above and triggers the search for new paths. The decrease of pheromone is a function of elapsed time, which can be interpreted as a function of mobility: higher mobility means a faster decrease of the pheromone. A threshold value $\tau_0$ is determined in order to assure the freshness of the pheromone. Once a forward ant has found the required certificate, a backward ant is generated.
This ant retraces the path of the forward ant back to the source and hands over the requested certificate. By means of a special Reinforcement Rule, which is comparable to a learning rule and is the heart of ABED, backward ants are able to modify the certificate tables. Each node on the path of the backward ant stores the certificate, so that trust certificates are distributed and the certificate table entries of nodes are updated each time the backward ants visit the nodes. A simple Reinforcement Rule can be mathematically formulated as follows:

$$P_i(n) = \frac{P_i(n-1) + \Delta p}{1 + \Delta p}$$

$$P_j(n) = \frac{P_j(n-1) + \Delta p}{1 + \Delta p}, \quad j \in N_k,\ i \neq j$$

where $N_k$ is the neighbor set of node $k$, $i$ is the neighbor the backward ant came from, and

$$\Delta p = \frac{k}{f(c)}$$

where $k > 0$ is a constant and $f(c)$ is a non-decreasing cost function.

Parameter $c$ corresponds to the cost, which reveals the information of evidence and could for instance be a measure of hops from the current node to the node where the certificate is located. The authors stress the possibility of including a security metric in this model, for example by assigning a trust value to a path as the cost $c$, so that the higher this trust value is, the lower the cost is. The full Reinforcement Rule is more complex, for the purpose of exploring all information carried by the backward ant, and it contains the pheromone deposit $\tau_i$.

The most striking question in this approach is how flexible ants, particularly backward ants, are with respect to mobility and especially to link breaks, e.g. when two nodes move far apart. ABED introduces a special parameter $\eta_j$ representing the goodness of a link between the current node and its neighbor $j$, which is included in the enhanced Reinforcement Rule. In the case of a link break this parameter is set to a small value, and it only assigns a negative reinforcement to the certificate.
However, the procedure of finding a secure path from the source to the target node has to be repeated. In a quickly changing MANET this solution would lead to long delays. On the other hand, the pheromone, which is used by the ants to mark the crossed path, can be used to find a suitable and trustworthy path to the target node much more quickly.

The authors have simulated the ABED algorithm and have compared the results with those of the P2P Freenet scheme by taking the following three aspects into consideration: the number of hops that ants transit to carry the certificate back to the requestor, the delay elapsed from sending out the forward ant until receiving the first backward ant, and finally the Success Rate, measured as the percentage of requests for which the requestor successfully receives the certificate. The cost function f(c) of the Reinforcement Rule is the number of hops to the node storing the certificate. Both algorithms converge to the same value, but ABED shows faster convergence at the beginning, which is highly desirable for MANETs. Finally, the ABED algorithm outperforms the Freenet-based scheme in terms of Success Rate.

Nevertheless, the Ant-Based Evidence Distribution Algorithm assumes that trust certificates are signed by a well-known and authenticated signer and that the authentication process takes place before the setup of the network. This assumption does not fit the nature of mobile ad-hoc networks, where nodes may join or leave the network dynamically. Allowing new nodes to join the network would require continuous and secure access to the signer, so that the signer can authorize the nodes' public keys by signature.

The main weakness of the ABED approach is its vulnerability to Denial of Service attacks. A malicious node compromised by the attacker has the capacity to send a huge number of certificate requests for non-existing certificates simultaneously by sending broadcast ants to all its neighbors.
Each request will provoke the neighbor nodes to create broadcast ants, because they will not be able to find an entry in their certificate table matching the requested certificate. Consequently, the traffic load increases and may result in a network breakdown.

Furthermore, the attacker may launch a Wormhole attack. Consider the following scenario, based on the fact that the pheromone deposit, which is integrated in the Reinforcement Rule and is used to attract ants, can only be modified by backward ants. In ABED, backward ants are only generated once a forward ant has found the requested certificate, and they retrace the path of the forward ant back to the node that has requested the certificate. If the attacker's node behaves inconspicuously and generates unicast and broadcast ants in accordance with the algorithm, forward ants will find the path to the requested certificate and generate a backward ant passing the attacker's node. At the moment the backward ant reaches the attacker's node and wants to modify its certificate table, the attacker discards the backward ant and may obtain the certificate from the backward ant's packet. As a result, the requesting node will not be able to receive the certificate as trust evidence.

However, the ant-based evidence distribution algorithm offers an innovative approach to distributing trust values, previously defined by the trust model, within a network such as a mobile ad-hoc network.

4.2 Using Cooperative Games and Distributed Trust Computation in MANETs

In [10] Tao Jiang and John S. Baras demonstrate that dynamic cooperative games provide a natural framework for analyzing several problems in MANETs and concentrate on distributed trust computation in addition to the trust distribution explained in the section above.
Assuming that trust computation is distributed and restricted to only local interaction, a MANET is modeled as an undirected graph (V,E) whose edges represent connections over which trust information is exchanged. In this context, the two end-nodes of an edge do not have to be neighbors in geometrical distance, even though they have a trust relationship. The distributed trust computation model is based on elementary voting methods, and only nodes in a node's neighborhood have the right to vote. By this technique it is possible to mark a node as trustworthy or not. A secure path in this concept is a path consisting only of trusted nodes. Unfortunately, this approach is vulnerable to Sybil attacks, where the attacker can present multiple identities and then has the capacity to generate fake recommendations about the trustworthiness of a certain node in order to attract more traffic to this node.

4.3 Using Semirings to evaluate Trust in MANETs

In [18] George Theodorakopoulos and John Baras introduce a concept for establishing an indirect trust relationship without previous direct interactions within an ad-hoc network. By using the theory of semirings, the presented approach is also robust in the presence of attackers. The central idea is to view the trust inference problem as a generalized shortest path problem on a weighted graph G(V,E), also referred to as the trust graph. A weighted edge corresponds to the opinion, consisting of two values, the trust value and the confidence value, that an entity has about another entity in the graph (network). In this approach, a node can rely on others' past experiences and not just its own, which might be insufficient, to ascertain whether the target node is trustworthy. The second problem addressed in this work is finding a trusted path of nodes, so that traffic can be routed securely through them.
This scheme does not need any centralized infrastructure, and users need not have personal, direct experience with every other user in the network in order to compute an opinion about them.

5. Conclusions

Security-sensitive data and applications transmitted within mobile ad-hoc networks require a high degree of security. Trust as a concept of security services has the ability to achieve the required level of security with respect to mobility and the resource constraints of the participating devices. In this paper, we presented several trust models, such as PGP, as well as new approaches that take the dynamic and mobile nature of mobile ad-hoc networks into consideration. We believe that trust as a security concept is becoming more and more important in MANETs, because using trust recommendations and second-hand information, based on trusted relationships, can significantly speed up the discovery and consequent isolation of malicious nodes in mobile ad-hoc networks. In particular, the discussed Ant-based Adaptive Trust Evidence Distribution Model provides the necessary adaptivity to network changes and tolerance of faults in networks, and offers a dynamic method to obtain trust evidence in MANETs. We encourage and support the idea of ant-based trust algorithms also for the collection of trust evidence in mobile ad-hoc networks. Combining both trust evidence collection and trust evidence distribution will satisfy our ambition of designing an independent Trust Management system for mobile ad-hoc networks.

References

[1] A. Josang, C. Keser, and T. Dimitrakos, Can We Manage Trust?, In the Proceedings of the Third International Conference on Trust Management (iTrust), 2005.
[2] Alfarez Abdul-Rahman and Stephen Hailes, A distributed trust model, In Proceedings of the 1997 workshop on New security paradigms, 1997.
[3] Baruch Awerbuch, Reza Curtmola, David Holmer, Cristina Nita-Rotaru and Herbert Rubens, Mitigating Byzantine Attacks in Ad Hoc Wireless Networks, Technical Report Version 1, March 2004.
[4] Matt Blaze, Joan Feigenbaum and Jack Lacy, Decentralized Trust Management, In Proceedings IEEE Conference on Security and Privacy, Oakland, 96-17, May 1996.
[5] S. Buchegger and J. Le Boudec, Self-Policing Mobile Ad-Hoc Networks by Reputation, IEEE Communication Magazine, 2006.
[6] B. Chun and A. Bavier, Decentralized Trust Management and Accountability in Federated Systems, In Proceedings of the 37th Annual Hawaii International Conference on System Sciences (HICSS'04), Jan. 05-08, 2004, Big Island, Hawaii, 2005.
[7] Levent Ertaul and Nitu Chavan, Security of Ad Hoc Networks and Threshold Cryptography, 2005 International Conference on Wireless Networks, Communications, and Mobile Computing, Wirelesscom, 2005.
[8] Levent Ertaul and Weimin Lu, ECC Based Threshold Cryptography for Secure Data Forwarding and Security Key Exchange in MANET (I), NETWORKING 2005: 4th International IFIP-TC6 Networking Conference, Waterloo, Canada, 2005 Proceedings, May 2005.
[9] Jean-Pierre Hubaux, Levente Buttyan and Srdjan Capkun, The Quest for Security in Mobile Ad Hoc Networks, Proceeding of the ACM Symposium on Mobile Ad Hoc Networking and Computing (MobiHOC), 2001.
[10] Tao Jiang and John S. Baras, Cooperative Games, Phase Transition on Graphs and Distributed Trust in MANET, in the Proceedings of 43rd IEEE Conference on Decision and Control, 2004, Atlantis, Bahamas, 2004.
[11] Tao Jiang and John S. Baras, Ant-based Adaptive Trust Evidence Distribution in MANET, in the Proceedings of the 2nd International Workshop on Mobile Distributed Computing (MDC), March 2004.
[12] A. Josang, An Algebra for Assessing Trust in Certification Chains, In Proceedings of the Network and Distributed Systems Security (NDSS'99) Symposium, 1999.
[13] Pradip Lamsal, Understanding Trust and Security, Department of Computer Science, University of Helsinki, Finland, 2001.
[14] Laurent Eschenauer, Virgil D. Gligor and John S. Baras, On trust establishment in mobile ad-hoc networks, ACM Conference on Computer and Communications Security 2002: 41-47, 2002.
[15] Kristin Lauter, The Advantages of Elliptic Curve Cryptography for Wireless Security, IEEE Wireless Communications, February 2004.
[16] Asad Amir Pirzada and Chris McDonald, Establishing trust in pure ad-hoc networks, ACM International Conference Proceeding Series in Proceedings of the 27th conference on Australasian computer science, 2004.
[17] K. Sanzgiri, B. Dahill, B. Levine and E. Belding-Royer, A secure routing protocol for ad hoc networks, In International Conference on Network Protocols (ICNP), Paris, France, November 2002.
[18] George Theodorakopoulos and John S. Baras, Trust Evaluation in Ad-Hoc Networks, in the Proceedings of the 2004 ACM workshop on Wireless security (WiSE '04), 2004.
[19] Yih-Chun Hu, Adrian Perrig and David B. Johnson, Rushing Attacks and Defense in Wireless Ad Hoc Network, WiSE 2003, San Diego, California, USA, September 19, 2003.
[20] Lidong Zhou and Zygmunt J. Haas, Securing Ad Hoc Networks, IEEE Network, 1999.
[21] Philip R. Zimmermann, The Official PGP User's Guide, Department of Computer Science, University of Helsinki, Finland, MIT Press, 1995.
[22] Baruch Awerbuch, David Holmer and Herbert Rubens, Swarm Intelligence Routing Resilient to Byzantine Adversaries, 2004.
[23] Sanjay Ramaswamy, Huirong Fu, Manohar Sreekantaradhya, John Dixon and Kendall Nygard, Prevention of Cooperative Black Hole Attack in Wireless Ad Hoc Networks, in Proceedings of the International Conference on Wireless Networks, Las Vegas, June 2003.
[24] Yih-Chun Hu, Adrian Perrig, and David B. Johnson, Ariadne: A secure on-demand routing protocol for ad hoc networks.
In Proceedings of the 8th Annual ACM International Conference on Mobile Computing and Networking (MobiCom '02), September 2002.
[25] Yih-Chun Hu, Adrian Perrig, and David B. Johnson, Packet Leashes: A Defense against Wormhole Attacks in Wireless Ad Hoc Network, Rice University Department of Computer Science, Technical Report TR01-384, December 2001.
[26] John R. Douceur, The Sybil Attack, In Proceedings of the IPTP02, Cambridge, MA (USA), March 2002.

A Framework for Computing Trust in Mobile Ad Hoc Networks

Tirthankar Ghosh
Department of Statistics and Computer Networking, St. Cloud State University, College of Science and Engineering, St. Cloud, Minnesota, USA
tghosh@stcloudstate.edu

Niki Pissinou, Kia Makki, Ahmad Farhat
Telecommunications and Information Technology Institute, College of Engineering and Computing, Florida International University, Miami, Florida, USA

Abstract

In this paper we have proposed a framework for computing trust in ad hoc networks. Our proposed framework is unique and different from the other schemes in that it tries to analyze the behavioral pattern of the attacker and quantifies the malicious behavior in the computational model. The trust computation, distribution and maintenance are all incorporated in the network layer to avoid any unnecessary layering interoperability. We have carried out extensive simulation to show that the protocol is scalable as well as efficient with network size and mobility.

1. Introduction

Modeling and computing trust in ad hoc network applications is a challenging problem. It is very difficult to form a true and honest opinion about the trustworthiness of the nodes, as they can be engaged in malicious activities in different ways. This intricacy in trust computation, together with frequent topology changes among nodes, quite often causes the whole network to get compromised or disrupted.
Different malicious activities of the nodes can very well be misinterpreted as the regular erratic behavior of wireless networks in general and ad hoc networks in particular, thus making trust computation all the more difficult. In this paper we have proposed a framework for modeling and computing trust that takes into account different malicious behavior of the nodes. Our proposed model tries to explore the behavioral pattern of the attacker in different ways and quantifies those behaviors to form a computing framework.

Selfish behavior in ad hoc networks has been addressed by proposed schemes that use either a reputation-based incentive mechanism [13,28,32] or a price-based incentive mechanism [30]. In both mechanisms, nodes are given incentives to suppress their malicious intention in favor of the network. But nodes with malicious intent will always try to find ways to bypass these incentive mechanisms. In our work, instead of forcing the nodes to act in an unselfish way, we propose to develop a trust model by collaborative effort and use this model in the trusted routing solution proposed by us in our earlier work [19, 29].

2. Related work

Establishing security associations based on distributed trust among nodes in an ad hoc network is an important consideration while designing a secure routing solution. Although some work has been done lately to design trusted routing solutions in ad hoc networks, not much work has been done to develop a trust model to build up, distribute and manage trust levels among the ad hoc nodes. Most of the proposed schemes talk about the general requirement of trust establishment [22,23,24,34,40]. Some work has been done to propose models for building up trust [45,46], but they do not specify the detailed incorporation of different malicious behavior in those models. In [46] the authors proposed a trust establishment model based on the theory of semirings.
A trust distribution model has been proposed in [45] using distributed certificates based on ant systems. However, none of the models proposed so far have tried to analyze the behavioral pattern of the attacker and quantify those behaviors in the computational framework.

Modeling and computing trust for a distributed environment has been actively researched for quite a long time [25,26,33]. Most of these distributed trust models combine direct and recommended trust to come up with some sort of trust computation, although we do not encourage such a framework for our computational model. The reason for that will be discussed in later sections when we describe the model in detail.

The watchdog mechanism [31], based on promiscuous mode operation of the ad hoc nodes, has been the fundamental assumption in any trust computational model. In [15] the authors have proposed a trust evaluation-based secure routing solution. The trust evaluation is done based on several parameters stored in a trust matrix at each ad hoc node. However, the mechanism for collecting the required parameters was not discussed by the authors. Also, some of the parameters suggested by the authors are not realistic in a highly sensitive application. In [16] the authors have proposed a model for trust computation based on parameter collection by the nodes in promiscuous mode. However, the trust computation is based only on the success and failure of transmission of different packets and does not take into account different forms of malicious behavior.

In [18] the authors have proposed an authentication scheme based on Public Key Infrastructure and distributed trust relationships. The trust relationship is established by direct as well as recommended trust. Composite trust is computed by combining both direct and recommended trust relationships. Some work has also been done to establish trust based on distribution of certificates. In [21] the authors have proposed such a trust management scheme.
Trust revocation is done by carrying out a weighted analysis of the accusations received from different nodes. However, the proposed scheme lacks any specific framework for computing the indices.

Another model has been proposed based on subjective logic [17]. The concept of subjective logic was first proposed by Josang [42,43,44]. Subjective logic is "a logic which operates on subjective beliefs about the world, and uses the term opinion to denote the representation of a subjective belief" [42]. An opinion towards another entity x is represented by three states: belief [b(x)], disbelief [d(x)] and uncertainty [u(x)], with the following equality:

b(x) + d(x) + u(x) = 1

The concept of subjective logic has been extended to propose a trusted routing solution in [17]. Each node maintains its trust relationships with neighbors, which are updated depending on positive or negative impressions based upon successful or failed communication with neighboring nodes. The opinion of a node about another node is represented in a three-dimensional metric representing trust, distrust and uncertain opinions. However, this scheme fails to save the network from an internal attack, where a malicious node either refuses to forward the packets and duly authenticates itself to the source, or it cooperates with the source node and acts as a black hole.

Some mechanisms have been proposed to give incentives to the nodes for acting unselfishly. In [28] the authors have proposed a secure reputation-based incentive scheme (SORI) that prevents the nodes from behaving in a selfish way. The scheme, however, does not prevent a malicious node from selectively forwarding packets or from other malicious behavior.

3. Proposed model

3.1 Understanding different malicious behavior

Our motivation for developing the trust model is to form a true and honest impression about the trustworthiness of the nodes and to punish the nodes with the slightest malicious intention.
To do this we need to understand clearly the ways a node can engage itself in different malicious acts. Below we highlight the different malicious behavior.

- A node engaging in selfish behavior by not forwarding packets meant for other nodes, or selectively forwarding smaller packets while discarding larger ones.
- A node falsely accusing another node of not forwarding its packets, thus isolating the node from normal network operation.
- A node placing itself in an active route and then coming out to break the route, thus forcing more route request packets to be injected into the network. By repeating this malicious act, a large amount of routing overhead is forcefully generated, wasting valuable bandwidth and disrupting normal network operation.

3.2 Assumptions

The model that we are going to propose is based on certain assumptions. First, all the nodes communicate via a shared wireless channel and all communication channels are bi-directional. Second, all the nodes operate in promiscuous mode, i.e., any node can overhear all the communication of any other node within its transmission range. Third, there is an on-demand routing protocol on top of which our proposed trust computational model can be built. Last, but not least, we do not encourage the notion of trust transitivity, i.e., "if A trusts B and B trusts C, then A trusts C". This is to prevent any colluding malicious behavior among nodes where two or more nodes can conspire to claim themselves trustworthy.

3.3 The model

Our model has been developed with a view to forming a true and honest opinion about the trustworthiness of the nodes with collaborative effort from their neighbors and to punishing the nodes with the slightest malicious intention. In the following section we analyze different malicious behavior and quantify it to gradually develop the model.
3.3.1 Trust model against selfish behavior

The development of the model to punish a node for selfish behavior is based on the Secure and Objective Reputation-based Incentive (SORI) scheme proposed in [28] with several modifications. We will elaborate more on these modifications as we describe the trust model. The parameters are described below:

(i) $NNL_N$ = Neighbor Node List (each node maintains a list of its neighbors, either by receiving Hello messages, or by learning from overhearing).
(ii) $RF_N(X)$ (Request for Forwarding) = total number of packets node N has forwarded to node X for further forwarding.
(iii) $HF_N(X)$ (Has Forwarded) = total number of packets that have been forwarded by X and noticed by N.

We are not discussing the details of updating these parameters, which can be found in [28]. With the above parameters, node N can create a local evaluation record (denoted by $LER_N(X)$) about X. The record $LER_N(X)$ consists of two parameters shown below:

$LER_N(X)$ = Local Evaluation Record of node N of node X. It reflects the evaluation of the behavior of node X by another node N.

where
$G_N(X)$ = forwarding ratio of node N on node X,
$C_N(X)$ = confidence level of N on X.

In [28] the authors have set $C_N(X) = RF_N(X)$. This gives quite an accurate estimation of the trustworthiness of a node when weighted by the confidence level. But the trust computation does not take into account a node's "selective forwarding" behavior, where it only forwards small packets while selectively discarding larger ones. To reflect this kind of malicious behavior in our trust model, we compute the confidence level $C_N(X)$ as given below:

$$C_N(X) = \frac{\sum_i \left( HF_N(X) / RF_N(X) \right)_i \cdot (Pkt\_size)_i}{\sum_i (Pkt\_size)_i}$$

Node N computes its confidence level on X after sending a specified number of packets to X. The computation is weighted by the packet size to reflect the "selective forwarding" behavior of a node.
We propose a propagation model similar to the one proposed in SORI. Each node updates its local evaluation record (LER) and sends it to its neighbors. When a node N receives $LER_i(X)$ from node i, it computes the overall evaluation record of X (denoted by $OER_N(X)$), as given below:

$$OER_N(X) = \frac{\sum_{i \in NNL,\, i \neq X} C_N(i) \cdot C_i(X) \cdot G_i(X)}{\sum_{i \in NNL,\, i \neq X} C_N(i) \cdot C_i(X)}$$

where
$C_N(i)$ = confidence level of node N on node i from which it receives $LER_i(X)$,
$C_i(X)$ = confidence level of node i on node X,
$G_i(X)$ = forwarding ratio of node i on X.

3.3.2 Trust model against malicious accuser

In this section we extend the above model to take into account the malicious accusation of a node about another node. We foresee a threat where a node falsely accuses another node of not forwarding its packets, eventually to isolate that node as an untrustworthy one. This malicious act should also be reflected in the trust computation, where every node should be given a chance to defend itself. We have modified the equation above to reflect such a malicious act in the computation of the confidence level. The modified equation is shown below:

$$C_N(X) = \frac{\sum_i \left( HF_N(X) / RF_N(X) \right)_i \cdot (Pkt\_size)_i}{\sum_i (Pkt\_size)_i} \cdot c_X(N)$$

where $c_X(N)$ = accusation index of N by X:

$$c_X(N) = \begin{cases} 0, & \text{if } X \text{ falsely accuses } N \\ 1, & \text{otherwise} \end{cases}$$

Node N keeps track of the packets it received from X and the packets it forwarded. If N finds out that X is falsely accusing it of non-cooperation, it recomputes its confidence level on X by taking into account the accusation index. It then broadcasts the new $LER_N(X)$ with the new $C_N(X)$, thus resulting in computation of a new $OER_N(X)$, which is low enough to punish X. Thus, any sort of malicious behavior of X by falsely accusing other nodes gets punished eventually.
3.3.3 Trust model against malicious topology change

In this section our proposed model is extended to reflect the malicious behavior of a node where it forces the network topology to change frequently, eventually generating a large overhead. If such behavior is detected, the confidence level must be changed in order to punish the malicious node. However, detection of such behavior is not easy, as any such topology change can be viewed as a normal characteristic of an ad hoc network. We have tried to capture such a malicious act by statistically modeling the action and reflecting it in the computation of trust. To develop the model, we require each node to maintain a table called a neighbor remove table, where it keeps track of any node moving out of the path. The table is populated by successive Hello misses in AODV, or from the unreachable node address field in the RERR packet in DSR. A snapshot of the table is shown below:

Table 1. Snapshot of Neighbor Remove Table

Node Address    Time of Leaving    Time Difference
X               T1                 t0 = 0
X               T2                 t1 = T2 - T1
X               T3                 t2 = T3 - T2
X               T4                 t3 = T4 - T3
                                   Mean = $\bar{t}$

Each node periodically scans the table to find whether any particular node is leaving at frequent intervals. It computes the mean, $\bar{t}$, of the time difference of any particular node leaving the network. If $\bar{t}$ is found lower than a threshold value (denoted by $t_{threshold}$), then the node is identified as malicious and the confidence level is computed as follows:

$$C_N(X) = \frac{\sum_i \left( HF_N(X) / RF_N(X) \right)_i \cdot (Pkt\_size)_i}{\sum_i (Pkt\_size)_i} \cdot m(X)$$

where $m(X)$ = malicious index of node X:

$$m(X) = \begin{cases} 0, & \text{if } \bar{t} \le t_{threshold} \\ 1, & \text{otherwise} \end{cases}$$

The threshold value can be selected based on the typical application for which the ad hoc network is deployed. A network that demands frequent topology change can have a higher threshold to accommodate the normal network behavior. The choice is not discussed in this paper and is left for future consideration.
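The trust computation of Sections 3.3.1 to 3.3.3, as an added example that is not code from the paper: it computes the packet-size-weighted confidence level, derives the malicious index from one node's rows of the neighbor remove table, and aggregates neighbor reports into the overall evaluation record. The batch layout (packet size, RF, HF), applying both indices as factors at once, leaving the t0 = 0 placeholder out of the mean, returning 0.0 when there is no evidence, and all sample values are assumptions made for this example.

```python
"""Added example: confidence level C_N(X) and overall evaluation record OER_N(X)."""
from statistics import mean

# Constructed observations kept by node N about a neighbor X. Each tuple is one
# batch i (assumed layout): (packet size in bytes, RF = packets N handed to X,
# HF = packets N overheard X forwarding).
HONEST = [(64, 50, 49), (512, 30, 29), (1500, 20, 20)]
SELECTIVE = [(64, 50, 50), (512, 30, 6), (1500, 20, 0)]  # drops large packets


def forwarding_ratio(batches):
    """G_N(X): packets X was seen forwarding over packets handed to X."""
    rf = sum(b[1] for b in batches)
    hf = sum(b[2] for b in batches)
    return hf / rf if rf else 0.0


def malicious_index(leave_times, t_threshold):
    """m(X): 0 if the mean gap between X's departures is <= threshold, else 1."""
    if len(leave_times) < 2:
        return 1  # a single departure gives no interval to judge (assumption)
    ordered = sorted(leave_times)
    gaps = [later - earlier for earlier, later in zip(ordered, ordered[1:])]
    return 0 if mean(gaps) <= t_threshold else 1


def confidence(batches, accusation_index=1, malicious_idx=1):
    """C_N(X): per-batch forwarding ratio weighted by packet size, then
    multiplied by the accusation index c_X(N) and the malicious index m(X)."""
    used = [(size, rf, hf) for size, rf, hf in batches if rf > 0]
    total_size = sum(size for size, _, _ in used)
    if total_size == 0:
        return 0.0  # nothing sent to X yet: no confidence (assumption)
    weighted = sum((hf / rf) * size for size, rf, hf in used)
    return weighted / total_size * accusation_index * malicious_idx


def overall_evaluation(target, reports, conf_in_reporter):
    """OER_N(X) from neighbor reports.

    reports: reporter i -> (G_i(X), C_i(X)); conf_in_reporter: i -> C_N(i).
    A report from the target itself is skipped (i != X). A report whose
    weight C_N(i) * C_i(X) is 0 drops out of both sums.
    """
    num = den = 0.0
    for reporter, (g, c) in reports.items():
        if reporter == target:
            continue
        weight = conf_in_reporter.get(reporter, 0.0) * c
        num += weight * g
        den += weight
    return num / den if den else 0.0  # no usable evidence (assumption)


def demo():
    """Run the model on the constructed data and return the key figures."""
    # Constructed leave times (seconds) of X from N's neighbor remove table.
    m_x = malicious_index([10.0, 14.0, 19.0, 23.0], t_threshold=5.0)
    reports = {
        "A": (forwarding_ratio(SELECTIVE), confidence(SELECTIVE)),
        "B": (forwarding_ratio(HONEST), confidence(HONEST)),
    }
    return {
        "G_selective": forwarding_ratio(SELECTIVE),
        "C_selective": confidence(SELECTIVE),
        "C_honest": confidence(HONEST),
        "m_X": m_x,
        "C_with_indices": confidence(HONEST, accusation_index=1, malicious_idx=m_x),
        "OER": overall_evaluation("X", reports, {"A": 0.9, "B": 0.9}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.4f}")
```

With the constructed data, the selective forwarder keeps an unweighted forwarding ratio of 0.56 while its size-weighted confidence drops to about 0.08. Because the overall evaluation record is a weighted average, a report whose confidence is 0 contributes to neither sum.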
Finally, to combine all the malicious behavior discussed earlier and to reflect that behavior in trust computation, the confidence level of node N on X is computed as shown below:

$$C_N(X) = \frac{\sum_i \left( HF_N(X) / RF_N(X) \right)_i \cdot (Pkt\_size)_i}{\sum_i (Pkt\_size)_i} \cdot c_X(N) \cdot m(X)$$

The final overall evaluation record (OER), when computed based on the local LERs, will reflect the different malicious behavior of a node as computed in the confidence level, and finally any malicious act gets detected and punished.

4. Simulation and Results

We have used Glomosim [39] for our simulation. Glomosim is scalable simulation software used for mobile ad hoc networks. We have carried out the simulation with two different scenarios. We defined a region of 2 Km by 2 Km and placed the nodes randomly within that region. In the first scenario, the nodes moved with uniform speed chosen between 0 and 10 meters/sec with a 30-second pause between each successive movement. We increased the number of nodes and studied the network performance. In the second scenario, we have increased the node speed, keeping the same infrastructure, to carry out our analysis. The parameters for both scenarios are shown in the table below.

Table 2. Parameters chosen for simulation

Scenario      Independent variable    Set of parameters compared
Scenario 1    Number of nodes         Routing overhead; Number of routes selected; Number of route errors
Scenario 2    Node speed              Routing overhead; Number of routes selected; Number of route errors

We have incorporated trust computation directly into the routing protocol to avoid any unnecessary layering interoperability. We have extended the Ad Hoc On-Demand Distance Vector (AODV) routing protocol [41] to incorporate the trust computation and exchange. The modified protocol has been benchmarked against AODV to study its scalability and efficiency.
To avoid any unwanted overhead we have ensured that the trust information exchange is piggybacked on the route request packet header. From figure 1 we can see that our protocol scales as well as the original AODV with increasing number of nodes. Even though we have incorporated extensive trust computation at each node, both by its own spying mechanism and by exchanging information with its neighbors, we can see that our protocol does not add any significant overhead.

Figure 1. Comparison of routing overhead with number of nodes

Similar results can be seen from figures 2 and 3 where we have benchmarked our modified protocol with AODV in terms of routes selected and route errors sent. Number of routes selected and route errors are dependent on several factors like localized clustering of the nodes, MAC layer load and also routing and transport layer load. The parameters show random variation, as expected from the ad hoc nature of the whole network. In both the cases we can see that the modified protocol scales as well as AODV even with large network size.

Figure 2. Comparison of routes selected with number of nodes

Figure 3. Comparison of route errors with number of nodes

Figures 4 and 5 compare the average end-to-end delay (in seconds) and throughput (in bits per second) respectively for the base AODV and the modified protocol. It can be concluded from the results that the modified protocol scales as well as the original one with respect to these parameters as well. These parameters also depend upon the localized clustering of the ad hoc nodes and overall network load including MAC layer, network layer and transport layer loads. Hence these parameters also show random variation for the two protocols.

Figure 4. Comparison of average end-to-end delay with number of nodes

Figure 5. Comparison of throughput with number of nodes

Our next set of simulations evaluates the modified protocol with increasing node speed.
This parameter has been selected to see the protocol scalability and efficiency with frequent changes in network topology. We can see from figure 6 that our modified protocol does not add any overhead, even with higher node movement. Figures 7 and 8 conclude in a similar way that the protocol scales very well in terms of routes selected and route errors sent. As we have piggybacked the confidence information into the route request messages to control routing overhead, we can conclude that mobility will help in updating trust and confidence information in our modified protocol. As the topology of the network changes more frequently, necessitating more and more route request packets to be generated, more recent trust information is circulated in the network. Thus, we can conclude that our modified protocol is not only efficient and scalable with network size and node speed, it also gives a better picture of trust and confidence with higher node speed.

Figure 6. Comparison of routing overhead with node speed

Figure 7. Comparison of route errors with node speed

Figure 8. Comparison of routes selected with node speed

Figure 9 compares the average end-to-end delay (in seconds) for the base AODV and the modified protocol. We can see that the modified protocol scales as well as the original AODV with increasing node speed with respect to the delay. As we can see from Figures 6 to 9, the parameters for the modified protocol vary randomly in comparison to the base AODV, with sometimes lower and sometimes higher values. This is attributed mainly to the ad hoc nature of the network with random waypoint mobility model. The parameters are dependent upon factors like localized node clustering, MAC layer load and also transport and network layer load, as we have discussed previously. These factors change with every simulation run with random waypoint mobility, which contributes to the somewhat random variation between the two protocols.
Figure 9. Comparison of average end-to-end delay

5. Conclusion

We have developed a model for trust computation in ad hoc networks based on different malicious behavior of the nodes. Our model is unique in the sense that it tries to explore different behavioral patterns of the attacker in various ways and quantifies those behaviors to form a computing framework, where any malicious act eventually gets detected. This model for computing and updating trusts is to be integrated with the trusted routing protocol proposed by us [19,29] to come up with a secure and robust routing solution that can efficiently withstand attacks from malicious nodes acting either independently or in collusion. Although our proposed model forms a foundation for trust computation based on different malicious behavior in an ad hoc network, we feel that there is much to be done in this area. More malicious behaviors need to be identified and quantified into the model. Furthermore, trust updating in case of false accusation must resolve a trust level conflict where both the accused and the accuser have the same trust levels. We are currently working on developing a more robust and foolproof trust computational model and integrating it with the trusted routing solution proposed by us in our earlier work [19,29].

References

[1] Seung Yi, Prasad Naldurg and Robin Kravets, “Security-Aware Ad hoc Routing for Wireless Networks”, Report No. UIUCDCS-R-2001-2241, UILU-ENG-2001-1748, August 2001.
[2] Panagiotis Papadimitratos and Zygmunt J. Haas, “Secure Routing for Mobile Ad hoc Networks”, In Proc. SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002), San Antonio, TX, January 27-31, 2002.
[3] Panagiotis Papadimitratos and Zygmunt J. Haas, “Secure Link State Routing for Mobile Ad hoc Networks”, In Proc.
IEEE Workshop on Security and Assurance in Adhoc Networks, in conjunction with the 2003 International Symposium on Applications and the Internet, Orlando, FL, January 28, 2003.
[4] Yih-Chun Hu, Adrian Perrig and David B. Johnson, “Ariadne: A Secure On-Demand Routing Protocol for Ad hoc Networks”, MobiCom ’02, September 23-26, 2002, Atlanta, Georgia, USA.
[5] Yih-Chun Hu, David B. Johnson and Adrian Perrig, “SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad hoc Networks”, In Fourth IEEE Workshop on Mobile Computing Systems and Applications (WMCSA ’02), pages 3-13, June 2002.
[6] Manel Guerrero Zapata and N. Asokan, “Securing Ad hoc Routing Protocols”, WiSe’02, September 28, 2002, Atlanta, Georgia, USA.
[7] Kimaya Sanzgiri et al., “A Secure Routing Protocol for Ad hoc Networks”, In Proc. of the 10th IEEE International Conference on Network Protocols (ICNP’02), 2002.
[8] Hao Yang, Xiaoqiao Meng, Songwu Lu, “Self-Organized Network Layer Security in Mobile Ad hoc Networks”, WiSe ’02, September 28, 2002, Atlanta, Georgia, USA.
[9] Lidong Zhou and Zygmunt J. Haas, “Securing Ad hoc Networks”, IEEE Network, November/December 1999.
[10] Frank Stajano and Ross Anderson, “The Resurrecting Duckling: Security Issues for Ad hoc Wireless Networks”, 15th September, 1999.
[11] Patrick Albers et al., “Security in Ad hoc Networks: a General Intrusion Detection Architecture Enhancing Trust Based Approaches”, Wireless Information Systems, Ciudad Real, Spain, 2002.
[12] Hongmei Deng, Wei Li and Dharma P. Agrawal, “Routing Security in Wireless Ad Hoc Networks”, IEEE Communications Magazine, October 2002.
[13] Sonja Buchegger and Jean-Yves Le Boudec, “Performance Analysis of the CONFIDANT Protocol (Cooperation Of Nodes: Fairness In Dynamic Ad-hoc Networks)”, MOBIHOC ’02, June 9-11, 2002, Switzerland.
[14] Bradley R. Smith, Shree Murthy, J.J.
Garcia-Luna-Aceves, “Securing Distance-Vector Routing Protocols”, In Proceedings of Internet Society Symposium on Network and Distributed System Security, San Diego, CA, February, 1997.
[15] Zheng Yan, Peng Zhang, Teemupekka Virtanen, “Trust Evaluation Based Security Solution in Ad Hoc Networks”, http://www.nokia.com/library/files/docs/Trust_Evaluation_Based_Security_Solution_in_Ad_Hoc_Networks.pdf.
[16] Asad Amir Pirzada and Chris McDonald, “Establishing Trust in Pure Ad-hoc Networks”, appeared in 27th Australian Computer Science Conference, The Univ. of Otago, Dunedin, New Zealand, 2004.
[17] Xiaoqi Li, Michael R. Lyu, Jiangchuan Liu, “A Trust Model Based Routing Protocol for Secure Ad Hoc Networks”, Proceedings 2004 IEEE Aerospace Conference, Big Sky, Montana, U.S.A., March 6-13 2004.
[18] Edith C. H. Ngai and Michael R. Lyu, “Trust and Clustering-Based Authentication Services in Mobile Ad Hoc Networks”, Proceedings of the 2nd International Workshop on Mobile Distributed Computing (MDC'04), Tokyo, Japan, March 23-26 2004.
[19] Niki Pissinou, Tirthankar Ghosh, Kia Makki, “Collaborative Trust Based Secure Routing in Multihop Ad Hoc Networks”, in Proceedings of The Third IFIP-TC6 Networking Conference (Networking '04): Springer Verlag, Series: Lecture Notes in Computer Science, Vol. 3042, pp. 1446 – 1451, Athens, Greece, May 9-14, 2004.
[20] Tirthankar Ghosh, Kia Makki, Niki Pissinou, “An Overview of Security Issues for Multihop Mobile Ad Hoc Networks”, Network Security: Technology Advances, Strategies, and Change Drivers, ISBN: 0931695-25-3, 2004.
[21] Carlton R. Davis, “A Localized Trust Management Scheme for Ad Hoc Networks”, in Proceedings of the 3rd International Conference on Networking (ICN ’04), March 2004.
[22] Raja Rai Singh Verma, Donal O’Mahony and Hitesh Tewari, “NTM – Progressive Trust Negotiation in Ad Hoc Networks”, in Proceedings of the 1st joint IEI/IEE Symposium on Telecommunications Systems Research, Dublin, November 27, 2001.
[23] Laurent Eschenauer, Virgil D. Gligor and John Baras, “On Trust Establishment in Mobile Ad Hoc Networks”, in Proceedings of the Security Protocols Workshop, Cambridge, U.K.: Springer-Verlag, April 2002.
[24] Lalana Kagal, Tim Finin and Anupam Joshi, “Moving from Security to Distributed Trust in Ubiquitous Computing Environments”, IEEE Computer, December 2001.
[25] Huafei Zhu, Bao Feng, Robert H. Deng, “Computing of Trust in Distributed Networks”, http://eprint.iacr.org/, 2003/056.
[26] Thomas Beth, Malte Borcherding, Birgit Klein, “Valuation of Trust in Open Networks”, Proceedings of the European Symposium on Research in Computer Security (ESORICS), 1994, Brighton, UK, pp. 3-18, LNCS 875, Springer-Verlag.
[27] Matt Blaze, Joan Feigenbaum, Jack Lacy, “Decentralized Trust Management”, Proc. IEEE Conference on Security and Privacy, Oakland, CA, May 1996.
[28] Qi He, Dapeng Wu, Pradeep Khosla, “SORI: A Secure and Objective Reputation-based Incentive Scheme for Ad-hoc Networks”, WCNC 2004.
[29] Tirthankar Ghosh, Niki Pissinou, Kia Makki, “Collaborative Trust-based Secure Routing Against Colluding Malicious Nodes in Multi-hop Ad Hoc Networks”, in Proceedings of 29th IEEE Annual Conference on Local Computer Networks (LCN), Nov 16-18, 2004, Tampa, Florida, USA.
[30] Levente Buttyán and Jean-Pierre Hubaux, “Stimulating Cooperation in Self-Organizing Mobile Ad Hoc Networks”, MONET Journals of Mobile Networks, 2002.
[31] Sergio Marti, T.J. Giuli, Kevin Lai and Mary Baker, “Mitigating Routing Misbehavior in Mobile Ad Hoc Networks”, in Proceedings of the 6th annual international conference on Mobile computing and networking (MobiCom), August 06 - 11, 2000, Boston, Massachusetts, United States.
[32] Pietro Michiardi and Refik Molva, “CORE: A Collaborative Reputation Mechanism to Enforce Node Cooperation in Mobile Ad hoc Networks”,
[33] Alfarez Abdul-Rahman & Stephen Hailes, “A Distributed Trust Model”, ACM New Security Paradigm Workshop, 1997.
[34] Pradip Lamsal, “Requirements for Modeling Trust in Ubiquitous Computing and Ad Hoc Networks”, Ad Hoc Mobile Wireless Networks- Research Seminar on Telecommunications Software, 2002.
[35] Po-Wah Yau and Chris J. Mitchell, “Reputation Methods for Routing Security for Mobile Ad Hoc Networks”,
[36] Elizabeth Gray, et al., “Trust Propagation in Small Worlds”, in Proceedings of the 1st International Conference on Trust Management, 2002.
[37] Karl Aberer, Zoran Despotovic, “Managing Trust in a Peer-2-Peer Information Systems”, CIKM’01, November 5-10, 2001, Atlanta, Georgia, USA.
[38] Tirthankar Ghosh, Niki Pissinou, Kia Makki, “Towards Designing a Trusted Routing Solution in Mobile Ad Hoc Networks”, in the ACM Journal “Mobile Networks and Applications (MONET)” vol. 10, no. 6, pp. 985 - 995, December 2005.
[39] Xiang Zeng, Rajive Bagrodia and Mario Gerla, “Glomosim: A Library for Parallel Simulation of Large-scale Wireless Networks”, Proceedings of the 12th Workshop on Parallel and Distributed Simulations – PADS ’98, May 26-29, Alberta, Canada, 1998.
[40] Sonja Buchegger, Jean-Yves Le Boudec, “Nodes Bearing Grudges: Towards Routing Security, Fairness, and Robustness in Mobile Ad Hoc Networks”, in Proceedings of the Tenth Euromicro Workshop on Parallel, Distributed, Network-based Processing, pages 403-410, Canary Islands, Spain, January 2002.
[41] C. Perkins and E. Royer, “Ad hoc On-Demand Distance Vector Routing”, In Proc. IEEE Workshop on Mobile Computing Systems and Applications, 1999.
[42] A. Josang, “A Logic for Uncertain Probabilities”, International Journal of Uncertainty, Fuzziness and Knowledge-based Systems, 9(3): 279-311, 2001.
[43] A. Josang, “A Subjective Metric of Authentication”, in Proceedings of ESORICS: European Symposium on Research in Computer Security, LNCS, Springer-Verlag, 1998.
[44] A.
Josang, “Prospectives for Modelling Trust in Information Security”, in Proceedings of Australasian Conference on Information Security and Privacy, pages 2-13, 1997.
[45] David B. Johnson and David A. Maltz, “The Dynamic Source Routing Protocol for Mobile Ad Hoc Networks”, Internet Draft, MANET Working Group, IETF, October, 1999.
[45] Tao Jiang, John S. Baras, “Ant-based Adaptive Trust Evidence Distribution in MANET”, in Proceedings of the 24th International Conference on Distributed Computing Systems Workshops (ICDCSW’04), 2004.
[46] George Theodorakopoulos, John S. Baras, “Trust Evaluation in Ad-Hoc Networks”, WiSE’04, Philadelphia, PA, October 1, 2004.

Reactive and Proactive Approaches to Secure Routing in MANETs⋆

Mike Burmester and Tri Van Le
Department of Computer Science, Florida State University
Tallahassee, Florida 323206-4530
{burmester,levan}@cs.fsu.edu

Abstract: Mobile ad hoc networks are collections of wireless mobile nodes with links that are made or broken in an arbitrary way. They have constrained resources, restricted broadcast range and no fixed infrastructure. For these networks communication is achieved via routes whose nodes relay packets. Several routing algorithms have been proposed in the literature. These focus mainly on efficiency with security relegated to weak adversary models. In this paper we consider the problem of secure routing in malicious environments. We propose two complementary solutions: an optimistic algorithm that traces malicious behavior and an adaptive multipath algorithm that tolerates malicious behavior, and prove that they are secure.

Keywords: Ad hoc Networks, Routing Algorithms, Provable Security.

1 Introduction

Mobile ad hoc networks are collections of self-organizing mobile nodes with dynamic topologies and no fixed infrastructure. The nodes can be regarded as wireless mobile hosts with limited power (operating off batteries) and constrained bandwidth. Transmission is in a broadcast medium.
The recent rise in popularity of mobile wireless devices and technological developments have made possible the deployment of such networks for several applications, such as emergency deployments, disaster recovery, search and rescue missions and military operations.

Finding and maintaining communication routes in an ad hoc network is a major challenge, especially with respect to fault tolerance and security. To date, most of the research has focused on performance and services (see e.g., [3, 21, 22]) with security being given a lower priority, and in many cases, regarded as an add-on afterthought technology rather than a design feature (e.g., [1, 20]). Although such an approach may be appropriate for networks with predictable faults, it is not suitable for networks with unpredictable, malicious faults. In particular one cannot trace malicious behavior by exploiting only stochastic network aspects, because malicious nodes may avoid detection by colluding and behaving normally whenever a fault detection mechanism is triggered.

⋆ This material is based on work supported in part by the U.S. Army Research Laboratory and the U.S. Research Office under grant number DAAD19-02-1-0235 and in part by the National Science Foundation under grant number NSF-009316.

Of particular concern in military applications is the possibility that an established route is taken over by the adversary, and then used at a critical time when damage is maximized and when there is not sufficient time to fix the route or to find alternative routes. In such cases multipath routing and communication is of benefit. Multipath routing will also enhance bandwidth usage, load balancing and more generally efficiency (see e.g., [25]).

Another concern is that, besides packet dropping, malicious nodes may render a network useless by disseminating confusing information regarding the state of the system, e.g., by blaming non-faulty nodes for failures and for dropping or corrupting packets.
It is therefore important to trace malicious behavior and to prevent faulty nodes from taking part in future attacks.

In this paper we consider the problem of secure routing in mobile ad hoc networks when there are malicious faults. We first overview the current security threats of such networks and discuss countermeasures, focusing on routing issues. We consider networks with a varying degree of ad hocness, ranging from almost static to extremely mobile. Our main contribution is to propose two novel routing algorithms that address malicious behavior. The first is proactive and traces malicious behavior while the second is reactive and tolerates malicious behavior. We prove that both algorithms are secure in our model.

The paper is organized as follows. In Section 2 we present our model that captures at an appropriate degree of abstraction the basic stochastic aspects of mobile ad hoc networks and give our definitions. In Section 3 we overview the security threats of routing algorithms. In Section 4 we present an algorithm that traces malicious faults and in Section 5 we present an adaptive multipath routing algorithm that tolerates malicious behavior.

2 Models and Definitions

2.1 A model for ad hoc networks

There are several ways in which one can model the unpredictable nature of a mobile ad hoc network. Whichever way is used, there are important mobility aspects that must be reflected in the model. In particular, ad hoc networks are stochastic finite state systems. The following definition captures this requirement.

Definition 1. Let V be a finite state system with state space S. The elements of V are mobile nodes: each node is a probabilistic finite state machine. A mobile ad hoc network is a random process $G = \{(G_1, S_1)\}, \{(G_2, S_2)\}, \ldots, \{(G_t, S_t)\}, \ldots, \{(G_T, S_T)\}$, where $G_t = (V, E_t)$, $t = 1, 2, \ldots$, is a graph with node set V, link set $E_t$, and $S_t \in S$, $t = 1, 2, \ldots$, is the internal state of V at time t, subject to the following constraints:

(i) Markov constraint. Given the current network state $(G_t, S_t)$, the next state $(G_{t+1}, S_{t+1})$ is independent of all previous states $(G_1, S_1), \ldots, (G_{t-1}, S_{t-1})$.
(ii) Mobility constraint. The transitional probabilities $\Pr[(G_{t+1}, S_{t+1}) \mid (G_t, S_t)]$, $t = 1, 2, \ldots$, are independent of t. The distribution generated by these probabilities is called the mobility distribution µ of the network.
(iii) Medium constraints. The communication medium,
– is promiscuous: if node x transmits a packet at time t then this will be received at time t′ > t simultaneously by all its neighbors (linked to it at time t′). The time taken for a single transmission to be received (one hop) is bounded by a constant τ.
– is bidirectional: if x, y are neighbors, then x can transmit a message to y and vice versa y can transmit a message to x.
– has limited bandwidth: simultaneous transmissions in a neighborhood beyond a certain threshold will result in transmission failure, irrespective of the number of nodes in the area.

This model is time dependent: changes in the topology of the network occur over time and transmissions are time bounded. The mobility distribution µ is determined by the internal states of the nodes of G and Nature. Nature’s contribution comes from the environment and the fact that the communication is wireless. A wide variety of factors may affect the communication, ranging from weather to radio interference and physical obstacles.

Our definition specifies the basic requirements of a mobile ad hoc network system. We do not exclude the possibility that some nodes may have additional out-of-system links, either out-of-band or by using more powerful broadcasting devices. These are out-of-system facilities and may be used by nodes that do not adhere to the system specifications. Such nodes are regarded as faulty and will be discussed in Section 2.2 below.

Definition 2.
A mobile ad hoc network G is simulatable if there is an efficient algorithm σ called the simulator that simulates G according to its mobility distribution µ. That is, σ generates random samples $(\hat{G}_1, \hat{S}_1), (\hat{G}_2, \hat{S}_2), \ldots$, such that:

$$\Pr[(\hat{G}_1, \hat{S}_1), \ldots, (\hat{G}_t, \hat{S}_t)] = \Pr[(G_1, S_1), \ldots, (G_t, S_t)], \quad \text{for all } t \ge 1.$$

Communication in ad hoc networks is achieved by forwarding packets via routes. Traditionally, a route is a path that links a source node to a destination node. However the notion of a route can be extended to allow for a more general definition.

Definition 3. A route R(s, d) with source s and destination d is a list of nodes of G, that starts at s and ends at d, through which packets are forwarded. This list may not be known to s, or to any other node. Nodes on the list may know their successor, or may not. Routes may change over time and may not be connected for any time period: it is sufficient that the links of adjacent nodes are connected in turn, over time. We shall also consider multipath routes that have several node-disjoint path lists linking s, d.

2.2 The threat model

Our model allows for a very powerful adversary. The adversary interacts with the network via nodes that are under her control. These nodes are regarded as faulty. Faulty nodes may have hidden channels (used for wormhole and rushing attacks [14]) and may also vary their transmission range or use directional antennas. For example, a malicious node x may present itself as a neighbor to a non-faulty node, when it is not. With a directional antenna x may also “select” its neighbors. Furthermore, faulty nodes may replicate.

Definition 4. Let Γ be a family of subsets V′ of the node set V. We call Γ an Adversary Structure [11]. The adversary $Adv = Adv_\Gamma$ selects a subset V′ ∈ Γ and can corrupt all its nodes during the lifetime of the system.¹ Adv controls the nodes of V′ and may use them to undermine the security of the network.
We call these nodes corrupted or faulty and refer to Adv as a Γ-adversary.

The adversary may be passive or active. A passive adversary (also called honest-but-curious) will only eavesdrop on the network communication. An active adversary may use the corrupted nodes to prevent the normal functioning of the network via snooping, dropping, modifying, and/or fabricating network messages. Nodes that are actively involved in such attacks and the corresponding faults are called malicious or Byzantine. Malicious nodes may use hidden (covert) channels or “wormholes” through which they can communicate or tunnel packets.

A particular case of the Adversary Structure model is the Byzantine faults model [24] for which $\Gamma = \{V' \subset V \mid |V'| \le k\}$, for some threshold k. In this model the number of faulty nodes that $Adv = A_k$ can control is bounded by a threshold k. We call $A_k$ a k-adversary.

Definition 5. Let G be a mobile ad hoc network and P a distributed algorithm of G. We say that P tolerates a Γ-adversary if for all Γ-adversaries Adv, the probability $\pi^P_{Adv}$ that P terminates successfully when Adv is active is the same as the probability $\pi^P_0$ that P terminates successfully when Adv is passive. We say that P tolerates a Γ-adversary with error ε if $|\pi^P_{Adv} - \pi^P_0| < \varepsilon$. The probabilities $\pi^P_0$ and $\pi^P_{Adv}$ are taken over the random coin tosses of P and Adv and the input of P.

Normally we require that the “reliability” distribution $\pi^P_0$ is close to 1, but we do not exclude other values. In this definition ε specifies the level of Γ-tolerance. For ε = 0 we get perfect Γ-tolerance. We can also define computational tolerance, by requiring that the distributions $\pi^P_{Adv}$, $\pi^P_0$ are computationally indistinguishable [9].

Although our definition is not formal, it can easily be described in the formal security framework of [2, 19]. We note however that in our threat model we allow for the distribution of $\pi^P_0$ to be bounded away from 1. For example we may have $\pi^P_0 \approx 0.75$, in which case the “application” P may have to be repeated a few times (the functionality of P allows for random failures).

¹ There are several generalizations of this model. One such generalization allows Γ to be dynamic: at regular intervals Adv can replace V′ by V′′ ∈ Γ, that is, release the nodes of $V' \setminus V''$ and replace them by the nodes of $V'' \setminus V'$. Another generalization involves hybrid faults: malicious faults and physical faults. We shall not consider these models here.

2.3 Security mechanisms

For data integrity, Message Authentication Codes (MACs) may be used. For authenticity and integrity, digital signatures are used. For confidentiality (privacy) encryption mechanisms are used [24]. These are all keyed cryptosystems. There are two types of cryptosystems: symmetric and public key. Symmetric cryptosystems require one shared secret key. Public key cryptosystems require two keys, a public key and a secret key. In our algorithms we shall use the following notation:

– $[data]_{sd}$: data, and its keyed MAC with the shared key of s, d.
– $[data]_x$: data, and its digital signature with the signing key of x.
– hash(data): the (cryptographic) hash of data [24].

We assume in this paper that all MACs and digital signatures are unforgeable. In particular, that the network nodes and the adversary are polynomially bounded in the security parameter of the signatures. Consequently, the security is conditional, and the error probability must take into account the error probabilities of these cryptographic mechanisms.

The computational cost of public key cryptosystems is relatively high for most ad hoc network applications. This can be reduced by using Elliptic Curve (EC) cryptosystems or the NTRU [24], but it is preferable to use symmetric key mechanisms whenever appropriate. However with symmetric key mechanisms, integrity can only be checked by those who share the secret key.
In particular, symmetric mechanisms will not support non-repudiation. For authentication we must therefore use digital signatures.

We shall assume that each network node is assigned a unique secret signing key and given a list of public keys that correspond to the assigned secret keys. This will allow nodes to link digitally signed messages to their owners and to authenticate nodes. It is important however to note that malicious nodes may choose to share their secret signing keys. This will make it possible for them to appear to be present in several virtual places of the network at the same time (this is the Sybil attack [5] which we shall discuss in Section 3.2). We therefore view malicious nodes as collections of virtual nodes, each one corresponding to a unique signing key. The inability to bind entities (or messages) to a unique physical node is an inherent limit of Public Key Cryptography. It is not restricted to networks and applies to all protocols that rely on cryptographic primitives for authentication.

3 Security issues for routing algorithms

Depending on where most of the routing effort takes place, there are two types of routing: network-centric and source-centric. With network-centric routing (such as DSDV [21], WR [3] and AODV [22]) the routing effort is distributed within the network; with source-centric routing (such as DSR [16]) most of the routing effort is done by the source node.

Network-centric routing requires considerable cooperation between the nodes of the network in order to update and maintain a distributed database of routing information such as routes, cost, distance, reliability, time, etc. This type of routing is appropriate for networks whose node mobility is low and changes are less frequent. Its advantage is that the routing service is always available and communication can start almost immediately.
From a security point of view, network-centric routing requires substantial cooperation between network nodes and strong trust relationships. These algorithms are therefore more vulnerable to malicious faults. There is no way to prevent such faults, because the routing service is provided by remote nodes (that may be faulty).

With source-centric routing, the source s is responsible for discovering the topology of the network, for finding a route and for updating any changes, with less help from other nodes. When a node needs to send a packet, a route to the destination is constructed on-demand by the node and updated according to the changes in the network. Cooperation from other nodes is often limited to forwarding packets or collecting local information. Since there is almost no status information to maintain, this kind of routing is flexible and appropriate for networks that change frequently. Source-centric routing lessens the dependence on intermediate node cooperation, and thus is less vulnerable to malicious attacks. Furthermore, since the source and destination have control over the routes, they are also more flexible in dealing with DoS. For these reasons, when security issues are of concern, source-centric routing is preferable.

3.1 Denial of Service attacks and countermeasures

There are several ways in which a DoS can be triggered. For example, the adversary can cause a DoS by flooding the network with irrelevant packets (via faulty nodes). Another way to trigger a DoS is by flooding queries in dense networks. We also have DoS attacks on routes. If the adversary succeeds in taking control of a route, for example by having one or more nodes under his control selected by a route discovery algorithm, then the adversary will establish routes that may not exist or that may have loops, which could prevent routing updates from settling and route convergence. DoS is also triggered by packet dropping.
For example, malicious nodes in a route discovery algorithm may drop packets to prevent the source getting path information. Packet dropping can also take place during communication. This problem is aggravated when malicious nodes collude.

Non-malicious DoS caused by flooding in dense networks is controlled by reducing the broadcast redundancy. Gossip protocols [10, 4] use this approach. Malicious DoS caused by flooding may be controlled by using Intrusion Detection mechanisms. One way to deal with malicious DoS attacks on routes is to use fault tracing algorithms. Awerbuch-Holmer-Nita Rotaru-Rubens [1] use an adaptive fault probing algorithm that is triggered when faults occur at a rate higher than that of ordinary link failures (non-malicious). There are several problems with such an approach, due primarily to the fact that a malicious node need not exhibit faulty behavior when probed, but only during communication. Furthermore, malicious nodes may collude to prevent failure reports reaching the source and make bogus reports to confuse other nodes. In Section 4 we describe an algorithm that will trace malicious behavior when it occurs.

3.2 Man-in-the-Middle attacks and countermeasures

In a man-in-the-middle attack the adversary takes control of the communication channel between the source and destination by interposing between them. In their simplest form these attacks are passive, with the adversary relaying packets between two nodes x, y via nodes under his control. The relaying node(s) is (are) transparent to x and y, and x is fooled into believing that y is in range (a neighbor). In particular x, y will appear to be adjacent in any route containing them. The attacker will not be listed on the route, but the nodes x, y will be. Consequently, the route will appear to be shorter than it actually is, and may be selected in preference to other routes. In this way the adversary can take control of the route.
Authentication mechanisms are of no help: the adversary simply relays the authenticators.

Active man-in-the-middle attacks in which the attacker is an "insider", that is, a malicious node that is trusted, are the hardest to control. In such attacks, the attacker is properly authenticated and controls nodes on routes originating at the source. In a wormhole attack [14] the adversary succeeds in fooling a source node into believing that a route is short by tunneling packets intended for the destination via nodes under her control. A rushing attack [14] is a wormhole attack in which the adversary succeeds in sending packets through the wormhole faster than normal network traffic. With such attacks it may not be possible to distinguish non-faulty nodes from malicious nodes, because the adversary may disguise the attack to mimic (stochastically) a failure caused by Nature.

In a Sybil attack [5] a malicious node z presents multiple identities. In this way z succeeds in fooling the source into believing that there are many short routes to the destination. These routes "pass through" conspiring nodes $z_i$ that may actually be far away (in broadcast hops), but are used as proxy nodes by the nearby node z. In this attack z knows the secret authentication keys of the conspiring nodes $z_i$ and uses them to authenticate the $z_i$.

Man-in-the-middle attacks in ad hoc networks are hard to counter, if not impossible. There are two general approaches that can be used with such attacks: a temporal and a locational approach. The former exploits the time taken for each broadcast hop. In most cases this can be used to prevent the attacker from falsifying the length of routes. The latter uses the physical location of the nodes. Each node certifies its own position. In most cases this approach will trace nodes that claim false positions (by non-faulty neighbor nodes).

3.3 Security at the physical and data link layers

There are two types of faults that may occur in a routing algorithm: faults whose effect is stochastically indistinguishable from ordinary link failures caused by the mobility of the system, radio interference, power failure etc., and faults whose effect can be distinguished. Malicious faults tend to be of the second type, although the first type should not be excluded. For example, as observed earlier, the adversary may try to evade detection by causing faults that mimic the statistics of natural failures. Furthermore, malicious physical faults may affect the mobility of the system.

Faults that deviate from ordinary failures can be controlled by using redundancy, in particular error detection, error correction and erasure mechanisms. These faults are best dealt with at the physical or data link layer of the protocol stack with Medium Access Control protocols. At these layers one can also deal with jamming attacks (using frequency-hopping spread spectrum techniques) and most isolated DoS attacks.

Faults of the second type, although by definition statistically detectable, can be quite hard to trace or locate. They include malicious faults. Malicious faults may occur when they are least expected, and may not be traceable with statistical failure analysis. The reason for this is that any analysis based on reported failures can be manipulated by the adversary. Faults of this type have to be addressed at the network layer. In this paper we are concerned with such faults.

3.4 Security issues of Ariadne, SEAD and SAODV

Several routing protocols in the literature address security issues (see e.g., [20]). Here we discuss three of the more popular ones: Ariadne [12], SEAD [13] and Secure AODV [27].

Ariadne is a source-centric routing algorithm based on DSR that uses an authentication mechanism with a keyed hash chain called TESLA for path integrity.
The security of this algorithm is based on the assumption that all nodes on a route (insiders) will protect the integrity of path information. It therefore will not tolerate insider faults. In particular it does not tolerate DoS caused by packet dropping.

SEAD is a source-centric variant of Ariadne. This algorithm also does not tolerate insider faults.

Secure AODV (SAODV) is a network-centric routing algorithm that is based on the AODV algorithm [22]. It uses digital signatures and hash chains to protect the integrity of path information. As with the previous two algorithms it will not tolerate insider faults.

Rushing attacks on routing algorithms are the hardest to control. With these attacks two colluding nodes, one close to the source s, the other close to the destination d, tunnel packets intended for d and sent by s via a wormhole, slightly faster than normal network traffic. The colluding nodes are authenticated and may insert conspiring nodes (using a Sybil attack) on the path to make its length appear "normal" and be selected in preference to other paths. Such attacks are not tolerated by Ariadne, SEAD and SAODV.

4 Tracing malicious faults

In this section we describe a routing algorithm that will trace malicious faults by identifying malicious behavior. Faulty nodes that are traced may have their keys invalidated by the non-faulty nodes, thus preventing future attacks.

Observe that failure rates based on reported failures of nodes to forward packets may be inaccurate. This is because faulty nodes may fail to report such events or, even worse, fabricate events. Consequently tracing mechanisms that are triggered by failure rates exceeding a certain threshold may fail. Furthermore, it is not possible in general to tell from a report by a node that claims that another node is faulty which node is actually faulty: the reporting or the reported node. Two approaches can be used with malicious k-adversaries.
In the first, malicious behavior is established when more than k (distinct) reports are available. In the second, each time a node is reported as malicious, both the reporting and the reported node are treated as malicious and eliminated. In this case the malicious nodes can cause up to k faults, but will then be eliminated together with up to k non-faulty nodes.

4.1 An optimistic algorithm that traces malicious faults

We describe an optimistic² algorithm that will trace malicious node behavior. For this algorithm there is no additional cost when there are no faults. When faults do occur, the cost to locate a fault is one tracing round and one digital signature. Compared to [1], our algorithm will locate faults when malicious nodes collude, and it also uses fewer rounds. Each participating node only needs to know its neighbors on the path. In this algorithm faults that can be dealt with at the data link layer by error correction and re-sending packets are treated as non-malicious.

The protocol is described in Figure 1. We use the following notation:

– $pkt_s = [s, d, sn, seq_s, data]_{sd}$: a packet consisting of identifiers s, d, a session number sn for the tracing algorithm (unique to each session), the sequence number $seq_s$ for $pkt_s$, and data.
– $ack_d = [s, d, sn, seq_s]_{sd}$: an acknowledgment by the destination d.
– $prob_s = [s, d, sn, seq_s, hash(pkt_s)]_s$: a probing request by s.
– $nack_y = [s, d, y, succ(y), sn, seq_s]_y$: an acknowledgment of failure of succ(y) reported by y.
– $timer_{xy}$: a bound on the time taken for a round trip from x to y for $pkt_s$.
– prec(x), succ(x): the node that precedes, succeeds x on the path taken by $pkt_s$.

In the protocol, the source s sends a packet $pkt_s$ to succ(s) to be delivered to the destination d. If there are no faults then the packet reaches d, which will send back to s an authenticated acknowledgment $ack_d$. If there is a fault and this is detected by an intermediate node y, then a $nack_y$ will be sent to s.
Otherwise the source s will send a $prob_s$ with details of $ack_d$, requesting intermediate nodes to check the validity of any received $nack_y$ or $ack_d$. Thus, for an intermediate node x, either succ(x) is faulty or x should have received from succ(x),

1. after $x \xrightarrow{pkt_s} succ(x)$ and before $timer_{xd}$ times out: a valid $nack_y$ (when node y has detected faulty behavior by succ(y)) or an $ack_d$ for which $(s, d, sn, seq_s)$ have the correct values, or
2. after $x \xrightarrow{prob_s} succ(x)$ and before the reset $timer_{xd}$ times out: a valid $nack_y$.

It follows that s will receive a valid $nack_y$ and consequently a fault will be traced. Observe that in the protocol s, d check the validity of $pkt_s$ and $ack_d$, and if there are no faults, the intermediate nodes check only for matching acknowledgments $ack_d$; if there are faults, intermediate nodes will also check the validity of $nack_y$ and $prob_s$.

² Optimistic algorithms have optimal performance when there are no faults.

Source s. Set $seq_s = 0$. While a connection to d has not terminated do:
  1. Set $timer_{sd}$ and send $pkt_s$ to succ(s).
  2. If a valid $ack_d$ for $pkt_s$ is received before timeout then set $seq_s = seq_s + 1$.
  3. Else if a valid $nack_y$ for $pkt_s$ is received before timeout then y or succ(y) is malicious.
  4. Else if an invalid $ack_d$ is received:
     (a) Reset $timer_{sd}$ and send $prob_s$ to succ(s).
     (b) If a valid $nack_y$ for $pkt_s$ is received before timeout then y or succ(y) is malicious.
     (c) Else succ(s) is malicious.
  5. Otherwise succ(s) is malicious.

Intermediate node x. When $pkt_s$ is received:
  1. Set $timer_{xd}$ and send $pkt_s$ to succ(x).
  2. If a matching $ack_d$ is received before $timer_{xd}$ times out then
     (a) Set $timer_{xs}$ and send $ack_d$ to prec(x).
     (b) If a valid $prob_s$ for $pkt_s$ is received before $timer_{xs}$ times out then
         i. Reset $timer_{xd}$ and send $prob_s$ to succ(x).
         ii. If a valid $nack_y$ for $pkt_s$ is received before $timer_{xd}$ times out then send $nack_y$ to prec(x).
         iii. Else construct and send $nack_x$ to prec(x).
  3. Else if a valid $nack_y$ for $pkt_s$ is received before $timer_{xd}$ times out then
     (a) Send $nack_y$ to prec(x).
  4. Otherwise construct and send $nack_x$ to prec(x).

Destination d. When a valid $pkt_s$ is received:
  1. Construct and send $ack_d$ to prec(d).

Fig. 1. An optimistic tracing algorithm.

Theorem 1. For any Γ-adversary, the tracing algorithm in Figure 1 will either deliver $pkt_s$ to the destination d or will trace at least one faulty node. In particular:
  1. If all nodes adhere to the protocol then d will receive $pkt_s$ and the source s will receive $ack_d$ before its timeout.
  2. If s receives an $ack_d$ before its timeout then d has received $pkt_s$.
  3. If s does not receive an $ack_d$ before its timeout then at least one faulty node is traced.

Proof. (Sketch) We consider each part separately.
  1. Clearly if all nodes adhere to the protocol then d will get $pkt_s$ and s will get $ack_d$.
  2. If s gets $ack_d$, then because signatures are unforgeable and d will only sign a matching $ack_d$ if the received $pkt_s$ is valid, d must have received $pkt_s$.
  3. If s has not received $ack_d$ before its timeout, it will send a probe $prob_s$ downstream requesting intermediate nodes to check the last transmitted $pkt_s$. Note that any non-faulty intermediate node x that has received $pkt_s$ upstream will send back upstream either an $ack_d$, a $nack_x$ or a $nack_y$, for some y, before its timeout. If s did not receive a valid $nack_y$ for some y before its timeout, then succ(s) must be faulty, and if s did receive a valid $nack_x = [s, d, sn, seq, x, y]$ for some x, y before its timeout, then at least one of {x, y} is faulty. In both cases s succeeds in tracing at least one faulty node.
The full proof will be given in the journal version of this paper. □

In this tracing algorithm, when there are no faults, a short ack is sent back. When faults do occur, a short prob and nack are sent. In either case, a packet is confirmed successfully delivered, or a fault location is determined with only two digital signatures.
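
The source, intermediate and destination steps of Figure 1, run over a constructed five-node path with scripted faults, as an added example (not code from the paper). HMAC over a constructed per-node key table stands in for the digital signatures, a timeout is modeled as a missing reply, and the class name, the fault labels and the choice that a faulty node stays silent when probed are assumptions of this example.

```python
import hashlib
import hmac

def tag(key, *fields):
    """Authenticator over the message fields (HMAC stands in for a signature)."""
    return hmac.new(key, "|".join(map(str, fields)).encode(), hashlib.sha256).hexdigest()

class TracedPath:
    """One source-routed path [s, x1, ..., d] running the Figure 1 steps."""

    def __init__(self, path, faults=None):
        self.path = path
        self.faults = faults or {}   # node -> "drop_pkt" | "drop_reply" | "forge_ack"
        self.keys = {n: ("key-" + n).encode() for n in path}  # constructed keys
        self.k_sd = b"constructed-s-d-key"   # known to s and d only
        self.sn = 1                          # session number
        self.saw_ack = set()                 # nodes that relayed a matching ack

    def _ack_fields(self, seq):
        return (self.path[0], self.path[-1], self.sn, seq)

    def _nack(self, i, seq):
        """nack_y = [s, d, y, succ(y), sn, seq]_y built by y = path[i]."""
        y, nxt = self.path[i], self.path[i + 1]
        body = (self.path[0], self.path[-1], y, nxt, self.sn, seq)
        return ("nack", body, tag(self.keys[y], "nack", *body))

    def _valid_nack(self, msg, seq):
        if not msg or msg[0] != "nack":
            return False
        body, sig = msg[1], msg[2]
        y = body[2]
        return (y in self.keys and body[4:] == (self.sn, seq)
                and hmac.compare_digest(sig, tag(self.keys[y], "nack", *body)))

    def _deliver(self, i, seq):
        """path[i] receives pkt_s; returns what it sends to prec, None = silence."""
        node, fields = self.path[i], self._ack_fields(seq)
        if i == len(self.path) - 1:                    # destination d
            return ("ack", fields, tag(self.k_sd, "ack", *fields))
        fault = self.faults.get(node)
        if fault == "drop_pkt":
            return None
        if fault == "forge_ack":                       # right fields, bogus tag
            return ("ack", fields, "forged")
        reply = self._deliver(i + 1, seq)              # step 1
        if fault == "drop_reply":                      # hides acks and reports
            return None
        if reply and reply[0] == "ack" and reply[1] == fields:
            self.saw_ack.add(node)                     # step 2: fields match only
            return reply
        if self._valid_nack(reply, seq):               # step 3: relay the report
            return reply
        return self._nack(i, seq)                      # step 4: blame succ(x)

    def _probe(self, i, seq):
        """path[i] receives prob_s (step 2(b)); returns a nack or None."""
        node = self.path[i]
        if i == len(self.path) - 1 or node in self.faults or node not in self.saw_ack:
            return None
        reply = self._probe(i + 1, seq)
        return reply if self._valid_nack(reply, seq) else self._nack(i, seq)

    def send(self, seq=0):
        """Source steps 1-5: ("delivered", set()) or ("traced", suspects)."""
        self.saw_ack = set()
        fields = self._ack_fields(seq)
        reply = self._deliver(1, seq)
        if reply and reply[0] == "ack":
            if reply[1] == fields and hmac.compare_digest(
                    reply[2], tag(self.k_sd, "ack", *fields)):
                return "delivered", set()
            reply = self._probe(1, seq)                # step 4(a): invalid ack
        if self._valid_nack(reply, seq):               # steps 3 and 4(b)
            return "traced", {reply[1][2], reply[1][3]}
        return "traced", {self.path[1]}                # steps 4(c) and 5

PATH = ["s", "a", "b", "c", "d"]                       # constructed path
SCENARIOS = {                                          # constructed fault scripts
    "no faults": {},
    "b drops the packet": {"b": "drop_pkt"},
    "c drops, b hides the report": {"c": "drop_pkt", "b": "drop_reply"},
    "c forges an ack": {"c": "forge_ack"},
    "succ(s) forges an ack": {"a": "forge_ack"},
}

def run_all():
    return {name: TracedPath(PATH, f).send() for name, f in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (status, suspects) in run_all().items():
        print(f"{name:30s} {status:10s} {sorted(suspects)}")
```

In every faulty run the suspect set is either succ(s) alone or a reporting/reported pair, and it always contains at least one scripted faulty node, which is the guarantee stated in Theorem 1.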
The tracing algorithm of Figure 1 is the most efficient routing algorithm that will trace malicious behavior even when faulty nodes collude. It improves on the fault tracing algorithm in [1], which requires at least log(n) communication rounds and signatures to locate a malicious fault, and does not consider collusions.

4.2 Tracing malicious behavior with AODV and DSR

Most routing algorithms can easily be extended to incorporate our tracing mechanism in the communication phase. For example, for distance-vector-based routing algorithms such as DSDV and AODV, malicious faults will be traced by using Step 2, Step 3 and Step 4 of the source and intermediate nodes in the tracing algorithm, for packet processing (the store-and-forward process). With the DSR algorithm, we trace malicious faults by adding Step 2, Step 3 and Step 4 of the source and intermediate nodes in the tracing algorithm at the network layer, i.e., after error checking at the data link layer. In this case, the error reporting at the data link layer is redundant, although it can be useful to optimize the tracing time.

5 Adaptive Multipath Routing

Multipath routing involves the establishment of multiple paths between source and destination pairs. These paths may be used for redundant communication to control malicious attacks. A major advantage of using multipaths is that, by exploiting redundancy, we can guarantee service continuity even when the adversary is active.

5.1 An Adaptive Multipath Routing algorithm

Finding routes with multiple paths in networks that do not have a fixed infrastructure is a challenge and in general requires a different approach to that used with fixed infrastructures. In this section we consider a multipath routing algorithm that combines in parallel a distributed version of the Ford-Fulkerson Max Flow algorithm [6] (at the source) with a local network discovery algorithm (for nearby nodes) to find vertex-disjoint paths that link the source to the destination.
When there are no malicious faults, a single route is used. Otherwise, the route is adaptively reconstructed to deal with the faults. Only the shortest route(s) is (are) actually used, while the rest are kept alive.

The protocol is given in Figures 2 and 3. Figure 2 describes the actions of the source s. Initially s broadcasts a request $req_s$ for neighbor lists. A hop-by-hop (on-the-fly) version of the Ford-Fulkerson Max Flow algorithm³ is used to construct a local graph $G^* = (V^*, E^*)$ with neighbor lists obtained from network nodes. $G^*$ is a directed graph which is a vertex-expanded version of the network graph G: each node x in G corresponds to two nodes $x^+$, $x^-$ linked by $(x^+, x^-)$ in $G^*$, and each link (x, y) of G corresponds to a link $(x^-, y^+)$ in $G^*$, and conversely. Initially $G^* = \emptyset$. The source adds to $G^*$ its neighbors and the links to them.

³ The Ford-Fulkerson Max Flow algorithm is given for static networks. Here we consider an extension for mobile environments.

Source s
  1. Set $G^* = \emptyset$, flow = ∅, t = 1, radius = ∆.
  2. Start using flow for communication whenever value(flow) ≥ 1.
  3. AddLinks(s, neighbors(s); flow, $G^*$).
  4. While a connection to d has not terminated do
     (a) While value(flow) < t do
         i. Set $seq_s$, $ttl_s$, $timeout_s$ and broadcast $req_s$.
         ii. For each valid $rep_x$ received before $timeout_s$ do AddLinks(x, neighbors(x); flow, $G^*$).
         iii. Set radius = radius + ∆.
     (b) If errorrate(path) > $\epsilon_0$ for all path ∈ flow then
         i. t = t + 1.

Fig. 2. An adaptive multipath routing algorithm, I

The following variables are used:

– flow: a list of vertex-disjoint paths that link s to d in $G^*$; value(flow): the number of paths in flow.
– $req_s = [s, d, sn, seq_s, ttl_s]_s$: a request by s for neighbor lists consisting of identifiers for s, d, a session number sn, a sequence number $seq_s$ for $req_s$, and the time-to-live $ttl_s$ for $req_s$.
– $rep_x = [x, sn, seq_s, ttl_x, neighbor(x)]_x$: a report by x.
– $ctime_z$: the current time for node z.
– radius: an upper bound of the hop distance for $req_s$; ∆: an initial hop radius.
– $seq_s = ctime_s$; $ttl_s = ctime_s + radius \times \tau$; $timeout_s = ttl_s + radius \times \tau$.
– t: the number of disjoint paths of the multipath.
– $\epsilon_0$: a threshold for the error rate of a non-faulty path.
– errorrate(path): the error rate of path.

Procedure AddLinks(x, neighbors(x); $G^*$)
  1. $G^* = G^* + \{(x^+, x^-), (x^-, y^+), (y^+, y^-) \mid y \in neighbors(x)\}$.
  2. Let $reverse(S) := \{(x, y) \mid (y, x) \in S\}$, for a set of links S of G.
  3. For each path p from $s^-$ to $d^+$ in $G^*$ such that $p = (p - flow) + (p \cap reverse(flow))$, set $flow = flow + p - reverse(p)$.

Observe that each edge of $G^*$ has capacity 1. Consequently flow is a set of edge-disjoint paths in $G^*$. If $(s^-, x_1^+, x_1^-, \ldots, x_{n-1}^+, x_{n-1}^-, d^+)$ is a directed path in flow then the corresponding path in G is $(s, x_1, \ldots, x_{n-1}, d)$, provided all the reverse links $(x_i^-, x_{i-1}^+)$ are also in $G^*$. It is not hard to see that if $\{(s^-, x_1^+, x_1^-, \ldots, x_{n-1}^+, x_{n-1}^-, d^+)\}$ is a set of edge-disjoint paths in $G^*$ then the corresponding paths $\{(s, x_1, \ldots, x_{n-1}, d)\}$ in G are vertex-disjoint, and vice-versa.

Figure 3 describes the actions of the intermediate nodes and the destination. On receiving a request $req_s$ each intermediate node x checks its validity and $ttl_s$. If these are in order, x sends a report $rep_x$ to s with its neighbor list and forwards $req_s$. Similarly, when x receives a report $rep_y$ from a y it checks its validity and $ttl_y$. If these are in order, x broadcasts $rep_y$.

Intermediate node x and the destination
  1. If a new valid $req_s$ is received such that $ttl_s \le ctime_x$ then
     (a) Set $ttl_x$ and $timeout_x$.
     (b) Broadcast $rep_x$ and $req_s$.
     (c) For each new valid $rep_y$ received before $timeout_x$ do if $ttl_y \le ctime_x$ then broadcast $rep_y$.

Fig. 3. The adaptive multipath routing algorithm, II

Theorem 2. The adaptive multipath routing algorithm tolerates any k-adversary, provided that the network graph is (k + 1)-connected, k ≥ 1.
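
The vertex expansion into G* and the step flow = flow + p − reverse(p) of AddLinks, as an added example (not code from the paper) that processes neighbor reports one at a time. The eight-node topology is constructed so that the first path found, s-a-b-d, has to be partly undone before two vertex-disjoint paths exist; the class and function names are hypothetical, and the augmenting path is found by breadth-first search, which the page does not prescribe.

```python
from collections import deque

class SourceFlow:
    """Source-side G* and flow of Section 5.1 (names are illustrative)."""

    def __init__(self, s, d):
        self.s, self.d = s, d
        self.links = set()   # directed unit-capacity links of G*
        self.flow = set()    # links of G* currently carrying one unit

    def add_links(self, x, neighbors):
        """AddLinks: expand x and its reported neighbors, then augment."""
        self.links.add(((x, "+"), (x, "-")))
        for y in neighbors:
            self.links.add(((x, "-"), (y, "+")))
            self.links.add(((y, "+"), (y, "-")))
        while self._augment():
            pass
        return self.value()

    def value(self):
        """value(flow): number of paths, i.e. units leaving s-."""
        return sum(1 for a, _ in self.flow if a == (self.s, "-"))

    def _augment(self):
        """Find p from s- to d+ over unused links or reversed flow links."""
        residual = {}
        for a, b in self.links:
            if (a, b) in self.flow:
                residual.setdefault(b, []).append(a)   # may cancel this unit
            else:
                residual.setdefault(a, []).append(b)   # may use this link
        src, dst = (self.s, "-"), (self.d, "+")
        parent, queue = {src: None}, deque([src])
        while queue and dst not in parent:
            u = queue.popleft()
            for v in sorted(residual.get(u, [])):
                if v not in parent:
                    parent[v] = u
                    queue.append(v)
        if dst not in parent:
            return False
        v = dst
        while parent[v] is not None:     # flow = flow + p - reverse(p)
            u = parent[v]
            if (v, u) in self.flow:
                self.flow.discard((v, u))
            else:
                self.flow.add((u, v))
            v = u
        return True

    def paths(self):
        """Vertex-disjoint paths of G recovered from the flow in G*."""
        nxt = {a: b for a, b in self.flow if a != (self.s, "-")}
        out = []
        for a, b in sorted(self.flow):
            if a != (self.s, "-"):
                continue
            path, node = [self.s], b
            while node != (self.d, "+"):
                if node[1] == "+":
                    path.append(node[0])
                node = nxt[node]
            out.append(path + [self.d])
        return out

    def confirmed(self, path):
        """True if the reverse link of every hop was also reported into G*."""
        return all(((v, "-"), (u, "+")) in self.links
                   for u, v in zip(path, path[1:]))

# Constructed neighbor reports, in the order the source receives them.
REPORTS = [
    ("s", ["a", "c"]), ("a", ["s", "b", "e"]), ("c", ["s", "g"]),
    ("b", ["a", "g", "d"]), ("e", ["a", "f"]), ("g", ["c", "b"]),
    ("f", ["e", "d"]), ("d", ["b", "f"]),
]

def discover(reports=REPORTS, s="s", d="d"):
    """Feed reports to the source; return it and value(flow) after each one."""
    src = SourceFlow(s, d)
    history = [(x, src.add_links(x, nbrs)) for x, nbrs in reports]
    return src, history

if __name__ == "__main__":
    src, history = discover()
    print(history)
    for p in src.paths():
        print(p, "confirmed" if src.confirmed(p) else "unconfirmed")
```

The confirmed check corresponds to the proviso that the reverse links must also be in G*: until d's own report arrives, both paths are in flow but their last hop has been reported by one endpoint only.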

Proof of Theorem 2. (Sketch) If there are no faulty nodes then, when the source s requests local connectivity information from the nodes in radius ∆, each node in range will forward the request and reply with its list of neighbors. By $timeout_s$, s will have received a complete connectivity graph of the nodes that are no more than radius hop counts from it. Observe that radius increases adaptively, until s finds t disjoint paths from s to d, where t ≤ k + 1, and the graph is (k + 1)-connected. Then, by the property of the Ford-Fulkerson algorithm, s will eventually succeed in finding t such paths. Note that since there are no malicious faults in this case, the value of t stays at 1.

Next consider the case when there are up to k malicious nodes. The faulty nodes may manipulate or fabricate packets but this will not affect the outcome of the algorithm, because intermediate nodes always forward a new message before timeout, regardless of the actions or the states of their neighbors. Since we are assuming that the graph is (k + 1)-connected, there must be a non-faulty path between any pair of nodes. Consequently the request $req_s$ of s will reach every intermediate node x in range, and conversely a report by any intermediate node x in range of $req_s$ will always reach s. In either case the route discovery always succeeds in finding routes.

In the communication phase, the number of paths t needed increases adaptively until at least one good path is in the flow. Since the graph is (k + 1)-connected, this process takes at most k steps, at which point flow is assured to contain at least one non-faulty path. This adaptive approach avoids finding unnecessary paths when the adversary is partially active. The full proof will be given in the journal version of this paper. □

5.2 Discussion

The novelty of this route discovery algorithm is that it is resistant to malicious DoS attacks which are addressed adaptively. In particular, when there are no attacks a single route is used.
With each malicious attack, the multipath is adaptively reconstructed to deal with the threat. Communication is activated as soon as a path becomes available, so there are no unnecessary delays. In general when faults in a t-multipath occur beyond a certain acceptable threshold, the source s will use a (t + 1)-multipath. Since the new set of paths is already constructed in the background, the delay caused by faults is minimized. Most of the time, there should be no delay. Furthermore, in our algorithm, the set of vertex-disjoint paths of the multipath is constructed incrementally, so that even when delays are unavoidable, they are minimal.

For efficiency, each node on a path only needs to know its upstream and downstream neighbor. So the path information needs to be sent to intermediate nodes only at the beginning. When changes are made to the multipath, the source needs only send the changes to all nodes on the new paths. The nodes will discard unused information after a period of inactivity.

Observe that having local information available centrally is more effective than having it distributed. In particular, the procedure used in the adaptive routing algorithm by the source allows more vertex-disjoint paths to be found than by the distributed process used in most other multipath routing protocols (because all the routing information is available locally). As a consequence fewer communication rounds may be needed when faults occur.

Finally, observe that we can combine our adaptive multipath routing algorithm with the Dynamic Source Routing algorithm [16] to get an adaptive multipath DSR algorithm. Similarly, we may combine the adaptive multipath routing algorithm with the tracing mechanism in Section 4.1 to get an adaptive routing algorithm that will trace malicious behavior.

References

1. B. Awerbuch, D. Holmer, C. Nita-Rotaru and H. Rubens, An On-Demand Secure Routing Protocol Resilient to Byzantine Failures, ACM Workshop on Wireless Security – WiSe'02, 2002.
2. D. Beaver, Foundations of secure interactive computing, Proc. CRYPTO '91, Springer Verlag LNCS, vol. 576, pp. 377-391, 1991.
3. E.M. Belding-Royer and C.-K. Toh, A review of current routing protocols for ad-hoc mobile wireless networks, IEEE Personal Communications Magazine, pp. 46-55, 1991.
4. M. Burmester, Tri van Le and A. Yasinsac, Adaptive gossip protocols: managing security and redundancy in dense ad hoc networks, Journal of Ad hoc Networks, Elsevier, 2006.
5. J.R. Douceur, The Sybil attack, Proc. 1st International Workshop on Peer-to-Peer Systems – IPTPS '02, 2002.
6. L.R. Ford and D.R. Fulkerson, Flows in Networks, Princeton University Press, Princeton, NJ, 1962.
7. D. Cavin, Y. Sasson and A. Schiper, On the Accuracy of MANET Simulators, Proc. of the 2nd ACM international workshop on Principles of mobile computing, Toulouse, France, pp. 38-43, 2002.
8. M. Felegyhazi, L. Buttyan and J.-P. Hubaux, Equilibrium analysis of packet forwarding strategies in wireless ad hoc networks – the static case, Lecture Notes in Computer Science #2775, Springer-Verlag, pp. 776-789, 2003.
9. O. Goldreich, S. Micali and A. Wigderson, How to play any mental game, Proc. of the 19th ACM conference on Theory of Computing, ACM Press, pp. 218-229, 1987.
10. Z.J. Haas, J.Y. Halpern and L. Li, Gossip-based ad hoc routing, Proc. INFOCOM'02, pp. 1707-1716, 2002.
11. M. Hirt and U. Maurer, Player Simulation and General Adversary Structures in Perfect Multiparty Computation, Journal of Cryptology, Vol 13 No 1, pp. 31-60, 2000.
12. Y-C. Hu, D.B. Johnson and A. Perrig, Ariadne: A Secure On-Demand Routing protocol for Ad Hoc Networks, ACM Mobicom 2002.
13. Y-C. Hu, D.B. Johnson and A. Perrig, SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks, Proc. 4th IEEE Workshop on Mobile Computing Systems & Applications (WMCSA 2002), IEEE, Calicoon, NY, 2002.
14. Y-C. Hu, A. Perrig and D.B. Johnson, Rushing attacks and defense in wireless ad hoc network routing protocols – WiSe2003, pp. 30-40, 2003.
15. A. Jardosh, E.M. Belding-Royer, K.C. Almeroth and S. Suri, Towards realistic mobility models for mobile ad hoc networks, Proc. 9th Annual International Conference on Mobile Computing and Networking, pp. 217-229, 2003.
16. D.B. Johnson and D.A. Maltz, Dynamic Source Routing in Ad-Hoc Wireless Networks, ed. T. Imielinski and H. Korth, Mobile Computing, Kluwer Academic Publisher, pp. 152-181, 1996.
17. G. Koh, D. Oh and H. Woo, A graph-based approach to compute multiple paths in mobile ad hoc networks, Lecture Notes in Computer Science #2713, Springer-Verlag, pp. 323-331, 2003. Proc. ACM/IEEE MOBICOM '98 (1998).
18. G. Lin, G. Noubir and R. Rajaraman, Mobility Models for Ad hoc Network Simulation, Proc. IEEE INFOCOM, 2004.
19. S. Micali and P. Rogaway, Secure Computation, Crypto '91, LNCS 576, pp. 392-404, 1991.
20. P. Papadimitratos and Z.J. Haas, Secure Routing for Mobile Ad hoc Networks, Mobile Computing and Communications Review, Vol 6, No 4, 2002.
21. C.E. Perkins and P. Bhagwat, Highly Dynamic Destination-Sequenced Distance-Vector Routing for Mobile Computers, Computer Communications Review, pp. 224-244, 1994.
22. C.E. Perkins and E.M. Royer, Ad hoc on-demand distance vector routing, IEEE Workshop on Mobile Computing Systems and Applications, pp. 90-100, 1999.
23. N. Salem, L. Buttyan, J. Hubaux and M. Jakobsson, A charging and rewarding scheme for packet forwarding in multi-hop cellular networks, Mobihoc 2003, pp. 13-24, 2003.
24. A.J. Menezes, P.C. van Oorschot and S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996.
25. A. Tsirigos and Z.J. Haas, Analysis of multipath routing, part 1: The effect on the packet delivery ratio, IEEE Transactions on Wireless Communications, Vol. 3, No. 1, pp. 138-146, 2004.
26. Jungkeun Yoon, Mingyan Liu and Brian Noble, Random Waypoint Considered Harmful, Proc. IEEE INFOCOM, 2003.
27. M.G. Zapata, Secure Ad hoc On-Demand Vector (SAODV) Routing, IETF Internet Draft, draft-guerrero-manet-saodv-00.txt, Aug 2001 (work in progress).


Toward Efficient Solutions to Resist Mobile Traffic Sensors: How Much Performance Cost is Paid by On-demand Anonymous Routing Protocols ∗

Jiejun Kong†, Jun Liu∗, Xiaoyan Hong∗, Mario Gerla†

† Department of Computer Science, University of California, Los Angeles, CA 90095
∗ Department of Computer Science, University of Alabama, Tuscaloosa, AL 35487

Abstract

The recent progress in embedded real-time system development has realized mobile traffic sensors, for example, embedded systems carried by palm-size Unmanned Aerial Vehicles (UAV). This has great impact on privacy design in mobile ad hoc networks because mobility introduces new privacy targets for the traffic sensors. In a mobile network, a node's motion pattern, traffic pattern, standing venue and route-driven packet flows, and even the dynamic network topology, all become new interests of the mobile traffic sensors, bringing in new privacy challenges in addition to conventional identity privacy and message privacy. In particular, in wireless ad hoc networks mobile nodes must rely on ad hoc routing in communication. As the wireless medium is open to anyone within the transmission range, the baseline of the mobile traffic sensors is to exploit this routing opportunity to conduct various attacks threatening the network security and privacy. Recently, the on-demand routing approach has been used by several anonymous routing schemes to prevent mobile nodes from being traced by mobile traffic sensors [29]. In this paper we seek to compare the overhead incurred by security and anonymity operations of two recently proposed on-demand anonymous routing schemes, namely ANODR [28][27] (with an enhanced variant ASR [50]) and SDAR [8]. We use the standard on-demand scheme AODV [37] in the comparison to show how much overhead is paid by each anonymous on-demand scheme.
Our simulation study shows that various design choices in anonymous routing trade performance with security protection. We conclude that extensive performance study is needed to evaluate the practicality of the existing and new anonymous routing schemes and their enhancements.

Keywords—Performance study, Mobile traffic sensor, Anonymous routing, On demand routing

∗ Part of the work is funded by ONR MINUTEMAN grant N00014-01-C0016 and NSF NRT WHYNET grant ANI-0335302.

1 Introduction

An ad hoc network can establish an instant communication structure for many time-critical and mission-critical applications. However, the intrinsic characteristics of ad hoc networks, such as wireless transmission and node mobility, make it very vulnerable to security threats. Even though many security protocol suites have been proposed to protect wireless communications, they nevertheless do not consider anonymity protection and leave identity information intercepted by nearby passive eavesdroppers. The goal of passive attacks is very different from other related routing security problems such as resistance to route disruption or prevention of "denial-of-service" attacks. In fact, the passive enemy will avoid such aggressive schemes, in the attempt to be as "invisible" as possible, until it traces, locates, and then physically destroys legitimate assets.

Consider for example a battlefield scenario with ad hoc, multi-hop wireless communications support. The adversary could deploy reconnaissance and surveillance sensor networks in the battlefield and maintain communications among them. Via intercepted wireless transmissions, they could infer the location, movement, number of participants, and even the goals of our task forces. Anonymity and location privacy guarantees for our ad hoc networks are critical, else the entire mission may be compromised. This poses challenging constraints on routing and data forwarding.

1.1 Mobile traffic sensor network

Recent advances in manufacturing technologies have enabled the physical realization of small, light-weight, low-power, and low-cost miniature aerial vehicles (MAVs) [22][21]. These MAVs refer to a new breed of unmanned aerial vehicles (UAVs) or aerial robots that are significantly smaller than currently available UAVs. Figure 1 illustrates the WASP MAV recently tested by DARPA. It is a 32 cm "flying wing" made of a plastic lithium-ion battery material that provides both electrical power and wing structure. The wing utilizes synthetic battery materials that generate an average output of more than nine watts during flight — enough power to propel the miniature aircraft for one hour forty-seven minutes. Such aerial robots, equipped with information sensing and transmission capabilities, extend the sphere of awareness and mobility of human beings, and allow for surveillance or exploration of environments too hazardous or remote for humans.

Figure 1: Micro Aerial Vehicle (MAV) capable of tracing mobile wireless traffic sent from pedestrian nodes

The MAV research group of our collaborator has established a long track record in designing, building, and test-flying autonomous MAVs. The next-generation MAVs to be developed are expected to serve as an enabling technology for a plethora of civilian and military applications, including homeland security, reconnaissance, surveillance, tracking of terrorists/suspects, rescue and search, and highway/street patrol. With signal processing techniques (and other out-of-band techniques like visual perception which will not be discussed in this paper), one can use three MAVs to locate the position of a target such as a person's or a car's communication interface. Due to the small size of MAVs, the tracking of MAVs is almost unnoticed by the target being tracked. The velocity of an MAV is from 10 to 30 miles per hour, which is fast enough to track a human being or an automobile on local roads.
In regard to ad hoc routing schemes, the mobile traffic sensors carried by MAVs can trace where a mobile wireless sender node is, infer the motion pattern of the mobile node, or identify a multi-hop path between a pair of nodes.

1.2 On-demand routing

Most routing protocols in ad hoc networks fall into two categories: proactive routing and reactive routing (a.k.a. on demand routing) [9]. In proactive ad hoc routing protocols like OLSR, TBRPF and DSDV, mobile nodes constantly exchange routing messages which typically include node identities and their connection status to other nodes (e.g., link state or distance vector), so that every node maintains sufficient and fresh network topological information to allow them to find any intended recipients at any time. On the other hand, on demand routing has become a major trend in ad hoc networks. AODV [36] and DSR [25] are common examples. Unlike their proactive counterparts, on demand routing operation is triggered by the communication demand at sources. Typically, an on demand routing protocol has two components: route discovery and route maintenance. In the route discovery phase, the source establishes a route towards the destination by first flooding a route request (RREQ) message, and then receiving a route reply (RREP) sent by the destination. In the route maintenance phase, nodes on the route monitor the status of the forwarding path, and report to the source about route errors. Optimizations could lead to local repairs of broken links.

Clearly, transmitted routing messages and cached routing tables, if revealed to the adversary, leak a large amount of private information about the network. When this happens, proactive protocols and on-demand protocols show different levels of damages by design. With proactive routing, a compromised node has fresh topological knowledge about other proactive nodes during the entire network lifetime.
It can also translate the topological map to a physical map using several anchor points (e.g., by techniques similar to sensor network’s localization service [33][46]). This way, a single point of intrusion allows the adversary to visualize the entire network and know where each node is. On the other hand, with on demand routing, the adversary has a reduced chance in tracing the mobile network in the sense that only active routing entries are in cache and in transmission, and the traffic pattern is probabilistic (depending on application needs) and expires after a predefined timeout.

1.3 Contributions

In this paper, our goal is to carry out a systematic performance study of anonymous routing protocols following the on-demand approach. We illustrate the security overhead incurred by two recently-proposed on-demand anonymous routing schemes, namely ANODR [28][27] (enhanced by ASR [50]) and SDAR [8]. We use the standard on-demand scheme AODV [37] in the comparison to show how much overhead is paid by each anonymous on-demand scheme. Our simulation study shows that various design choices in anonymous routing trade performance with security protection. So far no anonymous routing scheme is able to surpass other competing schemes in all ad hoc scenarios studied. We conclude that extensive performance study is needed to evaluate the practicality of existing and new anonymous routing schemes.

The rest of the paper is organized as follows. In Section 2 we describe ANODR, ASR and SDAR protocols in detail. In Section 3 we evaluate their routing performance. Section 4 describes related work in wireless networks. Finally Section 5 summarizes the paper.

2 Anonymous routing revisited

In this section we briefly review anonymous routing approaches that do not use an on-demand design style first. We then revisit the two recently-proposed on-demand anonymous routing schemes. We show the idiosyncrasies of each scheme and how the design choices affect routing protocol performance.
2.1 Anonymous routing not based on the on-demand approach

Before ANODR [28], ASR [50] and SDAR [8], global-knowledge-based routing approach and proactive routing approach were the dominant choices in anonymous routing design.

In global-knowledge-based routing approach, the network topology is fixed and pre-stored on each node. This includes the following designs. (i) In Chaum’s DC-net [12], the network topology is suggested as a fixed and closed ring. (ii) In Chaum’s MIX-net [11], each message sender pre-stores the entire network topology, and then selects a random path from the known network topology in message routing. All subsequent MIX-net designs [39][23][26][6] inherit this assumption. (iii) In Crowds [43] and sorting network [41], all nodes are one logical hop away, pairwise communications exist with uniform cost. Anonymous messages are forwarded to the next node which is selected in a random manner. If this node is unavailable due to mobility or system crash, then another selection must be made following the same probabilistic method. In other words, every Crowds node (named as “jondo” in [43]) or sorting network node is a member of an overlay network. Although at the network IP layer every node-to-node (or jondo-to-jondo) route is comprised of multiple IP routers, at the anonymized overlay layer such a node-to-node route is a single-hop logical link. This overlay anonymous network assumes either a global routing design or a proactive routing design at the IP network layer. In contrast, static and global topology knowledge is no longer available in mobile ad hoc networks where the network topology constantly changes due to mobility, frequent route outage, and node joining/leaving. Maintaining the same global topology knowledge that is identical to fixed networks is very expensive and reveals the changing topological knowledge to node intruders.

In proactive routing approach, every node proactively and periodically exchanges routing messages with other nodes. Similar to the global routing approach, every node maintains fresh topology knowledge by paying routing communication overheads. In mobile ad hoc networks, various optimized proactive routing schemes, such as OLSR [1] and TBRPF [34], have been proposed to reduce the incurred routing communication overheads. However, like their wired counterparts, the proactive ad-hoc routing schemes let every message sender maintain fresh topology knowledge about the network (even though the incurred communication overhead is less than their wired counterparts). Based on the proactively collected fresh routing knowledge, it is then possible to route anonymous messages to the next stop, which in turn routes the messages toward the final destination. This includes the following designs. (i) All MIX-nets leverage proactive routing protocols at the IP layer to acquire network topology knowledge, which is then used at the anonymized overlay MIX layer to route messages. (ii) Like MIX-nets, an overlay of Crowds [43] or sorting network [41] leverages proactive routing information as well. (iii) In wired Internet, PipeNet [13] and Onion Routing [42] employ anonymous virtual circuit in data forwarding. After a connection establishment procedure, a sequence of routing tables is created on the forwarding nodes to deliver data packets. Each route table holds two columns of virtual circuit identifiers (VCI) in the form of ‘vci_x ↔ vci_y’. If a node receives a packet and the packet is stamped with a vci_x stored in its routing table, the node then accepts the packet, overrides the stamp with the corresponding vci_y, and sends the changed packet to next stop. Both PipeNet and Onion Routing assume that the underlying proactive routing scheme has already provided the needed routing service. Besides, every node in the anonymous network knows its immediate previous stop (upstream node) and immediate next stop (downstream node). (iv) In MIX route [24], a backbone network is formed to cover a mobile network. Every backbone node is a MIX, which uses proactive routing protocols to maintain fresh network topology of the backbone MIX-net.

In a nutshell, these global-knowledge-based routing and proactive routing schemes treat the underlying network as either a stationary graph, or fresh snapshots that can be treated as stationary graphs per proactive period. A shortcoming of applying these approaches in mobile networks comes from node intrusions. If adequate physical protection cannot be guaranteed for every mobile node, intrusion is inevitable within a long time window. The adversary can compromise one mobile node, gather fresh network topology from the node’s knowledge, then use network localization schemes (e.g., distance vector based APS [33]) to pinpoint every mobile node in the network.

Therefore, although various anonymous mechanisms, such as anonymous virtual circuit [13], MIX-net onion and backbone-style MIX-net [24] remain feasible in ad hoc networks, the global routing topology caching and proactive routing topology acquisition approaches are gradually replaced by the on-demand routing approach. Now we describe the recently-proposed on-demand anonymous routing schemes following the order of publication.

2.2 ANODR and ASR

Like PipeNet [13] and Onion Routing [42], ANODR [28][27] and ASR [50] use anonymous virtual circuit in routing and data forwarding. But unlike infrastructure-based PipeNet and Onion Routing, every ANODR and ASR node does not know its immediate upstream node and immediate downstream node in a mobile environment. Instead, the node only knows the physical presence of neighboring ad hoc nodes. This is achieved by a special anonymous signaling procedure.

Route discovery. The source node initiates the anonymous signaling procedure. It creates an anonymous global trapdoor and an onion in a one-time route request (RREQ) flood packet.

1. Anonymous global trapdoor: The global trapdoor is a (semantically secure [17]) encryption of a well-known tag message (e.g., a pre-determined bit-string “You are the destination”) that can only be decrypted by the destination. Once the destination receives the flooded RREQ packet, it decrypts the global trapdoor and sees the well-known tag. But all other nodes see random bits after decryption. The design of global trapdoor requires anonymous end-to-end key agreement between the source and the destination.

2. Onion: As the RREQ packet is flooded from the source to the destination, each RREQ forwarding node adds a self-aware layer to the onion. Eventually the destination receives an onion that can be used to deliver a route reply (RREP) unicast packet back to the source.

The signaling procedure ends when the source receives RREP, and the anonymous virtual circuit is established during the RREP phase.

RREQ flood is a very expensive procedure, while public key crypto-processing is also expensive. According to measurement reports [10] on low-end mobile devices, common public key cryptosystems require 30–100 milliseconds of computation per encryption or per signature verification, 80–900 milliseconds of computation per decryption or per signature generation. Therefore, combining public key crypto and RREQ flood likely degrades routing protocol’s performance. ASR [50] does not study how to establish the shared symmetric key between the source and the destination. ANODR [27] proposes to avoid public key crypto except in the first RREQ flood between a pair of communicators.
In ANODR [27], each node is capable of doing encryption and decryption in both symmetric and public key cryptosystems. To establish the symmetric key shared between the source and the destination, the source must cache the certified public key of any intended destination prior to communication. (1) This implies that every network node must acquire a signed credential from an offline authority Ψ prior to network operations. The credential can be verified by the well-known PK_Ψ. The credential is in the form of “[id, pk_id, validtime]_{SK_Ψ}” signed by SK_Ψ, where a unique network address id is assigned to a node, pk_id is the certified public key of the id, and validtime limits the valid period of the credential. Instead of using the unprotected plain id, the source remembers the credential and avoids using id in communication. (2) The credentials are not secret messages. They can be freely exchanged in the network to facilitate source nodes’ caching experience. In contrast, the selection of a destination’s pk_id is a secret random choice of the source node. (3) The selected pk_id of the destination is the global trapdoor key used in the first RREQ flood between the source and the destination. For better performance, a symmetric key is piggybacked in the first global trapdoor. Then the source would use the symmetric key in later global trapdoors between the same pair of source and destination. This spares the need of public key decryption in later RREQ floods.

At route reply (RREP) phase, the onion is decrypted to establish routing tables en route when the onion comes back from the destination in the reverse order of encryption. (Footnote 1: In onion encryption/decryption, ANODR uses AES [32], while ASR replaces AES with Vernam cipher [47].) The RREP upstream node chooses a random number vci and places it with the onion. The RREP downstream node receives this vci, then functions as the successive upstream node to choose its own vci and overrides the same field in the packet.
As the RREP packet is processed and forwarded towards the source node, each route table on a forwarder Y holds two columns of virtual circuit identifiers (VCI) in the form of ‘vci_x ↔ vci_y’, where vci_x is chosen by Y’s RREP upstream node X, and vci_y is chosen by Y itself. Later in data packet delivery, if a node receives a packet and the packet is stamped with a vci_x stored in its routing table, the node then accepts the packet, overrides the stamp with the corresponding vci_y, and sends the changed packet to next stop (the source and the destination are denoted with special VCI tags vci_src and vci_dst).

Data delivery. ANODR and ASR seek to make every data packet computationally one-time. This prevents traffic analysis and replay attacks. Hence a vci must be a secret shared on a forwarding hop. It is used as the cipher key to encrypt the link frame payload (i.e., IP header and payload). Besides, the explicit VCIs stamped on data packets are computationally one-time. They are cryptographically strong pseudorandom sequences generated from the shared vci, which is now used as the shared secret seed.

To share the secret vci on a hop, a per-hop key exchange scheme is needed. (1) At RREQ phase, an RREQ upstream node (which is later the RREP downstream) must put a one-time temporary public key in the RREQ flood packet. This one-time temporary public key is recorded by the RREQ downstream node (which is later the RREP upstream) for the source/destination session. The RREQ downstream node then overrides the field with its own temporary public key. (2) At RREP phase, the RREP upstream node (earlier the RREQ downstream) uses the stored one-time public key to encrypt the contents of RREP packet including the vci and the coming-back onion. If a one-hop RREP receiver decrypts the encrypted contents and sees the onion it sent out previously at RREQ phase, then this receiver (earlier the RREQ upstream) is en route.
The anonymous virtual circuit is established when the source node receives the onion core it sent out a while ago. This way, the one-time public keys are plain data bits during RREQ floods. Per-hop key agreement overhead (using public key encryption/decryption) is paid during RREP unicasts.

Performance impact. ANODR and ASR have to pay expensive public key crypto-processing overhead during the first RREQ flood between a pair of communicators and all RREP unicasts. This significantly affects their routing performance. In addition, all the anonymous routing schemes reviewed in this section, i.e., ANODR, ASR and SDAR, have not implemented route optimization techniques specified in AODV and DSR (e.g., gratuitous route reply, proactive route fix using constrained flooding, etc.).

2.3 SDAR

SDAR [8] is a combination of proactive and on-demand route discovery. Unlike the purely on-demand ANODR and ASR, every SDAR node uses a proactive and explicit neighbor detection protocol to constantly see the snapshot of its one-hop mobile neighborhood. Every SDAR node periodically sends out a HELLO message holding the certified public key of the node. The SDAR HELLO messages are significantly longer than regular beacon messages because they hold long public keys (typically ≥1024-bit in a common public key cryptosystem like RSA and El Gamal).

An SDAR node is named as the central node as it sits at the center of its own one-hop transmission circle. A central node X explicitly sees its neighbors’ network IDs and verifies associated credentials. X classifies its neighbors into three trust levels according to their behavior. Routing preference is given to the higher level nodes. This is implemented by group key management. X randomly chooses a key for all neighbors in the same trust level (except the lowest level, which is not protected by cryptoschemes). The key is then shared by X and these nodes.
Routing messages intended for the highest level are encrypted with the group key corresponding to the highest level. Routing messages intended for the medium level are encrypted with either the group key corresponding to the medium level or the one corresponding to the highest level. Routing messages intended for the lowest level are not encrypted and thus seen by all listening nodes.

Route discovery. SDAR also employs an on-demand route discovery procedure to establish ad hoc routes. Similar to ANODR and ASR, an SDAR source node S puts a global trapdoor in its RREQ flood packet. While the global trapdoor is encrypted with the destination D’s certified public key, a symmetric key is piggybacked into the global trapdoor to fulfill end-to-end key agreement. Nevertheless, unlike ANODR/ASR which uses identity-free tags, SDAR uses the destination D’s ID in the global trapdoor. This differentiates ANODR/ASR’s identity-free global trapdoor from SDAR’s ID-based global trapdoor.

Unlike ANODR and ASR, SDAR’s RREQ forwarding events do not form any onion. Instead, a sequence of key agreement operations is implemented. The source node S puts its one-time public key TPK in the RREQ flood packet. S also piggybacks the corresponding one-time private key TSK in the global trapdoor, so that both S and D can decrypt any data encrypted by TPK. Each RREQ forwarder records TPK, chooses a random symmetric key K, and uses TPK to encrypt this per-stop K. This encrypted block is appended to the current RREQ packet. Finally when a RREQ packet reaches the destination D after traversing l hops, it contains l such appended TPK-encrypted blocks. D opens the global trapdoor and knows TSK, then uses TSK to decrypt every TPK-encrypted block and thus shares a symmetric key with every forwarder of the received RREQ packet.

Similar to MIX-net, now the SDAR destination D has the l (symmetric) keys to form an RREP packet in the form of MIX-net onion. The destination D puts all symmetric key Ks in the innermost core so that only the source S can decrypt the onion core and share D’s symmetric key with every RREP forwarder. Once the source S receives the coming-back RREP, both the source S and the destination D have made a symmetric key agreement with every intermediate forwarder. Like the way RREP packet is delivered, S and D use MIX-net onion to deliver data payloads to each other.

Data delivery. The SDAR literature [8] claims that the data delivery design is similar to Onion Routing [42] (which uses anonymous virtual circuit), but its data delivery protocol description matches MIX-net onion rather than Onion Routing’s virtual circuit. In fact, as described below in Section 3, adopting virtual circuit in data delivery has great impact on routing performance.

Performance impact. Compared to the purely on-demand ANODR, SDAR incurs extra neighbor detection overhead. Each neighbor detection message is significantly longer than short beacon messages, and also incurs a number of public key authentication and key exchange operations in the changing mobile neighborhood.

In on-demand route discovery, SDAR incurs large crypto-processing and communication overheads. Every RREQ forwarding must pay the cost of a public key encryption using TPK. This incurs expensive public key encryption overhead in the entire network per RREQ flood. SDAR’s RREQ and RREP packets are very long. Each RREQ packet holds l′ TPK-encrypted blocks where l′ is the hop count from the source S to the current RREQ forwarder, each of the blocks is as long as the public key length (typically ≥1024-bit in a common public key cryptosystem like RSA and El Gamal). Every RREP packet and DATA packet has l MIX-net onion layers, each of the layers is at least 128-bit long (a typical symmetric key length).

2.4 Summary

Table 1 compares several design choices that may have significant impact on routing protocol performance and on security/performance tradeoffs.

Table 1: Protocol comparison

                     ANODR            ASR              SDAR
Fully on-demand?     Fully            Fully            Proactive neighbor detection
PKC in RREQ flood    First contact    First contact    All the time
Data delivery        Virtual circuit  Virtual circuit  MIX-net onion
Neighbor exposure    No               No               Exposed

We compare the above aspects due to the following reasons. (1) Proactive neighbor detection incurs periodic communication and computational overheads on every mobile node. (2) Using expensive public key cryptography (PKC encryption/decryption) with expensive RREQ flood incurs intensive communication and computational overheads per flood. (3) In terms of data delivery performance, virtual circuit based schemes are more efficient than MIX-net’s onion based schemes. The latter one incurs l real-time encryption delay on the source node and then a single real-time decryption delay on every packet receiving node. (4) In MIX-net, a one-hop neighborhood is exposed to an internal (and possibly external) adversary. This is not a security problem in fixed networks. But in mobile networks, this reveals the changing local network topology to mobile traffic sensors, which could quickly scan the entire network for once and assemble every neighborhood together to obtain an estimation of the entire network topology. (5) Recipient anonymity (of the destination’s network ID) is a critical security concern. Otherwise, every RREQ packet receiver (i.e., every node participating in the RREQ flooding) can see how busy a destination node is from the received RREQ packets. This traffic analysis can be used by the mobile traffic sensors to define the priority in node tracing.
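The ANODR-style route discovery and virtual-circuit data delivery of Section 2.2 (the "Virtual circuit" row of Table 1) can be traced end to end in the following added Python model, which is not code from the paper or from the ANODR authors. It assumes a SHA-256 keystream in place of AES, an end-to-end trapdoor key that S and D already share, and no per-hop public-key protection of the RREP; the names Node, discover, deliver, stamp and the five-node topology are hypothetical.

```python
import hashlib
import hmac
import secrets
from collections import deque

TAG = b"You are the destination"            # well-known tag quoted in the text
VCI_SRC, VCI_DST = b"vci_src", b"vci_dst"   # special end-point tags

def xor_stream(key, nonce, data):
    """SHA-256 counter keystream XOR: a self-inverse stand-in for AES."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))

def stamp(vci, seq):
    """One-time on-air VCI derived from the secret per-hop vci (the seed)."""
    return hmac.new(vci, seq.to_bytes(8, "big"), hashlib.sha256).digest()[:8]

class Node:
    def __init__(self):
        self.layer_key = secrets.token_bytes(16)  # onion key, never leaves the node
        self.e2e_keys = []   # symmetric keys already shared with sources
        self.sent = set()    # onions this node emitted during the RREQ flood
        self.table = {}      # vci_x / vci_y pairs, stored in both directions

    def opens_trapdoor(self, trapdoor):
        nonce, body = trapdoor[:16], trapdoor[16:]
        return any(xor_stream(k, nonce, body) == TAG for k in self.e2e_keys)

    def wrap(self, onion):   # RREQ: add one layer and remember what was sent
        nonce = secrets.token_bytes(16)
        out = nonce + xor_stream(self.layer_key, nonce, onion)
        self.sent.add(out)
        return out

    def peel(self, onion):   # RREP: strip the layer this node added
        return xor_stream(self.layer_key, onion[:16], onion[16:])

def discover(topology, nodes, src, e2e_key):
    """One RREQ flood and the RREP walk back; returns the route or None."""
    nonce = secrets.token_bytes(16)
    trapdoor = nonce + xor_stream(e2e_key, nonce, TAG)
    core = secrets.token_bytes(16)
    nodes[src].sent.add(core)
    seen, dest, dest_onion = {src}, None, None
    queue = deque((n, core) for n in topology[src])
    while queue:                                  # breadth-first RREQ flood
        name, onion = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        if nodes[name].opens_trapdoor(trapdoor):  # only the destination sees TAG
            dest, dest_onion = name, onion
            continue
        out = nodes[name].wrap(onion)
        queue.extend((n, out) for n in topology[name])
    if dest is None:
        return None
    route, hop, onion, vci_x = [dest], dest, dest_onion, VCI_DST
    while hop != src:                             # RREP goes back hop by hop
        vci_y = secrets.token_bytes(8)            # chosen by the current node
        nodes[hop].table.update({vci_x: vci_y, vci_y: vci_x})
        # local broadcast: only the node that emitted this onion is en route
        nxt = next(n for n in topology[hop] if onion in nodes[n].sent)
        if nxt != src:
            onion = nodes[nxt].peel(onion)
        route.append(nxt)
        hop, vci_x = nxt, vci_y
    nodes[src].table.update({vci_x: VCI_SRC, VCI_SRC: vci_x})  # core came back
    return route[::-1]

def deliver(topology, nodes, src, payload, seq):
    """Send one data packet; returns (receiver, payload, frames seen on air)."""
    hop, vci, on_air = src, nodes[src].table[VCI_SRC], []
    while vci != VCI_DST:
        mark = stamp(vci, seq)
        frame = xor_stream(vci, mark, payload)    # payload under the hop secret
        on_air.append((mark, frame))
        hop, vci = next((n, v) for n in topology[hop]
                        for v in nodes[n].table if stamp(v, seq) == mark)
        payload = xor_stream(vci, mark, frame)
        vci = nodes[hop].table[vci]
    return hop, payload, on_air

# Constructed topology (neighbours as one-letter names): S-A-B-D, E is a bystander.
TOPOLOGY = {"S": "A", "A": "SBE", "B": "AD", "D": "B", "E": "A"}

def demo():
    nodes = {name: Node() for name in TOPOLOGY}
    key = secrets.token_bytes(16)    # assumed already agreed between S and D
    nodes["D"].e2e_keys.append(key)
    route = discover(TOPOLOGY, nodes, "S", key)
    receiver, data, frames = deliver(TOPOLOGY, nodes, "S", b"hello D", seq=1)
    return nodes, route, receiver, data, frames

if __name__ == "__main__":
    print(demo()[1:4])
```

Node E takes part in the flood and adds an onion layer, yet ends with an empty table because the returning onion never matches one it emitted; the stamp and the ciphertext of the same packet differ on every hop and for every sequence number.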
3 Performance evaluation

The performance of the anonymous ad-hoc routing protocols discussed in this paper is evaluated through simulation in our empirical study. In the evaluation, the aforementioned anonymous ad-hoc routing protocols are presented for comparison together with the original AODV. Our evaluation concerns the influence from processing overhead incurred by the cryptosystems in use and also the influence of routing control overhead caused by different size of routing control packets.

The simulations of the protocols are all implemented based on AODV. Each of them implements the main principles but uses different cryptosystems in establishing the secret hop key vci. The cryptosystems include the public key cryptography and a variant of efficient Key Pre-distribution Schemes (KPS). In a public key scheme, the network needs an offline authority to grant every network member a credential signed by the authority’s signing key, so that any node can verify a presented credential with the authority’s well-known public key. The standard ANODR, SDAR and ASR described in Section 2 use public key cryptography. In a KPS scheme, the network needs an offline authority to load every node with personal key materials. Afterward, any two nodes can use their key materials and agree on a symmetric key. If the underlying KPS scheme is a probabilistic one [16][15] rather than a deterministic one [7], then the key agreement succeeds with a high probability.

Besides the original public key based ANODR, a variant of ANODR using KPS (in RREP unicasts) is tested in our simulation study. It uses the probabilistic KPS scheme proposed by Du et al. [15] (denoted as ANODR-DU-KPS). In ANODR-DU-KPS, the probability of achieving a successful key agreement at each hop is 98%. In other words, key vci agreement fails with probability 2% at every RREP hop. A new route discovery procedure will be invoked eventually by the source.

3.1 Crypto-processing performance measurement

The processing overhead used in our simulation is based on actual measurement on low-end devices. Table 2 shows our measurements on the performance of different cryptosystems. For public key cryptosystems, the table shows processing latency per operation. For symmetric key cryptosystems (the five AES final candidates), the table shows encryption/decryption bit-rate.

Table 2: Processing overhead of various cryptosystems (on iPAQ3670 pocket PC with Intel StrongARM 206MHz CPU)

Cryptosystem                          decryption   encryption
ECAES (160-bit key)                   42ms         160ms
RSA (1024-bit key)                    900ms        30ms
El Gamal (1024-bit key)               80ms         100ms
AES/Rijndael (128-bit key & block)    29.2Mbps     29.1Mbps
RC6 (128-bit key & block)             53.8Mbps     49.2Mbps
Mars (128-bit key & block)            36.8Mbps     36.8Mbps
Serpent (128-bit key & block)         15.2Mbps     17.2Mbps
TwoFish (128-bit key & block)         30.9Mbps     30.8Mbps

Clearly, different cryptosystems introduce different processing overhead, thus have different impact on anonymous routing performance. For all public key cryptographic operations in the simulation, we use ECAES with 160-bit key. For the symmetric cryptography, we use AES/Rijndael with 128-bit key and block. The coding bandwidth is about 29.2Mbps. As an example, in ANODR, computational delay is approximately 0.02ms for each onion construction during each RREQ and RREP forwarding, and another public key processing time 160 + 42 = 202ms for RREP packets. The KPS based ANODR trades link overhead for processing time, i.e., ANODR-DU-KPS uses 1344 bits and 1288 bits key agreement material for RREQ and RREP packets respectively. Each of them requires only 1ms extra time in symmetric key crypto-processing.

3.2 Simulation model

The simulation is performed in QualNet™ [45], a packet level simulator for wireless and wired networks developed by Scalable Network Technologies Inc. The distributed coordination function (DCF) of IEEE 802.11 is used as the MAC layer in our experiments.
It uses Request-To-Send (RTS) and Clear-To-Send (CTS) control packets to provide virtual carrier sensing for unicast data packets to overcome the well-known hidden terminal problem. Each unicast data transmission is followed by an ACK. The radio uses the two-ray ground reflection propagation model and has characteristics similar to commercial radio interfaces (e.g., WaveLAN). The channel capacity is 2Mbps. The network field is 2400m×600m with 150 nodes initially uniformly distributed. The transmission range is 250m.

Random Way Point (RWP) model is used to simulate node mobility. In our simulation, the mobility is controlled in such a way that minimum and maximum speeds are always the same (to fix a recently discovered problem [48]), but increase from 0 to 10 m/sec in different runs. The pause time is fixed to 30 seconds. CBR sessions are used to generate network data traffic. For each session, data packets of 512 bytes are generated at a rate of 4 packets per second. The source-destination pairs are chosen randomly from all the nodes. During 15 minutes simulation time, a constant, continuously renewed load of 5 short-lived pairs is maintained. All simulations are conducted in identical network scenarios (mobility, communication traffic) and routing configurations across all schemes in comparison. All results are averaged over multiple runs with different seeds for the random number generator.

3.3 Routing performance measurement

We evaluate the performance of these protocols in terms of five metrics: packet delivery ratio, average end-to-end data packet delay, average route acquisition delay, and normalized routing load in bytes and number of packets per data packet delivered. SDAR requires each node to periodically broadcast messages to neighboring one hop nodes. When we compare the five performance metrics, we leave out the periodical routing control overhead for SDAR and study it in a separate discussion.

Figure 2: Delivery Fraction [plot: delivery fraction vs. mobility (m/s); curves: Original AODV, ANODR-DU-KPS, ASR, ANODR, SDAR]

Figure 2 shows the comparison of packet delivery ratio. No doubt that under an environment without any attackers, the original AODV protocol indicates the best performance possible on this metric. ANODR-DU-KPS has similar performance to the original AODV, as it only uses efficient symmetric cryptography when exchanging routing packets, effectively accelerating the route discovery process and making the established routes more durable. The other three protocols result in significant degradation in delivery ratio, primarily caused by the longer delay required for asymmetric key encryption/decryption. In a mobile environment, excessive delay in route discovery process makes it harder to establish and maintain routes. SDAR has the worst performance, because SDAR requires public key encryption/decryption to forward both route request messages and route reply messages, while the other two protocols only run public key encryption/decryption when forwarding route reply messages. All of the curves show a more or less steady descent when mobility increases. This is natural as increasing mobility will cause more packet loss.

Figure 3: Data Packet Latency (ms) [plot: data packet latency (ms) vs. mobility (m/s); curves: SDAR, ASR, ANODR, ANODR-DU-KPS, Original AODV]

Figure 3 illustrates the data packet latency. Again, as SDAR uses public key cryptography throughout the round trip of route discovery, a node needs to wait a longer time before a route is established. ANODR and ASR have similar average data packet latency and both of them only use public key encryption/decryption when forwarding route reply messages. ANODR-DU-KPS has nearly the same data packet delay as the original AODV, thanks to the efficient symmetric encryption algorithms and hash functions used. When there is little mobility, all protocols display small data packet latency, because once a route is established, a stable network allows a longer average route lifetime. When mobility increases, data packet latency increases accordingly. It generally stops increasing at some point and starts to decrease because beyond the summit, more and more data packets are lost due to mobility, thus only the routes with relatively small hop counts can survive and be used to transmit data packets efficiently.

Figure 4: Average Route Acquisition Delay (ms) [plot: average route acquisition delay (ms) vs. mobility (m/s); curves: SDAR, ANODR, ASR, Original AODV, ANODR-DU-KPS]

Figure 4 shows the average route acquisition delay under different node mobility. The overall trend is similar to Figure 3, with the exception that unlike data packet latency, when mobility is small, the route acquisition delay is at a very high level. This can be explained by the fact that when nodes are moving, it’s easier for them to encounter other nodes either closer to the destination or moving in the direction of the destination.

Figure 5: Normalized Control Packets [plot: normalized control packets vs. mobility (m/s); curves: ASR, ANODR, ANODR-DU-KPS, SDAR, Original AODV]

Figure 5 compares the number of normalized control packets over all of the protocols. All of the anonymous ad-hoc protocols have similar normalized control packets. They are all significantly higher than that of the original AODV, as the added cryptographic delay results in more route error messages and route repairs. Also, as the mobility increases, more route errors will be generated.
[Figure 6: Normalized Control Bytes versus Mobility (m/s) for ANODR-DU-KPS, ASR, ANODR, SDAR and Original AODV]

Figure 6 compares the normalized control overhead in terms of bytes. The trend of the curves is about the same as in Figure 5; however, it's clear that ANODR-DU-KPS incurs much more overhead. This is expected because, with a similar number of normalized control packets, the comparison of normalized control bytes is determined by the control packet size. As we can see, the size of the control packets (RREQ and RREP, primarily) of ANODR-DU-KPS is about two times or more that of ANODR, SDAR and ASR, and three times or more that of the original AODV.

[Figure 7: SDAR Normalized Neighbor Authentication Overhead versus Mobility (m/s); Normalized Authentication Packets on the left axis, Normalized Authentication Bytes on the right axis]

Figure 7 reports the overhead of the proactive key establishment of SDAR. It shows the normalized number and bytes of neighbor authentication packets under different mobility conditions. SDAR uses periodical hello messages containing public keys for community management. Thus the number of periodical control packets is not affected by mobility. However, since the number of packets delivered decreases as the mobility increases, the overhead packets increase gradually when mobility increases (the scale is given at the left side of Figure 7). A similar trend for overhead measured in bytes is observed (the scale is shown at the right side of Figure 7). On the other hand, the number of authentication packets is determined by the frequency of the Hello message. In this simulation we use the default AODV Hello frequency, i.e., one Hello message per second. Compared with the normalized routing overhead presented in Figures 5 and 6, the current periodic packet overhead is close to the overhead generated by the route discovery and maintenance (Figure 5). Reduction of this neighbor authentication overhead could be achieved through possible adaptation of the Hello interval. However, SDAR has a lower level of normalized authentication bytes than its routing control bytes (Figure 6). This is because the size of the Hello message is smaller than the sizes of RREQ and RREP packets in SDAR.

In summary, the simulation results explicitly demonstrate the existence of trade-offs between routing performance and security protection. Because the ad hoc route discovery (RREQ/RREP) procedure is time critical in a mobile network, excessive crypto-processing latency would result in stale routes and hence devastated routing performance. In order to design a practical anonymous ad hoc routing scheme, we must find the optimal balance point that can both avoid expensive cryptographic processing and provide needed security protection at the same time. Our results show that ANODR and ASR are suitable in mobile ad hoc networks with heterogeneous nodes (including low-end nodes) and medium mobility. SDAR is only suitable in mobile ad hoc networks with high-end nodes that can run public key cryptography efficiently. In addition, compared to ANODR's anonymous virtual circuit design, SDAR's onion-based data delivery design incurs significant routing overhead per data packet. The anonymous communication demand and the routing performance demand together call for future work to study more anonymous ad hoc routing proposals in regard to their routing performance and security guarantee.

4 Related Work

Existing anonymity schemes for wireless networks fall into a spectrum of classes. In "last hop" wireless networks (including cellular networks and wireless LANs), the demand of user roaming requires more promising assurance on the privacy of mobile users. The network participants considered in related research are typically the mobile users, the home servers of the users, the foreign agent servers local to the users, and the eavesdroppers (could be other mobile users). In [44][2], mobile users are associated with dynamic aliases that appear unintelligible to anyone except the home server. Then the foreign agent server accepts the user's connections upon the home server's request. In [19], mobile users employ Chaum's blind signature to establish authenticated but anonymous connections to the foreign agent server. Hu and Wang [20] propose to use anonymous rendezvous, an anonymous bulletin board, to let mobile nodes anonymously connect to their communicators. These efforts provide unlinkability protections between node identities and their credentials during anonymous transactions. This design goal is orthogonal to anonymous on-demand routing.

In wireless sensor networks, distributed sensor nodes monitor target events, function as information sources and send sensing reports to a number of sinks (command center) over multi-hop wireless paths. The sensor nodes and sinks are typically stationary in WSN. Deng et al. [14] propose to use multi-path routes and varying traffic rates to protect recipient anonymity for the network sinks. Ozturk et al. [35] prevent a mobile adversary (e.g., a poacher) from tracing a sensor report packet flow back to a mobile target's location (e.g., a panda). The sensor nodes must report the mobile target's status to the sinks via phantom flooding, which is a sequential combination of random walk and controlled flooding. Both proposals seek to prevent the adversary from tracing network packet flows back to the sources or the sinks. In these proposals, routers (i.e., forwarding nodes) are stationary. They are not applicable to a network where every router is mobile.

In geographic services, both Location-Based Services [18] and Mix Zones [5] study how to use middleware service to ensure location privacy with respect to time accuracy and position accuracy. They study user anonymity protection in static "geographic regions" with boundary lines. The regions are fixed during the network lifetime, and anonymity protection degrades in a single region. Besides, since the anonymity protection stops at the middleware layer (typically above the network IP layer), the adversary can trace a mobile node using network identities/addresses at the network layer and the link layer, or radio signatures at the physical layer. These middleware services protect upper layer user identities that are different from routing identities.

5 Conclusion

In this paper we have illustrated the connections amongst the two recently-proposed on-demand anonymous routing schemes, namely ANODR (and its variant ASR) and SDAR. We analyze various factors that affect their routing performance and security. We further demonstrate that tradeoffs exist between the performance and the degree of protection. Our simulation study verifies that various choices in anonymous routing design have significant impact on anonymous routing protocol performance. Our results show that ANODR and ASR are suitable in mobile ad hoc networks with heterogeneous nodes (including low-end nodes) and medium mobility. SDAR is only suitable in mobile ad hoc networks with high-end nodes that can run public key cryptography efficiently. We conclude that more extensive performance study is needed to evaluate the practicality of the proposed anonymous proposals, the enhancements of them, and the new anonymous routing schemes.

References

[1] C. Adjih, T. Clausen, P. Jacquet, A. Laouiti, P. Minet, P. Muhlethaler, A. Qayyum, and L. Viennot. Optimized Link State Routing Protocol. Internet Draft.
[2] G. Ateniese, A. Herzberg, H. Krawczyk, and G. Tsudik. Untraceable Mobility or How to Travel Incognito. Computer Networks, 31(8):871–884, 1999.
[3] ATM Forum. Asynchronous Transfer Mode. http://www.atmforum.org/.
[4] D. Balfanz, G. Durfee, N. Shankar, D. K. Smetters, J. Staddon, and H.-C. Wong. Secret Handshakes from Pairing-Based Key Agreements. In IEEE Symposium on Security and Privacy, pages 180–196, 2003.
[5] A. R. Beresford and F. Stajano. Location Privacy in Pervasive Computing. IEEE Pervasive Computing, 2(1):46–55, 2003.
[6] O. Berthold, H. Federrath, and S. Köpsell. Web MIXes: A system for anonymous and unobservable Internet access. In H. Federrath, editor, DIAU'00, Lecture Notes in Computer Science 2009, pages 115–129, 2000.
[7] R. Blom. An Optimal Class of Symmetric Key Generation System. In T. Beth, N. Cot, and I. Ingemarsson, editors, EUROCRYPT'84, Lecture Notes in Computer Science 209, pages 335–338, 1985.
[8] A. Boukerche, K. El-Khatib, L. Xu, and L. Korba. SDAR: A Secure Distributed Anonymous Routing Protocol for Wireless and Mobile Ad Hoc Networks. In 29th IEEE International Conference on Local Computer Networks (LCN'04), pages 618–624, 2004.
[9] J. Broch, D. A. Maltz, D. B. Johnson, Y.-C. Hu, and J. Jetcheva. A Performance Comparison of Multi-Hop Wireless Ad Hoc Network Routing Protocols. In ACM MOBICOM, pages 85–97, 1998.
[10] M. Brown, D. Cheung, D. Hankerson, J. L. Hernandez, M. Kurkup, and A. Menezes. PGP in Constrained Wireless Devices. In USENIX Security Symposium (Security '00), 2000.
[11] D. L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84–88, 1981.
[12] D. L. Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1(1):65–75, 1988.
[13] W. Dai. PipeNet 1.1. http://www.eskimo.com/~weidai/pipenet.txt, 1996.
[14] J. Deng, R. Han, and S. Mishra. Intrusion Tolerance and Anti-Traffic Analysis Strategies for Wireless Sensor Networks. In IEEE International Conference on Dependable Systems and Networks (DSN), pages 594–603, 2004.
[15] W. Du, J. Deng, Y. S. Han, and P. K. Varshney. A Pairwise Key Pre-distribution Scheme for Wireless Sensor Networks. In ACM CCS, pages 42–51, 2003.
[16] L. Eschenauer and V. D. Gligor. A Key-Management Scheme for Distributed Sensor Networks. In ACM CCS, pages 41–47, 2002.
[17] S. Goldwasser and S. Micali. Probabilistic Encryption. Journal of Computer and System Sciences, 28(2):270–299, 1984.
[18] M. Gruteser and D. Grunwald. Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking. In MobiSys03, 2003.
[19] Q. He, D. Wu, and P. Khosla. Quest for Personal Control over Mobile Location Privacy. IEEE Communications Magazine, 42(5):130–136, 2004.
[20] Y.-C. Hu and H. J. Wang. A Framework for Location Privacy in Wireless Networks. In ACM SIGCOMM Asia Workshop, 2005.
[21] P. G. Ifju, S. M. Ettinger, D. Jenkins, Y. Lian, W. Shyy, and M. Waszak. Flexible-wing-based Micro Air Vehicles. In 40th AIAA Aerospace Sciences Meeting, 2002.
[22] P. G. Ifju, S. M. Ettinger, D. Jenkins, and L. Martinez. Composite materials for Micro Air Vehicles. SAMPE Journal, 37(4):7–13, 2001.
[23] A. Jerichow, J. Müller, A. Pfitzmann, B. Pfitzmann, and M. Waidner. Real-Time MIXes: A Bandwidth-Efficient Anonymity Protocol. IEEE Journal on Selected Areas in Communications, 16(4), 1998.
[24] S. Jiang, N. Vaidya, and W. Zhao. A MIX Route Algorithm for Mix-net in Wireless Ad hoc Networks. In IEEE International Conference on Mobile Ad-hoc and Sensor Systems (MASS), 2004.
[25] D. B. Johnson and D. A. Maltz. Dynamic Source Routing in Ad Hoc Wireless Networks. In T. Imielinski and H. Korth, editors, Mobile Computing, volume 353, pages 153–181. Kluwer Academic Publishers, 1996.
[26] D. Kesdogan, J. Egner, and R. Buschkes. Stop-and-go MIXes Providing Probabilistic Security in an Open System. Second International Workshop on Information Hiding (IH'98), Lecture Notes in Computer Science 1525, pages 83–98, 1998.
[27] J. Kong. Anonymous and Untraceable Communications in Mobile Wireless Networks. PhD thesis, University of California, Los Angeles, June 2004.
[28] J. Kong and X. Hong. ANODR: ANonymous On Demand Routing with Untraceable Routes for Mobile Ad-hoc Networks. In ACM MOBIHOC'03, pages 291–302, 2003.
[29] J. Kong, X. Hong, and M. Gerla. A New Set of Passive Routing Attacks in Mobile Ad Hoc Networks. In IEEE MILCOM, 2003.
[30] F. J. MacWilliams and N. J. A. Sloane. The Theory of Error-Correcting Codes. Amsterdam, The Netherlands, North-Holland, 1988.
[31] R. Motwani and P. Raghavan. Randomized algorithms. Cambridge University Press, 1995.
[32] National Institute of Standards and Technology. Advanced Encryption Standard. http://csrc.nist.gov/encryption/aes/, 2001.
[33] D. Niculescu and B. Nath. Ad hoc positioning system (APS). In IEEE GLOBECOM, 2001.
[34] R. Ogier, M. Lewis, and F. Templin. Topology Dissemination Based on Reverse-Path Forwarding (TBRPF). http://www.ietf.org/internet-drafts/draft-ietf-manet-tbrpf-07.txt, March 2003.
[35] C. Ozturk, Y. Zhang, and W. Trappe. Source-Location Privacy in Energy-Constrained Sensor Network Routing. In ACM SASN, pages 88–93, 2004.
[36] C. E. Perkins and E. M. Royer. Ad-Hoc On-Demand Distance Vector Routing. In IEEE WMCSA'99, pages 90–100, 1999.
[37] C. E. Perkins, E. M. Royer, and S. Das. Ad-hoc On Demand Distance Vector (AODV) Routing. http://www.ietf.org/rfc/rfc3561.txt, July 2003.
[38] A. Pfitzmann and M. Köhntopp. Anonymity, Unobservability, and Pseudonymity - A Proposal for Terminology. In H. Federrath, editor, DIAU'00, Lecture Notes in Computer Science 2009, pages 1–9, 2000.
[39] A. Pfitzmann, B. Pfitzmann, and M. Waidner. ISDN-Mixes: Untraceable Communication with Very Small Bandwidth Overhead. In GI/ITG Conference: Communication in Distributed Systems, pages 451–463, 1991.
[40] A. Pfitzmann and M. Waidner. Networks Without User Observability: Design Options. In F. Pichler, editor, EUROCRYPT'85, Lecture Notes in Computer Science 219, pages 245–253, 1986.
[41] C. Rackoff and D. R. Simon. Cryptographic defense against traffic analysis. In Symposium on the Theory of Computation (STOC), pages 672–681, 1993.
[42] M. G. Reed, P. F. Syverson, and D. M. Goldschlag. Anonymous Connections and Onion Routing. IEEE Journal on Selected Areas in Communications, 16(4), 1998.
[43] M. K. Reiter and A. D. Rubin. Crowds: Anonymity for Web Transactions. ACM Transactions on Information and System Security, 1(1):66–92, 1998.
[44] D. Samfat, R. Molva, and N. Asokan. Untraceability in Mobile Networks. In ACM MOBICOM, pages 26–36, 1995.
[45] Scalable Network Technologies (SNT). QualNet. http://www.qualnet.com/.
[46] Y. Shang, W. Ruml, Y. Zhang, and M. P. J. Fromherz. Localization from Mere Connectivity. In ACM MOBIHOC, pages 201–212, 2003.
[47] G. S. Vernam. Cipher Printing Telegraph Systems for Secret Wire and Radio Telegraphic Communications. Journal American Institute of Electrical Engineers, XLV:109–115, 1926.
[48] J. Yoon, M. Liu, and B. Noble. Sound Mobility Models. In ACM MOBICOM, pages 205–216, 2003.
[49] Y. Zhang, W. Liu, and W. Lou. Anonymous Communications in Mobile Ad Hoc Networks. In IEEE INFOCOM, 2005.
[50] B. Zhu, Z. Wan, M. S. Kankanhalli, F. Bao, and R. H. Deng. Anonymous Secure Routing in Mobile Ad-Hoc Networks. In 29th IEEE International Conference on Local Computer Networks (LCN'04), pages 102–108, 2004.

Computer Ecology: Responding to Mobile Worms with Location-Based Quarantine Boundaries

Baik Hoh, WINLAB, ECE Department, Rutgers, The State University of New Jersey, baikhoh@winlab.rutgers.edu
Marco Gruteser, WINLAB, ECE Department, Rutgers, The State University of New Jersey, gruteser@winlab.rutgers.edu

Abstract

The local wireless links in mobile ad hoc networks allow worms to propagate without passing through central gateways where service providers can deploy intrusion detection systems (IDS). On mobile nodes, conventional intrusion detection and intrusion response techniques such as address blacklisting and content filtering are more difficult to deploy due to the lack of central entities and the resource constraints of mobile nodes. We analyze the magnitude of this threat by characterizing the propagation speed and infection rates that worms could obtain using the example of a vehicular mobile ad hoc network environment. We then propose techniques for modeling the spread of such worms through ecologically inspired diffusion-reaction and advection, and discuss their application in managing an intrusion response. Since infection patterns in ad hoc networks are highly correlated with geographic proximity, these models allow estimation of the origin and the current spread of a worm based on a set of intrusion reports and their geographic positions. Service providers could use these models for constructing a quarantine boundary and target a containment response, especially for devices that have both short-range radios for ad hoc communication and a low-bandwidth backhaul link to the service provider.

1 Introduction

A current trend in pervasive devices is towards multi-radio support, allowing direct local interaction between devices in addition to maintaining long-haul links to infrastructure networks. Many current cell phones already contain Bluetooth radios that enable peer-to-peer exchange of files and usage of services from nearby devices. Bluetooth is also available in some automobiles and the US Federal Communications Commission has reserved spectrum for Dedicated Short Range Communications (DSRC), a wireless communications standard for inter-vehicle networks based on the IEEE 802.11 medium access protocol [6]. Example applications are collaborative crash warning and avoidance, dynamic traffic light control, or ad hoc forwarding of traffic probe information [30, 31].

Unfortunately, peer-to-peer interaction between devices provides an alternative propagation path for worms and viruses.
The Internet experience illustrates that worm attacks are a significant concern and a proof-of-concept Bluetooth worm, Cabir, has already been implemented.¹ More aggressive worms that exploit bugs (e.g., buffer overflow in the Bluetooth software/protocol stack [32, 29]) and make unwanted phone calls are not hard to imagine [5, 27], and become more likely as financial incentives increase. Regardless of the sophistication of the prevention strategies, in an environment with high reliability requirements it is only prudent to also plan for outbreaks with appropriate containment strategies. Peer-to-peer replication over short-range wireless networks creates a challenge for intrusion detection and response, because the worm cannot be observed and blocked by intrusion detection and response systems in the cellular service provider's core network. Instead, intrusion detection must be deployed on resource-constrained mobile devices or on specialized honeypot devices distributed in high-traffic zones [33, 2]. Regardless of the employed intrusion detection method, these constraints will lead to a delay between the time of outbreak and alarm because of distributed processing delays and human analysis. Thus, the intrusion response system has at best an outdated view of the current worm propagation.

¹ In fact, a Cabir outbreak was recently reported during a sporting event at the Helsinki Olympic Stadium [22].

In this work, we consider an intrusion response architecture where a service provider remotely administers mobile nodes over the wide-area infrastructure wireless network. Using ecologically inspired location-based quarantine boundary estimation techniques, the service provider can estimate a set of likely infected nodes. This allows the service provider to concentrate efforts on infected nodes and minimize inconvenience and danger to non-affected parties.

The remainder of this paper is structured as follows. Section 2 clarifies the threat model and system assumptions.
It also defines the estimation problem that this paper addresses. Section 3 develops a quarantine boundary estimation algorithm from ecological diffusion-reaction and advection models. We evaluate our proposed algorithm by applying it to two ad hoc network scenarios: a pedestrian random-walk and a vehicular network on a highway. These results are reported in section 4. In section 5, we analyze the simulation results and discuss the effectiveness of the approach. In addition, we discuss how to locate patient 0 based on a set of intrusion reports. Section 6 compares our work with directly related prior works before we conclude.

2 Threat assessment

We consider a network system that comprises mobile radio nodes with ad hoc networking capabilities and a wide-area wireless infrastructure network with central network management by a service provider. Each mobile node is connected to the infrastructure network, provided that radio coverage is available, and can directly communicate with other mobile nodes over a short-range radio interface. Examples of such a system are a CDMA/GSM cell-phone network with Bluetooth handsets or an automotive telematics system supporting CDMA and DSRC. We assume that the service provider can locate each mobile node. This could be implemented through Assisted GPS on the nodes or triangulation technology in the infrastructure. Hybrid approaches are also possible.

In this network system, worms and viruses may spread through ad hoc connections over the short-range interface, rather than the infrastructure network. Mobile nodes can be infected if they are a neighbor, meaning in the communication range $C_r$, of an already infected node. Typically, an infected node is able to identify its neighbors through network discovery mechanisms (e.g., IEEE 802.11 probe request, probe response protocol) or by monitoring communications within its range.
Not all neighbors must be susceptible to the attack because an attack might depend on a vulnerability in a particular implementation or the configuration of the device.² We can assume, however, that malware will infect these susceptible nodes through software vulnerabilities soon after they first enter the communication range of an infected node.

On Bluetooth networks, the BlueSmack attack [18], however, already provides an example of malware that exploits a buffer overflow vulnerability in a Bluetooth implementation. BlueSmack sends an oversized L2CAP echo request packet to a Bluetooth host to overflow the allocated receive buffer. While this attack only crashes the Bluetooth stack, similar vulnerabilities will probably allow future malware to execute arbitrary code. Even though any specific realization of such an attack is to date unknown, this will likely allow malware to spread without any user intervention through software exploits, similar to the spread of worms among Internet hosts.

Malware spreading over the ad hoc network is more difficult to detect and contain than malware spreading over an infrastructure network, because the network does not contain concentration points (chokepoints) where centralized intrusion detection and traffic filtering techniques can be applied. Instead, detection and response techniques must be implemented in a highly distributed architecture on the mobile nodes themselves. While it is plausible that malware propagates over both the short-range and the infrastructure network, we ignore this case here because the infrastructure connections can be prevented with traditional defenses.³

² In particular, settings such as the Bluetooth non-discoverable mode might provide limited protection against some attacks while other brute force scan mechanisms are still possible [27].

We are especially concerned with unknown malware, which signature-based intrusion detection systems cannot yet detect.
The service provider may learn of a new epidemic through different mechanisms ranging from mundane user calls to its service hotline to a sophisticated anomaly detection system. We observe that any of these mechanisms suffers from a high false-alarm probability and thus requires the intervention of a human analyst to verify that an actual outbreak exists. This leads to a detection delay of minutes in the best case. Even in a fully automated system, a distributed intrusion detection system would add delay due to the distributed detection processing and the latency overhead of delay-tolerant communication. During this time the malware can spread further (and anomaly reports from new nodes may again require verification), leaving the analyst with an incorrect, delayed view of the epidemic.

This work assumes, however, that the analyst can accurately locate patient 0, the initially infected node. If every node runs an intrusion detection system with sufficient memory for logging events, the infection can generally be traced to its origin. An inaccurate estimate of patient 0's position will lead to degraded system performance. We discuss how to locate patient 0 from multiple intrusion reports of intrusion detection systems in section 5. We leave making the system more robust to the patient 0 estimate for future work.

In summary, the service provider will determine from a range of clues whether an intrusion took place. The service provider characterizes an intrusion by a tuple (pos_x, pos_y, time) that describes the time and position of patient 0 at the start of the outbreak.

2.1 Intrusion Response

Given that an intrusion event occurred, a service provider's main interest lies in minimizing inconvenience and potential danger to customers (e.g., users may depend on cell phones for 911/112 emergency calls, or distractions from an infected in-vehicle system may cause car accidents).
Responding effectively requires a secure management interface to the mobile nodes that allows service providers to remotely regain control of a compromised mobile node. Remote management interfaces are common practice for managing servers in larger data centers and have become increasingly prevalent in the cell phone world. For example, the Open Mobile Alliance Client Provisioning Architecture [1] allows over-the-air configuration of mobile nodes. It also specifies a privileged configuration context, whose settings cannot be modified by users or applications. Such interfaces could be further hardened to ensure availability when malicious code controls the phone. Remote management can raise user privacy concerns, but we do not consider an insider attack in which authorized employees (e.g., a patch developer) maliciously inject an infected patch through a secured provisioning channel. Protection against unauthorized modification of a patch can be achieved with a message authentication code (MAC) or a digital signature.

Given an over-the-air provisioning architecture, possible responses to an intrusion event include:

1. Sending a warning to users of the mobile nodes
2. Deactivating mobile nodes
3. Disabling the short-range network interface on mobile nodes
4. Installing port or content-based filters
5. Installing patches to remove exploits
6. Provisioning patches to remove the worm

³ Shigesada et al. modeled a biological invasion whose expansion is driven by a combination of neighborhood diffusion and long-distance dispersal that occur within a species by a stratified dispersal process. Its early expansion mainly occurs by neighborhood interaction, but later new colonies are created by long-jump migrants which accelerate the expansion [24]. This ecological study can have much correlation with one of our future studies.

All of these responses can slow or stop the spread of the virus; however, they also incur user inconveniences of their own.
For example, frequent use of response 1 may reduce its effectiveness, response 2 may prevent emergency calls, and response 3 may prevent the use of hands-free operation by drivers. Responses 3-6 require a more detailed understanding of the worm implementation and so may allow the worm to spread unrestricted for a period of hours or days. Even then, installing hastily developed patches often leads to failures on a subset of phones.

We define the intrusion response planning problem as identifying an optimal set of nodes to minimize the impact of the worm and the inconvenience and dangers caused by (partial) service outages due to the response. An optimal response plan only targets nodes that have already been infected or will be infected until the provisioning process is completed.

[Figure 1. Southern New Jersey highway network modeled in PARAMICS microscopic simulation software. The simulation model shown here contains 2162 nodes, approximately 4000 links and 137 demand zones. Probe vehicles are selected randomly during the simulation process as they leave their respective origin zones. At each time step of the simulation (0.5 seconds), the x and y coordinates of the probe vehicles are recorded until they reach their destination zones.]

[Figure 2. The propagation of mobile worms in southern New Jersey highway network. At each time unit, the y value of each point depicts the Euclidean distance between the farthest infected vehicle and the origin of the mobile worm. In terms of propagation speed, mobile worm spread has three phases: (a) Early stage, (b) Acceleration stage, and (c) Stable stage.]

2.2 A Threat of Mobile Worms in Vehicular Networks

To assess the threat posed by mobile worms in vehicular networks, we run a simple experiment which shows how fast mobile worms propagate (i.e., propagation speed) and how many vehicles can be infected over time (i.e., infection rate). Here we discuss our preliminary results on propagation speed and infection rate.
Although they do not represent a statistical result, they are enough to show a typical scenario. In this experiment, we take the section of the southern New Jersey highway network shown in figure 1 as a sample map and generate 1839 vehicles on it. We drop an initially infected node on the center of the map and use a Susceptible-Infectious-Recovered (SIR) model for the epidemic dynamics. We set the ad hoc communication range to 200 meters. Each vehicle's movement is modeled by a well-known microscopic traffic simulator, PARAMICS [20]. Details on the simulation model are explained in section 4.2.

The case study in figure 2 shows that mobile worms can infect vehicles within an 11.6 kilometer radius circle in only 10 minutes. At this speed, mobile worms can traverse New Jersey from North to South in four hours (the vertical length of New Jersey is about 280 kilometers). This evaluation underestimates the spread of mobile worms due to the scarcity of susceptible vehicles in the stable stage. In the acceleration stage, where there are enough susceptible vehicles to be infected, propagation speed is 120 percent faster than in the stable stage.

[Figure 3. The infection rate over time in southern New Jersey highway network. In total, 1839 vehicles are injected onto the map and 90 percent of them are infected within 800 seconds, approximately 13 minutes.]

Figure 3 shows that it takes about 13 minutes (800 seconds) to infect 90 percent of 1839 vehicles in the southern New Jersey area. Staniford and Paxson [26] stated that conventional worms can infect up to 300,000 hosts within 8 hours and fast scanning worms such as a flash worm can infect even faster (the same number of hosts within 1 hour). Compared to Internet worms, mobile worms are slower but fast enough to make containment difficult (e.g., mobile worms can spread over New Jersey within only 4 hours).

3 Quarantine Boundary Estimation

The optimal response set can be best found through an estimation technique because the service provider's knowledge about the spread of the mobile worm is incomplete. Anomaly reports usually trickle in only after nodes are infected and may be severely delayed in areas of sparse coverage from the infrastructure wireless network.

3.1 A Macroscopic Model of Worm Propagation

Diffusion-reaction and advection models [17] have been successfully applied to describe the spatial and temporal distributions of diverse phenomena ranging from animal dispersion⁴ to groundwater contamination. The diffusion-reaction model comprises a diffusion process and a reproduction process. The diffusion process describes random movements and is characterized by the diffusion coefficient $D$. The reproduction process describes the exponential population growth and is specified by parameter $\alpha$. Equation 1 specifies the diffusion-reaction model. It assumes polar coordinates centered at the position of an initially infected node ($r$ indicates the distance from the origin), isotropic dispersal with constant diffusivity $D$, and growth proportional to the population density $S$.

$$\frac{\partial S}{\partial t} = \frac{D}{r}\,\frac{\partial}{\partial r}\left(r\,\frac{\partial S}{\partial r}\right) + \alpha S \tag{1}$$

This model has a closed form solution under the initial condition that at time $t = 0$, $m$ infected nodes are concentrated at the location of patient 0 ($r = 0$). From this solution, shown in equation 2, the radius $R$ of the frontal wave can be calculated from the propagation speed, which depends on $\alpha$ and $D$ as described in equation 3.

$$S = \frac{m}{4\pi D t}\,\exp\!\left(\alpha t - \frac{r^2}{4Dt}\right) \tag{2}$$

$$R = 2\sqrt{\alpha D}\;t \tag{3}$$

Thus the propagation boundary is proportional to the time since the outbreak, $t$, and the boundary moves with velocity $v = 2\sqrt{\alpha D}$. The parameters $\alpha$ and $D$ depend on the exact scenario. Table 1 identifies the parameter dependencies in an automotive scenario.

⁴ An early notable application of the diffusion-reaction model was designing a hostile barrier for stopping the dispersal of Muskrats. In 1905, the Muskrat was imported to Europe but some of them escaped and started to reproduce in the wild [7]. Skellam [25] later modeled the dispersal of Muskrats through a diffusion-reaction equation.

| Model Parameter | Correspondence in automotive scenario |
| Diffusivity | Models minor roads and collector streets or pedestrian movements |
| Growth rate | Rate of new infections depends on density and distribution of susceptible nodes, communication range, and node velocity |
| Origin | Positions of initially infected nodes |

Table 1. Mapping of model parameters to automotive networking scenario.

When a toxic pollutant diffuses along groundwater paths, its model consists of a unidirectional movement by mean flows, called advection, together with diffusion-reaction processes [23]. In a vehicular network, the advection term is governed by the velocity $u$ along the x-axis and $v$ along the y-axis in two-dimensional space. If we take the advection effect and ignore the diffusion process, equation 1 changes into the advection model described by equation 4.

$$\frac{\partial S}{\partial t} = -\frac{\partial}{\partial x}(uS) - \frac{\partial}{\partial y}(vS) + \alpha S \tag{4}$$

This model can be used in modeling the behavior of mobile worms in highway networks (e.g., Southern New Jersey Highway Networks).

3.2 Algorithms

Given an initial position $(x_i, y_i)$ of each infected node $i$, for all $i$ at time $T_o$, the algorithms should estimate the frontal wave of propagation at $T_c = T_o + T_\Delta$, where $T_o$ is the time of outbreak and $T_\Delta$ is the time delay. We can divide the problem into estimating the worm propagation velocity and estimating the spatial distribution.

In an ad hoc network where mobile nodes move randomly in x-y coordinates, the propagation speed is governed by equation 3. Constant diffusivity $D$ and reproductivity $\alpha$ guarantee constant propagation speed. As long as the same node density and velocity are maintained, the propagation velocity remains constant (see figure 7 and figure 8).

[Figure 4. Different proportions of inter-vehicle distance to communication range lead to different worm propagation velocities.]

However, in the vehicular scenario, every road segment may have a different propagation velocity because vehicle speeds and inter-vehicle distances differ. Figure 4 illustrates how the relationship between communication range and inter-vehicle distance affects propagation velocity. In case (a) the inter-vehicle distance $R$ is greater than the communication range $C_r$, so that an infected car cannot communicate with neighboring cars. Thus, the propagation velocity $V'$ is solely determined by the vehicle speed $V$. In case (b), however, the communication range is greater than the inter-vehicle distance. Thus the worm can travel over the wireless medium to the foremost car in communication range in addition to the vehicle speed. If a worm manages $n$ such hops per second, this leads to the following equation.

$$V' = \begin{cases} V + nR\left(\dfrac{C_r}{R}\right) & \text{if } R \le C_r \\ V & \text{else} \end{cases}$$

Because a one hop communication can never go farther than $C_r$, an upper bound for $V'$ can be obtained by substituting $C_r$ for $R(C_r/R)$, yielding

$$V' = V + nC_r \tag{5}$$

The inter-vehicle distance $R$ and mean vehicle speed $V$ on each highway segment can be obtained from Department of Transportation inductive loop sensors on an hourly basis, for example. They could also be inferred from tracking the position of probe vehicles on the highway network.

Given this propagation velocity, a straightforward isotropic estimate for worm distribution can be obtained with the diffusion-reaction equations. For each independent outbreak this approach yields a circular boundary estimate centered at the location of patient 0 (at the time of the outbreak). The radius of the circle increases linearly with the time duration $T_\Delta$ since the outbreak. This approach is suitable when node movements do not exhibit any directional trends, such as in a random walk.
Estimation can be improved, however, when mobile nodes move on an underlying network of roads or walkways. We frame our discussion of this algorithm in the context of an automobile vehicular ad hoc network, but the concepts are generally applicable to nodes that follow a network of paths.

This algorithm assumes the availability of cartographic material so that the position of patient 0 at the initial outbreak can be mapped onto a road segment. The maps must contain road classifications and the geographical positions of roads and their intersections. For example, this data is available from the US Geological Survey, which publishes detailed transportation network information in the spatial data transfer standard. These maps also classify roads into expressways, arterial, and collector roads, according to their size and traffic volume. The algorithm also requires a mapping of the position of patient 0 at the time of outbreak onto a road segment. This mapping can be achieved by finding the road segment with the minimum Euclidean distance to the patient 0 position.

The key idea of this algorithm is to build an advection model using the transportation network information. The underlying heuristic is that the maximum propagation speed will be observed along the road network; propagation across parallel road segments in communication range and along smaller roads is ignored by this heuristic. Algorithm 1 follows all possible propagation paths using a traversal of the road network graph and a propagation speed estimate for each road segment. It outputs a polygon that includes all (partial) road segments that a worm could have reached in the time since the outbreak.

For example, consider the section of the southern New Jersey highway network in figure 5. Assume that patient 0 lies on the link Ln between junction 3 (J3) and junction 4 (J4).
If we know the propagation speed Vn on that link, we can calculate after how much time a mobile worm arrives at either junction. Let us denote T3 and T4 for the arrival time at J3 and J4. If the time since outbreak T∆ = Tc − To is greater than T3, the mobile worm has already passed this junction and has most likely propagated along both the link J1-J3 and the link J2-J3. This process is repeated for each link until a junction with arrival time greater than T∆ is found. This segment is then only partially infected and the infection boundary is known based on the estimated link propagation speed. The same process is also repeated in the opposite direction from patient 0, towards J4.

The algorithm then encloses each fully infected link in a rectangle with length and width set to the road length and road width, respectively. Partially infected links are only enclosed up to the infection boundary. All rectangles are then merged into a polygon (footnote 5). Once we get a polygon, we group nodes within the polygon into the optimal response set by using the point-in-polygon algorithm [8].

Footnote 5: This can be implemented using well-known algorithms such as provided by the polybool function [13] in MATLAB.

Algorithm 1 QuarantineBoundaryEstimation generates a polygon which estimates the frontal wave of mobile worms at Tr given Patient0 at T0.

{Inputs: Patient0, the position of initially infected node; T0, the time of outbreak; Tc, the time of intrusion response; vn, the average car speed on nth road segment; Rn, the average distance between adjacent cars on nth road segment;
 Parameters: Jn, nth junction's x and y coordinates and every junction should have information on its neighbor junctions; Cr, communication range;
 Outputs: Quarantine polygons}
(A) Estimate the worm propagation speed, Vn for all n with vn and Rn
if R ≥ Cr then
    Vn = vn
else
    Vn = vn + α ∗ Cr
end if
(B) Estimate the spatial distribution
Calculate T∆[0][0] = Tc − T0.
Locate the link (Ln) which Patient0 lies on.
Set Patient0 as the starting point of traversal and push it into queue, Q[0]
Keep pushing all junctions in two ways to be visited next in Q until the last level
i = 0;
while Any T∆[i][] ≥ 0 do
    i++
    K = the number of elements in Q[i][]
    for j = 1 to K do
        Save the parent junction of Q[i][j] into Prev
        Tj = D(Prev, Q[i][j]) / Vn, where n is the link index between Prev and Q[i][j]
        T∆[i][j] = T∆[i − 1][parent]
        if T∆[i][j] ≥ Tj then
            Generate a rectangular boundary from Prev to Q[i][j]
        else
            Generate a rectangular boundary from Prev to T∆[i][j] ∗ Vn
        end if
        T∆[i][j] = T∆[i][j] − Tj
    end for
end while
Merge all rectangular boundaries into polygon.

Figure 5. In our target map, there are 8 junctions and 7 links between them. This region is the part of Southern New Jersey Highway Networks 1. Every black dot depicts the position of individual car at specific time. [Map: junctions 1 to 8 plotted over x (m) and y (m).]

4 Evaluation

This evaluation studies the performance of the quarantine boundary estimation algorithms in a random walk and a vehicular ad hoc network scenario. We compare the accuracy of the macroscopic quarantine boundaries against infection patterns generated by a microscopic simulation model.

4.1 Metrics and Measures

Informally, the algorithm should maximize the number of infected nodes within the boundary and minimize the number of clean (uninfected) nodes within it. We measure the accuracy of the quarantine boundary estimation through detection and false-alarm probability. The detection probability is defined as the ratio of infected nodes within the boundary to all infected nodes.
More formally, $P_d = i/I$, where Pd is the detection probability, i is the number of infected nodes within the boundary and I is the total number of infected nodes. We define the false-alarm probability as the ratio of clean nodes within the boundary to all clean nodes. Accordingly, $P_f = c/(i+c)$, where Pf is the false alarm probability, c is the number of clean nodes within the boundary and C is the total number of clean nodes. Notice that c + i is the number of nodes within the quarantine boundary and C + I is the total number of nodes in the scenario. A perfect quarantine boundary has a detection probability of 1 and a false-alarm probability of 0.

The Jaccard similarity J provides a convenient way to combine the above two probabilities into one number, as an ROC (receiver operating characteristic) curve does in the detection theory community. It is defined as shown in equation (6), where X is the optimum quarantine boundary in x-y coordinates and Y indicates an estimated quarantine boundary.

$$J = \frac{2\,|X \cap Y|}{|X| + |Y|} \qquad (6)$$

It can be computed from detection and false alarm probabilities by substituting X = I and Y = i + c, yielding equation (7).

$$J = \frac{2P_d(1 - P_f)}{1 + P_d - P_f} \qquad (7)$$

The Jaccard similarity lies in the interval [0, 1] with 1 indicating a perfect estimate, corresponding to detection probability 1 and false-alarm probability 0. Jaccard similarity can be used to balance between detection probability and false alarm probability.

4.2 Simulation Model

We use the SIR model [3] for implementing the dynamics among susceptible nodes, infected nodes and recovered nodes. This model is characterized by the fraction of nodes that are susceptible to infection, the infection probability when a susceptible node is in contact with an infected node, and a recovery probability. In our model a susceptible node is in contact with an infected node if they are in communication range Cr of each other.
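Algorithm 1 of section 3.2 together with the Pd, Pf and J measures of section 4.1, as an added Python example that is not the authors' code. It swaps the level-by-level queue for a Dijkstra traversal over junction arrival times, uses the equation 5 upper bound for the per-link speed, and tests nodes against the per-link rectangles directly instead of merging a polygon; the network, node snapshot, hop rate and road half-width are constructed values.

```python
import heapq
import math


def link_speed(v, gap, cr, hops_per_s):
    """Equation 5 upper bound: radio hops add n*Cr only when cars are in range."""
    return v + hops_per_s * cr if gap <= cr else v


def estimate_boundary(junctions, links, patient0, t_delta, cr, hops_per_s):
    """Stretch of each link the worm front can have reached after t_delta seconds.

    junctions: {name: (x, y)}; links: {id: (a, b, vehicle_speed, gap)};
    patient0: (link id, distance in metres from that link's junction a).
    Returns {link id: [(start, end), ...]} measured from junction a.
    """
    length = {k: math.dist(junctions[a], junctions[b])
              for k, (a, b, _, _) in links.items()}
    speed = {k: link_speed(v, gap, cr, hops_per_s)
             for k, (_, _, v, gap) in links.items()}
    adj = {}
    for k, (a, b, _, _) in links.items():
        adj.setdefault(a, []).append((k, b))
        adj.setdefault(b, []).append((k, a))

    # Patient 0's own link is covered outwards in both directions.
    p_link, d0 = patient0
    reach0 = t_delta * speed[p_link]
    covered = {p_link: [(max(0.0, d0 - reach0),
                         min(length[p_link], d0 + reach0))]}

    # Earliest arrival time at each junction (Dijkstra, swapped in for the
    # level-by-level queue of Algorithm 1 so that cycles are handled too).
    a0, b0 = links[p_link][:2]
    heap = [(d0 / speed[p_link], a0),
            ((length[p_link] - d0) / speed[p_link], b0)]
    heapq.heapify(heap)
    arrival = {}
    while heap:
        t, j = heapq.heappop(heap)
        if j in arrival or t > t_delta:
            continue
        arrival[j] = t
        for k, nxt in adj[j]:
            heapq.heappush(heap, (t + length[k] / speed[k], nxt))

    # From every reached junction the front advances for the time left over.
    for j, t in arrival.items():
        for k, _ in adj[j]:
            reach = min(length[k], (t_delta - t) * speed[k])
            span = ((0.0, reach) if links[k][0] == j
                    else (length[k] - reach, length[k]))
            covered.setdefault(k, []).append(span)
    return covered


def in_boundary(p, junctions, links, covered, half_width):
    """True if p falls in the rectangle around a covered stretch of any link."""
    for k, spans in covered.items():
        (ax, ay), (bx, by) = junctions[links[k][0]], junctions[links[k][1]]
        n = math.hypot(bx - ax, by - ay)
        ux, uy = (bx - ax) / n, (by - ay) / n
        s = (p[0] - ax) * ux + (p[1] - ay) * uy        # distance along the link
        d = abs((p[0] - ax) * uy - (p[1] - ay) * ux)   # offset from centre line
        if d <= half_width and any(lo <= s <= hi for lo, hi in spans):
            return True
    return False


def accuracy(inside, infected):
    """Pd = i/I, Pf = c/(i+c) and J (equation 6 with X = I, Y = i + c)."""
    i = sum(1 for a, b in zip(inside, infected) if a and b)
    c = sum(1 for a, b in zip(inside, infected) if a and not b)
    total = sum(infected)
    pd = i / total if total else 0.0
    pf = c / (i + c) if i + c else 0.0
    jac = 2 * i / (total + i + c) if total + i + c else 0.0
    return pd, pf, jac


# Constructed network and node snapshot (not data from the paper).
JUNCTIONS = {"J1": (0, 2000), "J2": (-2000, 0), "J3": (0, 0),
             "J4": (1000, 0), "J5": (1000, -3000)}
LINKS = {"L13": ("J1", "J3", 25, 40), "L23": ("J2", "J3", 30, 150),
         "L34": ("J3", "J4", 30, 50), "L45": ("J4", "J5", 30, 50)}
NODES = [((500, 0), True), ((1000, -800), True), ((0, 500), True),
         ((1000, -1200), True), ((-300, 5), False), ((200, 3), False),
         ((-1000, 0), False), ((0, 1500), False)]   # (position, infected?)


def demo():
    covered = estimate_boundary(JUNCTIONS, LINKS, ("L34", 500.0),
                                t_delta=30.0, cr=80.0, hops_per_s=0.25)
    inside = [in_boundary(p, JUNCTIONS, LINKS, covered, half_width=10.0)
              for p, _ in NODES]
    return covered, accuracy(inside, [flag for _, flag in NODES])


if __name__ == "__main__":
    print(demo())
```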
Generally, we chose aggressive parameters for our simulations to evaluate a near worst-case worm. We set the infection probability to 1, which assumes the absence of any communication errors. In other words, if a susceptible node is within the communication range of an infected node, it becomes infected. We assume that infected nodes can be recovered by the service provider only if they are within the quarantine boundary. Worm propagation then depends on the communication range and the exact mobility model.

We choose the initially infected nodes randomly among all nodes in the random walk scenario. However, in the VANET scenario, we choose them only on the link between J3 and J4, which is at the center of the map in figure 5. The position of the initially infected node is independent from the performance of our quarantine boundary algorithm, but placing them on that link enables us to extend the simulation duration. For the random walk scenario, we choose 5 seconds as T∆. After T∆ has elapsed in the pedestrian scenario, the number of infected nodes amounts to 40-50% of all nodes and the propagation for each initially infected node covers up to a circle of about 13m radius. Because our network is 50m by 50m, this T∆ is appropriate to measure detection and false alarm probabilities. In the VANET case, we choose a time delay T∆ from 25 seconds to 45 seconds. In the case of T∆ = 45 seconds, the propagation approaches almost 5 links out of all 7 links.

For the random walk model, we chose parameters to reflect dense pedestrian movements with short-range (e.g., Bluetooth) communications. Node density is varied from 100 to 300 in a 50m by 50m area with node velocity ranging between 1m/s and 3m/s. Communication range is set to 5m, 10m, and 20m, to represent different path loss and interference environments (footnote 6).

For the vehicular scenario, we obtained location traces from a microscopic traffic model for the PARAMICS transportation system simulator [20].
The model is calibrated to real traffic observed in a section of the southern New Jersey highway network [19]. The full simulation model contains 2162 nodes, approximately 4000 links and 137 demand zones, which serve as origins and destinations for vehicles. Out of all vehicles in the simulation model, a fraction of susceptible vehicles is selected randomly during the simulation process as they leave their respective origin zones. This ensures that the overall traffic patterns remain realistic even though we assume that only a percentage of cars is equipped with susceptible communications equipment. At each time step of the simulation (0.5 seconds), the x and y coordinates of the susceptible vehicles are recorded until they reach their destination zones. For a low susceptibility scenario we selected 200 vehicles and for a moderate susceptibility scenario we chose about 1800 random cars. This represents about 5% of total traffic during the simulation, which was restricted to 4min 10s for computational tractability. The communication range is set to 50m, 100m and 200m in this scenario. 200m approximates free space propagation of a DSRC system [11, 21], while the shorter ranges model higher path loss environments, such as in congested traffic.

Footnote 6: These parameters approximate a sport event environment such as the one in the Helsinki Olympic Stadium, where an outbreak of the Cabir virus was reported [22].

4.3 Pedestrian Scenario Results

To gain a better understanding of the effect of different model parameters we first discuss results from the less complex diffusion-reaction estimation model. The estimator's worm propagation speed is set to 2.56 m/s and the time delay T∆ is set to 5 seconds for these experiments.

Figure 6 shows estimation accuracy of the diffusion-reaction estimator for different node densities. Mean and standard deviation for one hundred trials are shown. A mean detection probability between 95%-100% can be achieved with a false alarm rate of approximately 40%-50%. Our quarantine method is slightly more effective in the 200 node network because the worm propagation speed best matched this case. A change of +/-100 nodes increases the false alarm probability by about 10%.

Figure 6. Estimation accuracy of diffusion-reaction model for random-walk scenario. [Plot: detection probability and false alarm probability versus user density (numbers in fixed area).]

The following results analyze the worm propagation speed in more detail. The speed is affected by node density, communication range, and node mobility. Figure 7 shows the distance of the farthest infected node from the original position of patient 0 over different node velocities. Node density is set to 200 in the 50m by 50m region and communication range is 10m. Again, the graph shows mean and standard deviation over one hundred trials. As expected, propagation speed increases with node velocity. An increase in node velocity has an additive effect on propagation speed. The graph also exposes that propagation speed remains constant over time, further supporting that a linear model fits well. A linear regression for v=2m/s yields intercept 2.1 and slope 2.8m/s.

Figure 7. Distance of the farthest infected node from the outbreak position over time. Increasing node velocity has an additive effect on propagation speed. Propagation speed remains constant over time. [Plot: radius of frontal wave [m] versus time [sec] for V=1m/s, V=2m/s and V=3m/s.]

The effect of changes in communication range Cr on worm propagation speed is shown in figure 8. Node velocity is set to 1m/s and other parameters remain the same as before. Propagation speed increases with higher node velocity. A larger communication range increases the likelihood that susceptible nodes are in range, which hastens the spread of the worm. Propagation speed remains near-constant over time for each communication range.

Figure 8. Dependency of propagation speed on communication range Cr. A larger communication range increases the likelihood that susceptible nodes are in range, which hastens the spread of the worm. [Plot: radius of frontal wave [m] versus time [sec] for Cr=3m, Cr=5m, Cr=7m and Cr=9m.]

4.4 Vehicular Scenario Results

The first experiment measures the worm propagation velocity that can be expected in a highway outbreak. While prior works [28, 4, 10] have developed analytical equations for information propagation speed on road networks, these are not easily transferable to the worm scenario. The average radius of the frontal wave is estimated by averaging 50 simulations and it is repeated for different communication ranges (50m, 100m and 200m). The estimated radius of the frontal wave is shown in figure 9. The results show that for a communication range of 200m, the worm travels at a mean velocity of about 75m/s, significantly faster than typical highway traffic. Lower communication ranges result in reduced velocity.

Figure 9. Worm propagation in highway model with 5% of vehicles susceptible. [Plot: radius of frontal wave [m] versus time [sec] for Cr=50m, Cr=100m and Cr=200m.]

The next experiment compares the estimation accuracy of the advection model over the diffusion-reaction model in the highway scenario. The communication range is set to 100m. Figure 10 and figure 11 show the detection and false alarm probability, respectively. The results from the advection algorithm described in section 3 are labeled "advection with analytical model". To allow a more detailed analysis, the graphs also contain two additional curves, which assume that a more precise estimate of worm propagation speed is available. In the "advection with same speed" approach, we use the average worm propagation speed (obtained from the previously described simulation) for all road segments. The "advection with different speed" approach uses more detailed speed estimates, one per road segment, also derived from simulations.

Figure 10. Detection probability on highway network. The advection models achieve superior accuracy over the diffusion-reaction model. [Plot: detection probability versus time [sec] for only diffusion, only advection with same speed, only advection with different speed, and only advection with analytical model.]

Figure 11. False-alarm probability on highway network. The advection model's better detection probability does not lead to a significant increase in false alarms. [Plot: false alarm probability versus time [sec] for the same four estimators.]

These figures show that the advection models achieve superior detection probability over the diffusion-reaction model, while the false-alarm probability does not differ more than about 10% between advection and diffusion. The detailed knowledge about information propagation speed does not lead to a discernible improvement in detection probability. However, when worm propagation speed is known per road segment, the mean false alarm probability improves by up to 10%. This shows that at least slight improvements to the presented estimation techniques are possible.

5 Discussion

Our location-based quarantine boundary estimation is achieved in two steps: (1) locating patient 0 and (2) estimating a quarantine boundary based on patient 0 location and propagation speed. Thus the quarantine boundary estimation depends on accurate knowledge of patient 0 location. So far we assumed that the service provider can locate patient 0 accurately from a set of intrusion reports in this work.
Here, we discuss how the location might be obtained, if initially unknown. We leave the detailed analysis for future work. We also discuss the impact of slightly inaccurate quarantine boundaries and other synergies between computer security and ecology.

5.1 Estimating Patient 0 Location

In a pedestrian scenario, triangularization can help a service provider locate the initially infected node. We assume that only a limited number of mobile units have intrusion detection systems due to high cost. If a mobile worm originates from the point (x0, y0) at time t0 and propagates isotropically with a speed v in two-dimensional space, eventually a distributed intrusion detection system at (xi, yi) reports an anomaly at time ti to the service provider. Every IDS report forms a nonlinear equation which says the mobile worm can propagate from (xi, yi) to (x0, y0) within t∆ = ti − t0 at the speed of v. Assuming prior knowledge of propagation speed and more than three intrusion reports, the service provider can apply triangularization algorithms (similar to the GPS localization problem). Without this prior knowledge, numerical methods such as Newton-Raphson could be applied, but at a higher computational cost.

Because the vehicle scenario confines mobile worm propagation to road network topology rather than an isotropic two-dimensional space, it requires a more complex solution with three steps: (1) guessing the approximate road segment on which the patient 0 location lies, (2) setting up and solving a set of linear equations using recursive least squares (RLS), and (3) repeating the second step over neighboring segments around the starting segment. Given at least three reports, triangularization might be used to obtain the approximate road segment.
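The triangularization with known propagation speed v described above, as an added Python example that is not the authors' code: subtracting the first report's range equation from the others leaves a system that is linear in (x0, y0, t0), which is solved by least squares. The detector positions, the report times, and the assumption that each IDS reports the instant the front reaches it are constructed for illustration; the second run delays one report to show how the fit residual exposes late reports.

```python
import math


def solve_3x3(a, b):
    """Gaussian elimination with partial pivoting for a 3x3 linear system."""
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(3):
        pivot = max(range(col, 3), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-9:
            raise ValueError("degenerate detector geometry")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, 3):
            f = m[r][col] / m[col][col]
            for c in range(col, 4):
                m[r][c] -= f * m[col][c]
    x = [0.0, 0.0, 0.0]
    for r in (2, 1, 0):
        x[r] = (m[r][3] - sum(m[r][c] * x[c] for c in range(r + 1, 3))) / m[r][r]
    return x


def locate_patient0(reports, v):
    """Estimate (x0, y0, t0) from reports [(x_i, y_i, t_i), ...] and speed v.

    Each report satisfies (x_i-x0)^2 + (y_i-y0)^2 = v^2 (t_i-t0)^2. Subtracting
    the first report's equation cancels the squared unknowns, leaving equations
    linear in (x0, y0, t0); four or more reports give a least-squares problem.
    """
    if len(reports) < 4:
        raise ValueError("need at least four reports for three unknowns")
    x1, y1, t1 = reports[0]
    rows, rhs = [], []
    for xi, yi, ti in reports[1:]:
        rows.append([2 * (xi - x1), 2 * (yi - y1), -2 * v * v * (ti - t1)])
        rhs.append(xi**2 - x1**2 + yi**2 - y1**2 - v * v * (ti**2 - t1**2))
    # Normal equations (A^T A) p = A^T b.
    ata = [[sum(r[i] * r[j] for r in rows) for j in range(3)] for i in range(3)]
    atb = [sum(r[i] * b for r, b in zip(rows, rhs)) for i in range(3)]
    return tuple(solve_3x3(ata, atb))


def rms_residual(reports, v, estimate):
    """RMS gap (metres) between each detector's distance and v * (t_i - t0)."""
    x0, y0, t0 = estimate
    errs = [math.hypot(x - x0, y - y0) - v * (t - t0) for x, y, t in reports]
    return math.sqrt(sum(e * e for e in errs) / len(errs))


# Constructed scenario: outbreak at (20, 30) m at t0 = 100 s; the front moves at
# 2.56 m/s and every detector is assumed to report the instant it is reached.
ORIGIN, T0, SPEED = (20.0, 30.0), 100.0, 2.56
DETECTORS = [(25.0, 30.0), (20.0, 42.0), (10.0, 22.0), (33.0, 41.0), (5.0, 45.0)]
REPORTS = [(x, y, T0 + math.hypot(x - ORIGIN[0], y - ORIGIN[1]) / SPEED)
           for x, y in DETECTORS]


def demo():
    clean = locate_patient0(REPORTS, SPEED)
    # Same reports, but the last one reaches the provider 3 s late.
    x, y, t = REPORTS[-1]
    late = REPORTS[:-1] + [(x, y, t + 3.0)]
    skewed = locate_patient0(late, SPEED)
    return (clean, rms_residual(REPORTS, SPEED, clean),
            skewed, rms_residual(late, SPEED, skewed))


if __name__ == "__main__":
    print(demo())
```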
The second step refines the estimated patient 0 position within the approximate segment given from the previous step using linear equations where the unknown variables are time t0 and the relative position on the given road segment. After repeating this step for neighboring segments, the segment with the best least squares fit is chosen.

5.2 Effectiveness of Partial Containment

Estimation will necessarily lead to imperfect containment. Can this effectively slow worm propagation? We model the accuracy of the quarantine boundary through an immunization probability Pimm between 0.8 and 1 and simulate worm propagation in the pedestrian random-walk scenario after such an imperfect containment. Figure 12 depicts the infection rates after one containment was performed at Tc = 5 seconds. Detection probabilities greater than 0.95%, such as achieved by the advection model, significantly slow the propagation of a worm, yielding additional analysis time for security engineers.

Figure 12. Effect of imperfect containment on worm propagation speed. Containment techniques with more than 95% detection probability can significantly slow worms. [Plot: number of infected nodes (total=200) versus time [sec] for no containment and 80%, 90%, 95%, 99% and 100% containment.]

So far, we assumed that the intrusion response is only performed once. Repeated application, however, could further slow worm propagation. One approach would be to wait for any intrusion reports after the first response and then retry with an enlarged boundary. Another approach would treat every remaining infectious node as a new outbreak. However, this requires changes to the estimation model because the worm will continue to spread from multiple locations, rather than a single origin.

The current solution aims for a high detection probability, to effectively slow worms. In some scenarios a more balanced approach that also minimizes the false alarm probability may be desirable. Higher Jaccard similarity values, for example, can be obtained when small reductions in detection probability yield large reductions in false-alarm probability. To optimize Jaccard similarity we could choose a smaller radius $\hat{R} = \gamma R = 2\gamma\sqrt{\alpha D}\,t$ for the random walk scenario (γ is less than 1). R̂ denotes the effective radius, which equals the square root of the propagation area enclosed by a real boundary (not a circle) against time. Our usage of R instead of R̂ also explains the adaptation of our algorithm over different node densities.

5.3 Other Synergies between Ecology and Computer Security

The successful application of ecological models to estimating worm propagation raises the question about other potential synergies between the fields. Biologically inspired interdisciplinary work has long affected computer security. For example, computer immunology improves virus defenses [9]. Epidemiology enables us to investigate the spread of computer viruses on hybrid networks that combine computer networks and social networks, such as email [16]. In ecology the Allee effect (or reduced per capita reproduction when animals are scarce) may be useful for describing the dynamic change of the infection rate when we have disconnections in the ad hoc network. The effect of dispersal on competing populations (e.g., Predator-Prey model) also holds promise for modeling competition (footnote 7) or the cooperation of malicious codes [27]. As a further step of this work, we can model mobile worm propagation which also uses the infrastructure network, such as MMS or SMS-based downloaders (long-distance dispersion), as well as a local interaction (neighborhood diffusion) by a stratified dispersal process [24].

Footnote 7: In 2001, the counterattacking CodeGreen appeared to disinfect CodeRed.

6 Related Work

Moore and colleagues [15] investigated and compared the existing containment methods for Internet worms which can be implemented in gateways, firewalls and routers. The hierarchical structure of the Internet allows an administrator to partition and shut down a local sub-network which is infected. In wireless networks, however, an infected node can move and communicate with a susceptible node via localized interaction such as Bluetooth. Our work instead focuses on estimating the geographic propagation pattern of short-range wireless worms. The notion of locality is less meaningful in wired networks where worms often use random probing.

Khayam and Radha [12] investigated the parameters governing the spread of active worms over VANET. They define the average degree of a VANET node and use a SIR model for the spread of worms. In our work, we provide a spatial and temporal distribution of the propagating worms rather than an infection rate over time.

Wu and Fujimoto [28] presented an analytical model for information propagation in vehicle-to-vehicle networks. Worm propagation is very similar to information dissemination except that it has a malicious purpose and it lacks cooperation of neighboring nodes. Our work concentrated on practical estimation algorithms that are tractable for larger highway networks. We also presented simulation results from a calibrated highway simulation.

Several intrusion detection systems for wireless ad hoc networks have been designed [33, 14]. Zhang and Lee present a collaborative intrusion detection system for ad hoc networks and assume that every node runs an IDS agent.
Anjum and colleagues have investigated the optimal placement of intrusion detection nodes in an ad hoc network to reduce the need for one IDS agent per node [2]. This intrusion detection work concentrates mostly on external attacks such as distributing erroneous routing information. They do not address how to catch up with a propagating worm. Our work shows how to take advantage of a wireless infrastructure network and how to forecast the propagation of the worm.

7 Conclusions

Wireless ad hoc networks require a new worm intrusion response architecture and mechanisms because they lack central infrastructure choke-points such as routers, gateways and firewalls where network intrusion detection such as address blacklisting or content filtering can take place. We have considered a scenario in which a service provider manages the security of a hybrid (ad hoc with wide-area network) network over a low-bandwidth, wide-area infrastructure wireless network. This work proposed to develop location-based quarantine boundary estimation techniques. These techniques let service providers identify the current set of likely infected nodes when intrusion information is incomplete or delayed. Specifically, we found that

• a mobile worm could spread in a typical highway network with a mean velocity of about 75m/s even though only 5% of vehicles are susceptible to attack.
• advection-based estimation techniques can estimate the group of currently infected nodes with a detection probability greater than 95% and a false-alarm rate of less than about 35%. This provides a significant improvement over having to target a response at all nodes in a large geographic region.

Future Work

There are several directions for future work. First, we should design an algorithm robust to the inaccuracy of geographic origin of the outbreak. Second, it appears valuable to develop techniques that effectively address partial outages of the wide-area wireless network.
Finally, the system could take advantage of propagation speed information gained from the time difference in intrusion reports from different nodes.

Acknowledgment

The authors would like to thank Dr. Ozbay for providing a location trace file from Southern New Jersey Highway Network available for the purposes of this study.

References

[1] O. M. Alliance. Provisioning architecture overview. http://www.openmobilealliance.org/release program/docs/ClientProv/V1 1-20050428-C/OMA-WAP-ProvArch-v1 1-20050428-C.pdf, Apr 2005.
[2] F. Anjum, D. Subhadrabandhu, and S. Sarkar. Intrusion detection for wireless adhoc networks. In Proceedings of Vehicular Technology Conference, Wireless Security Symposium. IEEE, October 2003.
[3] N. T. Bailey. The Mathematical Theory of Infectious Diseases and its Applications. Hafner Press, New York, 1975.
[4] L. Briesemeister, L. Schafers, and G. Hommel. Disseminating messages among highly mobile hosts based on inter-vehicle communication. In IEEE Intelligent Vehicles Symposium, October 2000.
[5] D. Dagon, T. Martin, and T. Starner. Mobile phones as computing devices: The viruses are coming! IEEE Pervasive Computing, 3(4):11–15, 2004.
[6] DSRC-5GHz-Standards-Group. Standard Specification for Telecommunications and Information Exchange Between Roadside and Vehicle Systems - 5GHz Band Dedicated Short Range Communications (DSRC) Medium Access Control (MAC) and Physical Layer (PHY) Specifications. ASTM E2213-03, 2003.
[7] C. S. Elton. The Ecology of Invasions by Animals and Plants. Methuen Co. Ltd., London, 1958.
[8] D. R. Finley. Point-in-polygon algorithm: Determining whether a point is inside a complex polygon. http://www.alienryderflex.com/polygon/, 1998.
[9] S. Forrest, S. Hofmeyr, and A. Somayaji. Computer immunology. Communications of the ACM, 40(10):88–96, 1997.
[10] S. Goel, T. Imielinski, and K. Ozbay. Ascertaining the viability of wifi based vehicle-to-vehicle network for traffic information dissemination. In Proceedings of the 7th Annual IEEE Intelligent Transportation Systems Conference (ITSC), October 2004.
[11] J. P. Hubaux, S. Capkun, and J. Luo. The security and privacy of smart vehicles. IEEE Security and Privacy Magazine, 2(3):49–55, June 2004.
[12] S. A. Khayam and H. Radha. Analyzing the spread of active worms over vanet. In Proceedings of the first ACM workshop on Vehicular ad hoc networks, January 2004.
[13] MathWorks-Inc. Overlaying polygons with set logic. http://www.mathworks.de/access/helpdesk/help/toolbox/map/polybool.html, 2005.
[14] A. Mishra, K. Nadkarni, and A. Patcha. Intrusion detection in wireless ad hoc networks. IEEE Wireless Communications, 11:48–60, 2004.
[15] D. Moore, C. Shannon, G. M. Voelker, and S. Savage. Internet quarantine: Requirements for containing self-propagating code. In INFOCOM. ACM, 2003.
[16] M. E. J. Newman, S. Forrest, and J. Balthrop. Email networks and the spread of computer viruses. Physical Review, 66(035101), 2002.
[17] A. Okubo and S. A. Levin. Diffusion and Ecological Problems: Modern Perspectives. Springer, 2002.
[18] Open-Interface. Bluetooth security overview. http://www.oi-us.com/service additions/security whitepaper docpage.html, Dec 2005.
[19] K. Ozbay and B. Bartin. South jersey real-time motorist information system. NJDOT Project Report, March 2003.
[20] Quadstone-Limited. Paramics v4.0 - microscopic traffic simulation system. www.paramics-online.com.
[21] M. Raya and J. P. Hubaux. The security of vehicular ad hoc networks. In Proceedings of SASN'05, November 2005.
[22] Reuters. Mobile phone virus infects helsinki championships: The cabir virus uses bluetooth to jump between cell phones. http://www.computerworld.com/securitytopics/security/virus/story/0,10801,103835,00.html, Aug 2005.
[23] M. Sadiq. Toxic metal chemistry in marine environments. New York : Marcel Dekker, New York, 1992.
[24] N. Shigesada, K. Kawasaki, and Y. Takeda. Modeling stratified diffusion in biological invasions. American Naturalist, 146(2):229–251, 1995.
[25] J. G. Skellam. Random dispersal in theoretical populations. Biometrika, 38(4):196–218, 1951.
[26] S. Staniford, V. Paxson, and N. Weaver. How to own the internet in your spare time. In Proceedings of the 11th USENIX Security Symposium, pages 149–167, Berkeley, CA, USA, 2002. USENIX Association.
[27] P. Szor. The Art of Computer Virus Research and Defense. Addison-Wesley Professional, symantec press, 2005.
[28] H. Wu, R. Fujimoto, and G. Riley. Analytical models for data dissemination in vehicle-to-vehicle networks. In Proceedings of IEEE 2004-fall Vehicle Technology Conference (VTC), September 2004.
[29] Xatrix-Security. Widcomm bluetooth connectivity software multiple buffer overflow vulnerabilities. http://www.xatrix.org/article.php?s=3663, Aug 2004.
[30] Q. Xu, R. Sengupta, and D. Jiang. Design and analysis of highway safety communication protocol in 5.9 ghz dedicated short range communication spectrum. In IEEE VTC Spring 2003, April 2003.
[31] J. Yin, T. ElBatt, G. Yeung, B. Ryu, S. Habermas, H. Krishnan, and T. Talty. Performance evaluation of safety applications over dsrc vehicular ad hoc networks. In VANET '04: Proceedings of the 1st ACM international workshop on Vehicular ad hoc networks, pages 1–9, 2004.
[32] ZDNet-UK. Year-old bluetooth vulnerability invites mobile worm. http://news.zdnet.co.uk/internet/security/0,39020375,39162400,00.htm, Aug 2004.
[33] Y. Zhang and W. Lee. Intrusion detection in wireless ad-hoc networks. In The Sixth International Conference on Mobile Computing and Networking (MobiCom). ACM, August 2000.

Approaches for Ensuring Security and Privacy in Unplanned Ubiquitous Computing Interactions

V. Ramakrishna, Kevin Eustice and Matthew Schnaider
Laboratory for Advanced Systems Research
Computer Science Department
University of California, Los Angeles, CA 90095
{vrama,kfe,matt}@cs.ucla.edu

Abstract

Modern technology and omnipresent computing and communication facilities are leading us closer to the ubiquitous computing vision. However, the very nature of ubicomp infrastructure, the openness of the environments and the characteristics of the interactions pose unique security and privacy challenges. We anticipate that the vast number of interactions will be unplanned and will occur among mutually unknown and untrusted systems. Mobile components will often find themselves in unfamiliar surroundings, forced to work with infrastructure whose trustworthiness cannot be determined. We must identify and address the security issues inherent in these types of interactions before a large-scale deployment of vulnerable infrastructure begins to pose a serious threat. Current security solutions for mobile computing and wireless communication are not sufficiently scalable or flexible to protect the heterogeneous and highly dynamic systems of the future; they do not even satisfactorily solve current mobile computing security issues. In this paper we address the problems inherent in the infrastructure and in the interacting devices themselves. We also identify device theft as a problem exacerbated by mobile and ubiquitous computing. We emphasize device-based approaches towards handling security and privacy, broadly classifying them into three categories which, when taken collectively, form a three-layer defense for devices. These categories are: 1) resource and content protection mechanisms, 2) secure protocols for service discovery and assignment of resource access, and 3) trust frameworks. These categories are neither mutually exclusive nor exhaustive, yet they collectively address challenges inherent in a wide range of ubicomp scenarios.
We emphasize protocol-based solutions and, to a lesser extent, trust frameworks. These approaches are being investigated in the context of the QED and policy-guided negotiation work currently underway as part of our Panoply ubiquitous computing project.

1. Introduction

Ubiquitous computing promises a vision of computing capabilities at any place and at any time, supporting all kinds of human activities, including even the most mundane. A transition from mobile computing to ubiquitous computing is well underway thanks to both academic research efforts and commercial enterprises. Three important technological factors are contributing to this transition: 1) rapid growth and proliferation of wireless networking facilities, 2) computing and sensing components embedded in our surrounding environments, and 3) availability of smaller portable devices that can run most applications required by a mobile user. Mark Weiser envisioned a future in which computers would fade into the background [Weiser1991]. A more realistic vision, and one that is currently attainable, still involves devices that are recognizable to users as computers. This model of computing is typically distinguished from ubiquitous computing (ubicomp) as pervasive computing. In the pervasive computing paradigm, devices and networks communicate with each other and deal with each other in a more aware and intelligent fashion, without involving a human unless absolutely necessary. Most of these interactions occur in a mobile context and in an unplanned fashion. The onus is upon the devices and the applications to ensure that tasks proceed smoothly, hiding details from users. The challenges in pervasive and ubiquitous computing are similar to mobile computing, but with a higher scale of mobility, dynamism, and heterogeneity. Primary networking challenges have more or less been addressed.
These include the ability to discover networks and associate with them, and the addressing issues that are necessary to establish and maintain network connections. Efforts at the application layer have been made, and are still ongoing, to achieve seamless mobility of networked applications. As a result, the networking infrastructure can now handle complex tasks that were formerly relegated to the user. Even as we design technology with new and better functionality, we must explore potential pitfalls. What happens when one or more of the participants in a mobile interaction do not play by the rules the designers of the mechanisms envisioned? Attackers could use their anonymity and the nature of network-based protocols to breach the security of trusting devices or obtain sensitive information. The networking infrastructure that makes mobile computing possible could also be subverted for illegitimate purposes. We will further explore the vulnerabilities inherent in these unplanned interactions and discuss how a complex balancing act is required to make ubiquitous computing usable, as well as secure.

1.1 Characteristics of Ubiquitous Computing Interactions

Ubiquitous interactions rely primarily on wireless network connectivity between numerous classes of devices. In this context, wired portable computing is significantly less interesting, and the networking and addressing issues have, for the most part, been dealt with; additionally, there is a much higher level of trust and accountability. Interactions among mobile devices and ubiquitous infrastructure components are directed towards the discovery and access of external resources and information that are required for local applications. These include services provided by the immediate environment—typically wireless connectivity, connections to remote computers through the Internet, and sensory output. Most current applications of mobile computing involve access of web-based services.
This requires that devices be able to associate with networks and configure Internet connections; the remaining application tasks are explicitly performed by the users. The transformation to a pervasive computing environment will increase the demands on the devices and the networks to which they connect. A much wider variety of tasks will be supported, and the devices must be more intelligent and aware in order to minimize the work that users must do. Users will expect less intrusiveness, seamless communication, and better performance. Devices and networks will become more autonomic, specifically more self-configuring, self-adjusting, and self-healing. In the simplest form of mobile computing, where users explicitly handle applications and provide other input, the networking issues have relatively fewer security implications. When devices and applications are expected to perform tasks that satisfy user desires, without low-level user input, and sense and adapt to context changes, the security problems are magnified. Workable solutions must be provided so that users can trust their devices to run in an automated fashion and handle private data. Ad hoc or unplanned interactions, which we believe will be very common in the emerging computing landscape, will present situations where there is a lack of familiarity or trust among the interacting entities. We cannot guarantee that different mobile devices and networks will have the same security or data privacy standards, and one challenge is to determine the opposite party’s standards. Even in cases where interactions occur between known entities or entities with verifiable security relationships, the lack of trustworthiness of the wireless communication medium calls for precautions. This medium enables anonymity of entities; if such entities turn out to be malicious or compromised, they could provide fake services and obtain sensitive information.
It is conceivable that the problem could be mitigated somewhat through the imposition of strict security standards and a universal trust framework, but such a worldwide standard would be impractical and impossible to enforce. It would also limit the options for each independent domain to determine its security policies. It also does not solve the problem of adaptation with context, since all possible situations cannot be planned for in advance.

1.2 Trading off Security, Privacy and Usability

Security has proven to be a challenge when it conflicts with user convenience and ease of use. Users dislike entering passwords repeatedly in order to perform tasks that require extra privilege. If the system provides an option of storing the password for subsequent use, many users would make use of it. Likewise, when a sensitive transaction requires the release of identity information and secret keys, privacy is often sacrificed with little thought. These examples and others indicate that there is a three-way tradeoff in security, privacy and usability that every system designer must address. In this context, we define usability as the ease of handling devices and applications, with minimal input and feedback required from the user for successful operation. This complex tradeoff acquires a new dimension in mobile and ubiquitous computing due to the wireless medium, the open environments, the unplanned nature of interactions, and the anonymity of computing entities. In a static context, there is an added degree of trust, which is absent in a mobile wireless context. When communicating with strangers, the more knowledge a device gains about the other party, the better it can assess the appropriate level of trust to place in that party. Intrusive procedures for assessing trust could be used, indirectly leading to more security.
This would make an entity more confident about allowing access to a local resource or giving up some private information in the hope that this might result in some benefit without the cost of misuse. Trust-based security therefore inevitably results in a loss of privacy. Conversely, a conservative policy could result in more privacy but a lower probability of a successful interaction because neither entity will be able to gain sufficient trust in the other. Also, in order to be absolutely secure, many security decisions will have to be made explicitly by the user, which is contrary to the ubiquitous computing goal of reducing human intervention. Many applications will also require the free exchange of privileged information such as location, local capabilities, and constraints. Applications could run in an automated fashion if free exchanges were allowed, but privacy constraints could force a more conservative approach. Various service discovery and access mechanisms could also result in inadvertent exposure of private content and resources, owing to careless design or a lax policy. Submitting to privacy demands could detract from the user experience by restricting the performance of tasks. Alternatively, if the system cannot reconcile privacy demands with the task requirements, user intervention may be required. Privacy, therefore, will often be at cross-purposes with usability. This three-way tradeoff severely impacts and potentially restricts security and privacy choices in ubiquitous computing, where usability and performance are key. Most research efforts in wireless networking and ubiquitous computing have emphasized the usability aspect at the cost of security and privacy [Brooks1997] [Román2002]. Though this results in a richer set of applications and functionality, a retrofitted security solution usually employs fairly rigid policies which interfere with many of the features that make the system usable.
The approach we take is to analyze ubicomp interactions as a whole, rather than on a per-application basis. In this paper we attempt to identify the unique security threats and privacy and access control issues that are posed by device mobility and mutual anonymity of interacting devices and networks. In Section 2 we outline the threats posed by insecure infrastructure and malicious entities, and observe how mobility impacts systems in a negative way. In Section 3 we describe currently used and proposed approaches for maintaining security and privacy. We classify device-based security solutions into three categories, each providing security at a different level; this helps us to better understand and analyze these solutions.

2. Challenges of Unplanned Interactions

In the traditional computing paradigm, devices operate in a few established environments. Ubicomp necessitates a break from this pattern. Traveling from well-known and presumably safe environments to unfamiliar and potentially hostile ones poses many security challenges in mobile and pervasive computing. Likewise, the computing elements embedded in the infrastructure will encounter new and possibly unsafe devices all the time. Though a certain amount of paranoia is both healthy and necessary, it should not prevent devices from running essential tasks for users. Both users and their devices must take precautions. Devices should be able to verify the authenticity of the networking infrastructure, and the machines with which they communicate. Additionally, they must be able to assess the security risks in carrying out such interactions. Similar caution must be exercised by infrastructural components when interacting with unknown mobile devices that have entered communication range. Even if the external environment does not pose a threat, it may hardly be friendly. In these circumstances, protecting the integrity of system resources and data, as well as maintaining a necessary amount of privacy, is difficult.
Challenges arise primarily due to communication with strangers, but in the absence of a trustworthy networking infrastructure, similar problems may afflict communication with known entities too. We address security and privacy issues both from an infrastructural and a device point of view; these issues include device and service provider authentication, the risks of habitual mobility, intelligent failure modes, and software agents. Challenges in each area must be addressed by researchers in order to achieve a complete security solution.

2.1 Infrastructure Security and Privacy

With traditional 802.3 Ethernet-based networking, when one plugs a device into a wall jack, it is typically assumed that the device receives connectivity from the local infrastructure. Clearly, there are possible attacks in this space, but in general this is a reasonable assumption since a physical wire acts as a physical metaphor tying the device to the physical environment. Wireless communication lacks this metaphor; absent policy, our mobile wireless devices can and will receive connectivity from any accessible service providers. This poses potential problems in that traditionally we have trusted our infrastructure to provide network services such as routing and name lookup. Malicious service providers can capture wireless clients and reroute requests to malicious services; such services are intended to duplicate legitimate services and capture personal identification information such as logins, passwords, credit card information, and so on. This type of session hijacking can be performed at the routing layer or by subverting DNS. There are several security problems here—one is the assumption that the networking infrastructure should provide routing and naming services in a secure and trusted manner; another is that one’s device will associate with a given infrastructural component. These problems are related, especially if we seek to use trust relationships to deal with the former. The latter challenge is a problem of device authentication—i.e., how do we make sure we connect to the café’s access point and not the malicious access point in a patron’s backpack? This is a subset of the general device authentication problem—how do two mutually unknown devices authenticate one another? Apart from ensuring the authenticity of the service provider whose network a mobile device is using, we must also deal with issues of data confidentiality and location privacy. These problems are exacerbated by the broadcast nature of the wireless medium, where eavesdropping is trivial for any device with a wireless card. Data confidentiality can be handled through encryption, and much research has gone into developing standards for 802.11 networks, which are mentioned in Section 3.1. But even if the communicated data cannot be interpreted, an eavesdropper can still infer the location of the communicating device and the entities it is talking to, which is information mobile users might want to keep private.

2.2 Device Security and Privacy

A number of security and access control problems lie within devices (or the end points of network connections) themselves. The problems arise due to misconfiguration, ineffective or bad security policies, vulnerable applications and insecure processes for remote discovery, access, and use of resources. Similar problems occur even in static desktop-based computing when communicating over the web, but the nature of devices in pervasive computing, mobility, and the frequency of contact with strangers worsens existing problems, as described below.

The Risks of Mobility

Mobility tends to exacerbate existing security and privacy challenges, such as system vulnerabilities and information leaks in network protocols. A mobile device moves in and out of environments with many unknown and potentially hostile devices, without the protection of infrastructure-based firewalls.
This behavior exposes the device to more potential attackers, magnifying the risk of software vulnerabilities. When the mobile device is eventually taken home or to work, it passes behind traditional firewalls, possibly carrying an infection or an intruder. A next-generation security system needs to be aware of these peripatetic devices that operate within its purview. The knowledge that a device is mobile and transient may allow the infrastructure to provide better support. Steps need to be taken to ensure the integrity of mobile devices and protect the rest of the local network from potential abuse. Challenges here include developing techniques to protect the network from mobile nodes while not overly inhibiting functionality.

Intelligent Failure Modes for Pervasive Security

Failure is an unfortunate fact of life. Mobile devices will be compromised, either over the network or by theft. It is incredibly important that the failure modes of such devices be engineered to minimize the impact of compromise. To that end, we need to focus on theft mitigation, reducing the ability to use or harvest data from a stolen device, as well as application limitations that restrict the powers of a compromised application, thereby protecting system integrity.

Theft Mitigation

Expensive and highly-portable mobile devices present tempting targets to thieves. In a time when identification theft is becoming all too common, these devices also represent a treasure trove of personal information. An important challenge thus is to mitigate the impact of theft—that is, reduce the utility of a stolen device, both in terms of actual functionality and in terms of extractable information. Additionally, recovery mechanisms including “phone home” features and secure remote localization capabilities would be valuable in the mobile device feature set.
Restricting Capabilities and Information Leaks

Mobility-oriented applications must be designed to limit the impact of compromise through segregation of functionality and by adopting the least privilege paradigm, limiting the application’s privileges and data to those necessary to accomplish its tasks. This helps reduce the impact of malicious or compromised applications. Applications may deal with sensitive user data, including authentication information and financial data, as well as sensitive user context such as location or social relationships. A related challenge here is to limit the exposure of this data to the minimum necessary. Context can be made accessible at multiple fidelity levels, and only the necessary level of context should be exposed to the application. For example, location context can have levels such as “UCLA,” “Boelter Hall,” and “3564 Boelter Hall.” The level of context exported to the application may depend on user policy, application needs, or the security characteristics of the local environment. Similarly, the least privilege paradigm must be applied to information that is being transmitted. Remote computers should not be allowed to see more than is necessary for immediate purposes. Otherwise, information such as system or user identification information, system behavior patterns, etc., may be leaked to potentially hostile users. This information could be used by thieves to better target victims—i.e., the thief knows that one bus passenger has an expensive laptop and can determine which passenger, without even seeing the laptop. Similarly, if the presence of a given laptop in one’s home is highly correlated with user presence, then radio emissions can be used to determine when someone is at home. In general, we need to be more careful about the radio emissions of our devices, as they do leak substantial information.
Software Agents and Mobile Code

Software agents and mobile code are frequently used in ubiquitous computing contexts to enable interoperability, application segmentation and migration, as well as customized handling of system operation. This raises serious security challenges. Mobile code may potentially harm the hosting device, or behave in unpredictable ways. The issuer of the mobile agent wishes to trust the result of the mobile code’s execution, but the hosting device has control over the code. This poses a problem. Although this problem exists in the wired Internet, future pervasive environments may depend hugely on mobile agents to perform tasks, including the discovery of networks and services when devices are mobile. Such agents will be especially valuable in handling unplanned interactions. Today’s users already run a great deal of mobile code in the form of Java, JavaScript, Shockwave/Flash, and ActiveX controls. In many cases, mobile code intentionally or unintentionally has access to sensitive user data, often much more data than it strictly requires. We need reliable methods for protecting user data from disclosure and tampering while still permitting the execution of mobile code that is beneficial to the user. Accepting and running mobile code will require enhanced approaches for verification of code properties and establishment of trust.

3. Approaches

The concerns raised in the previous section can be summarized as: 1) protecting the integrity of the devices and networks, 2) preventing unnecessary data exposure, and 3) granting unknown entities permission to access private resources. As discussed in Section 1, enabling open interactions among mobile and infrastructure-based devices is a primary ubicomp goal. An impenetrable security system, though desirable in principle, would restrict access to many types of ubiquitous computing services. Instead, an effective system must be flexible in its approach to ensure both security and usability.
We can and must try to secure the networking infrastructure from malicious entities and eavesdroppers. Approaches to address this are discussed in Section 3.1. These will not solve the complete problem; traditional end-to-end security is still necessary. For the purposes of this discussion, we have chosen to define three subclasses within the solution space. While these subclasses are not exhaustive, we believe these are areas where further research could substantially address security and privacy challenges faced by most ubicomp scenarios. The first class of approaches (Section 3.2.1) attempts to secure resources and content directly at the time of access. Such approaches also include situations where the device in question falls under the control of external entities, directly through theft or indirectly using mobile code. The second class of approaches (Section 3.2.2) comprises secure processes and protocols for interactions between devices, resulting in discovery of external resources and assignment of permissions to access those resources. The security and privacy solutions are managed by the device and are not tied to individual resources; the devices here are containers and controllers for a set of resources and services. The third class of approaches (Section 3.2.3) consists of cross-domain security frameworks that impose security solutions in a top-down manner. Any two entities that come across each other in a pervasive computing world can determine the nature of their relationship and the scope of their interactions through such a shared framework. All trust frameworks, certificate hierarchies, and access control solutions for open systems fall under this category. From one perspective, these three classes of solutions could form three layers of defense for any kind of interaction that takes place in a ubiquitous environment [Eustice2003a]. The trust approaches could help to determine the security basis for interaction among computing entities. 
Protocols could be used by such entities to discover each other’s resources, securely configure permissions for access, and perform security-sensitive actions. At the innermost layer, once devices get to know each other’s resource capabilities, they could directly access those resources which are guarded by low-level protection mechanisms. These three sets of approaches are neither mutually exclusive nor exhaustive. Furthermore, it is unlikely that a complete security solution can be drawn from any one of them alone. Trust frameworks are usually coupled with secure protocols for determining trust in external entities before permitting discovery and access. Resource protection mechanisms can be used in a scalable way in this context only if they are accompanied by a dynamic process of discovery and reconfiguration of local security state. An ideal security solution would combine appropriate features from all three classes of approaches that prove well suited to deployment in dynamic environments. Before we look at examples of different approaches from each of the categories defined above, we consider some mechanisms for securing network infrastructure.

3.1 Networking Infrastructure Security and Privacy Approaches

The most obvious technique used to maintain data confidentiality over any network link is encryption. As mentioned in Section 2, the broadcast nature of wireless communication makes this problem harder. Despite this, cryptographers and security engineers have developed workable security solutions for data confidentiality at the wireless MAC layer. Given the initial failure of the 802.11 WEP standard [Borisov2001], WPA was developed to overcome WEP’s problems with stronger authentication schemes and a key management system. At higher layers in the network stack, devices have even more choices, and we can select from a variety of cryptographic schemes and key exchange protocols.
Preventing an eavesdropper from inferring the location of a device and the identity of the devices it is communicating with is still hard, mainly because of the broadcast nature of the communication medium. Also of interest is research in secure network discovery and connection to authentic service providers. This handles simultaneous discovery and authentication of a wireless network through automated means, which is complementary to the problem of private communication after connection establishment. Secure enrollment of a device to a network promises to mitigate the security problems associated with service provider selection and authentication, as described in Section 2.1.

Device Enrollment

The general problem of secure network enrollment within pervasive computing environments has been considered by several other projects. The canonical reference is Stajano and Anderson’s Resurrecting Duckling [Stajano1999] where the authors presented a model for imprinting wireless devices with network membership information through brief physical contact. In the model, physical contact is required to create a logical connection between two otherwise wireless devices. The mother duck controlling device would maintain absolute control over a set of duckling devices and their respective policies. The duckling model has been further extended by PARC [Balfanz2002] and applied to home and enterprise-wide wireless LAN setup [Balfanz2004]. PARC removes the requirement for a secure side-band channel through the use of public key cryptography—this increases the baseline requirements for member devices, but allows more open side-band channels such as infrared. Recently, other approaches have investigated the use of embedded cameras to capture visual authentication information embedded in barcodes attached to devices [McCune2005], as well as the use of audio cues [Goodrich2005] coupled with displayed textual information.
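The imprinting model described above can be made concrete with a short simulation. This is an added example, not code from the paper or from the Resurrecting Duckling authors; the class names, the HMAC-authenticated command format, the replay counter and the `release` command are assumptions of the sketch.

```python
import hashlib
import hmac
import json
import secrets


def sign(key: bytes, device: str, counter: int, command: str, arg: str) -> bytes:
    """MAC over an unambiguous encoding of the target, counter and command."""
    msg = json.dumps([device, counter, command, arg]).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Duckling:
    """Wireless device that obeys only the controller it was imprinted by."""

    def __init__(self, name: str):
        self.name = name
        self._key = None          # None means the device is imprintable
        self._last_counter = 0
        self.policy = {}

    @property
    def imprintable(self) -> bool:
        return self._key is None

    def imprint(self, key: bytes, physical_contact: bool) -> bool:
        # The key is accepted only over physical contact, never over the
        # wireless link, and only while no controller owns the device.
        if not physical_contact or not self.imprintable:
            return False
        self._key, self._last_counter = key, 0
        return True

    def receive(self, counter: int, command: str, arg: str, tag: bytes) -> bool:
        """Handle a command that arrived over the untrusted wireless link."""
        if self.imprintable:
            return False
        expected = sign(self._key, self.name, counter, command, arg)
        if not hmac.compare_digest(tag, expected):
            return False                      # not from the imprinting controller
        if counter <= self._last_counter:
            return False                      # replayed or reordered message
        if command == "set_policy":
            field, sep, value = arg.partition("=")
            if not sep:
                return False
            self.policy[field] = value
        elif command == "release":            # assumption: owner hands the device back
            self._key = None
            self.policy.clear()
        else:
            return False
        self._last_counter = counter
        return True


class Mother:
    """Controlling device: keeps one imprint key per duckling it owns."""

    def __init__(self):
        self._keys = {}
        self._counters = {}

    def adopt(self, duckling: Duckling, physical_contact: bool) -> bool:
        key = secrets.token_bytes(32)
        if not duckling.imprint(key, physical_contact):
            return False
        self._keys[duckling.name] = key
        self._counters[duckling.name] = 0
        return True

    def command(self, device: str, command: str, arg: str = ""):
        """Build (counter, command, arg, tag) for sending over the wireless link."""
        self._counters[device] += 1
        counter = self._counters[device]
        tag = sign(self._keys[device], device, counter, command, arg)
        return counter, command, arg, tag


if __name__ == "__main__":
    lamp, home, stranger = Duckling("lamp"), Mother(), Mother()
    print("wireless imprint accepted:", stranger.adopt(lamp, physical_contact=False))
    print("contact imprint accepted:", home.adopt(lamp, physical_contact=True))
    print("second owner accepted:", stranger.adopt(lamp, physical_contact=True))
    print("owner command accepted:", lamp.receive(*home.command("lamp", "set_policy", "guest_access=deny")))
```

A controller that never touched the device has no key to produce a valid tag, which is the property that separates the legitimate access point from one carried in by a stranger.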
3.2 Device-Based Security and Privacy Approaches

In this section we discuss approaches for maintaining security and privacy that are executed locally on devices. In general, these solutions assume the presence of a trusted communication infrastructure, though some trust-based solutions circumvent the networking problem altogether by enforcing stringent authentication schemes at the end points.

3.2.1 Resource/Content Protection and Access Control

In the world of pervasive and ubiquitous computing, data is often at risk for disclosure or tampering. Data lives on mobile and portable devices and may be subject to theft. One approach to protecting the privacy of user data is to integrate the protection mechanisms with the resources themselves.

Secure File Systems

Cryptographically secure file systems have been available for more than ten years [Blaze1993] [Wright2003]. In practice, though, such file systems are not widely in use. Furthermore, even when such systems are used, it is common for users to store sensitive key material on the same device that is being protected. As a result, when devices are lost or stolen, it is likely that the information on those devices can be easily accessed by even modestly skilled attackers. Additionally, when a device is taken over by malicious code, that code normally has full access to data on the device, including any encrypted data that the user may access. Typically, users rely on one master key or password to access their encrypted file systems. Thus, if the user accesses any encrypted data item, it is likely that all encrypted data items within that data-store are exposed to any malicious code that may be running on the device. In order to protect data in this scenario, portable devices should not be the custodians of the key(s) to the sensitive data they hold. Rather, keys should be stored elsewhere and provided to applications on demand, based upon context and policy.
If this were the case, certain data would be completely inaccessible to even the most determined attacker if the device was lost or stolen. Even in the case of device infection, much, if not all, sensitive data would be protected, ideally until the malicious code was discovered and purged.

Zero-Interaction Authentication

One system that possesses many of the properties mentioned above is Zero-Interaction Authentication (ZIA) [Corner2002]. In ZIA, each file is encrypted under a symmetric key, and that key is then encrypted with a key-encrypting key. A small security token, separate from the device itself, is the only entity that can decrypt file keys. The device must be in the presence of the token in order to access its own encrypted files. Thus, in our loss or theft scenario, ZIA cryptographically protects user data from disclosure from even the most determined adversary. In addition to ZIA, other novel uses of cryptographic file systems and key management could greatly reduce the risk of disclosure of sensitive data through device loss or theft, or even device infection. Such systems should be informed by context and policy to provide more fine-grained and flexible control over encrypted data and associated keys than is currently provided by ZIA and other encrypted file systems.

Proof-Carrying Code

Although we can mitigate the dangers of device loss and theft, and we can to some extent limit the amount of sensitive data that is exposed in any particular context, it may be desirable or useful to run foreign code in various ubiquitous computing scenarios. Though many mobile code systems employ some facility for sand-boxing, much mobile code still has far more access than necessary, and often far more access than is safe. One possible approach to alleviating this problem is to use proof-carrying code [Necula1997]. In the ubiquitous world, devices will likely be offered mobile code from a variety of trusted and untrusted parties.
In many cases, the user will explicitly run such code. In other instances, the device will be asked to run the code on behalf of the user. Proof-carrying code would maintain the usability we want, while preserving the safety and security of sensitive resources. Proof-carrying code can provide proof of programmatic side-effects and invariants that can be reconciled with local policy. Depending on the level of trust (if any) ascribed to the provider of the code, the device can make safe and informed decisions without having to involve the user every time the question of executing mobile code is raised. Not only can proof-carrying code protect against malicious code that steals or tampers with sensitive user data, it can also preserve the overall integrity of the device, and may also have the added benefit of increasing the reliability of the device as a whole. Proof-carrying code has addressed a very important problem, but we feel its complete potential has yet to be explored. A large number of ubicomp applications will depend on mobile code, and quick verification of security policy compliance would be very valuable. Application of proof-carrying code to ubicomp warrants further research.

3.2.2 Secure Interaction Protocols

Various situations will occur in ubiquitous computing where devices will need to discover each other’s services and establish access permissions. The processes and protocols for managing secure discovery and assignment of access permissions comprise a different set of approaches, complementary to the resource protection mechanisms described above.

Trust Management

Trust management is a process that unifies security policies, credentials, authorization, and access control. This concept was introduced in PolicyMaker [Blaze1998] and refined in KeyNote [Blaze1999]. The process involves a request to perform a security-impacting action or to access private information or resources.
The requestee runs a compliance checker taking as input the request, associated credentials from the requester, and its local policies. If no conflict is detected, the request is granted; otherwise it is refused. This security or trust management solution requires a common trust framework, including a credential vocabulary, in order to be effective. In the mobile computing context, this solution maintains security and access control to the degree specified by the policies. One drawback is that the policies are static and are not sensitive to context changes. Although this process maintains the privacy and security of the requestee, it is not sensitive to the privacy considerations of the requester, who must provide all information and credentials demanded if the interaction is to succeed. Though both PolicyMaker and KeyNote were designed with traditional computing in mind, the technique could as well be used in pervasive computing when combined with a suitable process for discovery of networks and services.

Quarantine and Examination for Mobile Computing

We have explored a new paradigm for mobile and ubiquitous security called QED [Eustice2003b], or Quarantine, Examination, and Decontamination. In this paradigm, before mobile devices are allowed to join a wireless network, they are inserted into a quarantine zone. This is done to protect other local network participants from potential malware carried by the mobile device. While in quarantine, the device is subjected to an examination process that can include a variety of techniques such as external port scans and service identification, as well as internal tests that require cooperation of the device, such as virus scans and service patch determination. If problems such as vulnerabilities, undesirable services, or compromised software are found, the device may go through a decontamination phase in which the problems are, if possible, rectified.
Once the infrastructure is confident that the device poses no threat, it is allowed to fully participate in the local network. A system like QED demonstrates how security and privacy requirements may be at odds in a pervasive computing scenario. Security is enhanced if mobile devices run foreign code as instructed and report results truthfully. But this results in a loss of privacy for the device. Also, running arbitrary code itself requires a high measure of trust in the code provider. These are extremely important issues that require further research. The use of proof-carrying code techniques to verify policy compliance of examination modules deserves serious investigation. Also, verification of authenticity of returned examination results is an interesting problem; this could also have implications for digital rights management. The Cisco Network Admission Control (NAC) system [Cisco2003], a commercial product that is part of the Cisco Self-Defending Network Initiative, enforces access control in a domain through quarantine and examination. Access control decisions are based on a domain’s security policies and involve checking incoming devices for vulnerabilities and infections. NAC suffers from certain drawbacks compared to QED; notably, it does not provide support for decontamination. Also, QED is completely software-based and open source, whereas NAC is integrated with Cisco hardware products. Using QED, security policies could be enforced in a flexible manner with access limits varying with degree of compliance. Also, the relationship between the mobile device and the network is more symmetric; this allows both the network and the mobile device to consider the privacy implications of running foreign code or releasing sensitive information. The primary goal of NAC is to enable domains to enforce security policies, and the relationship is inherently asymmetric. 
This solution will only work when a device interacts with familiar networks, and it is not flexible or scalable enough for ubicomp interactions. Solutions performing QED functions are very valuable to mobile users who would be more tolerant of the added overhead. In the ubiquitous computing vision, applications must run smoothly in the face of frequent context changes. Scaling QED to work in those types of environments is well worth exploration.

Automated Peer Negotiation

We are exploring automated and flexible negotiation techniques among peers to enable interoperation among heterogeneous devices with diverse security and privacy policies [Eustice2003a]. Services can be discovered and resource access agreements can be reached via negotiation, while maintaining local security and privacy policies. Negotiation itself is not a new security mechanism, but rather ensures as much security as can be obtained through existing enforcement mechanisms. The policies, which are private to a system, describe the various constraints and inter-dependencies among system objects, and also describe the state of the system and the properties of its resources and mechanisms. The high level constructs are described in a common semantic language; we are leveraging Semantic Web frameworks like RDF and XML for this purpose. Negotiation is a flexible way for two entities in a ubicomp context to access each other’s resources up to the maximum allowable risk and within the resource usage policies local to each. Most other approaches usually fall under extremes. At one end of the spectrum, some approaches for interaction obey rigid protocol semantics and are usually not applicable outside a particular domain. At the other end, open environments allow free and easy access without regard to security, such as early versions of Jini [Waldo1999]. Negotiation offers a way to balance the risk of resource access or exposure of private information and the utility of permitting that operation.
The crucial aspects are: 1) a trust/risk model that allows assessment of the risk associated with an operation or the trust gained in the other party, 2) a utility model that allows assessment of the benefits of gaining certain resources, and 3) a set of heuristic functions that allows an entity to determine when utility outweighs risk. Of course, there will be situations where the other party could be determined to be malicious, or mobile code found to contain a virus, in which case utility will rarely balance risk. The functions can be computed using the policies local to a system, which include user preferences as well as knowledge of security properties; e.g., risk of opening up a network port, how much trust does possession of certificate X inspire, and so on. The negotiation protocol proceeds through a strategy whereby the parties can trade information, propose alternatives, and compromise within the limits of their policy constraints and the derived heuristic values. The policy language itself is backed by logical semantics and has a reasoning engine that enables query processing, knowledge chaining, and determination of conflicts. This is promising research, both from the security and privacy viewpoint and from the viewpoint of matching heterogeneous systems with available resources in a context-sensitive manner. Negotiation as described above enhances the scope of prior work in automated trust negotiation [Winslett2003], best illustrated by the TrustBuilder [Winslett2002] and PeerTrust [Gavriloaie2004] [Nejdl2004] projects. Automated trust negotiation is a way of controlling access to a private resource over the web through a gradual process of trust building. In a typical instance of the protocol, requests for resource access generate counter-requests for credentials or other information, which in turn generate similar counter-requests. The process continues until a point of trust is reached or until failure occurs due to a conflict of privacy policies. 
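The counter-request exchange described above can be traced with a small model. This is an added example, not code from TrustBuilder, PeerTrust or the paper; the credential names, the release-policy representation and the request-driven disclosure strategy are assumptions made for illustration.

```python
"""Toy model of automated trust negotiation: a credential is released only
after the peer has disclosed the credentials named in its release policy."""
from dataclasses import dataclass, field


@dataclass
class Party:
    name: str
    # credential -> set of peer credentials required before it is released
    # (empty set = freely releasable). A missing key means "not held".
    release_policy: dict
    disclosed: set = field(default_factory=set)  # revealed to the peer so far
    wanted: set = field(default_factory=set)     # requested by the peer so far

    def step(self, peer):
        """Answer outstanding requests. Returns True if any state changed."""
        progress = False
        for cred in sorted(self.wanted - self.disclosed):
            guard = self.release_policy.get(cred)
            if guard is None:
                continue                      # not held: cannot be satisfied
            missing = guard - peer.disclosed
            if not missing:
                self.disclosed.add(cred)      # release policy met: disclose
                progress = True
            elif not missing <= peer.wanted:
                peer.wanted |= missing        # counter-request to the peer
                progress = True
        return progress


def negotiate(client, server, resource_policy, max_rounds=20):
    """Run the exchange; returns (granted, client_disclosed, server_disclosed)."""
    need = set(resource_policy)
    client.wanted |= need
    for _ in range(max_rounds):
        if need <= client.disclosed:
            break
        moved_client = client.step(server)
        moved_server = server.step(client)
        if not (moved_client or moved_server):
            break   # nothing disclosed, nothing newly requested: policy conflict
    return need <= client.disclosed, set(client.disclosed), set(server.disclosed)


def demo_success():
    # Constructed sample policies (hypothetical credential names).
    client = Party("laptop", {
        "employee_badge": {"network_operator_cert"},
        "roaming_agreement_id": set(),
        "device_patch_report": set(),   # never requested, so never revealed
    })
    server = Party("hotspot", {"network_operator_cert": {"roaming_agreement_id"}})
    return negotiate(client, server, {"employee_badge"})


def demo_deadlock():
    # Each side insists on seeing the other's credential first.
    client = Party("laptop", {"employee_badge": {"network_operator_cert"}})
    server = Party("hotspot", {"network_operator_cert": {"employee_badge"}})
    return negotiate(client, server, {"employee_badge"})


if __name__ == "__main__":
    for demo in (demo_success, demo_deadlock):
        print(demo.__name__, demo())
```

In the successful run only the credentials that were actually requested are revealed; in the deadlocked run the negotiation fails with nothing disclosed by either side.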
Though trust negotiation was designed for the web, it can be adapted to the mobile and wireless context, though it would have to be augmented with secure discovery protocols. Through this process, resource access can be requested and obtained with minimum privacy loss for either party.

Zhu et al. [Zhu2005] outline a service discovery protocol for pervasive computing which preserves privacy without third party mediation. The service provider and client expose partial sensitive information in a progressive approach. The protocol terminates when both parties reach an agreement about the extent of exposure of the service and authentication information. Upon a mismatch or an unsatisfied request, the protocol can be terminated without loss of privacy. This protocol is meant to handle fake service providers as well as unauthorized clients. Since entities are assumed to share low-level security information, which is the basis on which they negotiate, the scalability of this approach is debatable. Still, protocols of this type provide novel ways to maintain security and access control constraints in a decentralized manner without sacrificing openness.

3.2.3 Cross-Domain Security Frameworks

In a utopian world, all devices, networks, and enterprise domains would be completely open to any other entity that wished to interact with them. This is not practical, since every device cannot and does not trust every other device in mobile environments. Certain device properties, such as identity and relationships, reflect the amount of confidence that different humans have in each other, and by implication, affect device interactions. With perfect trust in the other party and in the communication channel, the process of interaction and the mechanisms used for resource and data access cease to matter. In practice, perfect trust is not feasible, especially when interacting entities are mutually anonymous.
For example, a user could take his laptop to his office and immediately obtain access to the local network, as well as a range of other resources, given his role as a trusted member of that organization. Apart from basic authentication mechanisms that allow his laptop to connect and be admitted to the network, and similar authentication by the laptop to verify the network access point, strict security is generally not required for discovering the available resources or accessing privileged information. If the authentication framework and the process for handing out authentication information are foolproof, this will work. If a device is compromised or the owner turns malicious, there are serious consequences. If we put aside the issue of trusted entities turned malicious, having an overarching trust framework could enable free interoperation among any set of devices and networks. Such trust-based security solutions are commonly in use within limited domains, but an enterprise-based framework does not scale globally, and bottom-up growth of infrastructure also poses an obstacle to deployment. Below, we examine solutions that help in assessment of trust and discuss their advantages and drawbacks.

Centralized, Monolithic Security

A globally centralized security solution is a potential approach. Currently, efforts are being made to deploy single-provider, city-wide 802.11 network connectivity in a variety of metropolitan areas [Google2005]. In theory, access to these services could be dependent on accepting a universal security policy. Every mobile device and network would be confident that all other entities would be constrained by that policy. This is conceptually a legitimate approach if it can be achieved at a worldwide scale, except for the fact that it would be undesirable to invest so much trust and power in one organization. This model creates a single point of failure which threatens user privacy as well as system reliability.
In the absence of a global security framework and policy, as well as an enforcement scheme, we need to devise frameworks for the dynamic establishment and assessment of trust in order to verify communication channels and enroll securely into foreign environments. These approaches are discussed below.

Certificate Hierarchies

The traditional distributed computing trust solution involves certificates. A certificate, in its simplest form, is a public key signed by certificate authorities. Gaining or verifying trust using certificates requires a hierarchy of certificate authorities. An ad hoc interaction could involve the presentation of a certificate; if the recipient shares a common parent with the certificate owner at some level in the hierarchy, a trust relationship can be established. Though this approach provides a certain degree of trust in mobile and ubiquitous computing, it has serious drawbacks which limit its use. First, given the bottom-up growth of ubicomp infrastructure, it is difficult to force everyone to accept one particular certificate hierarchy, and the higher up the common authority lies, the lower the value of trust becomes. Second, with a huge and unwieldy infrastructure, revocation and updates will be very inefficient. Third, this does not handle cases where strangers meet in a virtual bubble, possibly having no connection with a common trust authority. Last, and most important, certificates in their basic forms (or the way they are currently used in web transactions) are identity-based, and do not say anything more; every mobile device or network has different concerns and priorities, and simply verifying that a particular authority has certified the opposite party may not mean anything.

Peer-to-Peer Trust

Delegation has been proposed and used by various researchers to make the certificate distribution and verification scheme less strictly hierarchical and more suited to dynamic mobile environments.
For example: entity A could delegate to entity B the right to issue certificates in A’s name. Therefore, a delegated certificate issued by B could be trusted if A is a trusted source. This scheme has the property of creating chains and webs of trust [Zimmermann1994], which effectively form a peer-to-peer security framework that could be used as a basis for interaction. Though more dynamic, decentralized, and more resilient to network partitions, this kind of framework suffers from the same problems that afflict certificate hierarchies; it is difficult to assess the value of a credential issued by any particular peer. What makes the issuer of the credential trust a particular entity is not clear, especially if the distance along the chain between the certificate owner and the examiner is long. Clearly these delegated credentials need to provide more information than just identities. In this respect, we are building a voucher mechanism in which a voucher can be provided by one entity to another, certifying certain properties such as rights, group affiliation, and state. The use of a rights-delegating voucher is similar to SPKI [RFC2693]. Closely associated with webs and chains of trust is the notion of reputation, which in theory adds some more weight to the trust or confidence level in another party. Reputation is a way of assessing the trustworthiness of entities based on what other known and trusted entities say about them [Xiong2004]. If this were to work, it would be a strictly more reliable framework than one based on identity. Reputation models have not seen much success due to the impact of lying or colluding parties, and the huge number of variables involved in trust assessment [Sen2002]. Still, this is one way of establishing an overarching web of trust that could potentially cover most unplanned ubicomp interactions, and research in this area should be watched closely. 
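The delegation chains above, combined with the compliance check from the Trust Management discussion, can be sketched as a search for a chain from a locally trusted root to the requester. This is an added example, not code from the paper, KeyNote or SPKI; the credential fields, principal names and the `max_links` limit are assumptions, and signatures are taken as already verified.

```python
"""Compliance check over delegated credentials: find a chain from a locally
trusted root to the requester that carries the requested right."""
from collections import namedtuple

# One delegation assertion. Assumption: its signature was verified earlier.
Credential = namedtuple("Credential", "issuer subject rights can_delegate")


def check_compliance(requester, action, policy_roots, credentials, max_links=3):
    """Return the shortest authorising chain of principals, or None to refuse.

    policy_roots: principal -> set of actions local policy trusts it for.
    max_links:    local limit on chain length, since a credential is harder
                  to value the further its holder is from a known root.
    """
    by_issuer = {}
    for cred in credentials:
        by_issuer.setdefault(cred.issuer, []).append(cred)

    # Breadth-first search; roots may always delegate.
    frontier = [(root, True, [root])
                for root, actions in sorted(policy_roots.items())
                if action in actions]
    seen = {(root, True) for root, _, _ in frontier}
    while frontier:
        next_frontier = []
        for principal, may_delegate, chain in frontier:
            if principal == requester:
                return chain
            # Stop at holders without delegation rights or at the length limit.
            if not may_delegate or len(chain) > max_links:
                continue
            for cred in by_issuer.get(principal, []):
                state = (cred.subject, cred.can_delegate)
                # Rights attenuate: every link must carry the action.
                if action in cred.rights and state not in seen:
                    seen.add(state)
                    next_frontier.append(
                        (cred.subject, cred.can_delegate, chain + [cred.subject]))
        frontier = next_frontier
    return None


# Constructed sample policy and credentials (hypothetical principals).
POLICY_ROOTS = {"campus_ca": {"join_wlan", "print"}}
CREDENTIALS = [
    Credential("campus_ca", "cs_dept", {"join_wlan", "print"}, True),
    Credential("cs_dept", "alice", {"join_wlan", "print"}, True),
    Credential("alice", "visitor_pda", {"join_wlan"}, False),
    Credential("visitor_pda", "stranger", {"join_wlan"}, False),
    Credential("alice", "cs_dept", {"join_wlan"}, True),   # cycle, ignored
]

if __name__ == "__main__":
    for who, what in [("visitor_pda", "join_wlan"), ("visitor_pda", "print"),
                      ("stranger", "join_wlan")]:
        print(who, what, check_compliance(who, what, POLICY_ROOTS, CREDENTIALS))
```

Lowering `max_links` to 2 refuses the visitor's request even though every link is valid, which is one simple way to encode the concern that long chains carry little trust.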
Role-based access control is a popular security framework adopted by open systems, where privileges are tied to a defined role. In its simplest form, this kind of access control works in the mobile context only if familiar entities interact. If strangers must interact securely, the system must be augmented by some process of role determination. Given a common credential vocabulary, a web of trust, and delegation permissions, privileges can be determined through a recursive process of proof-building, as demonstrated in the dynamic RBAC model [Freudenthal2002]. Combining role-based access control with delegation and trust chains has been employed in ubicomp middleware like Centaurus [Kagal2001a] and Vigil [Kagal2001b] [Kagal2002].

Quantitative Trust Models

Newer approaches have argued for a more dynamic notion of trust, and one that reproduces the way humans interact among themselves, such as the Secure project [English2002] [Cahill2003]. The dynamic nature of trust can be reproduced through the processes of trust formation and trust evolution, both of which use the history of past interactions in the trust evaluation functions. This project, as its basis, advocates making personal observations of an entity’s behavior a part of the trust assessment function. A system for monitoring applications and reacting to events [English2004] is based on such dynamic trust models. This is a promising approach for managing dynamic environments, as it has the best potential for allowing secure interactions among strangers. Apart from identifying the important features of a trust framework, we need quantitative models to generate and make use of trust relationships. One approach could be a unified model that uses both identity and contextual properties and which expresses trust as a continuum [Shankar2002].
A different model attempts to model trust using probabilities, and in addition proposes ways to interpret the information during the actual process of performing a security-sensitive action [Jøsang1999]. We feel that dynamic trust models of the type discussed above hold great promise, and indeed are some of the few trust frameworks that scale to ubicomp environments. We cannot of course abandon identity and possession of certificates as a means of assessing trust; these are and will be key mechanisms for trust building. Therefore, research must concentrate on producing trust frameworks that make use of identity, properties, and observed results of actions. These kinds of trust frameworks also form the basis of automated peer negotiation, which was discussed earlier, and this is a promising research area that we are actively investigating.

4. Conclusion

We have discussed a wide spectrum of security and privacy issues that must be addressed before we can trust our devices to perform automated tasks on our behalf in a mobile context. Trustworthy and secure communication infrastructure is a prerequisite for secure mobile computing. Our own mobile devices and the other devices they interact with in the environment must have security and privacy solutions built in so that they can discover and access each other’s resources even when connections are established in an ad hoc manner. In a ubiquitous computing world, usability is of primary importance, and security and privacy solutions must be designed in such a way that they preserve this property. We have classified device-based solutions into three categories, roughly corresponding to three layers of defense for a mobile or infrastructure-based device interacting in dynamic circumstances with entities that may or may not be familiar. Each class of solutions has drawbacks if employed in isolation.
Resource or content protection mechanisms employed without secure protocols for discovery and a trust basis either provide weak security (for interactions with strangers) or do not scale and would require some amount of manual configuration. Similarly, a secure negotiation protocol for sharing of resources without the enforcement mechanisms at the resource access level or a trust basis is not a comprehensive security solution. Trust frameworks without secure means of trust inference and enforcement at lower levels do not provide much value. A hybrid of the three classes of approaches is required for a scalable security solution, and for mobile devices to trust their surrounding environment and service providers when interactions are required. We have also identified a number of promising approaches that address security and privacy challenges faced by mutually unknown entities interacting in an unplanned manner. We envision secure enrollment schemes growing in importance. More applications inevitably lead to more software vulnerabilities, and QED-like integrity analysis will be indispensable for halting the spread of malware. Some flavor of negotiation will inevitably come into play when interacting with strangers, since this promises to address the subtle balance required between security, privacy, and usability. Trust frameworks that are not purely identity-based are the weak point in today’s research, and further investigation in this area would be very welcome. We can assume that decentralized operation and numerous unplanned interactions will be predominant features of emerging ubiquitous computing systems. Dealing with unknown entities and unplanned events will pose numerous challenges. By limiting the risks of exposure and compromise at multiple levels, systems may remain secure, despite the dangerous and hostile intent of others.
Taking lessons from the approaches discussed in this paper, future security framework designs must focus on risk minimization as a primary goal.

References

[Balfanz2002] D. Balfanz, D. K. Smetters, P. Stewart, and H. C. Wong, “Talking to Strangers: Authentication in Ad-Hoc Wireless Networks,” NDSS 2004.
[Balfanz2004] D. Balfanz, G. Durfee, R. Grinter, D. K. Smetters, and P. Stewart, “Network-in-a-Box: How to Set Up a Secure Wireless Network in Under a Minute,” USENIX Security 2004.
[Blaze1993] M. Blaze, “A cryptographic file system for UNIX,” 1st ACM Conference on Computer and Communications Security, pages 9-16, November 1993.
[Blaze1998] M. Blaze, J. Feigenbaum, and M. Strauss, “Compliance Checking in the PolicyMaker Trust Management System,” Proceedings of the Financial Cryptography Conference, Lecture Notes in Computer Science, vol. 1465, pages 254-274, Springer, 1998.
[Blaze1999] M. Blaze, J. Feigenbaum, J. Ioannidis, and A. D. Keromytis, “The KeyNote Trust Management System Version 2,” RFC 2704, September 1999.
[Borisov2001] Nikita Borisov, Ian Goldberg, and David Wagner, “Intercepting Mobile Communications: the Insecurity of 802.11,” Proceedings of the 7th annual International Conference on Mobile computing and networking, pages 180-189, July 2001, Rome, Italy.
[Brooks1997] R. Brooks, “The Intelligent Room Project,” Proceedings of the 2nd International Cognitive Technology Conference, 1997, Aizu, Japan.
[Cahill2003] V. Cahill, E. Gray, J. Seigneur, C. D. Jensen, Y. Chen, B. Shand, N. Dimmock, A. Twigg, J. Bacon, C. English, W. Wagealla, S. Terzis, P. Nixon, G. di Marzo Serugendo, C. Bryce, M. Carbone, K. Krukow, and M. Nielsen, “Using Trust for Secure Collaboration in Uncertain Environments,” IEEE Pervasive Computing, vol. 02, no. 3, pages 52-61, July-September, 2003.
[Cisco2003] White paper—“Network Admission Control Executive Positioning Document,” http://www.cisco.com/en/US/netsol/ns466/networking_solutions_white_paper0900aecd800fdd66.shtml.
[Corner2002] M. Corner and B. Noble, “Zero-Interaction Authentication,” Conference on Mobile Computing and Networking (MobiCom), September 2002.
[English2002] C. English, P. Nixon, S. Terzis, A. McGettrick, and H. Lowe, “Dynamic Trust Models for Ubiquitous Computing Environments,” Proceedings of Workshop on Security in Ubiquitous Computing, Ubicomp 2002.
[English2004] C. English, S. Terzis, and P. Nixon, “Towards Self-Protecting Ubiquitous Systems: Monitoring Trust-based Interactions,” Journal of Personal and Ubiquitous Computing, Volume 10, Issue 1, December 2005, pages 50-54.
[Eustice2003a] K. Eustice, L. Kleinrock, S. Markstrum, G. Popek, V. Ramakrishna, and P. Reiher, “Enabling Secure Ubiquitous Interactions,” Proceedings of the 1st International Workshop on Middleware for Pervasive and Ad-Hoc Computing (in conjunction with Middleware 2003), 17 June 2003, Rio de Janeiro, Brazil.
[Eustice2003b] K. Eustice, L. Kleinrock, S. Markstrum, G. Popek, V. Ramakrishna, and P. Reiher, “Securing WiFi Nomads: The Case for Quarantine, Examination, and Decontamination,” Proceedings of the New Security Paradigms Workshop (NSPW) 2003.
[Freudenthal2002] E. Freudenthal, T. Pesin, L. Port, E. Keenan, and V. Karamcheti, “dRBAC: Distributed Role-Based Access Control for Dynamic Coalition Environments,” Proceedings of the 22nd International Conference on Distributed Computing Systems (ICDCS ’02), IEEE Computer Society, July 2002.
[Gavriloaie2004] R. Gavriloaie, W. Nejdl, D. Olmedilla, K. Seamons, and M. Winslett, “No Registration Needed: How to Use Declarative Policies and Negotiation to Access Sensitive Resources on the Semantic Web,” Proceedings of the 1st European Semantic Web Symposium, Heraklion, Greece, May 2004.
[Goodrich2005] M. Goodrich, M. Sirivianos, J. Solis, G. Tsudik, and E. Uzun, “Loud and Clear: Human-Verifiable Authentication Based on Audio,” WISE 2005.
[Google2005] V. Kopytoff and R. Kim, “Google offers S.F. Wi-Fi—for free / Company’s bid is one of many in response to mayor’s call for universal online access,” http://www.sfgate.com/cgibin/article.cgi?file=/c/a/2005/10/01/MNGG9F16KG1.DTL.
[Jøsang1999] A. Jøsang, “Trust-Based Decision Making for Electronic Transactions,” Proceedings of the Fourth Nordic Workshop on Secure IT Systems (NORDSEC ’99), Stockholm, Sweden (Stockholm University Report, pages 99-105, 1999).
[Kagal2001a] L. Kagal, V. Korolev, H. Chen, A. Joshi, and T. Finin, “Centaurus: A Framework for Intelligent Services in a Mobile Environment,” 21st International Conference on Distributed Computing Systems Workshops (ICDCSW ’01), April 16 - 19, 2001, Mesa, Arizona.
[Kagal2001b] L. Kagal, T. Finin, and A. Joshi, “Moving from Security to Distributed Trust in Ubiquitous Computing Environments,” IEEE Computer, December 2001.
[Kagal2002] L. Kagal, J. Undercoffer, F. Perich, A. Joshi, and T. Finin, “A Security Architecture Based on Trust Management for Pervasive Computing Systems,” Proceedings of Grace Hopper Celebration of Women in Computing, 2002.
[McCune2005] J. M. McCune, A. Perrig, and M. K. Reiter, “Seeing is Believing: Using Camera Phones for Human-Verifiable Authentication,” IEEE Symposium on Security and Privacy, 2005.
[Necula1997] G. Necula, “Proof-Carrying Code,” Proceedings of the 24th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’97), January 1997.
[Nejdl2004] W. Nejdl, D. Olmedilla, and M. Winslett, “PeerTrust: Automated Trust Negotiation for Peers on the Semantic Web,” Secure Data Management 2004, pages 118-132.
[RFC2693] C. Ellison, B. Frantz, B. Lampson, R. Rivest, B. Thomas, and T. Ylonen, “SPKI Certificate Theory.”
[Román2002] M. Román, C. Hess, R. Cerqueira, A. Ranganathan, R. Campbell, and K. Nahrstedt, “Gaia: A Middleware Infrastructure to Enable Active Spaces,” IEEE Pervasive Computing, pages 74-83, Oct-Dec 2002.
[Sen2002] S. Sen and N. Sajja, “Robustness of Reputation-Based Trust: Boolean Case,” Proceedings of the First International Joint Conference on Autonomous Agents and Multiagent Systems: part 1, July 15-19, 2002, Bologna, Italy.
[Shankar2002] N. Shankar and W. A. Arbaugh, “On Trust for Ubiquitous Computing,” Invited paper in Workshop on Security for Ubiquitous Computing, UBICOMP, October 2002.
[Stajano1999] F. Stajano and R. Anderson, “The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks,” 7th International Workshop on Security Protocols, Cambridge UK, 1999.
[Waldo1999] J. Waldo, “The Jini Architecture for Network-Centric Computing,” Communications of the ACM, Vol. 42, No. 7, pages 76-82, 1999.
[Weiser1991] M. Weiser, “The Computer for the 21st Century,” Scientific American 265(30), pp. 94-104, 1991.
[Winslett2002] M. Winslett, T. Yu, K. E. Seamons, A. Hess, J. Jacobson, R. Jarvis, B. Smith, and L. Yu, “Negotiating Trust on the Web,” IEEE Internet Computing, Nov-Dec 2002.
[Winslett2003] M. Winslett, “An Introduction to Trust Negotiation,” 1st International Conference on Trust Management, Crete, Greece, May 2003.
[Wright2003] C. P. Wright, M. Martino, and E. Zadok, “NCryptfs: A Secure and Convenient Cryptographic File System,” Proceedings of the Annual USENIX Technical Conference, pages 197-210, June 2003.
[Xiong2004] L. Xiong and L. Liu, “PeerTrust: Supporting Reputation-Based Trust in Peer-to-Peer Electronic Communities,” IEEE Transactions on Knowledge and Data Engineering (TKDE), Special Issue on Peer-to-Peer Based Data Management, 2004.
[Zimmermann1994] P. Zimmermann, “PGP User’s Guide,” MIT, October 1994.
[Zhu2005] F. Zhu, W. Zhu, M. W. Mutka, and L. M. Ni, “Expose or Not? A Progressive Exposure Approach for Service Discovery in Pervasive Computing Environments,” PerCom 2005, pages 225-234.

Mobile Handset Authentication and Authorization in Distributed Wireless Environments

Pankaj Aggarwal, Kartikeya Tripathi, Janise McNair, Haniph Latchman

Dept.
of Electrical & Computer Engineering, University of Florida
P.O. Box 116130, Gainesville, FL 32611
Phone: +1-352-392-2629, Fax: +1-352-392-0044
Email: mcnair@ece.ufl.edu

Abstract

This paper develops and analyzes a novel scheme for mobile handset authentication and authorization in a geographically widespread area spanning the coverage of multiple network service providers. The existing technology provides roaming for a mobile node through the exchange of a large number of control signals between the foreign network and the mobile node, and between the foreign network and the home network, for authentication and authorization. Such a large amount of information exchange is vulnerable to eavesdropping and malicious attacks. Our scheme requires fewer transactions for this purpose and incorporates multiple layers of security against hacks. First, the mobile device is equipped with an encrypted bit sequence that contains its authentication and authorization information. Then, when it moves into the domain of a foreign network, its bit sequence is read in order to provide it with the appropriate services. By doing this, the procedure eliminates the need for the foreign network to communicate with the home network to establish the mobile’s identity. We show its effectiveness, through OPNET simulations, by comparing the authentication time between the existing setup and the proposed scenario.

Keywords: wireless, cellular, mobility, paging, handoff, Mobile IP

I. INTRODUCTION

With the arrival of third generation technologies in the world of mobile and cellular systems, and a growing user base demanding reliable and high data rate Internet and multimedia based services (both commercial and personal), extensive business deals between various service providers for anywhere-anytime coverage have begun to be forged [1]. Security from a wireless network’s perspective has to be addressed in all layers of the system.
For example, in modern wireless systems, the Content Provider, Service Provider, Carrier Provider and User represent different players in the business chain. Different mechanisms are used to secure these layers in terms of the open system interconnection (OSI) model, where IP spoofing is an attack at the network layer, sniffing is at the physical layer and data link layer, and viruses enter through the application layer.

AAA (authentication, authorization, and accounting) is one of the areas of the security architecture that is needed at several layers, including the network layer and the application layer. AAA schemes maintain the status of the user in a network in terms of letting the right people use the services they are entitled to use, and maintaining a log of their usage for billing purposes [2]. Authentication establishes the identity of a user to check if that user is actually recognized by the system. It is based on password-oriented access to services. Authorization checks precisely which services the user can access. Accounting is a tab of how long the service has been used.

In a centralized security architecture, the home network maintains a database of all users, so that a mobile node (MN) visiting a foreign network (FN) is always authenticated by the home network (HN). Legacy wireless networks, such as GSM, are based on this centralized architecture, implemented by the visitor and home location registers (VLR/HLR) and by the authentication center (AuC). This architecture requires heavy signaling traffic in the backbone network, and information exchange between the location registers, leading to a large overhead and a drop in throughput. As a result, the issues of seamless inter-network handoffs in conjunction with the problems of eavesdropping and service theft are now being dealt with comprehensively [3], [4]. Current research focuses on the optimization of this exchange between the foreign network and the home network during the time of a handoff [5], [6].
This paper investigates a mobile-assisted authentication protocol that reduces the involvement of inter-system information exchange between location registers by employing a unique code for each user that can be exchanged locally between the user and a foreign network. Section II reviews existing authentication techniques, many of which have evolved from the GSM system. Then, Section III gives an overview of the Mobile Assisted Bit Sequence Authentication and Authorization (MABSAA) protocol. Section IV discusses the procedure to acquire the MABSAA bit sequence, and the key management scheme. Section V outlines the simulation approach, and Section VI shows the results. Section VII concludes the paper.

II. RELATED WORK ON AUTHENTICATION ARCHITECTURES

GSM authentication is based on a challenge-response mechanism that employs secret key algorithms. For each subscriber, the HLR stores authentication information in the form of a triplet, consisting of a subscriber-unique random challenge (RAND), an expected signature response (SRES), and a cipher key. To authenticate a mobile node, the home network transmits a non-predictable number RAND to the mobile node, which then computes the signature using the “A3” algorithm and a secret key. The mobile node then transmits the signature back to the network, which tests it for validity.

[Fig. 1. Mobile Architecture. Diagram labels: Internet, loose coupling, tight coupling, GGSN, HSS, HLR, SGSN, RNC, 3G AAA server, WLAN gateway, AP, Node B, MT. Legend: GGSN: Gateway GPRS service node; SGSN: Serving GPRS support node; RNC: Radio network controller; HSS: Home subscriber server; HLR: Home location register]

When a mobile node is in a foreign network, the HLR can use the triplet to validate the node without revealing the secret key to the VLR. The mobile node sends its International Mobile Subscriber Identity (IMSI) to the VLR, which then contacts the corresponding HLR to request the triplet.
The HLR forwards the triplet after validating the VLR with the authentication center. The VLR can then send the challenge to the mobile node, which generates its response and sends it to the VLR. The VLR can compare the response from the mobile node to the response included in the triplet. Matching responses allow the VLR to authenticate the mobile node.

UMTS employs a similar authentication procedure, based on the 3G architecture shown in Figure 1. The authentication and key agreement procedures now involve the user subscriber identity module (USIM), the serving GPRS support node (SGSN), and the GSM authentication center (AuC/HLR). In addition, authentication is segregated between the circuit-switched mode and the packet-switched mode of UMTS, with independent authentication mechanisms being carried out for each.

A significant issue that arises in distributed networks is the presence of unknown users. In the GSM and UMTS systems described above, each user is known and catalogued by the network. In future integrated wireless systems, such as 3G/WLAN, unknown users may gain access to the UMTS infrastructure through the WLAN network. Thus, authentication now must occur at the WLAN level, as well as the UMTS level. The European Telecommunications Standards Institute (ETSI) specifies two generic approaches for interworking 3G/WLAN: loose coupling and tight coupling [7], as shown in Figure 1. With loose coupling, the WLAN bypasses the UMTS core network and connects directly to the Internet. In this case, UMTS and WLAN use different mechanisms to handle authentication, mobility and billing. The WLAN is able to access the subscriber databases in the UMTS network for security, billing, etc., but has no data traffic interface to the UMTS core network.
In the tight coupling approach, the WLAN is connected to the UMTS core network via the Serving GPRS Support Node (SGSN) in the same manner as any other radio access network (RAN), such as the GPRS RAN and the UMTS terrestrial RAN (UTRAN). The WLAN gateway implements all the UMTS protocols required in the UMTS terrestrial radio access network (UTRAN). Thus, the WLAN data traffic goes through the UMTS core network before reaching the external data network. As a result, the mechanisms for mobility and AAA in the UMTS core network can be reused directly over the WLAN.

Finally, as the popularity of the Internet Protocol becomes a growing force in mobile and wireless networks, we discuss the authentication techniques for Mobile IP. In Mobile IP with AAA Extensions, a local AAA server (AAAL) in a subnet shares a security association with the home AAA server (AAAH) of the roaming mobile node, so that the AAAL can securely transmit the mobile node’s credentials. In this configuration, the local and the home authority share the trust relationship. Depending on the security model used, this configuration can cause a quadratic growth in the number of trust relationships as the number of AAA authorities (AAAL and AAAH) increases. (This has also been identified as a problem by the roamops working group [8].) Using brokers is a possible solution to the scalability problems associated with requiring direct business/roaming relationships between every two administrative domains. In order to provide scalable networks with many service providers and large numbers of private networks, multiple layers of brokers should be used.

AAA Extension with Mobility Support has also been proposed for seamless Internet roaming and mobility support in combination with AAA extensions for inter-domain roaming among networks [9], [10]. In this architecture, mobility support is integrated with AAA functions through carefully designed signaling messages.
In this paper, the goal of the MABSAA architecture is to reduce the overhead and background signaling involved in the related techniques. The reduction in signaling will not only reduce interference and increase throughput, but will also increase security for control signaling operations. In the next section, the MABSAA architecture is described.

III. MABSAA ARCHITECTURE

The new Mobile Assisted Bit Sequence Authentication and Authorization (MABSAA) is based on a simple idea: information about the user is encrypted in the mobile node in the form of a pre-defined sequence of bits set in its memory. This sequence follows a fixed format [11], and the bits are set by the home network at the time of purchase of the device, or can be reconfigured by the home network if required. Each segment of the sequence signifies some attribute of the user in terms of its identity and privileges. When the mobile user wanders into the coverage area of a foreign network that has a business association with the home network, the user can be authenticated by the foreign network. The foreign network reads the user’s bit sequence, decrypts it on the basis of a shared secret key, and provides services accordingly.

[Fig. 2. Difference between MABSAA and Centralized Architecture]

Figure 2 shows the basic difference between MABSAA and the common procedures of existing systems like GSM and UMTS, in terms of the extent of signaling issued when a mobile user visits a foreign network. Specifically, in the existing system, there are four sets of messages being exchanged between the mobile, the foreign network and the home network:
1) Between the mobile and the foreign network, the mobile’s Electronic Serial Number (ESN) and Mobile Serial Number (MSN).
2) Between the foreign network and the home network, confirmation of the identity of the user and the types of services allowed for the user.
3) Between the home network and the foreign network, after the home network has processed the look-up request and updated its location database.
4) Between the foreign network and the user, to confirm service, after having received information from the home network and updated its visitor database.

In comparison, the MABSAA approach has the following sets of message exchanges:
1) Between the mobile node and the foreign network, through the mobile’s MABSAA sequence.
2) The foreign network processes the sequence, and grants access to the user right away (if it can). Simultaneously, the foreign network informs the home network of the presence of this node.

This parallel processing significantly reduces the time of authentication relative to the sequential nature of the existing system.

[Fig. 3. MABSAA Bit Sequence Encapsulation by a Software Interface]

IV. SEQUENCE ACQUISITION AND KEY MANAGEMENT

The MABSAA bit sequence is both readable (by the home network and any authorized foreign network) and writable (only by the home network, in case some of the privileges have to be changed). To facilitate these operations, and to prevent accidental or malicious access to the sequence, it is encapsulated by a software interface that acts as an upper layer, as shown in Figure 3. The interface has two Access Codes: one that can be matched only by the home network and the other that can be matched by any legitimate foreign network. The home network’s code opens a read/write port to the bit sequence, and the foreign network’s code opens a read-only port. On proper authorization (authentication), the interface either transmits the encrypted bit sequence or changes it. The foreign network requires the access code for the interface (all the foreign networks are given the same code), and a secret key with which to decrypt the received bit sequence.
So any network in contract with several other networks will have the guest network’s ID, the access code from that network, and the shared secret key from that network.

To buttress the security in MABSAA against the possibility of interception of the decryption key, the home network periodically changes the encryption key for its set of mobile nodes, whenever they are in range. The home network also distributes the new key to the partner foreign networks. In case the mobile node is not present in its home network, it will be bookmarked for change whenever it comes into the home network territory. The foreign network maintains both the present key and the old key for a guest network. When a visitor mobile node comes in, the latest key is used first to decrypt the bit sequence. If the mobile node hasn’t had its bit sequence rewritten in accordance with the new key, the foreign network would not be able to read it. In fact, it would recognize the failed decryption by the garbled network ID, which doesn’t match any existing guest network’s ID. Then the previous key will be applied to the sequence for decryption. This way, the exchange of the bit sequence will be more reliable and less prone to hacker intrusions.

[Fig. 4. OPNET Configuration]

V. SIMULATION DESCRIPTION

To test MABSAA, we simulated the office enterprise architecture of OPNET with 4 office buildings, each having a single wireless local area network (WLAN) subnet. This is shown in Figure 4(a). Each subnet has a wireless access point that serves all of the resident mobile devices. It has the IP Gateway Function enabled with OPNET default Ethernet, IGMP and TCP parameters. The WLAN has a data rate of 1 Mbps with frequency hopping spread spectrum physical characteristics and has a receive lifetime of 0.5 seconds. Each subnet supports 20 mobile devices, each of which supports MABSAA traffic. Each subnet also supports a WLAN server running on a SUN Ultra 10 333 MHz simple CPU.
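The foreign-network side of the key rotation described in Section IV, as an added example that is not code from the paper: the latest key is tried first, a decryption counts only if the recovered network ID matches the partner that key belongs to, and the previous key is the fallback. The field layout, the per-handset nonce, the SHA-256 counter-mode stand-in cipher and every name, ID and key below are assumptions; the paper defers the real sequence format to [11] and names no cipher.

```python
import hashlib
import struct

# Assumed layout (the paper defers the real format to its reference [11]):
# 2-byte home network ID | 4-byte subscriber ID | 1-byte service flags.
FIELDS = struct.Struct(">HIB")
NONCE_LEN = 8  # assumed per-handset nonce, stored in the clear before the ciphertext


def _keystream(key, nonce, length):
    """Stand-in cipher (assumption): SHA-256 in counter mode, for illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def write_sequence(key, net_id, subscriber, flags, nonce):
    """Home network: encrypt the attribute fields into the handset's bit sequence."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    plain = FIELDS.pack(net_id, subscriber, flags)
    return nonce + _xor(plain, _keystream(key, nonce, len(plain)))


class ForeignNetwork:
    """Keeps the present and the old key for every guest (partner) network."""

    def __init__(self):
        self.partners = {}  # net_id -> {"current": key, "previous": key or None}

    def add_partner(self, net_id, key):
        self.partners[net_id] = {"current": key, "previous": None}

    def rotate_key(self, net_id, new_key):
        """A new key arrived from the home network: present key becomes old key."""
        entry = self.partners[net_id]
        entry["previous"], entry["current"] = entry["current"], new_key

    def read_sequence(self, blob):
        """Return the decoded fields, or None when no held key yields a valid ID."""
        if len(blob) != NONCE_LEN + FIELDS.size:
            return None
        nonce, cipher = blob[:NONCE_LEN], blob[NONCE_LEN:]
        for generation in ("current", "previous"):  # latest keys first
            for net_id, keys in self.partners.items():
                key = keys[generation]
                if key is None:
                    continue
                plain = _xor(cipher, _keystream(key, nonce, len(cipher)))
                got_id, subscriber, flags = FIELDS.unpack(plain)
                # The ID comparison is the only check the scheme describes; with
                # the assumed 16-bit ID a wrong key passes it with probability
                # 2**-16 per key tried.
                if got_id == net_id:
                    return {"network_id": got_id, "subscriber": subscriber,
                            "flags": flags, "key_generation": generation,
                            # old-key handsets are due a rewrite by the home network
                            "needs_rewrite": generation == "previous"}
        return None


def run_demo():
    """Constructed scenario: one handset stays away from home while keys rotate."""
    home_a, home_b = 0x0101, 0x0202  # constructed network IDs
    k1, k2, k3 = (b"constructed-A-key-1", b"constructed-A-key-2",
                  b"constructed-A-key-3")
    fn = ForeignNetwork()
    fn.add_partner(home_a, k1)
    fn.add_partner(home_b, b"constructed-B-key-1")
    roaming = write_sequence(k1, home_a, 4711, 0b00000101, b"nonce-01")
    results = [fn.read_sequence(roaming)]      # present key decrypts it
    fn.rotate_key(home_a, k2)
    results.append(fn.read_sequence(roaming))  # old key is the fallback
    fn.rotate_key(home_a, k3)
    results.append(fn.read_sequence(roaming))  # two rotations behind: rejected
    rewritten = write_sequence(k3, home_a, 4711, 0b00000101, b"nonce-02")
    results.append(fn.read_sequence(rewritten))
    return results


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Because only two key generations are held, a handset that misses two consecutive rotations can no longer be read by the foreign network until its home network rewrites the sequence.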
The WLAN server in each subnet acts as a MABSAA authentication server. Therefore, a MABSAA server in that WLAN authenticates every mobile node in a particular subnet (thereby simulating a collection of home and foreign networks). The mobile terminals can access each of the servers with equal probability. All the nodes were configured as sources of HTTP, FTP and E-mail traffic. Nodes were modeled so that their traffic starts after the authentication phase. The subnet architecture is shown in Figure 4(b). For the purpose of comparison, both MABSAA and Secure Socket Layer (SSL) traffic are generated.

A. MABSAA Traffic

MABSAA traffic is modeled based on the sequence of information flow presented in Section III. The mobile device, on entering the foreign network, sends a hello message. The authentication server then replies with access codes. Depending upon the validity of the access codes, the mobile device sends the encrypted bit sequence. After receiving the encrypted bit sequence, the authentication server decrypts the bit sequence using the secret key.

OPNET custom application design is used for traffic modeling. It comprises a hierarchy of objects. At the bottom of the hierarchy is the task, which is a basic unit of user activity within the context of the application. In MABSAA modeling a single task, known as MABSAA Authentication, is considered. Included in a task is a phase, which is an interval of related activity, e.g. a data transfer process. A task specification is a table that describes the sequence of phases and steps involved in a task. The next step in the hierarchy is an application. The application represents a software product that is used to perform a task. At the top of the hierarchy lies the profile definition. The profile determines the manner of execution of the application, and on which objects it is executed. In MABSAA Authentication, six different phases, as shown in Table I, are designed. These phases execute sequentially, one after another.
TABLE I
PHASES OF MABSAA ARCHITECTURE

Phase Name              Source           Destination
Initial Setup           MABSAA Client    MABSAA Server
Server Access           MABSAA Server    MABSAA Client
Client Processing       MABSAA Client    Not Applicable
Client MABSAA BitSeq    MABSAA Client    MABSAA Server
Server Processing       MABSAA Server    Not Applicable
Final Setup             MABSAA Server    MABSAA Client

Table II presents the parameters of the MABSAA traffic model. The Request Packet Size was a major factor in the network traffic. It was dependent on the data being transmitted over the network for a particular phase.

TABLE II
TRAFFIC CHARACTERISTICS

Attributes              Values
Initialization          Exponential(0)
Request Count           Constant(1)
Inter-request Time      Constant(0)
Request Packet Size     Constant(1024)
Packets per Request     Constant(1)

B. SSL Traffic Comparison

The MABSAA protocol is compared with OPNET’s secure sockets layer (SSL) application. SSL has become the de facto standard for secure communications between end users and Internet sites, and today, SSL support is built into virtually every browser. The SSL protocol includes two sub-protocols: the SSL handshake protocol and the SSL record protocol. Both provide authenticated, confidential and tamper-resistant connections to applications, particularly HTTP. SSL’s footprint fits into the Internet’s processing stack, above TCP/IP and below the application layer, without significantly affecting the other protocol layers. OPNET’s SSL application simulates the SSL Handshake protocol that authenticates the client and the server. The messages involved authenticate the server and the client to each other, and allow the client and the server to select cryptographic algorithms and the level of security that they want. The sequence of messages in the SSL model is:
1) Initial Setup
2) Processing in FN
3) Contact HN of Mobile Node
4) Processing by HN
5) Transmit to FN
6) Processing by FN
7) Final Setup

VI. OPNET SIMULATION RESULTS

The first set of results, shown in Figure 5, describes the parameters related to the MABSAA authentication traffic. The traffic generated by MABSAA can be categorized as the traffic received by the mobile node from the MABSAA server, and the traffic sent from the mobile node to the MABSAA server. The graph shows that initially, when all 20 nodes are unauthenticated, the traffic generated is much greater than the traffic generated in the middle of the simulation, where any node, randomly picked, is getting authenticated. This also shows that the maximum traffic generated equals 1109 bytes per sec.

[Fig. 5. MABSAA Signaling Traffic]

TABLE III
WLAN STATISTICS DURING MABSAA ARCHITECTURE

Statistic       Average    Maximum    Minimum
Data Dropped    0          0          0
Delay (sec)     0.128      0.0420     0.0077
Load (bps)      98115      344164     1604
Throughput      84362      316740     802

[Fig. 6. MABSAA Scenario Load and Delay]

Table III shows the load in bits/sec when the FTP, HTTP and E-mail traffic is in the network. It can be seen that no data was dropped. Hence, it can be assumed that the resending of any of the packets did not generate the network load.

[Fig. 7. Comparison between MABSAA and SSL Scenarios]

Figures 6(a) and (b) show the average load and average delay due to MABSAA traffic, respectively. The comparison between the MABSAA and SSL scenarios is shown in Figures 7(a) and (b) with respect to the same metrics of load and delay. These clearly show that the delay in the MABSAA scheme is less than in SSL. This initial delay corresponds to the authentication time of the system. However, with the lowering of authentication time, the total load on the system is increased. For example,
- Increase in the load = 98115 - 88367 = 9748 (bytes/sec)
- Percentage increase in load = 9748/98115 = 11.03%
- Decrease in authentication time = 0.0149 - 0.0128 = 0.0021 (sec)
- Percentage decrease in authentication time = 0.0021/0.0149 = 14.09%
With an 11.03% increase in load on the overall system, the total authentication time is decreased by 14.09%.

VII. CONCLUSION

The goal of MABSAA is to significantly optimize resource utilization. As mentioned earlier, the current methodologies require the exchange of control and identification messages between home and foreign networks, apart from the extensive database management for location databases. Our technique will not only limit the use of bandwidth for sending such signals and the delays incurred therewith, but also reduce the infrastructural and maintenance costs. In addition, the fact that the foreign network can simultaneously perform the two steps of providing services to the user and informing the home network of the user’s presence will cause the system to be much quicker. Extensive simulation scenarios that compare the performance of a typical wireless communication system with MABSAA and other data exchange schemes usually employed show clearly the advantage in terms of time to authentication for roaming users. This benefit gains significance in the context of time-sensitive applications like multimedia and VoIP.

REFERENCES

[1] L. Robert, N. Pissinou, and S. Makki, “Third generation wireless network: The integration of gsm and mobile ip,” in IEEE Wireless Communications and Networking Conference (WCNC), September 2000, vol. 3, pp. 1291–1296.
[2] Internet Engineering Task Force, Authentication, Authorization and Accounting (AAA) Transport Profile, February 2006, available here: <http://www.ietf.org>.
[3] W. Stallings, Cryptography and Network Security, Prentice Hall, 4th edition, 2006.
[4] J. McNair and F. Zhu, “Vertical handoffs in multi-network fourth generation (4g) environments,” IEEE Wireless Communications, vol. 11, no. 3, pp. 8–15, June 2004.
[5] A. Platt, “Cost implications of mobility management,” in IEEE Colloquium on Networking Aspects of Radio Communication Systems, 1996, pp. 1–5.
[6] H. Kim and H.
Afifi, “Improving mobile authentication with new aaa protocols,” in IEEE International Conference on Communications (ICC), 2003, pp. 497–501.
[7] European Telecommunications Standards Institute (ETSI), Requirements and Architectures for Interworking between HiPerLAN/3 and 3rd Generation Cellular Systems, August 2001, Technical Report ETSI TR 101 957.
[8] B. Aboba and G. Zorn, “Criteria for Evaluating Roaming Protocols,” RFC 2477, December 1998.
[9] M. Barton, D. Atkins, J. Lee, S. Narain, D. Ritcherson, K.E. Tepe, and K.D. Wong, “Integration of IP Mobility and Security for Secure Wireless Communications,” in 2002 IEEE International Conference on Communications, 2002, pp. 1045–1049.
[10] M. Cappiello, A. Floris, and L. Veltri, “Mobility amongst Heterogeneous Networks with AAA Support,” in IEEE ICC 2002, 2002, vol. 4, pp. 2064–2069.
[11] P. Aggarwal, K. Tripathi, J. McNair, and H. Latchman, “Mobile assisted bit sequence authentication and authorization,” in Int’l Conference on Cybernetics and Information Technologies, Systems, and Applications, July 2004.

Hardware/Software Solution to Improve Security in Mobile Ad-hoc Networks

Sirisha Medidi and José G. Delgado-Frias
School of Electrical Engineering and Computer Science
Washington State University, Pullman, WA 99164-2752

Abstract: In this position paper, we advocate for developing comprehensive software/hardware techniques to mitigate the effects of malicious nodes – these techniques must be integrated into routing protocols. The techniques include novel hardware monitoring schemes. One fundamental issue that needs to be addressed is how to secure these networks while guaranteeing a level of performance. We believe that research in this field needs to be focused on two major thrusts: (i) detection, identification and isolation of malicious nodes by software/hardware techniques and (ii) secure, Quality-of-Service-aware routing.
Involving different layers of the protocol stack, identifying interdependencies of the problem solutions to fine-tune them, and using independent hardware monitoring schemes could accomplish these objectives. The proposed multi-layer software/hardware approach will greatly enhance ad-hoc network security.

Key Words: secure communication, malicious nodes, secure routing

1. Introduction

Ad hoc networks are the preferred means of communication where infrastructure is not available in hostile environments for information gathering and time-critical decision-making activities. Additionally, it would be helpful if networks were able to support secure communication while maintaining a high level of network performance. Ad hoc networking opens up a host of security issues, including:
(1) Wireless links are especially vulnerable to eavesdropping. This may give an adversary access to secret/private information.
(2) Establishing trust among the communicating parties is difficult. There is no centralized infrastructure to manage and/or to certify trust relationships. This is compounded by the fact that these networks are often very dynamic – with nodes free to join and leave at will – and thus have network topology and traffic changing dynamically.
(3) Malicious nodes are difficult to identify by behavior alone. Many perfectly legitimate behaviors in wireless networking may seem like an attack.
(4) Selfish behavior or node misbehavior is also likely. Due to node limitations/constraints, nodes may opt to go into selfish mode.

Achieving security for ad-hoc networks. To achieve a secure ad-hoc network will undoubtedly require a more comprehensive approach with more sophisticated resources that are integrated into the information-gathering strategies of wireless ad-hoc routing protocols. The proposed approach takes a thorough look at secure wireless ad-hoc networking from a real-time perspective.
We propose to incorporate design for security (or design for intrusion-intolerance) as an integral part of the ad-hoc network’s operational specification. The integration includes augmentation of protocols with security and Quality-of-Service (QoS) primitives. Rather than relying on technologies designed for wired networks and currently implemented at the network layers on wireless systems, we believe that multiple strategies are needed to make ad-hoc systems wireless-aware, efficient, and secure.

Handling malicious or unreliable nodes. There are three steps in handling a malicious node: detect malicious behavior, identify the malicious node, and remove the undesirable node from the network or otherwise cope with it. Ideally, techniques to mitigate the effects of malicious or unreliable nodes should: (i) require no modification to protocols, (ii) work with existing routing protocols, (iii) have minimal or no security associations that require the cooperation of other nodes in the network, and (iv) not themselves contribute to further attacks on the communication and the routing protocols.

Hardware Monitor. Behavior monitoring by software alone definitely is effective in the detection mechanism. However, false positives could be higher due to the evolving nature of ad-hoc networks. To control this issue and to further enhance the security of the network, a hardware monitor that provides information to the software layers, and that is independent of the node’s software, would be extremely valuable. The hardware monitor should ideally provide the software layers with information about: (i) malicious packet drop, (ii) malicious misroute, and (iii) bogus routing information.

Routing problems. Spurious route requests by malicious nodes could cripple the network by introducing broadcast-storm and route-reply storm problems.
It is desirable to find a route that has a higher likelihood of surviving over a period of time in spite of node mobility and that has better network resources. Providing routes that are stable based on route statistics could reduce communication disruption time. For effective performance, one needs these features in the routing protocol (all must be energy-efficient): (i) mechanisms to distinguish between false and valid route requests, (ii) the ability to adapt to dynamically changing QoS requirements such as battery life, signal strength, bandwidth and latency, and (iii) adaptive mechanisms to detect intrusions and non-cooperative or selfish behavior.

[Figure 1. Relationship between software/hardware monitoring and routing. Diagram labels: Node i, Node j, upper layers, node’s hardware, software monitor, hardware monitor, routing algorithm, routing cache monitor]

Our Approach. Once undesirable behavior is detected, the malicious nodes will be identified and isolated: doing this leads to secure and QoS-aware routing protocols that strengthen the process of identifying and isolating undesirable nodes. The strength of our approach lies in our ability to incorporate a hardware-monitoring scheme, which is independent of software monitoring techniques. This in turn provides a considerable advantage over existing hardware-only or software-only techniques. The proposed research aims at developing solutions for misbehavior detection for datagram traffic, in addition to the common techniques that are based on TCP (Transmission Control Protocol) traffic, without any additional security associations, which are more common in other solutions. The status information from the hardware monitor will be effectively used in routing decisions to improve network security as well as performance.

2. Background and Related Work

2.1 Detection, Identification, and Isolation of Malicious Nodes

“Watchdog” [4] is a technique in which each node “snoops” the retransmission of every packet it forwards. If the watchdog detects that a node has not correctly retransmitted the packet, it raises a warning. This requires omni-directional antennas. We developed an unobtrusive monitoring technique [1,2,3], which relies on readily available information at different network levels to detect malicious nodes. The strength of the method is that a single source node can use it without relying on others, making it easy to implement and deploy. Further, there is also no need for security associations between the nodes. Local data such as route request and route error messages, ICMP time exceeded and destination unreachable messages, and TCP timeouts are used to detect misbehavior. Finally, the information is processed to determine if any malicious activity is taking place. In case of undesirable activity, the node is alerted so that it can act. Currently the technique can identify Byzantine faults such as packet drop attacks and misrouting. Experiments were conducted using the ns-2 network simulator (details in [1,2,3]). The detection effectiveness improves with an increase in the percentage of malicious nodes.

We have proposed techniques to improve the performance of nodes in a network by means of novel hardware. This includes buffer schemes that use the buffer space in a multiple-port node more efficiently [6]. We proposed an original high-performance cache technique for routing [7,8,9]. This technique takes advantage of temporal and geographical locality of packets. T. Chiueh and P. Pradhan [10] proposed to use a conventional cache; this approach has problems with collisions due to its associativity limitations.

2.2 Secure and QoS-aware Routing

To achieve optimal availability, routing protocols should be robust against both dynamically changing topology and malicious attacks.
Routing protocols proposed so far do not handle security and quality of service within the same protocol. Routing protocols proposed for ad-hoc networks cope well with a dynamically changing topology [11], but none can defend against malicious attacks. We proposed a source-initiated ad-hoc routing protocol (QuaSAR) [12] that adds quality control to all the phases of an on-demand routing protocol. QuaSAR gathers information about battery power, signal strength, bandwidth and latency during route discovery and uses it in choosing routes. Also, our approach has proactive route maintenance features in addition to the reactive maintenance. Simulation experiments confirm that QuaSAR performs better than Dynamic Source Routing (DSR) in terms of throughput and delivery ratio [12].

3. Comprehensive Software/Hardware Schemes for Security in Ad-hoc Networks

In this section we present our proposed approach to security and QoS in ad-hoc networks. We have divided these proposed research ideas into two broad categories: (i) misbehavior detection, identification and isolation of malicious nodes, and (ii) secure, QoS-aware routing.

3.1 Detecting Misbehavior, Identifying and Isolating Malicious Nodes

3.1.1 Software Monitoring

The algorithms we have developed for misbehavior include detection of packet dropping and packet misrouting, done offline by analyzing the simulation traces. Algorithms to detect attacks on routing protocols also need to be developed. Techniques such as varying both the detection interval and the alert threshold will decrease false positives. To further generate triggers for potential attack scenarios or intrusions on the routing protocol, one can use a model-based pattern analysis technique that is loosely based on an expected model of behavior of the routing protocol being used. This can be done by modeling the protocol activities as a finite state machine, identifying the sequence of unusual state changes, and getting information from the hardware monitor.
Certain learning mechanisms will be incorporated to help with identification. These techniques will help detect both non-cooperative and selfish behaviors, such as nodes that refuse to provide routing service to others (perhaps to conserve battery power) but also ask for and accept service when in need. Experimental results from ns-2 simulations can be used to fine-tune the system. One good way to identify malicious nodes is for each node to initiate the identification process by itself. We can use TCP timeouts, ICMP destination unreachable messages, and route error messages to narrow the malicious node down to a set of two nodes. Once the malicious nodes are identified, the source nodes can use this information in their routing decisions.

3.1.2 Hardware Monitoring

We propose a novel hardware-based node monitoring approach. In this approach a number of monitoring schemes are implemented in hardware. These monitors are kept independent from the node’s software. The hardware schemes observe traffic within the node, the status of queues, and the status of neighboring nodes. The hardware monitor provides information about the node’s potential underperformance to neighbors. The information that is passed on to other nodes includes: packet drop rate above a preset threshold, input queue full rate, and routing modification. Software solutions to identify communication paths that may include a malicious node in ad hoc networks are usually good, but these solutions have problems pinpointing the exact node that is misbehaving. In these cases, the proposed hardware monitoring technique can help software to identify these nodes and, above all, the potential cause of the problem. Hardware detects malicious behaviors through a mechanism called internal monitoring. A hardware monitor observes the behavior of the node’s software and reports to neighboring nodes accordingly.
When a software layer drops packets, the hardware monitor determines the drop rate and, if the drop rate reaches a pre-defined threshold value, reports this to other nodes in the same ad hoc network. The assumption is that all the mobile nodes have the proposed hardware. Internal monitoring is implemented through an adaptive counter that records the packet-dropping rate of the software layers. The counter registers the number of packets dropped during a given period of time. If the counter reaches a threshold value, a reporting mechanism is triggered. Both the period of time and the threshold are adaptive. They can be adjusted according to the traffic and other factors. For example, the detection period could be shortened for a heavily burdened node. Another hardware monitor checks the input buffer to determine the time that this buffer is full. This is an important issue since packet dropping may be due to lack of memory resources. If the time that the buffer is full is higher than a threshold value, the hardware will report this to other nodes. This in turn will indicate to the other nodes that the current node is handling many packets and is not a malicious node.

3.1.3 Software/Hardware Monitoring

The software monitoring will enable us to detect, identify and isolate malicious nodes. With the help of hardware monitoring, the software layer will be able to make a more precise determination of malicious nodes and the causes of potential problems. The software layer will determine the actions that need to be taken to avoid malicious nodes and to improve throughput, quality of service, and/or reliability. It should be pointed out that the hardware flow monitor makes no decisions; rather, it provides independent information to its own node and adjacent nodes. Novel algorithms are going to be developed that take into account this additional information.
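The drop counter and buffer-full monitor of section 3.1.2, and the way the software layer of section 3.1.3 could read their reports, as an added Python example that is not the authors' design. The class names, every threshold, the rule for shortening the period and the traffic figures are assumptions constructed for illustration.

```python
# Added example (not the authors' design): the two internal monitors of section 3.1.2
# and one way a software layer might read their reports. All thresholds are assumed.
from dataclasses import dataclass


@dataclass
class Report:
    node: str
    drops_over_threshold: bool         # drop counter reached its threshold this period
    buffer_full_over_threshold: bool   # input buffer was full longer than allowed


class HardwareMonitor:
    def __init__(self, node, period=1.0, drop_threshold=20,
                 full_fraction=0.5, heavy_load_pps=200, min_period=0.25):
        self.node = node
        self.period = period                  # detection period in seconds (adaptive)
        self.drop_threshold = drop_threshold  # drops per period that trigger a report (adaptive)
        self.full_fraction = full_fraction    # share of the period the buffer may be full
        self.heavy_load_pps = heavy_load_pps  # arrival rate treated as "heavily burdened"
        self.min_period = min_period
        self._clear()

    def _clear(self):
        self.arrivals = self.drops = 0
        self.full_time = 0.0

    def observe(self, arrivals, drops, buffer_full_seconds):
        """Counters the hardware would increment as traffic passes through the node."""
        self.arrivals += arrivals
        self.drops += drops
        self.full_time += buffer_full_seconds

    def close_period(self):
        """End of a detection period: build the report, adapt, reset the counters."""
        report = Report(self.node,
                        self.drops >= self.drop_threshold,
                        self.full_time > self.full_fraction * self.period)
        heavy = self.arrivals / self.period > self.heavy_load_pps
        if heavy and self.period / 2 >= self.min_period:
            # Heavily burdened node: shorten the period and scale the threshold with it.
            self.period /= 2
            self.drop_threshold = max(1, self.drop_threshold // 2)
        self._clear()
        if report.drops_over_threshold or report.buffer_full_over_threshold:
            return report
        return None   # nothing reached a threshold, so nothing is sent to neighbors


def assess(report):
    """Software-layer reading of a neighbor's report; the monitor itself decides nothing."""
    if report is None:
        return "no report"
    if report.drops_over_threshold and report.buffer_full_over_threshold:
        return "overloaded"   # drops are explained by lack of buffer space
    if report.drops_over_threshold:
        return "suspect"      # drops while buffer space was available
    return "congested"        # buffer pressure without excessive drops


def run_scenarios():
    """Constructed figures per node: (arrivals, drops, seconds the buffer was full)."""
    samples = {"selfish": (100, 30, 0.0), "busy": (300, 40, 0.8), "healthy": (100, 2, 0.1)}
    results = {}
    for name, (arrivals, drops, full) in samples.items():
        monitor = HardwareMonitor(name)
        monitor.observe(arrivals, drops, full)
        results[name] = (assess(monitor.close_period()), monitor.period, monitor.drop_threshold)
    return results


if __name__ == "__main__":
    for node, outcome in run_scenarios().items():
        print(node, outcome)
```

The "busy" node has a higher drop count than the "selfish" one, yet only the latter is flagged, because the buffer-full report gives the software layer an independent explanation for the drops.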
Since there is a new independent source of information, the new algorithms for detecting, identifying and isolating malicious nodes will be more precise, with far fewer false positive outcomes. Our groundwork on this project has yielded extremely positive results that need to be fully studied and integrated in the proposed research.

3.2 Secure, QoS-aware Routing

3.2.1 Software Techniques

To achieve an IETF (Internet Engineering Task Force)-compatible protocol specification of the secure routing, we propose extensions of DSR that encapsulate source routing capabilities, but with minimal changes and overhead. Messages such as route request (RREQ) and route reply (RREP) need to be augmented to reflect the malicious nodes or suspicious activity by the nodes in the path, and also quality of service requirements. Above and beyond format specification, a key technical challenge lies in managing RREQ implosion (the “broadcast storm” problem). Some of the techniques we employed in quality of service routing [12] can apply to secure routing. A second issue is the route reply storm problem that is created due to the number of routes that are sent back to the source. Selective route replies that we developed in [12] can be adapted to alleviate this problem. A third issue is that there needs to be a proactive mechanism to preempt route breaks arising due to signal strength weakening (when the mobile node moves out of range), battery power depletion, and memory shortage (node becomes selfish and drops packets). One way to address this is to send a route change request (RCR) to find a new route. In [13], a proactive mechanism is proposed to preempt route breaks based on signal strength measurements. This idea can be enhanced to also include route breaks due to low battery power and memory shortage. Finally, one can incorporate learning mechanisms in the routing process to detect intrusions, including spurious route requests and non-cooperative or selfish behaviors.
The knowledge gained through our misbehavior detection and identification process will be integrated with the routing decisions to further improve the routing performance. Testing and refining these protocols and algorithms in an actual ad-hoc network test-bed would provide us insight into how the proposal works.

3.2.2 Hardware Support

The routing cache monitor is another innovative technique to observe and report changes in the routing. As a routing path is established, information about this path is inserted in a cache memory. As packets for this path pass through the node, the cache checks packet forwarding. If the routing is changed, this may trigger a reporting mechanism of a potential problem. Our cache technique takes advantage of temporal and geographical locality of the packets [8]. When bogus routing information is reported, the routing protocol incorporates this into its routing decisions. We anticipate that using this additional information will further enhance the security and performance of the network.

4. Implications and Future Research

In this position paper, we claim that to realize secure communication in ad-hoc networks, one needs to develop comprehensive techniques to detect, identify and isolate malicious nodes in the network and then integrate this information into routing decisions. Based on our preliminary results and our experience, we believe such integration would not only improve the security of the network but also its performance. In our experience, software-only solutions have given us good detection effectiveness in terms of malicious behavior detection and a reasonable false positive level. Providing an independent source of monitoring with hardware integrated into the software layers would greatly reduce the false positives and increase the detection effectiveness of our techniques. Further, using a route-cache monitor would greatly enhance routing security.
This multi-layer hardware/software approach will significantly enhance the security and performance of mobile ad-hoc networks. As explained in this position paper, we have come to the conclusion that having two independent monitors (software and hardware monitors) could lead to a significant enhancement of security and performance of mobile ad-hoc networks.

5. References

[1] S. Medidi, M. Medidi, and S. Gavini, “Detecting Packet Dropping Faults in Mobile Ad-hoc Networks,” In Proc. of IEEE ASILOMAR Conference on Signals, Systems and Computers, volume 2, pp. 1708–1712, 2003.
[2] S. Medidi, M. Medidi, S. Gavini, and R. L. Griswold, “Detecting Packet Mishandling in MANETs,” In Proc. of Security and Management Conference, pp. 40–44, 2004.
[3] R. L. Griswold and S. Medidi, “Malicious Node Detection in Ad-hoc Wireless Networks,” In Proc. SPIE AeroSense Conference on Digital Wireless Communications, volume 5100, pp. 40–49, April 2003.
[4] S. Marti, T. J. Giuli, K. Lai, and M. Baker, “Mitigating routing misbehavior in mobile ad hoc networks,” In Proc. of ACM SIGCOMM, pp. 255–265, 2001.
[5] S. Buchegger and J. Y. Le Boudec, “Nodes bearing grudges: Towards routing security, fairness, and robustness in mobile ad hoc networks,” In Proc. of the Parallel, Distributed and Network-based Processing, pp. 403–410, Jan. 2002.
[6] J. Liu and J. Delgado-Frias, “DMAQ Self-Compacting Buffer Schemes for Systems with Network-on-Chip,” In Proc. of Int. Conf. on Computer Design, pp. 97–103, 2005.
[7] J. Nyathi and J. G. Delgado-Frias, “A Hybrid Wave-Pipelined Network Router,” IEEE Transactions on Circuits and Systems, 49(12): 1764–1772, Dec. 2002.
[8] J. J. Rooney, J. G. Delgado-Frias, and D. H. Summerville, “An Associative ternary cache for IP routing,” In Proceedings of IEE Section E: Computers and Digital Techniques, volume 151, pp. 409–416, 2004.
[9] D. H. Summerville, J. G. Delgado-Frias, and S.
Vassiliadis, “A Flexible Bit-Associative Router for Interconnection Networks,” IEEE Transactions on Parallel and Distributed Systems, 7(5): 477–485, 1996.
[10] T. Chiueh and P. Pradhan, “Cache Memory Design for Internet Processors,” 6th Symposium on High Performance Computer Architecture (HPCA-6), Toulouse, France, January 2000.
[11] D. B. Johnson, D. A. Maltz, Y. C. Hu, and J. G. Jetcheva, “The dynamic source routing protocol for mobile ad hoc networks (DSR),” Internet draft, Mar. 2003. www.ietf.org/proceedings/03mar/I-D/draft-ietf-manet-dsr-08.txt
[12] S. Medidi and K. Vik, “QoS-Aware Source-Initiated Ad-hoc Routing,” In Proc. of IEEE Conference on Sensor and Ad Hoc Communications and Networks, pp. 108–117, Oct. 2004.
[13] T. Goff, N. Abu-Ghazaleh, D. Phatak, and R. Kahvecioglu, “Preemptive routing in ad hoc networks,” Journal of Parallel and Distributed Computing, 63(2): 123–140, 2001.

An Anonymous MAC Protocol for Wireless Ad Hoc Networks

Shu Jiang
Dept. of Computer Science, Texas A&M University
jiangs@cs.tamu.edu

Abstract

Anonymity is an important privacy feature in communication networks. Providing anonymity support in wireless ad hoc networks is a challenging task, which involves such issues as anonymous routing, anonymous data forwarding, etc. To make a data packet untraceable, an appealing approach is to hide the receiver of the packet at each hop on its forwarding route. This can be achieved conveniently in wireless ad hoc networks, with link encryption and broadcasting of the packet. We propose a MAC protocol that provides reliability service for anonymous data packets. The protocol is designed to withstand a powerful adversary who can locate and track all nodes and link the source of each transmission to a particular node. It is shown that there is a trade-off between reliability and anonymity.
Keywords: MAC protocol, Anonymous transmission, Reliability

1 Introduction

A wireless ad hoc network can be formed by a set of mobile hosts that communicate over a wireless medium. Due to ease of deployment, it has many applications in military (e.g., battlefield) as well as civilian (e.g., conference) environments. However, the use of a wireless medium makes it vulnerable to eavesdropping and node intrusion attacks. Therefore, communication privacy is a major concern for this type of network. As an important part of privacy, connection anonymity improves security by making it difficult for adversaries to trace network routes and nodes at the end of those routes. In tactical networks, the connection information, i.e., who is communicating with whom, may pose serious threats to the success of covert missions [7].

Achieving connection anonymity is challenging in wireless ad hoc networks, where routing of data packets requires cooperation of all network nodes. There are two types of routing algorithms. Several routing algorithms such as AODV [9] and DSDV [8] maintain a routing table at each node, which contains the next hop information (e.g., node address) for delivering packets to different destination nodes. During data forwarding, the destination of a packet must be exposed so that a node currently holding the packet can query its routing table and decide where to forward the packet. Source routing algorithms such as DSR [6] maintain a route cache at each node, which contains “source routes” to other nodes. During data forwarding, each packet carries the entire route to its destination inside the packet header and all intermediate nodes forward a packet based on the route. Both types of routing algorithms allow eavesdroppers or compromised nodes to trace a data flow easily, unless suitable mechanisms are in place.

To provide anonymity support in wireless ad hoc networks, several schemes have been proposed recently in the literature [7, 3, 14].
Generally, an anonymity scheme consists of two components, i.e., an anonymous routing protocol and an anonymous data forwarding protocol. The anonymous routing protocol finds routes between nodes without disclosing the source and destination of each route. It is also responsible for route maintenance when the network topology changes. The anonymous data forwarding protocol enables forwarding of data packets along the established routes and prevents eavesdroppers or compromised nodes from detecting the source and destination of each packet.

Take ANODR [7] as an example. An anonymous route discovery process establishes an on-demand route between two nodes. Each hop en route is assigned a unique route pseudonym, and each node on the route stores the correspondence between the route pseudonyms of its previous hop and its next hop in a forwarding table. Data packets are forwarded based on the route pseudonyms. Specifically, the source node of a connection stamps its packets with the route pseudonym of the first hop on the route and broadcasts each packet locally. The receiver MAC address of each packet is set to all-1’s, the predefined broadcast address. All local receiving nodes must look up the route pseudonym in their forwarding tables. A node discards the packet if no match is returned. Otherwise, it changes the route pseudonym to the one associated with the next hop, and then broadcasts the changed data packet locally. The procedure is repeated until the data packet arrives at the destination. To make data forwarding untraceable, the protocol ensures unlinkability of route pseudonyms and payloads.

It is appealing to transform a unicast packet into a broadcast packet, for the purpose of hiding its receiver, during data forwarding. This should make it more difficult for adversaries to trace a packet. Also, it incurs negligible overhead, because broadcast is an inherent property of wireless transmission.
ANODR employs this method and uses the route pseudonym as an “implicit address” [11] of the receiver node of each local broadcast. This method can also be applied to a source routing scheme, with two levels of encryption involved. One is the encryption of the source route. The objective is that each intermediate node only knows its previous and next neighbors on the route, instead of the entire route. For this purpose, we can either use the connectionless approach used by Chaum’s MIX network [4], or use the connection-based approach used by the Onion Routing protocol [12]. Another level of encryption is per-hop packet payload encryption, or link encryption. The IEEE 802.11 MAC protocol provides support for link encryption, usually referred to as WEP (Wired Equivalent Privacy) [5]. A shared secret between the two nodes at each end of a link is used as the WEP key to encrypt and decrypt the packet payload. With link encryption, the next hop node address of a packet at each hop can be hidden in an inserted and encrypted pseudo MAC header, while the apparent destination address in the MAC header is all-1’s. At each hop, the packet is broadcast locally. All local receiving nodes will try to decrypt the packet payload and extract the receiver node address in the pseudo header. If a node’s address matches the receiver address, then it is the intended receiver of the packet. The node should find the address of the next hop node, change the pseudo header, reencrypt the packet payload and broadcast the packet. The procedure is repeated until the packet arrives at the destination.

An anonymity scheme based on the anonymous broadcast technique is resistant against both outside eavesdroppers and compromised nodes. As shown in [7], compromised nodes may expose multiple segments of a route, but it is hard to link together the compromised segments. Link encryption and use of mixing techniques (e.g., dummy packets) effectively prevent outside eavesdroppers from launching traffic analysis attacks.
However, this scheme cannot ensure reliable delivery of a packet at each transmission, due to the lack of support in the IEEE 802.11 MAC protocol. To overcome the problem, ANODR proposes using anonymous acknowledgments. In the protocol, upon receipt of a data packet, the receiver should locally broadcast an anonymous ACK packet, and if the sender does not receive the anonymous ACK, it should retransmit the data packet (up to a maximum limit). In an anonymous ACK packet, the source and destination MAC addresses are both set to all-1’s. This prevents an eavesdropper from deducing the receiver of a data packet from the sender of the ensuing ACK packet. But if the adversary is capable of locating a transmitting node [1, 13], masking the source MAC address is not sufficient to hide the node identity. For example, the adversary can deploy many near-invisible sensors (e.g., cameras) to locate and track all nodes in a particular area. In this case, the anonymous acknowledgment scheme could compromise untraceability of routes.

[Figure 1: POLL frame format. Fields: Frame Control, Duration, RA, TA (MAC header), IV, Sequence, Padding, FCS; part of the frame is marked as encrypted.]

[Figure 2: REPLY frame format. Fields: Frame Control, Duration, RA (MAC header), IV, Sequence, Bitmap, Padding, FCS; part of the frame is marked as encrypted.]

In this paper, we propose a MAC protocol to improve reliability of anonymous broadcasts. Our protocol is resistant against the powerful eavesdroppers described above, who can reveal the senders of all transmissions. In our protocol, each node broadcasts a batch of data packets, instead of one data packet, at a time. The packets in the batch may be addressed to different receivers. It is possible that some packets are lost due to collisions or interference. In order to deliver as many packets as possible, the sender needs to query every receiver about its receiving status and decide which packets need to be retransmitted. This is achieved by a polling scheme.
The sender selects a subset of neighbors and sends POLL messages to each of them individually. Each node being polled should send a REPLY message back. All messages are encrypted and contain information such as the sequence numbers of received packets. The polling list is constructed independently from the list of receivers to which data packets have been sent, so the adversary cannot build strong links between the two lists.

The rest of the paper is organized as follows. In section 2, we describe the details of the protocol design. In section 3, we present a security analysis of the protocol. In section 4, we show the performance evaluation results of the protocol obtained from ns-2 [2] simulations. Finally, section 5 concludes the paper.

[Figure 3: Anonymous data frame. Fields: Frame Control, Duration, RA, TA (MAC header), IV, pseudo header (RA, Sequence, Padding), Message, FCS; part of the frame is marked as encrypted.]

2 Protocol Design

In this section, we describe the details of the proposed anonymous MAC protocol. To conform with the IEEE 802.11 protocol, we call units of transmission “frames”, instead of packets. This protocol serves two purposes. First, it can hide the receiver of a unicast data frame. This is achieved by transforming a unicast frame into a broadcast frame and encrypting the receiver node address along with the frame payload. We assume that the sender and receiver share a secret WEP key. Since the receiver of a transmitted data frame is not identified by an explicit node address, each node within the sender’s transmission range could be the receiver. These nodes comprise the “anonymity set” [10] for the frame. Second, it provides reliability for anonymous data frames. This service is provided under the premise that it does not compromise receiver anonymity of the frames. We assume a strong adversary model, where the adversary can link the source of each transmission to a particular node. In other words, there is no source anonymity of frames.
We design a sender-initiated polling mechanism to achieve the goal. In the following, we first define the formats of the control frames and the anonymous data frame, and then describe the sender’s protocol and the receiver’s protocol.

2.1 Frame Format

Fig. 1 shows the format of a POLL frame. The RA is the address of the node being polled, and the SA is the address of the node transmitting the POLL frame. The duration value is the time required to complete the current poll, which is calculated as the transmission time of a REPLY frame plus one SIFS interval. The IV is the initialization vector used in WEP encryption. The sequence number is explained below. The padding is a number of random bytes produced to prevent content attack (explained in section 3). The last two fields comprise the plaintext for encryption.

Fig. 2 shows the format of a REPLY frame. The RA is the address of the node transmitting POLL. The sequence number and bitmap fields are used by the ARQ protocol (explained below). The padding field has the same function as in the POLL frame.

Fig. 3 shows the format of an anonymous data frame. The pseudo header has three fields: RA is the address of the intended recipient node, Sequence is the sequence number assigned to the frame, and Padding is a number of random bytes.

2.2 Sender’s Protocol

Each node maintains a FIFO queue, holding frames that are waiting to be transmitted or retransmitted. When a new frame is received from the upper layer, it is given a sequence number. The sender and receiver use this sequence number to track and retransmit lost frames. For this purpose, each node $i$ maintains a variable $SN_{ij}$ with respect to each neighbor node $j$. $SN_{ij}$ is initialized to 0 at system setup time. For each new frame transmitted to $j$, node $i$ assigns $SN_{ij}$ to the frame and increments $SN_{ij}$ by 1. This ensures that node $j$ receives frames from node $i$ with contiguous sequence numbers. If a number is missing, the frame must have been lost during transmission.

At each node $i$, with respect to each neighbor node $j$, a sending window $[L_{ij}, H_{ij}]$ is maintained to record the range of sequence numbers of frames stored in the queue. $L_{ij}$ is the lowest sequence number of frames, from $i$ to $j$, currently in the queue, while $H_{ij}$ is the highest sequence number. Node $i$ advances $L_{ij}$ in two cases:

a) Node $j$ acknowledges receipt of the frame with sequence number $L_{ij}$;
b) Node $i$ fails to transmit the frame with sequence number $L_{ij}$ after a maximum number of attempts and discards it.

[Figure 4: An illustration of the scheme. Timeline of POLL, REPLY and DATA frames separated by SIFS and 2 * SIFS gaps.]

At each node $i$, if the queue is not empty, the following algorithm is executed:

1. Node $i$ follows the CSMA/CA protocol in IEEE 802.11 to obtain the right to transmit. It works as follows. The node first senses the channel. If the channel is busy, it just waits until the channel becomes idle. If the channel has been idle for at least a DIFS period (= 50 μs), the node enters a state of collision avoidance and backs off from transmitting for a number of time slots, where the number is chosen at random within the contention window. In the collision avoidance state, if the channel is sensed busy, the node will suspend its backoff timer immediately and resume the timer only after the channel is again sensed free for a DIFS period. When the backoff timer counts down to zero, go to step 2.

2. Node $i$ constructs a polling set by adding all receivers of data frames currently in the queue. If the polling set size is smaller than a preset value, it randomly chooses nodes within the transmission range to add in.

3. Node $i$ polls nodes in the polling set in a random order. If a polled node is $j$, the corresponding POLL frame has the current value of $L_{ij}$ in its sequence field. For each polled node, after node $i$ transmits the POLL frame, it switches to the receiving mode and waits for a reply. If the channel is still free after two SIFS intervals, node $i$ assumes that the polled node did not receive the POLL frame and starts polling the next node. If a valid REPLY frame is received from the polled node, node $i$ will update its state based on the information in it (e.g., releasing acknowledged frames, advancing the sending window, incrementing retry counters of unacknowledged frames), and polls the next node after one SIFS interval. If node $i$ receives a corrupted REPLY frame or senses a busy medium during the interval, it will follow the binary exponential backoff algorithm in 802.11 and go to step 1.

4. If all nodes in the polling set have been polled, the nodes from which REPLY frames are successfully received are “available receivers”. Node $i$ transmits only those frames in the queue that are addressed to available receivers, so some frames may be skipped. For a retransmitted frame, node $i$ needs to change the padding value in the pseudo header and reencrypt the frame. Consecutive frames are spaced by SIFS intervals. There is a maximum number of frames that can be transmitted in a batch. This is a system parameter whose value affects the system performance. In our experiments, we set it to 4.

The possibility exists, especially when the network load is extremely high, that node $i$ receives no REPLY frames from any polled nodes. In this case, node $i$ would abort the transmission, follow the binary exponential backoff algorithm and go to step 1. If a node fails to reply to consecutive polls a maximum number of times, the link is assumed to be broken and all frames to be sent on that link are purged from the sender’s queue.

2.3 Receiver’s Protocol

At each node $j$, with respect to each neighbor node $i$, a receiving window is maintained to record the sequence numbers of received frames. In the Selective Repeat ARQ protocol, a common approach is to use two variables to implement a receiving window: a Lowest Bound $LB_{ji}$ and a one-byte Bitmap $BM_{ji}$. All frames from $i$ with sequence numbers lower than $LB_{ji}$ have been received. $BM_{ji}$ indicates the receiving status of frames whose sequence numbers are higher than $LB_{ji}$. Specifically, if the $k$-th bit of $BM_{ji}$ is 1, it means that the frame with sequence number $LB_{ji} + k$ has been received. For example, an $LB_{ji}$ of 100 and a $BM_{ji}$ of 11100110 indicate that node $j$ has correctly received frames 0-99, 101, 102, 105, 106, 107, whereas frames 100, 103, 104 were lost.

Node $j$ advances its receiving window in two cases:

a) When a POLL from node $i$ is received, if $L_{ij} > LB_{ji}$, it means that the sender node $i$ has advanced its sending window and given up its attempts to retransmit frames lower than $L_{ij}$. This could happen when node $j$ experienced temporary severe interference. In this case, node $j$ synchronizes its receiving window with node $i$’s sending window by advancing $LB_{ji}$ to $L_{ij}$.

b) When a data frame from node $i$ is received, if its sequence number matches $LB_{ji}$, then node $j$ can advance its receiving window, i.e., incrementing $LB_{ji}$ by 1 and right-shifting $BM_{ji}$ by one bit. Node $j$ can repeat the adjustment until the lowest bit of $BM_{ji}$ is 0. If the sequence number of the received data frame is larger than $LB_{ji}$ and is not a duplicate, $BM_{ji}$ is updated to indicate the receiving status.

Unlike many Selective Repeat ARQ based protocols, we do not maintain a “receiver buffer” at the MAC layer to hold out-of-sequence frames. Instead, a receiver passes each received frame immediately to the upper layer (i.e., network). There are two reasons. First, this reduces the queueing delay. Second, frames transmitted on a link belong to different end-to-end flows and typically have different next hop receivers. Frame loss of one flow should not affect the frame delivery of other flows. This is similar to the head-of-line problem in router design. By relaxing the in-sequence constraint, we can increase the overall network throughput.
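The sender's and receiver's window rules from sections 2.2 and 2.3, as an added Python example that is not code from the paper: one link is driven through POLL, REPLY and DATA rounds with a constructed loss pattern. Class and method names, the retry limit of 3 and the choice to drop frames that fall outside the one-byte bitmap are assumptions; the batch size of 4 is the paper's setting.

```python
# Added example (not from the paper): per-link windows of sections 2.2 and 2.3.
# Names, the retry limit and the loss pattern are illustrative assumptions.

class ReceiverWindow:
    """Kept at the receiving node for frames arriving from one neighbor."""

    def __init__(self, lb=0, bitmap=0):
        self.lb = lb          # Lowest Bound: every lower sequence number is settled
        self.bitmap = bitmap  # one byte; bit k set means frame lb + k was received

    def received(self):
        return [self.lb + k for k in range(8) if self.bitmap >> k & 1]

    def _slide(self):
        # Advance past frames already received until the lowest bit is 0.
        while self.bitmap & 1:
            self.lb += 1
            self.bitmap >>= 1

    def on_poll(self, sender_low):
        """Case (a): resynchronise with the sender's window, then build the REPLY."""
        if sender_low > self.lb:
            # Assumption: the bitmap shifts with the bound so bit k still means lb + k.
            self.bitmap = (self.bitmap >> (sender_low - self.lb)) & 0xFF
            self.lb = sender_low
            self._slide()
        return self.lb, self.bitmap

    def on_data(self, seq):
        """Case (b): True if the frame is new and is passed to the upper layer."""
        k = seq - self.lb
        if k < 0 or k > 7 or self.bitmap >> k & 1:
            return False      # duplicate, or outside the bitmap (assumed to be dropped)
        self.bitmap |= 1 << k
        self._slide()
        return True


class SenderWindow:
    """Kept at the sending node for frames queued toward one neighbor."""

    def __init__(self, max_attempts=3):
        self.next_seq = 0     # per-neighbor sequence counter, starts at 0
        self.attempts = {}    # queued sequence number -> transmissions so far
        self.max_attempts = max_attempts  # assumed retry limit

    def enqueue(self):
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        self.attempts[seq] = 0
        return seq

    @property
    def low(self):
        """Lowest sequence number still queued; carried in the POLL sequence field."""
        return min(self.attempts, default=self.next_seq)

    def on_reply(self, lb, bitmap):
        for seq in sorted(self.attempts):
            k = seq - lb
            if k < 0 or (k <= 7 and bitmap >> k & 1):
                del self.attempts[seq]   # acknowledged: release the frame
            elif self.attempts[seq] >= self.max_attempts:
                del self.attempts[seq]   # give up: the window advances past it

    def batch(self, max_batch=4):
        """Oldest queued frames that fit the receiver's 8-frame bitmap."""
        low = self.low
        seqs = [s for s in sorted(self.attempts) if s - low <= 7][:max_batch]
        for s in seqs:
            self.attempts[s] += 1
        return seqs


def run_link(loss_plan, frames=6):
    """Drive POLL / REPLY / DATA rounds; loss_plan[r] is the set of frames lost in round r."""
    tx, rx, delivered, trace = SenderWindow(), ReceiverWindow(), [], []
    for _ in range(frames):
        tx.enqueue()
    for lost in loss_plan:
        lb, bitmap = rx.on_poll(tx.low)   # POLL carries tx.low, REPLY carries (lb, bitmap)
        tx.on_reply(lb, bitmap)
        for seq in tx.batch():
            if seq not in lost and rx.on_data(seq):
                delivered.append(seq)     # passed up immediately, possibly out of order
        trace.append((lb, format(bitmap, "08b"), tx.low))
    return delivered, trace, (rx.lb, rx.bitmap)


if __name__ == "__main__":
    print(run_link([{0, 3}, {0}, {0}, set(), set()]))
```

In the constructed run, frame 0 is lost three times and abandoned; the next POLL then carries a lower window edge of 6, and the receiver's case (a) moves its Lowest Bound from 0 to 6 in one step.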
Notice that to provide reliable message delivery for users, the destination node now has responsibility for sequencing.

The described protocol is illustrated in Fig. 4. In the figure, the first polled node does not send a REPLY frame, probably because it did not receive the POLL. Therefore, the sender sends the second POLL (to a different node) after two SIFS intervals. Since any node can transmit if the channel remains free for DIFS, having the sender transmit the second POLL earlier, without waiting for the transmission time of a REPLY frame, prevents any neighbor from interrupting the polling process. The second and third POLLs are replied to. Each polled node transmits the REPLY frame immediately, after one SIFS interval. Data frames in the current batch are transmitted continuously, with one SIFS spacing between two consecutive frames. So, during the entire process, the medium is never idle for more than two SIFS intervals.

[Figure 5: Different attacking scenarios against MIX. (a) in a switching network; (b) in an anonymous broadcast network.]

3 Security Analysis

In this section, we present a security analysis of the protocol. The objective of an adversary is to trace a packet from its source to its destination. To achieve this goal, the adversary needs to reveal the receiver of the packet at each hop while it is being forwarded. In our protocol, the receiver address at each hop is encrypted in the pseudo header of the packet. We assume that the adversary is not capable of breaking the link encryption through cryptanalysis. He or she has only two choices. One is to compromise nodes. Another is to launch a traffic analysis attack.

3.1 Compromised node

If a node is compromised, the adversary can immediately reveal a partial route of each packet forwarded by the node. Whether the entire route of a packet can be revealed depends on whether there are enough compromised nodes on the route such that the exposed segments can be linked together.
Kong et al.’s analysis on route traceability in the presence of compromised nodes also applies here [7]. When there are compromised nodes in a sender’s neighbor set, the maximum receiver anonymity that can be achieved for a packet is determined by the number of uncompromised nodes in the set. In the current design, the polling set is a subset of the sender’s neighbor set. A more secure design is to make the polling set be exactly the sender’s neighbor set. However, our simulation results show that the performance of this design would be very poor when the average node degree is more than 6. The current design tries to implement a trade-off between security and performance.

3.2 Traffic analysis attack

For a conventional MIX, the attacker tries to find a correlation between an input message and an output message of the MIX. To achieve this goal, the attacker can utilize message content, size, timing information, or can manipulate the input and output messages. Specifically, a content attack compares the contents of two messages bit by bit, looking for a match; a size attack examines the message lengths and is only effective against protocols using variable-length messages; a timing attack searches for temporal dependencies between transmissions. The flooding attack (a.k.a. node flushing attack, n-1 attack) is a special form of content attack. In the case of a simple threshold MIX, which flushes after receiving n messages, the attack proceeds as follows: when the attacker observes a targeted message entering the MIX, it sends n-1 messages into the MIX to make it fire. Since the attacker can recognize all his own messages when they leave the MIX, the remaining one must be the targeted message and its destination is revealed.

The above description of traffic analysis attacks applies to MIXes in a switching network.
In an anonymous broadcast network, each attack may take a slightly different form, in that the attacker searches for correlation between apparently independent transmissions by different nodes (see Fig. 5). For example, node ✡ transmits a frame at time ✄, and node ☞, one of its neighbors, transmits at time ✄ ✁☎. This may suggest that node ☞ is the receiver of node ✡’s frame and is forwarding the frame to its next hop. However, for this timing attack to succeed, the following conditions must be satisfied:

1. The queue is empty when node ☞ receives the frame, and
2. All other neighbors of node ✡ have no frames to transmit.

If any of the above conditions is not satisfied, then the probability of a successful attack would be reduced, due to a larger delay between two transmissions of the same frame. This suggests that each node having a non-empty queue, i.e., always being in saturation mode, benefits security. The queue here serves a similar function as the “pool” in a conventional MIX. Again, there is a trade-off between security and performance. In the current design, the scheme does not generate dummy data frames, and only generates dummy polls, based on the assumption that network users provide enough traffic load. However, it can be easily extended to apply to low-traffic networks, by allowing nodes to generate dummy data frames.

It is worth noting that the proposed scheme does batching and reordering in a different fashion than a conventional MIX. Frames are transmitted first-in-first-out on a per-destination basis, but on the node level, frames are transmitted in a different order than when they arrive.

The scheme is also very efficient in achieving the security goal. With one broadcast, all neighbors receive a masked data frame. To an unintended receiver, it provides a cover for the node’s ensuing transmissions. To achieve the same effect in a switching network, multiple transmissions on explicit links to neighbors are needed.
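To put numbers on the two conditions listed above, the following added example (not from the paper) evaluates a simplified model of how often the next frame heard after a broadcast really is the forwarded copy. The model is an assumption of this sketch: each neighbor's queue is independently non-empty with probability `q`, and backlogged nodes win the channel in uniformly random order; `link_probability`, `simulate` and `table` are hypothetical helper names.

```python
"""Simplified model of the timing-correlation conditions listed above.

Added illustration, not from the paper. Assumptions: each neighbor's queue is
independently non-empty with probability q, and backlogged nodes win the
channel in uniformly random order (a stand-in for fair MAC contention).
"""
import random
from math import comb


def link_probability(k: int, q: float) -> float:
    """P(next frame heard after the sender's broadcast is the forwarded copy).

    k: number of neighbors of the sender, the true receiver included.
    q: probability that a given neighbor already has frames queued.
    """
    if k < 1 or not 0.0 <= q <= 1.0:
        raise ValueError("need k >= 1 and 0 <= q <= 1")
    # Condition 1: the receiver's queue is empty, so the frame goes out next.
    receiver_idle = 1.0 - q
    # Condition 2 relaxed: m of the other k-1 neighbors are backlogged and
    # the receiver transmits before all of them with probability 1/(m+1).
    goes_first = sum(
        comb(k - 1, m) * q**m * (1.0 - q) ** (k - 1 - m) / (m + 1)
        for m in range(k)
    )
    return receiver_idle * goes_first


def simulate(k: int, q: float, trials: int = 100_000, seed: int = 1) -> float:
    """Monte Carlo cross-check of link_probability under the same model."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        if rng.random() < q:
            continue                      # receiver backlogged: frame waits
        rivals = sum(rng.random() < q for _ in range(k - 1))
        if rng.randrange(rivals + 1) == 0:
            hits += 1                     # receiver forwarded before any rival
    return hits / trials


def table(k: int, loads=(0.0, 0.2, 0.5, 0.8, 1.0)):
    """(load, probability) rows showing the effect of queue occupancy."""
    return [(q, round(link_probability(k, q), 4)) for q in loads]


if __name__ == "__main__":
    for q, p in table(6):                 # constructed case: 6 neighbors
        print(f"q={q:.1f}  P(correct link)={p:.4f}")
```

With six neighbors the probability falls from 1.0 on an idle network to about 0.16 when queues are non-empty half the time, which is the benefit of saturation the text describes.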
In addition to timing attack, the proposed scheme is also resistant to other attacks. As we mentioned, the padding in a frame’s pseudo header must be changed when the frame is retransmitted. This prevents content attack. Size attack is prevented by using fixed-size data frames. Per-hop encryption of frames effectively stops flooding attack.

4 Performance Evaluation

In this section, we present the simulation experiments we have carried out to evaluate the performance of our protocol using the Network Simulator, ns-2 [2]. We present results obtained from experiments in a static wireless ad hoc network which consists of 50 nodes. The radio interface of each node simulates the commercial 914MHz Lucent WaveLAN DSSS radio interface with the transmission range of 250m and the nominal data rate of 2 Mbits/sec. The ns-2 simulator uses the Two-ray Ground model to simulate radio signal propagation in open space. In our experiments, nodes are randomly distributed in a 1000m x 1000m square area, and there are 20 CBR connections in the network that generate traffic. The source-destination pairs are randomly chosen from all nodes. The source node of each connection continuously generates data packets of 512 bytes. The average packet generation rate is a parameter that can be varied to control the traffic load. For each connection, a shortest path set is computed at simulation start-up time. Then, when each packet is generated, a path in the set is selected for routing the packet. We do not use a dynamic routing algorithm because we wish to isolate the behavior of our protocol. In each experiment, the simulation run time is 600 seconds. Results are averaged over 10 runs with identical parameter values but different seeds for the random number generator.

Figure 6: Data Packet Delivery Ratio (delivery fraction versus packet generation rate in pkt/s, for No Ack and MIN_POLLING_SET_SIZE = 2, 3, 4)

In Fig.
6, we show the end-to-end data packet delivery fractions under different traffic loads. For comparison purpose, we also show the performance of a “pure” broadcast scheme, i.e., without acknowledgment. We can see that even with light traffic load, the pure broadcast cannot ensure delivery of all frames, and when traffic load increases, its delivery fraction drops fast. At the same time, our scheme achieves significantly higher delivery fractions. The figure also illustrates the effects of the minimal polling set size on the performance. When a larger polling set is required, the duration of the polling process has to be longer, which increases the probability that a data frame is corrupted by hidden nodes’ transmissions. In Fig. 7, we show the average end-to-end data packet latency under different traffic loads. Since the network is static, there is no routing delay. We also ignore the CPU processing delay at each intermediate node. Therefore, the end-to-end packet latency here includes queueing delays, retransmission delays and propagation delays. It is shown that, on the average, our scheme has much higher packet latency than unreliable, pure broadcast scheme. This is caused by retransmission and batching. When the minimal polling set size increases, the packet latency increases very fast, especially when traffic load is high. The reason is that a larger polling set means higher probability of transmission failure, which makes each node wait for a longer time before next retry. If user’s application has delay constraint, a trade-off on security may be needed. In Fig. 8, we show the overhead of our scheme under different traffic loads. 
We use the metric normalized control byte overhead, which is defined as the total bytes of transmitted control data (POLL, REPLY, MAC header) divided by the total bytes of received data payloads by all nodes. For pure broadcast, this overhead is a constant, equal to the size of a MAC header divided by the size of a MAC frame body. It is shown that the normalized control overhead decreases as the traffic load increases. The reason is that, in this case, there tend to be multiple frames in a node’s queue, and each polling process can be followed by multiple data transmissions. In other words, each polling is more efficient. Another observation is that the normalized control overhead is high when the minimal polling set size is large. This is because more dummy POLLs may need to be generated to meet the minimal polling set size constraint.

Figure 7: End-to-end Data Packet Latency (average data packet latency in msec versus packet generation rate in pkt/s, for No Ack and MIN_POLLING_SET_SIZE = 2, 3, 4)

Figure 8: Normalized Control Bytes (normalized control bytes versus packet generation rate in pkt/s, for No Ack and MIN_POLLING_SET_SIZE = 2, 3, 4)

5 Conclusions

In this paper, we present the design of an anonymous MAC protocol for wireless ad hoc networks. We set two goals for the protocol. One is receiver anonymity. Another is reliability. The former is achieved with link encryption and broadcasting of data frames. The latter is achieved by a selective repeat retransmission scheme, combined with a polling mechanism. We present a security analysis of the protocol and discuss its behavior under different attacks. We also evaluated the performance of the protocol. Simulation results indicate that the protocol increases the packet delivery ratio at a cost of larger packet latency.
It is also shown that different trade-offs between the two goals can be achieved by varying a parameter value. This protocol could be combined with a source routing algorithm such as DSR to provide a good solution for connection anonymity in wireless ad hoc networks.

6 Acknowledgements

We are extremely grateful to Prof. Nitin H. Vaidya for inspiring discussions and critical comments during the preparation of this paper.

References

[1] P. Bahl and V. N. Padmanabhan. RADAR: An in-building RF-based user location and tracking system. In IEEE INFOCOM, pages 775–784, 2000.
[2] U. Berkeley, LBL, USC/ISI, and Xerox-PARC. ns notes and documentation, 2003. http://wwwmash.cs.berkeley.edu/ns.
[3] A. Boukerche, K. El-Khatib, L. Xu, and L. Korba. A novel solution for achieving anonymity in wireless ad hoc networks. In ACM Workshop on Performance Evaluation of Wireless Ad Hoc, Sensor, and Ubiquitous Networks (PE-WASUN 2004), Venice, Italy, Oct. 2004.
[4] D. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84–88, Feb. 1981.
[5] IEEE. IEEE std 802.11, 1999 edition, wireless LAN medium access control (MAC) and physical layer (PHY) specifications. http://standards.ieee.org/getieee802/802.11.html.
[6] D. Johnson and D. A. Maltz. Dynamic source routing in ad hoc wireless networks. In T. Imielinski and H. Korth, editors, Mobile Computing, volume 353, pages 153–181. Kluwer Academic Publishers, 1996.
[7] J. Kong and X. Hong. ANODR: Anonymous on demand routing with untraceable routes for mobile ad-hoc networks. In MobiHoc’03, Annapolis, MD, USA, June 2003.
[8] C. Perkins and P. Bhagwat. Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers. In ACM SIGCOMM’94 Conference on Communications Architectures, Protocols and Applications, pages 234–244, 1994.
[9] C. E. Perkins. Ad-hoc on-demand distance vector routing. In MILCOM ’97, 1997.
[10] A. Pfitzmann and M. Köhntopp. Anonymity, unobservability, and pseudonymity: A proposal for terminology. Draft, version 0.14, Jul 2000.
[11] A. Pfitzmann and M. Waidner. Networks without user observability – design options. In EUROCRYPT’85, volume 219 of Lecture Notes in Computer Science. Springer-Verlag, 1985.
[12] M. G. Reed, P. F. Syverson, and D. M. Goldschlag. Anonymous connections and onion routing. In IEEE Symposium on Security and Privacy, Dec. 1997.
[13] A. Smailagic and D. Kogan. Location sensing and privacy in a context-aware computing environment. IEEE Wireless Communications, 9(10), Oct. 2002.
[14] X. Wu and B. Bhargava. AO2P: Ad hoc on-demand position-based private routing protocol. IEEE Transactions on Mobile Computing, 2005.

Opportunistic Networks: The Concept and Research Challenges in Privacy and Security

Leszek Lilien, Zille Huma Kamal, Vijay Bhuse, and Ajay Gupta
WiSe (Wireless Sensornet) Lab, Department of Computer Science, Western Michigan University, Kalamazoo, MI 49008, USA
{llilien, zkamal, vsbhuse, gupta}@cs.wmich.edu

Abstract: We introduce a new paradigm and a new technology, which we call opportunistic networks or oppnets. An oppnet grows from its seed—the original set of nodes employed together at the time of the initial oppnet deployment. The seed grows into a larger network by extending invitations to join the oppnet to foreign devices, node clusters, or networks that it is able to contact. A new node that becomes a full-fledged member, or helper, may be allowed to invite external nodes. All helpers collaborate on realizing the goals of the oppnet. They can be employed to execute different kinds of tasks, even though in general they were not designed to become elements of the oppnet that invited them. Oppnets, as an epitome of pervasive computing, are subject to significant privacy and security challenges, inherent to all pervasive systems. To the best of our knowledge, we are the first to define and investigate opportunistic networks.
Keywords: Computer networks, opportunistic networks, privacy, security, pervasive computing, emergency response, disaster recovery

1. Introduction

We propose a new paradigm and a new technology of opportunistic networks or oppnets to enable an integration of the diverse communication, computation, sensing, storage and other resources that surround us more and more. We not only find ourselves in their midst but depend on them increasingly as necessities rather than luxuries. Few would deny that communications and computing are more and more pervasive.

The goal for oppnets is to leverage the wealth of pervasive resources and capabilities that are within our reach. This is often a treasure that remains useless due to “linguistic” barriers. Different devices and systems are either unable to speak to each other, or do not even try to communicate. They remain on different wavelengths—sometimes literally, always at least metaphorically. This occurs despite devices and systems gaining ground in autonomous behavior, self-organization abilities, adaptability to changing environments, or even self-healing when faced with component failures or malicious attacks. It might look somewhat ironic to a person unaware of interoperability challenges that such ever more powerful and intelligent entities are not making equally great strides in talking to each other.

With oppnets, we chart a new direction within the area of computer networks. To the best of our knowledge it is a direction not explored in this way by others. A co-author of this paper invented opportunistic sensor networks [BLWR04]. The idea was later generalized to opportunistic networks [LiGu06]. We are now the first to scrutinize oppnets and their inherent challenges. The oppnets and their salient features can be characterized as follows.
Typically, the nodes of a single network are all deployed together, with the size of the network and locations of its nodes pre-designed (either in a fully “deterministic” fashion, or with a certain degree of randomness, as is the case with ad hoc or mobile networks). In contrast, the size of an oppnet and locations of all but the initial set of its nodes—known as the seed nodes—can not be even approximately predicted. This is the category of networks where diverse devices, not employed originally as its nodes, are invited to join the seed nodes to become oppnet helpers. Helpers perform certain tasks they have been invited (or ordered) to participate in. By integrating helpers into its fold, a seed oppnet grows into an expanded oppnet. The oppnet goals can be realized by alleviating first of all the communication problems—including bottlenecks and gaps—that are often the root causes of resource shortages (similarly as transportation inadequacies—not a lack of food in the world—are the root causes of famines). If the researchers, developers, and manufacturers succeed in building oppnets, the payoff will be swift and substantial. Armies of helpers, mobilized by oppnets, will be capable of contributing towards their objectives at a very low or no cost, especially in emergency situations. The potential of oppnets in all kinds of emergency situations—including man-made and natural disasters— is especially noteworthy. In the past few years we have seen great disasters, such as 9/11 terrorist attack, tsunami in the Southeast Asia and Hurricane Katrina. The casualties and damages are too often compounded by problems faced by the first responders and relief agency workers. There is a common thread to all these problems: lack of adequate communication facilities in the disaster areas and beyond. Therefore, providing means of dependable communication in emergencies must be viewed as a fundamental challenge to communication and information technologies. 
The following scenario illustrates a possible use of an oppnet deployed after an earthquake. One of its helpers, a surveillance system, “looks” at a public area scene with many objects. The image is passed to another helper that analyzes it, and recognizes one of the objects as an overturned car. Another helper decides that the license plate number of the car should be obtained, and (maybe another) image analysis helper provides this information. The plate number is used by another helper to check in a vehicle database whether the car is equipped with the OnStar™ communication system. If it is, the appropriate OnStar center facility is contacted, becomes a helper, and obtains a connection with the OnStar device in the car. The OnStar device in the car becomes a helper and is asked to contact BANs (body area networks) on and within bodies of car occupants. Each BAN available in the car becomes a helper and reports on the vital signs of its owner. The reports from BANs are analyzed by prioritizing helpers that schedule the responder teams to ensure that people in the most serious condition are rescued sooner than others. With the exception of the BAN link that is just a bit futuristic (its widespread availability could be measured in years not in decades), all other helper capabilities are already quite common. With so many helper capabilities available, we need “only” to integrate them in a clever way. We believe that our paradigm provides a very useful framework—including a conceptual frame of thought—for such integration. We can look at oppnets as an epitome of pervasive computing. The most critical problems inherent to pervasive computing were very aptly expressed as follows [Thib02]: Pervasive computing has pervasive problems, not the least of which are interoperability, security and privacy. Oppnets confront all three enumerated problems head on (though in this paper we concentrate on the discussion of privacy and security issues). 
Therefore, work on oppnets will be a test case for attacking the pervasive computing problems. The next Section describes the basics of oppnet operation. Section 3 delineates scenarios for benevolent and malevolent uses for oppnets. Section 4 briefly presents areas of related work. Privacy and security challenges facing oppnets are presented in Sections 5 and 6. Finally, Section 7 concludes the paper and sketches directions for future work. 2. Basics of Oppnet Operation A. Seed Oppnet and Its Growth Each opportunistic network grows from a seed that is a set of nodes employed together at the time of the initial oppnet deployment. The seed is pre-designed (and can therefore be viewed as a network in its own right). In the extreme it can consist of a single node. The seed grows into a larger network by extending invitations to join the oppnet to foreign devices, node clusters, networks, or other systems which it is able to contact. Any new node that becomes a full-fledged oppnet member, that is a helper, may be allowed to invite external nodes. By inviting “free” collaborative nodes, the opportunistic networks can be very competitive economically. The issues that have to be addressed are proper incentives or enforcements so that invited nodes are willing or required to join, and potentially lower credibility of invited collaborators that, in general, can’t be fully trusted (at least till they prove themselves). Helpers collaborate on realizing the oppnet’s goal. They can be deployed to execute all kinds of tasks even though, in general, they were not designed to become elements of an oppnet that invites them. B. Oppnet Helpers 1) Potential Oppnets Helpers: The set of helpers includes even entities not usually thought of as network nodes, both wired and wireless, free-standing and embedded. 
Even nodes with no sensing capabilities, such as networked mainframes from LANs or wireless-equipped processors embedded in cars, can significantly contribute to processing or communication capabilities of an oppnet. After all, any networked PC or embedded processor has some useful sensing, processing, or communication capabilities. For example, information about user’s presence or absence, her work habits and Internet access patterns can be collected by her desktop and her PDA; information about user’s location – by his cellphone (even one without GPS can be triangulated); and data about food consumed by user’s household – by a processor embedded in a refrigerator and RFID-equipped food packages and containers. As an example, a PC becomes “invitable” once the seed identifies a subset of IP addresses located in its geographical area and contacts them. In larger areas, it is not difficult to do, with IP addresses hierarchically organized by location. 2) Helper Functionalities: It should be noted that, in general, working in the “disaster mode” does not require any new functionalities from the helpers. For example, in case of fire monitoring tasks, the weather sensornet that became a helper can be simply told to stop collecting precipitation data, and use the released resources to increase the sampling rates for temperature and wind direction. It is possible that more powerful helpers could be reprogrammed on the fly. Also, oppnet nodes might be built with excess general-purpose communication, computation, storage, sensing, and other capabilities useful in case of unforeseen emergencies. For example, excess sensing capabilities could be facilitated by multisensor devices that are becoming cheaper and cheaper as new kinds of sensors are being developed all the time (for example, novel biosensors for detection of anthrax [IHRR02]). C. 
Critical Mass for an Oppnet and Growth Limitations

1) Critical Mass: Oppnets can be really effective if they are able to build up their size (by inviting other nodes) enough to reach a certain “critical mass” in terms of size, node locations, and node capabilities. Once this threshold is passed, they are ready to communicate, calculate, and measure aspects of entities and physical environment in their midst in unprecedented detail. They can gather data for damage assessment when used in emergencies or disaster recovery. Some sensornets that become helpers—such as sensor nodes embedded in roads, buildings, and bridges—are designed primarily for damage assessment. Other helpers (whether from sensornets or not) can gather data—legitimately or not—on the general public, employees, or other monitored individuals.

2) Growth Limitations: The network stops inviting more nodes when it obtains enough helpers providing sufficient sensing, processing, and communication capabilities (cost/benefit analysis of inviting more nodes might be performed). It should avoid recruiting superfluous nodes that wouldn’t help and might reduce performance by using resources just to “gawk.” This does not mean that network configuration becomes frozen. As the area affected by the monitored activity (e.g., an earthquake) changes and the required monitoring level (due, say, to the severity of damage) in different locations shifts, the oppnet reconfigures dynamically, adapting its scope and its capabilities to its needs (e.g., to the current disaster recovery requirements).

D. Applications for Oppnets

1) Emergency Applications: We see important applications for opportunistic networks in all kinds of emergency situations, for example in hurricane disaster recovery and homeland security emergencies. We believe that they have the potential to significantly improve efficiency and effectiveness of relief and recovery operations.
For predictable disasters (like hurricanes or firestorms, whose path can be predicted with some accuracy), seed oppnets can be put into action and their build-up started (or even completed) before the disaster, when it is still much easier to locate and invite other nodes and clusters into the oppnet. The first helpers invited by the seed could be the sensornets deployed for structural damage monitoring and assessment, such as the ones embedded in buildings, roads, and bridges. 2) Benevolent and Malevolent Oppnet Applications: As most technologies, opportunistic networks can be used to either benefit or harm humans, their artifacts, and technical infrastructure they rely upon. Invited nodes might be “kept in the dark” about the real goals of their host oppnets. Specifically, “good guys” could be cheated by a malevolent oppnet and believe that they will be used to benefit users. Similarly, “bad guys” might be fooled by a benevolent oppnet into believing that they collaborate on objectives to harm users, while in fact they would be closely controlled and participate in realizing positive goals. On the negative side, home-based opportunistic networks could be the worst violators of individual’s privacy, if they are able to exploit PCs, cellphones, computer-connected security cameras, embedded home appliance processors, etc. 3) Counteracting Malevolent Oppnet Applications: To counteract malevolent oppnets threats, predator networks that feed on all kinds of malevolent networks —including malevolent oppnets— can be created. They detect malevolent nets, plant spies in them, and use the spies to discover true goals of suspicious networks (some of the suspicious networks might actually be benevolent ones, victims of false positives). Conversely, intelligent adversaries can deploy malevolent predator networks that feed on all kinds of benevolent networks, including benevolent opportunistic networks. 3. 
Example Oppnet Use Scenarios Below we show two example oppnet application scenarios: a benevolent one and a malevolent one. Both rely on some reconfiguration capabilities of non-opportunistic (regular) sensornets. A. Benevolent Oppnet Scenario —“Citizens Called to Arms” A seed oppnet is deployed in the area where an earthquake occurred. It is an ad hoc wireless network with nodes much more powerful than in a “typical” ad hoc network (more energy, computing and communication resources). Once activated, the seed tries to detect any nodes that can help in damage assessment and disaster recovery. It uses any available method for detection of other networks, including radio-based (including cellphone-based) detection, searching for nodes using the IP address range for the affected geographic area, and even AI-based visual detection of some appliances and PCs (after visual detection, the seed still needs to find a network contact for a node to be invited). The oppnet “calls to arms” the optimal subset of detected and contacted “citizens,” inviting all devices, clusters, and entire networks, which are able to help in communicating, computing, sensing, etc. In emergency situations, entities with any sensing capabilities (whether members of sensornets or not), such as cellphones with GPS or desktops equipped with surveillance cameras, can be especially valuable for the oppnet. Let us suppose that the oppnet is able to contact three independent sensornets in the disaster area, deployed for weather monitoring, water infrastructure control, and public space surveillance. They become helper candidates and are ordered (this is a life-or-death emergency!) to immediately abandon their normal daily functions and start assisting in performing disaster recovery actions. 
For example, the weather monitoring sensornet can be called upon to sense fires and flooding, the water infrastructure sensornet with multisensor capabilities (and positioned under road surfaces)—to sense vehicular movement and traffic jams, and the public space surveillance sensornet—to automatically search public spaces for images of human victims.

B. Malevolent Oppnet Scenario — “Bad Guys Gang Up”

Suppose that foreign info warriors use agents or people unaware of their goals to create an apparently harmless weather monitoring sensornet. Only they know that, when activated, the original sensornet becomes a seed of a malevolent oppnet. The sensornet starts recruiting helpers. The seed will not reveal its true goals to any of its helpers. Instead, it uses a cover of a beneficial application, proclaiming to pursue weather monitoring for research. Actually, this opportunistic sensornet monitors weather but for malicious reasons: it analyzes wind patterns that can contribute to a faster spread of poisonous chemicals. Once the “critical mass” in terms of geographical spread and sensing capabilities is reached, the collected data can be used to make a decision on starting a chemical attack.

4. Related Work Areas

Oppnets might be perceived as networks that lie within the intersection of ad hoc networks, P2P systems, and sensor networks. They can use (after modifications) ad hoc node localization and self-organization techniques from ad hoc networks, growth-by-joining approaches from P2P systems, and data aggregation algorithms from sensornets. Hence, the fact that a lot of related work comes from these three areas should not be surprising. However, we look at three more categories of related work. There are six major areas of related technologies useful for opportunistic networks that we identified and explore for useful methods, protocols, and algorithms:

1. Ad hoc networks
2. Peer-to-peer systems
3. Sensornets
4. Grid computing (for resource integration and management)
5. Benevolent Trojans (for helper search)
6. Miscellaneous other (e.g., techniques from the CenWits project from the University of Colorado).

There is a tremendous amount of knowledge and experience in the above areas that we can learn from, but we cannot employ any of the existing techniques ‘as-is’ in our opportunistic networks, due to the unique characteristics of oppnets. We omit the details as not necessary in this Privacy and Security Research Challenges paper.

5. Privacy Challenges in Oppnets

The proposed opportunistic network technology is one of the possible approaches for moving towards the ultimate goal of pervasive computing. Since huge privacy risks are associated with all pervasive computing approaches, oppnets—being such an approach—must face significant privacy perils. Pervasiveness must breed privacy threats, as we explain in our 2004 paper [BLRW04]:

Pervasive devices with inherent communication capabilities might […] self-organize into huge, opportunistic sensor networks, able to spy anywhere, anytime, on everybody and everything within their midst. […] Without proper means of detection and neutralization, no one will be able to tell which and how many snoops are active, what data they collect, and who they work for (an advertiser? a nosy neighbor? Big Brother?). Questions such as “Can I trust my refrigerator?” will not be jokes—the refrigerator will be able to snitch on its owner’s dietary misbehavior to the owner’s doctor.

We very clearly recognize the crucial issue of privacy in oppnets (as well as in all other pervasive computing approaches). Privacy guarantees are indispensable for realization of the promise of pervasive computing. We strongly believe that without proper privacy protection built into any technology attempting to become pervasive, the public will justifiably revolt against it.
Any oppnet solution (or other pervasive computing solution) compromising on privacy protection is doomed to a total failure. Simply put, privacy protection is the “make it or break it” issue for oppnets and pervasive computing in general.

There is no inherent reason why an oppnet would need to enslave the device asked to help it, exploiting its sensitive resources. There is no inherent reason why the helper device would need to disclose all such resources to the oppnet. In the simplest solution, the candidate helper will keep its private data in a secure vault (e.g., enciphered in its storage) before agreeing to join an oppnet that asked for help. In case of an involuntary conscription (in an emergency situation), the oppnet will allow the candidate helper to save private data in the helper’s own vault before mustering it.

Another solution we consider will rely on a strict separation of private and public areas within the helper device or network. This will ensure that a benevolent oppnet will never (even when it malfunctions) attempt to capture a helper’s private data. It will also provide protection against malevolent oppnets that might attack the privacy of other devices or networks while pretending they need them as their helpers.

Still other techniques—proposed in [Lili05]—include:

• Protecting privacy of entities (including oppnet helpers) that are under oppnet surveillance by, for example, assuring their anonymity or pseudonymity.
• Providing algorithms for detecting malevolent oppnets, which masquerade as benevolent oppnets in order to attack prospective helpers. Detection will deny them the opportunity to compromise the privacy of helpers.
• Developing methods to protect oppnets against all kinds of privacy attacks, and to disable malicious uses of oppnets for privacy attacks.

Some relaxation of the strictest privacy protection standards might be permissible in emergency situations, especially in life-and-death situations.
For example, a victim searching for help will probably not object to an oppnet taking over her Body Area Network (BAN), controlling devices on and within her body. We will consider exploring this possibility with a full concern for the legal and ethical issues involved. If we do, we will follow two basic assumptions: (1) an entity should give up only as much privacy as is indispensable for becoming a helper for the requesting oppnet; and (2) an entity’s privacy disclosure should be proportional to the benefits expected for the entity or to a broader common good. The latter is especially important in emergencies, when a goal like saving the life of one person takes precedence over the comfort of another.

Our earlier work on privacy includes a solution for privacy-preserving data dissemination [LiBh05], which we might adapt to improve the oppnet-helper relationships. Finally, we need to note that privacy (and security) in pervasive computing is a very active investigation area. We can use many other privacy solutions conceived by other researchers working on networks and, in general, on pervasive computing.

6. Security and Privacy Challenges for Oppnets

One of the sources of privacy and security threats is the fact that authentication cannot, in general, be performed when devices join the network. It is not possible to guarantee that malicious devices will not join. Moreover, we might not be able to classify or rate devices as malicious until they join the oppnet and we detect their notorious behavior. Delivering secret keys securely to all non-malicious devices (and only to non-malicious devices) is very difficult in such an ad hoc environment. Hence, relying on cryptography-based authentication mechanisms (e.g., Kerberos) alone will not help in all situations. So, MITM, packet dropping, ID spoofing (masquerading), DoS and other attacks are even bigger threats in oppnets. If not controlled, they can defeat the purpose of an oppnet.
Figure 1 displays a general security scheme for oppnets. In the absence of an initial authentication mechanism, all five steps marked by outgoing arrows from the adder circle are mandatory. The privacy and security challenges for opportunistic networks can be listed as follows (in the order in which, we think, they should be investigated):

A. Increasing trust and secure routing
B. Helper privacy and oppnet privacy
C. Protecting data privacy
D. Ensuring data integrity
E. Identifying most dangerous attacks and sketching solutions
F. Intrusion detection

[Figure 1: diagram. Box labels: No initial authentication; Robust routing (to prevent common attacks); Grant access to helper based on roles; New helper joining oppnet; Authorize helper to perform certain operations; Observe helper behavior; Use special intrusion detection techniques for sophisticated attacks by helper (like MITM); Permanently eliminate, isolate, avoid “bad guys” during routing so that they can’t join; Find “bad guys”.]

Fig. 1. General oppnet security scheme.

A. Increasing Trust and Secure Routing

A list of “more trusted” devices can be maintained. For example, we can place more trust in devices owned by certain institutions, such as devices at police stations, government offices, hospitals, public libraries, universities or reputable companies. Once a list of trusted devices is made (which is a challenge), these devices will be used for more critical tasks than unknown devices or distrusted devices (such a ‘black list’ could be maintained as well). Secure routing can use both lists. Selecting a route that passes through only trusted devices (or as many trusted devices as possible) is challenging.

Numerous papers have been written on individual ad hoc routing protocols. A survey of secure wireless ad hoc routing can be found in [HuPe04]. The secure wireless ad hoc routing protocol most relevant to oppnets is Ariadne [HuPJ02]. It is an on-demand protocol that works in the presence of compromised nodes. Ariadne uses symmetric cryptography.
It authenticates routing messages using one of three schemes:

• Shared secrets between each pair of nodes.
• Shared secrets between communicating nodes combined with broadcast authentication.
• Digital signatures.

Solutions proposed for securing routing protocols in wireless or ad hoc networks or the Internet cannot be used directly in oppnets because oppnets are highly heterogeneous. Their nodes have different processing abilities, power sources, modes of transmission (wired or wireless), etc. The proposed approaches—e.g., IPSec, WEP and ssh—use mostly cryptographic solutions to minimize the probability and effects of possible attacks.

Trusted devices with battery power should be used sparingly to increase their lifetime. This is necessary to maintain network connectivity, the goal of oppnets. This might be easier in oppnets than in other systems, as oppnets can rely on growth to amass needed resources (even with a big safety margin).

B. Helper Privacy and Oppnet Privacy

In this section, by “protecting privacy of the system” we mean no intrusions into the system and no illegal access to the data, resources and software of systems. So by privacy we do not mean data privacy or confidentiality, which is discussed in Subsection 6.C.

An oppnet can be feasible only if the privacy of helpers can be guaranteed. The privacy of a helper can be guaranteed by its access controls (authentication and authorization) and by its intrusion prevention (using security primitives, relying on trust, secure routing, etc.). Intrusion detection should be used as the second line of privacy defense for helpers when prevention fails or cannot be used due to its inefficiency. Elimination or isolation of bad entities from an oppnet via intrusion detection is very important for benevolent nodes.
The problems of guaranteeing access control and performing real-time intrusion detection are more difficult for oppnets than for the Internet, wireless or ad hoc networks because of the highly heterogeneous nature of participating devices and the spontaneous manner in which oppnets are formed.

Privacy of the oppnet is also important. Malicious entities can join the oppnet with the sheer purpose of violating the privacy of oppnet members. A fear of having one’s privacy violated can prevent candidate helpers invited by an oppnet from joining, or can cause reluctance (a passive or an active resistance) of the candidate helpers ordered by an oppnet to join. Since it is very difficult to uncover the motives of any device or system invited or ordered by an oppnet to join, the only way to find bad helpers is by intrusion detection.

C. Protecting Data Privacy

In the subcategory of oppnets that have a central controller, the following kinds of messages are most important.

1) Broadcast from the controller: The controller will mostly make announcements (e.g., the water level will rise by 6 inches in half an hour in the whole city) for which privacy might not be desired. But there can be messages from the controller that require privacy, since they are intended for only a few nodes in the oppnet. The lack of a shared secret or key between the controller and the intended recipients makes the problem of providing data privacy difficult. Even if we assume that there is a shared secret key (for symmetric key encryption) between the controller and the intended recipients, the biggest problem with symmetric key cryptography is that the capture of even a single device (especially in a crisis, when providing physical protection is even more difficult) leads to the failure of the whole scheme.

2) Messages from nodes to the controller: These messages may require privacy. (You may have to tell something to your manager but may not want to share it with your colleagues.)
Encryption is a way of providing data privacy. Asymmetric key cryptography (or public key cryptography, using PKI) can be used to protect the privacy of messages from nodes to the controller. The controller can broadcast its public key to all the devices in the oppnet. Devices can encrypt their data with the public key and the controller can decrypt them with its private key. So when data is traveling towards the controller, the nodes that forward them can see only their encrypted form. A malicious device can pose as a controller by distributing its own public key. The above will not work if the controller cannot exclude such ‘competition’ in distributing its forged public key. We need a secure mechanism to broadcast a public key either before an emergency (for predictable emergencies, to potential helpers that can be identified), during an emergency, or after an emergency.

Apart from the messages discussed above, messages in an oppnet might be sent from one device to another device (peer to peer), or there can be intra-cluster communication among devices in some specific area. A local cluster head (a trusted device doing an extra job) can use public key cryptography while communicating with its neighbors. A cluster head can announce its public key. Nodes can encrypt data with the public key and, upon receiving encrypted data, the cluster head can decrypt them with its private key. But a malicious device can pose as a cluster head and can distribute its own public key. So, this approach will not work if the cluster head cannot exclude such ‘competition’ in distributing its forged public key.

D. Ensuring Data Integrity

Data integrity is a part of data security, and also a part of any secure communication. Digital signatures can be used to guarantee integrity of data. But they are too expensive computationally for weak devices (like cellphones, PDAs etc.) running on limited battery power. Hence, alternatives should be devised to guarantee integrity of data packets.
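One possible lower-cost alternative to per-packet digital signatures, given here as an added example (not code from the paper): an end-to-end HMAC-SHA256 tag computed over the whole message, so that verification does not depend on how relays split the message into packets. It assumes the sender and the controller already share a pairwise key; the key, node ID, message layout and MTU values are constructed for illustration, and the paper's caveat about captured devices exposing symmetric keys still applies.

```python
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag
FIXED = struct.calcsize("!QI")          # 8-byte sequence number + 4-byte payload length


def seal(key, sender_id, seq, payload):
    """Sender: header || payload || HMAC(key, header || payload)."""
    header = bytes([len(sender_id)]) + sender_id + struct.pack("!QI", seq, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def unseal(key, message, last_seq):
    """Receiver: check the tag first, then parse. Raises ValueError on any failure."""
    if len(message) < 1 + FIXED + TAG_LEN:
        raise ValueError("message too short")
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    id_len = body[0]
    if len(body) < 1 + id_len + FIXED:
        raise ValueError("truncated header")
    sender_id = body[1:1 + id_len]
    seq, length = struct.unpack("!QI", body[1 + id_len:1 + id_len + FIXED])
    payload = body[1 + id_len + FIXED:]
    if len(payload) != length:
        raise ValueError("length field does not match payload")
    if seq <= last_seq:
        raise ValueError("replayed or stale sequence number")
    return sender_id, seq, payload


def fragment(message, mtu):
    """Split a sealed message into (index, total, chunk) fragments of at most mtu bytes."""
    chunks = [message[i:i + mtu] for i in range(0, len(message), mtu)]
    return [(i, len(chunks), chunk) for i, chunk in enumerate(chunks)]


def reassemble(fragments):
    """Rebuild the byte string. Fragment headers are not trusted; the tag check is."""
    if not fragments:
        raise ValueError("no fragments")
    total = fragments[0][1]
    by_index = {i: chunk for i, t, chunk in fragments if t == total}
    if len(fragments) != total or sorted(by_index) != list(range(total)):
        raise ValueError("missing, duplicate or inconsistent fragment")
    return b"".join(by_index[i] for i in range(total))


def relay(fragments, out_mtu, tamper=False):
    """A forwarding node whose outgoing link has a different MTU re-fragments the message.
    tamper=True models a relay that alters one bit, to exercise the receiver's check."""
    data = bytearray(reassemble(fragments))
    if tamper:
        data[len(data) // 2] ^= 0x01
    return fragment(bytes(data), out_mtu)


def receive(key, fragments, last_seq=0):
    """Controller-side entry point: the payload if authentic and fresh, else None."""
    try:
        return unseal(key, reassemble(fragments), last_seq)[2]
    except ValueError:
        return None


def demo():
    key = b"constructed-demo-key-32-bytes!!!"    # constructed sample key
    sealed = seal(key, b"cell-17", 1, b"Need help: 2 adults, water rising, 5th St")
    radio = fragment(sealed, 16)                 # cellphone -> PC, small frames
    wired = relay(radio, 64)                     # PC -> base station, larger frames
    altered = relay(radio, 64, tamper=True)      # same hop, one bit changed in transit
    return {
        "fragments_per_hop": (len(radio), len(wired)),
        "honest": receive(key, wired),
        "tampered": receive(key, altered),
        "replayed": receive(key, wired, last_seq=1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because the tag covers the reassembled bytes rather than any single packet, the check survives a change of packet size between hops, while a modified, incomplete or replayed message is rejected.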
Also, the size of a packet may vary as it travels through an oppnet. Suppose that a packet is sent from a cellphone to the base station through a PC connected to the Internet. In this case, the packet size when it travels from the cellphone to the PC will be different from the packet size when it travels from the PC to the base station. If packet fragmentation and aggregation cannot be performed securely, the end-to-end security mechanisms could fail.

E. Identifying Most Dangerous Attacks and Sketching Solutions

Below we discuss some of the most important attacks, their effects, and initial solutions to prevent those attacks.

• MITM: Suppose a malicious device is on the path connecting a person in the house that needs help and the central controller. In this case, if the person sends a request destined for the controller, the malicious device, instead of forwarding it, might inform the person that help is on the way. It could also tamper with messages broadcast by the controller.
Solution: A person in need can send redundant messages to the controller through multiple neighbors. This will increase the chances that at least one of the multiple message copies will reach the controller, even if there are attackers on some paths. So, redundancy of routes can be exploited to avoid the attackers.

• Packet dropping: The malicious device in the above scenario might drop some or all the packets between the person in need and the controller. In the worst case, it might forward packets containing insignificant information and drop packets containing critical information.
Solution: The above proposed idea of sending redundant messages using multiple neighbors may work if no adversary is situated on at least one path. Again, redundancy of routes can be exploited to avoid the attackers.

• DoS attacks by malicious devices: False requests for help can be generated by malicious devices. They will keep the rescue team busy and unavailable for real emergencies.
Solution: An upper limit can be placed on the number of requests any device can generate. Thus, it will limit the number of times any device can send a false help request. In addition, the rescue team can attempt contacting the requester to confirm an emergency request.

• DoS attacks on weak links: DoS attacks may target a “weak” device, such as a cellphone that is critical to oppnet operation (e.g., if it is the only device that connects two parts of a city). The battery of the cellphone is a very precious resource and should be used sparingly until an alternative connection is found. Some attacks may target only critical weak devices. Such surgical attacks are capable of defeating the goal of oppnets, which is to maintain connectivity in a crisis.
Solution: Identification of weak devices, their strengthening (e.g., providing backups for them), or minimizing their workload is a major task for maintaining connectivity in oppnets.

• ID spoofing: Mapping some node properties (like location) into a node ID by a controller can be dangerous. A malicious device capable of masquerading can generate requests with multiple IDs, resulting in many false alarms for the rescue team. Services that need authentication can be misused if their IDs can be spoofed. A device capable of spoofing the ID of a trusted node or a node with critical functions can mount many kinds of attacks.
Solution: Although it is difficult to guarantee that malicious nodes will not join the oppnet, nodes can watch their neighbors for possible attempts of ID spoofing. The SAVE protocol [LMRZ01] can provide routers with information needed for source address validation. This protocol needs to be modified to suit the heterogeneous nature of oppnets.

F. Intrusion Detection

Malicious devices or malicious networks will be able to join an oppnet because of the lack of an initial authentication mechanism. Therefore, there is a need to detect and isolate malicious nodes, clusters, or networks.
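The trust lists of Section 6.A and the redundant-route defence against MITM and packet dropping in Section 6.E can be combined, as in this added example (not the authors' algorithm): a shortest-path search that excludes black-listed devices and prefers white-listed relays, run repeatedly to obtain routes that share no relay. The topology, device names, cost function and the greedy disjoint-route heuristic are assumptions made for illustration.

```python
import heapq

# Constructed sample topology: undirected links between devices.
EDGES = [
    ("house", "police_radio"), ("police_radio", "controller"),
    ("house", "phone_a"), ("phone_a", "hospital_ap"), ("hospital_ap", "controller"),
    ("house", "pda_b"), ("pda_b", "laptop_c"), ("laptop_c", "controller"),
    ("house", "rogue_x"), ("rogue_x", "controller"),
]
TRUSTED = {"police_radio", "hospital_ap"}   # constructed 'more trusted' list
BLACKLIST = {"rogue_x"}                     # constructed 'black list'


def build_links(edges):
    """Adjacency map for an undirected topology."""
    links = {}
    for a, b in edges:
        links.setdefault(a, set()).add(b)
        links.setdefault(b, set()).add(a)
    return links


def best_route(links, src, dst, trusted, blacklist, banned=frozenset()):
    """Dijkstra with lexicographic cost (unlisted relays, hops).

    Black-listed and banned devices are never used. Relays on the trusted list
    cost nothing extra; every other relay adds one to the first cost component,
    so the search prefers routes with as many trusted devices as possible and
    only then the fewest hops. Returns the route as a list, or None.
    """
    avoid = set(blacklist) | set(banned)
    heap = [((0, 0), src, [src])]
    done = set()
    while heap:
        (unlisted, hops), node, path = heapq.heappop(heap)
        if node == dst:
            return path
        if node in done:
            continue
        done.add(node)
        for nxt in sorted(links.get(node, ())):
            if nxt in avoid or nxt in done:
                continue
            penalty = 0 if (nxt == dst or nxt in trusted) else 1
            heapq.heappush(heap, ((unlisted + penalty, hops + 1), nxt, path + [nxt]))
    return None


def redundant_routes(links, src, dst, trusted, blacklist, k):
    """Greedy heuristic: up to k routes that share no intermediate relay.

    Each found route's relays are banned before the next search. This is not a
    maximum-disjoint-paths algorithm; it may find fewer routes than exist.
    """
    routes, used = [], set()
    for _ in range(k):
        path = best_route(links, src, dst, trusted, blacklist, banned=used)
        if path is None:
            break
        routes.append(path)
        relays = path[1:-1]
        if not relays:          # direct link: no relay left to diversify over
            break
        used.update(relays)
    return routes


def survives(routes, compromised):
    """True if at least one route contains no compromised relay, i.e. at least
    one copy of the message reaches the controller unmodified and undropped."""
    return any(not (set(route[1:-1]) & set(compromised)) for route in routes)


if __name__ == "__main__":
    links = build_links(EDGES)
    for route in redundant_routes(links, "house", "controller", TRUSTED, BLACKLIST, 3):
        print(" -> ".join(route))
```

Sending one copy per returned route tolerates attackers on all but one of them; a single best route fails as soon as its one relay misbehaves, even if that relay is on the trusted list.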
Securely distributing information about malicious entities in the presence of malicious entities is a challenge. If shared securely, this second-hand reputation information can be used by all oppnet nodes to protect themselves from attackers. Even if that information could be distributed securely, avoiding those entities while maintaining connectivity is another challenge.

For a review of intrusion detection in wireless ad hoc networks we refer the reader to [MiNP04]. However, we need to emphasize that the highly heterogeneous nature of oppnets makes real-time intrusion detection and response in them even more challenging than in other types of networks.

The intrusion detection approach most relevant for oppnets comes from the AAFID project [Zamb01], in which autonomous agents perform intrusion detection using embedded detectors. An embedded detector is an internal software sensor that has added logic for detecting conditions that indicate a specific type of attack or intrusion. Embedded detectors are more resistant to tampering or disabling, because they are a part of the program they monitor. Since they are not executing continuously, they impose a very low CPU overhead. They perform direct monitoring because they have access to the internal data of the programs they monitor. Such data does not have to travel through an external path (a log file, for example) between its generation and its use. This reduces the chances that data will be modified before an intrusion detection component gets it.

7. Conclusions

This paper presents the new concept of opportunistic networks (oppnets), and presents related research challenges. Oppnets constitute a newly identified category of computer networks. When deployed, oppnets attempt to detect systems existing in their relative vicinity—ranging from sensing and monitoring, to computing and communication systems—and integrate them under their own control.
When such a system is detected, the oppnet evaluates its potential benefit, and—if the evaluation is positive—invites it to become its helper. In this manner, an oppnet can grow from a small seed into a stupendous network with vast sensing, communication, and computation capabilities.

An integrated network has been called for in various critical or emergency situations [USGo01]. An oppnet can be used to enable connectivity in an area where any existing communication or information infrastructure has been fractured or partially destroyed. It integrates various systems that were not designed to work together to facilitate creation of a bigger and better picture of the region it is deployed in. The integration allows flow of information that, for example, can assist in rescue and recovery efforts for devastated areas, or can provide more data on phenomena that are just developing, such as wildfires or flash torrents.

Responding to the identified challenges in oppnets will contribute to advancing knowledge and understanding of opportunistic networks, while simultaneously advancing the state of the art of general-purpose computer networks. We take on many challenges, continuing our investigation of oppnets, and designing oppnet architectures with their associated components: methods, protocols, and algorithms. The planned prototype opportunistic network will provide a proof of concept, as well as the stimulation and feedback necessary for fine-tuning oppnet architectures and their components.

Acknowledgements

This work was supported in part by the National Science Foundation under Grant IIS-0242840, and in part by the U.S. Department of Commerce under Grant BS123456. The authors would also like to acknowledge Western Michigan University for its support and its contributions to the WiSe (Wireless Sensornet) Laboratory, Computational Science Center and Information Technology and Image Analysis (ITIA) Center. L.
Lilien, a co-PI on the NSF grant providing partial support for this research, would like to thank Professor Bharat Bhargava from Purdue University, the PI for this grant. He is affiliated with the CERIAS security center at Purdue University. Any opinions, findings, conclusions or recommendations expressed in the paper are those of the authors and do not necessarily reflect the views of the funding agencies or institutions.

References and Bibliography

[AnYC05] Z. Anwar, W. Yurcik, and R. H. Campbell, “A Survey and Comparison of Peer-to-Peer Group Communication System Suitable for Network-Centric Warfare,” SPIE 2005.
[BaPa00] P. Bahl and V.N. Padmanabhan, “RADAR: An In-Building RF-based User Location and Tracking System,” INFOCOM (2), March 2000, pp. 775-784.
[BFHX05] X. Bao, B. Fang, M. Hu, and B. Xu, “Heterogeneous Search in Unstructured Peer-to-Peer Networks,” IEEE Distributed Systems Online, vol. 6, no. 2, 2005.
[BoGS03] A. Boulis, S. Ganeriwal, and M. Srivastava, “Aggregation in Sensor Networks: An Energy Accuracy Trade-off,” Proc. 1st IEEE Intl. Workshop on Sensor Network Protocols and Applications (SNPA’03), May 2003, Anchorage, Alaska.
[BEGH01] N. Bulusu, D. Estrin, L. Girod and J. Heidemann, “Scalable Coordination for Wireless Sensor Networks: Self-Configuring Localization Systems,” Proc. Sixth Intl. Symp. on Communication Theory and Applications (ISCTA 2001), Ambleside, United Kingdom, July 2001.
[BLRW04] B. Bhargava, L. Lilien, A. Rosenthal, and M. Winslett, “Pervasive Trust,” IEEE Intelligent Systems, vol. 19(5), Sep./Oct. 2004, pp. 74-77.
[CeEs02] A. Cerpa and D. Estrin, “ASCENT: Adaptive Self-Configuring Sensor Networks Topologies,” Proc. Twenty First Intl. Annual Joint Conf. of the IEEE Computer and Communications Societies (INFOCOM 2002), New York, NY, June 2002.
[ChHa03] S. Chatterjea and P. Havinga, “A Dynamic Data Aggregation Scheme for Wireless Sensor Networks,” ProRISC 2003, November 2003, Veldhoven, Netherlands.
[ChBe02] W. Cheswick and S. Bellovin, Firewalls and Internet Security, 2nd ed., Addison-Wesley, 2002.
[Flor03] R. A. Flores-Mendez, “Towards Standardization of Multi-Agent System Frameworks,” 2003. http://turing.acm.org/crossroads/xrds5-4/multiagent.html
[Gong02] L. Gong, “Peer-to-Peer Networks in Action,” IEEE Internet Computing, January – February 2002.
[GuAA05] A. Gupta, D. Agrawal, and A. E. Abbadi, “Distributed Resource Discovery in Large Scale Computing,” SAINT 2005.
[Hein00] W. Heinzelman, “Application-Specific Protocol Architectures for Wireless Networks,” Ph.D. Thesis, Department of Electrical Engineering and Computer Science, MIT, Cambridge, MA, June 2000.
[HiBo01] J. Hightower and G. Borriello, “Location Systems for Ubiquitous Computing,” IEEE Computer, August 2001.
[HeCB00] W. Heinzelman, A. Chandrakasan, and H. Balakrishnan, “Energy-efficient Communication Protocol for Wireless Microsensor Networks,” Proc. 33rd Intl. Conf. on System Sciences (HICSS), January 2000.
[HSIG01] J. Heidemann, F. Silva, C. Intanagonwiwat, R. Govindan, D. Estrin, and D. Ganesan, “Building Efficient Wireless Sensor Networks with Low-Level Naming,” Proc. 18th ACM Symp. on Operating Systems Principles, October 2001.
[HVBW01] J. Hightower, C. Vakili, G. Borriello, and R. Want, “Design and Calibration of the SpotOn AdHoc Location Sensing System,” unpublished manuscript, August 2001.
[HuPJ02] Y.-C. Hu, A. Perrig, and D.B. Johnson, “Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks,” Proc. 8th Ann. Int’l Conf. Mobile Computing and Networking (MobiCom 2002), Atlanta, Georgia, September 2002, pp. 12–23.
[HuPe04] Y.-C. Hu and A. Perrig, “A Survey of Secure Wireless Ad Hoc Routing,” IEEE Security & Privacy, Special Issue on Making Wireless Work, Vol. 2(3), May/June 2004, pp. 28-39.
[IHRR02] H. Inerowicz, S. Howell, F. Regnier, and R. Reifenberger, “Protein Microarray Fabrication for Immunosensing,” Proc. 224th American Chemical Society (ACS) National Meeting, Aug. 2002.
[ItGE00] C. Intanagonwiwat, R. Govindan, and D. Estrin, “Directed Diffusion: A Scalable and Robust Communication Paradigm for Sensor Networks,” Proc. Sixth Annual Intl. Conf. on Mobile Computing and Networks (MobiCom), 2000.
[IyBr03] S. Iyenger and R. Brooks, Distributed Sensor Networks, CRC Press, Inc., 2003.
[KrEW02] B. Krishanamachari, D. Estrin, and S. Wicker, “The Impact of Data Aggregation in Wireless Sensor Networks,” Proc. Intl. Workshop on Distributed Event Based Systems (DEBS), Vienna, Austria, July 2002.
[KuWu01] H.T. Kung and C. H. Wu, “Hierarchical Peer-to-Peer Networks,” Technical Report IIS-TR-02-015, Institute of Information Science, Academia Sinica, Taiwan, April 2001.
[LiBh05] L. Lilien and B. Bhargava, “A Scheme for Privacy-preserving Data Dissemination,” IEEE Transactions Systems, Man, and Cybernetics, accepted, final version submitted in October 2005, to appear.
[LiGu06] L. Lilien and A. Gupta, “Opportunistic Networks for Emergency Preparedness and Response,” submitted for publication.
[Lili05] L. Lilien, “Opportunistic Sensor Networks,” Proposal to the Faculty Research and Creative Activities Support Fund (FRACASF), Western Michigan University, December 2, 2005.
[LMRZ01] J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang, “SAVE: Source Address Validity Enforcement Protocol,” UCLA Technical Report 01-0004, Los Angeles, CA, 2001.
[MiNP04] A. Mishra, K. Nadkarni, A. Patcha, “Intrusion Detection in Wireless Ad Hoc Networks,” IEEE Wireless Communications, Vol. 11(1), February 2004, pp. 48-60.
[Mena03] D.A. Menascé, “P2P Search,” IEEE Internet Computing, March – April 2003.
[MICA03] MICA2 Wireless Measurement System Datasheet, Crossbow Technology Inc., San Jose, CA, September 2003, http://www.xbow.com/Products/Product_pdf_files/Wireless_pdf/6020-0042-01_A_MICA2.pdf.
[MOWW04] T. Moscibroda, R. O’Dell, M. Wattenhofer, and R. Wattenhofer, “Virtual Coordinates for Ad Hoc and Sensor Networks,” ACM Joint Workshop on Foundations of Mobile Computing (DIALMPOMC), Philadelphia, Pennsylvania, USA, October 2004.
[Mote03] Mote Documentation and Development Information, UC Berkeley, Berkeley, CA, 2003, http://www.cs.berkeley.edu/~awoo/smartdus.
[OnSt05] “On Star Explained,” accessed on November 26, 2005, http://www.onstar.com/us_english/jsp/explore/index.jsp
[Oppe78] A. Oppenheim, Applications of Digital Signal Processing, Prentice-Hall, Inc., 1978.
[PBSJ05] P.N. Pathirana, N. Bulusu, A.V. Savkin, and S. Jha, “Node Localization Using Mobile Robots in Delay-Tolerant Sensor Networks,” IEEE Transactions On Mobile Computing, Vol. 4, No. 3, May/June 2005, pp. 285-296.
[PrCB00] N. Priyantha, A. Chakraborty, and H. Balakrishnan, “The Cricket Location Support System,” Proc. ACM Int’l Conf. Mobile Computing and Networking (MobiCom ’00), pp. 32-43, Aug. 2000.
[Ripe02] M. Ripeanu, “Peer-to-peer Architecture Case Study: Gnutella Network,” Internet2 Workshop: Collaborative Computing in Higher Education: Peer-to-Peer and Beyond, January 2002, Tempe, Arizona.
[SaHS01] A. Savvides, C. Han, and M. Srivastava, “Dynamic Fine-Grained Localization in Ad-Hoc Networks of Sensors,” Proc. ACM Int’l Conf. Mobile Computing and Networking (MobiCom ’01), pp. 166-179, July 2001.
[SMKKB01] I. Stoica, R. Morris, D. Karger, M. F. Kaashoek, and H. Balakrishnan, “Chord: A scalable peer-to-peer lookup service for internet applications,” Proc. 2001 Conf. on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM), pp. 149–160, ACM Press, 2001.
[TGBKS04] M. Terwilliger, A. Gupta, V. Bhuse, Z. Kamal, and M. Salahuddin, “A Localization System Using Wireless Sensor Networks: A Comparison of Two Techniques,” Workshop on Positioning, Navigation and Communication, Hanover, Germany, 2004.
[TeGC05a] M. Terwilliger, A. Gupta and C. Coullard, “Localization with Confidence in Sensor Networks,” submitted for publication, 2005.
[TerGC05b] M. Terwilliger, A. Gupta and C. Coullard, “On Bounding Localization Errors,” submitted for publication, 2005.
[Thib02] P. Thibodeau, “Pervasive computing has pervasive problems,” ComputerWorld, Vol. 36(41), Oct. 7, 2002.
[USGo01] U.S. Government Printing Office via GPO Access, “Combating Terrorism: Assessing the Threat of a Biological Weapons Attack.” Online resource last accessed on December 15, 2005. http://www.armscontrolcenter.org/cbw/resources/hearings/snsvair_20011012_combating_terrorism_assessing_biological_weapons_attack.htm
[WhCu03] K. Whitehouse and D. Culler, “Macro-Calibration in Sensor/Actuator Networks,” Mobile Networks and Applications, Kluwer Academic Publishers, 2003.
[YHRC98] K. Yao, R. Hudson, C. Reed, D. Chen, and F. Lorenzelli, “Blind Beamforming on a Randomly Distributed Sensors Array System,” Proc. 1998 IEEE Workshop on Signal Processing Systems (SiPS ‘98), October 1998.
[Zamb01] D. Zamboni, “Using Internal Sensors for Computer Intrusion Detection,” CERIAS Technical Report 2001-42, CERIAS, Purdue University, West Lafayette, IN, August 2001.