Characterising Networking Problems in Ambient Intelligence Networks

Jes us Friginal, David de Andr es, Juan-Carlos Ruiz, Pedro Gil

Fault-Tolerant Systems Group (GSTF), Instituto de Aplicaciones de las TIC Avanzadas (ITACA) Universidad Polit ecnica de Valencia, Campus de Vera s/n, 46022, Spain Phone: +34 96 3877007 Ext {75774, 75752, 85703, 79707}, Fax: +34 96 3877579 {jefrilo, ddandres, jcruizg, pgil}@disca.upv.es

Abstract
Ambient intelligence (AmI) relies on the the existence of multitude of networked tiny devices to create smart environments to serve people in their everyday tasks. In such a context, properties of ad hoc networks, like selfconguration and self-management, present an undeniable benet for AmI solutions. However, the main strengths of such networks may become their main weaknesses when exposed to events (faults) that may perturb their normal operation. The point is simple: if the behaviour of network is compromised, the one of the system upper layers also is. This is why, although the consideration of faults may be an option at design time, encompassing performance and dependability assessment is essential at evaluation time. This paper presents the dierent types of faults that can aect (wireless) ad hoc networks and establishes a classication that can be used by designers, to improve the resiliency of their products, or by evaluators to increase the representativeness and eectiveness of the faultloads they dene for experimentation.

Introduction

In computer-based ambient intelligence (AmI), electronic environments are sensitive and responsive to the presence of people. Current developments in wireless network

Funded by the Spanish project TIN 2009-13825

ing and VLSI integration are leading AmI into reality. Many projects, like [15] and [14], currently investigate to what extend ecosystems of wireless devices can support people in carrying out their everyday life activities using information and intelligence (context-awareness) that is hidden in the network connecting these devices. In practice, AmI relies on the notion of the internet of things, i.e. on the existence of a self-conguring wireless network of devices whose purpose would be to interconnect all available tiny object in a given environment. In this context, ad hoc networks leads the promise of dynamic self-conguring wireless AmI environments. As far as AmI systems intend to be deployed in daily scenarios such as our homes, oces, hospitals and vehicles, the study of those faults that threaten dependability and security aspects, must be a primary concern to reduce the risks for society. In this context, networking is a specially critical task given its importance to establish communications. Due to its essential role, the performance and robustness exhibited by networking highly condition the behaviour exhibited by the AmI system. The intrinsic wireless and mobile nature of most communications can lead AmI systems to be exposed to a wide variety of threats. Up to now, most communication threats were related to an accidental or natural origin (such as variable wireless link quality, interferences, fading, etc.). However, the increasing pres-

ence of mobile devices in our life has not come with an adequate security. This fact has become a propitious breeding ground for attackers [19]. Indeed, networking attacks in mobile computing increased from 25% in 2007 to 55% in 2008 [12], the highest increment among all potential types of attacks. Consequently, both accidental and malicious threats can turn into faults which, apart from causing immediate problems in the network, stretch beyond the bound of the AmI system, thus being visible to users. Faults can lead to incorrect context sensing, security and privacy breaches and misuse of resources. Therefore, fault protection mechanisms are very important aspect when deploying an AmI system into a real environment. Given the nature of the networks used in AmI systems, there is a large number of targets for faults, and consequently a huge number of faults to be injected. However, despite studying the probability of fault occurrence in AmI systems is interesting, estimating how do systems react to their adverse eects is even more important. However, from a pragmatical viewpoint, it might not always be possible or (aordable) to inject a concrete fault in the network because it is very dicult to recreate the particular conditions that enable a fault to exploit a given vulnerability (i.e., in an intelligent home, the hang of the operating system hang produced by a memory overow in the node responsible for connecting an alarm is highly unlikely, but it may happen). In this paper we propose to identify the dierent erroneous states (catalogued as fault models) the AmI system network could evolve towards. This can be of usefulness to directly inject them in the system, instead of injecting the entire fault procedure, thus optimising the experimentation time and easing the task of evaluators (i.e., emulating the operating system hang in the node through their perceptible eects to the rest of nodes of the network: permanent communication absence). The rest of the paper is structured as follows: Section 2 studies the research context. Section 3 details the fault classication criteria used to dene fault models. Section 4 gath-

ers the dierent faults according to the eect that may produce in an AmI system network. Section 5 discusses about the feasibility of our proposal and Section 6 concludes the paper.

Research context

Although pertinent works have tackled the occurrence and resolution of security issues on wireless ad hoc networks (AmI systems core), specially those related to fault prevention mechanisms, the terminology used is far from being homogeneous when referring to those dependability problems aecting the network. Accordingly, notions relative to threats, faults or attacks have a dierent meaning depending on the paper they appear in. Hence, one can easily nd (i) dierent denitions labelled under the same name or (ii) dierent terms referring to the same concept. This gap can be mainly justied given the absence of referenced studies that analyse the origin of problems in ad hoc networks from a systematic viewpoint. Some studies in the dependability community [3] clarify the relationship among generic concepts. In such contribution, the relationship between fault, error and failure is explained as follows: a service failure is a transition from a correct service state to an incorrect one. Failures are produced by errors. A failure occurs when an error reaches the service interface and alters the service. Finally, faults are dened as the adjudged or hypothesised causes of an error. Being so generic, previous concepts become meaningless if they are directly applied to a particular type of system. Few authors have adapted previous concepts to some types of ad hoc networks, and those who do it, only analysed supercially the possible causes of faults [11]. Conversely, most works address partially the problem since they are pathologically divided into two main groups: (i) those which study faults with a natural or accidental origin [10] [2], and those focused on attacks [4] [1] [17]. However, faults and attacks can be considered similar concepts since they dene actions attempting against system properties.

Indeed, as stated in [7], attacks are considered a malicious type of fault. Attacks can be active or passive [21]. Passive attacks are launched to steal valuable information in the targeted networks. Attacks can also be classied into external attacks carried out by nodes that do not belong to the network domain, and internal attacks which are actually part of the network [21]. Despite their (malicious or accidental) origin, faults can be propagated through dierent levels leading to similar eects or manifestations (errors and failures). However, since similar errors can be induced by dierent types of faults (i.e., a communication blockade may occur due to a black hole attack, or simply because users consume the same service at the same time), the challenge consists not in establishing an equivalence among faults but in the error domain. The conceptual association of similar errors is known as fault model. The presence of faults in systems ends up characterising the behaviour of wireless ad hoc networks. However, from a pragmatical viewpoint, it might not always be possible or (affordable) to identify a concrete fault. Nevertheless, identifying their symptomatology can be sucient to provide a correct coverage for the detection and tolerance fault mechanisms to break the error propagation paths.

Fault classication criteria

This section details the fault categories and the aected system properties used as criterion to classify fault models in ad hoc networks.
3.1 Fault categories

In wireless ad hoc networks, dierent levels or layers can be identied and ordered. The bottom layer corresponds to the physical device, which gathers the set of hardware and software components required to deploy the communication. It typically involves the use of embedded devices executing specic OS. The upper levels correspond to network layers. Generally, they are essentially structured

according to a physical layer, a link layer, a routing layer and a service layer, which is addressed to the nal user. At each of these levels faults may occur and consequences (errors, failures) may be observed. Faults in ad hoc networks can be basically classied according to dierent criteria: Phenomena : Denes whether the fault is related to natural or human-made agents. Natural faults are caused by natural phenomena without human participation. Normally, these faults are related to physical causes. Unlike other systems, ad hoc networks are very sensitive to this type of faults. Conversely, the denition of human-made faults result from human actions. Objective : This category is only applied to human-made faults and determines the objective of human interaction with the ad hoc network. This criterion distinguishes malicious and non-malicious faults. Non-malicious faults, introduced without malicious objectives are the result of unintended actions or bad decisions carried out, for instance, during the development of network components or during the service delivery once the network is deployed. Malicious faults, or attacks, are introduced by malicious users, or attackers, with the objective of altering the correct operation of the system. Duration : Indicates the persistence of the fault. Faults can remain in the system indefinitely (permanent fault), for a short period of time (transient fault) or they can appear and disappear repeatedly in time without a dened pattern (intermittent faults). For the sake of simplicity, only permanent and transient faults will be taken into account since intermittent faults can be considered a particular type of transient fault. Evidently, the granularity of this criteria depends on the target system considered. In systems where the time scale is measured in nanoseconds (i.e., VLSI systems), a fault with a duration of 1 second could be considered permanent. In ad hoc networks, we will consider a time scale perceivable by users. Consequently, faults occurred in a node become permanent in case the node is out of service for minutes, whereas

transient faults occur when nodes are out of service for seconds.
3.2 Aected system properties

The properties of AmI system networks can be catalogued under a twofold perspective. From a dependability and security viewpoint, following are some of the most signicant and sensitive attributes that can be aected by faults in ad hoc networks: Integrity assumes that a message is not altered in transit between sender and receiver. Condentiality involves that the transmitted information is only disclosed to authorised parties. Authentication ensures the identity of the party with which communications are exchanged, before granting it access to the network. Service availability guaranties that all resources of the communications network are always ready to be used when needed. Performance attributes encompass dierent Quality-of-Service (QoS) elements well-known in the networks community. Among the most extended, we could mention the most elementary: Energy consumption is the average energy consumed by a network node during a period of time. Other attributes such as power consumption per packet can be derived from it. Delay or latency is the time elapsed among the relay and the arrival of packets from a source to a destination node. It can be considered an elementary attribute as far as many others are derived from it, such as jitter, round-trip-time, etc. Throughput is the average rate of successful messages delivered through a certain network node. From throughput, other signicant related attributes can be estimated such as goodput, packet loss, etc.
3.3 Fault models

been reviewed to determine which are the elementary faults that can aect the correct behaviour of ad hoc networks. Then, a bottomup methodology has been used to match the root-cause of faults with the dierent ad hoc network layers. Fault models are then deduced from the causes and mechanisms implied in the occurrence of faults. Most common fault models for ad hoc networks are briey explained in following points: Node fall : A node fall happens when a node stops communicating with their neighbours in a sudden way or without previous notication. Signal problems : The wireless medium (i.e., the air) is subjected to dierent physic phenomena or interferences that can alter the wave transmissions. Topology alteration : By forging or forwarding ctitious (non-real) routing messages, network nodes can arise nonoptimal routing or make network partially inaccessible. Communication blockade : This fault model happens when there are intermediating impairments that aect the expected communication between a source and a destination node. Eavesdropping : It happens when network messages are intercepted and analysed for a dierent purpose they where conceived to. This fault model, does not propagate to other levels given its passive nature. Fault activation can be propagated out of the bounds of a concrete layer to upper layers. The relationship between ad hoc networks layers and fault models is illustrated in Figure 1.

4
Given the very dierent nature of faults in the ad hoc networks integrated in AmI systems, an analysis of the fault types is required. To cope with that goal, recent literature has

Fault mechanisms and causes

In this section we focus on gathering signicant fault causes and mechanisms that lead to the fault models previously explained. For every particular mechanism, we will explain the problem and describe its eect.

Figure 2: Hidden node problem.

Figure 1: Faults models targeting network layers.

4.1

Node fall

Physical damage : A node may fail due to the irreversible damage produced on its hardware (i.e., its wireless antenna) by natural causes related to res, rain, strokes, etc.
4.2 Signal problems

Exposed node : It occurs when a node is prevented from sending packets to other nodes due to an intermediate neighbour nodes [2]. Given an example of two sender nodes (S1 and S2) and two receiver nodes (R1 and R2), as illustrated in Figure 3, if a transmission between S1 and R1 is taking place (continuous arrow), node S2 is prevented from transmitting to R2 (discontinuous arrow). This occurs because S1 interferes the S2s signal.

Signal attenuation : This fact occurs due to a decrease in the intensity of the electromagnetic energy at the receiver which leads to low signal-to-noise ratio (SNR). This could be due to a considerable distance between nodes), [2]. Doppler shift : This is due to the relative velocities of the transmitter and the receiver nodes [2]. Doppler shift causes frequency shifts in the arriving signal, thereby complicating the successful reception of the signal. Multifading : Electromagnetic waves reecting o objects or diracting around objects can result in the signal travelling over multiple paths from the transmitter to the receiver [2]. Multipath propagation can lead to uctuations in the amplitude, phase, and geographical angle of the signal received at a receiver node. Hidden node : This problem occurs when a node A is visible from an intermediate (neighbour) node B but not from other node C, which directly communicates with node B (see Figure 2) [2]. In case nodes A and C, that cannot sense their signal carrier, start sending packets simultaneously to node B, collisions may occur, resulting in scrambling data.

Figure 3: Exposed node problem.

Use of heterogeneous devices : It happens specially in AmI systems, where dierent devices are destined to work together. The transmission power and reception sensitivity of devices implementing a concrete technology (i.e., IEEE 802.11) are subjected to variability depending on the manufactures implementations (i.e., Cisco, Linksys, etc.) [20]. This problem leads to asymmetric transmission ranges, which increases the problem of interferences in the network. Noise : The proximity of communication channels used during the communication often leads to overlapping problems (i.e., IEEE 802.11 only has three non-overlapping channels) [20]. This, in addition to signicant signal power spillage in the adjacent channels, and the fact of sharing the radio spectrum with hosts of other protocols and devices (i.e., Bluetooth or microwave ovens) leads to performance degradation and unpredictable behaviour.

Jamming attack : Since radio frequency is essentially an open medium, jamming can be a huge problem for wireless networks. Jamming is one of many exploits used that compromise the wireless environment. It works by denying service to authorized users as legitimate trac is jammed by the overwhelming frequencies of illegitimate trac. An attacker can easily jam the radio frequency (i.e., the 2.4 GHz band), thus dropping the signal in a way the aected zone of the wireless network can no longer function.
4.3 Topology alteration

Sink hole attack: This attack is also known as route intrusion, active eavesdropping [8], or man in the middle [1]. In this attack, an attacker forces its intrusion in an established route between two nodes by sending faked messages. It means that once intruded in the route, all the trac will be forwarded through the malicious node. Thus, the attacker will be not only able to intercept but also insert messages between two victim nodes. This type of attack is used as a platform to launch a wide variety of attacks requiring a route intrusion, ranging from black hole to jellysh attacks. Malicious packet forwarding : Also referred to as incorrect trac relay in [16], is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an attacker who intercepts the data and retransmits it. Replay attack: As topology changes, old control messages, though valid in the past, describe a topology conguration that no longer exists [16]. An attacker can perform a replay attack by recording old valid control messages and re-sending them, to make other nodes update their routing tables with stale routes. The same philosophy of attack may be applied at upper layers. Tampering attack: Also known as neighbour attack [13] or cache poisoning [16] [21]. An attacker may modify the messages originated from other nodes before relaying them. This causes incorrect routes to be stored in the routing table of legitimate nodes and prevent correct routes from being established. The idea could be applied to applicative trac.
4.4 Communication blockade

Link uctuation : At the transmission border line, communication tends to be unreliable due to uctuating quality of links [10]. This leads to spurious routing messages which, once received, do not reect correctly whether communication between two nodes is possible or not. As a consequence this means that stable and longer routes can be replaced by shorter but unreliable ones. Malicious packet forging : Also referred to as incorrect trac generation in [16]. This category typically includes attacks targeting routing protocols which consist in sending false control messages: i.e., control messages sent on behalf of another node (identity spoofing), or control messages which contain incorrect or outdated routing information. Sybil attack: This attack is labelled with dierent names as detour attack [5], routing table overow attack [21] or impersonation attack in some occasions. An attacker node may forge fake messages to other nodes. At a routing level, the dissemination of these packets leads the network to rebuild the topology with a wrong structure that can arise non-optimal routing, network congestion or make network partially inaccessible. The attacker maliciously announces legitimate nodes that new routes have been created or existing ones have been interrupted when in fact the links are in perfect condition.

High service demand : This refers to concrete moments in which the channel capacity is overloaded by devices. This usually happens when devices demand the same services

at the same time, for example, if dierent divices synchronise their state accessing some type of information at the same time. Accordingly, the network cannot attend all the data demands and communications are susceptible to be degraded. Typical eects include queuing delay, packet loss or the blocking of new connections. Black hole attack : Black holes refer to that nodes in the network where all incoming trafc is silently discarded (or dropped), without informing the source that the data did not reach its intended recipient. An attacker can either drop itself received routing or data messages or induce other nodes to discard them, instead of relaying them as the protocol requires. Collaborative black hole or colluding misrelay are dierent denominations to dene those coordinated approaches that use dierent attackers to perpetrate the attack. Selective forwarding : This attack, also known as grey hole [9] or link withholding [4], can be considered a particular case of black hole. Unlike black hole, selective forwarding is characterised by dropping only a concrete type of packets. For instance, by dropping (i) those packets addressed to a particular destination node or concrete service; (ii) a packet every n packets or every t seconds; or (iii) a randomly selected portion of the packets. Flooding attack : It is also referred to as message bombing [16] or sleep deprivation [1]. Nodes must overhear every single message in their radio range to determine if they are the addressee. Taking benet from such a vulnerability, an attacker can try to saturate the medium with a storm of broadcasting (valid or invalid messages) messages just to keep nodes busy, wasting their CPU and draining their battery power. Finally preventing nodes from communicating. In this case the attack is not aimed at modifying the network topology in a certain fashion, but rather at generally perturbing the network functions. Jellysh attack : This is a type of attack in which an attacker induces the same eects that the trac peaks, without really collapsing the network [1]. In the jellysh attack, the attacker delays all data packets for a random

period before forwarding them. Due to this fact, packets can be sent in scrambled order instead of the canonical FIFO order.
4.5 Eavesdropping

Trac analysis : This type of attack consists in capturing network messages for analysing and identifying the communication parties and functionalities (i.e, the nodes involved in the communication, the type of service demanded, etc.) [21]. They are dicult to detect given their dicult traceability. Trac analysis could provide sensitive information to launch further active attacks. Cryptanalysis : External attackers intercept encrypted protocol packets for their analysis (i.e., 802.11 WEP, IPsec, SAODV, SSL and so on). Discovering secret keys enables the intrusion of attackers in the network and the possibility to perpetrate identity spoong. However, it involves a heavy computation overhead in the attacker.
4.6 Summary

All the concepts previously explained, are compiled in the taxonomy shown in Figure 4. In such taxonomy, fault models are classied according to the ad hoc network layers they aect to. In addition, for every fault model, fault mechanisms and causes are classied attending to the fault categories and the dependability and performance properties previously considered in Section 3. For the sake of simplicity, fault mechanisms and causes have been considered transient, with the exception of the majority of those related to node fall, which have been considered permanent.

Discussion

To show the feasibility of our proposal, we recreated a communication between an IP web camera, whose goal would be to guard our garden, and the TV. Thanks to AmI, we could be sited in the sofa visualising the garden video signal while watching our favourite program, through an intermediate router located in other room. Since communications

are wireless, an attacker could be in the same radio range as such an intermediate node, trying to intrude our AmI network to perpetrate a black hole following the methodology shown in [18]. Such methodology consists in bypassing the trac through a malicious node, which drops the messages addressed to be forwarded. However, as far as the web camera is not always transmitting but it works as the user demands, it would not be always possible to perpetrate the attack when the communication is not tacking place. Figure 5 reects this situation. Such graphic is the result of injecting black hole attacks in the network with intermittent trac relays. This experimentation was developed using a fault injection prototype already presented in [6]. As one can observe, only in experiments 4 and 9 the black hole attack impacted on the service availability.

Conclusions

5 6 7 8 9
6 8  9   9 9   

4 1 1 3 1 2 1 0 1  1 1

4   0  2  3 4 1    6 7 9 6      6 7

Figure 5: Impact of black hole attacks on service availability.

However, to observe the same eects of the commented black hole in all the experiments, it would be sucient to force the intermediate node between the web camera and the TV to stop relaying messages by manipulating its network tables. In consequence, it will not be necessary to inject a black hole attack, since it can be emulated using the a communication blockade and congestion model. This is an example that represents the wide spectrum of possibilities that opens the use of fault models in AmI systems.

We are now in a stage of AmI environments where more practical aspects need to be investigated, so as to achieve a deeper market penetration. Such aspects involve standardization and regulation, which are the basis for mass production. A previous step towards this ambitious goal consists in assessing the behaviour of AmI components in operating conditions. Ad hoc networks provide AmI environments the capability to self-manage the inter-devices communications. However, they are subjected to a variety of threats. Consequently, their condent use relies on evaluating their behaviour in the presence of such threats. However, the recreation of hostile conditions in experimental environments is still an open issue given the huge amount of potential faults, and the diculty to reproduce exactly the fault effects in the network. Accordingly, the study of such eects, as presented in this paper, can assist experimenters to determine how the network reacts, and so the AmI system, against unexpected errors. Given the heterogeneity of faults presented in ad hoc networks, the main benet of this paper is to provide experimenters a conceptual framework based on fault models, which represent main referenced faults (including attacks) in the ad hoc network literature, according to well-known dependability concepts. Thus, the denition of representative fault taxonomies may contribute so that injected fault are not arbitrary mistakes chosen without criteria but they do correspond to the most signicant fault models occurred in AmI networks. The use of fault models can be useful, not only to assess the robustness of the ad hoc networks integrated in AmI systems, but also to i) improve protocol implementations by detecting existing vulnerabilities, ii) compare and guide the choice of a component, i.e., a routing protocol, for a given solution, and iii) tune the conguration parameters of the selected components to obtain a tradeo between the performance and dependability features exhibited by the network.

Fault categories Phenomena NA Physical damage Signal attenuation Doppler shift Multifading Hidden node Exposed node Heterogen. devices Noise Jamming attack Link fluctuation Sybil attack Sink hole attack Replay attack Tampering attack High service demand Black hole attack Selective forwarding Flooding attack Jellyfish attack Traffic analysis Cryptanalysis NA: Natural MA: Malicious PE: Permanent HU: Human-made NO: Non-Malicious TR: Transient HU Objective MA NO Duration PE TR AV

Affected properties Dependability IN AU CO Performance EN DE TH

FAULTS

FAULT MODELS
Device layer Node fall

Physical layer Link layer Signal problems

Routing layer Topology alteration

Routing layer Service layer Comm. blockade

Link layer Routing layer Service layer Eavesdropping

AV: Availability AU: Authentication IN: Integrity CO: Confidentiality

EN: Energy consumption DE: Delay TH: Throughput

Figure 4: Taxonomy of fault models.

References
[1] I. Aad, J.-P. Hubaux, and E. W. Knightly. Impact of denial of service attacks on ad hoc networks. IEEE/ACM Trans. Netw., 16(4):791802, 2008. [2] A. Al Hanbali, E. Altman, and N. Philippe. A survey of tcp over ad hoc networks. IEEE Communications Surveys and Tutorials, 1(4):2236, 2005. [3] A. Avizienis, J.-C. Laprie, B. Randell, and C. Landwehr. Basic concepts and taxonomy of dependable and secure computing. IEEE Trans. Dependable Secur. Comput., 1(1):11 33, 2004. [4] B. Kannhavong, H. Nakayama, Y. Nemoto, N. Kato, A. Jamalipour. A survey of routing attacks in mobile ad hoc networks. IEEE Wireless Communications, 14(5):85 91, 2007. [5] V. Balakrishnan and V. Varadharajan. Packet drop attack: A serious threat to operational mobile ad hoc networks. In Proceedings of the Network and Communication Systems Conf., pages 8995, 2005. [6] D. de Andr es et al. An Attack Injection Approach to Evaluate the Robustness of Ad Hoc Networks. In IEEE Pacic Rim Int. Symp. Dependable Computing, China, 2009. [7] P. Esteves Verssimo, N. Ferreira Neves, and M. Pupo Correia. Intrusion-tolerant architectures: Concepts and design. In Architecting Dependable Systems, volume 2677 of LNCS, pages 336. Springer-Verlag, 2003. [8] M. Jakobsson, S. Wetzel, and B. Yener. Stealth attacks on ad-hoc wireless networks. In IEEE Vehicular Technology Conference 03, 2003. [9] M. N. Lima, A. L. dos Santos, and G. Pujolle. A survey of survivability in mobile ad hoc networks. IEEE Communications Surveys and Tutorials, 11(1), 2009. [10] H. Lundgren, E. Nordstrom, and C. Tschudin. The gray zone problem in ieee 802.11b based ad hoc networks. SIGMOBILE Mob. Comput. Commun. Rev., 6(3):104105, 2002.

[11] D. Macedo, L. Correia, A. dos Santos, A. Loureiro, and J. Nogueira. Evaluating fault tolerance aspects in routing protocols for wireless sensor networks. In Fourth Annual Mediterranean Ad Hoc Networking Workshop, 2005. [12] McAfee and Informa Telecoms and Media. Mobile Security Report 2009. [Online]. Available: http://www.mcafee.com. [13] H. L. Nguyen and U. T. Nguyen. A study of dierent types of attacks on multicast in mobile ad hoc networks. Ad Hoc Netw., 6(1):32 46, 2008. [14] PERSIST. Project reference: FP7-215923. [Online]. Available: http://www.senseiproject.eu. [15] PERSIST. Project reference: FP7222878. [Online]. Available: http://www.ictpersist.eu. [16] D. Rao. Security Schemes for the OLSR Protocol for Ad Hoc Networks. PhD thesis, Universit Paris 6 and INRIA Rocquencourt, 2005. [17] S. Razak, S. Furnell, N. Clarke, and P. Brooke. Attacks against mobile ad hoc networks routing protocols. Proceedings of the 5th Annual Postgraduate Symposium on the Convergence of Telecommunications, pages 147152, 2004. [18] J.-C. Ruiz et al. Black Hole Attack Injection in Ad hoc Networks. In Supplemental Volume of IEEE Dependable Systems and Networks, pages G34G35, USA, 2008. [19] SC Magazine. Mobile hackers cash in on lack of protection oered by networks. [Online]. Available: http://www.scmagazineuk.com. [20] A. Sheth, C. Doerr, D. Grunwald, R. Han, and D. Sicker. Mojo: a distributed physical layer anomaly detection system for 802.11 wlans. In MobiSys 06: Proceedings of the 4th international conference on Mobile systems, applications and services, pages 191 204, 2006. [21] B. Wu, J. Chen, J. Wu, and M. Cardei. A survey on attacks and countermeasures in mobile ad hoc networks. In Wireless/Mobile networks security. Springer-Verlag, 2006.