IEEE 802.11 Tutorial
by Jim Zyren and Al Petrick

Approval of the IEEE 802.11 standard for wireless local area networking (WLAN) and rapid progress made toward higher data rates have put the promise of truly mobile computing within reach. While wired LANs have been a mainstream technology for at least fifteen years, WLANs are uncharted territory for most networking professionals. Some obvious questions come to mind when considering wireless networking: How can WLANs be integrated with wired network infrastructure? What is the underlying radio technology? How is multiple access handled? What about network security? IEEE 802.11 is limited in scope to the Physical (PHY) layer and Medium Access Control (MAC) sublayer, with MAC origins in the IEEE 802.3 Ethernet standard. The following overview explains major differences between wired and wireless LANs and should answer some of the questions facing MIS professionals evaluating WLAN technology.

Network Topology

WLANs can be used either to replace wired LANs, or as an extension of the wired LAN infrastructure. The basic topology of an 802.11 network is shown in Figure 1. A Basic Service Set (BSS) consists of two or more wireless nodes, or stations (STAs), which have recognized each other and have established communications. In the most basic form, stations communicate directly with each other on a peer-to-peer level sharing a given cell coverage area. This type of network is often formed on a temporary basis, and is commonly referred to as an ad hoc network, or Independent Basic Service Set (IBSS).

Figure 1 Peer-to-Peer Communications in Ad Hoc Network

In most instances, the BSS contains an Access Point (AP). The main function of an AP is to form a bridge between wireless and wired LANs. The AP is analogous to a base station used in cellular phone networks. When an AP is present, stations do not communicate on a peer-to-peer basis. All communications between stations or between a station and a wired network client go through the AP. APs are not mobile, and form part of the wired network infrastructure. A BSS in this configuration is said to be operating in the infrastructure mode.

Figure 2 ESS Provides Campus-Wide Coverage

The Extended Service Set (ESS) shown in Figure 2 consists of a series of overlapping BSSs (each containing an AP) connected together by means of a Distribution System (DS). Although the DS could be any type of network, it is almost invariably an Ethernet LAN. Mobile nodes can roam between APs and seamless campus-wide coverage is possible.

Radio Technology

IEEE 802.11 provides for two variations of the PHY. These include two (2) RF technologies, namely Direct Sequence Spread Spectrum (DSSS) and Frequency Hopped Spread Spectrum (FHSS). The DSSS and FHSS PHY options were designed specifically to conform to FCC regulations (FCC 15.247) for operation in the 2.4 GHz ISM band, which has worldwide allocation for unlicensed operation.

Region    Allocated Spectrum
US        2.4000 - 2.4835 GHz
Europe    2.4000 - 2.4835 GHz
Japan     2.471 - 2.497 GHz
France    2.4465 - 2.4835 GHz
Spain     2.445 - 2.475 GHz

Table 1 Global Spectrum Allocation at 2.4 GHz

Both FHSS and DSSS PHYs currently support 1 and 2 Mbps. However, all 11 Mbps radios are DSSS. Operating principles of DSSS radios are described in the following paragraphs.

Figure 3 Digital Modulation of Data with PRN Sequence (11 Bit Barker Code, 11 chips per 1 bit period)

DSSS systems use technology similar to GPS satellites and some types of cell phones. Each information bit is combined via an XOR function with a longer Pseudo-random Numerical (PN) sequence as shown in Figure 3. The result is a high speed digital stream which is then modulated onto a carrier frequency using Differential Phase Shift Keying (DPSK).

Figure 4 Matched Filter Correlator Used for Reception of DSSS Signal (Barker code: +1 -1 +1 +1 -1 +1 +1 +1 -1 -1 -1)
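
The XOR spreading described above and the matched filter correlator of Figure 4 can be modelled at baseband in a few lines. This is an added example, not code from the tutorial: it uses the Barker code printed with Figure 4, leaves out the DPSK carrier stage, and models a narrowband interferer as a constant offset on every chip (both are simplifying assumptions).

```python
"""Baseband model of DSSS spreading and matched-filter despreading (added example)."""

# Barker code as printed with Figure 4 of the tutorial (+1/-1 chip levels).
BARKER = [+1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1]
CODE_BITS = [1 if c > 0 else 0 for c in BARKER]   # same code as 1/0 bits
N = len(BARKER)                                   # 11 chips per data bit


def spread(bits):
    """XOR every data bit with the 11-chip code and map chip bits to +/-1 levels.

    A data bit of 0 sends the code unchanged, a data bit of 1 sends it inverted.
    """
    chips = []
    for bit in bits:
        for code_bit in CODE_BITS:
            chips.append(1.0 if (bit ^ code_bit) else -1.0)
    return chips


def despread(chips):
    """Matched filter: correlate each 11-chip symbol with the code.

    Returns (bits, scores); the sign of the correlation score decides the bit.
    """
    if len(chips) % N:
        raise ValueError("chip stream is not a whole number of symbols")
    bits, scores = [], []
    for start in range(0, len(chips), N):
        symbol = chips[start:start + N]
        score = sum(r * c for r, c in zip(symbol, BARKER))
        scores.append(score)
        bits.append(0 if score > 0 else 1)
    return bits, scores


def add_narrowband(chips, amplitude):
    """Constant offset on every chip: a tone at the carrier frequency seen at baseband."""
    return [c + amplitude for c in chips]


def flip_chips(chips, per_symbol):
    """Invert the first `per_symbol` chips of every symbol (constructed channel errors)."""
    out = list(chips)
    for start in range(0, len(out), N):
        for i in range(start, start + per_symbol):
            out[i] = -out[i]
    return out


def demo():
    data = [1, 0, 1, 1, 0]                 # constructed sample data
    tx = spread(data)
    return {
        "clean": despread(tx),
        "interferer 5x chip amplitude": despread(add_narrowband(tx, 5.0)),
        "5 of 11 chips wrong": despread(flip_chips(tx, 5)),
        "6 of 11 chips wrong": despread(flip_chips(tx, 6)),
    }


if __name__ == "__main__":
    for name, (bits, scores) in demo().items():
        print(f"{name:30s} bits={bits} scores={scores}")
```

Because the chips of this code sum to +1, an interferer five times stronger than a chip shifts every correlation score by only 5 against a signal peak of 11, so the data is still recovered. The decision fails only once more than half of a symbol's chips are wrong.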

When receiving the DSSS signal, a matched filter correlator is used as shown in Figure 4. The correlator removes the PN sequence and recovers the original data stream. At the higher data rates of 5.5 and 11 Mbps, DSSS receivers employ different PN codes and a bank of correlators to recover the transmitted data stream. The high rate modulation method is called Complementary Code Keying (CCK).

The effects of using PN codes to generate the spread spectrum signal are shown in Figure 5.

Figure 5a Effect of PN Sequence on Transmit Spectrum
Figure 5b Received Signal is Correlated with PN to Recover Data and Reject Interference

As shown in Figure 5a, the PN sequence spreads the transmitted bandwidth of the resulting signal (thus the term, spread spectrum) and reduces peak power. Note, however, that total power is unchanged. Upon reception, the signal is correlated with the same PN sequence to reject narrow band interference and recover the original binary data (Fig. 5b). Regardless of whether the data rate is 1, 2, 5.5, or 11 Mbps, the channel bandwidth is about 20 MHz for DSSS systems. Therefore, the ISM band will accommodate up to three non-overlapping channels.

Figure 6 Three Non-Overlapping DSSS Channels in the ISM Band (Ch. 1, Ch. 6 and Ch. 11 between 2.4000 GHz and 2.4835 GHz)

Multiple Access

The basic access method for 802.11 is the Distributed Coordination Function (DCF), which uses Carrier Sense Multiple Access / Collision Avoidance (CSMA/CA). This requires each station to listen for other users. If the channel is idle, the station may transmit. However, if it is busy, each station waits until transmission stops, and then enters into a random back-off procedure. This prevents multiple stations from seizing the medium immediately after completion of the preceding transmission.

Figure 7 CSMA/CD Back-off Algorithm

Packet reception in DCF requires acknowledgement as shown in Figure 7. The period between completion of packet transmission and start of the ACK frame is one Short Inter Frame Space (SIFS). ACK frames have a higher priority than other traffic. Fast acknowledgement is one of the salient features of the 802.11 standard, because it requires ACKs to be handled at the MAC sublayer. Transmissions other than ACKs must wait at least one DCF inter frame space (DIFS) before transmitting data. If a transmitter senses a busy medium, it determines a random back-off period by setting an internal timer to an integer number of slot times. Upon expiration of a DIFS, the timer begins to decrement. If the timer reaches zero, the station may begin transmission. However, if the channel is seized by another station before the timer reaches zero, the timer setting is retained at the decremented value for subsequent transmission.

The method described above relies on the Physical Carrier Sense. The underlying assumption is that every station can hear all other stations. This is not always the case. Referring to Figure 8, the AP is within range of the STA-A, but STA-B is out of range. STA-B would not be able to detect transmissions from STA-A, and the probability of collision is greatly increased. This is known as the Hidden Node.

Figure 8 RTS/CTS Procedure Eliminates the Hidden Node Problem

To combat this problem, a second carrier sense mechanism is available. Virtual Carrier Sense enables a station to reserve the medium for a specified period of time through the use of RTS/CTS frames. In the case described above, STA-A sends an RTS frame to the AP. The RTS will not be heard by STA-B. The RTS frame contains a duration/ID field which specifies the period of time for which the medium is reserved for a subsequent transmission. The reservation information is stored in the Network Allocation Vector (NAV) of all stations detecting the RTS frame. Upon receipt of the RTS, the AP responds with a CTS frame, which also contains a duration/ID field specifying the period of time for which the medium is reserved. While STA-B did not detect the RTS, it will detect the CTS and update its NAV accordingly. Thus, collision is avoided even though some nodes are hidden from other stations. The RTS/CTS procedure is invoked according to a user specified parameter. It can be used always, never, or for packets which exceed an arbitrarily defined length.

As mentioned above, DCF is the basic media access control method for 802.11 and it is mandatory for all stations. The Point Coordination Function (PCF) is an optional extension to DCF. PCF provides a time division duplexing capability to accommodate time bounded, connection-oriented services such as cordless telephony.

Logical Addressing

The authors of the 802.11 standard allowed for the possibility that the wireless media, distribution system, and wired LAN infrastructure would all use different address spaces. IEEE 802.11 only specifies addressing over the wireless medium, though it was intended specifically to facilitate integration with IEEE 802.3 wired Ethernet LANs. The IEEE 802 48-bit addressing scheme was therefore adopted for 802.11, thereby maintaining address compatibility with the entire family of IEEE 802 standards. In the vast majority of installations, the distribution system is an IEEE 802 wired LAN and all three logical addressing spaces are identical.

Security

IEEE 802.11 provides for security via two methods: authentication and encryption. Authentication is the means by which one station is verified to have authorization to communicate with a second station in a given coverage area. In the infrastructure mode, authentication is established between an AP and each station. Authentication can be either Open System or Shared Key. In an Open System, any STA may request authentication. The STA receiving the request may grant authentication to any request, or only those from stations on a user-defined list.
In a Shared Key system, only stations which possess a secret encrypted key can be authenticated. Shared Key authentication is available only to systems having the optional encryption capability.

Encryption is intended to provide a level of security comparable to that of a wired LAN. The Wired Equivalent Privacy (WEP) feature uses the RC4 PRNG algorithm from RSA Data Security, Inc. The WEP algorithm was selected to meet the following criteria:

- reasonably strong
- self-synchronizing
- computationally efficient
- exportable
- optional

Timing and Power Management

All station clocks within a BSS are synchronized by periodic transmission of time stamped beacons. In the infrastructure mode, the AP serves as the timing master and generates all timing beacons. Synchronization is maintained to within 4 microseconds plus propagation delay. Timing beacons also play an important role in power management. There are two power saving modes defined: awake and doze. In the awake mode, stations are fully powered and can receive packets at any time. Nodes must inform the AP before entering doze. In this mode, nodes must wake up periodically to listen for beacons which indicate that the AP has queued messages.

Roaming

Roaming is perhaps the least defined feature among those discussed in this article. The standard does identify the basic message formats to support roaming, but everything else is left up to network vendors. In order to fill the void, the Inter-Access Point Protocol (IAPP) was jointly developed by Aironet, Lucent Technologies, and Digital Ocean. Among other things, IAPP extends multi-vendor interoperability to the roaming function. It addresses roaming within a single ESS and between two or more ESSs.

The Wireless Ethernet Compatibility Alliance

The recently adopted Complementary Code Keying (CCK) waveform delivers speeds of 5.5 and 11 Mbps in the same occupied bandwidth as current generation 1 and 2 Mbps DSSS radios and will be fully backward compatible. Now that a standard is firmly in place, WLANs will become a part of the enterprise networking landscape within the next twelve months. The mission of the Wireless Ethernet Compatibility Alliance is to provide certification of compliance with the IEEE 802.11 Standard and to ensure that products from multiple vendors meet strict requirements for interoperability. With cross vendor interoperability assured, WLANs are now able to fulfill the promise of high speed mobile computing.

Securing Ad Hoc Networks

Lidong Zhou, Department of Computer Science
Zygmunt J. Haas, School of Electrical Engineering
Cornell University, Ithaca, NY 14853

Abstract

Ad hoc networks are a new wireless networking paradigm for mobile hosts. Unlike traditional mobile wireless networks, ad hoc networks do not rely on any fixed infrastructure. Instead, hosts rely on each other to keep the network connected. Military tactical and other security-sensitive operations are still the main applications of ad hoc networks, although there is a trend to adopt ad hoc networks for commercial uses due to their unique properties. One main challenge in the design of these networks is their vulnerability to security attacks. In this paper, we study the threats an ad hoc network faces and the security goals to be achieved. We identify the new challenges and opportunities posed by this new networking environment and explore new approaches to secure its communication. In particular, we take advantage of the inherent redundancy in ad hoc networks (multiple routes between nodes) to defend routing against denial of service attacks. We also use replication and new cryptographic schemes, such as threshold cryptography, to build a highly secure and highly available key management service, which forms the core of our security framework.

1 Introduction

Ad hoc networks are a new paradigm of wireless communication for mobile hosts (which we call nodes). In an ad hoc network, there is no fixed infrastructure such as base stations or mobile switching centers. Mobile nodes that are within each other's radio range communicate directly via wireless links, while those that are far apart rely on other nodes to relay messages as routers. Node mobility in an ad hoc network causes frequent changes of the network topology. Figure 1 shows such an example: initially, nodes A and D have a direct link between them. When D moves out of A's radio range, the link is broken. However, the network is still connected, because A can reach D through C, E, and F.

Military tactical operations are still the main application of ad hoc networks today. For example, military units (e.g., soldiers, tanks, or planes), equipped with wireless communication devices, could form an ad hoc network when they roam in a battlefield. Ad hoc networks can also be used for emergency, law enforcement, and rescue missions. Since an ad hoc network can be deployed rapidly with relatively low cost, it becomes an attractive option for commercial uses such as sensor networks or virtual classrooms.

1.1 Security goals

Security is an important issue for ad hoc networks, especially for those security-sensitive applications. To secure an ad hoc network, we consider the following attributes: availability, confidentiality, integrity, authentication, and non-repudiation.

To be published in IEEE Network, special issue on network security, November/December, 1999. This work is supported in part by ARPA/RADC grant F30602-96-1-0317, AFOSR grant F49620-94-1-0198, Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Material Command, USAF, under agreement number F30602-99-10533, and National Science Foundation Grants 9703470, ANI-9805094, and NCR-9704404. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of these organizations or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright annotation thereon.

Figure 1: Topology change in ad hoc networks: nodes A, B, C, D, E, and F constitute an ad hoc network. The circle represents the radio range of node A. The network initially has the topology in (a). When node D moves out of the radio range of A, the network topology changes to the one in (b).

Availability ensures the survivability of network services despite denial of service attacks. A denial of service attack could be launched at any layer of an ad hoc network. On the physical and media access control layers, an adversary could employ jamming to interfere with communication on physical channels. On the network layer, an adversary could disrupt the routing protocol and disconnect the network. On the higher layers, an adversary could bring down high-level services. One such target is the key management service, an essential service for any security framework.

Confidentiality ensures that certain information is never disclosed to unauthorized entities. Network transmission of sensitive information, such as strategic or tactical military information, requires confidentiality. Leakage of such information to enemies could have devastating consequences. Routing information must also remain confidential in certain cases, because the information might be valuable for enemies to identify and to locate their targets in a battlefield.

Integrity guarantees that a message being transferred is never corrupted. A message could be corrupted because of benign failures, such as radio propagation impairment, or because of malicious attacks on the network.

Authentication enables a node to ensure the identity of the peer node it is communicating with. Without authentication, an adversary could masquerade as a node, thus gaining unauthorized access to resources and sensitive information and interfering with the operation of other nodes.

Finally, non-repudiation ensures that the origin of a message cannot deny having sent the message. Non-repudiation is useful for detection and isolation of compromised nodes. When a node A receives an erroneous message from a node B, non-repudiation allows A to accuse B using this message and to convince other nodes that B is compromised.

There are other security goals (e.g., authorization) that are of concern to certain applications, but we will not pursue these issues in this paper.

1.2 Challenges

The salient features of ad hoc networks pose both challenges and opportunities in achieving these security goals.

First, use of wireless links renders an ad hoc network susceptible to link attacks ranging from passive eavesdropping to active impersonation, message replay, and message distortion. Eavesdropping might give an adversary access to secret information, violating confidentiality. Active attacks might allow the adversary to delete messages, to inject erroneous messages, to modify messages, and to impersonate a node, thus violating availability, integrity, authentication, and non-repudiation.

Secondly, nodes roaming in a hostile environment (e.g., a battlefield) with relatively poor physical protection have non-negligible probability of being compromised. Therefore, we should not only consider malicious attacks from outside a network, but also take into account the attacks launched from within the network by compromised nodes. Therefore, to achieve high survivability, ad hoc networks should have a distributed architecture with no central entities. Introducing any central entity into our security solution could lead to significant vulnerability; that is, if this centralized entity is compromised, then the entire network is subverted.

Thirdly, an ad hoc network is dynamic because of frequent changes in both its topology and its membership (i.e., nodes frequently join and leave the network). Trust relationship among nodes also changes, for example, when certain nodes are detected as being compromised. Unlike other wireless mobile networks, such as mobile IP [21, 48, 34], nodes in an ad hoc network may dynamically become affiliated with administrative domains. Any security solution with a static configuration would not suffice. It is desirable for our security mechanisms to adapt on-the-fly to these changes.

Finally, an ad hoc network may consist of hundreds or even thousands of nodes. Security mechanisms should be scalable to handle such a large network.

1.3 Scope and roadmap

Traditional security mechanisms, such as authentication protocols, digital signature, and encryption, still play important roles in achieving confidentiality, integrity, authentication, and non-repudiation of communication in ad hoc networks. However, these mechanisms are not sufficient by themselves.

We further rely on the following two principles. First, we take advantage of redundancies in the network topology (i.e., multiple routes between nodes) to achieve availability. The second principle is distribution of trust. Although no single node is trustworthy in an ad hoc network because of low physical security and availability, we can distribute trust to an aggregation of nodes. Assuming that any t + 1 nodes will unlikely be all compromised, consensus of at least t + 1 nodes is trustworthy.

In this paper, we will not address denial of service attacks towards the physical and data link layers. Certain physical layer countermeasures such as spread spectrum have been extensively studied (e.g., [44, 6, 42, 17, 37]). However, we do focus on how to defend against denial of service attacks towards routing protocols in Section 2.

All key-based cryptographic schemes (e.g., digital signature) demand a key management service, which is responsible for keeping track of bindings between keys and nodes and for assisting the establishment of mutual trust and secure communication between nodes. We will focus our discussion in Section 3 on how to establish such a key management service that is appropriate for ad hoc networks. We present related work in Section 4 and conclude in Section 5.

2 Secure Routing

To achieve availability, routing protocols should be robust against both dynamically changing topology and malicious attacks. Routing protocols [30, 25, 43, 32, 49, 16, 23, 35] proposed for ad hoc networks cope well with the dynamically changing topology. However, none of them, to our knowledge, have accommodated mechanisms to defend against malicious attacks. Routing protocols for ad hoc networks are still under active research. There is no single standard routing protocol. Therefore, we aim to capture the common security threats and to provide guidelines to secure routing protocols.

In most routing protocols, routers exchange information on the topology of the network in order to establish routes between nodes. Such information could become a target for malicious adversaries who intend to bring the network down.

There are two sources of threats to routing protocols. The first comes from external attackers. By injecting erroneous routing information, replaying old routing information, or distorting routing information, an attacker could successfully partition a network or introduce excessive traffic load into the network by causing retransmission and inefficient routing. The second and also the more severe kind of threats comes from compromised nodes, which might advertise incorrect routing information to other nodes. Detection of such incorrect information is difficult: merely requiring routing information to be signed by each node would not work, because compromised nodes are able to generate valid signatures using their private keys.

To defend against the first kind of threats, nodes can protect routing information in the same way they protect data traffic, i.e., through the use of cryptographic schemes such as digital signature. However, this defense is ineffective against attacks from compromised servers. Worse yet, as we have argued, we cannot neglect the possibility of nodes being compromised in an ad hoc network. Detection of compromised nodes through routing information is also difficult in an ad hoc network because of its dynamically changing topology: when a piece of routing information is found invalid, the information could be generated by a compromised node, or, it could have become invalid as a result of topology changes. It is difficult to distinguish between the two cases.

On the other hand, we can exploit certain properties of ad hoc networks to achieve secure routing. Note that routing protocols for ad hoc networks must handle outdated routing information to accommodate the dynamically changing topology. False routing information generated by compromised nodes could, to some extent, be considered outdated information. As long as there are sufficiently many correct nodes, the routing protocol should be able to find routes that go around these compromised nodes. Such capability of the routing protocols usually relies on the inherent redundancies (multiple, possibly disjoint, routes between nodes) in ad hoc networks. If routing protocols can discover multiple routes (e.g., protocols in ZRP [16], DSR [25], TORA [32], and AODV [35] all can achieve this), nodes can switch to an alternative route when the primary route appears to have failed.

Diversity coding [1] takes advantage of multiple paths in an efficient way without message retransmission. The basic idea is to transmit redundant information through additional routes for error detection and correction. For example, if there are n disjoint routes between two nodes, then we can use n - r channels to transmit data and use the other r channels to transmit redundant information. Even if certain routes are compromised, the receiver may still be able to validate messages and to recover messages from errors using the redundant information from the additional r channels.

3 Key Management Service

We employ cryptographic schemes, such as digital signatures, to protect both routing information and data traffic. Use of such schemes usually requires a key management service.

We adopt a public key infrastructure because of its superiority in distributing keys and in achieving integrity and non-repudiation. Efficient secret key schemes are used to secure further communication after nodes authenticate each other and establish a shared secret session key.

In a public key infrastructure, each node has a public/private key pair. Public keys can be distributed to other nodes, while private keys should be kept confidential to individual nodes. There is a trusted entity called Certification Authority (CA) [11, 47, 26] for key management. The CA has a public/private key pair, with its public key known to every node, and signs certificates binding public keys to nodes. The trusted CA has to stay on-line to reflect the current bindings, because the bindings could change over time: a public key should be revoked if the owner node is no longer trusted or is out of the network; a node may refresh its key pair periodically to reduce the chance of a successful brute-force attack on its private key.

It is problematic to establish a key management service using a single CA in ad hoc networks.
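
The diversity coding scheme described in Section 2 above (n - r data channels plus r redundant channels over n disjoint routes) can be made concrete as follows. This is an added example, not code from the paper: the paper does not specify a particular code, so the polynomial code over GF(257) used here, and the names encode, decode and tamper, are assumptions chosen for illustration.

```python
"""Diversity coding over n disjoint routes (added example, constructed data)."""
from itertools import combinations

P = 257  # smallest prime above 255, so every byte value is a field element


def _eval(points, x):
    """Evaluate at x the polynomial through `points` [(xi, yi), ...] modulo P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def encode(message, n, r):
    """Return n symbol streams: routes 0..n-r-1 carry data, the last r carry redundancy."""
    k = n - r
    padded = message + bytes(-len(message) % k)
    routes = [[] for _ in range(n)]
    for off in range(0, len(padded), k):
        # k data bytes are the values of a degree < k polynomial at x = 1..k ...
        points = [(i + 1, padded[off + i]) for i in range(k)]
        for i in range(k):
            routes[i].append(points[i][1])
        # ... and the r redundant symbols are its values at x = k+1..n.
        for i in range(k, n):
            routes[i].append(_eval(points, i + 1))
    return routes


def decode(received, n, r, length):
    """received[i] is the stream from route i, or None if that route delivered nothing.

    Assumes every delivered stream has the same length.
    Returns (message, suspect_routes). With `lost` routes missing, up to
    (r - lost) // 2 routes carrying altered symbols are corrected and named.
    """
    k = n - r
    alive = [i for i, s in enumerate(received) if s is not None]
    if len(alive) < k:
        raise ValueError("fewer than n - r routes delivered")
    tolerate = (len(alive) - k) // 2
    out, suspects = bytearray(), set()
    for pos in range(len(received[alive[0]])):
        pts = [(i + 1, received[i][pos]) for i in alive]
        # Look for k routes whose polynomial agrees with all but `tolerate` routes.
        for subset in combinations(pts, k):
            bad = {x - 1 for x, y in pts if _eval(subset, x) != y}
            if len(bad) <= tolerate:
                break
        else:
            raise ValueError("too many inconsistent routes at symbol %d" % pos)
        suspects |= bad
        out.extend(_eval(subset, x) for x in range(1, k + 1))
    return bytes(out[:length]), suspects


def tamper(stream):
    """Constructed stand-in for a compromised route: every symbol is altered."""
    return [(s + 1) % P for s in stream]


def demo():
    msg, n, r = b"route update #42", 5, 2          # constructed sample message
    sent = encode(msg, n, r)
    lost = [sent[0], None, sent[2], None, sent[4]]             # two routes fail
    forged = [sent[0], sent[1], tamper(sent[2]), sent[3], sent[4]]
    return decode(lost, n, r, len(msg)), decode(forged, n, r, len(msg))


if __name__ == "__main__":
    for message, suspects in demo():
        print(message, "suspect routes:", sorted(suspects))
```

With n = 5 and r = 2 the receiver recovers the message from any three routes, or corrects and identifies one route that delivers altered symbols; two altered routes are detected but cannot be corrected.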
The CA, responsible for the security of the entire network, is a vulnerable point of the network: if the CA is unavailable, nodes cannot get the current public keys of other nodes or establish secure communication with others. If the CA is compromised and leaks its private key to an adversary, the adversary can then sign any erroneous certificate using this private key to impersonate any node or to revoke any certificate.

A standard approach to improve availability of a service is replication. But a naive replication of the CA makes the service more vulnerable: compromise of any single replica, which possesses the service private key, could lead to collapse of the entire system. To solve this problem, we distribute the trust to a set of nodes by letting these nodes share the key management responsibility.

3.1 System model

Our key management service is applicable to an asynchronous ad hoc network; that is, a network with no bound on message-delivery and message-processing times. We also assume that the underlying network layer provides reliable links. The service, as a whole, has a public/private key pair. All nodes in the system know the public key of the service and trust any certificates signed using the corresponding private key. Nodes, as clients, can submit query requests to get other clients' public keys or submit update requests to change their own public keys.

Figure 2: The configuration of a key management service: the key management service consists of n servers. The service, as a whole, has a public/private key pair K/k. The public key K is known to all nodes in the network, whereas the private key k is divided into n shares s1, s2, . . . , sn, one share for each server. Each server i also has a public/private key pair Ki/ki and knows the public keys of all nodes.

Internally, our key management service, with an (n, t + 1) configuration (n 3t+ 1), consists of n special nodes, which we call servers, present within an ad hoc network. Each server also has its own key pair and stores the public keys of all the nodes in the network. In particular, each server knows the public keys of other servers. Thus, servers can establish secure links among them. We assume that the adversary can compromise up to t servers in any period of time with a certain duration.

If a server is compromised, then the adversary has access to all the secret information stored on the server. A compromised server might be unavailable or exhibit Byzantine behavior (i.e., it can deviate arbitrarily from its protocols). We also assume that the adversary lacks the computational power to break the cryptographic schemes we employ.

The service is correct if the following two conditions hold:

- (Robustness) The service is always able to process query and update requests from clients. Every query always returns the last updated public key associated with the requested client, assuming no concurrent updates on this entry.
- (Confidentiality) The private key of the service is never disclosed to an adversary. Thus, an adversary is never able to issue certificates, signed by the service private key, for erroneous bindings.

Ad hoc network specific attacks

Seminar Ad hoc networking: concepts, applications, and security
Technische Universität München, 2003
written by Adam Burg

Table of contents

1. Introduction
2. Essentials and vulnerabilities of ad hoc networks
   2.1. Availability
   2.2. Confidentiality
   2.3. Authenticity
   2.4. Integrity
   2.5. Non-repudiation
3. Classifications of attacks
4. Attack types
   4.1. Impersonation
   4.2. Sinkhole attacks
   4.3. Wormholes
   4.4. Sleep deprivation torture
   4.5. The Sybil attack
   4.6. Rushing attacks
   4.7. Denial-of-Service and Flooding
5. Conclusion
Appendix. References and Sources

1. Introduction

Nowadays, it is hard to imagine a world without the Internet. The World Wide Web has evolved into an entity intertwined with our lives. What started out as an academic/military network meant to make the exchange of research information easier, and then turned into a meeting place for people from all around the world, grew exponentially larger year by year until it became the platform for many commercial applications and services that it is today. For a long time, though, we could only enjoy its advantages within the confines of our homes or offices. With the rapid development of mobile technologies, however, the use of networks is no longer limited by earthbound cables. The potential of such wireless networks has not been fully explored yet. Mobile telephony is the most basic application making use of them, but the list only starts there. Combining peer-to-peer techniques with the opportunities that mobility offers, so-called ad hoc networks have become an important field of research in recent years. An ad hoc network is defined as "... an autonomous system of routers (and associated hosts) connected by wireless links--the union of which form an arbitrary graph. The routers are free to move randomly and organize themselves arbitrarily; thus, the network's wireless topology may change rapidly and unpredictably. Such a network may operate in a standalone fashion, or may be connected to the larger Internet operating as a hybrid fixed/ad hoc network." [9]

The areas of application range from school classes over well-known services like chatrooms to online shopping, but ad hoc networks are also used in places that do not come to mind immediately, like in the military. Furthermore, it is not even necessary to have a human interaction factor: ad hoc networks can also be used to link together research computers or moving vehicles that exchange information on the road, unbeknownst to the driver. However, new technologies do not only present new potential, they usually present new risks as well. The purpose of this paper is to outline the security requirements of ad hoc networks and to describe various ways to attack their nodes or to disrupt their functionality and services.

2. Essentials and vulnerabilities of ad hoc networks
The principle of ad hoc networks sounds like a great idea. A dynamic connection between devices that can be used from anywhere and offers limitless business, recreational and educational opportunities appears to be a promising technological advancement towards making our lives easier. However, as with conventional networks, security and safety considerations have to be taken into account. Ad hoc networks are by nature very open to anyone. Their biggest advantage is also one of their biggest disadvantages: basically anyone with the proper hardware and knowledge of the network topology and protocols can connect to the network. This allows potential attackers to infiltrate the network and carry out attacks on its participants with the purpose of stealing or altering information. Also, depending on the application, certain nodes or network components may
be exposed to physical attacks which can disrupt the functionality. In contrast to conventional networks, ad hoc network hosts are more often than not part of an environment that is not maintained professionally. Wireless nodes might be scattered over a large (potentially insecure) area, where it may prove difficult to supervise all of them.

Another specialty of ad hoc networks is their heavy reliance on inter-node communication. Due to the dynamic nature of the links between the individual nodes, it may happen that a certain node B is not in range of node A. In these cases, the information can be routed through intermediate nodes. Even though this is of course not a new concept, since it is heavily utilized in the infrastructure of the Internet, the fact that ad hoc network nodes are usually mobile and can disappear at any time (both from within the range of a particular node as well as from the entire network) means that the possibility that a certain data route becomes unavailable is significantly higher than in fixed-location networks. This makes it easier for attackers to disrupt the network than in conventional networks. To ensure proper operation, several attributes of these networks have to be protected against defects and, more importantly, against malicious intent. [1, 4]

2.1. Availability
Availability is the most basic requirement of any network. If the network's connection ports are unreachable, or the data routing and forwarding mechanisms are out of order, the network would cease to exist.

2.2. Confidentiality
Confidentiality describes the need to protect the data roaming in the network from being understood by unauthorized parties. Confidentiality can be achieved by encrypting essential information so only the communicating nodes can analyze and understand it.

2.3. Authenticity
Authenticity is crucial to keep eavesdroppers out of the network. With many services applicable in ad hoc networks (and other kinds of networks too, for that matter), it is important to ensure that when communicating with a certain node, that node is really who/what we expect it to be (node authentication). Message authentication ensures that the contents of a message are valid.

2.4. Integrity
Integrity of communication data is required to ensure that the information passed on between nodes has not been altered in any way. Data can be altered both intentionally and accidentally (for example through hardware glitches, or interference in the case of wireless connections).

2.5. Non-repudiation
Non-repudiation means that messages can be traced back to their senders, without the sender being able to deny having sent them. This is less a means to prevent attacks than a way to make it possible to detect intrusions and fake messages. Many routing and authentication algorithms implemented in ad hoc networks rely on trust-based concepts; the fact that a message can be attributed to a specific node helps make these algorithms more secure.

It is also necessary to ensure the privacy of nodes. The location privacy of the nodes has to be protected in some applications of ad hoc networks, to ensure their safety. Imagine a battlefield scenario where the nodes are living soldiers. Exposing their location might endanger their lives. Data privacy means no unauthorized entity should be able to access the contents of messages. In some networks (like the battlefield network above) it might be convenient to conceal the existence of
nodes (existence privacy). Furthermore, an ad hoc network might have to respect the identity privacy of its participants.

Ad hoc networks should also be able to isolate nodes which are identified as dangerous to the network and continue to function properly without them and despite the damage they have done (self-stabilisation and Byzantine robustness [3]; about the Byzantine Generals Problem, see [8]).

Without a doubt, these attributes are not unique to ad hoc networks. However, the special traits described above make them more prone to old kinds of attacks and make them vulnerable to new ones. Also, the detection of tampering and intrusion becomes harder and yet all the more important. The steady flow of information relies heavily on the communication between nodes, thus the security attributes are more closely linked to each other. The fact that hosts can be anywhere physically, and that malicious parties might join the network, carry out their attacks and disappear again without leaving behind significant traces, makes it important to analyze and assess the shape of attacks on ad hoc networks, so that appropriate measures can be taken to secure their safety.

3. Classifications of attacks
Attacks on networks come in many varieties and they can be grouped based on different characteristics. One way to distinguish attacks is to classify them by their source. External attacks are committed by parties that are not legally part of the network. External attackers are not necessarily disconnected from the network, though. The targeted network might be a self-contained entity that is linked to other networks that are using the same infrastructure or communication technology. This would make it possible to initiate attacks without even being authenticated in the targeted network. On the other hand, it would also be possible to jam the communication of the entire ad hoc network of a company from the parking lot in front of the company building.

In contrast to this, internal attacks are sourced from inside a particular network. A compromised node (defined as "malicious parties [whose] actions compromise the security of the whole ad hoc network" [1]) with access to all other nodes within its range poses a high threat to the functional efficiency of the whole collective. As discussed in [2], attacks can be executed more efficiently, since internal attacks are not as easy to prevent as external ones. Furthermore, a malicious node that is already part of the network might actually be protected by its own security mechanisms, which assume that nodes on the network can be trusted (and have to be protected against attacks as well).

Another classification of attacks is the distinction between passive and active attacks. Passive attacks do not involve any disruption of the service; they are merely intended to steal information and to eavesdrop on the communication within the network. Active attacks, on the other hand, actively alter the data, with the intent of overloading the network, obstructing the operation or cutting off certain nodes from their neighbors so they cannot use the network's services effectively anymore. To execute active attacks, the attacker must be able to inject packets into the network.

Attacks might target the physical layer of a network, for example by jamming the transmissions of wireless antennas or phones, or by destroying the hardware of a certain node. Selfish nodes, which act only to their own advantage, without regard to the functionality of the whole network, can be put in either group: they are not actively attacking the network, but they have a negative effect on the communication efficiency. For example, in wireless ad hoc networks, the hosts use
medium access control (MAC) protocols to share the wireless channel. Selfish nodes might misbehave and try to obtain an unfair amount of the channel's resources [10]. An attacker could also exploit the protocols of the network layer. Intimate knowledge of the routing mechanisms involved can present security risks which are hard to defend against. Finally, it is also possible for someone with bad intentions to abuse the loopholes of the application layer: in the case of an information network, for example, he could inject false or fake information, thus undermining the integrity of the application.

However, it can also be interesting to analyze the severity of the effects of attacks on ad hoc networks. Usually, the threat a certain type of intrusion or attack poses depends on the application. Not all networks have to be protected equally against security risks. In [2], two examples of ad hoc network usage are described: firstly a network of student PDAs which are interconnected, and secondly the battlefield scenario mentioned above where soldiers are connected to each other by wireless communication devices. Obviously, while the student network might be intruded upon by unauthorized parties, the question arises whether it is necessary to protect it by implementing secret key algorithms, high-security routing protocols, etc. The importance of protection is defined by the importance of the information passed on between the students and their teachers. If the privacy and availability of this data is not crucial, it might not be necessary to implement safety precautions. In the case of the military operation supported by an ad hoc network with the soldiers acting as nodes, it is very likely that the creators of such a network would take every measure possible to prevent its exposure. The lives of the soldiers could depend on the quality of these measures. If one of the soldiers can be located through stolen routing information, the whole network (and so all the soldiers) might run the risk of being terminated. If the enemy can disrupt the network's data flow, the soldiers will not be able to communicate with each other, which would also endanger the operation.

4. Attack types

4.1. Impersonation
Impersonation attacks are also called spoofing attacks. The attacker assumes the identity of another node in the network, thus receiving messages directed to the node it fakes. Usually this would be one of the first steps to intrude into a network with the aim of carrying out further attacks to disrupt operation. Depending on the access level of the impersonated node, the intruder may even be able to reconfigure the network so that other attackers can (more) easily join, or he could remove security measures to allow subsequent attempts of invasion. A compromised node may also have access to encryption keys and authentication information. In many networks, a malicious node could obstruct proper routing by injecting false routing packets into the network or by modifying routing information.

Attackers might see an advantage in selectively forwarding packets that pass them. As described in [5], an intruder with this goal will most likely try to impersonate a node within the path of the data flow of interest. It could achieve this by modifying routing data or by presenting itself as a trustworthy communication partner to neighboring nodes in parallel. Depending on the layer where the identity faking takes place, it can be difficult to prevent it. Exploiting MAC layer protocol weaknesses, attackers could place their node between two other nodes communicating with each other (man-in-the-middle attack). Since MAC addresses can be faked with little effort, detecting an illegitimate intruder might not be possible in this layer. However, by using good authentication algorithms, strong data encryption and secure routing protocols, the effects of impersonation can be reduced significantly.

4.2. Sinkhole attacks
By carrying out a sinkhole attack, a compromised node tries to attract the data to itself from all neighboring nodes. Since this would give this node access to all data, the sinkhole attack is the basis for many other attacks like eavesdropping or data alteration. Sinkhole attacks make use of the loopholes in routing algorithms of ad hoc networks: the attacking nodes present themselves to adjacent nodes as the most attractive partner in a multihop route. Even though by definition nodes on the network layer of an ad hoc network are equal, sinkhole attacks might be very effective on the application level, where nodes may have different roles. This means that, as stated in [2], the effect of sinkhole attacks on networks with centralized entities can be especially grave, because by impersonating the centralized node or its neighbors, the adversary can get access to the biggest part of the data flowing through the network.

Effective against sinkhole attacks is the use of multipath (SMR [11], derivatives of AODV and DSDV) and/or probabilistic (PRB [12]) routing protocols. Multipath protocols send data redundantly, not relying on one path only. Probabilistic protocols measure the trustworthiness of a message based on the probability of the packet arriving from a certain source, which can help detect sinkholes within the network (if many packets arrive from a rather improbable source).

4.3. Wormholes
Closely related to the sinkhole attack is the wormhole attack. In a wormhole attack, a malicious node uses a path outside the network to route messages to another compromised node at some other location in the net (just like a conventional wormhole presents a shortcut between two normally distant locations in space). Wormholes are hard to detect because the path that is used to pass on information is usually not part of the actual network. Interestingly, a wormhole itself does not have to be harmful, for it usually lowers the time it takes for a packet to reach its destination. But even this behaviour could already damage the operation, since wormholes fake a route that is shorter than the corresponding one within the network; this can confuse routing mechanisms which rely on knowledge about the distance between nodes.

Wormholes are especially dangerous because they can do damage without the attacker even knowing the protocols used or the services offered in the network. In a wireless network it is relatively easy to eavesdrop on the communication and forward the packets to other known nodes before the packet sent within the network arrives. This, for example, might be harmful if the data within the packet is altered to contain different information than the original. Imagine a shopping scenario: if the article list or the address is contained within a different packet than the authentication information of the buyer, a wormhole attacker could modify that packet only and send it over the faster, off-network route to the recipient before the real packet arrives there. Since the recipient would assume that the first packet is authentic, any subsequent packets with the real information will be dropped. Sure enough, this exploit can also be attributed to flaws in the service application, but the threat remains, and in some cases it might not be possible to prevent the possibility of such modifications on the application side.
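An added example (not code from this paper or from [6]) of the check the next paragraph describes: the receiver compares a packet's time and location stamp with its own clock and position. The stamp fields, the error bounds and the sample packets are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

SPEED_OF_LIGHT = 299_792_458.0  # metres per second


@dataclass(frozen=True)
class Stamp:
    """Time and location stamp a sender puts on each packet (hypothetical format).

    Assumption: the stamp is covered by the sender's signature or MAC, so a
    relay cannot rewrite it unnoticed.
    """
    sent_at: float  # sender clock at transmission, seconds
    x: float        # sender position, metres
    y: float


@dataclass(frozen=True)
class Policy:
    """Bounds the receiver relies on (constructed values, not from the paper)."""
    radio_range: float     # longest legitimate single-hop link, metres
    clock_error: float     # worst-case clock offset between two nodes, seconds
    position_error: float  # worst-case combined positioning error, metres
    max_speed: float       # fastest a node can move, metres per second


def check_hop(stamp, rx_pos, received_at, policy):
    """Return the list of plausibility violations for one received packet."""
    violations = []
    elapsed = received_at - stamp.sent_at

    # A packet cannot arrive before it was sent (allowing for clock offset).
    if elapsed < -policy.clock_error:
        violations.append("timestamp-in-future")

    # Time check: the shortest flight time consistent with both clocks is
    # elapsed - clock_error. If even that exceeds what one radio hop takes at
    # the speed of light, the packet was relayed or held back on the way.
    if elapsed - policy.clock_error > policy.radio_range / SPEED_OF_LIGHT:
        violations.append("took-too-long")

    # Location check: claimed sender position versus our own position, less
    # the slack for positioning error and for both nodes moving meanwhile.
    distance = math.hypot(stamp.x - rx_pos[0], stamp.y - rx_pos[1])
    moved = 2 * policy.max_speed * max(elapsed + policy.clock_error, 0.0)
    if distance - policy.position_error - moved > policy.radio_range:
        violations.append("sender-too-far")

    return violations


# Constructed sample traffic as seen by a receiver at the origin.
POLICY = Policy(radio_range=250.0, clock_error=1e-6,
                position_error=10.0, max_speed=20.0)
SAMPLES = {
    "neighbour":    (Stamp(10.0, 120.0, 0.0), 10.0 + 0.7e-6),
    "tunnelled":    (Stamp(10.0, 2000.0, 0.0), 10.0 + 8e-6),
    "held-back":    (Stamp(10.0, 100.0, 50.0), 10.0 + 2e-3),
    "future-stamp": (Stamp(10.0, 120.0, 0.0), 10.0 - 1e-4),
}


def classify_samples():
    """Run the check over every constructed sample packet."""
    return {name: check_hop(stamp, (0.0, 0.0), rx_time, POLICY)
            for name, (stamp, rx_time) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:13s} {'plausible' if not result else ', '.join(result)}")
```

With a clock error bound of 1 microsecond the time check cannot resolve distances below roughly 300 m, which is why the stamps need very precise time information.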
As outlined in [6], in a network with on-demand routing, the Route Discovery mechanism can be seriously disrupted by bypassing the normal route and forwarding the ROUTE REQUEST packets directly to the destination. The same document proposes the idea of outfitting each packet with timestamps and location stamps in order to detect wormhole intrusions in a system. Each packet is tagged with very precise time information and/or geographic location information of the sender node, which is then compared by the destination node to its own time and location stamps. If the comparison reveals that the data covered an unrealistic distance within an unrealistic amount of time, it can be assumed that there is a wormhole within the network. Another effective way to minimize wormhole threats is avoiding any race conditions, making the attack close to pointless.

4.4. Sleep deprivation torture
Best described in [4], this kind of attack is most specific to wireless ad hoc networks, but may be encountered in conventional or wired networks as well. The idea behind this attack is to request the services a certain node offers, over and over again, so it cannot go into an idle or power-preserving state, thus depriving it of its sleep (hence the name). This can be very devastating to networks with nodes that have limited resources, for example battery power. It can also keep the component constantly busy, hindering other nodes from (legitimately) requesting services, data or information from the targeted entity. Measures to prevent such attacks are hard to take, but the effects can be minimized by prioritizing between the functions of the targeted node, so that constant requests of low-priority services do not block other, high-priority requests. Furthermore, resources can be shared unequally between different types

Abstract: In the performance evaluation of a protocol for an ad hoc network, the protocol should be tested under realistic conditions including, but not limited to, a sensible transmission range, limited buffer space for the storage of messages, representative data traffic models, and realistic movements of the mobile users (i.e., a mobility model). This paper is a survey of mobility models that are used in the simulations of ad hoc networks. We describe several mobility models that represent mobile nodes whose movements are independent of each other (i.e., entity mobility models) and several mobility models that represent mobile nodes whose movements are dependent on each other (i.e., group mobility models). The goal of this paper is to present a number of mobility models in order to offer researchers more informed choices when they are deciding upon a mobility model to use in their performance evaluations. Lastly, we present simulation results that illustrate the importance of choosing a mobility model in the simulation of an ad hoc network protocol. Specifically, we illustrate how the performance results of an ad hoc network protocol drastically change as a result of changing the mobility model simulated.

Keywords: ad hoc networks, entity mobility models, group mobility models
Short title: Survey of Mobility Models

This work supported in part by NSF Grants ANI-9996156 and ANI-0073699. Research group's URL is http://toilers.mines.edu. Final version of this paper published in: Wireless Communication & Mobile Computing (WCMC): Special issue on Mobile Ad Hoc Networking: Research, Trends and Applications, vol. 2, no. 5, pp. 483-502, 2002.

T. Camp, J. Boleng, and V. Davies: Survey of Mobility Models

1 Introduction
In order to thoroughly simulate a new protocol for an ad hoc network, it is imperative to use a mobility model that accurately represents the mobile nodes (MNs) that will eventually utilize the given protocol. Only in this type of scenario is it possible to determine whether or not the proposed protocol will be useful when implemented. Currently there are two types of mobility models used in the simulation of networks: traces and synthetic models [28]. Traces are those mobility patterns that are observed in real life systems. Traces provide accurate information, especially when they involve a large number of participants and an appropriately long observation period. However, new network environments (e.g. ad hoc networks) are not easily modeled if traces have not yet been created. In this type of situation it is necessary to use synthetic models. Synthetic models attempt to realistically represent the behaviors of MNs without the use of traces. In this paper, we present several synthetic mobility models that have been proposed for (or used in) the performance evaluation of ad hoc network protocols.

A mobility model should attempt to mimic the movements of real MNs. Changes in speed and direction must occur and they must occur in reasonable time slots. For example, we would not want MNs to travel in straight lines at constant speeds throughout the course of the entire simulation because real MNs would not travel in such a restricted manner. In Section 2, we discuss seven different synthetic entity mobility models for ad hoc networks:
1. Random Walk Mobility Model (including its many derivatives): A simple mobility model based on random directions and speeds.
2. Random Waypoint Mobility Model: A model that includes pause times between changes in destination and speed.
3. Random Direction Mobility Model: A model that forces MNs to travel to the edge of the simulation area before changing direction and speed.
4. A Boundless Simulation Area Mobility Model: A model that converts a 2D rectangular simulation area into a torus-shaped simulation area.
5. Gauss-Markov Mobility Model: A model that uses one tuning parameter to vary the degree of randomness in the mobility pattern.
6. A Probabilistic Version of the Random Walk Mobility Model: A model that utilizes a set of probabilities to determine the next position of an MN.
7. City Section Mobility Model: A simulation area that represents streets within a city.

There are other synthetic entity mobility models available for the performance evaluation of a protocol in a cellular network or personal communication system (PCS). Although some of these mobility models could be adapted to an ad hoc network, this paper focuses on those models that have been proposed for (or used in) the performance evaluation of an ad hoc network.

In Section 3, we present five group mobility models that allow researchers to simulate situations where the MNs' decisions on movement depend upon the other MNs in the group.
1. Exponential Correlated Random Mobility Model: A group mobility model that uses a motion function to create movements.
2. Column Mobility Model: A group mobility model where the set of MNs form a line and are uniformly moving forward in a particular direction.
3. Nomadic Community Mobility Model: A group mobility model where a set of MNs move together from one location to another.
4. Pursue Mobility Model: A group mobility model where a set of MNs follow a given target.
5. Reference Point Group Mobility Model: A group mobility model where group movements are based upon the path traveled by a logical center.

In all five group mobility models, random motion of each individual MN within a given group occurs. In Section 4, we illustrate that a mobility model has a large effect on the performance evaluation of an ad hoc network protocol. In other words, we show how the performance results of an ad hoc network protocol significantly change when the mobility model in the simulation is changed. The results presented prove the importance of choosing an appropriate mobility model (or models) for a given performance evaluation.

We survey a number of synthetic mobility models used in ad hoc network simulations in this paper. The details of the models provide a good resource to researchers when they are deciding upon a mobility model to use in their performance evaluations. In addition, implementations of all the mobility models described in this paper (except Exponential Correlated Random Mobility Model) are available at http://toilers.mines.edu.

2 Entity Mobility Models
In this section, we present seven mobility models that have been proposed for (or used in) the performance evaluation of an ad hoc network protocol. The first two models presented, the Random Walk Mobility Model and the Random Waypoint Mobility Model, are the two most common mobility models used by researchers. Thus, we discuss these two models in more depth than the other five models presented.

2.1 Random Walk

2.1.1 Overview
The Random Walk Mobility Model was first described mathematically by Einstein in 1926 [29]. Since many entities in nature move in extremely unpredictable ways, the Random Walk Mobility Model was developed to mimic this erratic movement [9]. In this mobility model, an MN moves from its current location to a new location by randomly choosing a direction and speed in which to travel. The new speed and direction are both chosen from pre-defined ranges, [speedmin, speedmax] and [0, 2π] respectively. Each movement in the Random Walk Mobility Model occurs in either a constant time interval t or a constant distance traveled d, at the end of which a new direction and speed are calculated. If an MN which moves according to this model reaches a simulation boundary, it "bounces" off the simulation border with an angle determined by the incoming direction. The MN then continues along this new path.

Many derivatives of the Random Walk Mobility Model have been developed including the 1-D, 2-D, 3-D, and d-D walks. In 1921, Polya proved that a random walk on a one or two-dimensional surface returns to the origin with complete certainty, i.e., a probability of 1.0 [32]. This characteristic ensures that the random walk represents a mobility model that tests the movements of entities around their starting points, without worry of the entities wandering away never to return.
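An added example (not the authors' implementation) of the time-interval variant just described, including the reflection at the border. The area, start position and speed range follow the paper's 2-D example; the function names, seeds and trial count are assumptions.

```python
import math
import random

START, AREA, SPEEDS = (150.0, 300.0), (300.0, 600.0), (0.0, 10.0)


def reflect(p, limit):
    """Mirror an out-of-range coordinate back into [0, limit].

    Folding each coordinate separately is a specular bounce off the
    axis-aligned borders, repeated as often as the leg crosses a border.
    """
    p %= 2 * limit
    return 2 * limit - p if p > limit else p


def random_walk(start, area, speed_range, interval, steps, rng):
    """Positions of one MN at the end of each movement interval.

    A new direction in [0, 2*pi] and a new speed in speed_range are drawn
    for every interval of `interval` seconds.
    """
    width, height = area
    x, y = start
    trace = [(x, y)]
    for _ in range(steps):
        direction = rng.uniform(0.0, 2.0 * math.pi)
        speed = rng.uniform(*speed_range)
        x = reflect(x + speed * interval * math.cos(direction), width)
        y = reflect(y + speed * interval * math.sin(direction), height)
        trace.append((x, y))
    return trace


def seeded_walk(interval, steps, seed=1):
    """Reproducible walk with the paper's example parameters."""
    return random_walk(START, AREA, SPEEDS, interval, steps,
                       random.Random(seed))


def mean_final_distance(interval, total_time, trials=200, seed=1):
    """Average distance from the start after total_time seconds of walking."""
    rng = random.Random(seed)
    steps = int(total_time / interval)
    total = 0.0
    for _ in range(trials):
        x, y = random_walk(START, AREA, SPEEDS, interval, steps, rng)[-1]
        total += math.hypot(x - START[0], y - START[1])
    return total / trials


if __name__ == "__main__":
    # Same 60 s of movement, split into 1 s legs versus one 60 s leg.
    print("1 s interval :", round(mean_final_distance(1.0, 60.0), 1), "m")
    print("60 s interval:", round(mean_final_distance(60.0, 60.0), 1), "m")
```

Over the same 60 seconds, the walk that redraws its direction every second ends much closer to its start than the one that keeps a single heading.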

The 2-D Random Walk Mobility Model is of special interest, since the Earth's surface is modeled using a 2-D representation. Figure 1 shows an example of the movement observed from this 2-D model. The MN begins its movement in the center of the 300m x 600m simulation area or position (150, 300). At each point, the MN randomly chooses a direction between 0 and 2π and a speed between 0 and 10 m/s. The MN is allowed to travel for 60 seconds before changing direction and speed.

In the Random Walk Mobility Model, an MN may change direction after traveling a specified distance instead of a specified time. We illustrate this variation of the model in Figure 2. In this example, the MN travels for a total of 10 steps (instead of 60 seconds) before changing its direction and speed. Unlike Figure 1, each movement of the MN in Figure 2 is the exact same distance.

The Random Walk Mobility Model is a widely used mobility model (e.g. [1, 10, 26, 33]), which is sometimes referred to as Brownian Motion. In its use the model is sometimes simplified. For example, [2] simplified the Random Walk Mobility Model by assigning the same speed to every MN in the simulation.

2.1.2 Discussion
The Random Walk Mobility Model is a memoryless mobility pattern because it retains no knowledge concerning its past locations and speed values [19]. The current speed and direction of an MN is independent of its past speed and direction [13]. This characteristic can generate unrealistic movements such as sudden stops and sharp turns (see Figure 1). (Other models, such as the Gauss-Markov Mobility Model, which we discuss in Section 2.5, can fix this discrepancy.)

Figure 1: Traveling pattern of an MN using the 2-D Random Walk Mobility Model (time).

Figure 2: Traveling pattern of an MN using the 2-D Random Walk Mobility Model (distance).

Figure 3: Traveling pattern of an MN using the Random Waypoint Mobility Model.

If the specified time (or specified distance) an MN moves in the Random Walk Mobility Model is short, then the movement pattern is a random roaming pattern restricted to a small portion of the simulation area. Some simulation studies using this mobility model (e.g., [2, 10]) set the specified time to one clock tick or the specified distance to one step. Figure 2 illustrates the static nature obtained in the Random Walk Mobility Model when the MN is allowed to move 10 steps (not one) before changing direction; as shown, the MN does not roam far from its initial position. In summary, if the goal of the performance investigation is to evaluate a semi-static network, then the parameter to change an MN's direction should be given a small value. Otherwise, a larger value should be used.

2.2 Random Waypoint

2.2.1 Overview
The Random Waypoint Mobility Model includes pause times between changes in direction and/or speed [16]. An MN begins by staying in one location for a certain period of time (i.e., a pause time). Once this time expires, the MN chooses a random destination in the simulation area and a speed that is uniformly distributed between [minspeed, maxspeed]. The MN then travels toward the newly chosen destination at the selected speed. Upon arrival, the MN pauses for a specified time period before starting the process again.

Figure 3 shows an example traveling pattern of an MN using the Random Waypoint Mobility Model starting at a randomly chosen point or position (133, 180); the speed of the MN in the figure is uniformly chosen between 0 and 10 m/s. We note that the movement pattern of an MN using the Random Waypoint Mobility Model is similar to the Random Walk Mobility Model if pause time is zero and [minspeed, maxspeed] = [speedmin, speedmax].
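An added example (not the authors' implementation) of the pause, choose, travel cycle described above, sampled once per second. It also measures the share of time the MN spends in the central quarter of the area, which would be 25% for uniformly spread nodes; the positive minimum speed, the function names and the seed are assumptions.

```python
import math
import random

AREA = (300.0, 600.0)  # simulation area used in the paper's figures, metres


def random_waypoint(area, speed_range, pause, duration, rng, dt=1.0):
    """Sample one MN's position every dt seconds for duration seconds."""
    if speed_range[0] <= 0.0:
        # A leg drawn with speed 0 would never reach its destination.
        raise ValueError("minimum speed must be positive")
    width, height = area
    x, y = rng.uniform(0.0, width), rng.uniform(0.0, height)
    pause_left, dest, speed = pause, None, 0.0  # every MN starts by pausing
    samples = []
    for _ in range(int(duration / dt)):
        samples.append((x, y))
        budget = dt                      # simulated time still to spend
        while budget > 0.0:
            if pause_left > 0.0:         # waiting at a waypoint
                used = min(budget, pause_left)
                pause_left -= used
                budget -= used
                continue
            if dest is None:             # pause over: pick the next leg
                dest = (rng.uniform(0.0, width), rng.uniform(0.0, height))
                speed = rng.uniform(*speed_range)
            dist = math.hypot(dest[0] - x, dest[1] - y)
            if speed * budget >= dist:   # arrive within this tick
                x, y = dest
                budget -= dist / speed
                dest, pause_left = None, pause
            else:                        # still travelling
                frac = speed * budget / dist
                x += (dest[0] - x) * frac
                y += (dest[1] - y) * frac
                budget = 0.0
    return samples


def central_fraction(samples, area):
    """Share of samples inside the central rectangle covering 25% of the area."""
    width, height = area
    inside = sum(1 for x, y in samples
                 if 0.25 * width <= x <= 0.75 * width
                 and 0.25 * height <= y <= 0.75 * height)
    return inside / len(samples)


def simulate(pause, duration, seed=7, speed_range=(1.0, 10.0)):
    """Reproducible run on the 300 m x 600 m area."""
    return random_waypoint(AREA, speed_range, pause, duration,
                           random.Random(seed))


if __name__ == "__main__":
    run = simulate(pause=0.0, duration=100000.0)
    print("time share in central quarter:",
          round(central_fraction(run, AREA), 3))
```

The measured share is well above 0.25 because most straight legs between two random points pass through the middle of the area.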

The Random Waypoint Mobility Model is also a widely used mobility model (e.g., [4, 8, 11, 15]). In addition, the model is sometimes simplified. For example, [18] uses the Random Waypoint Mobility Model without pause times.

2.2.2 Discussion
In most of the performance investigations that use the Random Waypoint Mobility Model, the MNs are initially distributed randomly around the simulation area. This initial random distribution of MNs is not representative of the manner in which nodes distribute themselves when moving. Figure 4 illustrates the cumulative average MN neighbor percentage for MNs using the Random Waypoint Mobility Model as time progresses (speed is 1 m/s and pause time is zero).

Figure 4: Average neighbor percentage vs. time. (Axes: Simulation Time (sec), Average MN Neighbor Percentage.)

The average MN neighbor percentage is the cumulative percentage of total MNs that are a given MN's neighbor. For example, if there are 50 MNs in the network and a node has 10 neighbors, then the node's current neighbor percentage is 20%. A neighbor of an MN is a node within the MN's transmission range. As shown, there is high variability during the first 600 seconds of simulation time. This high variability in average MN neighbor percentage will produce high variability in performance results unless the simulation results are calculated from long simulation runs [3].

In the following, we present three possible solutions to avoid this initialization problem. First, save the locations of the MNs after a simulation has executed long enough to be past this initial high variability, and use this position file as the initial starting point of the MNs in all future simulations. Second, initially distribute the MNs in a manner that maps to a distribution more common to the model. For example, initially placing the MNs in a triangle distribution may distribute nodes in the Random Waypoint Mobility Model more accurately than initially placing the MNs randomly in the simulation area [5]. Lastly, discard the initial 1000 seconds of simulation time produced by the Random Waypoint Mobility Model in each simulation trial. (Discarding 1000 seconds of simulation time ensures that the initialization problem is removed even if the MNs move slowly. In other words, we can discard fewer seconds of simulation time for faster moving MNs.) Discarding the initial 1000 seconds of simulation time has an added benefit over the first solution proposed. Specifically, this simple solution ensures that each simulation has a random initial configuration.

There is also a complex relationship between node speed and pause time in the Random Waypoint Mobility Model. For example, a scenario with fast MNs and long pause times actually produces a more stable network than a scenario
with slower MNs and shorter pause times. Figure 5 gives the link breakage rate of MNs using the Random Waypoint Mobility Model as a function of pause times and speeds. The figure illustrates that long pause times (i.e., over 20 seconds) produce a stable network (i.e., few link changes per MN) even at high speeds [3]. In other words, the figure indicates that the mobile network is quite stable for all pause times over 20 seconds. (See [17] for an in-depth discussion.)

If the Random Waypoint Mobility Model is used in a performance evaluation, appropriate parameters need to be evaluated. For example, the Random Waypoint Mobility Model is used to evaluate a multicast protocol for ad hoc networks in [25]. In this performance investigation, the speed of the mobile nodes was varied between 0-1 m/s, the pause time of the mobile nodes was varied between 60-300 seconds, and each simulation executed for 300 seconds. With such slow speeds, and large pause times, the network topology hardly changes. In other words, the results presented in [25] are only valid for an ad hoc network scenario with MNs that barely move.

[Figure 5: Link breakage vs. speed vs. pause time. Axes: Speed, Pause Time, Link Changes per Node.]

2.3 Random Direction

The Random Direction Mobility Model [24] was created to overcome density waves in the average number of neighbors produced by the Random Waypoint Mobility Model. A density wave is the clustering of nodes in one part of the simulation area. In the case of the Random Waypoint Mobility Model, this clustering occurs near the center of the

simulation area. In the Random Waypoint Mobility Model, the probability of an MN choosing a new destination that is located in the center of the simulation area, or a destination which requires travel through the middle of the simulation area, is high. (This trend is illustrated in Figure 3.) Thus, the MNs appear to converge, disperse, and converge again (footnote 1). In order to alleviate this type of behavior and promote a semi-constant number of neighbors throughout the simulation, the Random Direction Mobility Model was developed [24]. In this model, MNs choose a random direction in which to travel similar to the Random Walk Mobility Model. An MN then travels to the border of the simulation area in that direction. Once the simulation boundary is reached, the MN pauses for a specified time, chooses another angular direction (between 0 and 180 degrees) and continues the process.

Figure 6 shows an example path of an MN, which begins in the center of the simulation area or position (150, 300), using the Random Direction Mobility Model. The dots in the figure illustrate when the MN has reached a border, paused, and then chosen a new direction. Since the MNs travel to, and usually pause at the border of the simulation area, the average hop count for data packets using the Random Direction Mobility Model will be much higher than the average hop count of most other mobility models (e.g., Random Waypoint Mobility Model). In addition, network partitions will be more likely with the Random Direction Mobility Model compared to other mobility models.

A slight modification to the Random Direction Mobility Model is the Modified Random Direction Mobility Model [24]. In this modified version, MNs continue to choose random directions but they are no longer forced to travel to

the simulation boundary before stopping to change direction. Instead, an MN chooses a random direction and selects a destination anywhere along that direction of travel. The MN then pauses at this destination before choosing a new random direction. This modification to the Random Direction Mobility Model produces movement patterns that could be simulated by the Random Walk Mobility Model with pause times.

Footnote 1: An autocorrelation test on the number of neighbors obtained from MNs moving with the Random Waypoint Mobility Model reveals that there is no deterministic pattern to the mobility model; thus, we question the conclusion that density waves in the average number of neighbors actually exist [20].

[Figure 6: Traveling pattern of an MN using the Random Direction Mobility Model.]

2.4 A Boundless Simulation Area

In the Boundless Simulation Area Mobility Model, a relationship between the previous direction of travel and velocity of an MN with its current direction of travel and velocity exists [12]. A velocity vector v = (v;) is used to describe an MN's velocity v as well as its direction ; the MN's position is represented as (x; y). Both the velocity vector and the position are updated at every t time steps according to the following formulas:

v(t +t) = min[max(v(t)+v; 0); Vmax];
(t +t) = (t)+;
x(t +t) = x(t)+v(t) cos(t);
y(t +t) = y(t)+v(t) sin(t);

where Vmax is the maximum velocity defined in the simulation, v is the change in velocity which is uniformly distributed between [Amax t;Amax t], Amax is the maximum acceleration of a given MN, is the change in direction which is uniformly distributed between [ t; t], and is the maximum angular change in the direction an MN is traveling.

The Boundless Simulation Area Mobility Model is also different in how the boundary of a simulation area is handled. In all the mobility models previously mentioned, MNs reflect off or stop moving once they reach a simulation boundary. In the Boundless Simulation Area Mobility Model, MNs that reach one side of the simulation area continue traveling and reappear on the opposite side of the simulation area. This technique creates a torus-shaped simulation area allowing MNs to travel unobstructed. Figure 7 illustrates this concept. The rectangular area on the left side of Figure 7 is transformed into the torus shape on the right side of Figure 7 in two steps; first we fold the simulation area so that the top border (y = Ymax) lies against the bottom border (y = 0), forming a cylinder, and then we fold the resulting cylinder so that both open circular ends connect.

Figure 8 illustrates an example path of an MN using the Boundless Simulation Area Mobility Model, where Vmax is 10 m/s, Amax is 10 m/s^2, is =2 or 90 degrees, and t

is 0.1 seconds; the MN begins in the center of the simulation area or position (150, 300) and moves for 500 seconds. The triangles in the figure illustrate when the MN reaches a boundary and the dots illustrate where the MN reappears.

of services, or even more: the node could assign more resources to certain requester nodes than to others with lesser priority (for example, clients subscribing to the premium service might be served faster than clients subscribing to the regular service).

4.5. The Sybil attack

Malicious nodes in a network may not only impersonate one node; they could assume the identity of several nodes, thereby undermining the redundancy of many routing protocols. In [7], this attack is called the Sybil attack. Since ad hoc networks depend on the communication between nodes, many systems apply redundant algorithms to ensure that the data gets from point A to point B. A consequence of this is that attackers have a harder time destroying the integrity of information. If the same packet is sent over several distinct paths (in multipath routing protocols like SMR [11]), a change in the packets incoming from one of these paths can be detected easily, so isolating a possible intruder in the network becomes possible. Also, if not the same packet but pieces of related information are sent on distinct routes, an eavesdropper might have difficulties putting together the pieces of the information puzzle. However, if a single malicious node is able to represent several other nodes, the effectiveness of these measures is significantly degraded. The attacker may get access to all pieces of the fragmented information or may alter all packets in the same transmission so that the destination node(s) cannot detect tampering anymore. In trust-based routing environments, representing multiple identities

can be abused to deliver fake recommendations about the trustworthiness of a certain party, thereby attracting more traffic to it: an ideal starting point for further attacks. [7] also describes measures to counter such attacks. Using unique symmetric keys, by which each node can verify its neighbors' identity, and limiting the number of neighbors a node can have results in the partial isolation of compromised nodes, since they can only communicate with their verified neighbors.

4.6. Rushing attack

This type of attack is mostly directed against on-demand routing protocols based on the Dynamic Source Routing protocol [13]. A malicious node will attempt to tamper with ROUTE REQUEST packets, modifying the node list, and hurrying this packet to the next node. Since in basic DSR only one RREQ packet of each route request is forwarded, the malicious node can route subsequent packets through itself if its RREQ manages to reach the next node in the route before any other neighboring nodes can. Rushing attacks can be detected by evaluating the Route Discovery.

4.7. Denial-of-Service and Flooding

In a conventional sense, denial of service attacks and their opposite counterpart, flooding, are considered attacks of their own. However, as we have seen so far, they are basically the results of most of the kinds of tampering with network integrity, redundancy and availability. As mentioned in 4.4, the sleep deprivation attack can be used to cut off a service node from the rest of the network, rendering it or its resources unavailable for access. Sinkholes are one of the major ways to initiate selective forwarding or non-forwarding of messages. By attracting all

packets to itself, a node can decide which packets to forward, if any at all. Sybil attacks can have the side effect of flooding if the source node of a packet tries to use redundant paths to send data and the malicious node follows protocol and forwards them all, since, even though it is physically only a single entity, it presents itself to the network as many. Malicious nodes can attempt to impersonate one or more nodes and control all data paths to a certain destination, thereby seriously reducing its availability. In contrast to this, they may also inject false or replicated packets into the network, or create ghost packets which loop around due to compromised routing information, effectively using up the bandwidth and CPU resources along the way. This has especially serious effects on ad hoc networks, since their nodes usually possess only limited resources in terms of battery and computational power. Traffic may also be a monetary factor, depending on the services provided, so any flooding which blows up the traffic statistics of the network or a certain node can lead to considerable damage costs.

5. Conclusion

Safety in ad hoc networks has come a long way, but its journey is not over yet. Several defense mechanisms have been invented to prevent attacks or to reduce their effects, but they create massive overhead which might be unacceptable in some types of networks. The attributes of ad hoc networks make conventional attacks even more dangerous to them than to regular networks. DoS attacks and flooding attempts may never really be fully averted, and so the emphasis has been put on making it as hard as possible to intrude into a network. As we have seen, many attacks are only possible or only effective if the malicious party is a participant of the network, so it is highly important to implement secure mechanisms to authenticate entities entering the network. 100 percent safety can

not be provided, but the aim should be to make ad hoc networks as safe as possible.

Why Ad Hoc Networks?
- Ease of deployment
- Speed of deployment
- Decreased dependence on infrastructure

What is an Ad hoc Network?
- A network without any base stations: infrastructure-less or multi-hop
- A collection of two or more devices equipped with wireless communications and networking capability
- Supports anytime and anywhere computing
- Two topologies:
  - Heterogeneous (left): differences in capabilities
  - Homogeneous or fully symmetric (right): all nodes have identical capabilities and responsibilities

[Figure labels: Homogeneous network; infrastructure network, ad-hoc network, AP, wired network. AP: Access Point]

What is an Ad hoc Network?
- Self-organizing and adaptive
- Allows spontaneous formation and deformation of mobile networks
- Each mobile host acts as a router
- Supports peer-to-peer communications
- Supports peer-to-remote communications
- Reduced administrative cost
- Ease of deployment

Ad Hoc Networks Operating Principle
- Fig. depicts a peer-to-peer multihop ad hoc network
- Mobile node A communicates directly with B (single hop) when a channel is available
- If a channel is not available, then multi-hop communication is necessary, e.g. A->D->B
- For multi-hop communication to work, the intermediate nodes should route the packet, i.e. they should act as a router
- Example: For communication between A-C, B, or D &

Traffic Characteristics
- Traffic characteristics may differ in different ad hoc networks:
  - bit rate
  - timeliness constraints
  - reliability requirements
  - unicast / multicast / geocast
  - host-based addressing / content-based addressing / capability-based addressing
- May co-exist (and co-operate) with an infrastructure-based network

Traffic Profiles
Three distinct types of traffic patterns observed in ad hoc networks:
- Peer-to-peer between two entities (Fig. a) Bursty
- Two or more devices in a group communication while moving as a group (correlated traffic) -> remote to remote communication
- Hybrid non-coherent communication among nodes -> uncorrelated traffic

Challenges in Ad hoc Mobile Networks (1)
- Host is no longer an end system - can also be an acting intermediate system
- Changing the network topology over time
- Potentially frequent network partitions
- Every node can be mobile
- Limited power capacity
- Limited wireless bandwidth
- Presence of varying channel quality

Problems of Mobility in Ad hoc
- Mobility affects signal transmission -> Affects communication
- Mobility affects channel access
- Mobility affects routing
- Mobility-induced route changes
- Mobility-induced packet losses
- Mobility affects multicasting
- Mobility affects applications

Mobility in Ad hoc Networks
- Mobility patterns may be different:
  - people sitting at an airport lounge
  - New York taxi cabs
  - kids playing
  - military movements
  - personal area network
- Mobility characteristics:
  - speed
  - predictability
  - direction of movement
  - pattern of movement
  - uniformity (or lack thereof) of mobility characteristics among different nodes
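As an added example (not code from the survey), the following sketch simulates the Random Waypoint Mobility Model discussed in section 2.2.2 above, computes the average MN neighbor percentage as defined there, and applies the third remedy by discarding a warm-up period. The function names, the one-second time step and the seed are assumptions made for the illustration.

```python
import math
import random

def random_waypoint(n, area, speed, pause, duration, seed=1):
    """Yield the list of MN positions once per simulated second."""
    rng = random.Random(seed)
    w, h = area
    pick = lambda: (rng.uniform(0, w), rng.uniform(0, h))
    pos = [pick() for _ in range(n)]      # random initial placement
    dest = [pick() for _ in range(n)]
    wait = [0] * n
    for _ in range(duration):
        for i in range(n):
            if wait[i] > 0:               # pausing at a waypoint
                wait[i] -= 1
                continue
            (x, y), (dx, dy) = pos[i], dest[i]
            dist = math.hypot(dx - x, dy - y)
            if dist <= speed:             # waypoint reached in this step
                pos[i], dest[i], wait[i] = dest[i], pick(), pause
            else:
                pos[i] = (x + speed * (dx - x) / dist,
                          y + speed * (dy - y) / dist)
        yield list(pos)

def neighbor_percentage(pos, tx_range):
    """Average share of all MNs that lie within tx_range of a given MN."""
    n = len(pos)
    links = sum(1 for i in range(n) for j in range(n)
                if i != j and math.dist(pos[i], pos[j]) <= tx_range)
    return links / (n * n)

def cumulative_average(samples):
    """Running mean, the quantity plotted over time in Figure 4."""
    total, out = 0.0, []
    for k, s in enumerate(samples, 1):
        total += s
        out.append(total / k)
    return out

def steady_state_series(n, area, speed, pause, duration, tx_range, warmup, seed=1):
    """Per-second neighbor percentage with the first `warmup` seconds discarded."""
    series = [neighbor_percentage(p, tx_range)
              for p in random_waypoint(n, area, speed, pause, duration, seed)]
    return series[warmup:]
```

Comparing `cumulative_average` over the full series with the same average over `steady_state_series` shows how much of a short run is dominated by the initial placement.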
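The countermeasure attributed to [7] in section 4.5 above, sketched as an added example that is not taken from the paper or from [7]: each node verifies a claimed neighbor identity with a unique pairwise symmetric key and caps its neighbor count. The pre-distributed key table, the HMAC-SHA-256 challenge-response, the local enforcement of the limit and all names are assumptions.

```python
import hashlib
import hmac
import os

def pairwise_keys(node_ids):
    """Constructed key pre-distribution: one unique key per pair of identities."""
    ids = sorted(node_ids)
    return {frozenset((a, b)): os.urandom(32)
            for i, a in enumerate(ids) for b in ids[i + 1:]}

def tag(key, nonce, claimed_id):
    return hmac.new(key, nonce + claimed_id.encode(), hashlib.sha256).digest()

class Node:
    def __init__(self, node_id, all_keys, max_neighbors):
        self.node_id = node_id
        # A device is provisioned only with keys that involve its own identity.
        self.keys = {pair: k for pair, k in all_keys.items() if node_id in pair}
        self.max_neighbors = max_neighbors
        self.neighbors = set()

    def prove(self, claimed_id, verifier_id, nonce):
        """Answer a challenge while claiming to be `claimed_id`."""
        key = self.keys.get(frozenset((claimed_id, verifier_id)))
        if key is None:            # no key for that pair: it can only guess
            key = os.urandom(32)
        return tag(key, nonce, claimed_id)

    def admit(self, claimed_id, device):
        """Challenge `device`, which claims `claimed_id`; True if accepted."""
        if claimed_id not in self.neighbors and len(self.neighbors) >= self.max_neighbors:
            return False           # neighbor limit reached
        key = self.keys.get(frozenset((claimed_id, self.node_id)))
        if key is None:
            return False           # identity unknown to this verifier
        nonce = os.urandom(16)     # fresh challenge, so old answers cannot be replayed
        answer = device.prove(claimed_id, self.node_id, nonce)
        if not hmac.compare_digest(tag(key, nonce, claimed_id), answer):
            return False
        self.neighbors.add(claimed_id)
        return True

def sybil_demo():
    # Constructed scenario: n1 verifies, the device provisioned as n2 is compromised.
    keys = pairwise_keys(["n1", "n2", "n3", "n4", "n5"])
    verifier = Node("n1", keys, max_neighbors=2)
    compromised = Node("n2", keys, max_neighbors=2)
    honest_n3, honest_n4 = Node("n3", keys, 2), Node("n4", keys, 2)
    return [
        verifier.admit("n2", compromised),   # its real identity
        verifier.admit("n3", compromised),   # an extra identity it claims
        verifier.admit("n3", honest_n3),     # the real n3
        verifier.admit("n4", honest_n4),     # honest, but over the limit
    ]
```

The compromised device keeps the one identity it holds keys for, which matches the "partial isolation" the text describes: it is confined to its verified neighbors rather than removed.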
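The first-copy-wins behaviour that section 4.6 above describes, as an added example that is not part of the original text: a toy flood of one ROUTE REQUEST over a constructed six-node topology, run once with ordinary forwarding delays and once with node M forwarding without delay. The topology, the delay values and the `longer_copy_won` heuristic (one possible way to evaluate a Route Discovery) are assumptions.

```python
import heapq

# Constructed topology: S reaches D either via A-B or via C-M-B.
LINKS = {"S": ["A", "C"], "A": ["S", "B"], "C": ["S", "M"],
         "M": ["C", "B"], "B": ["A", "M", "D"], "D": ["B"]}
HONEST = {"S": 1, "A": 10, "C": 4, "M": 8, "B": 10, "D": 0}   # forwarding delay, ms
RUSHED = dict(HONEST, M=0)                                     # M forwards at once

def flood_rreq(links, fwd_delay_ms, src, dst):
    """Flood one ROUTE REQUEST from src.

    Each node forwards only the first copy it hears (basic DSR duplicate
    suppression) and logs every copy, forwarded or dropped.
    Returns (route, log) with log[node] = [(arrival_ms, node_list), ...].
    """
    queue = [(0.0, 0, [src])]          # (arrival time, tie-breaker, node list)
    log, route, tie = {}, None, 0
    while queue:
        t, _, path = heapq.heappop(queue)
        node = path[-1]
        log.setdefault(node, []).append((t, path))
        if len(log[node]) > 1:
            continue                   # duplicate: logged but not forwarded
        if node == dst:
            route = path               # the first copy to arrive fixes the route
            continue
        for nxt in links[node]:
            if nxt not in path:
                tie += 1
                heapq.heappush(queue, (t + fwd_delay_ms[node], tie, path + [nxt]))
    return route, log

def longer_copy_won(log):
    """Nodes where the forwarded copy lists more hops than a copy it dropped."""
    flagged = {}
    for node, copies in log.items():
        t0, first = copies[0]
        for t, path in copies[1:]:
            if len(path) < len(first):
                flagged[node] = {"forwarded": first, "dropped": path,
                                 "lead_ms": t - t0}
    return flagged
```

A longer node list arriving first is only a signal, since honest links also differ in delay; it marks where a Route Discovery deserves a closer look.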
