Professional Documents
Culture Documents
in Mobile Ad Hoc
Networks
1
neighborhood of the remote location. The tunnel- The contributions of this paper are:
ing procedure forms a wormhole. It is conducted A classification of the wormholes is pro-
by collusive attackers. If a fast transmission path posed. We divide the attacks into three
(e.g. a dedicated channel shared by attackers) ex- groups (closed, half open, and open) accord-
ists between the two ends of the wormhole, the ing to the format of the tunnel and attacker’s
tunneled packets can propagate faster than those capability. The classification establishes a
through a normal multi-hop route. This forms the basis on which the detection capability of
“rushing attack” studied by Hu et al [14]. the approaches can be identified.
Wormhole attacks put severe threats to both ad We propose an end-to-end mechanism that
hoc routing protocols and some security enhance- can detect closed, half open, and open
ments. In many routing protocols, mobile nodes wormholes in ad hoc networks. Considering
depend on the neighbor discovery procedure to the limited resources available to a mobile
construct the local network topology. If the at- node, we design COTA to manage the in-
tackers tunnel the neighbor discovery beacons formation. The communication overhead in-
through wormholes, the good nodes will get false troduced by the proposed mechanism is also
information about their neighbors. This may studied.
lead to the choice of a non-existent route. Zero- Simulation is conducted to evaluate the
interaction authentication (ZIA) [15] is designed overhead, detection capability, and accu-
to protect the data on mobile devices from the il- racy of the proposed mechanism. Exper-
legal access. The files are decrypted only when iments on off-the-shelf mobile devices are
an authentication token that is worn by the user conducted to examine the practicability of
can directly communicate to the device through a this method in real world.
short-range wireless channel. If a wormhole ex-
ists between the token and the device, the data The remainder of this paper is organized as fol-
may be disclosed. lows: Section II describes the wormhole attacks
Some efforts have been put on this problem and their impacts on ad hoc network security. The
and encouraging results have been collected [16– classification is given out. In section III, we re-
18]. However, the classification in section II view the previous work. Section IV presents and
shows that the previous research focuses on the justifies our assumptions. Section V describes the
detection of closed wormholes. Half open and end-to-end mechanism and COTA in detail. The
open wormholes, whose detection requires infor- problems such as detection capability and param-
mation exchanges beyond direct neighbors, have eter determination are studied. Section VI stud-
not been studied. In this paper, we propose an ies the frequency to conduct wormhole detection
end-to-end mechanism that can detect wormholes and the method to control communication over-
along a multi-hop path on which the interme- head. Section VII investigates the robustness of
diate nodes do not necessarily trust each other. the proposed mechanism. Section VIII presents
The mechanism combines authentication with lo- the simulation results. Section IX discusses the
cation information. To prevent the destination future work and section X concludes the paper.
node from being overwhelmed by the computa-
tion and storage overhead, a scheme called Cell- II. Problem Statement
based Open Tunnel Avoidance (COTA) is intro-
duced to manage the position records. COTA en- In a wormhole attack, if the malicious nodes have
ables a node to pre-determine the resources that it a dedicated channel, the tunneling procedure can
wants to consume on wormhole detection. It re- be conducted in real time. Since the packets are
duces the overhead without hurting the detection resent in the exactly same way, encryption or
capability. The frequency to conduct the detec- authentication alone cannot prevent the attacks.
tion is also studied to examine the communica- Other nodes cannot tell whether the packets are
tion overhead. The proposed mechanism can be from the real originator or from the resender. A
combined with existent ad hoc routing protocols. group of collusive attackers can form a wormhole
2
that has as many ends as the number of malicious
nodes.
S { M1 A B M2 } D
Wormhole attacks put severe threats to ad hoc
(a) Closed wormhole
routing protocols. In the protocols that use dis-
tance vector technique, such as Ad hoc On-
demand Distance Vector protocol (AODV) [19]
and Destination-Sequenced Distance Vector pro- S M1 {A B M2 } D
tocol (DSDV) [20], the hop count of a path af- (b) Half open wormhole
fects the choice of routes. A pair of attackers
can form a long tunnel and fabricate the false sce-
nario that a short path exists between the source S M1 {A B} M2 D
and the destination. The fake path will attract (c) Open wormhole
the data traffic. As soon as the packets are ab-
sorbed to the wormhole, the attackers can either False route Physical link { } Wormhole
ing using Clusters (ARC) [23]. They may con- and to represent the good nodes as source
fuse the clustering procedure and lead to a wrong and destination, and , , . as the good nodes
on the route.
topology. If a wormhole controls the link be-
tween two clusterheads or a link close to the root
of the routing hierarchy, it can partition the net-
The nodes between the curly-braces (“ ”) are
those on the path but invisible to and be-
work. cause they are in a wormhole. We borrow the
The safety and effectiveness of some security words “closed” and “open” from the definition
enhancements for ad hoc networks would be im- of an interval, where “closed” means “start from
proved if wormholes can be defended. The exam- and include”, and “open” means “start from but
ple on ZIA has been shown in section I. Another not include”. In Figure 1-(a), and tunnel
example shows the impacts of such attacks on the the neighbor discovery beacons from to , and
distributed monitoring of node misbehaviours. In vice versa, so and think that they are direct
AODV-S [3], the neighbors collaboratively au- neighbors. Both and
are in the worm-
thorize a token to the node before it joins the net- hole. In Figure 1-(b),
is a neighbor of and
work activities. If a wormhole exists beside the it tunnels its beacons through
to . Only one
misbehaved node, the attackers can selectively
tunnel the good-looking packets to the remote
malicious node is visible to and . In an open
wormhole, both attackers are visible to and ,
side. The good nodes at the remote side moni- as shown in Figure 1-(c).
tor all these packets and can not detect any secu- The previous research focuses on the preven-
rity violations. The new token will be authorized. tion of closed wormholes. The mechanisms that
This may conflict with the conclusion drawn by only examine direct neighbors cannot guarantee
the real neighbors. We can settle this embarrass-
ment through preventing wormholes. ple, and
, and and
the detection of the other two types. For exam-
are real neighbors
The classification of such attacks will facilitate in Figure 1-(c). This does not impact the estab-
the design of detection methods. According to
whether the attackers are visible on the route, we
lishment of an open wormhole between
. Therefore, an end-to-end mechanism must
and
classify the wormholes into three types: closed, be designed to defend against the half open and
half open, and open. The examples that include open wormholes.
two malicious nodes are shown in Figure 1. For Wormhole detection needs to be conducted
when a neighbor relation or a route is first estab-
3
lished. Besides, it must be conducted repeatedly received signals from each other and a witness.
during the lifetime of the neighbor relation or the Only when the directions of both pairs match, the
route because the nodes are moving and worm- neighbor relation is confirmed.
holes can be formed dynamically. The detection Another potential solution is to integrate the
frequency impacts the overhead and the detection prevention methods into Intrusion Detection Sys-
accuracy. This problem is studied in section VI. tems. The traffic monitoring module of IDS will
find that the ends of wormholes act as packet
sinks: many data packets which are not destined
III. State of Art
to them will lose their tracks at these nodes. The
joint response generated by the neighbors of the
The wormhole attackers encapsulate the received malicious node will expose the anomalous traffic
packets into their packets and tunnel them to an- pattern.
other location. Ironically, this technique was first
Some mechanisms proposed to locate the po-
introduced to overcome some difficulties in net-
sition of a mobile node in an indoor environ-
working. IP-tunnel is used in Mobile IP to trans-
ment [32–34] can be applied to prevent worm-
fer packets from home agents to remote agents
holes. For example, both the original packet and
[24]. In Virtual Private Networks (VPN), the
the resent one will be captured by the location
tunnels are used to connect two LANs, allowing
sensors and two conflicting positions of the same
them to share data, but keeping them behind the
node will be detected. Either the good nodes or
firewalls [25]. IP-tunnels are also used in Multi-
a centralized controller will discover this anoma-
Protocol Label Switch (MPLS) [26].
lous result. However, it will not be easy to port
Wormhole attacks threaten the safety of Inter- such methods to outdoor environments.
net routing protocols such as RIP2 [27]. But
One approach to detect closed wormholes
the attacker needs to have a total control on a
router, which is not easy to achieve. Furthermore,
without clock synchronization is proposed by
Capkun in [17]. Every node is assumed
through using static routes, such attacks can be
to be equipped with a special hardware that can
prevented. Because of the dynamic membership
respond to a one-bit challenge without any de-
and frequent topology changes, a node in ad hoc
lay. The challenger measures the round trip time
networks does not have this luxury.
of the signal with an accurate clock to calculate
Wormhole attacks on mobile ad hoc networks the distance between the nodes. The probabil-
were independently discovered by Dahill et al ity that an attacker can guess all bits correctly
[28], Hass et al [29], and Hu et al [16]. To de- decreases exponentially as the number of chal-
fend against them, some efforts have been put lenges increases.
on hardware design and signal processing tech-
Another approach to detect closed wormholes
niques. If the data bits are transferred in some
is packet leash, which was proposed by Hu, Per-
special modulating method known only to the
rig and Johnson [16]. The leash is the informa-
neighbor nodes, they are resistant to the closed
tion added into a packet to restrict its transmis-
wormholes. Another approach, RF watermark-
sion distance. In the geographical leashes, the
ing, works in the similar way. It modulates the ra-
location information and loosely synchronized
dio waveform in a specific pattern to accomplish
clocks together verify the neighbor relation. In
authentication. Both mechanisms will be com-
temporal leashes, the packet transmission dis-
promised if the malicious nodes can accurately
tance is calculated as the product of signal prop-
capture the signal patterns. Neither of them can
agation time and the speed of light. Both mecha-
prevent half open or open wormholes.
nisms use lightweight hash chains to authenticate
The adoption of directional antenna [30, 31] the nodes [7]. The Message Authentication Code
by mobile devices can raise the security levels. (MAC) can be calculated in real time.
A solution that uses such equipments to defend
One advantage of packet leashes is the low
against closed wormholes has been presented in
computation overhead. Similar to geographical
[18]. The nodes examine the directions of the
4
leashes, the end-to-end mechanism proposed in In certain environments, using the distance be-
this paper assumes the knowledge of location in- tween two nodes to verify the neighbor relation
formation and loosely synchronized clocks. It cannot guarantee the detection. For example,
can be deployed in the environments where ge- even if an obstacle (e.g. a building) exists be-
ographical leashes can be used to detect closed, tween two nodes and blocks all signals, a posi-
half open, and open wormholes. tion based mechanism may still consider them as
neighbors. To detect such conditions, the nodes
IV. Assumptions and Notations need a more accurate signal propagation model in
that environment. It is able to determine whether
IV.A. Network assumptions the two nodes can actually communicate to each
other when the positions are given. In this paper,
We assume that the links among nodes are bidi- we assume that any two nodes having a distance
rectional. Two neighbor nodes can always send shorter than can communicate to each other.
packets to each other. This assumption will hold Each node has a clock, and we assume that the
under most conditions in the real environment. clocks are loosely synchronized with the maxi-
Many medium access control protocols [35, 36] mum relative error . By this we mean that the
are also based on this assumption. difference between the clocks of any two nodes is
The security threats to mobile ad hoc networks smaller than if we sample the time at the same
come from all layers. The malicious node can moment.
jam the physical layer. There have been ap- The mobile nodes have limited computation
proaches using spread spectrum [37] to provide resources. But they can accomplish the opera-
resistance to such attacks. There are also Deny of tions required by the security mechanisms, such
Service (DoS) attacks on the medium access con- as the calculation and verification of digital sig-
trol layer [38]. For example, if a malicious node natures, encryption using symmetric keys, and
keeps sending noises and causes collisions, the calculation of the MAC code.
communication within the neighborhood will be We do not assume that a node can control the
paralyzed. The fairness control mechanisms such longest buffering time of a packet before it is for-
as time division multiple access [39] can avoid warded. We do not assume trusted hardware such
one attacker eating up all available bandwidth. In as tamper-proof wireless cards. They may restrict
this paper we will not discuss solutions to those the deployment of the proposed mechanism.
attacks.
The network itself acts in Byzantine manners
[40]. It may drop or corrupt packets. The packets IV.B.1. Assumption justification
can be duplicated or forwarded out of order.
A lot of research in ad hoc networks has been
conducted based on the position awareness as-
IV.B. Node assumptions
sumption. They cover from routing [42–44], en-
A node can locate its geographic position. There ergy consumption [45, 46], to location based ser-
have been off-the-shelf devices, such as Global vices [47, 48]. Some work has been conducted
Positioning System (GPS) [41], that can provide based on loose synchronization assumption, such
accurate positioning service. The accuracy of po- as geographical leashes [16], Secure Tracking
sition information will affect the detection capa- of Node Encounters (SECTOR) [17], Ariadne
bility of the proposed mechanism. For example, [6], and Light-weight Hop-by-hop Authentica-
if the direct communication range among neigh- tion Protocol (LHAP) [49]. In this part, we jus-
bors is and the maximum error of the distance tify our assumptions based on the available tech-
between two locations is , they introduce a rel- niques and application scenarios.
ative error up to . The mechanisms such as Location-based services using GPS are ready
GPS can locate the position with the accuracy of to launch with the progresses that reduce ex-
15 feet. pense, size, weight, and power consumption of
5
such devices. Motorola has unveiled one kind of tiple users to share a group key, it will put threats
GPS chip set whose unit cost is about $10 [50]. It to the whole scheme if one node is compromised
is cheap and small enough to fit in PDAs and cell [61].
phones. Sprint PCS alone has sold over 8.8 mil- If digital signatures are used, we only need
lion GPS-enabled handsets by March, 2003 [51]. to set up keys. The method supports the au-
The positioning device is becoming a common thentication of multicast traffic and has the non-
part of the wireless node for both military and repudiation property. But the computation of a
civilian usage. digital signature can be three orders of magni-
A lot of efforts have been put on clock syn- tude slower than that of the symmetric mecha-
chronization in ad hoc and sensor networks. nisms [62]. With the emergence of high speed
There have been solutions based on LORAN- signature algorithms [63, 64] and more powerful
C [52], WWVB [53], Reference Broadcast [54], portable processors, computing digital signatures
TINY/MINI-SYNC [55], Tree-based solution will cause less overhead on the mobile nodes.
[56], and GPS [57]. A good survey can be found With the assumption of loosely synchronized
in [56]. In this paper we only assume loosely clocks, if the end-to-end delay can be accurately
synchronized clocks among nodes, for example,
. If every node is equipped with
predicted, a variant of TESLA can be applied to
accomplish authentication. We only need to set
GPS, its clock is accurate enough to satisfy this up keys and the nodes do not have to do the ex-
requirement. The mobile nodes do not need ex- pensive computations. The disadvantage is that
tra hardware or a complex protocol to get more the packets may not be authenticated immedi-
accurate time. ately. The receiver needs to temporarily buffer
The security of GPS has been studied for the packet until the key is disclosed. This may
some time. Solutions for anti-jamming and anti- require more storage space.
spoofing civilian GPS signals have been pro- To set up the keys, either centralized mecha-
posed in [58–60]. Here we do not present the nisms, such as a key distribution center or a Pub-
details. GPS signals can be weak or biased in lic Key Infrastructure (PKI), or a pre-load method
an indoor environment. But as discussed in sec- during initialization, can be applied. A survey
tion III, a more accurate positioning scheme in of key establishment in mobile networks can be
such an environment can be implemented to de- found in [65]. Another solution proposed in [66]
fend against wormholes. applies a PGP-like mechanism to distribute the
keys.
IV.C. Key setup
same and both represent the secret key between nism has two special features:
node and node . represents the First, every intermediate node will attach its
MAC code computed over message with key
timestamps and positions to the detection pack-
. If digital signatures are applied, ets, but all examining operations are conducted
represents the signature of over message . by the destination node. In this way it can detect
All nodes that have the public key can verify the the conflicting information sent by the attacker to
signature. different neighbors. However, a scheme must be
Every node can locate its geographic position. designed to prevent the destination node from be-
The position of node is
. The maximum ing overwhelmed by the overhead.
error of the distance between two positions is Second, cross packet examination must be
. If node and node read their positions adopted by the end-to-end mechanism. Exam-
at the same time, the real distance between them ining the packets independently can miss some
. The clocks are loosely
wormholes. For example, in the half open worm-
synchronized. The difference between the clocks hole shown in Figure 1-(b), can declare that
of any two nodes is smaller than . We also as-
sume that is the upper bound of the velocity of
it receives a packet at the position of
wards it at the position of
and for-
. As long as the
node movement. distance
and the declared buffering time
satisfy !#", examining the single
packet cannot find any anomaly.
V. Detecting Wormhole Attacks
In the cross packet examination, if a node de-
clares its position $
at its clock time , and %
V.A. Basic end-to-end mechanism
&
at its clock time , the destination can estimate
Design goals its average moving speed and examines whether
it is lying. If
In the end-to-end wormhole detection mecha-
' ()*
/
nism, we only assume that the source and the des-
tination of a route trust each other. This assump- + ,-*.
(1)
tion holds under most conditions. If on-demand
routing protocols are used, the source and the the node lies about its positions and there is a
destination can negotiate the parameters such as wormhole on the path.
the frequency to send wormhole detection pack- Delivery of detection packets
ets through the routing request and reply. If geo-
We assume that the pairwise keys have been
graphical routing protocols are used, the destina-
deployed. Every node on the path has a secret
tion can pre-determine the parameters and sub- key 021 with the destination . knows the
mits them to the location servers. The source will path length in hops and the identity of every node
get them when acquiring the position of the des- along the path. This can be achieved through the
tination. routing protocols such as DSR [1] or the explicit
As shown in section II, wormholes need to be attachment of node identify to the routing pack-
examined repeatedly during the route’s lifetime. ets.
The detection information can be attached to the When a wormhole detection packet is sent
routing packets or the data packets. If the fre-
quency of data packets is too low, wormhole de-
from the source, it contains seven fields: source
address , destination address , the message
tection packets can be sent separately. For multi- , a sequence number for this route, the lo-
ple applications that use the same route, only one cal time &354 6 798
when the packet is sent, the po-
354 6 798
:;<.= > > ?> > &354 6 798 > 3@4A6 798
group of detection packets need to be sent. No sition at that time, and the MAC code
detection is required for a route if it is no longer . can
in use. be a routing packet, a data packet, or void if the
Compared to the mechanisms that only de- detection packet is sent separately. Every time af-
7
S: hS = MAC KSD (S, D, M, id, ( t Ssend , P Ssend ))
are calculated correctly. (b) The neighbor nodes
S −> A: (S, D, M, id, (tSsend , PSsend ), h S )
are within the direct communication range when
A: hA= MAC KAD (Received packet, (t Arecv , P Arecv ), (t Asend , P Asend )) the packet is passed. (c) The average moving
A −> B: (Received packet, (tArecv , PArecv ), (t Asend , PAsend), h A ) speed of a node between it receives and forwards
B: h B = MAC KBD (Received packet , (t Brecv , P Brecv), (t Bsend, P Bsend ))
the packet does not exceed . (d) The sending
B −> D: (Received packet, (tBrecv , PBrecv), (t Bsend , PBsend ), h B) and receiving time of the same transmission sat-
isfy equation 3. (e) The new time, position pair
and the previous pairs of the same node do not
Figure 2: The delivery of a wormhole detection
conflict as shown in equation 1.
packet in the end-to-end mechanism.
Items (a), (b), (c) and (d) focus on a single
packet. The MAC codes guarantee the authen-
ter sending a detection packet for this route, the
ticity and integrity of the time, position pairs.
source increases by 1. Examining the received
Since the MAC codes cover the whole packet
s, can find out how many detection packets
(including the information attached by previous
have been dropped.
When an intermediate node forwards the nodes), it is very difficult for the attacker to
record a part of the packet and conduct resend
, 6 > > 6
packet, it attaches two time, position pairs: attacks. If the attacker resends the whole packet,
when it receives the packet, and it is the same as the duplicate packet generated
,24 6 798 4 6A7 8
when it forwards the packet.
Then it attaches :
, where 5= in-
by the network. Item (b) will detect the closed
wormholes on the route.
cludes both the received packet and the two at-
Item (e) implements the cross packet exami-
tached pairs. Figure 2 shows an example of the
nation. Through calculating the average mov-
delivery procedure.
ing speed of the intermediate nodes using their
Two potential problems exist in the proposed current and previous time, position records,
mechanism. First, how can a node get the accu- the destination node monitors their movements.
rate sending time and calculate it into the MAC Items (c), (d) and (e) together prevent the mali-
code? Second, how does the signal propagation cious node from cheating the wormhole detection
time affect the detection? For the first problem, mechanism by declaring fake positions.
the end-to-end mechanism has a weaker require-
The wormhole detection packets may get lost
ment on the accuracy of the sending timestamp
because of the unreliable network. They can also
than packet leashes. So we can adopt either of
be intentionally dropped or corrupted by the ma-
the two approaches [16] for temporal leashes.
licious nodes. Using the sequence number, the
For the second problem, taking the signal prop- destination node can monitor how many detec-
agation time into account, we have the fol- tion packets have been lost. If a wormhole is de-
lowing equation for the sending time at this +4A6 798 tected, or consecutive detection packets are all
node and the receiving time at the next hop: 6 lost, the destination node will broadcast a mes-
* 6 &4A6 7 8-* (2)
sage which notifies the source to abort the current
route and activate the reinitiation. The relation
If the direct communication range between between the value of and the position informa-
neighbors is known, we can estimate tion density is discussed in section VI. The same
. The sending time and the receiving time of condition will happen if a route becomes expired
the same transmission always satisfy: and no more detection packets are sent. Under
this condition, the source will ignore the broad-
6 &4 6 798- (3) cast message.
Compared to previous approaches, the end-
to-end mechanism does not let the intermedi-
Detection operations at the destination
When
receives a detection packet, it will
ate nodes verify the neighbor relations by them-
selves. On the contrary, all examinations are con-
check the following items: (a) All MAC codes
8
ducted by the destination. The proposed mech- covers more than 500 years), an eight-byte posi-
anism can detect closed wormholes because the
good nodes at different ends of the tunnels will tion within
tion (on the surface of the Earth, it locates a posi-
), and an eight-byte MAC code,
not lie about their positions. For half open and every intermediate node will attach 40 bytes to
open wormholes, if the malicious nodes send the packet. If the maximum transmission unit
their real positions in the detection packets, the (MTU) is 1,500 bytes and is 1,000 bytes,
fake neighbor connections will be discovered be- twelve nodes can attach their information.
cause they are longer than the direct communi- In this way the byte overhead will increase fast
cation range. To avoid being detected, a smart to the path length. It does not scale well to long
attacker can buffer the packets and declare that it routes. To control the byte overhead, the desti-
moves to the other end of the wormhole and for- nation node can choose a part of the intermediate
wards the data. This attack can be prevented by nodes to attach their information. It changes the
introducing packet lifetime into the network. It selected nodes to guarantee that everyone is ex-
will restrict the longest moving distance of a node amined. If consecutive nodes on the route are
during the delivery of a single packet so that the chosen, it is the same as an end-to-end detection
length of the tunnel will be limited. It will also on these nodes. More details of this method and
guarantee the position information density of the its impact on the detection capability are studied
intermediate nodes as shown in section VI. in section VI. The packet overhead is determined
Restricted by the positioning and clock syn- by the frequency to send the detection packets.
chronization errors, the end-to-end mechanism This question is also studied in section VI.
could introduce false alarms into the system. For All examining operations are conducted by the
example, the attacker will be able to tunnel the
packets beyond without being detected if the
destination node. We assume that the path length
destination considers the positioning error when
is , and packets carrying the detection infor-
mation arrive at the destination. It needs
calculating the distance between two points. On
the contrary, if the destination ignores the error,
operations to examine a single packet. For ev-
ery intermediate node, there will be
time,
some connections having a distance close to position pairs. If the cross packet examination
will be wrongly accused as wormholes. With the
progresses in the positioning and synchronization ery two pairs, there will be
calculates the average moving speed between ev-
operations for
techniques, the error rate will become smaller.
.
each node. So the total computation overhead for
the packets will be
V.B. Overhead of basic end-to-end mech-
anism store
For the same reason, the destination needs to
time, position pairs for every interme-
Since the mobile devices have limited resources,
.
diate node. The required storage space will be
the end-to-end mechanism, as a security enhance- entry in the computation overhead and
ment, must consider the communication, compu- Theentry in the storage space put challenges to the
tation, and storage overhead.
mobile nodes with limited resources. For exam-
Every intermediate node attaches two time,
ple, if a route is ten-hop long and 1,800 worm-
position pairs and a MAC code to each detec-
hole detection packets are received, the destina-
tion packet. If pairwise keys are used, it has been
tion needs to store 36K time, position pairs
shown in [16] that a PDA can accomplish 220K
(about 580 Kbytes), and conducts 65M opera-
times MAC code calculation in one second. So
tions. As the number of routes increases, the node
there is not much computation overhead at the in-
cannot afford the required resources. In the next
termediate nodes. And they do not need to store
any information.
that requires
space and compu-
section, we propose a mechanism called COTA
.
The communication overhead includes byte tation overhead (where .
and are constant),
overhead and packet overhead. If we use an
eight-byte timestamp (if the time unit is , it
but having the same wormhole detection capabil-
9
X
ity as the end-to-end mechanism.
Cell 5
Cell 1
COTA avoids to record and compare all time, (4.18, P3)
position pairs. It divides the whole area into Cell 7
r
Cell 3
time, position pair of a node arrives, the des- Null (6.18, P4n)
to the same node are not compared. In section Expire time Cell 1
Expire time
Cell 37
Expire time
Cell Kn
Expire time
V.D we prove that after adding an offset to equa-
tion 1, COTA has the same detection capability (b) Data structure organization
and it falls into cell 4. There is no record of node it can detect all wormholes that can be detected
in cell 4 in the slot 4.1 – 4.2 second. So the new by the end-to-end mechanism. In equation 5, is
entry will be recorded by the destination. Then the maximum error of the distance, is the radius
will select the record of node from each cell
of cells, is the highest speed of nodes, is the
that has the shortest time difference from the new length of a time slot, and is the clock error.
timestamp and calculates the average speed. In
+ > ' , >
this case, they will be (3.26, ) in cell 3 and Proof 1 : We assume that we have two pairs,
7
(6.18, ) in cell 4. and , of the same node that show
the anomaly
COTA only stores and compares a part of the
time, position records to reduce the storage and ' ()*
computation overhead. There are two questions
that we have to ask: (1) can COTA detect all
+ ,-*.
(6)
/
+ >> '
anomalies that the end-to-end mechanism can de- And without losing generality, we assume that
is received by the destination first. When
tect? (2) how much space and computation do we
save? We discuss the answers in the next two sec- , arrives, there are two possible condi-
+ > '
tions. tions:
is recorded by COTA.
>
Condition I:
+
V.D. Detection capability of COTA >If is selected to be compared with
,)* + ,-*
speed between every two pairs using equation 4.
The speed between pair two and four is faster
than , but the speed between any other two pairs (@ ' ()*
(7)
is not. If we record and compare all pairs, we will
find the anomaly and detect the wormhole. How-
Combining equation 6 and 7, we must have
* ( ) ;
/
ever, if COTA is applied and pair one and three
arrive first, they will be recorded. Later when pair ,-*. (8)
/ (10)
We define
as the
holes that the end-to-end mechanism can detect.
of COTA.
COTA.
Now let us consider the required storage space
An optimistic node can use COTA as in equation and computation operations of COTA. We as-
4. It will allow all neighbors that are within the sume that the packet lifetime is . The des- %6
direct communication range to exchange packets. tination node only needs to record the time,
a packet as far as
beyond the range. A
But in some cases, a real attacker is able to tunnel
position pairs that were sent in the past
During this period, the possible position of a
. %69
more conservative node can use the format shown good node must be within a circle with the di-
in equation 5. It will guarantee the detection ca- ameter
%6'
(use the position when
pability, but in some cases it will introduce false %6
as the center, and as %6
positive alarms. The impact of false alarms will the radius). If there are no wormholes, the num-
be studied through simulation in section VIII. ber of cells that have active records for the node
is at most
A %6
V.E. Parameter determination
(14)
There are three parameters in COTA: packet life-
time, cell size, and time slot length. The choices In each cell, at most %6'
records
of the parameters impact not only the detection are stored. So the total number of records stored
capability of COTA, but also the storage and by the destination for one node is at most
computation overhead. We now discuss them
% 6
%6
separately.
The choice of packet lifetime is directly related
6
to the end-to-end delay in ad hoc networks. Esti-
(15)
mating this delay accurately is a difficult prob-
lem because it is affected by traffic load, path
length, movement model, network size, and other store at most
If the path length is , the destination needs to
"
records for one
features. There have been theoretical analyses route.
of this problem in simplified network scenarios When a new record arrives, the destination will
[67–70]. The results provide valuable guidelines select from each cell a record of that node to com-
12
pare with it. There are at most 6 25000
2r + vT = 20 2r + vT = 50
2r + vT = 30
records in each cell for the node. If a linear search
A
15000
5000
60m 36 K 65 M 0.70 K 2.49 M
viewed as the curve of computation overhead.
70m 36 K 65 M 0.43 K 1.57 M
We assume that , where is a
13
V.F. Data structure maintenance The maintenance of the data structure will in-
crease the space requirement within a limited
range. If all pointers are four-byte and times-
COTA uses a complex data structure. If it cannot tamps are eight-byte, the required space will in-
be efficiently maintained, the overhead caused by crease less than 10%. Resetting the available
the insertion/deletion of records and the collec- bits and moving the array headers can be accom-
tion of unused space will cancel out all bene- plished when COTA traverses the array of each
fits described in previous sections. We are going cell. They do not add much computation over-
to answer two questions about COTA: (1) How head. Referring to the results shown in Table
to organize the stored records? (2) How to effi- 1, we find that COTA can still save a lot of re-
ciently recollect the space of the expired records? sources.
A practical data structure in the destination
node is shown in Figure 3-(b). All nodes that
have active records are put into a link list. The V.G. Experiments on real devices
destination remembers the expiration time of the
In this section, we present some results on the
latest time, position pair of every node. It
computation efficiency of COTA. They are col-
is used in space collection. Every node has a
lected through experiments on real mobile de-
link list, which stores the cells that have active
vices. We assume that symmetric cryptographic
records. Each cell also remembers the expiration
operations are used.
time of the latest pair in it. In each cell, an array
of records are maintained. The size of the array is
%6 . Every entry has a bit to iden-
We define the procedure that locates the record
in an array who has the shortest time difference
tify whether the data is available in it. To avoid from the new timestamp and calculates the aver-
memory copy as time elapses, the array is used age moving speed as a . It corresponds
in a cyclical way and a pointer is used to identify to the operations that examine a new record in
the current array header. one cell. It also clears out the expired records in
that cell. We design a test program that executes
When a new time, position pair of a node ar-
100 million and run it on a Compaq
rives, the destination first locates the cell list of
iPAQ 3630 with 206 MHz CPU and 64M RAM.
that node. Then for each cell of that node, it uses
a linear search to locate the record that has the
Different values of
are examined and
the size of an array is determined by the optimal
shortest time difference from the new timestamp.
value of the time slot length. The computation
This linear search is also used to abort those efficiency of COTA is shown in Table 2.
expired records and to recollect the space if all
records in that cell have expired. It resets the Table 2: Computation efficiency of COTA.
available bits of those expired entries and moves
the array header according to current time. If the Sensitivity (m) 20 30 40 50 60
Optimal
latest pair in a cell has expired, COTA can take
the memory back without looking into the array
7 .6
size of an array
/ sec
19
1.05M
13
1.54M
10
2.01M
8
2.54M
7
2.86M
determine the storage and computation resources creases, we must be able to find another record
that it wants to put on wormhole detection. In this of within the interval . %6
section, we focus on the communication over- The longest interval between the received
head. We study packet overhead and byte over- timestamps of the source is . 7
There-
Proof 2 : Let’s consider the
pairs of an intermediate node received by the
VI.B. Controlling byte overhead
destination. The pairs received in the same detec-
domly select a
>
tion packet have the same sub-index. If we ran-
pair, there are
The analysis in V.B shows that the end-to-end
mechanism does not scale well to very long
two possible conditions: routes if every intermediate node attaches its
6 % > 6
Condition I: the selected pair records a receiv- time, position pairs. To avoid this problem,
ing event. We assume that it is . the destination can choose a part of the nodes
15
to attach their records. The selected intermediate tion of COTA allows the destination to control the
nodes are switched to guarantee that every neigh- overhead on each route. It helps to defend against
A malicious node can eavesdrop the wormhole and the frequency to send out wormhole detec-
detection packets. The position information at- tion packets. When an intermediate node for-
tached by the intermediate nodes is protected by wards the routing request, it will attach its iden-
the MAC codes. The malicious node cannot send tity. The source and the intermediate nodes will
fake information in other node’s name to fabri- protect the attached information using keyed hash
cate a wormhole on the route. Every intermedi- codes. When the destination receives the request,
ate node calculates the MAC code based on the it knows the identities of all intermediate nodes.
whole packet. An attacker cannot take a part The destination reviews the proposed parameters.
of the detection packet and conducts the resend If they satisfy its requirements, the destination
attack. If it resends the whole packet, it is the will accept them. Otherwise, it will propose its
same as a duplicate packet generated by the un- choices in the routing reply (RREP). Besides the
reliable network. For multiple connections that parameters, the destination will also determine
have the same source and destination and use the the starting value of the sequence number for the
same route, only one group of wormhole detec- detection packets. When the source receives the
tion packets need to be sent. A malicious node reply, it will start to send out the data packets and
cannot overwhelm the destination by establishing the detection packets.
multiple connections at the same time. The adop- RREQ and RREP accomplish the route discov-
16
400
ery and try to settle the wormhole detection pa-
350
17
400 250
350
0 0
0 0.5 1 1.5 2 2.5 0 0.5 1 1.5 2 2.5
Added offset / The unit distance Added offset / The unit distance
Figure 6: False positive alarms: no wormholes, Figure 7: False positive alarms: wormholes exist,
added offset / the unit distance changes. added offset / the unit distance changes.
70
ratio. Figure 6 illustrates the relation between 30 The highest node speed
[4] M. Zapata and N. Asokan. Securing ad- [14] Yih-Chun Hu, Adrian Perrig, and David B.
hoc routing protocols. In Proceedings Johnson. Rushing attacks and defense in
of ACM Workshop on Wireless Security wireless ad hoc network routing protocols.
(WiSe), 2002. In Proc. of the ACM Workshop on Wireless
Security (WiSe), 2003.
[5] Y. Hu, D. Johnson, and Adrian Perrig. Sead:
Secure efficient distance vector routing for [15] M. Corner and B. Noble. Zero-interaction
mobile wireless ad hoc networks. In Proc. authentication. In Proceedings of the Eighth
of the IEEE Workshop on Mobile Comput- Annual International Conference on Mobile
ing Systems and Applications, 2002. Computing and Networking (MobiCom),
2002.
[6] Y. Hu, A. Perrig, and D. Johnson. Ariadne:
A secure on-demand routing protocol for ad [16] Y. Hu, A. Perrig, and D. Johnson. Packet
hoc networks. In Proc. of ACM MobiCom, leashes: A defense against wormhole at-
2002. tacks in wireless ad hoc networks. In Pro-
ceedings of INFOCOM, 2003.
[7] A. Perrig, R. Canetti, D. Song, and D. Ty-
gar. Efficient and secure source authenti- [17] S. Capkun, L. Buttyan, and J. Hubaux. Sec-
cation for multicast. In Proc. of Network tor: Secure tracking of node encounters in
and Distributed System Security Symposium multi-hop wireless networks. In Proceed-
(NDSS), 2001. ings of the ACM Workshop on Security of
Ad Hoc and Sensor Networks, 2003.
[8] S. Yi, P. Naldurg, and R. Kravets. Security-
aware ad hoc routing for wireless networks. [18] L Hu and D. Evans. Using directional an-
In Proc. of the ACM Symposium on Mobile tennas to prevent wormhole attacks. to ap-
Ad Hoc Networking and Computing (Mobi- pear in the Proceedings of Network and
HOC), 2001. Distributed System Security Symposium
(NDSS), 2004.
[9] Y. Zhang and W. Lee. Intrusion detection in
wireless Ad-Hoc networks. In Proceedings [19] C. Perkins and E. Royer. Ad-Hoc On-
of ACM MobiCom, 2000. Demand Distance Vector Routing. In Pro-
ceedings of the 2nd IEEE Workshop on Mo-
[10] V. Bharghavan. Secure wireless LANs. In bile Computing Systems and Applications,
Proc. of the ACM Conference on Computers 1999.
and Communications Security, 1994.
[20] C. Perkins. Highly dynamic destination-
[11] Z. Zhou and Z. Haas. Securing Ad Hoc net- sequenced distance-vector routing (DSDV)
works. IEEE Networks, 13(6):24–30, 1999. for mobile computers. In Proceedings of
SIGCOMM, 1994.
[12] P. Albers and O. Camp. Security in Ad Hoc
network: A general ID architecture enhanc- [21] G. Pei, M. Gerla, X. Hong, and C.-C. Chi-
ing trust based approaches. In Proceedings ang. A wireless hierarchical routing proto-
of International Conference on Enterprise col with group mobility. In Proc. of IEEE
Information Systems, 2002. WCNC, 1999.
21
[22] C. Chiang. Routing in Clustered Multi- [32] N. Sastry, U. Shanker, and D. Wagner. Se-
hop, Mobile Wireless Networks with Fad- cure verification of location claims. In Pro-
ing Channel. In Proceedings of IEEE ceedings of the ACM Workshop on Wireless
SICON, 1997. Security (WiSe), 2003.
[23] E. Royer. Hierarchical routing in ad hoc [33] Paramvir Bahl and Venkata N. Padmanab-
mobile networks. Wireless Communication han. RADAR: An in-building RF-based
and Mobile Computing, 2(5), 2002. user location and tracking system. In Proc.
of INFOCOM, 2000.
[24] C. Perkins, B. Woolf, and S. Alpert. Mobile [34] A. Ward, A. Jones, and A. Hopper. A
IP: Design Principles and Practices. Print- new location technique for the active office.
ice Hall, 1998. IEEE Personnel Communications, 4(5):42–
47, 1997.
[25] B. Gleeson, A. Lin, J. Heinanen, G. Ar-
mitage, and A. Malis. A framework for IP [35] N. Jain, S. Das, and A. Nasipuri. A multi-
Based Virtual Private Networks. IETF RFC channel MAC protocol with receiver-based
2764, 2000. channel selection for multihop wireless net-
works. In Proceedings of the 9th Int.
[26] D. Awduche, L. Berger, D. Gan, T. Li, Conf. on Computer Communications and
V. Srinivasan, and G. Swallow. RSVP-TE: Networks (IC3N), 2001.
Extensions to RSVP for LSP Tunnels. IETF
RFC 3209. [36] E. Jung and N. Vaidya. A power control
MAC protocol for ad-hoc networks. In Pro-
[27] S. Bellovin. Security problems in the ceedings of ACM MOBICOM, 2002.
TCP/IP protocol suite. Computer Commu-
[37] R. Pickholtz, D. Schilling, and L. Milstein.
nications Review, 19(2):32–48, April 1989.
Theory of spread spectrum communications
– a tutorial. IEEE Trans. Comm., 1982.
[28] B. Dahill, B. Levine, E. Royer, and
C. Shields. A secure routing protocol for [38] V. Gupta, S. Krishnamurthy, and M. Falout-
ad hoc networks. Tech report 02-32, Dept. sos. Denial of service attacks at the MAC
of Computer Science, University of Mas- layer in wireless ad hoc networks. In Pro-
sachusetts, Amherst, 2001. ceedings of Milcom, 2002.
[29] P. Papadimitratos and Z. Haas. Secure rout- [39] Patrik Bjorklund, Peter Varbrand, and
ing for mobile Ad Hoc networks. In Pro- Di Yuan. Resource optimization of spatial
ceedings of SCS Communication Networks TDMA in ad hoc radio networks: A column
and Distributed Systems Modeling and Sim- generation approach. In Proceedings of IN-
ulation Conference (CNDS), 2002. FOCOM, 2003.
adaptive filter. In Proc of ION GPS/GNSS
Conference, 2003.
, 2003.
[61] P. Kruss. A survey of multicast security is-
[52] D. Mills. A computer-controlled LORAN- sues and architectures. In Proceedings of
C receiver for precision timekeeping. Tech- 21st National Information Systems Security
nical report 92-3-1, Dept. of Electrical Conference, 1998.
23
[62] M. Brown, D. Cheung, D. Hankerson, [72] T. Camp, J. Boleng, B. Williams, L. Wilcox,
J. Hernandez, M. Kirkup, and A. Menezes. and W. Navidi. Performance comparison of
PGP in constrained wireless devices. In two location based routing protocols for Ad
Proceedings of the 9th USENIX Security Hoc networks. In Proc. of the IEEE INFO-
Symposium, 2000. COM, 2002.
[63] N. Courtois, L. Goubin, and J. Patarin. [73] J. Kim and M. Krunz. Fluid analysis of de-
Flash, a fast multivariate signature algo- lay performance for QoS support in wireless
rithm. In Proceedings of Cryptographers’ networks. In Proc. of Seventh Annual Inter-
Track RSA Conference, 2001. national Conference on Network Protocols,
1999.
[64] Guillaume Poupard and Jacques Stern. On
the Fly signatures based on factoring. In [74] Y. Lu and B. Bhargava. Self-adjusting con-
ACM Conference on Computer and Com- gestion avoidance routing protocol for ad
munications Security, pages 37–45, 1999. hoc networks. Technical report, Purdue
University, Department of Computer Sci-
[65] C. Boyd and A. Mathuria. Key establish-
ences, February 2003.
ment protocols for secure mobile communi-
cations: A selective survey. Lecture Notes [75] Network simulator – ns2.
in Computer Science, 1998. http://www.isi.edu/nsnam/ns/.
[66] J. Hubaux, L. Buttyan, and S. Capkun. The [76] D. Harkins and D. Carrel. The internet key
quest for security in mobile ad hoc network. exchange (IKE) protocol. IETF RFC 2409,
In Proceedings of the ACM Symposium on 1998.
Mobile Ad Hoc Networking and Computing
(MobiHOC), 2001. [77] W. Torgeson. Multidimensional scaling
of similarity. Psychometrika, 30:379–393,
[67] B. Shrader, M. Sanchez, and T. Giles. 1965.
Throughput-delay analysis of conflict-free
scheduling in multihop ad-hoc networks. In
Proceedings of the 3rd Swedish Workshop
on Wireless Ad-hoc Networks, 2003.
[68] N. Bansal and Z. Liu. Capacity, delay and
mobility in wireless ad-hoc networks. In
Proceedings of IEEE InfoCom, 2003.
[69] G. Sharma and R. R. Mazumdar. Delay and
capacity trade-offs for wireless ad hoc net-
works with random mobility. Tech Report
of ECE Department, Purdue University and
submit for review, 2003.
[70] Eugene Perevalov and Rick Blum. De-
lay limited capacity of ad hoc networks:
Asymptotically optimal transmission and
relaying strategy. In Proceedings of IEEE
InfoCom, 2003.
[71] C. Perkins, E. Royer, and S. Das. Perfor-
mance comparison of two on-demand rout-
ing protocols for Ad Hoc networks. In Pro-
ceedings of INFOCOM, 2000.
24