Sonali Bhargava and Dharma P. Agrawal Center for Distributed & Mobile Computing Dept of ECECS, University of Cincinnati Security Enhancements in AODV protocol for Wireless Ad Hoc Networks Presented By: Syeda Momina Tabish MIT - 7


Jan 18, 2016

Transcript
Page 1: Sonali Bhargava and Dharma P. Agrawal Center for Distributed & Mobile Computing Dept of ECECS, University of Cincinnati Security Enhancements in AODV protocol.

Sonali Bhargava and Dharma P. Agrawal
Center for Distributed & Mobile Computing, Dept of ECECS, University of Cincinnati

Security Enhancements in AODV protocol for Wireless Ad Hoc Networks

Presented By: Syeda Momina Tabish
MIT - 7

Page 2

Agenda

Syeda Momina Tabish ....................................................................................................... NIIT-NUST

2

- Introduction
- Motivation
- Related Work
- Assumptions and Background
- Proposed Approach
  - Intrusion Detection Model (IDM)
  - Intrusion Response Model (IRM)
- Experimental Setup
- Performance Metrics
- Simulation Results
- Conclusion & Future Work

Security Enhancements in AODV protocol for Wireless Ad Hoc Networks

Page 3

Introduction

AODV:
- On-demand route discovery
- Effective use of available bandwidth
- Highly scalable

An ad hoc network is dynamically formed when two or more mobile hosts with wireless capability come into transmission range of each other.

Advantages of ad hoc networks:
- Can be set up 'on-the-fly'
- Requires no existing infrastructure

Page 4

AODV Operation (figure residue): message flow between Source and Destination, in order RREQ, RREP, Data, RERR, Data.

Page 5

Introduction contd.

Ad hoc networks are useful where geographical or terrestrial constraints demand a fully distributed network with no fixed base station, for example on a battlefield or in a disaster area.

Wireless ad hoc networks are highly susceptible to malicious attacks and need stronger security than the conventional wired, static Internet.

Intrusion prevention measures such as encryption and authentication at times fail to identify an attack, because they cannot defend against compromised mobile nodes.

Page 6

Motivation

We need an Intrusion Detection System in the network to create another wall of defense.

Forms of attack:
- Passive eavesdropping
- Active interfering
- Leakage of secret information
- Data tampering
- Impersonation
- Denial of service

Detection of compromised nodes is challenging because:
- Nodes are constantly mobile
- The protocols are cooperative in nature
- There is no fixed infrastructure or central authority
- There is no clear distinction between normal and abnormal behavior

Page 7

Motivation contd.

Attacks on the routing protocol can be further classified into two types:
- External attack: an attack caused by nodes that do not belong to the network.
- Internal attack: an attack from nodes that belong to the network but have been compromised or captured.

Page 8

Related Work

Yongguang Zhang and Wenke Lee presented a new intrusion detection and response mechanism. The basic assumption is that user and program activities are observable and that the system should be cooperative and distributed.

Sergio Marti introduced techniques that improve throughput in an ad hoc network by identifying misbehaving nodes that agree to forward packets but never do so.

Venkatraman proposed an intrusion detection agent to prevent some internal attacks on the network. The agent runs on all nodes and is based on Zhang and Lee's model.

Page 9

Assumptions and Background

Assumptions:
- When a node is within radio range of another node, the two are termed neighbors.
- Every link between two nodes is bi-directional.
- Nodes operate in promiscuous mode.
- Compromised nodes do not work in teams.

Page 10

Proposed Approach

Identified the possible internal attacks on the AODV protocol and present details of the Intrusion Detection Model (IDM) and the Intrusion Response Model (IRM).

Compromised nodes can cause sufficient damage merely by not cooperating.

The types of malicious activity depend on the functioning of the protocol.

These attacks are deterministic: they can be detected by the IDM, and the malicious nodes are then isolated using the IRM.

Page 11

Proposed Approach contd.

The following internal attacks are handled by the IDM:

Distributed false route request: Under this attack, a malicious node generates false route requests from different radio ranges, resulting in continued wastage of channel bandwidth. Because the requests arrive from different radio ranges, the originator cannot easily be categorized as a malicious node.

Denial of service: A denial of service attack results when the network bandwidth is hijacked by a malicious node repeatedly generating route requests. The malicious node continues to transmit control packets, so that other nodes in the network cannot use the resources.

Page 12

Proposed Approach contd.

Destination is compromised: A compromised destination node does not acknowledge the route requests destined for it. This results in re-broadcasts and an increase in end-to-end routing delay, so network throughput is severely decreased.

Impersonation: A malicious node impersonates another node when sending control packets, causing anomalous updates to the routing tables.

Routing information disclosure: A malicious node leaks confidential routing information to unauthorized users in the network. This kind of attack is difficult to identify.

Page 13

Intrusion Detection Model

Based on the model presented by Yongguang Zhang and Wenke Lee.

Each node employs a detection model that uses neighborhood information to detect misbehavior by its neighbors.

The IDM is present on all nodes. It constantly monitors the behavior of its neighbors and analyzes it to detect whether a neighbor has been compromised.

Page 14

Handling of Internal Attacks

Handling of Internal Attacks (flowchart, figure residue): Data Collection feeds the Intrusion Detection Model; the decision "Mal count > Threshold?" leads on Yes to the Intrusion Response Model, whose boxes are Secure Communication and Global Response, and on No to no response.

Page 15

Intrusion Detection Model contd.

The model identifies each of the aforementioned attacks as follows:

Distributed false route request:

A route request is generated whenever a node has to send data to a particular destination.

A malicious node might generate frequent, unnecessary route requests.

When the malicious node generates false route requests from different radio ranges, identifying it is difficult.

When a node in the network receives, from a specific source for a destination, more route requests than a threshold count within a particular time interval t_interval, that source is declared malicious and the information is propagated through the network.

Page 16

Intrusion Detection Model contd.

Denial of service:

A malicious node launches a denial of service attack by transmitting false control packets and consuming the entire network's resources.

This deprives the other nodes of network resources.

Denial of service can be launched by transmitting false routing packets or data packets.

It is identified when a node generates more control packets than the threshold count within a particular time interval t_frequency.

Page 17

Intrusion Detection Model contd.

Destination is compromised: A destination might not reply if it is (i) not in the network, (ii) overloaded, (iii) did not receive the route request, or (iv) malicious.

This attack is identified when the source does not receive a reply from the destination within a particular time interval t_wait.

The neighbors then generate probe/hello packets to determine connectivity. If the node is in the network and still does not respond to route requests destined for it, it is identified as malicious.

Page 18

Intrusion Detection Model contd.

Impersonation:

It can be avoided if the sender encrypts (that is, signs) the packet with its private key and the other nodes decrypt it with the sender's public key.

If the receiver is not able to decrypt the packet, the sender may not be the real source, and the packet is dropped.

Page 19

Intrusion Response Model

A node identifies that another node has been compromised when its malcount for that allegedly compromised node exceeds the threshold value.

In that case it propagates this information to the entire network by transmitting a Mal packet.

If another node also suspects the node that has been reported as compromised, it reports its suspicion to the network by transmitting a ReMal packet.

Page 20

Intrusion Response Model contd.

If two or more nodes report a particular node, a Purge packet is transmitted to isolate the malicious node from the network.

All nodes that have a route through the compromised node look for new routes.

All packets received from the compromised node are dropped.
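The threshold counters of the IDM (false route request and denial of service, pages 15 and 16) and the Mal/ReMal/Purge exchange of the IRM (pages 19 and 20), as an added Python sketch; this is not the authors' ns implementation. The threshold values, window lengths, node names and the overheard traffic trace are constructed assumptions.

```python
from collections import defaultdict, deque
# Assumed thresholds: the deck names t_interval, t_frequency and a malcount limit, no values.
RREQ_MAX, T_INTERVAL = 3, 1.0      # RREQs per (source, dest) tolerated per window
CTRL_MAX, T_FREQUENCY = 6, 1.0     # control packets per node tolerated per window
MALCOUNT_MAX = 2                   # malcount above which a node raises Mal
def count_in_window(dq, now, width):
    """Append a timestamp and return how many fall inside the trailing window."""
    dq.append(now)
    while now - dq[0] > width:
        dq.popleft()
    return len(dq)

class IDM:
    """Runs on every node; counts overheard control packets per neighbour."""
    def __init__(self):
        self.rreq_times = defaultdict(deque)   # (src, dst) -> RREQ timestamps
        self.ctrl_times = defaultdict(deque)   # node -> control packet timestamps
        self.malcount = defaultdict(int)

    def observe(self, now, sender, kind, dst=None):
        """Record one overheard packet; return the (node, reason) detections."""
        found = []
        if kind == "RREQ" and count_in_window(
                self.rreq_times[(sender, dst)], now, T_INTERVAL) > RREQ_MAX:
            found.append((sender, "false-rreq"))
        if kind in ("RREQ", "RREP", "RERR") and count_in_window(
                self.ctrl_times[sender], now, T_FREQUENCY) > CTRL_MAX:
            found.append((sender, "dos"))
        for node, _ in found:
            self.malcount[node] += 1
        return found
    def suspects(self):
        return {n for n, c in self.malcount.items() if c > MALCOUNT_MAX}

class IRM:
    """Mal on a node's first report, ReMal on later ones, Purge once two agree."""
    def __init__(self):
        self.reports = defaultdict(set)        # suspect -> nodes that reported it
        self.purged = set()                    # packets from these nodes are dropped

    def report(self, reporter, suspect):
        sent = ("Mal",) if not self.reports[suspect] else ("ReMal",)
        self.reports[suspect].add(reporter)
        if len(self.reports[suspect]) >= 2 and suspect not in self.purged:
            self.purged.add(suspect)
            sent += ("Purge",)
        return sent

def run_demo():
    irm, neighbours = IRM(), {"B": IDM(), "C": IDM()}   # B and C overhear M and A
    for i in range(12):                        # constructed trace: M floods RREQs for D
        for idm in neighbours.values():
            idm.observe(0.1 * i, "M", "RREQ", dst="D")
    for idm in neighbours.values():            # benign A sends only two RREQs
        idm.observe(0.5, "A", "RREQ", dst="D")
        idm.observe(0.9, "A", "RREQ", dst="D")
    sent = [(name, s, irm.report(name, s))
            for name, idm in neighbours.items() for s in sorted(idm.suspects())]
    return sent, irm
```

Both neighbours flag M; the first report goes out as Mal, the second as ReMal, and with two reporters the Purge is issued, while A stays under both thresholds.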

Page 21

Experimental Setup

Used a version of Berkeley's Network Simulator (ns) for the implementation.

Based on a 1500 by 300 meter flat space scattered with 50 wireless nodes, of which 10 are data sources.

The nodes move randomly with random speed (the speed is uniformly distributed between 0-20 sec).

The MAC layer used for the simulations is IEEE 802.11.

The transport protocol used for the simulations is User Datagram Protocol (UDP).

Page 22

Experimental Setup contd.

Performance Metrics:

1. Packet Delivery Fraction: the ratio of CBR packets delivered to those generated, measured as throughput.

2. Routing Overhead: the number of routing packets transmitted for every data packet sent. Each hop of a routing packet is counted as one packet. The normalized routing load, the ratio of routing packets to data packets, is used for comparison.

3. Average end-to-end delay: the average of the delays incurred by all packets that are successfully transmitted.

Page 23

Experimental Setup contd.

4. Accuracy of Predictions: Only the malicious nodes generated in the network were reported as intruders; other nodes were not claimed as malicious.

In the simulation, a misbehaving node is one that generates false route requests or drops the route request packets destined for it.

Page 24

Simulation Results

Routing Load vs. Pause Time (figure)

Page 25

Simulation Results

End-to-End Delay vs. Pause Time (figure)

Page 26

Simulation Results

Packet Delivery vs. Pause Time (figure)

Page 27

Conclusion & Future Work

Proposed a security scheme to pro-actively prevent internal attacks.

The implementation results show that the overhead is marginal and has a negligible effect on network performance while making the protocol robust.

The authors are working on defining more internal attacks and plan to identify solutions for them.

Moreover, they plan to introduce a security scheme for external attacks and incorporate it with the Intrusion Detection and Response models as well.

Page 28

Thanks

Questions ???