Similar literature
Found 20 similar documents (search time: 26 ms)
1.
Issa  Saurabh  Ness B.   《Ad hoc Networks》2008,6(3):344-362
In multihop wireless systems, the need for cooperation among nodes to relay each other’s packets exposes them to a wide range of security attacks. A particularly devastating attack is the wormhole attack, where a malicious node records control traffic at one location and tunnels it to a colluding node, possibly far away, which replays it locally. This can have an adverse effect on route establishment by preventing nodes from discovering legitimate routes that are more than two hops away. Previous works on tolerating wormhole attacks have focused only on detection and used specialized hardware, such as directional antennas or extremely accurate clocks. More recent work has addressed the problem of locally isolating the malicious nodes. However, all of this work has been done in the context of static networks due to the difficulty of secure neighbor discovery with mobile nodes. The existing work on secure neighbor discovery has limitations in accuracy, resource requirements, and applicability to ad hoc and sensor networks. In this paper, we present a countermeasure for the wormhole attack, called MobiWorp, which alleviates these drawbacks and efficiently mitigates the wormhole attack in mobile networks. MobiWorp uses a secure central authority (CA) for global tracking of node positions. Local monitoring is used to detect and isolate malicious nodes locally. Additionally, when sufficient suspicion builds up at the CA, it enforces a global isolation of the malicious node from the whole network. The effect of MobiWorp on the data traffic and the fidelity of detection is brought out through extensive simulation using ns-2. The results show that as time progresses, the data packet drop ratio goes to zero with MobiWorp due to the capability of MobiWorp to detect, diagnose and isolate malicious nodes.
With an appropriate choice of design parameters, MobiWorp is shown to completely eliminate framing of a legitimate node by malicious nodes, at the cost of a slight increase in the drop ratio. The results also show that increasing mobility of the nodes degrades the performance of MobiWorp.

2.
Quality of Service (QoS) has become a very important issue in networking, covering many performance aspects and numerous measures. The deployment of next generation wireless systems includes 2.5G General Packet Radio Service (GPRS), which is the packet-switched extension of the Global System for Mobile communications (GSM), and Third-Generation (3G) Universal Mobile Telecommunications System (UMTS) to meet the needs of larger capacity and higher bit rates. A UMTS packet core network is an IP-based network. The Internet Engineering Task Force (IETF) Forum developed several IP QoS related mechanisms available for IP transport networks. Service Quality Management (SQM), one component of Telecommunication Management Network (TMN), will enable providers to manage QoS against objectives set out in customer Service Level Agreements (SLAs) and will enable customers to compare the service offerings of different service providers.

3.
The caching of frequently accessed data items on the client side is an effective technique to improve performance in a mobile environment. Caching data in a wireless mobile computer can significantly reduce the bandwidth requirement. However, cache content needs to be validated; classical cache invalidation strategies are not suitable for mobile environments due to the disconnection frequency and mobility of the mobile clients. Attractive cache invalidation techniques are based on invalidation reports (IRs). But, IR-based cache invalidation schemes result in considerable consumption of uplink and download bandwidth. In this paper, we address these problems by presenting a new energy-efficient cache invalidation method for the wireless mobile environment. The new cache invalidation scheme is called Adaptive Energy Efficient Cache Invalidation Scheme (AEECIS). The algorithm is adaptive since it changes the data dissemination strategy based on the current conditions. To reduce the bandwidth requirement, the server transmits in one of three modes: slow, fast or super-fast. The mode is selected based on thresholds specified for time and the number of clients requesting updated objects. An efficient implementation of AEECIS is presented and simulations have been carried out to evaluate its caching effectiveness. The results demonstrate that it can substantially improve mobile caching by reducing the communication bandwidth (thus energy consumption) for query processing. Also, the reported results demonstrate that compared to previous IR-based schemes, AEECIS can significantly improve the bandwidth consumption and the number of uplink requests.

4.
We address the problem of detecting a rogue base station (BS) in WiMax/802.16 wireless access networks. A rogue BS is a malicious station that impersonates a legitimate access point (AP). The rogue BS attack represents a major denial-of-service threat against wireless networks. Our approach is based on the observation that inconsistencies in the signal strength reports received by the mobile stations (MSs) can be seen if a rogue BS is present in a network. These reports can be assessed by the legitimate base stations, for instance, when a mobile station undertakes a handover towards another BS. Novel algorithms for detecting violations of received signal strength reports consistency are described in this paper. These algorithms can be used by an intrusion detection system localized on the legitimate BSs or on a global network management system operating the BSs.

5.
6.
We present and validate TICP, a TCP-friendly reliable transport protocol to collect information from a large number of sources spread over the Internet. TICP is a stand-alone protocol that can be used by any application requiring the reliable collection of information. It ensures two main functions: (i) the information arrives at the collector entirely and correctly, (ii) the implosion at the collector and the congestion of the network are avoided. The congestion control in TICP is done by having the collector probe the sources at a rate function of network conditions. The probing rate increases and decreases in a way similar to how TCP adapts its congestion window. We implement TICP in ns-2 and validate its performance. In particular, we show how efficient TICP is in quickly and reliably collecting information from a large number of sources, while avoiding network congestion and being fair with competing traffic.

7.
Measurement-based admission control in UMTS   Total citations: 1 (self-citations: 1, citations by others: 0)
In this paper, we develop an efficient Call Admission Control (CAC) algorithm for UMTS systems. We first introduce the expressions that we developed for Signal-to-Interference (SIR) for both uplink and downlink, to obtain a novel CAC algorithm that takes into account, in addition to SIR constraints, the effects of mobility, coverage as well as the wired capacity behind the base station, for the uplink, and the maximal transmission power of the base station, for the downlink. As for its implementation, we investigate the measurement-based approach as a means to predict future, both handoff and new, call arrivals and thus manage different priority levels depending on a tunable coefficient. Compared to classical CAC algorithms, our CAC mechanism achieves better performance in terms of outage probability and QoS management.

8.
A Distributed Denial of Service (DDoS) attack consumes the resources of a remote host or network by sending a massive amount of IP packets from many distributed hosts. It is a pressing problem on the Internet as demonstrated by recent attacks on major e-commerce servers and ISPs. Since the attack is distributed and the attack tools evolve at a rapid and alarming rate, an effective solution must be formulated using a distributed and adaptive approach. In this paper, we propose a countermeasure against DDoS attacks using a method we call Active Shaping. Our method employs the Active Networks technologies, which incorporate programmability into network nodes. The Active Networks technology enables us to deter congestion and bandwidth consumption of the backbone network caused by DDoS attacks, and to prevent our system from mistakenly dropping packets of legitimate users. This paper introduces the concept of our method and its system design, and evaluates the effectiveness of our method using a prototype.

9.
Mobile subscribers who wish to mutually authenticate to service providers on the Internet utilize existing identity management mechanisms, such as Microsoft .NET Passport, overlooking the existing trust relationship between the subscriber and the 3G mobile operator and increasing network resources consumption, in an environment that requires security mechanisms that are as lightweight as possible. Furthermore, knowledge, as well as the possession of an item, does not distinguish a person uniquely, revealing an inherent security weakness of PIN authentication mechanisms. This paper proposes a protocol (3GbioId) for implementing strong identity management for Internet applications over 3G mobile networks. 3GBioId introduces biometrics, as well as the principles of the Liberty Alliance, into the 3G mobile security architecture, targeting a more effective, secure and lightweight identity management alternative to the existing protocols. The results of a security, privacy, performance, usability and complexity evaluation indicate 3GbioId’s benefits and limits.

10.
The aim of this paper is to evaluate the robustness of Parallel Interference Cancellation (PIC) to noise contribution for an optical Code Division Multiple Access system. The theoretical expression of the PIC error probability is developed in the case of white additive Gaussian noise. From theoretical analysis, we show that, even with noise contribution, the PIC receiver outperforms the Conventional Correlation Receiver (CCR). Moreover, the results highlight that, for a given performance, the PIC receiver relaxes not only the constraint on the code length, but also the Signal to Noise Ratio compared to CCR. In particular, this is proved in the access network context, i.e. 30 users with BER < 10⁻⁹.

11.
This paper presents a Multi-Carrier Code Division Multiple Access (MC-CDMA) system analysis in a software radio context. Based on a combination of multi-carrier modulation and code division multiple access, MC-CDMA benefits from the main advantages of both schemes: high spectral efficiency, high flexibility, multiple access capabilities, etc. It is firstly shown why, nowadays, MC-CDMA is undoubtedly a high potential candidate for the air interface of the 4G cellular networks. The MC-CDMA concept and the block-diagrams of the transmitter and the receiver are presented first. Afterwards, the technical issues concerning the processing devices for the implementation of MC-CDMA systems in a software radio context are analysed. The advantages and disadvantages of Digital Signal Processors (DSPs) and Field Programmable Gate Arrays (FPGAs) components are discussed. The implementation of MC-CDMA systems and the integration of signal processing algorithms such as Fast Hadamard Transform (FHT) and Inverse Fast Fourier Transform (IFFT) are considered and analysed for the first time. Finally, implementation results with a mixed prototyping board are presented. Then, it is shown that a new combination of the flow graphs of FHT and IFFT leads to interesting computation savings and that hardware structures such as FPGAs are more adapted than DSPs to those intensive computation functions. Finally, for the complete MC-CDMA modem implementation, the necessity of a Co-Design methodology is highlighted in order to obtain the best matching between algorithms and architecture.

12.
This paper presents a novel active architecture for building and deploying network services: ASWA, Web Services based Active network Architecture. At the architectural level, ASWA defines an active node whose functionalities are divided into the Node Operating System, the Execution Environment, and the Active Applications. At the implementation level, ASWA is a Web Services based platform where new components could be added and deployed, in order to dynamically modify network nodes' behavior. Applications can be developed with any language and communicate across heterogeneous environments, and across Internet and Intranet structures. At the deployment level, ASWA uses an active node approach, and offers a controlled deployment mode. In terms of security, authentication of deployed code and protection of the nodes is achieved by the use of HTTPS and the header extensions of the SOAP envelope. Finally, to validate this architecture, ASWA defines a Firewall as an Active Application to secure the code deployment.

13.
Using network analysis, this article examines the structure of the international Internet as a global communication system. The number of inter-domain hyperlinks embedded in web-sites for 47 nations were gathered using Alta Vista. Data were also obtained on the bandwidth connections among 63 nations. The results indicate that the U.S. is the most central nation in the hyperlink network, followed by Australia, the U.K., China and Japan. Most peripheral are Uruguay, Luxembourg, the UAE, and Thailand. A cluster analysis found a single group centered about the U.S. The analysis of the bandwidth network revealed that the U.S. is the most central nation, followed by the U.K., Germany, Hong Kong, Singapore and Japan. Most peripheral are Iceland, Lithuania, and Morocco. This network had three groupings: 1) the English-speaking countries with Scandinavia, Belgium, The Netherlands, and East Asia, 2) South America, and 3) Franco-German Europe. The correlation between the two networks indicates that the physical infrastructure is an important determinant of hyperlink communication. However, it is not the only determinant; others may be cultural or linguistic. The results are discussed in terms of world system theory, the evolution of Internet and globalization.

14.
G. Jennes  G. Leduc  M. Tufail 《电信纪事》2002,57(1-2):83-104
We propose a new delay-based scheduler called RD-VC (Relative Delay VirtualClock). Since it performs a delay-based service differentiation among flow aggregates, the quality at microflow level is the same as that at aggregate level. This is not easily achievable when the service differentiation is bandwidth-based or loss-based. Unlike the EDF (Earliest Deadline First) scheduler [1], our proposed scheduler self-regulates and adapts the delays according to load changes. This characteristic permits us to implement it in an AF-like PHB providing the relative quantification service in a DiffServ network. Finally, we compare our proposed RD-VC scheduler with two important existing propositions: WTP (Waiting Time Priority) [2, 3] and EX-VC (Extended VirtualClock) [4]. Both these propositions are delay-based and have self-regulation property. All three schedulers (RD-VC, WTP and EX-VC) maintain the required service differentiation among aggregates and have comparable long term average performance like mean throughput per aggregate and packet loss ratio etc. However, RD-VC and WTP take an edge over EX-VC at short-term performance like jitter. Both RD-VC and WTP have good long term and short-term performance. Our proposed RD-VC, compared to existing WTP, has two additional characteristics, i.e. unlike WTP which is limited to architectures with one queue per QoS class, it has no limitation on implementation scope (with or without separate queues per class) and it has lower complexity. This renders RD-VC an interesting proposition.

15.
Performance evaluation of TCP traffic in OBS networks has been under intensive study, since TCP constitutes the majority of Internet traffic. As a reliable and publicly available simulator, ns2 has been widely used for studying TCP/IP networks; however ns2 lacks many of the components for simulating optical burst switching networks. In this paper, an ns2 based OBS simulation tool (nobs), which is built for studying burst assembly, scheduling and contention resolution algorithms in OBS networks is presented. The node and link objects in OBS are extended in nobs for developing optical nodes and optical links. The ingress, core and egress node functionalities are combined into a common optical node architecture, which comprises agents responsible for burstification, routing and scheduling. The effects of burstification parameters, e.g., burstification timeout, burst size and number of burstification buffers per egress node, on TCP performance are investigated using nobs for different TCP versions and different network topologies.

16.
Channel Capacity is of primary importance in broadband fixed wireless access (BFWA) networks due to the ever increasing demand for multimedia services and the possibility of providing wireless Internet. One of the major factors limiting capacity in such systems is interference originating from adjacent terrestrial applications belonging to the same BFWA network or to another. Moreover, the performance of broadband fixed wireless access links operating above 10 GHz is predominantly controlled by rain attenuation. The purpose of this paper is the presentation of a physical model for the evaluation of the fraction of the time where the capacity distribution of a broadband fixed wireless access channel under rain fade conditions suffering from co-channel interference, non-exceeds a specified level in (bps/Hz). The proposed analysis examines the capacity distribution properties focusing on the spatial inhomogeneity of rainfall medium. The impact of various operational and geometrical parameters on the performance of interfered broadband wireless access channel capacity distribution is investigated through extended simulations.

17.
Issa  Saurabh  Ness   《Ad hoc Networks》2007,5(3):360-391
Wireless sensor networks are increasingly being used in applications where the communication between nodes needs to be protected from eavesdropping and tampering. Such protection is typically provided using techniques from symmetric key cryptography. The protocols in this domain suffer from one or more of the following problems—weak security guarantees if some nodes are compromised, lack of scalability, high energy overhead for key management, and increased end-to-end data latency. In this paper, we propose a protocol called Secos that mitigates these problems in static sensor networks. Secos divides the sensor field into control groups each with a control node. Data exchange between nodes within a control group happens through the mediation of the control head which provides the common key. The keys are refreshed periodically and the control nodes are changed periodically to enhance security. Secos enhances the survivability of the network by handling compromise and failures of control nodes. It provides the guarantee that the communication between any two sensor nodes remains secure despite the compromise of any number of other nodes in the network. The experiments based on a simulation model show a seven time reduction in energy overhead and a 50% reduction in latency compared to SPINS, which is one of the state-of-the-art protocols for key management in sensor networks.

18.
Wireless sensor networks (WSNs) tend to be highly optimized due to severely restricted constraints. Various medium access control (MAC) protocols for WSNs have been proposed, being specially tailored to a target application. This paper proposes a taxonomy for the different mechanisms employed in those protocols. The taxonomy characterizes the protocols according to the methods implemented to handle energy consumption, quality of service and adaptability requirements. We also present an overview of the transceptors found in WSNs, identifying how events on communication affect the energy consumption. Based on the taxonomy, we classify existing MAC protocols. Finally, we discuss challenging trends in MAC protocols for WSNs, such as security issues and software radios.

19.
The DiffServ’s Assured Forwarding (AF) Per-Hop Behavior (PHB) Group defines a differentiated forwarding of packets in four independent classes, each class having three levels of drop precedence. Specific end-to-end services based on this PHB are still being defined. A particular type of service that could assure a given rate to a traffic aggregate has been outlined elsewhere. In such a service, a fair distribution of bandwidth is one of the main concerns. This paper presents experimental work carried out to evaluate how AF distributes bandwidth among flows under different load conditions and traffic patterns. We focused on the effect that marking mechanisms have on bandwidth sharing among flows within a single AF class. The traffic types we used include UDP flows, individual and aggregated TCP flows, mix of TCP and UDP, TCP sessions with heterogeneous round-trip times, as well as color-blind and color-aware re-marking at the aggregation point for TCP flows. Tests were performed on real and simulated networks. We have found certain conditions under which AF distributes bandwidth fairly among nonadaptive UDP flows and TCP aggregates. Finally, we evaluate a basic rule for setting the parameters of the two-rate Three-Color Marker conditioning algorithm (trTCM) in order to achieve a better bandwidth distribution for TCP flows.

20.
VTHD is a high-performance IP experimental network. This network and associated research projects have been partially funded by the French government through the French Research Network for Telecommunications (RNRT) in order to support the development of leading-edge network services on the one hand, and test a wide-scale deployment of advanced Internet applications on the other hand. This paper describes the network services that were deemed necessary to support the deployment of innovative applications, as well as several of the applications that have been experimented on the network. It also presents a selection of the traffic engineering methods and experiments that have been developed in the course of the VTHD-related research projects. This article describes the collective works of members of the project partners, which are represented by the set of authors for the present paper.
