Similar literature
20 similar documents found; search took 31 ms
1.
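Mobile ad hoc networks (MANETs) are typical distributed networks: they have no centralized management node, the network topology changes dynamically, and network bandwidth is limited. Because they lack network infrastructure, MANETs are vulnerable to various denial of service (DoS) attacks. The gray hole attack is one type of DoS attack in which the attacker, while network conditions are good, first participates honestly in the route discovery process and then drops some or all of the data packets it should forward, in a way that goes unnoticed. The paper first introduces related work, the DSR algorithm, the aggregate signature algorithm, and the network model. Then, based on the aggregate signature algorithm, it gives three related algorithms for detecting packet-dropping nodes: an evidence generation algorithm, a checkup algorithm, and a diagnosis algorithm. The evidence generation algorithm is used by nodes to produce forwarding evidence; the checkup algorithm is used to check the nodes on the source route; the diagnosis algorithm is used to identify the packet-dropping nodes. Finally, the efficiency of the algorithms is analyzed. ns-2 simulation results show that, in networks with moderate mobility speed, the proposed algorithms can detect most packet-dropping nodes with low routing packet overhead. After routes containing packet-dropping nodes are discarded, the data delivery rate improves accordingly.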

2.
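Trust mechanisms have recently been proposed as an effective security mechanism for wireless sensor networks (WSNs). This paper proposes a trust mechanism (EPTM) that not only prevents compromised or malicious nodes from being elected as cluster heads, but also designs a new type of vice cluster head node that monitors the cluster heads to prevent their malicious behavior. In particular, it introduces an energy-prediction-based method to detect nodes carrying out denial of service (DoS) attacks and to select trustworthy clusters. Finally, the feasibility of the mechanism is verified by simulation; the results show that EPTM can effectively defend against denial of service (DoS) attacks.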

3.
Mobile Ad-hoc Networks (MANETs) allow wireless nodes to form a network without requiring a fixed infrastructure. Early routing protocols for MANETs failed to take security issues into account. Subsequent proposals used strong cryptographic methods to secure the routing information. In the process, however, these protocols created new avenues for denial of service (DoS). Consequently, the trade-off between security strength and DoS vulnerability has emerged as an area requiring further investigation. It is believed that different trust methods can be used to develop protocols at various levels in this trade-off. To gain a handle on this exchange, real world testing that evaluates the cost of existing proposals is necessary. Without this, future protocol design is mere speculation. In this paper, we give the first comparison of SAODV and TAODV, two MANET routing protocols, which address routing security through cryptographic and trust-based means respectively. We provide performance comparisons on actual resource-limited hardware. Finally, we discuss design decisions for future routing protocols.

4.
Decentralized node admission is an essential and fundamental security service in mobile ad hoc networks (MANETs). It is needed to securely cope with dynamic membership and topology as well as to bootstrap other important security primitives (such as key management) and services (such as secure routing) without the assistance of any centralized trusted authority. An ideal admission technique must involve minimal interaction among MANET nodes, since connectivity can be unstable. Also, since MANETs are often composed of weak or resource-limited devices, admission must be efficient in terms of computation and communication. Most previously proposed admission protocols are prohibitively expensive and require heavy interaction among MANET nodes. In this paper, we focus on a common type of MANET that is formed on a temporary basis, and present a secure, efficient, and a fully noninteractive admission technique geared for this type of a network. Our admission protocol is based on secret sharing techniques using bivariate polynomials. We also present a new scheme that allows any pair of MANET nodes to efficiently establish an on-the-fly secure communication channel.

5.
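Design of an IDS Model Based on Trust Threshold Values in Ad Hoc Networks   Total citations: 1, self-citations: 0, citations by others: 1
Because of characteristics such as an open medium, dynamic topology, distributed cooperation, and limited energy, mobile Ad Hoc networks are particularly vulnerable to attack. In an Ad Hoc network, each node acts as a router, finding and maintaining routes to other nodes. Routing security is the most important link in securing Ad Hoc networks. This paper uses the trust mechanism from decision support systems to introduce an IDS model based on trust threshold values (IDS_trust) into Ad Hoc networks, and proposes a new security solution.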

6.
A Mobile Ad hoc Network (MANET) is a group of low-power wireless mobile nodes that configure a wireless network without the assistance of any existing infrastructure/centralized organization. The primary aim of MANETs is to extend flexibility into the self-directed, mobile, and wireless domain, in which a cluster of autonomous nodes forms a MANET routing system. An Intrusion Detection System (IDS) is a tool that examines a network for malicious behavior/policy violations. A network monitoring system is often used to report/gather any suspicious attacks/violations. An IDS is a software program or hardware system that monitors network/security traffic for malicious attacks, sending out alerts whenever it detects malicious nodes. The impact of Dynamic Source Routing (DSR) in MANETs challenging blackhole attack is investigated in this research article. The Cluster Trust Adaptive Acknowledgement (CTAA) method is used to identify unauthorised and malfunctioning nodes in a MANET environment. MANET system is active and provides successful delivery of a data packet, which implements Kalman Filters (KF) to anticipate node trustworthiness. Furthermore, KF is used to eliminate synchronisation errors that arise during the sending and receiving of data. In order to provide an energy-efficient solution and to minimize network traffic, route optimization in MANET is performed by using the Multi-Objective Particle Swarm Optimization (MOPSO) technique to determine the optimal number of clustered MANET along with energy dissipation in nodes. According to the research findings, the proposed CTAA-MPSO achieves a Packet Delivery Ratio (PDR) of 3.3%. In MANET, the PDR of CTAA-MPSO improves CTAA-PSO by 3.5% at 30% malware.

7.
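Because of their distributed nature, mobile ad hoc networks are vulnerable to attack. To strengthen the security of mobile ad hoc networks, it is essential to establish a node trust evaluation model suited to self-organization and the absence of a certification authority. A dynamic trust mechanism for mobile ad hoc networks based on multiple constraints and collaborative filtering is therefore proposed. Its main idea is to evaluate direct trust with a multi-constraint trust update algorithm based on the node's own experience. In this algorithm, a time decay factor ensures that trust decays over time; a reward factor ensures that well-behaved nodes are rewarded; a penalty factor ensures that malicious nodes are punished. In addition, collaborative filtering is used to evaluate recommendation trust, so as to block dishonest recommendations. Quantitative evaluation analysis and simulation show that the proposed method computes the trust between nodes more accurately than the Bayesian model and improves the security of mobile ad hoc networks.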

8.
A black hole attack on a MANET refers to an attack by a malicious node, which forcibly acquires the route from a source to a destination by the falsification of sequence number and hop count of the routing message. A selective black hole is a node that can optionally and alternately perform a black hole attack or perform as a normal node. In this paper, several IDS (intrusion detection system) nodes are deployed in MANETs in order to detect and prevent selective black hole attacks. The IDS nodes must be set in sniff mode in order to perform the so-called ABM (Anti-Blackhole Mechanism) function, which is mainly used to estimate a suspicious value of a node according to the abnormal difference between the routing messages transmitted from the node. When a suspicious value exceeds a threshold, an IDS nearby will broadcast a block message, informing all nodes on the network, asking them to cooperatively isolate the malicious node. This study employs ns2 to validate the effect of the proposed IDS deployment, as IDS nodes can rapidly block a malicious node, without false positives, if a proper threshold is set.

9.
A mobile ad-hoc network (MANET) is an autonomous system of mobile nodes connected by wireless links in which nodes cooperate by forwarding packets for each other thereby enabling communication beyond direct wireless transmission range. Example applications include battlefield communication, disaster recovery operations, and mobile conferencing. The dynamic nature of ad-hoc networks makes them more vulnerable to security attacks compared with fixed networks. Providing security in mobile ad-hoc networks has been a major issue in recent years. Most of the secure routing protocols proposed by researchers need a centralized authority or a trusted third party to provide authentication. This destroys the self-organizing nature of ad-hoc networks. Black Hole attack is one of the routing attacks that occur in MANETs. In this attack, a malicious node uses the routing protocol to advertise itself as having the shortest path to the node whose packets it wants to intercept. In this article, we propose an enhanced certificate based authentication mechanism, where nodes authenticate each other by issuing certificates to neighboring nodes and generating public key without the need of any online centralized authority. The proposed scheme uses Multicast Ad-hoc On Demand Distance Vector Routing (MAODV) protocol as a support for certification. The effectiveness of our mechanism is illustrated by simulations conducted using network simulator ns-2.

10.
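Mobile Ad Hoc networks, one of the development trends of next-generation networks, face many types of security threats, and the gray hole attack is one of the most common. The gray hole attack in a MANET environment is simulated, that is, the effect of selective packet dropping attacks on MANET performance. The simulation shows the impact of the gray hole attack on MANET routing: it not only increases the packet loss rate but also increases end-to-end delay. Based on a definition of trust degree, a trusted AODV routing protocol (Trusted AODV Routing, TAR) is proposed. The scheme exchanges node trust degrees between neighboring nodes, computes path trust degrees, and combines this with a shortest path algorithm to select a suitable trusted path. Performance analysis shows that the TAR protocol improves markedly on the AODV protocol in packet loss rate, end-to-end delay, and path setup delay, and can effectively resist gray hole attacks.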

11.
A mobile ad hoc network (MANET) is a wireless communication network which does not rely on a pre-existing infrastructure or any centralized management. Securing the exchanges in MANETs is compulsory to guarantee a widespread development of services for this kind of networks. The deployment of any security policy requires the definition of a trust model that defines who trusts who and how. Our work aims to provide a fully distributed trust model for mobile ad hoc networks. In this paper, we propose a fully distributed public key certificate management system based on trust graphs and threshold cryptography. It permits users to issue public key certificates, and to perform authentication via certificates' chains without any centralized management or trusted authorities. Moreover, thanks to the use of threshold cryptography, our system resists against false public keys certification. We perform an overall evaluation of our proposed approach through simulations. The results indicate outperformance of our approach while providing effective security.

12.
In a mobile ad hoc network (MANET), the lack of a trusted infrastructure makes secure and reliable packet forwarding very challenging, especially for providing QoS guarantee for multimedia applications. In this paper, we firstly introduce the concept of trust and QoS metric estimation into establishing a trust-based QoS model. In this model, we estimate the trust degree between nodes from direct trust computation of direct observation and indirect trust computation by neighbors’ recommendations. On the other hand, due to the NP-completeness of the multi-QoS constraints problem, we only take into account link delay as the QoS constraint requirement. Then, we design a trust-based QoS routing algorithm (called TQR) from the trade-off between trust degree and link delay. At last, by using NS2 we implement this algorithm based on AODV (Ad hoc On-demand Distance Vector). We compare its performance with AODV, Watchdog-DSR and QAODV. The simulation results show that TQR scheme can prevent attacks from malicious nodes and improve the security performance of the whole network, especially in terms of packet delivery ratio, average end-to-end delay, routing packet overhead and detection ratio of malicious nodes.

13.
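Wen Song, Wu Zhao, Zheng Yi. Computer Engineering & Science (《计算机工程与科学》), 2015, 37(10): 1856-1861
To address the key update problem for wireless sensor networks that use identity-based cryptography, an efficient key update scheme is designed that uses a trusted computing platform as the key generation center and a one-way function to construct a random number pool, so that sensor nodes can verify key update messages without causing excessive network communication. To ensure the security of the communication keys, a trusted computing platform serves as the key generation center, which secures the source of the keys. During a key update, the properties of the trusted computing platform are used to verify its platform configuration, in order to judge the authenticity and integrity of the messages and keys it issues. Generating the random number pool with a one-way function lets sensor nodes verify the authenticity of messages on the one hand, and resists replay attacks on the other.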

14.
Mobile Ad-hoc NETworks (MANET) are infrastructureless networks where self-configuring mobile nodes are connected by wireless links. Because of its decentralized operation, these nodes rely on each other to store and forward packets. Video transmission over MANETs is more challenging than over conventional wireless networks due to rapid topology changes and lack of central administration. Most of the proposed MANET protocols assume that all nodes are working within a cooperative and friendly network context. However, misbehaving nodes that exhibit abnormal behaviors can disrupt the network operation and affect the network availability by refusing to cooperate to route packets due to their selfish or malicious behavior. In this paper, we examine the effect of packet dropping attacks on video transmission over MANETs. We also study the effects of mitigation using intrusion detection systems to MANET in presence of video traffic. To the best of our knowledge, this is the first attempt to study multimedia over such environments. We propose a novel intrusion detection system, which is an adaptive acknowledgment scheme (AACK) with the ability to detect misbehaved nodes and avoid them in other transmissions. The aim of AACK scheme is to overcome watchdog weaknesses due to collisions and limited transmission power and also to improve TWOACK scheme. To demonstrate the performance of our proposed scheme, simulation experiments are performed. The results of our experiments show that MPEG4 is more suitable for our simulation environment than H264 video traffic. The simulation results show that AACK scheme provides better network performance with less overhead than other schemes; it also shows that AACK outperforms both TWOACK and watchdog in video transmission applications in the presence of misbehaving nodes.

15.
Identity-Based cryptography has been proposed in mobile ad-hoc networks (MANETs) to provide security. However, the figure of the Private Key Generator (PKG) is not adequate in the MANET setting, since it may not be reachable by all nodes, can fail during the life-time of the protocol or can even be attacked, compromising the whole system. Previous works distribute the task of the PKG among a set of nodes by means of a secret sharing scheme. In this paper we propose an efficient solution to emulate in a dynamic and distributed way the role of the PKG, so that even new nodes joining the network are able to issue shares of the master key of an Identity-Based scheme. In this way, the distributed PKG spreads dynamically among the nodes as the network increases. Furthermore, the techniques we propose may be suitable for other protocols over MANETs.

16.
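Xu Feng, Xie Dongli, Huang Hao, Wang Zhijian. Journal of Computer Applications (《计算机应用》), 2006, 26(3): 574-0576
This paper examines the security threats specific to mobile ad hoc networks, combines the Shamir secret sharing model with the idea of privileges to propose a privilege-based threshold trust model, and proposes a new technique for refreshing private key shares. Analysis shows that the model can still authenticate nodes in the network when very few trusted nodes remain, and can also prevent an attacker from obtaining enough private key shares to perform illegitimate authentication.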

17.
Mobile ad-hoc network (MANET) has got tremendous success and attention due to its self-maintenance and self-configuration properties or behavior. Based on wired and wireless networks, the network topology of MANETs changes rapidly by means of routing attacks. Hence, providing security to this infrastructure-less network is a major issue. The routing protocols for ad-hoc networks cope well with the dynamically changing topology but are not designed to accommodate defense against malicious attackers. Malicious nodes have opportunities to modify or discard routing information or advertise fake routes to attract user data to go through themselves. In this article, we discuss a hybrid technique using anonymity, one-way trapdoor protocol, hash functions, and elliptic curve cryptography to mitigate attacks in the MANET. The simulation is carried on NS-2 and the simulation results are dissected on different system execution measurements, for example, packet send and received, packet dropped, average network throughput, end-to-end delay, and packet delivery ratio.

18.
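An Intrusion Detection Method for Mobile Ad Hoc Networks Based on Machine Learning   Total citations: 1, self-citations: 0, citations by others: 1
Yang Deming, Pan Jin, Zhao Shuang. Journal of Computer Applications (《计算机应用》), 2005, 25(11): 2557-2558
A mobile ad hoc network is a complex distributed communication system composed of wireless mobile nodes. This paper studies the intrusion detection problem in mobile ad hoc networks and adopts a new anomaly intrusion detection method based on machine learning algorithms. The method captures the correlation patterns among the internal features of normal events and uses these patterns as a profile to detect anomalous events. The method is implemented on the Ad hoc On-demand Distance Vector protocol and evaluated in the network simulation software QualNet.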

19.
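Liu Wei, Chai Qiaolin. Computer Engineering and Design (《计算机工程与设计》), 2007, 28(20): 4888-4890, 4894
Mobile Ad hoc networks (MANETs) are widely used in civilian facilities and national defense. A dynamically changing topology is a major characteristic of Ad hoc networks, and it is precisely this dynamism that makes Ad hoc networks especially vulnerable to security attacks. The paper focuses on black hole attacks and gray hole attacks under the AODV protocol and, based on the characteristics of these attacks, proposes a defense strategy that uses the wormhole principle.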

20.
Computer Networks, 2007, 51(12): 3595-3616
As mobile ad hoc network (MANET) systems research has matured and several testbeds have been built to study MANETs, research has focused on developing new MANET applications such as collaborative games, collaborative computing, messaging systems, distributed security schemes, MANET middleware, peer-to-peer file sharing systems, voting systems, resource management and discovery, vehicular computing and collaborative education systems. The growing set of diverse applications developed for MANETs poses far more complex traffic patterns than the simple one-to-one traffic pattern, and hence the one-to-one traffic pattern widely used in previous protocol studies has become inadequate in reflecting the relative performance of these protocols when deployed to support these emerging applications. As a first step towards effectively supporting newly developed and future diverse MANET applications, this paper studies the performance impact of diverse traffic patterns on routing protocols in MANETs. Specifically, we propose a new communication model that extends the previous communication model to include a more general traffic pattern that varies the number of connections per source node. We study the performance impact of traffic patterns on various routing protocols via detailed simulations of an ad hoc network of 112 mobile nodes. Our simulation results show that many of the conclusions drawn in previous protocol comparison studies no longer hold under the new traffic patterns. These results motivate the need for performance evaluation of ad hoc networks to not only include rich and diverse mobility models as has been done in the past but also include diverse traffic patterns that stress a wide set of protocol design issues.
