Building A Trustworthy, Secure, And Privacy Preserving Network

1
Building A Trustworthy, Secure, And Privacy
Preserving Network

• Bharat Bhargava
• CERIAS Security Center
• CWSA Wireless Center
• Department of CS and ECE
• Purdue University
• Supported by NSF IIS 0209059, NSF IIS 0242840 ,
• NSF ANI 0219110, CISCO, Motorola, IBM

2
Research Team

• Faculty Collaborators
• Dongyan Xu, middleware and privacy
• Mike Zoltowski, smart antennas, wireless security
• Sonia Fahmy, Internet security
• Ninghui Li, trust
• Cristina Nita-Rotaru, Internet security
• Postdoc
• Lezsek Lilien, privacy and vulneribility
• Xiaoxin Wu, wireless security
• Jun Wen, QoS
• Mamata Jenamani, privacy
• Ph.D. students
• Ahsan Habib, Internet Security
• Mohamed Hefeeda, peer-to-peer
• Yi Lu, wireless security and congestion control
• Yuhui Zhong, trust management and fraud
• Weichao Wang, security of ad hoc networks
• More information at http//www.cs.purdue.edu/peopl
  e/bb

3
Motivation

• Lack of trust, privacy, security, and reliability
  impedes information sharing among distributed
  entities.
• San Diego supercomputer center detected 13,000
  DoS attacks in a three-week period eWeek, 2003
• Internet attacks in February, 2004 caused an
  estimated 68 billion to 83 billion in damages
  worldwide British Computer Security Report
• Business losses due to privacy violations
• Online consumers worry about revealing personal
  data
• This fear held back 15 billion in online revenue
  in 2001
• 52,658 reported system crashes caused by software
  vulnerabilities in 2002 Express Computers 2002

4

• Research is required for the creation of
  knowledge and learning in secure networking,
  systems, and applications.

5
Goal

• Enable the deployment of security sensitive
  applications in the pervasive computing and
  communication environments.

6
Problem Statement

• A trustworthy, secure, and privacy preserving
  network platform must be established for trusted
  collaboration. The fundamental research problems
  include
• Trust management
• Privacy preserved interactions
• Dealing with a variety of attacks and frauds in
  networks
• Intruder identification in ad hoc networks (focus
  of this seminar)

7
Applications/Broad Impacts

• Guidelines for the design and deployment of
  security sensitive applications in the next
  generation networks
• Data sharing for medical research and treatment
• Collaboration among government agencies for
  homeland security
• Transportation system (security check during
  travel, hazardous material disposal)
• Collaboration among government officials, law
  enforcement and security personnel, and health
  care facilities during bio-terrorism and other
  emergencies

8
Scientific Contributions

• Trust formalization
• Privacy preservation in interactions
• Network tomography techniques for DoS attacks
• Intrusion detection and intruder identification
  in ad hoc networks
• Vulnerability analysis and threat assessment

9
A. Trust Formalization

• Problem
• Dynamically establish and update trust among
  entities in an open environment.
• Research directions
• Handling uncertain evidence
• Modeling dynamic trust
• Formalization and detection of fraud
• Challenges
• Uncertain information complicates the inference
  procedure.
• Subjectivity leads to various interpretations
  toward the same information.
• The multi-faceted and context-dependent
  characteristics of trust require tradeoff between
  representation comprehensiveness and computation
  simplicity of the trust model.

10
Uncertain Evidence

• Probability-based approach to evaluate the
  uncertainty of a logic expression given a set of
  uncertain evidence
• Atomic formula Bayes network causal inference
  conditional probability interpretation of
  opinion
• AND/OR expressions rule defined by J?sang
  J?sang'01
• Subjectivity is realized using discounting
  operator proposed by Shafer Shafer'76

11
Dynamic Trust

• Trust production based on direct interaction
• Identify behavior patterns and their
  characteristic features
• Determine which pattern is the best match of an
  interaction sequence
• Develop personalized trust production algorithms
  considering behavior patterns
• Reputation aggregation
• Global reputation vs. personalized reputation
• Personalized reputation aggregation
• Determine the subset of trust information useful
  for a specific trustor by using collaborative
  filters
• Translate trust information into the scale of a
  specific trustor

12
Trust Enhanced Role Assignment (TERA) Prototype

• Trust enhanced role mapping (TERM) server
  assigns roles to users based on
• Uncertain subjective evidence
• Dynamic trust
• Reputation server
• Dynamic trust information repository
• Evaluate reputation from trust information by
  using algorithms specified by TERM server

Prototype and demo are available at
http//www.cs.purdue.edu/homes/bb/NSFtrust/
13
TERA Architecture
14
Trust Enhanced Role Mapping (TERM) Server

• Evidence rewriting
• Role assignment
• Policy parser
• Request processor inference engine
• Constraint enforcement
• Policy base
• Trust information management
• User behavior modeling
• Trust production

15
TERM Server
16
Fraud Formalization and Detection

• Model fraud intention
• Uncovered deceiving intention
• Trapping intention
• Illusive intention
• Fraud detection
• Profile-based anomaly detection
• Monitor suspicious actions based upon the
  established patterns of an entity
• State transition analysis
• Build an automaton to identify activities that
  lead towards a fraudulent state

17
Model Fraud Intentions

• Uncovered deceiving intention
• Satisfaction ratings are stably low.
• Ratings vary in a small range over time.

18
Model Fraud Intentions

• Trapping intention
• Rating sequence can be divided into two phases
  preparing and trapping.
• A swindler behaves well to achieve a trustworthy
  image before he conducts frauds.

19
Model Fraud Intentions

• Illusive intention
• A smart swindler attempts to cover the bad
  effects by intentionally doing something good
  after misbehaviors.
• Process of preparing and trapping is repeated.

20
B. Private and Trusted Interactions

• Problem
• Preserve privacy, gain trust, and control
  dissemination of data
• Research directions
• Dissemination of private data
• Privacy and trust tradeoff
• Privacy metrics
• Challenges
• Specify policies through metadata and establish
  guards as procedures
• Efficient implementation
• Estimate privacy depending on who will get this
  information, possible uses of this information,
  and information disclosed in the past
• Privacy metrics are usually ad hoc and customized

Detail slides at http//www.cs.purdue.edu/homes/bb
/priv_trust_cerias.ppt
21
Preserving Privacy in Data Dissemination

• Design self-descriptive private objects
• Construct a mechanism for apoptosis of private
  objects
• apoptosis clean self-destruction
• Develop proximity-based evaporation of private
  objects
• Develop schemes for data distortions

22
Privacy-Trust Tradeoff

• Gain a certain level of trust with the least loss
  of privacy
• Build trust based on digital credentials of users
  that contain private information
• Formulate the privacy-trust tradeoff problem
• Estimate privacy loss due to disclosing a set of
  credentials
• Estimate trust gain due to disclosing a set of
  credentials
• Develop algorithms that minimize privacy loss for
  required trust gain

23
Privacy Metrics

• Determine the degree of data privacy
• Size of anonymity set metrics
• Entropy-based metrics
• Privacy metrics should account for
• Dynamics of legitimate users
• Dynamics of violators
• Associated costs

24
Size of Anonymity Set Metrics

• The larger set of indistinguishable entities, the
  lower probability of identifying any one of them
• Can use to anonymize a selected private
  attribute value within the domain of its all
  possible values

Hiding in a crowd
Less anonymous (1/4)
25
Dynamics of Entropy

• Decrease of system entropy with attribute
  disclosures (capturing dynamics)
• When entropy reaches a threshold (b), data
  evaporation can be invoked to increase entropy by
  controlled data distortions
• When entropy drops to a very low level (c),
  apoptosis can be triggered to destroy private
  data
• Entropy increases (d) if the set of attributes
  grows or the disclosed attributes become less
  valuable e.g., obsolete or more data now
  available

H
Entropy Level
All attributes
Disclosed attributes
(a)
(b)
(c)
(d)
26
Private and Trusted System (PRETTY) Prototype
(4)
(1)
(2)
2c2
(3) User Role
2a
2b 2d
2c1
TERA Trust-Enhanced Role Assignment
27
Information Flow for PRETTY

• User application sends query to server
  application.
• Server application sends user information to TERA
  server for trust evaluation and role assignment.
• If a higher trust level is required for query,
  TERA server sends the request for more users
  credentials to privacy negotiator.
• Based on servers privacy policies and the
  credential requirements, privacy negotiator
  interacts with users privacy negotiator to build
  a higher level of trust.
• Trust gain and privacy loss evaluator selects
  credentials that will increase trust to the
  required level with the least privacy loss.
  Calculation considers credential requirements and
  credentials disclosed in previous interactions.
• According to privacy policies and calculated
  privacy loss, users privacy negotiator decides
  whether or not to supply credentials to the
  server.
• Once trust level meets the minimum requirements,
  appropriate roles are assigned to user for
  execution of his query.
• Based on query results, users trust level and
  privacy polices, data disseminator determines
  (i) whether to distort data and if so to what
  degree, and (ii) what privacy enforcement
  metadata should be associated with it.

28
Experimental Studies

• Private object implementation
• Validate and evaluate the cost, efficiency, and
  the impacts on the dissemination of objects
• Study the apoptosis and evaporation mechanisms
  for private objects
• Tradeoff between privacy and trust
• Study the effectiveness and efficiency of the
  probability-based and lattice-based privacy loss
  evaluation methods
• Assess the usability of the evaluator of trust
  gain and privacy loss
• Location-based routing and services
• Evaluate the dynamic mappings between trust
  levels and distortion levels

29
C. Tomography Research

• Problem
• Defend against denial of service attacks
• Optimize the selection of data providers in
  peer-to-peer systems
• Research Directions
• Stripe based probing to infer individual link
  loss by edge-to-edge measurements
• Overlay based monitoring to identify congested
  links by end-to-end path measurement
• Topology inference to estimate available
  bandwidth by path segment measurements

30
Defeating DoS Attacks in Internet
31
Overlay-based Monitoring

• Do not need individual link loss to identify all
  congested links
• Edge routers form an overlay network for probing.
  Each edge router probe part of the network
• Problem statement
• Given topology of a network domain, identify
  which links are congested and possibly under
  attack

32
Attack Scenarios
Delay (ms)
Loss Ratio
Time (sec)
Time (sec)
(a) Changing delay pattern due to attack
(b) Changing in loss pattern due to attack
33
Identified Congested Links
Loss Ratio
Loss Ratio
Time (sec)
Time (sec)
(a) Counter clockwise probing
(b) Clockwise probing
Probe46 in graph (a) and Probe76 in graph (b)
observe high losses, which means link C4 ? E6 is
congested.
34
Probing Simple Method
Congested link
35
Analyzing Simple Method

• Lemma 1. If P and P are probe paths in the first
  and the second round of probing respectively,
  P P 1
• Theorem 1. If only one probe path P is shown to
  be congested in any round of probing, the simple
  method successfully identifies status of each
  link in P
• Performs better if edge-to-edge paths are
  congested
• The average length of the probe paths in the
  Simple method is 4

36
Performance Simple Method

• Theorem 2. Let p be the probability of a link
  being congested in any arbitrary overlay network.
  The simple method determines the status of any
  link of the topology with probability at least
  2(1-p)4-(1-p)7p(1-p)12

Detection Probability
Frac of actual congested links
37
Advanced Method

• AdvancedMethod()
• begin
• Conduct Simple Method. E is the unsolved
  equation set
• for Each undecided variable Xij of E do
• node1 FindNode(Tree T, vi, IN)
• node2 FindNode(Tree T, vj , OUT)
• if node1 ? NULL AND node2 ? NULL then
• Probe(node1, node2). Update equation set E
• end if
• Stop if no more probe exists
• endfor
• end

38
Analyzing Advanced Method

• Lemma 2. For an arbitrary overlay network with n
  edge routers, on the average a link lies on b
  edge-to-edge paths
• Lemma 3. For an arbitrary overlay network with n
  edge routers, the average length of all
  edge-to-edge paths is d
• Theorem 3. Let p be the probability of a link
  being congested. The advanced method can detect
  the status of a link with probability at least
  (1-(1-(1-p)d)b)

39

• D. Intruder Identification in Adhoc On-demand
  Distance Vector (AODV)
• Problem
• AODV are vulnerable to various attacks such as
  false distance vector, false destination
  sequence, and wormhole attacks
• Detecting attacks without identifying and
  isolating the malicious hosts leaves the security
  mechanisms in a passive mode
• Challenges
• Locate the sources of attacks in a self-organized
  infrastructure
• Combine local decisions with knowledge from other
  hosts to achieve consistent conclusions on the
  malicious hosts

40
Attacks on Routing in Mobile Ad Hoc Networks
Attacks on routing
Active attacks
Passive attacks
Packet silent discard
Routing information hiding
Routing procedure
Flood network
Route request
Route broken message
False reply
Wormhole attacks
41

• Related Work
• Vulnerability model of ad hoc routing protocols
  Yang et al., SASN 03
• A generic multi layer integrated IDS structure
  Zhang and Lee, MobiCom 00
• IDS combining with trust Albert et al., ICEIS
  02
• Information theoretic measures using entropy
  Okazaki et al., SAINT 02
• SAODV adopts both hash chain and digital
  signature to protect routing information Zapata
  et al, WiSe03
• Security-aware ad hoc routing Kravets et al,
  MobiHOC01

42
Ideas

• Monitor the sequence numbers in the route request
  packets to detect abnormal conditions
• Apply reverse labeling restriction to identify
  and isolate attackers
• Combine local decisions with knowledge from other
  hosts to achieve consistent conclusions
• Combine with trust assessment methods to improve
  robustness

43
Introduction to AODV

• Introduced in 97 by Perkins at NOKIA, Royer at
  UCSB
• 12 versions of IETF draft in 4 years, 4 academic
  implementations, 2 simulations
• Combines on-demand and distance vector
• Broadcast Route Query, Unicast Route Reply
• Quick adaptation to dynamic link condition and
  scalability to large scale network
• Support multicast

44
Route Discovery in AODV (An Example)
D
S1
S3
S2
S4
S
Route to the source
Route to the destination
45
Attacks on AODV

• Route request flooding
• query non-existing host (RREQ will flood
  throughout the network)
• False distance vector
• reply one hop to destination to every request
  and select a large enough sequence number
• False destination sequence number
• select a large number (even beat the reply from
  the real destination)
• Wormhole attacks
• tunnel route request through wormhole and attract
  the data traffic to the wormhole
• Coordinated attacks
• The malicious hosts establish trust to frame
  other hosts, or conduct attacks alternatively to
  avoid being identified

46
Impacts of Attacks on AODV
We simulate the attacks and measure their impacts
on packet delivery ratios and protocol overhead
47
False Destination Sequence Attack
D
S3
S
S1
S2
M
Packets from S to D are sinking at M. Node
movement breaks the path from S to M (trigger
route rediscovery).
48
During Route Rediscovery, False Destination
Sequence Attack Is Detected
(1). S broadcasts a request that carries the old
sequence 1 21
(2) D receives the RREQ. Local sequence is 5, but
the sequence in RREQ is 21. D detects the false
desti-nation sequence attack.
D
S3
RREQ(D, 21)
S
S1
S2
M
S4
Propagation of RREQ
49
Reverse Labeling Restriction (RLR)

• Blacklists are updated after an attack is
  detected.
• Basic Ideas
• Every host maintains a blacklist to record
  suspicious hosts. Suspicious hosts can be
  released from the blacklist.
• The destination host will broadcast an INVALID
  packet with its signature when it finds that the
  system is under attack on sequence. The packet
  carries the hosts identification, current
  sequence, new sequence, and its own blacklist.
• Every host receiving this packet will examine its
  route entry to the destination host. If the
  sequence number is larger than the current
  sequence in INVALID packet, the presence of an
  attack is noted. The previous host that provides
  the false route will be added into this hosts
  blacklist.

50
D
S3
INVALID ( D, 5, 21, , SIGN )
S
S1
S2
M
S4
D broadcasts INVALID packet with current sequence
5, new sequence 21. S3 examines its route
table, the entry to D is not false. S3 forwards
packet to S1. S1 finds that its route entry to D
has sequence 20, which is gt 5. It knows that the
route is false. The hop which provides this false
route to S1 was S2. S2 will be put into S1s
blacklist. S1 forwards packet to S2 and S. S2
adds M into its blacklist. S adds S1 into its
blacklist. S forwards packet to S4. S4 does not
change its blacklist since it is not involved in
this route.
Correct destination sequence number is
broadcasted. Blacklist at each host in the path
is determined.
51
D1
D2
S3
M
S4
M
M
D4
D3
M
M
S2
S1
M attacks 4 routes (S1-D1, S2-D2, S3-D3, and
S4-D4). When the first two false routes are
detected, D3 and D4 add M into their blacklists.
When later D3 and D4 become victim destinations,
they will broadcast their blacklists, and every
host will get two votes that M is malicious host.
Hosts closer to malicious site are in blacklists
of multiple hosts. In the above figure, M is in
four blacklists.
52
Combine Local Decisions with Knowledge from Other
Hosts

• When a host is destination of a route and is
  victim by any malicious host, it will broadcast
  its blacklist.
• Each host obtains blacklists from victim hosts.
• If M is in multiple blacklists, M is classified
  as a malicious host based on certain threshold.
• Intruder is identified.
• Trust values can be assigned to other hosts based
  on past information.

53
Acceleration in Intruder Identification
D3
D3
D2
D2
D1
D1
M2
M3
M2
M3
M1
M1
S2
S2
S1
S3
S3
S1
Routing topology
Reverse labeling procedure
Multiple attackers exist in the network. More
routes are under attack. When the false routes
are detected, more blacklists will be
broadcasted.
54
Reverse Labeling Restriction

• Update Blacklist by INVALID Packet
• Next hop on the invalid route will be put into
  local blacklist, a timer starts, and a counter
  increases. The time duration that the host stays
  in blacklist is exponential to the counter value.
• Labeling process will be conducted in the reverse
  direction of the false route.
• When timer expires, the suspicious host will be
  released from the blacklist and routing
  information from it will be accepted.

55
Deal With Hosts in Blacklist

• Packets from hosts in blacklist
• Route request If the request is from suspicious
  hosts, ignore it.
• Route reply If the previous hop is suspicious
  and the query destination is not the previous
  hop, the reply will be ignored.
• Route error will be processed as usual. RERR
  will activate re-discovery, which will help to
  detect attacks on destination sequence.
• INVALID if the sender is suspicious, the packet
  will be processed but the blacklist will be
  ignored.

56
Attacks of Malicious Hosts on RLR

• Attack 1 Malicious host M sends false INVALID
  packet
• Because the INVALID packets are signed, it cannot
  send the packets in other hosts name
• If M sends INVALID in its own name
• If the reported sequence number is greater than
  the real sequence number, every host ignores this
  attack
• If the reported sequence number is less than the
  real sequence number, RLR will converge at the
  malicious host. M is included in blacklist of
  more hosts. M accelerated the intruder
  identification directing towards M.

57

• Attack 2 Malicious host M frames other innocent
  hosts by sending false blacklist
• If the malicious host has been identified, the
  blacklist will be ignored
• If the malicious host has not been identified,
  this operation can only make the threshold lower.
  If the threshold is selected properly, it will
  not impact the identification results.
• Combining trust can further limit the impact of
  this attack.

58

• Attack 3 Malicious host M only sends false
  destination sequence about some special host
• The special host will detect the attack and send
  INVALID packets.
• Other hosts can establish new routes to the
  destination by receiving the INVALID packets.

59
Experimental Studies of RLR

• The experiments are conducted using ns2.
• Various network scenarios are formed by varying
  the number of independent attackers, number of
  connections, and host mobility.
• The examined parameters include
• Packet delivery ratio
• Identification accuracy false positive and false
  negative ratio
• Communication and computation overhead

60
Simulation Parameter
61
Experiment 1 Measure the Changes in Packet
Delivery Ratio

• Purpose investigate the impacts of host
  mobility, number of attackers, and number of
  connections on the performance improvement
  brought by RLR
• Input parameters host pause time, number of
  independent attackers, number of connections
• Output parameters packet delivery ratio
• Observation When only one attacker exists in the
  network, RLR brings a 30 increase in the
  packet delivery ratio. When multiple attacker
  exist in the system, the delivery ratio will not
  recover before all attackers are identified.

62
Increase in Packet Delivery Ratio Single Attacker
X-axis is host pause time, which evaluates the
mobility of host. Y-axis is delivery ratio. 25
connections and 50 connections are considered.
RLR brings a 30 increase in delivery ratio. 100
delivery is difficult to achieve due to network
partition, route discovery delay and buffer.
63
Increase in Packet Delivery Ratio Multiple
Attackers
X-axis is number of attackers. Y-axis is delivery
ratio. 25 connections and 50 connections are
considered. RLR brings a 20 to 30 increase in
delivery ratio.
64
Experiment 2 Measure the Accuracy of Intruder
Identification

• Purpose investigate the impacts of host
  mobility, number of attackers ,and connection
  scenarios on the detection accuracy of RLR
• Input parameters number of independent
  attackers, number of connections, host
  pause time
• Output parameters false positive alarm ratio,
  false negative alarm ratio
• Observation The increase in connections may
  improve the detection accuracy of RLR. When
  multiple attackers exist in the network, RLR has
  a high false positive ratio.

65
Accuracy of RLR Single Attacker
The accuracy of RLR when there is only one
attacker in the system
66
Accuracy of RLR Multiple Attackers
The accuracy of RLR when there are multiple
attackers
67
Experiment 3 Measure the Communication Overhead

• Purpose investigate the impacts of host
  mobility and connection scenarios on the
  overhead of RLR
• Input parameters number of connections, host
  pause time
• Output parameters control packet overhead
• Observation When no false destination sequence
  attacks exist in the network, RLR introduces
  small packet overhead into the system.

68
Control Packet Overhead
X-axis is host pause time, which evaluates the
mobility of host. Y-axis is normalized overhead
( of control packet / of delivered data
packet). 25 connections and 50 connections are
considered. RLR increases the overhead slightly.
69
Research Opportunities Improve Robustness of RLR

• Protect the good hosts from being framed by
  malicious hosts
• The malicious hosts can frame the good hosts by
  putting them into blacklist.
• By lowering the trust values of both complainer
  and complainee, we can restrict the impacts of
  the gossip distributed by the attackers.
• Adopting the trust management scheme proposed by
  Aberer and Despotovic CIKM01 to determine the
  lowering speed.

70

• Avoid putting every host into blacklist
• Combining the host density and movement model, we
  can estimate the time ratio that two hosts are
  neighbors
• The counter for a suspicious host decreases as
  time passes
• Adjusting the decreasing ratio to control the
  average percentage of time that a host stays in
  the blacklist of another host

71

• Defend against coordinated attacks
• The behaviors of collusive attackers show
  Byzantine manners. The malicious hosts may
  establish trust to frame other hosts, or conduct
  attacks alternatively to avoid being identified.
• Look for the effective methods to defend against
  such attacks. Possible research directions
  include
• Apply classification methods to detect the hosts
  that have similar behavior patterns
• Study the behavior histories of the hosts that
  belong to the same group and detect the pattern
  of malicious behavior (time-based, order-based)

72
An Architecture of Intruder Identification Agent
73

• Intruder identification can be applied to detect
  more attacks in ad hoc networks
• DoS attacks
• Malicious discard
• Trust abuse and privacy violation
• Reverse labeling mechanism can be applied to
  identify the attackers that
• Disseminate false routing information
• Discard data packets
• Generate gossip to destroy other hosts reputation

74
Conclusions on Intruder Identification

• False destination sequence attacks can be
  detected by the anomaly patterns of the sequence
  numbers
• Reverse labeling method can reconstruct the false
  routing tree
• Isolating the attackers brings a sharp increase
  in network performance
• On going research will improve the robustness of
  the mechanism and the accuracy of identification

75
Related Ongoing Research

• Detecting wormhole attacks
• Position-based private routing in ad hoc networks
• Fault tolerant authentication in movable base
  station systems
• Congestion avoidance routing in ad hoc networks

76
Detecting Wormhole Attacks

• Problem statement
• The malicious nodes can eavesdrop the packets,
  tunnel them to another location in the network,
  and retransmit them. This generates a false
  scenario that the original sender is in the
  neighborhood of the remote location.

wireless node 1
wireless node 2
attacker 1
attacker 2
77

• Research challenges
• Detect wormholes when the malicious host can be
  the legal member of the network
• Control the overhead introduced by wormhole
  detection to avoid the hosts being overwhelmed

78
Classification of Wormholes

• the wormholes are divided into 3 groups
• Closed
• Half open
• Open

79
The Approach End-to-End Mechanism

• Assumption
• The hosts have the positioning devices and
  loosely synchronized clocks
• Pair-wise keys have been deployed
• Ideas
• The source and the intermediate hosts will attach
  the lttime, positiongt pairs that record the
  receiving and forwarding events
• The attached information is protected by message
  authentication codes (MAC)
• The neighbor relation validations are conducted
  by the destination

80
Validation at the Destination

• The MAC codes are calculated correctly
• The neighbor hosts are within the radio range
  when the packet is passed
• The average moving speed between the lttime,
  positiongt pairs from the same host does not
  exceed the maximum value.

81
Controlling Overhead Cell-based Open Tunnel
Avoidance

• Divide the area into same-sized cells and the
  time into same-length slots
• Require a constant storage space and linear
  computation operations for every intermediate
  host
• Have a configurable wormhole detection capability

82
Computation Efficiency

• The experiments are conducted on a iPAQ 3630 with
  206M Hz CPU and 64M RAM
• The computation overhead of wormhole detection
  for one 10-hop route consumes less than 0.5 of
  its CPU.
• The computation resource of a real PDA can
  support wormhole detection using COTA without
  trouble.

83
Conclusions

• The end-to-end mechanism can detect half open and
  open wormholes in ad hoc networks
• As a position information management scheme, COTA
  requires constant storage space and linear
  computation resource for every intermediate host
• The proposed mechanism can be adopted by real
  mobile devices

84
B. Position-based Private Routing in Ad Hoc
Networks

• Problem statement
• To hide the identities of the nodes who are
  involved in routing in mobile wireless ad hoc
  networks.
• Challenges
• Traditional ad hoc routing algorithms depend on
  private information (e.g., ID) exposure in the
  network.
• Privacy solutions for P2P networks are not
  suitable in ad hoc networks.

85
Weak Privacy for Traditional Position-based Ad
Hoc Routing Algorithm

• Position information of each node has to be
  locally broadcast periodically.
• Adversaries are able to obtain node trajectory
  based on the position report.
• Adversaries can estimate network topology.
• Once a match between a node position and its real
  ID is found, a tracer can always stay close to
  this node and monitor its behavior.

86
AO2P Ad Hoc On-Demand Position-based Private
Routing

• Position of destination is the information
  exposed in the network for routing discovery.
• A receiver-contention scheme is designed to
  determine the next hop in a route.
• Pseudo IDs are used instead of real IDs for data
  packet delivery after a route is built up.
• Route with a smaller number of hops will be used
  for better end-to-end throughput.

87
AO2P Routing Privacy and Accuracy

• Only the position of destination is revealed in
  the network for routing discovery. The privacy of
  the destination relies on the difficulty of
  matching a position to a node ID.
• Node mobility enhances destination privacy
  because a match between a position to a node ID
  is temporary.
• The privacy for the source and the intermediate
  forwarders is well preserved.
• Routing accuracy relies on the fact that at a
  specific time, only one node can be at a
  position. Since the pseudo ID for a node is
  generated from its position and the time it is at
  that position, the probability that more than one
  node have the same pseudo ID is negligible.

88
Privacy Enhancement R-AO2P

• The position of reference point is carried in
  rreq instead of the position of the destination.
• The reference point is on the extended line from
  the sender to the destination. It can be used for
  routing discovery because generally, a node that
  processes the rreq closer to the reference point
  will also process the rreq closer to the
  destination.
• The position of the destination is only disclosed
  to the nodes who are involved in routing.

Reference point in R-AO2P
89
Illustrated Results

• Average delay for next hop determination

90
Illustrated Results

• Packet delivery ratio

91
Conclusions

• AO2P preserves node privacy in mobile ad hoc
  networks.
• AO2P has low next hop determination delay.
• Compared to other position-based ad hoc routing
  algorithm, AO2P has little routing performance
  degradation.

92

• C. Fault Tolerant Authentication in Movable Base
  Station System
• Problem
• To ensure security and prevent theft of resources
  (like bandwidth), all the packets originating
  inside the network should be authenticated.
• Authentication may become unreliable when base
  station fails or node moves from one cell to
  another.
• Challenge
• How to design fault tolerant authentication
  methods that are robust in the above conditions
• How to design the protocols adaptable and
  re-configurable

93
Proposed Schemes

• We propose two schemes to solve the problem.
• Virtual Home Agent
• Hierarchical Authentication
• They differ in the architecture and the
  responsibilities that the Mobile Nodes and Base
  Stations (Agents) hold.

94
Virtual Home Agent Scheme
95
Advantages of Proposed Scheme

• Has only 3 states and hence the overhead of state
  maintenance is negligible.
• Very few tasks need to be performed in each state
  (outlined in the tech report).
• Flexible there could be multiple VHAs in the
  same LAN and a MHA could be a BHA for another
  VHA, a BHA could be a BHA for more than one VHA
  at the same time.

96
Disadvantages of Virtual HA Solution

• Not scalable if every packet has to be
  authenticated
• Ex huge audio or video data
• BHA (Backup Home Agents) are idle most of the
  time (they just listen to MHAs advertisements.
• Central Database is still a single point of
  failure.

97
Hierarchical Authentication Scheme

• Multiple Home Agents in a LAN are organized in a
  hierarchy (like a tree data structure).
• A Mobile Node shares a key with each of the
  Agents above it in the tree (Multiple Keys).
• At any time, highest priority key is used for
  sending packets or obtaining any other kind of
  service.

98
Hierarchical Authentication Scheme
99
Hierarchical Authentication Scheme

• Key Priority depends on several factors and
  computed as cumulative sum of weighted priorities
  of each factors
• Example Factors
• Communication Delays
• Processing Speed of the Agents
• Key Usage
• Life Time of the Key

100
D. Congestion Avoidance Routing in Ad Hoc Networks

• Objective
• To bring the consideration of congestion in the
  design of the routing protocols.
• Thrust
• To avoid congestion by minimizing contention for
  channel access.
• Challenges
• The global coupling effect of wireless channel
  access in ad hoc networks.
• Quantification of congestion without exchanging
  messages with neighbors.

101
Intermediate Delay (IMD)

• IMD is a routing metric that characterizes the
  impacts of channel contention, the length of the
  route, and the traffic load at individual nodes.
• IMD estimates the delay introduced by the
  intermediate nodes along the route using the sum
  of delays from each node.

102
Ad Hoc Routing Based on IMD

• Simplification of delay computation
• If channel capacity is C and packet size is P,
  delay is P/C.
• If n nodes are in contention for a channel, each
  node gets C/n share of the channel capacity. The
  delay is nP/C.

Adapt to changes in traffic and network topology
103
Delay Estimation

• A mobile node is modeled as a single server
  queuing system.
• Total delay includes the delay for transmitting a
  packet and the delay in the queue.
• The key is to estimate the delay for transmitting
  a packet.
• Node with active traffic
• Use the mean value to estimate the delay.
• Node without active traffic
• Study the procedure of packet transmission to
  obtain the expectation of the delay.

104
IEEE 802.11 DCF (Distributed Coordination
Function)
ETsuccTRTSTCTSTDATATACK3TSIFSETbackoff E
TfailTRTSTtimeoutETbackoff
105
SAGA Self-Adjusting Congestion Avoidance Routing
Protocol

• SAGA is a distance vector routing protocol.
• use IMD instead of hop count as the distance
• bypass hop spots where contention is intense
• Lazy route query uses special route advertisement
  for local route discovery.
• Approach to reduce the oscillation of IMD and
  prevent a node from switching back and forth
  among alternative routes.

106
Experimental Evaluation

• Objective
• Study the performance of SAGA, AODV, DSR, and
  DSDV under congestion.
• Performance metrics
• Throughput, delivery ratio, protocol overhead,
  and end-to-end delay
• Method
• Simulation using the network simulator ns2
• Two types of UDP traffic constant bit rate (CBR)
  and pareto on/off (POO)
• The offered traffic load is taken as the input
  parameter
• Six experiments by varying the maximum speed of
  movement of nodes and the number of connections
• Five independent runs with random scenarios for
  each experiment

107
30 CBR Connections, Low Mobility (4m/s)
108
10 POO Connections, High Mobility (20m/s)