1. Building A Trustworthy, Secure, And Privacy Preserving Network
Bharat Bhargava
CERIAS Security Center
CWSA Wireless Center
Department of CS and ECE
Purdue University
Supported by NSF IIS , NSF IIS ,
NSF ANI , CISCO, Motorola, IBM

2. Research Team Faculty Collaborators Postdoc Ph.D. students
Dongyan Xu, middleware and privacy
Mike Zoltowski, smart antennas, wireless security
Sonia Fahmy, Internet security
Ninghui Li, trust
Cristina Nita-Rotaru, Internet security
Postdoc
Lezsek Lilien, privacy and vulneribility
Xiaoxin Wu, wireless security
Jun Wen, QoS
Mamata Jenamani, privacy
Ph.D. students
Ahsan Habib, Internet Security
Mohamed Hefeeda, peer-to-peer
Yi Lu, wireless security and congestion control
Yuhui Zhong, trust management and fraud
Weichao Wang, security of ad hoc networks
More information at

3. Motivation
Lack of trust, privacy, security, and reliability impedes information sharing among distributed entities.
San Diego supercomputer center detected 13,000 DoS attacks in a three-week period [eWeek, 2003]
Internet attacks in February, 2004 caused an estimated $68 billion to $83 billion in damages worldwide [British Computer Security Report]
Business losses due to privacy violations
Online consumers worry about revealing personal data
This fear held back $15 billion in online revenue in 2001
52,658 reported system crashes caused by software vulnerabilities in 2002 [Express Computers 2002]

4. Research is required for the creation of knowledge and learning in secure networking, systems, and applications.

5. Goal
Enable the deployment of security sensitive applications in the pervasive computing and communication environments.

6. Problem Statement
A trustworthy, secure, and privacy preserving network platform must be established for trusted collaboration. The fundamental research problems include:
Trust management
Privacy preserved interactions
Dealing with a variety of attacks and frauds in networks
Intruder identification in ad hoc networks (focus of this seminar)

7. Applications/Broad Impacts
Guidelines for the design and deployment of security sensitive applications in the next generation networks
Data sharing for medical research and treatment
Collaboration among government agencies for homeland security
Transportation system (security check during travel, hazardous material disposal)
Collaboration among government officials, law enforcement and security personnel, and health care facilities during bio-terrorism and other emergencies

8. Scientific Contributions
Trust formalization
Privacy preservation in interactions
Network tomography techniques for DoS attacks
Intrusion detection and intruder identification in ad hoc networks
Vulnerability analysis and threat assessment

9. A. Trust Formalization Problem Research directions Challenges
Dynamically establish and update trust among entities in an open environment.
Research directions
Handling uncertain evidence
Modeling dynamic trust
Formalization and detection of fraud
Challenges
Uncertain information complicates the inference procedure.
Subjectivity leads to various interpretations toward the same information.
The multi-faceted and context-dependent characteristics of trust require tradeoff between representation comprehensiveness and computation simplicity of the trust model.

10. Uncertain Evidence
Probability-based approach to evaluate the uncertainty of a logic expression given a set of uncertain evidence
Atomic formula: Bayes network + causal inference + conditional probability interpretation of opinion
AND/OR expressions: rule defined by Jsang [Jsang'01]
Subjectivity is realized using discounting operator proposed by Shafer [Shafer'76]

11. Dynamic Trust Reputation aggregation
Trust production based on direct interaction
Identify behavior patterns and their characteristic features
Determine which pattern is the best match of an interaction sequence
Develop personalized trust production algorithms considering behavior patterns
Reputation aggregation
Global reputation vs. personalized reputation
Personalized reputation aggregation
Determine the subset of trust information useful for a specific trustor by using collaborative filters
Translate trust information into the scale of a specific trustor

12. Trust Enhanced Role Assignment (TERA) Prototype
Trust enhanced role mapping (TERM) server assigns roles to users based on
Uncertain & subjective evidence
Dynamic trust
Reputation server
Dynamic trust information repository
Evaluate reputation from trust information by using algorithms specified by TERM server
Prototype and demo are available at

13. TERA Architecture

14. Trust Enhanced Role Mapping (TERM) Server
Evidence rewriting
Role assignment
Policy parser
Request processor & inference engine
Constraint enforcement
Policy base
Trust information management
User behavior modeling
Trust production
Policy repository

15. TERM Server

16. Fraud Formalization and Detection
Model fraud intention
Uncovered deceiving intention
Trapping intention
Illusive intention
Fraud detection
Profile-based anomaly detection
Monitor suspicious actions based upon the established patterns of an entity
State transition analysis
Build an automaton to identify activities that lead towards a fraudulent state

17. Model Fraud Intentions
Uncovered deceiving intention
Satisfaction ratings are stably low.
Ratings vary in a small range over time.

18. Model Fraud Intentions
Trapping intention
Rating sequence can be divided into two phases: preparing and trapping.
A swindler behaves well to achieve a trustworthy image before he conducts frauds.

19. Model Fraud Intentions
Illusive intention
A smart swindler attempts to cover the bad effects by intentionally doing something good after misbehaviors.
Process of preparing and trapping is repeated.

20. B. Private and Trusted Interactions
Problem
Preserve privacy, gain trust, and control dissemination of data
Research directions
Dissemination of private data
Privacy and trust tradeoff
Privacy metrics
Challenges
Specify policies through metadata and establish guards as procedures
Efficient implementation
Estimate privacy depending on who will get this information, possible uses of this information, and information disclosed in the past
Privacy metrics are usually ad hoc and customized
Detail slides at

21. Preserving Privacy in Data Dissemination
Design self-descriptive private objects
Construct a mechanism for apoptosis of private objects
apoptosis = clean self-destruction
Develop proximity-based evaporation of private objects
Develop schemes for data distortions

22. Privacy-Trust Tradeoff
Gain a certain level of trust with the least loss of privacy
Build trust based on digital credentials of users that contain private information
Formulate the privacy-trust tradeoff problem
Estimate privacy loss due to disclosing a set of credentials
Estimate trust gain due to disclosing a set of credentials
Develop algorithms that minimize privacy loss for required trust gain

23. Privacy Metrics Determine the degree of data privacy
Size of anonymity set metrics
Entropy-based metrics
Privacy metrics should account for:
Dynamics of legitimate users
Dynamics of violators
Associated costs

24. Size of Anonymity Set Metrics
The larger set of indistinguishable entities, the lower probability of identifying any one of them
Can use to ”anonymize” a selected private attribute value within the domain of its all possible values
“Hiding in a crowd”
“More” anonymous (1/n)
“Less” anonymous (1/4)

25. Dynamics of Entropy
Decrease of system entropy with attribute disclosures (capturing dynamics)
When entropy reaches a threshold (b), data evaporation can be invoked to increase entropy by controlled data distortions
When entropy drops to a very low level (c), apoptosis can be triggered to destroy private data
Entropy increases (d) if the set of attributes grows or the disclosed attributes become less valuable – e.g., obsolete or more data now available H*
Entropy
Level
All
attributes
Disclosed attributes
(a)
(b)
(c)
(d)

26. Private and Trusted System (PRETTY) Prototype
(4)
(1)
(2)
[2c2]
(3) User Role
[2a]
[2b] [2d]
[2c1]
TERA = Trust-Enhanced Role Assignment

27. Information Flow for PRETTY
User application sends query to server application.
Server application sends user information to TERA server for trust evaluation and role assignment.
If a higher trust level is required for query, TERA server sends the request for more user’s credentials to privacy negotiator.
Based on server’s privacy policies and the credential requirements, privacy negotiator interacts with user’s privacy negotiator to build a higher level of trust.
Trust gain and privacy loss evaluator selects credentials that will increase trust to the required level with the least privacy loss. Calculation considers credential requirements and credentials disclosed in previous interactions.
According to privacy policies and calculated privacy loss, user’s privacy negotiator decides whether or not to supply credentials to the server.
Once trust level meets the minimum requirements, appropriate roles are assigned to user for execution of his query.
Based on query results, user’s trust level and privacy polices, data disseminator determines: (i) whether to distort data and if so to what degree, and (ii) what privacy enforcement metadata should be associated with it.

28. Experimental Studies Private object implementation
Validate and evaluate the cost, efficiency, and the impacts on the dissemination of objects
Study the apoptosis and evaporation mechanisms for private objects
Tradeoff between privacy and trust
Study the effectiveness and efficiency of the probability-based and lattice-based privacy loss evaluation methods
Assess the usability of the evaluator of trust gain and privacy loss
Location-based routing and services
Evaluate the dynamic mappings between trust levels and distortion levels

29. C. Tomography Research Problem Research Directions
Defend against denial of service attacks
Optimize the selection of data providers in peer-to-peer systems
Research Directions
Stripe based probing to infer individual link loss by edge-to-edge measurements
Overlay based monitoring to identify congested links by end-to-end path measurement
Topology inference to estimate available bandwidth by path segment measurements

30. Defeating DoS Attacks in Internet

31. Overlay-based Monitoring
Do not need individual link loss to identify all congested links
Edge routers form an overlay network for probing. Each edge router probe part of the network
Problem statement
Given topology of a network domain, identify which links are congested and possibly under attack

32. Attack Scenarios Delay (ms) Loss Ratio Time (sec) Time (sec)
(a) Changing delay pattern due to attack
(b) Changing in loss pattern due to attack

33. Identified Congested Links
Loss Ratio
Loss Ratio
Time (sec)
Time (sec)
(a) Counter clockwise probing
(b) Clockwise probing
Probe46 in graph (a) and Probe76 in graph (b) observe high losses, which means link C4  E6 is congested.

34. Probing: Simple Method
(c) internal links
(a) Topology
(b) Overlay
Congested link

35. Analyzing Simple Method
Lemma 1. If P and P’ are probe paths in the first and the second round of probing respectively, |P P’ | ≤ 1
Theorem 1. If only one probe path P is shown to be congested in any round of probing, the simple method successfully identifies status of each link in P
Performs better if edge-to-edge paths are congested
The average length of the probe paths in the Simple method is ≤ 4

36. Performance: Simple Method
Theorem 2. Let p be the probability of a link being congested in any arbitrary overlay network. The simple method determines the status of any link of the topology with probability at least 2(1-p)4-(1-p)7+p(1-p)12
Detection Probability
Frac of actual congested links

37. Advanced Method AdvancedMethod() begin
Conduct Simple Method. E is the unsolved equation set
for Each undecided variable Xij of E do
node1 = FindNode(Tree T, vi, IN)
node2 = FindNode(Tree T, vj , OUT)
if node1 ≠ NULL AND node2 ≠ NULL then
Probe(node1, node2). Update equation set E
end if
Stop if no more probe exists
endfor
end

38. Analyzing Advanced Method
Lemma 2. For an arbitrary overlay network with n edge routers, on the average a link lies on b = edge-to-edge paths
Lemma 3. For an arbitrary overlay network with n edge routers, the average length of all edge-to-edge paths is d =
Theorem 3. Let p be the probability of a link being congested. The advanced method can detect the status of a link with probability at least (1-(1-(1-p)d)b)

39. D. Intruder Identification in Adhoc On-demand Distance Vector (AODV)
Problem
AODV are vulnerable to various attacks such as false distance vector, false destination sequence, and wormhole attacks
Detecting attacks without identifying and isolating the malicious hosts leaves the security mechanisms in a passive mode
Challenges
Locate the sources of attacks in a self-organized infrastructure
Combine local decisions with knowledge from other hosts to achieve consistent conclusions on the malicious hosts

40. Attacks on Routing in Mobile Ad Hoc Networks
Active attacks
Passive attacks
Routing procedure
Packet silent discard
Routing information hiding
Flood network
Route request
Route broken message
False reply
Wormhole attacks

41. Related Work
Vulnerability model of ad hoc routing protocols [Yang et al., SASN ’03]
A generic multi layer integrated IDS structure [Zhang and Lee, MobiCom ’00]
IDS combining with trust [Albert et al., ICEIS ’02]
Information theoretic measures using entropy [Okazaki et al., SAINT ’02]
SAODV adopts both hash chain and digital signature to protect routing information [Zapata et al, WiSe’03]
Security-aware ad hoc routing [Kravets et al, MobiHOC’01]

42. Ideas
Monitor the sequence numbers in the route request packets to detect abnormal conditions
Apply reverse labeling restriction to identify and isolate attackers
Combine local decisions with knowledge from other hosts to achieve consistent conclusions
Combine with trust assessment methods to improve robustness

43. Introduction to AODV
Introduced in 97 by Perkins at NOKIA, Royer at UCSB
12 versions of IETF draft in 4 years, 4 academic implementations, 2 simulations
Combines on-demand and distance vector
Broadcast Route Query, Unicast Route Reply
Quick adaptation to dynamic link condition and scalability to large scale network
Support multicast

44. Route Discovery in AODV (An Example)
Route to the source
Route to the destination

45. Attacks on AODV Route request flooding False distance vector
query non-existing host (RREQ will flood throughout the network)
False distance vector
reply “one hop to destination” to every request and select a large enough sequence number
False destination sequence number
select a large number (even beat the reply from the real destination)
Wormhole attacks
tunnel route request through wormhole and attract the data traffic to the wormhole
Coordinated attacks
The malicious hosts establish trust to frame other hosts, or conduct attacks alternatively to avoid being identified

46. Impacts of Attacks on AODV
We simulate the attacks and measure their impacts on packet delivery ratios and protocol overhead
Packet Delivery Ratio
Control packet / data packet
No Attacks
96%
0.38
Vicious Flooding
91%
2.93
False Distance
75%
False Destination Sequence
53%
0.66
Wormhole
61%
0.41

47. False Destination Sequence Attack
RREP(D, 5)
RREP(D, 20)
RREQ(D, 3) S3 D S S1 S2 M
Packets from S to D are sinking at M. Node movement breaks the path from S to M (trigger route rediscovery).

48. During Route Rediscovery, False Destination Sequence Attack Is Detected
(1). S broadcasts a request that carries the old sequence + 1 = 21
(2) D receives the RREQ. Local sequence is 5, but the sequence in RREQ is 21. D detects the false desti-nation sequence attack. D S3
RREQ(D, 21) S S1 S2 M S4
Propagation of RREQ

49. Reverse Labeling Restriction (RLR)
Blacklists are updated after an attack is detected.
Basic Ideas
Every host maintains a blacklist to record suspicious hosts. Suspicious hosts can be released from the blacklist.
The destination host will broadcast an INVALID packet with its signature when it finds that the system is under attack on sequence. The packet carries the host’s identification, current sequence, new sequence, and its own blacklist.
Every host receiving this packet will examine its route entry to the destination host. If the sequence number is larger than the current sequence in INVALID packet, the presence of an attack is noted. The previous host that provides the false route will be added into this host’s blacklist.

50. Correct destination sequence number is broadcasted.
BL {} S3 D
INVALID ( D, 5, 21, {}, SIGN )
BL {S2} S S1
BL {}
BL {M}
BL {S1} S2 M S4
D broadcasts INVALID packet with current sequence = 5, new sequence = 21. S3 examines its route table, the entry to D is not false. S3 forwards packet to S1. S1 finds that its route entry to D has sequence 20, which is > 5. It knows that the route is false. The hop which provides this false route to S1 was S2. S2 will be put into S1’s blacklist. S1 forwards packet to S2 and S. S2 adds M into its blacklist. S adds S1 into its blacklist. S forwards packet to S4. S4 does not change its blacklist since it is not involved in this route.
Correct destination sequence number is broadcasted.
Blacklist at each host in the path is determined.

51. D1 D2
[M] S3 S4
[M] M D4 D3
[M]
[M] S2 S1
M attacks 4 routes (S1-D1, S2-D2, S3-D3, and S4-D4). When the first two false routes are detected, D3 and D4 add M into their blacklists. When later D3 and D4 become victim destinations, they will broadcast their blacklists, and every host will get two votes that M is malicious host.
Hosts closer to malicious site are in blacklists of multiple hosts. In the above figure, M is in four blacklists.

52. Combine Local Decisions with Knowledge from Other Hosts
When a host is destination of a route and is victim by any malicious host, it will broadcast its blacklist.
Each host obtains blacklists from victim hosts.
If M is in multiple blacklists, M is classified as a malicious host based on certain threshold.
Intruder is identified.
Trust values can be assigned to other hosts based on past information.

53. Acceleration in Intruder IdentificationM2 M3 M2 M3 M1 M1 S2 S2 S1 S3 S3 S1
Routing topology
Reverse labeling procedure
Multiple attackers exist in the network. More routes are under attack. When the false routes are detected, more blacklists will be broadcasted.

54. Reverse Labeling Restriction
Update Blacklist by INVALID Packet
Next hop on the invalid route will be put into local blacklist, a timer starts, and a counter increases. The time duration that the host stays in blacklist is exponential to the counter value.
Labeling process will be conducted in the reverse direction of the false route.
When timer expires, the suspicious host will be released from the blacklist and routing information from it will be accepted.

55. Deal With Hosts in Blacklist
Packets from hosts in blacklist
Route request: If the request is from suspicious hosts, ignore it.
Route reply: If the previous hop is suspicious and the query destination is not the previous hop, the reply will be ignored.
Route error: will be processed as usual. RERR will activate re-discovery, which will help to detect attacks on destination sequence.
INVALID: if the sender is suspicious, the packet will be processed but the blacklist will be ignored.

56. Attacks of Malicious Hosts on RLR
Attack 1: Malicious host M sends false INVALID packet
Because the INVALID packets are signed, it cannot send the packets in other hosts’ name
If M sends INVALID in its own name
If the reported sequence number is greater than the real sequence number, every host ignores this attack
If the reported sequence number is less than the real sequence number, RLR will converge at the malicious host. M is included in blacklist of more hosts. M accelerated the intruder identification directing towards M.

57. Attack 2: Malicious host M frames other innocent hosts by sending false blacklist
If the malicious host has been identified, the blacklist will be ignored
If the malicious host has not been identified, this operation can only make the threshold lower. If the threshold is selected properly, it will not impact the identification results.
Combining trust can further limit the impact of this attack.

58. Attack 3: Malicious host M only sends false destination sequence about some special host
The special host will detect the attack and send INVALID packets.
Other hosts can establish new routes to the destination by receiving the INVALID packets.

59. Experimental Studies of RLR
The experiments are conducted using ns2.
Various network scenarios are formed by varying the number of independent attackers, number of connections, and host mobility.
The examined parameters include:
Packet delivery ratio
Identification accuracy: false positive and false negative ratio
Communication and computation overhead

60. Simulation Parameter Simulation duration 1000 seconds Simulation area
Number of mobile hosts 30
Transmission range
250 m
Pause time between the host reaches current target and moves to next target
0 – 60 seconds
Maximum speed
5 m/s
Number of CBR connection
25/50
Packet rate
2 pkt / sec

61. Experiment 1: Measure the Changes in Packet Delivery Ratio
Purpose: investigate the impacts of host mobility, number of attackers, and number of connections on the performance improvement brought by RLR
Input parameters: host pause time, number of independent attackers, number of connections
Output parameters: packet delivery ratio
Observation: When only one attacker exists in the network, RLR brings a 30% increase in the packet delivery ratio. When multiple attacker exist in the system, the delivery ratio will not recover before all attackers are identified.

62. Increase in Packet Delivery Ratio: Single Attacker
X-axis is host pause time, which evaluates the mobility of host. Y-axis is delivery ratio. 25 connections and 50 connections are considered. RLR brings a 30% increase in delivery ratio. 100% delivery is difficult to achieve due to network partition, route discovery delay and buffer.

63. Increase in Packet Delivery Ratio: Multiple Attackers
X-axis is number of attackers. Y-axis is delivery ratio. 25 connections and 50 connections are considered. RLR brings a 20% to 30% increase in delivery ratio.

64. Experiment 2: Measure the Accuracy of Intruder Identification
Purpose: investigate the impacts of host mobility, number of attackers ,and connection scenarios on the detection accuracy of RLR
Input parameters: number of independent attackers, number of connections, host pause time
Output parameters: false positive alarm ratio, false negative alarm ratio
Observation: The increase in connections may improve the detection accuracy of RLR. When multiple attackers exist in the network, RLR has a high false positive ratio.

65. Accuracy of RLR: Single Attacker
30 hosts, 25 connections
30 hosts, 50 connections
Host Pause time (sec)
# of normal hosts identify the attacker
# of normal hosts marked as malicious 24
0.22 29
2.2 10 25
1.4 20
1.1 30 28 40
0.6 50
0.07 60
1.0
The accuracy of RLR when there is only one attacker in the system

66. Accuracy of RLR: Multiple Attackers
30 hosts, 25 connections
30 hosts, 50 connections
# of attackers
# of normal hosts identify all attackers
# of normal hosts marked as malicious 1 28 29
1.1 2
0.65
2.6 3 25 27
1.4 4 21
0.62
2.2 5 15
0.67 19
4.1
The accuracy of RLR when there are multiple attackers

67. Experiment 3: Measure the Communication Overhead
Purpose: investigate the impacts of host mobility and connection scenarios on the overhead of RLR
Input parameters: number of connections, host pause time
Output parameters: control packet overhead
Observation: When no false destination sequence attacks exist in the network, RLR introduces small packet overhead into the system.

68. Control Packet Overhead
X-axis is host pause time, which evaluates the mobility of host. Y-axis is normalized overhead (# of control packet / # of delivered data packet). 25 connections and 50 connections are considered. RLR increases the overhead slightly.

69. Research Opportunities: Improve Robustness of RLR
Protect the good hosts from being framed by malicious hosts
The malicious hosts can frame the good hosts by putting them into blacklist.
By lowering the trust values of both complainer and complainee, we can restrict the impacts of the gossip distributed by the attackers.
Adopting the trust management scheme proposed by Aberer and Despotovic [CIKM’01] to determine the lowering speed.

70. Avoid putting every host into blacklist
Combining the host density and movement model, we can estimate the time ratio that two hosts are neighbors
The counter for a suspicious host decreases as time passes
Adjusting the decreasing ratio to control the average percentage of time that a host stays in the blacklist of another host

71. Defend against coordinated attacks
The behaviors of collusive attackers show Byzantine manners. The malicious hosts may establish trust to frame other hosts, or conduct attacks alternatively to avoid being identified.
Look for the effective methods to defend against such attacks. Possible research directions include:
Apply classification methods to detect the hosts that have similar behavior patterns
Study the behavior histories of the hosts that belong to the same group and detect the pattern of malicious behavior (time-based, order-based)

72. An Architecture of Intruder Identification Agent

73. Intruder identification can be applied to detect more attacks in ad hoc networks:
DoS attacks
Malicious discard
Trust abuse and privacy violation
Reverse labeling mechanism can be applied to identify the attackers that
Disseminate false routing information
Discard data packets
Generate gossip to destroy other hosts’ reputation

74. Conclusions on Intruder Identification
False destination sequence attacks can be detected by the anomaly patterns of the sequence numbers
Reverse labeling method can reconstruct the false routing tree
Isolating the attackers brings a sharp increase in network performance
On going research will improve the robustness of the mechanism and the accuracy of identification

75. Related Ongoing Research
Detecting wormhole attacks
Position-based private routing in ad hoc networks
Fault tolerant authentication in movable base station systems
Congestion avoidance routing in ad hoc networks

76. Detecting Wormhole Attacks
Problem statement
The malicious nodes can eavesdrop the packets, tunnel them to another location in the network, and retransmit them. This generates a false scenario that the original sender is in the neighborhood of the remote location.
First, we are going to present our work on wormhole detection in ad hoc networks. Since the nodes in a wireless network use a radio channel to send information, the malicious nodes can eavesdrop the packets, tunnel them to another location in the network, and retransmit them. This generates a false scenario that the original sender is in the neighborhood of the remote location. The tunneling procedure forms a wormhole. The attack is usually conducted by collusive attackers.
Wormhole attacks are more difficult to detect because the mechanisms such as authentication cannot prevent them. The packets are all real. But at the same time, the impacts of the attacks are bad.
wireless node 1
wireless node 2
tunnel
attacker 1
attacker 2

77. Research challenges
Detect wormholes when the malicious host can be the legal member of the network
Control the overhead introduced by wormhole detection to avoid the hosts being overwhelmed

78. Classification of Wormholes
the wormholes are divided into 3 groups:
Closed
Half open
Open

79. The Approach: End-to-End Mechanism
Assumption:
The hosts have the positioning devices and loosely synchronized clocks
Pair-wise keys have been deployed
Ideas:
The source and the intermediate hosts will attach the <time, position> pairs that record the receiving and forwarding events
The attached information is protected by message authentication codes (MAC)
The neighbor relation validations are conducted by the destination

80. Validation at the Destination
The MAC codes are calculated correctly
The neighbor hosts are within the radio range when the packet is passed
The average moving speed between the <time, position> pairs from the same host does not exceed the maximum value.

81. Controlling Overhead: Cell-based Open Tunnel Avoidance
Divide the area into same-sized cells and the time into same-length slots
Require a constant storage space and linear computation operations for every intermediate host
Have a configurable wormhole detection capability

82. Computation Efficiency
The experiments are conducted on a iPAQ 3630 with 206M Hz CPU and 64M RAM
The computation overhead of wormhole detection for one 10-hop route consumes less than 0.5% of its CPU.
The computation resource of a real PDA can support wormhole detection using COTA without trouble.

83. Conclusions
The end-to-end mechanism can detect half open and open wormholes in ad hoc networks
As a position information management scheme, COTA requires constant storage space and linear computation resource for every intermediate host
The proposed mechanism can be adopted by real mobile devices

84. B. Position-based Private Routing in Ad Hoc Networks
Problem statement
To hide the identities of the nodes who are involved in routing in mobile wireless ad hoc networks.
Challenges
Traditional ad hoc routing algorithms depend on private information (e.g., ID) exposure in the network.
Privacy solutions for P2P networks are not suitable in ad hoc networks.

85. Weak Privacy for Traditional Position-based Ad Hoc Routing Algorithm
Position information of each node has to be locally broadcast periodically.
Adversaries are able to obtain node trajectory based on the position report.
Adversaries can estimate network topology.
Once a match between a node position and its real ID is found, a tracer can always stay close to this node and monitor its behavior.

86. AO2P: Ad Hoc On-Demand Position-based Private Routing
Position of destination is the information exposed in the network for routing discovery.
A receiver-contention scheme is designed to determine the next hop in a route.
Pseudo IDs are used instead of real IDs for data packet delivery after a route is built up.
Route with a smaller number of hops will be used for better end-to-end throughput.

87. AO2P Routing Privacy and Accuracy
Only the position of destination is revealed in the network for routing discovery. The privacy of the destination relies on the difficulty of matching a position to a node ID.
Node mobility enhances destination privacy because a match between a position to a node ID is temporary.
The privacy for the source and the intermediate forwarders is well preserved.
Routing accuracy relies on the fact that at a specific time, only one node can be at a position. Since the pseudo ID for a node is generated from its position and the time it is at that position, the probability that more than one node have the same pseudo ID is negligible.

88. Privacy Enhancement: R-AO2P
The position of reference point is carried in rreq instead of the position of the destination.
The reference point is on the extended line from the sender to the destination. It can be used for routing discovery because generally, a node that processes the rreq closer to the reference point will also process the rreq closer to the destination.
The position of the destination is only disclosed to the nodes who are involved in routing.
Reference point in R-AO2P

89. Illustrated Results
Average delay for next hop determination

90. Illustrated Results
Packet delivery ratio

91. Conclusions AO2P preserves node privacy in mobile ad hoc networks.
AO2P has low next hop determination delay.
Compared to other position-based ad hoc routing algorithm, AO2P has little routing performance degradation.

92. C. Fault Tolerant Authentication in Movable Base Station System
Problem
To ensure security and prevent theft of resources (like bandwidth), all the packets originating inside the network should be authenticated.
Authentication may become unreliable when base station fails or node moves from one cell to another.
Challenge
How to design fault tolerant authentication methods that are robust in the above conditions
How to design the protocols adaptable and re-configurable

93. Proposed Schemes We propose two schemes to solve the problem.
Virtual Home Agent
Hierarchical Authentication
They differ in the architecture and the responsibilities that the Mobile Nodes and Base Stations (Agents) hold.

94. Virtual Home Agent Scheme
VHA ID = IP ADDRESS
Master Home Agent (MHA)
Database Server
Shared Secrets
Database
Backup Home Agents
Other nodes in the network

95. Advantages of Proposed Scheme
Has only 3 states and hence the overhead of state maintenance is negligible.
Very few tasks need to be performed in each state (outlined in the tech report).
Flexible – there could be multiple VHAs in the same LAN and a MHA could be a BHA for another VHA, a BHA could be a BHA for more than one VHA at the same time.

96. Disadvantages of Virtual HA Solution
Not scalable if every packet has to be authenticated
Ex: huge audio or video data
BHA (Backup Home Agents) are idle most of the time (they just listen to MHA’s advertisements.
Central Database is still a single point of failure.

97. Hierarchical Authentication Scheme
Multiple Home Agents in a LAN are organized in a hierarchy (like a tree data structure).
A Mobile Node shares a key with each of the Agents above it in the tree (Multiple Keys).
At any time, highest priority key is used for sending packets or obtaining any other kind of service.

98. Hierarchical Authentication SchemeB G F E D K2 K1
(K1, P1)
(K2, P2)
Database

99. Hierarchical Authentication Scheme
Key Priority depends on several factors and computed as cumulative sum of weighted priorities of each factors:
Example Factors:
Communication Delays
Processing Speed of the Agents
Key Usage
Life Time of the Key

100. D. Congestion Avoidance Routing in Ad Hoc Networks
Objective
To bring the consideration of congestion in the design of the routing protocols.
Thrust
To avoid congestion by minimizing contention for channel access.
Challenges
The global coupling effect of wireless channel access in ad hoc networks.
Quantification of congestion without exchanging messages with neighbors.

101. Intermediate Delay (IMD)
IMD is a routing metric that characterizes the impacts of channel contention, the length of the route, and the traffic load at individual nodes.
IMD estimates the delay introduced by the intermediate nodes along the route using the sum of delays from each node.

102. Ad Hoc Routing Based on IMD
Simplification of delay computation:
If channel capacity is C and packet size is P, delay is P/C.
If n nodes are in contention for a channel, each node gets C/n share of the channel capacity. The delay is nP/C.
2P/C
P/C D E F H I G J
P/C PC
Adapt to changes in traffic and network topology

103. Delay Estimation
A mobile node is modeled as a single server queuing system.
Total delay includes the delay for transmitting a packet and the delay in the queue.
The key is to estimate the delay for transmitting a packet.
Node with active traffic
Use the mean value to estimate the delay.
Node without active traffic
Study the procedure of packet transmission to obtain the expectation of the delay.

104. IEEE 802.11 DCF (Distributed Coordination Function)
E[Tsucc]=TRTS+TCTS+TDATA+TACK+3TSIFS+E[Tbackoff]
E[Tfail]=TRTS+Ttimeout+E[Tbackoff]

105. SAGA: Self-Adjusting Congestion Avoidance Routing Protocol
SAGA is a distance vector routing protocol.
use IMD instead of hop count as the distance
bypass hop spots where contention is intense
Lazy route query uses special route advertisement for local route discovery.
Approach to reduce the oscillation of IMD and prevent a node from switching back and forth among alternative routes.

106. Experimental Evaluation
Objective
Study the performance of SAGA, AODV, DSR, and DSDV under congestion.
Performance metrics
Throughput, delivery ratio, protocol overhead, and end-to-end delay
Method
Simulation using the network simulator ns2
Two types of UDP traffic: constant bit rate (CBR) and pareto on/off (POO)
The offered traffic load is taken as the input parameter
Six experiments by varying the maximum speed of movement of nodes and the number of connections
Five independent runs with random scenarios for each experiment

107. 30 CBR Connections, Low Mobility (4m/s)

108. 10 POO Connections, High Mobility (20m/s)