(BQ) The book is divided into two parts; part 1 runs from chapter 21 to chapter 38. This part includes the following contents: mobile ad hoc network routing, security for ad hoc networks, phishing attacks and countermeasures, chaos-based secure optical communications using semiconductor lasers, chaos applications in optical communications, and other topics.
21 Mobile Ad Hoc Network Routing
Melody Moh and Ji Li

Contents
21.1 Chapter Overview 407
21.2 One-Layer Reputation Systems for MANET Routing 408
21.2.1 Watchdog and Pathrater 408
21.2.2 CORE: A Collaborative Reputation Mechanism 409
21.2.3 OCEAN: Observation-Based Cooperation Enforcement in Ad Hoc Networks 409
21.2.4 SORI – Secure and Objective Reputation-Based Incentive Scheme for Ad Hoc Networks 410
21.2.5 LARS – Locally Aware Reputation System 412
21.2.6 Comparison of One-Layer Reputation Systems 412
21.3 Two-Layer Reputation Systems (with Trust) 412
21.3.1 CONFIDANT – Cooperation of Nodes: Fairness in Dynamic Ad Hoc Networks 412
21.3.2 TAODV – Trusted AODV 413
21.3.3 SAFE: Securing Packet Forwarding in Ad Hoc Networks 414
21.3.4 Cooperative and Reliable Packet Forwarding on Top of AODV 415
21.3.5 Comparison of Two-Layer Reputation Systems 416
21.4 Limitations of Reputation Systems in MANETs 417
21.4.1 Limitations of Reputation and Trust Systems 417
21.4.2 Limitations in Cooperation Monitoring 417
21.5 Conclusion and Future Directions 419
References 419
The Authors 420

Instant deployment without relying on an existing infrastructure makes mobile ad hoc networks (MANETs) an attractive choice for many dynamic situations. However, such flexibility comes with a consequence: these networks are much more vulnerable to attacks. Authentication and encryption are traditional protection mechanisms, yet they are ineffective against attacks such as selfish nodes and malicious packet dropping. Recently, reputation systems have been proposed to enforce cooperation among nodes. These systems have provided useful countermeasures and have been successful in dealing with selfish and malicious nodes. This chapter presents a survey of the major contributions in this field. We also discuss the limitations of these approaches and suggest possible solutions and future directions.

21.1 Chapter Overview

A MANET is a temporary network formed by wireless mobile hosts without a presetup
infrastructure. Unlike a traditional infrastructure-based wireless network, where each host routes packets through an access point or a mobile router, in a MANET each host routes packets and communicates directly with its neighbors. Since MANETs offer much more flexibility than traditional wireless networks, and wireless devices have become common in all computers, demand for them and their potential applications have been increasing rapidly. The major advantages include low cost, simple network maintenance, and convenient service coverage. These benefits, however, come at a cost. Owing to the lack of control over other nodes in the network, selfishness and other misbehaviors are possible and easy.

Peter Stavroulakis, Mark Stamp (Eds.), Handbook of Information and Communication Security © Springer 2010

One of the main challenges is ensuring security and reliability in these dynamic and versatile networks. One approach is to use a public key infrastructure to deny access to nodes that are not trusted, but this central-authority approach reduces the ad hoc nature of the network. Another approach is the use of reputation systems, which attempt to detect misbehaviors such as selfish nodes, malicious packet dropping, spreading false information, and denial-of-service (DoS) attacks. The misbehaving nodes are then punished or rejected from the network [21.1–3].

In reputation systems, network nodes monitor the behavior of their neighbor nodes. They also compute and keep track of the reputation values of their neighbors, and respond to each node (in packet forwarding or routing) according to its reputation. Some reputation systems are based only on direct observations; these are often called one-layer reputation systems. Others rely on both direct observation and indirect (second-hand) information from a reported reputation value, misbehavior, alarm, or warning message. Some of these also include a trust mechanism that evaluates the trustworthiness of indirect information; these systems are often called two-layer reputation systems.

This chapter provides a survey of key reputation systems for MANET routing. Section 21.2 presents one-layer reputation systems, Sect. 21.3 describes two-layer reputation systems, Sect. 21.4 discusses limitations of these systems, and, finally, Sect. 21.5 concludes the chapter.

21.2 One-Layer Reputation Systems for MANET Routing

In this section, we describe one-layer reputation systems, i.e., systems that evaluate only the reputation of the base system, i.e., of network functionalities such as packet forwarding and routing. Reputations may be derived only from direct observations, or from both direct and indirect (second-hand) observations. These systems, however, do not have an explicit scheme to compute the trust of second-hand reputation values (which will be covered in Sect. 21.3). The reputation systems discussed in this section, in chronological order, are Watchdog and Pathrater [21.4], CORE [21.5], OCEAN [21.6], SORI [21.7], and LARS [21.1]. All of them are either explicitly designed for or demonstrated over Dynamic Source Routing (DSR) [21.8].

21.2.1 Watchdog and Pathrater

The scheme based on the Watchdog and the Pathrater, proposed by Lai et al. [21.4], was one of the earliest pieces of work on reputation systems for MANETs. The two are tools proposed as extensions of DSR to improve throughput in a MANET in the presence of misbehaving nodes. In the proposed system, a Watchdog is used to identify misbehaving nodes, whereas a Pathrater helps to avoid these nodes in the routing protocol.

Specifically, the Watchdog method detects misbehaving nodes through overhearing: each node maintains a buffer of recently sent packets and compares each overheard packet with the packets in the buffer to see whether there is a match. If a packet remains in the buffer for too long, the Watchdog suspects that the node that keeps the packet (instead of forwarding it) is misbehaving and increases its failure tally. If the failure tally exceeds a threshold, the Watchdog determines that the node is misbehaving and notifies the source node.

The Pathrater tool is run by each node in the network. It allows a source node to combine the knowledge of misbehaving nodes with link reliability data to choose the route that is most likely to be reliable. Each node maintains a "reliability" rating for every other network node it knows about. The "path metric" of a path is calculated by averaging all the node ratings in the path. A source node then chooses the most reliable path (the one with the highest average node rating) and avoids any node that is misbehaving.

These two tools significantly improve DSR [21.8], as they can detect misbehavior at the forwarding level (network layer) instead of only at the link level (data link layer). They also enable DSR to choose the more reliable path and to avoid misbehaving nodes. However, they have some limitations. The authors of [21.4] note that the Watchdog technique may not detect a misbehaving node in the presence of ambiguous collisions, receiver collisions, limited transmission power, false misbehavior, collusion, and partial packet dropping (see Sect. 21.4 for more discussion). Also, the Pathrater tool relies on the source node knowing the entire path; it can therefore be applied only to source-based routing such as DSR [21.8].

21.2.2 CORE: A Collaborative Reputation Mechanism

CORE is another well-known, pioneering work on reputation systems for MANETs. Proposed by Michiardi and Molva [21.5], the system aims to solve the selfish node problem. Like Watchdog and Pathrater, CORE is also based on DSR and only evaluates reputations in the base system (i.e., the network routing and forwarding mechanisms). For each node, routes are prioritized on the basis of the global reputations associated with neighbors. The global reputation is a combination of three kinds of reputation that are evaluated by a node.
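Before continuing with CORE, the Watchdog and Pathrater mechanism of Sect. 21.2.1 is worth seeing end to end. The following toy simulation is an added example, not code from [21.4]: a node buffers every packet it hands to its next hop, removes the entry when it overhears the next hop retransmitting it, charges a failure to the next hop when the entry times out, and reports the next hop to the source once the failure tally passes a threshold; the Pathrater then scores candidate paths by the average node rating and refuses any path through a reported node. The timeout, the failure threshold, the rating step and the packet trace in run_demo() are constructed for illustration; the 0.5 starting rating and the −100 rank for misbehaving nodes are the values given in Table 21.1.

```python
"""Watchdog and Pathrater (Sect. 21.2.1) as a toy simulation.
Added example, not code from [21.4]: TIMEOUT, FAILURE_THRESHOLD, the rating
step and the trace in run_demo() are constructed for illustration."""
from dataclasses import dataclass, field

TIMEOUT = 5                # assumed: ticks a sent packet may stay unheard before it counts as a failure
FAILURE_THRESHOLD = 3      # assumed: failures tolerated before a neighbor is declared misbehaving
INITIAL_RATING = 0.5       # Table 21.1: ratings start at 0.5
MISBEHAVING_RATING = -100  # Table 21.1: a misbehaving node is ranked -100


@dataclass
class Watchdog:
    """Overhears the next hop: every packet sent is buffered until it is heard
    being forwarded; packets that time out are charged to the next hop."""
    buffer: dict = field(default_factory=dict)         # pkt_id -> (next_hop, source, sent_at)
    failures: dict = field(default_factory=dict)       # next_hop -> failure tally
    misbehaving: set = field(default_factory=set)
    notifications: list = field(default_factory=list)  # (source, suspect) reports sent

    def send(self, pkt_id, next_hop, source, now):
        self.buffer[pkt_id] = (next_hop, source, now)

    def overhear(self, pkt_id, forwarder):
        # A retransmission by the expected next hop matches the buffered copy.
        entry = self.buffer.get(pkt_id)
        if entry is not None and entry[0] == forwarder:
            del self.buffer[pkt_id]

    def tick(self, now):
        # Expire stale entries; each one is a failure for the node that kept the packet.
        for pkt_id, (hop, source, sent_at) in list(self.buffer.items()):
            if now - sent_at > TIMEOUT:
                del self.buffer[pkt_id]
                self.failures[hop] = self.failures.get(hop, 0) + 1
                if self.failures[hop] > FAILURE_THRESHOLD and hop not in self.misbehaving:
                    self.misbehaving.add(hop)
                    self.notifications.append((source, hop))  # notify the source node


class Pathrater:
    """Rates nodes, scores a path by the average node rating, and never
    chooses a path through a node the Watchdog has reported."""

    def __init__(self):
        self.ratings = {}

    def rating(self, node):
        return self.ratings.get(node, INITIAL_RATING)

    def mark_misbehaving(self, node):
        self.ratings[node] = MISBEHAVING_RATING

    def reward_path(self, path, step=0.01):
        # Nodes on an actively used path are slowly rated up (step size is assumed).
        for node in path:
            if self.rating(node) != MISBEHAVING_RATING:
                self.ratings[node] = min(1.0, self.rating(node) + step)

    def path_metric(self, path):
        return sum(self.rating(n) for n in path) / len(path)

    def choose(self, paths):
        usable = [p for p in paths if MISBEHAVING_RATING not in (self.rating(n) for n in p)]
        return max(usable, key=self.path_metric) if usable else None


def run_demo():
    """Constructed trace: source S sends eight packets through next hop B;
    B forwards packets 1, 2 and 8 and silently drops 3..7."""
    wd, pr = Watchdog(), Pathrater()
    for now, pkt in enumerate(range(1, 9)):
        wd.send(pkt, next_hop="B", source="S", now=now)
        if pkt in (1, 2, 8):
            wd.overhear(pkt, forwarder="B")
        wd.tick(now)
    wd.tick(now + TIMEOUT + 1)          # let the dropped packets time out
    for _source, suspect in wd.notifications:
        pr.mark_misbehaving(suspect)
    chosen = pr.choose([["B", "D"], ["C", "D"]])
    return wd.failures.get("B", 0), sorted(wd.misbehaving), chosen


if __name__ == "__main__":
    print(run_demo())  # (5, ['B'], ['C', 'D'])
```

The trace shows why the scheme needs a tally rather than a single miss: the first two unheard packets leave B below the threshold, and only the accumulated drops push it onto the source's misbehaving list, after which the path through C is preferred even though C's rating is still the default.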
These three reputations are the subjective, indirect, and functional reputations. The subjective reputation is calculated on the basis of a node's direct observation. The indirect reputation is the second-hand information that is received by the node via a reply message. Note that a reply message could be a ROUTE REPLY for routing, or an ACK packet for data forwarding. The subjective and indirect reputations are evaluated for each base-system function, such as routing and data forwarding. Finally, the functional reputation is defined as the sum of the subjective and indirect reputations for a specific function (such as the packet forwarding function or the routing function). The global reputation is then calculated as the sum of the functional reputations, with a weight assigned to each function.

CORE uses a watchdog (WD) mechanism to detect misbehaving nodes. In each node, there is a WD associated with each function. Whenever a network node needs to monitor the correct behavior (correct function execution) of a neighbor node, it triggers the WD specific to that function. The WD stores an expected result in a buffer for each request. If the expectation is met, the WD deletes the entry for the target node, and the reputations of all the related nodes are increased on the basis of the list in the reply message (the reply message contains a list of all the nodes that successfully participated in the service). If the expectation is not met or a time-out occurs, the WD decreases the subjective reputation of the target node in the reputation table.

In the CORE system, only positive information is sent over the network in reply messages. It can therefore eliminate the DoS attacks caused by spreading negative information over the network. The advantages of the CORE system are that it is a simple scheme, easy to implement, and not sensitive to resource constraints. CORE uses the reply message (RREP) to transmit the second-hand reputation information; thus, no extra message is introduced by the reputation system. When there is no interaction from a node, the node's reputation is gradually decreased, which encourages nodes to be cooperative.

There are a few drawbacks to CORE. One of them is that CORE is designed mainly to solve the problem of selfish nodes; thus, it is not very efficient at dealing with other malicious problems. Moreover, CORE is a single-layer reputation system in which first-hand and second-hand information carry the same weight. It does not evaluate trustworthiness before accepting second-hand information. As such, the system cannot prevent the risk of spreading incorrect second-hand information. Furthermore, in CORE only positive information is exchanged between nodes. Therefore, half of the capability, the part dedicated to carrying negative information, is lost. In addition, reputations are only evaluated among one-hop neighbors, yet a path usually contains multiple hops. In consequence, the result may not be preferred or optimized for the entire path. Finally, although the original paper only described the system without any performance evaluation, later simulation experiments by Carruthers and Nikolaidis showed that CORE is most efficient in static networks; its effectiveness dropped to 50% under low mobility, and it is almost ineffective in highly mobile networks [21.9].

21.2.3 OCEAN: Observation-Based Cooperation Enforcement in Ad Hoc Networks

OCEAN was proposed by Bansal and Baker [21.6], from the same group that proposed Watchdog and Pathrater. It is a reputation system that was proposed after the CORE (described above) and CONFIDANT (Cooperation Of Nodes: Fairness In Dynamic Ad Hoc Networks; to be described in Sect. 21.3.1) systems. The authors of OCEAN observed that indirect reputations (i.e., second-hand information) could easily be exploited by lying and giving false alarms, and that second-hand information required a node to maintain trust relationships with other nodes. They therefore proposed OCEAN, a simple, direct-reputation-based system, aimed at avoiding any trust relationship and at evaluating how well this simple approach can perform.

OCEAN considers only direct observations. Based on and expanded from their early work (Watchdog and Pathrater), the system consists of five modules: NeighborWatch, RouteRanker, Rank-Based Routing, Malicious Traffic Rejection, and Second Chance Mechanism. The NeighborWatch module is similar to the Watchdog tool [21.4]; it observes the behavior of its neighbor nodes by keeping track of whether each node correctly forwards every packet. Feedback from these forwarding events (both positive and negative) is then fed to the RouteRanker. The RouteRanker module maintains ratings of all the neighbor nodes. In particular, it keeps a faulty node list that includes all the misbehaving nodes. A route's ranking as good or bad (a binary classification) depends on whether the next hop is in the faulty node list. The Rank-Based Routing module proposes adding a dynamic field to the DSR RREQ (Route Request packet), named avoid-list, which consists of a list of faulty nodes that the node wishes to avoid. The Malicious Traffic Rejection module rejects all traffic from nodes which it considers misleading (depending on the feedback from NeighborWatch). Finally, the Second Chance Mechanism allows a node that was once considered misleading (i.e., it was in the faulty node list) to be removed from the list after a time-out period of inactivity.

To assess the performance of this direct-observation-only approach, OCEAN was compared with defenseless nodes and with a reputation system called SEC-HAND, which was intended to correspond to a reputation system with alarm messages representing second-hand reputation information. After their application to DSR, the simulation results showed that OCEAN significantly improved network performance compared with defenseless nodes in the presence of selfish and misleading nodes. OCEAN and SEC-HAND performed similarly in static and slowly mobile networks. However, SEC-HAND performed better than OCEAN for highly mobile networks, since the second-hand reputation messages spread the bad news faster, thus allowing SEC-HAND to punish and avoid the misleading nodes. OCEAN, on the other hand, failed to punish the misleading nodes as severely and still permitted those nodes to route packets; therefore, it suffered from poor network performance. These evaluation results showed that second-hand reputations with the corresponding trust mechanisms are still necessary in highly mobile environments, which some MANET applications require.

21.2.4 SORI – Secure and Objective Reputation-Based Incentive Scheme for Ad Hoc Networks

SORI, proposed by He et al., focused on selfish nodes (that do not forward packets) [21.7]. Their paper did not address malicious nodes (such as ones sending out false reputations). The authors noted that actions such as dropping selfish nodes' packets solely on the basis of one node's own observation of its neighbor nodes could not effectively punish selfish nodes. They therefore proposed that all the nodes share the reputation information and punish selfish nodes together.

In SORI, each node keeps a list of neighbor nodes discovered from overheard packets, including the number of packets requested for forwarding and the number of packets forwarded. The local evaluation record includes two entries: the ratio of the number of packets forwarded to the number of packets requested, and the confidence (equal to the number of packets forwarded). This reputation is propagated to all the one-hop neighbors. The overall evaluation record is computed using the local evaluation record, reported reputation values, and credibility, which is based on how many packets have been successfully forwarded. If the value of the overall evaluation record for a node is below a certain threshold, all the requests from that (selfish) node are dropped with probability (1
− combined overall evaluation record − δ), where δ is the margin value necessary to avoid a mutual retaliation situation. This is a very interesting, unique aspect of SORI, since punishment of misbehaving nodes is gradual, as opposed to the approach taken by most other schemes: setting a hard threshold point beyond which no interaction with the node takes place. In this way, SORI actively encourages packet forwarding and disciplines selfish behaviors.

The scheme was evaluated by simulation over DSR. SORI effectively gave an incentive to well-behaved nodes and punished selfish nodes in terms of throughput differentiation. Furthermore, the scheme also incurred no more than 8% of communication overhead compared with a nonincentive approach, which was a significant advantage.

Table 21.1 Comparison of one-layer reputation schemes (columns: reputation system; observations; reputation computation method; implicit evaluation of second-hand information; strengths and other notes)

Watchdog and Pathrater (over DSR) [21.4]
  Observations: observes if neighbor nodes forward packets; uses direct observations only
  Reputation computation method: starts at 0.5; increased for nodes in actively used paths; a selfish node is immediately ranked −100, and the source node is notified
  Implicit evaluation of second-hand information: not applicable (no indirect reputation)
  Strengths and other notes: likely the earliest work on reputation for MANET routing; only the source node is notified of selfish nodes, so communication overhead is small; avoids selfish nodes in path selection

CORE (over DSR) [21.5]
  Observations: observes packet forwarding and routing functions; uses both direct and indirect observations
  Reputation computation method: starts null; increased on observed good behavior and reported positive reputation; decreased on directly observed misbehavior; global reputation includes subjective, indirect, and functional reputations
  Implicit evaluation of second-hand information: smaller weight given to indirect reputation; indirect reputation can only be positive
  Strengths and other notes: flexible weights for functional areas; reputation communication is only among one-hop neighbors, so overhead is limited; avoids selfish nodes in route discovery

OCEAN (over DSR) [21.6]
  Observations: observes if neighbor nodes forward packets; uses direct observations only
  Reputation computation method: nodes start with a high reputation, which decreases on directly observed misbehavior
  Implicit evaluation of second-hand information: not applicable (no indirect reputation)
  Strengths and other notes: simple but effective approach in many cases; very small overhead since there are no indirect observations; second chance mechanism overcomes transient failures; avoids selfish nodes in path selection; rejects routing of selfish nodes

SORI (over DSR) [21.7]
  Observations: observes if neighbor nodes forward packets; increase/decrease on packet forwarding/drop
  Reputation computation method: reputation rating uses the rate of forwarded packets, the number of reported reputations, and the total number of forwarded packets
  Implicit evaluation of second-hand information: uses confidence, which is the total number of packets forwarded; assumes no reporting of false reputations
  Strengths and other notes: selfish nodes are punished probabilistically – their packets are dropped with probability inversely proportional to their reputations

LARS (over DSR) [21.1]
  Observations: observes if neighbor nodes forward packets; uses direct observations only
  Reputation computation method: reputation decreases on packet drop and increases on packet forwarding; selfish flag is set when reputation falls below a threshold, and a warning message is broadcast to k-hop neighbors
  Implicit evaluation of second-hand information: takes action upon a warning only when receiving warnings from at least m neighbors
  Strengths and other notes: simple; resilient to (m − 1) false accusations; very high overhead owing to the need to broadcast warnings to all k-hop neighbors

DSR Dynamic Source Routing, MANET mobile ad hoc network

21.2.5 LARS – Locally Aware Reputation System

Proposed by Hu and Burmester, LARS is a simple reputation system in which reputation values are derived only on the basis of direct observations [21.1]. It focuses on detecting selfish nodes that drop packets. Since it does not allow the exchange of second-hand reputation values, it essentially avoids false and inconsistent reputation ratings. Furthermore, it uses a simple yet effective mechanism to deal with false accusations, as described below.

In LARS, every network node keeps a reputation table. In the table, there is either a reputation value or a selfish flag associated with each of the neighbor nodes. As in most other schemes, the reputation value is increased when the node observes normal packet forwarding, and is decreased when it notices selfish packet-drop behavior. The selfish flag is set when the reputation value drops below a threshold. When a node declares a target node as selfish, it broadcasts a warning message to its k-hop neighbors. A node will act on a warning message only if it has received warnings from at least m different neighbors concerning the same target node. When this happens, this node will then broadcast the same warning message to its own k-hop neighbors. This scheme thus tolerates up to m − 1 misbehaving neighbors that send out false accusations. The authors of [21.1] note that if there are at least m nodes in the neighborhood that all agree that a particular node is being selfish, there is a high probability that the conviction is true.

LARS was evaluated by simulation and compared with the standard DSR [21.8]. LARS achieved a significantly higher goodput (defined as the ratio between received and sent packets), and was resilient to a high percentage of selfish nodes, up to 75%. We observed, however, that even though LARS computed reputations only on the basis of direct observations, it still required each node to broadcast warning messages to k-hop neighbors to declare a selfish node. This would undoubtedly incur a very high message overhead when the ratio of selfish nodes was high.

21.2.6 Comparison of One-Layer Reputation Systems

In this section, we summarize and compare the five one-layer reputation systems described so far, as shown in Table 21.1. For each scheme, we highlight the type of observations, reputation computing method, implicit evaluation of second-hand information (if any), strengths, and other notes (such
as special features or weaknesses).

21.3 Two-Layer Reputation Systems (with Trust)

In this section, we describe reputation systems that take into account both first- and second-hand observations of network nodes and compute the trust of second-hand information. Arranged in chronological order, we present four representative proposals: CONFIDANT [21.10, 11], TAODV [21.12], SAFE [21.13], and cooperative, reliable AODV [21.14].

21.3.1 CONFIDANT – Cooperation of Nodes: Fairness in Dynamic Ad Hoc Networks

CONFIDANT, by Buchegger and Le Boudec [21.10, 11], is most likely the first reputation system with a trust mechanism introduced for MANET routing. CONFIDANT was proposed with two main objectives: (1) making use of all the reputations (both first-hand and second-hand) available while coping with false disseminated information, and (2) making denial of cooperation unattractive by detecting and isolating misbehaving nodes.

To achieve these two objectives, CONFIDANT uses four components for its trust architecture within each node: the Monitor, the Trust Manager, the Reputation System, and the Path Manager, as illustrated by the finite-state machine shown in Fig. 21.1. The Monitor component, similar to WDs, locally listens to packet forwarding from neighbor nodes to detect any deviating behaviors. The Trust Manager deals with outgoing and incoming ALARM messages. Each such ALARM message is sent by some Trust Manager to warn others of malicious nodes. The Trust Manager checks the source of an ALARM to see if it is trustworthy before applying the information to the target node's reputation. If the source node is not trustable, a deviation test is performed on the information received. The information is applied to the target node's reputation only if it matches the node's own reputation record of the target node.

Fig. 21.1 CONFIDANT finite-state machine (figure not reproduced; the states and transitions labeled in it are: initial state, monitoring, event detected, not significant, significant event, updating event count, threshold exceeded, below threshold, not enough evidence, evaluating trust, trusted, not trusted, updating ALARM table, evaluating alarm, ALARM received, sending ALARM, within tolerance, tolerance exceeded, rating, managing path; the component labels shown are MONITOR and PATH MANAGER)

The Reputation System manages node rating. A rating is changed only when there is sufficient evidence of malicious behavior. More specifically, a rating is changed according to a weighted combination of direct, indirect, and other reported observations, ordered in decreasing weights. Furthermore, past observations have less weight than the current one. In this way, a node can recover from its accidental misbehaviors by acting correctly in the system. This fading mechanism encourages positive behavior. Finally, the Path Manager ranks paths according to reputations, deletes paths containing malicious nodes, and handles route requests from malicious nodes.

Like all the schemes described in the previous section, CONFIDANT was applied to DSR. Its performance was compared with that of the standard DSR via computer simulation. The simulation results showed that CONFIDANT performs significantly better than (defenseless) DSR while introducing only a small overhead for extra message exchanges; the ratio of the number of ALARM messages to the number of other control messages was 1–2%. Its advantageous performance was resilient to node mobility, and degraded only when the percentage of malicious nodes was very high (80% or beyond). To conclude, CONFIDANT is a relatively strong protocol which successfully introduced the mechanism of trust into MANET routing.

21.3.2 TAODV – Trusted AODV

All the schemes described earlier, including the five in Sect. 21.2 and CONFIDANT, have focused on DSR [21.8]. They are either explicitly designed for DSR, or applied their reputation systems to DSR. TAODV [21.12] was proposed by Li et al. Theirs is likely the first work that applied reputation and trust to AODV [21.15], a routing mechanism that is more popular among practical wireless networks than DSR.

The TAODV framework consists of three main modules: the basic AODV, a trust model, and the trusted AODV. The trust model uses a three-dimensional metric called opinion that is derived from subjective logic. An opinion includes three components: belief, disbelief, and uncertainty; the sum of the three always equals 1. Each of these three components is a function of the positive and negative evidence collected by a node about a neighbor node's trustworthiness. These three components in turn form a second-hand opinion (through discounting combination) and opinion uncertainty (through consensus combination). The framework of TAODV is shown in Fig. 21.2.

Fig. 21.2 Framework of the trusted AODV (figure not reproduced; the blocks labeled in it are: basic AODV routing protocol; trust model; trusted AODV routing protocol; trust recommendation; trust combination; trust judging; trust updating; cryptography routing protocol; trusted routing protocol)

The trusted AODV routing protocol is built on top of AODV and the trust model described above. The protocol contains six procedures: trust recommendation, trust combination, trust judging, cryptography routing protocol, trusted routing protocol, and trust updating. The trust recommendation procedure uses three new types of messages, the trust request message (TREQ), the trust reply message (TREP), and the trust warning message (TWARN), to exchange trust recommendations. The trust combination procedure has been summarized above. The trust judging procedure follows criteria for judging trustworthiness that are based on the three-dimensional opinion, and takes actions accordingly. The trusted routing protocol implements trusted route discovery and trusted route maintenance according to the opinions of each node in the route.

This work [21.12] did not include any performance evaluation. However, the authors claimed that, using an opinion threshold, nodes can flexibly choose whether and how to perform
cryptographic operations. This eliminates the need to request and verify certificates at every routing operation. TAODV is therefore more lightweight than other designs that are based on strict cryptography and authentication.

21.3.3 SAFE: Securing Packet Forwarding in Ad Hoc Networks

The SAFE scheme was proposed by Rehahi et al. [21.13]. It addressed malicious packet dropping and DoS attacks on MANET routing. Like CONFIDANT, it also combined reputation and trust, and used DSR as the underlying protocol. SAFE builds reputation and trust through an entity, the SAFE agent, which runs on every network node. Figure 21.3 shows the architecture of a SAFE agent, which comprises the following functionalities: Monitor, Filter, Reputation Manager, and Reputation Repository, briefly described below.

The Monitor observes packet emission in the node's neighborhood, and keeps track of the ratio of forwarded packets (versus the total number of packets to be forwarded) for each neighbor node. The monitoring results are regularly communicated to the Reputation Manager. The Filter determines whether an incoming packet contains a reputation header, added by SAFE to facilitate the exchange of reputation information between SAFE agents. Only packets with the reputation header are forwarded to the Reputation Manager.

Fig. 21.3 The SAFE agent architecture (figure not reproduced; it shows the Filter, the Monitor, the Reputation repository, and the Reputation manager with its reputation gathering, reputation computing, and reputation updating functions)

The Reputation Manager is the main component of the SAFE agent. It gathers, computes, and updates reputation information regarding its neighborhood. Reputation is computed using both direct monitoring and accusations (second-hand, negative reputation information broadcast by an observing node). When an accusation is received, the node queries its neighborhood about the target node of the accusation. If the number of responding accusations received is larger than a threshold value, the accusation becomes valid, and the reputation of the target node is updated according to the total number of accusations received. The last functional unit of the SAFE agent is the Reputation Repository, which stores all the computed reputation values. Each reputation is associated with a time-to-live value that indicates the time for which the entry is valid; expired entries are removed from the repository.

The performance of SAFE was evaluated through simulation and compared with that of DSR. The results showed that it effectively detected malicious nodes (that drop packets and cause DoS attacks) and reduced the number of dropped packets. SAFE, however, needed twice as many (or even more) routing control packets; this appeared to be its major drawback.

21.3.4 Cooperative and Reliable Packet Forwarding on Top of AODV

Recall that all of the systems discussed above, except TAODV (described in Sect. 21.3.2), focused on DSR. Cooperative and reliable packet forwarding on top of AODV, proposed by Anker et al. [21.14], is the second work that designed a reputation system for AODV [21.15]. One important feature of this work is that, unlike most previous solutions that combined direct and indirect information into a single rating value to classify nodes, this work incorporated direct and indirect information into three variables: total rating, positive actions, and negative actions. The goal is to consider the entire history of direct and indirect observations for node rating. Yet, as time progresses, the impact of old history diminishes. More specifically, a variable called direct rating (based on direct observations) is defined as a function of the recent positive and negative actions directly observed of a target node. Next, total rating is a function of direct rating, plus the directly and indirectly observed numbers of positive and negative actions. Nodes are therefore classified (evaluated) by a combination of total rating and the total number of (both direct and indirect) positive and negative observations. In this way, two nodes with the same total rating are classified differently if they have different histories. Furthermore, this work does not hold rating information for nodes that are more than one hop away.

The authors of [21.14] use trust, or trustworthiness, to deal with false rating information. They view trust as "the amount of recent belief on the target node," and define it to be a simple function of both true and false reports recently received about the target node. Finally, for path selection, a greedy strategy is adopted, which selects the most reliable next hop that a node knows of on the path. The authors claimed that, in the absence of cooperation among malicious nodes, this strategy maximizes path reliability in terms of the probability that packets will be correctly forwarded.

For performance evaluation, this work compared its own proposed solution with the original AODV [21.15] and with AODV using only first-hand observations. It simulated three types of misbehaviors: complete packet drops (black holes), partial packet drops (gray holes), and advanced liars (which lie strategically, sometimes with small deviations and other times with completely false information). In general, the proposed system with both first- and second-hand information achieved higher throughput and experienced fewer packet drops; it also successfully prevented misbehaving nodes from routing and dropping packets. In a large network (of 500 nodes), the first-hand information scheme had a slight advantage in throughput. This showed that using the greedy approach (by considering only the first hop of the path) did not work very well in large networks; the cost of the reputation system (more transmissions) was also more apparent.

21.3.5 Comparison of Two-Layer Reputation Systems

In this subsection, we again summarize and compare all four two-layer reputation systems described so far, as shown in Table 21.2. For each scheme, we once more highlight the type of observations, reputation

Table 21.2 Comparison of two-layer reputation systems (columns: reputation system; observations; reputation computation; trust (evaluation of second-hand information); strengths and other notes)

CONFIDANT (over DSR) [21.10, 11]
  Observations: both direct observations (packet forwarding) and indirect observations (ALARMs)
  Reputation computation: start at highest reputation; rating changes by different weights upon packet drops, packet forwarding, and indirect observations
  Trust: uses a deviation test to evaluate and update the trust rating of the source node of indirect observations
  Strengths and other notes: likely the first reputation/trust system for MANET routing; the ALARM message provides a way of communicating indirect negative reputations; chooses routes with nodes of high reputation; avoids paths containing selfish/malicious nodes

TAODV (over AODV) [21.12]
  Observations: direct observations of positive/negative events (i.e., successful/failed communications); opinions passed to neighbor nodes to form indirect opinions
  Reputation computation: no explicit reputation; uses a 3-dimensional metric called opinion (belief, disbelief, and uncertainty), each component based on both positive and negative observations
  Trust: the 3-dimensional opinion is used to evaluate the trustworthiness between any two nodes; these, along with direct observations, form indirect opinions
  Strengths and other notes: likely the first work applying reputation to AODV; lightweight, as it avoids mandatory cryptographic operations – they are performed only on low trust (opinion) between nodes

SAFE (over DSR) [21.13]
  Observations: direct observations (rate of forwarded packets) and accusations (negative indirect observations)
  Reputation computation: start with a value slightly above the threshold; reputation values are computed on the basis of direct observations and accusations
  Trust: queries the neighborhood when receiving an accusation, and adjusts reputation only after receiving sufficient accusations against the same target node; other neighbors' opinions are considered to ensure trustworthiness of accusations
  Strengths and other notes: Gives second
chance to malicious nodes, but allows them to be discarded more easily if they misbehave Queries on accusations require very high overhead Cooperative, reliable AODV (over AODV) [21.14] Direct and indirect observations of recent positive and negative events, and the number of direct and indirect observations Reputation includes direct rating, positive and negative actions, and total rating, which considers the entire history of observations Trust is viewed as the amount of recent belief and is a function of recently received true and false reports Takes history and the number of observations into account Uses greedy approach for path selection which does not perform well in large networks having long paths ... 422 22 .1 .2 Types of Attacks 423 22 .2 Security Challenges in the Operational Layers of Ad Hoc Networks 424 22 .2. 1 Data Link Layer 424 22 .2. 2... (Sect 22 .4.1) ISO/IEC 9798 -2 (AES) (Sect 22 .4.1) (ISO/IEC 9798-4, MD5-MAC) 20 .14 (ISO/IEC 9798 -2, AES) 43 .22 (ISO/IEC 9798-4, MD5-MAC) 20 .14 (ISO/IEC 9798 -2, AES) 43 .22 2 NS-RSA (Sect 22 .4 .2) (NS-RSA)... networks, IEEE International 22 .13 22 .14 22 .15 22 .16 22 .17 22 .18 22 .19 22 .20 22 .21 Conference on Communications (ICC’08), 19 23 May 20 08 (20 08) 1464–1468 J Dwoskin, D Xu, J Huang, M Chiang, R
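The SAFE agent described in Sect. 21.3.3 (Monitor, Filter, Reputation Manager, Reputation Repository) can be modelled in a few dozen lines. The following is an added example, not code from [21.13] or from this chapter: the numeric parameters (initial reputation of 0.6, threshold of 0.5, accusation quorum, penalty per accusation, entry time-to-live) and the update rules are assumptions chosen for illustration. It shows the two properties the text stresses: an accusation only changes a reputation once enough neighbors confirm it when queried, and an entry expires after its time-to-live, which is what gives a node a second chance.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# All numeric parameters are assumptions for illustration; [21.13] is not quoted here.
INITIAL_REPUTATION = 0.6   # new neighbors start "slightly above the threshold"
THRESHOLD = 0.5            # below this a neighbor is treated as misbehaving
ACCUSATION_QUORUM = 1      # an accusation is valid only if MORE than this many neighbors confirm it
ACCUSATION_PENALTY = 0.1   # reputation lost per accusation once the accusation is valid
ENTRY_TTL = 30.0           # seconds a repository entry stays valid


@dataclass
class Entry:
    value: float
    expires_at: float


class SafeAgent:
    """Monitor, Filter, Reputation Manager and Reputation Repository of one node."""

    def __init__(self, node_id: str) -> None:
        self.node_id = node_id
        self.now = 0.0
        self.repository: Dict[str, Entry] = {}
        self.forwarded: Dict[str, int] = {}     # Monitor: packets a neighbor did forward
        self.expected: Dict[str, int] = {}      # Monitor: packets it should have forwarded
        self.neighbors: List["SafeAgent"] = []  # agents that answer our accusation queries

    # --- Monitor ---
    def observe(self, neighbor: str, forwarded: bool) -> None:
        self.expected[neighbor] = self.expected.get(neighbor, 0) + 1
        if forwarded:
            self.forwarded[neighbor] = self.forwarded.get(neighbor, 0) + 1

    def forwarding_ratio(self, neighbor: str) -> float:
        expected = self.expected.get(neighbor, 0)
        return 1.0 if expected == 0 else self.forwarded.get(neighbor, 0) / expected

    def report_monitoring(self) -> None:
        """Monitor -> Reputation Manager: blend each forwarding ratio into the stored
        reputation (equal-weight smoothing is an assumed update rule)."""
        for neighbor in list(self.expected):
            self._store(neighbor, (self.reputation(neighbor) + self.forwarding_ratio(neighbor)) / 2)

    # --- Filter ---
    def receive_packet(self, packet: dict) -> Optional[bool]:
        """Only packets carrying a reputation header reach the Reputation Manager.
        Returns None for ordinary packets, else whether the accusation was validated."""
        header = packet.get("reputation_header")
        if header is None:
            return None
        return self.handle_accusation(header["accuser"], header["target"])

    # --- Reputation Manager ---
    def handle_accusation(self, accuser: str, target: str) -> bool:
        """Query the neighborhood; the accusation counts only if enough others confirm it."""
        confirmations = sum(
            1 for n in self.neighbors if n.node_id != accuser and n.would_accuse(target))
        if confirmations <= ACCUSATION_QUORUM:
            return False                      # a lone (possibly false) accuser changes nothing
        total_accusations = 1 + confirmations
        self._store(target, self.reputation(target) - ACCUSATION_PENALTY * total_accusations)
        return True

    def would_accuse(self, target: str) -> bool:
        """Answer a neighbor's query from our own monitoring only."""
        return target in self.expected and self.forwarding_ratio(target) < THRESHOLD

    def is_trusted(self, target: str) -> bool:
        return self.reputation(target) >= THRESHOLD

    # --- Reputation Repository ---
    def reputation(self, target: str) -> float:
        self._purge()
        entry = self.repository.get(target)
        return INITIAL_REPUTATION if entry is None else entry.value

    def _store(self, target: str, value: float) -> None:
        self.repository[target] = Entry(min(1.0, max(0.0, value)), self.now + ENTRY_TTL)

    def _purge(self) -> None:
        for node, entry in list(self.repository.items()):
            if entry.expires_at <= self.now:
                del self.repository[node]

    def tick(self, seconds: float) -> None:
        self.now += seconds
        self._purge()


def demo() -> dict:
    """Constructed scenario: A's neighbors B, C, D monitor target T; A itself does not."""
    a, b, c, d = (SafeAgent(x) for x in "ABCD")
    a.neighbors = [b, c, d]
    accusation = {"reputation_header": {"accuser": "B", "target": "T"}}
    for agent in (b, c, d):
        for _ in range(10):
            agent.observe("T", forwarded=True)       # T behaves; B accuses it anyway
    out = {"no_header": a.receive_packet({"payload": "data"}),
           "lone_valid": a.receive_packet(accusation)}
    out["rep_after_lone"] = a.reputation("T")
    for agent in (b, c):
        for _ in range(20):
            agent.observe("T", forwarded=False)      # now only B and C see T dropping
    out["single_confirm_valid"] = a.receive_packet(accusation)
    for _ in range(20):
        d.observe("T", forwarded=False)              # D sees it too: quorum reached
    out["quorum_valid"] = a.receive_packet(accusation)
    out["rep_after_quorum"] = a.reputation("T")
    out["trusted_after_quorum"] = a.is_trusted("T")
    a.tick(ENTRY_TTL + 1)                            # entry expires: second chance
    out["rep_after_ttl"] = a.reputation("T")
    return out
```

The constructed scenario in `demo()` walks through the cases in order: a packet without the reputation header never reaches the Reputation Manager, a lone accusation against a well-behaved node is rejected after the neighborhood query, a single confirmation is still below the quorum, two confirmations validate the accusation and push the reputation below the threshold (the penalty grows with the total number of accusations), and once the entry's time-to-live passes the node is back at its initial value. The query fan-out in `handle_accusation` is also where the control-packet overhead the text mentions comes from: every accusation costs one round of messages to every neighbor.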
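The rating design of Sect. 21.3.4 (direct rating from recent direct observations, total rating that keeps the entire history of positive and negative actions, trust in reporters from true and false reports, greedy next-hop choice) is illustrated by the following added example. It is not the code or the functions of [21.14]; the decay factor, the minimum history needed before a node is classified, the rating threshold, the equal-weight combination in `total_rating`, and the rule that judges a second-hand report true or false against the node's own direct view are all assumptions. The constructed scenario shows the two points the text makes: two nodes with the same total rating are classified differently when their histories differ, and old misbehavior fades from the direct rating while it still weighs on the total rating.

```python
from dataclasses import dataclass
from typing import Dict, Iterable

# Assumed parameters; the chapter does not give the actual functions used in [21.14].
DECAY = 0.9             # per-epoch decay of recent direct counts: old history fades from direct rating
MIN_HISTORY = 10.0      # observations needed before a node is classified at all
RATING_THRESHOLD = 0.6  # total rating at or above which a node counts as reliable
DEFAULT_RATING = 0.5    # rating assumed for a node with no observations
PRIOR_TRUST = 0.5       # trust in a reporter we have no report history for


@dataclass
class Record:
    recent_pos: float = 0.0   # recent direct observations (decayed) -> direct rating
    recent_neg: float = 0.0
    pos_actions: float = 0.0  # entire history: direct + trust-weighted indirect
    neg_actions: float = 0.0

    @property
    def direct_rating(self) -> float:
        seen = self.recent_pos + self.recent_neg
        return DEFAULT_RATING if seen == 0 else self.recent_pos / seen

    @property
    def observations(self) -> float:
        return self.pos_actions + self.neg_actions

    @property
    def total_rating(self) -> float:
        # Assumed combination: recent behaviour and whole-history ratio, equal weight.
        if self.observations == 0:
            return self.direct_rating
        return 0.5 * self.direct_rating + 0.5 * self.pos_actions / self.observations


class RatingTable:
    """Ratings a node keeps for its one-hop neighbors only."""

    def __init__(self) -> None:
        self.records: Dict[str, Record] = {}
        self.true_reports: Dict[str, float] = {}
        self.false_reports: Dict[str, float] = {}

    def _rec(self, node: str) -> Record:
        return self.records.setdefault(node, Record())

    def direct_observe(self, target: str, success: bool) -> None:
        r = self._rec(target)
        if success:
            r.recent_pos += 1
            r.pos_actions += 1
        else:
            r.recent_neg += 1
            r.neg_actions += 1

    def age(self, epochs: int = 1) -> None:
        """Advance time: recent direct counts decay, whole-history counts do not."""
        for r in self.records.values():
            r.recent_pos *= DECAY ** epochs
            r.recent_neg *= DECAY ** epochs

    def trust(self, reporter: str) -> float:
        """Recent belief in a reporter: share of its reports we judged true."""
        t = self.true_reports.get(reporter, 0.0)
        f = self.false_reports.get(reporter, 0.0)
        return PRIOR_TRUST if t + f == 0 else t / (t + f)

    def indirect_report(self, reporter: str, target: str, success: bool) -> None:
        """Second-hand observation, weighted by trust in the reporter; afterwards the
        report is judged true/false against our own direct view of the target (assumed rule)."""
        weight = self.trust(reporter)
        r = self._rec(target)
        if success:
            r.pos_actions += weight
        else:
            r.neg_actions += weight
        if r.recent_pos + r.recent_neg > 0:      # we can only judge nodes we observe ourselves
            consistent = success == (r.direct_rating >= DEFAULT_RATING)
            bucket = self.true_reports if consistent else self.false_reports
            bucket[reporter] = bucket.get(reporter, 0.0) + 1

    def classify(self, target: str) -> str:
        r = self._rec(target)
        if r.observations < MIN_HISTORY:
            return "unknown"
        return "reliable" if r.total_rating >= RATING_THRESHOLD else "misbehaving"

    def greedy_next_hop(self, candidates: Iterable[str]) -> str:
        """Pick the most reliable known next hop; misbehaving nodes are never chosen."""
        usable = [c for c in candidates if self.classify(c) != "misbehaving"]
        if not usable:
            raise ValueError("no usable next hop")
        return max(usable, key=lambda c: (self._rec(c).total_rating, self._rec(c).observations))


def demo() -> dict:
    """Constructed scenario for the points made in Sect. 21.3.4."""
    t = RatingTable()
    for _ in range(20):
        t.direct_observe("X", True)     # long, clean history
    for _ in range(2):
        t.direct_observe("Y", True)     # same direct/total rating as X, short history
    for _ in range(20):
        t.direct_observe("Z", False)    # misbehaved a long time ago ...
    t.age(30)
    for _ in range(5):
        t.direct_observe("Z", True)     # ... and behaves well lately
    t.indirect_report("R", "Y", success=False)   # contradicts what we see: false report
    t.indirect_report("S", "Y", success=True)    # consistent with what we see: true report
    return {"class_X": t.classify("X"), "class_Y": t.classify("Y"), "class_Z": t.classify("Z"),
            "direct_Z": t.records["Z"].direct_rating, "total_Z": t.records["Z"].total_rating,
            "trust_R": t.trust("R"), "trust_S": t.trust("S"),
            "next_hop": t.greedy_next_hop(["X", "Y", "Z"])}
```

In the scenario, X and Y both have a perfect direct rating, but only X has enough history to be classified as reliable; Z's recent good behaviour gives it a high direct rating, yet its total rating, which still carries the 20 old failures, keeps it out of the greedy next-hop choice. The reporter R, whose report contradicts the node's own observation of Y, ends up with zero trust, so any further reports from R carry no weight in `indirect_report`. Because the table holds one-hop neighbors only, `greedy_next_hop` can judge just the first hop of a path, which is the limitation the text notes for long paths in large networks.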