DETECTING MALICIOUS PACKET DROPPING USING TRAFFIC PATTERNS IN MANET

Ad hoc networks are gaining presence with the proliferation of cheap wireless devices and the need to keep them connected. Individual applications and larger missions, such as those of tactical sensor networks, require secure data transmission among wireless devices. Security remains a major challenge for such networks. Current protocols employ encryption and authentication techniques for secure message exchange, but given the limitations and innately insecure nature of ad hoc networks, such mechanisms may not suffice. A security breach can, for example, be a network-level denial-of-service (DoS) attack, passive eavesdropping, or physical-layer jamming to degrade communication channels. In a multihop network, an intruder node can degrade communication quality by simply dropping packets that are meant to be relayed (forwarded). The network could then misinterpret the cause of packet loss as congestion instead of malicious activity. In this paper, we suggest that traffic transmission patterns be selected to facilitate verification by a receiver. Such traffic patterns are used in concert with a suboptimal MAC that preserves the statistical regularity from hop to hop. This general technique for intrusion detection is therefore suitable for networks that are not bandwidth limited but have strict security requirements, e.g., certain kinds of tactical sensor networks.


INTRODUCTION
Ad hoc networks can be defined as dynamic networks of wireless devices that have no a priori infrastructure support. The devices in ad hoc networks, referred to herein as "nodes", dynamically establish connections when they are in radio range of each other. Nodes in radio range exchange information directly, but nodes out of radio range depend on intermediate nodes to forward their packets. Thus, nodes can simultaneously act as sources, sinks and relays for packets. Ad hoc networks are employed in, for example, emergency response (disaster relief) and tactical battlefield environments including mission-customized mobile wireless sensor networks.
Resource-efficient routing for mobile multihop ad hoc networks has been a major area of research [1-6]. More recently, secure packet routing protocols have been proposed [10][11][12]. Certain routing issues can be resolved by encrypting the routing information. Encryption requires private keys or hash functions that are known only to the receiver and sender, requiring, in turn, a mechanism for secure key distribution. In some cases, it is possible to assign private symmetric keys to each pair of nodes before they are deployed in the field. Secure key distribution would, of course, be required in more dynamic deployment situations.
One approach to secure exchange of symmetric private keys is a public key encryption system [15]. Each node is assigned a public key known to all nodes and a private key known only to the node under consideration. Nodes can employ the more complex public key encryption to exchange keys and continue future communication using private symmetric keys. In turn, private keys can be used to exchange less computationally complex symmetric hash functions. The Internet's public key system employs a certification authority that authenticates user identities by issuing digital certificates for use in the public key distribution process. Similar systems for key management and distribution have been proposed for ad hoc networks [7,8]. In the following, we assume that key management and key distribution issues are resolved.
There are ways of undermining the communication of the network that data encryption alone cannot mitigate. Since nodes depend on intermediates to relay packets, an intruder node can disrupt a session for which it is a relay by simply dropping packets on a regular basis instead of forwarding them. The end nodes can easily mistake the cause of the resulting packet loss as congestion.
This issue was previously examined for TCP connections in the Internet [13].
We propose to control the traffic transmission pattern of the source node such that it is possible for the destination node to gain information about the actual congestion at an intermediate relay node from the statistics of interpacket arrival times. Such traffic patterns will be used in concert with certain medium access control (MAC) mechanisms that preserve statistical properties of the traffic from hop to hop. Clearly, under such mechanisms, optimal throughput levels for the ad hoc network cannot be reached. Therefore, our proposed approach is applicable to situations where defense against hijacked nodes is important or where the network has low traffic volume, i.e., the network is not bandwidth limited. Examples include certain kinds of tactical networks of sensors that individually generate little traffic volume, e.g., temperature or wind direction readings or target identification. Individual sensors that substantially process and compress data (video, audio, etc.) may also fall into this category because the resulting traffic generated will only amount to the alerts and commands associated with target tracking missions (however, this traffic will be latency critical).
R. Rao, G. Kesidis Detecting malicious packet dropping using traffic patterns in MANET
The balance of this paper is organized as follows. In Section 2, we discuss a specific network model designed to help a receiver detect any abnormally high amount of packet loss and specify the decision rules. Section 3 explains the simulation setup and presents the simulation results. Conclusions are drawn in Section 4.

NETWORK MODEL
We consider an ad hoc network model with multihop routes. Intermediate nodes receive packets and forward them to destination nodes based on the destination addresses in the packet headers. If an intermediate node is hijacked, it can drop packets at random to degrade communication. This activity may drastically reduce the effective communication bandwidth of the network. The sender and receiver can easily mistake the cause of missing packets for network congestion. The only way that malicious packet dropping can be detected is by finding the true level of congestion at the intruder node. Furthermore, only a non-compromised node in radio range of an "intermediate" (potentially hijacked) node experiencing higher than normal packet loss can monitor traffic flow to help determine the true level of congestion at the intermediate node. Nodes A and C share a symmetric key (or hash function) to encrypt the packet payloads as necessary. Packet sequence numbers for the session and source (A) and destination (C) addresses are encrypted and stored in each packet header. Of course, the destination address is present unencrypted to enable basic packet forwarding. Node B is the intermediate traffic node forwarding the packets and is also an intruder (hijacked) node that drops packets at random. Note that node B cannot change the packet sequence number as it is encrypted.
We further assume that B is a bottleneck node. So, even if B does maliciously drop packets, A must still forward through B to get to C in the short term, i.e., before mobility and other environmental conditions create an alternative path to C that can be used by the distributed routing algorithm in place.
Suppose node A transmits packets according to a Poisson process at an average rate of $\lambda$ packets/s. The packet length is assumed to be constant. The aggregate arrival process to B has rate $\Lambda \geq \lambda$. All the flows transmitting to node B follow a Poisson process. Thus the total flow rate is also Poisson with mean rate $\Lambda$. The mean service rate of node B is $\mu$ packets/s. For stability we assume $\mu > \Lambda$. We assume all nodes receiving packets from node B are aware of the buffer size ($K$ packets) of node B. Finally, we assume that node B participates in an ALOHA-type (exponential backoff) medium access mechanism so that the packet arrival and departure processes of B are Poisson.

GROUNDS FOR SUSPICION
Let the sequence number of the $i$-th packet received by C be $r(i)$ and the time of its arrival to C be $T_{r(i)}$. The first packet arrives at time $T_1$ (the implicit assumption $r(1) = 1$ can be relaxed). Node C estimates $\lambda$ using the following equation. (1) The sequence number $r(i)$ also includes packets lost in transmission. Therefore, $r(i) \geq i$. Despite the fact that $T_{r(i)}$ does not necessarily give the time of arrival of the $i$-th packet, (1) still gives an unbiased estimator for the arrival rate $\lambda$ at the destination node for a general stationary model of the network buffer. Since node C keeps track of the actual sequence numbers of the packets constituting its session with C, it is aware of packets lost during transmission.
The number of packets lost at time $T_{r(i)}$ is given by $r(i) - i$. The empirical probability of packets lost is given by
Node C knows the buffer capacity of the queue at node B is $K$ and the queue's average service rate is $\mu$ packets/s. We assume that the total traffic arriving at node B is also known to C, cf. Section 2.3. Using the estimated $\lambda$ and the above assumptions, node C can estimate the probability of packet loss due to buffer overflow (i.e., natural congestion) using the rule that Poisson arrivals see time averages (PASTA) [9]:
From PASTA, the probability that a Poisson arrival will see the system in state I is also given by (3a). Thus packets arriving at the queue see the system in state I with probability given by (3a). The probability that arriving packets find the buffer full (queue length = $K$) is given by
This is also the probability that a packet arriving at the queue is dropped. Since all the flows to the queue system are Poisson, the sum also being Poisson, the probability that a packet from a particular flow of rate $\lambda$ is dropped is given by the fraction of the total flow rate, i.e.
This is equation (3). To make such a comparison statistically significant, the measured confidences node C has in these estimates, i.e., the sample standard deviations a and d ,. , need to be involved. Node C can therefore deem the intermediate node B to be an intruder if the confidence "intervals" do not overlap, i.e., if (4) for a fixed constant $\alpha$ ~ 1 typically.
Clearly, it is desirable to apply the test (4) only if there is sufficient confidence in the individual estimates, i.e., only if the relative errors (5) are sufficiently small (significantly less than 1). In our simulation results, however, we apply test (4) on a packet-by-packet basis to study the performance of our detection mechanism as a function of the number of received packets.
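The decision procedure above for the single-flow case (total load at B equal to the session's rate), as an added Python example that is not code from the paper. The forms used for estimator (1), the empirical loss ratio and the standard deviations in test (4) are assumptions, because those equations are not reproduced on this page; the function names and both traces are constructed for illustration.

```python
import math

def blocking_probability(rate, mu, K):
    """M/M/1/K loss: chance a Poisson arrival finds all K buffer slots full (PASTA)."""
    rho = rate / mu
    if math.isclose(rho, 1.0):
        return 1.0 / (K + 1)
    return (1 - rho) * rho**K / (1 - rho**(K + 1))

def assess_relay(trace, mu, K, alpha=1.0):
    """trace: (sequence number, arrival time) of each packet received by C, in order."""
    i = len(trace)
    (r_1, t_1), (r_i, t_i) = trace[0], trace[-1]
    sent = r_i - r_1 + 1                      # packets A emitted in the window
    rate_hat = (r_i - r_1) / (t_i - t_1)      # assumed form of estimator (1)
    p_emp = (sent - i) / sent                 # r(i) - i lost packets, as a ratio
    # Assumed standard deviations: binomial error on the loss ratio and
    # rate/sqrt(n) for a Poisson rate estimated from n packets.
    sd_emp = math.sqrt(p_emp * (1 - p_emp) / sent)
    sd_rate = rate_hat / math.sqrt(sent)
    p_cong = blocking_probability(rate_hat, mu, K)
    p_cong_hi = blocking_probability(rate_hat + alpha * sd_rate, mu, K)
    return {
        "rate_hat": rate_hat, "p_emp": p_emp, "p_cong": p_cong,
        # Relative error of the loss estimate; the test is meaningful only when small.
        "rel_err": sd_emp / p_emp if p_emp else math.inf,
        # Test (4), one-sided: the intervals around the two loss figures do not overlap.
        "intruder": p_emp - alpha * sd_emp > p_cong_hi,
    }

def constructed_trace(n_sent, rate, drop_every):
    """Constructed sample input: evenly paced packets, every drop_every-th one lost."""
    return [(s, s / rate) for s in range(1, n_sent + 1) if s % drop_every]

if __name__ == "__main__":
    MU, K = 10.0, 10                          # B's service rate and buffer size
    for label, every in (("~5% loss", 20), ("~25% loss", 4)):
        print(label, assess_relay(constructed_trace(2000, 9.0, every), MU, K))
```

At traffic intensity 0.9 with a 10-packet buffer, congestion alone accounts for about 5% loss, so the first trace is consistent with an honest relay while the second is not.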
Note that if computation costs of sample standard deviations are too high for the nodes, an alternative test for (4)
If node C suspects that an intermediate node B is maliciously dropping packets where node B is handling multiple flows, then C needs to ascertain the true total traffic load $\Lambda$ that B is experiencing. To do this, we propose the following protocol initiated by C.
Node C dispatches a message to B requesting that B contact all of its tributaries to request that they send a message to C containing their recent traffic transmission rate to B. This information will be sent in both unencrypted and encrypted format, the latter using the symmetric private keys shared by C and the tributaries of B. Upon receipt of these messages from the tributaries of B, C will authenticate each one and tally the component transmission rates to obtain $\Lambda$.
Note that many of the tributaries of the suspect intermediate node B may need to use B itself to communicate with node C. However, note that it is in the best interest of the intermediate node B to honestly cooperate with C's investigation; otherwise C may underestimate the total load on B and therefore be more likely to conclude that B is maliciously dropping. Clearly, we are assuming throughout that the intermediate node B is not aware of the private keys of any other nodes, in particular those of its tributaries, so that it cannot spoof any other node. Also, we assume that no two proximal nodes have been hijacked and are cooperating to undermine communication in the network.
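Node C's side of the load-reporting protocol above, as an added Python example that is not code from the paper. It substitutes an HMAC-SHA256 tag for the encrypted copy of each report (a swapped-in way to authenticate with the shared symmetric key); the message layout, function names, node names and keys are constructed assumptions.

```python
import hashlib
import hmac
import json

def make_report(node_id, rate, key):
    """Tributary side: cleartext rate plus a tag only holders of the key can compute."""
    body = json.dumps({"node": node_id, "rate": rate}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def tally_reports(reports, keys):
    """Node C: authenticate each report, sum the valid rates, list rejected senders."""
    total, rejected, seen = 0.0, [], set()
    for rep in reports:
        try:
            claim = json.loads(rep["body"])
            node, key = claim["node"], keys[claim["node"]]
        except (KeyError, ValueError, TypeError):
            rejected.append(None)             # unparseable, or no key shared with C
            continue
        expected = hmac.new(key, rep["body"].encode(), hashlib.sha256).hexdigest()
        supplied = str(rep.get("tag", ""))
        valid = hmac.compare_digest(expected.encode(), supplied.encode())
        if node in seen or not valid:         # replayed or altered report
            rejected.append(node)
            continue
        seen.add(node)
        total += float(claim["rate"])
    return total, rejected

def demo():
    # Constructed keys, each shared only between C and one tributary of B.
    keys = {"D": b"constructed-key-D", "E": b"constructed-key-E"}
    reports = [make_report("D", 3.0, keys["D"]), make_report("E", 2.5, keys["E"])]
    # The same report with its cleartext rate changed while being relayed.
    altered = dict(reports[1], body=reports[1]["body"].replace("2.5", "6.5"))
    return tally_reports(reports, keys), tally_reports([reports[0], altered], keys)

if __name__ == "__main__":
    print(demo())
```

A rejected or missing report leaves the tally as a lower bound on the total load, which is the underestimate the paragraph above says works against B.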

FALSE ALARM AND MISDETECTION
The value of the fixed parameter $\alpha$ in the decision criterion (4) critically affects the detection performance. This performance is quantified by false alarm and misdetection rates. A false alarm occurs when an intruder is not present and equation (4) holds, i.e., the receiver concludes there is an intruder when there is none. Misdetection occurs when an intruder is present at B but (4) is false, i.e., the receiver fails to detect an intruder when one is present. Intuitively, the probability of false alarm is an increasing function of $\alpha$ but the probability of misdetection is a decreasing function of $\alpha$.
drop. This gives us the probability of false alarm. Here note that false alarm is negligible for any given number of packets.

SIMULATION
The simulation model considers a single queue and single flow at node B as shown in Figure 2. The simulations were performed for different values of $\alpha$ and for a fixed value of traffic intensity ($\rho = \Lambda/\mu$). The achieved confidence interval is 95%, 19 times out of 20 [14].
The difficulty in detecting an intruder maliciously dropping packets increases with the traffic intensity. Therefore, we focus on the case $\rho = 0.9$. For lower values of traffic intensity, our detection strategy will perform better than reported below.

CONCLUSIONS
The plots in Section 3 show the dependence of false alarm and misdetection rates on the number of packets processed and the value of parameter $\alpha$ in the intruder decision rule (4). As the number of packets increases, the estimate of the loss probability improves. This is seen as the decrease in both the false alarm and misdetection probabilities. There is a trade-off, however, in the choice of the parameter $\alpha$: the probability of false alarm decreases with increasing $\alpha$, but the probability of misdetection increases with increasing $\alpha$. The value of $\alpha$ should be chosen according to any specified requirements on false alarm and misdetection rates.
Finally, we studied misdetection performance in the presence of model error in the medium access.