Elsevier

Computers & Security

Volume 29, Issue 2, March 2010, Pages 208-224

WARP: A wormhole-avoidance routing protocol by anomaly detection in mobile ad hoc networks

https://doi.org/10.1016/j.cose.2009.09.005

Abstract

The infrastructure of a Mobile Ad hoc Network (MANET) has no routers for routing, and all nodes must share the same routing protocol to assist each other when transmitting messages. However, almost all common routing protocols at present treat performance as the first priority, and have little defense capability against malicious nodes. Many studies have proposed various protocols of higher safety to defend against attacks; however, each has specific defense targets, and is unable to defend against particular attacks. Of all the types of attacks, the wormhole attack poses the greatest threat and is very difficult to prevent; therefore, this paper focuses on the wormhole attack, and proposes a secure routing protocol based on the AODV (Ad hoc On-demand Distance Vector) routing protocol, which is named WARP (Wormhole-Avoidance Routing Protocol). WARP considers link-disjoint multipaths during path discovery, and provides greater path selections to avoid malicious nodes, but eventually uses only one path to transmit data. Based on the characteristic that wormhole nodes can easily grab the route from the source node to the destination node, WARP enables the neighbors of the wormhole nodes to discover that the wormhole nodes have abnormal path attractions. Then, the wormhole nodes would be gradually isolated by their normal neighboring nodes, and finally be quarantined by the whole network.

Introduction

Of all possible methods of attack in Mobile Ad hoc Networks (MANETs), the wormhole attack is one of the most threatening and hazardous. A wormhole attack is usually performed by two or more malicious nodes in conspiracy. Two malicious nodes at different locations send received routing messages to each other via a secret channel. In this way, although the two malicious nodes are located far from each other, they appear to be within one-hop communication range. Therefore, the route passing through the malicious nodes is very likely to be shorter than any other regular one. Wormhole nodes can easily grab the route from the source node to the destination node, and then sniff, drop, or selectively drop the data packets passing by. Wormhole nodes can successfully execute such attacks without compromising any computer, and the attacks are unavoidable, even though some MANETs provide authenticity and confidentiality protection.

In a wormhole attack, malicious node m1 first captures a routing message from a neighboring node, and then sends the message to another malicious node, m2, by means of a secret tunnel; m2 then broadcasts or propagates the message received. In this way, a tunnel-like channel is formed between the two malicious nodes. Even though the tunnel spans a very long distance, other normal nodes may mistakenly think that it is only one hop long. The tunnel-like channel can be realized by two methods (Khalil et al., 2005): a packet-encapsulated channel and an out-of-band channel, as shown in Fig. 1(a) and (b), respectively.

The packet-encapsulated channel is also called an in-band channel: a malicious node puts a captured routing message in a data packet payload, and uses normal nodes to transmit the data packet to another malicious node. The malicious node receiving the data packet extracts the routing message from the packet payload and further broadcasts or propagates it. In this way, the hop count is reduced to increase the chance of grabbing a route, and as no field information is changed, neither Secure AODV (SAODV) (Zapata and Asokan, 2002), which can protect routing messages, nor Authenticated Routing for Ad hoc Networks (ARAN) (Sanzgiri et al., 2002), which can authenticate each neighbor, has any way of defending against attacks from an encapsulated channel. As shown in Fig. 1(a), a path is built in advance between the two malicious nodes, m1 and m2; s is the source node and d is the destination node. When s broadcasts a Route Request (RREQ), it is received by malicious node m1, which encapsulates the RREQ into the payload of a data packet and transmits it over the pre-built path between m1 and m2. After receiving the data packet, m2 extracts the original RREQ and broadcasts it until it reaches the destination node. As the path passing through the malicious nodes appears to save 4 hop counts and thus is shorter than the other two paths, node d would finally choose that path to respond with a Route Reply (RREP). In this way, the malicious nodes would seize the route over which data packets pass. The out-of-band channel method differs from packet encapsulation mainly in the type of tunnel-like channel. The special channel may be a wired network connection between the two malicious nodes, or a private channel between the two ends using high-powered transmission to send signals over a long distance, as shown in Fig. 1(b).
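The hop-count effect of the encapsulated channel described above can be reproduced on a small graph. This is an added example, not code from the paper: the topology is constructed (it is not Fig. 1), and breadth-first search is assumed as a stand-in for RREQ flooding with minimum-hop route selection.

```python
from collections import deque

# Constructed topology: two honest routes from s to d, plus colluding
# nodes m1 and m2 that are physically joined by the relays x1..x4.
PHYSICAL = [
    ("s", "a1"), ("a1", "a2"), ("a2", "a3"), ("a3", "d"),
    ("s", "b1"), ("b1", "b2"), ("b2", "b3"), ("b3", "b4"), ("b4", "d"),
    ("s", "m1"), ("m1", "x1"), ("x1", "x2"), ("x2", "x3"),
    ("x3", "x4"), ("x4", "m2"), ("m2", "d"),
]
# The RREQ rides inside a data payload, so the relays never increment its
# hop count and m1 -> m2 is advertised as a single hop.
TUNNEL = ("m1", "m2")

def adjacency(links):
    adj = {}
    for u, v in links:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj

def min_hop_route(adj, src, dst):
    """BFS: the first RREQ copy to reach a node carries the fewest hops."""
    parent, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(adj[node]):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None

def real_hops(route, physical_adj):
    """Radio hops a data packet really crosses along an advertised route."""
    return sum(len(min_hop_route(physical_adj, u, v)) - 1
               for u, v in zip(route, route[1:]))

def compare():
    """Return (honest route, attacked route, advertised hops, real hops)."""
    physical = adjacency(PHYSICAL)
    honest = min_hop_route(physical, "s", "d")
    attacked = min_hop_route(adjacency(PHYSICAL + [TUNNEL]), "s", "d")
    return honest, attacked, len(attacked) - 1, real_hops(attacked, physical)
```

Calling `compare()` shows the destination switching from the honest 4-hop route to a route advertised as 3 hops that really crosses 7, the same 4-hop saving the paragraph describes.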

This paper proposes a secure routing protocol to defend against wormhole attacks based on the Ad hoc On-demand Distance Vector (AODV) routing protocol (Perkins et al., 2004), which is named WARP (Wormhole-Avoidance Routing Protocol). WARP considers link-disjoint multipaths during path discovery in order to choose a safer path to avoid wormhole nodes. Since wormhole nodes have great abilities to grab the routes from the source nodes to the destination nodes, after a certain time of executing wormhole attacks, the wormhole nodes would be rejected by their neighboring nodes, thereby preventing them from transmitting routing messages, and hence, they are quarantined by the whole MANET. Some normal nodes may be located at key positions of connectivity within the network, and thus, may be quarantined due to considerable acquisition of routing paths; however, they would not be in key positions for long as the MANET topology is constantly changing. In addition, in the design of WARP, when a node is quarantined by its neighbors, and then has no abnormal behaviors for a certain period, it would be recovered from the quarantine.

The remainder of this paper is organized as follows. Section 2 provides a brief review on previous works against wormhole attacks and the AODV routing protocol. Section 3 describes the details of the proposed routing algorithm – WARP, in detection and defense against wormhole nodes. Section 4 offers discussion on the properties of WARP. Section 5 is the outcome and analysis of ns2 simulation. Section 6 offers conclusions.

Section snippets

Related works

Since the proposed WARP is based on AODV, in addition to reviewing previous research on defending wormhole attacks, the AODV is also briefly described.

The proposed wormhole-avoidance routing protocol

This paper proposes a routing protocol named WARP (Wormhole-Avoidance Routing Protocol), which is based on AODV and can efficiently quarantine wormhole nodes. According to a multi-path routing algorithm, WARP takes link-disjoint multiple paths into consideration during path discovery; however, it eventually chooses only one path to transmit data packets. Some preliminaries of the proposed protocol are given in Section 3.1, and the details are formally described in Section 3.2.

Properties of WARP protocol

The ability of WARP to provide avoidance of wormhole attacks is first illustrated, and then other merits are addressed in this section. Fig. 14 shows the key concept of WARP. Initially, the neighboring nodes of the two wormhole nodes w1 and w2, say a and b, respectively, will regularly forward RREQs, RREPs, and RREP_DECs to the two nodes, increasing the anomaly values of w1 (or w2) in node a's (or node b's) routing table, as shown in Fig. 14(a). Once the anomaly value of w1 saved in node a

Experimental results and comparison with other studies

This section will first show experimental results on the performance of WARP, and then offer a comparison of WARP with other related protocols.

Conclusions

This paper proposes a routing protocol called WARP (Wormhole-Avoidance Routing Protocol), which is based on AODV, to defend against wormhole attacks in MANETs. During the stage of path discovery, WARP considers multiple link-disjoint paths in order to avoid possible wormhole nodes, but in the end, still uses only one path to transmit data packets. Based on the characteristic that wormhole nodes can grab most data transmission paths in a MANET, WARP enables the neighbors of a wormhole node to

Acknowledgments

This work was partially supported by the National Science Council with contracts NSC 97-2221-E-130-014 and 98-2221-E-130-007.


References (22)

  • Marianne A. Azer, Sherif M. El-Kassas, Abdel Wahab F, Magdy S. El-Soudani. Intrusion detection for wormhole attacks in...
  • Hon Sun Chiu, King-Shan Lui. DelPHI: wormhole detection mechanism for ad hoc wireless networks. In the proceedings of...
  • T. Clausen et al. Optimized link state routing protocol (OLSR) (October 2003)
  • Gorlatova MA, Peter C. Mason, Maoyu Wang, Louise Lamont, Ramiro Liscano. Detecting wormhole attacks in mobile ad hoc...
  • Hu YC, Perrig A, David B. Johnson. Ariadne: a secure on-demand routing protocol for ad hoc networks. In the proceedings...
  • Yih-Chun Hu et al. Wormhole attacks in wireless networks. IEEE Journal on Selected Areas in Communication (2006)
  • Johnson DB, Maltz DA, Hu YC. The dynamic source routing protocol for mobile ad-hoc network (DSR), IETF internet draft...
  • Issa Khalil, Saurabh Bagchi, Ness B. Shroff. LITEWORP: a Lightweight countermeasure for the wormhole attack in multihop...
  • Issa Khalil, Saurabh Bagchi, and Ness B. Shroff. MOBIWORP: mitigation of the wormhole attack in mobile multihop...
  • Lazos L, Poovendran R, Meadows C, Syverson P, Chang LW. Preventing wormhole attacks on wireless ad hoc networks: a...
  • Gunhee Lee, Dong-kyoo Kim, Jungtaek Seo, An approach to mitigate wormhole attack in wireless ad hoc networks. In the...
  • Cited by (78)

    • A detection and prevention system against collaborative attacks in Mobile Ad hoc Networks

      2017, Future Generation Computer Systems
      Citation Excerpt :

      proposed a decentralized approach that measured some parameters on the basis of which some penalty was added to the paths containing wormhole nodes to avoid communication through them. Su [14] proposed WARP (Wormhole Avoidance Routing Protocol) that selected single path from multiple paths on the basis of the first hop field. Azer [7] proposed another approach that worked on the principle that wormhole nodes get involved in routing in repeated ways for different sources and destinations.

    • An Approach to Detect Wormhole Attack in Mobile Ad Hoc Networks Using Direct Trust Based Detection Approach

      2023, International Journal of Intelligent Systems and Applications in Engineering

    Ming-Yang Su received his B.S. degree from the Department of Computer Science and Information Engineering of Tunghai University, Taiwan in 1989, and received his M.S. and Ph.D. degrees from the same department of the National Central University and National Taiwan University in 1991 and 1997, respectively. He is an IEEE member, and currently an associate professor of the Department of Computer Science and Information Engineering at the Ming Chuan University, Taoyuan, Taiwan. His research interests include network security, intrusion detection/prevention, Malware detection, wireless Ad hoc network, and wireless sensor networks.
