
A Survey on Security Concerns and Discovery Methods in MANET

Arockia Rubi.s¹, Birunda Devi.M¹, Vairachilai.S², Dhanalakshmi.N³
¹ PG Scholar, Department of CSE, NPR CET, Natham, Tamilnadu
² Assistant Professor, Department of CSE, NPR CET, Natham, Tamilnadu
³ Assistant Professor, Department of IT, NPR CET, Natham, Tamilnadu
Email id: arockiaruby.s@gmail.com¹; birunda.devi@gmai.com¹

Abstract- The migration from wired to wireless networks has been a global trend in the past few decades. The mobility and scalability brought by wireless networks have made them usable in many applications. Among all contemporary wireless networks, the Mobile Ad hoc NETwork (MANET) is one of the most important and unique applications. In contrast to traditional network architecture, a MANET does not require a fixed network infrastructure. In general, routing protocols for MANETs are designed on the assumption that all participating nodes are fully supportive. However, due to the open structure and scarcely available battery-based energy, node misbehaviors may exist. Moreover, the open medium and wide distribution of nodes make MANETs vulnerable to malicious attackers. This survey paper gives an overview of the security issues. An attempt has also been made to identify possible detection methods associated with the different security issues.

Keywords: MANET, DSR, AODV, Attack, Security

1. INTRODUCTION

Mobile Ad hoc NETwork (MANET) is a collection of mobile nodes equipped with both a transmitter and a receiver; each node uses a bidirectional link to communicate with the other nodes of the network. MANET formation may vary depending on its application, from a small, static network that is highly power constrained to a large-scale, mobile, highly dynamic network. Every node works as both a transmitter and a receiver. Nodes communicate directly with each other when they are both within the same communication range. Otherwise, they rely on their neighbors to relay messages.
One of the major advantages of wireless networks is their ability to allow data communication between different parties while still maintaining their mobility. However, this communication is limited to the range of the transmitters. This means that two nodes cannot communicate with each other when the distance between them is beyond their own communication range. MANET solves this problem by allowing intermediate nodes to relay data transmissions. There are two types of MANETs: closed and open [1]. In a closed MANET, all mobile nodes cooperate with each other toward a common goal, such as emergency search/rescue or military and law enforcement operations. In an open MANET, different mobile nodes with different goals share their resources in order to ensure global connectivity. Some resources are consumed quickly as the nodes participate in the network functions. Battery power is considered to be of greater importance in a mobile environment. An individual mobile node may attempt to benefit from other nodes but refuse to share its own resources. Nodes of this type are called selfish or misbehaving nodes, and their behavior is termed selfishness or misbehavior. A selfish node may refuse to forward the data it receives in order to save its own energy.

However, the open standard of MANET is vulnerable to various types of attacks. For example, because the nodes lack physical protection, malicious attackers can easily capture and compromise nodes to carry out attacks. Attackers can easily insert or incorporate malicious nodes into the network with the help of one or two compromised nodes to carry out attacks. Such misbehaving nodes need to be detected so that well-behaved nodes can avoid them. Many schemes and intrusion detection systems have been proposed to detect such nodes.

2. SECURITY ISSUES IN MANET

There are many types of attacks affecting the behavior and performance of MANET. Attacks can be classified according to their domain, protocols and means of attack. Ad hoc networks have two levels of attacks. The first level is based on the routing mechanisms used in the network. The second level targets the security mechanisms in the network and tries to damage them. An attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset. Attacks in MANET are divided into two major types: internal attacks and external attacks.

2.1 Internal attacks

Internal attacks lead directly to attacks on the nodes present in the network and on the link interfaces between them. This type of attack may broadcast wrong routing information to other nodes [10]. Internal attacks are sometimes more difficult to handle than external attacks, because internal attacks arise from more trusted nodes. The wrong routing information generated by compromised or malicious nodes is difficult to identify. This difficulty arises because compromised nodes are able to generate valid signatures using their private keys.
2.2 External attacks

External attacks are attacks launched by adversaries who are not initially authorized to participate in the network operations. These attacks usually aim to cause network congestion, deny access to a specific network function or disrupt the whole network operation. Bogus packet injection, denial of service, and impersonation are some of the attacks that are usually initiated by external attackers. External attacks are classified into two categories: active and passive attacks.

2.2.1 Passive attacks

MANETs are more susceptible to passive attacks. A passive attack does not alter the data transmitted within the network, but it involves unauthorized listening to the network traffic or accumulating data from it. A passive attacker does not disrupt the operation of a routing protocol but attempts to discover important information from the routed traffic. Detection of this type of attack is difficult, since the operation of the network itself doesn't get affected. To counter this type of attack, powerful encryption algorithms are used to encrypt the data being transmitted.

2.2.2 Active Attacks

Active attacks are very severe attacks on the network that prevent message flow between the nodes. Active attacks can be internal or external. Active external attacks can be carried out by outside sources that do not belong to the network. Internal attacks come from malicious nodes which are part of the network; internal attacks are more severe and harder to detect than external attacks. These attacks gain unauthorized access to the network, which helps the attacker make changes such as modification of packets, DoS, congestion, etc. Active attacks are generally launched by compromised or malicious nodes. Malicious nodes change the routing information by advertising themselves as having the shortest path to the destination. There are many types of active attacks:

A) Modification attacks
This attack modifies the packets and degrades the overall communication performance of the network. A malicious node gets the routing information from the packet and uses it for further attacks in future. An example of such an attack is the sinkhole attack, in which a malicious node advertises itself as having the shortest path to the receiver.

B) Dropping attacks
In this attack, packets received by the selfish nodes are dropped to prevent end-to-end communication.

C) Timing attacks
In this attack, the attacker advertises itself as being closer to the actual node in order to attract other nodes in the network. Rushing and hello flood attacks use this type of attack.

2.3 Attacks at Application Layer

The application layer contains user data and supports many protocols such as HTTP and FTP. Worm attacks, mobile viruses and repudiation attacks are examples of application-layer attacks.
1) Malicious code attack
Malicious code attacks include viruses, worms, spyware and Trojan horses. These can attack both the operating system and user applications.

2) Repudiation attacks
Repudiation means denial of participation in part or all of the communications. For example, a selfish person may deny having received a product or may deny an online bank transaction.

3) Worm attacks
Malicious programs spread widely in the network. A worm can exploit hosts in different ways. One example is the IP address scanning used by Internet worms. This technique generates probe packets to a vulnerable TCP/UDP port at many different IP addresses. A host that responds to the scan gets hit, receives a copy of the worm and becomes infected. An example of such a worm is the Code Red worm.

2.4 Attacks at network layer

The network layer is subject to a variety of attacks. By attacking the network protocol, the attacker can learn the traffic pattern, enter the routing path between the source and destination, and control the network traffic flow.

1) Routing discovery attack
Routing attacks target the route discovery or maintenance phase by not following the rules of the routing protocols. Routing message flooding attacks, such as hello flooding, acknowledgement flooding, routing table overflow and RREQ flooding, target the route discovery phase.

2) Routing Maintenance attack
The route maintenance phase is attacked by sending false control messages, such as link-broken error messages. This causes route repair or invocation of costly route maintenance. For example, AODV and DSR implement path maintenance procedures to recover broken paths. If the destination node or an intermediate node along an active path moves, the upstream node of the broken link broadcasts a route error message to all active upstream neighbors. The node also invalidates the route for this destination in its routing table. Attackers can take advantage of this mechanism to launch attacks by sending false route error messages.

3) Data forwarding attacks
Some attacks target the data forwarding phase. A malicious node participates in the route discovery and maintenance phases but refuses to forward the packets. Instead of forwarding the packets, it simply drops them, modifies their contents or floods data packets. It can also delay forwarding time-sensitive packets.
4) Other advanced attacks

i) Black hole attack
In a black hole attack, a malicious node uses its routing protocol to advertise itself as having the shortest path to the destination node or to the packet it wants to intercept. This hostile node advertises the availability of fresh routes without checking its routing table. In this way the attacker node is always available to reply to the route request, and thus intercepts the data packet and retains it.

ii) Wormhole attack
In this attack, the attacker uses a private tunnel to forward the data. The tunnel between two attackers is referred to as a wormhole. The attacker records packets at one location and forwards them through the tunnel to another location. The network is disrupted by tunneling the control messages. If this is used against routing protocols such as DSR or AODV, it prevents route discovery other than through the wormhole.

iii) Byzantine attack
A compromised node, or a group of compromised nodes working together, carries out attacks to disrupt the routing services. The attacks may include creating routing loops or selectively dropping packets.

iv) Rushing attack
This attack is proposed by Hu et al. In route discovery, the RREQ forwarded by the attacker is the first to reach the neighbors of the target. The routes obtained by this RREQ include the attacker. The attacker can forward the RREQ more quickly than legitimate nodes, and so the attacker is included in all the discovered routes.

Fig 2.1. Rush Attack

v) Resource consumption attack
An attacker or a compromised node can attempt to consume battery life by forwarding unnecessary packets or requesting excessive route discovery.

vi) Location disclosure attack
An attacker first gathers information such as a route map and then reveals the structure of the network or the location of nodes in the network. The attacker tries to figure out the communicating parties, analyzes the traffic to learn the traffic pattern and tracks changes in that pattern.

2.5 Attacks at physical layer

These attacks are hardware oriented and need help from hardware sources to take effect. They are simple to execute and do not need complete knowledge of the technology.

1) Eavesdropping
It means the interception and reading of messages and conversations by unintended receivers. Wireless communication is easily intercepted with a receiver tuned to the correct frequency. The main aim is to get confidential information such as private keys, public keys and passwords. This can be eavesdropped by tapping the communication lines.

Fig 2.2. Eavesdropping

2) Active interference
This is also a denial of service attack, which blocks the wireless communication. The attacker can change the order of messages or replay old messages. The effect of such an attack depends on its duration and the routing protocol in use.

2.6 Attacks at transport layer

1) SYN flooding attacks
This is a Denial of Service (DoS) type of attack, in which the attacker creates a large number of half-opened TCP connections with the victim node. It never completes the handshake to fully open the connection.

2) Session hijacking
In this attack, an attacker takes advantage of an unprotected session after its initial step. It spoofs the victim's IP address, predicts the correct sequence number (the one expected by the target node) and launches various types of DoS attacks. In this attack the malicious node tries to discover passwords, secret keys, logon names and other information from nodes.

3. DETECTION METHODS

Due to the limitations of MANET protocols, nodes in a MANET assume that other nodes will always cooperate with each other to relay data. This is enough for attackers to perform attacks using a few compromised nodes. To avoid this problem, an IDS should be added to enhance the security level of the MANET. An IDS can act as a second layer in the MANET. If the MANET can detect attackers as soon as they enter the network, we will be able to eliminate the damage completely.

3.1 Reputation-based schemes

In this scheme the network nodes collectively detect and declare the misbehavior of a suspicious node. This declaration is propagated through the network so that those nodes are avoided in future routing.

1) Watchdog
This scheme is proposed to improve the throughput of the network in the presence of malicious nodes. It consists of two parts: watchdog and pathrater. The watchdog is responsible for detecting malicious node misbehavior in the network. It detects misbehavior by overhearing the next hop's transmission. It keeps the sent packets in a buffer. A packet in the buffer is cleared when the watchdog overhears the next hop successfully transmit the same packet over the medium. If a data packet remains in the buffer for too long, the watchdog module accuses the next-hop neighbor of misbehaving. Thus, the watchdog enables misbehavior detection at the forwarding level as well as the link level. If a watchdog node overhears that its next node fails to forward the packet within a certain period of time, it increases that node's failure counter. Whenever a node's failure counter exceeds a predefined threshold, the watchdog node reports it as misbehaving. In this case, the pathrater cooperates with the routing protocols to avoid the reported nodes in future transmissions. The pathrater module rates every path in its cache and subsequently chooses the path that best avoids misbehaving nodes.

2) CONFIDANT
The CONFIDANT protocol proposed by Buchegger and Le Boudec is another example of reputation-based schemes. The protocol is based on selective altruism, thus making misbehavior unattractive. CONFIDANT consists of four important components: the Monitor, the Reputation System, the Path Manager, and the Trust Manager. They perform the vital functions of neighborhood watching, node rating, path rating, and sending and receiving alarm messages, respectively. Each node continuously monitors the behavior of its first-hop neighbors. If a suspicious event is detected, details of the event are passed to the Reputation System. Depending on how significant and how frequent the event is, the Reputation System modifies the rating of the suspected node. Once the rating of a node becomes intolerable, control is passed to the Path Manager, which controls the route cache accordingly. Warning messages are propagated to other nodes in the form of an Alarm message sent out by the Trust Manager. The Monitor component in the CONFIDANT scheme observes the next-hop neighbor's behavior using the overhearing technique. This causes the scheme to suffer from the same problems as the watchdog scheme. Each node i maintains a data structure Status_ij about every other node j as an indication of the impression node i has of node j. Along with a credit counter, node i also maintains lists of nodes to which node j will and will not provide service. Every node periodically broadcasts relevant information in the form of a self-state message. Other nodes update their own lists based on the information contained in these self-state messages.

3.2 Credit based schemes

The goal of credit-based schemes is to provide incentives to nodes that faithfully perform network functions. To facilitate this, a payment system is set up. Nodes get paid for providing services to other nodes. The concept of nuggets (also called beans) is used as payment for forwarding packets. Two models are proposed for this: the packet purse model and the packet trade model.
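The watchdog buffer, failure counter and threshold from section 3.1, together with a pathrater choice between cached routes, can be sketched as follows. This is an added example, not code from the survey or the cited papers; the node names, timings, the constructed trace and the simplified path rating are assumptions.

```python
from collections import Counter


class Watchdog:
    """One node's watchdog: buffers sent packets until the next hop is overheard relaying them."""

    def __init__(self, timeout, threshold):
        self.timeout = timeout      # longest a packet may wait in the buffer (seconds)
        self.threshold = threshold  # failures tolerated before a neighbour is reported
        self.buffer = {}            # (next_hop, packet_id) -> time the packet was sent
        self.failures = Counter()   # next_hop -> packets it was never heard relaying
        self.reported = set()

    def sent(self, now, next_hop, packet_id):
        self.expire(now)
        self.buffer[(next_hop, packet_id)] = now

    def overheard(self, now, node, packet_id):
        # Expire first, so a relay heard after the timeout still counts as a failure.
        self.expire(now)
        self.buffer.pop((node, packet_id), None)

    def expire(self, now):
        for (hop, pid), sent_at in list(self.buffer.items()):
            if now - sent_at > self.timeout:
                del self.buffer[(hop, pid)]
                self.failures[hop] += 1
                if self.failures[hop] > self.threshold:
                    self.reported.add(hop)


def pathrater(routes, reported):
    """Choose the cached route with the fewest reported nodes, then the fewest hops.
    (Simplified rating, an assumption: the survey gives no rating formula.)"""
    return min(routes, key=lambda r: (sum(n in reported for n in r), len(r)))


def constructed_trace():
    """Constructed sample: node A sends six packets via B and six via C.
    B relays only packet 0; C relays all, but one relay is lost to a collision."""
    trace = []
    for pid in range(6):
        t = float(pid)
        trace += [(t, "send", "B", pid), (t, "send", "C", pid)]
        if pid == 0:
            trace.append((t + 0.1, "hear", "B", pid))
        if pid != 2:
            trace.append((t + 0.1, "hear", "C", pid))
    return trace


def run(trace, timeout=0.5, threshold=3, end=10.0):
    """Replay a trace of (time, kind, next_hop, packet_id) events through one watchdog."""
    wd = Watchdog(timeout, threshold)
    for t, kind, hop, pid in trace:
        (wd.sent if kind == "send" else wd.overheard)(t, hop, pid)
    wd.expire(end)
    return wd


if __name__ == "__main__":
    wd = run(constructed_trace())
    print(dict(wd.failures), wd.reported)
    print(pathrater([["A", "B", "D"], ["A", "C", "E", "D"]], wd.reported))
```

With the threshold lowered to 0, the single relay that C lost to a collision is enough to get C reported as well, which is the false-accusation weakness the overhearing approach carries.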

In the packet purse model, nuggets are loaded into the packet before it is sent. The sender puts a certain number of nuggets into the data packet to be sent. Each intermediate node earns nuggets in return for forwarding the packet. If the packet exhausts its nuggets before it reaches its destination, it is dropped. In the packet trade model, each intermediate node buys the packet from the previous node for some nuggets and sells it to the next node for more nuggets. Thus, each intermediate node earns some nuggets for providing the forwarding service, and the overall cost of sending the packet is borne by the destination.

3.3 Acknowledgement based schemes

There are several schemes that use end-to-end acknowledgments (ACKs) to detect routing misbehavior or malicious nodes in wireless networks. The acknowledgement packets are sent by the receiver node to the sender node to notify it of the reception of data packets up to some location in the continuous data stream. The selective acknowledgement scheme is used to acknowledge out-of-order data blocks.

1) 2ACK
This scheme differs from the ACK and SACK schemes used in the TCP protocol. The 2ACK scheme aims to resolve the receiver collision and limited transmission power problems. TWOACK detects misbehaving links by acknowledging every data packet transmitted over every three consecutive nodes along the path from the source to the destination. Upon retrieval of a packet, each node along the route is required to send back an acknowledgment packet to the node that is two hops away from it down the route. TWOACK is required to work on routing protocols such as Dynamic Source Routing (DSR).
The source sends a data packet to the receiver. The receiver generates the 2ACK packet back to the sender. Retrieval of the 2ACK packet within a predefined time period indicates successful transmission; otherwise both the destination and intermediate nodes are reported as malicious.

2) TWOACK
The proposed TWOACK scheme serves as an add-on technique for routing schemes to detect routing misbehavior and to mitigate its adverse effect. It is used to detect selfish nodes that participate in the route discovery and maintenance processes but refuse to forward data packets. The TWOACK scheme sends two-hop acknowledgment packets in the opposite direction of the routing path. It detects misbehavior through the use of a new type of acknowledgment packet, termed TWOACK. A TWOACK packet is assigned a fixed route of two hops (three nodes) in the opposite direction of the data traffic route. TWOACK transmission takes place for every set of triplets along the route. Therefore, only the first router from the source will not serve as a TWOACK packet sender. The last router just before the destination and the destination will not serve as TWOACK receivers. TWOACK detects misbehaving links by acknowledging every data packet transmitted over every three consecutive nodes along the path from the source to the destination. Upon retrieval of a packet, each node along the route is required to send back an acknowledgment packet to the node that is two hops away from it down the route. The source sends a data packet to the receiver. The receiver generates the TWOACK packet back to the sender. Retrieval of the TWOACK packet within a predefined time period indicates successful transmission; otherwise both the destination and intermediate nodes are reported as malicious. The TWOACK scheme successfully solves the receiver collision and limited transmission power problems.

3) AACK
This is an acknowledgement-based scheme which can be considered a combination of a scheme called TACK (identical to TWOACK) and an end-to-end acknowledgement scheme called ACKnowledge (ACK). The source node sends out Packet 1 without any overhead except 2 b of flag indicating the packet type. All the intermediate nodes simply forward this packet. When the destination node receives Packet 1, it is required to send back an ACK acknowledgment packet to the source node along the reverse route. If the source node receives this ACK acknowledgment packet within a predefined time period, the packet transmission from source node to destination node is successful. Otherwise, the source node will switch to the TACK scheme by sending out a TACK packet. Misbehaving nodes that exhibit abnormal behavior can disrupt the network operation and affect network availability by refusing to cooperate in routing packets, due to their selfish or malicious behavior.
This paper proposes a novel intrusion detection system, an adaptive acknowledgment scheme (AACK), with the ability to detect misbehaving nodes and avoid them in other transmissions. The aim of the AACK scheme is to overcome the watchdog's weaknesses due to collisions and limited transmission power, and also to improve on the TWOACK scheme. The concept of adopting a hybrid scheme in AACK greatly reduces the network overhead. The functions of such detection schemes all largely depend on the acknowledgment packets. Hence, it is crucial to guarantee that the acknowledgment packets are valid and authentic. AACK has lower network overhead than the TWOACK scheme while maintaining the same network throughput.

4) EAACK
Another acknowledgement-based intrusion detection system, named EAACK (Enhanced Adaptive ACKnowledgment), is specially designed for MANETs to detect attackers. EAACK is an acknowledgment-based IDS. This scheme makes use of digital signatures: it requires all acknowledgment packets to be digitally signed. It reduces the packet dropping attack, which is the major security threat. In cases of limited transmission power, receiver collision and false misbehavior rate, EAACK is preferable as an IDS to the existing approaches.
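The TWOACK triplet check and the AACK fallback from end-to-end ACK to TACK described above can be simulated as below. This is an added example, not code from the survey or the cited papers; the route, the node names and the model of a dropper (a node that accepts and acknowledges packets but never relays them) are assumptions, and the acknowledgment timeout is modelled simply as "the acknowledgment never arrives".

```python
def forward_data(route, droppers):
    """Index of the last node on `route` that receives the data packet.
    A node in `droppers` accepts the packet but never relays it."""
    for i in range(1, len(route) - 1):
        if route[i] in droppers:
            return i
    return len(route) - 1


def twoack_round(route, droppers):
    """Send one data packet with a TWOACK expected for every triplet on the route.
    Returns (delivered, reported_links, ack_transmissions)."""
    last = forward_data(route, droppers)
    reports, ack_tx = [], 0
    for i in range(len(route) - 2):
        first, mid, third = route[i:i + 3]
        if i + 2 <= last:
            ack_tx += 2                     # TWOACK travels third -> mid -> first
        elif i < last:
            # `first` relayed the packet and its timer ran out with no TWOACK:
            # it reports the link mid -> third rather than a single node.
            reports.append((mid, third))
    return last == len(route) - 1, reports, ack_tx


def aack_send(route, droppers):
    """AACK: try the end-to-end ACK first; fall back to TACK (TWOACK) on timeout."""
    hops = len(route) - 1
    if forward_data(route, droppers) == hops:
        # Destination got the packet; its ACK retraces the route, one transmission per hop.
        return {"mode": "ACK", "delivered": True, "reports": [], "ack_tx": hops}
    delivered, reports, ack_tx = twoack_round(route, droppers)
    return {"mode": "TACK", "delivered": delivered, "reports": reports, "ack_tx": ack_tx}


def ack_overhead(route, packets):
    """Acknowledgment transmissions needed for `packets` packets on a well-behaved route."""
    twoack = sum(twoack_round(route, set())[2] for _ in range(packets))
    aack = sum(aack_send(route, set())["ack_tx"] for _ in range(packets))
    return {"TWOACK": twoack, "AACK": aack}


# Constructed six-node route: source S, destination E.
ROUTE = ["S", "A", "B", "C", "D", "E"]

if __name__ == "__main__":
    print(twoack_round(ROUTE, {"C"}))   # the node before C reports the link C -> D
    print(aack_send(ROUTE, {"C"}))      # no end-to-end ACK, so AACK switches to TACK
    print(ack_overhead(ROUTE, 100))     # acknowledgment cost while nobody misbehaves
```

The report names a link, not a node: the observer cannot tell whether the middle node dropped the data packet or the third node withheld its acknowledgment, which is why both ends of the link are reported.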

EAACK has 3 parts: ACK, S-ACK, and MRA. First, the destination sends an acknowledgement packet to the source. If the source receives the acknowledgement within a predefined time period, the transmission of the packet is successful. Otherwise it will switch to S-ACK mode. Every three consecutive nodes work in a group to detect misbehaving nodes. For every three consecutive nodes in the route, the third node is required to send an S-ACK acknowledgment packet to the first node. To initiate the MRA mode, the source node first searches its local knowledge base and seeks an alternative route to the destination node. If no other route exists, the source node starts a DSR routing request to find another route. With the help of the MRA scheme, EAACK detects malicious nodes despite the existence of false misbehavior reports. This system uses digital signatures to authenticate the acknowledgement packets. Digital signatures prevent the acknowledgement packets from being forged. The sender of the acknowledgement packet must sign the packet, and after reception of the packet the receiver will verify its authenticity.

4. CONCLUSION

A MANET has a dynamic infrastructure, and having no centralized administration makes such a network vulnerable to many attacks. It needs a high level of security compared to wired networks. In this survey, different security attacks on communication and at different layers are studied. It also analyses the different detection schemes used to detect and evict such attacks. In future, we will extend the detection mechanisms in order to detect more vulnerable attackers and malicious nodes in the network to improve the network performance, and verify this using simulation methods.

5. REFERENCES

1. Elhadi M. Shakshuki, Nan Kang, and Tarek R. Sheltami, "EAACK - A Secure Intrusion Detection System for MANETs," IEEE Trans., vol. 60, no. 3, Mar. 2013.
2. S. Marti, T. J. Giuli, K. Lai, and M. Baker, "Mitigating routing misbehavior in mobile ad hoc networks," in Proc. 6th Annu. Int. Conf. Mobile Comput. Netw., Boston, MA, 2000, pp. 255–265.
3. K. Liu, J. Deng, P. K. Varshney, and K. Balakrishnan, "An acknowledgment-based approach for the detection of routing misbehavior in MANETs," IEEE Trans. Mobile Comput., vol. 6, no. 5, pp. 536–550, May 2007.
4. N. Nasser and Y. Chen, "Enhanced intrusion detection systems for discovering malicious nodes in mobile ad hoc network," in Proc. IEEE Int. Conf. Commun., Glasgow, Scotland, Jun. 24–28, 2007, pp. 1154–1159.
5. T. Sheltami, A. Al-Roubaiey, E. Shakshuki, and A. Mahmoud, "Video transmission enhancement in presence of misbehaving nodes in MANETs," Int. J. Multimedia Syst., vol. 15, no. 5, pp. 273–282, Oct. 2009.
6. J. Al-Jaroodi, "Security Issues in Wireless Mobile Ad Hoc Networks at the Network Layer," University of Nebraska-Lincoln, Dept. of Computer Science and Engineering, Technical Report TR02-10-07, November 2002. K. Sanzgiri, B. Dahill, B. N. Levine, C. Shields.
7. Bing Wu, Jianmin Chen, Jie Wu, Michaela Cardei, "A Survey on Attack and Countermeasures in Mobile Ad Hoc Networks," Wireless/Mobile Security, Springer, 006.
