BSMR - Byzantine-Resilient Secure Multicast Routing in Multi-Hop

Purdue University
Purdue e-Pubs
Department of Computer Science Technical
Department of Computer Science
Reports
2007
BSMR: Byzantine-Resilient Secure Multicast

Routing in Multi-hop Wireless Networks
Reza Curtmola
Cristina Nita-Rotaru
Purdue University, crisn@cs.purdue.edu
Report Number:
07-005
Curtmola, Reza and Nita-Rotaru, Cristina, "BSMR: Byzantine-Resilient Secure Multicast Routing in Multi-hop Wireless Networks"
(2007). Department of Computer Science Technical Reports. Paper 1670.
https://docs.lib.purdue.edu/cstech/1670
This document has been made available through Purdue e-Pubs, a service of the Purdue University Libraries. Please contact epubs@purdue.edu for
additional information.
BSMR: BYZANTINE-RESILIENT
BSMR: BYZANTINE-RESILIENTSECURE
SECUREMULTICAST
MULTICAST
ROUTINGIN
ROUTING IN MULTI-HOP
MULTI-HOPWIRELESS
WIRELESSNETWORKS
NETWORKS
RezaCurtmola
Reza Curtmola
CristinaNita-Rotaru
Cristina Nita-Rotam
CSDTR
CSD TR#07-005
#07-005
March2007
March 2007
BSMR: Byzantine-Resilient Secure Multicast
Routing in Multi-hop Wireless Networks
Reza Curtmola Cristina Nita-Rotaru
Department of Computer Science Department of Computer Science and CERIAS
The Johns Hopkins University Purdue University
crix@cs.jhu.edu crisn @ cs.purdue.edu
crisn@cs.purdue.edu
Abstract
Multi-hop wireless networks rely on node cooperation to provide unicast and multicast services.
services. The multi-hop
communication offers increased coverage for such services, but also makes them more vulnerable to insider (or
Byzantine) attacks coming from compromised nodes that behave arbitrarily to disrupt the network.
In this work we identify vulnerabilities of on-demand multicast routing protocols for multi-hop wireless
networks and discuss the challenges encountered in designing mechanisms to defend against them. We propose
BSMR, a novel secure multicast routing protocol that withstands insider attacks from colluding adversaries. Our
protocol is a software-based solution and does not require additional or specialized hardware. We present simulation
results which demonstrate that BSMR effectively mitigates the identified
identified attacks.
1. INTRODUCTION
Multicast routing protocols deliver data from a source to multiple destinations organized in a multicast
group. Several protocols were proposed to provide multicast services for multi-hop wireless networks.
These protocols rely on node cooperation and use flooding [1], [I], gossip [2], geographical position [3],
[3], or
dissemination structures such as meshes [4], [5], or trees [6], [7].
[7].
A major challenge in designing protocols for wireless networks is ensuring robustness to failures and
resilience to attacks. Wireless networks provide a less robust communication than wired networks due
to frequent broken links and a higher error rate. Security is also more challenging in multi-hop wireless
networks because the open medium is more susceptible to outside attacks and the multi-hop communication
makes services more vulnerable to insider attacks coming from compromised nodes. Although an effective
mechanism against outside attacks, authentication is not sufficient to protect against insider attacks because
an adversary that compromised a node also gained access to the cryptographic keys stored on it. Insider
attacks are also known as Byzantine [8] [8] attacks and protocols able to provide service in their presence
are referred to as Byzantine resilient protocols.
Previous work focused mainly on the security of unicast services. Several routing protocols [9]-[12][9]-[12]
were proposed to cope with outsider attacks. Methods proposed to address insider threats in unicast
routing include monitoring [13],
[13], multi-path routing [14]
[14] and acknowledgment-based feedback [15], [15], [16].
The problem of secure multicast in wireless networks was less studied and only outside attacks were
addressed - [17]
addressed' [17]..
Security problems related to multicast routing can be classified in routing specific security, such as
the management of the routing structure and data forwarding,
forwarding, and application specific security such as
data confidentiality and authenticity. Solutions to the latter problem also referred to as secure group
communication focus mainly on group key management [18], [18], [19]. In this work we are concerned with
multicast routing specific security.
security.
Several differences make the multicast communication model more challenging than its unicast counter-
part. First, designing secure multicast protocols for wireless networks requires a more complex trust model,
as nodes which are members of the multicast group cannot simply organize themselves in a dissemination
structure without the help of other non-member nodes acting as routers.
Second,
Second, unlike unicast protocols which establish and maintain routes between two nodes, multicast
protocols establish and maintain more complex structures, such as trees or meshes. For example, protocols
relying on trees require additional operations such as route activation,
activation, tree pruning and tree merging.
These actions do not have a counterpart in the unicast case and may expose the routing protocol to new
vulnerabilities.
Third, multicast protocols deliver data from one sender to multiple receivers making scalability a major
problem when designing attack-resilient protocols. In particular, solutions that offer resiliency against
Byzantine attacks for unicast are not scalable in a multicast setting. For example, multi-path routing affects
affects
significantly
significantly the data dissemination efficiency,
efficiency, while strategies based on end-to-end acknowledgments have
overhead.
high overhead.
In this paper we study vulnerabilities of multicast routing protocols in multi-hop wireless networks and
propose a new protocol that provides resilience against Byzantine attacks. Our main contributions are: are:
• We identify several aspects that make the design of attack-resilient multicast routing protocols more
challenging than their unicast counterpart, such as a more complex trust model and underlying routing
structure, and scalability.
scalability. We also discuss potential attacks against such protocols.
• We propose BSMR, an on-demand multicast protocol for multi-hop wireless networks which relies on
several mechanisms to mitigate Byzantine attacks. BSMR uses a selective data forwarding
forwarding detection
mechanism that relies on a reliability metric capturing adversarial behavior.
behavior. Nodes determine the
reliability of links by comparing the perceived data rate with the one advertised by the source.
Adversarial links are avoided during the route discovery phase. BSMR also prevents attacks that try
to prevent or arbitrarily influence
influence route establishment.
• We show through simulations that the impact of several Byzantine attacks (flood rushing, black hole
and wormhole) on a previously proposed secure multicast routing protocol is considerable and cannot
be ignored. We also demonstrate through simulations that our protocol BSMR mitigates the attacks,
while incurring a small overhead.
overhead.
The remainder of the paper is organized as follows.
follows. Section II I1 overviews related work. Section III
I11
presents our network and system model. We discuss the attacks against multicast in IV-B IV-B and present
BSMR in Section V. We present experimental results in Section VI and conclude in Section VII.
II. RELATED WORK
Significant work addresses vulnerabilities of unicast routing protocols in wireless networks. Several
secure routing protocols resilient to outside attacks were proposed in the last few years such as Ariadne
[l 11, SEAD [10],
[11], [lo], ARAN [12],
[12], and the work in [9].
[9].
flood rushing and wormhole were recently identified and studied. RAP
Wireless specific attacks such as flood
[20] prevents the rushing attack by waiting for several flood
[20] flood requests and then randomly selecting one to
forward, rather than always forwarding only the first
forward, first one. Techniques
Techniques to defend against wormhole attacks
include Packet Leashes [21][21] which restricts the maximum transmission distance by using either a tight
time synchronization or location information, Truelink [22] [22] which uses MAC level acknowledgments to
infer if a link exists or not between two nodes, and the technique in [23], [23], which relies on directional
antennas.
antennas.
[13]-[16]. Watchdog [13]
The problem of insider threats in unicast routing was studied in [13]-[16]. [13] relies on a
node monitoring its neighbors if they forward packets to other destinations. If a node does not overhear a
neighbor forwarding more than a threshold number of packets, it concludes that the neighbor is adversarial.
[14] uses multi-path routing to prevent a malicious node from selectively dropping data.
SDT [14] data. ODSBR
[15], [16]
[15], [16] provides resilience to Byzantine attacks caused by individual or colluding nodes by detecting
malicious links based on an acknowledgement-based feedback techniques.
Most of the work addressing application security issues related to multicast in wireless networks focused
on the problem of group key management in order to ensure data confidentiality and authenticity [24]- [24]-
[28]. Work studying multicast routing specific
[28]. specific security problems in wireless networks is scarce with the
notable exception of the authentication framework
framework by Roy et al. [17]. The framework allows MAODV
al. [17].
to withstand several external attacks targeted against the creation and maintenance of the multicast tree.
However, it does not provide resilience against Byzantine attacks.
[29]-[31]. Solutions proposed
Multicast routing specific security was also studied in overlay networks [29]-[31].
specific properties such as:
exploit overlay specific as: existence of network connectivity between each pair of
nodes which allows nodes to directly probe non-neighboring nodes,nodes, and highly redundant connectivity,
connectivity,
guaranteeing that many disjoint paths exist. None of these properties hold in multi-hop wireless networks.
networks.
111. NETWORK
III. SYSTEMMODEL
NETWORK AND SYSTEM MODEL
A. Network Model
We consider a multi-hop wireless network where nodes participate in the data forwarding process for
other nodes. We assume that the wireless channel is symmetric. All nodes have the same transmitting
power and consequently the same transmission range. The receiving range of a node is identical to its
transmission range.
Nodes are not required to be equipped with additional hardware such as GPS receivers or tightly
synchronized clocks. Also, nodes are not required to be tamper resistant: If an attacker compromises
compromises a
node, it can extract all key material, data or code stored on that node.
node.
B. Multicast Protocol
We assume a tree-based on-demand multicast protocol such as [6]. [6]. The protocol maintains bi-directional
shared multicast trees connecting multicast sources and receivers.
receivers. Each multicast group has a corresponding
multicast tree. The multicast source is a special node, the group leader,
leader, whose role is to eliminate stale
routes and coordinate group merges.
merges. Route freshness is indicated by a group sequence number updated
by the group leader and broadcast periodically in the entire network.
network. Higher group sequence numbers
denote fresher routes.
The main operations of the protocol are route discovery,
discovery, route activation
activation and tree maintenance. During
route
roUte discovery a node discovers
discovers a path to a node that is part of the multicast tree. A requester first
first
broadcasts a route request message that includes the latest known group sequence number. number. The route
request message is flooded in the network using a basic flood suppression
suppression mechanism and establishes
reverse routes to the source of the request. Upon receiving the route request, a node that is part of the
multicast tree and has a group sequence number at least as large as the one in the route request, generates
a route reply message and unicasts it on the reverse route. The route reply message includes the last
known group sequence number and the number of hops to the node that originated the route reply.
During route activation, the requester selects the freshest and shortest route (i.e., with the smallest
number of hops to the multicast tree) from the routes returned by the route discovery operation.
operation. The
requester activates that route by unicasting a multicast activation message.
Three main operations ensure the tree maintenance:
maintenance: tree pruning, broken link repair and tree merging.
merging.
Tree pruning occlirs
occurs when a group member that is a leaf in the multicast tree decides to leave the group.
group.
To prune itself from the tree, the node sends a message to indicate this to its parent. The pruning message
travels up the tree causing leaf nodes that are not members of the multicast group to prune themselves
from the tree, until it reaches either a non-leaf node or a group member.
member. A non-leaf group member must
continue to act as a router and cannot prune itself from the multicast tree.
A node initiates a link repair procedure when the upstream link in the multicast tree breaks. If
A If the
node cannot reconnect to the tree, it means the tree is partitioned. In this case the node runs a special
procedure to prune non-member leaf nodes and elect a group leader for the partition. When two partitions
of the same tree reconnect, the leader of one of the partitions coordinates the merge of the partitions,
suppressing the other leader.
leader.
ATTACKSAGAINST
IV. ATTACKS AGAINSTMULTICAST
MULTICAST ROUTING
ROUTING
A. Adversarial Model
We assume that nodes may exhibit Byzantine behavior, either alone or colluding with other nodes.
Examples of such behavior include: not forwarding packets, injecting, modifying or replaying packets.
We refer to any arbitrary action by authenticated nodes resulting in disruption of the routing service as
Byzantine behavior, adversary.
behavior, and to such an adversary as a Byzantine adversary.
We consider a three-level trust model that captures the interactions between nodes in a wireless multicast
defines a node's privileges: a first level includes the source which must be continually available
setting and defines
and assumed not to be compromised; a second level consists of the multicast group member nodes, which
are allowed to initiate requests for joining multicast groups;
groups; and a third level consists of non-member
nodes which participate in the routing but are not entitled to initiate group join
join requests. In order to cope
with Byzantine attacks, even group members cannot be fully trusted.
An attacker can disrupt the physical layer by jamming, and MAC protocols such as 802.11 can be
RTSICTS packets. This work only considers attacks targeted against
disrupted by attacks using the special RTS/CTS
focuses instead on
the network level. Also, preventing traffic analysis is not the goal of this work, which focuses
survivable routing.
B. Attacks in Multicast in Multi-Hop Wireless
Wireless Networks
discovery, route activation and
An adversary can attack control messages corresponding to the route discovery,
tree management components of the routing protocol, or can attack data messages.
The route discovery phase can be disrupted by outside attackers creating undesired results by injecting,
replaying, or modifying control packets. Nodes that are not in the tree can mislead other nodes into
believing that they found and are connected to the tree. Nodes can flood the network with bogus requests
for joining multicast groups. A Byzantine adversary can prevent a route from being established by dropping
the request and/or response, or can influence the route selection by using wireless specific attacks such
as wormhole and flood rushing. A Byzantine adversary can also modify the packets carrying the route
identifiers.
selection metric such as hop count or node identifiers.
An outside attacker can inject bogus route activation messages, or prevent correct route activation
messages to reach all nodes.
nodes.
Nodes can maliciously report that other links are broken or generate incorrect pruning messages resulting
in correct nodes being disconnected from the network or tree partitioning. In the absence of authentication,
leader. Although many routing protocols do not describe how to
any node can pretend to be the group leader.
select a new group leader when needed, we note that the leader election protocol can also be influenced
attackers.
by attackers.
replaying, injecting data, or se-
Attacks against data messages consist of eavesdropping, modifying, replaying,
route. A special form of packet delivery disruption
lectively forwarding data after being selected on a route.
is a denial of service attack, in which the attacker overwhelms the computational, sending or receiving
first
capabilities of a node. In general, data source authentication, integrity and encryption can solve the first
specific security.
attacks and are usually considered application specific security. Defending against selective data forwarding
forwarding
and denial of service cannot be done exclusively by using cryptographic mechanisms.
SECUREMULTICAST
V. SECURE MULTICASTROUTINGPROTOCOL
ROUTING PROTOCOL
A. BSMR Overview
Overview
Our protocol ensures that multicast data is delivered from the source to the members of the multicast
group, even in the presence of Byzantine attackers, as long as the group members are reachable through
non-adversarial paths and a non-adversarial path exists between a new member and a node in the multicast
tree.
To eliminate a large class of outside attacks we use an authentication framework that ensures only
authorized nodes can perform certain operations (e.g., only tree nodes can perform tree operations and
only nodes that possess valid group certificates can connect to the corresponding multicast tree).
BSMR mitigates inside attacks that try to prevent a node from establishing a route to the multicast tree
by flooding
flooding both route request and route reply such that if an adversarial-free route exists, then a route is
established.
BSNIR
BSMR ensures resilience to selective data forwarding
forwarding attacks by using a reliability metric that captures
adversarial behavior.
behavior. The metric consists of a list of link weights in which high weights correspond to low
reliability. Each node in the network maintains its own weight list and includes it in each route request
to ensure that a new route to the tree avoids
avoids adversarial links.
A link's reliability is determined based on the number of packets successfully delivered on that link
over time. Tree nodes monitor the rate of receiving data packets and compare it with the transmission
transmission
rate indicated by the source in the form of an NIRATE message. If the perceived transmission rate falls
MRATE message. falls
below the rate indicated in the MRATE message by more than a threshold,
threshold, an honest node that is a direct
descendant of an adversarial node updates its weight list by penalizing the link to its parent and then tries
to discover a new route to the tree.
tree.
We note that a strategy based on end-to-end acknowledgments,
acknowledgments, although shown effective in unicast [14],
[14],
[16], is not scalable: As the size of the multicast group increases, ACK implosion occurs at the source,
which may cause a drastic decrease in data delivery [32].
[32]. Moreover,
Moreover, solutions that address the problem of
feedback implosion in multicast protocols (e.g., feedback aggregation
aggregation or a combination of ACWNACK
ACKINACK
messages [33])
[33]) were designed to operate under non-adversarial conditions; It is questionable if they will
work in adversarial networks.
networks.
Without loss of generality,
generality, we limit our description to one multicast group.
group. Below we describe the
previously mentioned authentication framework,
framework, the route discovery, the route activation, multicast tree
maintenance and the selective data forwarding detection mechanisms.
mechanisms.
B. Authentication Framework
In order to protect from external attacks against the creation and maintenance of the multicast tree
BSMR uses a framework similar with the one in [17]. [17]. The framework prevents unauthorized nodes to be
part of the network, of a multicast group, or of a multicast tree. These forms of authentication correspond
to the trust model described in Section IV-A.IV-A. Each node authorized to join the network has a pair of
publiclprivate certijicate that binds its public key to its IP address.
public/private keys and a node certificate address. Each node authorized
to join certijicate that binds its public key and IP address to
join a multicast group has an additional group certificate
the IP address of the multicast group.
group.
Nodes in the multicast tree are authenticated using a tree token,token, which is periodically refreshed and
disseminated by the group leader in the multicast tree with the help of pairwise
pairwise shared keys established
between every direct tree neighbors.
neighbors. Thus, only nodes that are currently on the tree will have a valid tree
token. To allow any node in the network to check that a tree node possesses a valid tree token, the group
leader periodically broadcasts in the entire network a tree token authenticator ff(tree t o k e n ) , where ff is
(tree token),
a collision resistant one-way function.
function. Nodes can check the validity of a given tree token by applying the
function f to it and comparing the result with the latest received tree token authenticator.
authenticator.
To prevent tree nodes from claiming to be at a smaller hop distance from the group leader than they
actually are, we use a technique based on a one-way hash chain. The last element of this hash chain,
referred to as hop count anchor,
anchor, is broadcast periodically by the group leader.
leader.
We assume that nodes have a method to determine the source authenticity of the received data (e.g., (e.g.,
TESLA [34]).
[34]). This allows a node to correctly determine the rate at which it receives multicast data. data.
C. Route Discovery
C.
BSMR's route discovery
discovery allows
allows a node that wants to join a multicast group to find a route to the multicast
tree. The
tree. The protocol follows
follows the typical route request/route
requestlroute reply procedure used by on-demand routing
protocols with severalseveral differences.
differences. To prevent outsiders from interfering, all route discovery messages
are
are authenticated using the public key corresponding to the network certificate. Only group authenticated
nodes
nodes can initiate route requests and the group certificate is required in each request. Tree nodes use the
tree token to prove their current tree status. status.
Several
Several mechanisms are used to address internal attackers: (a) both route request and route reply are
flooded
flooded in order to ensure that, that, if an adversarial-free path exists, it will be found;
found; (b) the path selection
relies
relies on the weights list carried in the response flood and allows the requester to select a non-adversarial
path;
path; (c)
(c) the propagation of weights and path accumulation is performed using an onion-like signing to
prevent forwarding
forwarding nodes from from modifying the path carried in the response.
The
The requesting node broadcasts a route request (RREQ) message that includes the node identifier and its
weight list,
list, the multicast group
group identifier,
identifier, the last known group sequence number, and a request sequence
number.
number. The The RREQ
RREQ message is flooded flooded in the network until it reaches a tree node that has a group
sequence
sequence number at least as as great as that in the RREQ. Only new requests are processed by intermediate
nodes.
nodes.
When a tree node receives for the first time a RREQ from a requester and the node's group sequence
number is is at least asas great asas that contained in the RREQ, it initiates a response. The node broadcasts
a route reply (RREP) message that includes that node identifier, identifier, its recorded group sequence number,
the
the requester's identifier,
identifier, a response sequence number, the group identifier and the weight list from the
request message.
message. To To prove its current tree node status, the node also includes in the response the current
tree token,
token, encrypted with the requester's public key. The RREP message is flooded in the network until
following weighted Jlood
requester, using the following
it reaches the requester, flood suppression mechanism. Tree nodes with a
group
group sequence number at least as great as that in the RREP RREiP ignore RREP messages. Otherwise, a node
computes the total path weight by summing the weight of all the links on the specified path from the
multicast tree to itself. If the total weight is less than any previously forwarded matching response (same
requester, multicast group
requester, group and response sequence number), and all the signatures accumulated on the
reply areare valid,
valid, the node appends its identifier to the end of the message, signs the entire message and
rebroadcasts it. it. As the RREP message propagates across the network, nodes establish the forward forward route by
setting pointers to the node from from which the RREP was received. Although several tree nodes may initiate
the response flood,
the flood, the weighted floodflood suppression mechanism insures the communication overhead is
equivalent to only only one flood.
flood.
When the requester receives a response, it performs the same computation as an intermediate node
during the response propagation. The requester updates its information upon receipt of
during of a valid response
that contains a better path according to our reliability metric.
D. Multicast Route Activation
D.
The requester signs
The signs and unicasts on the selected route a multicast activation (MACT) message that
includes its identifier, the group identifier and the sequence number used in the route request phase. An
includes its identifier,
intermediate node on the route checks if the signature on MACT is valid and if
intermediate if MACT contains the same
sequence number as
sequence as the one in the original RREQ message. The node then adds to its list of
of tree neighbors
the
the previous node and the next node on the route as downstream and upstream neighbors, respectively,
sends the MACT message along the forward route.
and sends route.
The requester and the nodes that received the MACT message could be prevented from being grafted
The
to the
to the tree by an adversarial node,
node, selected on the forward route, which drops the MACT message. To
attack, these nodes will start a waiting to connect timer (WTC-Timer)
mitigate the attack, (WTC_Timer) upon whose expiration
faulty link and initiate Route Discovery (Event 3 of Sec. V-F). The timers are set to expire
nodes isolate a faulty
nodes
after a value proportional to a node's hop distance to the tree, in the hope that the nodes closer to the
tree will succeed in avoiding the adversarial node and will manage to connect to the tree. After a node
becomes aware of its expected receiving data rate, it cancels its WTC_Timer
WTC-Timer and behaves as described in
Sec. V-F.
E. Multicast Tree
Tree Maintenance
The tree maintenance phase ensures the correct operation of the protocol when confronted with events
events
such as pruning, link breakage and node partitioning. Routing messages exchanged by tree neighbors, such
as pruning messages (described in Sec.Sec. III-B)
111-B) are authenticated using the pairwise keys shared between
tree neighbors. If a malicious node prunes itself even if it has a subtree below it, the honest nodes in this
subtree will reconnect to the tree following the procedure described in Sec. V-F. The link repair procedure
is initiated by nodes that detect a broken link and is similar with Route Discovery.
The group leader periodically broadcast in the entire network a signed Group Hello message that contains
the current group sequence number, the tree token authenticator and the hop count anchor (described in
Sec.
Sec. V-B).
F:
F. Selective Data Forwarding Detection
The source periodically signs and sends in the tree a multicast rate (MRATE)
(MRATE) message that contains its
po. As this message propagates in the multicast tree, nodes may add their perceived
data transmission rate Po.
transmission rate to it. The information in the MRATE message allows nodes to detect if tree ancestors
perform selective data forwarding attacks. Depending on whether their perceived rate is within acceptable
limits of the rate in the MRATE message, nodes alternate between two states. The initial state of a node
is Disconnected;
Disconnected; After it joins the multicast group and becomes aware of its expected receiving data rate,
the node switches to the Connected state. Upon detecting a selective data forwarding attack, the node
Disconnected state.
switches back to the Disconnected
A network operating normally exhibits some amount of natural "loss", "loss", which may cause the rate
perceived by a node to be smaller than the rate perceived by its tree parent. This natural rate decrease is
cumulative as data travels further away from the source.
source. We define a threshold 6b as the upper bound for
the tolerable loss rate on a single link. If a node's perceived rate is smaller than the last recorded rate in
MRATE by more than 6, b, the node concatenates its identifier and its rate to MRATE and signs the entire
message before forwarding it. These added rates serve as proofs that nodes which previously forwarded
the MRATE message did not perceive losses much larger than natural losses.
In order to prevent a malicious node from introducing a rate decrease significantly larger than 6,
b, we use
another threshold ,6,A >> 6.
b. Upon receiving an MRATE
NlRATE message, each node first checks if the difference
between the last rate in MRATE and the node's perceived rate is greater than ,6,. A. If so, this indicates
that there exists at least an adversarial node in between this node and the node that added the last rate
to MRATE. The first honest node that notices a difference larger than ,6, A incriminates the link to its tree
parent as faulty (by using an multiplicative weight increase scheme) and assumes responsibility for finding
a new route to the tree. The nodes in the subtree below this node will notice there is a "gap"
"gap" greater than
A between the rates included in MRATE; They will defer taking any action to isolate the faulty link for
,6,
an amount of time proportional to the distance from the node that already started the repair procedure,
in the hope that the nodes closer to the faulty link will succeed in isolating it. Upon detecting that the
expected data packet rate has been restored, nodes cancel the repair procedure.
Figures 1,
1, 2 and 3 describe how a Connected node reacts to the following events, respectively: (1)
receipt of an MRATE message, (2) timeout of the MRATE-Timer,
MRATE_Timer, and (3) timeout of the WTC_Timer.
WTC-Timer.
pnode
Pnode denotes the rate at which the node receives packets from its tree parent.
MRATE_Timer will expire.
Tree nodes expect to periodically receive MRATE messages, otherwise the MRATE-Timer
Note that each tree node stores the latest received MRATE message and uses it to re-initiate the propagation
Fig. 1: I: receipt of
of MRATE = = (po,
(Po, (idl,pl), . . . , (idk,pk))
(id 1 , PI),"" (id k, Pk))
I.
1. ifif this is the first MRATE message received then
2. switch to Connected state
3. WTC_Timer
cancel WTC-Timer
4. store MRATE message and cancel MRATE-Timer MRATE_Timer
5. if WTC_Timer #
if state = Connected and WTC-Timer =I PENDING
PENDING then
6. ifif MRATE contains a "gap""gap" larger than A Do then
7. WTC_Timer timer
start WTC-Timer
8. forward MRATE
9. return
10.
10. else if WTC_Timer =
if WTC-Timer = PENDING
PENDING then
II.
11. if
if MRATE contains a "gap" "gap" larger than A Do then
12.
12. MRATE = cat-and-sign(MRATE,
cat_and_sign(MRATE, (idnode,
(id node ' pnode))
Pnode»
13.
13. forward MRATE
14. return
15.
15. else
16.
16. cancel WTC-Timer
WTC_Timer
17.
17. switch to Connected state
18.
18. if pkPk - Pnode > A
- pnode Do then
19.
cacand_sign(MRATE, (idnode,
(idnode, pnode))
Pnode»
20. WTC-Timer =
if WTC_Timer = PENDING
PENDING then
21. cancel WTC_timer
WTC-timer
22. switch to Disconnected
Disconnected state
23. increase weight of the link to the parent
24. initiate Route Discovery
initiate
25. else if pk Pk - Pnode > b
- pnode 0 then
cacand_sign(MRATE, (idnode,
(idnode, pnode))
Pnode»
27. forward MRATE message
28. start MRATE-Timer
MRATE Timer
of MRATE-Timer
Fig. 2: timeout of MRATE Timer
WTC-Timer =I
1. if state = Connected and WTC_Timer
I. # PENDING
PENDING then
2. stored MRATE =
retrieve stored = (po,
(po, (id
(idl,
l , pl), . . . , (idk,
pI), ... (idk, pk))
Pk))
3.
3. if pk Pnode > Do
Pk -- pnode A then
4. MRATE = cacand_sign(MRATE,
cat-and-sign(MRATE, (id (idnode,
node ' pnode))
Pnode»
5.
5. switch to Disconnected
Disconnected state
6.
7. initiate Route Discovery
Discovery
8.
8. else if pk Pnode > 0
Pk -- pnode b then
9.
9. MRATE = = cacand_sign(MRATE,
cat-and-sign(MRATE, (id (idnode,
node ' pnode))
Pnode»
IO.
10. forward
forward MRATE message
3: timeout of WTC
Fig. 3: WTC-Timer
Timer
1.
1. switch
switch to Disconnected
Disconnected state
state
3. initiate
initiate Route Discovery
of MRATE if MRATE_Timer
MRATE-Timer expires.
expires. Also, when MRATE_Timer
MRATE-Timer expires a node compares its perceived
rate with the expected rate from
from the stored MRATE message.
VI. EXPERIMENTAL
VI. EXPERIMENTAL RESULTS
RESULTS
To the best of our knowledge, the only security mechanism proposed on-demand multicast protocols is
the authentication
authentication framework by Roy et al. al. [17],
[17], to which we refer as
as A-MAODY.
A-MAODV. Although A-MAODV
withstands several
several external attacks targeted against the creation and maintenance of the multicast tree, it
external attacks
does
does not provide additional attacks. In this section, we study the effect of
additional resilience against Byzantine attacks.
several
several Byzantine attacks on the performance of A-MAODV and we simulate the same attacks against
BSMR in order to show
show its effectiveness
effectiveness in mitigating the attacks.
attacks.
Implementation. We implemented BSMR using the ns2 simulator [35],
Implementation. [35], starting from
from an MAODV
[36]. We assumed the protocol uses RSA [37]
implementation [36]. [37] with l024-bit
1024-bit keys
keys for
for public key operations,
[38] with 128-bit keys for symmetric encryptions and HMAC [39]
AES [38] [39] with SHAI
SHAl as the message
authentication code.
A were 10%
The values used for 156 and 6 10% and 20% of the source's rate, respectively. We developed a
protocol-independent Byzantine attack simulation module for ns2.
A. Experimental Methodology
To capture a protocol's
protocol's effectiveness in delivering data to the multicast group, we used as a performance
as:
metric the packet delivery ratio (PDR), defined as:
PDR=~
P DR = - PT
P, .N
Ps ·N
where P,Pr is the number of data packets received by multicast group members, P, Ps is the number of data
packets sent by the source and N is the size of the group.
Because external attacks can be prevented using the authentication framework described in Sec. Sec. V-B,
in this paper we focus on the following three Byzantine attacks:
--black attack: This is a selective data forwarding attack, in which adversaries only forward routing
black hole attack:
control packets, while dropping all data packets.
--wormhole
wormhole attack:
attack: Two colluding adversaries cooperate by tunneling packets between each other in
order to create a shortcut (or wormhole) in the network. The adversaries use the low cost appearance of
the wormhole in order to increase the probability of being selected on paths; Once selected on a path,
they attempt to disrupt data delivery by executing a black hole attack.
--flood attack: The attack exploits the flood
flood rushing attack: flood duplicate suppression technique used by many
wireless routing protocols. By "rushing"
"rushing" an authenticated flood through the network before the flood
traveling through a legitimate route, a Byzantine adversary ends up controlling many routes. The attack
can be implemented by simply ignoring the small randomized delays which are normally required to
reduce the number of collisions.
collisions. Flood rushing can be used to increase the effectiveness of a black hole
or wormhole attack.
In order to quantify the impact of adversarial positioning, we consider the following scenarios:
--random
random placement:
placement: adversaries are placed randomly in the simulation area;
-strategic
-strategic placement:
placement: adversarial placement is as follows:
follows:
• black hole attack:
attack: adversaries are placed strategically around the multicast source, equidistant on a
circle with radius of 200 meters.
• wormhole attack:
attack Given k adversaries,
adversaries, one adversary is placed near the source, at coordinates
(650,650).
(650,650). The other k -- 11 adversaries are placed throughout the simulation area so that the areas
covered by their transmission range overlap as little as possible. Each one of the k -- 11 adversaries
is connected via a wormhole tunnel to the adversary placed near the source, thus creating k -- 11
wormholes.
In Fig. 4, we illustrate the strategic adversarial placement for the black hole attack (in the presence of
6 adversaries) and for the wormhole attack (in the presence of 7 adversaries).
To study the influence of whether the adversaries explicitly join the multicast group and the order of
joining, we consider two scenarios:
joining, scenarios:
-N JOIN: adversarial nodes do not join the group;
NJOIN:
-JOIN:
-JOIN: adversarial nodes explicitly join join the group before any of the honest members join. The adversaries
are considered group members in the formula for PDR.
We chose these test case scenarios in order to study the impact of the attacks under a light set of
conditions (adversaries
(adversaries are placed randomly, or they do not explicitly join
join the multicast group) and under
a more extreme set of conditions (adversaries
(adversaries are placed strategically, or they join the group before honest
nodes do).
1]50
• o.
.... 1200
900
• •
" I , , , , , 1 la,
'"
I ~""'.'
+-'~'''=--::::'OO=--::::'''---="",----='''---C9=-OO-'''=-''---C''=-00
,~-----'-~, ~~_~~~~---.J
O L
o 150 3m ara sm ~ro 9m ,050 tzaa --':"=-,,-,-J"OO
13s ~wo oo 150 3M
OW 450
110 600
MO ]50
150 '.lOO
~m 1050
OOIO 1200
I I ~1350
1310 IlSOO
Y~O
(a) Black hole: 6 adversaries (b) Wormhole: 7 adversaries

Fig. 4: Examples of strategic adversarial placement for the black hole and wormhole attacks
B. Simulation Setup
We performed simulations using the ns2 network simulator [35]. Nodes were set to use 802.11 radios
with 2 Mbps bandwidth and 250 meters nominal range. The simulated time was 600 seconds. We randomly
placed 100
100 nodes within a 1500 by 1500 meter area and the multicast source in the center of the area at
coordinates (750,750).
(750,750). We experimented with different values for group size (10,
(l0, 30 and 50), for number
of adversaries (between 16%
16% and 60% of the group size) and for "max"
"max" speed (0, 2 and 5 mls).
Group members join the group sequentially in the beginning of the simulation,
simulation, each one at an interval
of 3 seconds. Then the source transmits multicast data for 600 seconds at a rate of 5 packets per second,
second,
each packet of 256 bytes (resulting in loads between 100-500 Kbps across all receivers). The members
stay in the group until the end of the simulation.
simulation. Adversaries added to the network replace honest nodes,
thus modeling the capture of honest nodes.
We used a random way-point mobility model, but we incorporated changes to address concerns raised
[40] about the validity of the standard random way-point model. In particular, nodes select a speed
in [40]
uniformly between 10%
10% and 90% of the given maximum speed to achieve a more steady mobility pattern
and ensure that the average speed does not drop drastically over the course of the simulation. In addition,
300 seconds of mobility are generated before the start of the simulation so that nodes are already in
motion. This allows the average speed and node distribution to stabilize before the simulation starts.
Each data point in the figures
figures is averaged over 30 different random environments and over all group
members.
We evaluate the PDR as a function of the number of adversaries, for different group sizes and levels
mobility. Each graph of sections VI-C and VI-D illustrates the effect of the attacks with and without
of mobility.
flood rushing.
C. Attack Resilience: The
C. The black hole attack
a ) Impact of
a) of Adversarial
Adversarial Placement: Figures 5 and 6 show the results for random and strategic
adversarial placement, respectively. For random placement we see that, for the same group size, the PDR
of A-MAODV decreases as the number of adversaries increases. For the same number of adversaries,
adversaries, it
also decreases as we increase the group size. However,
However, random adversarial placement causes the number of
group members in the subtree below an adversary to be low; Thus a relatively large number of adversaries
is needed to cause a significant disruption (e.g., 30 adversaries for a group of size 50 can cause the PDR
to drop below 50%). In the presence of flood rushing, the PDR decreases further because adversaries
actively try to get selected themselves as part of the tree. The impact of flood
flood rushing decreases as the
group size and the nodal speed increase.
We notice that, for A-MAODV, increasing the nodal speed does not have a negative effect on the PDR;
On the contrary, at higher speeds we even see a slight increase in PDR. The effect of link breaks due to
1 +A-MAODV ++A-MAODV-rush 4BSMR 4% BSMR-rush 1
100
_"
co _"
~
_
,.
BO
70 + . o 70 + . ;- 70 +.............................. .... .
~ '"~ ,,+ rJ
'" 60 , . . '" 60 , .
i=' i=' i='
~ 50 .~ 50 .~ 50
a; a; a;
C 40 C 40 C 40 + .
~ ~
ti 3D ti 3D
~ ~
':J---~---~-----i
10
o+----~---~-------i
0 o0 +-----~---~-----i -.
o0 2 5 10 o0 2 5 10
10 0 2 5 10
Adversaries
Adversaries Adversaries
Adversaries
(a)
(a) 10 members; 00 mls
10 members; m/s (b) 10
(b) 10 members;
members; 22 m/s
d s (c) 10
(c) 10 members;
members; 55 mls
m/s
100 ,.................................................................................................................•
_ BO
-"
c 'ij " eo
o 70 '";; 70 70
:; :; :;
'" 60 '" 60 '" 60
i=' i=' i='
.~ 50 .~ 50 .~ 50
a; a; a;
C 40 C 40 C 40
~ 30 ~ 3D
]I
~ 30
Q. Q.
20 , . 20 + . Q.
20 , .
10 10 10
o+----~---~-----; -.
O+-----~---~----i O+----~---~-----i
o0 5 1010 2020 o0 5 1030 2020 o0 5 1010 2020
Adversaries
Adversaries
(d)
(d) 30 members; 00 mls
30members; m/s (e) 30
(e) 30 members;
members; 22m/s
mls (f)30
(f) 30 members;
members; 55 mls
m/s
9O.~=::::::::iI~~ .
-"
e
~ 70
It: "
.f
a;
50
C 40
0;
g 30
Q.
20 20
10 1010 10
O+----~---~-----i
" , O+----~---~----i
0 - O+----~---~-------j
0
o0 1010 2020 3030 o0 1010 2010 3030 o0 1010 20 30
Adversaries
Adversaries
(g)
(g) 50 members;00mls
50members; m/s (h) 50
(h) 50members;
members;22m/s
d s (i)(i) 50
50members;
members;55mls
m/s
Fig.
Fig.5:5:Black
Blackhole
holeattack
attackand
andflood
floodrushing
rushingcombined
combinedwith
withblack
blackhole:
hole:Random
Randomplacement
placement(NJOIN)
(NJOIN)
mobility
mobility isiscompensated
compensatedby by the
the fact
fact that
that group
group members
membersget get aa chance
chancetoto reconnect
reconnect toto the
the multicast
multicast tree
tree
inin aa different
differentposition,
position, possibly
possibly connected
connected toto the
the source
sourcethrough
through an an adversarial-free
adversarial-freepath.
path. For
For the
the same
same
reason,
reason, the
the effect
effectof
of flood
floodrushing
rushingisisdiminished
diminished asasthe
thenodal
nodalspeed
speedincreases.
increases.
BSMR
BSMR is almost unaffected by the black hole attack (see Fig. The
is almost unaffected by the black hole attack (see Fig. 5).
5). ThePDR
PDR drops
dropsby by less
less than
than 10%
10%
even
even inin the
the presence
presenceof of 20
20adversaries.
adversaries.InIn addition,
addition,the
the influence
influenceof of flood
floodrushing
rushing isis unnoticeable.
unnoticeable.This This
shows
showsthe the effectiveness
effectivenessagainst
against flood rushing of
floodrushing of BSMR's
BSMR's strategy,
strategy,which
which includes
includesthetheprocessing
processingof of all
all
response
response flood
floodduplicates
duplicatesand andthe
themetric
metriccapturing
capturingpast
past behavior
behaviorof of adversarial
adversarialnodes.
nodes.Mobility
Mobilitycauses
causesaa
slight
slightPDR
PDRdecrease,
decrease,which
whichisisnatural
naturalbecause
becausehigher
higherspeeds
speedswillwill cause
causemore
morelink
linkbreaks.
breaks.
1 +A-MAODV -B-A-MAODV-rush
[ft-A-MAODV ++A-MAODV-rush ....... +BSMR-rush 1
tBSMR -B-BSMR=ruSilJ
100,························· . 100,····················· .. :
90~-==~~~ ,
-"
~
o 70
_eo
...'0' + 70 '\: C-".... ,
_
~
o
80
70+········,,,····
:; ~
:;
a: 60 60 t··········· ....., ,""'-:................... , a: 60 ,............ ""'''
~ ~ ~
.~ 50 .~ 50 .~ 50
Q;
Q 40
Q;
Q 40 + ""'. . . . . . . . . . . . . . . . . . . . . ,,""6 Q;
Q 40j ....·········..···········
w a; a;
tf 30 ~ 30 ti 30
~
20
~
20
r:. 20
10 10 10
o-l-----_---_------i o-l-----_---_-----i o-l-----~---_------i

o 10 o '0 o 10
Adversaries
(a)
(a) 10
10 members; 0 m1s
m/s (b)
(b) 10
10 members; 2 m1s
m/s (c)
(c) 10
10 members; 5 m1s
m/s
l00.:r.: ····· ·····..···..······..··· ··· ·..·· · , 100 ,........................................................................ . .
90 .
_ 80 _ 80 _ 80
'"~ ...
-;; 70
...
""; 70
70
:; :;; :;
a: " a: 60 a: 60
~ ~ ~
.~ 50 .~ 50 .~ 50
Q; Q; Q;
Q 40 Q 40 Q 40
a; a; ]I
~ ti
~
30 30
a. 20 j..................... .'.. ,=:=::::=:::~~~-4J r:. 20+ I =~=='P 38.

20
10 10 10
o+----~---~------i o+----~---~-----i O---_---~--~

o 10 20 o 10 20 10 20
Adversaries Adversanes
(d)
(d) 30 members; 0 m/s (e)
(e) 30 members; 2 m1s
m/s (f) 30 members; 5 m1s
(f) m/s
100 100
90 90
e"
80 80
0 70
c
.2 70
c
0 70
:;
a: 60
1;;
a: 60 ~ 60
~ ~ ~
w 50
.~ 50
.~ ~ 50
Q; Q; ~
Q 40 Q 40 Q 40
a; a;
~. 30
.
""u '0 ""g 30
a. Q. a.
20 20 20
10 10 10
0 0 0
0 10 20 30
'0 0 10 20 30 0 10 20 30
'0
Adversaries
Adversaries Adversaries Adversaries
(g) 50 members; 0 m1s

(g) m/s (h)
(h) 50 members;
members; 2 m1s
m/s (i) 50 members; 5 m1s
m/s
hole: Strategic placement (NJOIN)
Fig. 6: Black hole attack and flood rushing combined with black hole:
In the previous experiments, the adversaries were randomly placed. Fig. 6 shows the results when
adversaries are strategically positioned as described in Section VI-A. For A-MAODV we notice a drastic
drop in the PDR. For example, at 0 mis, °
d s , when the group size is 30, only 5 adversaries (representing 16%
16%
of the group size) are able to reduce the PDR to 25% by executing the black hole attack with flood rushing.
This is a direct consequence of the fact that an adversary is now selected in the tree closer to the root
and the subtree below it may potentially contain many group members. For the same reason, the negative
effect of the flood rushing attack is now emphasized when compared to the random placement case. We
A-MAODV.
conclude that strategic adversarial positioning has a crippling effect on the performance of A-MAODY.
L-
[ -A-A-MAODV
A A-MAODV
-. -.-
-A-MAODV-rush
. - - - - ...
:::::: A·MAODV·rush - . - BSMR .-II-
.. _ - - - - - - - -
BSMR.ru~h ~~<"'
BSMR-rush
_----_._----.
-
_ ---
idea4
---(.-- ideal] +- ~p - -
- - --
100 100
90 90
_
C
8D _
,
5
8D
80 -5
_ 8D
80
o
:;;
0::
70
6D
"":;-
'";
,g
1
0:: 8D
SO
70
70
-
""
,g
;-
:;
1
0:: 6D
80
70
70
~ 2~ ~
2
..
.~
Q
50
40
..-$
$ 50
~
Q 40
;.~.-
-
~8
so
50
40
40
;;
~
0.
3D i%
0.
L
3D
30
~
5
u
~
2
30
20 20 20 .. o.
10 10 10
10
o -I------~---~--____; 0 1
of----~---~---~
0
o0 2 5 10 0 2 5 10 0 2 5 10
Adversaries
Adversaries Advenaries
Adversaries
(a) 10
10 honest members; 0 mls
m/s 10 honest members; 2 mls
(b) 10 m/s 10 honest members; 5 mls
(c) 10 m/s
90 90
8D 80 8D
C 70
C 70
~ 70
~
0
0:: 6D
:;
0:: .0
~
0:: .0
~ ~ ~
..
.~
Q
50
40
..
.~
Q
50
40
..
~
.~
Q
50
40
~ ~
ti ~
g 30
~
30
~
30
0. 0. 0.
20 20 20
10 10 10
0 0 0
0 10 20 0 10 20 0 10 20
Adversaries
Advenaries Adversaries
Adversaries
(d) 30 honest members; 0 mls

m/s (e) 30 honest members; 2 rn/s
m/s (0 30 honest members; 5 mls
(f) m/s
100Jik···················································......................................................... ,
90 90
_ 00 _ '0
o 70
C
.e 70
co 70
:; 1; :;
0:: 50 0:: .0 0:: '0
~ ~ ~
.~ 50 .~ 50 .~ 50
•
C 40 •
C 40 •
C 40
~
0.
30 ~
~
30
20 j .
I
0.
3D
20, . . .
20
10 10 10
o -I------~---_--____; 0+----_---_----;
o0 10
10 20 30 o0 10 20 30 0 10
10 10
20 30
Adversaries
Adversaries
(g) 50 honest members; 0 mls

m/s (h)
(h) 50 honest members; 2 mls
m/s (i) 50 honest members; 5 mls
m/s
Fig. 7: Black hole attack and flood rushing combined with black hole: Random placement (JOIN)
(JOIN)
On the contrary,
contrary, the effect of strategic
strategic adversarial
adversarial positioning on BSMR is minor (Fig. 6). Like for
(Fig. 6).
random placement, the PDR drops by less than 10% 10% even in the presence of 20 adversaries,
adversaries, at low nodal
speeds. When more adversaries are present, we see a slightly larger PDR decrease because there are less
available honest nodes left in the network to serve as intermediaries for the group members.
members. The resilience
of BSMR to attacks that otherwise have a devastating
devastating effect on A-MAODV validates
validates the effectiveness
effectiveness of
BSMR's
BSMR's approach.
b)
b) Impact of Order: To analyze the impact of explicit join of adversaries
of Explicit Join and Join Order: adversaries to the
multicast group (JOIN), when compared to the NJOINNJOIN case,
case, we look again at the cases where adversaries
adversaries
1 +A-MAODV +A-MAODV-rush +BSMR BSMR-rush -:?+- ideal 1
100'-
90
.... , 90
...... X
"" .... ,
80 80 80
£ £ 70
£ 70
0 70 0 0
'X,
'g
II: SO
:;
II: 60 , .... ~
II:
~
60
~ ~
~ ~ ~
50 50 50
.~ .~ .~
0; 0; 0;
Q 40 Q 40 Q 40
;; ;; ;;
1J0. 30 ti
~
30 ti 30
0. ~
20 20 20
10 10 10
0 0 0
0 2 5 10
10 0 2 5 10
10 0 2 5 10
(a) 10
(a) 10 honest members; 0 m/s 10 honest members; 2 rn/s
(b) 10 m/s 10 honest members; 5 m/s
(c) 10
100
90
80 60 60
£ 70
C 70 """- 70
~
0
~
II: 80
:;
II: 80 II: 60
~ ~ ~
~ ~ ~
50 50 50
.~ .~ .~
0; 0; 0;
Q 40 Q 40 Q 40
;;
~
~
30 ti
~
30 ~~
30
0. 0. 0.
20 20 20
10 10 10
0 0 ".
0
0 5 10 20 0 5 10 20 0 5 10 20
Adversaries
Adversaries
(d) 30 honest members; 0 rn/s

(d) m/s m/s
(e) 30 honest members; 2 rn/s m/s
(f) 30 honest members; 5 rn/s
(f)
100"""· ·..·..· · ·..··· · · · , 100),0···· · ··· · · :
90 90
_ 80 _ 00
"~
_00
""~ ...'0' 70
70 70
:;
II: SO II: 60 II: 00
~ ~ ~
.~ 50 .~ 50 ~ 50
0; 0; 0;
Q 40 Q 40 Q 40
;; ;;
~ 30 ti 30 :: 30
0.
~
0.
Ii!
0.
I"'.... ·..·......·· ..······....···············.... ··..··········..··· :
2°1···················.···.·····.······~~:1
20f······ ....··....····· \:................................................................ : 20,·····..·······......·
10 10j 10
o+----~---~-------:
0 0 o+----~---~--~
0
o0 10 20 30 0 10 20 30 o0 10 20 30
Adversaries
(g) 50 honest members; 0 m/s m/s

(h) 50 honest members; 2 rn/s (i) 50 honest members; 5 m/s
(i)
Strategic placement (JOIN)
flood rushing combined with black hole: Strategic
Fig. 8: Black hole attack and flood
are randomly and strategically placed (Figures 7 and 8, 8, respectively). Each figure
figure also shows the ideal
PDR (labeled ideal), which would be obtained if everyone
every one of the honest group members would receive
all the packets sent by the source.
source. The effectiveness of an attack should be interpreted as the difference
diflerence
between the ideal line and a protocol's PDR line. An attack is effective if this difference increases as the
number of adversarial nodes is increased; On the other hand, a protocol resilient to attack appears as a
line that remains parallel to the ideal line.
For random adversarial placement in Fig. 7, just like in the NJOIN case, we also see a decrease in
adversaries increases.
PDR as the number of adversaries increases. In addition, we see a major difference from from the NJOIN case:
When the adversaries
adversaries explicitly join the group before the honest nodes join, the impact of flood rushing
is minimal because the adversaries are already part of the group and rushing control packets does not
provide any additional
additional benefit. contrary, in this case flood rushing may actually improve
benefit. On the contrary, improve the PDR %
because, by rushing control packets,

packets, adversaries may help legitimate nodes to find routes faster. faster. Also,
in MAODV a joining node activates
activates a route only after waiting an interval of time, during which it may
receive several route reply messages. At the end of this interval,
interval, it selects
selects the best route according to
a hop count metric.
metric. Thus, even if a adversarial tree node managed to rush its route reply, it may get
overwritten by a legitimate
legitimate route reply with a better hop metric.
metric.
A drastic drop in the PDR is observed for A-MAODV adversaries are placed strategically (see
A-MAODV when adversaries
8). We conclude that strategic
Fig. 8). strategic positioning
positioning has a crippling
crippling effect on the performance of A-MAODV
even more when adversaries explicitly join the multicast group.group. For both random and strategic
placement,
placement, BSMR is barely affected by the attacks:
attacks: In most cases the PDR line remains almost parallel to
the ideal line, which shows little degradation occurs as the number of adversaries increases.increases. The impact
of the attacks on BSMR increases slightly when a large number of adversaries adversaries have joined the group,
group,
available
because there are less available honest nodes left in the network to serve
serve as intermediaries
intermediaries for honest
members. We conclude that BSMR's strategy
group members. strategy is effective in the JOIN case as well. well.
D. Attack Resilience: The The wormhole attack
c ) Impact of
c) of Adversarial Placement: Figures 9 and 10 10 show the results
results for random and strategic
adversarial
adversarial placement, respectively.
respectively. Unlike in the experiments
experiments for the black hole attack,
attack, where the maxi-
mum number of adversaries was varied proportionally with the group group size,
size, for the wormhole attack only
up to 1212 adversaries
adversaries (forming 6 wormholes) and up to 7 adversaries
adversaries (forming 6 wormholes)
wormholes) were used
for the random and strategic
strategic placement cases,
cases, respectively, regardless of the group size.
respectively, regardless size.
When adversaries
adversaries are placed randomly, delivery ratio of A-MAODV is affected by an increase
randomly, the delivery increase in the
number of adversaries,
adversaries, as expected.
expected. In general,
general, we notice that the wormhole
wormhole attack causes more damage
than the black hole attack because less adversarial nodes are needed to decreasedecrease the delivery ratio by the
same amount.
amount. As an example,
example, for speed of 0 mfs m/s and group size of 30 members, only 10 10 nodes forming
forming
wormholes can reduce the PDR to 60%;
wormholes 60%; On the other hand, 20 adversaries
adversaries executing the black hole attack
are needed to reduce the PDR by the same amount. amount. Flood rushing has a noticeable impact especially for
sizes and for low mobility levels. Increasing
small group sizes Increasing the nodal speed reduces slightly the impact of
the wormhole and flood rushing attacks.
attacks. The explanation is similar with that for the black hole attack: attack:
Mobility causes link breaks and honest nodes reattach themselves in different positions in the multicast
tree, possibly connected to the source
source through non-adversarial paths.
The wormhole attack has a minor effect on the delivery delivery ratio of BSMR and the addition of flood
rushing has no effect.
effect. The PDR drops by less than 10%
10% for all simulated scenarios,
scenarios, even at higher levels
of mobility and remains above 90% for most simulated scenarios. scenarios. This confirms
confirms the effectiveness
effectiveness of
BSMR's strategy
strategy against the wormhole attack.
attack.
Fig. 10
10 shows
shows the results
results when adversaries are strategically placed and form form wormholes as described
described
VI-A. Because one end of each wormhole is near the source,
in Section VI-A. source, the other end of the wormhole
attractive, short routes to the nodes that are in its transmission range.
will present attractive, range. This has a serious
serious
impact on the delivery ratio of A-MAODV:
A-MAODV: When 7 adversaries
adversaries are present, forming wormholes, they
present, forming 6 wormholes,
cover almost completely
completely the entire simulation area;
area; Thus,
Thus, every honest node that is normally more than
three hops away from the sourcesource will be tricked into connecting to the multicast tree through one of the
adversarial
adversarial nodes.
nodes. When flood
flood rushing is employed,
employed, even nodes that are normally less than three hops
away from the source
source are also tricked into connecting
connecting through adversarial nodes.
nodes. This
This. has a serious
serious impact
on the PDR of A-MAODV,
A-MAODV, which drops as low as 23% (a drop of over 70%) when flood flood rushing is present
~[frA-MAODV
M A O D AV::::;-A-MAODV-rush
-MAODV-rush t .......BSMR
BSMR-..... BSMR-rush I
I)- BSMR-rush 1
'00 '00 'GG
90 90 90
80 _80 _80
C C ~
70 0 70 0 70
.2
:;
~ 60 ~ 60
'~" 60
bi,,,,,,
~ ~
~ ~ ~
50 50 50
.i? .i? .i?
;; ;; ;;
C 40 C 40 C 40
;; ;;
g
ll.
30
~
ll.
30
P
g
ll.
30
20 20 20
10 10 10
10
10
0 00
00
10 00 101 12 00 2 4 1 86 1 0 101 212
00 2 4 6 8 1 0 1 12
2 2 4 8 1 0 2
Adversaries
Adversaries
(a) 10
(a) lO members;
members; 00 m/s
rn/s (b) 10
(b) 10 members;
members; 22 m/s
rn/s (c)
(c) 10
10 members;
members; 55 mls
mls
100 ' I00
100
90 90
90'
_ 80 _ 80
C
0 70
C
0 70
--
,
s
C
20
80
80
70
70
:;
~ 60
'~" 60 2~ e
80
-8
~ ~
~ ~ ~ 50
50 50 50
.i? .i? .~
;;
C 40
;;
C 40 $;;C 40
40
;; ;; ;;
0
'"u 30 '"i;l 30 '"i;l 30
30
l:. ll.
20
P
ll.
20
20
20
10 10 10
10
0 00 00
00 68 10 1 122 00 2 4 6 68 1 0 10 1 12
2 00 2 4 6 86 1 0 10 1 2
12
2 4 6 1 0
Adversaries
Adversaries
(d)
(d) 30
30 members;
members; 00 rn/s
m/s (e) 30 members;
(e) members; 2 rn/s
m/s (t) 30 members; 5 m/s
(f) rn/s
100 100 ---~-~----------l '00
90
80 _80 80
C 70
C 70
C 70
0 0 0
:; :;
'~" 60'
'~" 60 ~ 60
~
.~
~
~
.. ..
50 50 50
.~
;; 13 ;;
Q C C
'G
]1 ;; ;;
i;l 30 '"i;l 30 '"
U
~
30
ll. ll. ll.
20 20 20
10 10 10
0 0-. 0
0 6 10 12 00 2 4 6 8 1 0 10 1 122 00 2 4 6 8 1 0 10 1 2
12
Adversaries
Adversaries
(g)
(g) 50
50 members;
members; 00 rn/s
m/s (h) 50
(h) 50 members;
members; 22 rn/s
m/s (i) 50
(i) 50 members;
members; 55 rn/s
m/s
Fig. 9:9: Wormhole
Fig. Wormhole attack
attack and
and flood
flood rushing
rushing combined
combined with wormhole: Random
with wormhole: Random placement
placement (NJOIN)
(NJOIN)
for
for 00 rnfs
m/s and
and group
group size
size isis 30.
30. We
We conclude
conclude that
that aa small
small number
number of of strategically
strategically placed adversaries
adversaries can
cause
cause considerable
considerable damage
damage when A-MAODV isis used.
when A-MAODV used.
For
For BSMR,
BSMR, strategic
strategic placement
placement results
results in
in aa slim
slim increase
increase inin the
the delivery
delivery ratio
ratio drop,
drop, when compared to
when compared to
the
the random
random placement
placement case.
case. For
For most
most simulated
simulated scenarios,
scenarios, the
the PDR
PDR drops
drops by
by less
less than
than 10%.
10%. The
The solid
solid
performance of
performance of BSMR
BSMR serves
serves as as proof
proof for
for the
the robustness
robustness ofof its
its approach.
approach.
d)d ) Impact
Impact of
ofExplicit
Explicit Join
Join and
and Join
Join Order:
Order: To Toanalyze
analyze the
the impact
impact of
of explicit
explicitjoin
join of
of adversaries
adversaries to
to the
the
multicast
multicastgroup
group (JOIN),
(JOIN), when compared to
when compared to the NJOIN case,
the NJOIN case, wewe look
look again
again at
at the
the cases
cases where
where adversaries
adversaries
are
arerandomly
randomly and and strategically
strategically placed (Figures 11
placed (Figures 11and
and 12,
12, respectively).
respectively). Eacn
Eacli figure
figure also
also shows
shows the
the ideal
ideal
(+A-MAODV +A-MAODV-rush -A- BSMR +BSMR-rush I
100 100
..- ..
'"(; 70 1 \ ,,: . e:.-o ..70+ \, ...,............................................................ :
'"
~
~
60
~
a: 60
~ ~
.~ 50 ~ 50
a; ~
C .OJ························ C 40
~ 3D
";;
~ 3D
~ 20
~
20 20
10 10 10
O+--~-~-~-~-~---i o +--~-_-_-_-_-----;
o0 2 3
Adversaries
4 5 6 7 0 2 3
•4 5 8 7 o0 2 3 4 5 6 7
Adversaries Adversanes
Adversaries
(a)
(a) 10
10 members;
members; 00 mls
mls (b) 10
(b) 10 members;
members; 22 m/s
d s (c) 10
(c) 10 members;
members; 55 m/s
d s
100... ··················· ..................................................................................• 100 ,... ,
...'Q'70
_80
- ..
~
o 70
-
".
~
..
70
~ 'Ii :;
60 a: 60 a: 60
~
~ 50
~ 50
~
.~ 50
~ a;
"
C 40 C .0 C .0
~ 0;
~ 30
";;
-ti 3D
" 30
:. 20
0.
~
20
~
20+························........ ··········· .
10 10 10
J
oo+---~-~-~-~-~----i o +---_-_-~-~-~-----; O+--~-~-~-~-_----i
o0 2 3 4 5 6 7
Adversaries
o0 2 3 4 5 6 7
• o0 2 3
Adversaries
4 5 6 7
(d)
(d) 30
30 members;
members; 00 mls
mls (e) 30
(e) 30 members;
members; 22 m/s
d s (f) 30 members;
(f) 30 members; 55 m/s
d s
...-"
~ 7DI'·,~····························
...0'- ..
70'·······~"""':· .... ··········
- ..
~
o 70+",''''··············································· :
1;
a: + (\;[..........,'.-" . :; ~
60 ~ .. i·····················""to,.[··~
..... a: 60
~ ~ ~
.~ 50 ~ 50 §: 50
a; a; ~
C 40 i········· "&:::::= "~,, ; C .0 C .0
0; 0; 0;
ti 30 tj 30 ~ 30
'" ~
~
~ : If----------r---~----,------i
0.
20 20
10 10 10
0 o +---_-_-_-_-_-----i
0 2 3 • 4 5 6 7 0 2 3 4 5 6 7 o0 2 3 4 5 6 7
Adversaries
Adversaries
(g)
(g) 50
50 members;
members; 00 mls
rnls (h) 50
(h) 50 members;
members; 22 m/s
d s (i) 50 members;
(i) 50 members; 55 m/s
d s
Fig.
Fig. 10:
10:Wormhole
Wormholeattack
attack and
and flood
flood rushing
rushing combined
combined with wormhole:Strategic
with wormhole: Strategicplacement
placement (NJOIN)
(NJOIN)
PDR
PDR (labeled
(labeled ideal),
ideal), which
which would
would be be obtained
obtained ifif everyone
every one of of the
the honest
honest group
group members
members wouldwould receive
receive
all
all the
the packets
packets sent
sent by
by the
the source.
source. The
The effectiveness
effectiveness ofof an
an attack
attack should
should be be interpreted
interpreted as as the
the difference
diflerence
between
between the the ideal
ideal line
line and
and aa protocol's
protocol's PDR
PDR line.
line. An
An attack
attack isis effective
effective ifif this
this difference
difference increases
increases asas the
the
number
number of of adversarial
adversarial nodes
nodes isis increased;
increased; On On the
the other
other hand,
hand, aa protocol
protocol resilient
resilient to
to attack
attack appears
appears as as aa
line
line that
that remains
remains parallel
parallel to
to the
the ideal
ideal line.
line.
In
In general,
general, forfor both
both random
random and and strategic
adversarial placement,
placement, thethe effect
effect ofof flood
flood rushing
rushing on on both
both
A-MAODV
A-MAODV and and BSMR
BSMR isis unnoticeable.
unnoticeable. However,
However, thethe reasons
reasons behind
behind the
the immunity
immunity to to flood
flood rushing
rushing areare
different:
different: BSMR
BSMR prevents
prevents flood
flood rushing
rushing attacks
attacks by
by using
using aa reliability
reliability metric
metric and and by
by processing
processing all all flood
flood
1 +LMAODV
+
±A-MAODV --R- A·MAODV-rush
A-MAODV-rush -A- 8SM
BSMRR '--l1li-
4- 8SM R·rush .-,-
BSMR-rush ..-.g
id;~
1DO 100;.;(;················································· , 100)(-·················································· ,
'0 9D 9D
._
' ; 70
so
.
_
i
so
70
:;
'" 50 '" 60
~ ~
.~ 50 .~ 50
;; ;;
C 40 C ..
;;
~ 3D g;; 30
~ 2D +.................... . 'T" 11.
20 20+···················································.....
10 10 10
o-l--~-~-~-~-~---i
0 o0 -I---_-~-~-~-~---i 0.J..---~-_-~-~-~-~
o0 1 4 6 8 1 0 10 1 122 o0 2 4 6 8 1 0 10 1 122 o0 2 4 6 8 1 0 10 1 122
Adversarles
Adversaries
(a)
(a) 10
10 members;
members; 00 mls
mls (b) 10
(b) 10 members;
members; 22 mls
d s (c) 10
(c) 10 members;
members; 55 mls
d s
100k--··-····-------········-·-·--··
_ DO
-;'" ,0 + ~~ .,_ "'.::::~;K

.
_ so
-; 7D + "''iiL ""'''''-. .=c±
.
_
-; 7D
so
+ "":....
:;'" 60 + l'P"'................... " ~ 50 +.................... . ,'8;" . :;
'" 50
~ ~ ~
.~ 50 .~ 50 .~ 50
;; ;; ;;
C .. t···················································· ¥:::,.;= . c 40+ " ' ..""'''''iii'J C 40
;; ;;
'ti 30 g 30
j 3D
~ 11. ~
20 20 2D
10 10 10
0.J..---~-~-_-~-~-~ 0.J..---_-~-~-~-~-~ o+--_-~-_-~-_-~

o0 2 4 6 8 1 0 10 1 122 o0 2 4 6 8 1 0 10 1 122 o0 2 4 6 68 1 0 10 1 122
Adversarles
Adversaries
(d)
(d) 30
30 members;
members; 00 mls
d s (e) 30
(e) 30 members;
members; 22 mls
d s (f) 30
(f) 30 members;
members; 55 mls
mls
_ so
o
~
'0 '"
0'
:;
70 o
:;
7D
'" 60 '" 50 '" 50

~
~
~
.~ 50 50 .~ 50
;; ~ ;;
C 40 C 40 C 40
;; ;; ;;
g 30 i3
~
30 i3 30
11. 11. ~
20+···················································· :
"
10
20
10 10
o-l---_-_-_-_-_---i o+--~-_-_-~-_--i o -1--_-_-_-~-~-~

o0 2 4 6 8 1 0 10 1 122 o0 2 4 6 8 1 0 10 1 122 o0 2 4 6 68 1 0 10 1 122
Adversaries
Adversaries
(g)
(g) 50
50 members;
members; 00 mls
mls (h) 50
(h) 50 members;
members; 22 mls
d s (i) 50
(i) 50 members;
members; 55 mls
d s
Fig.
Fig. II:
11:Wormhole
Wormhole attack
attack and
and flood
flood rushing
rushing combined
combined with wormhole: Random
with wormhole: Randomplacement (JOIN)
placement (JOIN)
duplicates,
duplicates, forwarding
forwarding thethe ones
ones with
with aa better
better metric.
metric. As
As already
already explained
explained in in Sec.
Sec. VI-C,
VI-C, A-MADDV's
A-MAODV's
immunity
immunity to to flood
flood rushing
rushing isis simply
simply an
an artefact
artefact that
that the
the adversarial
adversarial nodes
nodes join
join the
the multicast
multicast tree
tree before
before
the
the honest
honest nodes
nodes do.
do.
When
When adversaries
adversaries are
are placed
placed randomly
randomly (Fig.
(Fig. 11),
11), the
the impact
impact of
of the
the wormhole
wormhole attack
attack on
on A-MADDV
A-MAODV
isis significant
significant and
and increases
increases asas the
the number
number of of wormholes
wormholes increases.
increases. BSMR's
BSMR's delivery
delivery ratio
ratio line
line remains
remains
almost
almost parallel
parallel with
with the
the ideal
ideal line,
line, which
which means
means that
that little
little degradation
degradation occurs
occurs asas more
more adversaries
adversaries join
join
the
the multicast
multicast group.
group.
The
The devastating
devastating impact
impact of
of the
the wormhole
wormhole attack
attack on
on A-MADDV
A-MAODV becomesbecomes obvious
obvious when
when adversaries
adversaries are
are
1 +A-MAODV -B-A.MAODV-rush
I....,."...A-MAODV +A-MAODV-rush BSMR-rush .":: .~~ ideal
-A- BSMR -llll-BSMR-rush
-+-BSMR id~1 +
"oXC··················································· :
90 90 90
80
,.. 80 .0
o 70 -; 70 o 70
:; :; :;
'"
<:-
60 '" 60 '" .0
~ <:-
.~ 50 .:!: 50 .~ 50
Gi
c
~
m
40
30
.
Gi
c
ti
40
3D
Gi
c
M
m
40
30
~
Q.
20 + · · · · · · · · · · · · · · ·"""...... C""·····················................. ...f 20 1 c~-"lil,;;;;;;:..a,
Q.
20j "'1'!!!lo ~=~
"o+--~-~-~-~-~----i
0
" o+--~-~-~-~-~----;
" o+--~-~-~-~-~----i
o0 2 3 4 5 6 7 o0 2 3 4 5 6 7 o0 2 3 4 5 6 7
Adversaries
10 members; 0 m1s
(a) 10 d s (b) 10
(b) 10 members; 2 m1s
d s 10 members; 5 m/s
(c) 10 mls
90~····~. . ····""'·A-··~,,""c··:,·····················.·········f
_ 80
_80
o 70+\·················································· :: "lIII ~
o 70+ '\ ::= ::::m ~
~ 70
:; :;
'" 60+ \........................................................................................... f '" .0+ I'!l!: · ···.··· f
'" 80
<:- <:- <:-
.~ 50 .~ 50 .~ 50
.
Gi
c
ti
40+·····
3D
"'.............. ,
.
0;
c
tj
401·····································=····""""l'!l\;"'······
30
f
.
Gi
C
tj
40
30
+ .. e::;.;;=~"'................. f
~ ~ ~
20 20 20
"o+--~-~-~-~-~-----i
"o+--~-~-~-~-~----;
"o+--~-~-~-~-~----'
o0 2 3 4 5 6 7 o0 2 3 4 5 6 7 o0 2 3 4 5 6 7

Adversaries
d s
(d) 30 members; 0 m1s (e) 30 members; 2 m1s
(e) d s (f) 30 members; 5 m/s
(f) mls
100" 100~···;;::·······,······································ ········f
-X- -X-
90 -X- -X- 90
80 .0
~ ~
0 70 0 70 o 70
:; :;
~
~
80
'"~ .0 '" .0
~
.~ 50
,~
" .~ 50
Gi Gi
.
0;
c 40 C 40 C 40
a;
.
ti
Q.
30
20
~
~
30
20
M
Q.
30
20+··················································· ,
"0
"
101
0
, , , , , , "
101 ,
0.J..---~-~-~-~-~----i
0
, , , , ,
0 2 3 4 5 6 7 0 2 3 4 5 6 7 o0 2 3 4 5 6 7
(g) 50 members; 0 m1s

d s (h)
(h) 50 members; 2 m1s
d s d s
(i) 50 members; 5 m1s
12: Wormhole attack and flood rushing combined with wormhole:
Fig. 12: Strategic placement
wormhole: Strategic placement (JOIN)
strategically placed (Fig. 12).

12). When 7 adversaries are present, the difference between the ideal line and
A-MAODV's line increases by more than 60% at 0 mis, mls, for both group sizes of 30 and 50 (causing the
15-20%). BSMR is affected slightly more than when adversaries are randomly placed,
PDR to drop to 15-20%).
in all simulated scenarios the difference between the ideal line and BSMR's line does not grow more
but in,
than 8%, even in the presence of 7 adversaries. This validates the effectiveness
effectiveness of BSMR's strategy in
JOIN case a well.
the JOIN
~ A-MAODV-10 -S- A-MAODV-30 ~ A-MAODV-NJOIN -S- A-MAODV-JOIN
...... BSMR-10 ..... BSMR-30 ...... BSMR-NJOIN ..... BSMR-JOIN
250 160 - , - - - - - - - - - - - - - - - - - - ,
140 +................................................................ .........................::~I---~.
=go 200 'C

u 1120i.=::=:~t:=:::::::::::~r---""""=~ ...
-3l
.l!l 150
~
-
~
100
r4 ..-::=:::.~~:::=~~----~---f
u
ell
Q. g
-9: 80 \ ..
- 100
-g -g 60
QI QI
..c
of 40
~ 50~~,...4~--~ ~
o
20
O+-------,------r------,-----------i
0
o0 I 2 5 10
0 0
0+--------,-----,--------,---------1
o
0 2 5 10
I0 20
Speed (m/s)
Speed (rnls) Adversaries
Adversaries
(a) Non-adversarial scenario (group

(a) (group size
size E {1O,
{10,30))
30}) (b) Attack Scenario
(b) size = 30, 2m/s,
Scenario (group size 2m/s, strategic
strategic placement)
placement) =
13: BSMR overhead
Fig. 13:
E. Protocol Overhead
E.
first compare the overhead incurred by A-MAODV and BSMR in a non-adversarial scenario
We first
(Fig. 13(a)), 10 and 30, under different levels of mobility.
13(a)), for group sizes of 10 mobility. BSMR has higher overhead
because both route request and route reply are broadcast, and because of the extra MRATE packets
broadcast periodically. flooding in the route discovery phase becomes
periodically. BSMR's overhead due to double flooding
mobility, when link breaks occur more often.
more noticeable especially at higher levels of mobility,
We then compare the overhead under adversarial conditions. In Fig. l3(b) 13(b) we focus
focus on one of the
scenarios: Black hole with strategic adversarial placement. For the NJOIN case,
strongest studied attack scenarios:
BSMR's additional overhead compared to A-MAODV grows slowly as the number of adversaries increases
(from 40 more packetslsec. adversaries to 55 more packetslsec.
packets/sec. for 0 adversaries packets/sec. for 20 adversaries). For the JOIN
case, the additional overhead does not grow as we increase the number of adversaries. This indicates
that as the number of adversaries increases, BSMR incurs little extra overhead over the non-adversarial
case. This is not surprising: the bulk of the additional overhead is caused by the initial route discovery
phase which leads to the creation of the multicast tree with avoidance of adversaries; Afterwards, BSMR's
additional overhead consists only of periodical MRATE packets and of occasional route discovery in case
a link breaks due to mobility.
mobility.
CONCLUSION
VII. CONCLUSION
In this paper we have discussed several aspects that make designing attack-resilient multicast routing
networks more challenging when compared to their unicast counterpart.
protocols for multi-hop wireless networks
solutions tailored for
A more complex trust model and underlying structure for the routing protocol make solutions
unicast settings not applicable for multicast protocols. In the absence of defense mechanisms, Byzantine
attacks can prevent multicast protocols to achieve their design goals.
We have proposed BSMR, a routing protocol which relies on novel general mechanisms to mitigate
attacks. BSMR identifies
Byzantine attacks. identifies and avoids
avoids adversarial links based on a reliability metric associated
adversarial behavior. Our experimental results show that BSMR's
with each link and capturing adversarial BSNLR's strategy is
effective against strong insider attacks such as black holes and flood rushing. We believe that this strategy
can also be effective against wormhole attacks and defer the experimental validation for future work.
ACKNOWLEDGEMENTS
ACKNOWLEDGEMENTS
The first author would like to thank R5zvan Mus5loiu-E. for fruitful "copy-room"
Razvan Musaloiu-E. "copy-room" discussions in the
early stages of this work. This work is supported by National Science Foundation CyberTrust Award No.
0545949. The views expressed in this research are not endorsed by the National Science Foundation.
REFERENCES
Y B. KO
[I] Y.
[1] Ko and N. H. Vaidya,
Yaidya, "Flooding-based
"Flooding-based geocasting protocols for mobile ad hoc networks,"
networks," Mob. Netw.
Netw. Appl., vol. 7, no. 6,
6 , pp.
47 1 4 8 0 , 2002.
471-480,
[2]
[2] R. Chandra, V. Ramasubramanian, and K. Binnan, "Anonymous gossip:
K. Birman, gossip: Improving multicast reliability in mobile ad-hoc networks," in
Proc. of
of ICDCS,
ICDCS, 2001.
[3] Y-B. KO
[3] Y.-B. Ko and N. H. Vaidya,
Yaidya, "GeoTORA: a protocol for geocasting in mobile ad hoc networks,"
networks," in Proc. of of ICNP. IEEE Computer
Society, 2000, p. 240.
[4] E. L. Madruga and J. J. Garcia-Luna-Aceves,
[4] Garcia-Luna-Aceves, "Scalable multicasting:
multicasting: the core-assisted mesh protocol,"
protocol," Mob. Netw.
Netw. Appl., vol. 6, no. 2,
pp. 151-165,
151-165, 2001.
[5]
[5] S.S. J. Lee, W. Su, and M. Gerla,Geria, "On-demand
"On-demand multicast routing protocol in multihop wireless mobile networks," networks," Mob. Netw.
Netw. Appl.,
vol. 7, no. 6, pp. 441-453, 2002.
[6]
[6] E. Royer and C. Perkins, "Multicast
"Multicast ad-hoc on-demand distance vector (MAODY) routing," in Internet Draft, July 2000.
(MAODV) routing,"
[7]
[7] J. G. Jetcheva and D. B. Johnson, "Adaptive demand-driven multicast routing in multi-hop wireless ad hoc networks." in Proc. of of
MobiHoc, 2001, pp. 33-44. 3344.
[8] L. Lamport, R. Shostak, and M. Pease, ''The
[8] "The Byzantine generals problem,"
problem," in Advances in Ultra-Dependable Distributed Systems.
IEEE Computer Society Press, 1995. 1995. [Online]. Available:
Available: citeseer.nj.nec.comllamport82byzantine.html
citeseer.nj.nec.comhmport82byzantine.html
[9]
[9] P. Papadimitratos and Z. Haas, "Secure routing for mobile ad hoc networks,"networks," in Proc. of of CNDS,
CNDS, January 2002, pp. 27-31.27-31.
[10] Y-C. Hu, D. B. Johnson, and A. Perrig, "SEAD: Secure efficient distance vector routing for mobile wireless ad hoc networks,"
[lo] Y.-C. networks," in
Proc.
Proc. of WMCSA, June 2002.
of WMCSA,
[II] Y-c. Hu, A. Perrig, and D. B. Johnson, "Ariadne: A secure on-demand routing protocol for ad hoc networks,"
[I I ] Y.-C. networks," in Proc. of of MOBICOM,
September 2002.
[12]
[I21 K. K. Sanzgiri,
Sanzgiri, B. Dahill, B. N. Levine, C. Shields,
Shields, and E. Belding-Royer, "A secure routing protocol for ad hoc networks,"
networks," in Proc. ofof
ICNP, November 2002.
[13] S.S. Marti, T. Giuli, K. Lai, and M. Baker, "Mitigating
"Mitigating routing misbehavior in mobile ad hoc networks,"
networks," in Proc.
Proc. of
of MOBICOM, August
2000.
[14]
[I41 P. Papadimitratos and Z. Haas, "Secure data transmission in mobile ad hoc networks," networks," in Proc. ofof WiSe, 41-50.
Wise, 2003, pp. 41-50.
[15]
[I51 B. Awerbuch, D. Holmer, C. Nita-Rotaru, and H. Rubens, "An on-demand secure routing protocol resilient to byzantine failures," failures," in
Proc. of WiSe'02.
of WiSe '02. ACM Press, 2002.
[16] B. Awerbuch, R. Curtmola, D. Holmer, C. Nita-Rotaru, and H. Rubens, "On the survivability of routing protocols in ad hoc wireless
networks," in Proc. of of SecureComm'05. IEEE, 2005.
[17]
[I71 S.S. Roy, V. G. G. Addada, S. S. Setia, and S. Jajodia, "Securing MAODY:
MAODV: Attacks and countermeasures,"
countermeasures," in Proc.
Proc. 2nd IEEE Int'l. Con!
Con$
SECON. IEEE, 2005.
[18]
[I81 C. Zhang, B. DeCleene, J. Kurose, and D. Towsley, Towsley, "Comparison
"Comparison of inter-area rekeying algorithms for secure wireless group
communications," Pelform.
communications," Perform. Eval., vol. 49, no. 1-4, 2002.
[I91 K. H. Rhee, Y. H. Park, and G. Tsudik, "An architecture for key management in hierarchical mobile ad hoc networks,"
[19] networks," Journal of of
Communication and Networks,
Communication Networks, vol. 6, no. 2, June 2004.
[20] Y.-C.
Y-c. Hu, A. Perrig, and D. B. Johnson, "Rushing attacks and defense in wireless ad hoc network routing protocols," in Proc. of of WiSe.
Wise.
ACM,
ACM,2003.2003.
[21]
[21] - -, - , "Packet
"Packet leashes: A defense against wormhole attacks in wireless ad hoc networks,"
networks," in Proc. of INFOCOM, April 2003.
of INFOCOM,
[22] J. Eriksson, S. S. Krishnamurthy, and M. Faloutsos, ''Truelink:
"Truelink: A practical countermeasure to the wormhole attack in wireless networks,"
networks,"
in Proc. of of lCNP'06.
ICNP'06. IEEE, 2006.
[23] L. Hu and D. Evans, "Using
[23] "Using directional antennas to prevent wormhole attacks,"
attacks," in Proc. ofof NDSS, 2004.
[24]
[24] D. Bruschi and E. Rosti, "Secure multicast in wireless networks of mobile hosts: protocols and issues," issues," Mobile Networks and
Applications, vol. 7, no. 6, pp. 503-511,
503-511, 2002.
[25] T. Kaya, G.
[25] G. Lin, G. Noubir, and A. Yilmaz, "Secure multicast groups on ad hoc networks,"
networks," in Proc. of of SASN'03.
SASN'03. ACM Press, 2003,
pp. 94102.
pp.94-102.
[26] S. S. Zhu, S. S. Setia, S.
S. Xu, and S.S. Jajodia, "Gkmpan: An efficient group rekeying scheme for secure multicast in ad-hoc networks," networks," in
Proc. ofof Mobiquitos'04. IEEE, 2004, pp. 42-51. 42-51.
[27] L. L. Lazos and R. Poovendran, "Power proximity based key management for secure multicast in ad hoc networks," networks," 2005, aCM Journal
on Wireless Networks (WINET).
[28] R. Balachandran, B. Ramamurthy, X. Zou, and N. Vinodchandran, Yinodchandran, "CRTDH: an efficient key agreement scheme for secure group
communications in wireless ad hoc networks,"
networks," in Proc. of
of lCC
ICC 2005, vol.
vol. 2, 2005, pp. 1123-
1123- 1127.
(29]
[29] S.
S. Banerjee, S. Lee, B. Bhattacharjee, and A. Srinivasan, "Resilient overlays," SIGMETRICS Peflorm.
"Resilient multicast using overlays," Peiform. Eval.
Eva!. Rev.,
vol. 31, no. 1,
I, pp. 102-113,
102-1 13, 2003.
[30] V. Pappas, B. Zhang, A. Terzis, and L. Zhang, "Fault-tolerant
(30] networks," in Proc. of
"Fault-tolerant data delivery for multicast overlay networks," of ICDCS '04,
'04,
2004, pp. 670-679.
(31] L. Xie and S.
[31] S. Zhu, "Message dropping attacks in overlay networks: Attack detection and attacker identification,"
identification," in Proc. SecureComm
'06. IEEE and Create-NET, 2006.
'06.
[32] R. Curtmola and C. Nita-Rotaru, "Secure multicast routing in wireless networks,"
(32] networks," to be published in ACM M MC C2~R,R 2006,
, www.cs.jhu.
edu/crix/publications/mc2r.pdf.
edu/crix/publications/mc2r.pdf.
[33] K. Tang, K. Obraczka, S.-J. Lee, and M. Gerla, "A reliable, congestion-controlled
(33] congestion-controlled multicast transport protocol in multimedia multi-hop
networks," in Proc. of
networks," of IEEE WPMC'02,
WPMC'02, 2002.
(34]
[34] A. Perrig, R. Canetti, D. Song, and J. D. Tygar,
Tygar, "Efficient and secure source authentication for multicast," Proc. of
multicast," in Proc. of NDSS'OI, 2001.
[35] "The network simulator - ns2,"
(35] ns2," http://www.isi.edu/nsnarn/ns/. [Online]. Available: http://www.isi.edu/nsnam/ns/
http://www.isi.edu/nsnarn/ns/. (Online].
[36] Y. Zhu and T. Kunz, "MADDY
(36] "MAODV implementation for NS-2.26," Carleton University, Technical Report SCE-04-01.
[37] R. L. Rivest, A. Shamir, and L. M. Adleman, "A
(37] cryptosyatems," Communications
"A method for obtaining digital signatures and public-key cryptosy-stems,"
of the ACM, vol. 21, no. 2, pp. 120-126,
of 120-126, 1978.
1978.
[38] Advanced
(38] Advanced Encryption Standard (AES).
(AES). National Institute for Standards
Standards and Technology (NIST), 2001, no. FIPS 197. 197.
(39]
[39] The
The Keyed-Hash Message Authentication Code (HMAC). (HMAC). NIST, 2002, no. FIPS 198. 198.
[40] J. Yoon, M. Liu, and B. Noble, "Random waypoint considered harmful,"
(40] harmful," in Proc. of
of INFOCOM '03,2003.
'03, 2003.

BSMR - Byzantine-Resilient Secure Multicast Routing in Multi-Hop

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BSMR - Byzantine-Resilient Secure Multicast Routing in Multi-Hop

Uploaded by

Copyright:

Available Formats

Purdue University

BSMR: Byzantine-Resilient Secure Multicast

(a) Black hole: 6 adversaries (b) Wormhole: 7 adversaries

o-l-----_---_------i o-l-----_---_-----i o-l-----~---_------i

a. 20 j..................... .'.. ,=:=::::=:::~~~-4J r:. 20+ I =~=='P 38.

o+----~---~------i o+----~---~-----i O---_---~--~

(g) 50 members; 0 m1s

(d) 30 honest members; 0 mls

(g) 50 honest members; 0 mls

(d) 30 honest members; 0 rn/s

(g) 50 honest members; 0 m/s m/s

because, by rushing control packets,

100 100 ---~-~----------l '00

-;'" ,0 + ~~ .,_ "'.::::~;K

0.J..---~-~-_-~-~-~ 0.J..---_-~-~-~-~-~ o+--_-~-_-~-_-~

'" 60 '" 50 '" 50

o-l---_-_-_-_-_---i o+--~-_-_-~-_--i o -1--_-_-_-~-~-~

Adversaries Adversaries Adversaries

Adversaries Adversaries Adversaries

(g) 50 members; 0 m1s

strategically placed (Fig. 12).

140 +................................................................ .........................::~I---~.

=go 200 'C

(a) Non-adversarial scenario (group

You might also like