Techniques For Detection & Avoidance Of Wormhole Attack In Wireless Ad Hoc Networks

Techniques For Detection & Avoidance Of Wormhole Attack In Wireless Ad Hoc Networks

Shaishav Shap, Prof. Aanchal Jain2

1 Parul Institute of Engineering and Technology, Vadodara, Gujarat, India

2 Department of Information and Technology, Parul Institute of Engineering and Technology, Vadodara, Gujarat, India

Abstract: A Wireless Networks due to their open nature has different set of attacks than Wired Networks and thereby, requires different steps to counter these attacks as compared to that in conventional networks. One such attack in wireless ad hoc networks is Wormhole Attack. In this Attack, wireless transmissions are recorded at one location and replayed them at another location thereby creating virtual tunnel in a network which is controlled by attacker. This attack can be mounted on wide range wireless ad hoc networks without compromising any cryptographic quantity over network. Thus it is one of the most sophisticated and severe attack and is particularly challenging to defend against. This Paper focuses on threat that wormhole attack possesses on network and also mentions few of the initiatives with their respective specifications to solve the problem.

Keywords:

Wireless Ad hoc Network, Security Attacks, Wormhole attack, Types of Wormhole Attack.

1. Introduction

   Today devices like mobiles, laptops, PDAs and many others which have high level of mobility are increasingly becoming common and with that wireless technologies are also becoming popular. Wireless networks not only provide its user ease of use but also provides ability to move freely while connected to network. Wireless network can be divided into two types one is Infrastructure based

   network and another is Ad hoc network. In Infrastructure based network each user needs to communicate with an access points or base stations whereas, Ad hoc wireless network consists of (usually mobile and wireless) nodes that create and maintain their intercommunication links without the help of a pre-existing infrastructure. Ad hoc network as discussed in [1] is adaptive in nature and self organizing. Lack of infrastructure in ad hoc network means a lack of central entities such as fixed routers, name servers, etc. Thus they can be set up urgently because they dont need any fixed infrastructure. Due to above mentioned characteristics, Wireless Ad hoc networks can be used as Environmental control behavior, Health care systems, Search and rescue operation, Battlefield operations and many more.

   Since Ad hoc networks can be deployed any time anywhere for communication of important information, so security considerations of this information is an important aspect. Security in Ad hoc networks are difficult because links between nodes are unreliable as well as their network topology is dynamic. Also parties involved in a communication across a network might not have any common history, which complicates the provision of services requiring trust or continuity. Moreover wireless network is more susceptible to attacks ranging from passive eavesdropping to active interfering. This is due to lack of any online Certificate Authority(CA) or Trusted Third Party and also due to devices that are forming network are often small and portable, with a limited battery-life which tend to have limited power consumption and computation capabilities. These make it more vulnerable to Denial of Service attacks and incapable

   to execute computation-heavy algorithms like public key algorithms.

   As Discussed in [2], Requirements to security of Ad hoc network are discussed as follows:

   • Confidentiality: It refers to limiting information access and disclosure to authorized users. In Ad hoc network, this is more difficult to achieve because intermediates nodes (as they also act as routers) receive the packets for other recipients, so they can easily eavesdrop the information being routed.

   • Availability: It assures that the services of the system are available to any authorized users as when they require.

   • Integrity: It guarantees that a message being transferred over network is delivered to its intended user without any modification.

   • Authenticity: Enables a node to safeguard the characteristics of the peer node it is communicating, without which an attacker would duplicate a node, thus attaining unauthorized admission to resource and sensitive information and snooping with operation of other nodes.

   • Non-repudiation: It ensures that the information originator cannot deny of having sent the message. It also ensures that information receiver cannot deny of receiving the message. Non-repudiation is useful for detection and isolation of compromised nodes.

2. Security Attacks

   Any Action that compromises the security of information is called Security Attack. As per [3] attacks in Ad hoc networks can be classified into two major categories, namely passive attacks and active attacks. A passive attack involves illegal access to data exchanged in the network without affecting the operation of the communications, while an active attack involves information interruption, modification, or fabrication and thereby disrupting operation of network. Examples of passive attacks are Release of Message Contents, traffic analysis, and traffic monitoring. Examples of active attacks include impersonating, modification, denial of service (DoS), and message replay.

   The attacks can also be classified into two categories, namely external attacks and internal attacks, according the domain of the attacks. Some papers refer to outsider and insider attacks. External attacks are carried out by nodes that do not belong to the domain of the network. Internal attacks are from compromised nodes, which are actually part of the network. Internal attacks are more severe when compared with outside attacks since the insider knows valuable and secret information, and possesses privileged access rights.

   Authors of [4] have given Schematics of various attacks in Ad hoc network as described on individual layer are as under:

   • Application Layer: Malicious code, Repudiation.

   • Transport Layer: Session hijacking, Flooding.

   • Network Layer: Sybil, Flooding, Black Hole, Grey Hole. Worm Hole, Link Spoofing, Link Withholding, Location disclosure etc.

   • Data Link/MAC: Malicious Behavior, Selfish Behavior, Active, Passive, Internal External.

   • Physical: Interference, Traffic Jamming, Eavesdropping.

3. Wormhole Attack

   Wormhole attack [6][7][8][9][11][14][16][18][19] is one of the most severe security threats in ad-hoc network. It is a special kind of attack, which can result in severe damage to the functions and structures of Ad hoc networks. In Wormhole Attack, two or more colluding attackers record packets at one location, and tunnel them to another location for a replay at that remote location which gives two distant nodes the illusion that they are close to each other.

   Let us consider a multi-hop Ad hoc network irrespective of whether nodes in network are mobile or static as shown in figure 1. In this figure circle represents a node or a user of network whereas line between two nodes represents the connection between them. Let, node 2 wants to send message to node 9. But before transferring message, source will have to decide a path to send message using Predefined Routing Protocols which may be Reactive or Proactive in nature. If node 2 had already maintained a routing table (i.e. proactive routing) then it will have routin information of each and

   every node in network which will be used to send message to destination but if node 2 uses reactive routing protocol then it will not have any routing table so it needs to find routing information before transmitting message. In Reactive routing protocol sender broadcasts a Route Request (RREQ) message to its immediate (one-hop) neighbors in network. All nodes that receive route request message will check whether RREQ is intended for itself and if not then it will rebroadcast RREQ message after appending its node identity in message and when request message is received by destination it will unicast route reply message with route information to sender through same route from which request message had arrived to node. Most routing Protocols decide path that is optimal (shortest) because of nodes in ad hoc network have limited power and bandwidth. Therefore we can say the node 2 will send the message through the path 2-5-6-8-9. The intermediate nodes in ad hoc network act as routers that send the message to destination.

   Figure 1 Wormhole Attack in Ad hoc network Now let us consider that ad hoc network

   mentioned above is under wormhole attack. Let us consider that two attackers are placed in vicinity (range) of node 2 and node 9. Both of these attackers are connected with each other through a high speed bus. It is possible that attacker may not be part of network but still it can overhear message transmitted by node in whose range it lies, due to open nature of ad hoc network that uses air as transmitting medium. Whenever any of attackers receives message transmitted by nodes on whose vicinities attacker lies, it replays message to other attacker in network which would again transmit that message to node

   where it lies. Thus nodes where attackers lies i.e. node 2 and node 9 are made to believe that both of them are connected to each other directly. Thus a fake link is created in a network i.e. between node 2 and node 9. Thus we can say that attackers in wormhole attack creates fake or false link. Due to this fake link now node 2 will send message to node 9 directly through wormhole tunnel. Thus out path now becomes 2-9. All routes in network that had to pass through 2-5-6-8-9 are now replaced by 2-9. Thus large numbers of messages in network are now directed through wormhole.

   So now a question arises that how this attack is dangerous. As wormhole tunnel created saves time by cutting long routes to smaller routes as well as reduces traffic of over all network by providing high speed link and thus connecting the network efficiently. Answer is wormhole puts the attacker in a very powerful position relative to other nodes in the network, and therefore attacker could exploit this position in a variety of ways. Attacker can misuse this fake link to store all message passing through it which can be used to analyze content thereby bypassing confidentiality and authenticity, even if the attacker has no cryptographic keys. Attacker can also choose to selectively drop or modify the message of any node at any time thus affecting availability and integrity factors of security. Thus Wormhole attack is stepping stone for more attacks like congestion, packet loss, eavesdropping, spoofing and so on.

4. Types of Wormhole Attack

   According to [7][8] wormhole attacks can be divided into two types 1) In-band wormhole 2) Out-of-band wormhole attack. An In-band wormhole does not use an external communication medium to develop the link between the colluding nodes but instead develops a covert overlay tunnel over the existing wireless medium Whereas in Out-of-band wormhole, the colluder nodes establish a direct link between the two end-points of the wormhole tunnel in the network. This link is established using a wired link or a long-range wireless transmission as shown in figure 1. An in-band wormhole can be a preferred choice of attackers and can be potentially more harmful as it does not require any additional hardware infrastructure and consumes existing communication medium capacity for routing the

   tunneled traffic. In-band wormholes are further divided into extended in-band wormhole and self- contained in-band wormhole.

   Figure 2 Self-Contained In-band Wormhole Attack In a Self-contained wormhole, Attack is limited

   to self colluding nodes. Example of such a wormhole is shown in figure 2. Nodes 2 and 9 create an illusion of being neighbors by sending false routing advertisements of a 1-hop symmetric link between the two nodes without the actual exchange of RREQ messages. This false link information thus undermines the shortest path routing calculations attracting many end-to-end flows by advertising incorrect shortest paths. The attracted traffic is then forwarded through a tunnel with the help of a third colluder node, node 6. This colluder node acts as an application-layer relay for wormhole traffic between wormhole endpoints.

   Figure 3 Extended In-band Wormhole Attack

   An extended wormhole creates a wormhole that extends beyond the attackers forming the tunnel endpoints. Figure 3 presents an example of an extended wormhole. The attacker nodes 2 and 9 forming the tunnel endpoints capture RREQ

   messages from nodes 3 and 10 and forward them through the relay node 6 to pass through the tunnel to the other end. All subsequent data messages are forwarded in a similar fashion. This results in a false link between nodes 3 and 10 extending the wormhole beyond the endpoint nodes 2 and 9.

   Two different types of wormhole attacks have been discussed in the [9]: hidden wormhole attack and exposed wormhole attack. Hidden wormhole attack is the conventional wormhole attack in which the adversary records and replays packets. This attack can be easily mounted using only hardware introduced by the attacker and without compromising any hosts in the network. Thus, it is more challenging to be detected. In Exposed wormhole attack two end points are two compromised hosts. Then the adversary builds a virtual tunnel between the two compromised nodes. To defend against exposed wormhole attacks, several secure routing protocols have been proposed for wireless ad hoc networks.

   1. Metrics for distinguishing wormholes

      To distinguish between different wormholes we need to have factors through which we can judge effect of a wormhole tunnel on a network.

      • Strength: The effectiveness of a wormhole attack is based on the amount of traffic that can be attracted by a wormhole. The larger the amount of attracted traffic, stronger can be the wormhole attack on the network traffic. We define the strength as the number of end-to-end paths passing through the wormhole tunnel.

      • Difference between the advertised and actual path length: Another metric for a wormhole attack is the difference in the advertised path length and the actual path length. For instance, in Figure 1 the advertised path from nodes 2 to

        9 are directly linked through wormhole link, thus advertising a path length of 1 hop. However, the actual path from 2 to 9 passes through the nodes 2, 5, 6, 8 and 9, making the actual path of length 4 hops. This metric is used for the purpose of detection of the wormhole.

      • Attraction: This metric refers to the decrease in the path length offered by the wormhole. For instance, in Figure 1, before the wormhole attack, the path from node 2 to node 9 might pass through the nodes 5, 6, and 8. After the

        wormhole attack, the path passes through the nodes 2 and 9, decreasing the path length by 3 hops.

      • Robustness: Robustness of a wormhole refers to the ability of the wormhole to persist without significant decrease in the strength even in the presence of minor topology changes in the network.

5. Detection & Avoidance of Wormhole Attack

   The attacker in Wormhole attack is invisible at higher layers; unlike a malicious node in a routing protocol, which can often easily be named, the presence of the wormhole and the two colluding attackers at either endpoint of the wormhole are not visible in the route. Thus it is very difficult to detect let alone to avoid wormhole attack in network. In this section we will give short overview of existing work. According to [10], we can classify protocols for wormhole detection based on the approach they rely upon.

   1. Location based approaches

      This have the best ability to secure the neighborhood if the locations of nodes are securely exchanged and the general transmission range is known. In these approaches, a sender and receiver that know their own node-locations will securely exchange their location information. Then, in order to detect whether a wormhole connects them, the nodes will determine the distance between them by counting number of hops. Authors of [6], suggested the use of geographical leashes to detect wormholes. A leash is any information that is added to a packet designed to restrict the packets maximum allowed transmission distance. A geographical leash ensures that the recipient of the packet is within a certain distance from the sender. To construct a geographical leash, in general, each node must know its own location, and all nodes must have loosely synchronized clocks. When sending a packet, the sending node includes in the packet its own location, and the time at which it sent the packet and when packet is received, the receiving node compares these values to its own location, and the time at which it received the packet. If the clocks of the sender and receiver are synchronized to within some threshold then the

      receiver can compute an upper bound on the distance between the sender and itself by using upper bound value of velocity of nodes. In [9] end-to-end wormhole detection is proposed. In this mechanism, the source node estimates the minimum hop count to the destination node based on geographic information of the two end hosts. For a received route, the source compares the hop count value received from the reply packet with this estimated value. If the received value is less than that estimated, the corresponding route is marked as if a wormhole exists. Then, the source launches wormhole TRACING in which the two end points of the wormhole will be identified in a small area provided that there are multi-paths exist between the source and destination. Finally, a normal route is selected for the data communication. Location based protocols usually require the nodes to be equipped with GPS or employ some other positioning technology. The problems with this approach are the need for having the hardware and/or infrastructure in place to accurately determine the positions of nodes and the fact that many positioning schemes may still not provide the required location accuracy in all environments (e.g., indoor and urban areas).

   2. Time-based approaches

      They in general, are based on accurate time measurements or require the nodes to have tightly synchronized clocks. In [5][6], Hu et al have given another packet leash called temporal. This method requires extremely accurate synchronized clocks which are used to bound propagation time of packets. This level of time synchronization can be achieved with some off-the-shelf hardware based on LORAN- C, WWVB, GPS, or on-chip atomic clocks. Thus General requirement for time synchronization is a restriction on the applicability of temporal leashes. Indeed Time-based approaches work best with in- band wormholes because in an in-band wormhole a noticeable delay for the traffic that passes through it is caused. In [11], the authors proposed a transmission time based mechanism (TTM) to detect wormholes. This Technique tries to detect wormhole during route setup procedure by calculating the transmission time between each two successive nodes along the established route. A wormhole will be identified based on the fact that transmission time between two wormhole nodes is considerably higher

      than that between two legitimate successive nodes. Though Time based protocols have advantages of providing simplicity, low computation overhead and the high effectiveness of the proposed mechanism. But still they require some approximations as the node that is in charge of detection has to account for the processing and propagation delay times. Moreover, in ad hoc networks, the underlying protocol may also cause some unpredictable delays during transmission of messages. More importantly, these protocols are not capable of detecting out-of- band physical layer wormholes because a packet suffers only the propagation delay which could be contained by for wormholes using high-speed links.

   3. Distance bounding approaches

      They use estimates of the physical distance between purported neighbors to ensure that such a distance is not longer than the maximum allowable distance (e.g., by using the farthest distance reachable by a node operating at its maximum transmission power). Many techniques have been used to estimate the distance between the nodes. Many Distance Bounding (DB) protocols estimate the distance to a potential neighbor by measuring the signal round-trip time and multiplying it by the signal propagation speed (speed of light) [12]. There is approach that use directional antennas to detect wormhole as discussed in [13], which makes the assumption of the unit disk model, the availability of antennas with an even number of non-overlapping zones, and the ability to have zones identically oriented for all nodes (e.g., using a compass). If two nodes are indeed neighbors, a message sent over some zone zi should be received at the opposite zone i. Information (cryptographically protected) on the used zone is included in messages to detect wormhole. For increased protection, information can be exchanged among multiple nodes. This would ensure physical ND against at most two external adversaries. This approachs applicability is limited, as devices in many typical mobile computing scenarios use omni- directional antennas. A Similar approach that uses ultrasound technique has been proposed in [15]. The protocol begins when the sender node sends a packet containing a nonce to the receiver using RF antenna. Then receiver immediately echoes the packet back to the sender using ultrasound. The sender node can

      then calculate how long it should take to hear the echo, namely, the sum of the time it takes to reach using RF, plus the time it takes for a return packet to go from receiver to sender using ultrasound. But as discussed in protocol that uses directional antenna, this protocol too requires special hardware which cannot be used commonly in all application areas. A secure neighbor verification protocol for wireless sensor networks is proposed in [14]. In this protocol, each node estimates its distance to the other nodes it can communicate with through a single hop. Then, nodes exchange information about their estimates. Next, a series of simple geometric tests is run by each node over the local neighborhood view it has obtained, in order to detect topology distortions created by wormhole attacks. Only those nodes that successfully pass the tests are verified to be actual communication neighbors. This protocol requires each node to be equipped with a microsecond precision clock and two network interfaces: a radio- frequency and an acoustic interface. These protocols cannot be easily applicable to any ad hoc network because they add expense, complexity, and need for special customization. Moreover, some of these protocols have their own specific weakness (e.g., uncertainty in location and varying propagation conditions) and cannot always ensure the detection of wormholes. Also it is sometimes possible for the attacker to use adversarial nodes that are equipped with the same hardware used by the network nodes to deceive a detection protocol.

      Protocols that do not rely on location, timing, or tight synchronization can be further classified into centralized and distributed approaches.

   4. Centralized approaches

      Centralized approaches rely on gathering and rocessing of information at a central entity. Authors of [16] presented a graph theoretic framework which is used to prevent wormhole attacks. The protocol assumes the existence of special-purpose guard nodes that know their correct locations, have higher transmit power and have different antenna characteristics. Use of such special purpose guard nodes makes this approach impractical. In [17] a scheme to detect wormhole attacks based on statistical analysis is presented. It is based on the

      observation that certain statistics of the discovered routes by routing protocols will change dramatically under wormhole attacks. Hence, it is possible to examine such statistics to detect this type of routing attacks and pinpoint the attackers if enough routing information is available. Local connectivity information was used in [18] to detect wormholes. The detection algorithm essentially looks for forbidden substructures in the connectivity graphs that should not be present in a legal connectivity graph (without any wormhole). Requirement of this approach is that network must be dense to avoid any false alarm. A selective wormhole establishing only one or few fake links would be less likely to create a forbidden structure. And also there is probability that this scheme might reject links which may not be wormhole link. Also for Ad hoc networks that are distributed in nature, centralized approach are very slow and not so strong.

   5. Decentralized approaches

      Decentralized or distributed approaches consist of nodes that exchange information such as node degrees or the list of one-hop and/or two-hop neighbors. Based on the collected information, the existence or not of a wormhole is determined. In general, the information should always be locally collected and/or disseminated, that is between a node and its one or at most two-hop neighbors. In [19], an approach is proposed that makes assumption that the wormhole will significantly increase the number of one-hop neighbors. Nodes are assumed to be uniformly and densely deployed with no links changed or added. Each node will count the number of nodes that are two-hops away and the idea is that this number grows under a wormhole attack. In [10], an approach called SECUND that uses hop count discrepancies to find secure neighbors to each node is proposed. Here, each node has its one hop neighbor information as well as shares this information to its one hop neighbors and then that node verify whether node in its neighbor list is its true neighbor or is fake neighbor. If a node finds any node that is not really its neighbor it would remove all links between them. Though SECUND has given excellent result in detection of wormhole but still it can give few false alarms (if threshold factor chosen is small) and thus can sometime eliminate few legal links. From all

      above approaches, distributed approaches are considered best, though they can provide restriction in network with very high load or network with low load capacity.

6. Conclusion & Future Work

In this paper we have describe the wormhole attack with its different type in details. We have also discussed the threats that this attack presents briefly and overviewed various methods used to eliminate or at least minimize effect of this attack. In this type of attacks many solution have been suggested that can be used in network. All these solution have their own pros and cons. Disadvantage are in form of requirements (which can either be impractical, costly or else affecting other parameters of ad hoc network like mobility or decentralization) or their effect on overall performance (by increasing load on network). Its very necessary to further scrutinize effect of this attack to contain the danger that this attack posses. Moreover, it can also help to design a new and more powerful wormhole attack countermeasure.

References

1. Bing Wu, Jainmin Chen, Jie Wu, Mihelia Cardie : A survey of Attacks and Counter Measures in Mobile Adhoc Networks Wireless/Mobile Network security, Springer (2006)

2. Richa Agrawal, Rajeev Tripathi, Sudarshan Tiwari: Performance Comparison of AODV and DYNO MANET Protocols under Wormhole Attack Environment International Journal of Computer Applications (IJCA), Vol. 44- No 9, 2012.

3. M. Ilyas, The Handbook Of Ad-Hoc Wireless Networks CRC Press, 2003.

4. Pallavi Khatri , Sarita Bhadoria, and Mamta Narwariya: A Survey on Security issues in Mobile ADHOC networks TECHNIA International Journal of Computing Science and Communication Technologies, VOL. 2, NO. 1, July 2009.

5. Y.C.Hu, A.Perrig and D.Johnson: Packet leashes: a defense against wormhole attacks in wireless networks, in INFOCOM, 2003.

6. Yih-Chun Hu, Adrian Perig, David B. Johnson: Wormhole Attack on Wireless Network IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, Vol. 24- No 2, 2006.

7. Viren Mahajan, Maitreya Natu, and Adarshpal Sethi: ANALYSIS OF WORMHOLE INTRUSION ATTACKS IN MANETS IEEE Military Communications Conference (MILCOM), 2008.

8. Reshmi Maulik and Nanbendu Chaki: A Study on Wormhole Attacks in MANET International Journal of Computer Information System and Industrial Management Applications (IJCISIM), Vol.3 (2011), pp. 271-279.

9. Xia Wang and Hjony Wong: An End to End Detection of Wormhole Attack in Wireless Adhoc Network International Conference of computer Software and Applications, Vol.3 (2007), pp. 271- 279.

10. Thaier Hayajneh, Prashant Krishanamurthy, David Tipper and Anh Le: Secure Neighborhood Creation in Wireless Ad Hoc Networks using Hop Count Discrepancies Springer Science + Buisness Media, LLC 2011.

11. Phuong Van Tran, Le Xuan Hung, Young- Koo Lee, Sungyoung Lee and Heejo Lee: TTM: An Efficient Mechanism to Detect Wormhole Attacks in Wireless Ad-hoc Networks IEEE CCNC, 2007.

12. Panos Papadimitratos, Marcin Poturalski, Patrick Schaller, Pascal Lafourcade, David Basin, Srdjan Capkun, Jean-Pierre Hubaux: Secure Neighborhood Discovery: A Fundamental Element for Mobile Ad Hoc Networking IEEE Communications Magazine, 2008.

13. Lingxuan Hu and David Evans: Using Directional Antennas to Prevent Wormhole Attacks A In Network and Distributed System Security Symposium (NDSS), 2004.

14. Reza Shokri, Marcin Poturalski, Gael Ravot, Panos Papadimitratos and Jean-Pierre Hubaux: A Practical Secure Neighbor Verification Protocol for Wireless Sensor Networks ACM WiSec, 2009.

15. Naveen Sastry, Umesh Shankar and David Wagner: Secure Verification of Location Claims In: Proceedings of 2nd ACM Workshop on Wireless Security (WiSE03), 2003.

16. L. Lazos, R. Poovendran, C. Meadows, P. Syverson, L. W. Chang: Preventing Wormhole Attacks on Wireless Ad Hoc Networks: A Graph Theoretic Approach Wirel Netw 13(1), 2007.

17. Lijun Qian, Ning Song and Xiangfang Li: Detecting and Locating Wormhole Attacks in

    Wireless Ad Hoc Networks through Statistical Analysis of Multi-path J Netw Comput appl 30(1):308-330, 2007.

18. Ritesh Maheshwari, Jie Gao and Samir R Das: Detecting Wormhole Attacks in Wireless Networks Using Connectivity Information IN: GOA J (ed) INFOCOM 2007. 26th IEEE international conference on computer communications, IEEE, pp 107-115.

19. Chonho Lee and Junichi Suzuki: SWAT: A Decentralized Self-healing Mechanism for Wormhole Attacks in Wireless Sensor Networks In: Handbook on wireless sensor network, World Scientific Review Volume,2008.