hosted by
publicationslist.org
    
Abderrezak Rachedi

rachedi@ieee.org

Journal articles

2009
 
Abderrezak Rachedi, Abderrahim Benslimane (2009)  A secure and resistant architecture against attacks for mobile ad hoc networks   Journal of Security and Communication Network, John Wiley Interscience,  
Abstract: In this paper, we propose a new architecture based on an efficient trust model and secure distributed clustering algorithm (SDCA) in order to distribute a certification authority (CA) for ensuring the distribution of certificates in each cluster. We use the combination of a fully self-organized security for trust models like pretty good privacy (PGP) adapted to ad hoc technology and the clustering algorithm which is based on the use of trust and mobility metrics, in order to select the clusterhead and to establish a public key infrastructure (PKI) in each cluster for authentication and exchange of data. Furthermore, we present a new approach: the dynamic demilitarized zone (DDMZ) to protect the CA in each cluster. The principal idea of DDMZ consists in selecting the dispensable nodes, also called registration authorities (RAs); these nodes must be confident and located at one-hop from the CA. Their roles are to receive, filter and treat the requests from any unknown node to the CA. With this approach, we can avoid the single point of failure in each cluster. Moreover, we propose a probabilistic model to define the direct connectivity between confident nodes in order to study the resistance degree of the DDMZ against different attacks. In addition, we evaluate the performance of the proposed SDCA and we estimate the robustness and the availability of DDMZ through the simulations. The effects of direct connectivity and transmission range on the stability and security of the network are analyzed. The simulation's results confirm that the proposed architecture is scalable, secure, and more resistant against attacks.
Abderrezak Rachedi, Hadi Otrok, Noman Mohammed, Abderrahim Benslimane, Mourad Debbabi (2009)  A Secure Mechanism Design-Based and Game Theoretical Model for MANETs   Journal of Mobile Networking and Applications (MONET), ACM/Springer  
Abstract: To avoid the single point of failure for the certificate authority (CA) in MANET, a decentralized solution is proposed where nodes are grouped into different clusters. Each cluster should contain at least two confident nodes. One is known as CA and the other as register authority RA. The Dynamic Demilitarized Zone (DDMZ) is proposed as a solution for protecting the CA node against potential attacks. It is formed from one or more RA nodes. The problems of such a model are: (1) Clusters with one confident node, CA, cannot be created and thus clusters’ sizes are increased, which negatively affects clusters’ services and stability. (2) Clusters with high density of RA can cause channel collision at the CA. (3) Clusters’ lifetimes are reduced since RA monitors are always launched (i.e., resource consumption). In this paper, we propose a model based on mechanism design that will allow clusters with a single trusted node (CA) to be created. Our mechanism will motivate nodes that do not belong to the confident community to participate by giving them incentives in the form of trust, which can be used for cluster’s services. To achieve this goal, an RA selection algorithm is proposed that selects nodes based on a predefined selection criteria function and location (i.e., using directional antenna). Such a model is known as moderate. Based on the security risk, more RA nodes must be added to formalize a robust DDMZ. Here, we consider the tradeoff between security and resource consumption by formulating the problem as a nonzero-sum noncooperative game between the CA and attacker. Finally, empirical results are provided to support our solutions.
2008
 
Abderrezak Rachedi, Abderrahim Benslimane (2008)  Impacts and solutions of control packets vulnerabilities with IEEE 802.11 MAC   Journal of Wireless Communications and Mobile Computing, John Wiley InterScience, 9: 4. 469 - 488  
Abstract: In this paper, we focus on the medium access control (MAC), particularly the IEEE 802.11 and we deal with some hidden vulnerabilities based on the control packets CTS (clear to send) and ACK (acknowledgment). Through these vulnerabilities, we show two new smart attacks which were not dealt with by the solutions proposed recently like the attack based on the RTS (request to send) packet vulnerability. The malicious node can exploit these vulnerabilities on the MAC protocol, in order to corrupt the monitoring and routing processes. Furthermore, we demonstrate the attacks through algorithms and we show how vulnerabilities can be exploited and how these attacks can be implemented by the attacker. The impact of these attacks is presented through simulation and implementation. Simulation and experimental results show the impact of the attacks on the network. In addition, the experimental results demonstrate the feasibility of these real attacks and their exploitation. These experimentations allow us to confirm the simulation's results. Furthermore, in order to prevent these attacks, the solutions based on control packet authentication are presented. We propose two kinds of solution: one is cryptography independent and the other one is cryptography dependent. The evaluation and analysis of these solutions are investigated by analytic and simulations analysis. The simulations' results of the proposed solution show that the attacks are prevented and the negative impacts are significantly reduced. In addition, the security cost of the proposed solutions is investigated. Hence, the security costs are insignificant in comparison with the negative impact of these attacks.
Abderrezak Rachedi, Abderrahim Benslimane (2008)  Toward a cross-layer monitoring process for mobile ad hoc networks   Journal of Security and Communication Network, John Wiley InterScience  
Abstract: The intrusion detection system (IDS) for mobile ad hoc networks (MANET) consists in monitoring the nodes' behavior, in order to detect the malicious activity of nodes. Many existing solutions deal with the problem at each layer separately. But new kinds of misbehavior attacks are cross-layer attacks. And such smart misbehaviors cannot be detected at the level of one layer. In this paper, we propose a new cross-layer approach based on physical, MAC, and routing layers for a monitoring mechanism. A new analytical model is proposed to illustrate the parameters' effect on these different layers. The impact of the signal to noise ratio (SNR) and the distance between monitor and monitored nodes are clearly introduced. Moreover, the difference between the carrier sense, the interference range, and the transmission range is taken into account in our model. The proposed model improves the evaluation of the nodes' cooperation and reduces the risk of having any false positive rate. The analytical study and simulation results illustrate our purpose. In addition, with the simulations' results, we illustrate the impact of the distance between monitor and monitored nodes on the monitoring mechanism. Finally, we show that our cross-layer mechanism has a lower false positive rate than the classical Watchdog mechanism in different network's parameters such as the nodes' density, the speed mobility, and the different traffic loads.

Conference papers

2008
 
Abderrezak Rachedi, Abderrahim Benslimane (2008)  Security and Pseudo-Anonymity with a Cluster-Based Approach for MANET   In: IEEE Global Telecommunications Conference (IEEE GLOBECOM 2008) 1-6 IEEE Press  
Abstract: In this paper, we propose an anonymous protocol to secure nodes which have important roles in the network. We focus on the clustering approach to secure the mobile ad hoc networks (MANETs). In each cluster, a confident node is selected to ensure the certification authority (CA) roles; however, the cluster security depends on the security of the CA node. Therefore, we present an anonymous dynamic demilitarized zone (ADDMZ) to protect the CA node identity and to avoid the single point of failure in the cluster. ADDMZ is formed by a set of confident nodes which have a high trust level between them and their goal is to filter the communication between the cluster member node and the CA node. Moreover, we draw one's inspiration from military defence mechanisms such as: camouflage and identity change mechanisms. We present a protocol to realize these mechanisms by using the identity based cryptographic from bilinear maps. The security analysis is proposed to discuss the proposed protocols.
Abderrahim Benslimane, Abderrezak Rachedi, Deepak Diwakar (2008)  Relative Fairness and Optimized throughput for Mobile Ad Hoc Networks   In: IEEE International Conference on Communications (ICC '08) 2233-2237 IEEE Press  
Abstract: Although IEEE 802.11 provides several transmission rates, a suitable rate adaptation taking into account the relative fairness among all competitive stations, according to the underlying channel quality remains a challenge in Mobile Ad hoc Networks (MANETs). The absence of any fixed infrastructure and any centralized control makes the existing solutions for WLANs like CARA (collision-aware rate adaptation) [4] not appropriate for MANETs. In this paper, we propose a new analytical model with a suitable approach to ensure a relative fairness among all competitive nodes of a particular channel. Our model deals with the channel quality while respecting the nodes, based on transmission successes and failures in a mobility context. Finally, each node calculates its own probability to access the channel in a distributed manner. We evaluate the performance of our scheme with others in the context of MANET via extensive and detailed simulations. The performance differentials are analysed using varying network load and transmission range. The simulation results illustrate that our proposed approach ensures a better tradeoff between fairness and throughput.
Abderrezak Rachedi, Abderrahim Benslimane (2008)  Smart Attacks Based on Control Packets Vulnerabilities with IEEE 802.11 MAC   In: International Wireless Communications and Mobile Computing Conference (IWCMC '08) 588-593 IEEE Press  
Abstract: In this paper, we show new smart attacks which were not dealt with in the solutions proposed recently. We focus on the Medium Access Control (MAC), particularly the IEEE 802.11 and we study some hidden vulnerabilities based on the control packets. The malicious nodes can exploit these vulnerabilities to reduce the network's performance, to disturb the monitoring, routing processes and to escape the Intrusion Detection System (IDS). Furthermore, we show how vulnerabilities can be exploited and how these attacks can be implemented by the attacker. Moreover, attacks' algorithms and the security analysis are presented. We investigate on the effect of these attacks with the simulations and the experimentations. The simulations' results and their analysis illustrate the negative impact of these attacks on the network. In addition, the experimentation results demonstrate the feasibility to real exploitation of these attacks and they confirm the simulation's results.
Abderrezak Rachedi, Hadi Otrok, Noman Mohammed, Abderrahim Benslimane, Mourad Debbabi (2008)  A Mechanism Design-Based Secure Architecture for Mobile Ad Hoc Networks   In: IEEE International Conference on Wireless and Mobile Computing Networking and Communications 417 - 422 IEEE Press  
Abstract: To avoid the single point of failure for the certificate authority (CA) in MANET, a decentralized solution is proposed where nodes are grouped into different clusters. Each cluster should contain at least two confident nodes. One is known as CA and the other as register authority RA. The Dynamic Demilitarized Zone (DDMZ) is proposed as a solution for protecting the CA node against potential attacks. It is formed from one or more RA nodes. The problems of such a model are: (1) Clusters with one confident node, CA, cannot be created and thus clusters' sizes are increased, which negatively affects clusters' services and stability. (2) Clusters with high density of RA can cause channel collision at the CA. (3) Clusters' lifetimes are reduced since RA monitors are always launched (i.e., resource consumption). In this paper, we propose a model based on mechanism design that will allow clusters with a single trusted node (CA) to be created. Our mechanism will motivate nodes that do not belong to the confident community to participate by giving them incentives in the form of trust, which can be used for cluster's services. To achieve this goal, an RA selection algorithm is proposed that selects nodes based on a predefined selection criteria function. Finally, empirical results are provided to support our solutions.
2007
 
Abderrezak Rachedi, Abderrahim Benslimane (2007)  Cross-Layer Approach to Improve the Monitoring Process for Mobile Ad Hoc Networks Based on IEEE 802.11   In: IEEE Global Telecommunications Conference (GLOBECOM '07) 1086-1091 IEEE Press  
Abstract: The monitoring process consists in evaluating the behaviour of nodes in networks in order to detect if the monitored nodes well-behave or misbehave. Many existing solutions deal with the problem at each layer separately. Actually new kinds of misbehaviour attacks are cross-layer. So, such smart misbehaviours cannot be detected at the level of one layer. In this paper, we propose a new cross-layer approach based on physical, MAC and routing layers for a monitoring mechanism. An analytical model is proposed to illustrate the parameters' effect on these different layers. The impact of the signal to noise rate (SNR), the distance between monitor and monitored nodes are clearly introduced. Moreover, the difference between the carrier sense, the interference and the transmission ranges is taken into account in our model. The simulations' results show the effectiveness of the proposed analytical model, we reach until 90% of observation's correction in some cases.
Abderrezak Rachedi, Abderrahim Benslimane, Lei Guang, Chadi Assi (2007)  A Confident Community to Secure Mobile Ad Hoc Networks   In: IEEE International Conference on Communications (ICC'07) 1254 - 1259 IEEE Press  
Abstract: Providing a security solution for mobile ad-hoc networks (MANETs) is not an easy task. This is due to the unique characteristics of MANETs, such as the lack of a pre-existent infrastructure, the dynamic topology of the network, the non-existence of a control authority and the constraints of device resources. In this paper, we introduce the monitoring and cluster manager modules to improve our distributed hierarchical architecture. Moreover, we study the concept of dynamic demilitarized zone (DDMZ) defined in our hierarchical architecture to avoid a single point of failure in MANETs. The DDMZ is formed by the dispensable nodes which belong to the confident community. The confident community is formed by sets of confident nodes which have high trust levels and collaborate with each other to ensure secure services. We propose a probabilistic model to define the direct connectivity between confident nodes in order to study the resistance degree of DDMZ against different attacks. Furthermore, we estimate the robustness and the availability of DDMZ and we also analyze the effects of direct connectivity and transmission range on the stability and security of the network.
2006
 
Abderrezak Rachedi, Abderrahim Benslimane (2006)  Trust and Mobility-based Clustering Algorithm for Secure Mobile Ad Hoc Networks   In: International Conference on Systems and Networks Communications (ICSNC'06) 72 - 72 IEEE Press  
Abstract: A Mobile Ad-hoc network (MANET) is formed when a group of mobile wireless nodes collaborate between them to communicate through wireless links in the absence of the fixed infrastructure and any centralized control. These characteristics make it able to adapt and operate in difficult conditions, but also vulnerable to new security attacks not present in a traditional wired network. In this paper a new approach to secure MANETs has been proposed. Our solution is based on our efficient trust model and distributed algorithm to clustering network in order to distribute role of certification authority (CA) in each cluster. We use fully self-organized security and monitoring process to supervise behaviors of nodes with low trust level. Also, we propose clustering algorithm based on the trust and mobility metric to select CA and to establish public key infrastructure (PKI) in each cluster. Furthermore, we introduce new concept Dynamic Demilitarized Zone (DDMZ) to protect CAs and avoid the single point of failure in each cluster. The DDMZ is formed by set of the dispensable nodes which must be confident and located at one-hop from the CA. Our approach can be easily extended to other hierarchical routing protocols. The simulation results include an evaluation of the stability, availability and security.
Abderrezak Rachedi, Abderrahim Benslimane (2006)  A Secure Architecture for Mobile Ad Hoc Networks   In: 2nd International Conference on Mobile Ad-hoc and Sensor Networks (MSN'2006) 424-435 Springer LNCS  
Abstract: In this paper, we propose a new architecture based on an efficient trust model and clustering algorithm in order to distribute a certification authority (CA) for ensuring the distribution of certificates in each cluster. We use the combination of fully self-organized security for trust model like PGP adapted to ad-hoc technology and the clustering algorithm which is based on the use of trust and mobility metric, in order to select the clusterhead and to establish PKI in each cluster for authentication and exchange of data. Furthermore, we present new approach Dynamic Demilitarized Zone (DDMZ) to protect CA in each cluster. The principal idea of DDMZ consists in selecting the dispensable nodes, also called registration authorities; these nodes must be confident and located at one-hop from the CA. Their roles are to receive, filter and treat the requests from any unknown node to CA. With this approach, we can avoid the single point of failure in each cluster. This architecture can be easily extended to other hierarchical routing protocols. Simulation results confirm that our architecture is scalable and secure.

PhD theses

2008
Abderrezak Rachedi (2008)  Contributions à la sécurité dans les réseaux mobiles Ad-hoc   University of Avignon  
Abstract: The thesis focuses on security in Mobile Ad hoc Networks (MANETs) [RFC 2501]. The lack of any central management of the network functions makes MANETs more vulnerable to attacks than wireless (WLANs) and wired networks (LANs). Unfortunately, security protocols that currently exist are not designed to adapt MANETs characteristics. They do not take into account the resource limits, while the environment is dynamic and the resources are limited (memory storage, computation power and energy), and this complicates the problem, because, as we know, security solutions require a high amount of resources. However, we have to face the challenge, because the application fields of MANETs, such as military and emergency operations, are so numerous that it is necessary to design a robust security mechanism for Mobile Ad hoc Networks. The main goal of my thesis consists in examining the solutions that are likely to insure security in MANETs, and in proposing a hierarchical distributed architecture that enables to implement a dynamic public key infrastructure. This solution must be adapted to MANETs characteristics (no control central unit, dynamic network topology, etc.). With this aim in view, a trust model adapted to the dynamic environment to insure the nodes trust level updating must be designed. Moreover, the certification authority vulnerabilities must be taken into account in the new DDMZ concept (dynamic demilitarized zone), that we propose. In order to increase the security level of the important nodes in the network, their identity must be hidden. That is why we introduced the anonymity concept. We also proposed an anonymous authentication protocol. Moreover, we drew our inspiration from the military model in order to implement a camouflage mechanism that hides the important nodes' roles. In order to maintain the trust model, a monitoring mechanism is necessary. 
It must be adapted to dynamic wireless environment constraints and must reduce the rate of false positives (false alarms). It is based on a cross-layer approach and a probabilistic model to improve the monitor node's observation. In order to face smart attacks, such as cross-layer attacks, we must study the vulnerabilities located at the lower layers, such as the MAC layer. Then, prevention and detection mechanisms are analysed and assessed. In order to assess the performance of these mechanisms, we take into account the main metrics of Mobile Ad hoc Networks, such as energy consumption, mobility, nodes' density, traffic rate, etc.

National Conference Publications (French-Speaking Conferences)

2009
2007
2004