A Combined Solution for Routing and Medium Access Control Layer Attacks in Mobile Ad Hoc Networks

Problem statement: In a Mobile Ad hoc Network (MANET), both the routing layer and the Medium Access Control (MAC) layer are vulnerable to several attacks, and very few techniques detect and isolate the attacks of both layers simultaneously. In this study, we developed a combined solution for routing and MAC layer attacks. Approach: Our approach uses three techniques simultaneously: a cumulative frequency based detection technique for detecting MAC layer attacks, a data forwarding behavior based detection technique for detecting packet drops, and a message authentication code based technique for detecting packet modification. Results: Our combined solution derives a reputation value for detecting the malicious nodes and isolates them from further network participation until their revocation. Our approach periodically checks all nodes, including the isolated nodes, at a regular time period λ. A node which recovers from its misbehaving condition is revoked to its normal condition after the time period λ. Conclusion/Recommendations: Simulation results show that our combined solution provides more security through an increased packet delivery ratio and reduced packet drops. We also show that our approach has less overhead than the existing technique.


Mobile Ad-Hoc Network (MANET): A Mobile Ad Hoc Network (MANET) is a collection of dynamic, independent, wireless devices that form a communications network without the support of any permanent infrastructure. The ultimate goal of designing a MANET is to make available a self-protecting, "dynamic, self-forming and self-healing network" for a dynamic and non-predictive topology (Orwat et al., 2008). Depending on its position and transmission range, every node in a MANET acts as a router; nodes move arbitrarily and connect dynamically to form the network. The topology of the ad hoc network depends mainly on two factors, the transmission power of the nodes and the location of the mobile nodes, neither of which is fixed over time (Saad and Zukarnain, 2009).
Ad hoc networks surpass traditional networks in many respects, such as easy and swift installation and trouble-free reconfiguration, which suits them to circumstances where deploying a network infrastructure is too expensive or too vulnerable (Huang et al., 2007). MANETs are applicable in several areas: military applications, where cadets relay important situational awareness data on the battleground; corporate settings, where employees or associates share information inside the company premises or in a meeting hall; interactive conferences, where attendees participate using wireless gadgets; and critical relief missions during disaster events such as large scale mishaps like war or terrorist attacks and natural disasters. They are also used in personal area and home networking, location-based services, sensor networks, and many more services based on MANETs (Wu et al., 2007). The three major drawbacks related to quality of service in a MANET are bandwidth limitations, the dynamic and non-predictive topology, and the limited processing and storage of mobile nodes (Uma and Padmavathi, 2009).
Routes in a MANET are multihop because of the limited propagation range of wireless radios. Since nodes in the network move freely and randomly, routes often get disconnected. Routing protocols are thus responsible for maintaining and reconstructing routes in a timely manner as well as establishing durable routes. In addition, routing protocols are required to perform all the above tasks without generating excessive control message overhead (Masoud et al., 2006; Murad and Al-Mahadeen, 2007).

MANET attacks and classification:
The wireless nature and inherent features of mobile ad hoc networks make them vulnerable to a wide variety of attacks. Attacks on MANETs can be classified according to various criteria, as shown below (Shanthi et al., 2009; Xiao et al., 2007; Razak et al., 2004):
• Passive and active attacks: this classification depends on whether the normal operation of the network is disrupted or not.
There are many other classifications of attacks on MANETs, such as stealthy and non-stealthy attacks, cryptographic and non-cryptographic attacks, and single and multiple attackers.

Denial of Service (DoS) Attacks in MANET:
In MANETs, nodes act as both routers and ordinary hosts. Due to the dynamic network topology and the lack of centralized infrastructure, network security becomes the most important issue in a MANET. Among the various attacks mentioned above, the DoS attack, being a multi-layer attack, plays a major role in disrupting the network.
A DoS attack basically slows down or eliminates a network's capability to perform its expected function. The intruder consumes server resources or network bandwidth and prevents genuine users from accessing resources (Denko, 2006). In MANETs, the link layer and the network layer are affected by DoS attacks. A DoS attack exploits vulnerabilities of link layer protocols, network layer protocols and MAC layer protocols. In the network layer it is further classified into three types: routing disruption, forwarding disruption and resource consumption attacks (Xing and Wang, 2006).
In a MANET, DoS attacks can be classified into two basic types: routing layer attacks and MAC layer attacks. Attacks at the routing layer could consist of the following (Razak et al., 2004):
• Nodes compromised by attackers take part in the network but drop a definite number of data packets
• The misbehaving node transmits untrustworthy route updates and causes route failure or breakage
• The misbehaving node could replay out-of-date updates
• The misbehaving node decreases the Time-To-Live (TTL) field in the IP header, which causes the data packet to be dropped or to deviate from its destination
At the MAC layer the following attacks can happen (Razak et al., 2004):
• Denial of service at a node by maintaining a congestion scenario on the route
• Draining a node's battery by flooding attacks
Problem identification and proposed solution: In a MANET, DoS attacks affect both the routing layer and the MAC layer (Razak et al., 2004). There are very few approaches that detect and isolate the attacks of both the routing and MAC layers.
We present a robust scheme which detects the malicious nodes that perform DoS attacks and helps to isolate those nodes from the network. Our approach thus analyzes the possibilities of protecting not only the routing layer but also the corresponding MAC layer, which increases the achievable security. We assume that the receiver nodes are always free of any attacks; the approach is therefore receiver (destination) initiated.
Related works: Denko (2006) has proposed a reputation-based incentive mechanism for encouraging nodes to participate in resource utilization and preventing DoS attacks. That study considers both a DoS attack caused by a selfish node that drops packets and a wormhole attack caused by a malicious node. A clustering architecture was proposed for performing reputation data management in a localized and distributed manner. DoS attacks were analyzed by mutual monitoring and information exchange. Reputation ratings were propagated using neighborhood and cluster level information, with more weight given to a node's own observation. A load balancing mechanism was used to reduce traffic on heavily used cooperative nodes; in this mechanism, selection is carried out probabilistically among the eligible nodes on the path to the destination.
Guang et al. (2006) have proposed two attacks implemented at the MAC layer which also affect ad hoc on-demand routing mechanisms. The two attacks are the Shortcut Attack (SCA) and the Detour Attack (DTA), which are mounted at the MAC layer but disrupt the procedure of the ad hoc routing mechanism. The shortcut attack is used by a misbehaving node to increase the probability of being selected as a relaying node. After attracting flows through itself, the malicious node can launch DoS attacks to degrade the overall network performance. A node using the detour attack can reduce the probability of being discovered by the route discovery process and thereby save its limited device energy.
Gupta et al. (2002) have analyzed Denial of Service (DoS) attacks on the Medium Access Control (MAC) layer. That study describes the characteristics and properties of DoS attacks at the MAC layer in ad hoc networks, the various possible DoS attacks and possible methods to mitigate them, and the resulting degradation of MAC layer network performance in terms of achieved throughput and latency. The various vulnerabilities are identified, and it is shown that the capture effect and the lack of fairness that arise when this MAC protocol is used may be exploited in particular to disrupt important services.
Zhou et al. (2004) have proposed two types of MAC layer DoS attacks and countermeasures to defend against them. The two attacks discussed are the Single Adversary Attack (SAA), initiated by a single adversary injecting a large amount of data flows into the network, and the Colluding Adversaries Attack (CAA), initiated by two colluding adversaries sending enormous data flows directly to each other. To counter SAA, a packet-by-packet authentication scheme is introduced so that legitimate nodes can cancel data transmission requests from unauthenticated adversaries; for CAA, several methods are proposed, such as a fair MAC protocol that protects traffic flows.
Ren et al. (2007) have studied congestion-based Reduction of Quality (RoQ) DDoS attacks and a defense scheme against them in MANETs. The RoQ DDoS attacks are categorized into four types: pulsing attack, round robin attack, self-whisper attack and flooding attack. To tackle these attacks, a defense scheme comprising both detection and response mechanisms is used. The detection scheme monitors three MAC layer signals, and the response scheme is based on Explicit Congestion Notification (ECN) marking.
Djenouri and Badache (2009) have proposed an approach that deals with packet dropping misbehavior in mobile ad hoc networks by monitoring, detecting and isolating misbehaving nodes that do not forward packets. The solution comprises five modules: the monitor, the detector, the isolator, the witness and the investigator. For monitoring, the efficient two-hop ACK technique is used with a random requesting approach to reduce cost. For local detection, a detector module based on a Bayesian approach is used. After a node is detected as misbehaving, the isolator is responsible for isolating it. The investigator investigates accusations before testifying when the node does not have enough experience with the accused, and the witness module responds to witness requests from the isolator.
Akbani et al. (2008) proposed HEAP, a hop-by-hop efficient authentication protocol. It authenticates packets at each hop using a modified HMAC-based algorithm with two keys and drops any packets that originate from outsiders. This method is suitable for multicast, unicast or broadcast applications and is resistant to several passive attacks such as DoS, wormhole, replay, impersonation and man-in-the-middle attacks, by making it very difficult for a passive user to propagate any forged packet. HEAP is not designed to detect insider attacks, but if a third party Intrusion Detection System (IDS) were to detect a malicious node and alert other nodes about it, HEAP provides a framework for an effective response system.
Priakanth and Thangaraj (2009) proposed a channel adaptive, energy efficient Medium Access Control (MAC) protocol for efficient packet scheduling and queuing in an ad hoc network, taking the time-varying characteristics of the wireless channel into consideration. Every node in the proposed scheme estimates the channel and link quality for each contending flow, from which a weight value is calculated and propagated using the routing protocol. Since a wireless link with worse channel quality results in more energy expenditure, transmission is allowed only for those flows whose weight is greater than the channel quality threshold.

Combined solution for routing and MAC layer attacks:
In our approach, we combine three techniques to simultaneously check for node misbehavior. The three techniques used here are:
• For MAC layer attacks: a cumulative frequency based detection technique
• For packet drops in the routing layer: a data forwarding behavior based detection technique
• For packet modification in the routing layer: a MAC based authentication technique

Cumulative frequency based detection technique:
For channel reservation, Request To Send (RTS) and Clear To Send (CTS) packets are sent to nodes and carry the time period to be set as the channel reservation time. DoS attackers target these packets either to gain control over the channel or to flood it with fake packets. We use the following status values (Ren et al., 2007; Gill et al., 2005) from the MAC layer to detect DoS attacks:
• Frequency of receiving RTS/CTS packets
• Frequency of sensing a busy channel
• Number of RTS/DATA retransmissions
• Round trip times for RTS/CTS packets
Each status value corresponds to one stage of the RTS/CTS exchange. In the initial stage, when the number of RTS/CTS packets received exceeds a threshold value OV_th, this indicates that a large number of nodes are contending for the channel within the transmission range. While the channel is busy, a node resides in the backoff stage and halts its Channel Passage (CP) count; when the halt time exceeds the sensing threshold U_th, this suggests that the number of nodes within the interference range is high. During retransmission, if the number of retransmissions surpasses the threshold value RT_th, the channel is considered congested. In the final stage, the sender calculates the Time Taken (TT) to complete one successful RTS-CTS handshake between itself and the receiver. TT is the total time taken for the RTS frame to travel from sender to receiver and for the CTS frame to return as an acknowledgement.
The overhead of implementing this detection scheme is minimal because these status values are already accessible in the protocol stack implementation. During the response phase, the nodes check the following conditions to mark each packet with a Channel Busy (CB) bit:  Table (IT) which modifies the trust value according to the packet received.
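As an added example (not the paper's code), the threshold checks of the cumulative frequency technique in Python: a monitoring node accumulates the four MAC layer status values per neighbour over an observation window, sets the CB bit for that window, and reports the percentage of CB-marked windows as the neighbour's α. The page does not reproduce the exact CB conditions, so the block assumes the bit is set when any status value exceeds its threshold; the threshold name tt_th for the round trip time is also an assumption.

```python
from dataclasses import dataclass

@dataclass
class Thresholds:
    ov_th: int       # RTS/CTS packets per window (OV_th, channel contention)
    u_th: float      # seconds the CP count stays halted on a busy channel (U_th)
    rt_th: int       # RTS/DATA retransmissions per window (RT_th, congestion)
    tt_th: float     # mean RTS-CTS round trip time TT in seconds (assumed name)

@dataclass
class MacStatus:     # the four status values of one neighbour in one observation window
    rts_cts: int = 0
    busy_halt: float = 0.0
    retrans: int = 0
    tt_sum: float = 0.0
    tt_n: int = 0

def check_window(st, th):
    """Return (cb_bit, stages that fired). Assumption: any exceeded threshold sets CB."""
    stages = []
    if st.rts_cts > th.ov_th:
        stages.append("contention")       # many nodes contending within transmission range
    if st.busy_halt > th.u_th:
        stages.append("interference")     # CP count halted too long: crowded interference range
    if st.retrans > th.rt_th:
        stages.append("congestion")       # retransmissions surpassed RT_th
    mean_tt = st.tt_sum / st.tt_n if st.tt_n else 0.0
    if mean_tt > th.tt_th:
        stages.append("handshake-delay")  # RTS-CTS handshake TT too long
    return bool(stages), stages

class FrequencyDetector:
    def __init__(self, th):
        self.th = th
        self.current = {}   # node -> MacStatus for the open window
        self.windows = {}   # node -> CB bits of the closed windows

    def observe(self, node, kind, value=1):
        """Record one MAC layer event: rts_cts, busy_halt (s), retrans or tt (s)."""
        st = self.current.setdefault(node, MacStatus())
        if kind == "tt":                          # keep sum and count for the mean TT
            st.tt_sum, st.tt_n = st.tt_sum + value, st.tt_n + 1
        elif kind in ("rts_cts", "busy_halt", "retrans"):
            setattr(st, kind, getattr(st, kind) + value)
        else:
            raise ValueError(f"unknown status kind {kind!r}")

    def close_window(self):
        """End the observation window; return {node: (cb_bit, stages)}."""
        verdicts = {n: check_window(s, self.th) for n, s in self.current.items()}
        for n, (cb, _) in verdicts.items():
            self.windows.setdefault(n, []).append(cb)
        self.current = {}
        return verdicts

    def alpha(self, node):
        """Percentage of closed windows in which the node's packets were marked CB."""
        wins = self.windows.get(node, [])
        return 100.0 * sum(wins) / len(wins) if wins else 0.0

def demo():
    """Constructed trace: node A floods RTS/CTS and retransmits heavily, node B is normal."""
    det = FrequencyDetector(Thresholds(ov_th=20, u_th=0.5, rt_th=7, tt_th=0.02))
    for _ in range(2):
        det.observe("A", "rts_cts", 45)
        det.observe("A", "retrans", 9)
        det.observe("B", "rts_cts", 6)
        det.observe("B", "tt", 0.004)
        det.close_window()
    return det.alpha("A"), det.alpha("B")
```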
Initially, the nodes do not have any information about the dependability of their neighboring nodes. When a source S needs to transmit a packet to the destination D, it sends Route Request (RREQ) packets to its neighbors.
When an intermediate node receives the RREQ packet for the first time, it estimates the number of packets received through its channel. If the packets are safely received from its previous node, it assigns a trust value (TV) to that previous node. Consider two intermediate nodes N_x and N_y, where N_x transmits the packet to N_y. Each time node N_y receives a packet from N_x, N_y increases the trust value of node N_x as: Then the IT of node N_y is updated with the value of TV_x. Similarly each node determines its IT, and finally the packets reach the destination D.

MAC based authentication technique: For a Message Authentication Code (MAC) (Stallings, 2002) based authentication technique, we use Secure On demand Routing (SOR). Every source sends a request packet (REQ) which contains the source id (S_id), the source sequence number (Ns), the destination id (D_id), a MAC (MS) generated by the source with the key shared between S and D, and a cumulative MAC (C_mac) computed by S over MS using the key shared between S and D (Fig. 1).
At each intermediate node, C_mac is extended by adding a MAC computed with its own shared key and the source's shared key. This cumulative C_mac keeps accumulating and is stored, along with the node address for backward transmission (bt), until the destination is reached. At the destination, the authenticity of the REQ and of the most recently updated MS is verified. After verifying MS, the destination sends a Reply packet (REP) to its previous hop with an increasing, unique reply number N_rep and a MAC computed over N_rep and the cumulative MAC in the received REQ using the key shared between D and S. During the transmission from D to S, each intermediate node checks the REP, verifies it and records all information.
The format of request and reply packets generated or forwarded by an intermediate node I is given by (6) and (7) (Fig. 2). MS enables the destination to detect duplicate requests early and not reply to them:
REQ_i = {REQ, S_id, D_id, Ns, MS, C_maci} (6)
REP_i = {REP, S_id, D_id, Ns, Nd, PathList, C_maci-d} (7)
When a node does not forward its packet, either because of node failure or node misbehavior, an Error packet (Err) is generated and sent to the node. The error packet consists of the id of the erring node (N_err), the id of the next node (NN_id), the source id (S_id) and an error MAC (M_err):
To prevent malicious nodes from sending bogus Err packets, a MAC protects Err packets using the key shared between N_err and S (Fig. 3). When the source receives an Err, it checks the legitimacy of the Err and informs the source about the node's status.
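As an added example (not the paper's code) of the SOR request and reply exchange described above, in Python: the source computes MS and the initial C_mac with the key shared with D, each intermediate layers a further MAC over C_mac and appends its address to the path list, and the destination recomputes the chain to detect a packet modified in flight or a duplicate request. HMAC-SHA256 as the MAC function, pre-distributed pairwise keys, and each intermediate using the key it shares with the destination (so that D can verify the chain) are assumptions.

```python
import hmac, hashlib
def mac(key, *parts):
    """MAC over the given fields; HMAC-SHA256 is an assumption, the paper names no MAC."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(p if isinstance(p, bytes) else str(p).encode())
        h.update(b"|")                 # field separator, avoids ambiguous concatenation
    return h.digest()

class Node:
    def __init__(self, nid, keys):
        self.nid, self.keys = nid, keys  # node id; peer id -> pairwise shared key (assumed)
        self.seen = set()              # (S_id, Ns) already answered: early duplicate rejection
        self.last_nrep = 0             # last accepted reply number N_rep

    def originate_req(self, did, ns):
        """Source S builds REQ: MS and the initial C_mac both use the key shared with D."""
        k = self.keys[did]
        ms = mac(k, "REQ", self.nid, did, ns)
        return {"type": "REQ", "sid": self.nid, "did": did, "ns": ns,
                "ms": ms, "cmac": mac(k, ms), "path": []}

    def forward_req(self, req):
        """Intermediate I: layer a MAC (key shared with D, assumed) over C_mac, append its address (bt)."""
        out = dict(req, path=req["path"] + [self.nid])
        out["cmac"] = mac(self.keys[req["did"]], req["cmac"], self.nid)
        return out

    def verify_req(self, req):
        """Destination D: verify MS, drop duplicates early, then recompute the C_mac chain."""
        k = self.keys[req["sid"]]
        if not hmac.compare_digest(req["ms"], mac(k, "REQ", req["sid"], self.nid, req["ns"])):
            return "bad-ms"
        if (req["sid"], req["ns"]) in self.seen:
            return "duplicate"
        expected = mac(k, req["ms"])
        for hop in req["path"]:        # replay every hop's contribution in path order
            expected = mac(self.keys[hop], expected, hop)
        if not hmac.compare_digest(expected, req["cmac"]):
            return "modified"          # fields or PathList changed in flight
        self.seen.add((req["sid"], req["ns"]))
        return "ok"

    def reply(self, req, nrep):
        """REP carries the unique reply number N_rep and a MAC over N_rep and the received C_mac."""
        return {"type": "REP", "sid": req["sid"], "did": self.nid, "ns": req["ns"],
                "nd": nrep, "path": req["path"], "req_cmac": req["cmac"],
                "cmac": mac(self.keys[req["sid"]], nrep, req["cmac"])}

    def verify_rep(self, rep):
        """Source S: N_rep must be fresh and the REP MAC must verify under K(S, D)."""
        expected = mac(self.keys[rep["did"]], rep["nd"], rep["req_cmac"])
        ok = rep["nd"] > self.last_nrep and hmac.compare_digest(rep["cmac"], expected)
        if ok:
            self.last_nrep = rep["nd"]
        return ok

def demo():
    """Constructed path S - I1 - I2 - D with constructed keys; returns the four verdicts."""
    k_sd, k_i1d, k_i2d = b"k-S-D", b"k-I1-D", b"k-I2-D"
    S, I1, I2 = Node("S", {"D": k_sd}), Node("I1", {"D": k_i1d}), Node("I2", {"D": k_i2d})
    D = Node("D", {"S": k_sd, "I1": k_i1d, "I2": k_i2d})
    req = I2.forward_req(I1.forward_req(S.originate_req("D", 1)))
    honest = D.verify_req(req)                     # "ok"
    rep_ok = S.verify_rep(D.reply(req, 1))         # True
    edited = dict(I2.forward_req(I1.forward_req(S.originate_req("D", 2))), path=["I2"])
    modified = D.verify_req(edited)                # "modified": PathList altered in flight
    dup = D.verify_req(I2.forward_req(I1.forward_req(S.originate_req("D", 1))))
    return honest, rep_ok, modified, dup           # ("ok", True, "modified", "duplicate")
```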
The cumulative isolation technique: We define a percentage value for each technique: α (percentile for cumulative frequency), β (percentile for data forwarding) and δ (percentile for MAC authentication), used to isolate misbehaving nodes before they do further damage to the network. Initially every node is given a Reputation Value (RV). When data is sent to the receiver by a source, the receiver calculates the RV of each node from the information gained by the above three techniques. Each technique provides its percentile value for the source periodically, with time period λ. The cumulative percentages (α, β and δ) give the source information about each node and its vulnerability towards the network. The RV value is updated as:
Reputation Value (RV) = RV - (α + β + δ)
The higher the percentile value, the more vulnerable the node is considered. Thus if the RV value exceeds a threshold value RV_th, the node is determined to be misbehaving. This RV value is sent to all the other nodes, which helps in isolating the node to avoid further damage to the network. The nodes are checked continuously during each period λ; if during the period a node attains its stable state and behaves normally, the node is revoked and is allowed to take part in the network again.
Simulation results: Simulation model and parameters: We use the Network Simulator (NS2) to simulate our proposed algorithm. In our simulation, the channel capacity of all mobile hosts is set to the same value, 2 Mbps. We use the Distributed Coordination Function (DCF) of IEEE 802.11 for wireless LANs as the MAC layer protocol; it has the functionality to notify the network layer about link breakage.
In our simulation, mobile nodes move in a 1000×1000 m region for a simulation time of 50 sec. We varied the number of nodes as 25, 50, 75, 100 and 125. We assume each node moves independently with the same average speed. All nodes have the same transmission range of 250 m, and the node speed is 10 m/sec. The simulated traffic is Constant Bit Rate (CBR). Our simulation settings and parameters are summarized in Table 1.

Performance metrics:
We evaluate the performance mainly according to the following metrics.

Control overhead:
The control overhead is defined as the total number of routing control packets normalized by the total number of received data packets.
Average end-to-end delay: The end-to-end delay is averaged over all surviving data packets from the sources to the destinations.
Average packet delivery ratio: It is the ratio of the number of packets received successfully to the total number of packets transmitted. In the simulation results we compared our CSRM scheme with the Packet Droppers (PD) scheme (Akbani et al., 2008) in the presence of malicious nodes.

Based on attackers:
In the first experiment, we vary the number of attackers as 5, 10, 15…25 in a 100 node network. Figure 4 shows the average packet delivery ratio as the number of misbehaving nodes increases. Figure 5 shows the average packet drop as the number of misbehaving nodes increases. Figure 6 shows the control overhead of the schemes as the number of misbehaving nodes increases.
From the results, we can see that the CSRM scheme has a significantly higher delivery ratio, fewer packet drops and less overhead than the PD scheme, since it has more security features for both MAC layer and routing layer attacks.

Based on number of nodes:
In the second experiment, we vary the number of nodes as 25, 50, 75, 100 and 125, keeping the number of attackers at 10. Figure 7 shows the average packet delivery ratio as the number of nodes increases. Figure 9 shows the control overhead of the schemes as the number of nodes increases.
From the results, we can see that the CSRM scheme again has a significantly higher delivery ratio, fewer packet drops and less overhead than the PD scheme, since it has more security features for both MAC layer and routing layer attacks.

DISCUSSION
The three combined techniques help in determining a Reputation Value (RV) which, if it exceeds a threshold value, isolates the node from further participation in the network. Our approach periodically checks all nodes, including the isolated nodes, at a regular time period λ. A node which recovers from its misbehaving condition is revoked to its normal condition after the time period λ.

CONCLUSION
In this study, we have developed a combined solution for both routing and MAC layer attacks in MANETs. Our technique simultaneously uses three techniques: cumulative frequency detection, data forwarding behavior detection and MAC authentication. The cumulative frequency technique detects malicious nodes by using the Channel Busy (CB) bit derived from the RTS/CTS conditions. The data forwarding behavior technique uses an incentive based scheme to determine the malicious nodes; in this scheme, the less incentive a node attains, the more malicious it is. In the MAC based authentication technique, the error bit identifies the misbehaving or inactive nodes. By simulation results, we have shown that our combined solution achieves an increased packet delivery ratio and reduced packet drops with less delay and overhead, compared to the existing technique.