Paper ID: 174

A Distributed Protocol for Detection of Packet

Dropping Attack in Mobile Ad Hoc Networks
Jaydip Sen, M. Girish Chandra, P. Balamuralidhar, Harihara S.G., Harish Reddy
Embedded Systems Research Group, Tata Consultancy Services, Bangalore-560066, India
Email: {jaydip.sen, m.gchandra, balamurali.p, harihara.g, h.reddy}@tcs.com

vulnerability of the routing protocols. A set of nodes in a

Abstract—In multi-hop mobile ad hoc networks (MANETs), MANET may be compromised in such a way that it may not
mobile nodes cooperate with each other without using any be possible to detect their malicious behavior easily. Such
infrastructure such as access points or base stations. Security nodes can generate new routing messages to advertise non-
remains a major challenge for these networks due to their existent links, provide incorrect link state information, and
features of open medium, dynamically changing topologies,
flood other nodes with routing traffic thus inflicting Byzantine
reliance on cooperative algorithms, absence of centralized
monitoring points, and lack of clear lines of defense. Among the
failure in the network. Another common routing disruption
various attacks to which MANETs are vulnerable, malicious attack in MANETs has been packet-dropping attack by a
packet dropping attack is very common where a malicious node group of malicious nodes. A group of nodes acting in
can partially degrade or completely disrupt communication in the collaboration may drop packets in the network at such a rate
network by consistently dropping packets. In this paper, a that the message communication in the network may be
mechanism for detection of packet dropping attack is presented severely degraded and sometimes even completely disrupted.
based on cooperative participation of the nodes in a MANET. The The detection of these malicious nodes may not be easy as
redundancy of routing information in an ad hoc network is they work in a group. Although there has been lot of research
utilized to make the scheme robust so that it works effectively on detection and prevention of such an attack in MANETs,
even in presence of transient network partitioning and Byzantine
most of these schemes have either low detection rate, high
failure of nodes. The proposed scheme is fully cooperative and
thus more secure as the vulnerabilities of any election algorithm complexity of detection algorithms, security vulnerabilities in
used for choosing a subset of nodes for cooperation are absent. the schemes themselves or high rate of false positives (Section
Simulation results show the effectiveness of the protocol. II). In this paper, a mechanism for detection of malicious
packet dropping attack in MANETs has been presented. The
Index Terms— distributed algorithm, mobile ad hoc network, scheme involves a collaborative distributed protocol that
packet dropping attack, routing security. utilizes complementary relationship between cryptographic
key distribution and intrusion detection activity for detection
I. INTRODUCTION of malicious packet dropping attack. The scheme has been
In a wireless ad-hoc network, a collection of mobile devices evaluated for its performance by implementing it on the
(referred to as ‘nodes’) with wireless network interfaces form network simulator ns-2. The effectiveness and efficiency of
a temporary network without the aid of any fixed the proposed mechanism has been compared with one of the
infrastructure or centralized administration. MANETs have currently available schemes and is found to have produced
some special characteristic features such as: (i) unreliable better results.
wireless links used for communication, (ii) constantly The rest of the paper is organized as follows. Section II
changing network topologies and memberships of nodes, (iii) presents some related work on defense against packet dropping
limited bandwidth of the links, (iv) Low battery lifetime, (V) attack in MANETs. Section III discusses the details of the
Limited computation power of the nodes that prohibit the proposed security mechanism. Section IV presents the
deployment of complex routing protocols and encryption simulations conducted on the mechanism and analyses the
algorithms for security. While these features are essential for results. Section V concludes the paper.
flexibility and adaptability of various operations in MANETs,
they introduce specific security concerns like vulnerabilities to II. RELATED WORK
link attacks including passive eavesdropping, active A number of works have been done on the area of ad hoc
interfering, leakage of secret information, data tampering,
network security especially for detection of packet dropping
impersonation, message-replay, message distortion and denial-
attacks by malicious nodes. This section mentions some of
of-service. An additional problem in MANETs is the security
these works.
Paper ID: 174

To solve the problem of reduction in the throughput due to problems, and therefore the collaborative method should be
selfish and malicious nodes in a MANET, Marti et al [1] used. The main advantage of this scheme is the restriction of
proposed two additional components to the dynamic source computation-intensive operations of the system to few
routing protocol (DSR): watchdog and pathrater. When a dynamically elected nodes. However, most of the available
node forwards a packet, the node’s watchdog verifies whether mobile agent frameworks are heavyweight and can often be
the next node in the path also forwards the same. The the targets of attacks themselves [5].
watchdog does this by listening promiscuously to the next
node’s transmissions. If the next node does not forward the III. THE PROPOSED FRAMEWORK
packet, then it is misbehaving. The pathrater assesses the This section presents the details of the proposed scheme. At
results of the watchdog and selects the most reliable path for first, some salient features of the scheme are described and
packet delivery. However, this scheme has several drawbacks. then the details of the framework and the associated protocols
First of all, overhearing does not always work particularly in are presented.
situations like collisions or weak signals. Secondly, pathrater
actually does not punish malicious nodes that do not cooperate
in routing. Rather it relieves them of the burden of forwarding
packets for others, while their messages are forwarded without
any problem. In this way, the malicious nodes are rewarded
Fig.1. Key distribution and intrusion detection as complementary functions
and reinforced in their behavior.
CONFIDANT [2] protocol as proposed by Buchegger et al A. Salient Features of the Proposed Scheme
extends the concepts of watchdog and pathrater. In this The proposed framework employs the complementary
mechanism, misbehaving nodes are not only excluded from relationship between key distribution and intrusion detection.
forwarding route replies, but also from sending their own route Key distribution in an ad hoc network require a trust
request. The scheme includes a trust manager to evaluate the management scheme to dynamically bind trust relationships
level of trust of alert reports and a reputation system to rate between the key distribution servers and the clients. Usually,
each node. The reports from trusted sources are only processed the context of this trust relationship is whether the node is well
by the nodes. However, it is not clear how fast the trust level behaving or not. This requirement of dynamic trust
can be adjusted for a compromised node especially if it has a management scheme can be satisfied by an intrusion detection
high trust level initially. system (IDS) that monitors the behavior of the nodes in the
Buttyan et al [3] have advocated the use of tamper-resistant network for identification of malicious or faulty nodes (Fig. 1).
hardware on each node of a MANET to encourage The intrusion detection system, in turn, requires the security
cooperation. Nodes are assumed to be unwilling to forward provided by the key distribution process through cryptographic
packets unless they are stimulated to do so. In this approach, a techniques. This complementary relationship between key
protected credit counter runs on the tamper-resistant device. It distribution and intrusion detection has been deployed in the
increments by one when a packet is forwarded. It refuses to proposed scheme to provide a high level of robustness into it.
send its own packets if the counter is smaller than a threshold. In the bootstrapping phase, the system uses the initial trust
Public key cryptography is used to exchange credit counter relationships that may be implemented by location limited side
information among the neighbors and verify if forwarding is channels (LLCs) [7]. This provides the initial security to the
really successful. However, the availability of tamper-resistant intrusion detection mechanism, which in turn provides a
hardware is a very vital assumption for the successful working dynamic trust management scheme for key distribution.
of the scheme that involves complexity in hardware design. Due to dynamic nature of ad hoc networks, any intrusion
In [4], the authors have presented a security architecture for detection (in this present context, detection of packet
MANETs involving mobile agents. In this scheme, multiple dropping) process should involve a distributed and cooperative
sensors deployed throughout the network collect and merge protocol among the participating nodes. The cooperation
audit data implementing a cooperative detection algorithm. between the nodes may be restricted within a small subset of
Sensors are deployed on some of the hosts in the network that nodes that are believed to be more trustworthy, or it may
monitor the network traffic. The selection of these nodes is involve all the nodes in the network. Unlike most of the
based on their connectivity index and a distributed voting existing approaches, the proposed mechanism involves all the
algorithm. The detection decisions are taken by mobile agents nodes in the network for working of the distributed protocol
that migrate their execution and state information between the because the protocol involving a subset of nodes have the
different sensor hosts of the network, and finally return to the following drawbacks. Firstly, these schemes require some
originator host with the results. The authors have proposed mechanisms to dynamically identify the subset of nodes that
two different methods of decision-making: collaborative and will participate in the protocol execution. Moreover, such
independent. They argue that independent decision-making by schemes fail to take into account the observations of all the
mobile agents is susceptible to single point of failure nodes in the network for identification of occurrences of
Paper ID: 174

events, and depend on the observations made by the nodes observed by all of its neighbors (Fig. 2). The accused
belonging to the subset only. For example, if the neighbors of (suspected) node on receiving the challenge responds by
a suspicious node cooperate to detect whether that node is acknowledging the message and sending a verify_behavior
really malicious, then the neighbors do not have information message to all of its neighbors. The neighbors respond by
about the past behavior of the node as observed by other nodes sending the observed value of the degree of maliciousness of
in the network because of the dynamic nature of the network’s the accused node. The accused node calculates the group’s
topology. This may lead to incorrect evaluation of the behavior trust in its behavior using the received values and broadcasts
of the suspicious node. the computed group-trust along with the received responses to
A detection mechanism for malicious packet dropping all the neighbors. All the messages are cryptographically
attack that is based on a cooperative algorithm may be secured by public key cryptographic mechanisms. The
susceptible to attacks by Byzantine nodes. These nodes may messages are also time-stamped so as to prevent replay attacks.
make false claims of detecting malicious activities by some For computing group trust value from the received responses,
nodes that are really honest. The proposed scheme is secure any consensus-based scheme can be used. In the proposed
and will operate correctly even in the presence of such scheme, the difference of the absolute trust values and the
Byzantine nodes in the network. average degree of maliciousness of the majority of the
As in a MANET, every node acts as a router and respondents (neighbors) has been taken as the final group-trust
participates in packet forwarding, there is lot of redundancy of value of the node. Majority among the neighbors has been
routing information in the network. This redundancy of taken as the larger of the two subsets of nodes obtained by
routing has been utilized in the proposed scheme to achieve a partitioning the nodes on the basis of a preset threshold value
high degree robustness in its functioning so that it can work of trust.
correctly in presence of selective packet dropping, packet
Accuser Accused Respondent
tampering and even in the scenario of transient network
partitioning. Challenge

Broadcast Send Observed

B. The Proposed Security Protocol Challenge Acknowledge Behavior

In the proposed scheme, every node in the network monitors

the behavior of its neighbors and upon detecting any abnormal
action by any of its neighbors invokes a distributed algorithm Observed Behavior
to ascertain whether the node behaving abnormally is indeed
malicious. The protocol works through cooperation of some Broadcast Group
Trust
security components that are present in each node in the
networks. These components are as follows: (i) monitor, (ii) Fig.2. Challenge and response mechanism in Trust collector module
trust collector, (iii) trust manager, (iv) trust propagator, (v)
whistle blower. The functions of these components are (iii) Trust Manager: Each node in the network maintains a
described below. global trust state containing the suspected nodes and their trust
(i) Monitor: The monitor module of each node passively values. A table is also maintained that contains a list of nodes
listens to the communication to and from each of its neighbors. that has been determined to be malicious and thus should not
For detecting packet drops and modifications by the be allowed any access to the network resources. The trust
neighboring nodes, the monitor module of a node randomly manager of a node is responsible for verifying the correctness
copies the incoming packets to its neighbors and checks of the group trust certificate received, caching them, and
whether the neighbors really forward the packets with contents updating the global trust state (table) of the node for which it
unchanged, or drop them, or modify the contents before has received a new group certificate (from the neighbors of a
forwarding them. The collected data is audited by the monitor. suspected node). While verifying the correctness, the trust
The deviation from normal behavior of a neighbor is used as manager must check whether the response from every
an indicator for the unbiased degree of maliciousness, because neighbor node has been correctly considered in computing the
this is independent of the past behavior of the neighbor node. group- trust by the suspected node, and the messages have not
If this unbiased deviation exceeds a pre-set threshold, the trust been tampered with. This is implemented by cryptographic
collector module of the node is invoked. mechanisms. The contribution of a trust certificate in the final
(ii) Trust collector: The Trust collector module of a node trust value of a suspected node depends on the global trust
invokes a majority consensus algorithm among the neighbors state of the majority of the neighbors of that node. If the
of a node that has been suspected to be malicious. On being majority of the neighbors observe that node is behaving
activated by its monitor module, the (accuser) node that has maliciously, i.e., its trust value is low, the received trust
suspected some malicious activity by one of its neighbors certificate is propagated to all the neighbors of the suspected
challenges the suspicious node to verify its behavior as node. If the computed trust value of a node falls below the
Paper ID: 174

threshold trust level, a global alarm is raised and the whistle the network. Moreover, due to group certification scheme, the
blower module is called on. number of false alarm is also less. As the number of malicious
For updating the trust value of a node, a cumulative function nodes in a network is usually small, the number of trust state to
is used. In (1), Told , Tnew , Tcertificate stand for the old trust value, be maintained in the nodes are also few. Thus the scheme
new trust value, and the group recommended trust value for a involves a very low storage overhead.
node respectively. (v) Whistle Blower: The whistle blower module initiates a
(1 − Tnew ) = α (1 − Told ) + β (1 − Tcertificate ) − δ (1) response action on receiving a global alarm about a suspected
node. When a global alarm is raised, the alarm message is
α and β represent the weightage corresponding to the old flooded across the entire network followed by the invocation
trust value and the new trust value of the node respectively. δ of a voting algorithm among the nodes that have recently
is the trust replenishment factor over time. β depends on three interacted with the suspected node, and a final decision is
factors α1 , α 2 , α 3 and can be expressed as follows: arrived at about the course of action to be taken (i.e., whether
β = α1α 2α 3 (2) to isolate the node as it has been detected to be truly malicious
or to keep it under surveillance as its trust value is still above
The parameter α1 is given by the threshold). Fig.3 depicts the interactions of different
∑ w iti security modules.
α =
majority
1 (3)
W

where, wi , t i are the weightage and the trust value respectively

of a node belonging to the majority group of the neighbors of
the accused node. W is a factor that depends on the size of the
network. The factor α 2 represents the weightage given to the
new trust value computed, and α 3 is defined as follows:
1 if k = 1
α3 =  (4)
0 if k > 1
where k is the number of certificates received from the
same group of neighbors or a subset of it in some threshold Fig. 3. Interaction among different security modules in a node
time interval.
(iv) Trust Propagator: The reputation propagator module C. The Packet Dropping Detection Algorithm
uses mobility of the nodes for propagating trust certificates. This section presents a formal method of detection of packet
Whenever a new trust certificate is computed for a node, it is dropping attack used in the proposed scheme. The algorithm
initially distributed to a subset of the neighbor nodes of the proposed in [1] has been extended. In the proposed algorithm,
suspected node. The size of this subset will determine the each node maintains a watch list of sent and overheard
effective convergence time of trust information among the packets. Only those overheard packets are added to the watch
nodes that are at present and in near future would be the list, which are destined to a neighbor node. Each sent packet is
neighbors of the suspected node. At regular intervals, the added to the watch list with a probability p1 and each
neighboring nodes in the network participate in dynamic overheard packet is added to the watch list with a probability
exchange of certificates. While the suspected node moves p2 . In Fig. 4, suppose node A wants to send a packet to node
through the network, every node in the network would receive D via the intermediate nodes B and C . E overhears the
the certificate through flooding or exchange mechanism. The
transmission and both A and E check whether node B really
number of hops required to be flooded are determined
forwards the packet.
dynamically by making the neighbors of the suspected node
send their neighborhood information along with the observed
behavior of the suspected node. The certificates are
piggybacked on routing packets and thus they involve no
communication overhead. This flooding and exchange
mechanism enables detection of tampering of packets and
provides robustness against packet dropping attacks as a node
can compare a certificate in its local cache with the copies of Fig. 4. Communication between different nodes in a MANET
the same certificate in its neighboring nodes. This scheme is However, there may be several reasons for which a sender
also robust against network partitioning as the trust states of all node may not be able to overhear a packet sent. The reasons
the suspected nodes are maintained locally by all the nodes in are: (i) the packet is maliciously dropped by the neighbor node
(node B in this example), (ii) the packet is dropped due to
Paper ID: 174

buffer overflow (congestion) at the forwarding node, (iii) the B. Results

packet was forwarded by the forwarding node but there was a The performance of the proposed algorithm in terms of false
collision at the destination node (node D in the example), (iv) alarm rate and successful detection rate has been compared
the packet was forwarded after the preset timeout interval at with the watchdog algorithm proposed in [1]. In the
the sender node. If Pmalicious , Pcongestion , Pcollision , Ptimeout denote the simulation, each of the packets sent by a node is added to its
probabilities of the above four events respectively, then we can watch list and each packet overheard by a node is put into its
arrive at the following equation: watch list (i.e., the probabilities p1 and p2 (Section III C) are
Pmalicious = 1 − (Pcongestion + Pcollision + Ptimeout ) (5) taken as 1.0). A node is assumed to be malicious if its
Each node estimates the malicious drop probability using Pmalicious value exceeds 0.6. Fig.5 compares the false alarm rates
(5) and updates the probability of a node being malicious using as produced by the two algorithms. It is observed that the
the following equation: proposed approach reduces the false alarm rate by 50% as
P (n, t ) = α1P (n, t − 1) + α 2 f ( packetsdropped , Pmalicious ) (6) compared to the scheme suggested in [1]. This improvement is
Where n is the offending node t is the time interval and attributed to the estimation of Pcongestion in the proposed
f ( packetsdropped , Pmalicious ) is a function of number of packets mechanism.
dropped and Pmalicious . In the proposed mechanism, f is chosen
TABLE I SIMULATION PARAMETERS
as an exponential function that initially rises slowly with the Parameters Values
increase in number of dropped packets. Simulation duration 1000 s
Simulation area 1000 m * 1000 m
For evaluation Pmalicious in (5), Pcongestion , Pcollision and Ptimeout Number of mobile nodes 50
have to be estimated. One approach of estimating Pcongestion , at Transmission range 50 m
Movement model Random waypoint
the forwarding node is to assume a Poisson arrival pattern [6]. Traffic type CBR (UDP)
In the proposed scheme, the congestion at the sending node is Total number of traffic flows 9
Bandwidth threshold 1 packet/s
taken as the estimate of the congestion at the forwarding node. Data payload 512 bytes/packet
This seems to be a better estimate as all the nodes in the Number of malicious nodes 5 (10% of total)
network are expected to have the same average traffic load on Maximum speed of a node 8 m/s
them. Pcollision is computed as the percentage of overlapping Host pause time 5s

RTS (request to send) packets received. For example, suppose

node B sends a packet to node C and overhears the medium
for the forwarded packet. Suppose node C really forwards the
packet but at the same time node E also sends a packet to B False
alarm Marti’s
resulting in a collision. Thus node B will erroneously
rate algo
conclude that the packet is dropped by node C .
Proposed
Pcollision discounts computation of Pmalicious in such cases. This algo
computation is based on the fact that node B would have
received RTS from both the nodes C and E . If these RTSs
Algorithms
have overlapping duration of bandwidth reservation, there is a
Fig. 5. Comparison of the false alarm rates
chance that node B will not be able to overhear the
forwarded packet. Ptimeout accounts for the RTS collisions and The comparison of the two algorithms in terms of successful
the noise error in the medium and is estimated depending on detection rates is presented in Fig. 6. The decrease in the
the conditions of the wireless links. success rate of the proposed algorithm is due to over-
estimation of congestion at a node that is really malicious and
IV. SIMULATION AND RESULTS is dropping packets intentionally (i.e. not due to congestion).
This simulation being a random instance, not all the malicious
A. Simulation Environment nodes are on the active traffic path, and thus not detected by
The proposed mechanism has been implemented in network the proposed algorithm. However, to avoid this situation the
simulator ns-2. Malicious behavior is simulated by dropping proposed scheme uses a cumulative function that assigns
unicast packets at the network layer. In the simulation, all the suitable weights to the past information about the node as well.
links are assumed to be bi-directional. It is also assumed that Thus if a node is pretty much localized and consistently drops
promiscuous sniffing of packets is possible. This is, of course, packets, it will be detected by the proposed scheme.
true in 802.11 technology. The performance of the proposed Each of the 50 nodes in the network is assigned a unique
mechanism is compared with that suggested in [1]. The integer identification number from (0,49). Fig.7 shows the
parameters used in simulation are presented in Table I. number of nodes that identifies a node as malicious
 Paper ID: 174

corresponding to each node in the network. The malicious the false alarm rate by 50% as observed in Fig 8. Fig. 9 shows
nodes are shown in dark. It can be seen that number of that in terms of successful detection rate both the distributed
complaints is more for nodes that have higher packet dropping and individual-observation based algorithms have the same
rates. Some of the nodes that are not malicious are also level of performance. The results thus clearly demonstrate the
wrongly identified. In fact, these are the nodes that are effectiveness of the distributed collaborative algorithm for
experiencing heavy congestion and thus dropping packets at detection of packet dropping attack in an ad hoc network.
high rates. Thus the scheme also helps in identifying nodes
that have higher congestion. This helps in reducing the number
of false alarm as the nodes can take a distributed approach in
arriving at a consensus to identify the malicious nodes
ignoring the nodes that are experiencing congestion. Success
rate
Cooperative Independent
observation

Success
rate
Marti’s
algo Proposed Algorithms
algo Fig.9. Success rates for distributed and non-distributed schemes

Algorithms
V. CONCLUSION
Fig. 6. Comparison of successful detection rates In this paper, a distributed algorithm is presented for
detecting malicious packet dropping attack in MANETs. The
algorithm works on cooperative participation of all the nodes
in the network at the network-bootstrapping phase but
No.
of effectively identifies the nodes that behave maliciously as they
nodes participate in network activities. The redundancies in routing
information in a MANET are suitably utilized to make the
detection scheme highly robust and secure against various
attacks. Due to the use of controlled flooding technique the
mechanism has also very low communication overhead.
Simulation carried on the scheme demonstrates its
effectiveness. As a future scope of work, the mechanism can
be extended so that the identified malicious nodes are isolated
from the network and a secure routing protocol can be
Nodes developed utilizing only the trusted nodes in the network.
Fig.7. No. of nodes that finds a node malicious
REFERENCES
[1] S. Marti, T.J. Giuli, K. Lai, and M. Baker, “Mitigating routing
misbehavior in mobile ad hoc networks”, In Proceedings of the 6th
False International Conference on Mobile Computing and Networking, pp.
alarm 255-265, 2000.
rate [2] S. Buchegger and J-Y.L. Boudec, “Performance analysis of the
Independent
observation CONFIDANT protocol”, In Proceedings of the 3rd ACM Symposium on
Mobile Ad Hoc Networking and Computing, pp. 226-236, 2002.
[3] L. Buttyan and J.P. Hubaux, “Stimulating cooperation in self-organizing
Cooperative
mobile ad hoc networks”, ACM Journal for Mobile Networks (MONET),
Special Issue on Mobile Ad Hoc Networks, summer 2002.
[4] O. Kachirski and R. Guha, “Effective intrusion detection using multiple
Algorithms sensors in wireless ad hoc networks”, In Proceedings of the 36th Hawaii
Fig.8. False alarm rates for distributed and non-distributed schemes International Conference on System Sciences, pp. 57-61, 2003.
[5] M.C. Man and V.K. Wei, “A taxonomy for attacks on mobile agents”, In
The effectiveness of a distributed consensus based approach Proceedings of the International Conference on Trends in
Communications, Vol. 2, pp. 385-388, 2001.
in detection of malicious nodes is further depicted in Fig. 8 [6] R. Rao and G. Keisidis, “Detecting malicious packet dropping using
and Fig. 9. Fig. 8 shows the comparison of a distributed statistically regular multi-hop wireless networks that are not bandwidth
algorithm and an algorithm based on individual observation of limited”, In Proceedings of the GLOBE-COM, 2003.
the nodes. The distributed and cooperative approach reduces
Paper ID: 174

[7] F. Stajano and R. Anderson, “The resurrecting duckling: security issues

for ad-hoc wireless networks”, In Proceedings of the 7th Security
Protocols Workshop, 1999, LNCS Vol. 1796, pp. 172-192.