
Testimony-based Isolation: New Approach To Overcome Packet Dropping Attacks in MANET


Djamel Djenouri (1), Nadjib Badache (2)
(1) CERIST Center of Research, Algiers 16030, Algeria.
(2) USTHB University, Algiers, Algeria.
E-mails: ddjenouri@mail.cerist.dz, badache@mail.cerist.dz

Abstract— Attackers could take advantage of the cooperative nature of MANET's routing protocols by participating in the route discovery procedure to include themselves in routes, then simply dropping data packets during the forwarding phase, aiming at a DoS (Denial of Service) attack. In this paper we deal with the detection and isolation of such malicious nodes. We first propose a monitoring technique, different from the promiscuous overhearing (watchdog) used by almost all the current solutions, that overcomes many of the watchdog's shortcomings. After that we propose a testimony-based isolation protocol based on our monitoring technique.

I. INTRODUCTION

Security in MANET attracts more and more researchers, with its variety of fields, problems, and challenges arising from the features of this infrastructureless environment [1]. One of the complex problems is detecting and isolating nodes that drop packets they receive to forward. Current secure routing protocols [2] aim at protecting the route discovery and route maintenance procedures. However, the packet dropping attack is launched during the forwarding phase. Although it can be launched easily, it is difficult to detect. In the context of selfish node detection and isolation, many solutions have been proposed [1]. Selfish nodes also drop data packets; they differ from malicious nodes only with respect to their purpose. Like malicious nodes, selfish nodes drop packets, but to save their resources; they do not aim at damaging others. Still, all the detective solutions could be used in the context of malicious nodes. All these solutions, however, rely on the watchdog technique, and thus inherit all its drawbacks.

The principle of the watchdog is that each node in the source route monitors its successor after it sends it a packet to forward, by overhearing the channel. A monitor accuses a monitored node of misbehaving when it detects that the latter drops more than a given number (threshold) of packets. This basic monitoring technique has no overhead when nodes do not misbehave. Nevertheless, it suffers from some problems, especially when used with the transmission power control technique employed by some new power-aware routing protocols that followed the watchdog's proposal, such as [3].

Assume three aligned nodes A, B and C, such that A sends B a packet and monitors its forwarding to C, and let us assume that B uses the power control technique. When A is closer to B than C, B could circumvent the watchdog by using a transmission power strong enough to reach A but less than the one required to reach C, which is power efficient for B. On the other hand, when C is closer to B than A, and B behaves correctly but uses the power control technique, A could not overhear B's forwarding to C and will wrongly notice a packet dropping, which might result in false detections when the number of packets falsely detected exceeds the configured threshold. Further, packet collisions either at C or A during the monitoring could cause false detections, and after a collision at C, B could circumvent A by not retransmitting the packet.

In this proposal we suggest a novel monitoring approach to overcome the watchdog's problems with reasonable overhead. We also propose a Bayesian approach for node accusation that enables node redemption before judgment. Finally, we suggest a social-based approach to approve detections and safely isolate guilty nodes. This approach aims to take into account and avoid the vulnerability to false accusation attacks (rumors), as well as to decrease false positives that might be caused by channel conditions and node mobility. In contrast to the current solutions [4], [5], where each node unilaterally isolates nodes it judges as misbehaving, our isolation mechanism safely ensures that all nodes together isolate the attacker. Unilateral isolation could cause problems, as we will see later.

The remainder of the paper is organized as follows: next, our solution is presented, followed by some analysis and discussion in Section 3. Section 4 is devoted to the simulation study, and finally the last section concludes the paper and sketches our perspectives.

II. SOLUTION OVERVIEW

Our solution consists of three related steps: the monitoring step, in which nodes control each other when forwarding packets; the judgment step, in which nodes decide about the behavior of each monitored node based on the result of the previous step; and finally an isolation step, in which a detector node launches the execution of a testimony-based protocol to isolate the detected node.

A. Monitoring

Like the watchdog, in our solution each node A in the source route monitors its successor B, and checks whether the latter forwards to C each packet it provides. (Footnote 1: like the watchdog, our protocol is also implemented with DSR [6].) We define a new kind of feedback we call two-hop ACK, an ACK that travels two hops. Node C acknowledges packets sent from A by sending the latter, via B, a two-hop ACK. Node B could, however, escape from the monitor without being detected by simply
sending A a falsified two-hop ACK. Note that proceeding in this way is power economical for B, since sending a short packet like an ACK consumes far less energy than sending a data packet. To get over this vulnerability we use an asymmetric-cryptography-based strategy as follows:

Node A generates a random number and encrypts it with C's public key (PK), then appends it to the packet's header. When C receives the packet it retrieves the number, decrypts it using its secret key (SK), encrypts it using A's PK, and puts it in a two-hop ACK that it sends back to A via B. On the first hop (C, B), the ACK is piggybacked on the ordinary MAC ACK (using a cross-layer implementation) instead of being transmitted in a separate packet. When A receives the ACK it decrypts the random number and checks whether the number within the packet matches the one it has generated, to validate B's forwarding of the corresponding packet. However, if B does not forward the packet, A will not receive the two-hop ACK, and it will be able to detect this malicious behavior after a timeout. This strategy needs a security association between each pair of nodes to ensure that nodes share their PKs with each other. This requires a key distribution mechanism, which can be achieved by continuously appending public keys to route request (RREQ) and route reply (RREP) packets during each route discovery of DSR [6] until all public keys reach every node. To ensure the authenticity of keys, a mechanism like the chain of trust [7] can be used. Note that the same keys could be employed for other security purposes at other layers.

The watchdog's problems related to detection are mitigated with this approach, since B's forwarding validation at A is not only related to B's transmission, but also to C's reception. Nevertheless, the problem with this first solution is that it requires a two-hop ACK for each packet on each couple of hops, which might result in significant overhead.

To decrease this cost we propose to randomize the ACK request, viz. A does not ask C for an ACK for each packet, but upon sending a packet to forward it randomly decides whether to ask for an ACK or not, with a probability p, then conceals this decision in the packet. A simple way to conceal the decision is to exploit the random number. For instance, when the node decides to ask for an ACK it selects an even number, and an odd number when it decides not to ask for the ACK. This random selection strategy prevents the monitored node from deducing which packets contain ACK requests. Note that getting such information would allow a misbehaving node to drop packets with no requests without being detected.

The probability p is continuously updated as follows: it is set to 1 (the initial value) when a timeout expires without receiving the requested ACK, and set to $p_{trust}$ upon receiving the requested ACK.

This way more trust is given to well-behaving nodes, and by setting p to 1 the ACK request is enforced after a lack of ACK, which allows achieving almost the same performance in true detections of misbehavior (true positives) as the ordinary two-hop ACK, as we will see later.

B. Judgment

The new monitoring method (random two-hop ACK) allows confirming the correct forwarding of packets. However, when a monitoring node notices that some packet has been dropped over a link, it should not directly accuse the monitored node of misbehaving, since this dropping could be caused by collisions or node mobility. Indeed, a threshold of tolerance should be fixed. In the following we propose a Bayesian approach allowing nodes to decide about the behavior of each other. In our approach, the threshold is not constant but increases as the node behaves well.

The Bayesian approach [8] is a mathematical estimation method that consists of estimating, by a Beta distribution, a parameter whose observations follow a Bernoulli distribution. The Bayesian approach for node reputation regarding packet forwarding in MANET has already been used by Buchegger and Le-Boudec [4], but their solution requires periodic transmissions of huge control packets.

Since misbehaving is usually the exception rather than the norm, information exchange in our solution is limited to negative impressions; it is thereby simpler and engenders no overhead when nodes behave well. Hereafter, we describe our Bayesian-based approach.

Each node i thinks that each other node j misbehaves with probability $\theta_j$, which is a random variable estimated by a Beta distribution Beta(a, b). For brevity we remove the indices in the following, and simply denote this probability by θ. Initially, with no prior information, θ is assumed uniform in [0,1], which is identical to Beta(1,1). As observations, which follow a Bernoulli distribution with parameter θ, are made, a and b are updated as follows: a = a + u, b = b + 1 − u, where u = 1 if the observation consists of a dropping, and 0 otherwise. A dropping in our solution is a lack of a required two-hop ACK. If the monitor does not ask for a two-hop ACK, the observation is considered as non-dropping. After enough observations for the decision to be made (so that θ can be approximated by the mathematical expectation E(Beta(a, b))), j will be judged. This point is called the decision point, and the number of observations is expressed by a + b. Node j will be accused of misbehavior as soon as: $E(Beta(a, b)) > E_{max}$.

Note that: E(Beta(a, b)) = a/(a + b).

$E_{max}$ could be fixed to 0.5, or for more efficiency it should be estimated empirically for each network as follows:

1) Make simulations with no misbehaving and compute E at each node for different scenarios that estimate the network.
2) Retrieve the maximum value in all scenarios from the decision point, then consider it as $E_{max}$.

In Buchegger's approach [4], every node periodically broadcasts in its neighborhood each $\theta_j$. Nodes use this information (known as second hand information) to update their own opinion on nodes' behavior. To decide about the acceptance
of provided information, each node performs complicated tests on the trustworthiness of the provider. The problem with this proactive solution is the significant overhead, even if nodes behave well. Our approach is rather reactive, thus no such information is exchanged. Indeed, each node performs monitoring separately and informs the others in order to isolate the attacker as soon as it judges it, as we will see in the following in more detail.

C. Isolation

Isolating a misbehaving node means:
• do not route packets through it, to avoid losing them
• do not forward packets for it, to punish it

A node X that judges some other node Y as misbehaving should not isolate it unilaterally, but must ensure its isolation by all nodes. This is because when X unilaterally isolates Y, the others could consider X as misbehaving when they realize that it does not forward packets for Y.

In social life, a person who accuses another of a crime must show proof. One possible way to do so is to get a witness against the accused person.

Identically, we suggest a testimony-based protocol to isolate a detected node. Upon a detection, the detector informs nodes in its neighborhood about the dropper (the accused), and asks for witnesses by broadcasting a WREQ (Witness REQuest) packet. It also puts the detected node in a special set of nodes we call the suspicious set. Each node receiving the WREQ immediately sends a signed WREP (Witness REPly) packet to the accuser in the following two cases:
• if its suspicious set includes the accused
• if the accused's misbehaving expectation is close to $E_{max}$ and/or the number of control packets detected dropped is close to the configured maximum threshold

Otherwise, when it does not have enough experience with the accused, and if it is its neighbor, it asks the successor of the accused node whether it has received packets forwarded from the latter, by sending an ACREQ (ACcusation REQuest) packet using a route that does not include the accused. But first, in order to avoid false accusations, the investigator should ensure that the accuser has really sent a packet to the accused to be forwarded to the appropriate successor. One possible way to do this is to check whether such a packet has been recently overheard using the promiscuous mode. The node should also check whether the accused has sent the accuser an ACK just after overhearing the data, to ensure that it has really received the packet and that the accuser is not impressing it, as will be illustrated later. Note that unlike the watchdog, the information provided by the promiscuous mode is not used for the monitoring, but only for testifying, aiming at improving efficiency on detections.

If the accused's successor has not recently received any packet forwarded from the accused, it sends a signed ACREP (ACcusation REPly) packet to the investigator, then the latter testifies to the accusation and sends the accuser a signed WREP (Witness REPly) packet. When the detector collects k validations from its neighbors, with at least one provided by direct experience (without asking the successor of the accused), it broadcasts in the network an accusation packet (AC) containing the signatures of all validating nodes. The requirement of at least one direct witness will be argued later. Each node receiving such a valid accusation isolates the guilty node. Otherwise, if the detector fails to collect k validations it does not isolate the detected node, but keeps it in the suspicious set.

III. ANALYSIS

Getting rid of the promiscuous-mode-based monitoring makes our monitoring solution independent of transmission powers, and resolves the watchdog false detection problem related to the employment of the power-control technique. Moreover, our solution resolves some of the watchdog's problems related to collisions.

If we assume the average path length is H hops, the average communication complexity of our monitoring technique for n packets is $O(\frac{1+p_{trust}}{2} \times (H-1) \times n)$ two-hop ACK transmissions; it converges to $O(p_{trust} \times (H-1) \times n)$ when all nodes on the route behave well. This reduces the communication complexity of the ordinary two-hop ACK (our first monitoring solution), which is $O((H-1) \times n)$. That is by a factor of $1/P_{trust}$.

Now, we discuss the efficiency in detection of the random two-hop ACK vs. the ordinary two-hop ACK. We assume that there is no packet loss. Later in our simulation study we will investigate more realistic scenarios with mobility and collusion. Like in the Bayesian judgment, we suppose that the monitored node misbehaves (drops the packet) with a probability θ, i.e. the behavior of the node for each packet follows a Bernoulli distribution with parameter θ. Monitoring n packets could be considered as simply the repetition of the previous operation (monitoring one packet) n times. Therefore, the number of packets dropped (pdr) for n packets is a random variable that is the sum of n random variables which follow a Bernoulli distribution with parameter θ, and thus follows a Binomial distribution with expectation: E(pdr) = θ × n.

Theoretically, the ordinary two-hop ACK detects all of these packets (when the assumption of no packet loss holds). The purpose now is to assess the number of packets dropped and detected (pd) by the random two-hop ACK, i.e. E(pd).

The probability of requesting an ACK is continuously updated; it differs from one operation (monitoring one packet) to another according to the result of the previous operation and the previous behavior.

We denote the algorithm's probability of requesting an ACK for a packet i (the value of p set by the algorithm for the packet i, which is a random variable) by $P_i$. Consequently, the real probability (in the execution) of asking for an ACK for packet i + 1 would be expressed by $E(P_i)$. $P_i$ is fixed to 1 if in the previous operation the packet was dropped and
detected, that is with the probability $\theta \times E(P_{i-1})$, since the events dropping the ith packet and requesting ACK for the (i − 1)th packet are independent. (Footnote 2: the probability of detection is the probability of asking an ACK in the (i − 1)th operation.) Otherwise, it is fixed to $P_{trust}$, i.e. with probability $1 - \theta \times E(P_{i-1})$. Therefore, the mathematical expectation of $P_i$ could be expressed by: $1 \times \theta E(P_{i-1}) + P_{trust}(1 - \theta E(P_{i-1}))$. Hence:

$$E(P_i) = P_{trust} + \theta(1 - P_{trust})E(P_{i-1}) \qquad (1)$$

The number of packets detected by the random strategy (pd) also follows a Binomial distribution, since it is the result of repeating a Bernoulli operation n times with parameter $\theta \times P_i$, but the only difference from the continuous requesting is that in this latter strategy $P_i$ is not constant. We have:

$$E(pd) = \sum_{i=1}^{n} E(\theta P_i) = \theta \sum_{i=1}^{n} E(P_i) \qquad (2)$$

Note that $P_1 = 1$.

Lemma 1: $\forall i \geq 1$,

$$E(P_i) = \theta^{i-1}(1 - P_{trust})^{i} + P_{trust}\sum_{j=0}^{i-1}\theta^{j}(1 - P_{trust})^{j}$$

Proof:
We prove this lemma by recurrence on i.
For i = 1, we simply replace i by 1 in the formula, then we get $E(P_1) = 1$, which is correct.
Now assume the formula holds for i − 1; we will prove it for i. Hence by assumption:

$$E(P_{i-1}) = \theta^{i-2}(1 - P_{trust})^{i-1} + P_{trust}\sum_{j=0}^{i-2}\theta^{j}(1 - P_{trust})^{j}$$

By replacing this expression of $E(P_{i-1})$ in (1) we obtain:

$$E(P_i) = P_{trust} + \theta(1 - P_{trust}) \times \Big(\theta^{i-2}(1 - P_{trust})^{i-1} + P_{trust}\sum_{j=0}^{i-2}\theta^{j}(1 - P_{trust})^{j}\Big)$$
$$= P_{trust} + \theta^{i-1}(1 - P_{trust})^{i} + P_{trust}\sum_{j=1}^{i-1}\theta^{j}(1 - P_{trust})^{j}$$
$$= \theta^{i-1}(1 - P_{trust})^{i} + P_{trust}\Big(1 + \sum_{j=1}^{i-1}\theta^{j}(1 - P_{trust})^{j}\Big).$$

Since $\theta^{0}(1 - P_{trust})^{0} = 1$, we conclude:

$$E(P_i) = \theta^{i-1}(1 - P_{trust})^{i} + P_{trust}\sum_{j=0}^{i-1}\theta^{j}(1 - P_{trust})^{j} \qquad \blacksquare$$

Using this lemma, formula (2) could be developed into:

$$E(pd) = \frac{\theta P_{trust}}{1 - \theta(1 - P_{trust})} \times n + \theta(1 - P_{trust})\,\frac{1 - \theta^{n}(1 - P_{trust})^{n}}{1 - \theta(1 - P_{trust})} \times \Big(1 - \frac{\theta P_{trust}}{1 - \theta(1 - P_{trust})}\Big) \qquad (3)$$

The steps of simplification are removed due to space limitation.

This probability depends on many parameters; we will try to investigate it vs. some usual values of $P_{trust}$.
For $P_{trust} = 1/4$, $E(pd) \approx \frac{\theta}{4 - 3\theta} \times n$,
for $P_{trust} = 1/2$, $E(pd) \approx \frac{\theta}{2 - \theta} \times n$,
and finally, for $P_{trust} = 3/4$: $E(pd) \approx \frac{3\theta}{4 - \theta} \times n$.

[Fig. 1. Detection Ratio. Detection ratio (y axis) vs. Theta (x axis), with curves for Ptrust = 1/4, 1/2 and 3/4.]

Figure 1 illustrates the approximated detection ratio according to θ. By detection ratio we mean E(pd)/E(pdr). $P_{trust} = 0.5$ strikes a balance between efficiency and cost. It decreases the complexity overhead by as much as half, while keeping the detection ratio good enough, contrary to $P_{trust} = 0.25$, which has too low values for low and average misbehaving, and to $P_{trust} = 0.75$, which does not reduce the overhead enough. Thus, we fix $P_{trust} = 0.5$ later in our simulation study.

As illustrated, authentication of the two-hop ACK packet is ensured by employing encryption/decryption operations on the random number generated by the monitor and piggybacked on the monitored packet. For this, we propose to use the ECC encryption algorithm [9], which is more time-efficient than the standard RSA. The encryption time completely depends on the computation power of nodes and the length of keys. Anyway, our encryption operations have minor impact, since they are applied merely to the random number and not to the whole packet holding it.

Because a packet dropping might be unintentional due to node mobility and channel conditions, accusation should not be made upon one dropping detection, but more observations must be noted. We have proposed a Bayesian approach to make such a judgment, where each node estimates each other's misbehavior with a probability that follows a Beta(a, b) distribution, whose parameters (a, b) are updated as observations are made. When enough observations with regard to a given monitored node are collected such that the judgment point is reached, the monitoring node will accuse the monitored one as soon as the estimated probability (E(Beta(a, b))) exceeds the configured maximum tolerance, i.e. $E(Beta(a, b)) > E_{max}$.

$$E(Beta(a, b)) > E_{max} \iff \frac{a}{a + b} > E_{max} \iff a > \frac{b \cdot E_{max}}{1 - E_{max}}$$

This latter ($\frac{b \cdot E_{max}}{1 - E_{max}}$) represents the tolerable number of packets, which is proportional to b, the number of packets forwarded. The more packets the node forwards, the more its tolerable threshold increases.
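The request rule of Section II-A, the Beta update of Section II-B, and recurrence (1), Lemma 1 and formula (3) can be checked against each other numerically. The following Python code is an added example, not code from the paper; the decision point of 50 observations, the 64-bit number, the function names, and the modelling of encryption as "B cannot read or reproduce the number" are assumptions made here.

```python
import random

def request_prob_recurrence(theta, p_trust, n):
    """E(P_1)..E(P_n) from recurrence (1), with P_1 = 1."""
    probs = [1.0]
    for _ in range(n - 1):
        probs.append(p_trust + theta * (1 - p_trust) * probs[-1])
    return probs

def request_prob_lemma(theta, p_trust, i):
    """E(P_i) in the closed form of Lemma 1."""
    q = theta * (1 - p_trust)
    return theta ** (i - 1) * (1 - p_trust) ** i + p_trust * sum(q ** j for j in range(i))

def expected_detected(theta, p_trust, n):
    """E(pd) from formula (3)."""
    q = theta * (1 - p_trust)
    steady = theta * p_trust / (1 - q)
    return steady * n + theta * (1 - p_trust) * (1 - q ** n) / (1 - q) * (1 - steady)

def min_accusable_theta(p_trust, e_max):
    """Drop rate above which the long-run observed rate theta*P/(1 - theta*(1 - P))
    exceeds e_max. Derived here from the leading term of (3); not stated in the paper."""
    return e_max / (p_trust + e_max * (1 - p_trust))

class Monitor:
    """Node A watching its successor B."""

    def __init__(self, p_trust, e_max=0.5, decision_point=50, rng=None):
        self.p_trust, self.e_max = p_trust, e_max
        self.decision_point = decision_point  # assumed value; the paper gives none
        self.rng = rng or random.Random()
        self.p = 1.0           # probability of asking for an ACK, initially 1
        self.a, self.b = 1, 1  # Beta(1,1): uniform prior on theta
        self.detected = 0

    def new_number(self):
        """Random number whose parity hides the decision: even = ACK asked."""
        ask = self.rng.random() < self.p
        return (self.rng.getrandbits(63) << 1) | (0 if ask else 1)

    def observe(self, number, ack):
        """ack is the number carried by the two-hop ACK, or None after a timeout."""
        asked = number % 2 == 0
        dropped = asked and ack != number  # missing or falsified two-hop ACK
        if asked:
            self.p = 1.0 if dropped else self.p_trust
        self.a += int(dropped)      # a = a + u
        self.b += 1 - int(dropped)  # b = b + 1 - u; an unasked packet counts as non-dropping
        self.detected += int(dropped)

    def expectation(self):
        return self.a / (self.a + self.b)  # E(Beta(a, b))

    def tolerable_drops(self):
        return self.b * self.e_max / (1 - self.e_max)

    def accuses(self):
        return self.a + self.b >= self.decision_point and self.expectation() > self.e_max

def simulate(theta, p_trust, n, seed=1, forge=False):
    """B drops each packet with probability theta and, if forge is set, answers
    with a guessed number. An honest C echoes the number when the ACK was asked."""
    rng = random.Random(seed)
    mon = Monitor(p_trust, rng=rng)
    for _ in range(n):
        number = mon.new_number()
        if rng.random() < theta:
            ack = rng.getrandbits(64) if forge else None
        else:
            ack = number if number % 2 == 0 else None
        mon.observe(number, ack)
    return mon

if __name__ == "__main__":
    for theta in (0.2, 0.6, 0.9):
        m = simulate(theta, 0.5, 20000)
        print(theta, m.detected, round(expected_detected(theta, 0.5, 20000)), m.accuses())
```

Because unasked packets count as non-dropping, the monitor's estimate tracks the detected rate rather than θ itself; with the assumed values P_trust = 0.5 and E_max = 0.5, `min_accusable_theta` returns 2/3.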
Forwarding packets after unintentional or intentional droppings that do not result in accusation would decrease E, which allows redemption before accusation. This redemption would not be possible when setting the tolerable threshold to a fixed number of packets.

Note that the strategy of dropping up to the tolerable threshold is not efficient for an attacker, since it cannot know whether and how much the monitor will notice false observations due to channel conditions or node mobility.

Upon the detection of a misbehaving node, the detector launches locally in its neighborhood a call for witnesses using a broadcast control packet. This costs only one transmission. Neighbors that consider the accused as suspicious, or those that are monitoring the accused node and whose misbehaving estimations against it are close to the tolerable threshold, testify against it by sending the requestor a signed reply packet. Those which do not have enough experience with the accused investigate this accusation and ask the accused's successor whether it has recently received packets from the accused. But first, they ensure that the accuser really sent the packet to the accused to forward to the claimed successor. To do this they must be neighbors of the accused, otherwise they do not testify. The following example illustrates and analyzes the investigation:

Assume three aligned nodes A, B and C, and another node D in A's range, as illustrated in figure 2. When A accuses B of not forwarding packets to C and sends a call for witnesses, D investigates the issue. But before asking C it ensures that A has really sent the packet and B has received it, by checking the data packet and ACK overheard. If it has recently received the data packet, D still could not be sure that B has received it. For instance, if D is closer to A than B, A (attempting a DoS attack against B) could send the packet with a power strong enough to be overheard by D, but not by B. Requiring the ACK reception from B just after the data ensures that B has really received the data from A. (Footnote 3: the source of this ACK should be authenticated at the MAC level, to prevent spoofing MAC addresses.) To do this, D simply safeguards the overheard packets (their headers) during a short period. This way, a node that asks the accused's successor has no doubt that the accused has received a data packet to forward to the successor in question. Any collision at D prevents it from testifying, but has no effect on false detections.

[Fig. 2. Example of a nodes' connections]

Upon the reception of the ACREQ, the asked node (C) replies with a signed ACREP packet if it has not received any packet from B. A coincidental collision at C at that moment, however, would result in a false reply if A is attempting a DoS attack, and then in a false testimony. Nevertheless, the requirement of at least one direct testimony (provided from a direct experience) mitigates wrong accusations caused by this kind of false testimony.

The signature of the packets prevents their spoofing, thus no node could testify using the ID of another.

The accuser has to collect k different signatures to approve its accusation. Theoretically, k − 1 is the maximum number of misbehaving nodes that could exist at any time. In practice, however, it is hard to determine such a number, so it should be fixed to strike a balance between efficiency and robustness. Setting k to a high value increases the robustness of the protocol against false detections and rumors, but decreases its efficiency regarding true detections. On the other hand, a low value of k allows high detections, but opens the vulnerability to rumors and increases the unintentional false detections (false positives), since k nodes could collude to maliciously accuse any node, or could wrongly accuse it. This issue related to k will be investigated later in our simulations.

Once the accuser collects k valid signatures, it broadcasts an accusation packet including all signatures through the network to isolate the guilty node. This broadcast is costly, but it is not performed until a node is detected and approved as misbehaving. Except for monitoring, our solution requires no overhead as long as nodes behave well, as no opinions are exchanged periodically. This makes our solution reactive, unlike the current reputation-based solutions [1]. Regarding monitoring, the randomization of the two-hop ACK dramatically reduces the overhead, as will be shown in the following section. Also, the inclusion of the two-hop ACK in the ordinary ACK for each first hop reduces the number of two-hop ACK packets by as much as half compared with a separate transmission on each hop.

IV. SIMULATION-BASED ASSESSMENT

To assess the performance of our solution in a mobile environment, we have conducted a GloMoSim-based [10] simulation study that we present hereafter.

We have simulated a network of 50 nodes, located in an area of 1500 × 1000 m², where they move following the random way-point model during the 900 seconds of simulation time. To generate traffic, we used three CBR sessions between remote nodes; each session consists of continually sending a 512-byte data packet each second. On each hop, each data packet is transmitted using a controlled power according to the distance between the transmitter and the receiver. In these conditions we observed many link changes and collisions.

First, we observed that our monitoring approach dramatically improves the detection rate compared to the watchdog, i.e. decreases the false detections and increases the true detections. We also observed that the random version reduces the overhead while keeping the efficiency close to that of the ordinary two-hop ACK. Figure 3 shows the false detection rate of the two versions of our monitoring approach and the watchdog vs. the rate of misbehaving nodes. Figures regarding the true detection and the overhead are omitted because of space limitation.

To investigate the impact of the parameter k (the required
number of witnesses) we compare two versions, respectively denoted by one witness and two witness (the first with k = 1 while the second with k = 2).

[Fig. 3. False detection vs. Misbehaving rate. False detection rate (y axis) vs. misbehaving nodes rate (x axis), with curves for 2HopACK, Random2HopACK and WD.]

As illustrated in figures 4 and 5, two witness considerably improves (decreases) the false positive rate, but loses a little on the true positive rate compared with one witness, especially when the misbehaving rate exceeds 10%.

[Fig. 4. True detection vs. Misbehaving rate. True positive rate (y axis) vs. misbehaving monitored nodes rate (x axis), with curves for 2Witness and 1Witness.]

[Fig. 5. False detection vs. Misbehaving rate. False positive rate (y axis) vs. misbehaving monitored nodes rate (x axis), with curves for 2Witness and 1Witness.]

False detections in our scenarios are due to node mobility and collisions. The one-witness version has unacceptable values with respect to this metric, particularly when the misbehaving rate is low. Two-witness mitigates this shortcoming, and also cuts down the vulnerability to collusive false accusation attacks compared with one-witness, since more than two nodes have to collude to isolate a node.

The parameter k could be increased to be less tolerant of false detections and false accusation attacks, but should depend on node connectivity so as not to lose efficiency on detections. In networks with low connectivity, it should not be increased much, because this would prevent nodes from finding witnesses, and consequently reduce the detection efficiency.

V. CONCLUSION

In this work we have proposed a solution to monitor and safely isolate malicious nodes that drop packets in MANET. Instead of relying on the promiscuous monitoring (the watchdog) used by all the current solutions, our monitor is based on an efficient technique (namely random two-hop ACK) that gets over the watchdog's limitations. Simulation results also show that the random requesting reduces the overhead, while keeping the efficiency on detection good enough. After detection, we proposed a testimony-based protocol that forces the detector to collect at least k witnesses before isolating the detected node. Fixing k is a trade-off problem: high values mitigate rumors aiming at DoS attacks as well as false detections (especially for control packets, with which we have been more severe), but reduce the efficiency on detections, contrary to low values. In our simulation, the protocol with two witnesses showed considerable improvement regarding false accusation while keeping the true detection good enough. This parameter could be raised to ensure more robustness, but should depend on the connectivity to keep efficiency.

In this proposal we have focused on data packets. As a perspective, we plan to complete the solution to deal with selfish misbehavior. Contrary to an attacker, a selfish dropper is not interested in dropping only data packets, but also control packets, to exclude itself from routes. We especially aim at proposing solutions for control packets.

REFERENCES

[1] D. Djenouri, L. Khalladi, and N. Badache, "A survey of security issues in mobile ad hoc and sensor networks," IEEE Communications Surveys and Tutorials, vol. 7, no. 4, pp. 2–28, 2005.
[2] Y.-C. Hu and A. Perrig, "A survey of secure wireless ad hoc routing," IEEE Security and Privacy, vol. 2, no. 3, pp. 28–39, 2004.
[3] D. Djenouri and N. Badache, "New power-aware routing for mobile ad hoc networks," The International Journal of Ad Hoc and Ubiquitous Computing (Inderscience), vol. 1, no. 3, 2005.
[4] S. Buchegger and J.-Y. Le-Boudec, "A robust reputation system for p2p and mobile ad-hoc networks," in Second Workshop on the Economics of Peer-to-Peer Systems, Berkeley, CA, USA, June 2004.
[5] P. Michiardi and R. Molva, "CORE: A collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks," in Communication and Multimedia Security Conference, Portoroz, Slovenia, September 26-27 2002.
[6] B. David and A. David, "Dynamic source routing in ad hoc wireless networks," in Mobile Computing. Kluwer Academic, 1996, vol. 353, pp. 153–181.
[7] S. Capkun, L. Buttyan, and J.-P. Hubaux, "Self-organized public-key management for mobile ad hoc networks," IEEE Transactions on Mobile Computing, vol. 2, no. 1, pp. 52–64, January 2003.
[8] A. Davison, Bayesian Models, Chapter 11 in Manuscript. Springer, 2000.
[9] V. Miller and N. Koblitz, "Elliptic curve cryptosystems," Mathematics of Computation, pp. 203–209, 1985.
[10] X. Zeng, R. Bagrodia, and M. Gerla, "Glomosim: A library for the parallel simulation of large-scale wireless networks," in The 12th Workshop on Parallel and Distributed Simulation, PADS'98, Banff, Alberta, Canada, May 1998, pp. 154–161.
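The acceptance test a node could apply to a received accusation packet in the isolation protocol (k distinct signed testimonies, at least one from direct experience) is shown below as an added example that is not part of the paper. The WREP field layout, the `direct` flag, the exclusion of the accuser and the accused as witnesses, and the use of HMAC with constructed keys in place of the public-key signatures the paper assumes are all assumptions of this example.

```python
import hashlib
import hmac

# Constructed demo keys. HMAC stands in for public-key signatures; the verifier
# is assumed here to hold every node's key, which a real deployment would not do.
NODE_KEYS = {n: hashlib.sha256(b"demo-key-" + n.encode()).digest() for n in "ABCDEF"}

def wrep_bytes(accuser, accused, witness, direct):
    """Fields covered by the signature (this layout is an assumption)."""
    return f"WREP|{accuser}|{accused}|{witness}|{int(direct)}".encode()

def sign_wrep(witness, accuser, accused, direct):
    """Build a Witness REPly. direct=True means first-hand experience; False means
    the witness asked the accused's successor (ACREQ/ACREP) before testifying."""
    sig = hmac.new(NODE_KEYS[witness], wrep_bytes(accuser, accused, witness, direct),
                   hashlib.sha256).hexdigest()
    return {"witness": witness, "accuser": accuser, "accused": accused,
            "direct": direct, "sig": sig}

def wrep_is_valid(wrep, accuser, accused):
    """Check that the testimony is signed by its witness for this accusation."""
    key = NODE_KEYS.get(wrep["witness"])
    if key is None or wrep["witness"] in (accuser, accused):
        return False
    if (wrep["accuser"], wrep["accused"]) != (accuser, accused):
        return False  # testimony collected for a different accusation
    expected = hmac.new(key, wrep_bytes(accuser, accused, wrep["witness"], wrep["direct"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, wrep["sig"])

def check_accusation(ac, k):
    """Decide whether a received accusation packet (AC) justifies isolation."""
    direct_by_witness = {}
    for wrep in ac["wreps"]:
        if wrep_is_valid(wrep, ac["accuser"], ac["accused"]):
            w = wrep["witness"]  # several replies from one witness count once
            direct_by_witness[w] = direct_by_witness.get(w, False) or bool(wrep["direct"])
    if len(direct_by_witness) < k:
        return False, "fewer than k distinct valid witnesses"
    if not any(direct_by_witness.values()):
        return False, "no direct witness"
    return True, "isolate " + ac["accused"]

if __name__ == "__main__":
    d = sign_wrep("D", "A", "B", direct=True)
    e = sign_wrep("E", "A", "B", direct=False)
    print(check_accusation({"accuser": "A", "accused": "B", "wreps": [d, e]}, k=2))
    print(check_accusation({"accuser": "A", "accused": "B", "wreps": [d, d]}, k=2))
```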
