A distributed sinkhole detection method using cluster analysis


Expert Systems with Applications 37 (2010) 8486–8491


Woochul Shim *, Gisung Kim, Sehun Kim

Department of Industrial and Systems Engineering, Korea Advanced Institute of Science and Technology, 373-1, Guseong-Dong, Yuseong-Gu, Daejeon 305-701, South Korea

Keywords: MANET; Sinkhole; Cluster analysis; Features; Distributed detection; DSR

Abstract

In recent years, the popularity of wireless devices has grown dramatically. Mobile ad hoc networks (MANETs) are considered to be vitally important for wireless communication. However, the dynamic nature of MANETs makes their routing protocols vulnerable to attacks. In this paper, we focus on sinkhole attacks, which are representative of routing-disruption attacks. First, we analyze sinkhole attacks under the dynamic source routing protocol. Unlike wired networks, where routing-disruption attacks can be prevented through authentication mechanisms, applying authentication techniques in wireless networks is nontrivial: the lack of centralization hampers the management of authentication support. We then use a data mining technique, cluster analysis, to develop a sinkhole attack detection method for wireless networks. Cluster analysis of route request packets does not require any centralized infrastructure. Robust features for detecting sinkhole attacks in a distributed manner are suggested. Simulation shows excellent classification performance and successful distributed detection. © 2010 Elsevier Ltd. All rights reserved.

1. Introduction

Ad hoc networks are popular for wireless applications and are used in many situations, including disaster relief, rescue operations, personal area networking, and a variety of military, business, and scientific applications. Mobile ad hoc networks (MANETs), which feature self-configuration, self-maintenance, and quick and inexpensive deployment, are collections of mobile nodes that rely on each other to deliver packets and extend the limited transmission ranges inherent in mobile nodes. MANETs typically do not use centralized equipment, such as fixed routers and routing backbones, and there are no wired connections. Therefore, nodes can only communicate directly with other nodes within their transmission range. Cooperation amongst intermediate nodes is required for nodes to forward packets to nodes outside their transmission range. Hence, nodes must act as hosts and routers simultaneously. Furthermore, MANET nodes can join or leave networks freely; thus, network topologies are dynamic. Note that since wireless communication uses an open transmission medium, monitoring is relatively simple. Additionally, the lack of a centralized and coordinated suspicious-packet filtering infrastructure presents serious security issues for MANETs. MANETs are thus particularly vulnerable to attacks. Attacks on MANETs can be categorized in many ways, and several types of attacks have been categorized into two main groups:

* Corresponding author. Address: #4218, Industrial and Systems Engineering, KAIST, 373-1, Yuseong-gu, Guseong-dong, South Korea. Tel.: +82 42 350 2954; fax: +82 42 350 3110. E-mail address: [email protected] (W. Shim). 0957-4174/$ - see front matter © 2010 Elsevier Ltd. All rights reserved. doi:10.1016/j.eswa.2010.05.028

active and passive (Burg, 2003). Active attacks intentionally modify data with the intent of overloading the network, disrupting operations, or cutting off some nodes in the network. To execute active attacks, the attacker must be a member of the network and must be able to communicate with other nodes in the network. On the other hand, passive attacks do not involve any disruption of service: they steal information and eavesdrop on communications within the network. This paper focuses on 'sinkhole attacks', which are representative of active routing-disruption attacks. Here, the attacker attempts to deceive a routing path in such a way that legitimate data packets are misrouted. After a sinkhole attack, the attacker can gather most of the data packets in the network. Sinkhole attacks can thus be combined with other, more serious attacks that exploit the data packets thus collected. Moreover, if the sinkhole attacker does not take any subsequent malicious action, such as dropping or modifying packets, the attack is more difficult to detect. Sinkhole attacks can be implemented on specific routing protocols, such as dynamic source routing (DSR) (Johnson, 2007, chap. 5) and ad hoc on-demand distance vector (AODV) routing (Perkins, 2003), among others. In wired networks, routing-disruption attacks are hampered by authentication mechanisms. However, in MANETs, such authentication mechanisms are difficult to employ since there is no centralized administrator for key management. Since cluster analysis on control packets does not require any centralized infrastructure and is able to discriminate false route requests (RREQs) from normal RREQs, cluster analysis is adopted in this paper to detect sinkhole attacks. The objective of this study is to identify cluster analysis indicators useful for distributed detection of sinkhole attacks. The entropy concept was used to analyze the RREQ packets received at each node. The main contribution of this paper is to suggest fully decentralized features that are robust under various types of sinkhole attack, obtained by analyzing sinkhole attacks thoroughly. The remainder of this paper is organized as follows. In Section 2, we briefly explain sinkhole attacks and their variations. Related work is presented in Section 3. The proposed method is presented in Section 4. Simulations are presented in Section 5. Finally, we conclude and suggest future work in Section 6.

2. Sinkhole attacks on DSR

In this section, sinkhole attacks are explained in the context of the DSR protocol. Here, a node must search its route cache for an available route to the destination before it can send a packet. If no such route is found, the node broadcasts an RREQ, which consists of (source id, destination id, sequence number, source route), to find a route. When an intermediate node receives an RREQ, it searches its route cache for an available route to the destination. If it finds one, it sends a route reply packet (RREP), which contains route information from the source to the destination, back to the source. Otherwise, the node appends its id to the source route in the RREQ and rebroadcasts it. Through this route-discovery process, nodes learn source routes from received RREQs and RREPs. The sequence number contained in an RREQ indicates its freshness. It is used to prevent loop formation and to avoid multiple transmissions of the same RREQ. Every time a node broadcasts an RREQ, it increases its sequence number by one; higher sequence numbers represent more recent RREQs. Accordingly, when receiving an RREQ, a node compares the sequence number of the RREQ to the previous sequence numbers seen from the RREQ's source and determines whether to admit or ignore the RREQ. Sinkhole attacks make use of this RREQ route-discovery process, which is based on sequence number increments. A sinkhole node observes RREQs from other nodes and records the source id and the sequence number of each. The sinkhole node uses that information to generate a false RREQ whose sequence number is set higher than the original sequence number of the target node. The sinkhole node then broadcasts the false RREQs to the network with rotating target nodes. All nodes that receive these false RREQs learn forged routes and use the fake information for data communication (Chris Tseng & Jack Culpepper, 2005). Fig. 1 shows a sinkhole attack process in the DSR protocol. The false RREQ is composed of (source id: 3, destination id: 2, sequence number: 50, source route: [3, 0]). The dotted arrows indicate the propagation of the false RREQ, and the solid arrows indicate the corresponding RREP. The broken arrow from node 3 signifies an RREQ originating from node 3. However, node 2 ignores this RREQ because node 2 already holds the (false) RREQ, which has the same source and a higher sequence number. In brief, various types of sinkhole attacks can be implemented in different ways. An attacker can fix or change a false sequence number or insert several nodes into a false RREQ's source route (for example [3, 5, 4, 0] instead of [3, 0]). Moreover, the attacker can adjust the frequency at which false RREQs are generated.

3. Related works

As discussed in Section 2, sinkhole attacks are performed by generating and broadcasting false RREQs containing arbitrary source and destination addresses and a forged path. The gist of the sinkhole attack is that an attacker propagates false route information to its neighbors. The neighbors then believe that a received false RREQ originated from the node recorded as its source, although the real source of the false RREQ is the attacker. Therefore, the best and quickest way to detect sinkhole attacks is to discriminate between legitimate and falsely generated RREQs. In wired networks, the above attack can be prevented using authentication techniques such as RSA (Rivest et al., 1978). However, wireless networks, especially MANETs, lack a centralized administration to manage authentication keys. Hence, it is difficult to apply the authentication techniques typically used in wired networks to wireless networks. Although several studies have proposed authentication algorithms for MANETs (Capkun et al., 2003; Lou & Lu, 2001; Sankar, 2003), they are hard to implement because of remaining problems such as heavy computational requirements and the lack of infrastructure to support certificates. To the best of our knowledge, only a few sinkhole attack detection methods for MANETs exist. Chris Tseng and Jack Culpepper (2005) introduced sinkhole intrusion in MANETs and suggested two detection indicators, 'route-add ratio' and 'sequence number discontinuity', together with a threshold-based detection rule. The first indicator, 'route-add ratio', is the proportion of routes that traverse a particular node among the routes added to this node's routing table. However, nodes positioned near the center of the network topology face an equivocal situation, because such nodes necessarily have a high route-add ratio even when they are not attackers. Also note that 'sequence number discontinuity' is of no use in detecting attacks when an intelligent sinkhole attacker increments the sequence numbers just enough to avoid the frequent-broadcasting detection rule. Therefore, in this paper, cluster analysis is introduced to address the existing limitations of authentication techniques. Also, through a novel selection of features computed in a distributed manner, cluster analysis enables robust detection of various types of sinkhole attacks across network topologies.

4. Proposed method

In Section 3, related work and the reasons for employing cluster analysis were discussed. This section explains a distributed detection approach for robust sensing of sinkhole attacks. By considering the characteristics of sinkhole attacks, features that make it possible to sense sinkhole attacks and to distinguish false RREQs from normal RREQs are introduced.

4.1. Characteristics of proper features for MANETs

Fig. 1. The sinkhole attack process in DSR.

Novel and robust features for detecting sinkhole attacks can be derived from in-depth analyses of sinkhole attacks and the characteristics of MANETs. Similar approaches against distributed denial of service (DDoS) attacks in wired networks have been proposed (Lee et al., 2008). In wired networks, centralized administration (routers) serves, in part, to collect packets for inspection. In detail, it is possible to inspect all packets in the network by examining the packets passing through routers at predetermined periods or whenever packets are received. However, in MANETs, there is no centralized administration. Mechanisms that influence the detection rate and the selection of features must be set up to inspect packets. Here, if an arbitrary node inspects passing packets, it is impossible to recognize attacks or symptoms of attacks throughout the entire network, since an arbitrary node is only aware of its neighboring environment. Even if all network nodes exchange local information with each other, the information is still incomplete because exchanged information can be modified or lost through intermediate malicious nodes. Note that we have not even considered the enormous energy requirements of such global exchanges. Therefore, features often employed in wired networks cannot, in general, be utilized in wireless networks. It is therefore worthwhile to investigate which features can be employed in wireless networks to detect sinkhole attacks accurately.

4.2. Selection of the features

By considering sinkhole attacks and the proper characteristics of features, suitable features for detecting sinkhole attacks in MANETs are described as follows. First, the features should be able to identify the existence of attacks without exchanging information amongst nodes. Second, the features should be able to detect sinkhole attacks immediately and in a robust manner. In order to meet the above requirements, each node should act as a detector, and the information used should be limited to the RREQs received at each node.
Also, detection algorithms should begin execution at the moment RREQs arrive because sinkhole attacks begin by broadcasting false RREQs. Considering the above requirements, the proposed features are as follows:

1. RREQ drop ratio for low sequence numbers.
2. RREQ drop ratio for same sequence numbers.
3. Sequence number.
4. Degree of source divergence.
5. Degree of destination divergence.

According to the DSR protocol, there are several reasons for dropping received RREQs: node queues are full, the time to live has expired, an RREQ is received whose sequence number is not greater than the current one from the same source, or the source route field is full. A final reason for dropping an RREQ is that the node itself is already a member of the received RREQ's route path (Johnson et al., 2001, chap. 5). In the absence of sinkhole attacks, the primary reason for dropping received RREQs is receipt of an RREQ with the same sequence number from the same source. In contrast, in the presence of sinkhole attacks, nodes that have received false RREQs with an abnormally high sequence number will also drop the subsequent normal RREQs with lower sequence numbers from the same source, which results in continual dropping of received RREQs. For these reasons, the 'RREQ drop ratios for low/same sequence numbers' are adequate features to discriminate between normal and attacked states. 'Sequence number discontinuity' was utilized as a detection indicator in the work of Chris Tseng and Jack Culpepper (2005). A critical success factor for sinkhole attacks is that the malicious RREQ packets have sequence numbers far in excess of those of normal RREQ packets. Therefore, the 'sequence number' itself can be an important clue signaling sinkhole attacks.

Looking closely at how sinkhole attacks succeed, an attacker generates false RREQs (altering the source and destination pair) in order to funnel most network traffic to itself. For this reason, under sinkhole attacks, the divergence of sources and destinations is expected to be greater than in normal network operation. Thus a metric for differences in the divergence of sources and destinations is needed, and the 'degree of divergence of source/destination' is therefore capable of discovering sinkhole attacks. In order to measure this degree of divergence, we adopt the concept of entropy (Feinstein, 2003). Let an information source have n independent symbols, each with occurrence probability P_i. Entropy H is then defined as follows (Shannon & Weaver, 1963):

$$H = -\sum_{i=1}^{n} P_i \log_2 P_i .$$
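The following Python is added here as an illustration and is not code from Shim et al. It computes the five features of Section 4.2 at a single node: it applies the DSR sequence-number admission rule of Section 2 to decide whether each received RREQ is admitted or dropped for a lower or for the same sequence number, and evaluates the entropy formula above over the sources and destinations of the most recently received RREQs. The RREQ streams, the window of 20 packets for the entropy, the node ids and the forged destinations are constructed assumptions; the paper does not state how many consecutive RREQs its entropy is computed over.

```python
"""Per-node feature extraction for sinkhole detection on DSR route requests.

Added example, not code from Shim et al. It implements the five features of
Section 4.2 (drop ratios for low/same sequence numbers, sequence number,
entropy of source, entropy of destination) over the RREQs one node receives,
using the DSR sequence-number admission rule described in Section 2.
The RREQ streams below are constructed sample data, not simulator output.
"""
from collections import Counter
from dataclasses import dataclass, field
import math


@dataclass(frozen=True)
class RREQ:
    src: int          # source id carried in the packet
    dst: int          # destination id
    seq: int          # sequence number
    route: tuple      # source route accumulated so far


def entropy(counts):
    """Shannon entropy H = -sum_i P_i log2 P_i over a mapping symbol -> count."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)


@dataclass
class NodeDetector:
    node_id: int
    window: int = 20                                   # assumption: entropy over last 20 RREQs
    last_seq: dict = field(default_factory=dict)       # highest admitted seq per source
    received: int = 0
    dropped_low: int = 0
    dropped_same: int = 0
    recent_src: list = field(default_factory=list)
    recent_dst: list = field(default_factory=list)

    def receive(self, rreq):
        """Apply the DSR sequence-number rule to one RREQ and return the feature
        vector recorded for it: (drop ratio for low seq, drop ratio for same seq,
        sequence number, entropy of source, entropy of destination)."""
        self.received += 1
        prev = self.last_seq.get(rreq.src)
        if prev is not None and rreq.seq < prev:
            self.dropped_low += 1        # older than what we already hold for this source
        elif prev is not None and rreq.seq == prev:
            self.dropped_same += 1       # duplicate heard via another neighbour
        else:
            self.last_seq[rreq.src] = rreq.seq   # admitted (DSR would rebroadcast it)
        self.recent_src.append(rreq.src)
        self.recent_dst.append(rreq.dst)
        del self.recent_src[:-self.window]
        del self.recent_dst[:-self.window]
        return (
            self.dropped_low / self.received,
            self.dropped_same / self.received,
            rreq.seq,
            entropy(Counter(self.recent_src)),
            entropy(Counter(self.recent_dst)),
        )


def normal_stream():
    """Constructed: sources 1, 2 and 4 discover routes to node 7; each RREQ is
    heard twice (via two neighbours), so one copy is dropped as a duplicate."""
    out = []
    for seq in range(1, 6):
        for src in (1, 2, 4):
            out.append(RREQ(src, 7, seq, (src,)))
            out.append(RREQ(src, 7, seq, (src, 5)))
    return out


FORGED_DST = (3, 6, 8, 2)   # constructed: the forged RREQs rotate destinations too


def sinkhole_stream():
    """Constructed: the same traffic, but a sinkhole node (id 0) first floods a
    forged RREQ for each source with a sequence number around 10,000, as in the
    paper's 'high' scenario; forged copies are also heard twice."""
    out = []
    for seq in range(1, 6):
        for src in (1, 2, 4):
            forged = RREQ(src, FORGED_DST[(seq + src) % 4], 10000 + seq, (src, 0))
            out += [forged, forged]
            out.append(RREQ(src, 7, seq, (src,)))
            out.append(RREQ(src, 7, seq, (src, 5)))
    return out


def final_features(stream, node_id=9):
    """Feed a whole RREQ stream to one node and return the last feature vector."""
    node = NodeDetector(node_id)
    vector = None
    for rreq in stream:
        vector = node.receive(rreq)
    return vector


if __name__ == "__main__":
    for name, stream in (("normal", normal_stream()), ("sinkhole", sinkhole_stream())):
        low, same, seq, h_src, h_dst = final_features(stream)
        print(f"{name:9s} drop_low={low:.2f} drop_same={same:.2f} "
              f"seq={seq} H_src={h_src:.2f} H_dst={h_dst:.2f}")
```

Run stand-alone, the normal stream ends with a zero low-sequence drop ratio and zero destination entropy (every RREQ is for node 7), while the sinkhole stream shifts the drops to the low-sequence category and raises destination entropy, which is the separation the cluster analysis of Section 4.3 relies on. Each `receive` call returns one record, so a node accumulates one feature vector per received RREQ, as the paper records them.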

According to the above formula, entropy can be calculated over consecutively received RREQs. If a sinkhole attack varies the source and destination pair often, entropy will be higher than in the normal network state. More variables could facilitate more accurate detection of sinkhole attacks. However, an excessive number of parameters requires additional operating overhead for mobile nodes. This violates the energy considerations we alluded to at the end of Section 4.2, and as such, we do not consider additional variables in this work.

4.3. Cluster analysis

Cluster analysis works by grouping data such that objects in a given group are similar to each other and dissimilar from those in other groups. Here, normal and false RREQs can be separated. In this paper, we use cluster analysis to separate false RREQs from normal RREQs and to verify the indicators for detection. There exist two major types of cluster algorithms in the literature: hierarchical and partitioning (Kaufman & Rousseeuw, 1990). We use a hierarchical approach, which does not require a predetermined number of groups, because there could be more than two groups (several groups of false RREQs or normal RREQs, etc.). Cluster analysis requires distance measures to examine dissimilarities among clusters. There are two common distance measures: Mahalanobis distance, based on the covariance matrix of the variables, and Euclidean distance, the geometric distance in multidimensional space (Staniford-Chen et al., 1998). Here, we use the Euclidean measure because the Mahalanobis measure requires the features to be multivariate normally distributed. Normality is often violated by many data sets and may not hold for network traffic data. Euclidean distance is calculated as follows:

$$D(x, y) = \sqrt{\sum_{i=1}^{n} (x_i - y_i)^2},$$

where x and y are two records to be clustered, and n is the number of features measured. The Ward minimum variance method was used as the cluster-linkage rule after calculating the distances between clusters. In this method, the distance between two clusters is the analysis-of-variance sum of squares between the clusters, summed over all features. At each generation, the within-cluster sum of squares is minimized over all partitions. To determine the number of clusters, we use the Cubic Clustering Criterion (CCC) developed by W.S. Sarle of the SAS Institute (Johnson, 1998; SAS Institute, 1990). The CCC value is examined as a function of the number of clusters, watching for peaks; the CCC value should be greater than three and form a peak at a possible cluster solution.
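As an added example (not the authors' implementation, which relied on SAS), the following Python carries out the Section 4.3 procedure on constructed feature records: Euclidean distance between records, Ward's minimum-variance linkage implemented through the Lance-Williams update on squared distances, and agglomeration from singletons until a chosen number of clusters remains. The CCC is not implemented; the parameter `k` is an assumption standing in for the cluster count the CCC peak would select. The records are constructed to resemble the paper's no-attack and high-sequence-number scenarios and are not simulator output.

```python
"""Hierarchical clustering of per-RREQ feature records with Ward linkage.

Added example, not the authors' implementation. It follows Section 4.3:
Euclidean distance between feature records, Ward's minimum-variance linkage
(Lance-Williams update on squared distances), and agglomeration from
singletons until k clusters remain. k stands in for the CCC peak, which is
not implemented here. All records below are constructed.
"""
import math

# Constructed per-RREQ records: (drop ratio low seq, drop ratio same seq,
# sequence number, entropy of source, entropy of destination). Records 0-7
# mimic normal RREQs; records 8-11 mimic false RREQs in the paper's "high"
# scenario (sequence numbers from 10,000, roughly doubled entropy).
RECORDS = [
    (0.00, 0.55, 3, 0.85, 0.70),
    (0.00, 0.60, 5, 0.90, 0.72),
    (0.00, 0.58, 8, 0.88, 0.69),
    (0.00, 0.62, 12, 0.91, 0.71),
    (0.01, 0.57, 15, 0.86, 0.68),
    (0.00, 0.59, 21, 0.89, 0.73),
    (0.02, 0.61, 26, 0.92, 0.70),
    (0.01, 0.56, 30, 0.87, 0.69),
    (0.05, 0.50, 10001, 1.40, 1.33),
    (0.06, 0.48, 10002, 1.42, 1.30),
    (0.05, 0.52, 10003, 1.38, 1.35),
    (0.07, 0.49, 10004, 1.44, 1.22),
]
FALSE_RECORDS = {8, 9, 10, 11}


def euclidean(x, y):
    """D(x, y) = sqrt(sum_i (x_i - y_i)^2) over the n features."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, y)))


def ward_clusters(records, k):
    """Agglomerate singletons with Ward's minimum-variance linkage until k
    clusters remain. Returns the clusters as sorted lists of record indices."""
    n = len(records)
    clusters = {i: [i] for i in range(n)}
    # Ward linkage is driven by squared Euclidean distances between singletons.
    dist = {(i, j): euclidean(records[i], records[j]) ** 2
            for i in range(n) for j in range(i + 1, n)}

    def d(a, b):
        return dist[(a, b) if a < b else (b, a)]

    next_id = n
    while len(clusters) > k:
        ids = sorted(clusters)
        # Merge the pair whose union raises the within-cluster sum of squares least.
        i, j = min(((a, b) for a in ids for b in ids if a < b), key=lambda p: d(*p))
        ni, nj = len(clusters[i]), len(clusters[j])
        for m in ids:
            if m in (i, j):
                continue
            nm = len(clusters[m])
            # Lance-Williams update for Ward's method (new cluster id is next_id).
            dist[(m, next_id)] = ((ni + nm) * d(m, i) + (nj + nm) * d(m, j)
                                  - nm * d(i, j)) / (ni + nj + nm)
        clusters[next_id] = clusters.pop(i) + clusters.pop(j)
        next_id += 1
    return [sorted(members) for members in clusters.values()]


def cluster_means(records, clusters):
    """Average feature vector per cluster, the quantity reported in Table 3."""
    means = []
    for members in clusters:
        cols = zip(*(records[i] for i in members))
        means.append(tuple(sum(col) / len(members) for col in cols))
    return means


if __name__ == "__main__":
    groups = ward_clusters(RECORDS, k=2)
    for members, mean in zip(groups, cluster_means(RECORDS, groups)):
        print(members, [round(v, 3) for v in mean])
```

With k = 2 the four false records form their own cluster and its mean sequence number exceeds 10,000, the same contrast the paper reads off Table 3. Note that with raw Euclidean distance the sequence number dominates the other four features because of its scale; the paper does not say whether the features were standardized before clustering, so this example keeps them raw.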

5. Simulation results

In this section, simulation results of cluster analysis using our proposed features are discussed. To verify the advantages of the proposed features, classification results and the differences between normal clusters and attack clusters are shown against various types of sinkhole attacks. A node-specific hierarchical tree diagram is also presented to demonstrate the ability of each node to detect attacks in a distributed manner.

5.1. Simulation environment

A sinkhole simulator for DSR was implemented as an extension of the NS-2 Network Simulator (n.d.) to verify the aforementioned advantages of the proposed features. The DSR implementation built into NS-2 v2.3b was used as a base, and some modifications were made to simulate sinkhole attacker nodes. The simulation environment was composed of 30 wireless nodes. The transmission range of each node was 250 m. Nodes were placed randomly in a 670 × 670 m² rectangular area and moved according to a random waypoint algorithm. We generated sinkhole attacks as follows. The sinkhole node observed outside RREQs, recording the source id and sequence number of each. It then used that information to generate false RREQs. The source of the false RREQ (the target node) was chosen arbitrarily from the records, and the sinkhole node added itself to the path. The sequence number of the false RREQ was set higher than the original sequence number of the target node. The sinkhole node then broadcast the false RREQs to the network while rotating the target node, from 150 to 180 s.

5.2. Implementations of various sinkhole attacks

As mentioned in Section 2, there exist several variations of sinkhole attacks. However, variation in the number of nodes inserted into false RREQ paths cannot influence the performance of the proposed algorithm. Hence, only sequence number manipulation and the broadcasting frequency of false RREQs were considered in this experiment. The intensity and success rate of attacks depended on the sequence number and broadcasting frequency of false RREQs. When a node receives a false RREQ, it regards it as the latest valid RREQ until it receives an RREQ with a sequence number higher than that of the false RREQ. Therefore, the higher the sequence number of the false RREQ, the longer the attack lasts. On the other hand, an attack that generates false RREQs with moderate sequence numbers, such as always five more than the sequence number of a normal RREQ from the same source node, depends on the frequency at which false RREQs are broadcast. By frequently broadcasting moderately numbered false RREQs, an attacker is able to trick the nodes into believing the false RREQs to be valid. Hence, self-recovery from attacks (via reception of normal RREQs with sequence numbers higher than the false RREQs) is prevented by frequent broadcasting of false RREQs. Table 1 shows the various types of sinkhole attacks in our simulation. In Section 5.3, we discuss the performance of the proposed algorithm under the variations of sinkhole attacks discussed above.

Table 1. Various attacks.

                                      Sequence number
Broadcasting frequency                High (begins with 10,000)               Moderate (always 5 more than normal RREQ)
Frequent (broadcasts every 1 s)       Strong attack: every 1 s / 10,000+      Frequent/moderate: every 1 s / +5
Infrequent (broadcasts every 10 s)    Infrequent/high: every 10 s / 10,000+   Weak attack: every 10 s / +5

5.3. Results

In our simulation, values of the proposed features were recorded at each node whenever it received an RREQ. After that, cluster analysis was performed on each node's records to classify RREQs. A total of 51,857 RREQs were generated in our simulation. Table 2 presents the classification results.

Table 2. Classification results.

Attack scenario       Actual class   Classified into False RREQ (%)   Classified into Normal RREQ (%)
Moderate infrequent   False RREQ     92.40                            7.60
                      Normal RREQ    6.68                             93.32
Moderate frequent     False RREQ     96.61                            3.39
                      Normal RREQ    1.28                             98.72
High infrequent       False RREQ     99.98                            0.02
                      Normal RREQ    0                                100
High frequent         False RREQ     99.13                            0.87
                      Normal RREQ    0                                100

Clearly, the RREQs were well classified by the proposed features. Since there was no misclassification of normal RREQs, the method gives extraordinary performance for high sequence numbers. Interestingly, infrequent broadcasting of false RREQs made classification easier for cluster analysis: in the scenario with frequent broadcasting, some nodes may receive a tremendous number of false RREQs, and cluster analysis could then split the false RREQs into several smaller clusters that cannot be united according to the CCC measure. Under attacks with moderate sequence numbers, some misclassification of normal and false RREQs was present, because the difference in sequence numbers between normal and false RREQs was relatively small. Frequent broadcasting with moderate sequence numbers aids classification, since the more false RREQs are broadcast, the more their effect shows in the proposed features. However, misclassification under the moderate/infrequent attack is not a serious problem because moderate/infrequent attacks are relatively benign. In summary, the proposed features are able to separate almost all false RREQs from normal RREQs with high accuracy. This was especially true for attacks with high sequence numbers, but it also held for attacks with moderate sequence numbers. Table 3 shows the average value of each proposed feature for each cluster. False RREQ clusters are the clusters that contain mainly false RREQ packets, and Normal clusters are all other clusters under each attack scenario. As expected, there is an obvious difference in the RREQ drop ratio for low sequence numbers and for the same sequence number between no attack and each False RREQ cluster.
In the absence of attacks, the main reason for dropping received RREQs is receiving an RREQ with the same sequence number from the same source. However, under sinkhole attacks, false RREQs with higher sequence numbers force the node to drop normal RREQs with lower sequence numbers. Hence, some portion of the drop ratio is for low sequence numbers. In addition, the average entropy of Normal clusters and False RREQ clusters exhibited clear differences, and the False RREQ cluster value was almost twice that of the weak attack scenarios in particular. Since the intention of sinkhole attacks is to lead all network traffic to the attacker, they generate several false RREQs with arbitrary source and destination pairs, which increases entropy. Therefore, detection logic can be built on the differences in Table 3 to detect a sinkhole attack whenever a node receives a false RREQ, so that detection is swift and precise.

Table 3. Average of each cluster with two attack scenarios.

Proposed features (rows): RREQ drop ratio for low sequence number; RREQ drop ratio for same sequence number; Entropy of source; Entropy of destination.
Attack types (columns): No attack; High frequent (Normal clusters, False RREQ cluster); Moderate infrequent (Normal clusters, False RREQ cluster).
Values as extracted:
0.050144 0.585549 0.908287 0.708997
1.401283 1.331576
0.00082 0.64658 0.661765 0.289096
1.438672 1.217465
0 0.72134 0.6088 0.3321

Fig. 2 shows node 9's classification results under the strong attack scenario. In Fig. 2, the five-digit numbered objects represent false RREQs and the others are normal RREQs. As shown in Fig. 3, according to the CCC measure the number of clusters is 4, and all false RREQs are grouped in one cluster (right side of Fig. 2). Hence, fully distributed detection at each node is possible using the proposed features, which do not require information exchange amongst neighboring nodes.

Fig. 2. Classification results with hierarchical diagram of node 9.

Fig. 3. Values for deciding number of groups for node 9.

6. Conclusion

In this paper, we presented novel features to detect sinkhole attacks in a distributed manner using cluster analysis. Although sinkhole attacks have great potential as leading attacks, behind which other serious attacks can follow, little research on detecting sinkhole attacks in MANETs exists. To find robust indicators of sinkhole attacks, we analyzed false RREQs and selected five features that can discriminate false from normal RREQs under various sinkhole attacks. After feature selection, cluster analysis was applied to form groups into which false RREQs and each unknown group of normal RREQs were partitioned. To verify the proposed features, we experimented with various types of sinkhole attacks. Excellent classification results were obtained, and differences in the values of the proposed features between normal and false RREQ clusters were shown. In addition, we demonstrated that the proposed features are able to discriminate false RREQs in a distributed manner. Future work could look for additional features derived from node status beyond the received RREQ packets. Extensions of the proposed features to other routing protocols, such as AODV, can also be studied.

Acknowledgement

This research was supported by the MKE (Ministry of Knowledge Economy), Korea, under the ITRC (Information Technology Research Center) support program supervised by the NIPA (National IT Industry Promotion Agency) (NIPA-2010-(C1090-10310005)).

References

Burg, A. (2003). Ad hoc network specific attacks. In Seminar of ad hoc networking: Concepts, applications, and security. München: Technische Univ.
Capkun, S. et al. (2003). Self-organized public-key management for mobile ad-hoc networks. IEEE Transactions on Mobile Computing, 2(1), 52–64.
Chris Tseng, H., & Jack Culpepper, B. (2005). Sinkhole intrusion in mobile ad hoc networks: The problem and some detection indicators. Computers & Security, 24, 561–570.
Feinstein, L. et al. (2003). Statistical approach to DDoS attack detection and response. In Proceedings of the DARPA information survivability conference and exposition (pp. 303–314). Washington, DC: IEEE.
Johnson, D. E. (1998). Applied multivariate methods for data analysis. Brooks/Cole Publishing Co.
Johnson, D. B. et al. (2001). DSR: The dynamic source routing protocol for multi-hop wireless ad hoc networks. In Charles E. Perkins (Ed.), Ad hoc networking (pp. 139–172). Addison-Wesley.
Johnson, D. (2007). The dynamic source routing protocol (DSR) for mobile ad hoc networks for IPv4. Available from http://www.rfc-editor.org/rfc/rfc4728.txt.
Kaufman, L., & Rousseeuw, P. J. (1990). Finding groups in data: An introduction to cluster analysis. Wiley series in probability and mathematical statistics. John Wiley and Sons, Inc.
Lee, K. et al. (2008). DDoS attack detection method using cluster analysis. Expert Systems with Applications, 34(3), 1659–1665.
Lou, H., & Lu, S. (2001). Providing robust and ubiquitous security support for mobile ad hoc networks. In Proceedings of the 9th international conference on network protocols (ICNP).
NS-2 Network Simulator. (n.d.). Available from http://www.isi.edu/nsnam/ns/.
Perkins, C. et al. (2003). Ad hoc on-demand distance vector (AODV) routing. IETF RFC 3561, July.
Rivest, R. L. et al. (1978). A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2), 120–126.
SAS Institute. (1990). SAS/STAT user's guide, version 6 (4th ed., Vol. 1). SAS Institute.
Sankar, K. (2003). Securing authentication and privacy in ad hoc partitioned networks. In Symposium on applications and the internet workshops (SAINT'03) (p. 354). Orlando, Florida.
Shannon, C. E., & Weaver, W. (1963). The mathematical theory of communication. University of Illinois Press.
Staniford-Chen, S. et al. (1998). GrIDS: A graph-based intrusion detection system for large networks. In The 19th national information systems security conference (pp. 361–370).