HSecGR: Highly Secure Geographic Routing

Journal of Network and Computer Applications 80 (2017) 189–199

Contents lists available at ScienceDirect

Journal of Network and Computer Applications journal homepage: www.elsevier.com/locate/jnca

HSecGR: Highly Secure Geographic Routing

MARK

⁎

Mehdi Boulaiche , Louiza Bouallouche-Medjkoune LAMOS University of Bejaia, Algeria

A R T I C L E I N F O

A BS T RAC T

Keywords: Ad hoc network Secure routing Attack Cryptography Reputation Malicious

An ad hoc wireless network is a set of nodes connected by wireless links in which nodes cooperate to forward packets from a source to a destination. Geographic routing (or position-based routing) has become an attractive solution for such networks since it reduces routing control overhead flooded in the network to construct routes (routes discovery). Many geographic routing protocols have been designed to guarantee packet delivery in such networks. However, these protocols consider that all nodes in the network are trustworthy which allows malicious nodes to violate network security and disrupt packet forwarding. In this paper, we propose and evaluate a new security approach that secures geographic routing protocols against a variety of attacks. Our approach is based on the use of MACs to allow intermediate nodes to verify the authenticity and the integrity of forwarded packets and uses authenticated acknowledgements to prevent packet dropping attacks. To meet node's resource constraints, we have based our solution on symmetric cryptography. Our solution is robust against modification and dropping attacks even in the presence of compromised nodes in the network.

1. Introduction An ad hoc wireless network is a set of nodes connected by wireless links where all nodes in the network cooperate to forward packets from one point to another. The protocols designed for routing in this type of networks are different from those designed for routing in wired networks. Routing protocols designed for wireless ad hoc networks have to deal with the characteristics of such networks. These protocols have to be designed so as to minimize communication overhead since nodes have limited resources. They also need to handle mobility of nodes within the network. And very importantly, a routing protocol designed for such networks should mitigate the impact of attacks on the protocol. Indeed, due to the broadcast nature of wireless channel it is sufficient that an attacker be in the transmission range of a node to eavesdrop on the on-going traffic, tamper, or drop packets since every node in the network is expected to participate in packet forwarding process. There are three main categories of routing protocols for ad hoc wireless networks namely: flat routing, hierarchical routing, and geographic routing. Flat routing protocols include reactive protocols such as DSR (Boukerche et al., 2011), AODV (Mulert et al., 2012) and proactive protocols such as DSDV (Ade and Tijare, 2010). In hierarchical routing, nodes are divided into clusters and a cluster head is assigned to each cluster head. LEACH (Tyagi and Kumar, 2013) is an example of hierarchical routing protocols. In geographic routing protocols, the position information of nodes is used to forward packets ⁎

toward the final destination. GPSR (Karp and Kung, 2000) is an example of geographic routing protocols. Geographic routing has become an attractive solution (Milocco et al., 2014; Peng and Kemp, 2011; Lee et al., 2010a; Boulaiche and Bouallouche-Medjkoune, 2015; Tao et al., 2010; Kleerekoper and Filer, 2015; Al-shugran et al., 2013) for wireless ad hoc networks where nodes keep only information about local one hope neighbors. In geographic routing, a node selects a next forwarding node based only on the location of itself, its neighbors and the destination. The location information can be obtained with GPS or through any other localization system. As it does not use control packets to establish a path, the geographic routing reduces routing control overhead flooded in the network to maintain network connectivity compared with other types of routing protocols. Protocols called greedy (Al-shugran et al., 2013) forward packets such that their routes be the closest to the path as the crow flies between the source and the destination. NFP (Al-shugran et al., 2013) protocol selects its closest neighbor among those in the direction of the destination to forward the packet. Whereas, with MFR (Al-shugran et al., 2013) protocol, a forwarding node selects its neighbor that is closest to the destination as next forwarding node. NADV (Lee et al., 2010b) selects the neighbor with the optimal tradeoff between the advance and link cost. To overcome holes (Chen and Varshney, 2007) problem (known also as local minima) in geographic routing protocols, solutions proposed in (Karp and Kung, 2000; Tao et al., 2010; Won et al., 2013) use the right (or left) hand rule (Chen and Varshney, 2007) to forward packets around the holes.

Corresponding author. E-mail addresses: [email protected] (M. Boulaiche), [email protected] (L. Bouallouche-Medjkoune).

http://dx.doi.org/10.1016/j.jnca.2016.12.028 Received 21 December 2015; Received in revised form 12 November 2016; Accepted 19 December 2016 Available online 25 December 2016 1084-8045/ © 2016 Elsevier Ltd. All rights reserved.

Journal of Network and Computer Applications 80 (2017) 189–199

M. Boulaiche, L. Bouallouche-Medjkoune

Other work in secure routing (such as Ade and Tijare, 2010; Perrig et al., 2005; Kim and Tsudik, 2009; Tygar et al., 2002; Buttyan et al., 2006; Yi et al., 2001; Levine et al., 2002; Zapata and Asokan, 2002; Johnson et al., 2003; Wang et al., 2010), is about protecting topology (route) discovery. ARIADNE (Perrig et al., 2005) and SRDP (Kim and Tsudik, 2009) are two protocols that provide an extension to secure route discovery in DSR (Boukerche et al., 2011) protocol using cryptographic tools. ARIADNE provides three patterns (shared secret keys between any pair of nodes, TESLA (Tygar et al., 2002), or digital signature) to authenticate information provided by intermediate nodes between the source and the destination. However, analysis of ARIADNE protocol in (Yi et al., 2001) has shown some security vulnerabilities in the protocol. Authors in (Buttyan et al., 2006) proposed to sign Route Reply field instead of signing Route Request to eliminate these security vulnerabilities. Authors in SRDP (Kim and Tsudik, 2009) Proposed the use of either aggregated message authentication codes (MACs) or multi-signatures to securely discover an authenticated route to the destination in DSR. To secure AODV (Mulert et al., 2012) protocol, Authors in SAR (Yi et al., 2001) ARAN (Levine et al., 2002), S-AODV (Zapata and Asokan, 2002) propose other extensions that can provide security properties for AODV protocol. In SAR protocol, nodes in the network are divided into confidence levels. Consequently, only nodes that belong to a higher confidence level than the minimum required level can participate in route search process. S-AODV protocol proposes to use a digital signature to authenticate non-mutable fields of the message (fields that don’t change since message creation) and use a hash chain to protect the hop_counter field. SEAD (Johnson et al., 2003) and SDSDV (Wang et al., 2010) are two protocols that have been proposed to provide security services for DSDV protocol (Ade and Tijare, 2010). SEAD protocol tries to protect DSDV sequence_number field against modification attacks using a hash chain. Whereas, SDSDV tries to improve DSDV security by preventing nodes from increasing or decreasing distance_metric and sequence_number fields. In detective solutions, CONFIDENT (Buchegger and Le Boudec, 2005) and Watchdog & Pathrater (Kevin et al., Mary.) protocols are two protocols that have been proposed to enhance the security of DSR protocol. By monitoring nodes behavior in the network, malicious nodes are isolated in black lists and thus will be avoided during packet routing. TAODV (Lyu et al., 2004) is another solution that has been proposed to improve AODV security based on node behaviors in the network. To secure geographic routing protocols, Chen L. et al. proposed in (Lyu et al., 2013) the use of geographic leashes and the TESLA scheme to provide resistance against the Sybil attack and wormhole attack and the use of a distributed trust model and the packets opportunistic forwarding to prevent black hole and gray hole attacks. In (Marin-Perez and Ruiz, 2011) Rafael M. et al. proposed a Self-Protected Beaconless Geographic Routing protocol (SBGR) in which nodes overhear the forwarding of their neighbors to detect malicious behaviors. Authors in (Pathak et al., 2008) proposed GSPR an infrastructure free geographic routing protocol that is resilient to disruptions caused by malicious or faulty nodes. Authors in (Song et al., 2007) proposed secure geographic forwarding (SGF) that incorporates both the Hashed MAC and the TESLA to provide security mechanisms for both data and control messages in geographic routing protocols. Most of the earlier works deal with only one type of attacks but not with a variety of attacks that can be launched against a routing protocol. For example, solutions proposed in (Perrig et al., 2005; Kim and Tsudik, 2009; Tygar et al., 2002; Buttyan et al., 2006; Yi et al., 2001; Levine et al., 2002; Zapata and Asokan, 2002; Johnson et al., 2003; Wang et al., 2010) protect route discovery packets against modification attacks. However, these solutions don’t protect against packet dropping attacks. Contrary, solutions proposed in (Buchegger and Le Boudec, 2005; Kevin et al., 2000; Lyu et al., 2004) protect against packet dropping attacks but don’t protect against modification

Geographic routing protocols forward packets based on the assumption that all nodes in the network are trustworthy and don’t take into account the security problem. However, the presence of malicious (or compromised) nodes in the network, can lead to a degradation in the performances of geographic routing in terms of delivery ratio (routing failures). In geographic routing, a forwarding node selects its next hop according to the destination position contained in forwarded messages. An attacker may alter or modify this information to disrupt the routing scheme. An attacker may also generate falsified messages such as beacon messages or error messages to disrupt routing scheme. These types of attacks can be used with the blackhole attack (Sarma et al., 2011) in which a node drops all packets going through it, or with sybil attack (Md Zin et al., 2014) in which the attacker provides multiple identities to other nodes in the network. Another type of attacks that can be launched against geographic routing is wormhole attack (Qazi et al., 2013), two malicious nodes cooperate and build a tunnel between them and get packets from one region to another. This type of attacks is very difficult to detect. In this paper we will propose a Highly Secure Geographic Routing approach. The objective of our work is to provide a mechanism that allows both intermediate nodes and the destination node to verify the authenticity and the integrity of forwarded packets in one hand and to protect against dropping attacks on the other hand. Our solution is based on the use of MACs (Message Authentication Code) with a secret key to protect packets against modification and to prevent attackers from tampering routing information. To protect packets against dropping attacks, each intermediate node that receives a packet must return back an authenticated acknowledgement to the packet's source indicating both the previous and the next hop for this packet. For this, we propose an extension to the packet header to provide these security services for geographic routing protocols. Our solution is robust against modification and dropping attacks even in the presence of compromised nodes in the network. To meet node's resource constraints, we have based our solution on symmetric cryptography. The rest of the paper is organized as follows: Section 2 presents related work on secure routing protocols in ad hoc networks. Our security approach that protects against these security attacks will be presented and detailed in Section 3. Simulation results will be discussed in Section 4. Section 5 concludes this paper. 2. Related work The use of wireless links significantly facilitates attacks against routing protocols in wireless ad hoc networks. Unlike wired networks where the attacker must have physical access to the network, in wireless ad hoc networks, it is sufficient that the attacker be in the transmission range of a node to eavesdrop on communications, modify, or inject packets in the network. To address routing security problem in ad hoc networks, several solutions have been proposed in the literature. Generally speaking, these solutions propose extensions to already existing protocols in order to strengthen their security efficiency against some attacks. Authors in (Baadache and Belmehdi, 2012, 2014) proposed an approach that allows to secure both proactive and reactive routing protocols against simple and cooperative black hole attack. In (Yu et al., 2009) authors proposed SRAC a secure routing protocol to defend Byzantine attacks as well as other internal attacks against routing protocols for MANETs in adversarial environments by using both message and route redundancy during route discovery. Authors in (Zhang et al., 2014) proposed TOHIP a TOpology-HIding multipath routing Protocol which does not allow packets to carry routing information so that the malicious nodes cannot deduce network topology and launch various attacks based on that. Authors in (Djenouri and Badache, 2009) suggest a modular solution structured around five modules to monitor, detect, and safely isolate misbehaving nodes that drop packets in mobile ad hoc networks. 190

Journal of Network and Computer Applications 80 (2017) 189–199

M. Boulaiche, L. Bouallouche-Medjkoune

attacks. Although solutions proposed in (Lyu et al., 2013; Marin-Perez and Ruiz, 2011; Pathak et al., 2008; Song et al., 2007) provide resistance against modification and dropping attacks, they still focus on a simple attack launched by an individual attacker, but not on a cooperative attack launched by a set of cooperated attackers. On the other hand, previous isolation (reputation) systems are based on vulnerable techniques in which the system can be circumvented by dropping packets at a lower rate or after a collision the retransmission can be skipped. In addition, these techniques allow isolating dropping attackers but not modification attackers. The major value added by the approach proposed in this paper is that it protects geographic routing against a variety of attacks altogether, i.e.; dropping, modification, and injection attacks launched by both individual attackers and cooperative attackers along the endto-end path. Another value added by our approach is that the proposed isolation (reputation) system is based on authenticated acknowledgments rather than on previous vulnerable techniques. And very importantly, the proposed isolation system allows detecting and isolating both dropping and modification attackers. One another feather added by our approach is that it allows detecting and isolating attackers in the whole network and not just attackers in the neighborhood.

Fig. 1. Our protocol's header.

copy of the packet sent in order to compare it with the received acknowledgements sent by the intermediate nodes along the path toward the destination. Afterwards, the source node alarms a timer. If the destination acknowledgement is not received within a timeout, then, the source considers that the packet was dropped by an intermediate node (this includes both malicious and non-malicious causes) and the link between the last node in the downstream where its acknowledgement was well received and its next forwarding node is considered as a suspected link. Each intermediate node “I” verifies the authenticity of the packet by comparing the received MAC1 field to the MAC value computed over the received packet header with the secret key it shares with its previous forwarding node “I-1”. If the checking succeeds, the intermediate node modifies the MAC1 field by a new one computed over the header with the secret key it shares with its next forwarding node and forwards the packet. Then, the intermediate node sends back an acknowledgement packet toward the source node S. Since the intermediate nodes don’t have the secret key shared between the source and the destination, they can’t verify whether the payload of the packet was tampered or not. This allows a compromised node to tamper packet's payload, however, this information is transmitted to the source node in the acknowledgement packet since the MAC2 field of the acknowledgement packet is computed over the following received fields: HKIS{Type, Ident, Length, Source_Address, Destination_Address, Prevoius_hop, Next_hop, MAC2, msg} with the secret key shared with the source node S. The acknowledgement packet contains the previous and the next forwarding nodes as well, which allows the source node to construct the path traversed by the packet toward the destination. Finally, when the destination receives the packet, it firstly verifies its authenticity using MAC1 field, and then it verifies the payload of the packet (the message) by comparing the received MAC2 field to the MAC value computed over the received payload with the secret key it shares with the source node S. if the checking succeeds the destination sends back to the source an acknowledgement packet where the MAC2 field is computed with the secret key shared with the source node S over the following received fields: HKIS {Type, Ident, Length, Source_Address, Destination_Address, Prevoius_hop, Next_hop, MAC2, msg}. Otherwise, the destination sends an error message to the source node. When the source node receives an acknowledgement packet, it first verifies its authenticity using its MAC1 field, then, it checks whether the message received by the originator of the acknowledgement was modified or not by comparing the received MAC2 field to the MAC value computed over the packet fields it has sent before (i.e., the following fields: Type, Ident, Length, Source_Address, Destination_Address, Prevoius_hop, Next_hop, MAC2, msg that the source node has sent before). If the message was modified then the link between the acknowledgement originator and its previous forwarding node is considered as a suspected link. Note here that acknowledgement packets sent back to the source node traverse the reverse path traversed by the corresponding data packet in order to prevent attacks on acknowledgements packets because an attacker can’t modify or drop the acknowledgements of its upstream nodes. The reception of an acknowledgement acknowl-

3. Highly Secure Geographic Routing 3.1. Assumptions and notations We consider a wireless ad hoc network in which all nodes cooperate to forward packets from the source node to the destination. It is assumed that each node is aware of its own position, neighbor's position, and the position of the destination. The location information can be obtained by equipping nodes with GPS or through any other localization system. Neighbor's position can be obtained by periodic beacon messages. We also assume that wireless connections between nodes are bidirectional because our solution requires a bi-directional exchange of packets. We also assume that a source node S truste the destination node D (i.e: the source node S doesn’t disclose its secret key shared with D for any node in the network in any case and so the node D). We also assume that there is a shared secret key between each pair of nodes in the network i.e. n (n-1)/2 keys distributed in the network using, for example, a Key Distribution Center (KDC) where n is the number of nodes in the network. The following notations are used in this paper:

• • •

A, B, C …: are nodes. KAB: is the secret key shared between the two nodes A and B. MACKAB{X}: is X's Message Authentication Code calculated with the KAB key shared between nodes A and B using hush function like HMAC or MD5.

3.2. HSecGR overview Our approach is based on the use of two MACs to prevent packet tampering attacks throughout the path toward the destination. The first MAC is computed over the header of the message with the pair-wise shared secret key between the sender and its next forwarding node toward the destination in order to provide per-hop authentication. The second MAC is computed over the payload with the pair-wise shared secret key between the source and the destination in order to protect the message against modification along the path. To prevent packet dropping attacks, we propose to use authenticated acknowledgements. In our approach, we also propose the use of a reputation system to detect and isolate packet tampering and dropping attackers. Our proposed approach works as follows. When a source node S sends a message to a destination D, it encapsulates the message in a new packet where the header is illustrated in Fig. 1. Then, it keeps a 191

Journal of Network and Computer Applications 80 (2017) 189–199

M. Boulaiche, L. Bouallouche-Medjkoune

18) If (H2== p.MAC2) Then 19) Message was received correctly; 20) Send back an acknowledgement to the source node; 21) If (p.type== report) Then 22) Broadcast the report to all neighbors; 23) EndIf 24) Else 25) Send back an error packet to the source node; 26) EndIf 27) EndIf 28) Else 29) Replace p.MAC1 field by HKii+1{p.Type, p.Ident, p.Length, p.Source_Address, p.Destination_Address, p.Prevoius_hop, p.Next_hop, P.MAC2}; 30) If (p.type == Ack) Then 31) Send the packet to the previous node in the upstream of this packet; 32) Else 33) Forward the packet to next node towards the destination; 34) Send back an acknowledgement to source node S; 35) EndIf 36) Else 37) Packet header was modified; 38) Ignore this packet; 39) EndIf

edges all upstream nodes in the path. Non authenticated packets or acknowledgements are dropped and don’t acted upon and this is to prevent malicious nodes from forging packets.

• • • • • • • • •

• • •

Type: this field allows to define the packet's type ( data, acknowledgement, error, or report packet). Ident: packet identifier. Length: header length. Source_Address: packet's source address. Destination_Address: packet's destination address. Prevoius_hop: this field is used in acknowledgement packets to indicate the previous forwarding node of the acknowledgement originator (a node the packet was received from). In report packets, this field contains the source of the suspect link. Next_hop: used in acknowledgement packets to indicate the next forwarding node of the acknowledgement originator (a node the packet was sent to). In report packets, this field contains the destination of the suspect link. MAC1: Message Authentication Code used to protect packet's header against modification and to authenticate packet's originator (hop by hop authentication). This MAC is calculated over the following fields: HKii+1{Type, Ident, Length, Source_Address, Destination_Address, Prevoius_hop, Next_hop, MAC2} with the secret key shared between the current node and its next forwarding node. Note that this MAC is recomputed by each intermediate node to authenticate the packet hop by hop. MAC2: Message Authentication Code used to protect non mutable fields of the packet against modification and to authenticate message originator. This MAC is calculated over the following fields: HKSD{Type, Ident, Length, Source_Address, Destination_Address, Prevoius_hop, Next_hop, msg} with the secret key shared between the source node and the destination node. Payload (or msg): the message to send in the packet.

3.3. Example for 3 nodes In this section we illustrate the functioning of our security approach with an example of three nodes S, I1, and D (Fig. 2), where S sends a message msg to D through the intermediate node I1. And the destination D sends back an acknowledgement through I1. S→I1: Msg1= < Type=Data, Ident, Length, S, D, Null, Null, MAC1, MAC2, msg > ; MAC2 =HKSD{Type, Ident, Length, S, D, Null, Null, msg} MAC1=HKSI1{Type, Ident, Length, S, D, Null, Null, MAC2} I1: If (MAC1= HKSI1{Type, Ident, Length, S, D, Null, Null, MAC2}) Than I1→D: Msg2 = < Type, Ident, Length, S, D, Null, Null, MAC1, MAC2, msg > ; MAC1=HKI1D{Type, Ident, Length, S, D, Null, Null, MAC2} I1→S: Ack1 = < Type=ACK, Ident+1, Length, S, D, S, D, MAC1, MAC2 > MAC2 =HKI1S{Type, Ident+1, Length, S, D, Null, Null, MAC’2,msg}; MAC’2: is the field MAC2 received in the packet header MAC1 =HKI1S{Type, Ident+1, Length, S, D, S, D, MAC2} EndIf D: If (MAC1= HKDI1{Type, Ident, Length, S, D, Null, Null, MAC2}) Than S:

Lets msg be the message to send from a source node S to a destination node D and lets I be an intermediate node between S and D. Algorithm 01. Receiving a packet “p”.

01) H1← HKi−1i{p.Type, p.Ident, p.Length, p.Source_Address, p.Destination_Address, p.MAC2} 02) If (H1 == p.MAC1) Then 03) Packet's header wasn’t modified; 04) If (p.Destination_Address == my addr) Then 05) If (p.type == Ack) Then 06) H2← HKi−1i{Type, Ident, Length, Source_Address, Destination_Address, Prevoius_hop, Next_hop, MAC2, msg} 07) If (H2== p.MAC2) Then 08) Message well received by the intermediate node; 09) Acknowledge all previous forwarding nodes of this node(upstream); 10) Else 11) The message received by this node was modified; 12) Insert this link into global black list; 13) Send a report to this node; 14) EndIf 15) EndIf 16) If (p.type == dataOrp.type == report) Then 17) H2← HKi−1i{p.Type, p.Ident, p.Length, p.Source_Address, p.Destination_Address, p.Prevoius_hop, p.Next_hop, p.msg}

Fig. 2. Example for 3 nodes.

192

Journal of Network and Computer Applications 80 (2017) 189–199

M. Boulaiche, L. Bouallouche-Medjkoune

Upon receiving a report broadcast by a neighbor, the suspected node in the report is inserted in the local blacklist. This report needs to be authenticated to prevent any byzantine reports coming from malicious behaviors which try to blacklist a legitimate node. Therefore, we propose to use the TESLA (Tygar et al., 2002) broadcast authentication method to authenticate broadcast suspected neighbor's reports.

If (MAC2= HKDS{Type, Ident, Length, S, D, Null, Null, msg}) Than D→I1: Ack2 = < Type=ACK, Ident+1, Length, D, S, I1, Null, MAC1, MAC2 > MAC2 =HKDS{Type, Ident+1, Length, S, D, Null, Null, MAC’2,msg}; MAC’2: is the field MAC2 received in the packet header MAC1 =HKDI2{Type, Ident+1, Length, S, D, I1, Null, MAC2} Else D→S: Err = {Type=Err, Ident+1, Length, D, S, I1, Null, MAC1, MAC2} MAC2 =HKDS{Type, Ident+1, Length, S, D, Null, Null, MAC’2,msg}; MAC’2: is the field MAC2 received in the packet header MAC1 =HKDS{Type, Ident+1, Length, D, S, I1, Null, MAC2} EndIf EndIf

3.5. Protocol proof In this section we will present a formal proof for cryptographic properties of our approach. For this, we will use a formal method called BAN (Burrows et al., 1990) logic. BAN logic, named according to the names of its inventors Michael Burrows, Martin Abadi and Roger Needham who introduced it in 1990, is the first and the most famous logic dedicated to the analysis of cryptographic protocols. It is a belief logic that models principal's beliefs involved in a protocol and the evolution of these beliefs after exchanging messages during the execution of the protocol. 3.5.1. Protocol formulation In standard notation, a step of a protocol is presented as follows: P→Q: message. Our approach can be seen as the exchange of two types of messages (data/report messages and acknowledgement/error messages).

3.4. Isolating suspected nodes In this section, we present our solution to detect and isolate malicious nodes. In geographic routing, the forwarding node selection relies only on one-hope neighboring nodes. Therefore, each node maintains two black lists; a global and a local one. The global black list allows nodes to construct a list of suspected links in the whole network. This list is constructed from acknowledgements and error messages received from the destination and the intermediate nodes because the acknowledgements are interpreted and acted upon only by the source of the data packet. Whereas, the local black list allows to blacklist malicious neighbors and avoid them when selecting the forwarding node. This list is updated from reports received from source nodes and neighbor's broadcast reports. When a source node S detects a suspicious link (for example the red link I3I4 in Fig. 3), it generates a report and sends it to the source of the suspicious link (node I3 in the figure). Upon receiving a report, the source of the suspicious link (node I3) acknowledges the report, inserts the destination of the suspicious link (node I4 in the figure) into its local blacklist, and broadcasts the report to all its neighbors. All neighbors that receive a broadcast report insert the destination of the suspicious link (node I4) in their local blacklist. In the figure, only blue nodes that insert node I4 in their local blacklists because I4 is not a neighbor for grey and white nodes. If the same suspicious link (The red link I3I4 in the figure) detected another time by the source node S, then, node S resends this time the report to the node precedes the source of the suspicious node (node I2 in the figure). This node acknowledges the report, inserts the source of the suspicious link (node I3) in its blacklist, and broadcasts the report to all its neighbors. In the figure, only grey nodes that insert node I3 in their local blacklists because I3 is not a neighbor for the other white nodes.

Message1: S→D:

Message2: D→S:

Type=Data, Ident, Length, S, D, Null, Null, MAC1, MAC2, msg; MAC2 =HKSD{Type, Ident, Length, S, D, msg} MAC1=HKSD{Type, Ident, Length, S, D, MAC2} Type=ACK, Ident+1, Length, D, S, S, Null, MAC1, MAC2 MAC2 =HKDS{Type, Ident+1, Length, S, D, MAC’2,msg}; MAC’2: is the field MAC2 received in the packet header MAC1 =HKDS{Type, Ident+1, Length, D, S, S, Null, MAC2}

The first step of BAN logic is protocol idealization. In our approach, the Ident is considered as a nonce. Unencrypted messages will be removed during the idealization step. We also remove all components of the encrypted message that do not contribute to the development of agent's knowledge. In our approach, we remove the hash function H (as the hash function H is known by all nodes in the network and therefore can be used by all nodes and do not contribute to the development of agent's knowledge.

Message1: S→D: {Type, Ident, Length, S, D, MAC2}KSD, {Type, Ident, Length, S, D, msg}KSD Message2: D→S: {Type, Ident+1, Length, D, S, S, Null, MAC2}KSD, {Type, Ident+1, Length, S, D, MAC2,msg}KDS

Fig. 3. Isolating malicious nodes.

193

Journal of Network and Computer Applications 80 (2017) 189–199

M. Boulaiche, L. Bouallouche-Medjkoune

sends a message encapsulates this message into a packet where the header contains a field called MAC1. This field allows intermediate nodes to authenticate forwarded packets hop by hop. Whenever an intermediate node I receives a packet, it calculates HKI-1I{Type, Ident, length, S, D, MAC2} using the shared key with the node it received the packet from, then it compares the result with MAC1 field. In our protocol, the packet is authenticated if HKI-1I = MAC1. According to the formal demonstration of our protocol presented above, to calculate the right MAC1 field, an attacker should have the secret keys shared between the two nodes. Thus, an attacker can’t calculate the right MAC1 field unless it has the shared keys. Let's consider the worst case where the attacker compromises all intermediate nodes between S and D (i.e: the attacker has all the keys shared between intermediate nodes). When the destination D receives a packet, it calculates HKDS{Type, Ident, Length, S, D, msg} using the secret key KDS it shares with the source node S and compares the result with MAC2 field of the packet header. In our approach, a destination node D confirms the reception of a packet if and only if HKDS= MAC2. A malicious node can claim to be S if and only if it has the secret key shared between S and D which is impossible because by assumption the destination D trusts the source S.

The second step of the BAN logic is writing the initial assumptions. To analyze our approach we give the following assumptions:

D | ≡ D ←→ ⎯ S, KDS

D | ≡ #(Ident ),

S | ≡ S ←→ ⎯ D KSD

S | ≡ #(Ident )

These assumptions are: shared keys between each pair of nodes and the freshness of the identifier Ident. Indeed, each node I believes that it shares a secret key with another node J in the network. In addition, each node that receives a message believes that the identifier Ident received in the message has not been used in any other previous message. The third step is the use of the postulates of BAN logic to deduce other beliefs. In our approach, we need to deduce the following beliefs: 1. 2. 3. 4.

D |≡ S D |≡ S S |≡ D S |≡ D

|≡ Type, Ident, Length, S, D, MAC2 |≡ Type, Ident, Length, S, D, msg |≡ Type, Ident+1, Length, S, D, MAC2,msg |≡ Type, Ident+1, Length, D, S, S, Null, MAC2

The first belief means that the principal D believes that the principal S believes Type, Ident, Length, S, D, MAC2. The second belief means that “the principal D believes that the principal S believes Type, Ident, Length, S, D, msg”. The third belief means that the principal S believes that the principal D believes Type, Ident+1, Length, S, D, MAC2, msg. The fourth belief means that the principal S believes that the principal D believes Type, Ident+1, Length, D, S, S, Null, and MAC2. According to the notation proposed by BAN receiving the message 1 by D is modeled by the following formula:

Theorem 02. A malicious node can’t modify a message without being detected. Proof. Let msg be the message to send from a source S to a destination D and let ni( i≥1) be the set of intermediate nodes between S and D. In our approach, each intermediate node ni sends back an acknowledgement to the source node S and includes in the header a field called MAC2=HKIS {Type, Ident+1, Length, S, D, MAC’2,msg} where Type, Ident+1, Length, S, D, MAC’2,msg are the fields received in the packet. Whenever the source node S receives an acknowledgement from an intermediate node I, it calculates HKSI{Type, Ident+1, Length, S, D, MACKSD,msg} where Type, Ident+1, Length, S, D, MACKSD,msg are the fields that node S has sent before and compares HKSI with the field MAC2 received in the acknowledgement header. The message msg received by node ni has not modified if HKSI= MAC2. Supposing node ni has modified the message, than this modification will be discovered when S receives the acknowledgement of ni's next hop. Let's consider the worst case where all intermediate nodes between S and D are compromised nodes. When the destination D receives a packet, it calculates HKDS{Type, Ident, Length, S, D, msg} using the secret key KDS it shares with the source node S and compares the result with MAC2 field of the packet header. The destination node D acknowledges the reception of the packet if and only if HKDS= MAC2. A malicious node can modify a message without being detected if it can recalculate MAC2 field in the packet header which is impossible because this field is calculated using the secret key shared between S and D and by assumption S and D trust each other.

D⊲{Type , Ident , Length, S, D, MAC 2}K SD , {Type, Ident, Length, S, D, msg}K SD

(1)

By applying the rule R3 we get the following formula which means that D sees {Type, Ident, Length, S, D, MAC2}KSD:

D⊲{Type , Ident , Length, S, D, MAC2}K SD

(2)

By applying the rule R1 on formula (2) and the assumption D |≡D ←→ ⎯ S , we get the following formula which means that D believes KSD

that S said type, Ident, Length, S, D, MAC2. Here, D doesn’t know whether S said Type, Ident, Length, S, D, MAC2 in the current execution of the protocol or in a previous one:

D | ≡ S |~Type , Ident , Length , S , D , MAC2

(3)

A formula X is said to be fresh if it wasn’t sent in any previous message. The rule R4 says that if one part of a formula is fresh, then the entire formula must also be fresh. Based on this rule and the assumption D |≡# (Ident ) we get:

D | ≡ #(Type , Ident, Length, S, D, MAC2)

(4)

Theorem 03. A malicious node can’t drop a packet without being detected.

By applying the rule R2 on (3) and (4) we obtain the following belief which means that D believes that S believes Type, Ident, Length, S, D, MAC2:

D | ≡ S | ≡ Type , Ident , Length , S , D , MAC2

Proof. A malicious node can drop a packet without being detected if it can fabricate the acknowledgements of all intermediate nodes between the source and the destination D. But in our approach, the source node doesn’t confirm the reception of the packet until it receives the acknowledgement of the destination node D. to fabricate the acknowledgement of the destination D, a malicious node should have the secret key KSD shared between S and D in order to calculate MAC1 and MAC2 fields which is impossible because by assumption S and D trust each other.

(5)

Finally, we get the following belief: the destination D believes that the message type, Ident, Length, S, D, MAC2 was sent by the source S. (i.e: the principal D acts as the message received Type, Ident, Length, S, D, MAC2 is right). Note. : the deduction of second, third, and fourth belief is done in the same way as the first belief.

3.6. HSecGR overhead

Theorem 01. (Authentication) a node that participates in routing process is the one it claims to be.

Like any other security approach, our approach adds additional overhead in the network due to acknowledgements sent by each intermediate node, the header added by our protocol, and report

Proof. The purpose of our protocol is to authenticate each forwarded packet to detect any packet with malicious intents. Each node S that 194

Journal of Network and Computer Applications 80 (2017) 189–199

M. Boulaiche, L. Bouallouche-Medjkoune

between the maximum number when using NFP and the minimum number when using MFR. NADV (Lee et al., 2010b) is a good example for protocols combining multiple metrics to select next hop towards the destination. With NADV, the selection of next hop is a trade-off between the advance towards the destination and the transmission cost. For this, we have simulated our approach with NADV to evaluate the additional overhead generated by our approach when using protocols combining multiple metrics to select next hop. We have measured 3 performance metrics:

Table 1 Simulation parameters. Parameter

Value

Number of nodes Simulation area Transmission range of nodes Source data pattern (each) Packet size HSecGR header size Hash length Hash function

from 15 to 55 nodes 1000 m×300 m 150 m 8 packets/second 1024 bytes/packet 50 bytes 128 bits (16 bytes) MD5

1. Average latency: Latency is the time required for a packet to be transmitted from a source node to a destination node. Therefore, the average latency is the sum of latencies of all packets divided by the total number of received packets.

packets sent to isolate malicious nodes in the network. However, this overhead does not consume a lot of bandwidth because acknowledgements and report packets used in our approach consist of a header and don’t carry a payload (data). In addition, the intermediate nodes ignore unauthenticated packets and don’t acknowledge an unauthenticated packet to minimize the additional traffic in the network. Hash functions used in our approach generate codes with very low size and the header added to the packet doesn’t add a large overhead to the packet according to the real size of the data packet.

Average _latency

=

(∑

n

i =1

(reception _time

−

)

sending _time) / n

where: n is the number of received packets. 2. Packet overhead: The number of packet transmissions; for example, a packet forwarded through 4 hops is considered as 4 packets in this metric. 3. Byte overhead: The number of bytes transmissions; for example, a packet with 1024 bytes forwarded through 4 hops is considered as 1024*4=4096 bytes overhead in this metric.

4. Simulation and analysis All results shown in the following are the average of 30 independent scenarios.

We have used J-Sim as a simulation environment to evaluate the performances of our security approach. Nodes used in our simulations are considered homogeneous: having the same calculation and memory capacity, the same transmission range and equipped with the same IEEE 802.11 communication interfaces. These nodes are deployed inside a square size of 1000 by 300 creating topologies containing from 15 to 55 nodes. Node's positions are generated randomly. Each node generates random packets of 1024 bytes toward random destinations. The table below summarizes parameters used: (Table 1).

4.1.1. End to end delivery delay Fig. 4 shows the end to end transmission delay of the three protocols NFP, MFR, and NADV using and without using our security approach. From the figure, it can be noted that the end to end transmission delay obtained with NFP routing protocol is very high and this can be justified by the number of intermediate nodes selected by NFP protocol to forward packets from the source node to the destination. Effectively, with NFP protocol, a node selects its nearest neighbor toward the destination as next hop to forward packets. This selection strategy increases the number of hops along the path between the source and the destination. As each intermediate node takes time for processing a packet (encapsulation, next hop selection, queuing, etc.), the end to end transmission delay increases with NFP protocol. In contrary, with MFR routing protocol, a node selects the closest neighbor toward the destination as next hop to forward packets which allows reducing the number of intermediate nodes that constitutes the path between the source and the destination and so reducing end to end transmission delay. We can also note that the end to end delay obtained when applying our security approach is higher. And this can be justified by the additional processing performed at each intermediate node. Indeed, with our security approach, each intermediate node performs additional processing such as: computing MAC1 to authenticate the forwarded packet, replacing MAC1 field with a new one, and

4.1. Performance evaluation To evaluate the performances of our security approach, we have simulated our security approach with NFP (Al-shugran et al., 2013) and MFR (Al-shugran et al., 2013) geographic routing protocols. The functioning of our approach is mainly based on the acknowledgments sent by each intermediate node along the end-to-end path. Basically, the additional traffic generated by the approach depends on the number of intermediate nodes along the end-to-end path; more nodes in the path implies more overhead generated in the network. Moreover, the end-to-end transmission delay (latency) is affected by the number of hops along the path since our approach applies more processing in each hop. To gauge these two metrics, we have chosen MFR and NFP geographic routing protocols. According to the study performed in (Al-shugran et al., 2013), MFR and NFP are two protocols representing the basic functioning of geographic routing where the distance is the only metric used to select the next forwarding node. Based only on the distance, with NFP each node selects its closest neighbor to forward a packet. Consequently, the number of intermediate nodes along the endto-end path will be the maximum. With MFR, each node selects its furthest neighbor towards the destination to forward a packet which minimizes the number of intermediate nodes along the end-to-end path. Since NFP maximizes the number of intermediate nodes and MFR minimizes the number of intermediate nodes along the end-toend path, using our approach with NFP allows us to study the maximum additional traffic and the maximum end-to-end transmission delay. On the other hand, using our approach with MFR allows us to study the minimum additional traffic and the minimum end-to-end transmission delay. The number of intermediate nodes selected along the end-to-end path when using other metrics will be comprised

Fig. 4. End to end delivery delay.

195

Journal of Network and Computer Applications 80 (2017) 189–199

M. Boulaiche, L. Bouallouche-Medjkoune

Fig. 5. Packet Overhead.

Fig. 6. Byte overhead.

sending an acknowledgment to the source node which increases the end to end transmission delay. However, this augmentation is related proportionally to the number of intermediate nodes along the path; the more nodes in the path taken by the packet the more additional processing on the packet and so the more end to end transmission delay. This is what the figure shows, when applying our approach with NFP routing protocol, the end to end transmission delay increases in a very high way. And when applying our approach with MFR and NADV protocols, the end to end delay obtained is relatively less high. We can also note that the network density greatly influences the end to end transmission delay when applying our approach with NFP routing protocol. In conclusion, the end to end transmission delay is related proportionally to the way a routing protocol uses for selecting next forwarding node.

also note that the usage of our security approach increases the byte overhead generated in the network. This is due to the header added by our approach in one hand and the acknowledgments sent back to the source node on the other hand. However, the additional byte overhead generated by our approach is relatively small compared with that generated without using our approach. The header size added by our approach is quite small compared with the complete size of the data packet (the header size represents only a small percentage of the whole packet size). The acknowledgment used in our approach consists of a header without any payload which means that the acknowledgments sent back to the source node don’t generate so much overhead in the network. We can also remark that the overhead generated when applying our security approach with MFR and NADV routing protocols is relatively small. Whereas, when applying our approach with NFP routing protocol the overhead generated is relatively high. This can be justified by the number of intermediate nodes selected by each protocol to forward packets towards the destination. Effectively, contrary to NFP, the strategy used by MFR and NADV routing protocols to select the next forwarding node allows reducing the number of intermediate nodes along the path between the source and the destination. This allows reducing the number of acknowledgement packets sent back to the source node and so reducing the additional overhead generated in the network. In conclusion, our security approach performs well with protocols that minimize the number of hops between the source and the destination.

4.1.2. Packet overhead Fig. 5 depicts the number of packets generated in the network by the three protocols NFP, MFR, and NADV using and without using our security approach. The figure shows that the number of packets generated in the network when applying our security approach is greater than that generated without using our security approach. This can be justified by the number of acknowledgement packets sent by each intermediate node toward the source node in one hand and report packets sent to isolate malicious nodes on the other hand. Indeed, in our approach, each intermediate node along the path (source-destination) should send back an acknowledgment packet toward the source node which increases the number of packets generated in the network when applying our security approach. The figure also shows that the number of generated packets in the network depends on the routing protocol used. When using our approach with MFR and NADV routing protocols, the number of packets generated in the network is relatively less high. Whereas, when using our approach with NFP protocol, the number of packets generated in the network is relatively high. Effectively, the number of intermediate nodes in the path between the source and the destination with NFP routing protocol is greater than that with MFR and NADV routing protocols. And since each intermediate node sends back an acknowledgment when applying our approach, the number of packet generated when applying our approach with NFP is relatively high. The more intermediate nodes in the path between the source and the destination the more acknowledgements generated in the network and so the more packets overhead in the network. In conclusion, the packet overhead is related proportionally to the way a routing protocol uses for selecting next forwarding node.

4.2. Attacks detection efficiency In this section, we will evaluate the detection efficiency of our approach against black hole attack. In this type of attacks, a malicious node drops all packets or some packets that go through it. To evaluate the efficiency of our approach against this attack, we have chosen watchdog as a comparison approach. To compare our approach with watchdog, we have measured the following metrics: 1. Delivery ratio: the delivery ratio represents the fraction of packets sent that are actually received by the respective destination node among all packets sent ((the number of received packets / the number of all packets sent)*100). 2. Detection ratio: the detection ratio represents the percentage of true attackers isolated among all nodes isolated ((the number of isolated attackers / the total number of isolated nodes)*100). As our approach is a generic security mechanism that can be used with any geographic routing protocol in ad hoc networks, we have chosen NFP and MFR protocols to evaluate the detection efficiency of our security approach. Fig. 7 shows the delivery ratio marked with our security approach, watchdog approach, and without any security mechanism measured on the two geographic routing protocols NFP (Fig. 7a) and MFR (Fig. 7b). According to the results shown in the Figure, we can see that geographic routing is greatly affected by black hole attack which

4.1.3. Byte overhead Fig. 6 illustrates the byte overhead generated in the network by NFP, MFR, and NADV protocols using and without using our security approach. The figure shows that the NFP routing protocol generates more byte overhead in the network compared to MFR and NADV routing protocols. This is due to the strategy used by NFP protocol when selecting next forwarding node which increases the number of intermediate nodes in the path between the source and destination. We 196

Journal of Network and Computer Applications 80 (2017) 189–199

M. Boulaiche, L. Bouallouche-Medjkoune

Fig. 9. Detection ratio.

watchdog. The reason is that with watchdog, an attacker can circumvent the watchdog by dropping packets at a lower rate than the watchdog's configured minimum misbehavior threshold or after a collision an attacker could skip retransmitting the packet without being detected. Fig. 8 illustrates the delivery ratio of our approach, watchdog, and without any security mechanism measured with the time. From the figure we can see that delivery ratio converges to the normal case without attack, i.e., at the beginning of simulation, the delivery ratio is significantly affected by blackhole attack when applying our security approach or watchdog. Subsequently, delivery ratio increases to become closer to that measured in the normal case (case without attack). The reason for this is that with our security approach or watchdog, nodes require some time at the beginning of the simulation in order to detect and isolate attackers in the network. In contrast, without applying any security approach, attackers continue to drop packets in the network without being detected or isolated and so the delivery ratio measured with NFP or MFR without applying any security mechanism continue to give low values for all the duration of the simulation. Fig. 9 shows the detection ratio of our approach versus watchdog on both NFP and MFR-based network. As depicted in the figure, the detection ratio of our approach outperforms that of watchdog which has multiple drawbacks such as false misbehavior reports in which a node falsely report innocent nodes as malicious nodes, or insufficient transmission power in one hand and because of selective forwarding in which the attacker sometimes forwards the packets and sometimes it drops them on the other hand. Note here that with our security approach, non malicious droppers (such as local minima or insufficient transmission power) are considered as malicious droppers, which slightly degrades the detection ratio.

Fig. 7. Impact of black hole attack on geographic routing.

requires the adaptation of a security mechanism to protect it against this attack. Indeed, the delivery ratio decreases to 10% with NFP protocol when the number of attackers represents 32% of the nodes in the network and decreases to 18% with MFR protocol when the number of attackers represents 32% of the nodes in the network. In contrast, when applying our security approach, delivery ratio continues in a steady way with the increasing number of attackers in the network in both NFP and MFR-based networks. And this proves the efficiency of our isolating system that allows nodes to isolate attackers in the network and avoid them when forwarding packets towards the destination which improves the delivery ratio. We can see as well, that the delivery ratio of our security approach is better than that of

5. Conclusion and future work The functioning of a wireless ad hoc network mainly relies on multihop communication of nodes that cooperate with each other to connect the remote nodes. Many geographic routing protocols for wireless ad hoc networks have been proposed. However, these protocols have been proposed for trusted environments. Due to the broadcast nature of wireless channel, an attacker can disrupt the routing process by launching several attacks on routing protocols. In this paper, we proposed and evaluated a new security approach that allows securing geographic routing protocols. We based the design of our approach on efficient one-way hash functions to meet networks resources constraints. Simulation results show that our security approach gives better results in terms of end to end delay and packets/bytes overhead with an MFR based network than with an NFP based network. The comparison of our approach with watchdog approach has shown the efficiency of our approach in terms of isolating malicious nodes and so increasing delivery ratio. However, considering non malicious droppers as malicious slightly degrades the detection ratio. A potential solution to this problem may be to send an error packet whenever a node

Fig. 8. Delivery ratio in the presence of 4% of attackers.

197

Journal of Network and Computer Applications 80 (2017) 189–199

M. Boulaiche, L. Bouallouche-Medjkoune

encounters a local minima or insufficient transmission power. Simulation results show that our approach performs well, in terms of additional overhead and end to end transmission delay, with protocols

minimizing the number of intermediate hops along the path between the source and the destination.

Appendix The BAN's notations and rules used in our protocol proof (Section 3.5) are presented here as they are explained in Burrows et al. (1990), where: the symbols P and Q are principals; X and Y are statements; and K is encryption key. Basic notations

• • • • • •

P |≡ X: P believes X, or P would be entitled to believe X. In particular, the principal P may act as though X is true. This construct is central to the logic. P ⊲X : P sees X. Someone has sent a message containing X to P. P |~X : P once said X. The principal P at some time sent a message including the statement X. It is not known whether the message was sent long ago or during the current run of the protocol, but it is known that P believed X then. #(X): The formula X is fresh; that is, X has not been sent in a message at any time before the current run of the protocol. P |≡Q↔ : P and Q may use the shared key K to communicate. The key K is good, in that it will never be discovered by any principal except P or Q, K

or a principal trusted by either P or Q. {X}K: This represents the formula X encrypted under the key K.

Logic postulates Rule 1: If P believes that the key K is shared with Q and sees X encrypted under K, then P believes that Q once said X.

K P |≡ Q ↔ P, P◁{X}K P |≡ Q |~ X

(R1)

Rule 2 (Nonce verification): if P believes that X could have been uttered only recently (in the present) and that Q once said X (either in the past or in the present), then P believes that Q believes X.

P |≡ #(X ), P |≡Q |∼X P |≡ Q |≡X

(R2)

Rule 3: If a principal sees a formula, then he also sees its components, provided he knows the necessary keys:

P⊲(X, Y) P⊲X

(R3)

Rule 4: If one part of a formula is fresh, then the entire formula must also be fresh:

P |≡#(X) P |≡#(X, Y )

(R4)

modular solution. Ad Hoc Netw. 7, 1243–1258. Johnson, D.B., Hu, Y.-C., Perrig, A., 2003. SEAD: secure efficient distance vector routing for mobile wireless ad hoc networks. Ad Hoc Netw. 1 (1), 175–192. Karp, B., Kung, H., 2000. GPSR: Greedy perimeter stateless routing for wireless networks. In: Proceedings of the 6th Annual International Conference on Mobile Computing and Networking. ACM Press, pp. 243–254. Kevin, L.Marti, S., Giuli, T.J., Mary, B., 2000. Mitigating routing misbehavior in mobile ad hoc networks. In: Proceedings of the 6th annual international conference on Mobile computing and networking (MobiCom’00), pp. 255–265. Kim, J., Tsudik, G., 2009. SRDP: secure route discovery for dynamic source routing in MANETs. Ad Hoc Netw. 7, 1097–1109. Kleerekoper, A., Filer, N.P., 2015. Perfect link routing for energy efficient forwarding in geographic routing. Ad Hoc Netw. 30, 46–62. Lee, S., Bhattacharjee, B., Banerjee, S., Han, B., 2010a. A general framework for efficient geographic routing in wireless networks. Comput. Netw. 54 (5), 844–861. Lee, S., Bhattacharjee, B., Banerjee, S., Han, B., 2010b. A general framework for efficient geographic routing in wireless networks. Comput. Netw. 54 (5), 844–861. Levine, B.N., Shields, C., Sanzgiri, K., Dahill, B., Belding-Royer, E.M., 2002. A secure routing protocol for ad hoc networks. In: Proceedings of the10th IEEE International Conference on Network Protocols (ICNP),pp. 78–87. Lyu, Chen, Gu, Dawu, Zhang, Yuanyuan, Lin, Tingting, Zhang, Xiaomei, 2013. Towards efficient and secure Geographic routing protocol for hostile wireless sensor networks. Int. J. Distrib. Sens. Netw. Vol., 11. M.R., Lyu X., Li, J., Liu. 2004. A trust model based routing protocol for secure ad-hoc networks. In: Proceedings of Aerospace Conference (AC’04), pp. 1286–1295. Marin-Perez, R., Ruiz, P.M., October 2011. SBGR: a simple self-protected beaconless

References Ade, S.A., Tijare, P.A., 2010. Performance comparison of aodv, dsdv, olsr and dsr routing protocols in mobile ad hoc networks. Int. J. Inf. Technol. Knowl. Manag. 2 (2), 545–548. Al-shugran, M., Ghazali, O., Hassan, S., Nisar, K., Suki, A., Arif, M., 2013. A qualitative comparison evaluation of the greedy forwarding strategies in mobile Ad Hoc network. J. Netw. Comput. Appl. 36, 887–897. Baadache, A., Belmehdi, A., 2012. Fighting against packet dropping misbehavior in multi-hop wireless ad hoc networks. J. Netw. Comput. Appl. 35, 1130–1139. Baadache, A., Belmehdi, A., 2014. Struggling against simple and cooperative black hole attacks in multi-hop wireless ad hoc networks. Comput. Netw. 73, 173–184. Boukerche, A., Turgut, B., Aydin, N., Ahmad, M.Z., Boloni, L., Turgut, D., 2011. Routing protocols in ad hoc networks: a survey. Comput. Netw. 55, 3032–3080. Boulaiche, M., Bouallouche-Medjkoune, L., 2015. EGGR: Energy-aware and delivery Guarantee Geographic Routing protocol. Wirel. Netw. 21 (6), 1765–1774. Buchegger, S., Le Boudec, J.Y., 2005. Self-policing mobile ad hoc networks by reputation systems. IEEE Commun. Mag. 43 (7), 101–107. Burrows, M., Abadi, M., Needham, R., 1990. A logic of authentication. ACM Trans. Comput. Syst. 8 (1), 18–36. Buttyan, L., Acs, G., Vajda, I., 2006. Provably secure on-demand source routing in mobile ad hoc networks. IEEE Trans. Mob. Comput. 11 (5), 1533–1546. Chen, D., Varshney, P.K., 2007. A survey of void handling techniques for Geographic routing in wireless networks. IEEE Commun. Surv. Tutor. 9 (1), 50–67. Djenouri, Djamel, Badache, Nadjib, 2009. On eliminating packet droppers in MANET: a

198

Journal of Network and Computer Applications 80 (2017) 189–199

M. Boulaiche, L. Bouallouche-Medjkoune

identification support in wireless networks. Comput. Netw. 54, 3431–3448, (2010). Tyagi, S., Kumar, N., 2013. A systematic review on clustering and routing techniques based upon LEACH protocol for wireless sensor networks. J. Netw. Comput. Appl. 36 (2), 623–645. D., Tygar, A., Perrig, R., Canetti, D., Song, 2002. The TESLA broadcast authentication protocol. RSA Cryptobytes (RSA Laboratories). vol. 5(2), pp. 2–13. Wang, J., Chen, H., Lin, Y., 2010. A secure destination-sequenced distance-vector routing protocol for ad hoc networks. J. Netw. 5 (8), 942–948. Won, M., Zhang, W., Stoleru, R., 2013. GOAL: a parsimonious geographic routing protocol for large scale sensor networks. Ad Hoc Netw. 11 (1), 453–472. Yi, S., Kravets, R., Naldurg P., 2001. A security-aware routing protocol for wireless ad hoc networks. In: Proceedings of the ACM Symposium on Mobile Ad Hoc Networking and Computing Yu, Ming, Zhou, Mengchu, Su, Wei, 2009. A secure routing protocol Against Byzantine attacks for MANETs in adversarial environments. IEEE Trans. Veh. Technol. 58 (1), 449–460. M.G., Zapata, N., Asokan, 2002. Securing ad hoc routing protocols. In: Proceeding of ACM Workshop on Wireless Security (WiSe), ACM Press, pages 1–10. Zhang, Yujun, Yan, Tan, Tian, Jie, Hu, Qi, Wang, Guiling, Li, Zhongcheng, 2014. TOHIP: a topology-hiding multipath routing protocol in mobile ad hoc networks. Ad Hoc Netw. 21, 109–122.

geographic routing for wireless sensor networks. In: Proceedings of the IEEE 8th International Conference on Mobile Ad hoc and Sensor Systems (MASS), pp. 610– 619, . Md Zin, S., Anuar, N.B., Kiah, M.L.M., Pathan, A.K., 2014. Routing protocol design for secure WSN: review and open research issues. J. Netw. Comput. Appl. 41, 517–530. Milocco, R.H., Costantini, H., Boumerdassi, S., 2014. Improved geographic routing in sensor networks subjected to localization errors. Ad Hoc Netw. 13, 476–486. Mulert, J., Welch, I., Seah, W.K.G., 2012. Security threats and solutions in manets: a case study using aodv and saodv. J. Netw. Comput. Appl. 35 (4), 1249–1259. Pathak, V., Yao, D., Iftode, L., 2008. Securing geographical routing in mobile ad-hoc networks. Department of Computer Science, Rutgers University, Tech. Rep, vol. 638. Peng, B., Kemp, A.H., 2011. Energy-efficient geographic routing in the presence of localization errors. Comput. Netw. 55 (3), 856–872. Perrig, A., Hu, Y.C., Johnson, D., 2005. Ariadne: a secure on-demand routing protocol for ad hoc networks. Wirel. Netw. 11 (1–2), 21–38. Qazi, S., Raad, R., Mu, Y., Susilo, W., Securing, D.S.R., 2013. against wormhole attacks in multirate ad hoc networks. J. Netw. Comput. Appl. 36 (2), 582–592. A.H.K.D., Sarma, B.A., Kar, C.R., Mall, 2011. Secure routing protocol for mobile wireless sensor network. In: Proceedings of the IEEE Sensors Applications Symposium. Song, Joo-Han, Wong, Vincent W.S., Victor, C.M. Leung, 2007. Secure position-based routing protocol for mobile ad hoc networks. Ad Hoc Netw. 5, 76–86. Tao, S., Ananda, A.L., Chan, Mun Choon, 2010. Greedy face routing with face

199