MrFair: Misbehavior-resistant fair scheduling in wireless mesh networks


Ad Hoc Networks 10 (2012) 299–316

Contents lists available at ScienceDirect

Ad Hoc Networks journal homepage: www.elsevier.com/locate/adhoc

Mihui Kim a,*, Varagur Karthik Sriram Iyer b,1, Peng Ning b

a Department of Computer Engineering, Hankyong National University, Republic of Korea
b Department of Computer Science, North Carolina State University, Raleigh, NC 27695, United States

Article info

Article history: Received 6 July 2010; Received in revised form 19 May 2011; Accepted 5 July 2011; Available online 12 July 2011

Keywords: Wireless mesh networks; Fair scheduling; Misbehavior resistance; Authentication

Abstract

It is a critical issue to ensure that nodes and/or flows have fair access to the network bandwidth in wireless mesh networks (WMNs). However, current WMNs based on IEEE 802.11 exhibit severe unfairness. Several scheduling schemes have been proposed to ensure fairness in WMNs. Unfortunately, all of them implicitly trust nodes in the network, and thus are vulnerable to the misbehavior of nodes participating in scheduling. In this paper, we address the threats to fair scheduling in WMNs resulting from node misbehavior and present a generic verification framework to detect such misbehavior. Moreover, we develop two verification schemes based on this framework for distributed and centralized authentication environments, respectively. We validate our approach by extending an existing fair scheduling scheme and evaluating it through simulation. The results show that our approach improves misbehavior detection with light performance overhead.

© 2011 Elsevier B.V. All rights reserved.

* Corresponding author. Tel.: +82 31 670 5167; fax: +82 31 670 5169. E-mail addresses: [email protected] (M. Kim), varaguri@microsoft.com (V.K. Sriram Iyer), [email protected] (P. Ning).
1 Present address: Microsoft Corporation, One Microsoft Way, Redmond, WA, United States.
1570-8705/$ - see front matter © 2011 Elsevier B.V. All rights reserved. doi:10.1016/j.adhoc.2011.07.001

1. Introduction

Wireless mesh networks (WMNs) are becoming increasingly popular as a means to establish cost-effective and efficient public area networks. WMNs are easy to deploy and expand compared to wireless LANs (WLANs). Fig. 1 shows an example of an infrastructure WMN. A WMN usually consists of a gateway (GW) with a wired connection to the Internet and a number of transit access points (TAPs), where client nodes generate and receive traffic through the closest TAP. A WMN can cover the same area as a WLAN but at a much lower cost. It is highly desirable to maximize the throughput of clients while ensuring fair allocation of bandwidth in a WMN. However, WMNs using contention based IEEE 802.11 suffer from severe spatial unfairness. The throughput of nodes farther away from the gateway is far less than the throughput of those closer [1]. As an alternative to such contention based solutions, time division multiple access (TDMA) based fair scheduling schemes [2–5], which regulate the amount of bandwidth allocated to the nodes, have been considered. Existing fair scheduling schemes are classified into two categories, distributed [4–6] and centralized [2–4] schemes, according to the deployment environment. However, all of these scheduling schemes depend on traffic load information exchanged for the fair allocation of bandwidth among the nodes. Hence, it is critical that control messages containing traffic demand information are accurate and reflect the true demand.

The nature of WMNs makes them vulnerable to a number of threats. Since the use of cheap infrastructure is one of the attractive features of a WMN, it cannot be guaranteed that all components of the network are physically secure against tampering or replication by the adversary. As a result, they become active targets of any adversary who attempts to compromise and gain entry into the network. Similarly, clients are also potential targets and stepping stones to penetrate the network, and thus cannot be fully trusted. Compromised TAPs and client nodes pose a serious threat to the fairness guarantee. Most scheduling schemes [4–8] assume that the TAPs report correct demands in their respective neighborhoods in order to enable the

300

M. Kim et al. / Ad Hoc Networks 10 (2012) 299–316

[Fig. 1: diagram; labels Wired Link, Internet, GW, TAP]
Fig. 1. Infrastructure wireless mesh network.

computation of an efficient schedule. Consequently, these schemes are vulnerable to a number of threats in the presence of compromised nodes.

In this paper, we address the threats to fair scheduling in WMNs caused by the misbehavior of compromised nodes. Specifically, we make the following contributions:

• We analyze the threats of node misbehavior to fair scheduling in WMNs and illustrate the negative impact of node misbehavior on the performance of an existing fair scheduling scheme. To the best of our knowledge, this is the first paper that discusses the impact of node misbehavior on fair scheduling in WMNs.
• We present a generic verification framework for the detection of node misbehavior during fair scheduling and develop two concrete misbehavior detection schemes based on this framework. The first scheme is designed for a distributed authentication environment, where we use digital signatures to generate verifiable commitments and demands. The second scheme is developed for a centralized authentication environment, in which we take advantage of symmetric cryptographic primitives to verify commitments and demands.
• We validate our approach by extending an existing centralized fair scheduling scheme named CIRMA [4], which does not consider node misbehavior, and evaluating it through simulation. Based on the simulation results, we demonstrate that a fair scheduling scheme with an instance of the verification framework can quickly defend against misbehavior while incurring minimal overhead.

The rest of the paper is organized as follows. Section 2 discusses related work. Section 3 clarifies the assumptions and adversary model, and illustrates the impact of misbehavior. Section 4 describes the generic verification framework for the detection of misbehavior during fair scheduling, and presents two verification schemes for distributed and centralized authentication environments, respectively. Section 5 discusses the security of the proposed schemes.
Section 6 presents our simulation evaluation. Finally, Section 7 concludes this paper and points out some future research directions.

2. Related work

It has been shown that IEEE 802.11 based networks are inherently unfair due to the use of a contention based MAC protocol [1]; the throughput of a flow in such a network is inversely proportional to the number of hops it traverses. Several groups of researchers [4–8] have pursued countermeasures for unfairness in IEEE 802.11 based WMNs at three different levels: (i) per-TAP fairness, (ii) per-client fairness, and (iii) per-flow fairness. The inter-TAP fairness algorithm (IFA) was aimed at per-TAP fairness [6]. It relies on the exchange of offered loads and link capacities among the nodes in a branch to enable TAPs to compute their fair shares and limit the traffic from client nodes. Several approaches focused on per-client fairness. A distributed scheduling algorithm [5] employed the spatial reuse of TDMA [9] with client demand information exchanged among nodes. An integrated routing and MAC scheduling protocol (IRMA) [4] was developed to implement a cross-layer scheduling scheme with routing that maximizes throughput and ensures fairness in the mesh network based on traffic flow specifications provided by nodes. There were also attempts to achieve per-flow fairness. A co-ordinated congestion control algorithm (C3L) [7] adopted a centralized traffic engineering approach based on the latest traffic loads, in order to perform global bandwidth allocation and provide end-to-end flow-level max–min fairness. A fair flow control (FFC) mechanism [8] used the traffic profiles of flows provided by nodes to achieve the best max–min fair flow control. All of the above approaches look at the problem from the perspective of maximizing the throughput of the network while preserving the fairness guarantee. They are based on gathered or shared demand or measurement information. However, none of them considers potential security threats against the network.

Besides fair scheduling, researchers have also attempted to address the security threats in WMNs. Glass et al. [10] pointed out the fairness problem as the responsibility of the MAC layer or routing protocol and introduced IEEE 802.11s as a way to partially address the security problem. However, this result cannot handle threats from compromised nodes. Salem et al. [10–12] discussed challenges and fundamental operations to make WMNs secure, particularly the detection of corrupted TAPs and securing the routing mechanisms. However, they do not address the impact that corrupted nodes might have on fairness. A security scheme for WMNs [13] included a key distribution and a detection mechanism against malicious clients. Unfortunately, compromised nodes can still ruin the fair scheduling even with proper key distribution, and the detection mechanism cannot be used to defend against the various misbehaviors involved in fair scheduling. Intrusion detection and tolerance have been considered for diagnosing and tolerating misbehavior [14,15]. Tian et al. [14] provided an intrusion detection model based on multichannel monitoring and anomaly analysis using adaptive machine learning and genetic search. Makaroff et al. [15] introduced a general asset-driven approach to managing the large attack space. However, such anomaly detection approaches are based on developing a long-term profile of normal activities. They cannot immediately deal with the misbehaviors considered in this paper. For example, compromised nodes with authentication credentials can easily hide their unfair resource usage. Defense mechanisms against selfish misbehavior in the MAC or the routing layer are worth considering for securely guaranteeing fairness in WMNs. Kyasanur and Vaidya [16] modified the IEEE 802.11 distributed coordination function (DCF) mode to defend against such misbehavior in the MAC layer. Li et al. [17] utilized the channel seizing and back-off behavior of nodes to achieve the same goal in the MAC layer. Moreover, Oliviero and Romano [18] and Martignon et al. [19] provided solutions against routing misbehavior, evaluating the trustworthiness of the other mesh routers through direct observation by watchdogs. All of them enhanced the tolerance against selfish misbehavior in the MAC or the routing layer. However, they cannot cope with the adversary model of this paper, as explained in the next section. Overall, existing fair scheduling mechanisms have overlooked the security threats introduced by misbehaving nodes. Indeed, none of the current security approaches is a proper solution for addressing this problem. The primary objective of this paper is to address the threats posed by misbehaving nodes to fair scheduling in WMNs.


Table 1. Cryptographic notation.

Notation            Description
[M]_X               Digital signature on message M by entity X
M1 || M2            Message M1 concatenated with message M2
H(M)                Hash image of M using the one-way hash function H
MAC_{k_XY}(M)       Message authentication code for M using secret key k_XY
X → Y : M           Entity X sends message M to entity Y

3. System and adversary models

3.1. System model and assumption

As shown in Fig. 1, we consider a generic single-channel infrastructure WMN consisting of three types of nodes: client nodes (M) as the end points of the network, a wireless gateway (GW) as an access router toward the wired Internet, and TAPs (T) which form a static wireless backbone. Client nodes connect to this backbone by associating themselves with the closest TAP. A client is assumed to be associated with only one TAP at any given time. The mesh network may have one or more wireless GWs. For simplicity, in this paper we consider an infrastructure WMN with a single GW. However, in WMNs with multiple GWs, our verification schemes can easily be extended by sharing the verification information among the GWs. Our system is based on centralized per-client fair scheduling. Thus the GW has the main role in calculating a link schedule. However, our verification approach can be smoothly applied to the distributed version or to other gradual fairness scheduling mechanisms by distributing the verification result to the scheduler nodes and adjusting the contents of commitments and demand claims.

We make the following assumptions regarding the security of the entities in a WMN. All benign nodes are time synchronized and scheduling is performed periodically. TAP–TAP communication and TAP–GW communication are authenticated. The GW is the only trusted entity in the network, and TAPs do not trust each other. There exists an underlying authentication framework that enables client authentication. The compromised nodes are a minority in the network, but the extent to which a node misbehaves is significant (i.e., defendable by verifying the related information). Table 1 lists the notation used in the discussion of our solutions.

3.2. Adversary model

In this paper, we assume the adversary can eavesdrop, capture, drop, resend, delay, or alter packets. Moreover, the adversary can introduce, capture, tamper with or replicate client nodes and TAPs, but not the gateway or the backend authentication infrastructure. The adversary may be a legitimate (authenticated) user. Based on the adversary model, an attacker may misbehave in various ways in infrastructure WMNs, causing the network to arrive at an inconsistent schedule even with a base authentication framework. The threats can be classified into three categories based on the misbehaving node involved in scheduling.

3.2.1. TAP misbehaviors

• Reporting non-existent clients: A compromised TAP may create an inconsistent view of demands in the network by advertising a large local demand that does not exist in reality. Since the TAPs use this information to determine a schedule, the compromised TAP may be allocated more resources than it deserves.
• Reporting an incorrect list of clients: A compromised TAP may start by reporting correct local demand information but in time fail to report clients who have left the network. In a different case, the TAP may stop reporting clients that recently joined the network. These misbehaviors cause unfairness to the other TAPs in the network and to the clients connecting to the compromised TAP, respectively.
• Colluding: Two TAPs can collude in such a way that the first TAP transfers all its demand information to the second TAP, which may then claim this demand as its own. The first TAP may also forward the client credentials it receives to the second TAP, making demand information generated by the second TAP appear legitimate.


3.2.2. Client misbehaviors

• Sybil attack: A malicious client may masquerade as multiple clients and connect to the mesh network. As a result, a TAP could be fooled into reporting a large demand, while the share that it is allocated will all be consumed by the single client.
• Replicated clients: A compromised client node could be replicated and connect to the mesh network through different TAPs. The distributed nature of the network makes it hard for such replications to be detected. The replicated clients would then affect the calculation of the transmission schedule.
• Clients associated with more than one TAP: A malicious client may associate with more than one TAP within its extended communication range. Consequently, this client would be able to get bandwidth from all associated TAPs. This would create unfairness in the network in a situation where all clients are expected to get an equal share of the bandwidth.

3.2.3. Client and TAP collusion

• An attacker may compromise a TAP and circumvent the local authentication schemes embedded in the TAP. Consequently, the attacker may associate a large number of unauthorized or even non-existent clients with the mesh network. Hence, the mesh network will arrive at an inconsistent schedule, where the other legitimate TAPs and clients are penalized.

3.2.4. Negative impact of misbehaviors

Next we show how node misbehaviors negatively impact network performance through ns-2 simulation of CIRMA [4], an existing fair scheduling algorithm for WMNs. While CIRMA ensures fairness to all nodes in the network, it operates under the assumption that the per-flow bandwidth requests from nodes are accurate, without verifying their consistency. We use the same parameters as in the original paper that presented CIRMA [4], which are listed in Fig. 2a. The simulation is performed for a simple WMN topology as shown in Fig. 2b. The mesh network consists of a gateway node, three TAPs (T1, T2 and T3), and the same number of clients per TAP. The simulation increases the number of clients. Three source nodes, which are one, two and three hops away from the gateway node, are selected and generate constant bit rate (CBR) traffic at the rate of 1 Mbps towards the gateway node. The misbehavior is implemented in the form of a compromised TAP creating a bandwidth request for every associated client irrespective of the existence of actual demand at these clients.

We first measure Jain's fairness index [20] for CIRMA under normal behavior as well as in the presence of misbehavior, as shown in Fig. 3. In Fig. 3a and b, we vary the hop distance of a misbehaving TAP and the number of misbehaving TAPs, respectively. Fig. 3a seems to suggest that CIRMA guarantees fairness to all the flows in the network irrespective of the number of hops or the presence of misbehavior. However, as Fig. 3b shows, the aggregate throughput is drastically reduced in the presence of misbehavior. It is interesting to note that a single misbehaving node has a similar effect on the aggregate throughput to multiple misbehaving nodes. This shows that an attacker need only compromise a single TAP to have a significant impact on the throughput obtained by the clients in the network.

[Fig. 2: (a) table of simulation parameters; (b) topology diagram with flow1, flow2, flow3]
Fig. 2. Simulation parameters and topology.

[Fig. 3: (a) Fairness index (0.8–1.1) versus number of clients per TAP (2–10) for CIRMA normal, CIRMA 1-hop misb., CIRMA 2-hop misb., CIRMA 3-hop misb.; (b) Aggregate throughput of flows (0–0.6 Mbps) versus number of clients per TAP (2–10) for CIRMA normal, CIRMA 1 misb., CIRMA 2 misb., CIRMA 3 misb.]
Fig. 3. Effect of misbehavior on CIRMA.

Fig. 4. Proposed verification framework.

4. Verification framework

We first present a basic verification framework for detecting the various misbehaviors explained in Section 3.2. Based on a general authentication framework, it provides step-by-step confirmation of the commitments and bandwidth demands of clients and TAPs, until the scheduling node (i.e., the GW) uses the demands for the calculation of a fair schedule. We then instantiate this basic framework into two concrete verification schemes for distributed and centralized authentication environments, respectively.

4.1. Basic verification framework

Our basic verification framework is composed of client commitment, TAP commitment, demand claim, neighbor report, demand verification, and replication check, as shown in Fig. 4a. Clients first authenticate themselves to the TAP or GW through an underlying authentication framework that is assumed to exist in the network (e.g., a protocol for carrying authentication for network access (PANA²) [12]), and then establish the security association (SA). A typical PANA authentication exchange between the client and the GW [G] (phase I) is shown in Fig. 4b. In the distributed authentication environment, a general authentication can be performed between the client and the TAP [C]. If there is no verification phase, a general bandwidth request (phase II) is executed after the authentication phase. However, our verification framework performs the verification phase III instead of phase II in order to resist the threats to fair scheduling in WMNs resulting from node misbehavior.

1. Client commitment: A client generates a verifiable commitment to certify its association with a TAP in a particular scheduling round.
2. TAP commitment: After verifying the received client commitments, the TAP sends all its clients an aggregated commitment to certify the association between the TAP and its associated set of clients in a particular scheduling round. The associated clients verify the TAP commitment.
3. Neighbor report³: In order to verify the consistency between a TAP commitment and its related demand claim in a particular scheduling round, each TAP sends a verifiable version of the TAP commitment overheard from its neighbor TAPs to a verifying TAP. This is to detect a potentially compromised TAP that sends a demand claim different from the TAP commitment after authenticating itself to all its clients.
4. Demand claim: As a verifiable representation of the current demand at a TAP in a particular scheduling round, a TAP constructs a demand claim using the client and TAP commitments. The TAP then sends it to a verifying TAP determined by a seed value received from the GW. A demand claim of a TAP in each scheduling round may be verified at different verifying TAPs.
5. Demand verification: On receiving the demand information and the TAP commitment transferred through the neighbor report, a verifying TAP checks the consistency of the client lists in the two received messages and also verifies the demand. If any inconsistency is found during verification, it sends an alert to the GW. Otherwise, the verifying TAP sends a verified demand claim to the GW, which uses the demand to compute a schedule.
6. Replication check: Lastly, the GW performs a client replication check after receiving all verified demand claims.

² PANA allows clients to become authenticated in the network using the existing authentication infrastructure without necessarily being aware of the protocol used by this infrastructure. Thus, it can provide a common authentication framework.
³ As shown by the measurement results obtained from a single-channel Roofnet with 37 TAPs over a 4 km² city [21], most TAPs have many neighbors (maximum 22 TAPs) and the majority of TAPs use many neighbors in routing rather than just one or two (maximum 10 TAPs). Therefore, in our assumed single-channel WMN, a Neighbor Report can be generated after the surrounding TAPs overhear the commitment delivered by a TAP to its associated clients.

4.2. Verification in a distributed authentication environment

In this subsection, we instantiate the basic verification framework into a concrete scheme for a network environment where clients are authenticated by the associated TAPs. A public area wireless mesh network (PAWMN), such as those deployed at airports and shopping centers, is an example of this type of network. Such mesh networks offer network services for free or at subsidized rates to all customers without a predefined contract. There exists no predefined relationship between the clients and the network, but authentication is necessary for proving the identity of a client.

4.2.1. Client commitment

Initially, clients identify the TAP with which they wish to associate, mostly the nearest TAP, in order to access the network. The clients then initiate the mutual authentication and association session.
At the beginning of the next scheduling round, each client sends the TAP a verifiable commitment, which binds its own ID with the ID of the associated TAP and a time stamp using a digital signature. However, a TAP may not always have a consistent view of the client demand even in the presence of only well-behaved clients. Generally, a client may simply power down or terminate its connection and leave the network without notification. One way to address this problem would be for the TAP to receive a fresh commitment from the clients at the beginning of every scheduling round. However, this should not be a cumbersome process for clients with low computational abilities, such as generating a new signature on the same commitment with a different time stamp in every round. In order to lighten this process, we use a hash chain for re-authentication. In the initial client commitment, a client M_i includes a hash value x^0_{M_i} as an authentication token for the verification of commitments in the following rounds. In the first scheduling round after the client M_i has associated with a TAP T_j (t^1_{M_i} is the start time of the scheduling round), the client M_i sends the TAP T_j the first commitment with its signature as shown below.

$$M_i \rightarrow T_j : Comm^0_{M_i}$$

where

$$Comm^0_{M_i} = \langle M_i,\; x^0_{M_i},\; L,\; t^1_{M_i},\; [M_i \,\|\, T_j \,\|\, x^0_{M_i} \,\|\, t^1_{M_i}]_{M_i} \rangle$$

and

$$x^0_{M_i} \xleftarrow{H} x^1_{M_i} \xleftarrow{H} x^2_{M_i} \xleftarrow{H} x^3_{M_i} \xleftarrow{H} \cdots \xleftarrow{H} x^{L-1}_{M_i}$$

Then, for any lth (0 < l < L) scheduling round, the client M_i sends the TAP T_j the simplified commitment shown below.

$$M_i \rightarrow T_j : Comm^l_{M_i}, \quad \text{where } Comm^l_{M_i} = \langle M_i,\; x^l_{M_i} \rangle$$

After a signature verification of the first commitment Comm^0_{M_i}, the TAP T_j can verify this simplified commitment by performing a hash operation on x^l_{M_i} and checking that it equals x^{l-1}_{M_i}, which was received in the previous round.

4.2.2. TAP commitment

The TAP T_j, on receiving the commitment, verifies the client ID M_i and the association specified in the commitment. Once the TAP has received and verified commitments from all the clients that wish to associate with it, it generates an aggregated commitment Comm_{T_j} and sends this commitment to its clients, where Comm_{T_j} = [H(M_i || ... || M_j) || t_current]_{T_j} and t_current is the start time of the current scheduling round.

$$T_j \rightarrow M_{i,\ldots,j} : M_i, \ldots, M_j, Comm_{T_j}, \quad \forall M_i, \ldots, M_j \text{ associated with TAP } T_j$$
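The client commitment and TAP commitment steps of Sections 4.2.1 and 4.2.2, written out as an added Python example (this is not code from the paper). A client derives its hash chain and publishes the anchor x^0 in a signed first commitment; the TAP accepts that commitment only if the signature binds the TAP's own ID, accepts a round-l token only when hashing it once per elapsed round reproduces the last accepted token (bounded by an assumed MAX_SKIP, so a client that missed a few rounds need not re-sign), and rejects replayed or forged tokens; it then builds its aggregated commitment over the verified client list. SHA-256 stands in for H and an HMAC under a per-entity key stands in for the digital signature [M]_X of Table 1, an assumption made so the example runs with the standard library only; all class, function and field names are this example's.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Assumptions of this example (not the paper's code): SHA-256 is H; an HMAC under a
# per-entity secret stands in for the public-key signature [M]_X of Table 1; MAX_SKIP is
# an assumed bound on rounds a client may miss before it must send a fresh signed Comm^0.
MAX_SKIP = 3


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_sig(key: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, msg), sig)


def build_hash_chain(seed: bytes, length: int) -> List[bytes]:
    """Return [x^0, ..., x^{L-1}] with x^{l-1} = H(x^l); the client keeps x^{L-1} secret."""
    chain = [seed]
    for _ in range(length - 1):
        chain.append(H(chain[-1]))
    chain.reverse()            # index 0 is the anchor x^0 published in Comm^0
    return chain


class TapRegistry:
    """State kept by TAP T_j: per client, the last accepted token, its round index and L."""

    def __init__(self, tap_id: bytes, tap_key: bytes):
        self.tap_id, self.tap_key = tap_id, tap_key
        self.clients: Dict[bytes, Tuple[bytes, int, int]] = {}

    def accept_initial(self, client_id: bytes, client_key: bytes, x0: bytes,
                       L: int, t1: bytes, sig: bytes) -> bool:
        """Comm^0 = <M_i, x^0, L, t^1, [M_i||T_j||x^0||t^1]_{M_i}>; the signature must name this TAP."""
        if not verify_sig(client_key, client_id + self.tap_id + x0 + t1, sig):
            return False
        self.clients[client_id] = (x0, 0, L)
        return True

    def accept_round(self, client_id: bytes, x_l: bytes, round_l: int) -> bool:
        """Comm^l = <M_i, x^l>: accept iff H^{gap}(x^l) equals the last accepted token."""
        if client_id not in self.clients:
            return False
        last_x, last_round, L = self.clients[client_id]
        gap = round_l - last_round
        if round_l >= L or gap < 1 or gap > MAX_SKIP:   # chain exhausted, replay, or too many missed rounds
            return False
        y = x_l
        for _ in range(gap):
            y = H(y)
        if not hmac.compare_digest(y, last_x):
            return False
        self.clients[client_id] = (x_l, round_l, L)
        return True

    def commitment(self, t_current: bytes) -> Tuple[List[bytes], bytes]:
        """Comm_{T_j} = [H(M_i||...||M_j) || t_current]_{T_j} over the verified client list."""
        ids = sorted(self.clients)
        return ids, sign(self.tap_key, H(b"".join(ids)) + t_current)
```

The TAP never learns the client's secret end of the chain, so a third party that overhears x^l cannot produce x^{l+1}; the bounded skip keeps the per-round cost to a handful of hash operations even when a client is silent for a round or two.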

4.2.3. Neighbor report

Each neighbor TAP T_k of TAP T_j can also overhear the transmitted TAP commitment Comm_{T_j}. Each neighbor TAP sends the verifiable version of the overheard TAP commitment with its signature to a verifying TAP T_v of the claiming TAP T_j. In order to minimize the threat of colluding attacks by two compromised TAPs, the verifying TAP T_v should change periodically and in an unpredictable way. Thus, the GW periodically broadcasts a seed value y_p (p = 0, …, P − 1; P ≤ L) in the network for determining the verifying TAP, where this seed value is derived from a hash chain to reduce the computational overhead.

$$y_0 \xleftarrow{H} y_1 \xleftarrow{H} y_2 \xleftarrow{H} y_3 \xleftarrow{H} \cdots \xleftarrow{H} y_{P-1}$$

Each neighbor TAP T_k calculates the ID of the verifying TAP from the seed value and the ID of the claiming TAP as T_v = H(y_p || T_j) mod k, where k is the total number of TAPs in the network. The claiming TAP T_j should not be the same as the verifying TAP T_v. Thus, the neighbor TAP T_k repeats the calculation after increasing y_p if the result T_v is the same as T_j. The neighbor TAP T_k makes a verifiable neighbor report with the original TAP commitment and sends it to the verifying TAP. To avoid duplicate neighbor reports, the neighbor TAP T_k may check whether the neighbor report for TAP T_j has already been transmitted in the neighborhood (e.g., through overhearing) before sending it to T_v.

$$T_k \rightarrow T_v : T_j, NeRep_{T_k}, \quad \text{where } NeRep_{T_k} = [Comm_{T_j}]_{T_k}$$


4.2.4. Demand claim

As discussed in Section 3.2, TAP misbehaviors manifest in the form of a TAP misreporting or manipulating local demand information in the claim. In order to make the claim resistant to manipulation, it is structured to include (i) the client commitments and (ii) the TAP commitment. This claim is then sent to the verifying TAP T_v in this scheduling round. The way of determining the verifying TAP T_v is the same as explained in Section 4.2.3.

$$T_j \rightarrow T_v : Comm_{M_i}, \ldots, Comm_{M_j}, Comm_{T_j}$$

4.2.5. Demand verification

A verifying TAP T_v, upon receiving a demand claim and a neighbor report, first checks the consistency between the TAP commitments in the neighbor reports and the TAP commitment in the claim. The verifying TAP verifies the signature on the TAP commitment and the signatures on each of the client commitments included in the claim. Each verification of a client commitment provides resistance against collusion attacks by malicious TAPs and clients. The verifying TAP then sends the verification result with its signature to the GW.

$$T_v \rightarrow GW : M_i, \ldots, M_j, DemVer_{T_v}, \quad \text{where } DemVer_{T_v} = [Comm_{T_j}]_{T_v}$$
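The verifier selection of Section 4.2.3, the demand verification of Section 4.2.5 and the replication check that Section 4.2.6 performs at the GW, as one added Python example (not the paper's code). A seed chain lets every node check a freshly broadcast y_p against the previous one; T_v = H(y_p || T_j) mod k is recomputed with an increased seed while it collides with T_j; the verifying TAP confirms it is the proper verifier, that every overheard commitment in the neighbor reports matches the commitment in the claim, that the claimed client list is the one the TAP signed, and that each client signed an association with that TAP; the GW discards results from an improper verifier and flags client IDs that appear under more than one TAP. Assumptions, all this example's own: SHA-256 as H, HMAC under a per-entity key as the signature [M]_X, integer TAP IDs 0..k−1, "increasing y_p" read as incrementing the seed as a big-endian integer, and the dictionary layouts of the claim, report and result messages.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Set

# Assumptions of this example (not the paper's code): SHA-256 is H; an HMAC under each
# entity's key stands in for the signature [M]_X of Table 1; TAP IDs are integers 0..k-1;
# "increasing y_p" on a collision means incrementing it as a big-endian integer.


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def valid(key: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, msg), sig)


def tap_name(i: int) -> bytes:
    return b"T%d" % i


def seed_chain(y_last: bytes, P: int) -> List[bytes]:
    """[y_0, ..., y_{P-1}] with y_{p-1} = H(y_p): the GW releases y_0, y_1, ... in turn."""
    chain = [y_last]
    for _ in range(P - 1):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain


def check_seed(y_prev: bytes, y_new: bytes) -> bool:
    """A node accepts a newly broadcast seed only if it hashes to the previous one."""
    return hmac.compare_digest(H(y_new), y_prev)


def verifying_tap(y_p: bytes, claiming_tap: int, k: int) -> int:
    """T_v = H(y_p || T_j) mod k, recomputed with an increased seed while T_v == T_j."""
    seed = int.from_bytes(y_p, "big")
    while True:
        digest = H(seed.to_bytes(len(y_p), "big") + tap_name(claiming_tap))
        tv = int.from_bytes(digest, "big") % k
        if tv != claiming_tap:
            return tv
        seed += 1


def verify_demand(tv: int, y_p: bytes, k: int, claim: dict, reports: List[dict],
                  keys: Dict[bytes, bytes]) -> Optional[dict]:
    """Demand verification at T_v. claim = {tap, t, clients: [{id, x0, t1, sig}], tap_comm};
    each report = {neighbor, tap_comm, sig}. Returns the signed DemVer on success and None
    on any inconsistency (the verifying TAP would then alert the GW instead)."""
    tj = claim["tap"]
    if tv != verifying_tap(y_p, tj, k) or not reports:
        return None
    for r in reports:                     # overheard commitment must equal the claimed one
        if not valid(keys[tap_name(r["neighbor"])], r["tap_comm"], r["sig"]):
            return None
        if not hmac.compare_digest(r["tap_comm"], claim["tap_comm"]):
            return None
    ids = [c["id"] for c in claim["clients"]]
    if not valid(keys[tap_name(tj)], H(b"".join(ids)) + claim["t"], claim["tap_comm"]):
        return None                       # client list in the claim differs from what T_j committed to
    for c in claim["clients"]:            # each client really signed an association with T_j
        if not valid(keys[c["id"]], c["id"] + tap_name(tj) + c["x0"] + c["t1"], c["sig"]):
            return None
    return {"tv": tv, "tap": tj, "clients": ids, "tap_comm": claim["tap_comm"],
            "sig": sign(keys[tap_name(tv)], claim["tap_comm"])}


def gw_replication_check(results: List[dict], y_p: bytes, k: int,
                         keys: Dict[bytes, bytes]) -> Set[bytes]:
    """GW side: drop results from an improper verifier or with a bad signature, then return
    the client IDs that appear under more than one TAP (replicated or multiply associated)."""
    owner: Dict[bytes, int] = {}
    replicated: Set[bytes] = set()
    for r in results:
        if r["tv"] != verifying_tap(y_p, r["tap"], k):
            continue
        if not valid(keys[tap_name(r["tv"])], r["tap_comm"], r["sig"]):
            continue
        for m in r["clients"]:
            if m in owner and owner[m] != r["tap"]:
                replicated.add(m)
            owner.setdefault(m, r["tap"])
    return replicated
```

Because the verifier is a function of a seed the GW releases only at the start of the round, a claiming TAP cannot pick a colluding verifier in advance, and the GW can recompute the same function to reject any result that arrives from the wrong TAP.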

4.2.6. Replication check

After the GW has received the demand verification results, it checks whether the TAP T_v verifying the demand is a proper verifying TAP of the claiming TAP T_j. It then checks the signature of the verifying TAP and finally checks for collisions of client IDs across all verification results. We provide the security and performance analysis of this scheme in Sections 5 and 6.

4.2.7. Considerations for movement events of clients

Most fair scheduling schemes in WMNs assume the mobility of clients. However, the schemes, whether centralized or distributed, are mostly designed and performed independently of movement events (i.e., join, leave, and handoff processes) [4,7–10,22]. The reasons for this are as follows. First, the scheduling period is generally shorter than the handoff time. On the basis of the number of clients or the demand for bandwidth of clients associated up to each scheduling round, the resource is assigned fairly. The scheduling period assumed in TDMA- or STDMA-based fair scheduling schemes is very short (e.g., 1 ms [23], 100 ms [24]), and is generally shorter than the required minimum time for handoff (e.g., 100 ms) or the time of handoff by the dynamic host configuration protocol (DHCP) (e.g., a couple of seconds [25]). Therefore, handoff is rarely affected by periodic scheduling. Second, some scheduling schemes provide resources (i.e., slots in TDMA) separately from the scheduled resources (slots). Some fair scheduling schemes provide contention or free (unassigned) slots [4,26] together with scheduled slots, in order to process newly joining clients quickly (i.e., to transmit node-join request messages or bandwidth request messages) and give transmission chances to such clients through the contention–detection method. For the same reasons, the leaving process of mobile clients is also beyond the scope of scheduling schemes. The claiming TAPs in fair scheduling schemes do not consider whether or not the resources assigned to clients through a proper association process are used. The TAPs simply do not assign resources to leaving clients in the next round after the clients have sent a leaving message or stopped sending the bandwidth request (client commitment). In our verification framework, even if compromised clients might abuse frequent handoff in order to ruin the scheduling and verification (i.e., leaving between the neighbor report and the demand claim), the effect of this misbehavior is not great and is limited to the number of compromised clients. Such clients can be managed with a blacklist through the cooperation of neighbor TAPs and the GW. Therefore, in this paper, we assume that the movements are managed by reserving some portion of the available bandwidth for these events instead of forcing a completely new association as in other scheduling schemes [4,26], or that the moving client performs a proactive association with the TAP toward which it is moving [25]. We then focus on designing our verification framework to provide robustness against misbehavior for such fair scheduling schemes, independently of movement events.

4.3. Verification in a centralized authentication environment

In this subsection, we consider networks without a public key infrastructure (PKI). We propose a verification scheme using hash-based signatures to detect node misbehavior during fair scheduling. The verification scheme is inspired by a scheme named Sym-HaSAFSS [27], which was proposed for generating and verifying aggregate signatures in unattended wireless sensor networks (UWSNs) [27].
The main contribution of Sym-HaSAFSS is the provision of an accumulated aggregate signature with storage, bandwidth, and computational efficiency, to cope with the lack of real-time communication in UWSNs. In this paper, we use the hash-based signature for the verification of each main step of the proposed scheme: client commitment, TAP commitment, neighbor report, and demand claim. However, we do not use Sym-HaSAFSS directly. Instead, we adapt the Sym-HaSAFSS algorithms to provide efficient support of verification in a PKI-less WMN. For example, unlike Sym-HaSAFSS, our scheme does not update the accumulated aggregate signature on each occurrence of a client commitment.

The verification scheme consists of eight phases: key and token generation, client commitment, key release for client commitment verification, TAP commitment, neighbor report, demand claim, key release for TAP commitment/demand verification, and replication check. We assume that there is a central authority (CA) that is trusted to handle all security issues in the WMN. The keys used in the scheme are as follows:

• Time-trapdoor key: At first, the CA generates the time-trapdoor keys from a hash chain, and the last hash value (i.e., the commitment) is distributed to all nodes. One hash value is disclosed at each verification step. As in TESLA [29], the chain must be disclosed in the order opposite to the hashing direction (a key disclosed in a later round is a preimage of one disclosed earlier), so that a disclosed key reveals nothing about the keys of later rounds; a node accepts a disclosed key only if repeatedly hashing it reaches the distributed commitment.
• Signature key: Next, the CA generates the time series of signature keys that are used to sign commitments and claims.
• Token key: In the verification scheme, the commitments and claims can be verified with a token encrypted under this key.

The basic processes to verify messages with these keys are as follows: key and token generation, message signing, and key release for message verification.

• Key and token generation: At first, the CA generates L time-trapdoor keys as

$$tk_0 \xrightarrow{H_1} tk_1 \xrightarrow{H_1} tk_2 \xrightarrow{H_1} tk_3 \xrightarrow{H_1} \cdots \xrightarrow{H_1} tk_{L-1}.$$

For each node X, the CA performs the following actions for token generation and release.

1. Generate a random number $z_0^X$, which serves as the initial signature key generator, and derive a hash chain from it, as $z_0^X \xrightarrow{H_1} z_1^X \xrightarrow{H_1} \cdots \xrightarrow{H_1} z_{L-1}^X$.
2. Compute the signature keys from the hash chain, as $k_j^X = H_2(z_j^X)$, $\forall j = 0, \ldots, L-1$.
3. Generate the token keys from the time-trapdoor keys for the node X for each of the L time periods, as $tk_j^X = \mathrm{MAC}_{tk_j}(X)$, $\forall j = 0, \ldots, L-1$.
4. Generate L tokens by encrypting the signature keys with the token keys for each of the L time periods, as $C_j^X = E_{tk_j^X}(k_j^X)$, $\forall j = 0, \ldots, L-1$.
5. Send the initial signature key generator and the L tokens to the node X through a secure channel (see footnote 4):

$$CA \rightarrow X : z_0^X, C_0^X, C_1^X, C_2^X, \ldots, C_{L-1}^X$$

• Message signing: The node X can sign a message M for a verifying TAP Y with its signature key at time $t_w$ as follows:

1. Compute the signature key as $k_w^X = H_2(z_w^X)$.
2. Compute a signature as $\sigma_w^X = \mathrm{MAC}_{k_w^X}(M)$.
3. Send the token and signature $\langle C_w^X, \sigma_w^X \rangle$ to Y.
4. Compute the chain value for the next scheduling round as $z_{w+1}^X = H_1(z_w^X)$ and delete $z_w^X$.

• Key release for message verification: After a time interval $\delta$ (known as the key release interval for verification), the CA releases the time-trapdoor key $tk_w$ of the w-th scheduling round to all nodes in the network. The time-trapdoor key is used by the verifying TAPs to verify the signed messages. The time interval $\delta$ is chosen so that at time $t_w + \delta$ all nodes have generated and sent their signed messages to the verifying TAP, and the signed messages have been received by the verifying TAP. Any message received after $t_w + \delta$ is simply discarded.

Footnote 4. At the end of a successful authentication session, a secure channel is established between the clients and the central authority (CA) (i.e., SA establishment as shown in Fig. 4). The secure channel is protected through encryption and authentication by pre-shared keys or dynamically shared keys.

Once the time-trapdoor key $tk_w$ has been released by the CA, the verifying TAP Y performs the following operations to verify the signed message:

1. Compute the token key for the sender X as $tk_w'^{X} = \mathrm{MAC}_{tk_w}(X)$.
2. Compute the signature key for X as $k_w'^{X} = D_{tk_w'^{X}}(C_w^X)$.
3. Generate the signature as $\sigma_w'^{X} = \mathrm{MAC}_{k_w'^{X}}(M)$.
4. Compare the received signature with the calculated one. If $\sigma_w^X = \sigma_w'^{X}$, then accept the signed message.

We design our second verification scheme with these three basic processes. Fig. 5 illustrates the scheme. We explain each phase in detail below.

4.3.1. Key and token generation

This is the first phase of the hash-based signature scheme. It involves the generation of the time-trapdoor keys and the verification tokens for all TAPs in the network. Assuming that the scheduling starts at time $t_0$, the CA chooses L time periods, separated by time points $t_0 < t_1 < t_2 < \cdots < t_{L-1}$, and generates two hash chains of time-trapdoor keys, $tk_j^M$ and $tk_j^T$, $\forall j = 0, \ldots, L-1$. One is for the verification of client commitments and the other is for the verification of TAP commitments and demand claims. For each TAP $T_i$, the CA performs the basic key and token generation: a hash chain $z_j^{T_i}$, signature keys $k_j^{T_i}$, token keys $tk_j^{T_i}$ derived from the time-trapdoor key $tk_j^T$, and tokens $C_j^{T_i}$ ($j = 0, \ldots, L-1$) are generated. The CA sends the initial signature key generator and the L tokens to TAP $T_i$ on the secure channel:

$$CA \rightarrow T_i : z_0^{T_i}, C_0^{T_i}, C_1^{T_i}, C_2^{T_i}, \ldots, C_{L-1}^{T_i}$$

A client $M_i$ entering the network at time $t_w$ ($w < L$) first identifies a TAP it wishes to associate with (e.g., $T_3$). The client then proceeds to authenticate itself to the network by initiating an authentication session with the CA. At the end of a successful authentication session, a secure channel is established between $M_i$ and the CA. The CA then generates the values $z_j^{M_i}$ of a hash chain derived from a random number $z_w^{M_i}$, the signature keys $k_j^{M_i}$, the token keys $tk_j^{M_i}$ derived from the time-trapdoor key $tk_j^M$, and the tokens $C_j^{M_i}$ ($j = w, \ldots, L-1$) for $M_i$. The CA sends the initial hash value and the $L - w$ tokens to $M_i$ on the secure channel:

$$CA \rightarrow M_i : z_w^{M_i}, C_w^{M_i}, C_{w+1}^{M_i}, C_{w+2}^{M_i}, \ldots, C_{L-1}^{M_i}$$
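The three basic processes above (key and token generation, message signing, and key release with verification), as an added example that is not code from the paper. It models one time-trapdoor chain and one enrolled node in Python with only the standard library. Its assumptions, which the paper does not make: SHA-256 stands in for $H_1$, $H_2$ and the MAC (the paper benchmarks MD5, SHA1 and HMAC); a one-time keystream XOR stands in for $E$/$D$ (the paper benchmarks DES-CBC); and the chain is disclosed TESLA-style, against the hashing direction, so that a released key cannot be hashed into a later round's key. The demo also exercises the first attack of Section 5.1 (a forged commitment for a non-existent client $M_1$) and shows why a message that arrives after $t_w + \delta$ must be discarded.

```python
"""Added example (not from the paper): toy model of the HSV basic processes of
Section 4.3 for one time-trapdoor chain. Assumptions, not in the paper: SHA-256
stands in for H1, H2 and the MAC; E/D is a one-time keystream XOR rather than
DES-CBC; the chain is disclosed TESLA-style, against the hash direction, so a
released tk_w never reveals the key of a later round."""
import hashlib
import hmac
import os

def H1(x: bytes) -> bytes:
    return hashlib.sha256(b"H1|" + x).digest()

def H2(x: bytes) -> bytes:
    return hashlib.sha256(b"H2|" + x).digest()

def MAC(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def E(token_key: bytes, sig_key: bytes) -> bytes:
    """E_{tk}(k): XOR the 32-byte signature key with a keystream derived from the
    per-node, per-period token key. A token key encrypts exactly one token, so the
    keystream is never reused; decryption D is the same map."""
    keystream = MAC(token_key, b"token-keystream")
    return bytes(a ^ b for a, b in zip(sig_key, keystream))

D = E

class CA:
    """Central authority: owns the time-trapdoor chain and issues tokens."""

    def __init__(self, L: int):
        self.L = L
        self._chain = [os.urandom(32)]
        for _ in range(L):
            self._chain.append(H1(self._chain[-1]))
        self.commitment = self._chain[L]      # last hash value, given to all nodes

    def release(self, w: int) -> bytes:
        """tk_w for round w: round 0 discloses the value next to the commitment,
        each later round a preimage of the previous disclosure."""
        return self._chain[self.L - 1 - w]

    def enroll(self, node_id: bytes):
        """Key and token generation for node X, steps 1-5 of Section 4.3."""
        z0 = os.urandom(32)                   # initial signature key generator
        z, tokens = z0, {}
        for j in range(self.L):
            k_j = H2(z)                       # signature key k_j^X
            tk_xj = MAC(self.release(j), node_id)  # token key tk_j^X = MAC_{tk_j}(X)
            tokens[j] = E(tk_xj, k_j)         # token C_j^X = E_{tk_j^X}(k_j^X)
            z = H1(z)                         # z_{j+1}^X = H1(z_j^X)
        return z0, tokens                     # sent over the secure channel

class Node:
    """A client or TAP holding z_0^X and its L tokens."""

    def __init__(self, node_id: bytes, z0: bytes, tokens: dict):
        self.id, self.z, self.tokens, self.w = node_id, z0, tokens, 0

    def sign(self, msg: bytes):
        """Message signing in round w: returns (X, w, C_w^X, sigma_w^X)."""
        sig = MAC(H2(self.z), msg)            # k_w^X = H2(z_w^X)
        out = (self.id, self.w, self.tokens[self.w], sig)
        self.z, self.w = H1(self.z), self.w + 1   # advance the chain; z_w erased
        return out

def released_key_is_valid(tk_w: bytes, w: int, commitment: bytes) -> bool:
    """Accept a released tk_w only if hashing it w+1 times reaches the commitment."""
    h = tk_w
    for _ in range(w + 1):
        h = H1(h)
    return h == commitment

def verify(msg: bytes, signed, tk_w: bytes, w: int, commitment: bytes) -> bool:
    """Steps 1-4 of key-release verification, run by the verifying TAP Y."""
    node_id, sw, token, sig = signed
    if sw != w or not released_key_is_valid(tk_w, w, commitment):
        return False
    k_x = D(MAC(tk_w, node_id), token)        # tk'^X_w, then k'^X_w
    return hmac.compare_digest(MAC(k_x, msg), sig)   # sigma'^X_w == sigma^X_w ?

def demo():
    """Round 0: genuine commitment, forged one for non-existent M_1, late forgery."""
    ca = CA(L=8)
    z0, tokens = ca.enroll(b"M_i")
    client = Node(b"M_i", z0, tokens)
    msg = b"M_i||T_j"                         # the association being committed to
    signed = client.sign(msg)                 # reaches Y before t_0 + delta
    tk0 = ca.release(0)                       # CA discloses tk_0 at t_0 + delta
    genuine = verify(msg, signed, tk0, 0, ca.commitment)
    # Without tk_0 the adversary cannot make a token for M_1 that decrypts, under
    # MAC_{tk_0}(M_1), to the key it used for the MAC: verification fails.
    forged = (b"M_1", 0, os.urandom(32), MAC(os.urandom(32), b"M_1||T_j"))
    before = verify(b"M_1||T_j", forged, tk0, 0, ca.commitment)
    # Once tk_0 is public anyone can mint a consistent token for any ID, which
    # is why Y must discard every message that arrives after t_0 + delta.
    tk_m1, k_fake = MAC(tk0, b"M_1"), os.urandom(32)
    late = (b"M_1", 0, E(tk_m1, k_fake), MAC(k_fake, b"M_1||T_j"))
    after = verify(b"M_1||T_j", late, tk0, 0, ca.commitment)
    return genuine, before, after             # (True, False, True)
```

Note how the token is bound to both the sender ID and the period: the verifier derives the token key from the released $tk_w$ and the claimed sender, so a token copied from another node or another round decrypts to an unrelated key and the MAC comparison fails. The third result in `demo()` is the reason the scheme discards late arrivals: after release, the trapdoor key no longer separates honest senders from anyone else.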

4.3.2. Client commitment

In the verification scheme, the commitment generation involves generating a publicly verifiable commitment to the association between the client and the TAP. For the sake of presentation, we assume that at time $t_w$ several clients (e.g., $M_i, \ldots, M_j$) are associated with TAP $T_j$. All the clients have been successfully authenticated by the CA and possess the tokens to verify the commitments. At time $t_w$, each of the clients (e.g., $M_i$) computes a signature key $k_w^{M_i}$ from $z_w^{M_i}$ and generates a signature on the association as $\sigma_w^{M_i} = \mathrm{MAC}_{k_w^{M_i}}(M_i \| T_j)$. It then sends the commitment $Comm_{M_i} = \langle C_w^{M_i}, \sigma_w^{M_i} \rangle$ to $T_j$ and computes the chain value for the next scheduling round, $z_{w+1}^{M_i}$.

Fig. 5. Verification processes in a centralized authentication environment.

4.3.3. Key release for client commitment verification

After a time interval $\delta^M$ (known as the key release interval for client commitment verification), the CA releases the time-trapdoor key $tk_w^M$ for the w-th scheduling round to all TAPs in the network (i.e., the basic key release for message verification). To verify the received client commitments, the TAP $T_j$ computes the token key $tk_w'^{M_i}$ with each client ID (e.g., $M_i$). It then computes the signature key $k_w'^{M_i}$ and the signature $\sigma_w'^{M_i}$ over the association ($M_i \| T_j$) for each client. Finally, it compares the received signature $\sigma_w^{M_i}$ with the calculated one, $\sigma_w'^{M_i}$. If they are the same, $T_j$ accepts the client commitment and includes it when generating the TAP commitment. Otherwise, it generates an alert of the form ($T_j$, compromised client ID, $t_w$) and sends it to all TAPs and the GW.

4.3.4. TAP commitment

After receiving commitments from all its clients and verifying them, the TAP $T_j$ generates an aggregated TAP commitment, $Comm_{T_j} = \langle C_w^{T_j}, M_i, \ldots, M_j, \gamma_w^{T_j} \rangle$, with the signature $\gamma_w^{T_j} = \mathrm{MAC}_{k_w^{T_j}}(M_i \| \cdots \| M_j)$. It then broadcasts this commitment to its clients.

4.3.5. Neighbor report

Each neighbor TAP $T_k$ can also overhear the transmitted TAP commitment $Comm_{T_j}$. It then sends to a verifying TAP of $T_j$ a neighbor report $NeRep_{T_k} = \langle T_j, Comm_{T_j}, C_w^{T_k}, \sigma_w^{T_k} \rangle$, where $\sigma_w^{T_k} = \mathrm{MAC}_{k_w^{T_k}}(Comm_{T_j})$. The way to determine the verifying TAP is the same as explained in Section 4.2.3. However, in this scheme, we can reuse the time-trapdoor key $tk_w^M$ released for client commitment verification as the seed value. Thus, all neighbor TAPs calculate the verifying TAP ID from the released value and the claiming TAP ID as $T_v = H(tk_w^M \| T_j) \bmod k$, where k denotes the number of TAPs in the network.

4.3.6. Demand claim

After the TAP $T_j$ sends the TAP commitment to its associated clients, it generates a signature over the clients' signatures as $\sigma_w^{T_j} = \mathrm{MAC}_{k_w^{T_j}}(\sigma_w^{M_i} \| \cdots \| \sigma_w^{M_j})$. It sends to the verifying TAP $T_v$ the demand claim $\langle M_i, \ldots, M_j, C_w^{M_i}, \ldots, C_w^{M_j}, C_w^{T_j}, \sigma_w^{T_j} \rangle$.

4.3.7. Key release for TAP commitment/demand verification

After a time interval $\delta^T$ ($> \delta^M$) (known as the key release interval for the verification of TAP commitments and demand claims), the CA releases the time-trapdoor key $tk_w^T$ for the w-th scheduling round to all nodes (i.e., the basic key release for message verification). To verify the TAP commitment, a client first checks whether its ID exists in the client list of the commitment. It then computes the token key $tk_w'^{T_j}$ with the ID $T_j$. It generates the signature key $k_w'^{T_j}$ and the signature over the client list, $\gamma_w'^{T_j} = \mathrm{MAC}_{k_w'^{T_j}}(M_i \| \cdots \| M_j)$. Finally, it compares the received signature $\gamma_w^{T_j}$ with the calculated one, $\gamma_w'^{T_j}$. If they are the same, it accepts the TAP commitment. Otherwise, it generates an alert of the form ($M_{\mathrm{verifying\ client}}$, compromised $T_{\mathrm{claiming\ TAP}}$, $t_w$) and sends it to all nodes.

The verifying TAP verifies the neighbor report and the demand claim after receiving the released time-trapdoor key $tk_w^T$. To verify the neighbor report, it computes the token key for the neighbor TAP, $tk_w'^{T_k}$, and the signature key $k_w'^{T_k}$. It checks whether $\mathrm{MAC}_{k_w'^{T_k}}(Comm_{T_j})$ is the same as $\sigma_w^{T_k}$ in $NeRep_{T_k}$, and whether the client list in the $Comm_{T_j}$ of the neighbor report is the same as that in the demand claim. If not, it generates an alert of the form ($T_{\mathrm{verifying\ TAP}}$, compromised $T_{\mathrm{claiming\ TAP}}$, $t_w$) and broadcasts it to all nodes. To verify the demand claim, the verifying TAP regenerates each client's signature $\sigma_w'^{M_i}$ over the association ($M_i \| T_j$). It computes the signature $\sigma_w'^{T_j}$ over all of the clients' signatures, $(\sigma_w'^{M_i} \| \cdots \| \sigma_w'^{M_j})$. Finally, it compares the received signature with the calculated one. If $\sigma_w^{T_j} = \sigma_w'^{T_j}$, it accepts the demand claim and sends a verifiable result to the GW for scheduling. Otherwise, it generates an alert of the form ($T_{\mathrm{verifying\ TAP}}$, compromised $T_{\mathrm{claiming\ TAP}}$, $t_w$) and broadcasts it on all links. The verifiable result is made with the verifying TAP's signature as $\langle C_w^{T_v}, M_i, \ldots, M_j, T_j, \mathrm{MAC}_{k_w^{T_v}}(M_i \| \cdots \| M_j \| T_j) \rangle$.

4.3.8. Replication check

After the GW verifies the results for the demand claims received from the verifying TAPs, it checks whether each verifying TAP is a proper verifying TAP of the claiming TAP. It also checks the signature of the verifying TAP on the verification result and checks for collisions of client IDs across all verification results.

5. Security analysis

In this section, we show that our verification schemes, a digital signature based verification scheme for a distributed authentication environment (DSV) and a verification scheme using hash-based signatures for a centralized authentication environment (HSV), are secure against the misbehaviors explained in Section 3.2.

5.1. Defense against TAP misbehaviors

• Reporting non-existent clients: Assume there exists an adversary that produces a demand claim for unfair scheduling with a non-existent client (e.g., $M_1$) and legitimate clients (e.g., $M_i, \ldots, M_j$). In our verification framework, the demand claim must be verified by a verifying TAP that is periodically changed and determined in an unpredictable way; otherwise, the demand claim is not included in the link scheduling process. In DSV, the forged demand claim $\langle Comm_{M_1}, Comm_{M_i}, \ldots, Comm_{M_j}, Comm_{T_j} \rangle$ includes the commitment of $M_1$, which is signed with an arbitrary private key, $Comm_{M_1} = \langle M_1, x_0^{M_1}, L, t_1^{M_1}, [M_1 \| T_j \| x_0^{M_1} \| t_1^{M_1}]_{M_1} \rangle$. In HSV, the forged demand claim $\langle M_1, M_i, \ldots, M_j, C_w^{M_1}, C_w^{M_i}, \ldots, C_w^{M_j}, C_w^{T_j}, \sigma_w^{T_j} \rangle$ includes an arbitrary token $C_w^{M_1}$ of $M_1$ and a signature of the claiming TAP $T_j$, $\sigma_w^{T_j} = \mathrm{MAC}_{k_w^{T_j}}(\sigma_w^{M_1} \| \sigma_w^{M_i} \| \cdots \| \sigma_w^{M_j})$, in which $\sigma_w^{M_1}$ is generated with an arbitrary key of $M_1$. The verifying TAP verifies the signatures of all clients and of the claiming TAP in the demand claim. Even if the adversary has the credential (i.e., private key or signature key) of the claiming TAP $T_j$, the arbitrary signature of the non-existent client $M_1$, generated without the proper credential, cannot pass the signature verification of the verifying TAP.

• Reporting an incorrect list of clients: Suppose a compromised TAP generates a demand claim including a client (e.g., $M_1$) who has already left. In our verification framework, the GW performs the client replication check after receiving all verified demand claims. Therefore, if the client $M_1$ has joined the network through another TAP, this misbehavior is detected. In a different case, assume a compromised TAP does not include a newly joined client (e.g., $M_2$) in a TAP commitment or a demand claim. If its own ID ($M_2$) is included in the associated client list but not in the TAP commitment, the client $M_2$ can detect this through signature verification of the TAP commitment. The TAP commitment generated with the omitted client list is $\langle M_2, M_i, \ldots, M_j, Comm_{T_j} = [H(M_i \| \cdots \| M_j) \| t_{current}]_{T_j} \rangle$ and $\langle C_w^{T_j}, M_2, M_i, \ldots, M_j, \gamma_w^{T_j} = \mathrm{MAC}_{k_w^{T_j}}(M_i \| \cdots \| M_j) \rangle$ in DSV and HSV, respectively. On the other hand, the compromised TAP may generate a demand claim including a TAP commitment generated with the omitted client list, different from the normal one transmitted to the clients. However, the verifying TAP can detect the inconsistency between the two TAP commitments, because the TAP commitment transmitted to the clients is forwarded unchanged to the verifying TAP through the neighbor report.

• Colluding: A compromised TAP may generate a demand claim with the credentials (i.e., private keys) of clients received from another compromised TAP, in order to increase the bandwidth assigned in scheduling. Even though the forged demand claim can pass the signature verification of a verifying TAP, it cannot pass the client replication check at the GW, because the demand claims from the two TAPs include the same clients.

5.2. Defense against client misbehaviors

• Sybil attack: If there is no authentication framework, a malicious client can masquerade as multiple clients and connect to the network through multiple sessions, in order to get more bandwidth. However, in our verification framework, a client must have the credentials of all the masqueraded clients to obtain each authentication session. Even if the malicious client has the credentials of the masqueraded clients, it will be detected by the client replication check at the GW.

• Clients associated with more than one TAP: Similarly, a malicious client with an extended communication range may associate with more than one TAP. However, this can also be detected by the client replication check at the GW.

5.3. Defense against client and TAP collusion

The resistance of our verification schemes against misbehavior is based on the unforgeability of client and TAP commitments and demand claims, which are protected by digital signatures or hash-based signatures. A universally accepted security notion for a signature scheme is existential unforgeability under adaptive chosen message attack in the random oracle model [28]. Moreover, in HSV, which uses hash-based signatures, all keys are generated by a one-way hash function and are disclosed for verification only after all nodes have used them for signing their messages, similar to the TESLA broadcast authentication protocol [29]. Therefore, a forged message without the proper signature key cannot pass the message verification.

• A compromised TAP may generate a demand claim with a large number of unauthorized clients in order to grant illegitimate sessions to them. The forged demand claim can bypass the verification of the TAP commitment. However, a demand claim generated without the proper credentials is detected by the signature verification of each client commitment performed by the verifying TAP.
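Sections 5.1–5.3 repeatedly fall back on two GW-side checks: that a verification result comes from the proper verifying TAP (chosen as in Section 4.3.5) and that no client ID appears under two claiming TAPs (Sections 4.2.6 and 4.3.8). As an added example that is not from the paper, here is that check in Python over constructed results. It assumes SHA-256 as H, integer TAP IDs in 0..k-1, and that the signature on each result has already been verified; removing a replicated client from every claim is the example's own policy, since the paper only specifies detection.

```python
"""Added example (not from the paper): the GW-side replication check of
Sections 4.2.6/4.3.8 combined with the verifier selection rule of Section 4.3.5,
run over constructed verification results. Assumptions: SHA-256 as H, TAP IDs
are integers 0..k-1, and each result is the tuple (T_v, T_j, client list) whose
signature the GW has already checked."""
import hashlib
from collections import defaultdict


def verifying_tap(seed: bytes, claiming_tap: int, k: int) -> int:
    """T_v = H(seed || T_j) mod k, the seed being the released tk_w^M."""
    h = hashlib.sha256(seed + claiming_tap.to_bytes(4, "big")).digest()
    return int.from_bytes(h, "big") % k


def replication_check(results, seed: bytes, k: int):
    """Returns (accepted claims, alerts). A result whose verifier is not the
    proper T_v for its claiming TAP is dropped; a client ID that appears under
    more than one claiming TAP (Sybil, dual association, colluding TAPs) is
    alerted and, as this example's policy, removed from every claim."""
    alerts, owners, candidates = [], defaultdict(set), []
    for t_v, t_j, clients in results:
        if t_v != verifying_tap(seed, t_j, k):
            alerts.append(("improper verifier", t_v, t_j))
            continue
        candidates.append((t_j, list(clients)))
        for c in clients:
            owners[c].add(t_j)
    replicated = {c: tuple(sorted(ts)) for c, ts in owners.items() if len(ts) > 1}
    for c in sorted(replicated):
        alerts.append(("replicated client", c, replicated[c]))
    accepted = [(t_j, [c for c in clients if c not in replicated])
                for t_j, clients in candidates]
    return accepted, alerts


def demo():
    """Constructed round with k = 5 TAPs: T_1 and T_2 both claim M_b, and T_3's
    claim was verified by the wrong TAP."""
    k, seed = 5, b"released tk_w^M (constructed)"
    results = [
        (verifying_tap(seed, 1, k), 1, ["M_a", "M_b"]),
        (verifying_tap(seed, 2, k), 2, ["M_c", "M_b"]),
        ((verifying_tap(seed, 3, k) + 1) % k, 3, ["M_d"]),
    ]
    return replication_check(results, seed, k)
```

Two observations for anyone deploying this: the selection rule only becomes unpredictable once the seed is a value nobody can precompute, which is why the released $tk_w^M$ is a good choice; and $H(\cdot) \bmod k$ can evaluate to $T_j$ itself, a case that belongs to the rule of Section 4.2.3, which lies outside this excerpt, so the example does not treat it.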

5.4. Defense probability

The verifying TAP that performs the verification of the client commitments and the TAP commitment in a demand claim is determined by a seed number that is transmitted periodically by the GW; hence the verifying TAP for a claiming TAP changes periodically and in an unpredictable way. Therefore, our framework supports strong tolerance against both TAP misbehavior and the TAP collusion attack. Moreover, the tolerance can be enhanced with multiple verifying TAPs per claiming TAP in highly vulnerable networks. The success probability of defense according to the number of verifying TAPs is as follows:

$$\Pr(\text{the success of defense}) = \sum_{i=0}^{N} \Pr(S \mid C_i)\,\Pr(C_i), \qquad \Pr(S \mid C_i) = 1 - \Pr(F \mid C_i),$$

$$\Pr(\text{the success of defense}) = 1 - \sum_{i=v}^{N} \Pr(i \text{ compromised TAPs cover all } v \text{ verifying TAPs})\,\Pr(C_i) = 1 - \sum_{i=v}^{N} \frac{\binom{v}{v}\binom{N-v}{i-v}}{\binom{N}{i}} \binom{N}{i} p^{i} (1-p)^{N-i},$$

where N is the number of TAPs in the WMN, v is the number of verifying TAPs, p is the probability that a TAP is compromised, S is the event that defense succeeds for a claim, F is the event that defense fails for a claim, and $C_i$ is the event that i TAPs are compromised. Fig. 6 depicts the success probability of defense as a function of p and v, and shows that multiple verifying TAPs strengthen the defense level.

Fig. 6. Success probability of defense (N = 25); y-axis Pr(the success of defense) from 0.75 to 1, x-axis the number of verifier TAPs (v) from 1 to 4, curves for p = 0.05, 0.1, 0.15, and 0.2.

6. Performance evaluation

To evaluate the effectiveness of the proposed schemes, we perform extensive simulations using ns-2 [30]. We then measure the computation overhead of verification on a desktop machine.

6.1. Simulation

Since the verification framework is designed to be integrated with existing scheduling schemes, the proposed schemes are evaluated by extending CIRMA [4] with an instance of the verification framework in ns-2. In the simulation, we use the modified CIRMA-MH (i.e., centralized link scheduling with min-hop routing) [4], simply termed CIRMA. The TAPs collect and aggregate bandwidth requests from the client nodes, and then the scheme schedules links based on the aggregated requests from the TAPs. We use OpenSSL [31] in ns-2 to implement the security primitives required in our schemes, such as ECDSA as the digital signature, and SHA1 and MD5 as hash functions.

Fig. 7. Defense against misbehavior: (a) fairness index and (b) aggregate throughput of flows (Mbps), both versus the number of clients per TAP (2 to 10), for CIRMA normal, CIRMA misb., SIG-CPLEX misb., HAFS-BCAST misb., DSV misb., and HSV misb.

Table 2. Parameters (P), performance metrics (M), and verification schemes (S).

Symbol        | Description
P             |
NTAP          | Number of TAPs in the network
Nclient       | Number of clients associated per TAP
Nflow         | Number of clients with active flows toward the gateway
M             |
fairIdx       | Jain's fairness index
aggTh         | Aggregate throughput of flows
τclaimDetect  | Time to detect an inconsistency in a demand claim
τCcmtDetect   | Time to detect an inconsistency in a client commitment
τTcmtDetect   | Time to detect an inconsistency in a TAP commitment
δo            | Ratio of added control overhead due to the verification scheme in comparison with CIRMA with min-hop routing
S             |
CIRMA         | The original CIRMA scheme (no verification)
SIG-CPLEX     | The complex variant of the signature based verification scheme for a distributed authentication environment, proposed in [32]
HAFS-BCAST    | A HAFS based verification scheme with key broadcast for a centralized authentication environment [32]
DSV           | A digital signature based verification scheme for a distributed authentication environment
HSV           | A verification scheme using hash-based signatures for a centralized authentication environment
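The defense probability of Section 5.4, as an added example that is not from the paper: the closed form is evaluated for the Fig. 6 setting (N = 25) and cross-checked against a Monte Carlo simulation of the model behind it, in which each of the N TAPs is compromised independently with probability p and the v verifying TAPs are fixed in advance. The random seed and the trial count are the example's own choices.

```python
"""Added example (not from the paper): the defense probability of Section 5.4,
Pr(S) = 1 - sum_{i=v}^{N} [C(v,v) C(N-v,i-v) / C(N,i)] C(N,i) p^i (1-p)^(N-i),
in closed form and cross-checked by a Monte Carlo simulation of the underlying
model (each of N TAPs independently compromised with probability p, v verifying
TAPs fixed in advance, defense fails only if all v are compromised)."""
from math import comb
import random


def defense_probability(N: int, v: int, p: float) -> float:
    """Closed form of Section 5.4."""
    fail = 0.0
    for i in range(v, N + 1):
        cover = comb(v, v) * comb(N - v, i - v) / comb(N, i)   # Pr(F | C_i)
        pr_ci = comb(N, i) * p**i * (1 - p) ** (N - i)         # Pr(C_i)
        fail += cover * pr_ci
    return 1.0 - fail


def simulate_defense(N: int, v: int, p: float, trials: int, seed: int = 1) -> float:
    """Monte Carlo estimate under the same model (seed is the example's choice)."""
    rng = random.Random(seed)
    verifiers = range(v)          # which v TAPs verify does not matter, by symmetry
    fails = 0
    for _ in range(trials):
        compromised = [rng.random() < p for _ in range(N)]
        if all(compromised[t] for t in verifiers):
            fails += 1
    return 1.0 - fails / trials


def fig6_table(N: int = 25):
    """The grid behind Fig. 6: one row per p, columns v = 1..4."""
    return {p: [round(defense_probability(N, v, p), 4) for v in range(1, 5)]
            for p in (0.05, 0.10, 0.15, 0.20)}
```

A useful sanity check on the formula: the hypergeometric factor and $\Pr(C_i)$ combine to $p^v \sum_{j=0}^{N-v} \binom{N-v}{j} p^j (1-p)^{N-v-j} = p^v$, so the sum collapses to $\Pr(S) = 1 - p^v$, independent of N. The values 0.9 (v = 1, p = 0.1) and 0.96 (v = 2, p = 0.2) that the closed form and the simulation agree on are exactly that, and they match the range of Fig. 6.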

As explained in Section 2, there is no proper candidate for secure fair scheduling in WMNs to the best of our knowledge. Thus we compare our schemes in this paper

1.4 1.2

Delay (s)

Delay (s)

0.18 0.16 0.14 0.12 0.1 0.08 0.06 0.04 0.02 0

1 0.8 0.6 0.4 0.2 0

0

5

10

15

20

25

0

5

Number of TAPs

(a) τCcmtDetect CIRMA SIG-CPLEX 2.5 HAFS-BCAST DSV HSV 2

1 0.5 0 10

15

20

25

0.04 0.035 0.03 0.025 0.02 0.015 0.01 0.005 0

Ratio

Delay (s)

1.5

5

15

(b) τTcmtDetect

3

0

10

Number of TAPs

20

25

0

5

10

15

20

25

Number of TAPs

Number of TAPs

(d) δ0

(c) τclaimDetect

0.16 0.14 0.12 0.1 0.08 0.06 0.04 0.02 0

1.2 1

Delay (s)

Delay (s)

Fig. 8. Performance comparison as NTAP (Nclient = 4, Nflow = 10 and linear topology).

0.6 0.4 0.2 0

0

5

10

15

20

25

0

15

20

(a) τCcmtDetect

(b) τTcmtDetect

Ratio

1.5 1 0.5 0 5

10

Number of TAPs

CIRMA SIG-CPLEX HAFS-BCAST 2.5 DSV HSV 2

0

5

Number of TAPs

3

Delay (s)

0.8

10

15

Number of TAPs

(c) τclaimDetect

20

25

25

0.04 0.035 0.03 0.025 0.02 0.015 0.01 0.005 0 0

5

10

15

20

25

Number of TAPs

(d) δ0

Fig. 9. Performance comparison as NTAP (Nclient = 4, Nflow = 10, the tree topology, and topologies with 2, 6, 12, 20, and 24 TAPs have at most 1, 2, 3, 4, and 4 hops from a GW, respectively.).

311

M. Kim et al. / Ad Hoc Networks 10 (2012) 299–316

on all or some TAPs with a probability. Thus the demand should be broadcast to all TAPs and the demand verification can be an overburden with a high probability. In contrast, in this paper, we determine a verifying TAP for 1.2

0.16 0.14 0.12 0.1 0.08 0.06 0.04 0.02 0

1

Delay (s)

Delay (s)

with schemes (termed SIG-CPLEX and HAFS-BCAST) presented in [32]. The biggest difference between the two frameworks is the processing of demand verifications. In the framework in [32], a demand of each TAP is verified

0.8 0.6 0.4 0.2 0

0

5

10

15

0

20

5

(a) τCcmtDetect CIRMA DSV SIG-CPLEX 2.5 HSV 2 HAFS-BCAST

Ratio

Delay (s)

1.5 1 0.5 0 5

15

20

(b) τTcmtDetect

3

0

10

Number of clients per a TAP

Number of clients per a TAP

10

15

0.04 0.035 0.03 0.025 0.02 0.015 0.01 0.005 0 0

20

5

10

15

20

Number of clients per a TAP

Number of clients per a TAP

(d) δ0

(c) τclaimDetect

0.16 0.14 0.12 0.1 0.08 0.06 0.04 0.02 0

1.2 1

Delay (s)

Delay (s)

Fig. 10. Performance comparison as Nclient (NTAP = 5, Nflow = 10 and linear topology).

0.8 0.6 0.4 0.2 0

0

5

10

15

20

0

Number of clients per a TAP

5

(a) τCcmtDetect CIRMA DSV SIG-CPLEX 2.5 HSV 2 HAFS-BCAST

Ratio

Delay (s)

1.5 1 0.5 0 5

10

15

Number of clients per a TAP

(c) τclaimDetect

15

20

(b) τTcmtDetect

3

0

10

Number of clients per a TAP

20

0.04 0.035 0.03 0.025 0.02 0.015 0.01 0.005 0 0

5

10

15

20

Number of clients per a TAP

(d) δ0

Fig. 11. Performance comparison as Nclient (NTAP = 5, Nflow = 10 and tree topology).

312

M. Kim et al. / Ad Hoc Networks 10 (2012) 299–316

demand verification in an unpredictable way, in order to decrease the verification processing and communication burden as well as provide the resistance against TAP collu-

sion attacks. We enhance the security by adding a neighbor report to restrain the misbehavior (i.e., the transmission of a demand different from a TAP commitment). Moreover,

0.25

1.2 1 Delay (s)

Delay (s)

0.2 0.15 0.1 0.05

0.6 0.4 0.2

0

0 0

5

10

15

20

0

10

15

Number of flows

(a) τCcmtDetect

(b) τTcmtDetect

CIRMA DSV SIG-CPLEX 2.5 HSV 2 HAFS-BCAST

Ratio

1.5 1 0.5 0 0

5

Number of flows

3

Delay (s)

0.8

5

10

15

20

0.04 0.035 0.03 0.025 0.02 0.015 0.01 0.005 0

20

0

Number of flows

5

10

15

20

Number of flows

(c) τclaimDetect

(d) δ0

0.25

1.2

0.2

1

Delay (s)

Delay (s)

Fig. 12. Performance comparison as Nflow (Nclient = 14, NTAP = 5 and linear topology).

0.15 0.1 0.05

0.8 0.6 0.4 0.2

0

0 0

5

10

15

20

0

5

Number of flows

(a) τCcmtDetect CIRMA DSV SIG-CPLEX 2.5 HSV 2 HAFS-BCAST

Ratio

Delay (s)

1.5 1 0.5 0 5

10

15

Number of flows

(c) τclaimDetect

15

20

(b) τTcmtDetect

3

0

10

Number of flows

20

0.04 0.035 0.03 0.025 0.02 0.015 0.01 0.005 0 0

5

10

15

Number of flows

(d) δ0

Fig. 13. Performance comparison as Nflow (Nclient = 14, NTAP = 5 and tree topology).

20

313

M. Kim et al. / Ad Hoc Networks 10 (2012) 299–316

we modify the key release process in the hash-based verification scheme in order to quickly detect the inconsistency with TAP commitments. We first obtain the defense performance of each scheme (i.e., the effect of fairness and aggregate throughput), as shown in Fig. 7. The same parameters and simulation settings as used in Fig. 3 are used to compare the defense degree of verification schemes with the effect of misbehavior on CIRMA. Fig. 7a and b shows the fairness index in the presence of one 3-hop misbehavior TAP and the aggregated throughput of flows in the presence of three misbehaving TAPs, respectively. All four verification schemes provide almost full performance from the fairness viewpoint. However, the fairness of CIRMA reveals the effect of misbehavior when the number of clients per TAP is 10 and the impact on the throughput is more severe. HSV and HAFS-BCAST generally provide similar throughput to the normal case of CIRMA, and more throughput than DSV and SIG-CPLEX because of the faster verification speed. DSV and HSV also provide more throughput than SIG-CPLEX and HAFS-BCAST, respectively, because of the much lower burden of demand verification. The detection speed results will be shown in subsequent figures. To evaluate the defense speed and overhead of verification schemes, our simulation uses the same parameters listed in Fig. 2a. Initially, the simulation is performed on a linear topology [L], as shown in Fig. 2b. The topology includes several TAPs connected to a GW, where each TAP has a set of associated clients generating traffic. For the sake of simplicity, it is assumed that clients are distributed equally over all TAPs. The clients are chosen at random on a per-TAP basis, and generate a CBR traffic toward wired network through a GW. We also assume that all the clients are already associated with a TAP in the network during network initialization. 
We do not simulate the scenarios where clients join, leave the network or migrate from one TAP to the other. Next, we develop the simulation topology to a general tree shape [T] as shown in Fig. 1. The other assumptions are the same as the linear topology. In Table 2, simulation parameters, measured performance metrics and verification schemes under comparison are summarized. As verification performance metrics, we first measure the time to detect inconsistency in a client commitment, a TAP commitment and a demand claim, i.e., forgery of each message. We also gather the ratio of added control for verification in comparison with CIRMA, in order to measure the overhead of our schemes. Figs. 8 and 9 show the performance metrics for the linear and tree topologies, respectively, when the number of TAPs (NTAP) increases. In increasing NTAP, the values of detection speed (sCcmtDetect, sTcmtDetect, and sclaimDetect) increase, except for the ratio of added control overhead do. As shown in Fig. 8a, the sCcmtDetect values from the four schemes are similar, but DSV and HSV have slightly lower delays. From the sTcmtDetect and sclaimDetect viewpoint in Fig. 8b and c, HSV and HAFS-BCAST provide faster detection than DSV and SIG-CPLEX because the hash-based signature is less of a burden than the processing of a digital signature. The sclaimDetect and do values of DSV in Fig. 8c and d are significantly enhanced compared to those of

SIG-CPLEX, because only one verifying TAP is used instead of many. Most control messages for verification are included in CIRMA (e.g., client commitment and demand), and thus the added communication overhead is tiny, as shown in Fig. 8d. Only the messages for key release, TAP commitment, and neighbor report are added. However, key release is performed by one or two broadcasts per scheduling round, and the TAP commitment and neighbor report are proportional to the number of transmitted demand claims. In particular, the overheads for DSV and HSV are smaller than for HAFS-BCAST and SIG-CPLEX because they reduce the transmitted messages for demand claim verification. The control overhead of HSV is greater than that of DSV because of the messages for key release. The overhead ratios of the three schemes (except HAFS-BCAST) decrease when NTAP increases, because the increasing ratio on CIRMA itself is greater than those of the verification schemes. Since CIRMA is a centralized scheduling scheme, the decreasing trend of do results from the increasing number of control messages in scheduling and routing themselves on many nodes. On the other hand, HAFS-BCAST shows an increasing or stable trend due to the added messages for key release and demand verification on all TAPs. As shown in Fig. 9, the tree topology outputs similar results to the linear topology. However, the detection speed of the linear topology generally shows a more definite increasing trend than that of the tree topology, and it is

Table 3 Cryptographic benchmark. Operation

Space size (bits)

Symbol of time

Operation time

md5 sha1 hmac des-cbc RSA sign RSA verify ECDSA sign ECDSA verify

128 128 128 64 1024 1024 160 160

tMD5 tSHA1 tHMAC tDES tRSASIGN tRSAVERIFY tECDSASIGN tECDSAVERIFY

1.1 ls 1.2 ls 0.8 ls 0.17 ls 2.9 ms 0.1 ms 0.4 ms 1.9 ms

Table 4 Computation time (G: generation, V: verification). Operation Client cmt. G [cG]

DSV

First cmt. [cG1]: tSIGN After first cmt. [cGn]: O(1) Client cmt. V First cmt. [cV1]: tVERIFY [cV] After first cmt. [cVn]: tHash TAP cmt. G [tG] tHash + tSIGN TAP cmt. V [tV] tHash + tVERIFY Demand G [dG] O(1) Demand V First cmt. [dV1]: [dV] tHash + (n + 1)  tVERIFY After first cmt. [dVn]: tHash + tVERIFY + n  tHash Neighbor rep. G [nG] tSIGN Neighbor rep. V [nV] tVERIFY

HSV tHash2 + tMAC + tHash1

2  tMAC + tDES

tHash2 + tMAC 2  tMAC + tDES tMAC + tHash1 (n + 1)  (2  tMAC + tDES)

tHash2 + tMAC 2  tMAC + tDES

314

M. Kim et al. / Ad Hoc Networks 10 (2012) 299–316

Fig. 14. Performance comparison for computation delay.

also slower because the number of TAPs on the linear topology is the same as the number of hops from the GW. However, the tree topologies have a maximum of four hops from the GW. Thus, the variable factor for processing messages in the tree topologies is small, the traffic is distributed over many nodes, and the increasing trend levels off from 12 TAPs onward.

Figs. 10 and 11 show the performance metrics for the linear and tree topologies, respectively, when the number of clients Nclient increases. The results are similar to the case in which the number of TAPs increases, because adding nodes, whether TAPs or clients, generates more control messages in CIRMA. However, the decrease in the overhead ratio is more pronounced, as shown in Fig. 11d.

Figs. 12 and 13 show the performance metrics for the linear and tree topologies, respectively, when the number of flows (i.e., demands) increases. The increasing and decreasing trends are similar to the cases in which the number of nodes increases. However, the increasing trends of the detection speed (sCcmtDetect, sTcmtDetect, and sclaimDetect) are more linear and pronounced, because the number of flows is directly related to the number of verification processes. In particular, the detection speed of sCcmtDetect is slower.

6.2. Computational overhead analysis

To analyze the computational overhead of our schemes, we estimate the actual computation time for verification, i.e., the time taken by the cryptographic operations, on a desktop system. We use the benchmarking suite provided by OpenSSL [31]. The system used for this benchmarking was an Intel Core2 Duo T2600 processor (2.16 GHz) with 2.0 GB of memory and an 80 GB hard disk. Table 3 summarizes the benchmarked cryptographic operations. From these we derive the computational overhead of each verification operation, as shown in Table 4. In DSV, a hash chain is used from the generation of the second client commitment onward, so the generation and verification of client commitments and of demands each have two cases of computation delay: the first commitment and all later ones. The parameter n is the number of client commitments in a demand of DSV. Finally, Fig. 14 is derived from Tables 3 and 4, with tHash in DSV instantiated as tMD5, and tHash1 and tHash2 in HSV as tMD5 and tSHA1, respectively. Even though DSV requires about 1000 times more computation for message generation and verification than HSV, as shown in Fig. 14a and b, the delay of dV in DSV drops to a near-constant value after the first verification of a demand, as shown in Fig. 14c.
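The two-case cost structure of Table 4 for DSV, as an added example that is not the paper's code: a small Python model in which a client's first commitment is signed and carries a hash-chain anchor, and every later commitment is authenticated by revealing the next chain element, so a verifier pays one tVERIFY per client only once and one tHash per client afterwards. The message formats, the HMAC stand-in for the digital signature, and the names Client, Verifier, run_rounds and replay_is_rejected are assumptions of this example; how DSV binds the demand value to a revealed chain element is not reproduced here, so the model demonstrates the operation counts behind dV1 and dVn rather than the paper's exact message layout.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

def H(data: bytes) -> bytes:
    """Plays the role of tHash in Table 4 (SHA-256 here; Fig. 14 used MD5)."""
    return hashlib.sha256(data).digest()

# Assumption: HMAC under a per-signer key stands in for the DSV digital signature so
# the example needs only the standard library. In a deployment this is a public-key
# signature, which is why tVERIFY dominates the first-round cost.
def sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify(key: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, msg), sig)

@dataclass
class Ops:
    """Counts cryptographic operations for comparison with the Table 4 formulas."""
    hash: int = 0
    sign: int = 0
    verify: int = 0

def first_cmt_msg(cid: bytes, anchor: bytes, demand: int) -> bytes:
    return b"cmt0" + cid + anchor + demand.to_bytes(4, "big")

class Client:
    """Assumed commitment format: round 0 is signed and carries the hash-chain
    anchor; each later round reveals the next chain element instead of a signature."""
    def __init__(self, cid: bytes, key: bytes, rounds: int):
        self.cid, self.key, self.round = cid, key, 0
        chain = [os.urandom(32)]                  # constructed secret seed
        for _ in range(rounds):
            chain.append(H(chain[-1]))
        self.chain = chain[::-1]                  # chain[0] is the anchor H^rounds(seed)

    def commit(self, demand: int, ops: Ops) -> dict:
        r, self.round = self.round, self.round + 1
        if r == 0:                                # cG1 = tSIGN
            ops.sign += 1
            sig = sign(self.key, first_cmt_msg(self.cid, self.chain[0], demand))
            return {"cid": self.cid, "round": 0, "demand": demand,
                    "anchor": self.chain[0], "sig": sig}
        return {"cid": self.cid, "round": r,       # cGn = O(1): just reveal chain[r]
                "demand": demand, "link": self.chain[r]}

class Verifier:
    """A TAP, or any node auditing a demand; remembers the last accepted chain
    element per client so later commitments cost one hash instead of a verify."""
    def __init__(self, client_keys: dict):
        self.client_keys, self.last_link = client_keys, {}

    def verify_client_cmt(self, c: dict, ops: Ops) -> bool:
        if c["round"] == 0:                       # cV1 = tVERIFY
            ops.verify += 1
            msg = first_cmt_msg(c["cid"], c["anchor"], c["demand"])
            ok = verify(self.client_keys[c["cid"]], msg, c["sig"])
        else:                                     # cVn = tHash
            ops.hash += 1
            prev = self.last_link.get(c["cid"])
            ok = prev is not None and H(c["link"]) == prev
        if ok:                                    # advance the chain only on success
            self.last_link[c["cid"]] = c["anchor"] if c["round"] == 0 else c["link"]
        return ok

def demand_digest(client_cmts: list) -> bytes:
    """One hash over the bundle of client commitments (the tHash term in tG and tV)."""
    h = hashlib.sha256()
    for c in client_cmts:
        h.update(c["cid"] + c["round"].to_bytes(4, "big") + c["demand"].to_bytes(4, "big"))
    return h.digest()

def tap_generate_demand(tap_key: bytes, client_cmts: list, ops: Ops) -> dict:
    """tG = tHash + tSIGN: the TAP signs the digest of the commitments it aggregates."""
    ops.hash += 1
    ops.sign += 1
    return {"client_cmts": client_cmts, "tap_sig": sign(tap_key, demand_digest(client_cmts))}

def verify_demand(v: Verifier, tap_key: bytes, demand: dict, ops: Ops) -> bool:
    """TAP commitment check (tHash + tVERIFY), then one client check per commitment:
    dV1 = tHash + (n + 1) tVERIFY in round 0, dVn = tHash + tVERIFY + n tHash afterwards."""
    ops.hash += 1
    ops.verify += 1
    if not verify(tap_key, demand_digest(demand["client_cmts"]), demand["tap_sig"]):
        return False
    return all(v.verify_client_cmt(c, ops) for c in demand["client_cmts"])

def run_rounds(n_clients: int, rounds: int) -> list:
    """Simulate scheduling rounds; return the verifier-side Ops counter of each round."""
    tap_key = os.urandom(32)
    clients = [Client(bytes([i]), os.urandom(32), rounds) for i in range(n_clients)]
    auditor = Verifier({c.cid: c.key for c in clients})
    per_round = []
    for r in range(rounds):
        gen, ver = Ops(), Ops()
        cmts = [c.commit(10 * (r + 1), gen) for c in clients]   # constructed demands
        if not verify_demand(auditor, tap_key, tap_generate_demand(tap_key, cmts, gen), ver):
            raise RuntimeError("honest demand rejected")
        per_round.append(ver)
    return per_round

def replay_is_rejected() -> bool:
    """Reusing an already-accepted chain element fails: H(link) != last accepted link."""
    key = os.urandom(32)
    client, v, ops = Client(b"\x07", key, rounds=2), Verifier({b"\x07": key}), Ops()
    first, second = client.commit(5, ops), client.commit(5, ops)
    fresh_ok = v.verify_client_cmt(first, ops) and v.verify_client_cmt(second, ops)
    return fresh_ok and not v.verify_client_cmt(second, ops)

if __name__ == "__main__":
    for r, ops in enumerate(run_rounds(n_clients=3, rounds=3)):
        print(f"round {r}: {ops}")
    print("replay rejected:", replay_is_rejected())
```

With three clients the verifier's counter reads one hash and four signature verifications in round 0 and four hashes with a single verification in every later round, which is exactly dV1 and dVn for n = 3. The replay check also shows the one state the verifier must protect: the stored chain element is advanced only after a successful check, otherwise a stale or forged link could desynchronize the chain. The model does not hash forward over a missed round, so a lost commitment forces the client back to a signed first commitment; a deployed scheme would need to decide how many chain steps a verifier is willing to walk.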

7. Conclusion

In this paper, we proposed a generic verification framework to detect various misbehaviors not considered in existing fair scheduling schemes in a WMN. The verification framework makes use of commitments and demand claims in order to authenticate the traffic information exchanged as part of the scheduling algorithm. We then instantiated the verification framework as two schemes. The first scheme is a digital signature based verification scheme that is suited to a distributed authentication environment. In order to have a consistent view of client demands, a TAP receives a fresh commitment from the client at the beginning of each scheduling round, but a hash chain is used to reduce the burden of signature verification for commitments from the same client in each round. The second scheme is a verification scheme using hash-based signatures for a centralized authentication environment where a trusted CA exists. It uses a relatively lightweight verification process based on symmetric keys, and thus provides faster detection. Our extensive simulation and benchmark results showed that it is practical and feasible to augment an existing scheduling scheme with an instance of the verification framework while incurring an insignificant overhead. Lastly, we analyzed our schemes in terms of their security properties. In future work, we will extend our approach to scheduling schemes with per-flow fairness and distributed fair scheduling, optimizing efficiency and performance.

Acknowledgments

This work was partially supported by the US National Science Foundation (NSF) under Grant CAREER-0447761. Kim's work was also supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Science and Technology (2011-0014020). Iyer's work in this paper was done when he was a graduate student at North Carolina State University. The contents of this paper do not necessarily reflect the position or the policies of the US or Korean Government.

References

[1] J. Jun, M. Sichitiu, The nominal capacity of wireless mesh networks, IEEE Wireless Communications 10 (5) (2003) 8–14.
[2] S. Sarkar, L. Tassiulas, End-to-end bandwidth guarantees through fair local spectrum share in wireless ad-hoc networks, IEEE Transactions on Automatic Control 50 (9) (2005) 1246–1259.
[3] B. Li, End-to-end fair bandwidth allocation in multi-hop wireless ad hoc networks, in: Proceedings of the IEEE International Conference on Distributed Computing Systems (ICDCS), June 2005, pp. 471–480.
[4] S.G.Z. Wu, D. Raychaudhuri, IRMA: Integrated routing and MAC scheduling in wireless mesh networks, in: Proceedings of the IEEE Workshop on Wireless Mesh Networks (WiMesh), September 2006, pp. 109–118.
[5] N. Ben Salem, J.-P. Hubaux, A fair scheduling for wireless mesh networks, in: Proceedings of WiMesh, September 2005.
[6] V. Gambiroza, B. Sadeghi, E.W. Knightly, End-to-end performance and fairness in multihop wireless backhaul networks, in: Proceedings of MobiCom, September 2004, pp. 287–301.
[7] A. Raniwala, P. De, S. Sharma, R. Krishnan, T. Chiueh, End-to-end flow fairness over IEEE 802.11-based wireless mesh networks, in: Proceedings of IEEE INFOCOM, May 2007, pp. 2361–2365.
[8] G. Badawy, A. Sayegh, T. Todd, Fair flow control in solar powered WLAN mesh networks, in: Proceedings of the Wireless Communications and Networking Conference (WCNC), April 2009, pp. 1–6.
[9] R. Nelson, L. Kleinrock, Spatial TDMA: a collision-free multihop channel access protocol, IEEE Transactions on Communications 33 (9) (1985) 934–944.
[10] S. Glass, M. Portmann, V. Muthukkumarasamy, Securing wireless mesh networks, IEEE Internet Computing 12 (4) (2008) 30–36.
[11] N. Ben Salem, J.-P. Hubaux, Securing wireless mesh networks, IEEE Wireless Communications 13 (2) (2006) 50–55.
[12] Y. Zhang, J. Luo, H. Hu, Wireless Mesh Networking, Auerbach Publications, Boston, MA, USA, 2006.
[13] M.A. Hamid, M. Abdullah-Al-Wadud, H. ChoongSeon, C. Oksam, L. Sungwon, A robust security scheme for wireless mesh enterprise networks, Annals of Telecommunications 64 (5–6) (2009) 401–413.
[14] D. Tian, Q. Li, S. Chen, Anomaly intrusion detection methods for wireless LAN, in: Proceedings of the Fourth International Conference on Natural Computation (ICNC), 2008, pp. 179–182.
[15] D. Makaroff, P. Smith, N. Race, D. Hutchison, Intrusion detection systems for community wireless mesh networks, in: Proceedings of the 5th IEEE International Conference on Mobile Ad Hoc and Sensor Systems (MASS), 2008, pp. 610–616.
[16] P. Kyasanur, N. Vaidya, Selfish MAC layer misbehavior in wireless networks, IEEE Transactions on Mobile Computing 4 (5) (2005) 502–516.
[17] H. Li, M. Xu, Y. Li, Selfish MAC layer misbehavior detection model for the IEEE 802.11-based wireless mesh networks, Lecture Notes in Computer Science 4847 (2007) 382–391.
[18] F. Oliviero, S. Romano, A reputation-based metric for secure routing in wireless mesh networks, in: Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM), 2008, pp. 1–5.
[19] F. Martignon, S. Paris, A. Capone, A framework for detecting selfish misbehavior in wireless mesh community networks, in: Proceedings of the 5th ACM Symposium on QoS and Security for Wireless and Mobile Networks (Q2SWinet), 2009, pp. 65–72.
[20] A.D.R. Jain, G. Babic, Throughput Fairness Index: An Explanation, ATM Forum/99-0045, February 1999.
[21] J. Bicket, D. Aguayo, S. Biswas, R. Morris, Architecture and evaluation of an unplanned 802.11b mesh network, in: Proceedings of ACM MobiCom, 2005, pp. 31–42.
[22] T. Salonidis, L. Tassiulas, Distributed dynamic scheduling for end-to-end rate guarantees in wireless ad hoc networks, in: Proceedings of the ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc), 2005, pp. 145–156.
[23] M. Leoncini, P. Santi, P. Valente, An STDMA-based framework for QoS provisioning in wireless mesh networks, in: Proceedings of the IEEE Conference on Mobile Ad Hoc and Sensor Systems (MASS), 2008, pp. 223–232.
[24] M. Cao, V. Raghunathan, P.R. Kumar, A tractable algorithm for fair and efficient uplink scheduling of multi-hop WiMAX mesh networks, in: Proceedings of WiMesh, 2006, pp. 93–100.
[25] Y. Amir, C. Danilov, M. Hilsdale, R. Musaloiu-Elefteri, N. Rivera, Fast handoff for seamless wireless mesh networks, in: Proceedings of ACM MobiSys, 2006, pp. 83–95.
[26] A. Dhekne, N. Uchat, B. Raman, Implementation and evaluation of a TDMA MAC for WiFi-based rural mesh networks, in: Proceedings of the ACM Workshop on Networked Systems for Developing Regions (NSDR), 2009.
[27] A.A. Yavuz, P. Ning, Hash-based sequential aggregate and forward secure signature for unattended wireless sensor networks, in: Proceedings of the Annual International Conference on Mobile and Ubiquitous Systems (MobiQuitous), July 2009, pp. 1–10.
[28] S. Goldwasser, S. Micali, R. Rivest, A digital signature scheme secure against adaptive chosen-message attacks, SIAM Journal on Computing 17 (2) (1988) 281–308.
[29] A. Perrig, R. Canetti, J.D. Tygar, D. Song, The TESLA broadcast authentication protocol, RSA CryptoBytes 5 (Summer).
[30] The Network Simulator ns-2.
[31] OpenSSL.
[32] V.K.S. Iyer, Misbehavior Resistant Fair Scheduling in Wireless Backhaul Mesh Networks, Master's thesis, North Carolina State University, August 2008.

Mihui Kim received the B.S. and M.S. degrees in Computer Science and Engineering from Ewha Womans University, Korea, in 1997 and 1999, respectively. During 1999–2003, she worked in the Switching & Transmission Technology Lab. of the Electronics and Telecommunications Research Institute (ETRI) of Korea, developing an MPLS system and a 10 Gbps Ethernet system. She received the Ph.D. degree from Ewha Womans University in 2007. She was a postdoctoral researcher in the Department of Computer Science, North Carolina State University, from 2009 to 2010. She is currently a professor in the Department of Computer Engineering, Hankyong National University, Republic of Korea. Her research interests include mobile network security, DDoS attack defense, and sensor network security.


Varagur Karthik Sriram Iyer is now with Microsoft Corporation. He received his M.S. degree from the Department of Computer Science, North Carolina State University, in 2008. His research interests include network security and protocols.

Peng Ning is currently a professor of Computer Science in the College of Engineering at North Carolina State University. He was an assistant professor at NC State University from August 2001 to July 2006. He received his PhD degree in Information Technology from George Mason University in 2001. Prior to his PhD study, he received an ME in Communication and Electronic Systems in 1997 and a BS degree in Information Science in 1994, both from the University of Science and Technology of China. He is a member of the ACM, the ACM SIGSAC, the IEEE, and the IEEE Computer Society. His research interests are mainly in computer and network security. He is particularly interested in new techniques for building trustworthy systems and in wireless security.