Vehicular Communications 5 (2016) 9–17
Novel cross layer detection schemes to detect blackhole attack against QoS-OLSR protocol in VANET

Raghad Baiad b, Omar Alhussein a, Hadi Otrok b,∗, Sami Muhaidat b

a School of Engineering Science, Simon Fraser University, Burnaby, Canada
b Department of ECE, Khalifa University, Abu Dhabi, United Arab Emirates
Article info

Article history: Received 20 February 2016; Received in revised form 10 July 2016; Accepted 1 September 2016; Available online 13 September 2016

Keywords: Cross layer; VANET; QoS-OLSR; Watchdog; Blackhole attack

Abstract

In this paper, we propose novel cross-layer cooperative schemes for detecting blackhole attack that commonly targets the quality of service secure optimized link state routing protocol (QoS-OLSR) in vehicular ad-hoc networks (VANETs). The QoS-OLSR relies mainly on the multi-point relays (MPRs) that are responsible for establishing the routing among the nodes in the network. Such nodes are victims of the well known attack named as blackhole where packets are intentionally dropped to cause a denial of service. In the literature, watchdogs are used to detect such an attack by utilizing the captured network layer information. Improving the detection performance of such a technique and minimizing the drawbacks due to the high channel collision are the main goals of this work. As a solution, we propose two detection schemes that allow the information to be exchanged across two and three layers respectively. The first scheme utilizes the information among physical and network layers, while the second one relies on the physical, MAC and network layers to enable an efficient and reliable detection. In the physical layer detection technique, each legitimate user is assigned a signature key that is multiplied by the message, and each monitoring node uses the maximum likelihood approach to determine whether the message is legitimate or not. On the other hand, the MAC detection technique monitors the number of RTS/CTS (request to send/clear to send) requests among all the neighbors while the cooperative watchdog technique is implemented at the network layer to overhear the transmitted exchanged packets among the neighbors. Simulation results are conducted to show that utilizing a cooperative cross layer design enhances the detection rate and minimizes the false alarm rate compared to other contemporary state-of-the-art detection schemes. © 2016 Elsevier Inc. All rights reserved.
∗ Corresponding author. Fax: +971 (0)2 447 2441.
http://dx.doi.org/10.1016/j.vehcom.2016.09.001
2214-2096/© 2016 Elsevier Inc. All rights reserved.

1. Introduction

Recent research advances in information and wireless technologies have led to growing interest in the development of intelligent transportation systems (ITSs). These systems promise significant improvements in road safety and traffic flow, and shall enable new data services. As a key component of ITS, vehicular ad-hoc networks (VANETs), including inter-vehicular communications and vehicle to infrastructure communications, are attracting attention in both industrial and academic communities [1,2] due to their huge commercial potential. Yet, VANETs present several challenges, particularly in aspects related to security and privacy. Therefore, many works have been proposed to address these issues. In [3] Georgios
et al. indicate that most recent promising applications in vehicular networks are the security concepts. In [1], the authors propose a security technique that depends on cryptographic primitives and plausibility checks to mitigate false position injection. However, these schemes suffer from a sharp trade-off between efficiency and security, where one is achieved at the expense of the other. In [4], Raya et al. propose an algorithm to balance between efficiency and security. Their algorithm depends on relaying the information among vehicles. Thus, the focus is on message aggregation, in which there are three major classes, namely combined signatures, overlapping groups, and dynamic group key creation. In this paper, we take this existing compromise between security and efficiency into account.

VANET’s quality of service optimized link state routing (QoS-OLSR) [5] protocol is proposed to form a stable vehicular network. It is taken from the classical OLSR protocol [6], where the multipoint relays (MPRs) are selected by the normal nodes to broadcast the network topology information. The idea behind this protocol is to divide the network into clusters, where each cluster is composed of a cluster head (CH) for each group of neighbor nodes located in the same transmission range called voters. To partition the network into clusters and elect a set of optimal cluster heads, each node votes for its neighbor which has the highest QoS value. A node can also vote for itself, if it has the maximal QoS value. The nodes use their Hello messages to broadcast their votes. This solution yields a one-hop clustering model. Each node is one-hop away from its designated cluster head. Once the election algorithm is performed, the CHs select a set of multi-point relays (MPRs) that connect various clusters together and reduce the overhead messages by minimizing the number of transmissions. In this protocol, there exists a tradeoff between QoS requirements and high speed mobility constraints.

In this work, we assume the VANET QoS-OLSR protocol [5] which, although it provides efficiency in terms of connection, is still vulnerable to several types of attacks, such as wormhole and blackhole attacks. A blackhole attack [7] is categorized as a packet drop attack, where the attacker node exploits the routing protocol and advertises itself as a legitimate relay to the destination node. Once it receives the data packets, it starts discarding them without necessarily informing the source [8], thus compromising the security of the network routing. To that end, various techniques are proposed to detect blackhole attacks. They can be classified based on the nature of their operation into three main categories, namely acknowledgment (ACK)-based [9], reputation-based [5,10], and detection-based [11,12] schemes. It is worth mentioning that most of the works proposed in the literature adopt the third category. The watchdog monitoring technique is widely implemented due to the fact that it is independent of the utilized routing protocol or technology.
There, the monitoring nodes maintain a buffer of recently sent packets and compare each incoming overheard packet with the ones in the buffer to validate if a match exists [11]. However, the watchdog provides detection only at the routing level, which puts limitations on this technique and leads to a high probability of false positives, mainly because: (1) watchdogs at the routing level are not able to determine whether a packet dropping event is due to packet collisions or an attack; and (2) they are not able to detect accurately if the watchdogs themselves have problems. With the aforementioned limitations of the watchdog technique, our main dilemma in blackhole detection is that one needs to determine whether packet drops are due to an attack or just a mere collision. Therefore, further techniques should be proposed to fix the aforementioned network layer detection technique limitations.

Many solutions in recent works consider the joint optimization of important system parameters residing in different OSI layers systematically to achieve the best detection capability. For instance, in [13], the authors propose a modular cross layer intrusion detection which makes use of the context information from different layers and sources. On every node, different modules are in charge of collecting audit data from different layers, namely the network and application layers. At the network level, the nodes are responsible for collecting data from neighboring nodes for forwarding attitudes, whereas at the application layer level, they are responsible for receiving warning messages. Subsequently, a local decision is made with the aid of additional information available from other devices, such as the GPS system. Moving to [14], an IEEE wireless access in vehicular communication (WAVE) cross-layer message verification scheme is proposed to verify the safety application on the received message.
The verification mechanism consists of signature generation, transmission of a periodic safety message, and verification of the received message. In [15], a novel detection system is designed to perform two levels of detection by analyzing the pattern of trace files. However, to the best of our knowledge, none of the mentioned schemes provide a real evaluation in detecting a real attack. Also, there is no cross layer scheme proposed in the literature that takes the trade-off between network connectivity and security into account.

In this paper, we propose novel cooperative cross layer based intrusion detection schemes (IDSs) to enhance the performance of the watchdog detection technique in tackling blackhole attack. It is noted that in the literature, the terms cooperative and cross layer are sometimes used interchangeably. Here cooperative refers to the cooperation between nodes in the network, while cross layer refers to the information exchange that occurs between the three different layers. Our main focus is on the development of detection techniques designed for assisting watchdog monitoring in blackhole attack, whereby the cooperative and cross layer approach shall enable us to further minimize the intrinsic increase in the false-alarm rate, and thus, enhance the overall detection performance. We approach this by introducing the individual intrusion detectors for each layer, and then, we propose two cross layer detection schemes, and lastly integrate them together to build a reliable and efficient IDS scheme.

In what follows, we briefly describe each local detector. First, for the physical layer, we propose a signature key based detector, where each legitimate user is provided with a signature key. Then, by utilizing the maximum likelihood test and based on the signature key, a monitoring node decides whether a received signal is from a legitimate user or an intruder. If the signal is determined to be from an intruder, then the signal is dropped. Otherwise, the signal is passed to the next layer of defense, namely the network layer. It is worth noting that depending solely on the physical layer detector would not be sufficient since high noise levels or physical channel interference may lead to a detection error. As a second layer of defense, in the network layer, we implement the aforementioned watchdog technique to further decide the authenticity of the received signal.
Lastly, in the MAC layer, we count and compare the number of sent RTS packets to the number of received CTS packets. If a discrepancy is detected, we indicate that the packet loss is due to collision and not an intrusion. The proposed ID schemes also utilize cooperation between watchdogs located at the same cluster and monitoring nodes from other layers. This is achieved by allowing the monitoring nodes to overhear the communications between other nodes, and therefore, build a final unified decision.

The main contribution of this work is a novel cross layer detection framework that can improve the detection against Blackhole attack targeting QoS-OLSR protocol. Such a cooperative framework will be able to reduce the false alarm rate generated due to collisions and falsely reported detection. Our schemes are able to increase the detection rate and minimize the false alarm rate compared to the work proposed in the literature. Simulations are conducted, using Matlab, to evaluate the performance and robustness of the proposed schemes.

The rest of this paper is organized as follows: Section 2 presents the problem statement, which identifies the need to develop novel cooperative cross layer based approaches. The proposed cooperative cross layer techniques are introduced in Section 3. Finally, simulation results are shown in Section 4, while Section 5 concludes this work.

2. Problem statement

One of the foremost challenges in VANETs is to design routing protocols that can handle the high mobility of vehicles and constant changes in the underlying topology [16]. In the proposed schemes, we adopt the VANET QoS-OLSR protocol which is proposed in [5]. However, in addition to that model we take into account the direction of the node during the cluster head selection process, which provides a more realistic scenario. The cluster head selection process is based on the maximum quality of service value, where each node votes for itself and the nodes in its transmission
Fig. 2. Various levels of monitoring.
Fig. 1. Blackhole attack impact as percentage of disjoint clusters versus number of nodes, with 10% attackers.
range. Upon selecting cluster heads, it becomes their responsibility to select the set of MPRs. Here we calculate the QoS value for each ith node as follows,

$$\mathrm{QoS}(i) = Rd(i) \times N(i) \times \frac{1}{V(i)}, \tag{1}$$

where Rd(i) is the remaining distance to exit the highway lane, N(i) is the 1-hop neighbor nodes located in the same direction, and V(i) is the average speed of the ith node. Note that here, in contrast to [5], we allow nodes to vote only for the CHs that share their moving direction. Once the corresponding CHs are selected, we follow the same approach employed in [5] to choose the MPRs.

As mentioned earlier, blackhole attack causes packet drop in most of the routing protocols. In the adopted protocol, it targets the MPR nodes, causing a serious impact on the network connectivity. To illustrate the significance of this problem, we adopt the parameters in Table 1 in Section 4 and consider 10% of the MPRs to be malicious. Fig. 1 shows the percentage of disconnected clusters due to the blackhole attack. It should be noticed that we had fully connected clusters from the routing point of view before the attack occurred, and all the nodes could communicate with each other easily. However, once malicious nodes exist, the percentage of disconnected clusters keeps increasing as long as the number of nodes increases. This is due to the fact that when the network becomes more dense, the nodes become closer to each other and connected by more MPRs. Therefore, the number of attackers increases, which in turn degrades the network connectivity. This illustration demonstrates the need to develop a detection technique that can detect the presence of malicious vehicles.

Watchdog based approaches are implemented in the literature [17]. Unfortunately, such monitoring techniques have two major drawbacks. First, they cannot differentiate whether a packet dropping event is due to some malicious attack or just legitimate reasons, such as packet collision. The second problem arises when the watchdogs have problems while listening to an attack, and accuse innocent nodes of misbehaving. For instance, if we have a watchdog that is monitoring one node in a cluster, and at the same time, it receives data from its neighbor node in a different cluster, this would lead to collision and thus would report a misbehavior. The drawbacks of the watchdog detection model have been studied thoroughly in [18] and the resulting false positive rate was proven to be high. Additionally, if we are only to adopt the signature key technique in the physical layer to detect such attacks in the network level, high noise level and interference can produce wrong threshold values, and hence, provide wrong decisions. Also, since the signature key is assigned randomly to each legitimate user, some mistakes in assigning the key may lead to false detections as well. Moreover, the work proposed in [14] proves that adopting this technique, without taking the routing level connectivity issues coming from the routing protocol into consideration, causes packet drops. To overcome these problems, novel cooperative cross layer detection schemes are proposed, in which watchdog monitors are correlated with physical and MAC layer schemes, and several observations from different layers are aggregated equally to form one final decision and improve malicious detection.

2.1. Threat model
In an effort to address the impact of blackhole attack in VANET, we want to enhance the performance of the well-known watchdog detection scheme in tackling the collision problem while monitoring. It should be noted that our main threat model assumes malicious behavior from the MPR nodes during packet exchange among several nodes in the network. The classical watchdog technique fails to differentiate between collisions and attacks. A remedy to this problem is the use of cross layering, where different monitoring nodes from different layers cooperate to enhance the performance of a single detection scheme. Thanks to the cooperative and cross layering features, any falsely reported attacks can be handled. In this work, our main focus is to propose the cooperative cross layer detection framework, where watchdogs are selected randomly. Finally, attacks prior to packet transmission, specifically during broadcast transmissions, can be detected utilizing the watchdog without the need to adopt any cross layering schemes, as proposed in [17].

3. Cooperative cross layer design

The high and continuous movement of the nodes in VANETs is considered to be a serious issue that deteriorates any detection technique that might be applied. Therefore, cooperative cross layer schemes are proposed in recent studies [19] to assist in solving this issue. The main objective of any cross layer scheme is to leverage the information between layers, and thus, enhance the network detection performance. In this section, we present the three-level detection techniques followed by the algorithms, starting with the physical layer detection, then the MAC layer detection technique, and the network layer. After that, as shown in Fig. 2, the three-level cross layer detection schemes are proposed. Specifically, we have an information exchange between: (A) the physical layer and the network layer, (B) the MAC layer and network layer, (C) the three layers.

3.1. Physical layer intrusion detection

In this sub-section, we introduce the physical layer based intrusion detector. This detector represents the first layer of defense in the proposed schemes, where the watchdog monitors the receiver node on the physical level before it decides whether to drop the signal or forward it to the upper layers for further detection, as shall be explained later. Consider a vehicular ad-hoc network topology, consisting of $M$ legitimate user nodes. We assign a unique signature key for each legitimate $i$th user, denoted by $\delta_i$, where $i = 1, \ldots, M$. Practically, the signature keys can be assigned by the road side unit (RSU). Let $x_i$ denote the signal message sent from the $i$th legitimate user in the network. Then, at the watchdog, the intercepted received signal copy, $y_i$, can have two possible hypotheses, modeled as
$$y_i = \begin{cases} x_i + n, & \mathcal{H}_0, \\ \delta_i x_i + n, & \mathcal{H}_1, \end{cases} \tag{2}$$

where $n \sim \mathcal{CN}(0, \sigma^2)$ is complex additive white Gaussian noise vector (AWGN) with zero mean and variance $\sigma^2/2$ per dimension. The null hypothesis, $\mathcal{H}_0$, represents the possibility that the received signal is sent from an intruder, whereas the alternative hypothesis, $\mathcal{H}_1$, represents the possibility that the received signal is indeed legitimate, since it is multiplied by a corresponding signature key $\delta_i$. Under such formulation, the probabilities of the received signal conditioned on each hypothesis can be written as

$$\Pr(y_i \mid \mathcal{H}_0) = \frac{1}{\sqrt{2\pi\left(\frac{\sigma^2}{2}\right)}} \exp\left(-\frac{(y_i - x_i)^2}{2\left(\frac{\sigma^2}{2}\right)}\right),$$

$$\Pr(y_i \mid \mathcal{H}_1) = \frac{1}{\sqrt{2\pi\left(\frac{\sigma^2}{2}\right)}} \exp\left(-\frac{(y_i - \delta_i x_i)^2}{2\left(\frac{\sigma^2}{2}\right)}\right). \tag{3}$$

Consequently, by utilizing the maximum log-likelihood test, the detector identifies a received signal as legitimate when $\Pr(y_i \mid \mathcal{H}_1) > \Pr(y_i \mid \mathcal{H}_0)$, i.e. when

$$\Lambda(y_i) = \frac{\Pr(y_i \mid \mathcal{H}_1)}{\Pr(y_i \mid \mathcal{H}_0)} \underset{\mathcal{H}_0}{\overset{\mathcal{H}_1}{\gtrless}} 1. \tag{4}$$

By taking the logarithm, and after some mathematical simplifications, we obtain

$$2 y_i x_i (1 - \delta_i) + x_i^2 (\delta_i^2 - 1) \underset{\mathcal{H}_0}{\overset{\mathcal{H}_1}{\gtrless}} 0, \tag{5}$$

which results in the following decision threshold

$$y_i \underset{\mathcal{H}_0}{\overset{\mathcal{H}_1}{\gtrless}} \frac{x_i(\delta_i + 1)}{2}. \tag{6}$$

All watchdog monitoring nodes overhear and check the data exchange occurring in their transmission range, where the signature keys $\{\delta_i\}_{i=1}^{m}$ are stored in their buffers. If the received signal was perceived to be from an intruder, then the watchdog would drop the message. On the other hand, if the physical layer detector identified the user as legitimate, then the received message is passed to the MAC and network layers for further detection. Note here that, from a practical perspective, one can tolerate more miss-detection events than false alarm events. Due to the nature of the proposed detection mechanism, if an intruding message was not detected by the physical layer detector, then it would pass into other checking procedures, whereas if a legitimate message was identified as an intrusion wrongly, then it would be dropped. Therefore, it is important to characterize the miss detection and false alarm probabilities of the proposed detector, in order for the system designer to make an informed choice of $\delta_i$, based on some predefined false-alarm or miss-detection probability. The probability of false alarm, i.e. identifying an intruder as legitimate, can be computed as

$$P_{FA}^{(i)} = \Pr\{\mathcal{H}_1 \mid \mathcal{H}_0\} = \Pr\left\{ y_i > \frac{x_i(\delta_i + 1)}{2} \,\middle|\, \mathcal{H}_0 \right\}, \tag{7}$$

which results in

$$P_{FA} = \int_{\frac{x_i(\delta_i + 1)}{2}}^{\infty} \frac{1}{\sqrt{2\pi\frac{\sigma^2}{2}}} \exp\left(-\frac{(y - x_i)^2}{2\frac{\sigma^2}{2}}\right) dy, \tag{8}$$

where after some mathematical manipulations, we arrive at

$$P_{FA}^{(i)} = Q\left(x_i \frac{\delta_i - 1}{\sqrt{2\sigma^2}}\right), \tag{10}$$

where $Q(\cdot)$ is the standard $Q$-function, defined as $Q(x) = \frac{1}{\sqrt{2\pi}} \int_{x}^{\infty} \exp\left(-\frac{u^2}{2}\right) du$. Therefore, we can formulate the design problem as choosing some $\delta_i$ to satisfy a target false alarm threshold, such that

$$\delta_i^{(opt)} = \frac{\sqrt{2\sigma^2}\, Q^{-1}\left(P_{FA}^{(i)}\right)}{x_i} + 1. \tag{11}$$

With the chosen threshold, we can calculate the resultant probability of detection, $P_d$, as follows

$$P_d = 1 - \Pr\{\mathcal{H}_0 \mid \mathcal{H}_1\},$$

$$P_d = \int_{\frac{x_i(\delta_i + 1)}{2}}^{\infty} \frac{1}{\sqrt{2\pi\frac{\sigma^2}{2}}} \exp\left(-\frac{(y - \delta_i x_i)^2}{2\frac{\sigma^2}{2}}\right) dy,$$

$$P_d^{(i)} = Q\left(x_i \frac{1 - \delta_i^{(opt)}}{\sqrt{2\sigma^2}}\right). \tag{12}$$

Note here that the noise of the transmitting medium has an exponential deteriorating effect on $P_d^{(i)}$. Algorithm 1 describes the practical design aspects of the proposed physical layer based detector, where we assume that all the nodes in the same transmission range are neighbors, and all neighbors are being monitored.

Algorithm 1: Physical layer detection algorithm.
Input:
    Let m_no be the number of malicious nodes
    Let δ be the threshold value derived previously
    Let N be the neighbors
    Let MN be the number of monitoring nodes
    Let path be the path from the source to the destination
    Let y be the received signal
Output:
    Let ph_d be the physical layer detection number
    Let detection_% be the detection rate of the physical layer level monitoring
Algorithm:
    for i = 1 to m_no do
        for j = 1 to MN do
            if N(m_no(i), MN(j)) = 1 then
                for k = 1 to length(path) do
                    if path(k) = m_no(j) then
                        if y ≤ δ then
                            ph_d = ph_d + 1
                        end
                    end
                end
            end
        end
    end

$$\text{detection\_\%} = \text{ph\_d} \times \frac{1}{\text{MN}} \times \frac{1}{\text{m\_no}} \tag{13}$$
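The operating point of the signature-key detector of Section 3.1 can be checked numerically. The following is an added example, not code from the paper (whose simulations use Matlab): it evaluates the decision threshold (6) and the closed forms (10)-(12), then confirms them by Monte Carlo. It assumes a real-valued signal with noise variance σ²/2, and all function names and sample values are hypothetical.

```python
import math
import random
from statistics import NormalDist


def q_func(z):
    """Standard Gaussian tail probability Q(z)."""
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def q_inv(p):
    """Inverse of Q for 0 < p < 1."""
    return NormalDist().inv_cdf(1.0 - p)


def threshold(x, delta):
    """Decision threshold of Eq. (6): accept as legitimate when y exceeds it."""
    return x * (delta + 1.0) / 2.0


def p_false_alarm(x, delta, sigma2):
    """Eq. (10): probability that an unsigned (intruder) signal is accepted."""
    return q_func(x * (delta - 1.0) / math.sqrt(2.0 * sigma2))


def delta_opt(x, sigma2, target_pfa):
    """Eq. (11): signature key that meets a target false alarm probability."""
    return math.sqrt(2.0 * sigma2) * q_inv(target_pfa) / x + 1.0


def p_detection(x, delta, sigma2):
    """Eq. (12): probability that a signed (legitimate) signal is accepted."""
    return q_func(x * (1.0 - delta) / math.sqrt(2.0 * sigma2))


def operating_point(x, sigma2, target_pfa):
    """Key, threshold and resulting probabilities for one design target."""
    delta = delta_opt(x, sigma2, target_pfa)
    return {
        "delta": delta,
        "threshold": threshold(x, delta),
        "p_fa": p_false_alarm(x, delta, sigma2),
        "p_d": p_detection(x, delta, sigma2),
    }


def simulate(x, delta, sigma2, trials=100_000, seed=7):
    """Monte Carlo estimate of (P_FA, P_d) under the two hypotheses of Eq. (2)."""
    rng = random.Random(seed)
    std = math.sqrt(sigma2 / 2.0)  # noise standard deviation per dimension
    thr = threshold(x, delta)
    fa = sum(x + rng.gauss(0.0, std) > thr for _ in range(trials))
    det = sum(delta * x + rng.gauss(0.0, std) > thr for _ in range(trials))
    return fa / trials, det / trials


def pd_vs_noise(x, delta, sigma2_values):
    """P_d for a fixed key as the noise variance grows."""
    return [p_detection(x, delta, s2) for s2 in sigma2_values]


if __name__ == "__main__":
    # Constructed sample values: unit-amplitude signal, sigma^2 = 0.5, 1% target.
    op = operating_point(x=1.0, sigma2=0.5, target_pfa=0.01)
    print(op)
    print(simulate(1.0, op["delta"], 0.5))
    print(pd_vs_noise(1.0, 2.0, [0.1, 0.5, 2.0]))
```

Because the threshold sits midway between the two signal means, P_d = 1 − P_FA for any key chosen this way, so the target false alarm probability fully determines the detection probability.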
3.2. MAC layer intrusion detection

Moving to the MAC layer, the IEEE 802.11 protocol mainly relies on the distributed coordination function (DCF) mechanism which uses a carrier sense multiple access with collision avoidance (CSMA/CA) protocol, as well as the request to send and clear to send (RTS/CTS) handshake to eliminate most interference [20]. However, one of the main issues that degrades the performance in multi-hop networks such as VANET is the intra hidden terminals problem, which causes a packet collision at the MAC level. Nevertheless, this issue can be avoided using cluster based forwarding, which is similar to the aforementioned routing protocol. This is due to the channel assignment by each cluster head for its neighbors, where each neighbor is allowed to transmit based on its assigned channel [16].

To explain briefly what happens in the MAC layer when data exchange occurs between two nodes, we assume four nodes in the network, namely A, B, C and D. Nodes A and B resemble the source and destination respectively, while nodes C and D resemble the MPR and monitoring nodes respectively. If A wants to transmit data to C through B, it should initiate this by sending an RTS message, which might suffer from collision if another node out of node A's transmission range but in node B's range sends an RTS simultaneously. If there is no collision, node B replies with a CTS message. Once node A has accessed the medium (no collisions detected), it transmits the desired data to B. Finally, when the packet is received by B, the node may either forward it to C or drop it. If node B decides to drop the packet, the watchdog will detect a message sent from A and not received from C, and thus, node B will be detected as a malicious node. A falsely detected scenario can exist as follows: assume that node B forwards the packet to node C but a collision occurs and node C does not receive the data transmitted from A. In this case the watchdog will detect B as a malicious node, although it is not the case. Therefore, we propose a cross layer scheme, where interaction between layers is desirable to improve this aspect and upgrade the system performance. In fact, by monitoring the number of RTS sent and CTS received, at the MAC layer level, as well as data received and forwarded, at the network layer, the existence of an attacker can be determined with higher accuracy and false-alarm scenarios would be minimized as well.

3.3. Network layer intrusion detection

The watchdog technique [11] is implemented in the network layer, where some nodes are chosen randomly as watchdogs to monitor the behavior of the MPR nodes and ensure they are fulfilling their tasks properly. These watchdog nodes overhear the communication between nodes located in their transmission range by comparing the packets forwarded from the source transmitter against those which are received by the destination receiver. Once a difference is noticed, the watchdog reports the corresponding node in the route as a malicious node. However, as stated in Section 2, problems may occur at the watchdog. Therefore, following [21], cooperation between watchdogs is considered, where the final decision is based on aggregating the decisions of several watchdog nodes. In this cooperative scheme, all watchdogs are given equal voting weight. We point out that the undesirable tradeoffs of the cooperative monitoring scheme, namely an increase in the network transmission overhead, and a small computation overhead in the decision nodes, are beyond the scope of this paper.

Although the cooperative monitoring scheme improves the detection performance, it still can have some detection errors. For instance, the watchdog detects a packet drop due to legitimate collisions as a malicious attack, which has a negative effect on the network: it degrades the performance and increases the false alarm
rate, which is the number of legitimate nodes detected as attackers. Therefore, as proposed in our previous work [19], in addition to having a cooperative monitoring scheme between the MAC layer based watchdog nodes, we consider a cross layer intrusion detection. In the subsequent section, we show that having a cross layer design enhances the detection rate and minimizes the false alarm rate. Algorithm 2 explains the mechanism of the cooperative watchdog monitoring technique, where the number of true detections is increased every time the watchdog notices a difference between the original packets stored in its buffer and the received ones from the source. Then the results are all summed up to give the detection percentage, which can be defined as the number of detections to the total number of misbehaving nodes.

Algorithm 2: Cooperative network layer detection algorithm.
Input:
    Let m_no be the list of malicious nodes
    Let wd be the watchdog monitoring nodes in the network layer
    Let N be the neighbors if 1 they are neighbors
    Let true be the true detections for intruders from legitimate list using cooperative watchdog scheme
Output:
    Let yes be weighted detections for each watchdog
    Let detection_% be the detection rate of the network level monitoring
Algorithm:
    for i = 1 to length(m_no) do
        for k = 1 to length(wd) do
            if N(m_no(i), wd(k)) = 1 then
                true = true + 1
            end
        end
        yes = yes + (true(k))
    end

$$\text{detection\_\%} = \frac{\text{yes}}{\text{length(m\_no)}} \tag{14}$$

3.4. Physical and network cross layer design

Starting with the physical layer, we choose some trusted nodes to act as physical layer monitoring nodes that assist in enhancing the detection rate cooperatively. For each node monitored by the watchdog at the network layer, the physical monitor will check for the signature key. If the source has the key, it is a legitimate user; if not, it will be reported as an intruder. In the network layer, each watchdog monitoring node detects the packets that are sent from the source to the destination, as mentioned earlier. Algorithm 3 indicates that all the nodes that are reported to be legitimate then have their signals sent to the upper network layer for further detection. For instance, there might be some errors in assigning the key since it is chosen randomly. Also, high noise level and interference may give a wrong threshold value, and thus, cause false alarms. These are going to be detected at the network level; by that, the number of true detections is going to increase, and hence, the detection rate increases as well.

3.5. MAC and network cross layer design

Moving to the MAC layer, we are concerned about differentiating between attacks and collisions. It should be noted that the MAC level of monitoring is considered as an add-on technique, where counting the number of RTS/CTS requests assists in improving the detection of the watchdog. Algorithm 4 shows the cooperative cross layer mechanism and steps of reducing the false alarms, re-evaluating the watchdogs’ weights and calculating the detection percentage.
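The effect of combining the equal-weight watchdog vote of Section 3.3 with the RTS/CTS counters of Sections 3.2 and 3.5 can be seen on a small constructed scenario. This is an added example, not the paper's code: the report structures, node names and counter values are hypothetical, and it assumes a MAC report is available for each monitored MPR and each watchdog.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WatchdogReport:
    watchdog: str   # reporting watchdog node
    suspect: str    # monitored MPR
    buffered: int   # packets overheard going to the MPR (watchdog buffer)
    forwarded: int  # buffered packets later overheard leaving the MPR


@dataclass(frozen=True)
class MacReport:
    node: str          # node whose handshakes were counted
    rts_sent: int
    cts_received: int


def collided(mac_reports):
    """Nodes whose RTS/CTS counters disagree: loss is attributed to collision."""
    return {m.node for m in mac_reports if m.rts_sent != m.cts_received}


def cooperative_vote(reports, excluded_watchdogs=frozenset()):
    """Equal-weight vote: flag an MPR when more than half of its usable
    watchdogs saw fewer packets forwarded than buffered."""
    accuse, total = defaultdict(int), defaultdict(int)
    for r in reports:
        if r.watchdog in excluded_watchdogs:
            continue
        total[r.suspect] += 1
        if r.forwarded < r.buffered:
            accuse[r.suspect] += 1
    return {s for s in total if 2 * accuse[s] > total[s]}


def network_only(reports):
    """Network layer decision alone (cooperative watchdogs)."""
    return cooperative_vote(reports)


def cross_layer(reports, mac_reports):
    """MAC and network decision: discard watchdogs that suffered collisions
    themselves, then drop accusations against MPRs whose loss is collision."""
    noisy = collided(mac_reports)
    bad_watchdogs = noisy & {r.watchdog for r in reports}
    flagged = cooperative_vote(reports, bad_watchdogs)
    return flagged - noisy


def rates(flagged, malicious, all_mprs):
    """(detection rate, false alarm rate) against known ground truth."""
    detection = len(flagged & malicious) / len(malicious)
    false_alarm = len(flagged - malicious) / len(all_mprs - malicious)
    return detection, false_alarm


# Constructed scenario: M1 is a blackhole, M2 loses packets to collisions,
# M3 is healthy but two of its three watchdogs (W3, W4) suffer collisions.
WD_REPORTS = [
    WatchdogReport("W1", "M1", 20, 0), WatchdogReport("W2", "M1", 20, 0),
    WatchdogReport("W1", "M2", 20, 12), WatchdogReport("W2", "M2", 20, 12),
    WatchdogReport("W1", "M3", 20, 20), WatchdogReport("W3", "M3", 20, 9),
    WatchdogReport("W4", "M3", 20, 11),
]
MAC_REPORTS = [
    MacReport("M1", 0, 0),    # never attempts to forward, counters agree
    MacReport("M2", 20, 12), MacReport("M3", 20, 20),
    MacReport("W1", 5, 5), MacReport("W2", 4, 4),
    MacReport("W3", 15, 8), MacReport("W4", 10, 6),
]
MALICIOUS, MPRS = {"M1"}, {"M1", "M2", "M3"}

if __name__ == "__main__":
    for name, flagged in (("network only", network_only(WD_REPORTS)),
                          ("MAC + network", cross_layer(WD_REPORTS, MAC_REPORTS))):
        print(name, sorted(flagged), rates(flagged, MALICIOUS, MPRS))
```

On this data the network layer alone flags all three MPRs, while the cross layer decision keeps only M1: the detection rate stays at 1.0 and the false alarm rate drops from 1.0 to 0.0.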
Algorithm 3: Physical and Network Cross layer detection algorithm.
Input:
    Let leg_list be the legitimate users list results from physical layer detection
    Let wd be the watchdog monitoring nodes in the network layer
    Let N be the neighbors if 1 they are neighbors
    Let m_no be the list of malicious nodes
Output:
    Let true be the true detections for intruders from legitimate list using cross layering scheme
    Let detection_% be the detection rate of the PHY and network level monitoring
Algorithm:
    for i = 1 to length(leg_list) do
        for k = 1 to length(wd) do
            if (N(leg_list(i), wd(k)) = 1) && (leg_list(i) is member of m_no list) then
                true = true + 1
            end
        end
    end
    weight = count(wd)

$$\text{detection\_\%} = \text{true} \times \frac{1}{\text{weight}} \times \frac{1}{\text{length(m\_no)}} \tag{15}$$

Algorithm 4: Network and MAC Cross layer detection algorithm.
Input:
    Let wd_report be the watchdog detected malicious nodes
    Let MAC_report be the MAC monitors reports
    Let no_d be the new number of detection after filtering
    Let wd be the watchdog nodes
    Let no_malicious be the number of malicious nodes
    Let MAC be the MAC monitor nodes
    Let MAC_s be the MAC status of either 1 or 0
Output:
    Let new_weight_a the aggregation of two decisions
    Let new_weight counting the number of watchdogs after eliminating the ones with problems
    Let new_d_% be the detection percentage after cross layering between MAC and network layers
Algorithm:
    Part A
    for i = 1 to length(wd_report) do
        for j = 1 to length(MAC_report) do
            if MAC(j) = wd_report(i) then
                wd_report(i) = 0
            end
        end
    end
    no_d = wd_report
    Part B
    for i = 1 to length(wd) do
        for j = 1 to length(MAC) do
            if wd(i) and MAC(j) are neighbors then
                new_weight_a(i) = wd(i) * MAC_s(j);
            end
        end
    end
    new_weight = count(new_weight_a)

$$\text{new\_d\_\%} = \frac{1}{\text{new\_weight}} \times \frac{1}{\text{no\_malicious}} \times \text{no\_d}$$

3.6. Physical, MAC, and network cross layer detection

Lastly, adopting both cross layer schemes mentioned previously and introducing the MAC monitoring mechanism at the physical level will enhance the detection rate further. For instance, any collisions that occurred during the watchdog monitoring and physical monitoring and led to false alarms will be detected using MAC monitoring. Moreover, false detections caused by collisions at the monitoring nodes themselves will also be reduced by the MAC monitors. It should be noticed again that the MAC monitoring technique can be used as an add-on to any detection scheme and cannot be applied by itself; it enhances the detection systems and minimizes the false rates. Algorithm 5 explains how applying the watchdog technique to the physical monitors (that is enhanced by the proposed MAC filtering technique) increases the detection rate and improves the overall detection performance.

Algorithm 5: Physical, MAC, and network detection algorithm.
Input:
    Let m_no be the list of malicious nodes
    Let new_weight be the physical monitoring nodes resulted from crossing with MAC layer
    Let N be the neighbors if 1 they are neighbors
    Let true_cross be the true detections for intruders from legitimate list using cooperative watchdog scheme
Output:
    Let yes_cross be weighted detections for each watchdog
    Let detection_% be the detection rate after cross layering the three levels
Algorithm:
    for i = 1 to length(m_no) do
        for k = 1 to length(new_weight) do
            if N(m_no(i), new_weight(k)) = 1 then
                true_cross = true_cross + 1
            end
        end
        yes_cross = yes_cross + (true_cross(k))
    end

$$\text{detection\_\%} = \frac{\text{yes\_cross}}{\text{length(m\_no)}} \tag{17}$$

4. Simulation results

4.1. Simulation scenario and parameters
(16)
Firstly, having some nodes in promiscuous mode at MAC level will enable them to detect collisions. Therefore, when the results from the network layer are passed to the MAC layer, we can eliminate the watchdog reports that detected from MAC as collisions, as indicated in Algorithm 4 part A. Additionally, if the watchdog has problems while listening, it can be eliminated from being watchdog. The watchdog weight will change as shown in Algorithm 4 part B, and hence, achieve better detection percentage. It should be noticed that these weights are assigned by the cluster heads which presumably are trusted and have all the information about the monitoring nodes.
The main objective of this section is to investigate whether the proposed cooperative cross layer techniques have an impact on the watchdog detection. However, the cooperative watchdog detection itself is implemented first in order to measure its efficiency in detecting attackers. Then, cross layering between the layers is implemented, and a performance analysis addressing the detection percentage and false-alarm rate is illustrated.

MATLAB-8.0 [22] and the Mobisim simulator [23] have been used in our simulations. Although a number of simulators for real environment topology are available to provide scenarios that simulate realistic vehicular mobility models, the Mobisim simulator has been chosen because it provides a mobility model (freeway) that is not random and it provides the nodes' direction in its output trace files. Moreover, Mobisim generates an output file that contains some important parameters, such as time, direction, speed, and position. Thus, we use these output trace files to simulate the vehicular network using MATLAB. The transmission range of the vehicles is selected to be 300 meters such that a fully connected network is achieved [24]. The simulation parameters are summarized in Table 1.

The VANET physical layer is based on orthogonal frequency-division multiplexing (OFDM) [25], and the signal is transmitted using binary phase shift keying (BPSK) modulation over an AWGN scenario. As for the MAC layer, we implement the IEEE 802.11p protocol as mentioned in Section 3.3. In order to study the proposed schemes on both light and dense networks, we vary the number of nodes from 30 to 60, and apply the detection models for different numbers of nodes, with a specific percentage of the MPRs being malicious and a specific percentage of the other nodes being monitoring nodes, which implies that all nodes are monitoring the MPRs in their transmission range. It should be noted that these monitoring nodes were chosen randomly.

Table 1. Simulation scenario.

| Parameter | Value |
|---|---|
| Mobility model | Freeway |
| Environment topology | Highway |
| Area | 1000 × 100 m² |
| Number of nodes | 30–60 |
| Speed range | 80–120 km/h |
| Transmission range | 300 m |
| MAC Layer Protocol | IEEE 802.11p |
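Algorithm 4 from Section 3.5 (Part A collision filtering, Part B watchdog re-weighting, Eq. (16)) run on a constructed scenario, as an added Python example that is not the authors' MATLAB code. The (watchdog, suspect) report shape, reading MAC_s = 0 as a watchdog with listening problems, counting only true detections in no_d, and all node names are assumptions.

```python
# Added illustration of Algorithm 4 (network + MAC cross layering); data is constructed.

def mac_filter(wd_reports, mac_collisions):
    """Part A: drop reports whose suspect MAC monitors saw collide.
    wd_reports is a list of (watchdog, suspect) pairs (assumed report shape)."""
    return [(wd, s) for wd, s in wd_reports if s not in mac_collisions]


def reweight(watchdogs, mac_status, neighbors):
    """Part B: keep a watchdog only if every neighbouring MAC monitor rates it 1.

    mac_status: {mac_monitor: {watchdog: 0 or 1}}; 0 is assumed to mean the
    watchdog had problems while listening. Unlisted watchdogs default to 1.
    """
    kept = []
    for wd in watchdogs:
        weight = 1
        for mac, status in mac_status.items():
            if (wd, mac) in neighbors:
                weight *= status.get(wd, 1)
        if weight:
            kept.append(wd)
    return kept


def detection_rate(reports, watchdogs, malicious):
    """Eq. (16): no_d / (new_weight * no_malicious), counting true detections."""
    if not watchdogs or not malicious:
        return 0.0
    hits = {(wd, s) for wd, s in reports if wd in watchdogs and s in malicious}
    return len(hits) / (len(watchdogs) * len(malicious))


def false_alarms(reports, watchdogs, malicious):
    """Legitimate nodes still reported as attackers by the given watchdogs."""
    return {s for wd, s in reports if wd in watchdogs and s not in malicious}


# Constructed scenario: two blackhole MPRs, three watchdogs, two MAC monitors.
MALICIOUS = {"mpr2", "mpr5"}
WATCHDOGS = ["w1", "w2", "w3"]
WD_REPORTS = [
    ("w1", "mpr2"), ("w1", "mpr5"), ("w2", "mpr2"), ("w2", "mpr5"),
    ("w2", "mpr7"), ("w3", "mpr7"),  # mpr7 is legitimate; its loss was a collision
    ("w3", "mpr9"),                  # w3 misheard traffic and blames legitimate mpr9
]
MAC_COLLISIONS = {"mpr7"}
NEIGHBORS = {("w1", "m1"), ("w2", "m1"), ("w3", "m2")}
MAC_STATUS = {"m1": {}, "m2": {"w3": 0}}


def run():
    """Return (detection rate, false alarms) before and after MAC cross layering."""
    before = (detection_rate(WD_REPORTS, WATCHDOGS, MALICIOUS),
              false_alarms(WD_REPORTS, WATCHDOGS, MALICIOUS))
    filtered = mac_filter(WD_REPORTS, MAC_COLLISIONS)
    kept = reweight(WATCHDOGS, MAC_STATUS, NEIGHBORS)
    after = (detection_rate(filtered, kept, MALICIOUS),
             false_alarms(filtered, kept, MALICIOUS))
    return before, after


if __name__ == "__main__":
    print(run())
```

A suspect listed in MAC_COLLISIONS is cleared for every watchdog, so the outcome is only as reliable as the MAC monitors, which the paper assumes to be trusted.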
4.2. Simulation results

In this section, we compare the different proposed cross layer detection schemes in terms of detection rate and false alarm rate. Firstly, the probability of detection is calculated by dividing the number of true detections by the number of attacks. Fig. 3 demonstrates that our approach, regardless of the cross layering combination, significantly increases the detection rate as the number of nodes increases. This is because the network becomes more dense, and thus the nodes become closer to each other and connected by more MPRs. Moreover, the increase in the number of nodes increases the number of watchdogs and the monitoring nodes in all layers, and hence increases the detection rate. In fact, for a network with 50 nodes, using network and MAC cross layering, as in [19], increases the probability of detection up to 20%, and aggregating the physical detection with the network detection would give a boost of 25%, which is greater than the previous result. This is justified by the fact that MAC layer detection is an add-on technique that may enhance the existing detection by eliminating the monitors that have problems from voting, and not by detecting new attacks as the signature key monitoring at the physical layer would. Most importantly, combining all the monitoring layers together improves the detection rate up to around 30%.

Fig. 3. Detection rate versus the number of nodes for three different cross layer designs, with 25% of the MPRs attackers and 10% monitoring nodes.

In Fig. 4, it is shown that our proposed IDS incrementally minimizes the false alarm rate, which is defined as the percentage of normal nodes detected as attackers due to collisions (falsely reported) [26]. For instance, when the number of nodes is 50, adding the MAC and physical layers of detection to the network layer minimizes the false positive rate by about 5% and 4%. Overall, the false alarm rate is minimized by 12%. Perhaps the most interesting result is that the false alarm rate remains constant when adding more nodes.

Fig. 4. False alarm rate versus the number of nodes for three different cross-layer designs, with 25% of the MPRs attackers and 10% monitoring nodes.

Simulations presented in Figs. 5 and 6 were conducted to illustrate the impact of the percentage of watchdogs on the detection percentage and false alarm rate respectively, for a proportion of 10, 30, 50, 70 and 90% monitoring nodes. The nodes were chosen randomly and they are assumed to be trusted. It is clearly shown that a low number of monitoring nodes results in lower detection probability, which is trivial since the monitoring is an energy consuming process.

Fig. 5. Detection percentage versus the percentage of watchdogs for three different cross-layer designs, with 25% of MPRs attackers and network size of 30 nodes.

Fig. 6. False alarm rate versus the percentage of watchdogs for three different cross-layer designs, with 75% of MPRs attackers and network size of 30 nodes.

Different percentages of attackers affect the detection results significantly, and this is shown in Table 2, where the variation in the detection percentage and false alarm rate is noticed when cross layering is applied for different numbers of attackers. It should be noted that the detection percentage is simulated along with the corresponding false alarm rate for the blackhole attack. The simulations are performed for 25%, 50% and 75% malicious MPR nodes, and 90% of the other nodes being watchdogs.

Table 2. Detection rate (30 nodes, 90% monitoring nodes).

| Scheme | Metric | 25% attackers | 50% attackers | 75% attackers |
|---|---|---|---|---|
| Net + MAC | det% | 87.166 | 38.88 | 26.69 |
| Net + MAC | False alarm rate | 28.124 | 29.1655 | 32.805 |
| Phy + Net | det% | 94.56 | 54.167 | 29.167 |
| Phy + Net | False alarm rate | 18 | 25 | 27.08 |
| Phy + MAC + Net | det% | 97.345 | 65 | 31.25 |
| Phy + MAC + Net | False alarm rate | 10.8 | 11.75 | 12.5 |

Given that 25% of the MPRs are attackers, we can see that the overall cross layer design is more efficient than the two-layer approaches. In fact, 97.345% of the malicious MPR nodes were detected using the cooperative cross layer detection model, whereas around 94.56% and 87.166% of the attackers were detected when adopting the physical-with-network and network-with-MAC designs respectively. It is noteworthy that the physical-with-network cross layer approach yields better results than the latter combination. Due to the nature of the detection criteria and the density of the network, a detection rate higher than 97.345% could not be achieved [27]. Increasing the attackers' percentage to 50% makes the detection rate decrease to 54.167% and 38.88% for the two cross layer approaches, and 65% for the overall IDS design.

In summary, based on the simulations, we showed that malicious nodes have a bad effect on the network connectivity. Thus, we need a robust intrusion detection system that will enhance the watchdog detection technique. The proposed detection model, based on unifying the cooperative watchdog technique with the cross layer design, yields better results when compared to our previous work [19], which only adopts the network and MAC cross layering. Utilizing the three layers together shows promising results regarding the detection percentage and false alarm rate of malicious nodes.

5. Conclusion

In this paper, we showed that the presence of malicious nodes has a considerable negative impact on the network connectivity. The detection capabilities of the routing level alone are not sufficient. This demonstrated the importance of launching a cooperative cross layer design which leverages the boundaries between the nodes and layers. Based on this, we have proposed a novel cooperative cross layer IDS that enhances the detection of the watchdogs. Assigning a signature key for each legitimate user at the physical layer, along with utilizing the watchdog monitoring technique at the routing layer, enhanced the overall detection of the system. Additionally, since cooperative watchdog detection considers any legitimate collision to be malicious, the false positive rate was further minimized by distinguishing between collisions and attacks in the MAC layer. We have demonstrated and corroborated, by means of simulations, the importance and impact of the proposed technique. The proposed IDS model was able to increase the detection probability by about 82% and 97% for non-dense and dense networks, respectively. Further, it minimized the false positive rate by about 12% and 5% for dense and non-dense networks respectively. As future work, we are planning to consider the Application and MAC layers related attacks, namely the broadcast transmissions attack. Moreover, to improve our framework we can adapt the solution proposed in [21], where each monitoring node has a reputation based on its performance.

References
[1] C. Harsch, A. Festag, P. Papadimitratos, Secure position-based routing for VANETs, in: 2007 IEEE 66th Vehicular Technology Conference, 2007, VTC-2007 Fall, IEEE, 2007, pp. 26–30.
[2] F. Li, Y. Wang, Routing in vehicular ad hoc networks: a survey, IEEE Veh. Technol. Mag. 2 (2) (2007) 12–22, http://dx.doi.org/10.1109/MVT.2007.912927.
[3] G. Karagiannis, O. Altintas, E. Ekici, G. Heijenk, B. Jarupan, K. Lin, T. Weil, Vehicular networking: a survey and tutorial on requirements, architectures, challenges, standards and solutions, IEEE Commun. Surv. Tutor. 13 (4) (2011) 584–616.
[4] M. Raya, A. Aziz, J.-P. Hubaux, Efficient secure aggregation in VANETs, in: Proceedings of the 3rd International Workshop on Vehicular Ad Hoc Networks, ACM, 2006, pp. 67–75.
[5] O.A. Wahab, H. Otrok, A. Mourad, VANET QoS-OLSR: QoS-based clustering protocol for vehicular ad hoc networks, Comput. Commun. 36 (13) (2013) 1422–1435.
[6] T. Clausen, P. Jacquet, Optimized link state routing protocol (OLSR), RFC3626, https://www.rfc-editor.org/info/rfc3626, Oct. 2003.
[7] M. Al-Shurman, S.-M. Yoo, S. Park, Black hole attack in mobile ad hoc networks, in: Proceedings of the 42nd Annual Southeast Regional Conference, ACM, 2004, pp. 96–97.
[8] S. Ramaswamy, H. Fu, M. Sreekantaradhya, J. Dixon, K.E. Nygard, Prevention of cooperative black hole attack in wireless ad hoc networks, in: International Conference on Wireless Networks, vol. 2003, 2003.
[9] K. Liu, J. Deng, P.K. Varshney, K. Balakrishnan, An acknowledgment-based approach for the detection of routing misbehavior in manets, IEEE Trans. Mob. Comput. 6 (5) (2007) 536–550.
[10] C. Basile, Z. Kalbarczyk, R.K. Iyer, Inner-circle consistency for wireless ad hoc networks, IEEE Trans. Mob. Comput. 6 (1) (2007) 39–55.
[11] S. Marti, T.J. Giuli, K. Lai, M. Baker, et al., Mitigating routing misbehavior in mobile ad hoc networks, in: International Conference on Mobile Computing and Networking: Proceedings of the 6th Annual International Conference on Mobile Computing and Networking, vol. 6, 2000, pp. 255–265.
[12] S. Buchegger, J.-Y. Le Boudec, Performance analysis of the confidant protocol, in: Proceedings of the 3rd ACM International Symposium on Mobile Ad Hoc Networking & Computing, ACM, 2002, pp. 226–236.
[13] T. Leinmüller, A. Held, G. Schäfer, A. Wolisz, Intrusion detection in VANETs, in: Proceedings of 12th IEEE International Conference on Network Protocols (ICNP 2004) Student Poster Session, Citeseer, 2004.
[14] S. Biswas, J. Misic, A cross-layer approach to privacy-preserving authentication in wave-enabled VANETs, IEEE Trans. Veh. Technol. 62 (5) (2013) 2182–2192.
[15] S. Bose, A. Kannan, Detecting denial of service attacks using cross layer based intrusion detection system in wireless ad hoc networks, in: International Conference on Signal Processing, Communications and Networking, ICSCN'08, 2008, IEEE, 2008, pp. 182–188.
[16] B. Jarupan, E. Ekici, A survey of cross-layer design for VANETs, Ad Hoc Netw. 9 (5) (2011) 966–983.
[17] O.A. Wahab, H. Otrok, A. Mourad, A cooperative watchdog model based on Dempster–Shafer for detecting misbehaving vehicles, Comput. Commun. 41 (2014) 43–54, http://dx.doi.org/10.1016/j.comcom.2013.12.005, http://www.sciencedirect.com/science/article/pii/S0140366413002892.
[18] J. Hortelano, J.-C. Cano, C.T. Calafate, P. Manzoni, Watchdog intrusion detection systems: are they feasible in manets, XXI Jornadas de Paralelismo (CEDI2010).
[19] R. Baiad, H. Otrok, S. Muhaidat, J. Bentahar, Cooperative cross layer detection for blackhole attack in VANET-OLSR, in: 2014 10th International Proceeding Wireless Communications and Mobile Computing Conference, IWCMC, IEEE, 2014.
[20] K. Xu, M. Gerla, S. Bae, How effective is the IEEE 802.11 RTS/CTS handshake in ad hoc networks, in: Global Telecommunications Conference, vol. 1, GLOBECOM'02, IEEE, 2002, pp. 72–76.
[21] H. Sanadiki, H. Otrok, A. Mourad, J.-M. Robert, Detecting attacks in QoS-OLSR protocol, in: 2013 9th International IWCMC, Wireless Communications and Mobile Computing Conference, IEEE, 2013, pp. 1126–1131.
[22] A. Gilat, MATLAB: An Introduction with Applications, John Wiley & Sons, 2009.
[23] S.M. Mousavi, H.R. Rabiee, M. Moshref, A. Dabirmoghaddam, Mobisim: a framework for simulation of mobility models in mobile ad-hoc networks, in: Third IEEE International Conference on Wireless and Mobile Computing, Networking and Communications 2007, WiMOB 2007, IEEE, 2007, p. 82.
[24] I.-H. Ho, K.K. Leung, J.W. Polak, Connectivity dynamics for vehicular ad-hoc networks in signalized road systems, in: Teletraffic Congress, IEEE, 2009, pp. 1–8.
[25] A. Hamieh, J. Ben-Othman, L. Mokdad, Detection of radio interference attacks in VANET, in: Global Telecommunications Conference 2009, GLOBECOM 2009, IEEE, IEEE, 2009, pp. 1–5.
[26] Y. Zhang, W. Lee, Intrusion detection in wireless ad-hoc networks, in: Proceedings of the 6th Annual International Conference on Mobile Computing and Networking, ACM, 2000, pp. 275–283.
[27] Y. Snoussi, J. Robert, H. Otrok, Novel detection mechanisms for malicious attacks targeting the cluster-based OLSR protocol, in: 2011 IEEE 7th International Conference on Wireless and Mobile Computing, Networking and Communications, WiMob, IEEE, 2011, pp. 135–140.