For understanding the Sybil attacks in Mobile Ad-hoc network (MANETs), first we have to understand MANET deeply. When many nodes are collected together and form an independent network such a network is known as MANET. Wireless Links are used by nodes for getting communicated with each other. Mobile ad-hoc network produces a distributed system that may be complex and in this the mobile nodes may self-distributed and designed dynamically into network topologies and topologies will be temporary. When there is no existing infrastructure for the communication for example disaster recovery environments, then the complex distributed system represented by MANET grants the permission for people & devices to internetwork in that areas where no preexisting infrastructure for communication exists. The main characteristics of MANET are
1. Dynamic topology
2. Resource Constraint device
3. Posing a number of non-trivial challenges for light weight security protocol design.
A mobile ad-hoc network is an ad-hoc network but an ad-hoc network is not necessarily a mobile ad-hoc network. MANET now-a-days is an emerging realm in the communication era and is a center point of research for various researchers. A MANET is an infrastructure less network whereas a traditional network uses an infrastructure. Disadvantages of MANET are lack of centralized identity management and the requirement of unique, different and persistent per node for security protocols. In MANET every node performs the task of being source or destination node as well as a router. All the nodes are mobile as well as resource constraint. The incoming packet must be forward from the source node to destination after the enabling of routing.
If the information contained in the packet is not accurate, then the discovery of path from source to destination will not be clear. The packet which is consisted of information must be consisted of accurate information in order to discover a path from source to destination.
There are different routing algorithms, which one algorithm should be use this is depending upon the size of network. An efficient routing algorithm is an algorithm that is designed for the limited resource in MANET and at the same time changing network conditions like topology, traffic and number of nodes should be able to adapt this. Designing of such an algorithm is very difficult because of limited resources in MANET.
Fig. 1.1 Mobile ad hoc network
1.3 SECURITY MANAGEMENTIN MANETs
In a MANET, the nodes forward packets and also perform some other networking functions such as routing in a self organizing manner. Security includes a group of investments that are adequately funded. Due to these reasons, making a mobile ad-hoc network secured is a difficult and challenging task. These are some pillars on which we can identify the security of a MANET.
Accessibility of assets: This ensures that the assets are available to all the authenticated groups and parties at required and desired time. Accessibility is also imposed for the data and the service.
1.3.1 Accessing Power
It can also be called confidentiality and it ensures that the accessing power must be given to authorize person and party. For managing the privacy of a MANET, we have to keep track on unauthorized parties.
1.3.2 Modification of Assets
This is also called integrity. Integrity is meant by editing, changing, modifying the assets but only by authentic persons. Modification contains creation, deletion, changing status. Integrity assures that the massage sent cannot be corrupted.
We can ensure the authenticity because only honest node can present a message that will be decrypted by shared key. In this, a node is able for the identification of a peer node that is communicating with it. This also ensures that the communicating participants are authorized.
1.3.4 Identification and Privacy of Owner
This can be defined in one word anonymity. This describes that information should be used for the identification of a current user and owner. Also they should be by default private and not distributed by node itself.
1.3.5 Accessing Rights
This property is about to provide the accessing rights to users. These are provided by administrators. Admin selects the users and gives the accessing rights. Only authorize parties can access the assets.
If we talk about secured ad hoc networks, this can be classified into three broad groups, each of which can be susceptible to the Sybil attack.
1.4.1 PKI Based Protocol
Secure routing is an important field nowadays which has achieved a tremendous amount of attention of different researcher. There are different variations of protocol has been presented to militate the routing attacks. These protocols use different approaches. Some uses central authority, some uses other type of mechanism for providing the cryptographic keys in the routing. These cryptographic materials are provided either during deployment or prior. Systems with central authority are not completely flexible. When a central authority system is used, then the merit of ad-hoc network degrades. Whenever nodes are connected without pre-distributing keys, thus the chances of Sybil attacks are increased.
1.4.2 Threshold Based Protocol
To avoid the untenable requirement of a PKI, the protocol use threshold cryptography. In this approach the cryptographic keys are distributed by trusted nodes after the agreement of new members on the trustworthiness of that group. If a Sybil attacker creates Sybil node to overcome the threshold requirement it can effectively control the routing of network
1.4.3 Reputation Scheme
There are also some other security mechanism for an ad-hoc network. These are the protocols used for determining and maintaining reputation information for the identities in the group. Each node creates trustworthiness in the other nodes and describes the accuracy and correctness of route. The Sybil attack overtakes these protocols because a node can use multiple nodes for vouching illegally or support an identity that will gain a bad reputation.
1.5 KINDESOF MANETs
‘ Vehicular Ad hoc Networks (VANETs) are used for getting communicated among vehicles and between vehicles and roadside equipment. Intelligent vehicular ad hoc networks are a type of artificial intelligence that helps vehicles to behave in intelligent manners during vehicle-to-vehicle collisions, accidents, drunken driving etc.
‘ Internet based mobile ad hoc networks (I-MANETs) are ad hoc networks that establishes a connection among mobile nodes and fixed Internet-gateway nodes. For example, multiple sub-MANETs may be connected by in a classic Hub-Spoke VPN to create a geographically distributed MANET. In such type of networks normal ad-hoc routing algorithms don’t apply directly.
‘ Tactical MANETs are used by military units with emphasis on security, range and integration with existing systems. Common waveforms include the US Army’s SRW, Harris’s ANW2 and HNW, Persistent Systems’ Wave Relay, and Trellis ware’s TSM.
1.6 APPLICATIONS OF MANETs
Nowadays ubiquitous computing is widely used in communication network. That is a well-known commercial example of MANETs. In this, computers as well as data networks are used. Computers and other devices are used in simply forwarding the data from source to destination, whereas data network are involved for accessing the installed infrastructure. Actually there is a requirement of a network that must be widely available and easy to use.
Fig 1.2 MANET consisted of different entities
Another application of sensor MANET is sensor network Sensor network is a network consisted of huge number of small sensors. This is used in the detection of different demerits of an area like toxins, pollutions, temperature, pressure etc. The qualities and abilities of every sensor are very short and limited. Each sensor is depending on its neighbor sensor and other sensors, for forwarding the date packets. Individual sensors are constrained in their computing capability and are prone to failure & loss MANET sensor network can be a key for future security.
1.8 MANET SUSPECTIBILITY
1.8.1 No Centralized Server
This is very difficult to keep track in dynamic and large scale ad-hoc network. MANET does not have centralized server for monitoring. When centralized monitor server is not present then the detection and prevention of attacks is very tough. Lack of centralized management will impede trust management for nodes.
1.8.2 Resource Availability
Making a communication safe, secure and protected in changing environment from specific type of threats and attacks is a major issue in MANETs. This problem meets with the requirement of designing of different security approaches, mechanism and architectures. Collaborative ad-hoc environment also allow implementation of self-organized security mechanism.
1.8.3 Mobility of Nodes
The nodes are mobile. Because of the mobility of nodes the ad-hoc network scale gets changes time to time. So the scalability is a big trouble in the security. Security approach must be able to take care of both small and large network.
Actually most of the routing algorithm believes that identities in MANET are coordinating, co-operative and not malicious. Using this concept a Sybil attacker presents itself a good routing agent and destroys network functions and also tries to disrupt the network
1.8.5 Dynamic Topology
The mixture of dynamic topology and identities that are getting changed can be reason for removing the trust and faith relationship among identities. If there are found some nodes compromised, then the trust can be removed partially. This dynamicity can also be more secured with distributed and adaptive security approach.
1.8.6 Lack of Power Supply
Limited power supply is a reason that can create several issues. The selfishness of a node is also in one of them. In a MANET, a node can be a selfish node if it gets limited power supply. Nodes that have limited power supply may harm at a huge level.
1.8.7 Low Capacity Links
Variable low capacity links exists as compared to wireless network which are more susceptible to external noise, interference and signal attenuation effects.
1.8.8 Opposition inside Network
In a MANET, the nodes are free to leave and connect in the network. In this condition some nodes can work like malicious nodes. This type of attack becomes more harmful, dangerous and tough attack as compared to external attack. In an external attack, this is easy to check behaviour of a node. But against it in internal network this is difficult to detect the behavior of a node that is malicious. These nodes are known as compromised nodes.
1.8.9 No Concept of Predefined Boundary
In a MANET, no physical boundaries are defined of a network. The identities perform their task in a nomadic atmosphere where they can easily connect and disconnect the wireless network. As soon as the adversary in the radio ranges of a node it will be able to communicate with that node. The attacks include Denial of Service, reply, tempering, eves dropping impersonation.
2.1 CLASSIFICATION OF ATTACKS
The mobile infrastructure is challenged in MANET. The identities are encouraged to connect and disconnect easily.
Attack classification on the basis of layers
1. Physical Layer – Interference, eves dropping, traffic handling
2. Data link/MAC- Active & Passive attack, internal& external attack,
malicious and selfish behavior
3. Network Layer – Black, grey and worm hole attack, Link spoofing and Links
Withholding, flooding, location discourse, Sybil
4. Transport – Malicious code, Repudiation
5. Application – Session hijacking, flooding
There are some drawbacks of participating nodes in the network like limited power of battery & bandwidth, high error rates, change in topology regularly and the mobility in the behavior of nodes. Actually these drawbacks are responsible for the creation of complexities in the nodes. Those complexities may impact so, there is need to prepare a routing protocol. Also there are some complexities included in this type of network and in the designing of routing protocol. For producing the sufficient and efficient functionality for the MANET, this is required to modify the designed protocol. Designed protocols are classified into three categories-
Proactive protocols are also called table driven protocols in which each node maintains the routing information of other nodes in the network, through regular exchange of network topology packets
In reactive routing protocols, the packets are flooded into network to discover the routes, on demand
Hybrid protocols are the combination of both proactive and reactive protocols.
Fig 2.1 Classification of routing protocols in MANET
Moreover this network is distributed in nature. So if we apply centralized mechanism, this must be very difficult to impose completely. MANET is very strange in terms of opportunities and challenges. If MANET is in distributed mode then sometimes provides some opportunities but there are several drawbacks of being distributed like poor security, less confidentiality, integrity, availability, access and authentication etc.
Fig 2.2 Classification of attacks over routing
2.2 CO-OPERATIVE ATTACKS
i- Passive Vs. active (On the basis of behavior of attack)
ii- Internal Vs. External (On the basis of source of attack)
iii- Wired Vs Mobile (On the basis of processing capacity)
iv- Single Vs. Multiple (On the basis of number of attack)
2.2.1 Passive vs. Active Attack
There can be different kind of passive attack. Common types of existing attacks are
2. Traffic Jamming
If we talk about the passive attack this attack targets to steal the important data either in overall communication network or from at least two nodes that are communicating whereas the active attacks performs the work of modifying the original information. Examples of active attack include modification in any massage. Passive attacks are practically considered as illegitimate function. Passive attacked can also be considered as legitimate action. Actually the mode of operation to be legitimate or illegitimate is depending on situation. For example If an admin wishes to test the network for two reasons
1. Is it working in its proper way than is any problem of any type or not?
2. Is there any traffic jamming or not?
So when passive attack is performed for a kind purpose then it is said to be legitimate action. If an attacker tries to steal some confidential information then the passive attack is declared as illegitimate attack.
Fig 2.3 Comparison of passive and active attacks
2.2.2 Internal Vs External Attack
Fig 2.4 Compare of Internal and External attacks
Both attacks perform the function as their names imply. Internal attack is an attack which is done by an attacker inside the network whereas external attack is an attack that is performed by an attacker who stays outside physically of network. External attacker makes a network congested, disturbed traffic, deny access for special functions and also sometimes disrupts the overall network. The internal attack can also do the same. The difference between internal and external attack is only the location of attacker. Both attackers harm the same to a network. Sometimes this is very difficult to capture an internal attacker because we mostly focus on attack from outside of a network i.e. external attack. We provide tight security mechanism for an external attacker, and we don’t like to put more emphasize on internal attacker. Internal attackers can’t be easily traced while external attacker can be found easily.
Fig. 2.5 Internal attack with the help of misbehaving node
In the above figure the external node tries to attack in the network. The external node hijacks an internal node in the network involved for transmission. After hijacking the internal node, the external node makes this internal node as a mediator node. In this way the external attack begins as an internal attack. The node that has been converted into the mediator node will either be compromised node or misbehaving node which is authorize to access the system resources but fail to use them according to way it should be used. Attacks done by internal node is very difficult in terms of detection, because mediator nodes establish the connection with other nodes and other nodes try to accomplish the communication with other nodes. In this, mostly nodes are the victim of internal attack. Internal attack detection can’t be easy, because the external node is not working as an attacker, but instead the attacking task is done by internal node. Internal node detection is so hard.
2.3 HOMOGENEOUS ATTACK
A homogenous attack can also be defined as first level of attack. This is either a black hole or wormhole attack, also contains two or more than two nodes that are processing with the help of either wired or wireless network
2.3.1 Direct Homogeneous Attack
An attack can be said a direct homogeneous attack under following conditions
1. When external node makes a mediator node in the network of internal nodes
2. When a malicious node joins the network
3. Attacker Nodes existing in original network
Black hole and wormhole attack are in this category. In a black hole attack more than two malicious nodes try to disturb the whole network or sometimes disrupt the overall network. Three nodes are named as
1. Source node
2. Black hole node
3. Destination node
Actually all three nodes produce themselves as shortest distance to the destination node.
Fig. 2.6 Direct Homogeneous Attacks including two sybil nodes
Node 1 wants to send data packets to Node 6; it will first broadcast the RREQ (Route Request) to the neighbouring nodes. Node 3 and 5 are black hole nodes and then also received RREQ from source node. These malicious nodes will immediately send out the RREP (Route Reply) to claim that it is the shortest path to destination node 5. The RREP from 3 and 5 will reach the source node before other nodes, thus the source node 1 start transmitting data packets. On the receipt of data packets, 3 can either simply drop them or forward them to 5, and then 5 may simply drop or forward the data packets. Finally, little or no data packet can reach the intended destination node 6.
Fig. 2.7 A Wormhole attack with two colluding malicious nodes
The second attack belonging to this category is the wormhole attack; there always exists two colluding malicious nodes, since they can tunnel data packets back and forth even packets not addressed to them without being known by other nodes. Thus, the wormhole attack involves at least two physical nodes. In Figure, two malicious colluding nodes M1 and M2 can tunnel data packets to each other to analyze and tamper the network by using either a wired link or a long-range wireless medium
Wormhole attack uses two colluding malicious node that always already exists. The existing nodes can transmit the data backward as well as forward. The packet consisted of these data is not known by other nodes. At least two nodes are aware of this data packet. Sometimes other than two nodes some other nodes can also be aware about this transmission and sometimes may not involve in the forwarding of packet. Thus wormhole attack uses two physical nodes.
2.3.2 Indirect Homogeneous Attacks
For the creation of fake nodes and other nodes those will perform like bad activities there are used different nonexistent nodes. The nonexistent nodes are also used for redirecting the date packets to malicious nodes. This type of attack is called indirect collaborative attack. In this the nodes that are used in the attack, are not the existing nodes, but the attacker nodes are created as per requirement. The attacker nodes are designed along the line of their attack. Two main attacks that fall in indirect collaborative category are
1. Sybil attack
2. Routing table overflow
2.3.3 Sybil Attack
In this a malicious node can create any number of nodes that belong to it. In the creation of arbitrary number of additional nodes, the malicious node will use only one physical node. This physical node can be either a legitimate node or a node that is already compromised.
2.3.4 Routing Table Overflow
In this attack the malicious node is involved in generation of possible routes to nonexistent nodes. Its target is to block new routes from being produced.
2.4 MULTIPLE NODE ATTACK
2.4.1 Black Hole Attack
An attack is said to be black hole attack when a malicious node tries to impersonate the destination or to make a forgery with route reply message that has been sent to the source node with this into that there is no effective route to the destination. The packets that are received in the network can be ignored by malicious node. Malicious node usually creates undesired traffic. When this malicious node that is involved in illegal activities, creates its impact on one or more nodes and makes them malicious then this node is called black hole node and the attack is referred as black hole attack. This is also called multiple node attack or collaborative attack.
Fig. 2.8 Black hole attack using a single node
The malicious node declares itself a node having shortest path to the node that it is impersonating, making it easier to intercept the message. The malicious node tries almost for getting a reply by its nearby nodes for finding a secure route. This route is presented as valid, safe and genuine route to the source node.
2.4.2. Wormhole Attack
This is an attack in which two choke points are generated by the attacker. These two choke are jointly created in the network. These are also involved in the analysis of traffic in nodes. Wormhole attack uses a tunnel which notifies the traffic data and packet at any one place in the network and transffers that traffic data to another place from recorded place. In this attack, the attacker is hidden in the higher layers of network and this attack is usually found in ad-hoc routing protocols. Now the wormhole node and other nodes which are involved in the attack are invisible in MANET. Variations of wormhole attack are
1. In band worm hole
2. out of band worm hole.
184.108.40.206 InBond Wormhole Attack
This category of wormhole attack does not require any extra node. This usually uses the medium of existing communication in its routing. This can be dangerous as compared to method of wormhole attack builds up a secret overlay tunnel within the active wireless medium. Two kinds of in bond wormhole attack are.
i) Self-contained worm hole.
ii) Extended in band worm hole.
The self-contained wormhole attack produces a false link for the connection of attacker nodes. Whereas in the extended in band worm hole attack, there are presently a fake link between two nodes which are attackers nodes.
Fig. 2.9 In-bond Wormhole attack
220.127.116.11 Out of Bond Wormhole Attack
In this type of attack, a direct connection is established between two choke points used for the linking. This type of link is either being a wired link or a wireless link. At the one end of this link the packets are being accepted whereas on the second end the packets are being sent. This provides a room for a huge amount of data for the transmission by worm hole.
2.4.3 Routing Table Overflow Attack
This attack is a multiple node attack. This tries to send the packet consisted of confidential information to the MANET and involved in making the network disrupt. This disrupts the network by degrading the rate at which new updates are created in the routing table. This attack destroys the network using non-existent node. This attack basically tries to disrupt the network of proactive routing protocol, because proactive routing protocols update their route periodically. Updating of route after certain period make protocol insecure (vulnerable). Against it a reactive routing protocol provides a route when a route is desired to routing table overflow attack.
2.4.4 Sybil Attack
Sybil attack is an attack in which a malicious node performs the task of two or more than two nodes instead of one node. This attack is also known as multiple node attack. A series of false nodes generates the Sybil nodes in a MANET. Only one physical device may generate additional identities that are involved in the creation of Sybil nodes.
Fig. 2.10 A view of Sybil Attack
3.1 HOW NAME WAS COINED
In Christian theology the sybils was thought to have sharp knowledge, before the Christian theology, in Greek and Roman legend there was ten female prophets which are named as Sybyls. It is used to say that they participated in various sites in the world. After the Greek and Roman legends this name was used in Christian theology. After the Christian theology this name was derived to England. In England, it was spelled Sybil instead sybyl. It became famous at a high scale in 19th century. Actually this name was used as Benjamin Disraeli’s novel ‘Sybil’ in 1845.
This name was used in or before 2002 by Brian Zill at Microsoft research. It was used after the name of book Sybil which was the story of a woman with a dissociative identity disorder which is previously known as multiple personality disorder. Before the term Sybil, there was another term ‘pseudo-spoofing’ which was given by L. Detweiter was mostly used.
Multiple personality disorder currently known as dissociative identity disorder is a disorder in which the mind of a person feels two distinguish personalities that alternatively controls the behavior of a person. In this disorder, the important information is produced by ordinary forgetfulness. Dissociative identity disorder (DID) is accompanied by memory impairment for important information not explained by ordinary forgetfulness. These symptoms are not accounted by neither substances, abuses, seizures and other medical conditions nor by imaginative play in children. Diagnosis is often difficult as there is considerable co morbidity with other mental disorders. Malingering should be considered if there is possible financial or forensic gain, as well as factitious disorder if help-seeking behavior is prominent. DID is one of the most controversial psychiatric disorders with no clear consensus regarding its diagnosis or treatment. Research on effectiveness of treatment has been concerned primarily with clinical approaches and case studies. Dissociative symptoms range from common lapses in attention becoming distracted by something else, and daydreaming, to pathological dissociative disorders. No systematic, empirically-supported definition of “dissociation” exists.
Fig. 3.1 Multiple personality disorder
3.2 SYBIL ATTACK
Sybil attack was first introduced by J. R. Douceur. According to Douceur, the Sybil attack is an attack in which a single entity can control a substantial fraction of the system by presenting multiple identities
Fig. 3.2 Honest and Sybil nodes
When an identity performs the function of multiple identities or we can say that a single node presents the behavior of multiple nodes then the particular single node is considered as a Sybil node. Actually in the network there is a condition imposed that a single node can function as single behavior. When a node presents the behaviour of multiple identities, this has to be considered as Sybil or malicious node. The Sybil attack can also occur in a system that is operating without a central authority. In mobile ad-hoc network, there is a technique for the detection of Sybil identities, in this technique the sending and receiving of manages are recorded over a shared broadcast communication channel. When a node sands massages to more than one node identities. The node spoofing the identities of the nodes is called malicious node. The nodes whose identities are spoofed are called Sybil nodes.
There are some disadvantages of MANETs like topologies are changing dynamically over & over, open nature, management’s type to be simple and lack of infrastructure. These disadvantages cause different kind of attack in a MANET. One of them is Sybil attack which causes many serious threats in the network. In other words Sybil attack in network security is a type of attack in which a reputation system is subverted by forging identities in P2P network. In this type of attack, the attackers mostly use more than one Internet protocol address for the central controlling of overall network. Also a side effect is there of this attack in terms of disturb and corrupted communication among the nodes that are involved in the network. The Sybil attackers design multiple identities in place of single identities and this makes an illegal impact on the functioning of network nodes that uses open membership. Email, instant messaging, delivery system are the same examples of these type of systems.
Fig. 3.3 Representation of domination over false identities
When a secured network loses its security, then an attacker dominates on multiple identities. For example in a network the communication is based on unique identifier and unique identifier uses a unique address for communicating to its corresponding node. Also another identifier corresponds to its particular node address. There is a one to one mapping between identifier and node through its address. Hence two identities imply two distinct nodes. When any node claims two or more distinct identifier this is known as Sybil attack, in which an attacker dominates on multiple identities on a single physical storage device. In such of case, there is a need for detection of attack.
3.3 SPECIFIC TYPES OF SYBIL ATTACKS
Routing may be sometimes very important, specially the multicast routing. Sybil attack disturbs the routing protocols in ad-hoc network. Disjoint paths may be the victim of Sybil attack. Another victim may be geographical routing in which the selfish nodes will appear at more than one place at the same time. This attack can be a huge type of attack if there are involved many fake identities in ad-hoc network. Examples include denial of service attack.
3.3.2 Tempering with Voting and Reputation System
This approach is based on voting system. Where there is a voting scheme is used instead of purpose. Purpose can be to produce report, to identify the behaviors of nodes. If the behaviors of all nodes or the behavior of a particular node is different from other’s nodes, this is required to update the reputation system. The attacker’s trick for the attack will be same i.e. an attacker has to create many malicious nodes for overcoming on legitimate nodes. Also after making a removal of normal nodes, the illegal nodes design a defense system to keep themselves safe.
3.3.3 Fair Resource Allocation
In this approach the attacker is ready to observe an unfair sharing or resources at a big scale. These resources are either to be distributed or have been distributed among the nodes involved in the creation of network.
3.3.4 Distributed Storage
There may be a chance of compromise for a P2P network because of Sybil attack. The p2p network as well as sensor network may be compromised by Sybil attack. The getting of this is done by beating the fragmentation and replication process in file system. A system can be tricked into storing data in the multiple Sybil identities of same node on network.
3.3.5 Data Aggregation
Query protocols are used for in a network for the calculation of network readings instead of reading each and every sensor network. Energy can also be conserve. Sybil identities enable themselves for producing incorrect reading. Thus there will be an influence in the overall calculated aggregate.
3.4. DIMENTIONS OF SYBIL ATTACK
Fig. 3.4 Dimensions of Sybil Attack
This defines how Sybil nodes communicate with legitimate nodes. Sybil nodes perform the task of introduction in the network of normal nodes. This has two types.
18.104.22.168 Direct Communication
In this the Sybil nodes communicate directly with the legitimate nodes. Now the Sybil nodes become the neighbor of legitimates nodes. Actually this is not done in reality but this is an illusion of legitimate nodes. Now the malicious nodes perform the tasks of sending and receiving the packets.
22.214.171.124 Indirect Communication
This is the opposite of direct communication. The Sybil nodes do not communicate directly with legitimate nodes. Sybil nodes do not act for becoming the neighbor to the legitimate nodes. Malicious nodes are used for establishing a communication with between Sybil nodes and legitimate nodes. Malicious nodes work as a router to accomplish a communication between Sybil and legitimate nodes.
This describes how Sybil nodes are involved in the network of legal nodes. These nodes can be made participation in two ways. This has to types
In case of simultaneous mode, the malicious nodes create Sybil identifies simultaneously i.e. all illegal identities at once.
126.96.36.199 Non Simultaneous
In case of non-simultaneous mode, the malicious node creates Sybil identities one by one.
This dimension represents the spoofing of identities for the Sybil nodes. There are two methods by which a Sybil node can get the identity: In the first method a Sybil node can steal the identity of a legitimate node by impersonating it. The second method involves the fabrication of a fresh fake identity.
4.1 DETECTION MECHANISM FOR SYBIL ATTACK
The Sybil attacker is that who tries to make the behavior of an honest into corrupt node. Or we can say when an honest node or nodes behave like corrupted or illegal nodes this is called a Sybil attack. The Sybil attack establishes the identities of an honest node in several ways using IP address MAC address or public keys. Because the concerned resources are normally used in elaborating the multiple identifies. For example if an attacker is using single channel radio then particular identity is constrained in storage or bandwidth. In a mobile environment a single node impersonating a number of identities have an important concept that can be found out because a physical device has different identifies and identities are a part of that physical device. Independent malicious can move as they wish.
S. No. Name of approach Prize Type of Architecture Abstract
01 Lightweight Sybil Attack Detection Cheap Distributive The nodes entering in the network with speed greater than the threshold speed are detected as Sybil nodes.
02 Robust Sybil Attack Detection Cheap Distributive The nodes having the same path or pattern are detected as Sybil nodes.
03 Secure Address Allocation Cheap Distributed The Sybil attack is prevented as Unique addresses are allocated to each node in the network.
04 Received Signal Strength based cheap Distributed Plot the RSS of nodes
in order to determine and visualize the behavior of the new
legitimate nodes and the Sybil attackers
Table 4.1: Detection mechanism for Sybil Attack
For detection of a Sybil attack there are different techniques produced by different researches. Some of them are traditional techniques and some of than are advanced and modern. Traditional method protects on trusted identities provided by a certificate authority. But this approach is not more suitable for mobile ad-hoc network. The reason behind unsuitability is heavy cost of setting up and incurs overhead regarding maintaining and distributing cryptographic keys. The widely used detection mechanisms are light weight Sybil attack detection and robust Sybil attack detection. Also there are some other techniques such as secure socket address allocation, and received signal strength based analysis.
4.1.1 Lightweight Sybil Attack
In this method the RSS value of every node in recorded. RSS values of all the nodes are recorded. Also the difference is found out on the basis of RSS value. If the RSS value of newly joined node in network is low then the node is honest node otherwise it is declared as Sybil node.
Fig. 4.1: Lightweight Sybil attack detection
The decision is made that honest node can’t have speed greater than 10m/s, this is called threshold speed. Using threshold value the RSS value is found. It the RSS value of newly joined network is greater than or equal to the value of threshold, then these nodes are considered as Sybil nodes otherwise honest node.
Node ID RSS LIST
Node 1 R1 T1——————————–R2 T2———————————–Rn Tn
Table 4.2 RSS value of Neighbor nodes
How Algorithm works
1) Received RSS value is passed to addnewRSS.
2) If the address is not present in RSS state then it implies that it is a new node.
3) Now its RSS value is compared with upper bound threshold Value.
4) If RSS value is greater than threshold value then this is considered as legitimate node and address is added to the list of legitimate node.
4.1.2 Robust Sybil Attack Detection
(1) An authentication method like cryptographic techniques is used in robust Sybil attack detection. In this, packets are sent from source to destination. There are public & private keys are used for providing security. Each packet is authenticated by sender’s private key and these are duly signed by nodes which are used in traversed by it to reach the destination. At destination side these are authenticated by receiver’s public key. By using authenticator (public & private keys), this is verified that the time, location and direction of packet which is sent by sender is all correct and then it delivers to the destination.
(2) After verifying the time, location and destination, the similarity of path is checked for detection of Sybil attack. For checking the similarity of path, there is used novel location based Sybil attack detection. Nodes having the path similar to each other are detected as malicious nodes and called as Sybil attack. Overlapping components plays a vital role. With the help of them it is known that how much components are over lapped.
How Algorithm works
1. Every node path is prepared by observation table.
2. Prepared path is matched with existing cluster.
3. If prepared path is also same as existing cluster then create a new node.
4. Add this to the existing cluster and also checking of every node pattern is done.
5. Pattern of node is exactly same as existing node.
6. On the basis of above point the nodes are declared as legitimate and malicious.
Fig. 4.2 Robust Sybil attack detection
4.1.3 Prophet Address Allocation
For assigning the unique IP address to the nodes, prophet address allocation uses partition function which is also called state function and is associated with begin state or seed. These seeds are concerned with the generating many sequences of integers. These sequences have following features–
1. In the repeating sequence, there must be huge gap.
2. The occurrences of same number again in a sequence should be very low.
There may be a chance that there can be the occurrences of same IP addresses. For removing this problem, an integer calculation is considered. Using this, the address is allocated or the addresses are to be allocated.
If we talk about the disadvantages of prophet address allocation is that in the network the seed value will be constant. When a malicious node wishes for knowing the seed value to convert a new node, then this causes different attack. In one of them is Sybil attack.
188.8.131.52Secure Prophet Address Allocation
It is an advance version of prophet address allocation. In this, the acknowledgement consists of four variables.
A) Authentication of Seed Value
The value which is generated by initial node in the network is called seed value. The authentication of seed does not belong to malicious node. So, the unique address in the network is depending on uniqueness of exponential array. During the authentication of address allocation, the seed value is constant. When a new node takes place in network then the authentication process is done by exponential array.
In the prophet address allocation, updating is performed only in the states when the address is allocated. If we talk about secure prophet address allocation. When the address is allocated then updates are flooded in whole network.
C) Exponential Array
The new node is inherited the parameter by its ancestors for conducting and calculating its own address.
D) Priority Variable
The greater number shows that new state of the node. The new node selects priority number variable having high state which is added to some arbitrary value for finding the address. As the address occurs then it use to flood the acknowledgement about priority variable in overall network. The addresses are computed and calculated. In this, the address of each & every node is unique. No two nodes address will be same, so this method is used for protecting system against Sybil attack.
4.1.4 RSSI Based Analysis
For setting up the detection threshold, there is a need to know the speed of network. Also we have to keep this concept in mind that any node never move fast as compared to maximum speed. If RSS is greater than newcomer’s threshold is implied an abnormal entry for its neighborhood, so the threshold will create difference. There is requirement for generating the limit of speed that we have to use as upper bound to detect the threshold from following fig.
Fig. 4.3 Sybil attack detection based received signal strength
For getting the actual value of speed limit, the radio ranges of a node is divided into two groups named as white Zone and Gray Zone. The basis for division is taken as speed oriented detection threshold. Wider gray zones will be present with higher speed threshold. If several speed oriented thresholds are grouped together, it is not possible to detect whitewashing in this area, because in the gray zone the first presence will give us a normal entry in the radio range of a node.
We have to select 10m/s, the speed limit of an upper bound. Because practically, the nodes in the ad-hoc network also including vehicular ad-hoc network in urban or congested area can’t move faster than (36km/h) 10m/s. So this is found out that the sufficient speed limit will be 10m/s.
By the conclusion drawn on the basis of figure it is conducted that larger speed threshold can’t work better as compared to smaller speed threshold. Smaller speed threshold is quite sufficient because of their high positive. The detection will be sometimes easy by using smaller speed threshold. So, any new node can be work as whitewashing, it can be said a Sybil node.
For example if speed is 2m/s, the reason behind the improvement of threshold detection that is based on speed will give us narrow gray zone. But sometimes there may be problem, that a good node can also be detected as Sybil node if it appears in the white zone of a node.
We can easily understand this concept with help of an example. Suppose we have two nodes a source node A and a destination C. Source node A is not aware of its destination node C. Also the destination node C in not receiving any bus consisted of traffic from node A. The reason behind no communication between node A & node C may be any like broken connection or low connection. Actually here reason does not mater, but this is pointed out that node A & node C are not communicating due to any reason of being broken connection. But if we want to make aware of node A to node C, then there are two options either to establish a new connection or to reestablish the previous connection. If we consider that the connection has been re-established between node A & node C, then node C is detected as a white washer node with false positive. Now the question arises, how to remove the false positive. Actually the basic reason behind the false positives is that nodes are not communicating to each other, they are not aware of each other. So this is required that each node should register its presence in the network. For continuously presenting it to a node there must be either scheduled transition or periodically transmitting of massaging. But regular massaging will create a new issue in term of overhead i.e. substantial communication overhead. This problem can be overcome by keeping track on data and control frames. In the network each data and transmitted control frames must be checked by each node. In an ad-hoc network when a node is working like a forwarder of massage, then it can transmit any number of data to/from other nodes, no matter it is connected or not. Such false positives can be easily removed by listening the control frames transmitted and data sent.
Two nodes can be easily distinguished. Suppose node A is a source node and node C is a destination nodes, also there is a node B neighbor node of node A. This is captured by an attacker and node is working as an identity of Sybil attack. The attacker is pretending that node B is new node and wishes to join the network as a new node. How a Sybil attacker attacks? Actually this is based on RSS value. The RSS value determines that a node is either in white zone or in gray zone. If a node has the value greater than threshold then the node is in white zone and that particular node is created by attacker and said to be malicious mode or a Sybil node. Now consider second case, if RSS value is than less threshold value then the particular node is not in white zone, but it is situated in gray zone. If a node has its first RSS value less than threshold then this cleared that particular node is in gray zone. If a node is in gray zone then there is no chance of that node to be a Sybil node. So this can be added in the network of legitimate node. Actually RSS value is very important and plays a vital node in detection of a node as Sybil node. A node has malicious attitude or it is legitimate, this can be clear, if we use RSS value. Sybil attacker creates an ambiguity in the network by making change in behavior of network nodes. An attacker creates a pretend to insert a new node in the network. If the node is inserted without check on its RSS, then there may be multiple identity behavior for a node, this can take a form of Sybil attack.
Now the question arises how to detection that particular Sybil identity. The detection is made with help of update of detection packets. Actually detected starts with sending of a special type of ‘detection update’ packet and also sends intimation to neighbors using transmission of these packets, when each node receives two or more than two packets from two distinct nodes then an identity will be declared as Sybil node. There are also found two troubles in this detection mechanism.
1. First thing is that what should be done if a particular node made switched off its transmitter in neighborhood and turn it to another neighbor. For the solution, the legitimate node would have to reveal their identities on every emergence; they have to preserve their identities. The group of node having legitimate nodes list in the network will get the presence of existing node easily in the network.
2. Second thing is that when a Sybil attacker tries to vary its transmission power for a mimic arrival from a particular distance?
For the detection of a Sybil node created by a white washer the received RSS is checked by algorithm and is passed to addNewRSS function with its transmitter address and reception time.
If the address is not in the table, this means that this is a new node and is not used earlier in the network. The concerned RSS is first appearance. The received RSS is checked against upper bound threshold. The comparison of RSS and UB threshold determines, in which zone, either white zone or gray zone, a particular node falls. The parameters for measuring the behavior of node are same. If it’s RSS value is greater than threshold or if sometimes equal to their holds than the particulars will be white zone. The node is said to malicious node because it is not entered normally. The address of this node is added to the list of illegal node (malicious nodes).
IF: Address is not in the table
IF: rss>= upper bound threshold
Then: add it to malicious node list
Add to table
Push back (rss, time recv)
IF: list_size> LIST_SIZE
FOR: each address in the table
IF(Current_time get_time())> time>threshold
Then: add to malicious list (address)
Else: normal node
To control the size of table 4.2, there is a need to delete all the unnecessary records, unused records; previous histories (now unused) that are residing there in the table. These all increase the size of table. It the size of table increases, this is not in favor, because it would be indefinite. There are two reasons behind unnecessary and unused records.
1) When an illegal node changes it identity then old record of this node remains in RSS table. It is easy for a node to leave and join the network at any time. So the previous records of joining of nodes with new records of leaving the network are present in the RSS table.
2) This is very important to control the size of RSS table; In order to control the size of the table we have to destroy unused record. For destroying unused records a timer is used. The records are destroyed using global timer. The records are flushed until the timer works. When the timer expires rssTable check is used. This is used for checking the last received RSS against the threshold for every address of table. Obtain time is compared to threshold, if it is greater than the threshold, then it intimates from a long time it is not used from the node. Now there is a need to check the reasons behind in disappearance of node.
5.1 PREVENTION TECHNIQUES
S. No. Technique to mitigate Sybil attack Disadvantages / Limitations Application Domain
01 Trusted Certification Significant performance overhead and expense General
02 Resource Testing Ineffective for most systems General
03 Recurring Fees Requires the use
of electronic cash or of significant human effort General
04 Privilege Attenuation Only applies to monotonic policies. Significant run-time and storage overhead for generalized extensions of the idea Social Network Systems
05 Economic Incentives May encourage Sybil attackers that have no interest in subverting the application protocols, but that are interested in being paid to reveal their presence General
06 Location/Position Verification Limited only to ad hoc networks Wireless ad hoc networks
07 Random Key Pre distribution Limited to Sensor Networks Sensor Networks
Table 5.1 Technique to prevent Sybil attack
5.1.1 Trusted Certification
Actually there are a little bit disputes among the researches. Some are agreeing on this that Sybil attacks can’t be eliminated. They can only be preventing. But ‘Douceur’ has proved that the trusted certification method is only method that can purely remove the Sybil attack. It is cited as most common solution .In this, only one identification is given to particular node. This theory believes in this that a centralized authority will ensure that each entity has at-most one identity. Douceur gave this method and suggested this only technique that completely removes Sybil attacks. But also he was unable to ensure the uniqueness of such method. Practically it will be performed by a manual process. But this will be very costly in the implementation of large scale systems. For making this system effective there is a need to ensure that the captured list or stolen identities are discovered and revoked. If the performance can be improve, then this approach can completely eliminate Sybil attacks.
5.1.2 Resource Testing
The aim of resources testing is to check for the ability to computing, ability for storage, bandwidth for network and IP address. Morris and Freedman gave a method for testing the IP address in distinguish domains and also for autonomous system. Heterogeneous IP address can be use for the prevention of some kind of attacks but they limit the usability of an application. But some researchers said that resource testing is ineffective. They said that this approach gives a little bit Sybil attack defense. This type of approach says that nodes can be discouraged and can’t be prevent. By using this approach an attacker can have only less number of nodes. But this is insufficient method for several applications, because an attacker can have sufficient number of identities for a successful attack.
If we consider another kind of resource test, Sybil guard technique believes limited availability between nodes .Reason behind this ineffectiveness of this approach is that a Sybil attacker can have at least its required nodes easily even it is expensive. This approach requires out of band key sharing and a trusted relationship for social networking.
5.1.3 Recurring Cost and Fee
We know that in recourse testing a less number of nodes are required for a big and dangerous Sybil attack. Also the computational power is tested. After the computational power testing is done, there is a need of search of identities that can be easily captured for a Sybil attacker. If we talk about the computational power that can be said at one time cost like the cost of purchasing a computer system. This is not a big issue for attacker even sometimes the cost of purchasing may be high but this can be helpful for attackers to capture the nodes on a large scale for a Sybil attack. Taking precautions about Sybil attack Awerbuch and Scheidler has given the use of testing test like imposing captcha but this impact in the form of recurring fee. Dragovic suggested a for identity certification. But the method is not purely sufficient for certification. Also this is not trusted. Gatti did an analysis of cost effectiveness on pear to pear network. He presented the analysis when an approach can be cost effective. He said that pear to pear network uses an economic game theoretical approach for checking when attacks on censorship resistant attack network are cost effective.
In another method it is shown that as compared to Sybil attack, each entity that participates is more effective positively in terms of charging onetime fee. For many applications recurring fee can incur a cost to the Sybil attack that increases linearly total numbers of participating identities, onetime fee incur only a constant cost.
5.1.4 Privilege Attenuation
Fong searched a new type of Sybil attack. This is totally different from other types of Sybil attacks. This attacks directly on reputation system as well as peer to peer network. This attack targets the trusted identities; this totally converts the behavior of legitimate node into malicious nodes. This attack believes in creating fake and illegal identities in a social network system and changes the trusted relationship among legitimate identities into fake identities. These relationships are produced with the help of graph theoretic relationship and is said to be a social graph. The relationship lies between the owner of resources and a perspective accesser of same source. This relationship based control also provides basis for an authorized decision in the systems such type of relationship is very popular and mostly used in social network system like Facebook. When in a social network system the fake identities are getting active, they get the capability to access the confidential, personal, hidden user information. Also they found the power of accessibility of large scale searching on social graph. For the defense of these types of Sybil attacks, Fong has given an approach, which is improvement and enhancement of Denning’s principle of privilege attenuation. This is very sufficient method to mitigate these types of attack along with a static policy analysis to verify POPA compliance.
5.1.5 Incentive Based Detection
An economic incentive based on a general protocol is proposed by Morgolin and Levine. This is not a specific for a particular application. This is a sufficient and totally a general solution to all application domains. An entity plays an important role. This works like a detective and called a detective identity. This is used for revealing Sybil attacks. There will two identities i.e. source and destination. A source entity provides the detail of target peer and also a security deposit to detective identity while the target identity receives the deposit. No physical tokens are needed such as radio and clocks unlike other Sybil attack detection approaches.
5.1.6 Random Key Distribution
There is a random key distribution and registration based key validation method. In this method there is a pool of keys, the pool is consisted of ‘m’ keys and we have to pick ‘k’ keys randomly. The number ‘m’ shows that two nodes will share at least one key with some possibility after they pick their keys. The node identity and the selected particular set of keys are grouped together. Using this way any node can be easily access by authorized some or all keys which it claims posses. But there is also a disadvantage of this method that there is a huge memory space needed because the keys are stored with pair and also with its neighbour.
5.1.7 Location/Position Verification Method
Tangpong gave location based Sybil detection method for MANETs that is based on similarity of path. The identities can be accessed in a similar path or identities that traverse the paths in a similarity format are said to Sybil nodes. The behaviour of that are totally changed or compared to legitimate node. To mitigate the Sybil attack in these types of nodes, there is a hip by hop protocol is used. This is an authorized protocol. In this approach, instead of selecting a faithful land, mostly nodes believe in exchanging the traffic observation for analyzing the potential existence of a Sybil attacks.
5.2 OTHER PREVENTION TECHNIQUES
5.2.1 Karlof and Wanger Approach
Karlof and Wanger proposed a technique for the verification of identities of two nodes. A unique symmetric key is distributed and shared in all the nodes and trusted base station works like key distribution center. To identify and verify two identity nodes, the base station provides a shared key. This method can prevent the Sybil attack, but can’t detect and remove it. If an adversary succeeds in compromising a node then, it can create multiple identities for the communication with other nodes.
5.2.2 Zhang Approach
Zhang introduced about Sybil attack prevention the concept of cryptographic keys based on location. The ID of each and every node along with its geographic location is grouped together with its private key. With the help of pairing, the location based keys are generated by trusted and authorized authority and are based on cryptography. The protocol is consisted of key that has the basis of neighbourhood authentication method and another method to establish both intermediate and multi-hop pair wised shared keys. When a malicious node wants to insert in the network of legitimate node, but using this method it is not possible because the malicious node have no authorize location based key and it never performs mutual authentication with other legitimate node. Forged IDs can’t be claimed by illegal or Sybil node. Although this method is not fully suitable for large scale networks but this effectively and successfully prevents the Sybil attack.
5.2.3 Bazzi Approach
Another method is given by Bazzi that is based on network coordinates and is specially used for distinguishing the nodes from malicious to legitimate or vice-versa. This approach believes on assumption that a malicious node can have one network position and is described in terms of minimum latency to a group of beacons. For getting a successful group of beacons that is required for the authorization of nodes, the nodes try to submit geometric certificate that contains verified ping times for the collection of standard beacon nodes. If there are more than one virtual machines those are located on different physical locations, will get shut down with that same certificate and this can be treated as probably corrupted malicious node. The network coordinates in a dimension space in adversary controlling more than the malicious node at the different network position can fabricate an arbitrary number of network coordinates and that defeats the security. This approach is so complex.
5.2.4 Wan Approach
Wan proposed a technique that is called TDOA and is based on time difference of arrival source and the beacon nodes. The category of required nodes is primary and secondary. There are needed three beacons. First is called primary beacon and remaining are called secondary beacons. Actually this method is totally based on arrival of time of nodes. When an illegal node wishes to insert in the network of honest node, this sends a message consisted of Sybil Ids to all the beacon nodes that are following primary beacon node and records the arrival time of beacon nodes respectively. After getting the information about the arrival time of primary beacon node, the secondary beacon node sends their message to primary beacon node. This primary beacon node plays an important role in this approach. It calculates the ratio of time difference of arrival of messages at secondary beacon node with respect to itself. This is the first step, but if malicious node again sends the message, then also the primary beacon node calculates ratio of time difference of arrival of messages and this is compared to the previous ratio. If it is same as previous ratio or approx same as previous ratio, then the detected node is a Sybil node. But this approach is not fully suitable for MANETs because there is a continuous movement of nodes in different directions along with non-uniform speed.
5.2.5 Piro Approach
Piro method proposed by Piro is based on movement of nodes as a special identification of Sybil attack in MANET. This method is about the mobility of nodes. Actually this method believes that the malicious and legitimate node will move together as a group. When the group is seen more than once, this is susceptible. There can be some Sybil nodes. Actually in the start this method contains only one observer node that determines that there are one or more Sybil nodes. But the efficiency of this technique can be improved by adding more than one observer nodes. But this scheme fails when malicious node regularly changes the identification of its Sybil nodes. Moreover the trusted nodes can also be impersonated by Sybil attacker.
5.2.6 Random Feedback
If one assumes a working key management among all the nodes, then the nodes can acknowledge forwarded packets across multi-hop.
Assume that there are three nodes A, B and C. A is the source node, B is intermediate node and C is destination node. A has to send some data to node C. But during the path there is an intermediate B which can work like an intruder, so the packet that contains data is encrypted nonce. After receiving the packet, node C acknowledges the received packet with correct nonce. Node B has no capability of decrypting the packet. So there are two things, first if node B tries to decrypt the packet, then it is verified as a cheater otherwise node B simply forwards the packet without any illegal activity.
There is a simple approach, source node sends a packet to its intermediate nodes, the node intermediate simply forwards it and provides the path of another intermediate node or to destination node. The identification of a cheater node is very easy. Actually this node don’t have the power to decrypt the packet consisted of confidential data. If intermediate node tries to decrypt the packet then, the node is verified as an illegal functioning node. But there are two major issues in this simple approach.
1. First there will be packet collision between node A and node B that will be a reason of false negative detection, A fails to recognize successful retransmission. Also there will be a collision between node B and node C that will a reason for false positive detection. Node A acknowledges the retransmission even it fails. This approach believes that all the nodes including intermediate node has the same power to send the packet forward along its path.
2. When a node finds this information that one or more than intermediate nodes are not supporting in the packet forwarding. The observer node does not speed up this information that some nodes are not supporting in routing the packets and observer node tries to find a new route for packet forwarding. For the node, it is rational to avoid the selfish node and increase its own throughput but for the net at large this is not a good choice as it does not punish the selfish node but only burdens the co-operating once with more work.
Fig. 5.1: A view of Watchdog approach
5.2.8 Distributed Reputation
Distributed reputation is used to overcome the weakness of watchdog system. This system provides rating about it neighbours as well reputation values from its own and other nodes. There are many protocols and different ways for implementing these protocols. Some most important protocols are collaborative reputation mechanism (CORE) and cooperation of nodes (CONFIDENT).
5.2.9 Mobile IDs
There can be an increment in the probability of attack if one have all possible events such as route/request, number of errors, data bus, and nodes joining/leaving. In this approach the detection is based on comparison of entropy and trained values. Every node works like an intruder detection node that is used for conducting the events in network and to share the data with other node and tries to find a malicious node. After conducting the data information theoretic entropy and conditional entropy are calculated for the analysis of collected data. If conditional entropy is found less than the previously trained entropy, then an intruder node is found.
Once there is detection in any node, then it will be passed to other nodes and the data passes to intermediate and other nodes. After spreading the data to other nodes, it should be easy for mobile IDs to detect all the malicious nodes. Mobile IDs work at global level as well as local level.
Fig.5.2: IDs agents
5.2.10 Currency System
Mostly techniques use carrot & stick rule i.e. they punish nodes having misbehavior and they use some kind of reward for nodes having fine behavior, coordination & co-operation. There is also a currency system for sending & receiving data. There are three protocols that are based on carrot & stick rule.
1) The first protocol is NUGLETS that is based on currency system and this is probably basis to all other currency system. This is well known for temper proof hardware model which should be included in all devices to ensure proper incentive, to detect and block the attack. This protocol is totally a decentralized protocol and there is no need of a central system.
2) The second protocol is SPRITE, a totally cheat proof credit based system, but this does not require temper proof hardware and uses a central clearance service to track all network message.
3) Third protocol is CASHNET (Co-operation & accounting strategy for hybrid network protocol). This is a hybrid network protocol. This uses temper proof hardware as well as central devices.
The main target of these systems is to provide -:
If we talk about the security, this can be easily achieved. Because there are some techniques for providing the security, but the most common technique is cryptography. With the help of encryption and decryption, the security can be easily done. But achievement of incentive is very hard because this is not depending on a particular factor. This depends on different factor. Net plays an imp role and creates a big difference. If the net is highly connected, then the sending and receiving of data will be in a ratio and a simple payment by volume works. If the MANET is spread around a gateway, then there will be a chance for inner nodes to forward the data packet to other nodes, but there is chance to forward data for outer chance.
5.2.11 Trusted Devices
For providing security, entities of on application can be linked to specific type of hardware in a secured way. Analogous to any central authority handing out cryptographic certificates, there are no special techniques to prevent the attacker from selecting multiple devices other than manual intervention. The cost for hiring multiple devices may be high. Some are the application domain of trusted devices
‘ Mobile Networks
Getting the exact location may distinguish among different devices. Border of mobility can give the limit to attacker’s traversal. If an attacker has a single device only, then it is possible that all the Sybil nodes will move together. The defense from Sybil attack is limited in mobile network. This security is not getting imposed outside of mobile network. Each device in different devices having recurring cost is controlled by single entity that can’t be protected.
For checking the correctness of an identity, an audit technique can be used. In some cases, audit can be used to determine the correctness of identity behaviour. If audit is cheap, the Sybil attack has little benefit: for instance, a large number of apparently independent identities cannot successfully convince another entity that they have factored a large number unless they have actually done so.
5.3 Reputation System
Reputation system is also known as mitigation technique for Sybil attacks. This can be classified as symmetric or asymmetric approach. Chang & Friedman has found the disadvantages of reputation system and categorize them into two classes known as symmetric & asymmetric. Reputation system is well known system for different types of point to point system such as mobile ad-hoc network, online markets etc.
5.3.1 Symmetric Reputation
A reputation system is a system in which the reputation of an identity is based on trusted graph. Time identity has no relation with the nodes. When an attacker wants to attack in the network, the first task to be performed by attacker is to create some Sybil nodes for the creation of a copy of trusted graph. If it is successful in creation of a copy of trusted graph, then it is very easy for the attacker to attack in network. For creation of a copy of trusted graph, there is required an increment in reputation system. A simple reputation system can’t distinguish between original nodes and copied nodes. Thus the Sybil node has reputation equal or better than equal to original nodes.
5.3.2 Asymmetric Reputation
This is different from symmetric reputation system. In this approach no Sybil attacker is enabled for creating a copy of trusted graphs because each identity has its own unique value and also with its unique path for the identification of other identities in the system. There are specifically trusted nodes from which all reputation values propagate in this. Actually for the attacker to attack, there is required some Sybil nodes for making the trust, but in this system, the identities are changing its value time to time, so this is very difficult to the attacker because attackers must prove themselves by offering benefits before getting anything in return.
5.3.4 Active Role of Reputation System
Reputation system is a system which is basically used to prevent the Sybil attack. This can provide security is long as it is in enable state. This provides the facility to keep track on the behavior of nodes which has totally a different behavior from original nodes. This takes care of original, nodes and notices the behavior of misbehaving nodes. This is done by ‘
This keeps track the behavior of both original and misbehaving nodes. When it is in observing mode, this is used for distinguishing the original modes from Sybil.
The terms reputation and trust have been used for various concepts, also synonymously. Reputation here is to mean the performance of a node in participating in the base protocol as seen by other nodes. For mobile ad hoc networking this means participation in routing and forwarding. By trust we mean the performance of a node in the policing protocol that protects the base protocol, here reliability as a witness to provide honest reports.
Detection and reputation systems aim at isolating nodes that are deemed misbehaving by not using them for routing and forwarding, and most also isolate them additionally by denying them service
5.3.5 Features of Reputation System
This describes the conversion of specific events that are stored and translated into the reputation rating. This also defines the how these events are translated into reputation rating. These ratings are also useful for the categorization of response. In case of information found different from first hand, the reputation system will surely believe on its information only, but sometimes this can use of information collected from others.
The use of trust influences the decision of using second-hand information. The design choices are about how to build trust, out-of-band trust vs. building trust on experience, how to represent trust, and how to manage the influence of trust on responses.
‘ Redemption & Secondary Response
When a node is almost isolated or completely isolated from network, then after isolation, this is not required to observe that node. If there are two ways, if the isolation is permanent then there is no chance for improving that node, but second condition is that if the isolation i.e. misbehavior of node is temporary, then there is a possibility to come back in the network. This will be ensured by redemption mechanism that a node that had been isolated will make come back or not.
‘ Liar Detection
In this scenario nodes not only misbehave in forwarding (and routing), but also in the reputation system itself, by spreading spurious ratings. Untrustworthy nodes can have different strategies to publish their falsified first-hand information when attempting to influence reputation ratings (e.g., when they want to discredit regular nodes).If the lies are big, they will not pass the deviation test of CONFIDANT. A more sophisticated alternative is stealthy lies. Although nodes do not know the content of the reputation ratings held by others, they could try to infer from published first-hand information and then lie only enough to just pass the deviation test. CORE does not consider negative ratings, so only flattering has an impact. SORI are vulnerable to liars that are cooperative when forwarding. Context-aware detection copes with single liars or very small collisions by majority voting. Path-rater has no defense against liars.
5.4 Implementation of Reputation System
There are many algorithms are existing in different literatures for implementing reputation system in mobile ad hoc network. These have been implemented as an add-on to the DSR [Dynamic Source Routing] routing protocol. In MANET [Mobile Ad-hoc network] the nodes have to cooperate to find path between nodes [route discovery, route maintenance etc. The successful design of a reputation system is decided by how the system is free from misbehaving nodes where misbehaviors are packet dropping, identity spoofing and packet modification.
5.4.1 Existing Algorithms
‘ Watchdog &Path Rater
This approach is consisted of two components.
1. Watch dog
2. Path rater
This works in this format, firstly there is a packet from the group of sent packets is maintained and compared with all overhead packets. If the packet is same, then it is removed from the set of packet, if it is not same, then there is a decrement in the reputation value of next hope. The node will be considered as a selfish node, if reputation value is found less than the value of threshold.
‘ Co-ordination of Nodes
In this, a manager plays a vital role. Actually the mechanism is based on a protocol that provides a manager for watch dog and path rater scheme. Also this protocol adds a reputation system to this approach. Thus manager makes an analysis on the behavior of nodes. This distinguishes the activities of malicious nodes from legitimate nodes.
Fig.5.3: Confident architecture
‘ Collaboration Reputation
This reputation is prepared with the help of monitored data entities of local types and some information collected by other nodes that are also involved in every operation. The value for reputation is proportional to resources that the node can utilize.
The routing decisions are made on the basis of the behavior of neighboring nodes. It exactly bans the exchange of information of duplicate kind. It also provides stick mechanism for the nodes that are producing misbehave.
Fig. 5.4 CORE Architecture
‘ LARS (Locally Aware Reputation System)
This is based on packet dropping behavior. Nodes reputation is collected by the keeping track on the behavior of nodes called direct observation. Reputation value increment and decrement is based on the behavior of a node. The reputation value will be decrement if a node finds a packet drop of its neighbor. This node is called a malicious node and when it is identified then K-hop neighbor becomes aware about the selfishness of particulars node.
‘ PLRSA (Promiscuous Listening Routing Security Algorithm)
It interacts with all packets which are passing through the mobile nodes. It uses promiscuous behavior for each mobile host regardless of destination address of packet. When the behavior of particular node is noted different from others then it is susceptible and declared as malicious node. There can be different reasons for suspect about this node such as dropping the data packets, fabricating the spurious packets. Finally the node is declared as Sybil node after the comparison of the level of trust with threshold value. If the threshold value is greater than the value of trust level then the node is declared as malicious nodes.
‘ E- Hermes:
o This uses following terms ‘
o Trustworthiness of other nodes
o Packet forwarding.
o Gathering firsthand information observed by other nodes.
o Collection of second hand information by other nodes.
‘ LMSRA (Local Monitoring Based Reputation System with Alert)
This scheme derives the trustworthiness based on the direct observation experienced by a node from its next hop neighbors and also it does not exchange the trust values with the rest of the nodes in the network. This scheme generates an explicit alert and sends it to source node of the monitored transmission, whenever it declares its next hop node as a misbehaving node. This enables the packet originating node to select an alternate route for its current transmission, which in turn increases the overall network throughput. This has an additional feature. Actually this explicitly produces a signal to the source node of transmission after the declaration of next hop as a malicious node. If a malicious node is found in the path from source to destination of packet forwarding, then there is a need to change the rate of traversal. Then there is also required to choose on alternate path for the transmission.
‘ Collaborative Alert in a Reputation System
Based on neighborhood monitoring approach to detect and isolate the colluding packet droppers with explicit alert mechanism.
‘ Neighborhood Monitoring
This is based on a time out approach. It imposes a time out mechanism for finding the active nodes. This produces a route packet to intimate the link of malicious node, regeneration of misbehave by nodes with the help of route request packet.
‘ Next Hop Monitoring
This is the duty of all the nodes excluding source and destination to me keep track on the behavior of next hop for the identification of node’s behavior.
‘ Neighborhood Monitoring
A node monitors the behavior of its neighbor’s node transmission. This also adds flexibility in monitoring.
5.4.2 Drawbacks of Existing Algorithms
‘ Confused Collision
There can be interference in the simultaneous transmissions of two nodes. A node can be Sybil node if it is unable to overhear the transmission of other nodes in its neighborhood.
‘ Receiver’s Collision
By the occurrence of collision, the transmission of one node is overheard by another node, but not received. This is helpful for selfish node. That will not send it again.
‘ False misbehavior
The claim by a node is that a node has behaved selfishly although it is not the case.
‘ Limited transmitter power
A node sets its power as less as possible that it can only be overhear by received but never be reach at receive.
Studies on MANET have focused more on single attacks. In the meanwhile some attacks involving multiple nodes have received little attention since they are unanticipated and combined attacks. There have been no proper definition and categorization of these kinds of attacks (multiple node attacks) in MANET. Some mitigation plans have been proposed to counteract against some form of multiple node attacks; thus, there is need to figure out the consequences of the category of collaborative attacks and their possible mitigation plans. Moreover, the effects of these kinds of attacks on MANET have not been well measured since each researcher tends to use different simulators to visualize those attacks and determine the consequences such as impact on packet delivery ratio, throughput, and end to end delay. Based on the features related to MANETs and the cause of problems and vulnerabilities in such networks, our study on MANET has focused more on non-single attacks and some kinds of attacks involving multiple nodes. We have not been able to find any proper definition and categorization of this kind of attacks in MANET. This issue is our main focus in the thesis. In addition, there is a need to figure out the consequences of this category of attacks and their possible mitigation plans.
A Sybil attack is also used by companies that increase the Google Page Rank rating of the pages of their customers and has been used to link particular search terms to unexpected results for political commentary. Reputation systems are a common target for Sybil attacks including real-world systems like eBay. Spammers can use this attack to gain access to multiple accounts on free email systems. Peer-to-peer computing systems which use voting to verify correct answers, such as [email protected], are also susceptible to accepting false solutions from a Sybil attacker. Ad hoc mobile network routing can be manipulated when a Sybil attacker appears to be many different mobile nodes at once. In systems that provide anonymity between peers, such as Tor, the Sybil attack is generally capable of revealing the initiator of a connection and there is no defense against this attack. It also allows free riding in services in cooperative file storage systems such as Pastiche. Despite this work, there is no general solution to the attack. Proposed solutions most commonly use resource testing, though Douceur has shown this cannot prevent the attack in practical situations. A wide variety of applications have considered the effects of the attack. Below we first summarize approaches that have been cited in the literature to protecting against or detecting the attack. We then review results that are specific to different applications vulnerable to the attack.
There are two commonly used techniques that are Lightweight Sybil attack detection method and Robust Sybil Attack Detection method. In Lightweight Sybil attack detection algorithm and Robust Sybil Attack Detection Algorithm, the Comparison is done between these two techniques. In Robust Sybil attack detection technique; there is requirement of directional antennae to check the location of the nodes, so it is costly whereas in Lightweight Sybil attack detection technique there is no requirement of any extra hardware or directional antennae, therefore it is called as lightweight and it is also cheap in cost than robust technique. Parameters used in robust technique are time and location and parameters used in lightweight technique are RSS and speed. Robust technique, 80% detects the Sybil node as Sybil node and 20% detects the legitimate node as Sybil node whereas lightweight technique, 90% detects the Sybil node as Sybil node and 10% detects the legitimate node as Sybil node. So on the basis of comparison Lightweight Sybil attack detection technique is better than the robust technique.
Though many researchers are aware that the Sybil attack is a potential problem, they present no solution to it for in their work. We cite these publications to point out that the Sybil attack remains an unsolved problem that is correctly acknowledged where applicable, and not to disparage the works.
1. Sohail Abbas, Madjid Merabti, David Llewellyn-Jones, and Kashif Kifayat (Lightweight Sybil Attack Detection in MANETs)
2. Chris Piro, Clay Shields, Brian Neil Levine (Detecting the Sybil Attack in Mobile Ad hoc Networks)
3. Roopali Garg, Himika Sharma, Prevention Techniques for Sybil Attack, INTERNATIONAL JOURNAL OF COMPUTERS & TECHNOLOGY, Vol.11 pp. 3060-62, (2013).
4. Brian Neil Levine Clay Shields2 N. Boris Margolin, A Survey of Solutions to the Sybil Attack, pp:03-04.
5. Haifeng Yu Michael Kaminsky Phillip B. Gibbons Abraham Flaxman, SybilGuard: Defending Against Sybil Attacks via Social Networks.
6. Himadri Nath Saha, Dr. Debika Bhattacharyya , Dr. P. K.Banerjee, Semi-Centralized Multi-Authenticated RSSI Based Solution to Sybil Attack., International Journal of Computer Science & Emerging Technologies (E-ISSN: 2044-6004) 338 Volume 1, Issue 4,( 2010).
7. G. S. Mamatha, Dr. S. C. Sharma, A Robust Approach to Detect and Prevent Network Layer Attacks in MANETS, International Journal of Computer Science and Security, Volume (4): Issue (3).
8. K. Kayalvizhi1, N. Senthilkumar, G. Arulkumaran, Detecting Sybil Attack by Using Received Signal Strength in Manets, (IJIRSE) International Journal of Innovative Research in Science & Engineering, 2347-320).
9. Mangesh M Ghonge, Pradeep M Jawandhiya, Dr. M S Ali, Countermeasures of Network Layer Attacks in MANETs, IJCA Special Issue on ‘Network Security and Cryptography’ NSC, (2011)
10. George Danezis and Stefan Schi_ner, (Sybil attacks and Reputation systems, On Network formation, December, (2006).
11. The Sybil Attack, John R. Douceur, Microsoft Research.
12. Haifeng Yu Michael Kaminsky Phillip B. Gibbons Abraham Flaxman, SybilGuard: Defending Against Sybil Attacks via Social Networks.
13. RoopaliGarg,Himika Sharma, Comparison between Sybil Attack Detection Techniques: Lightweight and Robust, International Journal of Advanced Research in Electrical, Electronics and Instrumentation Engineering, Vol. 3, Issue 2,(2014)
14. Brian Neil Levine Clay Shields N. Boris Margolin, A Survey of Solutions to the Sybil Attack.
15. Amol Vasudeva and Manu Sood SYBIL ATTACK ON LOWEST ID CLUSTERING ALGORITHM IN THE MOBILE AD HOC NETWORK, International Journal of Network Security & Its Applications (IJNSA), Vol.4, No.5, September 2012.
16. Nitish Balachandran, Sugata Sanyal A Review of Techniques to Mitigate Sybil Attacks, Int. J. Advanced Networking and Applications.
17. IRSHAD ULLAH, SHOAIB UR REHMAN, Analysis of Black Hole Attack on MANETs Using Different MANET Routing Protocols , School of Computing, Blekinge Institute of Technology, June, 2010,
18. Attacks on structured P2P overlay networks Simulating Sybil Attacks Mismaku Tefera, The Department of Information Technology and Media (ITM).
19. Diogo M??onica, Thwarting The Sybil Attack in Wireless Ad Hoc Networks.
20. PRITHA BAIDYA, Received Signal Strength Based Sybil Attack Detection having Fabricated Identities, School of Education Technology, JADAVPUR UNIVERSITY, KOLKATA.
21. K. Gopalakrishnan & Rhymend Uthariaraj, in V.. 2011, ‘Neighborhood Monitoring Based Collaborative Alert Mechanism to Thwart the Misbehaving Nodes in Mobile Ad-Hoc Network ‘, European Journal of Scientific Research ISSN 1450-216X Vol.57 No.3 pp.411-425.
22. Marti, S., Giuli, TJ., Lai, K., Baker, M., 2000. ‘Mitigating Routing Misbehavior in Mobile Ad-Hoc Networks’, In: 6th International Conference on Mobile Computing and Networking, pp.255-265. ACM, Boston.
23. Nguyen Tran,Combating Sybil attacks in cooperative systems, Department of Computer Science, Courant Institute of Mathematical Sciences, New York University, Sep 2012,
24. G. Kesidis, A. Tangpong, C. Griffin, ‘A Sybil-proof Referal System Based on Multiplicative Reputation Chains, IEEE Communication Letters, 2009.
25. Douceur, J. R. (2002) ‘The Sybil Attack,’ in Proc. IPTPS, Cambridge, MA.
26. Priyanka Goyal, Vinti Parmar and Rahul Rishi, ‘MANET: Vulnerabilities, Challenges, Attacks, Application’, IJCEM International Journal of Computational Engineering & Management, Vol. 11, January 2011.
27. Mohammad Wazid , Rajesh Kumar Singh and R. H. Goudar, ‘A Survey of Attacks Happened at Different Layers of Mobile Ad-Hoc Network & Some Available Detection Techniques ‘ International Journal of Computer Applications?? (IJCA) International Conference on Computer Communication and Networks CSI- COMNET-2011.
28. Fan-Hsun Tseng, Li-Der Chou and Han-Chieh Chao ‘ A survey of black hole attacks in wireless mobile ad hoc networks’ Human-centric Computing and Information Sciences 2011.
29. J. Kong, X. Hong and M. Gerla, ‘A new set of passive routing attacks in Mobile ad hoc networks’, Proc. IEEE Military Communication conference MILCOM, OCT. 2003
‘ ‘Mobile ad hoc networks and features present on it’ [available online] http://www.bluetronix.net/mobile_ad_hoc_networks.htm.
‘Mobile adhoc networks and application'[available online], http://en.wikipedia.org/wiki/Mobile Ad Hoc
...(download the rest of the essay above)