Département Réseau, Sécurité et Multimédia (Network, Security and Multimedia Department), 2008 Activity Report

Malicious behavior detection in ad-hoc networks

Research Staff: Frédéric Cuppens, Nora Cuppens-Boulahia
Ph.D. Students: Tony Ramard
Keywords: Intrusion detection, Specification-based detection, Aspect-Oriented Programming, OLSR
Applications: Ad-hoc network
Partners & Funding: partially funded by the RED Celtic project and a French DGA (Direction Générale de l'armement) grant.

Introduction

A Mobile Ad-hoc NETwork (MANET) is a collection of nodes that are able to connect to a wireless medium, forming an arbitrary and dynamic network. The routing protocol ensures that all nodes at all times can reach all destinations in the network.

In this context, several attacks can be mounted against the network's security in order to disrupt it. We especially investigate security properties of the Optimized Link-State Routing (OLSR) protocol, a proactive routing protocol for MANETs. We analyze the possible attacks against the integrity of the network routing infrastructure, and present techniques to counter some of them. Our main approach is based on a formal model describing normal and incorrect node behaviors. This model allows us to derive security properties. The algorithm checks whether these security properties are violated; if they are, detection occurs, allowing the normal node to find a path that avoids the incorrectly behaving node.

This work is supported by the RED Celtic project and a French DGA (Direction Générale de l'armement) grant.

Realization

The Optimized Link State Routing protocol (OLSR) is the most popular routing protocol for MANETs. OLSR is based on an optimized flooding mechanism for diffusing link-state information. The core optimization is that of Multipoint Relays (MPRs): each node must select MPRs from among its neighbor nodes such that a message emitted by a node and repeated by the MPR nodes will be received by all nodes two hops away.

The availability properties in MANET routing protocols, especially OLSR, have been studied. Our approach is based on specifying these properties through node profiles (honest and cooperative nodes). For this purpose, we use the Nomad model [1] to express node behaviors (normal and incorrect behaviors). Nomad combines deontic and temporal logics. Deontic logic is used to model permissions, prohibitions and obligations, whereas temporal logic provides the means to specify temporal and temporized constraints on actions occurring in the model. In Nomad, we model conditional privileges and obligations with deadlines. We also formally analyze how privileges on non-atomic actions can be decomposed into more basic privileges on elementary actions.

From these expressions, we can derive properties that specify a security policy [2]. These properties are woven into the OLSR protocol using Aspect-Oriented Programming (AOP) languages such as AspectJ. The properties are checked when a message is received in order to detect intrusions. Using this approach, a node can detect several malicious behaviors of other nodes, including lazy, selfish, lying and secretive nodes.

If a property is violated, a reaction occurs and the node attempts to find another path or Multipoint Relay (MPR) that keeps the malicious node away. In this case, the node sends relevant information related to the detection to its neighborhood. The neighbors of this node record this information but do not fully trust it. A function allows nodes to compute the reputation of their neighbors. This reputation quantification allows nodes to choose the best path to reach another node.

This approach has been validated through simulation. The simulation results show the different contents of the nodes' routing tables in two modes: (1) when the analysis mechanism is activated (i.e. nodes check whether the security properties are violated) and (2) when the analysis mechanism is deactivated. We then analyze the topology with normal node behavior, the topology with an intruder and without the analysis mechanism, and finally the topology with an intruder and the analysis mechanism.

Pracom's Annual Report 2008, page 47
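To make the MPR property and the reaction step concrete, here is an added example (not the report's own code, which uses Nomad and AspectJ) that checks a received MPR set against the two-hop coverage rule stated above and recomputes an MPR set that excludes a flagged node. The six-node topology and node names are constructed for illustration.

```python
"""Specification-based checks for OLSR MPR selection (added example).

The topology below is constructed: it stands for the symmetric links a node
would learn from received HELLO messages. The property checked is the one
stated in the text: MPRs must be neighbours and must relay to every two-hop node.
"""

# Constructed symmetric links (hypothetical topology, not from the report).
LINKS = {("A", "B"), ("A", "C"), ("B", "D"), ("C", "D"), ("C", "E"), ("E", "F")}


def neighbours(links):
    """One-hop neighbour sets for a symmetric link set."""
    nb = {}
    for u, v in links:
        nb.setdefault(u, set()).add(v)
        nb.setdefault(v, set()).add(u)
    return nb


def two_hop(nb, node):
    """Strict two-hop neighbourhood of `node`: excludes node and its neighbours."""
    n1 = nb[node]
    return {w for v in n1 for w in nb[v]} - n1 - {node}


def check_mpr_set(nb, node, mpr_set):
    """Detection check run when a message advertising `mpr_set` arrives from `node`.
    Returns (violated, detail): detail names MPRs that are not neighbours, or the
    two-hop nodes the advertised relays fail to reach."""
    foreign = mpr_set - nb[node]
    if foreign:  # relays claimed among nodes that are not neighbours at all
        return True, {"not_neighbours": foreign}
    covered = set().union(*(nb[m] for m in mpr_set)) if mpr_set else set()
    uncovered = two_hop(nb, node) - covered
    if uncovered:
        return True, {"uncovered": uncovered}
    return False, {}


def select_mprs(nb, node, exclude=frozenset()):
    """Reaction step: greedy MPR choice that keeps `exclude` (e.g. a detected node)
    out of the relay set. Returns (mprs, still_uncovered); a non-empty second
    element means coverage cannot be restored without the excluded node."""
    remaining = two_hop(nb, node)
    candidates = nb[node] - set(exclude)
    mprs = set()
    while remaining:
        best = max(candidates - mprs, key=lambda c: len(nb[c] & remaining), default=None)
        if best is None or not nb[best] & remaining:
            break  # no remaining candidate extends coverage
        mprs.add(best)
        remaining -= nb[best]
    return mprs, remaining
```

With the constructed topology, node A's two-hop set is {D, E}; advertising {C} as MPRs satisfies the property, advertising {B} leaves E unreached, and excluding C from A's relay set leaves E uncovered, which is the case where a node must look for another path rather than another MPR.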
