Secure Reporting of Traffic Forwarding Activity in Mobile Ad Hoc Networks
Heesook Choi, William Enck, Jaesheung Shin, Patrick McDaniel, Thomas F. La Porta
Department of Computer Science and Engineering
Pennsylvania State University, University Park, PA 16802
Nodes forward data on behalf of each other in mobile
ad hoc networks. In a civilian application, nodes are as-
sumed to be selfish and rational, i.e., they pursue their own
self-interest. Hence,theabilityto accuratelymeasuretraffic
forwarding is critical to ensure proper network operation.
These measurements are often used to credit nodes based
on their level of participation, or to detect loss. Past solu-
tions employ neighbor monitoring and reporting on node
forwarding traffic. These methods are not applicable in
civilian networks where neighbor nodes lack the desire or
ability to perform the monitoring function. Such environ-
constrained, or in networks where directional antennas are
used and reliable monitoring is difficult or impossible.
In this paper, we propose a protocol that uses nodes on
the data path to securely produce packet forwarding re-
ports. Reporting nodes are chosen randomly and secretly
so that malicious nodes cannot modify their behavior based
uponthe monitoring point. The integrity and authenticity of
reports are preserved through the use of secure link layer
acknowledgments and monitoring reports. The robustness
of the reporting mechanism is strengthened by forwarding
the report to multiple destinations (source and destination).
We explore the security, cost, and accuracy of our protocol.
The establishment of a wireless infrastructure is non-
trivial, especially in volatile environments where node mo-
bility dominates. Occasionally, erecting xed infrastruc-
tures is not feasible due to location or temporal validity.
For example, it is not possible to build a wireless tower in
the middle of a hostile battleeld. Furthermore, the tower
cannot be moved as an attack progresses. In other mission-
oriented scenarios such as search and rescue, terrestrial ob-
stacles, e.g. avalancheprone mountains, inhibit the creation
of xed access points.
In the absence of a xed infrastructure, mobile ad hoc
networks (MANETs) can be used.
xed infrastructure or centralized control for communica-
tion, MANETs are well suited for the aforementioned sce-
narios. Within the network, multi-hop paths are created
between nodes that formerly could not communicate. Ide-
ally, each node selessly forwards each packet to the next
node in the path. As nodes move, they leave and join vari-
ous communication links, thus promoting many ephemeral
Reliable operation in a MANET requires explicit coop-
eration between nodes. While this is feasible to assume for
mission-oriented scenarios, careful consideration needs to
take place when applyingMANETs to civilian applications.
In a civilian mobile ad hoc network, communicating nodes
will use any relay points present. It is conceivable that self-
ish or malicious nodes exist in these networks. Addition-
ally, reliability can be severely impacted by network con-
gestion and mobility. Ergo, there is a need to detect self-
ish or malevolent behavior, promote cooperation between
nodes, and route around network congestion.
One method for detecting malicious behavior is to gen-
erate reports on trafc ow between nodes. This informa-
tion can be used to not only detect misbehavior, but also to
indicate good network citizens. By identifying nodes that
play fairly, a payment scheme can be implemented in order
to further promote cooperation. Trafc reports can also be
used to detect bottlenecks.
to eavesdrop on data transmissions in order to generate re-
ports. While this may work well in networks with trusted
nodes, i.e. military settings, it is not feasible for civilian ad
hoc networks. Furthermore, such techniques may also fail
in military settings if directional antennas are used, since
nodes cannot reliably monitor data transmissions.
In this paper, we propose a secure random reportingpro-
tocol for a civilian ad hoc network, in which the source and
destination collect reports from intermediate nodes on the
routing path. Every data packet delivered initiates a re-
port from one intermediate node that is randomly chosen
By not requiring a
by a source node. The chosen node then integrates its self-
report into the packet before forwarding the transmission.
The symmetric-keyconstructionefciently prevents disclo-
sure of the selected node’s identity from all adversaries ex-
ceptthose that can mountlargescale trafc analysis attacks.
Note that reports may become lost due to mobility and con-
gestion. In order to provide robustness in the face of loss,
the report is sent to the source, the destination, or both.
While the secure random reporting protocol provides se-
cret node selection, as well as integrity and authenticity of
reports, it does not guarantee that the self-report is accu-
rate. Although nodes cannot manipulate others’ reports,
theymay not be trusted to generateaccurate reports. To rec-
tify this inadequacy,we propose a forgerydetection scheme
that provides proofs of delivery implementedby secure net-
work layer acknowledgments.
We have simulated these schemes using ns-2 . Our
results show that we accurately monitor packet forwarding
activity even in lossy networks. We further simulate ma-
licious packet dropping to look at the effectiveness of our
secure random reporting protocol.
The rest of this paper is organized as follows. Section 2
reviews previous research in malicious node detection and
cooperation in ad hoc networks. Section 3 describes possi-
overview of the proposed random reporting protocol. This
scheme is then strengthened in Section 5 as we extend it
to provide report integrity, node selection condentiality,
and preventionof falsied reports. Next, Section 6 provides
simulationresults andcomputationaloverheadofthe secure
random reporting protocol. Finally, Section 7 concludes.
2. Related Work
Detection of malicious behavior and collection of coop-
eration history for crediting are two motivating factors for
monitoring nodes. This section discusses previous research
in these areas.
2.1. Detection of Malicious Behavior
The Watchdog/Pathrater  scheme proposes the use
of a watchdog for detecting misbehaving nodes, and a
pathrater to help the routing protocol avoid detected misbe-
having nodes. The design utilizes intermediate nodes along
the routing path, wherein a node sends a packet to an in-
termediate downstream node and veries the node that for-
wards it. If the node does not send the packet within a pre-
dened period, it is declared as misbehaving, and the moni-
toringnode noties the source. Pioneering the area of intru-
sion detection in ad hoc networks, Zhang and Lee [16, 17]
propose a general architecture, in which all nodes partic-
ipate in the monitoring of data transmission. Each node
is responsible for monitoring a transmission range and co-
operating with neighboring nodes in order to detect intru-
sions. Zhang and Lee later proposed a second scheme to
reduce the number of nodes involved in monitoring . In
this cluster-based scheme, a cluster head (CH) is elected
for monitoring data trafc within the transmission range.
The elected CH is responsible for monitoring all neighbor-
ing nodes and checking statistics. AODVSTAT  im-
plements an intrusion detection system (IDS) within the
AODV  routingprotocol. The system monitorsforrout-
ing message drops, data-packet drops, MAC/IP spoong,
and resource depletion attacks. In AODVSTAT, an IDS
monitorsall observabletransmissionsfromneighbors. Note
that all of the above schemes require some level of commu-
nication eavesdropping. These solutions are not feasible in
our target environments because reliable eavesdropping is
Awerbuchet al. proposeanalternateschemethat uses
intermediate nodes on the data path. If a source does not re-
ceive an ACK from a destination, the source begins probing
all intermediate nodes. This causes each node along the
path to send an ACK back to the source. Unfortunately,due
to the dynamic characteristics of MANETs, data paths can
change frequently, possibly before the failed link is found.
Many times, cooperation between nodes cannot be
expected without incentives.
been proposed that use payment schemes. A node may
be paid via a credit for behaving cooperatively or ex-
cluded/penalized for misbehaving.
Sprite  proposes an incentive system where selsh
nodes are encouraged to cooperate. In Sprite, each node is
motivatedtohonestlyreportits actions,evenin thepresence
of selsh node collusion. Intermediatenodes retain receipts
of received messages. The receipt is then sent to the CCS
(Credit Clearance Service) as proof of forwarding, and the
CCS then charges/credits based on the received reports.
CORE , another cooperation algorithm, uses a col-
laborative reputation mechanism to encourage nodes to co-
operate. The reputation is calculated via both direct and
indirect observation by a node and its neighboring nodes,
respectively, within the transmission range.
scheme, CONFIDANT , each node monitors nodes ex-
isting one hop away. If a node detects and concludes mal-
ice, it generates an ALARM message to either a source or
a friend. This, in turn, causes misbehaving nodes to be ex-
cluded from the community.
All of the aforementioned detection and cooperation
schemes require the observation of neighboring nodes. Ad-
ditionally, these schemes deal only with detection or coop-
eration. Our reporting protocol targets more general appli-
Several algorithms have
cations, including both detection of malicious behavior and
crediting for cooperation. The information provided by the
reportingscheme is also vital for detectingdatabottlenecks.
3. Threat Model
tential for anomalous behavior. Inconsistencies arise from
self-interest, maliciousness, network congestion, and mo-
bility. This section discusses these threats and how they
pertain to packet forwarding activity and report collection.
The discussion illuminates the set of threats to which we
aim to be resilient.
It is important to note that the high loss and delay preva-
lent in wireless and mobile networks exacerbates the prob-
lem of detecting selsh/malicious nodes. If a node drops
packets and moves, it is difcult to detect whether the
packet loss is from mobility or selshness/maliciousness.
Likewise, in a congested network, packets are dropped be-
cause of packet buffer overows. Distinguishing between
selsh/malicious drops and congestion is difcult. Regard-
less of the reasons for packet loss, a source node may wish
to avoid particular nodes due to the mere occurrence of lost
packets, whether it be the result of selsh/malicious behav-
ior or simply network congestion.
Most formsofnon-cooperationresult indenialofservice
(DoS). In the extreme case, an ill-performing node would
simply refrain in participating in routing, and hence would
never be placed on a path. Possibly more damaging, a sim-
ilar attack would allow the node to accept a position on the
path, but it would not forward data packets. Our protocol
does nothing to prevent or detect attacks on the routing pro-
tocol, but ratherfocuses on accurate reportingof packet for-
Nodes may also drop packets selectively. For example,
a selsh node may choose not to forward packets for a spe-
cic source or destination, or conversely, simply favor a
source or destination by dropping trafc for others when
they are in competition. Similarly, the node can choose par-
ticular applications to drop or show preferential treatment.
Finally, a node may randomly drop packets in order to sim-
ply save energy.
Note that only a few well-selected drops are necessary
to vastly reduce the throughput between a source and des-
tination: each drop causes the congestion control algorithm
to aggressively throttle trafc . Connection recovery is
slow, and the attacker gains advantagewith little effort.
Moresubtleattacksexist. Increditbasedsystems, anode
benets from forwarding more packets than its neighbors.
To gainan advantage,a maliciousnodeinjects fakepackets.
This expends the energy of all forwarding nodes, thereby
rendering them incapable of forwarding future legitimate
packets. The known defense for this attack is to use inter-
leaved hop-by-hop authentication schemes [19, 20], where
fake packets are ltered mid-transmission. This paper does
not address this type of attack.
Existing proposed cooperation schemes for civilian ad
hoc networks use rewards or penalties to encourage coop-
eration. Rewards and penalties are dictated by reports of
mobile node behavior. The credit for relaying other trafc
The policy motivates mobile nodes to cheat, manipulate, or
dropthe reports so that they get more credit and avoid being
penalized. Defending against potential forwarding and re-
play attacks on the reporting data is a challenging issue for
monitoring the packet forwarding activity.
4. Overview of Random Reporting Protocol
Forthe purposesofthis paper,it is assumedthat dynamic
source routing (DSR)  is used. The DSR routing proto-
col provides a full path between the source and destination.
This is advantageouswhen choosing a random intermediate
node. It is reasonable to assume that the source and desti-
nation nodes are trusted, as they are the entities responsible
for the data trafc. The protocol focuses on the secure re-
porting of forwarding activities for the data transmission.
Each intermediate node only needs to keep track of its
own contribution, instead of observing the actions of other
nodes. Using intermediate nodes in this manner is rational
when dealing with a civilian ad hoc network. The rest of
this section provides an overview of the Random Report-
ing Protocol. While alone the Random Reporting Protocol
is not secure, Section 5 introduces the Secure Random Re-
4.1. Basic Periodic Reporting
Basic Periodic Reportingis a simplistic methodin which
intermediate nodes periodically send reports to the destina-
tion. These reportsare collected by the destination andused
to analyze network paths. The compiled report is then used
for future path engineering, crediting, and determination of
This simple periodic reporting scheme functions well
for static networks, but it does not work well for dynamic
networks, or networks with malicious nodes.
scheme’s quality is highly dependent on report transmis-
sion frequency. Additionally, rapid changes due to mobility
or congestion quickly degrade its effectiveness, because re-
ports may be lost or paths may change before reports are
gathered. Since reliable transmission is not guaranteed, the
disappearance of a node’s report may cause it to be viewed
as an anomalous or congested point, even if it has correctly
forwarded all data packets. The report data is transmitted
via the same path as normal data. This allows a selsh or
c) Random Bidirectional Reporting: At node 2, report is transmitted to both S and D
b) Random Node and Direction Selection: Node 2 sends a report to the source S
a) Random Node Selection: Node 2 is chosen.
Figure 1. Random Reporting Protocol: source S and destination D
malicious node to know the source of any report. The node
can then drop or change particular reports for their own self
4.2. Random Reporting Node Selection (RRNS)
In order to address the aforementioned problems with
packet manipulation and dynamic networks, we propose a
Random Reporting Node Selection (RRNS) method. For
every packet, the source randomly chooses one intermedi-
ate node to send a report to the destination. This is accom-
plished by coupling each data packet with a report, so that
when the report is received by the destination, the relaying
In RRNS, if the path consists of n intermediate nodes,
any node can be chosen with probability 1/n. Figure 1-(a)
illustrates RRNS where node 2 has been randomly chosen.
1. For all packets p, source S randomlychooses (uniform
distribution) intermediate node nito send a report. S
attaches a report request RR to p, identifying nias the
2. For a packet p with RR for ni, niattaches report R to
p before forwarding to destination D.
3. Destination D receives p, including R from all inter-
mediate nodes, and periodically analyzes the reports,
looking for trafc deviations.
The idea of choosing a random node is motivated by
micro-payment [7, 11], in which a randomly chosen trans-
action is used for a merchant to deposit some amount of
money. Applied to RRNS, the randomly chosen intermedi-
ate node should add to the forwarding packet the number of
packets it has forwarded since joining the path.
Since the intermediate node is selected randomly, other
nodesare unableto predict the selection schedule. This pre-
vents nodes from timing their attacks to maximize their du-
ration. While the randomness provides better reports, the
described scheme is vulnerable to attack. Without taking
precautions, reports may be manipulated by downstream
nodes with selsh intentions. Section 5 addresses this by
introducing secret node selection. In summary, RRNS is
advantageous, because it gathers reports from nodes in real
time and has very low communication overhead, due to the
couplingof reportswith everydata packet. We quantifythis
overhead in Section 6.
4.3. Random Reporting Node and Direction Selec-
In RRNS, if packets are lost due to congestion or mobil-
ity, the destination will only receive the reports sent before
the anomaly occurred. Thus, the destination may misinter-
pret the location of the problem.
Random Reporting Node and Direction Selection
(RRNDS) is proposedto makeRRNS morerobust. RRNDS
extendsStep 2 of RRNS byrandomlydecidingthedirection
to send the report at the chosen node. If the report is sent
towards the destination, it is attached to the data packets,
just as in RRNS. On the other hand, if a source-bound di-
rection is chosen, a separate report message is transmitted.
Figure 1-(b) shows this scheme.
4.4. Random Bidirectional Reporting (RBR)
The report in RRNDS is transmitted to either the source
or the destination. Unfortunately, the amount of report in-
formation received by the destination or source is reduced
in RRNDS. Due to this shortage of reports, the source or
destination may not precisely analyze the relaying activity
of intermediate nodes.
We address this problem by modifying Step 2 of RRNS
to transmit the report to both the source and destination.
This technique, shown in Figure 1-(c), is referred to as
Random Bidirectional Reporting (RBR). In the gure, node
2 sends a report to the destination and source node. Simu-
lation results reported in Section 6 show that bidirectional
reporting improves effectiveness in the face of mobility.
Additionally, for both RRNDS and RBR, if the com-
munication between source and destination is bidirectional,
source-bound reports are attached to data packets destined
for the source. This reduces communication overhead.
5. Secure Reporting Protocol
The random reporting protocols discussed in Section 4
are based upon random node selection.
nodes (selsh or malicious) discover a packet including a
report and the selected node, the information may be ma-
nipulated or dropped.
This section proposes an efcient construction that con-
ceals the node selection from other intermediate nodes. In
civilian mobile ad hoc networks, the intermediate nodes
cannot be assumed to be honest; lying may provide more
credit. Thus, in order to assure the validity of node reports,
a chain of HMACs on the link layer acknowledgments is
proposed. This addition provides forgery detection.
The following notations are used in the secure reporting
protocol and forged report detection schemes.
• IDi: Identier of node ni.
• Kij: a pair-wise key between node niand nj.
• hash(x): Cryptographic hash function computation
• σ: HMAC(KSD,DATA|IDi) computation result
for the data and IDi.
• DATA: Data transmitted between the source and des-
Mobile devices are less powerful in computation and
have a battery of limited lifetime. Therefore, symmetric
cryptography is often more appropriate for mobile devices
in ad hoc networks. The secure random reporting protocol
requires three pairs of symmetric keys: source and destina-
tion, source and intermediate nodes, and destination and in-
termediate nodes. Key management schemes for distribut-
ing symmetric keys in ad hoc networks have been proposed
[9, 4], and thus will not be discussed. Any efcient sym-
metric keymanagementscheme can be used fordistributing
symmetric keys to mobile nodes; its choice does not impact
5.1. Secure and Random Reporting Protocol
DSR allows the source node to know the full routing
path. The source node chooses one intermediate node ni
uniformlyat random,and computes Token, which is added
to the data packet. The Token contains the node selection
information which is not disclosed. The use of an HMAC
in the computation of the Token provides randomness and
secrecy in the node selection.
- Choose one intermediate node ni
- Compute σ = HMAC(KSD,DATA|IDi),
- Compute Hi= hash(KSi|σ)
- Generate Token = σ ⊕ Hi
→ rst intermediate node: [DATA,σ,Token]
When a node receives a packet, it needs to determine if
it is the randomly selected node. At the same time, no other
nodes can be allowed to know which node has been chosen.
Upon receiving a data packet(DATA,σ,Token), an inter-
mediate node njcomputes Hj= hash(KjS|σ) and XORs
it with the received Token. If the result of the XOR opera-
tion is equal to the received σ, the node knows it was cho-
sen. This is only satised at node nisince the source used a
pairwisekeyKSi. Sincethe abovetest inotherintermediate
nodes is not satised, they do not generate reports.
The chosen intermediate node nisends its report by at-
taching it to the data packet. The report R includes the
number of packets the node forwarded for the source and
destination. For integrity purposes, the chosen intermedi-
ate node computes hash with its report R and its pair-wise
symmetric key shared with the destination.