1 Introduction

A mobile ad hoc network (MANET), a self-organizing, independent communication infrastructure, is a collection of mobile nodes each equipped with a wireless transmitter and receiver. Nodes can dynamically and freely self-organize into arbitrary and temporary ad hoc network topologies and communicate with each other within their transmission range via bidirectional wireless links, either directly or indirectly, without any central infrastructure. A node relies on other nodes to communicate with nodes outside its transmission range. MANETs have applications in commerce, emergency services, the military, education, e-health, tactical networks, rescue operations, communication, and entertainment [15, 7, 8, 10, 22–26].

As the nodes lack physical protection, malicious attackers can easily capture and compromise nodes to mount attacks. Routing protocols generally assume that every node in the network behaves cooperatively towards the other nodes and do not account for malicious behaviour; hence, attackers can easily compromise MANETs by inserting malicious or non-cooperative nodes into the network [1, 27–31].

The dynamic nature of MANET makes it highly susceptible to several link attacks. Security-based routing protocols must ensure confidentiality, availability, authenticity, and integrity. Most of the existing security solutions for wired networks are inefficient in the MANET environment, since transmission occurs over an open medium that invites security attacks. The effect of various attacks can be reduced by the presence of a security protocol. In MANET, nodes with insufficient physical protection may become malicious and reduce network performance. Even though all routing protocols assume that nodes provide secure communication, some nodes become malicious and disrupt network operation by altering routing information [32–37].

MANETs are subject to two levels of attacks. The first level targets basic mechanisms such as routing, whereas the second damages the security mechanisms used in the network. Attacks are divided into two major types: internal and external. Internal attacks are directed at the nodes present in the network and the links between them, whereas external attacks prevent the network from communicating normally and produce additional overhead for the network [38–41]. External attacks are further divided into passive and active attacks. Passive attacks do not alter the data transmitted within the network, whereas active attacks are more severe, as they prevent message flow between the nodes [42, 43].

Sybil attacks pose a serious threat because the security protocols of MANETs need a unique, distinct, and persistent identity per node. The attack occurs at the network layer. A Sybil attacker can either create more than one identity on a single physical device to launch a coordinated attack on the network, or switch identities to weaken the detection process, thereby undermining accountability in the network [3]. There are also attacks such as the neighbor attack, jellyfish attack, replay attack and denial of service attack [11–14, 44].

In MANET, when high-cost anonymous routing is employed on a battlefield, a low quality of service for voice and video data transmission due to depleted resources may lead to disastrous delays in military operations [2, 45–47].

There is no combined mechanism for preventing Sybil attacks and providing authentication in the case of location-based routing. Moreover, most of the existing attack detection techniques do not consider quality of service parameters. ALERT provides source and destination anonymity protection, but it suffers from the Sybil attack. A Sybil attacker can disrupt location-based or multipath routing by participating in the routing and giving the false impression of being distinct nodes at different locations or on node-disjoint paths [2]. The attackers can be battery-powered nodes that passively receive network packets and detect activities in their vicinity. They can also be powerful nodes that pretend to be legitimate nodes and inject packets into the network according to the analytical results from their eavesdropped packets. Moreover, the routing and control messages exchanged by the nodes can be fabricated or altered. Hence, efficient authentication is required to ensure integrity.

To overcome these issues, this paper proposes a defense against Sybil attacks together with authentication for anonymous location-based routing in MANET.

The paper is organized as follows. Section 2 describes the related works and Sect. 3 provides the detailed explanation of the proposed work. Section 4 explains the simulation results. Finally, Sect. 5 concludes the work.

2 Literature review

Shengrong Bu et al. [6] have presented a distributed scheme combining authentication and intrusion detection, in which the most suitable biosensors for authentication or IDSs are dynamically selected based on the current security posture and energy states. Dempster–Shafer theory is used for IDS and sensor fusion to improve the result, as multiple devices are used in a time slot. The problem is formulated as a POMDP multi-armed bandit problem, and its optimal policy can be chosen using Gittins indexes. The distributed multimodal biometrics and IDS scheduling process can be divided into offline and online parts to mitigate the computational complexity. Simulation results show that this scheme improves network security. Such methods of combining multiple sensor information in a distributed fashion lend themselves well to the concept of cross-layer security, which is a topic that is gaining interest in MANET security. However, the scheme incurs computational complexity.

Boppana and Su [8] have presented quantitative evaluations of false positives and their impact on monitoring-based intrusion detection for ad hoc networks. Experimental results showed that even for a simple three-node configuration, an actual ad hoc network suffers from high false positives; these results are validated by Markov and probabilistic models. However, this false positive problem cannot be observed by simulating the same network using popular ad hoc network simulators, such as NS-2, OPNET, or Glomosim. A probabilistic noise generator model is implemented in the Glomosim simulator to recover this behavior, and with this model the simulated network exhibits aggregate false positive behavior similar to that of the experimental test bed. Simulations of larger (50-node) ad hoc networks indicate that monitoring-based intrusion detection has very high false positives. These false positives can reduce the network performance or increase the overhead. In a simple monitoring-based system where no secondary and more accurate methods are used, the false positives impact the network performance in two ways: reduced throughput in normal networks without attackers and inability to mitigate the effect of attacks in networks with attackers. However, there are passive monitoring issues.

Li and Liu [9] have presented a fully distributed ID-based multiple secrets key management scheme (IMKM), implemented through a combination of ID-based multiple secrets and threshold cryptography. This eliminates the requirement for certificate-based authenticated public key distribution and provides an efficient mechanism for key update and key revocation, leading to more suitable, economic, adaptable, scalable, and autonomous key management for MANET. However, the average completion time of the key update process is very large across different cluster sizes and speeds.

Ayday and Fekri [10] have developed an iterative malicious node detection mechanism for delay/disruption tolerant networks (DTNs), referred to as ITRM, a graph-based iterative algorithm motivated by the prior success of message-passing techniques for decoding low-density parity-check codes over bipartite graphs. Applying ITRM to DTNs under various mobility models, the iterative reputation management scheme is far more effective than well-known reputation management techniques such as the Bayesian framework and EigenTrust: it provides high data availability and packet-delivery ratio with low latency in DTNs under various adversary attacks that attempt to undermine both the trust and detection scheme and the packet delivery protocol.

Khalil and Bagchi [15] have presented SADEC (stealthy attacks in wireless ad hoc networks: detection and countermeasure), a protocol with two techniques based on local monitoring, namely neighbors maintaining extra routing-path information and each neighbor taking on some checking responsibility, to detect and isolate stealthy packet dropping attacks efficiently. SADEC provides an innovative mechanism to better utilize local monitoring by considerably increasing the number of nodes in a neighborhood that can do monitoring. Baseline local monitoring fails to efficiently mitigate most of the presented attacks, while SADEC successfully mitigates them. However, listening for malicious behavior is more complicated in the presence of multiple channels and multiple radios.

van der Merwe et al. [16] have proposed a public key management service called trustworthy key management for MANET (AdHocTKM), which takes advantage of threshold cryptography and certificate chaining and integrates them with self-certified public keys and self-certificates to yield a key management service that is secure, trustworthy and highly available to users. The cryptographic key issuing protocol allows negotiation between a single entity and a distributed authority for an implicit self-certified public key, without the authority gaining knowledge of the corresponding private key. This algorithm is called threshold self-certified public keying.

From the literature review, we observe that there is no single security architecture which provides defense against various attacks as well as authentication for routing and data packets in MANET.

3 Proposed solution

3.1 Overview

In this paper, to detect the Sybil attack, each random forwarder keeps a table of RSS values estimated from the previous message exchanges across a zone. The difference in RSS values of two neighboring nodes is estimated, and from it the node's arrival angle into the zone is derived. Depending on the arrival angle, nodes are categorized into a safety zone and a caution zone. Based on the mean RSS value of all nodes in the safe zone, a safety threshold (ST) is estimated, and further transmissions are compared against this threshold. Nodes whose RSS difference is larger than the safety threshold are considered abnormal and are placed in the caution zone. This scheme works well even in mobile environments and can detect both join-and-leave and Sybil attackers with a high degree of accuracy.

The messages exchanged between the forwarders and senders can be protected by means of a group signature. In a group signature scheme, any member of a large and dynamic group can sign a message, thereby producing a group signature. A group signature can be verified by anyone who has a copy of a constant-size group public key. A valid group signature implies that the signer is a genuine group member. In ALERT, each mobile node periodically signs its current location (link-state) information, which is verified by the RFs and the destination. The ant colony optimization (ACO) technique is used to establish a route from source to destination. When a packet is sent to the wrong next hop, a misrouting packet drop attack occurs. This attack can be detected and eliminated by incorporating the identity information of nodes in the ant agent.

3.2 RSS based on arrival angle

Protection against the Sybil attack is provided by received signal strength (RSS) [4] values. RSS is used to estimate the distance between the destination node and a neighboring node [18]. Each node captures and stores the signal strength of the transmissions received from its neighboring nodes in the RSS value table. In MANET, the nodes move dynamically: the position of a node changes with each time interval, so each node has different RSS values at different times. The RSS difference (DRSS) value is calculated as

$$\mathrm{DRSS} = \frac{T_{2} - T_{1}}{t_{2} - t_{1}}$$
(1)

In Eq. (1), T2 is the RSS value at time t2 and T1 is the RSS value at time t1. The RSS table is shown in Table 1.

Table 1 RSS value table

In Table 1, the status field is binary, either 0 or 1: if the node is malicious, the value is 1; otherwise, it is 0. The table contains the RSS values at times t1 and t2. Malicious nodes are detected using Algorithm 2. Consider the network shown in Fig. 1:

Fig. 1 Sample network

Fig. 1 shows a sample network in which each node has many neighboring nodes, and the nodes change their positions dynamically. Consider that node B has nodes X, P, M, U, Z, and C as neighboring nodes.

In Fig. 2, four neighboring nodes are entering into the coverage area of node B.

Fig. 2 Calculating the node's arrival angle

The zone within the node's coverage area is termed the stable zone, and the zone at the boundary of the coverage area is termed the caution zone. The node's arrival angle θ is the angle at which a neighboring node enters the coverage area of a target node; it is calculated using DRSS. The critical angle θa is defined as the arrival angle such that a neighboring node arriving at this angle remains in the caution zone without entering the stable zone. The critical angle is used to judge a neighboring node by its arrival angle. In Fig. 2, when the neighboring nodes (C, Z, M and U) enter the coverage area of node B, they remain in the caution zone. Zone selection and metric value calculation are explained in the algorithm given below.

Algorithm 1 Zone selection and metric value calculation (given as a figure in the original; not reproduced here)

The metric value is used to determine the quality of the neighboring nodes, considering the estimated arrival angle. This metric is included in the RREQ packet and is called the minimum link metric along the path. The metric is decided using Table 2.

Table 2 Metric value

When a neighboring node enters the caution zone, its arrival angle θ is compared with the critical angle θa. If θ < θa, the metric value is 1; if θ ≥ θa, the metric value is −1. If the neighboring node is located in the safety zone, the metric value is 2. If the neighboring node leaves the safety zone, the metric value is −2, and it is considered a bad neighbor node.

RSS threshold value is calculated as

$$TV = \sum_{i=1}^{n} \mathrm{RSS}_{t}$$
(3)

In Eq. (3), TV is the RSS threshold value. If a node's RSS value is greater than the RSS threshold value, it is considered a malicious node and the value 1 is set in the status field of Table 1. A broadcast message about the malicious node is sent to all remaining nodes. Each node has an RSS value, and the RSS values of all nodes are added to the table using the algorithm given below.

Algorithm 2 RSS table update (given as a figure in the original; not reproduced here)

In Algorithm 2, if the node address does not exist in the table (the node has not been interacted with before), a new record is created and the node address is added. Each record holds the address, the RSS value and a timer. Each node calculates the RSS value at the end of the timer, and the new value is updated in the table. Sybil attack detection is explained in the algorithm given below.

Algorithm 3 Sybil attack detection (given as a figure in the original; not reproduced here)

In Algorithm 3, the RSS values of each node are updated at the end of the timer. Any node whose RSS value was not updated is added to a temp list. The previous RSS values of the nodes in the temp list are retrieved and compared with the threshold value. Nodes whose RSS value exceeds the threshold are marked as malicious; otherwise, the node is considered out of range.
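The RSS table and the detection steps of Sect. 3.2 (Eq. (1), the Table 2 metric, Algorithm 2 and Algorithm 3), as an added Python illustration that is not the paper's code. It assumes RSS in dBm, that the arrival angle θ is supplied per record (the paper derives it from DRSS but gives no formula), and that TV is the mean RSS of the safe-zone nodes as described in Sect. 3.1.

```python
"""Added illustration (not the paper's code) of Sect. 3.2: the RSS table
(Table 1), Eq. (1) DRSS, the Table 2 metric, Algorithm 2 (table update) and
Algorithm 3 (Sybil detection after a timer round).  Assumptions: RSS in dBm,
the arrival angle theta is supplied per record (the paper derives it from
DRSS without giving a formula), and TV is the mean RSS of the safe-zone
nodes as in Sect. 3.1."""
from dataclasses import dataclass
from statistics import mean


@dataclass
class Record:
    addr: str
    prev: tuple            # (t1, T1): older RSS sample
    last: tuple            # (t2, T2): newest RSS sample
    zone: str = "caution"  # "caution", "safe" or "left" (left the safety zone)
    theta: float = 0.0     # arrival angle into the coverage area (degrees)
    status: int = 0        # Table 1 status field: 1 = malicious


def drss(rec):
    """Eq. (1): DRSS = (T2 - T1) / (t2 - t1) for one neighbour."""
    (t1, r1), (t2, r2) = rec.prev, rec.last
    return 0.0 if t2 == t1 else (r2 - r1) / (t2 - t1)


def metric(rec, theta_a):
    """Table 2: metric from the zone and the arrival angle vs the critical angle."""
    if rec.zone == "safe":
        return 2
    if rec.zone == "left":
        return -2  # left the safety zone: bad neighbour
    return 1 if rec.theta < theta_a else -1


class RssTable:
    def __init__(self):
        self.rows = {}  # addr -> Record, one row per neighbour

    def update(self, addr, rss, now, zone="caution", theta=0.0):
        """Algorithm 2: create the record on first contact, else shift the samples."""
        rec = self.rows.get(addr)
        if rec is None:
            self.rows[addr] = Record(addr, (now, rss), (now, rss), zone, theta)
        else:
            rec.prev, rec.last, rec.zone, rec.theta = rec.last, (now, rss), zone, theta

    def threshold(self):
        """TV: mean of the latest RSS of the safe-zone nodes (Sect. 3.1)."""
        safe = [r.last[1] for r in self.rows.values() if r.zone == "safe"]
        return mean(safe) if safe else float("inf")

    def detect(self, now, timer):
        """Algorithm 3: nodes not heard within the last timer period form the
        temp list; a strong last RSS (still in range, yet the identity vanished)
        is flagged malicious, a weak one means the node moved out of range."""
        tv = self.threshold()
        malicious, out_of_range = [], []
        for r in self.rows.values():
            if now - r.last[0] < timer:
                continue  # reported during this timer period
            if r.last[1] > tv:
                r.status = 1
                malicious.append(r.addr)
            else:
                out_of_range.append(r.addr)
        return malicious, out_of_range


def demo():
    """Node B's table for the Fig. 1 neighbours X, P, M, U, Z, C (constructed values)."""
    tb = RssTable()
    for addr, rss, zone in [("X", -60, "safe"), ("P", -62, "safe"), ("M", -66, "safe"),
                            ("U", -70, "caution"), ("Z", -85, "caution"), ("C", -58, "caution")]:
        tb.update(addr, rss, 0.0, zone, 20.0)
    for addr, rss, zone, theta in [("X", -61, "safe", 20.0), ("P", -64, "safe", 20.0),
                                   ("M", -67, "safe", 20.0), ("U", -72, "caution", 40.0)]:
        tb.update(addr, rss, 1.0, zone, theta)  # second timer round; Z and C stay silent
    return tb.detect(now=1.0, timer=1.0), tb
```

In the constructed run C is flagged (its last RSS of −58 dBm lies above the safe-zone mean of −64 dBm, yet the identity disappeared), while Z at −85 dBm is treated as having moved out of range.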

3.3 Group signature with self-distinction

Group signatures are public key signatures with additional privacy features. The messages exchanged between the random forwarders (RFs) and senders can be protected by means of a group signature. A group signature can easily be verified by anyone who has a copy of a constant-size group public key. The signature is valid only when the signer is a genuine group member. The group signature scheme [17] is used to protect the network against attacks by outsiders and passive (honest-but-curious) insiders. Self-distinction is a special feature added to the underlying group signature when resistance to Sybil attacks is needed. With self-distinction, node privacy across time slots is still preserved, but it conflicts with the anonymity and unlinkability that group signatures try to achieve.

This approach differs from all other group signature methods. In this method, each node in the group has a common random number generated by a random number generator, and that random number changes for each round of signing. If any node signs twice with the same random number, it is considered an affected node. Two examples of group signatures with self-distinction are [18] and [19]. Maintaining a group key as a common parameter is not scalable. Another efficient approach is sequential aggregate signatures (SAS).

3.3.1 Sequential aggregate signatures (SAS)

Each node uses its private key to sign the packets it forwards for others. These signatures can be aggregated so that the node maintains a constant-size aggregate signature. If an attacker attacks the network by impersonating other nodes, it will be detected due to mismatching signatures in the received forwarded packets.

These sequential aggregate signatures [17] are constant in size; the SAS is constructed based on RSA [20], and its signature generation is equivalent to a plain RSA signature. The cost of verification increases linearly with the number of signers on the path, and this cost is minimized using small public exponents. SAS is explained as follows.

1. Step 1: Each node has one private key and one public key. The private key of node i is PRKi = Pi and its public key pair is PUKi = (ni, mi).

2. Step 2: The SAS is expanded by t bits S1, S2, S3, …, St, where t is the number of signers in the aggregate signature.

3. Step 3: If the ith signature satisfies Zi ≥ ni+1, then Si is set to 1; otherwise, it is set to 0. In the verification phase, if Si is 1, then \(n_{i+1}\) is added to \(Z_{i}\) before proceeding with the verification of \(Z_{i}\). \(Z_{i}\) is the normal public key signature.

These three steps are required to generate a sequential aggregate signature. It is explained with the example given in Fig. 3.

Fig. 3 Example for sequential aggregate signatures

Assume S wants to send packets to destination D. Between the sender and the destination, two neighboring nodes B and C are present, so S sends the packets to D through B and C.

At node S: S computes \(h_{s} = H(n_{s}, m_{s})\) and \(Z_{s} = (h_{s})^{p_{s}} \pmod{s}\). \(Z_{s}\) is added to the packet.

At node B: if \(Z_{s} \ge n_{B}\), set \(Z_{s} = Z_{s} - n_{B}\) and S1 = 1; else S1 = 0. Compute \(h_{B} = H(n_{B}, m_{B})\) and \(Z_{SB} = (h_{s} + h_{B})^{S_{B}} \pmod{n_{s}}\). \(Z_{SB}\) is added to the packet in place of \(Z_{s}\).

At node C: if \(Z_{SB} \ge n_{C}\), set \(Z_{SB} = Z_{SB} - n_{C}\) and S2 = 1; else S2 = 0. Compute \(h_{C} = H(n_{C}, m_{C})\) and \(Z_{SBC} = (h_{B} + h_{C})^{S_{C}} \pmod{n_{C}}\). \(Z_{SBC}\) is added to the packet in place of \(Z_{SB}\).

At node D:

$$h_{C} = H(n_{C}, m_{C}),$$
$$Z'_{SB} = Z_{SBC}^{m_{C}} - h_{C} \pmod{n_{C}},$$
$$Z_{SB} = Z'_{SB} + b_{2} n_{C},$$
$$h_{B} = H(n_{B}, m_{B}),$$
$$Z'_{S} = Z_{SB}^{m_{B}} - h_{B} \pmod{n_{B}},$$
$$Z_{S} = Z'_{S} + b_{1} n_{B},$$
$$h_{S} = H(n_{S}, m_{S}).$$

Finally, \(Z_{S}^{Y_{S}} \pmod{n_{S}}\) is checked to be equal to \(h_{S}\). If the signature does not match, the packets are sent along another path.
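The S to B to C to D chain of Sect. 3.3.1, as an added Python illustration that is not the paper's code: each relay folds the incoming aggregate into a plain RSA signature and records the overflow bit of step 3, and the destination unwinds the chain in reverse. It assumes 32-bit toy moduli, a fixed public exponent, and a hash that covers the packet as well as the signer's public key (the paper writes H(n_i, m_i) only).

```python
"""Toy sequential aggregate signature (SAS) chain over RSA following the
S -> B -> C -> D example of Sect. 3.3.1.  Added illustration, not the paper's
code: the 32-bit moduli are for demonstration only, and the hash binds the
signer's public key *and* the packet (an assumption; the paper writes
H(n_i, m_i) only)."""
import hashlib

E = 65537  # fixed small public exponent (paper: "small public exponents")


def _next_prime(x):
    """Smallest prime >= x by trial division (adequate for toy 16-bit primes)."""
    while any(x % d == 0 for d in range(2, int(x ** 0.5) + 1)):
        x += 1
    return x


def keygen(seed_p, seed_q):
    """Return (n, e, d).  The seeds used below give every modulus 32 bits,
    which the overflow-bit trick of step 3 relies on (Z < 2 * n_i)."""
    p, q = _next_prime(seed_p), _next_prime(seed_q)
    n, phi = p * q, (p - 1) * (q - 1)
    return n, E, pow(E, -1, phi)


def h(n, e, packet):
    """h_i = H(n_i, m_i, packet): the value each signer folds into the chain."""
    data = f"{n}|{e}|{packet}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sas_sign(packet, sig_in, n, e, d):
    """One signer's step (nodes S, B, C).  sig_in = (Z, bits): Z is the
    aggregate so far, bits the overflow flags S_1..S_(i-1).  If Z >= n_i the
    signer records S_i = 1 and subtracts n_i so the verifier can undo it."""
    z, bits = sig_in
    assert z < 2 * n, "moduli must share a bit length for the overflow trick"
    bit = 1 if z >= n else 0
    z -= bit * n
    z_out = pow((z + h(n, e, packet)) % n, d, n)  # plain RSA signature on Z + h_i
    return z_out, bits + [bit]


def sas_verify(packet, sig, pubkeys):
    """Node D's check: peel the chain from the last signer back to the first.
    Valid iff the aggregate opens to the empty aggregate 0."""
    z, bits = sig
    if len(bits) != len(pubkeys):
        return False
    for (n, e), bit in zip(reversed(pubkeys), reversed(bits)):
        z = (pow(z, e, n) - h(n, e, packet)) % n  # Z'_{i-1} = Z_i^{m_i} - h_i (mod n_i)
        z += bit * n                               # Z_{i-1} = Z'_{i-1} + S_i * n_i
    return z == 0


def sign_along_path(packet, keys):
    """Run the packet through every signer on the path, in order."""
    sig = (0, [])
    for n, e, d in keys:
        sig = sas_sign(packet, sig, n, e, d)
    return sig


def demo():
    """Constructed keys for S, B, C and a constructed packet."""
    keys = [keygen(60000, 61000), keygen(62000, 63000), keygen(64000, 65000)]
    pubs = [(n, e) for n, e, _ in keys]
    pkt = "S->D location update #17"
    sig = sign_along_path(pkt, keys)
    ok = sas_verify(pkt, sig, pubs)
    # a relay that alters the packet, or a path whose claimed signers differ
    # from the real ones (impersonation), leaves a mismatching aggregate
    altered = sas_verify(pkt + " (altered)", sig, pubs)
    impersonated = sas_verify(pkt, sig, pubs[:2] + [pubs[0]])
    return ok, altered, impersonated
```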

3.4 Packet drop attack detection

Stealthy packet dropping [21] prevents a packet from reaching the destination through malicious behavior at an intermediate node. This can occur through misrouting, in which the intermediate node relays the packet to the wrong next hop. It can be avoided by including the identity of the next hop for the packet being relayed at each guard. The routing table is created with the identity information, source address, and destination address; it is shown in Table 3. The identity is collected during route discovery. Each packet header carries the identity information, so no additional traffic is created in the network. Guard nodes are the group of nodes that perform local monitoring to detect security attacks.

Table 3 Simulation parameters

When a source node wants to send a message to a destination node and does not already have a valid route to that destination, it initiates a route discovery process to locate the other node. Route discovery is done using the ant colony optimization (ACO) technique.

3.4.1 Ant based route discovery for detection

The ant colony optimization (ACO) technique is used here to discover the route from the source to the destination. The forward ant agent (FA) establishes the pheromone path to the source, while the backward ant agent (BA) establishes the pheromone path to the destination. These ant agents collect the identity information of each node that is required for mitigating misrouting packet drops. When the FA reaches the destination, a BA is created and the information gathered in the FA is transferred to the BA. The BA traverses the same path in the opposite direction of the FA and updates the path information at all intermediate nodes.

The source node creates an FA with the source address and broadcasts it to its neighbor nodes. After receiving the FA, a neighbor node checks the destination address of the FA. If the destination address does not match its own, it adds its own address, the destination address and its identity from the routing table and broadcasts the FA to its neighbor nodes. To gather the next-hop identity information, the forwarder of the FA attaches the previous two hops to the packet header. From Fig. 3, the previous hop of C is B for a route from source S to destination D, and the next hop from C is H. Node C broadcasts the FA with the identity of B and its own identity in the packet header.

The format of the FA packet header is given by: <S: D: id (B): id (C)>.

When H and the other neighbors of C receive the FA from C, they store it in a verification table (VT). The format of the FA information stored in the VT is <S: D: id(B): id(C): _>, where the last field is left blank. When H broadcasts the FA, the common neighbors of C and H update their VT to include H, and the VT entry becomes <S: D: id(B): id(C): id(H)>.

When H receives a BA to be relayed to C, H includes in the BA the identity of the node that C needs to forward it to, namely B. Therefore, all the guards of C know not only that C needs to forward the BA but also that it should forward it to B.

Guards are responsible for monitoring the BA agent. First, the guard G of a node C verifies that C forwards the BA to the correct next hop. Second, G verifies that node C has updated the forwarded BA header correctly. As for the BA packet header format, when the input packet to B from C is <BA: S: D: id(H): id(C): id(B)>, the output BA packet from B should be <BA: S: D: id(C): id(B): id(S)>.

Using the information collected by the ant agents, misrouting attacks can be detected as follows. Assume that source S wants to send a data packet to destination D through a route <S B C H D>, and let C be the malicious node. C cannot misroute the data packet received from B to a node other than the next hop, because each guard of C over the link C–H has an entry in its VT indicating H as the correct next hop; this is due to the additional checking by the guard node. In addition, C cannot frame another neighbor E by misrouting the packet to E, as the guards of E over link C–E do not have an entry like <S: D: id(B): id(C): id(E)> (Fig. 4).

Fig. 4 Route discovery using ACO
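The verification table a guard builds from overheard FA headers and the two guard checks of Sect. 3.4.1, as an added Python illustration that is not the paper's code. It assumes headers are modelled as tuples, FA as <S, D, id(prev), id(cur)> and BA as <"BA", S, D, id(prev), id(cur), id(next)>, with the VT's trailing field empty until the next hop's own broadcast fills it.

```python
"""Added illustration (not the paper's code) of the verification table (VT)
a guard builds from overheard forward-ant (FA) headers and the two guard
checks of Sect. 3.4.1.  Headers are modelled as tuples: FA <S, D, id(prev),
id(cur)>, BA <"BA", S, D, id(prev), id(cur), id(next)>; the VT's trailing
field is None until the next hop's own broadcast fills it."""


class Guard:
    def __init__(self, name, neighbors):
        self.name = name
        self.neighbors = set(neighbors)  # nodes this guard can overhear
        self.vt = {}                     # (S, D, prev, cur) -> next or None

    def hear_fa(self, broadcaster, header):
        """Store an overheard FA <S: D: id(prev): id(cur): _>; if the guard also
        overheard prev's broadcast, fill prev's blank next-hop field with cur."""
        if broadcaster not in self.neighbors:
            return
        s, d, prev, cur = header
        self.vt.setdefault((s, d, prev, cur), None)
        for key, nxt in self.vt.items():
            if key[:2] == (s, d) and key[3] == prev and nxt is None:
                self.vt[key] = cur

    def committed_next_hop(self, s, d, prev, relay):
        """Next hop the VT binds `relay` to for flow S->D when the packet came from prev."""
        return self.vt.get((s, d, prev, relay))

    def check_forward(self, s, d, prev, relay, to):
        """First guard duty: the relay must forward to the committed next hop."""
        return self.committed_next_hop(s, d, prev, relay) == to

    def check_ba_update(self, ba_in, ba_out):
        """Second guard duty: relaying a BA, node `me` must shift the hop triple
        <id(prev), id(cur), id(me)> to <id(cur), id(me), id(back)>, where back is
        the hop it originally received the FA from (reverse lookup in the VT)."""
        tag, s, d, _, cur, me = ba_in
        back = next((k[2] for k, v in self.vt.items()
                     if k[:2] == (s, d) and k[3] == me and v == cur), None)
        return tag == "BA" and back is not None and ba_out == ("BA", s, d, cur, me, back)


def demo():
    """Route <S B C H D> of Sect. 3.4.1; guard G overhears B, C, H and E."""
    g = Guard("G", ["B", "C", "H", "E"])
    g.hear_fa("B", ("S", "D", "S", "B"))
    g.hear_fa("C", ("S", "D", "B", "C"))  # VT: <S:D:id(B):id(C):_>
    g.hear_fa("H", ("S", "D", "C", "H"))  # completes <S:D:id(B):id(C):id(H)>
    legit = g.check_forward("S", "D", "B", "C", "H")
    misroute = g.check_forward("S", "D", "B", "C", "E")  # C trying to frame E
    ba_ok = g.check_ba_update(("BA", "S", "D", "H", "C", "B"),
                              ("BA", "S", "D", "C", "B", "S"))
    return legit, misroute, ba_ok
```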

4 Simulation results

4.1 Simulation model and parameters

The network simulator (NS-2) [21] version 2.32 is used to simulate the proposed architecture. In the simulation, the mobile nodes move in a 500 meter × 500 meter region for 20 s of simulation time. All nodes have the same transmission range of 250 meters. The simulated traffic is Constant Bit Rate (CBR).

The simulation settings and parameters are summarized in Table 3.

4.2 Performance metrics

The proposed defense against Sybil attacks and authentication for anonymous location-based routing (AALBR) is compared with the ALERT [2] and ALARM [17] techniques. The performance is evaluated for packet delivery ratio, packet drop and overhead metrics.

4.3 Results

(a) Varying the number of nodes

The number of mobile nodes is varied as 50, 100, 150 and 200 with a speed of 2 m/s, and the performance is evaluated.

Figures 5, 6 and 7 show the packet delivery ratio, packet drop and overhead of the three techniques when the number of nodes is increased. From the figures, it can be observed that AALBR outperforms the other two techniques in all the metrics. It attains 8 and 21 % higher delivery ratio than ALERT and ALARM, respectively. Similarly, it reduces packet drops by 66 and 81 % compared to ALERT and ALARM. The overhead of AALBR is 90 and 80 % less than that of ALERT and ALARM.

Fig. 5 Nodes versus delivery ratio

Fig. 6 Nodes versus drop

Fig. 7 Nodes versus overhead

(b) Varying the node speed

The speed of 100 mobile nodes is varied as 2, 4, 6, 8 and 10 m/s, and the performance is evaluated.

Figures 8, 9 and 10 show the packet delivery ratio, packet drop and overhead of the three techniques when the node speed is increased. From the figures, it can be observed that AALBR outperforms the other two techniques in all the metrics. It attains 6 and 17 % higher delivery ratio than ALERT and ALARM, respectively. Similarly, it reduces packet drops by 42 and 62 % compared to ALERT and ALARM. The overhead of AALBR is 81 and 78 % less than that of ALERT and ALARM.

Fig. 8 Speed versus delivery ratio

Fig. 9 Speed versus drop

Fig. 10 Speed versus overhead

5 Conclusion

In this paper, we have proposed a defense against Sybil attacks and authentication for anonymous location-based routing in MANET. To detect the Sybil attack, each node keeps a table of RSS values estimated from the previous message exchanges across a zone. Depending on the arrival angle, nodes are categorized into a safety zone and a caution zone. Based on the mean RSS value of all nodes in the safe zone, a safety threshold is estimated, and further transmissions are compared against this threshold. The messages exchanged between the RFs and senders can be protected by means of a group signature. In a group signature scheme, any member of a large and dynamic group can sign a message, thereby producing a group signature, and a valid group signature implies that the signer is a genuine group member. Finally, the misrouting packet drop attack is detected and eliminated using the ant colony optimization (ACO) technique. This scheme works well even in mobile environments and can detect both join-and-leave and Sybil attackers with a high degree of accuracy, along with detecting the misrouting packet drop attack.