Enhanced Timestamp Discrepancy to Limit Impact of Replay Attacks in MANETs

Mobile Ad hoc NETworks (MANETs), characterized by the free movement of mobile nodes, are more vulnerable to trivial Denial-of-Service (DoS) attacks such as replay attacks. A replay attacker can perform this attack at any time and anywhere in the network by intercepting and retransmitting valid signed messages. Consequently, MANET performance is severely degraded by the overhead produced by the redundant valid messages. In this paper, we propose an enhancement of the timestamp discrepancy used to validate a signed message, thereby limiting the impact of a replay attack. Our proposed timestamp concept estimates approximately the time at which the message is received and validated by the receiving node. This estimation is based on the existing parameters defined at the 802.11 MAC layer.


Introduction
A Mobile Ad hoc NETwork (MANET) [1] consists of mobile nodes (MNs), which can be either routers or normal nodes and which are able to communicate using wireless network interfaces without the aid of any fixed infrastructure or centralized administration. A MANET is considered an infrastructure-less network because its MNs can dynamically establish routes among themselves to transmit messages temporarily. In a MANET, two given MNs can communicate directly when each one is in the transmission range of the other. Otherwise, those MNs communicate through intermediate MNs that relay their messages [2]. So, the success of a given communication between the sender and receiver MNs is strongly dependent on the cooperation of the intermediate MNs.
Denial-of-Service (DoS) attacks in a MANET can seriously affect network connectivity and further disrupt networking functions such as control and data message delivery. In other words, DoS attacks are capable of severely degrading overall MANET performance [3,4]. Indeed, at the physical layer, the attacker can launch a DoS attack with a wireless jammer by sending a high-power signal to cause an extremely low signal-to-interference ratio at a legitimate receiver MN [5]. At the 802.11 MAC layer [6], a replay attack [2,7,8] can be carried out by intercepting valid signed messages of an MN (the validation is assured by the timestamp concept) and retransmitting them later in order to produce a DoS attack. At the network layer, a DoS attacker makes use of vulnerabilities in the existing protocols, which can be classified further into three types: routing disruption, forwarding disruption and resource consumption attacks [4,9,10]. At the application layer, a random DoS attack [11] floods a network with a large number of service requests. Since the MNs have a limited transmission range, they expect their neighbors to relay messages to remote receiving MNs. Relaying by intermediate MNs with good cooperation is a fundamental assumption of MANETs. This assumption becomes invalid when MNs have tangential or contradicting objectives. To overcome their security problems, MANETs adopt new secure solutions [2]. While most known attacks can be avoided, replay attacks are still the subject of various research works because of their easy technique, based on recording and re-sending valid signed messages in the network. So, to avoid those replay attacks in a MANET, a timestamp concept was developed [12-15]. Indeed, the timestamp concept permits a receiving MN to validate the received signed messages. Consequently, a signed message injected by a replay attacker and arriving with an invalid timestamp discrepancy MUST be dropped.
In a MANET, the fixed value of the timestamp discrepancy t  is pre-negotiated between two communicating MNs [13,14]. In reality, the chosen threshold is large enough that the MANET becomes more exposed to a wide range of DoS attacks, including replay attacks. In this attack, the objective of the attacker is to resend the intercepted signed messages without exceeding the threshold defined by the timestamp discrepancy at the beginning of a communication. So, to avoid this problem, a new timestamp discrepancy is required.

In this paper, we present a new timestamp discrepancy to limit the impact of replay attacks. Our proposed timestamp approach is based on the 802.11 MAC layer parameters and on MN capabilities in terms of buffering and CPU processing. Moreover, our proposed timestamp discrepancy enables MNs to limit and reduce the redundant messages injected by a replay attacker.
The rest of this paper is organized as follows. Section 2 presents related work that gives an overview of DoS attacks related to the 802.11 MAC layer. Section 3 presents the 802.11 MAC layer functions. Section 4 presents our improvement. Section 5 presents simulations and results. The conclusion is given in the last section, Section 6.

Related Works
In a MANET, communications between MNs rely on the 802.11 MAC layer protocol, which is vulnerable to DoS attacks [4,16-20]. In papers [17,20], it was discussed that a DoS attacker can exploit the binary exponential back-off scheme to access the channel. Moreover, in the RTS/CTS attack [21], a malicious MN can send RTS/CTS frames to spuriously reserve the channel without real data transmissions. In the NAV attack [3], an attacker sets large duration values in RTS or CTS frames to reserve the channel for the maximum time duration. In paper [16], a misbehaving MN can get better throughput by unilaterally modifying the binary exponential back-off algorithm parameters.
Another DoS attack is the replay attack [2,4], where the malicious MN can perform the attack by recording old valid messages and re-sending them. This makes other MNs update their internal data structures with stale information (for example, updating a routing table with a wrong route). The replay attack is achieved when control messages bear a digest or a digital signature without including a timestamp [3,13]. Indeed, while existing mechanisms guarantee to the receiving MN that the message was received as sent, there is no absolute guarantee that a message is being used as intended. The originating MN and the sent message are authenticated, but nothing else. A message that has been captured or intercepted by a malicious MN and replayed later will still be authenticated properly as long as the encryption keys were not changed and the timestamp discrepancy is still valid. Also, it is relatively hard to avoid replay attacks at the 802.11 MAC layer due to the stochastic nature of the DCF and to the similarities between the effects of DoS attacks and congested traffic conditions. Indeed, paper [16] describes that if legitimate MNs can link sequential transmissions from a malicious MN, statistical models can be used to detect MNs that cheat the DCF by choosing low back-off values in order to gain an advantage in terms of throughput. Also, a malicious MN can be readily identified by a detection technique in which neighbor MNs calculate the actual transmission time by sensing DATA/ACK frames [21]. Assuming the random back-off values are observable, a receiving MN can carry out a sequential test to analyze the distribution of this random variable [16].

802.11 MAC Layer Overview
The 802.11 MAC protocols support two modes of operation called the Distributed Coordination Function (DCF) and the Point Coordination Function (PCF). Whereas DCF does not use centralized control, PCF needs an access point (AP) to coordinate the activity of nodes in its area and operates only in infrastructure-based networks. While PCF is an optional feature in 802.11 implementations, DCF is mandatory.
The DCF is based on the CSMA/CA protocol. Before a node starts to transmit a packet, it must sense the channel idle for a DIFS duration plus an additional backoff time. The backoff time is an integer multiple of a basic slot duration, where the back-off number is drawn randomly in the range $[0, CW-1]$ and CW is called the contention window. Once the channel becomes idle, the node waits for another DIFS period before it starts to decrement its counter after each idle slot. When the backoff number reaches zero, the node transmits its packet. When the receiver finishes receiving, it waits for a shorter period, SIFS, and then sends back to the sender an ACK packet to inform the sender that the transmission was successful. If the sender has not received the ACK within a specified timeout, or if it finds out that some other node is transmitting a packet on the channel, the sender doubles its contention window CW and chooses a random number in the range $[0, CW-1]$. Figure 1 shows that IEEE 802.11 adds two more signaling packets: the request to send (RTS) and the clear to send (CTS). When the RTS is sent to the destination node, the length of the transmission is attached; hence every node receiving this packet stores this information in a local variable named the network allocation vector (NAV). After waiting a SIFS, the destination node replies with a CTS packet. This CTS packet also contains the duration of the transmission, therefore any node hearing this packet will set its NAV. All nodes within the range of the source

Our Improvement
The replay attack is an easy DoS attack which can be produced by a malicious MN through two basic operations. The first operation is recording the valid messages it overhears. The second is re-sending the recorded valid messages. Indeed, for a given communication between two MNs in the network, the replay attacker intercepts messages sent to the destination MN and re-sends them later within a valid timestamp discrepancy, independently of any encryption mechanisms used by the sender MN. So the standard timestamp concept is not enough to limit the impact of this type of DoS attack on network performance.

Figure 2 illustrates a typical replay attack scenario where a malicious MN, in the first step, intercepts and records signed messages overheard from the sender MN S. In the second step, after a waiting time within the timestamp discrepancy interval t  , the attacker MN resends the stored signed messages towards the receiver MN D. As a result, all messages re-sent by the replay attacker that satisfy the timestamp discrepancy constitute a message overhead which directly impacts network performance.
Recent works [22-24] still use, in the process of message signature, a prefixed timestamp discrepancy t  negotiated in the step of encryption key exchange [25]. This choice of a static timestamp is a major weakness because it is independent of the MN characteristics and of the duration of the communication. Indeed, as shown in Figure 3, the replay attacker intercepts and stores the valid signed message before the end of the time interval t    . Thereafter, it achieves its attack by re-sending the previously stored messages in the dead time denoted  .
In this section, we present an enhanced timestamp discrepancy aiming to limit the impact of duplicated valid messages injected by a replay attacker placed between a pair of communicating MNs. Our approach has the advantage of not requiring any additional functions because it is based only on the existing parameters defined in the MAC layer of the IEEE 802.11 standard. Our timestamp approach estimates approximately the date when the signed message is received and processed by a destination MN. Moreover, this estimation is a lightweight calculation based on the standard parameters of the 802.11 MAC layer. Referring to Figure 1, the sender MN begins communication after receiving the CTS message sent by the receiver MN. At the same time, the neighbor MNs update their NAV parameter to defer access (DA) to the communication medium and avoid collisions. So, a signed message sent from a sender MN should arrive at the receiver MN and be processed before the NAV time expires. The NAV expiration is delimited by the two messages: RTS (sent by the sender MN) and CTS (sent by the receiver MN). This means that the maximum time for a signed message to reach the destination is the total time including the NAV time plus the processing times at the sender and receiver MNs.
Based on this observation, we can define the enhanced timestamp discrepancy between two given communicating MNs, S and D (see Figure 4), as follows [26]: where: $T_S$ is the time to process the message at MN S.  $T_D$ is the time to process the message at MN D.    is the time duration of communication between the sender (S) and receiver (D) MNs.

NAV CTS
In the following part of this work, in order to show the importance of our proposed improvement, we suppose that the clocks of the communicating MNs are synchronized. This is a necessary condition for a replay attacker to re-send valid signed messages [22]. The times $T_S$ and $T_D$ represent, respectively, the total time at the two MNs S and D, including the times of buffering and CPU processing. In the literature, buffering and CPU processing are represented by queuing and service systems, respectively. Precisely, the model that represents these two systems is an M/M/1 model [27], characterized by the following assumptions:
1) The messages arrive according to a Poisson process with a total average arrival rate  (i.e. arrival messages/sec).
2) The receiver MN plays the role of a single server characterized by exponential service times, an unlimited FIFO queue (or a queue of unspecified discipline) and an unlimited message population. We denote the average service rate at the receiver MN by  .
By supposing that the MNs in the MANET have the same characteristics, we can consider that i j . So, the total time including queuing and service times according to the M/M/1 model, at each MN, is given by the following formula: Consequently, Equation (1) becomes as follows: Based on Equation (3), we can define a local discrepancy timestamp between two close MNs (or neighbor MNs) in the MANET as the average of the total discrepancy timestamp divided by the hop count, denoted N, between the S and D nodes. So, the local discrepancy timestamp 4) is defined as follows: In the next section, we apply our proposed approach to two given communicating MNs in a MANET, using the 802.11 MAC layer to access the medium and exchange their messages. Our approach is integrated in the standard 802.11 MAC layer without any additional parameters or extra processing costs at MNs in the network.
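
As an added illustration (not code from the paper), the sketch below computes the dynamic bound described above as sender time plus receiver time plus NAV time, divided by the hop count, and applies it as a receiver-side freshness check next to a large static threshold. The per-node time uses the textbook M/M/1 mean sojourn time 1/(service rate - arrival rate), which is an assumption about the formula not reproduced here; the NAV value, the static threshold, the sample messages and all function names are constructed for the example.

```python
"""Receiver-side timestamp check with a dynamic discrepancy bound (added example)."""


def mm1_sojourn_time(arrival_rate, service_rate):
    """Mean queueing-plus-service time of one M/M/1 node, in seconds (assumed formula)."""
    if arrival_rate < 0 or service_rate <= arrival_rate:
        raise ValueError("M/M/1 is stable only if service_rate > arrival_rate >= 0")
    return 1.0 / (service_rate - arrival_rate)


def enhanced_discrepancy(arrival_rate, service_rate, nav_seconds, hops=1):
    """Per-hop bound: (T_S + T_D + NAV time) / N, with T_S = T_D for identical nodes."""
    if hops < 1 or nav_seconds < 0:
        raise ValueError("need hops >= 1 and nav_seconds >= 0")
    t_node = mm1_sojourn_time(arrival_rate, service_rate)
    return (2 * t_node + nav_seconds) / hops


def accept(sent_at, received_at, bound):
    """Accept only if the message age lies in [0, bound]; clocks assumed synchronized."""
    age = received_at - sent_at
    return 0.0 <= age <= bound


def compare(messages, static_bound, dynamic_bound):
    """Return {label: (accepted_by_static, accepted_by_dynamic)} for each message."""
    return {label: (accept(sent, recv, static_bound), accept(sent, recv, dynamic_bound))
            for label, sent, recv in messages}


# Rates 30 and 33 are the values used in the simulation section of the page.
ARRIVAL_RATE, SERVICE_RATE = 30.0, 33.0
NAV_SECONDS = 0.005    # constructed value for the RTS/CTS reservation time
STATIC_BOUND = 5.0     # constructed pre-negotiated threshold

# Constructed messages: (label, timestamp in message, arrival time at receiver)
MESSAGES = [
    ("fresh", 100.0, 100.4),
    ("replay-late", 100.0, 102.0),    # inside the static window only
    ("replay-fast", 100.0, 100.6),    # inside both windows
    ("future-stamp", 101.0, 100.9),   # negative age, rejected by both
]

if __name__ == "__main__":
    bound = enhanced_discrepancy(ARRIVAL_RATE, SERVICE_RATE, NAV_SECONDS)
    print(f"dynamic bound = {bound:.4f} s, static bound = {STATIC_BOUND} s")
    for label, verdict in compare(MESSAGES, STATIC_BOUND, bound).items():
        print(label, verdict)
```

The "replay-fast" case shows the residual window: a replay that arrives inside the tightened bound still passes the timestamp check, so the bound limits the impact of replays rather than eliminating them.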

Simulation Environment
To evaluate the impact of our proposed timestamp concept, we simulated a local replay attack in which a replay attacker is placed between two close MNs in a MANET (each MN is in the transmission range of the other MN). Moreover, to have the same simulation conditions, we assumed that all MNs in the network have the same characteristics of buffering (  ) and processing (  ) with a stable M/M/1 system, i.e. the service rate is greater than the arrival rate. That is why we chose the values 30 and 33 for   and   respectively for all MNs in the MANET.
In the next sub-section, we compare two communication scenarios with the same replay attack behavior. The first scenario is called the classic scenario, where the communicating MNs use the classical timestamp discrepancy. The second scenario is called the enhanced scenario and uses our enhanced timestamp discrepancy. This comparison study is carried out on the Network Simulator (NS2) platform [28]. The communicating MNs in the network use UDP traffic to exchange data during a total simulation time of 150 seconds. Moreover, we suppose that the MNs are homogeneous in terms of transmission range (i.e. all MNs have the same transmission range, equal to 250 m), and in order to show the effect of our approach, we have neglected the mobility produced by the free movement of MNs. Finally, the replay attack interval during which the attacker performs the attack is defined, in seconds, by the interval (100, 150).

Result and Discussion
To achieve a replay attack, the attacker's MN requires high performance, in terms of buffering r  and processing r  , compared to the ordinary MNs in the network. To this end, our simulation considers the malicious behavior of the replay attacker when it varies its own parameters r  and r  . Precisely, to study the impact of each parameter on our enhanced timestamp discrepancy, we first fixed the parameter r  and varied r  . We then fixed the parameter r  and varied r  .
By fixing r  at 33 and varying r  , Figure 5 shows a slight enhancement of our proposed timestamp discrepancy (red line) compared to the old timestamp discrepancy (black line). Indeed, for all values of r  (5, 10, 15, 20, 25, 30, 40, 45 and 49), the enhanced scenario that implements the dynamic timestamp discrepancy has the same behavior as the classic scenario, with a limit of approximately 2% of the messages retransmitted and injected by the replay attacker. According to this result, it can be seen that our solution limits the number of messages injected by the replay attacker even if it changes the r  parameter.
According to Figure 6, it can be seen that our enhanced scenario gives a good result when the replay attacker changes its processing parameter. Indeed, for all values of $\mu_r$ (50, 55, 60, 65, 70, 75, 80, 85, 90, 95 and 100), the enhanced scenario (red line) that implements the dynamic timestamp discrepancy keeps the same behavior as the classic scenario (black line), with a more rigorous limitation of injected messages. In particular, our approach gives a better reduction of replay attacker messages at points where $\mu_r$ takes the following values: 55, 80 and 95. According to this result, we can say that our solution is reactive and watchful when the replay attacker changes its processing parameter $\mu_r$.
Based on the above results, we conclude that our propo

Figure 3. Vulnerability with the classical timestamp discrepancy.

Figure 4. Typical path between sender and receiver MNs.

Figure 6. Enhanced timestamp discrepancy when replay attacker varies $\mu_r$.