The Study of Secure Congestion Control for TCP in Ad Hoc Networks

Ad hoc networks are vulnerable to various attacks. In addition, congestion caused by limited resources may occur at any time while packets are being forwarded at intermediate nodes. This paper proposes a dynamic congestion control method based on the selection of a secure path. By estimating the average queue length at the nodes, the current congestion level is detected. If possible congestion is predicted, the network selects a new path on which all nodes have been certified as trusted nodes, and session keys are generated during the TCP three-way handshake to prevent denial of service attacks. Simulation results show that the new algorithm is superior to the TCP Reno algorithm in terms of security, packet loss rate, throughput, and end-to-end delay.


Introduction
An ad hoc network is distributed, has a flexible infrastructure, and treats all nodes as peers. Gutub [1] proposes a new trend in data visualization, linking seemingly illogical data inputs that are the source of judgments in interactive ways, and Hajj services have been improved by taking advantage of developments in exploratory data visualization technology [2]. However, the ad hoc network is vulnerable to all kinds of security attacks because of its poor security management. A high-security system for hiding sensitive text data on a personal computer has been proposed and implemented [3]; it combines AES encryption with image-based steganography as two layers to ensure high security, and a flexible variant of the system presents security information to the user so that he or she can select the cover image on the PC according to his or her security priority [4]. Prevention methods such as cryptography [3] [5] not only consume limited resources but are also costly. From the detection perspective [4], an intrusion detection system is necessary to detect attackers.
The main purpose of congestion control is to improve network performance by reducing the delay and the buffer overflow caused by network congestion. However, traditional congestion control cannot be used directly in an ad hoc network, because delay and packet loss there are not necessarily caused by congestion (link disconnection, for example, also causes them) but may be mistaken for congestion loss.
Here we focus on congestion control that adapts to the security of ad hoc networks and propose a new algorithm. By estimating the average queue length at the nodes, the congestion control is adjusted dynamically. When possible congestion is predicted, the network selects a new path on which all nodes have been certified as trusted nodes, and session keys are generated during the TCP three-way handshake to prevent denial of service attacks. The approach therefore has theoretical significance and practical value in the field of information security and wireless network security.

The Selection of Secure Path
In the past decades, the watchdog system [6], which uses promiscuous listening, has been implemented to increment the failure counter of a sending node whenever a packet loss is observed. In the adaptive acknowledgement system [7], receipt of the acknowledgement packet from the destination node by the source node represents a successful transmission; otherwise, the source node switches to double-ACK mode to detect malicious nodes. In the enhanced adaptive acknowledgement system with intrusion detection [8], secure ACK (SACK) is an improved version of the double-ACK scheme. When malicious behavior is found in SACK mode, the source node switches to misbehavior report authentication (MRA), which finds an alternative path to the destination node and authenticates the misbehavior report.
To counter the black hole attack [9], every legitimate node sends a joining request with a trust value of 1 at the initial stage of the network. If the requesting node receives no acknowledgement from the delegate node, it stops sending joining requests. Each node first verifies the requester's address before processing any request, and processes the request only if the requester is on the trust-list. When the delegate node receives a joining request, it validates the trust value of the requesting node; if the trust value matches, the requesting node is added to the trusted list and this is broadcast in the network. The threshold for joining requests is set to 20 requests per second. Figure 1 shows the flow chart of the algorithm.
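The delegate-side admission logic described above, written out as an added example (this is not the paper's code; the address verification step, the sliding one-second window used to enforce the 20 requests per second threshold, and the decision strings are assumptions made here, while the trust value of 1 and the threshold come from the text):

```python
from collections import deque

# Values taken from the paper: every legitimate node joins with trust value 1,
# and the delegate accepts at most 20 joining requests per second.
INITIAL_TRUST = 1
JOIN_RATE_THRESHOLD = 20
RATE_WINDOW_SECONDS = 1.0


class DelegateNode:
    """Delegate node that admits requesters to the trusted list.

    `known_addresses` is an assumption: the paper says the address is verified
    before the request is processed but does not say how, so here verification
    is membership in a configured address set.
    """

    def __init__(self, node_id, known_addresses):
        self.node_id = node_id
        self.known_addresses = set(known_addresses)
        self.trust_list = {node_id}          # the delegate trusts itself
        self.broadcasts = []                 # (event, node) tuples sent to the network
        self._request_times = {}             # requester -> deque of request timestamps

    def _within_rate(self, requester, now):
        """Sliding one-second window; True if this request is within the threshold."""
        window = self._request_times.setdefault(requester, deque())
        while window and now - window[0] >= RATE_WINDOW_SECONDS:
            window.popleft()
        window.append(now)
        return len(window) <= JOIN_RATE_THRESHOLD

    def handle_join_request(self, requester, trust_value, now):
        """Process one joining request and return the decision as a string."""
        if requester not in self.known_addresses:
            return "reject:unknown-address"
        # The rate check comes before the trust check so that a flooding node
        # cannot make the delegate do trust-list work at an unbounded rate.
        if not self._within_rate(requester, now):
            return "reject:rate-exceeded"
        if trust_value != INITIAL_TRUST:
            return "reject:bad-trust-value"
        if requester in self.trust_list:
            return "ack:already-trusted"
        self.trust_list.add(requester)
        self.broadcasts.append(("TRUSTED", requester))
        return "ack:added"


def run_admission_example():
    """Constructed scenario: one honest node, one node with a wrong trust value,
    one unknown address, and one node flooding 25 joining requests in one second."""
    delegate = DelegateNode("delegate", known_addresses=["n1", "n2", "flooder"])
    honest = delegate.handle_join_request("n1", 1, now=0.0)
    wrong_trust = delegate.handle_join_request("n2", 0, now=0.1)
    stranger = delegate.handle_join_request("unknown", 1, now=0.2)
    flood = [delegate.handle_join_request("flooder", 1, now=1.0 + i * 0.01)
             for i in range(25)]
    # Once the window has passed, the flooder is served again.
    later = delegate.handle_join_request("flooder", 1, now=3.0)
    return {
        "honest": honest,
        "wrong_trust": wrong_trust,
        "stranger": stranger,
        "flood_rejected": flood.count("reject:rate-exceeded"),
        "later": later,
        "trust_list": sorted(delegate.trust_list),
        "broadcasts": delegate.broadcasts,
    }


if __name__ == "__main__":
    print(run_admission_example())
```

The flooder's first request is admitted and broadcast; requests 2 to 20 are acknowledged as already trusted, and requests 21 to 25 are rejected because they exceed the threshold, without the delegate ever re-validating the trust value for them.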
The concept of bilinear mapping [10] is introduced to allocate the nodes' keys, in order to handle denial of service attacks [11] and secure the connection set up by the TCP three-way handshake. After resources are allocated for the source node (S), S starts sending packets with authentication tags. Whenever an intermediate node detects congestion, it sets an Explicit Congestion Notification (ECN) mark, which is carried back to the source in the acknowledgement (ACK) [12].

The Design of Congestion Control
A simple example is shown in Figure 2. The source node S sends packets to the destination node D; the primary path is S to 1 to 3 to D. When intermediate node 1 predicts possible congestion, it stops sending packets on the primary path and initiates the secure route discovery mechanism. From the trust-list of node 1, node 2 is selected as the next hop. After receiving the packets from node 1, node 2 forwards them to the destination node D.
The average queue length provides a direct measurement of the congestion status. The maximum threshold (Max) and the minimum threshold (Min) are set relative to the queue length, and the position of the queue relative to these thresholds represents its current state. Here w_q stands for the queue weight. Link utilization is very low if the three parameters are set too small; on the other hand, congestion may occur before the node is notified if the thresholds are too large. Equations (1), (2), and (3) are used to set their values. The average queue length smooths out short traffic fluctuations and reflects persistent congestion through the long-term variation of the instantaneous queue. It is calculated by Equation (4) as follows.

35% Que_length

Equation (3) is used to dynamically set w_q, where H represents the hop count and S represents the number of packets sent per second. If the average queue length is smaller than Min and the instantaneous queue is smaller than half of the queue length, the node is in the normal state.
Congestion may occur when the average queue length is between Min and Max; the discovery mechanism for a secure path is then initiated.
When the instantaneous queue is larger than Max, the value of Max is reset, because the selected path was wrong. If the average queue length is larger than Max, the node is in the congestion state and congestion control is carried out. The flow chart of the algorithm is shown in Figure 3.
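The queue-state classification just described, together with the trusted next-hop selection from the Figure 2 example, as an added example that is not code from the paper. The thresholds, the queue weight, and the queue samples are constructed values; the exponentially weighted moving average used for the average queue length, and restoring Max to its configured value as the meaning of "reset Max", are assumptions, since Equations (1) to (4) are not reproduced here:

```python
from collections import deque

NORMAL = "normal"
DISCOVER = "discover-secure-path"
RESET_MAX = "reset-max"
CONGESTION = "congestion-control"


class CongestionMonitor:
    """Per-node monitor that classifies the queue state from the average and
    instantaneous queue lengths, following the rules in the text.

    Assumptions (not from the paper): the average queue length is an
    exponentially weighted moving average avg = (1 - w_q) * avg + w_q * ins,
    the thresholds are given directly instead of via Equations (1)-(3), and
    "reset Max" restores Max to its configured value.
    """

    def __init__(self, que_length, min_th, max_th, w_q):
        self.que_length = que_length
        self.min_th = min_th
        self.max_th = max_th
        self._configured_max = max_th
        self.w_q = w_q
        self.avg = 0.0
        self.resets = 0

    def update(self, ins_queue):
        """Feed one instantaneous queue sample and return the resulting state."""
        self.avg = (1.0 - self.w_q) * self.avg + self.w_q * ins_queue
        if self.avg > self.max_th:
            return CONGESTION                    # persistent overload: run congestion control
        if ins_queue > self.max_th:
            self.max_th = self._configured_max   # wrong path was chosen: reset Max
            self.resets += 1
            return RESET_MAX
        if self.avg < self.min_th and ins_queue < self.que_length / 2:
            return NORMAL
        # avg between Min and Max, or a burst filling half the queue while avg is
        # still low (the paper does not classify that case; it is treated as a
        # congestion warning here): start the secure path discovery.
        return DISCOVER


def find_secure_path(start, dst, trust_lists):
    """Breadth-first search that only follows edges to nodes on each hop's trust-list.
    Returns the hop list from start to dst, or None if no trusted route exists."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == dst:
            return path
        for nxt in trust_lists.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def run_congestion_example():
    """Constructed sample: queue length 100, Min 35, Max 70, w_q 0.5, and the
    Figure 2 topology where node 1 trusts only node 2 as an alternative hop."""
    monitor = CongestionMonitor(que_length=100, min_th=35, max_th=70, w_q=0.5)
    samples = [10, 20, 60, 80, 95, 30, 10]
    states = [monitor.update(q) for q in samples]
    trust_lists = {"S": ["1"], "1": ["2"], "2": ["D"], "3": ["D"], "D": []}
    path = find_secure_path("1", "D", trust_lists)
    unreachable = find_secure_path("1", "Z", trust_lists)
    return states, path, unreachable, monitor.resets


if __name__ == "__main__":
    print(run_congestion_example())
```

With these samples the monitor passes through normal, discovery (average 36.25 enters the Min to Max band), reset of Max (instantaneous queue 80 exceeds Max while the average is still 58.1), congestion control (average 76.6 exceeds Max), and back to normal as the queue drains; node 1's only trusted route to D is 1 to 2 to D, and a destination with no trusted route returns None rather than falling back to an untrusted hop.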

Simulation Results and Analysis
NS-2 [13] is used to compare the performance of the new algorithm with secure congestion control against the TCP Reno algorithm under malicious attacks. The number of malicious nodes is set to 10, the maximum node speed is 20 m/s, and the wireless propagation model is two-ray ground. Figure 4 and Figure 5 show how the two algorithms differ in packet loss rate and throughput as the simulation time increases.
As shown in Figure 4, under attack the new algorithm reduces the route re-establishment caused by link disconnection, whereas link interruptions occur frequently with the TCP Reno algorithm. As a result, its packet loss rate becomes more severe as the simulation time increases.
In Figure 5, as the simulation time increases, the number of packets received per second by the receiver declines for the TCP Reno algorithm, resulting in a sharp decrease in throughput. In comparison, the new algorithm has a very low packet loss rate, most packets are received successfully, and the throughput stays relatively constant. We then fixed the simulation time at 300 s and studied the packet loss rate and the end-to-end delay under different hop counts.
In Figure 6, when the hop count is small, the nodes are in the normal state and the end-to-end delay is relatively low for both algorithms.
Congestion may occur as the hop count increases. The new algorithm selects a new path to avoid the malicious nodes, while the TCP Reno algorithm keeps sending packets on the original path and can only drop packets when congestion occurs. As a result, the end-to-end delay is larger for the TCP Reno algorithm.
In Figure 7, as the hop count increases, the probability of packet loss in the network increases for both algorithms. The TCP Reno algorithm suffers serious packet loss because it cannot predict congestion. In comparison, the new algorithm predicts congestion from the average queue length and changes the path in advance, reducing the number of lost packets.

Figure 1. The algorithm of selecting a secure path.

Figure 2. A simple example of secure congestion control.

Figure 3. The algorithm of congestion control.

Figure 4. Comparison of packet loss rate with different simulation time.

Figure 5. Comparison of throughput with different simulation time.

Figure 6. Comparison of end-to-end delay with different hop counts.

Figure 7. Comparison of packet loss rate with different hop counts.

[Figure 3 flow chart labels: perform the algorithm of the new path discovery; Ins_queue is larger than Max?; reset Max; send packets on the new path; congestion control.]