
[IEEE 2009 8th IFIP Annual Mediterranean Ad Hoc Networking Workshop (Med-Hoc-Net 2009) - Haifa, Israel (2009.06.29-2009.07.1)] 2009 8th IFIP Annual Mediterranean Ad Hoc Networking

Preventing Layer-3 Wormhole Attacks in Ad-hoc Networks with Multipath DSR

Luis Fernando Garcia and Jean-Marc Robert
École de technologie supérieure
Département de génie logiciel et des TI
Montréal, Québec, Canada
Email: [email protected]

Abstract—Wormhole attacks in ad-hoc networks have been attracting much attention over the years. They consist in two malicious nodes tunneling traffic from one end of the network to the other. Several approaches are proposed to detect these attacks but only few solutions exploit the information provided by multipath routing schemes. A new approach detecting wormhole attacks is presented in this paper. The Witness Integration Multipath protocol is based on the multipath DSR routing protocol and finds suspicious behaviour related to wormhole attacks. It does not require any major protocol modification nor as much cryptographic processing as the previous solutions.

Index Terms—MANET, source routing, multipaths, wormholes.

I. INTRODUCTION

Mobile ad-hoc networks have been an attractive field of research for many years now. Due to their characteristics, these networks are an excellent choice for emergency operations, vehicular communication and short-lived networks.

Ad-hoc networks must deal with threats from external agents and compromised internal nodes. The lack of a central control and the fact that each node must forward packets of other nodes represent major security challenges. In such environments, it is difficult to assure the confidentiality and the integrity of the communications as well as the availability of the services.

In this paper, we focus on the wormhole attacks. In these attacks, two malicious nodes tunnel traffic from one end of the network to the other end using an out-of-band link. Their main goal is to attract traffic to drop, alter or, simply, look at the packets later on.

Due to the characteristics of the wormhole attacks, cryptographic solutions are not sufficient. Numerous physical approaches have been proposed to secure the neighbour discovery process. Most of the solutions presented so far require that the nodes handle information about self-location, perform clock synchronization or rely on specialized antennas or on information such as trust relationships. Only a few solutions have been proposed to secure the overall end-to-end route discovery process.

In this paper, we propose a new approach based on a multipath source routing protocol to prevent and detect potential Layer-3 wormhole attacks. The Witness Integration Multipath DSR (WIM-DSR) solution relies on the information provided by the routing protocol to determine if there are some typical inconsistencies usually associated with wormhole attacks. This solution does not require any cryptographic processing by the intermediate nodes if no incoherency has been discovered (i.e. no attack takes place). This point represents the main advantage over the previous solutions.

II. WORMHOLE ATTACKS AND THEIR GOALS

Fig. 1. Wormholes: (a) closed, (b) half-open and (c) open wormholes [1]

In a wormhole attack, an adversary tunnels traffic from one end of a network to the other end. It is done usually by two malicious nodes strategically located. In Fig. 1, the malicious nodes M1 and M2 perform a wormhole attack tunnelling the traffic sent by the source S to the destination D. According to Wang et al. [1], there are three types of wormholes. In closed wormholes, the neighbour discovery beacons are tunnelled between M1 and M2 without adding any self information. Thus, S and D believe that they are neighbours. The malicious nodes are external agents such as simple transceivers that can stay invisible to S and D. This attack targets the neighbour discovery process. In open wormholes, both malicious nodes are compromised internal nodes participating in the routing protocol. Finally, in half-open wormholes, only one malicious node is a compromised node. The other node is simply an external agent. In such a case, the beacons of the compromised node M1 are tunnelled towards the external malicious node M2 and the beacons of the M2 neighbours are tunnelled back towards M1.

The 8th IFIP Annual Mediterranean Ad Hoc Networking Workshop 2009

978-1-4244-4661-2/09/$25.00 ©2009 IEEE

Another characterisation of the wormhole attacks is proposed by Buttyan and Hubaux [2]. The term wormhole attack is used for a Layer-2 attack where the malicious agents are invisible transceivers exchanging messages from one end of the network to the other end (closed wormholes). The term tunnelling attack is proposed for a Layer-3 attack where the compromised internal nodes interact actively with the routing protocol (open wormholes).

The malicious nodes can use either a physical out-of-band link (wired or wireless) or a logical encapsulated tunnel in the network itself. However, the first alternative is more realistic since it is more efficient and flexible. This is particularly important for the wormhole attacks targeting the neighbour discovery process.

The goal of the malicious nodes is to improve the likelihood of being involved in the shortest path linking two nodes, visibly or not. They should have access to traffic that could be out of reach otherwise. Once the malicious nodes have access to the traffic, they can perform black hole attacks (dropping all the packets), grey hole attacks (dropping only some packets), or simply eavesdrop on the traffic searching for vital information.

Fig. 2. Open wormholes: (a) weak and (b) strong open wormholes

The objective of this paper is to propose a new mechanism to prevent and detect potential open wormholes in ad-hoc networks using a variant of a multipath routing protocol. Two types of open wormholes are considered: the weak open wormholes and the strong open wormholes. In the former case, the tunnel connects a malicious node at d-hop from the source to one at (d + 1)-hop (see Fig. 2a). In the latter case, the second malicious node is at least at (d + 2)-hop from the source (see Fig. 2b). If weak open wormholes do not give necessarily shorter paths to the destinations, strong open wormholes do. They represent a real threat and should always be chosen by any routing protocol selecting the shortest paths.

III. RELATED WORKS

Several approaches have been developed to prevent or to detect wormhole attacks. The main solutions are reviewed briefly in this section. The first three solutions address mainly the closed wormhole attacks. They present how to protect the neighbour discovery process.

Hu et al. [3] propose the addition of leashes containing timing and/or position information to packets. A leash restricts the maximum transmission distance permitted to a packet. They propose two kinds of leashes: geographical and temporal. To use geographical leashes, each node must know its own location (e.g. GPS) and all nodes must have loosely synchronized clocks. To use temporal leashes, all nodes must have tightly synchronized clocks. Thus, if a receiving node determines that the neighbour discovery beacon of a given node has travelled too far, the node should discard it.

Capkun et al. [4] estimate the distance separating two nodes from the round-trip travel time taken by a message and its acknowledgement. This mechanism relies on a specialized hardware allowing the destination to send a response to a one-bit challenge message as fast as possible.

Hu and Evans [5] use directional antennas to detect wormhole attacks. If a node uses a specific sector to communicate with a neighbour, this neighbour should use its opposite sector. The existence of a wormhole would introduce inconsistencies in the network that could be detected by the other nodes simply by adding some sector information to the packets.

The next solutions address the open wormhole attacks. They present how to prevent or detect malicious actions from compromised internal agents. Pirzada and McDonald [6] derive a trust relationship for neighbour nodes based upon their compliance to a routing protocol (DSR). The nodes’ trust levels are then used to avoid communication through potential wormholes.

Khalil et al. [7] propose that the nodes in a static network obtain in a secure way the one-hop and two-hops topological information from their neighbours. Then, each node observes the behaviour of their neighbours searching for typical patterns related to wormhole attacks. The same authors also propose to support nodes mobility by adding a trusted central authority in charge of authorizing nodes to move and to create new neighbour associations [8].

Wang et al. [1] extend the geographical leashes and use them in an end-to-end verification process. This process determines whether all the supposedly neighbour pairs of a path are not too far apart.

Finally, Qian et al. [9] present a different approach to detect wormhole attacks. The solution is based on statistical analysis of the information gathered during the multipath routing process (SMR). A link generating a wormhole attack should be used by the routing protocol with an unusually high frequency. Unfortunately, only uniform grid networks have been considered.

IV. WIM-DSR

A. Multi-path Routing

The Dynamic Source Routing (DSR) protocol [10] is an on-demand source routing protocol for mobile ad-hoc networks. When a source needs a path towards a destination, it broadcasts Route Request (RREQ) messages. As these messages are forwarded, they gather the intermediate nodes they go through. Then, the destination replies with unicast Route Reply (RREP) messages to the source. The source chooses its path based on the received RREP messages. To avoid too many RREQ packets in the network, the protocol uses two mechanisms: local cache and selective broadcasting for intermediate nodes. An intermediate node can respond if it has a valid path in its cache. Otherwise, it forwards the request message if it is a new one.

The DSR protocol has been adapted to discover disjoint multipaths between a source and a destination. Using multiple paths can improve the quality of service as well as the fault resilience of a network.

The routing protocol used in this paper is based on a modification of the Split Multipath Routing (SMR) protocol [11] proposed by Qian et al. [9]. The modified protocol allows intermediate nodes to forward repeated copies of a RREQ message, as long as their hop counts are not larger than the hop counts of already received copies. The destination should receive numerous copies of the RREQ message. Thus, the destination should be able to build a list of available paths from the source; this information gives a partial view of the network that would be used by the WIM-DSR protocol in the discovery of possible wormhole attacks.

The WIM-DSR final step is slightly different from the previous protocols. The destination chooses a path and broadcasts it towards the source. The intermediate nodes should rebroadcast only one copy of a given RREQ message. This step should allow intermediate nodes to validate the information.

B. Assumptions and Threat Model

The main objective of WIM-DSR is to gather information during the route discovery phase and to find possible anomalies due to open wormhole attacks. To limit these attacks, the following assumptions are made:

Assumption I: The number of malicious nodes participating in a wormhole attack is restricted to two nodes.

Assumption II: Each legitimate node can carry out securely its neighbour discovery process by using temporal leashes [3].

Assumption III: Each legitimate node has a unique cryptographic identity which can be used to authenticate control messages. All legitimate nodes can verify these authentication tags.

Assumption IV: The cryptographic identity is implemented in a secure tamperproof token (e.g. a smart card).

The second assumption has two important benefits: the nodes know the identity of their neighbours and a malicious node cannot use another remote malicious node as an oracle – limiting the chance to perform Sybil attacks [12].

Finally, the last two assumptions limit the capacity of a compromised node to impersonate another compromised node by using multiple wireless interfaces and multiple cryptographic identities locally – limiting again the chance to perform Sybil attacks successfully. These assumptions are rarely stated explicitly but numerous papers rely on them (e.g. [7] and [1]).

C. Edge Witnesses

WIM-DSR determines if the information gathered by the modified routing protocol during the route discovery shows the typical behaviour of wormhole attacks.

Let us introduce some notations. Let $G(r) = (N, E(r))$ denote the geometric graph defined by the set of nodes N and the transmission range of the nodes r. In this graph, two nodes are connected if and only if their distance is less than or equal to r. This graph represents the underlying topology of the network. Finally, let $L_G(X, d)$ define the set of nodes in G at d hops of the node X. This can be obtained by a breadth-first search from X.

An open wormhole attack between two malicious compromised nodes should simply add an edge between the two nodes in $G(r)$. This should shorten the distance between some pairs of nodes.

During the route discovery, the destination receives multiple copies of a RREQ message. Each copy represents a distinct path between the source and the destination. Thus, the destination can reconstruct a subset of $G(r)$. This subset is denoted $G_{RREQ}(r)$.

WIM-DSR presented in the next section relies on the following concept of edge witnesses:

Definition 4.1: Let $e = \{v_i, v_j\}$ be an edge of a path from S to D in $G_{RREQ}(r)$. A node $v_w$ is a weak forward witness for e iff

i. $(\exists d)[v_i, v_w \in L_{G_{RREQ}}(S, d)]$;

ii. the edge $\{v_w, v_j\}$ is in $G_{RREQ}(r)$.

Definition 4.2: Let $e_1 = \{v_i, v_j\}$ and $e_2 = \{v_j, v_k\}$ be two consecutive edges of a path from S to D in $G_{RREQ}(r)$. A node $v_w$ is a strong forward witness for the subchain $(v_i, v_j, v_k)$ of the path iff

i. $(\exists d)[v_j, v_w \in L_{G_{RREQ}}(S, d)]$;

ii. the edges $\{v_i, v_w\}$ and $\{v_w, v_k\}$ are in $G_{RREQ}(r)$.

The second definition gives a stronger witness and should be preferred. It simply states that there are two distinct paths joining two nodes in the network. Since there are only two malicious nodes (Assumption I), these strongly witnessed nodes cannot form a wormhole.

Intuitively, an edge witness gives more evidence that two nodes are really neighbours and are not part of a wormhole. For example, in Fig. 2b, M1 is the only node at one-hop from S claiming to be adjacent to M2. Hence, no forward witness can be found for the edge {M1, M2}.

The aim of WIM-DSR is to find fully witnessed paths, i.e. paths with only witnessed edges between the source and the destination. The algorithm constructs the fully forward witnessed path inductively. Assuming that the source S is not compromised, it proceeds forward hop by hop constructing the sets of nodes $L_{G_{RREQ}}(S, i)$, for i > 0. Unfortunately, such a forward path does not always exist. In such a case, assuming that the destination D is not compromised, the algorithm proceeds backward hop by hop. Definitions 4.1 and 4.2 have to be adapted accordingly to define backward witnesses.

A fully witnessed path should not contain any open wormhole. Strongly witnessed paths should be preferred. However, weakly witnessed paths should also be considered since the strongly witnessed condition is very restrictive and can generate numerous false positive alarms.

Fig. 3. The dashed line is (a) a weakly backward, (b) a longer weakly forward, (c) a strongly forward or (d) a strongly backward witnessed path

In the above figure, (a) v2 is a weak backward witness for {v3, v4}, (b) v4 and v5 are weak forward witnesses for {v1, v2} and {v2, v3}, respectively, (c) v3 is a strong forward witness for (S, v1, v2) and, finally, (d) v4 is a strong backward witness for (v1, v2, D).

D. WIM-DSR route discovery

When a source S wants to discover a route to a destination D, it broadcasts a RREQ message. Each intermediate node rebroadcasts these messages, as long as their hop counts are not larger than the hop counts of already received messages. In this process, the nodes add their identification to the messages. Thus, several messages should arrive to D.

With all the different RREQ messages received, D is able to build a partial representation of the network topology $G_{RREQ}(r)$. The next step is to find if there is a fully forward witnessed path $p = (S = v_{i_0}, v_{i_1}, \cdots, v_{i_{l-1}}, v_{i_l} = D)$ in this graph s.t.

• $(\forall k \text{ s.t. } 0 \le k < l - 2)$ [∃ strong forward witness $w_k$ for $(v_{i_k}, v_{i_{k+1}}, v_{i_{k+2}})$], or
• $(\forall k \text{ s.t. } 1 \le k < l - 1)$ [∃ weak forward witness $w_k$ for $\{v_{i_k}, v_{i_{k+1}}\}$].

The first alternative is presented in Algorithm 1 and finds strong forward witnessed paths. The second alternative is presented in Algorithm 2 and finds weak forward witnessed paths. Both algorithms can be adapted easily to determine whether fully backward witnessed paths exist or not.

Input: The paths $P = \{p_1, p_2, \ldots, p_t\}$ obtained from the RREQ messages.

Output: A strongly forward witnessed path p from S to D in $G_{RREQ}(r)$.

1  Compute the graph $G_{RREQ}(r)$ from the paths in P.
2  Compute the set of neighbours $N(v_i)$, for all nodes $v_i$ in $G_{RREQ}(r)$.
3  Find if there is a path $p_i = (v_{i_0}, v_{i_1}, \cdots, v_{i_l}) \in P$ s.t.
4  $|N(v_{i_j}) \cap N(v_{i_{j+2}})| \ge 2$, for all $0 \le j < l - 2$.
5  Return the shortest path $p_i$ with its strong forward witnesses, if one exists.

Algorithm 1: Strong forward witnessed path selection

Input: The paths $P = \{p_1, p_2, \ldots, p_t\}$ obtained from the RREQ messages.

Output: A weakly forward witnessed path p from S to D in $G_{RREQ}(r)$.

1  Compute the graph $G_{RREQ}(r)$ from the paths in P.
2  Using a breadth-first search, compute $L_{G_{RREQ}}(S, d)$ for $d \ge 1$.
3  $\forall v_i \in L_{G_{RREQ}}(S, d)$, let $n_i$ be equal to $|\{v_j \in L_{G_{RREQ}}(S, d - 1) \mid (v_j, v_i) \text{ is in } G_{RREQ}(r)\}|$.
   // An edge $(\bullet, v_i)$ has a witness if $n_i > 1$
4  $\forall v_i \in L_{G_{RREQ}}(S, 1)$, assume that $n_i = 2$.
5  Using a breadth-first search, find if there is a path p between S and D in $G_{RREQ}(r)$ s.t. the value $n_{i_j}$ of every internal node $v_{i_j}$ is greater than 1.
6  Return the shortest path p with its weak forward witnesses, if one exists.

Algorithm 2: Weakly forward witnessed path selection
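
Algorithms 1 and 2 above, written out as an added Python example (not the authors' code) and run on a constructed set of RREQ paths that contains a strong open wormhole M1-M2. The function names and the sample topology are assumptions; the index range 0 ≤ j < l − 2 is the one printed in Algorithm 1.

```python
from collections import deque

# Constructed RREQ paths as collected by D (not taken from the paper's figures):
# one 3-hop path through a strong open wormhole M1-M2 and three honest 4-hop paths.
SAMPLE_PATHS = [
    ("S", "M1", "M2", "D"),
    ("S", "a1", "a2", "a3", "D"),
    ("S", "b1", "a2", "a3", "D"),
    ("S", "a1", "b2", "a3", "D"),
]


def build_graph(paths):
    """Step 1 of both algorithms: G_RREQ as an adjacency map built from the paths."""
    adj = {}
    for p in paths:
        for u, v in zip(p, p[1:]):
            adj.setdefault(u, set()).add(v)
            adj.setdefault(v, set()).add(u)
    return adj


def bfs_levels(adj, src):
    """Hop distance of every node from src, i.e. membership in L_GRREQ(S, d)."""
    level = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in sorted(adj[u]):
            if v not in level:
                level[v] = level[u] + 1
                queue.append(v)
    return level


def strong_forward_path(paths):
    """Algorithm 1: shortest path in P such that v_j and v_j+2 share at least
    two neighbours (v_j+1 plus a witness) for every 0 <= j < l - 2."""
    adj = build_graph(paths)
    for p in sorted(paths, key=len):
        hops = len(p) - 1
        witnesses = {}
        for j in range(max(hops - 2, 0)):
            common = adj[p[j]] & adj[p[j + 2]]
            if len(common) < 2:
                break  # nobody else vouches for this subchain
            witnesses[tuple(p[j:j + 3])] = sorted(common - {p[j + 1]})
        else:
            # Loop finished without break: every checked subchain is witnessed.
            return list(p), witnesses
    return None, {}


def weak_forward_path(paths, src, dst):
    """Algorithm 2: shortest path in G_RREQ whose internal nodes all have
    n_i > 1 neighbours one level closer to the source."""
    adj = build_graph(paths)
    level = bfs_levels(adj, src)
    # Step 3: n_i = number of neighbours of v_i in the previous BFS level.
    n = {v: sum(1 for u in adj[v] if level[u] == level[v] - 1) for v in adj}
    # Step 4: first-hop nodes are neighbours of the trusted source.
    for v in adj:
        if level[v] == 1:
            n[v] = 2
    # Step 5: breadth-first search that only enters internal nodes with n_i > 1.
    parent = {src: None}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            break
        for v in sorted(adj[u]):
            if v not in parent and (v == dst or n[v] > 1):
                parent[v] = u
                queue.append(v)
    if dst not in parent:
        return None, n
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1], n


if __name__ == "__main__":
    print("shortest advertised:", min(SAMPLE_PATHS, key=len))
    print("strong:", strong_forward_path(SAMPLE_PATHS))
    print("weak:  ", weak_forward_path(SAMPLE_PATHS, "S", "D"))
```

On this input the 3-hop path through M1 and M2 is the shortest advertised path, yet both functions return the 4-hop path S, a1, a2, a3, D because no second node vouches for the M1-M2 edge.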

Once a fully witnessed path is found, the destination signs its RREP message and broadcasts it towards the source. For a strong witnessed path, the destination broadcasts a unique signed RREP message which is rebroadcast by all the nodes of the path. The other nodes simply overhear it. This allows each witness to receive the message from at least two nodes. For a path of length l, only l − 1 RREP messages are sent overall.

For a weak witnessed path, the destination unicasts a signed RREP message along the path. Moreover, for each witness, the destination also unicasts a signed confirmation RREP message along a path going through that witness. For a path of length l, l − 1 messages are sent by the nodes in $L_{G_{RREQ}}(S, i)$, 1 ≤ i < l. Therefore, $(l - 1)^2$ messages are sent in total.

TABLE I
SHORTEST PATHS FOUND BY THE ROUTING PROTOCOL

Without the malicious nodes
  1         S - v1 - v3 - D
  2         S - v2 - v3 - D
  3         S - v2 - v4 - D
With the malicious nodes
  4         S - v1 - M2 - D
  5         S - v2 - M2 - D
  6         S - M1 - v3 - D
  7         S - M1 - v4 - D
  Wormhole  S - M1 - M2 - D

Strongly witnessed paths should be preferred. The answering process is more efficient. Moreover, these paths give some alternatives. The subchain $(v_{i-1}, w_i, v_{i+1})$ witnessed by the node $v_i$ can replace the subchain $(v_{i-1}, v_i, v_{i+1})$ witnessed by the node $w_i$.

E. Analysis

The path selection algorithms cannot discover a weak open wormhole attack. In Fig. 2a, M1 and M2 have established a wormhole between them. The algorithms should find two strong forward (v1 and v2), two strong backward (v3 and v4), two weak forward (v1 and v2) and two weak backward (v3 and v4) witnesses for this wormhole. This represents a false-negative detection for WIM-DSR. However, this does not increase the security risk significantly. Even without this tunnel, M1 and M2 would have belonged to four of the seven discovered shortest paths (see Table I). Thus, the weak open wormhole just adds one shortest path between the source and the destination.

The real gain for the malicious nodes is the strong open wormhole attack (see Fig. 2b). In such a case, they would be selected by any protocol selecting the shortest paths. Such a wormhole represents a shortcut in the network.

The effectiveness of WIM-DSR to detect open wormhole attacks is proven in the following lemmas. They show that the path selection algorithms cannot find false witnesses for strong open wormholes.

Fig. 4. (a) Fake strong and (b) fake weak forward witnesses ($d^* > d + 1$)

Lemma 4.3: Let p be a path containing a strong open wormhole. Algorithm 1 cannot find any false strong forward witness for the wormhole connecting the two malicious nodes without being detected.

Proof: Let (x, y, M1, M2) be the subchain of p containing the strong open wormhole between the only two malicious nodes M1 and M2 (Assumption I) – the simpler case where y = S is omitted. By definition, there is no strong forward witness connecting y and M2. Thus, M1 with the help of M2 would have to forge a fake RREQ message including the partial path (· · · , y, w, M2) to force Algorithm 1 to find the fake witness w.

First suppose that y receives the RREP message from M1 (see Fig. 4a). If w is a legitimate neighbour of y, y accepts the message and rebroadcasts it. Then, w verifies the signature of the message, rejects it and broadcasts a signed warning message. It is important here that M1 cannot impersonate M2 for w during the neighbour discovery process (Assumptions II to IV). If w is not a legitimate neighbour of y, y verifies the signature of the message, rejects it and broadcasts a warning message.

Now suppose that M1 impersonates y and unicasts the RREP message directly to x. When x rebroadcasts the message, y detects an anomaly, verifies the signature of the message and broadcasts a signed warning message. This applies also if M1 impersonates any node in the path between S and M1. Thus, any fake witness can be fought back from a legitimate node.

Lemma 4.4: Let p be a path containing a strong open wormhole. Algorithm 2 cannot find any weak forward witness for the wormhole connecting the two malicious nodes without being detected.

Proof: Let (M1, M2) be the subchain of p containing the strong open wormhole between the only two malicious nodes M1 and M2 (Assumption I) and let (· · · , M2, w, y, · · ·) be the reverse path taken by the confirmation RREP message for the d-level witness, i.e. $w \in L_{G_{RREQ}}(S, d)$ and $y \in L_{G_{RREQ}}(S, d - 1)$ (see Fig. 4b). By definition, there is no weak forward witness connecting y and M2. Thus, M1 with the help of M2 would have to forge a fake RREQ message including the partial path (· · · , y, w, M2) to force Algorithm 2 to find the fake witness w.

First suppose that w receives the confirmation RREP message from M2 through M1 (see Fig. 4b). Then, w verifies the signature of the message, rejects it and broadcasts a signed warning message. It is crucial that M1 cannot impersonate M2 for w during the neighbour discovery process (Assumptions II to IV).

Now suppose that M1 tries to impersonate w and unicasts the confirmation RREP message directly to y. This can be discarded by asking y to unicast an acknowledgement to w. Thus, any fake witness can be fought back from a legitimate node.

For efficiency, an intermediate node validates the signature of a message only if it claims falsely that the node is connected to another node, showing an inconsistency, or if it is a warning message. Thus, if there is no attack, the intermediate nodes do not have to do any cryptographic processing. This is an important improvement on the solution proposed by Wang et al. [1].

Finally, the malicious nodes M1 and M2 can cause denials of service by altering the information provided during the source routing protocol. They can add or remove nodes in the messages. This can be prevented by secure source routing protocols [13]. However, these protocols are quite demanding and do not prevent strong open wormhole attacks.

V. SIMULATION RESULTS

The last point to verify is if the WIM-DSR protocol would detect numerous false attacks. A program simulating 100 static nodes randomly distributed in a 1000m × 1000m square has been developed. Each simulation analyzes the paths connecting all the possible pairs of source and destination nodes in the set. Each experiment presented here corresponds to the average of 1000 simulations on independent sets. The objective is to determine how many pairs of source and destination nodes do not have fully witnessed paths in a given set of points. These pairs would represent the false positive alarms for the protocol.

The network density is important for ad-hoc networks. For a given region, there are two ways to increase the density: (1) increase the number of nodes or (2) increase the transmission range of the nodes. Since the complexity of the simulation program depends on the number of nodes, the number of nodes is fixed and different range values are used.

It is essential to find a lower bound on the transmission range to assure that $G(r)$ would be connected or, at least, would have a large connected component containing most of its nodes. The properties of such graphs on a unit torus have been studied extensively. It has been proven that such a graph with n nodes is connected with a high probability if the transmission range is at least $\sqrt{\frac{\ln n + O(1)}{\pi n}}$ [14]. Such a bound has been observed during the simulations in the plane. Only 128, 44 and 17 cases out of 1000 simulations were not connected for 190m, 210m and 230m, respectively. It seems that the bound is greater in the plane since the border nodes are not connected to the opposite border nodes contrary to the torus case. Thus, 210m seems the minimal lower bound on the transmission range to consider.

We are now ready to present the results of our simulations.

TABLE II
PERCENTAGE OF PAIRS OF NODES (AVERAGE ON 1000 SIMULATIONS)

Paths                                   190m     210m     230m
Paths with length = 1                   9.6%     11.5%    13.5%
Paths with length = 2
  Strong fully witnessed paths          9.2%     12.5%    15.9%
  No witnessed paths                    5.0%     5.2%     5.3%
Paths with length > 2
  Strong fully witnessed paths          56.4%    62.9%    62.7%
  If not, weak fully witnessed paths    6.1%     3.5%     1.4%
No path between the pair of nodes       0.4%     0.1%     0.05%
No witnessed path (false positive)      13.2%    4.3%     1.1%

It should be noted that a non-negligible number of pairs of nodes at distance 2 do not have any strong witness. Since the source and the destination are not malicious, no Layer-3 wormhole is possible in such a case. Thus, these cases can be dismissed.

Therefore, for an appropriate network density (210m or 230m), only a few pairs of nodes (false positive alarms) cannot find fully witnessed paths. In such cases, they should pay closer attention to their communications.

VI. CONCLUSIONS

We introduce a new approach preventing strong open wormhole attacks. The WIM-DSR protocol uses the information collected by the destination node during the route discovery process of a multipath routing protocol to detect suspicious behaviour. The results obtained in this paper show that the WIM-DSR protocol is able to detect all strong open wormhole attacks with a very low rate of false positive alarms. This solution does not require any cryptographic processing by the intermediate nodes, if no attack takes place. This represents an improvement on the solution presented by Wang et al. [1].

In future works, we will focus on relaxing the assumptions on which WIM-DSR relies. In particular, we will investigate how to allow more malicious nodes.

ACKNOWLEDGMENT

This research has been partially supported by a Discovery grant of the Natural Sciences and Engineering Research Council (NSERC) of Canada.

REFERENCES

[1] W. Wang, B. Bhargava, Y. Lu, and X. Wu, “Defending against wormhole attacks in mobile ad hoc networks,” Wireless Communications and Mobile Computing, vol. 6, pp. 483–502, 2006.

[2] L. Buttyan and J.-P. Hubaux, Security and Cooperation in Wireless Networks. Cambridge University Press, 2008.

[3] Y.-C. Hu, A. Perrig, and D. Johnson, “Wormhole attacks in wireless networks,” IEEE Journal on Selected Areas in Communications, vol. 24, pp. 370–380, 2006.

[4] S. Capkun, L. Buttyan, and J.-P. Hubaux, “Sector: secure tracking of node encounters in multi-hop wireless networks,” in Proc. of the 1st ACM workshop on Security of ad hoc and sensor networks (SASN), 2003, pp. 21–32.

[5] L. Hu and D. Evans, “Using directional antennas to prevent wormhole attacks,” in Proc. of the Network and Distributed System Security Symposium, 2004.

[6] A. A. Pirzada and C. McDonald, “Detecting and evading wormholes in mobile ad-hoc wireless networks,” Int. Journal of Network Security, vol. 3, pp. 191–202, 2006.

[7] I. Khalil, S. Bagchi, and N. B. Shroff, “Liteworp: Detection and isolation of the wormhole attack in static multihop wireless networks,” Computer Networks, vol. 51, pp. 3750–3772, 2007.

[8] ——, “Mobiworp: Mitigation of the wormhole attack in mobile multihop wireless networks,” Ad Hoc Networks, vol. 6, pp. 344–362, 2008.

[9] L. Qian, N. Song, and X. Li, “Detection of wormhole attacks in multi-path routed wireless ad hoc networks: a statistical analysis approach,” Journal of Network and Computer Applications, vol. 30, pp. 308–330, 2007.

[10] D. Johnson and D. Maltz, Dynamic Source Routing in Ad Hoc Wireless Networks. Kluwer Academic Publishers, ch. 5, pp. 153–181.

[11] S. Lee and M. Gerla, “Split multipath routing with maximally disjoint paths in ad hoc networks,” in Proc. of the IEEE International Conference on Communications, 2001, pp. 3201–3205.

[12] J. Newsome, E. Shi, D. Song, and A. Perrig, “The sybil attack in sensor networks: analysis & defenses,” in Proc. of the 3rd International Symposium on Information Processing in Sensor Networks, 2004, pp. 259–268.

[13] Y.-C. Hu, A. Perrig, and D. Johnson, “Ariadne: A secure on-demand routing protocol for ad hoc networks,” Wireless Networks, vol. 11, pp. 21–38, 2005.

[14] M. Penrose, “On k-connectivity for a geometric random graph,” Random Structures and Algorithms, vol. 15, pp. 145–164, 1999.
