Ad hoc networks are generally described as those comprised of mobile, wireless nodes, where any node is capable of forwarding IP packets. Such networks have been extensively studied over the last few years, and multiple routing and other protocols have been proposed for enabling configuration and communication. The mobile and wireless nature of ad hoc networks, coupled with the possibility of any node potentially having visibility to all network traffic, has implied that they are more susceptible to malicious attacks than wire-line networks. Significant effort has been expended over the last few years on approaches for detecting, preventing, and recovering from attacks on ad hoc networks. A large proportion of this work has focused on attacks on routing protocols, since routing is a critical component of the ad hoc network infrastructure. An attack that has been studied, but not definitively addressed, and can be as damaging as routing attacks, is when malicious ad hoc network nodes selectively drop packets that are supposed to be forwarded. The presence of such a malicious packet dropping node can be detrimental to the network “good-put” even when using reliable transport protocols such as TCP. This is because the throughput of TCP flows is affected significantly when faced with packet loss rates of 5% or beyond. A malicious node could also drop critical control packets, resulting in adverse effects on the ad hoc network's stability. The problem of detecting such malicious nodes is complicated due to the wireless, and hence “lossy” nature of the network links as this blurs the distinction between malicious and accidental dropping.
Prior solutions have been designed for specific types of network traffic, and have made assumptions that are not reasonable for practical usage. Previous attempts to solve this problem have relied upon promiscuous monitoring of network links, which is not a practical assumption. This is because promiscuous monitoring suffers from various problems such as being resource intensive, being specific to a link layer technology, susceptible to evasion and insertion techniques and it is also not scalable.
In promiscuous mode, packets do not flow through the internet protocol suite (IPS). A sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating in promiscuous mode is that the IPS does not affect the packet flow with the forwarded traffic. The disadvantage of operating in promiscuous mode, however, is the IPS cannot stop malicious traffic from reaching its intended target for certain types of attacks, such as atomic attacks (single-packet attacks). The response actions implemented by promiscuous IPS devices are post-event responses and often require assistance from other networking devices, for example, routers and firewalls, to respond to an attack. While such response actions can prevent some classes of attacks, for atomic attacks, however, the single packet has the chance of reaching the target system before the promiscuous-based sensor can apply an access control list (ACL) modification on a managed device (such as a firewall, switch, or router).
The present invention provides a scalable, effective and practical approach for detection of packet-drop attacks in ad hoc networks. The invention relies upon network nodes reporting statistics regarding IP flow packets originated, received, or forwarded to neighbors. These statistics are analyzed and correlated to determine nodes suspected of dropping packets.