
DSSAM: digitally signed secure acknowledgement method for mobile ad hoc network

Abstract

A mobile ad hoc network (MANET) is an infrastructure-less, self-motivated, arbitrary, self-configuring, rapidly changing, multi-hop network with bandwidth-constrained wireless links and no centrally managed router support. In such a network, the wireless medium is easy to snoop. It is hard to secure access to any node, and easy to insert bad elements or attackers into the network for malicious activities. Therefore, security becomes one of the significant considerations for such networks. The deployment of an effective intrusion detection system is important in order to provide protection against various attacks. In this paper, a Digitally Signed Secure Acknowledgement Method (DSSAM) using the RSA digital signature is proposed and simulated. Three parameters are considered for study, namely secure acknowledgment, node authentication, and packet authentication. This article observes the DSSAM performance and compares it with two existing standard methods, namely Watchdog and 2-ACK, under a standard Dynamic Source Routing (DSR) environment. In the end, it is observed that the rate of detection of malicious behaviour is better with the proposed method. However, the associated overheads are high. A trade-off between performance and overhead has been considered.

Introduction

The MANET is a decentralized kind of network, where nodes relay packets to each other on the store-and-forward principle, i.e. nodes may also act as routers, finding and maintaining routes to one another. Here, nodes can join and leave freely without centralized control. Generally, due to the varying velocity of mobile nodes, the network topology may vary arbitrarily and rapidly in an irregular way. Therefore, frequent link breakage is quite common. The movements of nodes are independent of one another, unlike other networks, which use dedicated nodes to support functions such as network management, packet forwarding, and routing [1]. In ad hoc networks, these functions are distributed to all available nodes, and the environment causes the nodes to be easily captured and compromised. Hence, it is essential to provide security measures [2, 3], and security in MANET is a crucial consideration. In addition, routing operations could also be easily compromised if safety measures are not integrated into the network functions.

In general, routing protocols in MANETs are designed with the assumption that every participating node will fully cooperate with the others. This network does not have any centrally administered services. All network functions, such as network control, routing, packet forwarding, and switching, are carried out between terminals (nodes) either in cooperation or independently. Therefore, coordination between nodes is required. However, due to its open characteristics and the restricted battery power of nodes, malicious activities can also take place in this network. Moreover, the structure of a MANET may differ with its application, from small, static networks to dynamic, highly mobile ones (vehicular, FANET, etc.) and large-scale networks that are highly energy constrained [4, 5].

In the MANET environment, an array of mobile wireless nodes is interconnected either for generic aims, such as time-critical applications like tactical, law enforcement, and emergency operations, or for distinct goals, such as only sharing their resources to ensure global connectivity [6]. However, a few resources, for example battery power, are consumed rapidly as participating nodes have to perform network functions. When node power is the prime factor in a particular environment, a node may refuse to share its own resources in order to save battery power [8]. Such participating nodes are termed misbehaving or selfish nodes, and their activities are called misbehaviour or selfishness [10]. This kind of network is a cooperative network, so a significant amount of control overhead packets is already needed to provide good cooperation among participant nodes. Therefore, security measures are generally not implemented in the protocols in order to keep the overhead low, i.e. nodes are not checked for maliciousness. For this reason, MANETs are easy targets for attackers. The most common way for attackers to perform malicious activity is to inject non-cooperative nodes into the network. Therefore, the development and implementation of an intrusion detection system becomes one of the prime duties in this network.

Various techniques [7, 9, 11–20] have already been presented in the literature to identify and reduce the effect of such misbehaving or selfish nodes in MANET and VANET (vehicular ad hoc network) environments; that is, past works cover intrusion detection and prevention techniques. Many of these techniques have been evaluated based on performance metrics and routing schemes of MANETs. Among them, Watchdog, Pathrater, and 2-ACK [11, 23] are the most prominent, as they can significantly identify and reduce the impact of network maliciousness. Watchdog provides a mechanism to recognize bad elements in the network by overhearing the wireless transmission medium and is a passive overhearing method, while the Pathrater technique does not allow malicious nodes to participate in route determination. The 2-ACK security scheme reduces the bad effect of such malicious elements. From previously reported work, one can observe that various issues such as ambiguous and receiver collisions, false misbehaviour, and limited transmission range still need to be addressed and can be considered weaknesses of the most prominent security techniques.

Our proposed system uses a cryptographic mechanism to make the network secure and tries to overcome the above-mentioned weaknesses. Three important security aspects of MANET are considered, namely secure acknowledgment, node authentication, and packet authentication. The presented DSSAM performs better in identifying malicious nodes and their activities, but at the cost of a significant amount of overhead.

DSSAM is well suited to various Internet of things (IoT) application scenarios, where it is applicable as a security solution for terminal-to-terminal communication in hybrid ad hoc networks. IoT is the next era of communication, in which physical objects can be empowered to create, receive, and exchange data seamlessly, including in heterogeneous network environments. The various IoT applications focus on automating different tasks and try to empower inanimate physical objects to act without any human intervention. Existing and upcoming IoT applications are highly promising for increasing the level of comfort, efficiency, and automation for users. Realizing such an ecosystem as it continues to grow requires better security, authentication, privacy, and recovery from attacks. In this respect, it is imperative to make the required modifications in the design of IoT applications to achieve secure IoT environments. In this paper, the improvement from Watchdog to 2-ACK and then from 2-ACK to the DSSAM method is discussed in detail, considering a few performance metrics. The proposed DSSAM approach will help to achieve a high degree of trust and increase the level of security in potentially useful IoT applications with hybrid environments, such as:

  a. Smart transportation system.

  b. Smart agriculture and animal farming.

  c. Smart emergencies environment.

  d. Smart communication at defence scenario.

  e. Smart commercial, residential and industrial area, and many more.

Motivations and principal contributions

Over the last few decades, the outlook of wireless networking has changed drastically due to fast growth in wireless technologies and the requirements of new wireless services and applications. The wireless industry has experienced unparalleled growth, from satellite broadcasts into countless households to Wireless Personal Area Networks (WPAN) [13], VANET [15], WSN [16], etc. Consequently, the cost of wireless access has fallen; hence, it can replace wired access in many respects. One of the greatest advantages of wireless is that it provides connectivity among users while roaming. However, the distance between users is limited by the short range of the transmitter or their vicinity to a Wireless Access Point (WAP) [13]. Later, from the 70s onward, the development of MANET overcame this problem by involving intermediate nodes to forward data packets to nodes outside the range [1, 2].

One of the most vibrant and rapidly growing fields nowadays is the MANET, also called the wireless mobile multi-hop or mobile packet radio network. Significant research has been going on in this area for nearly fifty years. Due to its infrastructure-less, self-configuring, and self-motivated properties, MANET has possible future applications in different fields such as tactical environments, emergency operations, home and enterprise, commercial, civilian environments, traffic environment [19], location-aware services, and extension of coverage [8, 14]. This network is vulnerable due to its important features such as distributed service, open medium, autonomous terminals, dynamic topology, lightweight terminals, asymmetrical communication, fluctuating link capacity, and constrained capability [27]. These fundamental characteristics introduce several challenges for researchers in the MANET environment, of which security is one of the most significant. MANET can maximize its Quality of Service (QoS) parameters such as throughput, Packet Delivery Fraction (PDF), etc., by using all the intermediate nodes available to route and forward packets. However, a node can behave badly by refusing to provide services or dropping packets in the network due to its selfishness, malicious activity, etc. [28, 29]. Identifying and preventing misbehaving nodes can be one of the biggest challenges for such a network. The principal contributions of the current research article are as follows:

  a. The state of the art of various user authentication schemes and intrusion detection strategies has been analysed for the MANET and WSN environment.

  b. The MANET application layer has attracted vast attention from the research and scientific community during the last few decades. As a result, many user authentication techniques for MANET and WSN have been proposed and published in the literature. Among them, a few most closely relevant to our proposed method are explored.

  c. The article also discusses the possible security attacks on different security goals along with their targets and prevention schemes.

  d. Due to the open and decentralized characteristics of MANET, misbehaving or suspicious nodes may be involved in the process of route discovery. Further, they may refuse to provide information/services in the network, i.e. deny forwarding the data packets. Therefore, this article tries to identify the existing intrusion detection systems that can identify and prevent disruptive network operations.

  e. Existing intrusion detection techniques such as Watchdog and 2-ACK are explored in terms of their strengths and weaknesses.

  f. To provide secure authentication and an acknowledgment mechanism in MANET, we propose DSSAM, which is based on the RSA digital signature. This scheme overcomes weaknesses of existing intrusion detection techniques such as receiver collision and the false identity problem.

  g. Finally, the proposed authentication approach has been compared with the current techniques.

This research article is structured as follows: the next section presents background with a literature survey of related work in this area, followed by a discussion of intrusion detection techniques. After that, the digital signature and the need for it, including the signature creation and verification steps, are discussed, followed by the problem definition and the proposed method. Further, the performance of DSSAM, Watchdog, and 2-ACK is evaluated through a simulation study, followed by results and discussion. Finally, the article presents its conclusion and possible future scope.

Literature survey

This section presents the work reported by several scientists and researchers on the state of the art of secure acknowledgment in MANET, WSN, and related domains.

The work in [23] explained routing misbehaviour in MANETs and suggested a 2-ACK technique for identifying and minimizing the impact of selfish nodes in the routing. 2-ACK is based on a simple 2-hop acknowledgment packet that is returned by the receiver of the next-hop link. The 2-ACK mechanism operates as an alternative routing scheme strategy for detecting routing misconduct and reducing its adverse effects. The 2-ACK mechanism solves several problems, including limited transmission power, ambiguous collisions, and receiver collisions. The 2-ACK scheme can be used efficiently with DSR in MANET. The Trust Aware Routing Protocol (TARP), an advanced secure routing mechanism based on the level of trust, was presented and evaluated in [24]. TARP is a technique that allows for the search of safe routes in MANET. The authors measured the trust parameter based on a defined set of parameters and used it in TARP. The study shows that TARP will improve an ad hoc network's defence and rising routing congestion while preserving a reasonable route discovery period and an appropriate pause. The routing traffic relates specifically to the collection of nodes that meet the sender's requirements. Two techniques, Watchdog and Pathrater, that help to increase ad hoc network throughput are explained in [11]. Both methods are extensions of the DSR algorithm that reduce the impact of routing misbehaviour in ad hoc networks. Watchdog identifies nodes that are misbehaving, and the Pathrater strategy helps routing protocols avoid sending packets through those nodes. The yield of these two strategies improves the efficiency of a relatively mobile network by 17 per cent, thus growing the ratio of overhead transmission to data transmission from 9 to 17 per cent of the regular routing protocol.

Black hole attacks are a serious and widespread problem in mobile ad hoc networks [25]. That work focuses on the vulnerabilities of MANET and looks at black hole attacks. The authors presented an enhanced algorithm called Radical Watchdog and Pathrater for recognizing and removing black hole attacks. In [26], the authors introduced a scheme called cluster-based trust to alleviate internal attacks. In this research, the network is divided into cluster groups. Every cluster is certified as having a cluster head. Each node determines the trust value of its one-hop neighbours and delivers it to the cluster head. In addition, the cluster head gives its participant nodes a certificate of confidence. This mechanism gives a good packet delivery fraction and resilience to internal attacks. A novel technique is proposed in [27] to secure MANETs by addressing network configuration and security issues during the response and recovery phase. This work analysed the threats to security, presented the security goals to be achieved, and set up a stable key management system in an ad hoc communication environment. A MANET-based algorithm for effective security and trust management is provided in [28]. In the sense that the produced nonce is not easily detectable, the time-based nonce is produced at specific time intervals that give the suggested approach reliability. It has been compared with the already existing trust-based approach and shows better detection performance for security threats in MANET. Several techniques for circumventing host anti-virus signatures, for example reverse engineering, repacking, and hex editing, are discussed in [29]. Comprehensive comparison studies were conducted of various methods by which malware could reach hosts from outside the network. A new honey-net-based intrusion detection technique is also discussed.
A complete survey of intrusion detection systems (IDSs) in MANETs is presented in [30, 31]. The authors categorize the architectures for intrusion detection frameworks in the MANET, each of which is suited to evaluating and comparing various network infrastructures on node cooperation. Similarly, in another work [21], the authors proposed a pseudonym-generation-based genetic algorithm to solve the location privacy problem in vehicular ad hoc networks, and thus guaranteed untraceability by an adversary. Further, the authors of [22] study physical layer security issues in the vehicular environment. They show how the secrecy capacity and secrecy outage probability of a vehicular network can be improved with respect to the source power and eavesdropper distance.

Given the vast applications of WSNs, ensuring that information available via sensor nodes is accessible only to permitted users is often an open challenge. In the review work [32, 33], twenty-two features that a secure user authentication mechanism should have are presented, and seven possible schemes are then tested against the specified features. The analysis starts from Wong's work [34] in 2006 and concludes with Vaidya et al.’s technique implemented in 2012 [35]. In each scheme, user impersonation and gateway node (GWN) bypass attacks are likely. Almost no scheme provides consumer confidentiality and repairability in case of failure or theft of smart cards. A scheme that only withstands an impersonation attack by a sensor node and a parallel session attack [36]. The replication attack and the fake verifier attack can only be taken on scheme suggested by Wong et al.’s and Tseng et al.’s in [34, 37]. Yoo et al.'s scheme offers mutual authentication between SN and GWN, and Khan-Alghatbar's scheme achieves mutual authentication between users and GWN and even between SN and GWN [36, 38]. Just one scheme avoids DoS attacks and offers hidden parameter protection to the gateway node. In short, no scheme is completely protected with respect to all available features and all the strategies meet no authentication feature. Network communication security is one of the most important challenges in WSN [39]. HWSNs have optimized network capacity and introduced high-resource network sensor nodes. An efficient adaptive authentication and key management scheme is proposed for HWSNs in this article. The proposed protocol provides authentication and key management for HWSNs along with optimization of security level, memory consumption, computational complexity, and coordination overhead, which in effect enhances energy efficiency.
The key distribution algorithm described here for producing dynamic keys relies on pre-existing information. Therefore, the exchange of keys does not involve a secure channel and the process of sharing, which increases security and energy efficiency.

We carry out an extensive literature review and analyse the existing techniques for the identification and removal of different forms of attacks within the ad hoc network. Our work culminates in the design of a digitally signed secure acknowledgment algorithm for enhanced security in the ad hoc network. It aims to tackle Watchdog's limited transmission power and receiver collision problems while better securing the system through secure acknowledgment, node authentication, and packet authentication using a digital signature technique.

Preliminary studies

The presence of attackers in the network cannot be taken lightly. Therefore, the basic functionality of the different attacks that may impact the various security schemes of MANET needs to be understood. In this section, a few essential parameters such as security goals, attack models, and usability attributes are discussed. This section also describes intrusion detection schemes such as Watchdog and 2-ACK. These preliminary studies are needed for a better understanding of our proposed security mechanism, DSSAM.

Security goals, security attack models, and usability attributes

This subsection presents various attacks that MANETs are supposed to resist. It also presents the useful features that the proposed authentication method should offer to provide an amicable and reliable security mechanism. The different security goals, such as confidentiality, integrity, availability, and end-to-end authentication, may be threatened by various security attacks [33, 40]. A comparative study of various security attacks in terms of their targets and prevention is given in Table 1 [41].

Table 1 Comparative study of various security attacks: target and prevention

Security goals (SG)

The different kinds of security goals are as given:

  a. SG1. Confidentiality: All communicating individuals (i.e. approved parties) can understand the content of a message.

  b. SG2. Integrity: Guarantee that the message received by another individual is the same as the message originally sent by the sender when it was inserted into the network (i.e. the message will not be modified in any way).

  c. SG3. Availability: Message shall be made accessible only to authorized entities.

  d. SG4. Authentication: Guarantee that anyone sending or accessing the sensitive message has to be approved.

Security attack (SA) models

Figure 1 also shows different security threats as follows:

Fig. 1 Various possible security attacks

  a. SA1. Snooping: This is a passive type of attack relating to unauthorized access to or interception of communications content. SA1 may be prevented by using encipherment methods to make the content of communications unintelligible.

  b. SA2. Traffic analysis: Such attackers basically study the communication patterns within the MANET environment.

    • Network traffic monitoring: e.g. log files, Web pages, etc.

    • Seeking to obtain valuable statistical information: e.g. who interacts with whom, where, and for how long, and who cares about what content, etc.

  c. SA3. Modification: This is something of a deliberate kind of attack. After accessing the information, attackers attempt to change it for their own benefit. In this scenario, attackers also often seek to delete or interrupt the message, to harm or benefit the system.

  d. SA4. Masquerading: A masquerading or spoofing attack may be mounted on the mobile ad hoc network, in which the attacker impersonates someone else. First, an intruder intercepts one or more legitimate authentication requests. Later, the intruder modifies the request so that it passes MANET's authentication test and gains authorization to access services inside the network.

  e. SA5. Replaying: In this SA model, the intruder obtains a copy of a message received by the legitimate user in order either to access the MANET or to trick the lawful user by claiming to be a genuine service provider. If the intruder fails, the assault could be considered a replay defence threat.

  f. SA6. Repudiation: This is a different kind of attack from those mentioned before. SA6 is conducted by one of the two permitted communicating parties within the MANET, either the source or the destination. In this case, the message sender later denies that he sent the message, or the receiver later denies that he received it.

  g. SA7. DoS: This is an aggressive kind of attack and generally very common. It can slow down or completely disrupt a system/network service [30]. In this scenario, attackers may use several ways to reach the target. They can inject so many fake requests into the network that the server crashes due to the heavy traffic load. If the intruder succeeds in launching this attack, the MANET node becomes unresponsive, and no one can connect to it.

Usability attributes (UA)

Along with resistance to different attacks, the proposed MANET authentication scheme also supports various usability attributes. These usability attributes are listed in Table 2 with their descriptions.

Table 2 Important usability attributes of authentication mechanism with its description

Intrusion detection techniques in MANETs

Each node in MANETs presumes that other nodes work together to transmit and receive data. This gives attackers the opportunity to carry out malicious operations with a few compromised nodes on the network. To address this problem, three important functions, namely prevention, detection, and recovery, have been considered [31]. These functions provide three-layered security to MANETs. This section discusses the intrusion detection system, usually the second security layer [32], through two classical detection approaches, namely 2-ACK and Watchdog.

Watchdog method

The Watchdog methodology acts as a DSR extension. It provides a component named Watchdog that detects misbehaving nodes, and a component called Pathrater that calculates a path avoiding these nodes. Each node on the network must run these modules. Watchdog listens promiscuously to the transmissions of the next node and checks that the node forwards the received packet correctly. The Watchdog can also detect whether the node has altered the payload. The main question for this method is how to perform this check; the solution is to match each overheard packet against the buffer of recently sent packets. The Pathrater module processes the data that the Watchdog gathers to score every other node it knows in the network and calculates a route metric derived from the node scores in the route. Packets should then be routed along the path with the highest metric. This scheme can never be turned against the network because such conduct will be detected easily. A misbehaving node X may falsely report that node B does not forward packets in a route A–X–B–C–D. Nonetheless, the acknowledgment of a message from A to D travels correctly from D to A (node X cannot drop packets or their acknowledgments, because both A and B would consider this misbehaviour), and then A is aware that B is not misbehaving because it is part of the route.

Considering a path A–B–C, the drawback of this framework is that in the following situations the Watchdog operating in node A may fail to identify a misbehaving node:

  • There may be a packet collision at A while A is listening to B. In this scenario, A cannot tell whether the collision was caused by B forwarding the packet (well-behaving) or by another node transmitting while B did not forward the packet (misbehaving).

  • A listens to B forwarding to C, and it seems that B correctly transmits the packet. Node A, however, cannot determine whether the packet was received by C or collided at C and B did not re-send it (misbehaving).

  • Node B can adjust its transmission power (misbehaving) so that A detects that B is transmitting a packet to C while C does not receive it.

  • Nodes B and C (both misbehaving) can cooperate to launch an attack. Node B forwards a packet to C correctly, but it does not report that C drops the packet.

  • Node B can drop packets at a rate lower than the minimum misbehaviour threshold of A's Watchdog.

The method described above can be better understood with the block diagram of Fig. 2, which shows how it detects misbehaving nodes [11]. Suppose a path runs from node S to D through A, B, and C. A is not capable of transmitting to C, but it can listen to B. So, A can tell whether B forwarded the packet. If encryption is not performed on each link (which is itself an expensive and complex affair), then A can also tell whether B has tampered with either the payload or the header.

Fig. 2 Watchdog method

The DSR routing protocol can identify misconduct at the forwarding point. The weakness of Watchdog is that it may not be able to detect a misbehaving node in the presence of the following:

  • Ambiguous collisions,

  • Collisions with receiver,

  • Limited transmission power,

  • False misbehaviour,

  • Collision and partial dropping.
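The Watchdog check that node A runs on its next hop B, as an added Python example (not code from the paper or from any Watchdog implementation): A buffers a digest of each packet it hands to B, matches overheard frames against that buffer, and keeps a failure tally. The class and function names, the timeout, the tally threshold and the constructed traces are assumptions; the traces show that a collision at A is counted exactly like a drop, and that a tally below the threshold is never reported.

```python
import hashlib
from collections import Counter


class Watchdog:
    """Runs on node A and checks that the next hop forwards what A handed it."""

    def __init__(self, timeout_ms, threshold):
        self.timeout_ms = timeout_ms
        self.threshold = threshold    # tally above which a neighbour is reported
        self.buffer = {}              # pkt_id -> (next hop, payload digest, deadline)
        self.failures = Counter()     # next hop -> failure tally
        self.tampered = Counter()     # next hop -> forwards with altered payload

    def sent(self, pkt_id, next_hop, payload, now_ms):
        """A hands a packet to next_hop and remembers what it should overhear."""
        digest = hashlib.sha256(payload).digest()
        self.buffer[pkt_id] = (next_hop, digest, now_ms + self.timeout_ms)

    def tick(self, now_ms):
        """Packets not overheard in time count against the next hop."""
        for pkt_id, (hop, _, deadline) in list(self.buffer.items()):
            if deadline <= now_ms:
                del self.buffer[pkt_id]
                self.failures[hop] += 1

    def overheard(self, pkt_id, sender, payload, now_ms):
        """Handle one frame A hears in promiscuous mode."""
        self.tick(now_ms)
        entry = self.buffer.get(pkt_id)
        if entry is None or entry[0] != sender:
            return "ignored"          # not a packet A is waiting on from this hop
        del self.buffer[pkt_id]
        if hashlib.sha256(payload).digest() != entry[1]:
            self.failures[sender] += 1
            self.tampered[sender] += 1
            return "tampered"
        return "ok"

    def flagged(self, now_ms):
        """Neighbours whose failure tally exceeds the threshold."""
        self.tick(now_ms)
        return sorted(h for h, n in self.failures.items() if n > self.threshold)


def run_trace(outcomes, threshold, timeout_ms=200, interval_ms=100):
    """Replay a constructed trace of what B does with each packet A sends.

    Outcomes: "forward", "tamper", "drop" (B never transmits) or "collision"
    (B transmits but A cannot decode it). Returns (failures, tampered, flagged).
    """
    wd = Watchdog(timeout_ms, threshold)
    for pkt_id, outcome in enumerate(outcomes):
        now = pkt_id * interval_ms
        payload = b"data-%d" % pkt_id
        wd.sent(pkt_id, "B", payload, now)
        if outcome == "forward":
            wd.overheard(pkt_id, "B", payload, now + 10)
        elif outcome == "tamper":
            wd.overheard(pkt_id, "B", payload + b"!", now + 10)
        # "drop" and "collision": A hears nothing, so it cannot tell them apart.
    flagged = wd.flagged(len(outcomes) * interval_ms + timeout_ms)
    return wd.failures["B"], wd.tampered["B"], flagged


if __name__ == "__main__":
    traces = {
        "honest": ["forward"] * 10,
        "drops 4 of 10": ["forward"] * 6 + ["drop"] * 4,
        "honest, 4 collisions at A": ["forward"] * 6 + ["collision"] * 4,
        "drops 2 of 10": ["forward"] * 8 + ["drop"] * 2,
    }
    for name, trace in traces.items():
        print(name, run_trace(trace, threshold=3))
```
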

2-ACK method

2-ACK is a network layer strategy for detecting misbehaving links and mitigating their impact. This technique can be implemented as an extension to established routing protocols such as DSR in MANETs. A 2-ACK packet is assigned a fixed two-hop path in the direction opposite to the data traffic route. Liu et al. [23] proposed the 2-ACK method to overcome the weaknesses of Watchdog; it aims to overcome Watchdog's limited transmission power and receiver collision problems. Each data packet is acknowledged over a two-hop distance by every set of three consecutive nodes along the path from source to destination. In this way, it detects misbehaving links. Suppose three consecutive nodes (a triplet) along a path are N1, N2, and N3. Node N1 will deliver packet 1 to N2, and N2 will deliver the same to N3.

Upon receiving the packet, N3 generates a 2-ACK packet containing the reverse path between N3 and N1 and returns it to N1. This message, when received by N1, shows that the packet was successfully delivered from N1 to N3; otherwise, if the 2-ACK packet is not delivered within a predefined time, both N2 and N3 are identified as malicious. The same procedure applies to each set of three successive nodes along the remaining route. Acknowledging each packet transmission in this way adds a considerable amount of unwanted network overhead [42, 43].

The method can be better understood with a block diagram and a more explicit description. Figure 3 shows the working model of the 2-ACK method. The route discovery process of DSR in the MANET finds the path from a source node (S) to a destination node (D). When N1 delivers a data packet to N2, and N2 forwards it to N3, it is uncertain whether N3 receives the data packet successfully. This uncertainty exists even when no nodes are misbehaving. The problem becomes even more serious in open MANETs with potentially misbehaving nodes. The 2-ACK scheme requires an explicit acknowledgment from N3 to notify N1 of its successful reception of a data packet. If node N3 receives the data packet successfully, it sends a 2-ACK packet to N1 over two hops (i.e. in the direction opposite to the routing path, as shown) with the ID of the associated data packet. The triplet [N1 → N2 → N3] follows the direction of the original data traffic. N1 uses such a triplet to monitor the N2 → N3 link. For simplicity of presentation, we refer to N1 as the 2-ACK packet receiver or observing node and to N3 as the 2-ACK packet sender in the triplet [N1 → N2 → N3]. Such a 2-ACK exchange takes place for every triplet along the path. Consequently, only the first router from the source does not act as a 2-ACK packet sender, and the last router just before the destination and the destination itself do not act as 2-ACK receivers. To detect misbehaviour, the 2-ACK packet sender keeps a record of the IDs of data packets that were sent but not acknowledged. For example, after N1 sends a data packet on a particular path, say [N1 → N2 → N3] shown in Fig. 3, it adds the data ID to LIST (see Fig. 4, showing the data structure maintained by the observing node), i.e. to its list corresponding to N2 → N3. At the same time, a counter of data packets transmitted, Cpkts, is incremented.

Fig. 3 2-ACK method

Fig. 4 Data structure maintained by the observing node

Each ID remains on the list at N1 for τ seconds, the reception timeout for the 2-ACK. If a 2-ACK packet matching this ID arrives before the timeout expires, the ID is deleted from the list. Otherwise, the ID is deleted at the end of its timeout period and a counter called Cmis is incremented. When N3 receives a data packet, it decides whether to send a 2-ACK packet to N1. To reduce the extra routing overhead caused by the 2-ACK method, only a fraction of the data packets are acknowledged with 2-ACK packets. This fraction is called the acknowledgment ratio, Rack. By adjusting Rack, we can balance the overhead of 2-ACK packet transfers. Node N1 observes the behaviour of nodes N2 and N3 for a period called Tobs. At the end of the observation period, N1 calculates the ratio of missing 2-ACK packets as Cmis / Cpkts and compares it with a threshold Rmis. If the ratio is greater than Rmis, the link N2 → N3 is deemed to be misbehaving and N1 sends out a RERR packet (or misbehaviour notification). Since only a fraction of the received data packets are acknowledged, Rmis should satisfy Rmis > (1 − Rack) in order to eliminate the false alarms that this partial acknowledgment technique would otherwise trigger. Each node that receives or overhears such a RERR marks the link N2 → N3 as misbehaving and adds it to the blacklist of misbehaving links that it maintains. When a node later starts its own data flow, it avoids using such misbehaving links as part of its route. Figure 5 gives the 2-ACK method in pseudo-code, a formal representation of the 2-ACK execution process, for the 2-ACK packet sender side (N3) and the observing node side (N1).

Fig. 5 2-ACK execution process
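The observer-side bookkeeping described above (LIST, Cpkts, Cmis, the timeout τ and the Rmis threshold) can be exercised with a small simulation. This is an added example, not the paper's pseudo-code or simulator; the class and function names, the 10 ms packet spacing, the 20 ms acknowledgment delay and N3's rule for picking which packets to acknowledge are assumptions, while τ = 0.12 s, Rack = 0.25, Rmis = 0.80 and Tobs = 0.9 s are the page's simulation values.

```python
from dataclasses import dataclass, field


@dataclass
class LinkObserver:
    """State kept by observing node N1 for one triplet [N1 -> N2 -> N3]."""
    tau_ms: int = 120      # 2-ACK reception timeout (0.12 s in the page's set-up)
    r_mis: float = 0.80    # acknowledgment miss ratio threshold Rmis
    pending: dict = field(default_factory=dict)  # LIST: data ID -> send time (ms)
    c_pkts: int = 0        # Cpkts: data packets sent over N2 -> N3
    c_mis: int = 0         # Cmis: IDs that timed out without a matching 2-ACK

    def _expire(self, now_ms):
        # Drop every ID whose timeout has elapsed and count it as a miss.
        for data_id, sent in list(self.pending.items()):
            if now_ms - sent >= self.tau_ms:
                del self.pending[data_id]
                self.c_mis += 1

    def on_data_sent(self, data_id, now_ms):
        self._expire(now_ms)
        self.pending[data_id] = now_ms
        self.c_pkts += 1

    def on_2ack(self, data_id, now_ms):
        """True if the 2-ACK cleared a pending ID, False if it arrived too late."""
        self._expire(now_ms)
        return self.pending.pop(data_id, None) is not None

    def end_of_observation(self, now_ms):
        """At the end of Tobs: (Cmis / Cpkts, link N2 -> N3 declared misbehaving?)."""
        self._expire(now_ms)
        ratio = self.c_mis / self.c_pkts if self.c_pkts else 0.0
        return ratio, ratio > self.r_mis


def simulate(n_packets, n2_forwards, r_ack=0.25, r_mis=0.80,
             ack_delay_ms=20, spacing_ms=10, tobs_ms=900):
    """Replay one observation period; n2_forwards(i) says whether N2 relays packet i.

    Assumed selection rule: N3 acknowledges a received packet whenever
    floor(received * Rack) increases, i.e. every 4th packet for Rack = 0.25.
    """
    observer = LinkObserver(r_mis=r_mis)
    events, received = [], 0
    for i in range(n_packets):
        sent_at = i * spacing_ms
        events.append((sent_at, 0, i))                 # N1 sends data packet i
        if n2_forwards(i):
            received += 1
            if int(received * r_ack) > int((received - 1) * r_ack):
                events.append((sent_at + ack_delay_ms, 1, i))  # 2-ACK reaches N1
    for when, kind, data_id in sorted(events):
        if kind == 0:
            observer.on_data_sent(data_id, when)
        else:
            observer.on_2ack(data_id, when)
    return observer.end_of_observation(tobs_ms)


if __name__ == "__main__":
    print("honest link      ", simulate(60, lambda i: True))
    print("N2 drops all     ", simulate(60, lambda i: False))
    print("N2 drops half    ", simulate(60, lambda i: i % 2 == 0))
    print("Rmis <= 1 - Rack ", simulate(60, lambda i: True, r_mis=0.70))
```

With Rack = 0.25 a well-behaved link still shows a miss ratio of 0.75, which is why the threshold must sit above 1 − Rack; the last call shows the false alarm that results when it does not.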

Digital signature

In the conventional signature scheme, a handwritten signature is attached to a document to indicate that the signer is responsible for it. The importance of signatures can be seen in everyday situations such as signing a contract, withdrawing money from a bank, and writing a letter. In today's digital world, the digital signature is one of the main identification and authentication mechanisms. It is a process for signing a message stored in electronic form, after which the signed message can be sent over the network towards its destination. It allows the source user to create a code for the message that acts as a signature. In a public-key set-up, a digital signature for a message can be created by taking a hash value of the message and encrypting (signing) it with the signer's own private key. Essentially, a digital signature guarantees the integrity of the message and the identity of the signer. The digital signature scheme offers a set of security capabilities that are very hard to implement in any other way.

Needs of digital signature

In general, message authentication protects two communicating parties that exchange messages against any third party, but it does not protect the two parties against each other. Several forms of dispute between the two parties are possible, such as the following:

  a. The receiving party (Bob) may create a different message and claim that it came from the source party (Alice). To do this, Bob creates a message and attaches an authentication code to it using the key that Alice and Bob previously shared.

  b. After sending a message, Alice can later deny that she sent it to Bob. Bob then has no way to prove that this message was in fact received from Alice.

In both of the above situations, there is no complete trust between the two communicating parties. For this reason, something more than authentication is required.

The best way to avoid the above problem is to use a digital signature, which is analogous to a handwritten signature. A digital signature must have the following attributes:

  • It must be able to verify the identity of the sender along with the date and time of the signature.

  • It must be able to authenticate the content of the information at the time of signature.

  • If a dispute arises, a third party must be able to verify it.

Digital signature techniques

Any digital signature technique includes two components: the signing algorithm (SIGNK) and the signature verification algorithm (SIGN_VERk). Both should be polynomial-time functions of a key drawn from the key space. The first is kept secret, and the second is publicly available. The formal steps for creating a digital signature and verifying it are presented in Table 3. Consider two communicating parties, a sender Alice and a receiver Bob. Alice creates the message (X) and signs (encrypts) it using the signature function (S), which depends on her own private key (d). After receiving the signed message Y = S(X), Bob verifies (decrypts) it using Alice's public key (e), which is available in the Public Key Directory (PKD). For a pair (X, Y) of message and signature, the verification algorithm returns either true or false, depending on whether the signature Y is valid for the message X.

Table 3 Formal Way to Create and Verify Digital Signature Technique

The hash function (hash code) and the possible techniques for creating a digital signature are shown in Fig. 6. A hash function (H) can be applied to a block of data of any, variable length and generates a fixed-length output, as shown in Fig. 6a. A hash function is required because applying the digital signature scheme to a large message is very costly, especially in the public-key set-up. Figure 6b, c shows the creation of the digital signature and its verification in the symmetric and public-key set-ups, respectively. In the symmetric key set-up, Bob can play the role of the adversary by modifying the original content of a message, and Alice has no way to prove what her actual message was. These issues can be avoided by the public-key set-up. However, both the public and the symmetric key set-ups provide only authentication; the confidentiality of the information is not preserved. Both user authentication and confidentiality of the information can be achieved with the signature creation schemes of Fig. 6d, e, because there the message is not sent directly. In both schemes, the signing is done with Alice's private key, and the result is then sent over the channel using a symmetric shared key and Bob's public key, respectively. The state of the art includes several digital signature schemes, such as RSA, El-Gamal, and the Rabin algorithm. Here, the RSA digital signature algorithm has been used.

Fig. 6 a Hash function and digital signature; b symmetric key set-up; c public key set-up; d both public and symmetric key set-up; e public key set-up only

RSA digital signature scheme

The Rivest, Shamir, and Adleman (RSA) cryptosystem can be used to provide a digital signature, in which case it is known as the RSA digital signature scheme. The set-up required to create an RSA signature is given in Table 4, and Fig. 7 illustrates the creation and verification of an RSA digital signature. The RSA algorithm [44] provides secure data transmission in a public-key cryptosystem and supports digital signatures, including the message recovery scheme. Key generation for the RSA digital signature is similar to key generation in RSA.

Table 4 Key generation phase in the RSA set-up

Fig. 7 RSA digital signature: creation and verification

Problem definition

The proposed approach is designed to solve three shortcomings of the Watchdog system, namely receiver collision, limited transmission power, and the false identity problem. In the case of receiver collisions (Fig. 8), after node I transmits Packet 1 to J, it tries to overhear whether J forwards this packet to K; meanwhile, X is forwarding Packet 2 to K. In this case, I overhears that J has successfully forwarded Packet 1 to K but fails to detect that K did not receive the packet because of a collision between Packet 1 and Packet 2 at K.

Fig. 8 Receiver collisions

In the case of limited transmission power (Fig. 9), J purposely reduces its transmission power to preserve its own battery life, so that its transmission is strong enough to be overheard by I but not strong enough to be received by K.

Fig. 9 Limited transmission power

In the case of a false misbehaviour report (Fig. 10), although node I successfully overheard that J forwarded Packet 1 to K, I still reports J as misbehaving. Because of the versatile platform and remote distribution of MANETs, attackers can easily capture and compromise nodes in order to carry out this false misbehaviour report attack.

Fig. 10 False misbehaviour report

Proposed method: DSSAM

DSSAM stands for Digitally Signed Secure Acknowledgement Method. It uses the digital signature technique to prevent an attacker from falsifying packets. DSSAM consists of three major activities:

  A. Secure ACK,

  B. Node authentication,

  C. Packet authentication

DSSAM builds on the 2-ACK method, which already overcomes two basic problems of the Watchdog approach, namely limited transmission capacity and collision with the receiver. On top of that, we address the false misbehaviour problem through secure acknowledgment, node authentication, and packet authentication. Such detection schemes depend largely on acknowledgment packets. Hence, it is very important to guarantee that acknowledgment packets are valid, authentic, and secure. For this purpose, a digital signature is introduced.

We provide a two-layered defence. In the first layer, additional bits are allocated to carry sequence numbers, with the transmission time kept fixed, so that the sequence of packets within a given interval can be determined. This is done for the transmission of both packets and acknowledgments. The second layer protects the forwarded packets by attaching a digital signature. According to the DSR draft [45, 46], seven bits are reserved in the DSR header, and these seven bits are used to maintain the sequence numbers. We assume bi-directional communication links and that neither the source nor the destination is malicious. Both data packets and acknowledgment packets must be digitally signed by the source and authenticated by the destination. In our proposed scheme, RSA is used to encrypt the packet.
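The hash-then-sign RSA scheme from the digital signature sections, applied to a DSSAM-style signed 2-ACK with a 7-bit sequence number, can be sketched as follows. This is an added example, not the paper's Botan-based implementation: the function names, the acknowledgment layout, the mapping of data ID to sequence number and the dictionary standing in for the Public Key Directory are assumptions, and the unpadded textbook RSA with keys built from publicly known Mersenne primes is for illustration only.

```python
import hashlib

E = 65537  # public exponent e


def make_keypair(p, q):
    """Textbook RSA key generation: returns (public (n, e), private (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest(message, n):
    """SHA-256 hash of the message as an integer below n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private):
    n, d = private
    return pow(digest(message, n), d, n)          # Y = H(X)^d mod n


def verify(message, signature, public):
    n, e = public
    return 0 <= signature < n and pow(signature, e, n) == digest(message, n)


# Constructed demo keys. Mersenne primes keep the example deterministic;
# they are trivially factorable and must never be used for real keys.
N3_PUB, N3_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
N2_PUB, N2_PRIV = make_keypair(2**107 - 1, 2**607 - 1)
PKD = {"N2": N2_PUB, "N3": N3_PUB}   # stand-in for the Public Key Directory


def make_ack(sender, observer, data_id, private):
    """Build a signed 2-ACK; the 7-bit sequence number is data_id mod 128 (assumed)."""
    seq = data_id % 128
    body = f"2ACK|{sender}|{observer}|{data_id}|{seq}".encode()
    return {"sender": sender, "body": body, "sig": sign(body, private)}


def accept_ack(ack, expected_sender, observer, pending):
    """Observer-side check: node authentication, then packet authentication."""
    public = PKD.get(ack["sender"])
    if public is None or ack["sender"] != expected_sender:
        return "unexpected-sender"
    if not verify(ack["body"], ack["sig"], public):
        return "bad-signature"
    kind, sender, dst, data_id, seq = ack["body"].decode().split("|")
    if (kind, sender, dst) != ("2ACK", expected_sender, observer):
        return "wrong-triplet"
    if int(data_id) not in pending or int(seq) != int(data_id) % 128:
        return "not-pending"
    pending.discard(int(data_id))
    return "accepted"


if __name__ == "__main__":
    pending = {17, 18}                       # data IDs N1 is still waiting on
    genuine = make_ack("N3", "N1", 17, N3_PRIV)
    print(accept_ack(genuine, "N3", "N1", pending))   # accepted
    print(accept_ack(genuine, "N3", "N1", pending))   # replay: not-pending
    fake = make_ack("N3", "N1", 18, N2_PRIV)          # N2 claims to be N3
    print(accept_ack(fake, "N3", "N1", pending))      # bad-signature
```

A fake acknowledgment of the kind seeded in Case 2 fails here because N2 cannot produce a signature that verifies under N3's public key, and a replayed acknowledgment fails because its data ID is no longer pending.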

Performance evaluation

This section discusses the simulation method, the simulation set-up, and a review of the results in comparison with existing schemes, namely DSR, Watchdog, and 2-ACK.

Simulation approach

To examine the performance of DSSAM under several kinds of attack, we designed two scenarios that simulate different attacks by seeding a given proportion of misbehaving nodes in the simulation terrain:

CASE 1: First, we conducted a packet-dropping and delay attack [47]. The malicious nodes drop all the packets they receive. The purpose of this scenario is to measure the efficiency of intrusion detection against two limitations of Watchdog, namely limited transmission power and collision with the receiver, when the transmission power is fixed to a specified range.

CASE 2: This scenario examines the performance of intrusion detection systems against fake acknowledgments. Here, the malicious nodes behave more cleverly: they often drop packets and return a fake acknowledgment whenever possible.

Simulation set-up

We conducted the simulation on an Intel Core i5 2.5 GHz processor with 8 GB of 1600 MHz DDR3 main memory, modelling both the physical layer and the 802.11b MAC layer. The experiment was performed with QualNet Simulator 7.0 on a desktop machine. For each scheme, each simulation ran 10 Telnet sessions, and the average was calculated. The observation time of the 2-ACK scheme is fixed at Tobs = 0.9 s. Unless otherwise stated, the 2-ACK scheme uses an acknowledgment ratio Rack = 0.25, an acknowledgment miss ratio Rmis = 0.80, and a timeout value of T = 0.12 s. In addition to these parameters, Table 5 gives the configuration of the experimental set-up used for the simulation analysis. The performance of the proposed method was then evaluated with the percentage of malicious nodes seeded in the terrain set, in turn, to 10%, 20%, 30%, 40%, and 45%, uniformly distributed.

Table 5 Parameters for simulation

We observed the performance of DSSAM and compared it with Watchdog and 2-ACK, using Packet Delivery Fraction (PDF), Routing Overhead (RO), and Average End-to-End Delay as the performance metrics:

PDF is the ratio of the number of data packets received by the destination to the number of data packets sent by the top-layer (i.e. application-layer) sources. It indicates the loss rate that the transport protocol will experience.

$$\text{PDF} = \frac{\text{Data Packets Received}}{\text{Data Packets Sent}}$$

RO: RO is defined as the routing data of the network that consumes a proportion of the bandwidth required by an application. This additional data is called Routing Overhead.

Average End-to-End Delay: This is the average time taken by a packet to reach its final destination from the source. It is the sum of the delays at the links. The delay at a link is the sum of the following components (if retransmission is not considered):

  a. Processing delay

  b. Queuing delay

  c. Transmission delay

  d. Propagation delay

Average End-to-End Delay = Σ (tr − ts)/Pr, where ts is the packet send time and tr is the packet receive time.

During the simulation, the source node broadcasts an RREQ packet to all neighbours within its communication range. Each neighbour that receives this RREQ message appends its own address to the message and then forwards it to its own neighbours. Whenever a node receives the same RREQ more than once, it discards the duplicate. If a failed node is noticed, an RERR message is sent to the source node; in flat routing protocols such as DSR, this usually indicates a broken link. When the RREQ reaches the final destination node, that node generates an RREP message and sends it back to the source node along the reverse of the route recorded in the original RREQ message.

For the digital signature system, we adopted an open-source library called Botan [48]. For the RSA scheme, we used a 512-bit RSA key for each node in the network. We assumed that a private key and a public key had been generated for each node and distributed in advance. The key file sizes for the 512-bit keys are 256 and 512 B, respectively. The signature file size for RSA is 120 B.

Results analysis and discussion

Case 1: Here, the malicious nodes drop every packet that passes through them. Figure 11 and Table 6 show the results for Packet Delivery Fraction. The acknowledgment-based intrusion detection methods, 2-ACK and DSSAM, perform better than the Watchdog method. Our proposed method, DSSAM, outperforms Watchdog by an average of 15% when 20% of the nodes in the network are malicious. The acknowledgment-based schemes 2-ACK and DSSAM are able to detect misbehaviour in the presence of receiver collision and limited transmission capacity. Moreover, when the percentage of malicious nodes exceeds 40%, the efficiency of DSSAM is on average 17% better than that of the others. The reason is the Packet Authentication Scheme (PAS) introduced in DSSAM together with its choked-route avoidance, which is applied to subsequent transmissions that would use the same route through the same choked nodes. This applies whenever the sender waits too long for a PAS acknowledgment from the destination node, that is, when the waiting time exceeds the predefined threshold. DSSAM maintains this level only up to 50% malicious nodes; beyond 50%, the network is effectively fully compromised. Thereafter the Packet Delivery Fraction decreases again, following the general rule for any communication network: once malicious nodes make up more than 50% of the network, the rate at which the communication system breaks down doubles, relative to the normal decay rate, in every 10% slot.

Fig. 11 Case 1: Packet Delivery Fraction

Table 6 Average results outline

The Routing Overhead obtained in case 1 is shown in Fig. 12 and Table 6. DSR and the Watchdog scheme achieve better results because they do not require an acknowledgment method to detect misbehaving nodes. The remaining two schemes, 2-ACK and DSSAM, incur noticeable overhead. DSSAM requires a digital signature and an acknowledgment for all data packets, which increases the Routing Overhead. Nevertheless, DSSAM still performs well compared to other acknowledgment techniques in most cases.

Fig. 12 Case 1: Routing Overhead

The Average End-to-End Delay for case 1 is plotted in Fig. 13, and its values are tabulated in Table 6. DSR and the Watchdog method achieve better delay than 2-ACK and DSSAM because they do not require acknowledgment packets to identify misbehaving nodes. DSSAM has a higher Average End-to-End Delay because it extends 2-ACK with a digital signature, an advanced security feature that the earlier methods lack. When the percentage of malicious nodes exceeds 30%, our DSSAM framework becomes somewhat slower than the others, and even Watchdog performs better with respect to Average End-to-End Delay.

Fig. 13 Case 1: Average End-to-End Delay

Case 2: Here, we seeded malicious nodes that send a fake acknowledgment to the source node whenever possible. This case is designed to check the performance of the intrusion detection systems under fake acknowledgments. Figure 14 and Table 6 show the results for Packet Delivery Fraction. When 10% of the nodes are malicious, DSSAM's result is around 3% higher than that of 2-ACK. DSSAM outperforms all other schemes when the malicious nodes reach 20% and 30%. DSSAM keeps the PDR above 85%, which is approximately 18% higher than 2-ACK. At a few points in this case, it performs similarly to 2-ACK. We believe that the introduction of the PAS scheme in the DSSAM framework is the main contributor to this performance.

Fig. 14 Case 2: Packet Delivery Fraction

Figure 15 and Table 6 show the simulation results for Routing Overhead in case 2. In certain cases, DSSAM retains a lower network overhead than the 2-ACK and Watchdog schemes. Routing Overhead, however, grows steadily as the number of malicious nodes rises, because more digital signatures and acknowledgment packets are required. The Routing Overhead of DSSAM is higher than that of the other techniques because of its hybrid nature and the extra processing for the digital signature. However, this is compensated by a high Packet Delivery Fraction and a better level of security in packet communication.

Fig. 15 Case 2: Routing Overhead

The Average End-to-End Delay for case 2, shown in Fig. 16 and Table 6, is moderately high for the 2-ACK and DSSAM methods when 40% or more of the nodes are malicious. This high average delay arises because the 2-ACK algorithm incurs extra overhead for its two-hop, acknowledgment-based handshaking. In case 2, if more than 30% of the nodes start falsifying acknowledgments, the number of actual successful transmissions falls, because false acknowledgments increase the proportion of retransmissions needed to achieve an actual transmission. DSSAM faces the same situation as 2-ACK, but the hybrid nature of its extra security decreases the Average End-to-End Delay for DSSAM.

Fig. 16 Case 2: Average End-to-End Delay

Results summary

The results show favourable performance against Watchdog and 2-ACK under receiver collision, limited transmission power, and false acknowledgment; the proposed method also provides secure ACK with node authentication and packet authentication. DSSAM outperforms Watchdog and 2-ACK in Packet Delivery Fraction in both cases for up to 50% malicious nodes in the communication network. As regards Routing Overhead, the methods without acknowledgments achieve better results than the acknowledgment-based methods. Our proposed method also lags here, but it still performs well compared to other acknowledgment techniques in most cases. As for Average End-to-End Delay in case 1, DSR and the Watchdog method achieve better results than 2-ACK and DSSAM because they do not require an acknowledgment method to detect misbehaving nodes. DSSAM has a higher Average End-to-End Delay because it incorporates a digital signature as an advanced security feature, unlike the earlier methods.

Conclusion and future scope

There are many possible reasons for packet drops in MANETs, which fall broadly into two types: intentional and unintentional misbehaviour. Unintentional misbehaviour can be caused by an overloaded node (owing to an extreme shortage of CPU cycles and limited buffer space), collisions, and traffic delays. Packets can also be dropped because of connection errors caused by intrusion or because malicious intruders discard them. The packet-dropping attack represents a major risk to the security of MANETs. In this paper, we have described and simulated the DSSAM method in a standard environment and compared it with existing methods under different scenarios. The simulation results show improved performance over Watchdog and 2-ACK with respect to false misbehaviour acknowledgment, collision with the receiver, and limited transmission capacity. We incorporated the digital signature in the method. Although in a few circumstances it creates more Routing Overhead, it increases the network's efficiency in terms of the fraction of packets delivered. An interesting topic for future research would be to understand and estimate the performance when partially misbehaving nodes intentionally degrade performance out of greed to save their own battery power, and to estimate the battery consumption with a varying percentage of greedy nodes in the same environment.

Availability of data and materials

Not applicable.

Abbreviations

MANETs: Mobile ad hoc networks

DSSAM: Digitally Signed Secure Acknowledgement Method

DSR: Dynamic Source Routing

WSN: Wireless Sensor Network

TARP: Trust Aware Routing Protocol

IDSs: Intrusion detection system

2-ACK: Two hop acknowledgement method

SG: Security goals

SA: Security attack

DoS: Denial of Services

Cpkts: Counter of forwarded data packets

Cmis: Misbehaviour counter

SIGNK: Signing algorithm

UA: Usability attributes

SIGN_VERk: Signature verification algorithm

PKD: Public Key Directory

Tobs: Observation period of the 2-Ack scheme

Rack: Acknowledgement ratio

Rmis: Acknowledgement miss ratio

PDF: Packet Delivery Fraction

RO: Routing Overhead

References

  1. 1.

    Internet Engineering Task Force, MANET Working Group Charter, Available from: IETF MANET Group Character Sector (2013). https://tools.ietf.org/html/draft-ietf-manet-term [Last Access: 13 January 2020].

  2. 2.

    B. Wu, J. Chen, J. Wu, M. Cardei, A survey of attacks and countermeasures in MANET, in Wireless Network Security, Signals and Communication Technology, Springer, Boston, MA, 103–135 (2007). https://doi.org/10.1007/978-0-387-33112-6_5

  3. 3.

    S. Tanwar, J. Vora, S. Tyagi, N. Kumar, M.S. Obaidat, A systematic review on security issues in vehicular ad hoc network. Secur Privacy 1, 5 (2018)

    Article  Google Scholar 

  4. 4.

    J. Singh, K. Singh, Congestion control in vehicular ad hoc network: a review. Next-Gener Netw 2018, 489–496 (2018)

    Article  Google Scholar 

  5. 5.

    K. Kumar, S. Kumar, O. Kaiwartya, P.K. Kashyap, J. Lloret, H. Song, Drone assisted flying ad-hoc networks: mobility and service-oriented modeling using neuro-fuzzy. Ad Hoc Netw. 106, 102242 (2020)

    Article  Google Scholar 

  6. 6.

    H. Miranda, L. Rodrigues, Preventing selfishness in open mobile ad-hoc networks, in IEEE Proceeding Seventh CaberNet Radicals Workshop, 1–6 (October 2002).

  7. 7.

    M. Faisal, S. Abbasa, and H. U. Rahman, "Identity attack detection system for 802.11-based ad hoc networks", EURASIP Journal on Wireless Communications and Networking, 128, (2018).

  8. 8.

    L. M. Feeney, M. Nilsson, Investigating the energy consumption of a wireless network interface in an ad-hoc networking environment, in IEEE INFOCOM, Conference on Computer Communications, Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213), Anchorage, AK, USA, 1548–1557 (2001).

  9. 9.

    A. U Makarfi, K. M Rabie, O. Kaiwartya, X. Li, R. Kharel, Physical layer security in vehicular networks with reconfigurable intelligent surfaces (2019). arXiv preprint arXiv:1912.12183.

  10. 10.

    L. Buttyan, J.P. Hubaux, Security and Cooperation in Wireless Networks. A Graduate Text Book (. Cambridge University Press, Cambridge, 2007).

    Book  Google Scholar 

  11. 11.

    S. Marti, T. Giuli, K. Lai, M. Baker, Mitigating routing misbehavior in mobile ad-hoc networks, in 6th Annual International Conference on Mobile Computing and Networking, Boston, MA, USA, 255–265 (August 2000). https://doi.org/10.1145/345910.345955.

  12. 12.

    K.N. Qureshi, A.H. Abdullah, O. Kaiwartya, S. Iqbal, R.A. Butt, F. Bashir, A Dynamic congestion control scheme for safety applications in vehicular ad hoc networks. Comput. Electr. Eng. 72, 774–788 (2018)

    Article  Google Scholar 

  13. 13.

    L. Buttyan, J. P. Hubaux, Enforcing service availability in mobile ad-hoc WANs, IEEE First Annual Workshop on Mobile and Ad-hoc Networking and Computing (Cat. No.00EX444), Boston, MA, USA, USA, 87–96 (August 2000). https://doi.org/10.1109/MOBHOC.2000.869216.

  14. 14.

    J.P. Hubaux, T. Gross, J.Y. LeBoudec, M. Vetterli, Toward self-organized mobile ad-hoc networks: the terminodes project. IEEE Commun. Mag. 39(1), 118–124 (2001). https://doi.org/10.1109/35.894385

    Article  Google Scholar 

  15. 15.

    O. Kaiwartya, S. Kumar, D.K. Lobiyal, A.H. Abdullah, A.N. Hassan, Performance improvement in geographic routing for vehicular ad hoc networks. Sens. MDPI AG, Basel, Switzerland 14(12), 22342–22371 (2014). https://doi.org/10.3390/s141222342

    Article  Google Scholar 

  16. 16.

    M. Alotaibi, Security to wireless sensor networks against malicious attacks using Hamming residue method. EURASIP J. Wirel. Commun. Network. 2019, 8 (2019)

    Article  Google Scholar 

  17. 17.

    S. Buchegger, J. Y. Le Boudec, Performance analysis of the CONFIDANT protocol: cooperation of nodes, fairness in dynamic ad-hoc networks, in 3rd ACM International Symposium on Mobile Ad-hoc Networking and Computing, Switzerland, 226–236, June 2002. https://doi.org/10.1145/513800.513828

  18. 18.

    S. Zhong, J. Chen, Y.R. Yang, Sprite: A Simple, Cheat-Proof, Credit-Based System for Mobile Ad Hoc Networks, IEEE INFOCOM IEEE INFOCOM (San Francisco, USA, 2003), pp. 1–11

    Google Scholar 

  19. 19.

    O. Kaiwartya, S. Kumar, Guaranteed geocast routing protocol for vehicular adhoc networks in highway traffic environment. Wireless Pers. Commun. 83(4), 2657–2682 (2015)

    Article  Google Scholar 

  20. 20.

    M. Jakobsson, J.P. Hubaux, L. Buttyan, A micropayment scheme encouraging collaboration in multi-hop cellular networks. Financial Cryptography, Lecture Notes in Computer Science, Springer, Berlin, Heidelberg 2742, 15–33 (January 2003). https://doi.org/10.1007/978-3-540-45126-6_2

    Article  Google Scholar 

  21. 21.

    B. Chaudhary, K. Singh, Pseudonym generation using genetic algorithm in vehicular ad hoc networks. J. Discrete Math. Sci. Cryptograp. 22(4), 661–677 (2019)

    Article  Google Scholar 

  22. 22.

    A. U Makarfi, K. M Rabie, O. Kaiwartya, K. Adhikari, X. Li, M. Quiroz-Castellanos, R. Kharel, Reconfigurable intelligent surfaces-enabled vehicular networks: a physical layer security perspective (2020). arXiv preprint arXiv:2004.11288

  23. 23.

    K. Liu, J. Deng, P.K. Varshney, K. Balakrishnan, An acknowledgment-based approach for the detection of routing misbehavior in MANETs. IEEE Trans. Mobile Comput. 6(5), 536–550 (2007)

    Article  Google Scholar 

  24. 24.

    L. Abusalah, A. Khokhar, M. Guizani, Trust Aware Routing in Mobile Ad-Hoc Networks, IEEE GLOBECOM, Communications Society, San Francisco IEEE GLOBECOM, Communications Society, San Francisco (CA, USA, December 2006), pp. 1–5. https://doi.org/10.1109/GLOCOM.2006.264

    Book  Google Scholar 

  25. 25.

    N. Soganile, T. Baletlwa, B. Moyo, Hybrid Watchdog and Pathrater Algorithm for Improved Security in Mobile Ad-hoc Networks, in International Conference on Wireless Networks, ICWN'15, 162–167 (July 2015).

  26. 26.

    R. Murugan, A. Shanmugam, Cluster based trust mechanism for mitigation of internal attacks in mobile ad-hoc networks. Int. J. Soft Comput. 7(6), 294–301 (2012). https://doi.org/10.3923/ijscomp.2012.294.301

    Article  Google Scholar 

  27. 27.

    L. Zhou, Z. Haas, Securing Ad-hoc Networks. IEEE Network Mag. 13(6), 24–30 (1999)

    Article  Google Scholar 

  28. 28.

    A. Singh, M. Maheshwari, N. Kumar, “Security and Trust Management in MANET”, Information Technology and Mobile Communication, AIM 2011. Communications in Computer and Information Science, New York: Springer-Verlag. 147, 384–387 (2011). https://doi.org/10.1007/978-3-642-20573-6_67

    Article  Google Scholar 

  29. 29.

    F. Daryabar, A. Dehghantanha, H. Broujerdi, Investigation of malware defense and detection techniques. Int. J. Digit. Inf. Wirel. Commun. 1(3), 645–650 (2011)

    Google Scholar 

  30. 30.

    T. Anantvalee, J. Wu, A survey on intrusion detection in mobile ad-hoc networks, in Wireless Network Security, Springer, Boston, MA, 159–180 (2008). https://doi.org/10.1007/978-0-387-33112-6_7

  31. 31.

    Y. Zhang, W. Lee, Y. Huang, Intrusion detection techniques for mobile wireless networks. Mobile Networks and Applications, 1–16 (2003).

  32. 32.

    C. Modi, D. Patel, B. Borisaniya, H. Patel, A. Patel, M. Rajarajan, A Survey of intrusion detection techniques in cloud. J. Netw. Comput. Appl. 36(1), 42–57 (January 2013)

    Article  Google Scholar 

  33. 33.

    S. Kumari, M.K. Khan, M. Atiquzzaman, User authentication schemes for wireless sensor networks: a review. Ad-hoc Netw. 27, 159–194 (2015). https://doi.org/10.1016/j.adhoc.2014.11.018

    Article  Google Scholar 

  34. 34.

    K. Wong, Y. Zheng, J. Cao, S. Wang, A dynamic user authentication scheme for wireless sensor networks, in International Conference on Sensor Networks, Ubiquitous, Trustworthy Computing, IEEE Computer Society, Taichung, Taiwan, 244–251, (June 2006). https://doi.org/10.1109/SUTC.2006.1636182

  35. B. Vaidya, D. Makrakis, H. Mouftah, Two-factor mutual authentication with key agreement in wireless sensor networks. Secur. Commun. Netw. 9(2), 171–183 (2012). https://doi.org/10.1002/sec.517

  36. S.G. Yoo, K.Y. Park, J. Kim, A security-performance-balanced user authentication scheme for wireless sensor networks. Int. J. Distrib. Sens. Netw. 2012, 1–11 (2012). https://doi.org/10.1155/2012/382810

  37. H.R. Tseng, R.H. Jan, W. Yang, An Improved Dynamic User Authentication Scheme for Wireless Sensor Networks, in IEEE Global Communications Conference, Washington, DC, USA (November 2007), pp. 985–990. https://doi.org/10.1109/GLOCOM.2007.190

  38. M.K. Khan, K. Alghathbar, Cryptanalysis and security improvements of two-factor user authentication in wireless sensor networks. Sensors 10(3), 2450–2459 (2010). https://doi.org/10.3390/s100302450

  39. S. Athmani, A. Bilami, D.E. Boubiche, EDAK: an efficient dynamic authentication and key management mechanism for heterogeneous WSNs. Future Gener. Comput. Syst. 92, 789–799 (2017). https://doi.org/10.1016/j.future.2017.10.026

  40. P. Ballarini, L. Mokdad, Q. Monnet, Modeling tools for detecting DoS attacks in WSNs. Secur. Commun. Netw. 6, 420–436 (2013). https://doi.org/10.1002/sec.630

  41. M.A. Ferrag, L. Maglaras, A. Argyriou, D. Kosmanos, H. Janicke, Security for 4G and 5G cellular networks: a survey of existing authentication and privacy-preserving schemes. J. Netw. Comput. Appl. 101, 55–82 (2018). https://doi.org/10.1016/j.jnca.2017.10.017

  42. T. Sheltami, A. Al-Roubaiey, E. Shakshuki, A. Mahmoud, Video transmission enhancement in presence of misbehaving nodes in MANETs. Int. J. Multimedia Syst. 15(5), 273–282 (2009)

  43. A. Patwardhan, J. Parker, A. Joshi, M. Iorga, T. Karygiannis, Secure routing and intrusion detection in ad-hoc networks, in 3rd International Conference on Pervasive Computing Communication, 191–199 (August 2005)

  44. R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

  45. D. Johnson, D. Maltz, Dynamic source routing in ad-hoc wireless networks. Mobile Comput. 5, 153–181 (1996)

  46. D.B. Johnson, D.A. Maltz, J. Broch, DSR: the dynamic source routing protocol for multi-hop wireless ad-hoc networks, in Ad-hoc Networking, Chapter 5, ed. by C.E. Perkins (Addison-Wesley, London, 2001), pp. 139–172

  47. S. Om, M. Talib, Wireless Ad-hoc network under black-hole attack. Int. J. Dig. Inf. Wirel. Commun. Soc. Dig. Inf. Wirel. Commun. 1(3), 591–596 (2011)

  48. Botan: Crypto and TLS for Modern C++ Library. http://botan.randombit.net/. [Last Access: October 2019].

Funding

Not applicable.

Author information

Contributions

Ashutosh Srivastava and Sachin Kumar Gupta are the main authors of the current paper. They contributed to the development of the ideas, design of the study, theory, result analysis, and paper writing. Mohd Najim, Nitesh Sahu, Geetika Aggarwal, and Bireshwar Dass Mazumdar contributed to the result analysis and paper revision. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Sachin Kumar Gupta.

Ethics declarations

Competing interests

The authors declare that they have no competing interests.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

About this article

Cite this article

Srivastava, A., Gupta, S.K., Najim, M. et al. DSSAM: digitally signed secure acknowledgement method for mobile ad hoc network. J Wireless Com Network 2021, 12 (2021). https://doi.org/10.1186/s13638-021-01894-7

Keywords

  • Mobile ad hoc network
  • Digital signature
  • RSA
  • DSSAM
  • DSR
  • 2-ACK
  • Attacks
  • PDF
  • Routing Overhead