NIST Logo and ITL Banner Link to the NIST Homepage Link to the ITL Homepage Link to the NIST Homepage
Search CSRC:

Research Projects

Secure Communication and Service Discovery for Hybrid MANETs

The proliferation of mobile devices and the pervasiveness of wireless technology have motivated researchers to replicate network-based Service Discovery technologies in wireless and mobile networks. However, existing service discovery protocols and delivery mechanisms fall short of accommodating the complexities of the ad-hoc environment. Service Discovery in hybrid mobile ad hoc networks is challenging because of the absence of any central intelligence in the network. Our project focuses on providing secure communication and service advertisement and discovery services for hybrid ad-hoc wireless networks. Our hybrid networks are comprised of low-mobility sensors networks coupled with high-mobility wireless devices such as wireless collector nodes, PDAs or Laptops through mobile gateways. We are developing a mechanism that provides each device with the ability to advertise and discover services within its own hybrid network and across the Internet querying partner networks, through mobile Internet gateways. The communication is secured via authentication and encryption using a PKI approach that relies on distributed Certificate Authorities. NIST's AODV with new support for multicasting is chosen as the routing protocol for the mobile nodes, and Open SLP is adopted as the base-layer for the Service Advertising and Discovery modules. Open SSL is used for cryptographic services.


Back to Top

mLab

The testing of ad hoc networking protocols in a laboratory environment allows researchers the opportunity to validate theories and simulations in practice, to test simulation assumptions, and to discover practical problems facing ad hoc network users and developers alike. Testing ad hoc network implementations in a laboratory environment, however, also presents a number of challenges. The most obvious challenge is to be able to test the effects of node mobility on the ad hoc routing protocols and ad hoc applications.

mLab is a tool for ad hoc routing protocol and application developers to bridge the gap between simulations and field testing. The mLab software allows users to automatically generate arbitrary logical network topologies in order to perform real-time performance measurements of routing protocols or network applications.. By changing the logical topology of the network, mLab users can conduct tests in an ad hoc network without having to physically move the nodes in the ad hoc network. The tool allows users to replay different mobility scenarios, produces an output in the form of an adjacency matrix, and provides a framework for building ad hoc networking test tools.
The main mLab modules are:

  • A network configuration module with which the user can assign wired IP, wireless IP and wireless MAC to individual nodes;
  • The mNet module, which is responsible for generating random logical topologies based on user-defined rules;
  • A malicious node module, where the user can select from a number of attacks against a network;
  • A network traffic generator, where the user can create simple traffic between nodes using a number of different protocols (UDP-TCP and ICMP);
  • A network information tool that allows the user to view and set several options of the wireless network, including signal strength, wireless network administrative features, wireless adapter hardware, and software info; and
  • A network sniffing tool, which allows the user to observe all overheard traffic and apply filters to it.

The mLab hardware requirements are:

  • mLab server: ix86 system with Debian stable, 1 wired interface (any pci network Ethernet card 10/100) and one wireless (pci to PCMCIA wireless adapter and PCMCIA wireless network card 802.11 a/b/g).
  • mLab client:
    • ARM: CerfCube, iPAQ or Zaurus and a compact flash wireless card 802.11 a/b/g, familiar OS, kernel 2.4.19, hostap wireless drivers. [For iPAQ and Zaurus you will need USB networking]
    • ix86: Any desktop or laptop with Linux flavor (rec. Debian stable), any pci network Ethernet card 10/100, pci to PCMCIA wireless adapter and PCMCIA wireless network card 802.11 a/b/g.

For all the above devices there are ready kernels and cross tools in order to help the developers. Feel free to contact Manos Antonakakis by e-mail for further details.

Download (.tar.gz zipped file) (11.0 MB)


Back to Top

Sensor Network Security

Sensor networks are comprised of tiny, low-cost wireless electronic devices, capable of gathering environmental information and forwarding them to a base station. The limited computational and communication capabilities, that their reduced cost and size enforce, introduce a plethora of resource-related challenges in their function and efficiency, let alone security. The majority of existing security schemes and techniques are deemed unsuitable for the sensors' design constraints and require careful redesign. One of our project's goals is to design, implement and evaluate an Intrusion Detection System, which aims at transferring the computational load of its operation from the sensors to the base station. The task of intrusion detection becomes more complicated in sensor networks, given that power consumption determines the sensors' lifetime, thus the network's lifetime. As a result, any additional functionality should aim at utilizing the radio (the most ravenous component of a sensor, in terms of energy) as scarcely as possible, while requiring the least memory as possible. In addition, the need for light-weight communication protocols results in smaller headers than in other network designs, hence less information is available for an IDS . Moreover, we are trying to establish a set of metrics regarding energy consumption, memory requirements, design patterns, security features provided, etc., in order to have a common point of reference among researchers and developers when comparing protocols and applications.


Back to Top

Ad Hoc Network Security

Ad hoc networks are well suited for sensor networks comprised of small wireless electronic devices that can measure and monitor events and physical properties such as temperature, movement, pressure, and location. These sensors can be used to provide visual and audio feedback in environments not easily accessible by humans. Inexpensive wireless sensors can be used to monitor bridges, factories, highways, and buildings, for example, to help improve public safety. Mobile handheld devices such as PDAs and laptops can be used by first responders and today's emerging mobile workforce to easily and quickly set up networks to communicate with their peers. The objective of this research project is to develop security mechanisms that support secure routing, communication and intrusion detection within small-scale wireless mobile ad-hoc networks (MANET). The project team is working with the University of Maryland to implement a secure bootstrapping and routing protocol for MANETs that does not rely on pre-existing trust associations between nodes or the availability of an on-line service to establish these trust associations. The research team is also working with the University of Maryland Baltimore County (UMBC) on intrusion detection techniques for MANETs. Additional areas of research include: secure ad hoc communications, secure distributed storage management, distributed trust management, and ad hoc wireless testing tools.


Back to Top

MANET Intrusion Detection Systems

Mobile Ad hoc Networks (MANETs) present a number of unique problems for Intrusion Detection Systems (IDS). Differentiating between malicious network activity and spurious, but typical, problems associated with an ad hoc networking environment is a challenging task. In an ad hoc network, malicious nodes may enter and leave the immediate radio transmission range at random intervals or may collude with other malicious nodes to disrupt network activity and avoid detection. Malicious nodes may behave maliciously only intermittently, further complicating their detection. A node that sends out false routing information could be the one that has been compromised, or merely one that has a temporarily stale routing table due to volatile physical conditions. Dynamic topologies make it difficult to obtain a global view of the network and any approximation can become quickly outdated. Traffic monitoring in wired networks is usually performed at switches, routers and gateways, but an ad hoc network does not have these types of network elements where the IDS can collect audit data for the entire network. Network traffic can be monitored on a wired network segment, but ad hoc nodes or sensors can only monitor network traffic within its observable radio transmission range. NIST is working with the University of Maryland Baltimore County (UMBC) to simulate, implement, and test various MANET IDS.

Numerous schemes have been proposed for secure routing and Intrusion Detection for ad hoc networks. Yet, little work exists in actually implementing such schemes on small handheld devices. We have implemented a proof-of-concept prototype secure routing protocol based on AODV over IPv6, further reinforced by a routing protocol-independent Intrusion Detection System (IDS) for ad hoc networks. Security features in the routing protocol include mechanisms for nonrepudiation and authentication, without relying on the availability of a Certificate Authority (CA) or a Key Distribution Center (KDC). The design and implementation details of our system, the practical considerations involved, and how these mechanisms can be used to detect and thwart malicious attacks, are discussed in our paper "Secure Routing and Intrusion Detection for Ad Hoc Networks," published in the Proceedings of PerCom 2005. In the paper we discuss several scenarios where the secure routing and intrusion detection mechanisms isolate and deny network resources to nodes deemed malicious. You can download our proof-of-concept code here.

Download (.tar.gz zipped file)


Back to Top

Secure Routing for MANETs

The majority of the routing protocols proposed in the literature are assuming non-hostile environments. Due to its dynamically changing topology, open environment and lack of centralized security infrastructure, a MANET is extremely vulnerable to malicious node presence and to certain types of attacks that can occur. To address these concerns, several secure routing protocols have been proposed recently: SAODV, Ariadne, SEAD, CSER , SRP, SAAR, BSAR, and SBRP.

Our implementation is based on the Secure Bootstrapping and Routing Protocol proposed in BSAR. Our implementation provides trust establishment on-demand among the nodes that are collaborating to detect malicious activities. A trust relationship is established based on a dynamic evaluation of the sender's "secure IP" and of signed evidence. This routing protocol enables the source and destination nodes to establish a secure communication channel between them based on a concept of "statistically unique and cryptographically verifiable" (SUCV) identifiers which ensure a secure binding between IP addresses and keys without assuming any trusted certification authority (CA) or key distribution center (KDC). The concept of SUCV is similar to that of Cryptographically Generated Address (CGAs) and it associates a host's IPv6 address with its public key in order for other nodes to verify the ownership of the address.

The Secure Bootstrapping and Routing Protocol runs on Linux-based iPAQs and laptops properly equipped with wireless cards. The implementation has been derived from the HUT-AODV that has been implemented based on the IETF drafts: "Ad-Hoc On-Demand Distance Vector Routing (AODV)" and "Ad-Hoc On-Demand Distance Vector Routing for IP version 6". In our "SecAODV" implementation of HUT-AODV we incorporated all secure features described in BSAR and modified the logic of the program as needed. The is a joint research project between the University of Maryland and NIST.

Download (tar file)