CLUSTER-BASED CERTIFICATE REVOCATION IN MOBILE AD-HOC NETWORK USING FUZZY LOGIC Dipti S Sawant 1, Prof. E. Jayanthi 2 1,2

Transcription

1 CLUSTER-BASED CERTIFICATE REVOCATION IN MOBILE AD-HOC NETWORK USING FUZZY LOGIC Dipti S Sawant 1, Prof. E. Jayanthi 2 1,2 Department of Computer Engineering, Sinhgad College of Engineering, Pune, India. ABSTRACT: Mobile Ad-hoc NETwork (MANET) is a type of wireless communication network and it consists of multiple wireless mobile nodes. Security is an important issue in Mobile Ad-hoc NETworks. It is difficult to secure MANET because of its dynamic topology and lack of infrastructure. Certificate Revocation is widely used and reliable method to secure the MANET. Certificate Revocation isolates the malicious nodes from further participating in network activities. In this paper, we propose Cluster-based Certificate Revocation system using fuzzy logic. In this approach, nodes are self-organized to form a cluster. The Cluster Head (CH) plays an important role in detecting the falsely accused nodes within its cluster and revoking their certificates to solve the issue of false accusation. Fuzzy logic is used to distinguish normal nodes from the malicious nodes. Cluster-based Certificate Revocation system using fuzzy logic enhances the network security and performance of MANET. It also shows real-time results in terms of revocation time. Keywords: Mobile Ad-hoc Networks (MANETs), Security, Certificate Authority (CA), Clustering Technique, Certificate Revocation, Certificate Recovery, Fuzzy Logic. [1] INTRODUCTION Mobile Ad-hoc NETwork (MANET) is a collection of wireless nodes such as laptops, cell phones, walkie-talkie etc. [1]. These nodes can be dynamically set up anywhere and anytime without using any pre-existing infrastructure. Fig. 1 shows structure of MANET. All the nodes in the network are mobile devices; due to this MANET does not have any fixed topology [1]. These nodes can communicate with each other via radio waves. In MANET communication is not limited within a range. Communication in MANET is achieved by intermediate nodes i.e. mobile nodes uses multi-hop communication [1]. MANET is an open network environment [8]. In an open network environment, mobile nodes can join and leave the network at any time. That means MANETs are in dynamic nature. This wireless and dynamic nature of MANET makes them more vulnerable to various types of security attacks than wired networks. Any un-trusted node can join the network at any time [8] and this cause the damage to the network by either dropping the packets or provides wrong information to the network i.e. mobile nodes can be attacked by malicious attackers and these attackers can disrupt the security. Protecting the normal nodes from the malicious attacks must be achieved by using certification. Certificates are signed by Certificate Authority (CA) to make sure that, nodes can communicate with each other in the network. CA acts as a Trusted Third Party (TTP). CA is 41

2 Cluster-Based Certificate Revocation In Mobile Ad-Hoc Network Using Fuzzy Logic responsible for distribution and management of the certificates. Management of the certificate includes issuing and revoking of certificates. Before nodes can join the network, they have to acquire a valid certificate from Certificate Authority (CA). There are different security services provided in the cryptography such as authentication, confidentiality, integrity, non-repudiation and availability [9]. CA can distribute certificates to all nodes in a network. Mechanism performed by the CA plays an important role. Before nodes can join the network, they have to acquire a valid certificate from Certificate Authority (CA). There are different security services provided in the such as Figure: 1. Mobile Ad-hoc NETwork (MANET) Structure authentication, confidentiality, integrity, non-repudiation and availability [9]. CA can distribute certificates to all nodes in a network. Mechanism performed by the CA plays an important role in enhancing a network security. When any node in a network performs some malicious activity that time concept of certificate revocation is considered to provide a security. Malicious nodes will try to remove the normal nodes from the network by falsely accusing them as an attacker. Therefore issue of false accusation must be considered during designing of certificate revocation mechanism. Cluster-based Certificate Revocation technique is used to address this issue and it is also able to quickly revoke the certificates of malicious node. The reminder of this paper is organized as follows. In Section 2, brief overview of the related work on certificate revocation technique in MANET is discussed. Section 3 describes the structure of the Clusterbased Certificate Revocation scheme and certificate revocation process. Also this section tells about modules included to do the cluster-based certificate revocation in MANET and mathematical model. The real-time results for Revocation time Vs Number of iterations of malicious nodes is given in section 4. Finally conclusion and future work is given in Section 5. [2] LITRATURE REVIEW Mobile Ad-hoc NETworks (MANETs) are very popular because of its infrastructure less nature. Security is an important issue in Mobile Ad-hoc NETworks. It is difficult to secure MANET because of its dynamic topology and lack of infrastructure. As the number of malicious nodes increases in the network, performance is degraded. Certificate Revocation is one of the solutions to remove the malicious nodes completely from a network. So, the network performance is improved. So that, security can also increases. Certificate revocation helps to quickly revoke malicious node s certificates and recover falsely accused node s certificates. 42

3 Certificate revocation isolates the malicious node s from further participating in network activities [1]. Any data with a digital signature is known as a certificate. Certification is considered as a primary task to secure network communication. A certificate revocation lists and removes the certificates of the nodes, which are detected to launch attacks on neighborhoods [1]. Thus, nodes which launch the attacks are removed from the network. In this way, certificate revocation provides secure communication in MANET. URSA (Ubiquitous and Robust Security Architecture) paper published in October 2004 written by H. Luo et al. [4] and properties written by G. Arboit et al. [5] outlined the votingbased mechanism. Suicide for the Common Good paper published in July 2006 written by J. Clulow et al. [6] outlined the non-voting-based mechanism. The existing Certificate Revocation in MANET falls under two basic categories [1], [8]: 1. Voting-based mechanism and 2. Non-voting-based mechanism. [2.1] VOTING-BASED MECHANISM In voting-based mechanism, malicious attacker s certificate is revoked through the votes from the valid neighboring nodes [1]. This mechanism is based on URSA (Ubiquitous and Robust Security Architecture) proposed by H. Luo et al. [4] and by G. Arboit et al. [5]. In URSA proposed by H. Luo et al. [4], the certificates of newly joining nodes are issued by their neighboring nodes. It does not have Certificate Authority (CA). The certificate of a malicious node is revoked on the basis of votes from its neighboring nodes. Each node performs one-hop monitoring, and exchanges monitoring information with its neighboring nodes. When the number of negative votes exceeds a threshold number, the certificate of the accused node will be revoked. Revoking the certificate of a voted node implies isolation of that node from network activities. It does not solve problem of false accusation. The scheme proposed by G. Arboit et al. [5] allows all nodes in the network to vote together. Like URSA, Certificate Authority (CA) not exists in the network. Instead of that, each node monitors the behavior of its neighbors. The main difference from URSA is that, nodes vote with variable weights. The weight of a node is calculated in terms of the reliability and trustworthiness of the node and that is derived from its past behaviors, like the number of accusations against other nodes and that against itself from others. The certificate of an accused node is revoked, when the weighted sum from voters against the node exceeds a predefined threshold. By doing so, the accuracy of certificate revocation can be improved. Since, all nodes are required to participate in each voting, the communications overhead is quite high, and it also increases the revocation time. [2.2] NON-VOTING-BASED MECHANISM In non-voting-based mechanism, a given node deemed as a malicious node will be decided gby any node with a valid certificate [1]. 43

4 Cluster-Based Certificate Revocation In Mobile Ad-Hoc Network Using Fuzzy Logic Suicide for the Common Good strategy proposed by J. Clulow et al. [6] in which, certificate revocation can be quickly completed by only one accusation. However, certificates of both the accused node and accusing node have to be revoked simultaneously. This strategy does not differentiate falsely accused nodes from malicious nodes. [2.3] LIMITATIONS OF EXISTING CERTIFICATE REVOCATION MECHANISMS Existing certificate revocation methods does not differentiate falsely accused normal nodes from properly accused malicious nodes. Because of this, the accuracy and effectiveness of the system are degraded. Table 1 : Existing Approaches of Certificate Revocation Certificate Revocation Approaches Strengths Weaknesses Decision process is slow. Voting Based Mechanism High Accuracy High overhead. Takes longer time to judge the malicious node in a network. Non-voting-based Mechanism Takes fast decision Reduce communication overhead. Takes less time to judge the malicious node in a network. [3] IMPLEMENTATION DETAILS High operational cost. Low accuracy. Low reliability. [3.1] NEED OF CLUSTER-BASED CERTIFICATION REVOCATION METHOD Certificate Revocation with existing approaches has limitation that, sometimes malicious nodes will try to remove normal nodes from the network by falsely accusing them as an attacker. Also existing voting-based and non-voting-based mechanisms are having certain limitations in terms of cost, speed, accuracy, reliability and communication overhead. Cluster-based Certificate Revocation approach can address this issue of false accusation. By the formation of cluster, it is easy to exchange the information between the interacting nodes. Cluster Head (CH) plays an important role in detecting the falsely accused nodes within its cluster and revoking their certificates to solve the issue of false accusation [7]. It will try to achieve quick revocation and small overhead as compared to voting-based mechanism and improves the reliability and accuracy as compared to non-voting-based mechanism. Thus, Cluster-based Certificate Revocation has ability to enhance the network security, performance and trustworthiness of MANET using fuzzy logic. 44

5 [3.2] CLUSTER-BASED CERTIFICATE REVOCATION SYSTEM ARCHITECTURE Cluster-based Certificate Revocation System Architecture is given below in Fig. 2. [3.3] CONCEPT OF CERTIFICATE REVOCATION Certificate Revocation is an important task of removing the certificates of the malicious nodes from the network. If any node is misbehaved, it should be removed from the network by revoking the certificate. Cluster-based Certificate Revocation [1] involves two basic tasks such as: 1. Procedure of Revoking Malicious Certificates 2. Addressing False Accusation (Certificate Recovery) Figure 2- System Architecture [3.3.1] PROCEDURE OF REVOKING MALICIOUS NODE CERTIFICATES The revocation procedure starts at detecting the presence of malicious node. If certificate is valid, the accused node is considered as a malicious node and it is put into the BL. At the same time, the accusing node is present in the WL. Finally, CA broadcasts the information of BL and WL to all the nodes present in the network. Nodes that are present in the BL are successfully revoked from the network [1]. For example, a malicious node supposes node Praful-PC launches attacks within its one-hop communication range, as shown in Fig. 3. ` Figure 3. The procedure of revoking malicious node s certificate 45

6 Cluster-Based Certificate Revocation In Mobile Ad-Hoc Network Using Fuzzy Logic Where, Circle= Represents cluster, Praful-PC = Malicious Node, Hp-pc-PC and Praful-PC = Cluster Member, Swati-PC = Cluster Head, CA (Server) = Certificate Authority Process of Revoking Malicious node s Certificates: Malicious node such as node Praful-PC launches attack on the neighboring nodes Swati-PC and hp-pc-pc. If attacks are detected, each of them sends out a packet to the CA against Malicious node Praful-PC. Upon receiving packet (e.g., from node hp-pc-pc), the CA will check for hp-pc-pc s validation and then it will hold hp-pc-pc in WL and Praful-PC in the BL. CA broadcast the revocation message to all nodes in the network. Finally, nodes update their local WL and BL to revoke node Praful-PC s Certificate. [3.3.2] ADDRESSING FASLE ACCUSATION (CERTIFICATE RECOVERY) The CA broadcasts the information of the WL and BL to all the nodes (machines) present in the network. If there is a false accusation, then the nodes update their BL and WL from the CA. Since the CH does not identify any attacks from a particular malicious node present in the BL from the CA, the CH becomes aware of the occurrence of false accusation against its CM. Then, the CH sends a Recovery Packet (RP) to the CA in order to get back this member or node from the network. When the CA accepts the Recovery Packet and verifies the validity of the sender node, the falsely accused node will be free from the BL and put them in the WL. Furthermore, the CA propagates this information to all the nodes present in the network [1]. The diagrammatic representation of coping with false accusation (certificate recovery) is described in the following Fig. 4. Where, Circle = Represents cluster, Figure 4. The procedure of addressing false accusation 46

7 Praful-PC and hp-pc-pc = Cluster Members, Swati-PC = Cluster Heads, CA( Server) = Certificate Authority, Procedure for addressing False Accusation: The CA broadcast the information of WL and BL to all the nodes (machines) in the network. CH such as node Swati-PC updates their WL and BL, and determines that node Praful- PC was framed. Swati-PC sends a Recovery Packet (RP) to the CA to get the falsely accused node Praful-PC. Upon receiving the Recovery Packet (e.g., from Swati-PC), the CA removes node Praful-PC from the BL and put node Praful-PC in the WL, and then CA will inform to all other nodes in a network. The nodes revise their WL and BL to recover node Praful-PC. [3.4] MODULES OF PROPOSED CLUSTER-BASED CERTIFICATE REVOCATION SCHEME USING FUZZY LOGIC [3.4.1] MODULE 1- NETWORK FORMATION Network formation is the first module of the proposed scheme. The name itself will indicate that, it is used to create the network topology according to user requirement. To build the network, user needs to specify how many number of nodes N needs to be present in the network, so the network get created as per the user requirements. If user specifies N=4 then, this module creates the network with 4 nodes. Following are some situations in which this module is not able to create network: If user has not provided the value of number of nodes N. If user has specified the negative value for the N. If user has given the floating value for the N. In these 3 situations this module is not able to create the network. [3.4.2] MODULE 2- CERTIFICATE AUTHORITY (CA) Certificate Authority (CA) acts as a Trusted Third Party (TTP) and it is also used to management of certificates. Cluster-based certificate revocation scheme includes two lists such as Warning List (WL) and Black List (BL). CA updates these two lists and then they are used to hold accusing and accused nodes information, respectively. BL is responsible for holding malicious node and WL is used to hold the corresponding accusing node. CA updates each list according to the received control packets. After that, the CA broadcasts the information of the WL and BL to the entire network in order to revoke the certificates of nodes which are present in the BL and isolate those nodes from the network [1]. 47

8 Cluster-Based Certificate Revocation In Mobile Ad-Hoc Network Using Fuzzy Logic [3.4.3] MODULE 3- CERTIFICATE DISTRIBUTION The first duty of a node after creating a network, CA distributes certificate to all the nodes present in a network. Each node in the network would have to broadcast its certificate at least once after entering the network.this certificate would contain information such as owners id, issuer id, date of issue and time of expiration. The information in the certificate would helpful to find whether the node is trustable to communicate or not. We provide RSA encryption mechanism for the secure communication between the network nodes. [3.4.3] MODULE 4- CERTIFICATE ACQUISITION AND CERTIFICATE STORING In our scheme, the individual nodes within a network are responsible for all key management tasks, except issuing of certificates. Before nodes can join the network, they have to acquire a valid certificate from Certificate Authority (CA). It is also expected to have the public keys of the CA s that issued the certificates of the nodes. [3.4.4] MODULE 5- CLUSTER FORMATION Clustering is the method of grouping the nodes present in the MANET [7]. Due to cluster formation it is easy to exchange information between the interacting nodes. There can be more than one cluster and these clusters are communicated with each other. Nodes within this cluster are called as Cluster Members (CM). Every cluster will have Cluster Members (CMs) and a Cluster Head (CH). Cluster Heads are the backbone for communication in the network. Cluster Head (CH) is also called as a manager of the cluster. All the nodes will have certificate before joining the network, which they receive from certificate authority (CA). Fig. 5 shows the cluster members, cluster head. Figure 5. Cluster Formation Fig. 5 shows that there is availability of Custer Heads (CH) in each cluster, which maintains the information of other nodes. 48

9 Figure 6. Cluster Communication Both Cluster Head (CH) and Cluster Members (CM s) are located within the transmission range of their CH shown in Fig. 6. The CH node sends a CH hello packet (CHP) to all of its neighboring nodes and those nodes are in CHs transmission range will accept the packet and replies with CM hello packet (CMP). This process is called as Cluster Head (CH) selection process. In other words, to maintain a cluster, CH and CM frequently confirms their existence by exchanging messages. After this they will join the cluster. So when it moves out of one range it can search for another CHP and join new cluster [3]. [3.4.5] MODULE 6- NON-VOTING-BASED SCHEME WITH FUZZY LOGIC In non-voting-based scheme, a network node with a valid certificate can accuse node for a malicious node and after node is accused, the Cluster Head (CH) is responsible for detecting and solving the certificate revocation into the cluster. This module includes the concept of certificate revocation. This module is used to revoke the certificate of the node, which has been detected as a malicious node. With the help of fuzzy logic, we will find the malicious nodes from the network accurately by calculating Trust Values of a node at CA and CH. TV = (TV CA + TV CH ) / 2 Where, TV - Trust Value TV CA - Trust Value at Certificate Authority (CA) TV CH - Trust Value at Cluster Head (CH) Fig. 7. and Fig 8. Shows Membership Function (MF) for both CA and CH respectively. Figure 7. Membership Function for CA 49

10 Cluster-Based Certificate Revocation In Mobile Ad-Hoc Network Using Fuzzy Logic Figure 8. Membership Function for CH On the basis of two parameters, we have defined trust values in Table II and it s equivalent membership function is shown in Fig. 9. Figure 9. Membership Function for Trust Table 2: Fuzzy trust Value Linguistic Trust Range Fuzzy Numbers Malicious Below to 0.6 Not Malicious Above to 1 In this paper, following steps are used for calculating trust value of nodes [11]: 1. Assigning a Membership values to CA (Certificate Authority) and CH (Cluster Head) as a input and trust value as a output in Mamdani Fuzzy Inference System Using MATLAB R2010a. 2. Develop Fuzzy Rule Base. 3. Get crisp and fuzzy trust value. For each linguistic input variables (i. e. CA and CH), three linguistic terms (i. e. Low, High, Medium etc.) have been assigned. We may assign more linguistic terms like Very Low, Very High etc. There are 9 rules are taken into consideration to show the results in this paper. These trust values are shown in Table III. 50

11 Table 3: Trust Value Rules Rule If CA and CH Then 1 Low Low Malicious 2 Low Medium Malicious 3 Low High Non Malicious 4 Medium Low Malicious 5 Medium Medium Non Malicious 6 Medium High Non Malicious 7 High Low Non Malicious 8 High Medium Non Malicious 9 High High Non Malicious Fuzzy logic is used to distinguish malicious nodes from the non-malicious nodes [10]. [4] RESULTS AND DISSCUSSION In this section, the Revocation time for proposed Cluster-based Certificate Revocation is evaluated. Cluster-based Certificate Revocation scheme combined with merits of both voting-based and non-voting-based mechanisms, to revoke the malicious node s certificate. The proposed Cluster-based Certificate Revocation scheme has number of advantages over the existing certificate revocation such as: Distinguish normal nodes from the malicious nodes using fuzzy logic. Solves the problem of false accusation. It is more effective and reliable. It is more efficient to revoke the certificate of malicious nodes. Reduces revocation time. Achieves more security. In this section we discuss the real-time results of our proposed method using JAVA language. The purpose of our system is to evaluate the performance in terms of revocation time. Malicious node launches the attacks within the one-hop transmission range. [4.1] DETECTION TIME Here, we analyze the detection time required for detection of malicious node. Detection time represents the amount of time needed to detect the malicious node in a network. [4.2] REVOKED TIME Here, we also analyze the revoked time required for revoking the malicious node from the network. Revoked time represents the time needed to revoke the detected malicious node from the network. 51

12 Cluster-Based Certificate Revocation In Mobile Ad-Hoc Network Using Fuzzy Logic [4.3] REVOCATION TIME Here, we calculate the revocation time for all the malicious nodes. Revocation time is an important factor for evaluating the performance of the revocation scheme. Revocation time is defined as the time from an attacker node s launching an attack until its certificate is revoked. Revocation Time = (revoked Time detection Time) The result shows that, graph of number of iterations of malicious node Vs Time (in Milliseconds). Table 4 Figure 10 Revocation Time [5] CONCLUSION AND FUTURE SCOPE Mobile Ad-hoc network is vulnerable to various types of attacks due to its dynamic topology and infrastructure less nature. Now a day, there are many certificate revocation methods for MANET, but they all have certain limitations and weaknesses. It is only capable for certificate revocation. The proposed Cluster-based Certificate Revocation do both certificate revocation and detect false accusation in a real-time. In future, the accuracy and efficiency of the cluster-based certificate revocation method can be improved by recovering the normal node present in Warning List (WL) using Threshold-based mechanism and so that, increase the availability of normal node in the cluster. Because of this, there is a quick revocation of malicious node s certificate. [6] ACKNOWLEDGMENT It gives me a great pleasure to present the paper on Cluster-based Certificate Revocation in Mobile Ad-Hoc Network using Fuzzy Logic. I would like to express my gratitude to my guide for providing me the constant encouragement and guidance at every stage of this work. I am also thankful to Prof. P. R. Futane, Head of Computer Engineering Department for their kind support and valuable suggestions for this research work. 52

13 REFERENCES [1] Liu, Wei, et al. "Cluster-based certificate revocation with vindication capability for mobile ad hoc networks." Parallel and Distributed Systems, IEEE Transactions on 24.2 (2013): [2] Liu, Wei, et al. "A study on certificate revocation in mobile ad hoc networks."communications (ICC), 2011 IEEE International Conference on. IEEE, [3] Park, Kyul, et al. "Certificate revocation to cope with false accusations in mobile ad hoc networks." Vehicular Technology Conference (VTC 2010-Spring), 2010 IEEE 71st. IEEE, [4] H. Luo, J. Kong, P. Zerfos, S. Lu, and L. Zhang, URSA: ubiquitous and robust access control for mobile ad hoc networks, IEEE/ACM Trans. Networking, vol. 12, no. 6, pp , Oct.2004 [5] G. Arboit, C. Crepeau, C. R. Davis, and M. Maheswaran, A Localized Certificate Revocation Scheme for Mobile Ad Hoc Networks, Ad Hoc Network, vol. 6, no. 1, pp , Jan [6] Clulow, Jolyon, and Tyler Moore. "Suicide for the common good: a new strategy for credential revocation in self-organizing systems." ACM SIGOPS Operating Systems Review 40.3 (2006): [7] Attokaren, Ann Grace, and A. I. Khan. "Survey on Certificate Revocation Scheme for Mobile Ad Hoc Networks." International Journal of Computer Science & Information Technologies 5.3 (2014). [8] Shamsi, Nausheen, Ranjana B. Nagagoudar, and Amareshwari Patil. "Efficient Certificate Revocation with Vindication Capability for Mobile Ad-Hoc Networks."International Journal of Computer Science & Information Technologies 5.3 (2014). [9] Sakarindr, Pitipatana, and Nirwan Ansari. "Security services in group communications over wireless infrastructure, mobile ad hoc, and wireless sensor networks." Wireless Communications, IEEE 14.5 (2007): [10] Manoj V, Mohammed Aaqib, Raghavendiran N and Vijayan R NOVEL SECURITY FRAMEWORK USING TRUST AND FUZZY LOGIC IN MANET, International Journal of Distributed and Parallel Systems (IJDPS), Vol.3, No.1, January [11] Mahalle, Parikshit N., et al. "A fuzzy approach to trust based access control in internet of things." Wireless Communications, Vehicular Technology, Information Theory and Aerospace & Electronic Systems (VITAE), rd International Conference on. IEEE,