DoS-Resistant Broadcast Authentication Protocol with Low End-to-end Delay

Transcription

1 DoS-Resistant Broadast Authentiation Protool with Low End-to-end Delay Ying Huang, Wenbo He and Klara Nahrstedt {huang, wenbohe, Department of Computer Siene University of Illinois at Urbana-Champaign Siebel Center, 1 N. Goodwin Ave. Urbana, IL 6181 Whay C. Lee Whay.Lee@motorola.om Networks and Systems Researh Center Motorola Labs 111 Loke Drive, Marlborough, MA Abstrat In mission-ritial networks, ommand, alerts, and ritial data are frequently broadast over wireless networks. Broadast traffi must be proteted from maliious attaks, wherein soures are impersonated or broadast pakets are forged. Even though broadast authentiation eliminates suh attaks, attakers an still launh Denial-of-Servie attaks by injeting substantive false pakets, whih onsume both ommuniation and omputation resoures. Due to inevitable proliferation of dupliates of broadast pakets, it is espeially important to limit false paket propagation range. Evidently, authentiating eah paket before forwarding an effetively ontain false pakets within one hop. But it results in onsiderable end-to-end delay penalty on authenti pakets. In this paper, we propose a randomized authentiation sheme, DREAM, whih ontains most of false pakets in one-hop range of attakers and yet keeps end-to-end delay relatively low. Dream also ontinuously monitors the ontextual threat and dynamially adjusts the trade-off among ontainment and end-to-end delay performane. Extensive evaluations in ns validate our idea. I. INTRODUCTION Mobile ad ho wireless networks (MANET) are deployed for many mission-ritial appliations, suh as military operations, emergeny response and disaster reovery. Often operating in multi-hop and open wireless environment, they are vulnerable to various attaks, suh as paket modifiation, impersonation, and Denial-of-Servie (DoS) attaks. Thus, the primary onern is to onsistently assure availability of ommuniation resoures, arefully grant authorized aess and prevent maliious tamper on network funtion from outside the administrative domain. Commands, alerts and data are frequently broadast network-wide to relay time-sensitive information and support ritial deision-making proess. If broadast traffi is not authentiated, soures an be impersonated and message ontent an be forged by adversaries and rivals. Misleading or false information ould ause unneessary operation or wrong deision. Thus, it is important and ommon to authentiate broadast traffi. However, without areful design, broadast authentiation may suffer from DoS attaks and negatively affet performane of broadast protool. In DoS attaks, attakers need neither to ompromise legitimate devies nor to know trust and key information. They only flood faked and format-ompatible pakets so as to onsume exessive bandwidth, omputation and memory resoures network-wide. Even though ounterfeit pakets are rejeted after signature validation, they ause serious problems: (1) validating those pakets wastes energy and CPU resoures; () before they are verified, storing those pakets temporally wastes buffer spae; () transmitting those pakets wastes limited wireless bandwidth. Therefore, broadast authentiation protools must ontain forged messages near attakers to prevent the rest of the network from infetion. A typial plae to perform broadast authentiation is at the ends of ommuniation, whih means that forwarders do not hek the integrity of pakets. This broadast authentiation sheme residing at appliation layer an be onsidered as a sheme using forward-first poliy: a node rebroadasts eah paket if needed and then delivers authenti ones to appliation after signature validation. Pure forward-first sheme misses the ontainment apability. A false paket is broadast everywhere before its authentiity is verified. In order to ontain false pakets, an intuitive way is to apply hopby-hop authentiation sheme based on authentiate-first poliy at routing layer: a node only rebroadasts authenti messages after validation. In this way, false pakets are filtered out at the first hop and devies outside the transmission range of attakers are immune. However, this hop-by-hop authentiation sheme imposes remarkable penalty on endto-end delay of legitimate traffi due to authentiation delay at eah intermediate hop. The aumulated delay postpones paket delivery to nodes far away from the soures and the maximal delay is proportional to network diameter in hops. Publi key sheme and one-way hash funtion sheme represented by TESLA [1] are two ommon ryptographi primitives for broadast authentiation (Other alternatives are extensively surveyed in []). TESLA is an effiient protool that utilizes one-way hash hains and delayed key dislosure to authentiate broadast traffi. But, TESLA inurs seurity vulnerability if used together with authentiate-first poliy. This is beause at the time forwarding nodes are able to authentiate a paket Msg, the seret hash key hkey used to sign Msg is already released by the soure. Afterwards, no nodes an trust any newly reeived pakets signed by hkey. Hene, the intermediate hop has to resign M sg under his identity before forwarding. By manipulating resigning proess, a ompromised node ould flood as many pakets as it wants and viiously laim that those pakets are sent by other innoent soures.

2 In this paper, we present a novel broadast authentiation sheme, alled DREAM, an aronym for DoS-Resistant Effiient Authentiation Mehanism. It effetively limits false data injetion via frequently using authentiate-first poliy based on publi-key authentiation. It also redues the endto-end delay by allowing a small perentage of unverified pakets forwarded probabilistially via forward-first poliy so that remote nodes obtain the broadast messages quikly. Compared with most pertinent work onsidering ontainment of false broadast injetion [][][], DREAM offers the following two advantages: (1) The remote nodes, who reeive the unverified pakets, are randomly determined for eah paket. Hene, DREAM avoids a single point of failure and ahieves load balaning. () In order to redue end-to-end delay, not everyone in the neighborhood of a broadast soure has to forward unverified pakets. Allowing only a small number of pakets to reah remote regions is suffiient to redue delay, while it effetively restrits ontagious areas of false pakets. II. DESIGN GOAL AND SYSTEM MODEL To guarantee that appliation reeives only authenti pakets, there is no doubt that every node needs to authentiate eah paket. Resoures of nodes in one-hop neighborhood of attakers annot be proteted unless they beome inative. Nevertheless, we want to eliminate faked pakets as early as possible to protet resoures far away from attakers and still keep average end-to-end delay low for authenti pakets. Next, we present our network, broadast traffi and attaker models. A. Node and Network Model We onsider an ad ho multi-hop wireless network supporting ommuniation among a large number of devies. They may be mobile, but without rapid hanges of network topology. These devies are all dispathed from a single administrative domain. Before deployment, eah devie reeives digital ertifiates and neessary keying materials from a trusted server. These devies are thus able to establish pairwise trust relationship and shared serets in field without ontating the remote trusted server. B. Broadast Model All of the nodes partiipate in a predetermined broadast protool. The protool an be in any form, ranging from flooding, probabilisti broadast [6] to tree-base broadast [7]. Although DREAM is designed based on flooding, it works with other broadast protools by minor modifiation. Any devie an originate broadast messages. A broadast message is uniquely defined by the ID of the originator and a sequene number. Upon message arrival, the reipients deide about dupliation suppression, rebroadast, and delivery to appliations aording to the broadast protool used. All broadast messages are sent in lear text. Broadast pakets are authentiated before delivered to appliations. C. Attaker Model Attakers are unaffiliated with the administrative domain, and they have neither valid ertifiates nor keys. Via snooping on wireless hannels, attakers an gather the details of broadast and authentiation protool. They intend to launh DoS attaks by flooding false or old pakets. Sine attakers do not have keys or ertifiates, they annot produe valid signatures in false pakets and those pakets are dropped ultimately. Their ommon strategy is to let false pakets permeate throughout the network as muh as possible to aggressively onsume ommuniation and omputation resoures network-wide. III. DREAM In order to promptly ontain injeted false pakets, we need to push publi-key authentiation from appliation layer down to network layer so that the broadast protool only allows authenti pakets to be rebroadast after validation. A hopby-hop authentiation sheme relying on authentiate-first poliy perfetly ontains false pakets in one hop range of an attaker. However, it unfavorably imposes signifiant delay penalty on authenti traffi, espeially for the traffi to the set of nodes far away from broadast soures. DREAM addresses this end-to-end delay issue by relaxing ontainment requirement. The main idea is to allow a small and ontrolled number of pakets transmitted to remote loations quikly without authentiation in a probabilisti manner. A path segment over whih paket P is not validated before forwarding is referred to as an unverified forwarding path for P. Nodes along the unverified forwarding paths forward pakets before authentiating; while the other nodes, representing the majority of the network, authentiate pakets before forwarding. Those unverified transmissions virtually redue the network radius from the broadast soure and derease end-to-end delay. 1 Beause of the diversified suppression poliies of broadast protools, DREAM is integrated with broadast protool and independently runs at eah devie. The arhiteture of DREAM ontains three modules as shown in Figure 1. Broadast + Paket Authentiation Fig. 1. Appliation Risk Management Neighbor Management MAC DREAM DREAM Arhiteture Paket Authentiation Module is responsible for signing and validating pakets. There are two operating modes yielding different delay and ontainment trade-offs. Risk Management Module ontinuously monitors ontextual threat. When evidene of false paket injetion shows up, the module adjusts the operating mode in Paket Authentiation Module to a more defensive and seure mode. Neighbor Management Module periodially exhanges hello messages with one-hop neighbors. Hello messages not only indiate a node s liveness but also inlude a field speifying a node s one-hop neighborhood size. In order to prevent maliious tampering, hello messages are signed and verified. Next two setions are devoted to Paket Authentiation and Risk Management modules separately. 1 This may introdue out-of-order pakets with large delay variane. We assume that appliations will reorder pakets if in-order delivery is required.

3 A. Paket Authentiation Paket Authentiation Module omprises two parts: (a) signing at soures and (b) verifiation and forwarding at reeivers. Whenever a soure sends out a broadast paket, it signs the paket. Upon reeiving a broadast message, a node probabilistially determines to forward it first or to authentiate it first. When a node authentiates the paket first, we all the node an authentiating node. No matter whih hoie is made, eah node will (a) only forward a unique broadast paket at most one (it does not forward identified false pakets); and (b) validate the paket and send the authenti one to appliations. The message format is: ID sr, Seqno, Msg, P ubkeysign sr, HT, ID fwder, wherein P ubkeysign sr = Sign sr P ubkey(id sr, Seqno, Msg) ID sr and ID fwder are IDs of the soure and the last forwarder, respetively. When the soure signs M sg, ID fwder is set to ID sr sine soure is the last forwarder. P ubkeysign sr is the publi key signature signed by the soure and is never hanged during forwarding proess. HT is the number of hops traversed sine the last authentiating node. It is reset to at every authentiating node. Soures always set HT to. Eah forwarder, who forwards the unverified opies, inreases HT by 1. Here, we assume that reeivers know the publi key of the soure; otherwise, soures ertifiates should be broadast as well. Next, we will desribe paket verifiation and forwarding algorithm at reeiver sides based on flooding. We redue average end-to-end delay at the ost of imperfet ontainment. Therefore, it is ruial to arefully ontrol unverified forwarding. We have the following requirements: The deision is independently made to avoid message negotiation; The deision is probabilistially made to ahieve load balaning and to prevent a single point of failure; The number of hops that an unverified message is allowed to travel is ontrolled so that on one hand, broadast pakets spread out in spae fast and on the other hand, false injeted pakets are ontained near their originators; The number of forward-first nodes is kept small to redue the ost of ommuniation and publi key omputation wasted on false pakets. Publi key signature verifiation is an expensive operation and usually takes time in seonds or tens of milliseonds in resoure-onstrained wireless mobile devies. Hene, a verifiation queue is plaed in DREAM to buffer the pakets waiting for signature verifiation. We assume for simpliity that at any moment, only one signature verifiation is performed so that spare CPU resoures are reserved for other tasks. A verifiation demon proess, whenever free, ontinuously monitors the verifiation queue. One a paket is found at the head of the queue, the verifiation proess removes the paket from queue, verifies its publi key signature and relays the authenti one to appliations. In addition, if the authenti paket has not been forwarded yet, it rebroadasts the paket not under suppression. When the demon proess ompletes proessing a paket, it beomes free. Upon reeiving a broadast message m, a node v probabilistially determines whether to forward m first or authentiate m first aording to Algorithm 1. Rand is a random number generated uniformly from [, 1]. b, and K are system parameters. b and are the expeted numbers of neighbors in the one-hop neighborhood of the soure and the last forwarder m.id fwder (other than the soure) respetively, who forwards m first. K is the maximum number of hops that m is allowed to travel without verifiation. Algorithm 1: Verifiation and Forwarding Algorithm input : An overheard broadast message m 1 if (overheard messages with the same (m.id sr, m.seqno) before) then return; if (m.ht == & m.id fwder is unknown neighbor) then return; if (I am one-hop neighbor of m.id sr ) then prob = b/ Nbr(m.ID fwder ) ; else prob = / Nbr(m.ID fwder ) ; end if (Rand > prob or m.ht == K) then // authentiate m first; m.ht = ; plae m into verifiation queue; else // forward m first; m.ht + +; rebroadast m; plae m into verifiation queue end Algorithm 1 inorporates steps: (i) Suppression and Filtering (Line 1-): If v has reeived at least one message with the same sequene number from the soure before, message m is dropped. Thereby, a node forwards eah broadast message at most one. If v is onehop away from the last authentiator, whih is an unknown neighbor, message m is ignored due to lak of trust. (ii) Probabilisti Pruning (Line -17): v deides whether to forward m first or authentiate m first probabilistially. Nbr(m.ID fwder ) is the neighborhood size of last forwarder m.id fwder. This value is available via Neighbor Management module. b is usually set to an appropriate value so that unverified broadast messages an over most diretions ( for instane). is seleted from [1, ] to make the event that all the one-hop neighbors are pruned unlikely. Both b and annot be too large, beause we need to ontrol the number of unverified pakets. The onstant before in line 6 aounts for the fat that on average, half of the neighbors of the last forwarder have already heard m. Considering a ase that m is forwarded from node A to v, via B, averagely half neighbors of B have already heard m broadast by A, thus suppressing m aording to line 1. If m has already traversed K hops without verifiation, it is better to authentiate m first to onfine its permeation in ase of a false paket. If v deides to authentiate m first,

4 it resets HT field and plaes m in the verifiation queue. If v deides to forward m first, it inreases HT field by 1, forwards m and then plaes m in the verifiation queue. The verifiation proess is responsible for rebroadast after signature verifiation. If m.ht >, verifiation proess knows that m has already been forwarded one. Sine we use Nbr(m.ID fwder ) to make probabilisti forwarding deision (in Line and 6), network topology should be relative stable so that during the Hello period, the neighbor information is aurate. Otherwise, inaurate and outdated neighborhood sizes may result in more or less number of nodes forwarding the paket first from the last forwarder. B. Risk Management Nodes working as in previous setion are said to be in Normal Mode. Via signature verifiation, they are able to detet emergene of false paket attaks if the number of reeived pakets with invalid signature in a time interval exeeds a predetermined threshold. They swith to hop-by-hop authentiation sheme and totally disable the forward first poliy to ontain false paket injetion in a defensive way. They are then said to be in Alert Mode. Conversely, when the false paket attak lessens, nodes swith bak to Normal Mode to trade for improved end-to-end delay. The transition between two modes is shown in Figure. # false pakets in urrent time window is low Normal Alert # false pakets in urrent time window is high Fig.. Adaptation to Contextual Threat Eah node ontinuously monitors the number of deteted false pakets every riskw indow interval. The node swithes to Alert Mode if this number reahes α and swithes bak to Normal Mode if this number drops to β. α and riskw indow are related to the tolerable perentage of CPU resoure spent in evaluating false pakets before swithing to Alert Mode. Suppose the proessing time to validate one publi key T signature is T val seonds, a node an tolerate val α riskw indow CPU resoure wasted on validating false pakets. For mission ritial networks, this perentage an be set to a small value. β is there to avoid frequent transitions and instability. Swithing to Alert Mode adversely inreases end-to-end delay. However, we isolate the rest of network from infetion and their omputation and ommuniation resoures are proteted. It is expeted that when onverging, only the nodes around the attakers enter Alert Mode. Other nodes an still reeive the pakets through alternative forwarding paths quikly. IV. EVALUATION In this setion, we evaluate the performane of DREAM in ns network simulator by omparing it with hop-by-hop authentiation sheme and (DW) sheme proposed in []. In sheme, the forwarding deision is made by omparing the size of a loally maintained dynami window on sensor nodes and the number of hops the inoming message traversing after its last authentiation: if window size is larger, they use forwarding-first; otherwise, they use authentiation-first. Additive Inrease Multipliative Derease (AIMD) tehnique is used to dynamially manage the window: if an authenti message is reeived, window size inreases; otherwise, window size dereases. The riteria of our evaluation represents two aspets: penalty on authenti messages and ontainment apability of false messages. We have the following metri for legitimate pakets: The average end-to-end delay: End-to-end (authentiation) delay of paket m from broadast soure sr at node v is defined as the interval between the moment sr broadasts m into wireless networks and the moment v finishes verifiation of m. We have the following metris for false pakets: The number of nodes forwarding the false pakets. The number of nodes reeiving the false pakets. The number of publi key signature validation. Publi-key signature validating time is set to. seond. At any moment, a devie performs a single publi key validation and all the other validation requests, up to, are queued. Publi key signature has size bytes. Eah node is equipped with an omni-diretional antenna operating on a single hannel. The hannel model is two-ray path-loss propagation model. The broadast traffi is sent via CBR (onstant bit rate) traffi with paket size 6 bytes in UDP DCF Medium Aess Control protool is used with default onfiguration. Transmission range is m. We investigate two network topologies, i.e. grid topology and random topology. A. Grid Topology The first senario we study is grid topology and eah data point is averaged over runs of simulations. Sine delay penalty is ritial in large sale networks with long diameter, we plae nodes in a grid. Eah row (olumn) ontains nodes equally spaed with distane meters apart. There is a single broadast soure loated at the left top orner. It ontinuously sends CBR traffi at the rate of a paket every seonds. The average network radius from the broadast soure is 1 hops based on the setting. First, we study end-to-end authentiation delay for legitimate traffi in absene of attakers. We vary K from to and from 1. to.. b is set equal to. The length of riskw indow is 6 seonds. α = 6 and β = 1. For Dynami Window Sheme, the initial window size is set to 6. Additive inrease and multipliative values are 1 and separately, default as in []. As shown in Figure 6, the average end-to-end delay in hopby-hop authentiation is the worst, above.6 seonds beause the average length of paths from the broadast soure is 1 hops and the publi key validation delay is. seond. Clearly, the average end-to-end delay in sheme is optimal at about half a seond. Beause there are no false pakets deteted, the window size is at least 6, whih is always greater than the number of hops traversed sine last authentiator. The performane of DREAM is shown by the middle lines. As inreases, the end-to-end delay dereases sine more nodes are inlined to forward pakets first, thus

5 # of False Pakets Reeived.. DREAM K= DREAM K= Dynami WIndow # of False Pakets Forwarded DREAM K= DREAM K= # of False Pakets Validated DREAM K= DREAM K= Fig.. Normalized # of False Pakets Reeived Fig.. virtually reduing the end-to-end path length. However, as inreases above 1., the degree of improvement levels off. When K inreases, end-to-end delay dereases beause distane between two suessive authentiators is lengthened and the entire network is quikly overed. Normalized # of False Pakets Forwarded End to end Delay (s) Fig.. Normalized # of False Pakets Validated DREAM K= DREAM K= End to end Delay (s) DREAM K= DREAM K= Fig. 6. End-to-End Delay Next, we study the ontainment apability of DREAM and its response to maliious injetion from Figure to. Clearly, if attakers always flood less than α false pakets in riskw indow interval, DREAM never swithes to Alert Mode. However, this is not the best interest for attakers. Therefore, we fous on ases of high-rate false injetion. Again, we use the same onfiguration as before exept that an attaker is flooding simultaneously near the soure at the left top orner of grid. The attaker floods pakets at the rate of 1 paket per seond. During the false injetion attak, it is out of question that all the neighboring nodes have to reeive the false pakets and validate them. But our sheme an effetively onfine the false pakets within a small number of nodes. The number of false pakets is normalized by the total number of false pakets sent by the attaker. The normalized number of reeived false pakets is below for both DREAM and sheme sine they both swith to defensive mode. However, before the window size in DW is adjusted down, many false pakets are broadast to the whole network. Furthermore, the mixing traffis of good and false pakets interdit the slowdown of dynami window. For every paket sent by attaker, DW has 1 nodes to forward, nodes to reeive and 19 nodes to verify the message. On the ontrary, the ontainment performane of DREAM is lose to hop-byhop authentiation. The infetion of false injetion inreases as or K inreases. However, waste on both transmission and omputational resoures by the false pakets are under ontrol. The end-to-end authentiation delay in presene of the attaker is shown in Figure 7. Delay for both DREAM and sheme inreases, ompared with the ase in absene of attakers. From the above measurements, we see lear tradeoff between end-to-end authentiation delay and ontainment apability, i.e. publi key signature omputational overhead and Fig. 7. End-to-End Delay forwarding overhead for false pakets. B. Random Topology The seond senario we study is random topology with nodes randomly plaed in a m*m network. We make sure that the resulting topology is almost onneted. There are 1 broadast soure randomly seleted to send CBR traffi at rate of pakets per seonds and two attakers randomly seleted to send CBR traffi at rate of 1 pakets per seonds eah. Nodes swith to Alert Mode whenever the number of false pakets in 6-seond interval reahes and falls bak to Normal Mode when this number drops to 1. Sine the proessing time for one publi key signature validation is. seond, a node an tolerate at most./6 = % CPU spend in evaluating false signatures. End to End Delay (s) DREAM =1. K= DREAM =1. K= 1 Senario Fig. 8. End-to-End Delay The end-to-end delay for two example onfigurations of DREAM is ompared with the delay for and hop-by-hop authentiation shemes in Figure 8. X-axis shows random senarios with different loation deployments. As usual, hop-by-hop authentiation has the worst end-to-end delay for authenti traffi. DREAM with set to 1. halves the end-to-end delay. Further improvement is present with set to 1.. Even though Sheme has the best performane in terms of end-to-end delay, it is not resilient to false paket injetion mixed with the legitimate traffis. As shown in Table I, for the total false pakets sent by attakers, sheme forwards more than false pakets in order to ahieve the desired delay. But DREAM only forwards tens of false pakets before nodes

6 around attakers swith to Alert Mode. Due to spae limit, we do not plae the results for the number of false pakets reeived and validated here. Those two results are similar as the number of false pakets being forwarded. TABLE I NORMALIZED # OF FALSE PACKETS FORWARDED Senario I Senario II Senario III DREAM = DREAM = Hop-by-Hop We show sensitivity to b in Figure 9, varying and fixing K at in absene of attakers. The same onfiguration as in Figure 8 is used. Inreasing b dereases end-to-end delay, but without dramati improvement. Possible reasons are lak of enough number of neighbors around broadast soures or the set of non-authentiating forwarders are not spread out enough in all diretions. End to end Delay (s) =1., b= =1. b= =1. b= =1. b= =1. b= =1. b= 1 Senario Fig. 9. End-to-End Delay V. RELATED WORK Wang, Du and Ning proposed a dynami window sheme to ontain bogus data by publi key ryptography (PKC) authentiation [], where sensor nodes determine whether to verify a message first or forward the message first by estimating their distane from the maliious attakers and how many hops the inoming message has passed without authentiation. As we show in the evaluation setion, despite the fat that sheme displays good potential to improve end-to-end delay of authenti traffi, it is not robust against smart attakers who maliiously manipulate AIMD sheme. Additional, during the dereasing proess of AIMD, a large number of false pakets are broadast to the whole network. Drissi and Gu onsidered a large sensor network with a few predetermined trusted and better seured nodes whih divides the whole network into subnets [][]. Trusted nodes use TESLA to broadast messages to its subnet and eah ordinary node, upon reeiving broadast messages from its subnet, rebroadasts them before validation. Trusted nodes exhange broadast messages among themselves. A soure other than the trusted nodes sends messages to a nearby trusted node. However, the predetermined set of trusted nodes may attrat attaks and too muh authentiation and oordination overhead onsumes their battery and the battery of nodes around them quikly. Besides, how messages are sent from soure to trusted nodes, from trusted nodes to trusted nodes and from trusted nodes to subnets may introdue additional vulnerability, suh as DoS attaks and jamming. [8] proposed an effiient, onetime signature-based broadast authentiation sheme that redues storage usage and inludes a re-keying mehanism and [9] introdued a novel ryptographi paradigm of broadast authentiation with preferred verifiers. But, none of them offers ontainment apability against false injetion attaks. VI. CONCLUSION In this paper, we propose a novel broadast authentiation sheme, whih onfines false paket injetion mostly inside one-hop neighborhood around attakers with improved end-to-end delay for legitimate traffi. Via frequently using authentiate-first poliy, DREAM ontains most of faked pakets in one-hop neighborhood of attakers. Probabilisti forward-first deision dramatially improves the end-to-end delay for nodes far away from the broadast soure. With dynami adaptation to hanging threat level, our sheme is flexible to trade off delay with ontainment apability. Extensive simulation verifies end-to-end delay and ontainment performane in DREAM. In the future, we plan to integrate DREAM with other broadast protools and test its performane. DREAM relies on the probabilisti deision to push unverified pakets remotely. But the unverified forwarding path may not be optimal for quik overage. We will apply GPSR routing protool [1] to deterministially forward the unverified pakets further along the best diretion. We will also investigate ountermeasurement for attaks on broadast suppression, wherein attakers pretend to be the broadast soure and send pakets with higher or equal sequene numbers before the true soure. ACKNOWLEDGEMENT The researh in this paper is supported by Motorola grant REFERENCES [1] A. Perrig, R. Canetti, D. Tygar, and D. Song, The tesla broadast authentiation protool,. [Online]. Available: iteseer.ist.psu.edu/perrigtesla.html [] D. Liu, P. Ning, S. Zhu, and S. Jajodia, Pratial broadast authentiation in sensor networks, in MOBIQUITOUS : Proeedings of the The Seond Annual International Conferene on Mobile and Ubiquitous Systems: Networking and Servies,. [] R. Wang, W. Du, and P. Ning, Containing denial-of-servie attaks in broadast authentiation in sensor networks, in MobiHo 7: Proeedings of the 8th ACM international symposium on Mobile ad ho networking and omputing, 7, pp [] Q. Gu and J. Drissi, Dominating set based overhead redution for broadast authentiation in large sensor networks, in ICNS 7: Proeedings of the Third International Conferene on Networking and Servies. Washington, DC, USA: IEEE Computer Soiety, 7, p. 81. [] J. Drissi and Q. Gu, Loalized broadast authentiation in large sensor networks, in ICNS 6: Proeedings of the International onferene on Networking and Servies, 6, p.. [6] Y. Sasson, D. Cavin, and A. Shiper, Probabilisti broadast for flooding in wireless mobile ad ho networks, in Proeedings of IEEE Wireless Communiations and Networking Conferene (WCNC ). [7] J. E. Wieselthier, G. D. Nguyen, and A. Ephremides, On the onstrution of energy-effiient broadast and multiast trees in wireless networks, in INFOCOM (),, pp [8] S.-M. Chang, S. Shieh, W. W. Lin, and C.-M. Hsieh, An effiient broadast authentiation sheme in wireless sensor networks, in ASIACCS 6: Proeedings of the 6 ACM Symposium on Information, omputer and ommuniations seurity. ACM, 6, pp. 11. [9] M. Ramkumar, Broadast authentiation with hashed random preloaded subsets, in eprint Arhive,. [1] B. Karp and H. T. Kung, Gpsr: greedy perimeter stateless routing for wireless networks, in MobiCom : Proeedings of the 6th annual international onferene on Mobile omputing and networking.