Detecting Malicious Packet Dropping in the Presence of Collisions and Channel Errors in Wireless Ad hoc Networks Thaier Hayajneh, Prashant Krishnamurthy, David Tipper, and Taehoon Kim Graduate Networking and Telecommunications Program University of Pittsburgh, Pittsburgh, PA, USA Email: {hayajneh, prashant, dtipper, tkim}@sis.pitt.edu Abstract—Detecting malicious packet dropping is important in ad hoc networks to combat a variety of security attacks such as blackhole, greyhole, and wormhole attacks. We consider the detection of malicious packet drops in the presence of collisions and channel errors and describe a method to distinguish between these types. We present a simple analytical model for packet loss that helps a monitoring node to detect malicious packet dropping attacks. The model is analyzed and evaluated using simulations. The results show that it is possible to detect malicious packet drops in the presence of collisions and channel errors. I. I NTRODUCTION Nodes in ad hoc networks rely on other nodes to forward and route data packets to the destination. Malicious nodes can exploit this situation and disrupt ad hoc network operation by dropping data packets and not delivering them to the next hop. In its obvious version, a malicious node will simply discard all the data packets that it is supposed to relay (this is referred to as the black hole attack [1]). The nodes in an ad hoc network communicate using wireless links which are by nature vulnerable to interference and channel errors that may corrupt some or many data packets. Moreover, the nodes share the physical medium, compete to transmit data packets and suffer collisions. Thus, one of the problems in detecting malicious nodes that drop packets is that it may not be clear as to whether the packet was dropped due to channel errors, collisions, or due to malicious intent. In most detection mechanisms, the number of packets that are not forwarded is recorded by a passive listener. A threshold on the number of dropped packets is then used to decide whether or not a node is malicious. Depending on the threshold and data load, a burst of errors on the channel or an increase in the number of collisions can trip the threshold creating false alarms. As described in the next section, previous work on distin- guishing between causes for dropped packets considered only collisions and channel errors [2]–[5] and ignored malicious packet drops. On the other hand, protocols that detect mali- cious packet dropping [6]–[8] ignored collisions and channel errors. In this paper we adopt a unified approach to packet loss considering collisions, channel errors, and malicious packet drops. We consider two possibilities for a malicious node. First, it aims to disrupt network operation by not relaying a packet to the next hop. In this case the node will acknowledge the packet to the sender. The sender typically believes that the forwarded packet was lost due to some natural reason (colli- sion or channel error). Second, the malicious node intends to drain the energy of a node. Here the malicious node will not acknowledge receipt of a packet. The sender retransmits the data packet unnecessarily several times expending energy. The rest of the paper is organized as follows. Section II describes related work on distinguishing between causes for packet drops and detection of malicious nodes that drop packets. Section III provides the framework used to determine the probability that a node is malicious. Section IV presents the performance evaluation and Section V discusses the limitations and concludes the paper. II. RELATED WORK Related work in this area assumes 802.11-like nodes. We assume that the reader is familiar with 802.11 access proce- dures. A classification of the types of interference that impacts packet loss was presented in Ma et al. [9]. In Type-1 interfer- ence, the interference signal arrives prior to the desired signal. In Type-2 interference, the interference signal arrives after the desired signal, and in the case of collisions, both signals arrive at the same time. Statistics computed at each node are used to determine the packet loss rate due to each type of interference. Pang et al. [2] distinguished between packet loss due to collisions and link errors. The main idea is that shorter RTS/CTS and MAC headers in 802.11 are less vulnerable to errors than data. Thus, during the RTS/CTS access procedure, errors are assumed to be due to collisions. If the node receives the CTS frame but not the ACK frame then the transmission has more likely failed due to a channel error. However, if an RTS/CTS frame is not received, then the transmission more likely failed due to a collision. If a basic access procedure is used, the sender depends on feedback from the receiver to determine the cause of packet loss. If a packet with a corrupted header is received, the receiver sends nothing and the sender will timeout and assume that a collision occurred. If a packet with a correct header is received but the data part is corrupted, the receiver can recognize the sender and reply with a NAK frame. Here, the sender will assume that the packet was lost due to channel errors. The collision aware rate adaptation (CARA) scheme in [3] depends on RTS probing to differentiate collisions from channel errors. The technique is