Integrating Quality of Protection into Ad Hoc Routing Protocols Seung Yi, Prasad Naldurg, Robin Kravets Department of Computer Science, University of Illinois at Urbana-Champaign Urbana, IL 61801, USA Abstract We propose a new routing technique called Security-Aware ad hoc Routing (SAR) that incorporates security attributes as parameters into ad hoc route discovery. SAR enables the use of security as a negotiable metric to improve the rele- vance of the routes discovered by ad hoc routing protocols. We develop a two-tier classification of routing protocol se- curity metrics, and propose a framework to measure and en- force security attributes on ad hoc routing paths. Our frame- work enables applications to adapt their behavior according to the level of protection available on communicating nodes in an ad hoc network. 1 Introduction Wireless ad hoc networks have been proposed to support dy- namic scenarios where no wired infrastructure exists. Most ad hoc routing protocols are cooperative by nature [1], and rely on implicit trust-your-neighbor relationships to route packets among participating nodes. This na¨ ıve trust model allows malicious nodes to paralyze an ad hoc network by inserting erroneous routing updates, replaying old routing information, changing routing updates, or advertising incor- rect routing information [2, 3]. While these attacks are pos- sible in fixed networks as well, the nature of the ad hoc en- vironment magnifies their effects, and makes their detection difficult [4]. The characteristics of an ad hoc network demand new metrics for routing. Traditionally, distance (measured in hops) is used as the metric in most ad hoc route-discovery algorithms (e.g., AODV [5], DSR [6], TORA [7] etc.). The use of other metrics (e.g., geographic location [8], signal sta- bility [9] etc.) can improve the quality and the relevance of the routes discovered for particular applications and config- urations. Along these lines, we explore the use of different security attributes to improve the quality of the security of an ad-hoc route. In this paper, we present “Security-Aware ad-hoc Routing (SAR)”, an approach to routing that incor- porates security levels of nodes into traditional routing met- rics. Our goal is to characterize and explicitly represent the trust values and trust relationships associated with ad hoc nodes and use these values to make routing decisions. In addition to determining a secure route, the information in the routing messages must also be protected against alter- ation that can change routing behavior. In this paper, we an- alyze the security of ad hoc routing algorithms with respect to the protection associated with the transmission of rout- ing messages. We identify the attributes of a secure route and define appropriate metrics to quantify the ”level of se- curity” associated with protocol messages. These metrics are adapted from their equivalents in security of wired rout- ing protocols [10, 11, 12]. In the rest of this paper, we present our motivation and the generalized SAR protocol for secure route discovery, update, and propagation. We then briefly describe our threat model, develop an attack classification, and validate our pro- tocol against this model. Finally, we describe our experi- mental test bed and present our simulation results and con- clusions. 2 Motivation While the dynamics of ad hoc routing protocols have been well researched, the security issues and concerns have not been addressed in depth. In this section, we exemplify the need for security awareness in an ad hoc network at the routing level with a battlefield communication scenario. In Private Officer General Shortest Route Route Secure Range Transmission Figure 1: Security-aware Routing - Motivation Figure 1, two generals establish a route using a generic on- demand ad-hoc routing protocol. During the mission, the generals detect that some of the privates have defected. The generals decide that they can only trust nodes owned by of- ficers to route their packets. Relaying these messages us- ing potentially compromised nodes can leak information to untrusted entities and jeopardize the mission. Even if the