Detecting Wormhole Attacks in Mobile Ad Hoc Networks through Protocol Breaking and Packet Timing Analysis

We have implemented a fully-functional wormhole attack in an IPv6 802.11b wireless mobile ad hoc network (MANET) test bed running a proactive routing protocol. Using customised analysis tools we study the traffic collected from the MANET at three different stages: i) regular operation, ii) with a "benign" wormhole joining distant parts of the network, and iii) under stress from wormhole attackers who control a link in the MANET and drop packets at random. Our focus is on detecting anomalous behaviour using timing analysis of routing traffic within the network. We first show how to identify intruders based on the protocol irregularities that their presence creates once they begin to drop traffic. More significantly, we go on to demonstrate that the mere existence of the wormhole itself can be identified, before the intruders begin the packet-dropping phase of the attack, by applying simple signal-processing techniques to the arrival times of the routing management traffic. This is done by relying on a property of proactive routing protocols- that the stations must exchange management information on a specified, periodic basis. This exchange creates identifiable traffic patterns and an intrinsic "valid station" fingerprint that can be used for intrusion detection