1 Introduction

Mobile Ad-hoc Network (MANET) is a group of self-organized, infrastructure-less mobile nodes that relies on interdependence and cooperation of all nodes to carry out critical network functions. MANETs are vulnerable to jamming attacks due to the shared nature of the wireless medium. There are two main categories of jamming attacks: external jamming and insider jammingFootnote 1. External jamming attacks are launched by foreign devices that are not privy to network secrets such as the network’s cryptographic credentials and the transmission capabilities of individual nodes the network [1]. These types of attacks are relatively easier to counter through some cryptography based techniques, some spread spectrum methodologyFootnote 2, Antenna Polarization and directional transmission methods [3].

Smart insider jamming attacks on the other hand are much more sophisticated in nature because they are launched from a compromised node.Footnote 3 The attacker exploits the knowledge of network secrets to deceptively target critical network functions. In order to effectively prevent the smart insider jamming attack, we adopt a reputation mechanism to detect the presence of smart jammer nodes when they are passively eavesdropping and collecting information about the network prior to launching the jamming attack. A lower reputation threshold is set such that the jammer would not be able to successfully jam the network without being detected by its neighbors. In this paper, we propose a reputation-based coalition game to prevent an attack that could be posed by an erstwhile legitimate node. Game theoretic based approaches for mitigating attack can be seen in the works of [4] where a coalition game with cooperative transmission was implemented as a cure for the curse of boundary nodes in selfish packet-forwarding. Alibi-based protocol [5] and self-healing protocol [6] have been used to either detect or recover from a jamming attack. Our reputation-based coalition game differs from the aforementioned approaches by (1) Designing a coalition formation algorithm, (2) Maintaining the coalition via a reputation mechanism, (3) Identifying the insider jammer based on reputation score, and (4) Excluding the attacker from the coalition by rerouting transmission path and randomly modifying communication channel. The game is fully distributed and does not rely on any trusted central entity to operate at optimal performance.

The remainder of this paper is organized as follows. Section 2 we present relevant works that are closely related to our model; in Sect. 3 we present the network and jammer model; Sect. 4 contains the proposed defense model and in Sect. 5 we show our simulation results and finally in Sect. 6 we conclude the work and highlight prospective future work.

2 Related Work

Researchers have devoted great efforts on security in MANET. In [7] and [8], the authors used watchdog/pathrater and collaborative reputation (CORE) mechanisms respectively to prevent to mitigate node misbehavior in MANETs. Other works have used non-cooperative games to model security scenarios as well as the corresponding defense strategies to such attacks [9]. Most of these works focused on two player games where all legitimate nodes are modelled as a single node and attacker nodes are also modeled as a single node as well; this is only valid for centralized networks, whereas MANETs are self-organized networks.

Some researchers have also used coalition game to ensure security in MANETs. Li et al. [6] designed a self-healing wireless networks under insider jamming attacks. The concept of a pairwise key mentioned in their design shows that the design works best in a centralized system and not a self-organized system like MANETs. Some other works have only focused on node selfishness and not on intentional malicious acts or jamming attacks. Zhu et al. [4] used coalition game in which boundary nodes used cooperative transmission to help backbone nodes in the middle of the network and in return the backbone nodes would be willing to forward the boundary nodes’ packets.

Our approach is unique in that (1) we refrain from treating the nodes in a collective manner, instead we consider them as individual node by defining a security characteristic function for the coalition formation (2) we use reputation mechanism to prevent false positives (3) we kept a history of the nodes’ transmission rates (4) we successfully identify the insider jammer and excluded it from the coalition.

3 Network and Jammer Model

3.1 Network Model

Our network model involves a characteristic function and a coalition formation model. This model is similar to related efforts [1013]. It departs from the related efforts in the usage of accumulative feedback adaptation transmission rate (AFAT) [14] in the coalition formation; use of maximum transmission rate in security characteristic function; and the necessary conditions needed for the grand coalition formation.

Coation Formation Model. According to [11], a coalition game is an ordered pair \(\langle {N, v}\rangle \) where N = \(\left( 1,.., n\right) \) is the set of playersFootnote 4 and v is the characteristic function.Footnote 5 By convention, v( \(\phi \)) = 0, where \(\phi \) denotes the empty set [11].

The coalition formation process starts with nodes forming small disjoint coalition with neighboring nodes in their range of transmission and then gradually grows until the grand coalition is formed with the testimony of intersecting nodes. Such an intersecting node will serve as the referee for a new node that seeks to join the coalition. Our coalition formation process depends on the transmission rate table that has been stored according to the previous work done by [14].

In [14], we proposed an accumulative feedback adaptation transmission rate (AFAT). AFAT is a decentralized approach to ensure the communication of transmission rates between neighboring nodes in a network. The knowledge of neighbor’s transmission rates helps a node to adjust its own rate accordingly. In other words, AFAT provides the maximum transmission rates for the nodes in order to meet the specific application bandwidth requirements. According to AFAT, the transmission rates of the nodes is adjusted based on the history of neighbors’ transmission rates. A list of the transmission rates has been built into the transmission rate table and is updated during every time instant.

The final outcome of the coalition formation process is to form a stable grand coalition which comprises of all nodes in the network. The intersecting nodes would be very key to the formation of the grand coalition because they belong to the smaller coalitions that would be merged into a single coalition.

There are N nodes in the network, for any coalition, C \(\epsilon \) \(2^N\) Footnote 6 As mentioned previously, many literature [11, 12] have made use of the characteristic function in modeling a coalition game. This function helps to calculate the payoff of individual nodes such that they can see their joining the coalition as a rational decision since rationality is a key assumption in game theory.Footnote 7

A node has neighbors in its transmission range that can testify about its cooperation based on the transmission rate table updated at every time-slot. This testimony means that these neighboring node can give a firsthand information about the node when queried. Let \(\vert \) \(G_i\) \(\vert \) be the set of neighboring nodes in the transmission range of node i, therefore, at time slot t, the support rate for a node i in a coalition C, is:

$$\begin{aligned} S_t (C)= |G_i| - 1 \end{aligned}$$
(1)

The transmission rate, T \(_t (C)\), of coalition C at time, t, is another important parameter in the characteristic function, Li et al. [12] on the other hand made use of the overlapping distance. The nodes’ sharing of their transmission rate is very key to their admittance into the small coalition. In other to form a coalition with any node, there is a need to know the maximum available transmission rate. The maximum transmission rate ensures that the nodes match with the best nodes in terms of transmission rate before settling for the next best option as seen in the coalition formation algorithm. The maximum transmission rate in a coalition C is given by:

$$\begin{aligned} D_t (C)= max\lbrace {T_t (C)}\rbrace \end{aligned}$$
(2)
Table 1. A summary of notations provided for reference
Full size table

According to [12] the maximal admitting probability is given by:

$$\begin{aligned} A_t (C)= max_{j\epsilon C}\lbrace {\frac{\sum _{i\epsilon C}{P_{ij}}}{|C|} |C = \lbrace {i|i \epsilon C, i\ne j,P_{ij}\ne 0}\rbrace }\rbrace \end{aligned}$$
(3)

Incorporating these three parameters we can write the characteristic function by weighing each parameter. The characteristic function proposed is then;

$$\begin{aligned} v_t (C)= {\left\{ \begin{array}{ll} 0, &{} \mathrm{if}\, {|C|}= 1\\ \alpha S_t (C)+\beta A_t (C)+ \gamma D_t (C),&{} \mathrm{if}\, {|C|}\ge \text { 1} \end{array}\right. } \end{aligned}$$
(4)

These weight parameters \(\alpha , \beta \) and \(\gamma \) can be used to provide variability for the characteristic function of the nodes. Due to the mobility factor in our model, it is important to keep track of the neighbors of any node at a given time, \(\alpha \) helps to weigh the support rate parameter which is responsible for the number of neighbors of a node. Our assumption is that the nodes are slow-moving and there cannot be a rapid change of neighbors. \(\beta \) provides a weight value for the maximal admitting probability. The value assigned to \(\beta \) depends on the size of the coalition, if the coalition size is very big (say about 100 nodes), then it could be important to make it bigger than the other parameters. The transmission rate is affected by two major factors: propagation environment and the degree of congestion. Depending on these two factors, we could assign a weight value for the maximum transmission rate using \(\gamma \). The weights would have an impact on the coalition as a whole. It is important for these weights to add up to 1 in order to allow prioritization based on the topology of the network. Because of the nature of our network, we will give the highest weight to the maximum transmission rate parameter.

$$\begin{aligned} \alpha + \beta + \gamma = 1 \end{aligned}$$
(5)

New nodes are accepted into the grand coalition based on the testimony from intersecting nodes in the smaller coalition. Nodes take some time to gain a good reputation within the small coalition before it can be accepted into the grand coalition. There is a possibility that a new node might fail to enter into the grand coalition if it is out of range from the intersecting node when the smaller coalition is merged into a grand coalition. This merging process continues while there are intersecting nodes to testify about the new nodes which ensures that the grand coalition will continue to grow, thereby providing more robust security. Algorithm 1 shows the coalition formation process. The coalition formation is a dynamic process and no matter the location of a node in the network, it still has neighbors that can testify about it. From the coalition formation algorithm we can see that at each round of formation, every coalition looks to find a partner. The grand coalition is eventually formed only when two conditions are met: presence of an intersecting node to aid the merging and if v(N) is atleast greater than the individual payoff of any disjoint smaller coalition.

There are no fixed number of neighbors for a particular node because of the mobile nature of the wireless environment. From our proposed model the size of the grand coalition could be any size of three nodes and above. For rationality sake it is important to show the individual payoff of the nodes so that they would have a basis for joining a coalition. The individual payoff share is also found in [15]. For any node i \(\epsilon \) C, \(\mid C\mid > 1\), the individual payoffFootnote 8 share is defined in Eq. 6

figure a
$$\begin{aligned} x_t (i)=\frac{1}{|C|}(\alpha S_t (C)+\beta A_t (C)+\gamma D_t (C)) \end{aligned}$$
(6)

Based on the characteristic function used, we will be making use of the core. The core states that the sum of total payoff of all members of the coalition must be greater than the value of that single payoff of any individual node [11, 15]. Hence looking at Eqs. 4 and 6, we should be able to conclude that:

$$\begin{aligned} \sum _{i\epsilon C} x_t (i)\ge v_t (C) \end{aligned}$$
(7)

The game only has a core if it satisfies the concept of core of the coalition game [11].

Network Assumptions. We assume N mobile nodes with A attackers, where A is less than N / 2.Footnote 9 Below are the assumptions under which we present our work:

  • All players (or nodes) are rational (i.e. they would always choose the strategy that benefits them the most).

  • The network model does not adopt a hierarchical organization, such as, leader-follower or centralized organization.

  • The goal of the game is to form a stable grand coalition where any node that is unable to join this grand coalition would be designated as a malicious node.

  • The nodes are moving slowly because fast movement brings about a frequent change in the node’s neighbors which may affect the reputation of the nodes adversely.

  • A node’s continuous membership in the grand coalition is dependent on its reputation value.

3.2 Jammer Model

The jammer type modeled in this section is a smart insider jammer who only launches its attack after collecting enough information to cause huge network disruptions. The jammer’s goal is to launch a successful attack rather than building a very high reputation, however, it has to wait until it crosses the lower reputation threshold value, \(q_L\) before attempting to jam the network. The potential jammer is first a member of a smaller coalition where it earns a good reputation from its neighboring nodes. The attack is a combination of both subtle and palpable attacks as explained in [16]. The attacker passively scans the network as an eavesdropper while also sharing its transmission rate with all the neighbors in its range of transmission in the coalition. After a certain time, at which the attacker has gathered enough information about its neighbors and what channel they are transmitting on, the attacker stops sharing its own transmission rate because it needs enough power to jam the channel on which the best transmission rate is used.

The jammer would launch its attack when it knows that such an attack is feasible. By feasible, we mean that the jammer has the required jamming power, the chance of being detected is low and it has specific information about the channel on which the best transmission rate is used. The jammer would launch its palpable attack by intentionally sending a high-powered interference signal to that channel, thereby attempting to disrupt communication. The principal aim of jamming a selected channel is to disable the functionality of that channel. The complexity of the jamming can be seen in the fact the movement of the jammers may hinder the detection capability of the coalition. In Fig. 1, the jammers are part of two smaller coalitions which merged to become a grand coalition. The node marked yellow is the intersecting node for smaller coalitions.

Fig. 1.
figure 1

A Coalition of ten (10) nodes with two (2) jammers

Full size image

4 Proposed Defense Model

4.1 Maintaining the Coalition Through Reputation

We present a maintenance algorithm that employs the node reputation to track all the history of each node’s cooperation as they broadcast their transmission rate. Reputation is simply defined as the goodness of a node as observed by other neighbors in its transmission range or the coalition in general.Footnote 10 Specifically, we adapt the mechanism used for modeling increase and decrease of reputation values. The reputation of a node is maintained by nodes in the same transmission range as itself. Each node updates the reputation table every time slot.Footnote 11 When a node broadcasts it’s transmission rate, it receives an increment and if it fails the opposite happens. A new node that joins the network can be assigned a neutral reputation \(q_N\). All reputations would be valid for a time period, \(T_v\). There is an upper threshold, \(q_U\) and a lower threshold \(q_L\), where \(q_L< q_N < q_U\).

Reputation can be increased at the rate of \(\sigma \) and decreased at the rate of \(\lambda \), where \(\sigma \), \(\lambda \) < 1 and are both real numbers. For this algorithm, the two parameters are set equal to each other in order to ensure fairness. If these parameters are not made equal, for example when \(\sigma \) is larger than \(\lambda \), there is the tendency for a node to quickly attain the maximum reputation value in a very short time and then lack the enthusiasm to continue sharing its transmission rate as it should be doing in order for network activity to continue. Also decreasing at a high rate also results in an undeserved punishment for any node in an unpleasant network location due to the mobility of the system.

Algorithm 2 shows the monitoring process and how the reputation is either increased or decreased depending on the node’s behavior. m is the number of observations made by node j about node i’s refusal to share its transmission rate. \(T_f\) is the tolerance of the network i.e. m per reputation value before reducing reputation of a node. y is the number of observations made by node j when node i shares its transmission range in the time period \(b_f\). \(b_f\) is the broadcast factor of the network [17]. This algorithm makes use of only firsthand information as the support rate and the intersecting node is enough to cater for the need for a secondhand information.

figure b

4.2 Jammer’s Exclusion from the Coalition

The jammer prevention algorithm aims to reduce the number of false positives. False positive occurs when a legitimate node is been classified as a jammer when it fails to share its transmission rate at a particular time-slot due to been out of range, which is typical of MANET. Nodes that belong to the coalition have a monitor for observations and reputation records for first-hand information about the degree of cooperation of their neighbors as regards sharing their transmission rates. The coalition excludes the jammer by Algorithm 3.

figure c

For our setup, an excluded node will not be granted re-entry. Algorithm 3 provides the needed self-dependency and self-organization in MANET.

5 Simulation and Results

We evaluate the performance of the reputation-based coalition game by conducting simulations in NS2. We compare the performance of the reputation-based coalition game with non-reputation based mechanism. The non-reputation based scheme is gotten when we remove the reputation mechanism in our coalition maintenance. The evaluation is based on four metrics: the detection accuracy, detection delay, the percentage of false positives and the detection time of the insider jammer.

5.1 Simulation Setup

Table 2 shows a list of the simulation parameters. Twenty percent of the nodes in the network are classified as the insider jammers.

Table 2. Parameters for simulation
Full size table

5.2 Results

In Fig. 2, we compare the detection accuracy of the reputation-based scheme with a non reputation-based scheme. The non-reputation based scheme only detects the insider jammer half of the time, our reputation-based scheme, however, performs better with increasing coalition size. In our simulation results, the scheme achieves the maximum accuracy with a coalition of 80 nodes. Detection accuracy is of utmost importance because it is the most important factor that helps to reduce the number of false positives and false negatives.

Figure 3 illustrates the time taken by the coalition to detect the insider jammer. The support rate has an impact on the number of neighboring nodes which in turn affects the detection time. For the result shown in Fig. 3, the number of attackers is exactly twenty percent of the size of the coalition. The time taken to detect insider jammer reduces significantly with increasing number of nodes in the network.

Fig. 2.
figure 2

Detection accuracy

Full size image
Fig. 3.
figure 3

Detection delay

Full size image

Figure 4 compares false positives for the reputation-based model and the non reputation-based model. False positives are easily detected with our reputation-based mechanism because the rate of increase (\(\sigma \)) and decrease (\(\lambda \)) of reputation value is equal resulting in fewer instances of errors in detecting insider jammers. As observed in Fig. 4, the 80 node coalition has the least false positive percentage.

Fig. 4.
figure 4

False positives

Full size image
Fig. 5.
figure 5

Jammer exclusion time

Full size image

Figure 5 illustrates the time it takes to exclude the insider jammer from the grand coalition after detection. As the size of the coalition increases, the time taken to exclude insider jammers decreases because the jammer’s neighboring nodes quickly raises an alarm when the reputation values fall below \(q_L\).

6 Conclusion and Future Work

In this paper, we presented a reputation-based coalition game to detect insider threats in MANET. The key components of the game include algorithms for coalition formation, coalition maintenance and jammer exclusion and security characteristic function for admitting nodes into a coalition. Simulation results demonstrate the effectiveness of our reputation-based coalition game to detect insider jammers in a MANET. Specifically, the results demonstrate few false positives and small detection delay. In the future, we would like to investigate a case of a cooperative attacks that could occur when the excluded nodes form a coalition with the aim of jamming communication in the MANET.