Domain On Information Forensics And Security Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

The aim of the information forensics and security is to give a combined locus for archival study on the basic contributions and the mathematics behind information forensics, information safety measures, observation, and systems applications that incorporate these features. Technical topics within the scope include: Digital rights management technology, including watermarking and fingerprinting; of images, video, and audio, Steganography and steganalysis. Tampering, modification of, and attacks on, original information, Signal processing for biometrics, Signal processing for forensic analysis, Signal modeling and channel modeling for secure content delivery, Quality metrics and benchmarking, Technical analysis of system vulnerabilities, Content identification and secure content delivery, Information embedding and media explanation. The relationship of technology with legal and ethical issues.

1.1.2 Overview of present work:

Disruption tolerant network has intermittent connectivity between mobile nodes to send and receive data. Because a lack of consistent connectivity, two nodes exchange data only when they move into the transmission range of each other. Thus, DTN routing follows store carry and forward that means, when a node receives some packets, it stores these packets in its buffer, and sends the packets to the next node.

A node may misbehave by dropping packets even when it has enough space to store packet. Routing misbehavior can be caused by selfish nodes that are unwilling to spend resources to forwarding packets of others, or caused by malicious nodes that drop packets to launch attacks. Routing misbehavior will reduce the packet delivery ratio and waste system resources of the mobile nodes that have carried and forwarded the dropped packets.

Routing misbehavior has been widely used in mobile ad hoc networks. These works uses neighborhood monitoring or acknowledgement (ACK) to detect packet dropping, and avoid the misbehaving nodes in path selection.They do not consider the intermittent connectivity in DTNs and cannot be applied to DTNs.To address routing misbehavior in DTNs two questions are used. How to detect packet dropping and how to limit the traffic flowing to the misbehaving nodes. In this scheme, a node is need to keep previous signed contact records, and report them to the next contact node which can detect if the node has dropped packets based on the reported records. Misbehaving nodes may change some records to avoid being detected, but this will violate some steadiness rules. To detect such inconsistency, a small part of each contact record is spread to some selected nodes which can collect appropriate contact records and detect the misbehaving nodes with certain probability. This scheme to mitigate routing misbehavior by limiting the number of packets forwarded to the misbehaving nodes.

Each node has two separate buffers. One has unlimited space and is used to store its own packets. The other one has limited space and is used to store packets received from other nodes, but the two nodes should be in the same time slot at any time. Since the intercontact time is usually at the scale of minutes or hours, the time slot can be at the scale of one minute.

There are two types of nodes: unruly nodes and normal nodes. A misbehaving node drops the received packets. But it does not drop its own packets. It may also drop the control messages to avoid being detected. A normal node may drop packets when its buffer overflow. In this DTN applications, each packet has a certain lifetime, and then expired.Such dropping can be identified if the expiration time of the packet is signed by the source. Such dropping is not misbehavior.

Mis-behaving node is required to generate a contact record during each contact and report its previous contact records to the contacted node. Based on the reported contact records, the contacted node detects if the misbehaving node has any dropped packets. The misbehaving node may change the misreport that means it report forged contact records to hide its misbehavior. But forged records cause inconsistencies which make misreporting detectable. To detect misreporting, the nodes in the network also randomly selects a certain number of witness nodes. The summary of each reported record are send to the witness node when it contacts them. The witness compare the contacts records to detect the misbehaving nodes.

a) If a misbehaving node misreports, it will be blacklisted and will not receive any packet from other nodes.

b) if it reports its contact records honestly, its dropping behavior can be watched by its contacted nodes, and it will receive much less packets from them.

1.1.3 Concept overview

Fig1.1 concept overview

1.1.4 Misbehavior mitigation after the detection of misbehaving node

Fig1.2 Misbehavior mitigation after the detection of misbehaving node

1.2 Literature review:

1.2.1. Mitigating routing misbehavior in mobile adhoc networks.

To detect packet dropping watch dog solutions is followed.In this method the sending node operates in immoral mode and check the medium to check if the packet is truely sent out by its neighbor.The watchdog technique has advantages and disadvantages.It can detect the misbehaving node at the forwarding level and not just the link level. Watchdog's disadvantages are given below:

1. Indefinite collisions

2. Recipient collisions

3. Limited transmission power

4. False misbehavior

However, neighborhood monitoring depends on connected link between the sender and its neighbor, which most likely will not exist in DTNs because of the irregular connectivity.

1.2.2. An acknowledgement based approach for the detection of routing misbehavior in MANETs

It uses the acknowledgement (ACK) packet to confirm if the packet has been forwarded by the next hop. This paper proposed a 2ACK scheme in which the sender waits for an ACK from the next hop of its neighbor to confirm that the neighbor has forwarded the data packet to the next hop. It overcomes several problems including ambiguous collisions, receiver collisions, and limited transmission powers. This technique is vulnerable to collusions. The neighbor may forward the packet to a colluder which drops the packet. End-to-end ACK schemes are resistant to this type of colluding attacks, still the ACK packets may be lost in DTNs. In routing protocols each packet has multiple replicas, it is difficult for the source to verify which replica is acknowledged The 2ACK scheme is a network-layer technique.It is used to detect misbehaving links and to alleviate their effects. It can be implemented as a protocols for MANETs, such as DSR. A 2ACK packet is assigned a fixed route of two hops (three nodes), in the opposite direction of the data traffic route. Consider some nodes that N1, N2, and N3 are three consecutive nodes along a route. The route from a source node S, to a destination node, D, was generated in the Route Discovery phase N1 sends a data packet to N2 and N2 forwards the packet to N3, but it is unclear to N1 whether N3 receives the data packet or not. Such an doubt exists even when there are no misbehaving nodes. The problem becomes severe in open MANETs with potential misbehaving nodes. The 2ACK method needs an clear acknowledgment to be sent by N3 to notify N1 of its successful reception of a data packet. when node N3 receives the data packet successfully,it sends out a 2ACK packet over two hops to N1 with the ID of the corresponding data packet. The three nodes N1 ->N2 -> N3 is derived from the route. This triplet is used by N1 to monitor the link N2 -> N3. 2ACK transmission takes place for every set of triplets along the route.The first router will not act as a 2ACK packet sender. The last router just before the destination and the destination will not serve as 2ACK receivers. To detect misbehavior, the 2ACK packet sender maintains a list of IDs of data packets that have been sent out but have not been acknowledged.

1.2.3. Thwarting blackhole attacks in disruption-tolerant networks using encounter tickets.

In DTNs, black hole attack is the severe routing misbehavior. In this method bloak hole node act itself as a perfect relay for all destinations, but drops the received packets. This describes an approach that prevents the forgery of routing metrics. The metric is encounter tickets. This is used to secure the evidence of each contact metric. In this scheme, nodes has a unique way of merging the contact history by making observations.This observations based on the collected encounter tickets. An encounter ticket is a piece of evidence which certifies that nodes A and B encountered at time t. The encounter ticket has the following format:

Ticket = A;B; t;ERKAfH(AjBjt)g;ERKBfH(AjBjt)g

Dempster-Shafer theory is used to form trust and confidence opinions towards the ability of each encountered forwarding node. However, if the black hole node really has a good routing metric for many destinations, their approach will not work.But this method still works by limiting the number of packets forwarded to the black hole node, and also this is not possible during collusion between malicious nodes. Two attackers can generate many encounter tickets with false future time stamps.

1.2.4. Routing in Socially Selfish Delay Tolerant Networks:

Nodes are unwilling to forward packets for others in delay tolerant network. In the world, most people are socially selfish that means they are willing to forward packets for nodes with whom they have social ties but not others, and such willingness depends on with the strength of the social tie. It consider the design for user technique, one technique is proposed for this purpose that is Social Selfishness Aware Routing (SSAR) algorithm. This allows user selfishness and provide better routing performance in an well-organized way. To select a forwarding node, SSAR selects both users willingness to forward and their contact resulting in a better forwarding plan than purely contact-based approaches.

Social selfishness will affect node behaviors. As a forwarding service provider, a node will not forward packets received from those with whom it has no social ties, and it gives preference to packets received from nodes with stronger ties when the resource is limited. Thus,a DTN routing algorithm should take the social selfishness into consideration. It describes, different from existing incentive based schemes which stimulate individually selfish nodes to forward for all other nodes, we follow a new philosophy of "design for user". It takes social selfishness as a user demand and allow socially selfish nodes to behave in the aforementioned ways to satisfy such demand. With this in mind, we need to address the problem of how to enforce users' social selfishness in routing. This is not easy since the routing performance (e.g., the number of packets delivered to their destinations) may be affected when social selfishness is considered. For example, when a packet is forwarded to a node that is unwilling to forward, it will most likely be dropped. It proposed a Social Selfishness Aware Routing (SSAR) algorithm to address these challenges. To maintain social selfishness, SSAR allocates resources such as buffers and bandwidth based on packet priority which is related to the social relationship among nodes. To maintain the routing performance, SSAR quantifies the relay's willingness to evaluate its forwarding capability and thus reduces the packet dropping rate.

1.2.5. Characterizing Pair wise Inter-contact Patterns in Delay Tolerant Networks:

A good understanding of contact patterns in delay tolerant networks (DTNs) is essential for the design of effective routing schemes. This is, described about the pair wise inter-contact patterns, a more refined and efficient tool for characterizing DTNs.They provided a detailed statistical analysis of pair wise inter-contact times in three reference DTN data sets. This pair wise inter-contact times processes, which have a great impact on routing.

1.2.6. Detecting Wormhole Attacks in Delay Tolerant Networks:

The Delay Tolerant Networks (DTNs) are especially useful in providing mission critical services including emergency scenarios and battlefield applications. However, DTNs are vulnerable to wormhole attacks, in which a malicious node records the packets at one location and tunnels them to another colluding node, which replays them locally into the network. Wormhole attacks are a severe threat to the normal network operation in DTNs. It described various methods that have been developed to detect wormhole attacks. However, most of them cannot work efficiently in DTNs. To detect the presence of a wormhole attack, a detection mechanism that exploits the existence of a forbidden topology in the network.

Adversaries can launch a wormhole attack in various ways in ad hoc networks. For instance, attackers can compromise two nodes, which are far apart and then build a direct link between them; attackers can also introduce two new nodes with the transceivers that are compatible with the other nodes into the network and connect them using a direct link. This kind of direct link can be established using an out-of-band channel or a logical link via packet encapsulation. After the direct link is established, one end node can forward packets it receives from its neighbors to the other colluding end-node via the wormhole link. The latter end-node replays the received packets into the network. A wormhole attack can heavily affect the network topology and hence disrupt the normal operation of routing protocols in ad hoc networks. Furthermore, the wormhole link can make the tunneled packets arrive with fewer hops compared with the packets transmitted over the normal routes. As a result, the malicious end nodes of the wormhole link may attract more routes through them.


2.1 System architecture design

Fig 2.1 system architecture design

The above figure describes about the overall architecture of the system. This approach contains source node, destination node and the overall network designer. This network designer is responsible for form the witness node to monitor the overall network. The main purpose of source is given below:

Neighbor node selection

Maintain contact record

Send data

The main purpose of destination is given below:

Receive data

Maintain contact record

Send acknowledgement

The network designer is responsible for the below operations:

Select the witness node

Witness node operations are given below:

Collect contact records from all the nodes

Compare the contact records

Identify the false record using sequence number and consistency rule

Notify about the misbehaving node

The above points explain about the overall concept of the system.

2.2 Feature Extraction:

This project mainly concentrates on detection of misbehaving nodes and routing misbehavior. Routing misbehavior can be caused by selfish nodes that are unwilling to spend resources such as power and buffer on forwarding packets of others. So that more packets are dropped.In this situation attackers can easily launch the attacks. Therefore the originality between the sender and receiver is lost. Misbehaving nodes are identified with the help of contact records. Contact records are signed by both sender and receiver for integrity purpose. After the detection of misbehaving node, packets forwarded to that nodes are limited.


This system organization concept explains about the data flow diagram and the use case diagrams to carry out the process. Data flow diagrams are diagram which shows how information or data are passed from one logical level to next logical level, and also say about how the control information transferred from one logical level to next level.

3.1 Dataflow Diagram:

3.1.1 Level 0 Data flow Diagram:

Fig 3.1 Level 0 Dataflow Diagram

3.1.2 Level 1 Data Flow Diagram:

Fig 3.2 Level 1 Data flow Diagram

3.1.3 Level 2 Data Flow Diagram:

Fig 3.3 Level 2 Data flow diagram

3.2 UML diagrams:

3.2.1 Use case Diagram

Fig 3.4 Use case Diagram

3.2.2 Sequence Diagram:

Fig 3.5 Sequence diagram

3.2.3 Activity Diagram:

Fig 3.6 Activity Diagram

3.2.4 Collaboration Diagram:

Fig 3.7 Collaboration Diagram

3.2.5 Class Diagram:

Fig 3.8 Class Diagram


This section describes about the modules or methods present in this project. They

are defined as below:

First Phase modules:

Maintain contact records

Witness Node Process

Maintain contact record summary

Packet dropping detection process

Second Phase modules:

Misreporting Detection processes

Detected Signer Misreporting

Alarm Generation

Routing Misbehavior Mitigation

Detection of Parasite Attack

4.1 Maintain contact records

When two nodes contact, they create a contact record which shows when this contact happens, which packets are in the buffers before data exchange, and what packets they send or receive during the data exchange. The record also contains the unique sequence number that each of them assigns for this contact. The record is signed by both nodes for integrity protection. A node is required to carry the record of its previous contact, and report the record to its next contacted node, which will detect if it has dropped packets since the previous contact.

4.2 Witness Node Process

The witness node is used to collects two inconsistent contact records which can detect the misreporting node. To detect misreporting, the contacted node also randomly selects a certain number of witness nodes and sends a summary of each reported record to them when it contacts them. A misbehaving node may report a false record to hide the dropping from being detected. However, misreporting will result in inconsistent contact records generated by the misbehaving node. To detect misreporting, for each contact record that a normal node generates with other nodes, the normal node selects w witness nodes and transmits the record summary to them. The summary only includes a part of the record necessary for detecting the inconsistency caused by misreporting. With some probability, the summaries of two inconsistent contact records will reach a common witness node which will detect the misreporting node.

4.3 Maintain contact record summary

If any contact happens between node N1 and N2 at time t . Without loss of generality, suppose i<j . LetBV1 and BV2 denote the vector of packets buffered by N1 and N2 before this contact, respectively. Let RV1 and RV2 denote the identifiers of the packets received by N1 and N2 during this contact, respectively. Then the record of this contact that will store and report is as follows:

R=N1, Sn1,N2,Sn2,t,BV1,RV1,RV2,Sig1,Sig2:

Sn1and Sn2 are the sequence numbers assigned by N1 and N2 for this contact, respectively. A node assigns sequence number 1 to its first contacts, and increases the number by one after each contact.

4.4 Packet dropping detection process:

In a contact, each of the contacting node reports its previous contact record to the other node. In this contact, the two nodes also exchange their current vector of buffered packets In this way, one node knows the two sets of packets the other node buffers at the beginning of the previous contact and the beginning of the current contact, which are denoted by Sbgn and Send, respectively. It also knows the two sets of packets the other node sends and receives in the previous contact, which are denoted by Ssend and Srec respectively. A misbehaving node may drop a packet but keep the packet ID, pretending that it still buffers the packet. However, the next contacted node may be a better relay for the dropped packet according to the routing protocol, which can be determined when the two exchange the destination (included in packet ID) of the buffered packets.