Efficient Key Management Mechanism with Trusted Gateways for Wireless Mesh Networks

trust-based security mechanism includes distributed authentication and deauthentication algorithms that validate backbone mesh routers as well as gateway nodes. In particular, the proposed model targets DDoS attacks in the network. The proposed DDoS attack prevention mechanism (DAPM) uses distributed authentication and deauthentication algorithms to build trusted group heads for managing secure data communication in the network. Our analysis and experimental results show that the proposed mechanism decreases the impact of malicious nodes and strengthens security compared to existing centralized schemes such as digital signature authentication (DSA-Mesh, MENSA, Mobisec, and AHKM). The experimental results show the significance of the proposed work, with 10% to 12% better performance than the existing techniques.


Introduction
Nowadays, wireless mesh network (WMN) technologies such as 802.11s, 802.15, 802.16 (WiMAX), and 802.20 have spread widely in the wireless arena [1][2][3][4]. Multihop client mesh architecture, distributed server authentication, and other sophisticated capabilities are still expected in the IEEE 802.16 standard. The existing standards have only a limited impact on the scalability and availability of a network's infrastructure, since they address only a subset of WMN features. The available techniques are still in the early stages of development, as they rely on the wireless standards [5,6]. WMNs have various security issues that must be addressed with compatibility and integration in mind. The basic design of a WMN is shown in Figure 1(a). Protecting legitimate nodes from adversary nodes at the MAC layer of mesh networks is a difficult task [6]. We split key management solutions into two groups, centralized systems and distributed systems, that secure the data from adversaries. The communication overhead and unreliable behaviour of centralized key management technologies such as adaptive key management (AKHM) and Mobisec explain their ineffectiveness. The fault tolerance of approaches such as DSA-Mesh and the IEEE 802.16j multihop relay security architecture does not protect unicast and broadcast communications from MAC layer attacks in these systems.
Multilevel key management mechanisms have recently been introduced to make key distribution easier. At several levels, however, these solutions are ineffective at addressing the security issues of the backbone mesh. WMNs are therefore expected to use multilevel key management mechanisms that protect legitimate mesh nodes from rogue nodes in order to operate stably [7]. In particular, a multilevel key management mechanism, distributed public key authentication, deauthentication procedures, and confidentiality management at the group leaders are employed to protect legitimate mesh nodes in WMNs. This practice makes it possible to use the trustworthy group heads effectively for secure data communication in WMNs.
Against unauthorized access, suitable authentication systems are required for WMNs. The cooperative DDoS attacks can harm the network to isolate legitimate mesh nodes from WMNs. Malicious attackers cooperate in this scenario to isolate genuine mesh nodes by prohibiting them from exchanging data or authentication request messages. Since there are no distributed key management processes, DDoS attacks have a significant impact on the backbone mesh. As a result of this requirement, the need for a distributed key management solution to protect against backbone mesh DDoS attacks has evolved.
The backbone mesh provides security for heterogeneous devices that communicate with each other and access the network. WMNs typically use a two-tier key distribution scheme, with the gateway and the router serving as the primary distribution points. The primary task of the two-level distributed architecture is deploying stable gateways and nodes. Mesh routers are less mobile than regular routers, and gateways must authorize these nodes at a second level before they can operate. Existing security measures are designed to address security vulnerabilities at either the gateway level or the router level. As a result, the two-tiered WMN design is vulnerable to various DDoS attacks. To secure genuine mesh nodes, mesh networks must incorporate a comprehensive two-level security key management approach, which the present mechanisms lack.
The novelty of the proposed work lies in the successful authentication of the internal mesh router point and gateway point. The contributions of the proposed work are listed below.
(i) Gateway router authentication
(ii) Distributed node authentication
(iii) Dual authentication procedures against cooperative DDoS
(iv) Providing distributed perimeter security in WMN
According to the major contributions listed above, the proposed system ensures multilayered authentication and deauthentication principles at different network levels. In particular, the novel authentication principles are executed against DDoS attacks through the transmission of both route requests and route replies across the distributed WMNs. In addition, the proposed model supports the maximum reachability rate in data transmission and data reception. In this experiment, the proposed security model has gateway authentication principles and internal router authentication principles to raise protection against DDoS attacks. Accordingly, the proposed mechanism gives efficient protection against both internal and external malfunctions. This novel practice ensures overall distributed perimeter security against DDoS attacks (internal/external) in complex WMNs. The remaining sections of this article are organized as follows. Section 2 describes the notable works in the literature. DAPM and its technical features are presented in Section 3. Section 4 discusses the performance of DAPM in WMNs. Section 5 concludes this paper.

Related Works
This section describes the existing centralized and distributed key architectures in WMNs. Dong et al. [8] suggested a Mobisec security architecture in which the public and private key pairs are distributed to newly joined routers by a centralized key distribution server.
In this framework, a new router prepares a signed authentication request and broadcasts it to nearby routers after validating the request. The neighboring router rebroadcasts the request if it is valid, and the procedure is repeated by intermediate routers until the request reaches the server. The server transmits the symmetric key as a reply to a new router for secure communication once the signed request message is valid. This work proposed the SeGroM architecture for WMNs. The SeGroM architecture uses a centralized key distribution approach and places the mesh nodes in a hierarchical tree structure. The mesh nodes are classified into two types, such as gateways and routers. The gateway node is the trusted node for all one-hop connected downstream mesh nodes and issues the keys to each downstream group node for secure link communication [9][10][11].
In this approach, control overhead is minimal since each gateway (group head) issues keys only to its downstream mesh routers instead of issuing keys to both upstream and downstream members. The wireless standard 802.11i has a centralized key distribution architecture that secures the communication between the mesh clients and a mesh router [12]. In this work, the mesh router and mesh client use a four-way handshake to set up the Pairwise Transient Key (PTK) for secure link communication and the Group Wise Transient Key (GTK) for establishing secure group communication. The wireless standard 802.11s has a centralized key distribution architecture for securing multihop communication in a WMN.
Based on the security features of 802.11s, mesh nodes are classified into three types: mesh key distributor (MKD), supplicant, and mesh authenticator (MA) [13]. MA nodes have been successfully authenticated by the authentication server, and they can forward the authentication request messages of a supplicant (new mesh router) node to an MKD node when the supplicant does not have a direct link to the MKD. The MKD node replies to the supplicant through the MA node. The MA node and the supplicant node use a four-way handshake protocol for the secure exchange of the PTK and GTK. Theil et al. proposed a hybrid wireless mesh network distributed security architecture [14]. In this security architecture, IEEE 802.11w protects the communication between the mesh points [15], and an enhanced four-way authentication protocol (IEEE 802.11i) is used to create the shared symmetric key between the access point and the mesh point.
Under this circumstance, the management frame protection of IEEE 802.11w provides end-to-end data secrecy between mesh points, and a shared symmetric key provides data confidentiality between the mesh point and the access point. To keep data safe in the path under hybrid wireless mesh networks, both mesh point security and access point security are required. DSA-Mesh has a distributed security key architecture that protects the backbone mesh networks' general routes and core routers. Core routers choose the peer master node in this design, and this node's job is to broadcast the request message and generate the session key from the random integers chosen by other core routers. The peer master node establishes a session key and broadcasts it to core routers after receiving reply messages from preceding routers. The session key encrypts the general router's joining request message. As a result, the general router sends a decryption request message to all core routers. The generic router waits for a minimum of t reply messages from the source.
Praveen et al. presented an authentication security architecture to protect against cloned access points (APs) operated by internal attackers. In this process, the newly joining AP broadcasts its MAC details as a request message [16,17]. The gateway node then checks these details against the existing database after receiving the request. If the details of the AP are already contained in the database, the gateway node assumes the request message comes from a cloned AP. Otherwise, the gateway node saves these details in the database and broadcasts the joining AP's information to its network nodes.
Similarly, recent works mainly identify various types of attacks and countermeasures in wireless networks [18][19][20]. Gayatri et al. [21] and Kasirajan et al. [22] proposed trust-based feedback routing and authentication mechanisms in wireless networks. Similarly, Soundararajan et al. [23] proposed secure watchdog mechanisms in wireless sensor networks. Most recent works attempt to secure the distributed wireless medium using either centralized or distributed solutions, and they mainly use lightweight distributed authentication and confidentiality procedures. However, an optimal dual authentication mechanism is needed against cooperative DDoS attacks in WMNs [24,25]. The lack of suitable authentication mechanisms against DDoS attacks at gateways and distributed nodes is considered a major research problem. This article is motivated to build resilient two-way authentication mechanisms against these security issues.

DDoS Attack Prevention Mechanism (DAPM)
Our proposed DAPM uses two levels of authentication, gateway-level authentication and router-level authentication, to protect legitimate routers. In DAPM, distributed authentication and deauthentication algorithms make use of gateway nodes as trust nodes. These gateway nodes are specialized routers that have very minimal resource constraints. The implementation of the gateway-level trust is discussed in Section 3.2. These nodes use the WMN's authentication and deauthentication algorithms, discussed in Section 3.3, to ensure that mesh routers can connect securely to the network [26,27].
3.1. DAPM. The DAPM notation is summarized in Table 1. Table 1 lists the trusted gateway nodes as $G = \{g_i\}_{i=1,\dots,|G|}$, where $g_i$ represents the $i$th gateway node. Each gateway node $g_i$ creates a digital signature on its messages, $\{M\}_{K^{-1}_{g_i}}$, with its private key $K^{-1}_{g_i}$, and the other network nodes use the public key $K_{g_i}$ of the gateway node $g_i$ to verify those messages. Mesh routers are represented as $R = \{r_{i,j}\}_{i=1,\dots,|G|;\ j=1,\dots,|R|}$, where $j$ is the id of a router that belongs to the $i$th gateway. The neighboring mesh routers are represented as $RN = \{rn_{i,j}\}_{i=1,\dots,|G'|;\ j=1,\dots,|R'|}$, where $j$ is the id of a neighboring mesh router belonging to the $i$th gateway, and $G'$ and $R'$ are the other network nodes. A mesh router provides secure communication using its public key $K_{r_{i,j}}$ and private key $K^{-1}_{r_{i,j}}$. Each mesh router maintains router and gateway ids and their public keys in its authentication table $AT_{i,j}$. The gateway maintains all authenticated router and gateway ids and their key pairs in the gateway authentication table $AT_i$.
Every new mesh router receives a unique router id from the gateway node $g_i$, as well as an Advanced Encryption Standard (AES) 128-bit session key $SK_{i,j}$ for secure communication between the gateway and the mesh router. The gateway node issues a timeout interval $T_{i,j}$ to the new router, and the new router must join the backbone mesh within this $T_{i,j}$ period. The gateway also issues the maximum waiting time $T^{max}_{i,j}$ of a router for the reply message from the gateway to the corresponding request packet.
$ARQ_{i,j}$ messages are sent by the router to join the backbone mesh, and $DARQ_{i,j}$ messages are sent by the router to leave the backbone mesh. Mesh router authentication replies ($ARP_{i,j}$) and deauthentication replies ($DARP_{i,j}$) are generated by the gateway in response to the successful authentication and deauthentication of the router. Routers and gateways use $t_d$ node-disjoint paths, with the minimal degree of gateway $g_i$, to forward the authentication request $ARQ_{i,j}$ and the deauthentication request $DARQ_{i,j}$. A mesh router $r_{i,j}$ computes a collision-free one-way hash $H(M)_{SK_{i,j}}$ for the message integrity check using its session key $SK_{i,j}$.

Gateway-Level Trust.
In the backbone mesh, gateway nodes or group heads trust each other via a traditional wired network. Due to the availability of industry-standard security methods, wired networks are more secure than the wireless medium. In this work, the mutual authentication between group heads is handled using the standard wired security protocol (IPsec). Likewise, group heads secure the backbone mesh by providing authentication, confidentiality, integrity, and nonrepudiation to each router using IPsec in the network. By signing with its group head signature, each group head $g_i$ verifies the request messages of its routers and shares the updated authentication table $(AT_i)_{K_{g_i}}$ with the other group heads. Finally, gateway nodes authenticate the table with the corresponding group head's public key $K_{g_i}$.
As given in Figure 1(b), the entire DAPM functionality is built on multilayered authentication principles. As mentioned, WMNs are constructed from both gateways and internal routers (neighbors). Gateway routers are responsible for analyzing the external and internal network traffic, while the internal routers and other forwarding nodes are vulnerable to internal malicious events. The proposed model sets authentication and identity evaluation mechanisms at both the gateway points and the internal points. On this basis, the proposed model establishes distributed authentication rules for transmitting requests and responses. This approach detects reply attacks, DDoS attacks, and other authentication attacks and isolates the malicious events in the entire WMN at both the gateways and the internal routers.

Wireless Communications and Mobile Computing
In this security framework, forwarding nodes and gateway nodes execute authentication and deauthentication principles under the distributed scenario. The continuous security management principles ensure node authentication policies and path authentication policies. Thus, the entire WMN is protected under the secure circumstance. The technical characteristics and algorithms are illustrated in detail in the following sections.

Authentication and Deauthentication at Router Level.
The proposed work uses authentication and deauthentication algorithms to secure the mesh router's connection establishment rules. In mesh router authentication, group head $g_i$ issues a signed unique router id $\{id\}_{K^{-1}_{g_i}}$ to every new router $r_{i,j}$. Before joining the group, a new mesh router $r_{i,j}$ sends a request message to the corresponding group head $g_i$ for the validation of its signed router id $\{id\}_{K^{-1}_{g_i}}$. Upon receiving this request message, the group head responds with a session key $SK_{i,j}$ and a message $M$, where $M$ consists of the id, the router timeout interval $T_{i,j}$, and the maximum waiting time $T^{max}_{i,j}$ for the reply message. Once the new mesh router $r_{i,j}$ has received these parameters from $g_i$, $r_{i,j}$ has to join the backbone mesh within the timeout interval $T_{i,j}$. The router $r_{i,j}$ generates its own public and private key pair $\langle K_{r_{i,j}}, K^{-1}_{r_{i,j}} \rangle$ and creates an authentication request $ARQ_{i,j}$ message to join the backbone.
where $H(M')_{SK_{i,j}}$ is a 512-bit unique code generated by the SHA-512 hash algorithm. The one-way hash function is calculated as
Finally, the router $r_{i,j}$ disseminates the $ARQ_{i,j}$ request message at time $T$, and $r_{i,j}$ stores it as a time stamp $T_s$. Once the $ARQ_{i,j}$ request is received by its neighboring mesh routers $rn_{i,j}$, each $rn_{i,j}$ decrypts the message $\{M\}_{K^{-1}_{g_i}}$ with the group head's public key $K_{g_i}$. The neighboring router $rn_{i,j}$ verifies the router id and $T_{i,j}$, and if the router id is new, $rn_{i,j}$ stores it. After $rn_{i,j}$ rebroadcasts the $ARQ_{i,j}$ message, duplicate $ARQ_{i,j}$ messages are dropped by verifying the router id. This process continues until $ARQ_{i,j}$ reaches the group head $g_i$. Alternatively, the $ARQ_{i,j}$ message may be received by another group's neighbor router $rn_{k,l}$. This router can also verify the $ARQ_{i,j}$ message, because routers maintain the public keys of the trusted group heads (gateway nodes). Thus, $rn_{k,l}$ decrypts the message $\{M\}_{K^{-1}_{g_i}}$ with the public key of the corresponding group head $g_i$ and verifies the router id and $T_{i,j}$. If the router id is not yet in its table and $T_{i,j}$ is found to be valid, $rn_{k,l}$ stores the new router id in its authentication table. The authentication message is then transmitted to its group head $g_k$ through the path formed earlier. Once the authentication request message is received, the other group head $g_k$ verifies $ARQ_{i,j}$ for validity, and the message is then unicast to the associated group head $g_i$.
Once group head $g_i$ receives the $ARQ_{i,j}$ message, $g_i$ verifies the received request message with its public key $K_{g_i}$ and the session key $SK_{i,j}$. Once the message is found to be valid, the group head $g_i$ stores the public key $K_{r_{i,j}}$ of $r_{i,j}$ in its authentication table and builds an authentication reply message $ARP_{i,j} = \{id, T_{i,j}, \{K_{r_{i,j}}\}\}$ consisting of the id, $T_{i,j}$, and the public key $K_{r_{i,j}}$ of $r_{i,j}$. Consequently, $g_i$ signs the authentication reply $ARP_{i,j}$ with its private key $K^{-1}_{g_i}$ and sends the signed $ARP_{i,j}$ message. After a neighboring router $rn_{i,j}$ receives the signed $ARP_{i,j}$ message, $rn_{i,j}$ decrypts the signed $ARP_{i,j}$ message with the public key $K_{g_i}$. Once the public key $K_{r_{i,j}}$ of the new router $r_{i,j}$ is verified, $rn_{i,j}$ adds $K_{r_{i,j}}$ to its authentication table. Consequently, $rn_{i,j}$ forwards the signed $ARP_{i,j}$ message to the next immediate mesh router, and this is repeated until the signed $ARP_{i,j}$ message reaches $r_{i,j}$.
A new mesh router $r_{i,j}$ has successfully joined the backbone mesh once $r_{i,j}$ receives the signed $ARP_{i,j}$ message within the time interval $T_s + T^{max}_{i,j}$; otherwise, $r_{i,j}$ rebroadcasts the $ARQ_{i,j}$ message as long as the timeout interval $T_{i,j}$ has not expired. In this sequence, $g_i$ disseminates the router id and $K_{r_{i,j}}$ to the other group heads for updating their authentication tables $AT_{i,j}$ and $AT_t$.
The valid mesh routers use their key pairs for secure communication. Mesh router ($r_{i,j}$) authentication request and response message reachability are explained in Algorithms 1 and 2. Figure 2 summarizes the technical flow of Algorithm 1: the algorithm validates mesh router attributes and makes the valid routers authentic entities in the network. Each router raises an authentication request message from inside the network and through the gateways. The authentication request messages are first validated using router identifiers and network attributes to find the valid requests; on the basis of valid identifiers, the request is forwarded into the network. At the next level, the requesting router's characteristics are authenticated based on mesh configuration properties and gateway attributes.
On the successful validation, the authentication requests are forwarded to the neighbor nodes for ensuring local authentication policies at each node. Accordingly, the network path is protected from attacks. Figure 3 illustrates the functions of Algorithm 2. Algorithm 2 describes the authentication procedures in order to identify the fake reply attacks. In this regard, Figure 3 shows the mesh node's reply validation and isolation tasks based on their correctness. In the first level, Figure 3 gives the validation of network path and destination causes in the replies.
The valid reply is forwarded to neighbor nodes for validating Address Resolution Protocol (ARP) messages, routing node's public keys, identities, time stamps, and other mesh attributes. Similarly, the node's (router) logical association is validated to confirm the authentication reply of the mesh router (node).
In the process of router $r_{i,j}$ deauthentication, $r_{i,j}$ creates a deauthentication request $DARQ_{i,j}$ with its unique id. Consequently, $r_{i,j}$ signs the $DARQ_{i,j}$ message with its private key $K^{-1}_{r_{i,j}}$ and forwards the $\{DARQ_{i,j}\}_{K^{-1}_{r_{i,j}}}$ message to its group head $g_i$ through $t_d$ node-disjoint paths in the backbone at time $T$. Once the signed $DARQ_{i,j}$ message is received by a neighboring router or gateway ($rn_{i,j}/g_t$), it decrypts this message with the mesh router's public key $K_{r_{i,j}}$.
Once the signed $DARQ_{i,j}$ message is valid, $rn_{i,j}/g_t$ transmits this message to the subsequent routers; otherwise, the message is dropped by $rn_{i,j}$.
[Algorithm 1: Mesh router ($r_{i,j}$) authentication request message reachability. Input: gateway nodes $G = \{g_1, g_2, \dots, g_n\}$; routers $R = \{\{r_{1,1}, \dots, r_{1,n}\}, \{r_{2,1}, \dots, r_{2,n}\}, \dots, \{r_{n,1}, \dots, r_{n,n}\}\}$; authentication request message $ARQ = \{M, id, T, K_r, H(M)\}$; the authentication tables and the public and private key pairs of the router and gateway nodes; flag = 0 denotes an invalid or fake request packet. Outline: $r_{i,j}$ sends the signed-id request $\{id\}_{K^{-1}_{g_i}}$, and if it is invalid $g_i$ sends no reply; $r_{i,j}$ generates its own public and private key pair and sends $ARQ_{i,j}$; if flag = 0, $rn_{k,l}/g_t$ does not forward $ARQ_{i,j}$; on a valid $ARQ_{i,j}$, $g_i$ stores the public key, drops $SK_{i,j}$, creates the signed $ARP_{i,j} = \{id, \{K_{r_{i,j}}\}\}$, forwards it to $r_{i,j}$ through the $t_d$ disjoint paths, and disseminates the router id and $K_{r_{i,j}}$ to the gateway nodes and its group members for updating $AT_{i,j}$ and $AT_t$; otherwise $g_i$ drops $ARQ_{i,j}$ without a reply message.]
Upon receiving the signed $DARQ_{i,j}$ message, $g_i$ sends a signed $DARP_{i,j}$ to router $r_{i,j}$ through the disjoint paths ($t_d$); the deauthentication information of $r_{i,j}$ is also disseminated to the other group heads and its group members [27][28][29]. Figures 4 and 5 depict the details of the deauthentication procedures as discussed; these figures represent Algorithms 3 and 4, respectively. Figure 4 analyzes the router's (node's) authentication request and its successful completion upon the various validation procedures. Consequently, the request goes through the deauthentication procedures and signature validation procedures in each router (gateway or mesh node). A gateway router or any internal mesh router is responsible for extracting the path attributes, channel participant attributes, and digital signatures of each initiative.
According to that, the internal mesh node or gateway traffics are identified for deauthentication policies as shown in Algorithm 3 and Figure 4.
In the same way, Figure 5 shows the deauthentication steps on response messages and the validation steps on disjoint paths in the network. As mentioned in Figure 5 and Algorithm 4, the false responses and false logical paths are
[Algorithm 2: Mesh router ($r_{i,j}$) authentication reply message reachability. Input: gateway nodes $G = \{g_1, g_2, \dots, g_n\}$; routers $R = \{\{r_{1,1}, \dots, r_{1,n}\}, \{r_{2,1}, \dots, r_{2,n}\}, \dots, \{r_{n,1}, \dots, r_{n,n}\}\}$; authentication reply message $ARP = \{id, T, K_r\}$; the authentication tables and the public and private key pairs of the router and gateway nodes; flag = 0 denotes an invalid or fake reply message. Outline: $rn_{k,l}/g_t/g_i$ receives $\{ARP_{i,j}\}_{K^{-1}_{g_i}}$; $rn_{k,l}/g_t$ adds the new router $\{id', K_{i,j}\}$ to $AT_{k,l}/AT_t$ and forwards the signed $ARP_{i,j}$ to the next router; else if $rn_{k,l} = r_{i,j}$ ...]
Once a neighboring mesh router or gateway ($rn_{i,j}/g_t$) receives the signed $DARP_{i,j}$ message, $rn_{i,j}/g_t$ decrypts the signed $DARP_{i,j}$ message using the group head's public key $K_{g_i}$. Once the group head's public key $K_{g_i}$ successfully decrypts the signed $DARP_{i,j}$ message, $rn_{i,j}/g_i$ deletes the router $\{id, K_{r_{i,j}}\}$ from the authentication table ($AT_{i,j}/AT_t$) and forwards the signed $DARP_{i,j}$ message to the subsequent routers and gateways, and this process repeats until the signed $DARP_{i,j}$ message reaches $r_{i,j}$. Once the signed $DARP_{i,j}$ message is received, $r_{i,j}$ is completely isolated from the backbone network [30][31][32]. Mesh router ($r_{i,j}$) deauthentication is explained in Algorithms 3 and 4.
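The join ($ARQ_{i,j}$/$ARP_{i,j}$) and leave ($DARQ_{i,j}$/$DARP_{i,j}$) exchanges between a router and its group head, as an added example that is not the paper's own code or pseudocode. It assumes a textbook RSA hash-then-sign stand-in for the unspecified digital signature scheme, HMAC-SHA512 under the AES-128 session key $SK_{i,j}$ for the keyed hash $H(M')_{SK_{i,j}}$, and constructed values for the message layout, $T_{i,j}$ (30 s) and $T^{max}_{i,j}$ (5 s).

```python
import hashlib, hmac, json, math, random, secrets

# Toy hash-then-sign RSA: the paper names no signature scheme, so this is a constructed
# stand-in (keys far too small for real use) that makes the exchange runnable offline.
def _is_prime(n: int, rounds: int = 12) -> bool:      # Miller-Rabin probable-prime test
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits: int = 512):                            # returns ((e, n), (d, n))
    def prime(b: int) -> int:
        while not _is_prime(c := secrets.randbits(b) | 1 << (b - 1) | 1):
            pass
        return c
    e, p, q = 65537, prime(bits // 2), prime(bits // 2)
    phi = (p - 1) * (q - 1)
    if p == q or math.gcd(e, phi) != 1:
        return keygen(bits)
    return (e, p * q), (pow(e, -1, phi), p * q)

def _digest(payload: dict, n: int) -> int:
    body = json.dumps(payload, sort_keys=True).encode()   # canonical encoding
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def sign(priv, payload: dict) -> dict:
    return {"payload": payload, "sig": pow(_digest(payload, priv[1]), priv[0], priv[1])}

def verify(pub, signed) -> bool:
    return bool(signed) and pow(signed["sig"], pub[0], pub[1]) == _digest(signed["payload"], pub[1])

def keyed_hash(sk: bytes, M: dict) -> str:              # H(M')_SK_ij as HMAC-SHA512
    return hmac.new(sk, json.dumps(M, sort_keys=True).encode(), hashlib.sha512).hexdigest()

class Gateway:                      # group head g_i; AT_i maps router id -> K_r
    def __init__(self, gid: str):
        self.gid, self.AT, self.pending, self.n = gid, {}, {}, 0
        self.pub, self.priv = keygen()
    def admit(self, now: float):
        """Issue {id}_{K^-1_gi}, SK_ij (16 random bytes), T_ij and T_max (constructed values)."""
        rid, self.n = f"{self.gid}.{self.n}", self.n + 1
        sk, T_ij = secrets.token_bytes(16), now + 30.0
        self.pending[rid] = (sk, T_ij)
        return sign(self.priv, {"id": rid, "T_ij": T_ij}), sk, 5.0
    def handle_ARQ(self, arq: dict):
        """Algorithm 1 at g_i: own signature on the id, keyed hash under SK_ij, join window."""
        sid, rid = arq["M"]["signed_id"], arq["M"]["signed_id"]["payload"]["id"]
        if not verify(self.pub, sid) or rid not in self.pending:
            return None
        sk, T_ij = self.pending[rid]
        if not hmac.compare_digest(keyed_hash(sk, arq["M"]), arq["H"]) or arq["M"]["T"] > T_ij:
            return None
        self.AT[rid] = tuple(arq["M"]["K_r"])      # store K_r and drop SK_ij (Algorithm 1)
        del self.pending[rid]
        return sign(self.priv, {"id": rid, "T_ij": T_ij, "K_r": arq["M"]["K_r"]})
    def handle_DARQ(self, darq: dict):
        """Algorithm 3 at g_i: DARQ must verify under the K_r stored for that id."""
        rid = darq["payload"]["id"]
        if rid not in self.AT or not verify(self.AT[rid], darq):
            return None
        del self.AT[rid]
        return sign(self.priv, {"id": rid, "deauth": True})

class Router:                       # new mesh router r_ij
    def __init__(self, signed_id: dict, sk: bytes, T_max: float):
        self.signed_id, self.sk, self.T_max, self.T_s = signed_id, sk, T_max, None
        self.id = signed_id["payload"]["id"]
        self.pub, self.priv = keygen()
    def make_ARQ(self, now: float) -> dict:
        self.T_s = now                                   # time stamp T_s
        M = {"signed_id": self.signed_id, "K_r": list(self.pub), "T": now}
        return {"M": M, "H": keyed_hash(self.sk, M)}
    def accept_ARP(self, arp, gw_pub, now: float) -> bool:
        """Joined only if g_i's signed ARP for our id and K_r arrives by T_s + T_max."""
        return (self.T_s is not None and now <= self.T_s + self.T_max and verify(gw_pub, arp)
                and arp["payload"]["id"] == self.id and arp["payload"]["K_r"] == list(self.pub))
    def make_DARQ(self) -> dict:
        return sign(self.priv, {"id": self.id})

def demo():                         # constructed run: join, replayed ARQ rejected, leave
    g = Gateway("g1")
    r = Router(*g.admit(now=0.0))
    arq = r.make_ARQ(now=1.0)
    joined = r.accept_ARP(g.handle_ARQ(arq), g.pub, now=2.0)
    replay_rejected = g.handle_ARQ(arq) is None          # SK_ij was dropped after the join
    left = g.handle_DARQ(r.make_DARQ()) is not None and r.id not in g.AT
    return joined, replay_rejected, left
```

A replayed $ARQ_{i,j}$ is rejected because $g_i$ discards $SK_{i,j}$ once the router's public key is stored, and an $ARP_{i,j}$ that arrives after $T_s + T^{max}_{i,j}$ is ignored by the router.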

Security Analysis.
In this section, we analyze the security of the proposed distributed authentication technique against various authentication attacks like impersonation attacks, replay attacks, deprivation attacks, and information security distributed denial of service attacks. Various inferences show that the secure multiwatchdog system could guard nodes that have maximum coverage. Additionally, single point failure of a single watchdog system shall be avoided through the deployment of the secure multiple watchdog system.
The impersonation attack harms a router once the router node broadcasts an authentication request message and fake gateway nodes respond to it. In the proposed approach, any node other than the corresponding gateway node that replies to the router is easily detected by the router, which verifies the signature on the reply message with the public key of the corresponding group head. A replay attack creates a serious problem in a WMN: the authentication request message sent out by a legitimate mesh router can be intercepted and replayed by an attacker in order to join the mesh network. Once the attack is successfully initiated, the attacker enters the active phase and sends messages on behalf of the target node. In our proposed approach, each request message is protected from replay by maintaining the sequence number and time stamp of the request message, so a replayed request at a mesh node is easily detected and dropped. The node deprivation attack is similar to the replay attack in that it starts with the capture of a legitimate mesh router's deauthentication request message; the attacker then replays the deauthentication request message in order to isolate the mesh router when it rejoins the network [33][34][35].
Figure 4: Mesh router ($r_{i,j}$) deauthentication request message reachability.
The authentication flooding attack is handled by restricting each node to transmitting request messages once every $t$ seconds; once the $t$ value lies between 10 seconds and 100 seconds, DoS and DDoS attacks can be prevented. In a colluding attack, DDoS attackers work together to flood fake authentication request messages so as to isolate the target mesh router, with the consequence that the authentication request message from the mesh router is not received by the gateway node. The proposed mechanism resists DDoS attacks on up to $t_d - 1$ of the paths between the mesh router and the gateway node, where $t_d$ is the total number of node-disjoint paths.
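The three defences described above (sequence number plus time stamp against replay and node deprivation, one request per $t$ seconds with $10 \le t \le 100$ against flooding, and delivery over $t_d$ node-disjoint paths), as an added example that is not the paper's own code; the request trace, the 5-second freshness window and the paths are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class RequestGuard:
    """Per-node filter for (de)authentication requests: sequence number and
    time stamp against replay, one request per t seconds against flooding."""
    t: float                      # minimum spacing between requests of one router
    window: float = 5.0           # constructed freshness window for the time stamp
    last_seq: dict = field(default_factory=dict)
    last_time: dict = field(default_factory=dict)

    def __post_init__(self):
        if not 10 <= self.t <= 100:       # range the paper gives for t
            raise ValueError("t must lie between 10 and 100 seconds")

    def check(self, sender: str, seq: int, ts: float, now: float) -> str:
        """Return 'accept', or the reason the request is dropped."""
        if abs(now - ts) > self.window:
            return "drop:stale-timestamp"         # captured earlier, replayed late
        if seq <= self.last_seq.get(sender, -1):
            return "drop:replay"                  # sequence number already seen
        if now - self.last_time.get(sender, float("-inf")) < self.t:
            return "drop:flood"                   # more than one request per t seconds
        self.last_seq[sender] = seq
        self.last_time[sender] = now
        return "accept"


def clean_disjoint_paths(paths, malicious) -> int:
    """Count the node-disjoint router-to-gateway paths with no malicious node.
    The request still reaches g_i while this is >= 1, i.e. with up to
    t_d - 1 of the t_d paths blocked."""
    bad = set(malicious)
    return sum(1 for p in paths if not bad.intersection(p))


def run_constructed_scenario():
    """Constructed trace of (sender, seq, ts, now) entries and constructed paths."""
    guard = RequestGuard(t=10)
    trace = [
        ("r1.1", 1, 0.0, 0.0),     # first request
        ("r1.1", 1, 0.0, 2.0),     # same request replayed by an attacker
        ("r1.1", 2, 3.0, 3.0),     # fresh, but too soon after the last one
        ("r1.1", 3, 12.0, 12.0),   # fresh and t seconds later
        ("r1.2", 1, 12.5, 12.5),   # another router: limits are per sender
        ("r1.1", 3, 12.0, 30.0),   # captured request replayed 18 s later
    ]
    decisions = [guard.check(*entry) for entry in trace]
    paths = [["a", "b"], ["c", "d"], ["e", "f"]]   # t_d = 3 disjoint paths
    return (decisions,
            clean_disjoint_paths(paths, {"b", "d"}),        # 2 of 3 blocked: still delivered
            clean_disjoint_paths(paths, {"b", "d", "f"}))   # all t_d blocked: isolated
```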

Attack Model Definition.
Assume that the attacker $AT_N$ initiates authentication attacks such as false identification, identity duplication, data repetition, identity masking, and other malicious activities on the set of network nodes $S(n)$. In this model, the attacker $AT_N$ has the attack properties $A(P) = \{i, j, k, l\}$ as predefined attack rules to harm the network.
The properties $i, j, k, l$ denote the attack engines. In the overall mesh network, $n \cdot AT_N$ attackers can raise $n \cdot A(P)$ possibilities of authentication attacks, as mentioned earlier. The $n \cdot AT_N$ attackers can be either external participants or compromised nodes in the network. In this regard, crucial authentication attacks need to be identified through different security analysis models. As mentioned earlier, the router-centric authentication and deauthentication procedures analyze the outcomes as given below.

Lemma and Proof.
The development of the proposed security analysis model $P(Auth)$ against the $n \cdot A(P)$ attack possibilities of the $n \cdot AT_N$ attackers creates a stable legitimate property group $G(l)$ in the network. The $G(l)$ over the security perimeter $S(p)$ is called the stable security group $SG(l)$. In addition, this group allows the network system to choose a security bias parameter $\phi \rightarrow \{0, 1\}$ with dual-collision points between both sender and receiver. The security analysis steps and proofs are as follows. It has to be proved that $A(u).dt$ has the consistency range $\phi \rightarrow \{0, 0.5\}$ at the changing time interval $dt$. Assume that $n \cdot A(P)$ holds the permutations of $\{i, j, k, l\}$ as $\{p, q, r, s\}$ to initiate the attacks on the nodes or channels. This lemma needs to prove that the quadruple satisfies $\{p, q, r, s\}.dt \le l(A(u).dt \,\|\, D(u).dt)$. In this proof, $l(A(u).dt \,\|\, D(u).dt)$ indicates the expected legitimate properties of the derived authentication and deauthentication policies. This is a common security need for $l$
Figure 5: Mesh router ($r_{i,j}$) deauthentication response message reachability.

[Algorithm 3: Mesh router ($r_{i,j}$) deauthentication request message reachability. Input: gateway nodes $G = \{g_1, g_2, \dots, g_n\}$; routers $R = \{\{r_{1,1}, \dots, r_{1,n}\}, \{r_{2,1}, \dots, r_{2,n}\}, \dots, \{r_{n,1}, \dots, r_{n,n}\}\}$; deauthentication request message $DARQ = \{id, K_r\}$; the authentication tables and the public and private key pairs of the router and gateway nodes; flag = 0 denotes an invalid or fake request message. Outline: $r_{i,j}$ sends the signed deauthentication request $\{DARQ_{i,j}\}_{K^{-1}_{r_{i,j}}}$ to $g_i$ through the $t_d$ node-disjoint paths and sets the $T_s$ value; the message is received by one or more of its neighboring nodes $rn_{k,l}/g_t$; the neighboring node $rn_{k,l}/g_t$ extracts the router id from $\{DARQ_{i,j}\}_{K^{-1}_{r_{i,j}}}$; if $rn_{k,l}/g_t \ne r_{i,j}/g_i$, the $rn_{k,l}/g_t$ on the $t_d$ paths verify $\{DARP_{i,j}\}_{K^{-1}}$ ...]
3.5. Router Message Reachability Analysis.
Attackers use DDoS attacks to disturb the functions of WMNs. Since these attackers prevent genuine mesh router connection activities, they have an impact on the network's scalability. When a centralized system authenticates and deauthenticates backbone mesh routers, the routers are at risk of being compromised. The cooperative behavior of mesh routers reduces the impact of collaborating attackers on the backbone mesh. For heterogeneous and homogeneous radio-range wireless devices, Bhoi et al. [36] proposed a network node connection probability model based on probability distributions. In this model, node communication ranges and overall network size are linked with coverage factors [37]. Message reachability in a hostile network required certain changes to this concept. The connectivity probability model is used for analyzing the DAPM in comparison with other centralized authentication schemes such as Mobisec and DSA-Mesh. In this scenario, the percentage of malicious mesh routers varies from 0% to 100%, creating a hostile backbone mesh.
We specify the notations used in this model as follows: (1) the number of gateways in the WMN is N_G = |G|, where k denotes the minimal node degree and the "effective range" is r_min = min{{r_j} | j = 1, ⋯, |J|, r_min}. Thus, Equation (2) shows the length of the communication range between backbone nodes, the density of mesh routers, and the number of gateway nodes. These entities have an impact on the reachability of messages from a mesh router to a gateway [38][39][40]. As per the proposed DAPM, the number of gateways required by routers differs significantly from the number of gateway nodes required by the existing techniques (Mobisec and DSA-Mesh). As a result, we compare the performance of the proposed and existing solutions by varying the number of gateway nodes in each solution.
In [25][26][27]. In order to authenticate a mesh router in DSA-Mesh, the mesh router's message must be received by a minimum of (N_G/2) + 1 group heads.
On the other hand, AHKM only authenticates routers at one-hop distance. The network radio range within which new routers can join the network is limited, and MENSA nodes are directly connected to group heads. All network nodes must be adjacent to group heads to join or leave the network [41][42][43][44].
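An added illustration (not the paper's Equation (2) or its simulation code) of how the acceptance thresholds stated above change message reachability: delivery to each of the N_G group heads is modelled as an independent binomial trial, DAPM succeeds once any one group head processes the message, and DSA-Mesh needs at least (N_G/2) + 1. The per-head delivery probability q = 1 - m for malicious fraction m is an assumption made only to produce a sweep over the 0-100% hostile range.

```go
package main

import (
	"fmt"
	"math"
)

// binomCoeff returns C(n, k) as a float64.
func binomCoeff(n, k int) float64 {
	r := 1.0
	for i := 1; i <= k; i++ {
		r = r * float64(n-k+i) / float64(i)
	}
	return r
}

// reachAtLeast returns P(X >= k) for X ~ Bin(nG, q): the probability that at
// least k of the N_G group heads receive a router's message when each head
// receives it independently with probability q.
func reachAtLeast(nG, k int, q float64) float64 {
	p := 0.0
	for x := k; x <= nG; x++ {
		p += binomCoeff(nG, x) * math.Pow(q, float64(x)) * math.Pow(1-q, float64(nG-x))
	}
	return p
}

// Thresholds from the text: DAPM succeeds once any one group head processes
// the message, while DSA-Mesh needs at least (N_G/2)+1 group heads.
func dapmReach(nG int, q float64) float64    { return reachAtLeast(nG, 1, q) }
func dsaMeshReach(nG int, q float64) float64 { return reachAtLeast(nG, nG/2+1, q) }

// hostileAverage averages a scheme's reachability over a malicious-router
// fraction m swept from 0% to 100% in `steps` increments, using the assumed
// per-head delivery probability q = 1 - m (a simplification, not Equation (2)).
func hostileAverage(reach func(int, float64) float64, nG, steps int) float64 {
	sum := 0.0
	for s := 0; s <= steps; s++ {
		sum += reach(nG, 1-float64(s)/float64(steps))
	}
	return sum / float64(steps+1)
}

func main() {
	for _, nG := range []int{5, 10} {
		fmt.Printf("N_G=%d  DAPM avg=%.3f  DSA-Mesh avg=%.3f\n", nG,
			hostileAverage(dapmReach, nG, 10), hostileAverage(dsaMeshReach, nG, 10))
	}
}
```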
The proposed DAPM's message reachability is very high because a routing message can be processed by any group head [45,46]. According to Figure 6, the average message reachability of the DAPM is 69%, the existing scheme's average message reachability is 60%, MENSA's average message reachability is 58%, Mobisec's average message reachability is 57%, and AHKM's average message reachability is 27% in the hostile network (0-100 percent malicious nodes), for an N_G value of 5. It has been shown that the proposed DAPM is better than DSA-Mesh, MENSA, Mobisec, and AHKM by 9%, 10%, 12%, and 42%, respectively.
Based on the message reachability analysis with 10 group nodes, the average message reachability of the proposed DAPM is 76%. The existing scheme's average message reachability is 64%, MENSA's average message reachability is 62%, Mobisec's average message reachability is 59%, and AHKM's average message reachability is 35% in a hostile network, as shown in Figures 7(a) nodes). According to the authors, when N_G is set to 10, the proposed DAPM-DA performs 12% better than DSA-Mesh, 14% better than MENSA, 17% better than Mobisec, and 31% better than AHKM. DAPM reduces the severity of network attacks by increasing the transmission range or the number of routers in the backbone mesh [47,48]. Since the proposed DAPM is developed based on a heterogeneous-device connectivity probability model, it outperforms DSA-Mesh, MENSA, Mobisec, and AHKM in a hostile network [28][29][30]. In the next section, a simulation study is performed to compare the proposed DAPM with the DSA-Mesh, MENSA, Mobisec, and AHKM schemes, with the N_G value of each scheme being varied.

Simulation Results
In this work, network simulator (NS-2) is used to implement the proposed DAPM as well as existing schemes such as DSA-Mesh, MENSA, Mobisec, and AHKM.
A uniform random generator selects the x and y coordinates of n_r = 100 mesh routers on a 1000 meter × 1000 meter (m) area in the simulation environment [49]. In particular, the NS-2 tool has been used to create the WMN scenario with the required nodes (0 to 100). Among these nodes, internal mesh nodes and gateway nodes communicate with each other to transmit the data. In this case, the energy level of gateway nodes and internal nodes is configured as 50 joules and 30 joules, respectively. Similarly, each node has a limited transmission range from 150 meter to 250 meter (omnidirectional). In addition, the implementation of the proposed and existing techniques is done using object tool command generate 100 bytes of messages for mesh router authentication and deauthentication. To simulate the WMN, we set the pause time to 2 ms. We established communication ranges from 150 meter to 250 meter for both long-distance and short-distance wireless links. We employ a random waypoint model for node mobility. We ran 10,000 simulations in this setup, varying the number of malicious nodes from 0 to 100%. Compared to the proposed model, the existing techniques provide notable security provisions. DSA-Mesh is the existing technique that enables distributed key management principles in each mesh router. In this regard, the Digital Signature Algorithm (DSA) is used to provide distributed authentication. Compared to the other existing techniques, DSA-Mesh is an effective authentication technique that is suitable for mesh networks and large distributed networks. For this reason, DSA-Mesh attains a better message reachability rate than the other existing techniques.
In comparison, a two-level verification mechanism is used in AHKM, with a one-hop path for nodes inside the cluster and a multihop path for nodes outside the transmission range. In a one-hop route, all nodes have direct access to the base station, and nodes send authentication requests directly to the base station. In a multihop route, nodes cannot send messages directly to the base station; instead, they must send the message to a neighboring node, which then passes it on to the base station. This approach typically employs a two-hop distance to authenticate a new node.
MENSA, the first hybrid key management and authentication solution for microgrids that combines public key infrastructure and web-of-trust concepts, was developed by Bolgouras et al. [33]. MENSA's authoritative nodes issue certificates to the other nodes in the network. Each node's certificate is checked by an authoritative node. In this topology, when a node joins the network, all network nodes are connected in a ring. A new node that receives multiple certificates from various certifying authorities has a good chance of succeeding. The authoritative nodes must be within one hop of each other for new nodes to join. However, MENSA and AHKM provide only moderate results compared with the DSA-Mesh technique. Due to unstable key production and effective internal authentication procedures, these techniques are limited to distributed security policies.
In this regard, Mobisec provides a security architecture with data confidentiality and authentication policies. Mobisec was specially designed for WMN security at medium access control layer functions. On this basis, this approach is called Mobimesh with second-layer encryption principles. In the overall comparison, the existing DSA-Mesh performs better than the other techniques in terms of distributed authentication rules. At the same time, DSA-Mesh is limited in terms of dual point authentication policies (gateway/internal). The experiment has been conducted, and the performance of the security systems is evaluated using the following metrics: message reachability rate, attack detection accuracy, packet delivery ratio (PDR), false acceptance rate (FAR), false positive rate (FPR), computational complexity, and attack detection time.
Message reachability rate is defined as the ratio between the number of messages that reach each neighbor or gateway node and the total number of messages transferred in the network. Attack detection accuracy is determined as the number of malicious events detected out of the total number of attacks initiated in the network. FAR is the rate of malicious events counted as legitimate events in the WMN. In contrast, FPR is measured as the number of events counted as malicious when they are really legitimate in the network. In addition, the overall time complexity taken by each algorithm is important for understanding the timeline issues in the execution. On the other side, attack detection time helps to identify the time-domain performance of each existing system and the proposed DAPM. In this regard, time complexity and attack detection time are identified as the execution time taken by the algorithm phases and by the DDoS attack detection procedures, respectively. The experiment measures the time complexity in milliseconds. Figure 8 depicts the performance of the DSA-Mesh, MENSA, Mobisec, and AHKM schemes when N_G is set to 5. DAPM has a message reachability of 77%, DSA-Mesh has an average reachability of 67%, MENSA has an average reachability of 64%, Mobisec has a message reachability of 60%, and AHKM has an average reachability of 31%. Figure 9 depicts the performance of the DAPM, DSA-Mesh, and Mobisec schemes when N_G is set to 10. It is observed from the figure that the average reachability of DAPM, MENSA, Mobisec, and AHKM is 68%, 64%, 64%, and 34%, respectively.
According to our results analysis, the proposed DAPM's router message reachability is very high (10% to 38%) in hostile environments compared to the DSA-Mesh, MENSA, Mobisec, and AHKM schemes. In this comparison, Mobisec is a centralized key management system, and DSA-Mesh is a distributed key management system. Thus, the proposed key management mechanism has been compared with both centralized and distributed key management mechanisms. In addition, the proposed scheme has been compared with two other distributed key management mechanisms, AHKM and MENSA.
Finally, the proposed DAPM has been compared with the other existing techniques as illustrated in Table 2. In this evaluation, DAPM is evaluated at its maximum network extent with the number of nodes (100), attack frequency (35 malicious events/session), and network failures (10 faults/second). Table 2 shows the better performance of DAPM in terms of the average values of the various metrics taken over iterative simulation cycles. In this case, the proposed DAPM has a 98.4% attack detection accuracy rate. At the same time, the existing techniques are limited in their multilayer authentication procedures for validating active attacks.
The average FAR and FPR are minimal for the proposed model compared to the existing techniques. These parameters are identified to validate the negative performance of any security model. In this case, DSA-Mesh (3.11% to 3.67%) performs better than the other existing techniques. Consequently, the proposed model increases the PDR by securing both gateway and internal mesh transactions.
On the other hand, the proposed DAPM optimizes the time complexity in the attack detection phases and the overall complexity. Notably, the computational complexity of the proposed algorithms is illustrated in Table 3. Computational complexity is measured in cycles per second. Table 3 shows the individual procedural complexity of Algorithms 1, 2, 3, and 4 in the computation domain. It shows that the authentication procedures have a higher computational complexity than the deauthentication procedures. Apart from these complexities, the attack detection rules in each router and the data transmission procedures impact the overall time complexity. The overall computational complexity in milliseconds of the proposed algorithms is illustrated in Table 2. From the overall experimental analysis, the proposed DAPM has been identified as a suitable technique for providing multilayer authentication at gateways and internal WMN nodes. Thus, the proposed system provides overall distributed security in the WMN.

Conclusion
In this work, a DDoS attack prevention mechanism has been proposed for WMNs. Our proposed DAPM protects gateways and mesh routers from network attacks. The major component of this mechanism is the creation of trust among group heads using IPSec and distributed authentication and deauthentication schemes to secure the legitimate mesh nodes' join/leave operations. The distributed authentication and deauthentication algorithms protect heterogeneous devices' communication in a hostile environment. Using a binomial probability distribution model and the simulations, we show that DAPM has better message reachability than the existing centralized and distributed key mechanisms in the backbone mesh. The overall gateway authentication and mesh router authentication procedures create a novel distributed protection against DDoS attacks, identity attacks, and replay attacks. As WMNs contain numerous internal nodes and gateway points, this article proposes the crucial authentication and deauthentication on round-trip transmission. This is the major contribution of the proposed model compared to existing techniques. In this regard, the implementation section shows that the proposed model attains better performance than the existing techniques by 10% to 16%. However, this approach is limited to active attacks only in mesh networks. Research challenges remain in handling passive attacks, which are harder to address than the active attacks raised in WMNs. In future work, the findings are expected to be improved with a resilient authentication model against multiple attacks in WMNs.

Data Availability
The data used to support the findings of this study are available from the first author upon request (guncity11@gmail.com).

Conflicts of Interest
The authors declare that they have no conflicts of interest.