
Chapter 1

1. Introduction

Mobile ad hoc networks (MANETs) and wireless sensor networks (WSNs) are relatively new communication paradigms. MANETs do not require expensive base stations or wired infrastructure. Nodes within radio range of each other can communicate directly over wireless links, and those that are far apart use other nodes as relays. Each host in a MANET also acts as a router, as routes are mostly multi-hop. The lack of fixed infrastructure and centralized authority makes a MANET suitable for a broad range of applications in both military and civilian environments. For example, a MANET could be deployed quickly for military communications on the battlefield.

A MANET could also be deployed quickly in scenarios such as a meeting room, a city transportation wireless network, fire fighting, and so on. To form such a cooperative and self-configurable network, every mobile host should be a friendly node willing to relay messages for others. In the original design of a MANET, global trustworthiness of the nodes within the whole network is a fundamental security assumption. Recent progress in wireless communications and micro-electro-mechanical systems (MEMS) technology has made it feasible to build miniature wireless sensor nodes that integrate sensing, data processing, and communication capabilities. These wireless sensor nodes can be extremely small, as tiny as a cubic centimeter. Compared with conventional computers, the low-cost, battery-powered sensor nodes have a limited energy supply, constrained processing and communication capabilities, and scarce memory.

The design and implementation of relevant services for WSNs must keep these limitations in mind. Based on the collaborative efforts of a large number of sensor nodes, WSNs have become good candidates to provide economically viable solutions for a wide range of applications, such as environmental monitoring, scientific data collection, health monitoring, and military operations.

Despite the wide variety of potential applications, MANETs and WSNs are often deployed in adverse or even hostile environments. Therefore, they cannot be readily deployed without first addressing security challenges. Due to the open medium, the low degree of physical security of mobile nodes, a dynamic topology, a limited power supply, and the absence of a central management point, MANETs are more vulnerable to malicious attacks than traditional wired networks. In WSNs, the lack of physical security combined with unattended operation makes sensor nodes prone to capture and compromise, leaving WSNs vulnerable to a variety of attacks.

A mobile ad hoc network (MANET) is a self-configuring network that is formed automatically by a collection of mobile nodes without the help of a fixed infrastructure or centralized management. Each node is equipped with a wireless transmitter and receiver, which allow it to communicate with other nodes in its radio communication range. In order for a node to forward a packet to a node that is out of its radio range, the cooperation of other nodes in the network is needed; this is known as multi-hop communication.

Therefore, each node must act as both a host and a router at the same time. The network topology frequently changes due to the mobility of mobile nodes as they move within, move into, or move out of the network.

A MANET with the characteristics described above was originally developed for military purposes, as nodes are scattered across a battlefield and there is no infrastructure to help them form a network. In recent years, MANETs have been developing rapidly and are increasingly being used in many applications, ranging from military to civilian and commercial uses, since such networks can be set up without the help of any infrastructure or interaction with a human. Some examples are search-and-rescue missions, data collection, and virtual classrooms and conferences where laptops, PDAs or other mobile devices share the wireless medium and communicate with each other. As MANETs become widely used, security has become one of the primary concerns. For example, most of the routing protocols proposed for MANETs assume that every node in the network is cooperative and not malicious [1]. Therefore, a single compromised node can cause the failure of the entire network.

There are both passive and active attacks in MANETs. In passive attacks, packets containing secret information might be eavesdropped, which violates confidentiality. Active attacks, including injecting packets to invalid destinations into the network, deleting packets, modifying the contents of packets, and impersonating other nodes, violate availability, integrity, authentication, and non-repudiation. Proactive approaches such as cryptography and authentication were considered first, and many techniques have been proposed and implemented. However, these approaches alone are not sufficient. If we have the ability to detect an attack once it enters the network, we can stop it from doing damage to the system or its data. This is where the intrusion detection system comes in.

Intrusion detection can be defined as a process of monitoring activities in a system, which can be a computer or a network system. The mechanism by which this is achieved is called an intrusion detection system (IDS). An IDS collects activity information and then analyzes it to determine whether there are any activities that violate the security rules. Once an IDS determines that an unusual activity, or an activity that is known to be an attack, has occurred, it generates an alarm to alert the security administrator. In addition, an IDS can also initiate a proper response to the malicious activity. Although several intrusion detection techniques have been developed for wired networks, they are not suitable for wireless networks due to the differences in their characteristics. Therefore, those techniques must be modified or new techniques must be developed to make intrusion detection work effectively in MANETs.

In this paper, we classify the architectures for IDS in MANETs, each of which is suitable for different network infrastructures. Current intrusion detection systems corresponding to those architectures are reviewed and compared.

Chapter 2

2.1 Intrusion Detection System (IDS)

Many historical events have shown that intrusion prevention techniques alone, such as encryption and authentication, which are usually the first line of defense, are not sufficient. As systems become more complex, they also have more weaknesses, which lead to more security problems. Intrusion detection can be used as a second wall of defense to protect the network from such problems. If an intrusion is detected, a response can be initiated to prevent or minimize damage to the system.

To make intrusion detection systems work, basic assumptions are made. The first assumption is that user and program activities are observable. The second assumption, which is more important, is that normal and intrusive activities must have distinct behaviors, as intrusion detection must capture and analyze system activity to determine if the system is under attack.

Intrusion detection can be classified based on audit data as either host-based or network-based. A network-based IDS captures and analyzes packets from network traffic, while a host-based IDS uses operating system or application logs in its analysis. Based on detection techniques, IDS can also be classified into three categories as follows [2].

    Anomaly detection systems: The normal profiles (or normal behaviors) of users are kept in the system. The system compares the captured data with these profiles, and then treats any activity that deviates from the baseline as a possible intrusion by informing system administrators or initializing a proper response.

    Misuse detection systems: The system keeps patterns (or signatures) of known attacks and uses them to compare with the captured data. Any matched pattern is treated as an intrusion. Like a virus detection system, it cannot detect new kinds of attacks.

    Specification-based detection: The system defines a set of constraints that describe the correct operation of a program or protocol. Then, it monitors the execution of the program with respect to the defined constraints.

2.2 Intrusion Detection in MANETs

Many intrusion detection systems have been proposed for traditional wired networks, where all traffic must go through switches, routers, or gateways. Hence, an IDS can be added to and implemented in these devices easily [17, 18]. On the other hand, MANETs do not have such devices. Moreover, the medium is wide open, so both legitimate and malicious users can access it. Furthermore, there is no clear separation between normal and unusual activities in a mobile environment. Since nodes can move arbitrarily, false routing information could come from a compromised node or from a node that has outdated information. Thus, the current IDS techniques for wired networks cannot be applied directly to MANETs. Many intrusion detection systems have been proposed to suit the characteristics of MANETs, some of which will be discussed in the next sections.

2.3 Architectures for IDS in MANETs

The network infrastructures that MANETs can be configured in are either flat or multi-layered, depending on the application. Therefore, the optimal IDS architecture for a MANET may depend on the network infrastructure itself [9]. In a flat network infrastructure, all nodes are considered equal, so it may be suitable for applications such as virtual classrooms or conferences. In a multi-layered network infrastructure, by contrast, some nodes are treated differently. Nodes may be partitioned into clusters with one cluster head for each cluster. Nodes within a cluster can communicate directly, but communication across clusters must go through the cluster heads. This infrastructure might be well suited for military applications.

2.3.1 Stand-alone Intrusion Detection Systems

In this architecture, an intrusion detection system runs on each node independently to determine intrusions. Every decision is based only on information collected at the node itself, since there is no cooperation among nodes in the network; therefore, no data is exchanged. Besides, nodes in the same network know nothing about the situation on other nodes, as no alert information is passed. Although this architecture is not effective due to these limitations, it may be suitable in a network where not all nodes are capable of running an IDS or have an IDS installed. This architecture is also more suitable for a flat network infrastructure than for a multi-layered one. Since the information on each individual node might not be enough to detect intrusions, this architecture has not been chosen in most of the IDS for MANETs.

2.3.2 Distributed and Cooperative Intrusion Detection Systems

Since the nature of MANETs is distributed and requires the cooperation of other nodes, Zhang and Lee [1] have proposed that the intrusion detection and response system in MANETs should also be both distributed and cooperative, as shown in Figure 1. Every node participates in intrusion detection and response by running an IDS agent. An IDS agent is responsible for detecting and collecting local events and data to identify possible intrusions, as well as initiating a response independently. However, neighboring IDS agents cooperatively participate in global intrusion detection actions when the evidence is inconclusive. Similarly to the stand-alone IDS architecture, this architecture is more suitable for a flat network infrastructure than for a multi-layered one.

2.3.3 Hierarchical Intrusion Detection Systems

Hierarchical IDS architectures extend the distributed and cooperative IDS architectures and have been proposed for multi-layered network infrastructures where the network is divided into clusters. The clusterhead of each cluster usually has more functionality than the other members of the cluster, for example routing packets across clusters. Thus, these cluster heads, in some sense, act as control points similar to switches, routers, or gateways in wired networks. The same concept of multi-layering is applied to intrusion detection systems in the hierarchical IDS architecture.

Each IDS agent is run on every member node and is responsible locally for its node, i.e., monitoring and deciding on locally detected intrusions. A clusterhead is responsible locally for its node as well as globally for its cluster, e.g. monitoring network packets and initiating a global response when network intrusion is detected.

2.3.4 Mobile Agent for Intrusion Detection Systems

The concept of mobile agents has been used in several techniques for intrusion detection systems in MANETs. Due to their ability to move through a large network, each mobile agent is assigned to perform only one specific task, and then one or more mobile agents are distributed to each node in the network. This allows the distribution of the intrusion detection tasks. There are several advantages to using mobile agents [2]. Some functions are not assigned to every node; thus, it helps to reduce the consumption of power, which is scarce in mobile ad hoc networks.

It also provides fault tolerance, such that if the network is partitioned or some agents are destroyed, the remaining agents are still able to work. Moreover, they are scalable in large and varied system environments, as mobile agents tend to be independent of platform architectures. However, these systems require a secure module where mobile agents can be stationed. Additionally, mobile agents must be able to protect themselves from the secure modules on remote hosts as well.

Mobile-agent-based IDS can be considered a distributed and cooperative intrusion detection technique as described in Section 3.2. Moreover, some techniques also combine mobile agents with hierarchical IDS, for example the one described in Section 4.3.

2.4 Sample Intrusion Detection Systems for MANETs

Since IDS for traditional wired systems are not well suited to MANETs, many researchers have proposed IDS especially for MANETs, some of which are reviewed in this section.

2.4.1 Distributed and Cooperative IDS

As described in Section 3.2, Zhang and Lee also proposed the model for distributed and cooperative IDS as shown in Figure 2 [1].

The model for an IDS agent is structured into six modules. The local data collection module collects real-time audit data, which includes system and user activities within its radio range. This collected data is analyzed by the local detection engine module for evidence of anomalies. If an anomaly is detected with strong evidence, the IDS agent can determine independently that the system is under attack and initiate a response through the local response module (i.e., alerting the local user) or the global response module (i.e., deciding on an action), depending on the type of intrusion, the type of network protocols and applications, and the certainty of the evidence. If an anomaly is detected with weak or inconclusive evidence, the IDS agent can request the cooperation of neighboring IDS agents through the cooperative detection engine module, which communicates with other agents through the secure communication module.

2.4.2 Local Intrusion Detection System (LIDS)

Albers et al. [3] proposed a distributed and collaborative IDS architecture using mobile agents. A Local Intrusion Detection System (LIDS) is implemented on every node for local concerns, and can be extended to global concerns by cooperating with other LIDS. Two types of data are exchanged among LIDS: security data and intrusion alerts. In order to analyze a possible intrusion, data must be obtained from what the LIDS detects, along with additional information from other nodes. Other LIDS might run on different operating systems or use data from different activities such as system, application, or network activities; therefore, the format of this raw data might differ, which makes it hard for a LIDS to analyze. However, such difficulties can be solved by using SNMP (Simple Network Management Protocol) data located in MIBs (Management Information Base) as an audit data source. Such a data source not only eliminates those difficulties but also limits the additional resources consumed in collecting audit data if an SNMP agent is already running on each node.

Figure 3: LIDS Architecture in a Mobile Node [3]

To obtain additional information from other nodes, the authors proposed using mobile agents to transport SNMP requests to other nodes; in other words, to distribute the intrusion detection tasks. The idea differs from traditional SNMP in that the traditional approach transfers data to the requesting node for computation, while this approach brings the code to the data on the requested node. This is motivated by the untrustworthiness of the UDP messages used by SNMP and the dynamic topology of MANETs. As a result, the amount of exchanged data is greatly reduced. Each mobile agent can be assigned a specific task, which it carries out autonomously and asynchronously without any help from its LIDS. The LIDS architecture is shown in Figure 3 and consists of:

  • Communication Framework: To facilitate both internal and external communication with a LIDS.
  • Local LIDS Agent: To be responsible for local intrusion detection and local response. It also reacts to intrusion alerts sent from other nodes to protect itself against the reported intrusion.
  • Local MIB Agent: To provide a means of collecting MIB variables for either mobile agents or the Local LIDS Agent. The Local MIB Agent acts as an interface to the SNMP agent, if SNMP exists and runs on the node, or to a tailor-made agent developed specifically to allow updates and retrievals of the MIB variables used by intrusion detection, if none exists.
  • Mobile Agents (MA): They are dispatched by their LIDS to collect and process data on other nodes. The results of their evaluation are then either sent back to their LIDS or sent to another node for further investigation.
  • Mobile Agents Place: To provide security control for mobile agents.

For the detection methodology, the Local IDS Agent can use either anomaly or misuse detection; however, combining the two mechanisms offers a better model. Once a local intrusion is detected, the LIDS initiates a response and informs the other nodes in the network. Upon receiving an alert, a LIDS can protect itself against the intrusion.

2.4.3 Distributed Intrusion Detection System Using Multiple Sensors

Kachirski and Guha [4] proposed a multi-sensor intrusion detection system based on mobile agent technology. The system can be divided into three main modules, each of which represents a mobile agent with a certain functionality: monitoring, decision-making, or initiating a response. By separating functional tasks into categories and assigning each task to a different agent, the workload is distributed, which suits the characteristics of MANETs. In addition, a hierarchical structure of agents is also developed in this intrusion detection system, as shown in Figure 4.

  • Monitoring agent: Two functions are carried out by this class of agent: network monitoring and host monitoring. A host-based monitor agent hosting system-level sensors and user-activity sensors runs on every node to monitor within the node, while a monitor agent with a network monitoring sensor runs only on some selected nodes to monitor at packet level, capturing packets going through the network within its radio range.
  • Action agent: Every node also hosts an action agent. Since every node hosts a host-based monitoring agent, it can determine whether there is any suspicious or unusual activity on the host node based on anomaly detection. When there is strong evidence supporting the detected anomaly, the action agent can initiate a response, such as terminating the process or blocking a user from the network.
  • Decision agent: The decision agent runs only on certain nodes, mostly those that run network monitoring agents. These nodes collect all packets within their radio range and analyze them to determine whether the network is under attack. Moreover, as described above, if the local detection agent cannot make a decision on its own due to insufficient evidence, it reports to this decision agent for further investigation. This is done using the packet-monitoring results that come from the network-monitoring sensor running locally. If the decision agent concludes that a node is malicious, the action module of the agent running on that node, as described above, carries out the response.

The network is logically divided into clusters with a single cluster head for each cluster. This clusterhead monitors the packets within the cluster, and only packets whose originators are in the same cluster are captured and investigated. This means that the network monitoring agent (with the network monitoring sensor) and the decision agent run on the cluster head. In this mechanism, the decision agent makes its decision based only on the information collected by its own network-monitoring sensor; thus, other nodes have no influence on its decision. This way, spoofing attacks and false accusations can be prevented.

2.4.4 Dynamic Hierarchical Intrusion Detection Architecture

Since nodes move arbitrarily across the network, a static hierarchy is not suitable for such a dynamic network topology. Sterne et al. [16] proposed a dynamic intrusion detection hierarchy that is potentially scalable to large networks by using clustering like that in Sections 4.3 and 5.5. However, it can be structured in more than two levels, as shown in Figure 5. Nodes labeled "1" are the first-level clusterheads, nodes labeled "2" are the second-level clusterheads, and so on. Members of the first level of the cluster are called leaf nodes.

Every node has the responsibilities of monitoring (by accumulating counts and statistics), logging, analyzing (i.e., attack signature matching or checking packet headers and payloads), responding to detected intrusions if there is enough evidence, and alerting or reporting to cluster heads. Clusterheads, in addition, must also perform:

Data fusion/integration and data reduction: Clusterheads aggregate and correlate reports from members of the cluster with data of their own. Data reduction may be involved to avoid conflicting data, bogus data and overlapping reports. Besides, cluster heads may send requests to their children for additional information in order to correlate reports correctly.

Intrusion detection computations: Since different attacks require different sets of detected data, the data on a single node might not be enough to detect an attack, e.g., a DDoS attack, and thus clusterheads also analyze the consolidated data before passing it to upper levels.

Security Management: The uppermost levels of the hierarchy have the authority and responsibility for managing the detection and response capabilities of the clusters and cluster heads below them. They may send signature updates, or directives and policies to alter the configuration of intrusion detection and response. These updates and directives flow from the top of the hierarchy to the bottom.

To form the hierarchical structure, every node uses clustering, which is typically used in MANETs to construct routes, to self-organize into local neighborhoods (first-level clusters) and then select neighborhood representatives (cluster heads). These representatives then use clustering to organize themselves into the second level and select their representatives. This process continues until all nodes in the network are part of the hierarchy. The authors also suggested criteria for selecting cluster heads. Some of these criteria are:

  • Connectivity: the number of nodes within one hop
  • Proximity: members should be within one hop of their cluster head
  • Resistance to compromise (hardening): the probability that the node will not be compromised. This is very important for the upper-level cluster heads.
  • Processing power, storage capacity, energy remaining, bandwidth capabilities

Additionally, this proposed architecture does not rely solely on promiscuous node monitoring like many proposed architectures, due to its unreliability as described in. Therefore, this architecture also supports direct periodic reporting, where packet counts and statistics are sent to monitoring nodes periodically.
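The data fusion and data reduction duties of a clusterhead described above, and the claim that consolidated data can reveal an attack no single member sees, are illustrated by the following added example. It is not code from Sterne et al. [16]: the report format, the two thresholds and the sample reports are constructed for the illustration.

```python
"""Clusterhead data reduction and fusion (added example; not code from Sterne et al. [16]).

The report format, the thresholds and the sample reports are assumptions constructed
to show why a clusterhead can see an attack that no single member can.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

NODE_THRESHOLD = 50      # assumed: packets from one source a single member would flag
CLUSTER_THRESHOLD = 120  # assumed: aggregate level at which the clusterhead raises an alert


@dataclass(frozen=True)
class Report:
    report_id: str  # assumed unique per observation, so forwarded copies can be dropped
    reporter: str   # cluster member that produced the report
    source: str     # node whose traffic the member counted
    packets: int    # packets seen from that source in the reporting period


# Constructed reports: node X spreads its traffic over several members so that
# no single member exceeds NODE_THRESHOLD; report r2 arrives twice via two paths.
SAMPLE_REPORTS: List[Report] = [
    Report("r1", "n5", "X", 45),
    Report("r2", "n9", "X", 45),
    Report("r2", "n9", "X", 45),   # duplicate delivery of the same report
    Report("r3", "n10", "X", 40),
    Report("r4", "n11", "Y", 20),
]
OWN_COUNTS: Dict[str, int] = {"X": 10, "Y": 5}  # the clusterhead's own sensor counts


def reduce_reports(reports: Iterable[Report]) -> List[Report]:
    """Data reduction: keep one copy of each report_id so overlaps are not double-counted."""
    unique: Dict[str, Report] = {}
    for report in reports:
        unique.setdefault(report.report_id, report)
    return list(unique.values())


def fuse(reports: Iterable[Report], own_counts: Dict[str, int]) -> Dict[str, int]:
    """Data fusion: total packets per source across all members plus the clusterhead itself.

    The result is also the consolidated summary passed to the next level of the hierarchy.
    """
    totals: Dict[str, int] = defaultdict(int, own_counts)
    for report in reduce_reports(reports):
        totals[report.source] += report.packets
    return dict(totals)


def member_alerts(reports: Iterable[Report]) -> List[str]:
    """What the members could have flagged on their own evidence alone."""
    return sorted({r.source for r in reduce_reports(reports) if r.packets > NODE_THRESHOLD})


def cluster_alerts(reports: Iterable[Report], own_counts: Dict[str, int]) -> List[str]:
    """What the clusterhead flags after fusing every member's view with its own."""
    return sorted(src for src, n in fuse(reports, own_counts).items() if n > CLUSTER_THRESHOLD)


if __name__ == "__main__":
    print("member alerts :", member_alerts(SAMPLE_REPORTS))                # []
    print("cluster alerts:", cluster_alerts(SAMPLE_REPORTS, OWN_COUNTS))  # ['X']
```

No member sees more than 45 packets from X, so none of them would raise an alert, while the fused total of 140 crosses the cluster threshold; dropping the duplicate copy of r2 first keeps that total honest.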

2.4.5 Zone-Based Intrusion Detection System (ZBIDS)

Sun et al. [24] have proposed an anomaly-based, two-level, non-overlapping Zone-Based Intrusion Detection System (ZBIDS). By dividing the network in Figure 6 into non-overlapping zones (zone A to zone I), nodes can be categorized into two types: intrazone nodes and interzone nodes (or gateway nodes). Considering only zone E, nodes 5, 9, 10 and 11 are intrazone nodes, while nodes 2, 3, 6, and 8 are interzone nodes that have physical connections to nodes in other zones. The formation and maintenance of zones requires each node to know its own physical location and to map its location to a zone map, which requires prior design setup.

Each node has an IDS agent running on it, whose model is shown in Figure 7. Similar to the IDS agent proposed by Zhang and Lee (Figure 2), the data collection module and the detection engine are responsible for collecting local audit data (for instance, system call activities and system log files) and analyzing the collected data for any sign of intrusion, respectively. In addition, there may be more than one instance of each of these modules, which allows collecting data from various sources and using different detection techniques to improve detection performance.

The local aggregation and correlation (LACE) module is responsible for combining the results of these local detection engines and generating alerts if any abnormal behavior is detected. These alerts are broadcast to other nodes within the same zone. The functionality of the global aggregation and correlation (GACE) module, however, depends on the type of the node. As described in Figure 7, if the node is an intrazone node, it only sends the generated alerts to the interzone nodes, whereas if the node is an interzone node, it receives alerts from other intrazone nodes, aggregates and correlates those alerts with its own alerts, and then generates alarms. Moreover, the GACE also cooperates with the GACEs of the neighboring interzone nodes to obtain more accurate information for detecting the intrusion. Lastly, the intrusion response module is responsible for handling the alarms generated by the GACE.

The local aggregation and correlation algorithm used in ZBIDS is based on local Markov chain anomaly detection. The IDS agent first creates a normal profile by constructing a Markov chain from the routing cache. A valid change in the routing cache can be characterized by the Markov chain detection model with probabilities; otherwise, it is considered abnormal and an alert is generated. The global aggregation and correlation algorithm is based on the information provided in the received alerts, containing the type, the time, and the source of the attacks.
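The following added example shows the shape of the Markov chain anomaly detection just described: a normal profile is learned from a trace of routing-cache changes, and windows of later changes are scored by how many of their transitions the profile considers unlikely. It is not ZBIDS code from Sun et al. [24]; the event vocabulary (ADD, USE, EXPIRE, ERR, DEL), the training and test traces, the window size and the thresholds are all assumptions constructed for the illustration.

```python
"""Markov-chain anomaly detector over routing-cache change events.

Added example, not ZBIDS code from Sun et al. [24]: the event vocabulary
(ADD, USE, EXPIRE, ERR, DEL), the training trace, the window size and the
thresholds are all assumptions made to illustrate the approach.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed "normal" trace of routing-cache changes used to build the profile:
# routes are discovered (ADD), used (USE), time out (EXPIRE) or fail (ERR -> DEL).
NORMAL_TRACE: List[str] = (
    ["ADD", "USE", "USE", "USE", "EXPIRE"] * 6
    + ["ADD", "USE", "ERR", "DEL", "ADD", "USE", "USE", "EXPIRE"] * 2
)

# Constructed observation traces: one that follows the normal pattern and one with
# transitions (ADD -> DEL, ADD -> EXPIRE, EXPIRE -> USE) the profile never saw.
BENIGN_TRACE = ["ADD", "USE", "USE", "EXPIRE", "ADD", "USE", "USE", "USE", "EXPIRE", "ADD"]
SUSPECT_TRACE = ["ADD", "DEL", "ADD", "DEL", "ADD", "DEL", "ADD", "EXPIRE", "USE", "USE"]


class MarkovProfile:
    """First-order Markov chain: P(next event | current event) learned from a normal trace."""

    def __init__(self) -> None:
        self.counts: Dict[str, Counter] = defaultdict(Counter)

    def train(self, events: Sequence[str]) -> "MarkovProfile":
        for cur, nxt in zip(events, events[1:]):
            self.counts[cur][nxt] += 1
        return self

    def transition_prob(self, cur: str, nxt: str) -> float:
        """Empirical probability of cur -> nxt; 0.0 for a transition never seen in training."""
        total = sum(self.counts[cur].values())
        return self.counts[cur][nxt] / total if total else 0.0

    def window_score(self, window: Sequence[str], min_prob: float) -> float:
        """Fraction of transitions in the window that the profile considers unlikely."""
        transitions = list(zip(window, window[1:]))
        if not transitions:
            return 0.0
        unlikely = sum(1 for cur, nxt in transitions if self.transition_prob(cur, nxt) < min_prob)
        return unlikely / len(transitions)

    def detect(self, events: Sequence[str], window: int = 5, min_prob: float = 0.05,
               alert_ratio: float = 0.4) -> List[Tuple[int, float]]:
        """Slide a window over the observed events; return (start_index, score) per alert."""
        alerts = []
        for start in range(len(events) - window + 1):
            score = self.window_score(events[start:start + window], min_prob)
            if score > alert_ratio:
                alerts.append((start, round(score, 2)))
        return alerts


def build_profile() -> MarkovProfile:
    """Normal profile built from the constructed training trace."""
    return MarkovProfile().train(NORMAL_TRACE)


if __name__ == "__main__":
    profile = build_profile()
    print("benign :", profile.detect(BENIGN_TRACE))    # []
    print("suspect:", profile.detect(SUSPECT_TRACE))   # every window flagged
```

The benign trace produces no alert because every one of its transitions was seen during training, while each window of the suspect trace contains transitions with probability zero and so exceeds the alert ratio.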

2.5 Intrusion Detection Techniques for Node Cooperation in MANETs

Since there is no infrastructure in mobile ad hoc networks, each node must rely on other nodes for cooperation in routing and forwarding packets to the destination. Intermediate nodes might agree to forward the packets but actually drop or modify them because they are misbehaving. The simulations in [5] show that only a few misbehaving nodes can degrade the performance of the entire system. There are several proposed techniques and protocols to detect such misbehavior in order to avoid those nodes, and some schemes also propose punishment as well [6, 7].

2.5.1 Watchdog and Pathrater

Two techniques were proposed by Marti, Giuli, and Baker [5], watchdog and pathrater, to be added on top of the standard routing protocol in ad hoc networks. The standard is Dynamic Source Routing protocol (DSR) [8]. A watchdog identifies the misbehaving nodes by eavesdropping on the transmission of the next hop. A pathrater then helps to find the routes that do not contain those nodes. In DSR, the routing information is defined at the source node. This routing information is passed together with the message through intermediate nodes until it reaches the destination. Therefore, each intermediate node in the path should know who the next hop node is. In addition, listening to the next hop's transmission is possible because of the characteristic of wireless networks - if node A is within range of node B, A can overhear communication to and from B.

Figure 8 shows how the watchdog works. Assume that node S wants to send a packet to node D, and that there exists a path from S to D through nodes A, B, and C. Consider now that A has already received a packet from S destined to D. The packet contains a message and routing information. When A forwards this packet to B, A also keeps a copy of the packet in its buffer. Then, it promiscuously listens to the transmission of B to make sure that B forwards to C. If the packet overheard from B (represented by a dashed line) matches the one stored in the buffer, it means that B really forwarded it to the next hop (represented by a solid line). A then removes the packet from the buffer. However, if there is no matching packet after a certain time, the watchdog increments the failure counter for node B. If this counter exceeds the threshold, A concludes that B is misbehaving and reports it to the source node S.

The pathrater calculates the "path metric" for each path. By keeping a rating of every node in the network that it knows, it can calculate the path metric by combining the node ratings with link reliability, which is collected from past experience. Having obtained the path metric for all available paths, the pathrater chooses the path with the highest metric. In addition, if there is no link reliability information, the path metric still enables the pathrater to select the shortest path. As a result, paths containing misbehaving nodes are avoided.
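The watchdog and pathrater behaviour described in the two paragraphs above is simulated in the following added example, which is not the code of Marti, Giuli and Baker [5]. The node names follow Figure 8; the timeout, the failure threshold, the neutral and "misbehaving" rating values and the way link reliability is folded into the metric are assumptions chosen for the illustration, not the paper's own parameters.

```python
"""Watchdog and pathrater simulation (added example; not the code of Marti, Giuli and
Baker [5]). Node names follow Figure 8; the timeout, the failure threshold and the
rating values are assumptions, and the rating scheme is a simplified stand-in."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

TIMEOUT = 2                  # assumed: ticks to wait for the next hop to forward a packet
FAILURE_THRESHOLD = 3        # assumed: unconfirmed forwards before a node is reported
DEFAULT_RATING = 0.5         # assumed: neutral rating for nodes with no history
MISBEHAVING_RATING = -100.0  # assumed: so negative that any path through the node loses


@dataclass
class Watchdog:
    """Watchdog run by a forwarding node (node A in Figure 8)."""
    owner: str
    buffer: Dict[Tuple[str, int], int] = field(default_factory=dict)  # (next_hop, pkt_id) -> time sent
    failures: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    reported: List[str] = field(default_factory=list)

    def forward(self, pkt_id: int, next_hop: str, now: int) -> None:
        """Forward a packet and keep a copy until the next hop is heard forwarding it."""
        self.buffer[(next_hop, pkt_id)] = now

    def overhear(self, sender: str, pkt_id: int) -> None:
        """Promiscuously heard `sender` transmit pkt_id onward: the forward is confirmed."""
        self.buffer.pop((sender, pkt_id), None)

    def tick(self, now: int) -> List[str]:
        """Expire unconfirmed copies; return nodes that just crossed the failure threshold."""
        newly_reported = []
        for (hop, pkt_id), sent_at in list(self.buffer.items()):
            if now - sent_at >= TIMEOUT:
                del self.buffer[(hop, pkt_id)]
                self.failures[hop] += 1
                if self.failures[hop] == FAILURE_THRESHOLD:
                    self.reported.append(hop)   # in the scheme this report goes to the source S
                    newly_reported.append(hop)
        return newly_reported


def path_metric(path: Sequence[str], ratings: Dict[str, float],
                link_reliability: Optional[Dict[Tuple[str, str], float]] = None) -> float:
    """Average rating of the nodes after the source, scaled by any known link reliabilities."""
    hops = path[1:]
    metric = sum(ratings.get(n, DEFAULT_RATING) for n in hops) / len(hops)
    for a, b in zip(path, path[1:]):
        metric *= (link_reliability or {}).get((a, b), 1.0)
    return metric


def choose_path(paths: Sequence[Sequence[str]], ratings: Dict[str, float],
                link_reliability: Optional[Dict[Tuple[str, str], float]] = None) -> Sequence[str]:
    """Highest metric wins; on equal metrics (e.g. no reliability data) the shortest path wins."""
    return max(paths, key=lambda p: (round(path_metric(p, ratings, link_reliability), 9), -len(p)))


def run_scenario() -> Tuple[List[str], Sequence[str]]:
    """Constructed trace: A forwards four packets to B, but B only forwards the first one."""
    wd = Watchdog(owner="A")
    wd.forward(1, "B", now=0)
    wd.overhear("B", 1)           # B did forward packet 1
    wd.forward(2, "B", now=1)
    wd.forward(3, "B", now=2)
    wd.forward(4, "B", now=3)     # packets 2-4 are never overheard
    for t in range(1, 8):
        wd.tick(t)
    ratings = {node: MISBEHAVING_RATING for node in wd.reported}
    paths = [["S", "A", "B", "C", "D"], ["S", "A", "E", "F", "G", "D"], ["S", "A", "E", "D"]]
    return wd.reported, choose_path(paths, ratings)


if __name__ == "__main__":
    reported, chosen = run_scenario()
    print("reported misbehaving:", reported)   # ['B']
    print("path chosen        :", chosen)      # ['S', 'A', 'E', 'D']
```

With no link reliability data the two B-free paths tie on metric and the shorter one is chosen; supplying a low reliability for the E–D link makes the longer path win instead, which is the behaviour the pathrater description above calls for.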

The simulation results show that the system with these two techniques is quite effective at choosing paths that avoid misbehaving nodes. However, those misbehaving nodes are not punished; on the contrary, they still benefit from the network. Therefore, misbehaving nodes are encouraged to continue their behavior.

Chapter 3

3. Literature survey

3.1 Introduction

The rapid proliferation of wireless networks and mobile computing applications has changed the landscape of network security. The nature of mobility creates new vulnerabilities that do not exist in a fixed wired network, and yet many of the proven security measures turn out to be ineffective. Therefore, the traditional way of protecting networks with firewalls and encryption software is no longer sufficient. We need to develop new architectures and mechanisms to protect wireless networks and mobile computing applications. The implications of mobile computing for network security research can be further demonstrated by the following case. Recently (Summer 2001) an Internet worm called Code Red spread rapidly to infect many Windows-based server machines.

To prevent this type of worm attack from spreading into intranets, many companies rely on firewalls to protect their internal networks. However, there have been multiple incidents in which the Code Red worm was caught from within the intranet, largely due to the use of mobile computers. As more and more business travelers carry laptops and more and more public venues provide wireless Internet access, there are higher and higher chances that an inadequately protected laptop will be infected with worms. For example, at a recent IETF meeting, among the hundreds of attendees carrying laptops, a dozen were detected to be infected with the Code Red worm. When these laptops are later integrated back into their company networks, they can spread the worms from within and render the firewalls useless in defending against this worm.

(This paper was accepted for publication in ACM MONET Journal in 2002 and appears in this issue of ACM WINET due to editorial constraints.)

3.2 Vulnerabilities of Mobile Wireless Networks

The nature of the mobile computing environment makes it very vulnerable to an adversary's malicious attacks. First of all, the use of wireless links renders the network susceptible to attacks ranging from passive eavesdropping to active interference. Unlike wired networks, where an adversary must gain physical access to the network wires or pass through several lines of defense at firewalls and gateways, attacks on a wireless network can come from all directions and target any node. Damage can include leaking secret information, message contamination, and node impersonation.

All these mean that a wireless ad-hoc network will not have a clear line of defense, and every node must be prepared for encounters with an adversary, directly or indirectly. Second, mobile nodes are autonomous units that are capable of roaming independently. This means that nodes with inadequate physical protection are susceptible to being captured, compromised, and hijacked. Since tracking down a particular mobile node in a global-scale network cannot be done easily, attacks by a compromised node from within the network are far more damaging and much harder to detect.

Therefore, mobile nodes and the infrastructure must be prepared to operate in a mode that trusts no peer. Third, because decision-making is decentralized in a mobile computing environment, some wireless network algorithms depend on the cooperative participation of all nodes and the infrastructure. Due to the lack of a centralized authority, adversaries can exploit this weakness to mount unique attacks intended to break the cooperative algorithms. For example, many of the current MAC protocols for wireless channel access are vulnerable. Irrespective of the developments in the types of MAC protocols, their fundamental working principles are alike.

In a contention-based method, each node must compete for control of the transmission channel each time it sends a message. Nodes must strictly follow the pre-defined procedure to avoid collisions and to recover from them. In a contention-free method, each node must seek from all other nodes a unanimous promise of exclusive use of the channel resource, on a one-time or recurring basis. Regardless of the type of MAC protocol, if a node behaves maliciously, the MAC protocol can break down in a scenario resembling a denial-of-service attack. Although such attacks are rare in wired networks, because the physical network and the MAC layer are isolated from the outside world by layer-3 gateways and firewalls, every mobile node is completely exposed in the open wireless medium.

In addition, mobile computing introduces kinds of computational and communication activity that are rare in a fixed or wired environment. For example, mobile users tend to be stingy about communication due to slower links, limited bandwidth, higher cost, and battery power constraints; mechanisms like disconnected operation and location-dependent operation only appear in the mobile wireless environment. Unsurprisingly, security measures developed for wired networks are likely to be ineffective against attacks that exploit these new applications. Applications and services in a mobile wireless network can be a weak link as well. In these networks, there are often proxies and software agents running in base stations and intermediate nodes to achieve performance gains through caching, content transcoding, traffic shaping, and so on. Potential attacks may target these proxies or agents to gain sensitive information or to mount DoS attacks, such as loading the cache with bogus references, or having the content transcoder do useless and expensive computation.

To summarize, a mobile wireless network is vulnerable due to its open medium, dynamically changing network topology, cooperative algorithms, lack of a centralized monitoring and management point, and lack of a clear line of defense. Future research is needed to address these vulnerabilities.

3.3 The Need for Intrusion Detection

Intrusion prevention measures, such as encryption and authentication, can be used in ad-hoc networks to reduce intrusions, but cannot eliminate them. For example, encryption and authentication cannot defend against compromised mobile nodes, which often carry the private keys. Integrity validation using redundant information (from different nodes), such as that used in secure routing, also relies on the trustworthiness of other nodes, which could likewise be a weak link for sophisticated attacks. The history of security research has taught us a valuable lesson: no matter how many intrusion prevention measures are inserted in a network, there are always some weak links that one could exploit to break in, just like the example at the beginning of this paper. Intrusion detection presents a second wall of defense and is a necessity in any high-survivability network. In summary, the mobile computing environment has inherent vulnerabilities that are not easily preventable. To secure mobile computing applications, we need to deploy intrusion detection and response techniques, and further research is necessary to adapt these techniques from their original applications in fixed wired networks to the new environment.

In this paper, we focus on a particular type of mobile computing environment called mobile ad-hoc networks and propose a new model for intrusion detection and response for this environment. We will first give a background on intrusion detection, then present our new architecture, followed by an experimental study to evaluate its feasibility.

3.4 Intrusion Detection and the Challenges of Mobile Ad-Hoc Networks

When an intrusion (defined as "any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource") takes place, intrusion prevention techniques, such as encryption and authentication (e.g., using passwords or biometrics), are usually the first line of defense. However, intrusion prevention alone is not sufficient, because as systems become ever more complex, and as security is still often an afterthought, there are always exploitable weaknesses in the systems due to design and programming errors, or various "socially engineered" penetration techniques.

For example, even though they were first reported many years ago, exploitable "buffer overflow" security holes, which can lead to an unauthorized root shell, still exist in some recent system software. Furthermore, as illustrated by the Distributed Denial-of-Service (DDoS) attacks launched against several major Internet sites where security measures were in place, the protocols and systems that are designed to provide services (to the public) are inherently subject to attacks such as DDoS. Intrusion detection can be used as a second wall to protect network systems, because once an intrusion is detected, e.g., in the early stage of a DDoS attack, a response can be put into place to minimize damage, gather evidence for prosecution, and even launch counter-attacks.

Intrusion detection rests on two assumptions: (a) user and program activities are observable, and (b) normal and intrusive activities have distinct behavior. To determine whether the system is under attack, an intrusion detection system captures audit data and analyzes the evidence in that data.

The audit data used decides whether an intrusion detection system (IDS) falls into the network-based or the host-based category. Generally, a network-based IDS functions at the gateway of a network to capture and examine the network packets that pass through the network hardware interface, whereas a host-based IDS depends on operating system audit data to observe and examine the events produced by programs or users on the host. Anomaly detection and misuse detection are the two categories of intrusion detection techniques. Misuse detection systems, e.g., IDIOT and STAT, use patterns of well-known attacks or weak spots of the system to match and identify known intrusions. For instance, more than 4 unsuccessful login attempts within two minutes is generally considered to be a password-guessing attack. The main advantage of misuse detection is that it can accurately and efficiently detect instances of known attacks. The main disadvantage is that it lacks the ability to detect truly innovative (i.e., newly invented) attacks. Anomaly detection (sub)systems, for example the anomaly detector in IDES, flag observed activities that deviate significantly from the established normal usage profiles as anomalies, i.e., possible intrusions.

For example, the normal profile of a user may contain the average frequencies of some system commands used in his or her login sessions. If, while a session is monitored, the observed frequencies are considerably lower or higher, an anomaly alarm is raised. The main benefit of anomaly detection is that it works without prior knowledge of intrusions and can therefore detect new intrusions; the basic challenge is that it may fail to describe the attack and may have an elevated false positive rate.
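The password-guessing rule quoted above (more than 4 failed logins within two minutes), implemented as a sliding-window misuse detector and run over constructed authentication log lines; this is an added example, not code from the original text, and the log format, usernames and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Misuse-detection rule from the text: more than 4 unsuccessful login
# attempts within two minutes is treated as a password-guessing attack.
MAX_FAILURES = 4
WINDOW = timedelta(minutes=2)

# Constructed sample log lines (the syslog-like format is an assumption).
SAMPLE_LOG = """\
2001-08-01 10:00:01 login FAILED user=alice src=10.0.0.5
2001-08-01 10:00:20 login FAILED user=alice src=10.0.0.5
2001-08-01 10:00:45 login FAILED user=alice src=10.0.0.5
2001-08-01 10:01:10 login FAILED user=alice src=10.0.0.5
2001-08-01 10:01:30 login FAILED user=alice src=10.0.0.5
2001-08-01 10:05:00 login FAILED user=bob src=10.0.0.9
2001-08-01 10:05:30 login OK user=bob src=10.0.0.9
2001-08-01 10:20:00 login FAILED user=carol src=10.0.0.7
2001-08-01 10:21:00 login FAILED user=carol src=10.0.0.7
2001-08-01 10:22:30 login FAILED user=carol src=10.0.0.7
2001-08-01 10:23:00 login FAILED user=carol src=10.0.0.7
2001-08-01 10:23:30 login FAILED user=carol src=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login "
    r"(?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_password_guessing(log_text):
    """Return one (user, src, time) alert per (user, src) pair whose failed
    logins inside any two-minute window exceed MAX_FAILURES."""
    windows = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        key = (user, src)
        if result == "OK":
            windows[key].clear()   # a successful login ends the guessing episode
            continue
        q = windows[key]
        q.append(ts)
        # Slide the window: drop failures older than two minutes.
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) > MAX_FAILURES and key not in alerted:
            alerted.add(key)
            alerts.append((user, src, ts))
    return alerts


if __name__ == "__main__":
    for user, src, ts in detect_password_guessing(SAMPLE_LOG):
        print(f"password-guessing suspected: user={user} src={src} at {ts}")
```

In the constructed log only alice trips the rule; carol's five failures are spread over more than two minutes and never exceed the threshold inside one window, which is exactly the kind of slow guessing a pure pattern rule cannot see.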

3.5 Problems of Current IDS Techniques

The vast difference between the fixed networks where current intrusion detection research is taking place and the mobile ad-hoc network that is the focus of this paper makes it very difficult to apply intrusion detection techniques developed for one environment to the other. The most important difference is perhaps that the latter does not have a fixed infrastructure, and today's network-based IDSs, which rely on real-time traffic analysis, can no longer function well in the new environment. Compared with wired networks, where traffic monitoring is usually done at switches, routers and gateways, the mobile ad-hoc environment does not have such traffic concentration points where the IDS can collect audit data for the entire network.

Therefore, at any one time, the only available audit trace will be limited to communication activities taking place within the radio range, and the intrusion detection algorithms must be made to work on this partial and localized information. Another significant difference is the communication pattern in a mobile computing environment. As we have mentioned earlier, mobile users tend to be stingy about communication and often adopt new operation modes such as disconnected operation. This suggests that the anomaly models for wired networks cannot be used as they are. Furthermore, there may not be a clear separation between normalcy and anomaly in a mobile environment.

A node that sends out false routing information could be the one that has been compromised, or merely the one that is temporarily out of sync due to volatile physical movement. Intrusion detection may find it increasingly difficult to distinguish false alarms from real intrusions. In summary, we must answer the following research questions in developing a viable intrusion detection system for mobile ad-hoc networks:

  • What is a good system architecture for building intrusion detection and response systems that fits the features of mobile ad-hoc networks?
  • What are the appropriate audit data sources? How do we detect anomalies based on partial, local audit traces, if they are the only reliable audit source?
  • What is a good model of activities in a mobile computing environment that can separate anomalies under attack from normalcy?

3.5.1 Vulnerabilities In AODV

AODV is vulnerable to many different types of attacks [1]. In this section, we examine specific vulnerabilities in AODV that allow subversion of routes. In addition, we provide several attack scenarios that exploit the vulnerabilities, to motivate our research.

3.5.2 Overview of AODV

The Ad hoc On-demand Distance Vector (AODV) routing protocol is a reactive and stateless protocol that establishes routes only when a source node needs them, using route request (RREQ) and route reply (RREP) messages. When a node needs a route to a target node, it broadcasts a Route Request (RREQ) message carrying a unique RREQ ID (RID) to all its neighbors. When the RREQ reaches a node, that node updates the source node's sequence number and sets up a reverse route to the source node in its routing table. If the node is either the destination or has a route to the destination that meets the freshness requirement, it unicasts a route reply (RREP) back to the source node.

A node that receives the RREP, whether the source or an intermediate node, updates the forward route to the destination in its routing table. Otherwise, the node continues broadcasting the RREQ. A node discards a RREQ message that it has already processed. In AODV, the sequence number (SN) indicates the freshness of the routing information and guarantees loop-free routes. The sequence number is increased under only two conditions: when the source node initiates a RREQ and when the destination node replies with a RREP. Only the source or the destination can update the sequence number.

The hop count (HC) field is increased by 1 each time a RREQ or RREP is forwarded, and it is used to determine the shortest path. When a link breaks, all intermediate nodes erase the corresponding entry in their routing tables, and route error (RERR) packets are propagated to the source node along the reverse route. AODV preserves neighbor connectivity by sending hello messages periodically.

3.5.3 Vulnerable Fields in AODV Control Messages

In general, AODV is efficient and scalable in terms of network performance, but it allows attackers to easily advertise falsified route information to redirect routes and to launch various kinds of attacks. In each AODV routing packet, some critical fields, such as the hop count, the sequence numbers of source and destination, the IP headers and the IP addresses of the AODV source and destination, and the RREQ ID, are essential to correct protocol execution. Any misuse of these fields can cause AODV to malfunction. Table 2 lists several vulnerable fields in AODV routing messages and the possible effects when they are tampered with.

An attacker could launch a single (packet) attack consisting of several carefully modified fields, or an aggregate attack consisting of multiple attack messages, which causes more damage and lasts longer than a single attack does. The reader is referred to [1] for a more detailed classification of such attacks (termed atomic and compound attacks) as well as simulations of their impact. A few of the attacks are described below.

3.6 Examples of Single Attacks

3.6.1 Forging Sequence Number

Sequence numbers indicate the freshness of the route to the associated node. If an attacker sends out an AODV control packet with a forged large sequence number for the victim node, it will change the route to that victim node. For example, in our example AODV scenario (see Figure 1), if M sends a RREQ, m1, to C with SN.Src equal to 200 (>100), it will take precedence over b1. The route from C to A will go through M instead of B. Then the route between A and D can be controlled by node M. As another example, if M sends a RREP to B with SN.Dst equal to 100 (>61), it will take precedence over c2. B will send data through M to D instead of through C; M can then control the route between A and D. This attack is self-corrected by the protocol when the victim node issues a RREQ or RREP with a sequence number larger than that in the attack packet.

3.6.2 Forging Hop Count

The damage caused by forging the hop count field will not last as long as that of the sequence number forging attacks. However, this attack is harder to detect, since it is difficult to know the correct hop count against which to verify the hop count in the attack packet. For example, if M sends a RREQ

3.7 Examples of Aggregated Attacks

The attacker can combine multiple single attacks to perform a more complicated attack or make the attack last longer. Some interesting attacks are described below.

3.7.1 Man in the Middle Attack

The attacker could issue a fake RREQ and a fake RREP to poison other nodes' forwarding tables and divert routes. The attacker could send a RREQ to C, m1, which is the same as b1 but with a higher SN.Src = 200 (>100) to take precedence over b1, and send a RREP to B, m2, which is the same as c2 but with SN.Dst = 100 (>61) in order to take precedence over c2. The next hop of C's reverse route is then M instead of B, so D and C will reach A through M. The next hop of B's forward route is M instead of C, so A and B will reach D through M. M can then forward the diverted packets from B and C. Therefore, the complete route is A-B-M-C-D instead of A-B-C-D.
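The sequence-number forgery of 3.6.1 and the man-in-the-middle combination above, modelled on a node's routing table together with a local check a defending IDS agent could run; this is an added example, not code from the original text. AODV's freshness rule (accept a higher sequence number, or an equal one with fewer hops) is the protocol's own; the hop counts, M's own table entries and the SEQ_JUMP_THRESHOLD heuristic are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Route:
    next_hop: str
    seq_no: int
    hop_count: int


# Assumed local-detection heuristic (not from the text): a neighbour that
# advertises a sequence number far ahead of the value this node already
# holds for the same destination is reported as suspicious.
SEQ_JUMP_THRESHOLD = 50


@dataclass
class Node:
    name: str
    table: dict = field(default_factory=dict)    # destination -> Route
    alerts: list = field(default_factory=list)   # (advertiser, dest, old_sn, new_sn)

    def offer_route(self, dest, advertiser, seq_no, hop_count):
        """Apply AODV's freshness rule to a route to `dest` advertised by the
        neighbour `advertiser`; hop_count already counts the hop to it.
        Returns True when the routing table was changed."""
        cur = self.table.get(dest)
        if cur is not None and seq_no - cur.seq_no > SEQ_JUMP_THRESHOLD:
            self.alerts.append((advertiser, dest, cur.seq_no, seq_no))
        fresher = (cur is None
                   or seq_no > cur.seq_no
                   or (seq_no == cur.seq_no and hop_count < cur.hop_count))
        if fresher:
            self.table[dest] = Route(advertiser, seq_no, hop_count)
        return fresher


def path(nodes, src, dst, limit=10):
    """Follow next_hop pointers from src towards dst; stops on a missing route."""
    hops = [src]
    cur = src
    while cur != dst and len(hops) <= limit:
        r = nodes[cur].table.get(dst)
        if r is None:
            break
        cur = r.next_hop
        hops.append(cur)
    return hops


def forged_sequence_number_scenario():
    """Chain A-B-C-D with M adjacent to B and C, as in the text. Sequence
    numbers 100/61 (legitimate) and 200/100 (forged) come from the text; hop
    counts are assumed. Returns the final A->D path and C's and B's alerts."""
    nodes = {n: Node(n) for n in "ABCDM"}
    # Legitimate discovery: RREQ b1 leaves reverse routes to A (SN.Src = 100) ...
    nodes["B"].offer_route("A", "A", seq_no=100, hop_count=1)
    nodes["C"].offer_route("A", "B", seq_no=100, hop_count=2)
    nodes["D"].offer_route("A", "C", seq_no=100, hop_count=3)
    # ... and RREP c2 leaves forward routes to D (SN.Dst = 61).
    nodes["C"].offer_route("D", "D", seq_no=61, hop_count=1)
    nodes["B"].offer_route("D", "C", seq_no=61, hop_count=2)
    nodes["A"].offer_route("D", "B", seq_no=61, hop_count=3)
    # M, within range of B and C, has ordinary routes through them (assumed).
    nodes["M"].offer_route("A", "B", seq_no=100, hop_count=2)
    nodes["M"].offer_route("D", "C", seq_no=61, hop_count=2)
    before = path(nodes, "A", "D")                 # A-B-C-D
    # Forged m1 to C (SN.Src = 200) and m2 to B (SN.Dst = 100), M claiming 1 hop.
    nodes["C"].offer_route("A", "M", seq_no=200, hop_count=2)
    nodes["B"].offer_route("D", "M", seq_no=100, hop_count=2)
    after = path(nodes, "A", "D")                  # A-B-M-C-D
    return before, after, nodes["C"].alerts, nodes["B"].alerts


if __name__ == "__main__":
    before, after, c_alerts, b_alerts = forged_sequence_number_scenario()
    print("route before:", "-".join(before), " after:", "-".join(after))
    print("C alerts:", c_alerts, " B alerts:", b_alerts)
```

The jump seen at C (100 to 200) exceeds the assumed threshold and is reported, while the jump at B (61 to 100) is not, so a fixed threshold alone misses the smaller forgery; this is why the text relies on the victim's own, larger sequence number to eventually correct the route.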

3.7.2 Tunneling Attack

A tunneling attack is carried out by two cooperating malicious nodes that misrepresent the length of the available paths by building a tunnel between them. In this way, the malicious nodes can force traffic to route through them.

As shown in figure 11, there is no direct link between M1 and M2, but M1 and M2 can pretend to be directly adjacent by tunneling. M1 encapsulates the message and sends it through A, B and C to M2, and falsely claims there is a direct link between M1 and M2. In AODV, when S broadcasts a RREQ to A and M1, it will get RREPs from A and M1, whose paths are {S, A, B, C, D} and {S, M1, M2, D}. S will choose {S, M1, M2, D}, but the actual path is {S, M1, A, B, C, M2, D}. M1 and M2 successfully prevent S from choosing the real shortest path, {S, A, B, C, D}. Even a cryptography-based solution, such as ARAN [15], cannot prevent this kind of attack.

3.7.3 An Architecture for Intrusion Detection

Intrusion detection and response systems should be both distributed and cooperative to suit the needs of mobile ad-hoc networks. In our proposed architecture (Figure 1), every node in the mobile ad-hoc network participates in intrusion detection and response. Each node is responsible for detecting signs of intrusion locally and independently, but neighboring nodes can collaboratively investigate in a broader range.

In the systems aspect, individual IDS agents are placed on each and every node. Each IDS agent runs independently and monitors local activities (including user and system activities, and communication activities within the radio range). It detects intrusions from local traces and initiates responses. If an anomaly is detected in the local data, or if the evidence is inconclusive and a broader search is warranted, neighboring IDS agents will cooperatively participate in global intrusion detection actions. These individual IDS agents collectively form the IDS system that defends the mobile ad-hoc network. The internals of an IDS agent can be fairly complex, but conceptually it can be structured into six pieces (Figure 2). The data collection module is responsible for gathering local audit traces and activity logs. Next, the local detection engine uses these data to detect local anomalies. Detection methods that need broader data sets or that require collaboration among IDS agents use the cooperative detection engine. Intrusion response actions are provided by both the local response and global response modules. The local response module triggers actions local to this mobile node, for example an IDS agent alerting the local user, while the global one coordinates actions among neighboring nodes, such as the IDS agents in the network electing a remedial action. Finally, a secure communication module provides a high-confidence communication channel among IDS agents.

Data Collection

The first module, local data collection, gathers streams of real-time audit data from various sources. Depending on the intrusion detection algorithms, these useful data streams can include system and user activities within the mobile node, communication activities by this node, as well as communication activities within the radio range that are observable by this node. Therefore, multiple data collection modules can coexist in one IDS agent to provide multiple audit streams for a multi-layer integrated intrusion detection method (Section 3.5).

Local Detection

The local detection engine analyzes the local data traces gathered by the local data collection module for evidence of anomalies. It can include both misuse detection and anomaly detection (Section 2.1). Because it is conceivable that the number of newly created attack types mounted on the mobile computing environment will increase quickly as more and more network appliances become mobile and wireless, anomaly detection techniques will play a bigger role. We will have further discussion on anomaly detection in the mobile wireless environment.

Cooperative Detection

Any node that locally detects a known intrusion or an anomaly with strong evidence (i.e., the detection rule triggered has, historically, a very high accuracy rate) can determine independently that the network is under attack and can initiate a response. However, if a node detects an anomaly or intrusion with weak evidence, or the evidence is inconclusive but warrants broader investigation, it can initiate a cooperative global intrusion detection procedure. This procedure works by propagating the intrusion detection state information among neighboring nodes (or further out if necessary).

The intrusion detection state information can range from a mere level-of-confidence value, such as

  • "With p% confidence, node A concludes from its local data that there is an intrusion"
  • "With p% confidence, node A concludes from its local data and neighbor states that there is an intrusion"
  • "With p% confidence, nodes A, B, C, ... collectively conclude that there is an intrusion"

to a more specific state that lists the suspects, such as

  • "With p% confidence, node A concludes from its local data that node X has been compromised"

or to a complicated record including the complete evidence. As the next step, we can derive a distributed consensus algorithm to compute a new intrusion detection state for this node, using other nodes' state information received recently. The algorithm can include a weighted computation under the assumption that nearby nodes have greater effects than far-away nodes, i.e., giving the immediate neighbors the highest values in evaluating the intrusion detection states. For example, a majority-based distributed intrusion detection procedure can include the following steps:

  • The node sends to neighboring nodes an "intrusion (or anomaly) state request";
  • Each node (including the initiating node) then propagates the state information, indicating the likelihood of an intrusion or anomaly, to its immediate neighbors;
  • Each node then determines whether the majority of the received reports indicate an intrusion or anomaly; if yes, then it concludes that the network is under attack;
  • Any node that detects an intrusion to the network can then initiate the response procedure.

The rationales behind this scheme are as follows. Audit data from other nodes cannot be trusted and should not be used, because compromised nodes can send falsified data. However, compromised nodes have no incentive to send reports of intrusion/anomaly, because the intrusion response may result in their expulsion from the network. Therefore, unless the majority of the nodes are compromised, in which case one of the legitimate nodes will probably be able to detect the intrusion with strong evidence and will respond, the above scheme can detect an intrusion even when the evidence at individual nodes is weak. A mobile network is highly dynamic, because nodes can move in and out of the network. Therefore, while each node uses intrusion/anomaly reports from other nodes, it does not rely on fixed network topology or membership information in the distributed detection process. It is a simple majority voting scheme in which any node that detects an intrusion can initiate a response.
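The majority-based procedure and its weighted variant above, as an added example that is not part of the original text: one round of the consensus step at the initiating node, using the "with p% confidence, node A concludes ..." reports. The halving-per-hop weight, the 0.5 decision threshold and the two scenarios are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StateReport:
    """One intrusion-state report: 'with p% confidence, node X concludes
    that there is (or is not) an intrusion'."""
    node: str
    confidence: float   # p/100: how sure the reporter is of its own conclusion
    intrusion: bool     # True = "there is an intrusion", False = "no intrusion"
    distance: int       # hops from the evaluating node (0 = the node itself)


STRONG_EVIDENCE = 0.9   # assumed: above this a node decides alone, no cooperation


def needs_cooperation(local):
    """A node with strong local evidence responds on its own; weak or
    inconclusive evidence triggers the cooperative procedure."""
    return local.confidence < STRONG_EVIDENCE


def hop_weight(distance):
    """Assumed weighting: immediate neighbours count most and influence
    halves with every further hop."""
    return 1.0 / (2 ** distance)


def majority_vote(reports):
    """The plain scheme from the text: under attack when more than half of the
    received reports say intrusion."""
    if not reports:
        return False
    votes = sum(1 for r in reports if r.intrusion)
    return votes > len(reports) / 2


def weighted_consensus(reports, threshold=0.5):
    """Weighted variant: each report counts its confidence scaled by closeness.
    Returns (new confidence for this node, decision)."""
    for_intrusion = sum(hop_weight(r.distance) * r.confidence
                        for r in reports if r.intrusion)
    against = sum(hop_weight(r.distance) * r.confidence
                  for r in reports if not r.intrusion)
    total = for_intrusion + against
    if total == 0:
        return 0.0, False
    score = round(for_intrusion / total, 3)
    return score, score > threshold


def cooperative_detect(local, neighbour_reports, threshold=0.5):
    """Compute the node's new intrusion detection state from its own report
    and the reports received from other nodes."""
    score, decision = weighted_consensus([local] + list(neighbour_reports), threshold)
    return StateReport(local.node, score, decision, 0)


# Constructed scenario 1 (assumed): weak local evidence at A, corroborated by
# both immediate neighbours; two far nodes say "no intrusion" (what a
# compromised node would send, since it has no incentive to report one).
def corroborated_weak_evidence():
    local = StateReport("A", 0.4, True, 0)
    others = [StateReport("B", 0.8, True, 1), StateReport("C", 0.7, True, 1),
              StateReport("D", 0.1, False, 2), StateReport("E", 0.2, False, 2)]
    return cooperative_detect(local, others), majority_vote([local] + others)


# Constructed scenario 2 (assumed): the same weak local evidence, but the
# immediate neighbours confidently see nothing; only a far node agrees.
def uncorroborated_weak_evidence():
    local = StateReport("A", 0.4, True, 0)
    others = [StateReport("B", 0.9, False, 1), StateReport("C", 0.8, False, 1),
              StateReport("D", 0.6, True, 2)]
    return cooperative_detect(local, others), majority_vote([local] + others)


if __name__ == "__main__":
    for name, fn in (("corroborated", corroborated_weak_evidence),
                     ("uncorroborated", uncorroborated_weak_evidence)):
        state, simple = fn()
        print(f"{name}: weighted -> {state}, simple majority -> {simple}")
```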
Intrusion Response

The type of intrusion response for mobile ad-hoc networks depends on the type of intrusion, the type of network protocols and applications, and the confidence (or certainty) in the evidence. For example, here are a few likely responses:

  • Re-initializing communication channels between nodes (e.g., forcing a re-key).
  • Identifying the compromised nodes and re-organizing the network to exclude the compromised nodes.

For example, the IDS agent can notify the end user, who may in turn do his or her own investigation and take appropriate action. It can also send a "re-authentication" request to all nodes in the network to prompt the end users to authenticate themselves (and hence their mobile nodes) using out-of-band mechanisms (for example, visual contact). Only the re-authenticated nodes, which may collectively negotiate a new communication channel, will recognize each other as legitimate. That is, the compromised/malicious nodes can be excluded.

Multi-Layer Integrated Intrusion Detection and Response

Traditionally, IDSs use data only from the lower layers: network-based IDSs analyze TCP/IP packet data and host-based IDSs analyze system call data. This is because in wired networks, application-layer firewalls can effectively prevent many attacks, and application-specific modules, e.g., credit card fraud detection systems, have also been developed to guard mission-critical services. In wireless networks, there are no firewalls to protect the services from attack. However, intrusion detection in the application layer is not only feasible, as discussed in the previous section, but also necessary. Certain attacks, for example an attack that tries to create an unauthorized access "back-door" to a service, may seem perfectly legitimate to the lower layers, e.g., the MAC protocols. We also believe that some attacks may be detected much earlier in the application layer, because of the richer semantic information available there, than in the lower layers.

For example, for a DoS attack, the application layer may detect very quickly that a large number of incoming service connections have no actual operations, or that the operations do not make sense (and can be considered errors); whereas the lower layers, which rely only on information about the amount of network traffic (or the number of channel requests), may take longer to recognize the unusually high volume. Given that there are vulnerabilities in multiple layers of mobile wireless networks, and that an intrusion detection module needs to be placed at each layer on each node of a network, we need to coordinate the intrusion detection and response efforts. We use the following integration scheme:

  • If a node detects an intrusion that affects the entire network, e.g., when it detects an attack on the ad hoc routing protocols, it initiates the re-authentication process to exclude the compromised/malicious nodes from the network;
  • If a node detects a (seemingly) local intrusion at a higher layer, e.g., when it detects attacks on one of its services, the lower layers are notified. The detection modules there can then investigate further, e.g., by initiating the detection process for possible attacks on the ad hoc routing protocols, and can respond to the attack by blocking access from the offending node(s) and notifying other nodes in the network of the incident.

In this approach, the intrusion detection module at each layer still needs to function properly, but detection at one layer can be initiated or aided by evidence from other layers. As a first cut of our experimental research, we allow the evidence to flow from one layer to its (next) lower layer by default, or to a specific lower layer based on the application environment. The "augmented" versions of the detection model at a lower level are constructed as follows. In the "testing" process, the anomaly decision from the upper layer, i.e., either 1 for "yes" or 0 for "no", is inserted into the deviation score of the lower level; for example, (0.1, 0.1) now becomes (0.1, 0.1, 0). In other words, the deviation data also carries the extra information passed from the upper level. An anomaly detection model built from the augmented data therefore combines the bodies of evidence from the upper layers and the current layer and can make a more informed decision. The intrusion report sent to other nodes for cooperative detection also includes a vector of the information from the layers. With these new changes, the lower layers now need more than one anomaly detection model: one that relies on the data of the current layer and therefore indirectly uses evidence from the lower layers, and the augmented one that also considers evidence from the upper layer. Multi-layer integration enables us to analyze the attack scenario in its entirety, and as a result we can achieve better performance in terms of both a higher true positive rate and a lower false positive rate.

For example, a likely attack scenario is that an adversary takes control of the mobile unit of a user (by physically disabling him or her) and then uses some system commands to send falsified routing information. A detection module that monitors user behavior, e.g., via command usage, can detect this event and immediately (i.e., before further damage can be done) cause the detection module for the routing protocols to initiate the global detection and response, which can result in the exclusion of this compromised unit.

As another example, suppose the users are responding to a fire alarm, which is a rare event and may thus cause a lot of unusual movement and hence many updates to the routing tables. However, if there is no indication that a user or system software has been compromised, each intrusion report sent to other nodes will have a "clean" vector of upper-layer indicators, and thus the detection module for the routing protocols can conclude that the unusual updates may be legitimate.

Anomaly Detection in Mobile Ad-Hoc Networks

In this section, we discuss how to build anomaly detection models for mobile wireless networks. The modeling algorithms, the amount of available audit data and its format could differ for detection based on activities in different network layers. However, we believe that the principle behind the approaches will be the same. To illustrate our approach, we focus our discussion on ad-hoc routing protocols.

Building an Anomaly Detection Model

Framework

The basic premise for anomaly detection is that there are intrinsic and observable characteristics of normal behavior that are distinct from those of abnormal behavior. We use information-theoretic measures, namely entropy and conditional entropy, to describe the characteristics of normal information flows, and we use classification algorithms to build anomaly detection models.

For example, we can use a classifier, trained on normal data, to predict what the next event normally is given the previous n events. During monitoring, if the actual event differs from the one the classifier predicted, an anomaly is flagged. When constructing a classifier, features with high information gain are needed. That is, a classifier needs feature value tests that partition the original dataset into pure subsets, each ideally containing one class of data. Using this framework, we employ the following procedure for anomaly detection:
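The framework above, carried through end to end as an added example that is not part of the original text: conditional entropy of constructed routing-event traces picks the history length n, a frequency-table classifier trained on normal data predicts the next event, and the mismatch rate becomes the intrusion report. The event vocabulary, the traces, the choice of a frequency table as the classifier and the 0.25 alarm threshold are assumptions.

```python
import math
from collections import Counter, defaultdict


def entropy(items):
    """Shannon entropy H(X) in bits of the empirical distribution of items."""
    counts = Counter(items)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def conditional_entropy(seq, n):
    """H(next event | previous n events) estimated from one sequence: low
    values mean the next event is predictable from its history."""
    pairs = [(tuple(seq[i:i + n]), seq[i + n]) for i in range(len(seq) - n)]
    if not pairs:
        return 0.0
    total = len(pairs)
    by_ctx = defaultdict(Counter)
    for ctx, nxt in pairs:
        by_ctx[ctx][nxt] += 1
    h = 0.0
    for cnt in by_ctx.values():
        ctx_n = sum(cnt.values())
        for c in cnt.values():
            h -= (c / total) * math.log2(c / ctx_n)   # -p(ctx,next) log p(next|ctx)
    return h


def choose_history_length(normal_seq, candidates):
    """Data transformation step: pick the n for which normal data has the
    lowest conditional entropy."""
    return min(candidates, key=lambda n: conditional_entropy(normal_seq, n))


class NextEventClassifier:
    """Predicts the most frequent next event after each n-event context seen
    in normal training data (a frequency table standing in for a classifier)."""

    def __init__(self, n):
        self.n = n
        self.table = defaultdict(Counter)

    def train(self, seqs):
        for seq in seqs:
            for i in range(len(seq) - self.n):
                self.table[tuple(seq[i:i + self.n])][seq[i + self.n]] += 1

    def predict(self, ctx):
        cnt = self.table.get(tuple(ctx))
        return cnt.most_common(1)[0][0] if cnt else None

    def deviation(self, seq):
        """Fraction of events that differ from the prediction; contexts never
        seen in normal data count as mismatches."""
        n = self.n
        tests = [(seq[i:i + n], seq[i + n]) for i in range(len(seq) - n)]
        if not tests:
            return 0.0
        misses = sum(1 for ctx, nxt in tests if self.predict(ctx) != nxt)
        return misses / len(tests)


def alarms_to_report(deviation, threshold):
    """Post-processing step: turn a deviation score into an intrusion report."""
    return {"anomaly": deviation > threshold, "deviation": round(deviation, 3)}


# Constructed traces of routing events observed at one node (assumption):
# normal behaviour is a discovery followed by three data packets.
RREQ, RREP, DATA = "RREQ", "RREP", "DATA"
NORMAL_TRACE = [RREQ, RREP, DATA, DATA, DATA] * 8
NORMAL_TEST = [RREQ, RREP, DATA, DATA, DATA] * 3
# Constructed false-message-propagation trace: unsolicited RREPs (assumption).
ATTACK_TRACE = [RREQ, RREP, DATA, DATA, DATA, RREQ, RREP, RREP, RREP, DATA,
                RREP, RREP, DATA, DATA, RREP]


def run_example(threshold=0.25):
    n = choose_history_length(NORMAL_TRACE, [1, 2, 3])
    clf = NextEventClassifier(n)
    clf.train([NORMAL_TRACE])
    return {"n": n,
            "normal": alarms_to_report(clf.deviation(NORMAL_TEST), threshold),
            "attack": alarms_to_report(clf.deviation(ATTACK_TRACE), threshold)}


if __name__ == "__main__":
    print("H(event) =", round(entropy(NORMAL_TRACE), 3))
    print(run_example())
```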

  • Select audit data so that the normal dataset has low entropy;
  • Perform appropriate data transformation according to the entropy measures;
  • Compute the classifier using training data;
  • Apply the classifier to test data; and
  • Post-process alarms to produce intrusion reports.

Attack Models

    In this study, we only consider attacks on routing protocols. In general, these attacks are in the following forms :I. Route logic compromise: These attacks will be active by influencing routing information. This influence can be either externally by parsing false route messages or internally by maliciously changing routing cache information. In specific, several special cases are considered: (i) misrouting and (ii) false message propagation.

    II. Traffic pattern distortion:

    These attacks alter the default or normal traffic behavior: (i) packet generation with a faked source address; (ii) packet dropping; (iii) denial of service; and (iv) corruption of packet contents. Notice that these two kinds of attacks can be combined in a single intrusion. In this study, the following attacks are implemented in simulation:

    (1) Falsifying route paths or route entries in a node's own cache; and (2) random packet dropping. The first is an abstraction of routing attacks, which all resort to changing routing information for malicious purposes. The second is simply traffic pattern distortion. Each intrusion session we simulated includes only one of these attack types; however, each execution trace can contain several intrusion sessions with different attack types.

    Audit Data

    We suggest that these two local data sources be used for anomaly detection: (1) local routing information, including cache entries and traffic statistics; and (2) a position locator, or GPS, which we assume will not be compromised and can therefore reliably provide location and velocity information for nodes within the whole neighborhood. We use only local information because remote nodes can be compromised and their data cannot be trusted.

    Feature Selection

    This is a crucial and difficult step in developing a detection model. Because classifiers are used as detectors, features with high information gain must be selected and/or constructed from the existing audit data. The information gain criteria are not known a priori, so the feature set is constructed with an unsupervised method. Initially, a large feature set covering a broad range of behaviors was constructed. Running all experiments with all of these features is not efficient, so a model was developed for every training run, and the features that appear in the models with weights not smaller than a minimum threshold are selected into the essential feature set. The essential feature set differs for different routing protocols and different scenarios. In practice, the feature set should change along with the changes in the characteristics of routing behavior over time.

    Classifier: Two classifiers are used in this study. The first is RIPPER, a rule induction program equivalent to a decision-tree classifier, and the second is SVM Light, a Support Vector Machine classifier. RIPPER searches the available feature space and induces rules that separate the data into the intended classes. SVM Light instead pre-processes the data to represent patterns in a space of much higher dimension than the given feature space.

    The heuristic is that, with sufficiently high dimension, the data can be separated by a hyperplane, thus achieving the goal of classification. When the data contains underlying complex patterns that are not readily represented by the given set of features, SVM Light can build a more accurate classifier than RIPPER.

    A detector is first applied to examine each observation in an execution trace. Then a post-processing scheme is used to examine the predictions and generate intrusion reports: (1) choose a parameter l and let the window size be 2l + 1; (2) for the region covered by the current window, if there are more abnormal predictions than normal predictions, i.e., the number of abnormal observations is greater than l, then the region is marked as "abnormal"; (3) label every observation within an abnormal region as "abnormal" and every observation within a normal region as "normal"; (4) shift the sliding window by one window size, i.e., 2l + 1, and repeat (2) and (3) until the whole trace is processed; (5) count all continuous abnormal regions as one intrusion session. In our experiments, we use l = 3. The intuition here is that a detection model can make spurious errors, and these false alarms should be filtered out. In contrast, a true intrusion session has "locality", i.e., it tends to result in many alarms within a short time window; these alarms can therefore be grouped into a single intrusion report.
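    The window-based post-processing above, as an added example that is not part of the original text; the detector output is constructed, and holding a trailing partial window to the same threshold is an assumption of this example:

```python
from typing import List, Optional, Tuple

ABNORMAL, NORMAL = 1, 0

def smooth_labels(preds: List[int], l: int = 3) -> List[int]:
    """Steps (1) to (4): relabel every observation by the majority vote of its window.

    preds: raw detector output per observation (1 = abnormal, 0 = normal).
    l:     window parameter; the window size is 2l + 1 (the text uses l = 3).
    """
    size = 2 * l + 1
    labels: List[int] = []
    for start in range(0, len(preds), size):                # step (4): shift by one window size
        window = preds[start:start + size]
        # step (2): abnormal iff abnormal predictions outnumber normal ones, i.e. more than l.
        # A trailing partial window is held to the same threshold (an assumption of this
        # example), so isolated alarms at the end of the trace are still filtered out.
        abnormal = sum(1 for p in window if p == ABNORMAL) > l
        labels.extend([ABNORMAL if abnormal else NORMAL] * len(window))   # step (3)
    return labels

def intrusion_sessions(labels: List[int]) -> List[Tuple[int, int]]:
    """Step (5): each maximal run of abnormal observations is one intrusion session,
    returned as a half-open index range (start, end)."""
    sessions: List[Tuple[int, int]] = []
    start: Optional[int] = None
    for i, lab in enumerate(labels + [NORMAL]):             # sentinel closes a trailing session
        if lab == ABNORMAL and start is None:
            start = i
        elif lab == NORMAL and start is not None:
            sessions.append((start, i))
            start = None
    return sessions

def report(preds: List[int], l: int = 3) -> List[Tuple[int, int]]:
    # Raw detector output in, one (start, end) range per intrusion report out.
    return intrusion_sessions(smooth_labels(preds, l))

# Constructed detector output for a 35-observation trace (not data from the page): a lone
# spurious alarm, two consecutive abnormal windows, another lone alarm, one fully abnormal window.
SAMPLE_PREDICTIONS = (
    [0, 0, 1, 0, 0, 0, 0]
    + [0, 1, 1, 1, 1, 0, 1]
    + [1, 1, 1, 1, 0, 0, 0]
    + [0, 0, 0, 1, 0, 0, 0]
    + [1, 1, 1, 1, 1, 1, 1]
)

if __name__ == "__main__":
    print(report(SAMPLE_PREDICTIONS))   # [(7, 21), (28, 35)]: two intrusion reports
```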

    3.7.4 Detecting Abnormal Updates to Routing Tables

    The main requirements of an anomaly detection model, and of intrusion detection systems in general, are a low false positive rate, calculated as the percentage of normalcy variations detected as anomalies, and a high true positive rate, calculated as the percentage of anomalies detected. We first need to determine the trace data to be used that will bear evidence of normalcy or anomaly. For ad-hoc routing protocols, since the main concern is that false routing information generated by a compromised node will be disseminated to and used by other nodes, we can define the trace data to describe, for each node, the normal (i.e., legitimate) updates of routing information.

    A routing table usually contains, at a minimum, the next hop to each destination node and the distance (number of hops). A legitimate change in the routing table can be caused by the physical movement of a node or by network membership changes. For a node, its own movement and the change in its own routing table are the only reliable information that it can trust. Hence, we use data on the node's physical movements and the corresponding changes in its routing table as the basis of the trace data. The physical movement is measured mainly by distance and velocity. The routing table change is measured mainly by the percentage of changed routes (PCR), the percentage of change in the sum of hops of all the routes (PCH), and the percentage of newly added routes. We use percentages as measurements because of the dynamic nature of mobile networks.

    The trace data is gathered for each node. The trace data sets of all nodes in the training network are then aggregated into a single data set, which describes all normal changes in routing tables for all the nodes. A detection model which is learned from this aggregated data set will therefore be capable of operating on any node in the network. A normal profile on the trace data in effect specifies the correlation of physical movements of the node and the changes in the routing table. We can use the following scheme to compute the normal profile:

    • designate PCR as the class, and distance, velocity, PCH, etc. as the features describing the concept;
    • use n classes to represent the PCR values in n ranges; for example, we can use 10 classes, each representing 10 percentage points, so that each trace data record belongs to one of the n classes;
    • apply a classification algorithm to the data to learn a classifier for PCR;
    • repeat the above for PCH, that is, learn a classifier for PCH.

    A classification algorithm, e.g., RIPPER, can use the most discriminating feature values to describe each concept. For example, when using PCR as the concept, RIPPER can output classification rules of the form "if ... then PCR = 2; else if ...". Each classification rule (an "if") has a "confidence" value, calculated as the percentage of records that match both the rule condition and the rule conclusion out of those that match the rule condition. The classification rules for PCR and PCH together describe the (normal) conditions that correlate with the (amount of) routing table changes. We use these rules as the normal profiles. Checking an observed trace data record (which records a routing table update) against the profile involves applying the classification rules to the record. A misclassification, e.g., when the rules say "PCR = 3" but in fact it is "PCR = 5", is counted as a violation. We use the "confidence" of the violated rule as the "deviation score" of the record. In the "testing" process, the deviation scores are recorded. For example, if abnormal data is available, we can obtain deviation data like those shown in Table 4. We can then apply a classification algorithm to compute a classifier, i.e., a detection model, which uses the deviation scores to distinguish abnormal from normal. If abnormal data is not available, we can compute the normal clusters of the deviation scores, where each score pair is represented by a point (PCR deviation, PCH deviation) in two-dimensional space, e.g., (0.0, 0.0), (0.2, 0.2), (0.3, 0.1), etc. The "outliers", i.e., those that do not belong to any normal cluster, can then be considered anomalies.

    Clustering is often referred to as "unsupervised learning" because the target clusters are not known a priori. Its disadvantage is that the computation (i.e., the formation) of clusters is very time consuming. If the application environment allows a tolerable false alarm rate, e.g., 2%, then the clustering algorithm can be parameterized to terminate when a sufficient fraction, e.g., more than 98%, of the points are in proper clusters.
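    The profile check described above (a deviation score taken from the violated rule's confidence, then an outlier test against the normal clusters of deviation points), as an added example that is not from the original work; the rule sets, cluster centres, radius and trace records are constructed stand-ins for what RIPPER and the clustering step would produce:

```python
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Record = Dict[str, float]   # one trace record: distance, velocity, PCR and PCH (in percent)

@dataclass
class Rule:
    condition: Callable[[Record], bool]   # test on the movement features
    klass: int                            # concluded class (a PCR or PCH range)
    confidence: float                     # share of records matching the condition that had this class

def pct_class(value: float, n: int = 10) -> int:
    # n classes of equal width over 0..100 %: with n = 10, PCR = 35 % falls in class 3.
    return min(int(value // (100 / n)), n - 1)

def classify(rules: List[Rule], record: Record) -> Rule:
    # RIPPER rule lists are ordered: the first rule whose condition holds fires, and the
    # last rule is an unconditional default, so exactly one rule always fires.
    return next(r for r in rules if r.condition(record))

def deviation_score(rules: List[Rule], record: Record, target: str) -> float:
    # 0.0 when the profile predicts the observed class; otherwise the violated rule's confidence.
    rule = classify(rules, record)
    return 0.0 if rule.klass == pct_class(record[target]) else rule.confidence

def deviation_point(record: Record) -> Tuple[float, float]:
    return (deviation_score(PCR_RULES, record, "PCR"), deviation_score(PCH_RULES, record, "PCH"))

def is_outlier(point: Tuple[float, float], clusters: List[Tuple[float, float]], radius: float) -> bool:
    # A point is normal iff it lies within `radius` of some normal cluster centre.
    return all(math.dist(point, c) > radius for c in clusters)

def check_update(record: Record, radius: float = 0.15) -> str:
    return "anomaly" if is_outlier(deviation_point(record), NORMAL_CLUSTERS, radius) else "normal"

# Constructed stand-ins for the rules RIPPER would learn from normal traces (nothing is learned here).
PCR_RULES = [
    Rule(lambda r: r["velocity"] >= 5 and r["distance"] >= 20, 3, 0.90),
    Rule(lambda r: r["velocity"] >= 5, 2, 0.80),
    Rule(lambda r: r["distance"] < 5, 0, 0.95),
    Rule(lambda r: True, 1, 0.70),   # default rule
]
PCH_RULES = [
    Rule(lambda r: r["velocity"] >= 5, 2, 0.85),
    Rule(lambda r: True, 0, 0.75),   # default rule
]
# Normal-cluster centres in (PCR deviation, PCH deviation) space, using the text's example points.
NORMAL_CLUSTERS = [(0.0, 0.0), (0.2, 0.2), (0.3, 0.1)]

# Constructed records: a moving node whose table changed as expected, and a stationary node
# whose table churned anyway (the kind of update a falsified route entry would produce).
NORMAL_UPDATE = {"distance": 25, "velocity": 6, "PCR": 35, "PCH": 22}
SUSPECT_UPDATE = {"distance": 1, "velocity": 0, "PCR": 58, "PCH": 47}

if __name__ == "__main__":
    for rec in (NORMAL_UPDATE, SUSPECT_UPDATE):
        print(deviation_point(rec), check_update(rec))
```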

    Poor performance of the anomaly detection model, e.g., a higher than acceptable false alarm rate, indicates that the data gathering (including both the "training" and "testing" processes) is not sufficient, and/or that the features and the modeling algorithms need to be refined. Therefore, repeated trials may be needed before a good anomaly detection model is produced. In the discussion thus far, we have used only the minimal routing table information in the anomaly detection model to illustrate our approach, which can be applied to all routing protocols. For a specific protocol, we can use additional routing table information and include new features in the detection model to improve the performance. For example, for the DSR ad-hoc routing protocol, we can add source route information (the complete, ordered sequence of network hops leading to the destination). We can also add predictive features according to the "temporal and statistical" patterns among the routing table updates, following the feature construction process we used to build intrusion detection models for wired networks. For example, for a wired TCP/IP network, a "SYN-flood" DoS attack has a pattern in which a lot of half-open connections are attempted against a service in a short time span. Accordingly, a feature, "for the past 2 seconds, the percentage of connections to the same service that are half-open", was constructed and proved to be highly predictive. Similarly, in a mobile network, if an intrusion results in a large number of routing table updates, we can add a feature that measures the frequency (how often) of the updates.

    Our objective in this study is to lead to a better understanding of the important and challenging issues in intrusion detection for ad-hoc routing protocols. First, using a given set of training, testing, and evaluation scenarios and modeling algorithms (e.g., with RIPPER as the classification algorithm for protocol trace data and "nearest neighbor" as the clustering algorithm for deviation scores), we can identify which routing protocol, with potentially all its routing table information used, results in better performing detection models. This observation can be used to develop more robust routing protocols.

    Second, for a given routing protocol, we can explore the feature space and algorithm space to find the best performing model. This will give insight into the general practice of building intrusion detection for mobile networks.

    4.7. Detecting Abnormal Activities in Other Layers

    Anomaly detection for other layers of the wireless network, e.g., the MAC protocols, the applications and services, etc., follows a similar approach. For example, the trace data for MAC protocols can contain the following features: for the past s seconds, the total number of channel requests, the total number of nodes making the requests, the largest, the mean, and the smallest of all the requests, etc. The range of the current requests by a node can be the class. A classifier on this trace data then describes the normal context (i.e., history) of a request.

    An anomaly detection model can then be computed, as a classifier or clusters, from the deviation data. Similarly, at the mobile application layer, the trace data can use the service as the class (i.e., one class for each service), and can contain the following features: for the past s seconds, the total number of requests to the same service, the number of different services requested, the average duration of the service, the number of nodes that requested (any) service, the total number of service errors, etc. A classifier on the trace data then describes, for each service, the normal behavior of its requests. Because these features are designed to capture the statistical behavior of the requests, attacks will show large differences from normal requests in their feature values. For example, compared with normal requests to the MAC layer or to an application-level service, DoS attacks via resource exhaustion normally involve a huge number of requests in a very short period of time; a DDoS has the additional twist that the requests come from many different nodes.

    Chapter 5

    5.1 Specification- based Monitoring of AODV

    Specification-based monitoring compares the behavior of objects with their associated security specifications, which capture the correct behavior of the objects. In general, specifications are manually crafted based on the security policy, the functionality of the objects, and the expected usage. Specification-based detection does not detect intrusions directly; instead, it detects the effects of intrusions as run-time violations of the specifications. Because the specifications are concerned only with the proper behavior of the objects, specification-based detection can detect not only known attacks but also unknown ones. The specification-based detection approach has been successfully applied to monitor security-critical programs [8], applications, and protocols [7]. In particular, specifications for the Address Resolution Protocol (ARP) and the Dynamic Host Configuration Protocol (DHCP) have been used to detect attacks that exploit vulnerabilities in these protocols.

    Normally, a network protocol specification constrains the messages transmitted by the network nodes. The specification can constrain the path along which the messages are transmitted as well as their contents. Specifications can also be developed from desirable global invariants of the protocol.

    To monitor AODV using the specification-based technique, we first focus on the routing messages that are transmitted during route discovery. Specifically, we attempt to check every RREQ and RREP message in a request-reply flow from a source node to a destination node and back to the source. In the following subsections, we describe how to monitor a request-reply flow using distributed Network Monitors (NMs).

    5.2 Basic Assumptions

    In order to narrow the scope of the problem, we employ the following assumptions. Future investigation of the problem will relax some of the assumptions.

    1. The MAC addresses and IP addresses of all mobile nodes are registered in network monitors and remain unchanged.
    2. MAC addresses cannot be forged.
    3. Every network monitor and its messages are secure and authenticated.
    4. Every node must forward or respond to the messages according to the protocol within some finite period of time.
    5. Network monitors are well selected to be able to cover all nodes and perform all required functionality.
    6. If a node is out of range of a network monitor, it must be in the range of neighboring monitors.
    7. If some nodes do not respond to broadcast messages, this will not cause serious problems.

    5.3 Run-time Monitoring of Request-Reply Flow

    The nature of ad hoc networks prevents any single IDS node from observing all messages in a request-reply flow. Therefore, tracing of RREQ and RREP messages in a request-reply flow has to be performed by distributed network monitors (NMs).

    Figure 14 depicts the architecture of a network monitor. Network monitors passively listen to AODV routing messages and detect incorrect RREQ and RREP messages. Messages are grouped based on the request-reply flow to which they belong. A request-reply flow can be uniquely identified by the RREQ ID and the source and destination IP addresses. A RREQ or RREP message is mapped to a request-reply flow based on the following fields:

    RREQ: AODV source address and RREQ ID
    RREP: AODV source and destination addresses

    A network monitor keeps track of the RREQ and RREP message last received by each monitored node and maintains the forwarding table of each monitored node.

    In addition, as each request-reply flow can have several branches (RREQ is a broadcast message, and more than one neighbor can continue broadcasting it), the NM maintains a session tree to trace the branches. When the NM sees an AODV packet as the current packet, it searches the session tree to find the previous packet of that packet. If the NM cannot find a previous packet matching the current packet in the session tree, it asks its neighboring NMs to find the previous packet. If one of the neighboring NMs answers, the NM receives the information of the previous packet and the tree it belongs to. Otherwise, the NM treats it as an "Active forge" anomaly. After comparing the current and previous packets, the NM inserts the current packet into the session tree for use with the next current packet. If it is an RREP message, the NM marks the new link as a red link. The forwarding table of the node is updated by its NM. By tracing the session tree, the NM can easily match the current and previous packets to detect anomalies, especially in RREQ. Moreover, the NM can detect incorrect hop counts and their previous nodes in RREQ. The NM can also identify the broken links of the corresponding RERR, so that it can mark the broken links and tell its nodes not to use those links for a period of time. The NM could even mark a node suffering from poor connection and issuing lots of RERRs.

    Bandwidth overhead is generated when an NM needs to ask its neighboring NMs for information about nodes that are out of its radio range. This happens when nodes move out of the range of the NM, or when a packet is forwarded to a node that is out of its range.

    5.4 Finite-state Machine Constraints

    A network monitor employs a finite state machine (FSM) for detecting incorrect RREQ and RREP messages. It maintains an FSM for each branch of a request-reply flow. A request flow starts in the Source state. It transitions to the RREQ Forwarding state when a source node broadcasts the first RREQ message (with a new RREQ ID). When a forwarded broadcast RREQ is detected, it stays in the RREQ Forwarding state unless a corresponding RREP is detected. Then, if a unicast RREP is detected, it goes to the RREP Forwarding state and stays there until the RREP reaches the source node and the route is set up. If any suspicious fact or anomaly is detected, it goes to the suspicious or alarm states.

    When a NM compares a new packet with the old corresponding packet, the primary goal of the constraints is to make sure that the AODV header of the forwarded control packets is not modified improperly. If an intermediate node responds to the request, the NM will verify this response from its forwarding table as well as with the constraints in order to make sure that the intermediate node does not lie. In addition, the constraints are used to detect packet drop and spoofing.

    Figure 16 shows the suspicious and alarm states. If either the sequence number (SN) or the hop count (HC) is not consistent, the flow goes to the SN/HC Forged Suspicious state and the NM asks neighboring NMs to confirm it (shown as (1)). If none of them disagrees, the request flow goes to the SN/HC Forged Alarm state. Otherwise, it returns to the RREQ Forwarding state if the message is an RREQ, or to the RREP Forwarding state if it is an RREP. The Out of Range Suspicious state applies only to RREP, and the NM also asks neighboring NMs to confirm it (shown as (3)). When there is no disagreement, the flow passes to the Drop/Lost Alarm state; otherwise, it passes to the RREP Forwarding state. If the IP and MAC address mapping is unknown, the flow goes to the Spoofing Alarm state (shown as (2)). Each branch of a request flow is independent and is treated separately.

    5.5 Matching Current and Previous Messages

    To determine the validity of a message (sent by a node, say A), a network monitor needs to identify the corresponding incoming message to A. For unicast messages, such as RREP, an NM can map current and previous packets easily by looking at the source and destination addresses in their IP headers. However, for broadcast messages, such as RREQ, the destination address will always be the broadcast address. To keep track of the RREQ path, we add one more field to AODV, called previous node (PN). This field indicates the node that previously forwarded the RREQ to the current node.

    For example, in the scenario described in Section 3 (Figure 1), the RREQ message broadcast by A is forwarded from B to C and then to D. Given the previous node field, we can identify the intermediate path AB from the RREQ message sent by B and the path BC from the RREQ message sent by C. The NM knows that D responds to this request via C from the source and destination addresses in the IP header of the RREP from D. Now the NM knows that A's request is forwarded by B and C and responded to by D, and therefore has a complete request path from A to D. Also, the NM knows the response path from D to A from the source and destination addresses in the IP headers of the unicast RREP messages. Therefore, the NM can trace the complete request flow from A to D and from D back to A.

    5.5.1 The Need for Previous Node Field

    When an NM hears an RREQ with PN, it is able to update the next hop of the reverse route in the forwarding table according to the PN in the RREQ. Otherwise, the NM is not able to detect the following two attacks:

    1. A malicious node forwards an RREP to a node that is not the next hop of the reverse route.
    2. If a node, M, forwards an RREP to A, but A does not forward it to S, then the NM cannot determine whether:
       a. the destination, A, dropped the packet, or
       b. M reported a fake, smaller hop count in the RREQ it forwarded and forwards the RREP to A via the reverse route it claimed, while A is actually always out of M's radio range. To achieve this attack, M has to know the network topology near M and claim a shorter reverse route that is actually invalid.

    In (1), with PN, the NM knows the next hop of the reverse route and can therefore detect a malicious node forwarding packets to the wrong place. In (2), the NM could mark the link between A and M as a bad link. When S rebroadcasts the RREQ, D gets an RREQ from M with PN = A and will ignore this RREQ. Without PN, D would not know whether the RREQ sent by M came from A or from some other node. Hence D would either ignore all RREQs from M, resulting in false negatives, or accept all of them, resulting in false positives.

    5.5.2 Functionality of NM

    NMs passively listen to the wireless medium to monitor AODV packets. They exchange information through a secure channel, and only when additional information about nodes is needed, for example when the session path crosses multiple NMs' radio ranges. Moreover, based on the AODV control messages heard, an NM stores the expected forwarding tables of the nodes within its radio range in order to be able to examine later whether the nodes are misbehaving. With low overhead and memory storage, NMs are able to detect system errors and anomalies that could lead to potential (and possibly unknown) attacks in real time with low false positives, by employing predefined finite state machine constraints (see below).

    5.6 Construction and Processing of Session Trees

    Procedure 1 below describes the process at each Network Monitor (NM). Each NM listens to the channel and starts processing when it hears a message M being sent within its radio range.

    5.6.1 Detect Spoofing

    Since each NM has a complete mapping between the MAC address and IP address of every node in the network, an NM can examine M to determine whether its MAC-IP address pair is consistent with the preconfigured data, in order to detect a spoofing attack (lines 3, 4).

    5.6.2 Monitoring RREQ - Building Session Trees

    If M is an RREQ, the NM employs AddSessionTree(M), described in Procedure 2. SessionTreeList is the list of trees in which each tree corresponds to one RREQ session. In the Retrieve Tree procedure (Line 1), the AODV source address (AODVSrc) and RREQ ID (RID) in the RREQ are used to identify and retrieve the session tree. If M.IPSrc (the source IP address in the IP header of the message) is equal to M.AODVSrc (the source IP address in AODV), it indicates that a node has initiated a new RREQ request, so a new session tree is created. If the NM cannot retrieve a tree, it requests one from its neighboring NMs. If none of them can find a corresponding session tree, an active forged RREQ anomaly is detected.

    In the RetrivePrevMsg procedure (Line 2), the NM searches for the RREQ message (PrevM) that was forwarded right before the current RREQ message (M), according to M's previous node field (M.PrevNode), in the session tree. If the NM and its neighboring NMs fail to find one, the previous node field given in M is incorrect and a fake previous node anomaly is detected.

    Otherwise, in the Check Consistency procedure (Line 3), the NM verifies that values in M, such as SN and HC, are consistent with those in PrevM. The NM then trusts the values in M, adds it to the session tree (Line 4), and updates the forwarding table (F) (Line 5) according to the reverse route given in M.

    5.6.3 Monitoring RREP

    If M is an RREP, the NM processes M in ProcessSessionTree(M) (shown in Procedure 3). In the Retrieve Tree procedure (Line 1), the AODV source address (AODVSrc) and AODV destination address (AODVDst) in the RREP are used to identify and retrieve the session tree. If the NM and its neighboring NMs fail to get one, an active forged RREP is detected. InitRREP (Line 2) is true if a node (M.IPSrc) that is not in the tree sends an RREP to one of the nodes (M.IPDst) in the tree. NotDst is true if the sender (M.IPSrc) is not the destination of the request (M.AODVDst). The NM only verifies a new RREP generated by an intermediate node against its forwarding table, since NMs trust a new RREP issued by the destination of the AODV request. ForwardedRREP is true if the sender of the RREP is the tail of the RREP path and the destination of the RREP is not in the RREP path but is in the session tree. The NM then retrieves the previous message (PrevM), which is the tail of the RREP path, and checks consistency against PrevM. Now the NM trusts this new RREP, adds it to the RREP path of the tree, and updates the forwarding table (F) according to the forward route given in M. In addition, if all RREP paths go back to the source of the request (M.AODVSrc) and no more RREPs are detected, the whole tree can be discarded. Also, if no RREP is added for a period of time before a complete RREP path to the source is established, the NM reports a drop/loss anomaly.
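    An added example, not code from the original work, that puts Sections 5.4 to 5.6 together: one Network Monitor that checks the MAC-IP mapping (Procedure 1), builds session trees from RREQ messages through the PN field (Procedure 2), checks SN and hop-count consistency, and processes RREPs against the RREP path and the recorded reverse route (Procedure 3), returning the branch's FSM state or an alarm name per message. The node names, MAC strings and message sequence are constructed, and neighbor-NM confirmation is not modelled: a lookup that fails locally is treated as the alarm the text names.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
# Constructed MAC<->IP registry preloaded in every NM (assumptions 1 and 2 of Section 5.2).
REGISTRY = {"S": "mac-S", "A": "mac-A", "B": "mac-B", "D": "mac-D", "M": "mac-M"}

@dataclass(frozen=True)
class Msg:
    kind: str                 # "RREQ" or "RREP"
    ip_src: str               # IP-header source: the node that sent this copy
    ip_dst: str               # IP-header destination ("*" = broadcast)
    mac_src: str              # link-layer source, checked against REGISTRY
    aodv_src: str             # originator of the request (AODVSrc)
    aodv_dst: str             # target of the request (AODVDst)
    rreq_id: int
    sn: int                   # sequence number carried by the message
    hc: int                   # hop count
    pn: Optional[str] = None  # previous-node field of Section 5.5 (RREQ only)

@dataclass
class SessionTree:
    rreq_by_node: Dict[str, Msg] = field(default_factory=dict)  # RREQ copies keyed by sender
    rrep_path: List[Msg] = field(default_factory=list)           # unicast RREP hops seen so far
    state: str = "Source"                                        # FSM state of this branch

def consistent(prev: Msg, m: Msg) -> bool:
    return m.sn == prev.sn and m.hc == prev.hc + 1  # Check Consistency (5.4, 6.2): SN unchanged, HC + 1

class NetworkMonitor:
    def __init__(self, registry: Dict[str, str]) -> None:
        self.registry = registry
        self.trees: Dict[Tuple[str, int], SessionTree] = {}   # (AODVSrc, RREQ ID) -> tree
        self.by_dst: Dict[Tuple[str, str], SessionTree] = {}  # (AODVSrc, AODVDst) -> tree
        self.fwd: Dict[str, Dict[str, str]] = {}              # node -> {destination: next hop}

    def process(self, m: Msg) -> str:
        # Procedure 1: returns the branch's FSM state, or an alarm name, after message m.
        if self.registry.get(m.ip_src) != m.mac_src:          # lines 3-4: MAC-IP mismatch
            return "Spoofing Alarm"
        return self._add_session_tree(m) if m.kind == "RREQ" else self._process_session_tree(m)

    def _add_session_tree(self, m: Msg) -> str:
        # Procedure 2 (AddSessionTree) for broadcast RREQ messages.
        key = (m.aodv_src, m.rreq_id)
        if m.ip_src == m.aodv_src:                            # originator: start a new tree
            tree = SessionTree(rreq_by_node={m.ip_src: m}, state="RREQ Forwarding")
            self.trees[key] = self.by_dst[(m.aodv_src, m.aodv_dst)] = tree
            return tree.state
        if (tree := self.trees.get(key)) is None:             # Retrieve Tree failed
            return "Active Forge RREQ"
        if (prev := tree.rreq_by_node.get(m.pn)) is None:     # RetrivePrevMsg via the PN field
            return "Fake Previous Node"
        if not consistent(prev, m):
            tree.state = "SN/HC Forged Suspicious"
            return "SN/HC Forged Alarm"
        tree.rreq_by_node[m.ip_src] = m                       # trust m and add it to the tree
        self.fwd.setdefault(m.ip_src, {})[m.aodv_src] = m.pn  # reverse route: next hop is PN
        return tree.state

    def _process_session_tree(self, m: Msg) -> str:
        # Procedure 3 (ProcessSessionTree) for unicast RREP messages.
        if (tree := self.by_dst.get((m.aodv_src, m.aodv_dst))) is None:
            return "Active Forge RREP"
        if m.ip_src not in tree.rreq_by_node and m.ip_dst in tree.rreq_by_node:   # InitRREP
            # NotDst: the destination itself is trusted; a cached reply needs a route to AODVDst.
            if m.ip_src != m.aodv_dst and m.aodv_dst not in self.fwd.get(m.ip_src, {}):
                return "Intermediate RREP Not Backed by Forwarding Table"
        else:                                                 # ForwardedRREP
            prev = tree.rrep_path[-1] if tree.rrep_path else None
            if prev is None or prev.ip_dst != m.ip_src:       # sender must be tail of RREP path
                return "Active Forge RREP"
            if not consistent(prev, m):
                tree.state = "SN/HC Forged Suspicious"
                return "SN/HC Forged Alarm"
            if self.fwd.get(m.ip_src, {}).get(m.aodv_src) != m.ip_dst:   # attack 1 of 5.5.1
                return "RREP Sent Off the Reverse Route"
        tree.rrep_path.append(m)
        self.fwd.setdefault(m.ip_dst, {})[m.aodv_dst] = m.ip_src     # receiver learns forward route
        tree.state = "Done" if m.ip_dst == m.aodv_src else "RREP Forwarding"
        return tree.state

def trace(msgs: List[Msg]) -> List[str]:
    nm = NetworkMonitor(REGISTRY)        # one NM hears the whole constructed sequence
    return [nm.process(m) for m in msgs]

# Constructed flow S -> A -> B -> D and back (not a real capture), then four tampered messages.
NORMAL_FLOW = [
    Msg("RREQ", "S", "*", "mac-S", "S", "D", 1, 100, 0),
    Msg("RREQ", "A", "*", "mac-A", "S", "D", 1, 100, 1, pn="S"),
    Msg("RREQ", "B", "*", "mac-B", "S", "D", 1, 100, 2, pn="A"),
    Msg("RREP", "D", "B", "mac-D", "S", "D", 1, 61, 0),
    Msg("RREP", "B", "A", "mac-B", "S", "D", 1, 61, 1),
    Msg("RREP", "A", "S", "mac-A", "S", "D", 1, 61, 2),
]
TAMPERED = NORMAL_FLOW[:2] + [
    Msg("RREQ", "M", "*", "mac-M", "S", "D", 1, 100, 1, pn="A"),  # hop count not incremented
    Msg("RREQ", "M", "*", "mac-M", "S", "D", 1, 100, 2, pn="Z"),  # previous node not in tree
    Msg("RREQ", "B", "*", "mac-X", "S", "D", 1, 100, 2, pn="A"),  # MAC does not match B's
    Msg("RREP", "M", "A", "mac-M", "S", "D", 1, 61, 0),           # cached reply without a route
]
```

Running `trace(NORMAL_FLOW)` walks the branch from RREQ Forwarding through RREP Forwarding to Done, while `trace(TAMPERED)` returns one alarm name per tampered message.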

    5.6.4 Monitoring RERR

    Finally, if M is an RERR, then the NM updates the forwarding table according to which node is unreachable by which node. To prevent an attacker from repeatedly using RERR to perform an attack, a broken link is forced to remain in that state for a finite period of time.

    Chapter 6

    6. Evaluation

    In order to show how the IDS detects attacks, we first describe how the network monitors trace AODV packets based on the AODV scenario in Section 3.1. Then we show how we detect the single attacks of Section 3.3 and the aggregated attacks of Section 3.4.

    6.1 Tracing AODV Packets

    In Figure 9, two network monitors, N1 and N2, work cooperatively and trace the request flow shown in Section 3.1. Table 3 shows the AODV packets that N1 and N2 see in each time slot. Table 4 shows how N1 and N2 build up their session trees step by step according to the AODV packets shown in Table 3. At time slot 2, N2 sees b1 but did not see the original packet sent from A, so N2 asks its neighboring monitor, N1, to confirm it. Similarly, at time slot 5, N1 sees c2 and asks N2 to retrieve the complete session tree. Tables 5 and 6 show the forwarding tables of N1 and N2 according to the AODV packets they see in each time slot.

    6.2 Detecting Simple Attacks

    6.2.1 Detect Attacks by Forged Sequence number

    According to the forwarding tables in N1 and N2, SN.Src = 100 and SN.Dst = 61. If N1 or N2 detects any packet whose SN is larger than it should be and that is not sent by the owner of the SN (IP.Src not equal to the source or destination node, depending on whether the message is an RREQ or an RREP), it treats the packet as an attack.

    6.2.2 Detect Attacks by Forged Hop count

    According to the forwarding table and session tree, if the hop count does not increase by 1 along the session tree, the NM treats it as an attack.

    6.3 Detecting Aggregated Attacks

    6.3.1 Man in the middle attack

    Since the SN of the packets sent by M is larger than the one the NMs have, and the packets were not sent by the owner of the SN (IP.Src not equal to the source or destination node, depending on whether the message is an RREQ or an RREP), the NM detects the attack.

    6.3.2 Tunneling attack

    In this attack, the attacker claims that the route is {S, M1, M2, D} although the real route is {S, M1, A, B, C, M2, D}. When M2 gets the unicast RREP and forwards it, actually to C, our IDS learns this by checking the IP header and notices that the RREP is not forwarded via M1, contrary to the route given by the AODV packets sent by M1 and M2. Therefore, our IDS detects that the link between M1 and M2 is fake.

    So far, research on security solutions for MANETs and WSNs has originated from the prevention point of view. For example, in both kinds of networks there exist many key distribution and management schemes that can be built on a link-layer security architecture, prevention of denial-of-service attacks, and secure routing protocols. There is also research targeted at specific services and applications. For example, one of the most important purposes of deploying WSNs is to collect relevant data. In the data collection process, aggregation is required to save energy and thus prolong the lifetime of a WSN. However, aggregation primitives are vulnerable to node compromise attacks, which lead to falsely aggregated results produced by a compromised aggregator. Hence, effective techniques are required to verify the integrity of aggregated results. Prevention-based approaches can significantly reduce potential attacks; however, they cannot totally eliminate intrusions. After a node is compromised, all the secrets associated with the node are open to the attacker. This renders prevention-based techniques less helpful for guarding against malicious insiders, and in practice insiders can cause much greater damage.

    Proposed Solution:

    Intrusion detection systems (IDSs), serving as the second line of defense, are indispensable in providing a highly secure information system. By modeling the behavior of proper activities, an IDS can effectively identify potential intruders and thus provide in-depth protection.

    An intrusion is defined as a set of actions that compromises confidentiality, availability, and integrity of a system. Intrusion detection is a security technology that attempts to identify those who are trying to break into and misuse a system without authorization and those who have legitimate access to the system but are abusing their privileges. The system can be a host computer, network equipment, a firewall, a router, a corporate network, or any information system being monitored by an intrusion detection system.

    An IDS dynamically monitors a system and the actions of its users in order to detect intrusions. Because an information system can suffer from many kinds of security vulnerabilities, it is both technically difficult and economically costly to build and maintain a system that is not susceptible to attack. Experience teaches us never to rely on a single defensive technique. An IDS, by analyzing system and user operations in search of undesirable and suspicious activities, adds a layer of monitoring and protection against threats.

    Generally, there are two types of intrusion detection: misuse-based detection and anomaly-based detection [3]. A misuse-based detection technique encodes known attack signatures and system vulnerabilities and stores them in a database.

    If a deployed IDS finds a match between current activities and a stored signature, an alarm is generated. Misuse detection techniques are not effective at detecting novel attacks, because no corresponding signature exists. An anomaly-based detection technique instead builds normal profiles of system states or user behaviors and compares them with current activities; if a significant deviation is observed, the IDS raises an alarm. Unknown attacks can therefore be detected by anomaly detection. However, normal profiles are usually very difficult to build. For example, in a MANET, mobility-induced dynamics make it hard to distinguish normal from anomalous behavior, and therefore hard to distinguish false alarms from real intrusions. The capability to establish good normal profiles is crucial in designing an effective anomaly-based IDS.

    As a promising alternative, specification-based detection techniques combine the advantages of misuse detection and anomaly detection by using manually developed specifications to characterize legitimate system behaviors. Specification-based approaches resemble anomaly detection in that both detect attacks as deviations from a normal profile; because the profile is a manually developed specification rather than a learned one, however, they avoid the high false alarm rate of anomaly detection. The downside is that developing detailed specifications is time-consuming, and an attack that stays within the letter of the specification goes unnoticed.


    It is very challenging to devise a one-size-fits-all detection approach. Analysis of existing attack models facilitates the extraction of effective features, which turns out to be one of the most important steps in building an IDS. The following are representative types of attack in the context of a MANET IDS:

    • Routing Logic Compromise: In routing protocols, typical attack scenarios include black hole, routing update storm, and fabrication or modification of various fields in routing control packets (for example, route request, route reply, and route error messages) during different phases of the routing procedure. All of these attacks can lead to serious dysfunction of a MANET.
    • Traffic Distortion: This includes attacks such as packet dropping, packet corruption, data flooding, and so on. Motivated by different objectives, attackers may manipulate packets in different ways. For example, an attacker may drop received packets randomly, periodically, or selectively, either selfishly to save power or intentionally to prevent other nodes from receiving data.

    In addition, attacks such as rushing, wormhole, and spoofing have also been discussed in the context of MANETs. Furthermore, it is not difficult to construct intrusions that combine the attacks mentioned above.


    The pioneering intrusion detection research in the context of a MANET appears in a series of works by Zhang, Lee, and Huang. In their system concept, an IDS agent is attached to each node, and each node performs intrusion detection and response individually. One of the most important steps in IDS research is to construct effective features. Focusing on MANET routing protocols, Zhang et al. [2] use an unsupervised method to construct a feature set and then select an essential subset of features (e.g., distance to a destination, node velocity, the percentage of changed routes, the percentage change in the sum of hops of all routes, etc.) that have high information gain. Information gain is an important metric for measuring the effectiveness of a feature; features with high information gain help a constructed IDS achieve the desired performance. Different routing protocols may result in different feature sets.

    Intrusion detection can be formulated as a pattern classification problem in which classifiers label observed activities as normal or intrusive. In [2], based on the identified feature set, Zhang et al. apply two well-known classifiers, RIPPER and SVM Light, to construct a suite of anomaly detection models. RIPPER is a rule-induction classifier equivalent in expressive power to a decision tree: by separating the training data into appropriate classes, it computes a rule set for the system. SVM Light, a support vector machine (SVM) implementation, can produce a more accurate classifier when the provided data are not well captured by rules over the given feature set. Because an intrusion session is localized in time, post-processing is also introduced to filter out false alarms: if there are more abnormal predictions than normal predictions within a predefined window of time, the activities in that window are deemed abnormal, and spurious errors that occur during normal sessions are removed.

    Because of the importance of feature selection in IDS research, Huang et al. further introduce a learning-based method that uses cross-feature analysis to capture inter-feature correlation patterns. Suppose that L features, f1, f2, ..., fL, are identified, where each fi characterizes either topology or routing activity. The classification problem is to learn from the training data a set of classification models Ci: {f1, ..., fi-1, fi+1, ..., fL} → fi, one for each i, in which feature fi is chosen as the target and is predicted from all of the other features. Each model Ci thus captures the temporal correlation between one feature and the rest. In normal situations the observed value of fi is very likely under Ci; when malicious events occur, the observed value becomes very unlikely under Ci. Normal events and abnormal events can be distinguished on this basis.

    Local detection alone is not sufficient because of the distributed nature of a MANET. Huang and Lee further elaborate mechanisms by which a node can collaborate with its neighbors and initiate a detection process over a broader range, which yields not only more accurate detection results but also more information about attack types and sources. They propose a cluster-based detection scheme in which a monitoring node is elected fairly and periodically within a cluster of neighboring mobile nodes. Each node maintains a finite state machine with the possible states Initial, Clique, Done, and Lost. Based on this finite state machine, a set of protocols, including a clique computation protocol, a cluster-head computation protocol, a cluster-valid assertion protocol, and a cluster recovery protocol, are detailed. The resource constraints faced by a MANET are addressed in the design of these protocols.
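    The cross-feature analysis just described, as an added worked example (not code from Huang et al. or from this dissertation). It assumes that the features have already been discretised into small integer bins, that each Ci is a naive Bayes classifier with add-one smoothing (the text does not name the classifier), that the anomaly score of a record is the mean over i of P(observed fi | other features), and that a record scoring below the lowest score seen on normal training data is flagged. The training records and the two probe records are constructed for the demonstration, not measured traffic.

```python
"""Cross-feature analysis: one model C_i per feature predicts f_i from the
other features; a record whose observed values are unlikely under the C_i is
anomalous.  Added example; the naive Bayes choice, the mean-probability score
and the threshold rule are assumptions, not the surveyed authors' design."""
from collections import Counter

# Feature order, after the examples of Zhang et al.: (pct_changed_routes,
# pct_hop_sum_change, velocity, dist_to_dest), each as a small integer bin.
FEATURES = ("pct_changed_routes", "pct_hop_sum_change", "velocity", "dist_to_dest")

# Constructed normal records: route churn and hop churn track velocity.
TRAIN_NORMAL = [
    (0, 0, 0, 1), (0, 0, 0, 1), (0, 1, 1, 1), (1, 1, 1, 1), (1, 1, 1, 2),
    (2, 2, 2, 2), (2, 2, 2, 3), (1, 1, 1, 2), (0, 0, 0, 2), (2, 2, 2, 2),
    (1, 1, 1, 1), (2, 2, 2, 3), (0, 0, 0, 1), (1, 1, 1, 2), (2, 1, 2, 2),
]
NORMAL_PROBE = (1, 1, 1, 2)   # moderate churn at moderate speed
ATTACK_PROBE = (2, 2, 0, 1)   # heavy route churn while standing still


class CrossFeatureModel:
    def fit(self, records):
        L = len(records[0])
        self.n = len(records)
        self.values = [set(r[j] for r in records) for j in range(L)]
        self.marginal = [Counter(r[i] for r in records) for i in range(L)]
        self.joint = {(i, j): Counter((r[i], r[j]) for r in records)
                      for i in range(L) for j in range(L) if i != j}
        # Detection threshold: the least likely record among the normal data.
        self.threshold = min(self.score(r) for r in records)
        return self

    def predict_prob(self, i, record):
        """P(f_i = record[i] | all other features) under naive Bayes model C_i.
        A bin never seen for f_i during training gets probability 0."""
        weights = {}
        for v in self.values[i]:
            w = (self.marginal[i][v] + 1) / (self.n + len(self.values[i]))
            for j in range(len(record)):
                if j != i:
                    w *= ((self.joint[(i, j)][(v, record[j])] + 1)
                          / (self.marginal[i][v] + len(self.values[j])))
            weights[v] = w
        return weights.get(record[i], 0.0) / sum(weights.values())

    def score(self, record):
        """Mean over i of how likely the observed f_i is given the rest."""
        return sum(self.predict_prob(i, record) for i in range(len(record))) / len(record)

    def is_anomalous(self, record):
        return self.score(record) < self.threshold


def demo():
    """Fit on the constructed normal data and score the two probes."""
    m = CrossFeatureModel().fit(TRAIN_NORMAL)
    return {
        "threshold": m.threshold,
        "normal": (m.score(NORMAL_PROBE), m.is_anomalous(NORMAL_PROBE)),
        "attack": (m.score(ATTACK_PROBE), m.is_anomalous(ATTACK_PROBE)),
    }
```

    The attack probe is not an unseen value in any single feature; every bin it contains occurs in normal data. It is flagged only because the combination (high churn, zero velocity, close to destination) contradicts the learned correlations, which is exactly what per-feature thresholds would miss.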
    Using a specification-based approach to describe the major functionality of the Ad hoc On-Demand Distance Vector (AODV) routing protocol at the data and routing layers, Huang and Lee [6] propose an extended finite state automaton (EFSA) whose transitions and states carry a finite set of parameters. The EFSA can detect invalid-state violations, incorrect-transition violations, and unexpected-action violations, so its construction leads naturally to a specification-based detector. Based on a set of statistical features, statistical learning algorithms are then applied to detect abnormal patterns in the basic events that the EFSA flags as anomalous.
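    A run-time monitor built on a small specification of the AODV route request/route reply flow, reporting the three violation classes named above, as an added example. It is not code from Huang and Lee, Tseng et al., or this dissertation, and the specification it enforces is a deliberately reduced one assumed here: the monitor overhears everything its neighbors receive and transmit; a node may retransmit RREQ (orig, rreq_id) only if a copy was overheard earlier, with the destination unchanged and the hop count one higher than some copy it could have received; a RREP for (orig, dst) is expected only after a RREQ for that pair, only dst may originate it (hop count 0), and any other node may send it only after a RREP addressed to that node was overheard, again with the hop count incremented by one. Cached intermediate replies, RERR handling, and the sequence-number rules of real AODV are out of scope, and the node names and packet traces are constructed.

```python
"""Specification-based monitor for the AODV RREQ/RREP flow (added example).
Violations are reported as (kind, node, detail) with kind being one of the
EFSA classes: 'invalid state', 'incorrect transition', 'unexpected action'."""

RREQ, RREP = "RREQ", "RREP"


class AodvFlowMonitor:
    def __init__(self):
        self.rreq_copies = {}   # (orig, rreq_id) -> [(tx, dst, hops)] overheard
        self.rrep_copies = {}   # (orig, dst) -> [(addressed_to, hops)] overheard
        self.requested = set()  # (orig, dst) pairs with a RREQ in flight
        self.violations = []

    def observe(self, pkt):
        """Feed one overheard control packet; return the violations it raised."""
        n = len(self.violations)
        if pkt["type"] == RREQ:
            self._rreq(pkt)
        elif pkt["type"] == RREP:
            self._rrep(pkt)
        return self.violations[n:]

    def _flag(self, kind, node, detail):
        self.violations.append((kind, node, detail))

    def _rreq(self, p):
        key, tx, dst, hops = (p["orig"], p["rreq_id"]), p["tx"], p["dst"], p["hops"]
        copies = self.rreq_copies.setdefault(key, [])
        if tx == p["orig"]:                       # origination of a new request
            if hops != 0:
                self._flag("incorrect transition", tx, "originated RREQ with hops != 0")
            self.requested.add((p["orig"], dst))
        elif not copies:                          # forwarding something never received
            self._flag("invalid state", tx, "forwarded RREQ %s it never received" % (key,))
        else:
            if all(c_dst != dst for _, c_dst, _ in copies):
                self._flag("incorrect transition", tx, "destination field changed to %s" % dst)
            if not any(c_hops + 1 == hops for c_tx, _, c_hops in copies if c_tx != tx):
                self._flag("incorrect transition", tx,
                           "hop count %d is not one more than any received copy" % hops)
        copies.append((tx, dst, hops))

    def _rrep(self, p):
        flow, tx, hops = (p["orig"], p["dst"]), p["tx"], p["hops"]
        if flow not in self.requested:
            self._flag("unexpected action", tx, "RREP for %s, which nobody requested" % (flow,))
        elif tx == p["dst"]:                      # the destination answers
            if hops != 0:
                self._flag("incorrect transition", tx, "destination originated RREP with hops != 0")
        else:                                     # an intermediate node relays
            received = [h for to, h in self.rrep_copies.get(flow, []) if to == tx]
            if not received:
                self._flag("unexpected action", tx, "RREP for %s without having received one" % (flow,))
            elif hops - 1 not in received:
                self._flag("incorrect transition", tx, "RREP hop count %d not one more than received" % hops)
        self.rrep_copies.setdefault(flow, []).append((p["to"], hops))


def rreq(tx, orig, dst, rreq_id, hops):
    return {"type": RREQ, "tx": tx, "orig": orig, "dst": dst, "rreq_id": rreq_id, "hops": hops}


def rrep(tx, to, orig, dst, hops):
    return {"type": RREP, "tx": tx, "to": to, "orig": orig, "dst": dst, "hops": hops}


def legitimate_discovery():
    """Constructed trace: S discovers D over the chain S-A-B-C-D."""
    m = AodvFlowMonitor()
    trace = [rreq("S", "S", "D", 7, 0), rreq("A", "S", "D", 7, 1),
             rreq("B", "S", "D", 7, 2), rreq("C", "S", "D", 7, 3),
             rrep("D", "C", "S", "D", 0), rrep("C", "B", "S", "D", 1),
             rrep("B", "A", "S", "D", 2), rrep("A", "S", "S", "D", 3)]
    return [v for p in trace for v in m.observe(p)]


def attack_trace():
    """Constructed trace with field modification, a black-hole style reply,
    an unsolicited reply, a changed destination and a fabricated forward."""
    m = AodvFlowMonitor()
    trace = [rreq("S", "S", "D", 7, 0), rreq("A", "S", "D", 7, 1),
             rreq("B", "S", "D", 7, 0),        # B resets the hop count
             rrep("B", "A", "S", "D", 1),      # B replies without any RREP from D
             rrep("E", "A", "S", "Z", 0),      # nobody asked for Z
             rreq("C", "S", "X", 7, 2),        # C rewrites the destination
             rreq("F", "S", "D", 9, 3)]        # F forwards a request never seen
    return [v for p in trace for v in m.observe(p)]
```

    The monitor is stateful per flow, so the same packet can be legitimate or a violation depending on what preceded it; that is the property that distinguishes this approach from signature matching on single packets.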

    Based on the Dynamic Source Routing (DSR) protocol, Marti et al. propose installing two extra facilities, a watchdog and a path rater, to identify and respond to routing misbehavior in a MANET.

    In the data transmission process, a node may misbehave by agreeing to forward packets and then failing to do so. Consider the example illustrated in Fig. 2 to understand the watchdog approach. Suppose a path exists from a source node S to a destination node D through intermediate nodes A, B, and C. Node A cannot transmit directly to node C and must go through node B, but A can overhear B's transmissions. To detect whether B is misbehaving, A maintains a buffer of packets it has recently sent to B. A then compares each packet it overhears B transmitting with the buffered packets; a match means B forwarded the packet, and the buffered copy is removed. If a buffered packet is not overheard within a timeout, A increments a failure tally for B. If the tally exceeds a threshold, B is deemed to be misbehaving. Each node also maintains a rating for every node it knows about in the network; a path metric is calculated by averaging the ratings of the nodes on the path, and the path rater selects the path with the highest metric.
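    The watchdog and path rater described above, as an added worked example (not code from Marti et al. or from this dissertation). Assumptions that the text does not state: packets carry a unique id; time is a logical tick supplied by the caller; a buffered packet not overheard being retransmitted by its next hop within timeout ticks counts as one failure; unknown nodes start with rating 0.5 and a node the watchdog reports is given rating -100 so that any path through it ranks below any clean path; a path's metric is the mean rating of its intermediate nodes. The node names and the packet sequence in simulate() are constructed.

```python
"""Watchdog (promiscuous forwarding check) and path rater (added example)."""
from collections import OrderedDict


class Watchdog:
    def __init__(self, threshold=3, timeout=2, buffer_size=64):
        self.threshold = threshold
        self.timeout = timeout
        self.buffer_size = buffer_size
        self.pending = OrderedDict()   # pkt_id -> (next_hop, sent_at)
        self.failures = {}             # next_hop -> failure tally
        self.misbehaving = set()

    def forwarded(self, pkt_id, next_hop, now):
        """Record a packet this node just handed to next_hop."""
        if len(self.pending) >= self.buffer_size:
            self.pending.popitem(last=False)   # bounded buffer: forget the oldest
        self.pending[pkt_id] = (next_hop, now)

    def overheard(self, transmitter, pkt_id):
        """Promiscuous receive: did next_hop retransmit one of our packets?"""
        entry = self.pending.get(pkt_id)
        if entry is not None and entry[0] == transmitter:
            del self.pending[pkt_id]
            return True
        return False   # not ours, or relayed by a node other than the next hop

    def expire(self, now):
        """Charge one failure for every buffered packet whose timeout passed.
        Returns the nodes newly classified as misbehaving."""
        newly = []
        for pkt_id, (next_hop, sent_at) in list(self.pending.items()):
            if now - sent_at > self.timeout:
                del self.pending[pkt_id]
                self.failures[next_hop] = self.failures.get(next_hop, 0) + 1
                if self.failures[next_hop] > self.threshold and next_hop not in self.misbehaving:
                    self.misbehaving.add(next_hop)
                    newly.append(next_hop)
        return newly


class PathRater:
    def __init__(self, default=0.5, misbehaving_rating=-100.0):
        self.default = default
        self.misbehaving_rating = misbehaving_rating
        self.ratings = {}

    def rating(self, node):
        return self.ratings.get(node, self.default)

    def mark_misbehaving(self, node):
        self.ratings[node] = self.misbehaving_rating

    def metric(self, path):
        """Mean rating of the intermediate nodes (source and destination excluded)."""
        hops = path[1:-1]
        return sum(self.rating(n) for n in hops) / len(hops) if hops else self.default

    def choose(self, paths):
        return max(paths, key=self.metric)


def simulate():
    """A forwards five packets to B; B relays only the first.  Returns the
    nodes A's watchdog reports, the path metrics, and the path A then picks."""
    wd, pr = Watchdog(threshold=3, timeout=2), PathRater()
    for pkt_id in range(1, 6):
        wd.forwarded(pkt_id, "B", now=pkt_id)
    wd.overheard("B", 1)           # B did forward packet 1
    wd.overheard("C", 2)           # C transmitting packet 2 says nothing about B
    for node in wd.expire(now=10):
        pr.mark_misbehaving(node)
    paths = [["S", "A", "B", "C", "D"], ["S", "A", "E", "D"]]
    return wd.misbehaving, {tuple(p): pr.metric(p) for p in paths}, pr.choose(paths)
```

    Note the limitations the text lists next: a collision at A while B transmits looks identical to B dropping the packet, which is why a failure tally with a threshold is used rather than a single miss, and a node that forwards to the wrong next hop or corrupts the payload before forwarding still passes this check unless the comparison covers the whole packet.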

    Marti et al. also discuss several limitations of this approach, including those resulting from packet collisions, false reports of node misbehavior, and potential mechanisms for circumventing the watchdog. Focusing on the AODV routing protocol, Tseng et al. [8] propose a specification-based intrusion detection technique. A finite state machine (FSM) is constructed to specify the correct behavior of AODV, that is, to track each branch of a route request/route reply (RREQ/RREP) flow by monitoring all of the RREQ and RREP messages from a source node to a destination node. The constructed specification is then compared with the actual behavior of monitored neighbors. The distributed network monitor passively listens to AODV traffic, captures RREQ and RREP messages, and detects run-time violations of the specification. A tree data structure and a node coloring scheme are also proposed to detect most of the serious attacks. Sun et al. [9] propose using a Markov chain (MC) to characterize the normal behavior of MANET routing tables. An MC-based local detection engine can effectively capture the temporal characteristics of MANET routing behavior. Because of the distributed nature of a MANET, an individual alert raised by one node must be aggregated with others to improve performance. Motivated by this, a nonoverlapping zone-based intrusion detection system (ZBIDS) is proposed to facilitate alert correlation and aggregation [9], as illustrated in Fig. 3. Specifically, the whole network is divided into nonoverlapping zones. The gateway nodes of each zone (also called interzone nodes, i.e., those nodes that have physical connections to other zones) are responsible for aggregating and correlating the alerts generated locally inside the zone. Intrazone nodes, after detecting a local anomaly, generate an alert and broadcast it inside the zone. Only gateway nodes turn alerts into alarms, which effectively reduces false alarms.

    In ZBIDS, the aggregation algorithm reduces the false alarm ratio and improves the detection ratio. An alert data model conforming to the Intrusion Detection Message Exchange Format (IDMEF) is also presented to facilitate the interoperability of IDS agents; based on it, gateway nodes can provide a wider view of attack scenarios. Considering that one of the main challenges in building a MANET IDS is to integrate mobility with the IDS and adjust its behavior accordingly, Sun et al. [10] demonstrate that a node's moving speed, a parameter commonly used in tuning MANET performance, is not an effective metric for tuning IDS performance under different mobility models. Sun et al. then propose an adaptive scheme in which each local IDS selects suitable normal profiles and corresponding thresholds adaptively by periodically measuring its local link change rate, a proposed metric that reflects the mobility level. The scheme is less dependent on the underlying mobility model and further improves performance.
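    Gateway-side aggregation of intrazone alerts in the ZBIDS manner, as an added example (not code from Sun et al. or from this dissertation). Assumptions not taken from the text: alert records carry a few fields loosely modelled on IDMEF (analyzer, create_time, source, classification) plus a zone tag; the gateway raises an alarm for a suspect only when at least min_reporters distinct intrazone nodes have alerted on it within window seconds; the evidence for that suspect is cleared once an alarm is raised so the same reports are not alarmed twice; timestamps are plain integers. The alert stream in run_scenario() is constructed.

```python
"""ZBIDS-style zone gateway: intrazone alerts in, correlated alarms out (added example)."""
from collections import defaultdict


class ZoneGateway:
    def __init__(self, zone, min_reporters=2, window=30):
        self.zone = zone
        self.min_reporters = min_reporters
        self.window = window
        self.evidence = defaultdict(list)   # suspect -> [(reporter, time, classification)]
        self.alarms = []

    def receive(self, alert):
        """Consume one broadcast alert; return the alarm it triggers, if any."""
        if alert["zone"] != self.zone:
            return None                  # another zone's gateway correlates that one
        suspect, now = alert["source"], alert["create_time"]
        # Keep only evidence inside the correlation window, then add this alert.
        recent = [e for e in self.evidence[suspect] if now - e[1] <= self.window]
        recent.append((alert["analyzer"], now, alert["classification"]))
        self.evidence[suspect] = recent
        reporters = {r for r, _, _ in recent}
        if len(reporters) < self.min_reporters:
            return None                  # one node's local view is not enough
        alarm = {
            "suspect": suspect,
            "reporters": sorted(reporters),
            "classifications": sorted({c for _, _, c in recent}),
            "time": now,
        }
        self.alarms.append(alarm)
        self.evidence[suspect] = []      # do not alarm twice on the same reports
        return alarm


def alert(analyzer, create_time, source, classification, zone="Z1"):
    """Minimal IDMEF-like alert record (constructed field set)."""
    return {"analyzer": analyzer, "create_time": create_time, "source": source,
            "classification": classification, "zone": zone}


def run_scenario():
    """Constructed alert stream for zone Z1.  Returns the alarms raised."""
    gw = ZoneGateway("Z1", min_reporters=2, window=30)
    stream = [
        alert("n1", 100, "X", "route-change anomaly"),
        alert("n2", 105, "Y", "packet dropping"),
        alert("n3", 110, "X", "packet dropping"),               # second reporter on X: alarm
        alert("m1", 112, "X", "route-change anomaly", zone="Z2"),  # other zone: ignored
        alert("n4", 200, "Y", "packet dropping"),               # n2's report is stale by now
        alert("n4", 201, "Y", "packet dropping"),               # same reporter twice: no alarm
        alert("n1", 205, "Y", "route-change anomaly"),          # second distinct reporter: alarm
    ]
    return [a for a in (gw.receive(x) for x in stream) if a is not None]
```

    Requiring distinct reporters rather than a raw alert count is what suppresses a single node's mobility-induced false positives; the cost is that an attacker observed by only one intrazone node is never alarmed, so min_reporters has to be set against the zone's node density.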

    Chapter 7


    An intrusion detection system, if well designed, can effectively identify malicious activities and help to offer adequate protection. Therefore, an IDS has become an indispensable component of defense-in-depth security for MANETs. In this chapter, we provided an introduction to mobile ad hoc networks, presented the challenges in constructing IDSs for MANETs, and surveyed existing intrusion detection techniques in the context of MANETs.


    1. J. Binkley. Authenticated ad hoc routing at the link layer for mobile systems. Technical Report 96-3, Department of Computer Science, Portland State University, 1996.
    2. A. Boukerche and M. S. M. A. Notare. Neural fraud detection in mobile phone operations. In Proceedings of the IPDPS 2000 Workshops, Cancun, Mexico, pages 636-644, May 1-5, 2000.
    3. J. Broch, D. Johnson, and D. Maltz. The dynamic source routing protocol for mobile ad hoc networks. Internet draft, draft-ietf-manet-dsr-01.txt, December 1998.
    4. W. W. Cohen. Fast effective rule induction. In Proceedings of the 12th International Conference on Machine Learning, pages 115-123. Morgan Kaufmann, 1995.
    5. T. M. Cover and J. A. Thomas. Elements of Information Theory. Wiley, 1991.
    6. K. Fall and K. Varadhan. The ns Manual (formerly ns Notes and Documentation), 2000.
    7. S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff. A sense of self for Unix processes. In Proceedings of the 1996 IEEE Symposium on Security and Privacy, pages 120-128, Los Alamitos, CA, 1996. IEEE Computer Society Press.
    8. R. Heady, G. Luger, A. Maccabe, and M. Servilla. The architecture of a network level intrusion detection system. Technical report, Computer Science Department, University of New Mexico, August 1990.
    9. K. Ilgun, R. A. Kemmerer, and P. A. Porras. State transition analysis: A rule-based intrusion detection approach. IEEE Transactions on Software Engineering, 21(3):181-199, March 1995.
    10. S. Jacobs and M. S. Corson. MANET authentication architecture. Internet draft, draft-jacobs-imep-auth-arch-01.txt, February 1999 (expired 2000).
    11. T. Joachims. Making large-scale SVM learning practical, chapter 11. MIT Press, 1999.
    12. D. Johnson. Routing in ad hoc networks of mobile hosts. In Workshop on Mobile Computing Systems and Applications, Santa Cruz, CA, 1994.
    13. D. B. Johnson and D. A. Maltz. Dynamic source routing in ad hoc wireless networks. In T. Imielinski and H. Korth, editors, Mobile Computing, pages 153-181. Kluwer Academic Publishers, 1996.
    14. Y.-B. Ko and N. H. Vaidya. Location-aided routing (LAR) in mobile ad hoc networks. ACM/Baltzer Wireless Networks (WINET), 6(4), 2000. Extended version of the MobiCom'98 paper.
    15. S. Kumar and E. H. Spafford. A software architecture to support misuse intrusion detection. In Proceedings of the 18th National Information Security Conference, pages 194-204, 1995.
    16. W. Lee and S. J. Stolfo. Data mining approaches for intrusion detection. In Proceedings of the 7th USENIX Security Symposium, San Antonio, TX, January 1998.
    17. W. Lee, S. J. Stolfo, and K. W. Mok. A data mining framework for building intrusion detection models. In Proceedings of the 1999 IEEE Symposium on Security and Privacy, May 1999.
    18. T. Lunt, A. Tamaru, F. Gilham, R. Jagannathan, P. Neumann, H. Javitz, A. Valdes, and T. Garvey. A real-time intrusion detection expert system (IDES): final technical report. Technical report, Computer Science Laboratory, SRI International, Menlo Park, CA, February 1992.
    19. D. A. Maltz, J. Broch, J. Jetcheva, and D. B. Johnson. The effects of on-demand behavior in routing protocols for multi-hop wireless ad hoc networks. IEEE Journal on Selected Areas in Communications, August 1999.
    20. T. Mitchell. Machine Learning. McGraw-Hill, 1997.
    21. C. Perkins and P. Bhagwat. Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers. In ACM SIGCOMM'94 Conference on Communications Architectures, Protocols and Applications, pages 234-244, 1994.
    22. C. Perkins and E. Royer. Ad-hoc on-demand distance vector routing. In Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications, pages 90-100, February 1999.
    23. S. Glass, T. Hiller, S. Jacobs, and C. Perkins. Mobile IP authentication, authorization, and accounting requirements. RFC 2977, Internet Engineering Task Force, October 2000.
    24. M. Satyanarayanan, J. J. Kistler, L. B. Mummert, M. R. Ebling, P. Kumar, and Q. Lu. Experiences with disconnected operation in a mobile environment. In Proceedings of the USENIX Symposium on Mobile and Location-Independent Computing, pages 11-28, Cambridge, MA, August 1993.
    25. B. R. Smith, S. Murthy, and J. J. Garcia-Luna-Aceves. Securing distance-vector routing protocols. In Proceedings of the Internet Society Symposium on Network and Distributed System Security, pages 85-92, San Diego, CA, February 1997.
    26. L. Venkatraman. Secured routing protocol for ad-hoc networks. Master's thesis, University of Cincinnati, OH, March 2000.
    27. L. Zhou and Z. J. Haas. Securing ad hoc networks. IEEE Network, 13(6):24-30, November/December 1999.