1 1. Introduction An Adhoc network is a collection of nodes that are capable to form dynamically a temporary network without the support of any centralized fixed infrastructure. Two important properties of an Adhoc network are that it is self-organized and adaptive. The absence of a fixed infrastructure requires mobile hosts in MANETs to cooperate with each other for message transmissions. To form such a cooperative self-configurable environment, every mobile node is supposed to be a friendly node and is willing to relay messages for others to their ultimate destinations. Global trustworthiness in all network nodes is the main fundamental security assumption in MANETs. Adhoc wireless networks inherited the traditional problem of wireless and mobile communication, such as band width optimization, power control and transmission quality enhancement [1]. In addition topology is highly dynamic & random & very hard to predict. Physical security is limited. Detecting malicious nodes in Adhoc network in which participating nodes have no previous security association’s presents a number of challenges not faced by traditional wired networks. The major issues irrespective of traditional wireless system, are given as • Highly Dynamic Topology • Routing in Mobile Adhoc Network • Security in Mobile Adhoc Network • IP Configuration in Mobile Adhoc Network • Battery Backup Problem Intrusion detection is a security technology that attempts to identify individuals who are trying to break into and misuse a system without authorization and those who have legitimate access to the system but are abusing their privileges [2]. The system protected is used to denote an information system being monitored by an intrusion detection system. It can be a host or network equipment, such as a server, a firewall, a router, or a corporate network, etc [3]. In MANETs, intrusion prevention and intrusion detection techniques need to complement each other to guarantee a highly secure environment. They play different roles in different status of the network. Intrusion prevention measures, such as encryption and authentication, are more useful in preventing outside attacks. Once the
Transcript
1
1. Introduction
An Adhoc network is a collection of nodes that are capable to form dynamically a
temporary network without the support of any centralized fixed infrastructure. Two
important properties of an Adhoc network are that it is self-organized and adaptive. The
absence of a fixed infrastructure requires mobile hosts in MANETs to cooperate with
each other for message transmissions. To form such a cooperative self-configurable
environment, every mobile node is supposed to be a friendly node and is willing to relay
messages for others to their ultimate destinations. Global trustworthiness in all network
nodes is the main fundamental security assumption in MANETs.
Adhoc wireless networks inherited the traditional problem of wireless and mobile
communication, such as band width optimization, power control and transmission
quality enhancement [1]. In addition topology is highly dynamic & random & very hard
to predict. Physical security is limited. Detecting malicious nodes in Adhoc network in
which participating nodes have no previous security association’s presents a number of
challenges not faced by traditional wired networks. The major issues irrespective of
traditional wireless system, are given as
• Highly Dynamic Topology
• Routing in Mobile Adhoc Network
• Security in Mobile Adhoc Network
• IP Configuration in Mobile Adhoc Network
• Battery Backup Problem
Intrusion detection is a security technology that attempts to identify individuals who
are trying to break into and misuse a system without authorization and those who have
legitimate access to the system but are abusing their privileges [2]. The system
protected is used to denote an information system being monitored by an intrusion
detection system. It can be a host or network equipment, such as a server, a firewall, a
router, or a corporate network, etc [3].
In MANETs, intrusion prevention and intrusion detection techniques need to
complement each other to guarantee a highly secure environment. They play different
roles in different status of the network. Intrusion prevention measures, such as
encryption and authentication, are more useful in preventing outside attacks. Once the
2
node is compromised, however, intrusion prevention measures will have little effect in
protecting the network. Therefore, Intrusion Detection Systems (IDSs), serving as the
second line of defence for Adhoc Network.
2. Motivation
Research on IDSs began with a report by Anderson [4] followed by Denning’s
seminal paper [5], which lays the foundation for most of the current intrusion detection
prototypes. Since then, many research efforts have been devoted to wired network IDSs.
Numerous detection techniques and architecture for host machines and wired networks
have been proposed. A good taxonomy of wired IDSs is presented in [3].
Mobile Adhoc Network IDS is categorized as Incentive Based approaches and
Reputation based approach. And reputation based approaches are punishing the intruder
nodes whereas incentive based approach foster the positive behaviour of the node. A lot
of research work is done in each phase but no one is perfect and able to provide the
complete solutions for MANET IDS. For Incentive based approaches models and
algorithms are proposed by Zhang et al. [6], Huang et. Al [7], Bhargava and Agrawal
[8], Bal Krishnan [9], Razak et. Al [10] Abusalah et. Al [11] Pirzada et. Al [12], Yan et.
Al [13], Eschenauer et. Al [14], Mahmoud et. Al [15], Ping Y. et. Al [16], Komninos N.
[17], & Ramachandran , C. et. Al [18]. All of them provided very good solution but
each one has its own limitations like model is limited only for misuse detection, rules
are very brief, model is routing protocols dependent, most of them are conceptual model
and no statistics are considered, dependent on geography and mobility, centralized
architecture is needed. Some models/ algorithms are not IDS but proposal for only
reliable routing, and detect specific kind of attacks.
For Reputation based schemes also lot of research work is done, including Song et.
Al [19], Yan et. Al [20], Mundinger J. et. Al [21], Subhadrabandhu, D. et. Al [22],
Perich, F. et. Al [23], Haiyun Luo et Al. [24], Madhavi et. Al [25], Rebahi, Y. et Al.
[26]. Each scheme has its own advantages and disadvantages also. Most of them are
based on Watchdog mechanism but it is helpful when we have one or two compromised
node in the network. If number increased more than that then this schemes fails and also
reputation based scheme punishes the node and boycott it for further communication.
Adhoc environment is based on friendly atmosphere and chances of false positive are
3
very high and if we are punishing the node forever then network will be destroyed
automatically.
So for this research we will use incentive based schemes and try to resolve the
limitation imposed by the previous research and identified certain Rules of Thumb for
preceding the work further.
2.1 Rules of Thumb for Intrusion Detection System in Adhoc
Environment
1. It should be Platform Independent & Geographical independent.
2. No Restriction over mobility while designing and during deployment of IDS.
3. IDS for MANET should not be Routing Protocol dependent.
4. It should be Light Weighted and Fast Responsive.
5. Reduced False Alarm and high number of True Positive.
6. No overhead while number of nodes increases (It should be easy to adapt
scalability).
7. Not only to prevent specific kind of attacks and allows the attack which are not
defined in definitions of attacks.
8. Suitable Deployment of IDS in layered Architecture.
9. A node should not be declared permanently as an Intruder.
10. Never rely on decision of single node, Fair Voting mechanism should be there
while declaring a node as intruder.
4
3. Statement of the Problem
It is very challenging to design an intrusion detection system for mobile ad-hoc net-
works. The lack of fixed infrastructures and monitoring points make it difficult to
collect audit data for the entire network. MANET’s scared resources should be
considered while designing the IDS framework. In MANET it is more difficult to
distinguish between false alarms and real intrusions.
Main objective of the research is to design the Intrusion Detection Framework for
Intrusion Detection System in mobile Adhoc environment. This problem can be divided
into following sub problems.
3.1 To Design Light Weighted Intrusion Detection Framework For Mobile
Adhoc Environment.
3.2 To Construct Detection Engine Based On The Statistical Security Features
3.3 To Evaluate The Performance Of The MANET Intrusion Detection System
& Validate The Work.
4. Description of the Research work
a. Problem Definition
The first question in intrusion detection research is what statistical features of interest
should be used to construct the model. In the history, short sequences of system calls
used by privileged processes can be used to effectively distinguish normal and intrusive
behaviour and utilized to construct host based IDSs. Tcpdump data may be used to
construct detection engine for attacks possible using TCP Segment Header. However
Adhoc Network is in its premature stage and no application is designed to use the
services of TCP protocol till date. But, likely to be designed in future and most probable
solution for Attacks using TCP Segment is described and important Friend Features are
used to detect the Intruder and normal node. Model File is generated which could be
used for predicting the behaviour of the node.
By collecting the statistical features of interest based on the experimental results, to
identify the malicious and normal node for Denial of Service attack, Black Hole Attack
5
and worm hole attacks for Network Layer, attacks are not limited there subcategory
included packet drops, delay in packet transmission, cache poisoning and selfishness.
The performance of the system is obtained with and without attacks and describes that if
there is only one malicious node then how much extent it can disturb the network.
Except the TCP segment header based attack rest of the simulation will be carried out in
approximately real scenario, as we know that the main contribution of the Adhoc
network is towards the military application hence in maximum cases number of nodes
may be limited that’s why we take only 21 nodes and there speed will vary from (0-20)
m/sec which is logically acceptable and trajectory they will follow a random trajectory
likely to be similar to the real environment. However research is not limiting to the
scalability or number of malicious or trusted node. In this research we have applied only
one malicious node and collected the statistics for that node. If number of malicious
nodes will increase then it has no impact on research because in this designing of
detection system, whatever the number of trusted or malicious node present in the
network.
b. Research Methodology
After extensive research and analysis, we have decided to take Opnet Modeler for
running the simulation for different kind of attacks and measuring the performance with
and without attack, then data generated by the simulation is collected and features are
identified for attacks and rule set are designed then for training and testing the data set
SVM LIGHT
is used, which is best among the ANN and other mining tools [27], [28],
[29], [30], [31], & [32].
Hence for Network Simulation
Opnet Modeler (Version 14.0 and above)
For classification and Prediction (Data Mining Tools)
SVMLIGHT
; used binary classification.
5. Proposed Contents of the Thesis
It is very difficult to design a once-for-all intrusion detection system. Instead an
incremental enhancement strategy may be more feasible. A secure protocol should at
least include mechanisms against known attack types. In addition, it should provide a
scheme to easily add new security features in the future. The general methodology is:
we first identify the attacks possible in Adhoc Environment then develop framework to
facilitate the cooperation of IDS and design of detection engines using statistics
6
collected for known attack types. The whole dissertation is organized as follows.
Chapter II, summarizes the related work which has been done in wired and wireless
intrusion detection systems. We further introduce a few important existing prototypes
and detection algorithms for Mobile Adhoc Networks, and demonstrate that very few
research efforts have been devoted to MANET IDSs. On behalf of the literature review
we identify Research Gap and rules of thumb for Adhoc Network. Note that the
research described in this dissertation only focuses on the detection part, although
intrusion response component is necessary in the system.
In Chapter III, we proposed the prototype model which we will use for further
Intrusion Detection System; In this we divided the model in two modules Local IDS and
Global IDS, local ids will work on the data collected from the network and identify the
friend list for first phase, these friend list are again tested in Global IDS module for
rigorous checking, before declaring a node as friend or intruder Gids will use the voting
mechanism. In this chapter we will discuss the tools used for simulation to extract the
features and statistics to design the detection engine.
In Chapter IV, attacks applied to the network using TCP segment header and collect
the result to design the detection engine for Transport layer, training and testing of data
set to design the detection engine and to check the accuracy of the detection system.
However, it is not necessary in this dissertation but it will provide the new directions in
the field of security for Mobile Adhoc Network.
In Chapter V, Denial of Service attack applied to the network layer of Adhoc
Network, evidences are collected to design intrusion detection engine specifically to
defend against Denial of Service attacks. Feature extraction and induction of rule sets
from the statistics collected, and applied to design detection engine, support vector
machine is used to check the accuracy of the detection engine.
In Chapter VI, Black Hole and Worm Hole attacks are applied to the Adhoc Network.
Evidences are collected, features are extracted and rules are inducted to design intrusion
detection engine specifically to defend against Black Hole attacks for MANET Intrusion
Detection System (IDS). Support Vector Machine is used for training and testing the
data set and checking the accuracy of the model file generated which will be used to
deploy for detection engine.
7
Chapter VII concluded this dissertation and lists important future work. Because not
many research efforts have been devoted to MANET IDSs, this research only provides
the initial effort in constructing a viable and statistical based MANET IDS.
6. Conclusion
This research describes a Cooperative Friend Features based Intrusion Detection
System for mobile ad-hoc networks. It consists of the detailed description of the local
IDS and the Global IDS based framework for the IDS. They complement each other to
make complete intrusion detection system for MANETs. Because of the importance of
routing protocols in MANETs, we implemented and carried out the simulation using
Reactive based routing because it is best suited for Adhoc Environment but research can
be carried out using proactive based routing also.
Model is designed for MAC Layer as well as Network Layer based Intrusion detection
system, but we implemented it only for Network Layer i.e. Anomaly based Intrusion
detection system.
7. References
[1] Chakrabarti, S.; Mishra, A.; , "QoS issues in ad hoc wireless networks," Communications
Magazine, IEEE , vol.39, no.2, pp.142-148, Feb 2001, doi: 10.1109/35.900643
