ad hoc network security

8/4/2019 Ad Hoc Network Security

1/6

A Generalized Intrusion Detection & Prevention

Mechanism for Securing MANETsAdnan Nadeem

Centre for Communication Systems ResearchUniversity of Surrey, United Kingdom

[email protected]

Michael HowarthCentre for Communication Systems Research

University of Surrey, United [email protected]

Abstract Most of the research in securing Mobile adhoc networks (MANETs) has focused on proposals which

detect and prevent a specific kind of attack such as sleepdeprivation, black hole, grey hole and rushing attacks. In

this paper we broaden our previously developed algorithm

AIDP and propose a generalized intrusion detection andprevention mechanism. We use a combination of anomaly-based and knowledge-based intrusion detection. Thisapproach not only secures the MANET from a wide

variety of routing attacks but also has the capability todetect new unforeseen attacks. Simulation results of a case

study show that our proposed mechanism can successfullydetect a variety of attacks, including multiplesimultaneous different attacks, and identify and isolate the

intruders with an affordable network overhead.

Keywords ad hoc network security; intrusion detection& prevention; secure routing

I. INTRODUCTIONMobile ad hoc networks (MANETs) routing

protocols, such as AODV and DSR, operate on theassumption that there is no malicious intruder node inthe network. Malicious nodes can cause severedisruption without violating the routing protocol througha wide variety of attacks.

Intrusion detection and prevention (IDP) provides away to protect nodes against routing attacks. There aretwo ID techniques: knowledge-based intrusion detection(KBID) and anomaly-based intrusion detection (ABID).KBID has a potentially low false detection rate but it canonly detect attacks whose signatures are in the database.On the other hand ABID not only provides early

warnings of potential intrusions but also can detectattempts to exploit new and unforeseen vulnerabilities;however it is more prone to generate false positives thanKBID.

In our previous work [1] we proposed AdaptiveIntrusion Detection and Prevention (AIDP), which usedABID to detect denial of service (DoS) attacks. In thispaper we extend AIDP to a Generalised IntrusionDetection & Prevention (GIDP) mechanism. Wepropose a combination of anomaly-based andknowledge-based ID that takes advantage of both

techniques. GIDP not only guards MANETs against awide variety of attacks but also has the capability todetect new attacks or intrusive activities that degradenetwork performance; to the best of our knowledge thisis novel.

The reminder of this paper is organized as follows.Section II describes the related research in securingMANETs. Section III reviews typical MANETs routingattacks. Section IV presents our proposed mechanism,GIDP. Section V illustrates the implementation of ourproposed mechanism through a case study, includingsimulation. Finally, we summarize our results and futurework in Section VI.

II. RELATED RESEARCHResearch in securing MANETs has to date mostly

focused on detecting and preventing specific attacks.For example TOGBAD was proposed in [2] to identifynodes that attempt to create black hole attacks inMANETs that use the OLSR routing protocol.Kurosawa and Jamalipour [3] also propose a black holedetection mechanism, this time for AODV. Xiaopengand Wei [4] proposed a grey hole attack detectionscheme for the DSR routing protocol. Ping and Zhang[5] considered a route request (RREQ) flooding attackin MANETs. They proposed a RREQ floodingprevention mechanism based on neighbourssupervision. In [6] Perrig and Johnson analyzed how anattacker can launch a rushing attack (RU) in DSR andproposed a rushing attack prevention mechanism forMANETs.

Though most researchers have concentrated on

protecting MANETs against specific types of attack,some have suggested a more general approach. Forexample ARAN [7] is a hop-by-hop authenticatedrouting mechanism that can protect MANETs against anumber of attacks from external malicious nodes. Asimilar approach, Ariadne [8] has been proposed forend-to-end authentication based on shared key pairs.We believe more effort is needed on mechanisms whichcan guard MANETs against a wide variety of attacks.

Methods proposed in [7] & [8] protect MANETsmainly against external attackers through authenticatedrouting. However an insider trusted node can change9781-4244-3941-6/09/$25.00 2009 IEEE


2/6

its behaviour and initiate activities that results in severeattacks as we describe below in section III.

III. AODV ROUTING ATTACKSThe on-demand routing protocols in MANETs,

such as AODV and DSR, allow intruders to launch awider variety of attacks. In order to illustrate theserouting attacks we consider AODV as an example inthis paper. Using AODV we now give examples of howdifferent intrusive activities can cause various attacks inMANETs.

a) Sleep Deprivation through malicious RREQflooding:

Sleep deprivation (SD) [9] is a denial of serviceattack in which an attacker interacts with the node in amanner that appears to be legitimate; but where the

purpose of interaction is to keep the victim node out ofits power conserving sleep mode. An intruder can causeSD of a node by exploiting the vulnerability of the routediscovery process of protocol through malicious routerequest (RREQ) flooding in the following ways:Malicious RREQ Flooding 1: an intruder broadcasts aRREQ with a destination IP address that is within thenetwork address range but which does not exist. Thiswill compel all nodes to forward this RREQ becauseno-one will have the route for this destination IPaddress. Malicious RREQ Flooding 2: after broadcasting aRREQ an intruder does not wait for the ring traversal

time and continues resending the RREQ for the samedestination with higher TTL values.

b) Black & Grey Hole by false RREP& packetdropping:

In AODV, the destination sequence number(dest_seq) is used to describe the freshness of the route.A higher value of dest_seq means a fresher route. Onreceiving a RREQ an intruder can advertise itself ashaving the fresh route by sending a Route Reply(RREP) packet with a new dest_seq number larger thanthe current dest_seq number. In this way the intruderbecomes part of the route to that destination. Theintruder can then choose to drop all packets, causing a

black hole (BH) [3] in the network. The severity of theattack depends on the number of routes in the networkthe intruder successfully becomes part of; we analyzethis further in section V.

Grey Hole (GH) is a special case of BH attack, inwhich intruder only drops packets selectively, e.g. fromspecific nodes.

c)Rushing attack through a forged RREQ:In order to limit the control packet overhead an on-

demand protocol only requires nodes to forward thefirst RREQ that arrives for each route discovery. Anattacker can exploit this property by spreading RREQ

packets quickly throughout the network so as tosuppress any later legitimate RREQ packets. Anintruder can forward the forged rushed RREQ, giving

them a higher source sequence (src_seq) number andminimum delay. This will suppress the later legitimateRREQ and increase the probability that routes thatinclude the intruder will be discovered rather than othervalid routes, causing a rushing attack.

IV. GENERALIZED INTRUSION DETECTION &PREVENTION

A.AssumptionsWe use ABID to detect intrusion in the network;

this requires traffic traces that contain only normalactivities to build a training profile. However, in

contrast with fixed networks, data resources such as[10] that reflect normal activities or events are notcurrently available for MANETs. Therefore we assumethat the initial behaviour of the network formed on-the-fly is free from anomalies. We also disregard attacksaimed at physical and link layer. Further, we have notconsidered attacks from colluding intruders in thispaper. To illustrate the implementation of GIDP weassume a clustered MANET organization. We select themost capable nodes in terms of their processing abilitiesas cluster heads (CHs) and the others nodes becomescluster nodes (CNs). At present we assume securecommunication between CH and CNs.

B. GIDP Architecture & TerminologyWe now describe our proposed mechanism GIDP.

GIDP is a hybrid IDP approach that uses a combinationof anomaly-based and knowledge-based ID. Thearchitecture of GIDP is shown in Fig.1. A cluster headfirst gathers data in the form of two matrices: networkcharacteristic matrix (NCM) and a derived matrix(DM). The NCM contains data related to the networkrouting protocol; for example in the case study in thispaper, NCM consists of seven parameters:NCM={RREQ (route request), RREP (route reply), RERR

(routeerror), TTL (time to live) values, RREQ src_seq,

RREQ dest_seq, RREP dest_seq}

The DM consists of parameters which reflects thenetwork performance and can be derived from NCMparameters. For example in the case study in this paperDM consists of three parameters:DM= {CPO (control packet overhead), PDR (data packet

delivery ratio), CPD (number of control packet dropped)}Then the cluster head employs two phases: training

and testing. Fig.2 shows the time-based operation ofGIDP. When the network is established, the CHcontinuously gathers NCM and DM information andapplies the GIDP training module for N time intervals(TI), resulting in initial training profiles (ITPs) of NCM


3/6

Figure 1. Architecture of GIDP.

and DM. The ITPs reflects the normal behaviour of thenodes in the network and the expected networkperformance. In the testing phase the CH applies thetesting module after each TI. The testing phase consists

of several tasks as shown in fig.1. Firstly it detectsintrusion in the network. If there is no intrusion then itupdates the ITPs in order to adapt the variation in thenetwork behaviour as time progresses. If there isintrusion, in the second task the CH identifies the attackor attacks using existing information in the knowledgebase. In the case of known attacks the CH identifiesintruding nodes using intruder identification rulesspecific to the known attack. To optimise theprobability of identifying intruders correctly with a lowlevel of false positives, it maintains a test slidingwindow (TSW) as shown in fig.2, in which ddetectionsof a node are required in p time intervals (TI). If thisdetection threshold is passed then the CH will blacklistthe node and isolate the node by informing all CNs.

If attack identification detects an attack that doesnot match the rules for a known attack then the CHapplies the attack inferences. The attack inferencemodule stores the rule trace of current TI as DetectedRule Trace and looks for its match in a TSW. IfDetected Rule Trace match is found in a TSW then CHconfirms the new attack by constructing & adding arule for the new attack in the set of rules stored inknowledge base.

Figure 2. Time-based operation of GIDP.

C.Algorithm & Technical DetailsWe now explain the GIDP training & testing module.Training:

NCM consists ofXi parameters mentioned above,where i=1 to 7 and eachXi ={X1, X2, X3,,XM}is a setof random variables, where M is the maximum numberof random variables of parameter Xi. For example NCM [Xi] represent the number of RREQ received by

all CNs in a time interval (TI), where M is themaximum number of RREQ received in a TI. Theprobability distribution ofNCM[Xi] is calculated for the

TI. The CH then calculates the DM parameters CPO(i.e. number of control packet / data packet delivered),PDR (i.e. number of data packet received / data packetoriginated) & CPD (i.e. number of control packetdropped in establishing & maintaining routes in thenetwork) for the jth TI, and this whole process is thenrepeated for the N time intervals in the training phase.

We then calculate mean iX ofP(NCM[Xi ])and means

of CPO, PDR and CPD for N intervals, which is thenstored as an ITP (NCM) and ITP (DM) respectivelycontaining the expected values for that particular

network observed for the total time ofN*TIseconds.

Testing:In the testing phase GIDP operates in three stages:a) intrusion detection, b) attack identification andinferences and c) identification and isolation ofintruding nodes (Fig.1). Now we explain the algorithmsof stage a, b & c. For stage a) it employs ABID usingchi-square goodness of fit test on NCM and then KBIDusing a rule-based approach on both matrices NCM &DM is applied in stage b) and c).Testing ModulesThis module only takes NCM parameters into accountand applies chi-square test to identify any intrusion inthe network.

a)

Intrusion Detection. Do after each TI

. collect NCM( Xi) from all other CNs in TI, fori

. Calculate the probability distribution P (NCM(Xi))

.Calculate averages of P(NCM(Xi)) & stores as observed values

. End do

.Fori Perform Hypothesis Testing by first calculating

Chi- computed ( 2[i] using eq.1 ) for XiHo[i]: Observed distribution of NCM (Xi ) fits the expected

Ha[i]: Observed distribution of NCM (Xi )does not fit expected

.If (chi-computed[i] (.d.f[i]) > P-value[i] (.d.f[i]))

Reject Ho[i]. endif.

.End for.Combined Null Hypothesis Testing

Combine Ho: Observed distribution of NCMfits the expected

CombineHa: Observed distribution of NCM does not fit expected

.If (combined Ho is rejected)PerformAttack identification & inferences Fig.3 (b)

else: Update Expected values NCM( iX ) ( i.e. ITP(NCM))

.Exit

Figure 3a. Pseudocode of intrusion detection module.

2

1

2 ( ( ) ( ))[ ]( )

(1)( ).........M

ik ik i

k ik

N C M X N C M X i

N C M X

=

=

This module continuously monitors the network. Ineach TI the CH first performs hypothesis testing foreach parameter Xi of NCM at calculated chi-computedvalues obtain from eq.1, where Xi is the parameter ofNCM and k(1 to M) is the number of random variablein each parameter Xi. The CH then performs combined


4/6

hypothesis testing of NCM as shown in fig 3a. If thecombinedHo is rejected then it assumes intrusion in theTI. Else we update the ITP (NCM) using an

exponentially weighted moving average (EWMA) :( ) ( ) ( )1 1 1, , ,(1 ) (2)( ) ( ) ( )( )..

M M M q k q k q k

i i ii X X X NCM NCM NCM = +

where ( )1,( )M

q k

iX N C M and

( )1,( )M

q k

iXNCM represents

the expected and observed value for update periodnumber(q) respectively. The value of q is incrementedin the TI when no intrusion in the MANET is detected.krepresents the random variable from 1 to M in each Xiand =2/(q-1) is the weighting factor. As q increasesthe weighting for older data points decreasesexponentially giving more importance to the currentobservation.

b)Attack identification and inferences.Readset of rules Fig.3b (1).Set up the Interpreter for Rule-based approach

.Interpreter applies Forward-Chaining onset of rules Fig.3b (1)

.If (Any Goal Condition of known attacks are fulfilled)

Apply rules forIntruderIdentification & Isolation Fig.3c

.endif.

.If (Goal Condition== POTENTIALUNKNOWNATTACK)

ApplyAttack Inferences Fig.3b (2),

.endif.

. Exit.

Figure 3b. Pseudocode of Attack Identification & Inferences module.

Set of Rules exampleRule.1 x (chi-squaretest(NCM[x]))-> (CheckDerivedMatrix=TRUE)

Rule.2 CheckDerivedMatrix y (Test(DM[y]))->

(PotentialAttack=TRUE)

Rule.3 PotentialAttack ->(BestRule=TRUE)

Best Rules for some known attacks:

Rule.4 BestRules (chi-squaretest(NCM[RREQ]))

Test(DM[CPO]) -> SLEEP DEPRIVATION

Rule.5 BestRules (chi-squaretest(NCM[RREPdest_seq]))

(Test(DM[PDR]) V Lowest(PDR) ) -> BLACKHOLE

Rule.6 BestRules (chi-squaretest(NCM[RREPdest_seq]))

(Test(DM[PDR]) -> GREYHOLE

Rule.7 BestRules (chi-squaretest(NCM[RREQsrc_seq]))

(Test(DM[CPD]) -> RUSHING

Rule.8 (x (chi-square-test(NCM[x]))) (y( Test(DM[y]))) -->POTENTIALFALSEALARM

Rule.9 (Rule.1 Rule.2 BestRule) ->

POTENTIALUNKOWNATTACK

Figure 3b (1). Set of Rules example in knowledge base.

Attack Inferences. If (Detected Rule Trace is Empty)

Store Detected Rule Trace = Rule Trace

Else If (Rule Trace == Detected Rule Trace)New attack Rule Trace= Rule Trace

Construct a rule for New attack Rule Trace

Append New attack Rule Trace in set of rule trace

Set Detected Rule Trace =Empty . endif

.endif

Figure 3b (2). Pseudocode of Attack Inferences

In case of intrusion the CH calls the AttackIdentification and Inferences module (Fig.3b). Thismodule obtains a set of rules from the knowledge base,an example set being presented in fig.3b(1). We haveconstructed these rules from our previous work [1] (i.e.AIDP simulation results), analyzing various attacks &their impact on network performance through

c)Intruder Identification &Isolationa) Identifying intruding nodes

. Obtain known attack Rules for intruder Identification

. for all Goal condition fulfilled

Apply intruder identification rule for each detected known attackadd each detected node Vi to List of Nodes Detected (LND)

. endfor

b) Response MechanismFor all nodes Vi in LND

.If ( Vi detections in Potential Intruder List( PIL) >

Detections_required_To_ Accuse (d) )

CH: Blacklist Vi & Broadcast Accusation Packet (AP)

else : enter Vi in PIL .endif

.End for

c) Accusation Packet (AP) Handling. Each CN Vi maintain its local BlacklistTable (BLT)

.if CN Vi receives an AP for CN Vj.If CN Vi has node Vj in its BLT then Ignore AP

else: CN adds node Vj to its BLT & rebroadcast AP

.endif

.endifd) Isolating Intruding Nodes.if node Vi receives packet from node Vj

.If node Vj is in node Vi BLT

Ignore packet & drop all packets queued from Vj Else: handle & process packet .endif

.endif

Figure 3c Pseudocode of Intruder Identification & Isolation modules.

simulations and analysis of existing literature of knownattacks for example [3, 4 & 6]. In fig.3b(1) chi-squaretest(NCM[x]) predicate returns true if the parameterx isanomalous in NCM. Similarly predicate orpropositional function Test (DM[y]) returns true if thetest on parameter yof DM fails. This test uses a tool of

Statistical Process Control known as variable controlchart based on standard deviation . In the AttackIdentification & Inference module a ruled baseapproach is used in which an interpreter can eitheremploy forward or backward chaining system. Aforward chaining system process rules one by one bychecking premise (condition in the rule) to reachconclusions, it can also draw new conclusions. On theother hand backward chaining is goal driven, that is itreaches the conclusion first and keeps looking for rulesthat would allow the conclusion. In GIDP aninterpreter applies forward chaining on the set of rulesfig.3b (1), looking for when the Goal Condition is

fulfilled as described in fig.3b.In case of any known attack being detected in theTI, the interpreter applies the Intruder Identification &Isolation module (fig.3c) to identify and isolate theintruding nodes. This module first identifies theintruding nodes by applying known attack rules forintruder identification. For example in case of a SDattack it employs control chart (explained above) based

on of RREQ generated by all nodes and adds thedetected node Vi to the LND. Response mechanism(fig.3c(b)) then checks if detection threshold d isreached for any node Vi in the LND in p TI; if so itblacklists the node Vi and informs all other CNs by


5/6

sending an AP. When a CN receives an AP it firstchecks the broadcast id & source address to avoidprocessing a duplicate AP. If the accused node is

already blacklisted the CN will ignore & drop the AP toprevent unnecessary network traffic. Otherwise, the CNwill blacklist the accused node and rebroadcast the AP.Finally, to isolate the intruder from the network allnodes will not only drop the packets from a blacklistednode but also immediately ignore all packets in theirqueue from the blacklisted nodes as shown in Fig.3c(d).

If Goal Condition with POTENTIALUNKNOWNATTACKis fulfilled during the attack identification process theninterpreter save thisRule Trace and looks for the matchof this Rule Trace in current TSW. If a match is foundthen it confirms new attack detection by constructing anew rule and appending the new rule in a Set of Rulestored in knowledge base (fig.3b(2)).

V. CASE STUDY AND EVALUATIONTo assess the applicability and performance of

GIDP, we considered a case study with different attackscenarios. We present the simulation results of thesescenarios and some key findings from the analysis ofattacks. We used GloMoSim to build the simulationenvironment and then evaluate GIDP using simulation& GIDP parameters shown in Table 1.

TABLE I. Simulation & GIDP ParametersSimulation Parameters

Number of nodes 25 50

Terrain dimensions 500*500 metres 707 *707 metres

Node placement Uniform distributionSimulation Traffic CBR (Constant Bit Rate)

Simulation time 2500 seconds

Routing protocol AODV

MAC protocol IEEE 802.11

Mobility Random Way Point Model (RWP)

GIDP ParametersTime interval TI 100 seconds

Training, Testing TI Training=5 TIs, Testing= 20 TIs

Number of parameters NCM =7 & DM=3 parameters

Chi-square test () 5% (i.e. 95% confidence interval)

Test Sliding Window(TSW) 5 TIs

Detections-RequiredTo_Accuse (d)

2 in a TSW

Number of intruders Varies 1to 4

A. Scenario 1In the first scenario we test GIDP with a denial of

service attack (sleep deprivation) through maliciousRREQ flooding (MRF), as described in section III-a.The intruders launch MRF1 or MRF2 attacks. At eachtested mean speed and for each network size (25 or 50nodes) we performed 40 runs with no intrusion and 40runs with intruders using a mix of both MRF1 andMRF 2.

The graph on the left in Fig. 4 depicts the successrate ( SR ) and false alarm ( FA ) rate of GIDP as afunction of the nodes mean speed in 25 & 50 node

0

10

20

30

40

50

60

70

80

90

100

0 5 10 15 20

Percentag

eofDetection(%)

Nodes mean speed (m/s)

Sleep Deprivation attack through MRF

Success Rate:(25 nodes)

False Positive: (25 nodes)

Success Rate:(50 nodes)

False Positive:(50 nodes)

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

0 5 10 15 20

Numbe

rofControlPer

DataPacketDelievered

Nodes Mean Speed (m/s)

Control Packet Overhead (25 nodes )

No attack in the network

Sleep Deprivation attack no prptection

Sleep Deprivation attack with GIDP

Fig. 4 Success rate, false alarm rate and control packet overhead as afunction of nodes mean speed (m/s).

networks with SD attack. By SR here we mean the rateof correctly detecting intrusion in the network,identifying the attack type and then identifying &isolating the node which is causing the attack. A falsealarm (FA) means that a correctly behaving node hasbeen incorrectly identified and isolated. The graphshows good performance of GIDP in terms of high SRand low FA rates against SD attack. The graph on the

right in Fig.4 shows the control packet overhead in a 25node network when there is a) no attack in the network,b) a sleep deprivation attack with no protection and c) asleep deprivation attack with GIDP in place. The graphshows that GIDP reduces the control packet overheadand increases network performance when it is used in anetwork under sleep deprivation attack.

B. Scenario 2In the second scenario we test GIDP with a mix of

black and grey hole attacks caused by initiating a falseRREP and then dropping packets as described insection III-b. In order to launch these attacks, on

receiving a RREQ an intruder generates a false RREPpacket with dest_seq=current dest_seq+f. Throughsimulations we observed that the value offshould be atleast 5 in a 25 node network, and higher for largernetworks, because some properly behaving nodes haveroutes fresher than the intruding node for thedestination node. We also note that the severity of theattacks depends on the number of paths in the networkthat the intruder manages to capture. One false RREPpacket only allows an intruder to capture the route ofone node in the network, because RREP packets areunicast.

A single simulation consists of 20 test TIs. Wemonitor the number of false RREP packets (e)generated by an intruding node in a simulation and itsimpact on packet delivery ratio. Fig.5 shows thatincreasing the value of e reduces the packet deliveryratio during the BH attack and therefore increases theseverity of the attack.

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

0 4 8 12 16 20

Packet Delivery Ratio Vs Number of

false RREP by an intruder in 20 TIs (e)PDR vs Number of false RREP by

an intruder in 20 TIs (e)

Pac

ketDe

liveryRatio(PDR)

value ofe Fig.5 PDR vs Number of false RREP by an intruder(e) in a simulation.


6/6

The graph on the left in Fig.6 depicts the SR and FAof GIDP with black & grey hole attack with 8e

ad hoc network security

Documents