A Proposed Model for Intrusion Detection System for Mobile Adhoc Network

Int’l Conf. on Computer & Communication Technology
978-1-4244-9031-8/10/$26.00 ©2010 IEEE

Husain. Shahnawaz (1), Dr. S.C. Gupta (2), Chand. Mukesh (1), Dr. H.L. Mandoria (3)
(1) Research Scholar, Graphic Era University, Dehradun (U.K.), India
(2) Prof. Emeritus, IIT Roorkee (U.K.), India
(3) Prof., CoET, G.B. Pant University, India
shahnawaz.husain@hotmail.com, mukesh.geu@gmail.com

Abstract

An ad-hoc network is a collection of temporary nodes that are capable of dynamically forming a temporary network without the support of any centralized fixed infrastructure. These networks can be formed, merged or partitioned into separate networks on the fly, without necessarily relying on a fixed infrastructure to manage the operation. Two important properties of an ad-hoc network are that it is self-organized and adaptive. In a mobile ad hoc network (MANET), where security is a crucial issue, trust is an important factor that could improve the number of successful data transmissions. The more nodes that trust each other in the network, the higher the rate of successful communication that can be expected. Since there is no central controller to determine reliable and secure communication paths in a MANET, each node in the ad hoc network has to rely on the others to forward packets; highly cooperative nodes are therefore required to ensure that an initiated data transmission does not fail. In this paper, we provide a model and evidence through experiments on how a friendship concept could be used to minimize the number of false alarms raised in a MANET Intrusion Detection System (IDS).

I. INTRODUCTION

Intrusion detection is a security technology that attempts to identify individuals who are trying to break into and misuse a system without authorization and those who have legitimate access to the system but are abusing their privileges [1].

The term "protected system" denotes an information system being monitored by an intrusion detection system. It can be a host or network equipment, such as a server, a firewall, a router, or a corporate network [2]. An intrusion detection system (IDS) is a computer system that dynamically monitors the system and user actions in the network and computer systems in order to detect intrusions. Because an information system can suffer from various kinds of security vulnerabilities, it is both technically difficult and economically costly to build and maintain a system which is not susceptible to attacks. Experience teaches us never to rely on a single defensive line or technique. IDSs, by analyzing system and user operations in search of undesirable and suspicious activity, can effectively monitor and protect against threats. IDSs have been widely regarded as being part of the solution to protect today’s computer systems. Research on IDSs began with a report by Anderson [3], followed by Denning’s seminal paper [4], which lays the foundation for most of the current intrusion detection prototypes. Since then, many research efforts have been devoted to wired IDSs. Numerous detection techniques and architectures for host machines and wired networks have been proposed. A good taxonomy of wired IDSs is presented in [18].

TABLE I: LIST OF UTC & APF
Categories: 1. Unfair use of the transmission channel (UTC); 2. Anomalies in Packet Forwarding (APF)
- Ignoring the MAC protocol
- Jamming the transmission channel with garbage
- Ignoring the bandwidth reservation scheme
- Malicious flooding
- Network Partition
- Sleep Deprivation
- Drop packets
- Blackhole Attack
- Gray hole Attack
- Delay packet transmissions
- Wormhole Attack
- Packet dropping
- Routing Loop
- Denial of Service (DoS)
- Fabricated route messages
- False Source Route
- Cache Poisonings
- Selfishness
- Spoofing

With the rapid proliferation of wireless networks and mobile computing applications, new vulnerabilities that do not exist in wired networks have appeared. Security poses a serious challenge in deploying wireless networks in reality. However, the vast difference between wired and wireless networks makes traditional intrusion detection techniques inapplicable. Wireless IDSs, emerging as a new research topic, aim at developing new architectures and mechanisms to protect wireless networks. Attacks in mobile ad hoc networks can be categorized as provided in Table I.

In MANETs, intrusion prevention and intrusion detection techniques need to complement each other to guarantee a highly secure environment. They play different roles in different states of the network. Intrusion prevention measures, such as encryption and authentication, are more useful in preventing outside attacks. Considerable research has been done on preventing misbehavior at the network layer. Once a node is compromised, however, intrusion prevention measures will have little effect in protecting the network. At this point, the role of intrusion detection is more important. In mobile ad hoc networks, it is much easier to gain physical possession of a node. When a node is compromised, the attacker owns all its cryptographic key information. Therefore, encryption and authentication cannot defend against a trusted but malicious user.

II. RELATED WORK

Intrusion detection systems can be classified broadly into two classes:
• Reputation based schemes.
• Incentive based approaches.

Reputation based schemes detect misbehaving nodes and notify other nodes of the misbehaving nodes. Incentive based approaches aim to promote positive behavior to foster cooperation instead of relying on participants to report and punish misbehaving nodes. Zhang et al. [5][6] have developed a distributed and cooperative intrusion detection system (IDS) where individual IDS agents are placed on each and every node. Each IDS agent runs independently, detects intrusion from local traces and initiates a response. The authors have detailed intrusion detection methods for the following attacks: (a) falsifying a route entry in a node’s route and (b) random packet dropping by intermediate nodes. The random packet dropping detection scheme relies on overhearing transmissions of neighboring nodes. Bhargava and Agrawal [7] have extended the IDS model described in [5] to enhance the security of the AODV (Ad-hoc On-demand Distance Vector) routing protocol.

Watchdog [17] proposes to monitor packet forwarding on top of source routing protocols like DSR. Watchdog has the limitation of relying on overhearing packet transmissions of neighboring nodes to detect anomalies in packet forwarding. It assumes symmetric bidirectional connectivity: if A can hear B, B can also hear A. Since the whole path is specified, when node A forwards a packet to the next hop B, it knows B’s next hop C. It then overhears the channel for B’s transmission to C. If it does not hear the transmission after a timeout, a failure threshold associated with B is increased. If the threshold exceeds a maximum value, A sends a report packet to the source notifying it of B’s misbehavior.

Reference [8] follows the same concept but works with distance vector protocols such as AODV. It adds a next hop field to AODV packets so that a node can be aware of the correct next hop of its neighbors. It also considers more types of attacks, such as packet modification, packet duplication, and packet-jamming DoS attacks. Each independent detection result is signed and flooded; multiple such results from different nodes can collectively revoke a malicious node’s certificate, thus excluding it from the network.

Balakrishnan [9] has proposed a way to detect packet dropping in ad-hoc networks that addresses the problems of receiver collisions, limited transmission power and directional antennas discussed earlier. This scheme (TWOACK) can be added on to a source routing protocol such as DSR. In TWOACK each forwarded packet has to be acknowledged, which may contribute to traffic congestion on the routing path. S-TWOACK (Selective TWOACK) reduces this extra traffic by sending a single acknowledgement for a number of packets instead of for a single packet.

Trust features in existing trust-based routing schemes for MANET are listed in Table II.

TABLE II: LIST OF TRUST BASED ROUTING SCHEMES [16]
S.No.  Previous Work             Trust feature
1      Eschenauer [10]           1. Encryption/Key; 2. Identity; 3. Location
2      Yan et al. [11]           1. Packet Precision; 2. Blacklists; 3. Data Value; 4. Reference; 5. Identity; 6. Battery Power
3      Nekkanti et al. [12]      1. Encryption/Key; 2. Trust Value Metric
4      Pirzada & McDonald [13]   1. Credit History/ACK; 2. Packet Precision; 3. Gratuitous Route; 4. Blacklists; 5. Salvaging
5      Abusalah et al. [14]      1. Encryption/Key; 2. Hardware Configuration; 3. Battery Power; 4. Credit History/ACK; 5. Exposure; 6. Organizational Hierarchy
6      Li & Singhal [15]         1. Trust Value Metric

III. PROPOSED FRAMEWORK

The proposed model is derived from previous research that provides evidence on how a friendship mechanism could be used to improve the accuracy of IDS in MANET [16]. One of the main issues in MANET IDS is the number of false alarms raised in the network as a result of false claims/reports made by individual nodes. This anonymity problem is a big challenge in MANET because it is difficult for nodes to distinguish between trusted and un-trusted nodes in such autonomous networks. Initially we assume that each node has an initial trust list that will be shared with the other nodes present in the network; these initial trust lists can be generated on the basis of the profile database shown in Fig. I. These initial lists are known as the Direct Friend Mechanism (DFM).

TABLE III: NODE’S INITIAL TRUST
Node ID   Initial Trust
A         B & C
B         C, D, E
C         A, D, B
D         C, B
E         A, C

A. IDS Alarm Analysis

This provides four possible results for each traffic trace analyzed by the IDS:
• True Positive (TP): the attack succeeded and the IDS was able to detect it (Success ∧ Detection)
• True Negative (TN): the attack failed and the IDS did not report it (¬Success ∧ ¬Detection)
• False Positive (FP): the attack failed and the IDS reported on it (¬Success ∧ Detection)
• False Negative (FN): the attack succeeded and the IDS was not able to detect it (Success ∧ ¬Detection)

B. Local IDS

i) Data Collection Module

The function of the data collection module is to collect security-related data from various audit data sources and preprocess them to conform to the input format of the detection engines. There may be many data collection modules in an IDS agent. Each module is responsible for collecting data from a particular data source.

ii) Detection Engine

a) Unfair Use of Transmission Channel Based Detection Engine (UDE)

Unfair use of transmission channel based detection techniques operate on the known attack scenarios and system vulnerabilities shown in Table I. Their main disadvantage is that they are only effective in detecting known attacks.

b) Anomaly Based Detection Engine (ADE)

Anomaly-based detection techniques, which are based on Anomalies in Packet Forwarding (APF), will play a main role in the MANET environment.

iii) Feed-Back Table (FBT)

Feedback is taken from both detection engines; if the value is 0, the node is a friend.

TABLE IV: FBT
UDE   ADE   Value
0     0     0
0     1     1
1     0     1
1     1     1

iv) Profile Database

The profile database maintains the list of trusted neighbors on the basis of the FBT.

Fig. I. Local IDS

C. Global IDS Module

In the Global IDS module, the ADE and UDE are the same as in the Local IDS. In this module, the friend lists generated by the Local IDS are again subjected to rigorous testing.

Fig. II. Global IDS Module

[Figure labels, Figs. I and II: Anomaly Detection Engine (ADE); Unfair use of the transmission channel (UTC) Detection Engine (UDE); Audit Local Data (ALD); Feed-Back Table (FBT); To Global Data Collection Module (GDC); Profile Database; Global Detection Engine (GDE); ADE & UDE; Audit Global Data (AGD); Global Profile; Feed-Back Table (FBT); Indirect Profile; From Local IDS; To the Neighbors (Indirect Profile)]

i) Global Detection Engine

In the Global Detection Engine we collect the Direct Friend list and the Indirect Friend Profile from the neighbors. By using mining algorithms we can build the globally trusted list for the network.

D. Validation

In the Local IDS and Global IDS we follow the 20:80 rule for detecting the critical nodes, to get a fast response from the system. If a node is compromised, it will be easily found out in the Local IDS. The friend list generated by the Local IDS is sent to the Global IDS module for checking the rest of the parameters. The global feedback table generated by the Global IDS module is sent to the neighbors and stored in the global friends profile. The Global Detection Engine generates the list of trusted neighbors according to their level of trust.

TABLE V: TRUST LEVEL GENERATED BY GLOBAL DETECTION ENGINE
Node Id   Trust Level
A         2/5
B         3/5
C         4/5
D         2/5
E         1/5

IV. CONCLUSION & FUTURE WORK

In this proposed model, true positives will be reported very fast in the Local IDS module, and the friend list generated by the Local IDS module will be sent to the Global IDS module for further investigation. The Global Detection Engine will generate the friend list according to trust level; nodes with a higher trust level may be used for other processes such as routing and deciding the cluster head for scalable ad hoc networks. Future work includes designing an efficient algorithm for each phase, so that intrusion detection responds quickly and requires less battery consumption and less computation.

REFERENCES

[1] Y. Zhang and W. Lee, “Intrusion Detection in Wireless Ad Hoc Networks,” Proceedings of the 6th Annual International Conference on Mobile Computing and Networking (ACM MobiCom’00), Boston, MA, pp. 275-283, Aug. 2000.
[2] M. Satyanarayanan, J. J. Kistler, L. B. Mummert, M. R. Ebling, P. Kumar, and Q. Lu, “Experiences with Disconnected Operation in a Mobile Environment,” Proceedings of USENIX Symposium on Mobile and Location Independent Computing, Cambridge, MA, pp. 11-28, Aug. 1993.
[3] J. P. Anderson, “Computer Security Threat Monitoring and Surveillance,” Technical Report, James P. Anderson Co., Fort Washington, PA, April 1980.
[4] D. E. Denning, “An Intrusion-Detection Model,” IEEE Transactions on Software Engineering, vol. 13, no. 7, pp. 222-232, Feb. 1987.
[5] Y. Zhang and W. Lee, “Intrusion detection in wireless ad-hoc networks,” The 6th Annual International Conference on Mobile Computing and Networking, pp. 275-283, 2000.
[6] Satria Mandala, Md. Asri Ngadi, and A. Hanan Abdullah, “A Survey on MANET Intrusion Detection,” www.cscjournals.org/csc/manuscript/Journals/IJCSS-24.pdf
[7] S. Bhargava and D. P. Agrawal, “Security Enhancements in AODV protocol for Wireless Ad Hoc Networks,” in VTC, volume 4, pp. 2143-2147, fall 2001.
[8] J. Kong et al., “Providing Robust and Ubiquitous Security Support for Mobile Ad-Hoc Networks,” IEEE ICNP, 2001.
[9] K. Balakrishnan, J. Deng, and P. K. Varshney, “TWOACK: Preventing Selfishness in Mobile Ad Hoc Networks,” in IEEE WCNC, Mar. 2005.
[10] L. Eschenauer, “On Trust Establishment in Mobile Ad-Hoc Networks,” Master’s Thesis, Department of Electrical and Computer Engineering, University of Maryland, 2002.
[11] Z. Yan, P. Zhang, and T. Virtanen, “Trust Evaluation Based Security Solution in Ad Hoc Networks,” in Proceedings of the 7th Nordic Workshop on Secure IT Systems, NordSec 2003, Gjovik, Norway, pp. 1-14, 2003.
[12] R. K. Nekkanti and C-W. Lee, “Trust Based Adaptive on Demand Ad hoc Routing Protocol,” in Proceedings of the 42nd Annual Southeast Regional Conference, Huntsville, Alabama, pp. 88-93, 2004.
[13] A. A. Pirzada and C. McDonald, “Establishing Trust in Pure Ad-Hoc Networks,” in Proceedings of the 27th Australasian Computer Science Conference, Dunedin, New Zealand, pp. 47-54, 2004.
[14] L. Abusalah, A. Khokhar, G. BenBrahim, and W. ElHajj, “TARP: Trust-Aware Routing Protocol,” in Proceedings of the 2006 International Conference on Communications and Mobile Computing (IWCMC), Vancouver, Canada, pp. 135-140, 2006.
[15] H. Li and M. Singhal, “A Secure Routing Protocol for Wireless Ad Hoc Networks,” in Proceedings of the 39th Hawaii International Conference on System Sciences, pp. 1-10, 2006.
[16] S. A. Razak, S. Furnell, N. Clarke, and P. Brooke, “A Two-Tier Intrusion Detection System for Mobile Ad Hoc Networks--A Friend Approach,” Lecture Notes in Computer Science, volume 3975, pp. 590-595, Springer, 2006.
[17] Chengqi Song and Qian Zang, “Suppressing selfish behavior in adhoc networks with one more hop,” 5th International ICST Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness, 2008, ISBN: 978-963-9799-26-4.
[18] H. Debar, M. Dacier, and A. Wespi, “A Revised Taxonomy for Intrusion Detection Systems,” Annales des Telecommunications, vol. 55, pp. 361-378, 2000.
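The feed-back rule of Table IV and the trust levels of Table V can be worked through in a few lines; this is an added example, not code from the paper. The function names, the handling of unobserved neighbours and the counting rule (trust level = number of friend lists that name the node, divided by the number of nodes) are assumptions; the paper only says mining algorithms are used, but this rule reproduces Table V from Table III.

```python
from fractions import Fraction

# Table III of the paper: each node's initial (direct friend) trust list.
INITIAL_TRUST = {
    "A": ["B", "C"],
    "B": ["C", "D", "E"],
    "C": ["A", "D", "B"],
    "D": ["C", "B"],
    "E": ["A", "C"],
}

def fbt_value(ude_alert, ade_alert):
    """Table IV: 0 (friend) only when neither detection engine raises an alert."""
    return int(bool(ude_alert) or bool(ade_alert))

def local_friend_list(node, observations):
    """Local IDS: keep the initial friends whose FBT value is 0.

    observations maps neighbour -> (ude_alert, ade_alert). A neighbour with no
    observation is treated as unflagged (assumption of this example).
    """
    return [n for n in INITIAL_TRUST[node]
            if fbt_value(*observations.get(n, (0, 0))) == 0]

def global_trust_levels(friend_lists):
    """Assumed global rule: friend lists naming a node / number of nodes."""
    votes = {n: 0 for n in friend_lists}
    for owner, friends in friend_lists.items():
        for friend in set(friends):
            if friend != owner and friend in votes:  # ignore self and unknown ids
                votes[friend] += 1
    size = len(friend_lists)
    return {n: Fraction(v, size) for n, v in votes.items()}

def ranked(levels):
    """Trusted-neighbour list, highest trust first; ties broken by node id."""
    return sorted(levels, key=lambda n: (-levels[n], n))

if __name__ == "__main__":
    baseline = global_trust_levels(INITIAL_TRUST)
    print({n: str(t) for n, t in baseline.items()})  # same values as Table V
    # Constructed observations: A's ADE and D's UDE each raise an alert on B.
    obs = {"A": {"B": (0, 1)}, "D": {"B": (1, 0)}}
    lists = {n: local_friend_list(n, obs.get(n, {})) for n in INITIAL_TRUST}
    after = global_trust_levels(lists)
    print({n: str(t) for n, t in after.items()}, ranked(after))
```

In the constructed scenario, two alerts against B cut its level from 3/5 to 1/5, which shows how directly the global level depends on the reports of individual nodes.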