Performance Evaluation Of Co-Operative Game Theory Approach For Intrusion Detection In MANET

Published by: ijcsis on Mar 08, 2011
Copyright: Attribution Non-commercial

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 2, 2011

PERFORMANCE EVALUATION OF CO-OPERATIVE GAME THEORY APPROACH FOR INTRUSION DETECTION IN MANET

S. Thirumal M.C.A., M.Phil., Assistant Professor, Department of Computer Science, Arignar Anna Government Arts College, Cheyyar, Tiruvannamalai District - 604 407. 1stdsmthirumal@gmail.com

Dr. V. Saravanan M.C.A., M.Phil., Ph.D., Professor and Director, Department of Computer Applications, Dr. N.G.P Institute of Technology, Dr. N.G.P-Kallapatti Road, Coimbatore - 641 048.
Abstract
Mobile Adhoc Network (MANET) is a collection of independent mobile nodes that can communicate to each other via radio waves. The mobile nodes that are in range of each other can directly communicate, whereas others need the aid of intermediate nodes to route their packets. These networks are fully distributed and can work at any place without the help of any infrastructure. This property makes these networks highly flexible and robust. Intrusion Detection System (IDS) is an integral part of any Mobile Ad-hoc Network (MANET). It is very important for IDS to function properly for the efficient functioning of a MANET. In this paper I evaluate the Co-Operative game theory approach for intrusion detection in MANET by comparing it with the existing other approaches. My evaluation is concentrated both on Intrusion in Application layer and network layer. Network simulator NS-2.34 is used for the simulation of the intrusions in grid network.
I. INTRODUCTION
A mobile ad hoc network is defined as a collection of mobile platforms or nodes where each node is free to move about arbitrarily. Each node logically consists of a router that may have multiple hosts and that also may have multiple wireless communication devices. The vision of mobile ad hoc networking is to support robust and efficient operation in mobile wireless networks by incorporating routing functionality into mobile nodes. Such networks are envisioned to have dynamic, sometimes rapidly-changing, random, multihop topologies which are likely composed of relatively bandwidth-constrained wireless links. A MANET may be susceptible to varying degrees of intrusion that include passive eavesdropping, broadcasting of false routing information, disrupting traffic flow, etc. The nodes in the network have to cooperate in analyzing the intrusion in MANET. Thus a cooperative Intrusion Detection System as shown in Figure 1.1 is needed to detect any possible intrusions that occur in the network and generate an appropriate action.

Fig 1.1 Grid Architecture Model.

In this paper, the performance of the Cooperative Game Theory that uses Shapley value algorithm to analyze the contribution of each node in detecting the intrusion is evaluated and compared with Anomaly detection approach. This ID will constantly monitor the network and report the unusual behavior of the network back to the head nodes. It will detect the unusual behavior at the application layer, and at the network layer an aggregate function that computes the severity of the attack based on the values reported by the nodes is introduced. The appropriate measure is taken based on the value of the aggregation function.

Many papers have been submitted earlier on detecting and analyzing intrusions in MANET. Also some have proposed game theoretic approach for monitoring intrusions. A few of them are mentioned below.

"A Cooperative Approach for Analyzing Intrusions in Mobile Ad hoc Networks" by Otrok, H., Debbabi, M., Assi, C. and Bhattacharya, P. (Concordia Univ., Montreal) considers the problem of reducing the number of false positives generated by cooperative intrusion detection systems (IDSs) in mobile ad hoc networks (MANETs). They define a flexible scheme using security classes, where an IDS is able to operate in different modes at each security class. This scheme helps in minimizing false alarms and informing the prevention system accurately about the severity of an intrusion. Shapley value is used to formally express the cooperation among all the nodes.

"A Game Theoretic Formulation for Intrusion Detection in Mobile Ad Hoc Networks" by Animesh Patcha and Jung-Min presents a game-theoretic model to analyze intrusion detection in mobile ad hoc networks. We use game theory to model the interactions between the nodes of an ad hoc network. We view the interaction between an attacker and an individual node as a two player non-cooperative game, and construct models for such a game.

"A Moderate to Robust Game Theoretical Model for Intrusion Detection in MANETs" by Hadi Otrok formalized a nonzero-sum noncooperative game theoretical model that takes into consideration the tradeoff between security and IDS resource consumption. The game solution will guide the leader-IDS to find the right moment for notifying the victim node to launch its IDS once the security risk is high enough. To achieve this goal, the Bayesian game theory is used to analyze the interaction between the leader-IDS and intruder with incomplete information about the intruder. By solving such a game, we are able to find the threshold value for notifying the victim node to launch its IDS once the probability of attack exceeds that value. Simulation results show that our scheme can effectively reduce the IDS resource consumption without sacrificing security.

Agah et al [4] suggested a game theoretic framework for defending nodes in a sensor network. Three schemes of defense are designed. In the first scheme the authors formulate attack-defense problem as a two-player, nonzero-sum, noncooperative game between an attacker and a sensor network. It is shown that this game achieves Nash equilibrium and thus leading to a defense strategy for the network. In the second scheme they use Markov decision process to predict the most vulnerable sensor node. In the third scheme they use an intuitive metric (node's traffic) and protect the node with the highest value of this metric.

All the above work focuses on IDS in a mobile ad hoc network at network layer, whereas the cooperative game theory approach goes one step further and tries to provide IDS system using cross layer approach. In my work both application layer and network layer information are considered to provide IDS. At the application layer a grid architecture proposed by Vetriselvi et al [5] is considered, where the game theoretic approach to provide security to this architecture is included.
Existing system:
Mobile Ad hoc Networks are wireless networks that lack infrastructure. They are vulnerable to attacks. Intrusion attacks are of particular interest and concern to the nodes, because they seek to render target systems inoperable. Many schemes have evolved to detect the attack, but we can't properly prevent the nodes from being attacked.

Packet dropping: This approach is presented using estimated congestion at intermediate nodes to decide if the intermediate node is not forwarding packets at the desired rate because of congestion or because of malicious behavior. It is unclear how statistical anomaly detection will succeed in the wireless domain, since it is a challenging one because of dynamic decentralization and a lack of concentration points where aggregated traffic can be analyzed.

Selfish nodes: The cooperative enforcement mechanism is based on a monitoring system, where the goal of this model is to detect selfish nodes and force them to cooperate. Each node keeps track of other nodes' cooperation using reputation as the cooperation metric. The system ensures that misbehaving nodes are punished by gradually stopping communication services and provides incentives for nodes, in the form of reputation, to cooperate. Reputation is calculated from information provided by other nodes involved in each operation. Even then, we can't stop the attack nodes, and the scheme is also less stable.

Anomaly detection: Because this model uses a single layer of cluster heads, an anomaly may be detected with only weak evidence. In that case a global detection process is initiated for further investigation about the intrusion through a secure channel. The limitations and drawbacks of this model are performance penalties and false alarm rates.

Defending node: In a game theoretic framework for defending nodes, three schemes are used in a sensor network. In the first scheme the authors formulate attack-defense problem as a two-player, nonzero-sum, noncooperative game between an attacker and a sensor network. It is shown that this game achieves Nash equilibrium and thus leading to a defense strategy for the network. In the second scheme they use Markov decision process to predict the most vulnerable sensor node. In the third scheme they use an intuitive metric (node's traffic) and protect the node with the highest value of this metric.
II. DESIGN AND WORKING OF THE GAME THEORY BASED IDS

A. The Grid Architecture
Heterogeneity of the mobile devices can be integrated to form an infrastructure known as grid. A grid by definition is a system that coordinates resources that are not subject to centralized control. Grid consists of three categories of nodes:

- Consumer node (CN): node which requests for a service.
- Service Provider node (SPN): node which processes the service requested by the CN.
- Grid Head node (GHN): node which coordinates all the nodes in its grid.

This GHN is responsible for the allotment of an appropriate service provider node to a node requesting for particular service based on parameters such as cost, service time, etc. VetriSelvi et al [5] have suggested a Grid architecture that efficiently makes use of heterogeneous resources in an ad hoc network. A trace based mobility model is used to handle the movement of the nodes. Trace Based Mobility Model (TBMM) captures the regularity in movement as a movement pattern. The nodes that are going to communicate exchange this trace information that provides the position of the destination and its associated stability time. With the help of the trace information as well as the resource information appropriate service is provided to consumer nodes.
Grid Formation and GHN Election
Any SPN has the privilege to contest for the grid head. A SPN starts sending 'Hello' messages to all the nodes within its hop limit. A hop limit is specified so as to keep a check on the number of nodes in a particular grid and also the density of data traffic which will result due to this broadcasting of messages. The 'Hello' message contains the stability time of its sender and hop count. On receiving a 'Hello' message, any SPN which currently does not have a head checks if the sender's stability is greater than its own stability. If it is the case, it simply stops broadcasting its own 'Hello' messages and starts broadcasting the newly received message to all the nodes in its hop limit range after storing the stability of the sender as the 'GHN stability'. If not, it simply discards the message and continues to broadcast its own 'Hello' message. After finding the GHN, it sends 'Grid join' message to GHN. If a SPN node is currently functioning under a grid head and receives a 'Hello' message, it checks to see if the sender's stability is higher than its head's stability and if true, it starts broadcasting the newly received 'Hello' message after storing the stability as 'GHN stability'. Any CN on receiving a 'Hello' message simply forwards it. All the nodes store the first two highest stability times that they have received through 'Hello' messages. The node with the second highest stability is appointed as the 'Secondary head' of the grid. Any node which gets elected as the GHN should periodically send 'Hello' messages to all the other nodes and if it fails to do so, it is not considered to be alive by the other nodes and a reelection takes place.
Service Processing
Any SPN joining a grid submits resource parameters, stability, position, type of service, service cost, etc. to the GHN. A CN while requesting for a service states the type of service required and cost. The GHN maintains a Grid Maintenance Table (GMT), wherein it stores the status of all the SPNs under it: their service parameters and their availability. On finding a suitable SPN for the service, it refers the SPN id to the requesting CN and assigns a job id to this service. The CN then sends a 'Service me' message to the allotted SPN which in turn completes the service and sends a 'Done' message to the CN and a 'Comp' message to the GHN indicating the completion of its assigned task. The CN sends an 'ACK' message to the GHN, acknowledging that it got the service completed by the SPN. The GHN now updates the SPN's status in the GMT. However, if an appropriate SPN is unavailable at a particular instant for a CN, it sends a service denial message prompting the CN to try later for the service request.
Intrusions in Application Layer
In the paper, two probable intrusions in the application layer are considered: a grid head which itself is found to be malicious, and misbehaving service provider nodes.

1) Malicious GHN: A GHN sends a service busy / service denial message to a requesting CN if it does not find a suitable SPN. The CN keeps track of the count of the BUSY messages sent by the GHN. Once it exceeds a predefined threshold limit, the CN reports a 'Bad Head' message to the secondary head. Every time a service is allotted to a SPN by a GHN, the SPN immediately sends a 'busy' message to the secondary head. Similarly, after the successful completion of service, the CN sends a 'complete' message to the secondary head. Thus the secondary head maintains the list of SPNs which are busy. When the secondary head receives the 'Bad Head' message from a CN, it checks if the SPNs are actually busy. If not, it generates a 'Ban' message and broadcasts it to all the nodes. On receiving this message, all the nodes discard that node, no longer have it as their GHN, and add that node's address to a list of banned nodes that they maintain, after which a reelection takes place for contention to become the new grid head.

2) Misbehaving SPN: After being allotted a specific SPN for its service, a CN sends a 'service me' message to the SPN. A malicious SPN on receiving this message does only half the service required and reports completion of the service to both the GHN and the CN. On discovering that the service was not fully completed, the SPN generates a report to the GHN stating the essential parameters like the SPN's id, job id, etc. The GHN increments its report count for the particular SPN node and waits till the count reaches a particular predefined limit, after which it checks the coalitions against the reported node. If it happens to be a winning coalition, the GHN adds the SPN to the list of banned nodes and broadcasts the message on to all other nodes in the network.
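The secondary-head cross-check from the Malicious GHN case, as an added sketch that is not code from the paper. The threshold value, the node ids, and the rule that one idle SPN is enough to ban are assumptions made here, and service-type matching is ignored.

```python
from dataclasses import dataclass, field

BUSY_THRESHOLD = 3  # assumed; the paper only says "predefined threshold limit"

@dataclass
class SecondaryHead:
    """Shadow bookkeeping the secondary head keeps about SPN load."""
    spns: set                                   # SPN ids registered in the grid
    busy: set = field(default_factory=set)      # SPNs currently serving a job
    banned: list = field(default_factory=list)  # banned node addresses

    def on_busy(self, spn_id):
        # 'busy' message: sent by an SPN as soon as the GHN allots it a job
        self.busy.add(spn_id)

    def on_complete(self, spn_id):
        # 'complete' message: sent by the CN once the job has finished
        self.busy.discard(spn_id)

    def on_bad_head(self, ghn_id):
        """Audit a 'Bad Head' report against the busy list.

        Returns a ('Ban', ghn, idle_spns) broadcast when the GHN denied
        service although an SPN was idle, otherwise None.
        """
        idle = self.spns - self.busy
        if idle and ghn_id not in self.banned:
            self.banned.append(ghn_id)
            return ("Ban", ghn_id, sorted(idle))
        return None  # every SPN really was busy: the denials were honest

@dataclass
class ConsumerNode:
    cn_id: str
    busy_count: int = 0

    def on_service_denied(self, ghn_id, secondary):
        # Count BUSY replies; escalate only once the count exceeds the limit
        self.busy_count += 1
        if self.busy_count > BUSY_THRESHOLD:
            self.busy_count = 0
            return secondary.on_bad_head(ghn_id)
        return None

def run_scenario(ghn_is_malicious):
    """Constructed scenario: two SPNs, one CN, a GHN that keeps denying."""
    sh = SecondaryHead(spns={"SPN1", "SPN2"})
    cn = ConsumerNode("CN1")
    sh.on_busy("SPN1")                 # SPN1 is serving another job
    if not ghn_is_malicious:
        sh.on_busy("SPN2")             # honest case: SPN2 is busy as well
    verdict = None
    for _ in range(BUSY_THRESHOLD + 1):
        verdict = cn.on_service_denied("GHN7", sh) or verdict
    return verdict

if __name__ == "__main__":
    print(run_scenario(True))   # malicious GHN denies while SPN2 is idle
    print(run_scenario(False))  # honest GHN, all SPNs busy
```

Because the busy list is built from messages sent by the SPN and the CN rather than by the GHN, the head cannot hide an idle provider by editing its own Grid Maintenance Table.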
Intrusions in Network Layer
In the network layer, two highly probable intrusions, flooding and flow disruption caused by malicious nodes, are proposed. Both of these intrusions are detected by the other nodes and a coalition is formed to report the intruder.

1) Flooding attack: A malicious node starts sending innumerable route request/route discovery messages to all the other nodes exhaustively. This affects the network bandwidth adversely and paralyses the network. This is resolved by using parameters like the number of control packets expected and received. For a certain time interval, the total number of control packets received is counted and checked against the threshold limit. If it is exceeded, the GHN is notified of the possibility of the attack. The Grid Head then forms the coalition, calculates the attack value, checks whether it is a winning coalition and finds an intrusion.

2) Flow disruption attack: A malicious node targets a route between a particular source and destination node and starts sending junk route discovery messages to all the nodes in that particular route. Certain nodes are randomly identified as the target nodes by the attacker nodes. These attacker nodes are a few among the nodes which route data packets from and to the target nodes. When the ACK messages for the target nodes reach the attackers, they drop the packets instead of forwarding them. This causes the route between the particular source and destination to be broken, thereby disrupting the flow between a pair of targeted nodes. After a stipulated waiting time, the target nodes report to their grid head. On receiving the report, the grid head carries out the similar processing of checking for coalitions and spotting a winning coalition.
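The flooding check followed by the grid head's coalition test, as an added sketch that is not code from the paper. The page does not give the aggregate function or the winning rule, so a weighted-majority game is assumed here; the weights, quota, threshold and packet log are constructed.

```python
from collections import Counter
from itertools import permutations

def reporters(packet_log, interval, threshold):
    """Nodes that saw more than `threshold` control packets in one interval.

    packet_log: iterable of (timestamp_seconds, receiver_id), one entry per
    route request / control packet received (constructed sample format).
    """
    counts = Counter((rx, int(ts // interval)) for ts, rx in packet_log)
    return sorted({rx for (rx, _), n in counts.items() if n > threshold})

def is_winning(coalition, weights, quota):
    # Assumed rule: a coalition wins when its summed weight reaches the quota
    return sum(weights[n] for n in coalition) >= quota

def shapley(weights, quota):
    """Exact Shapley value of every node in the weighted-majority game.

    For a simple game this is the share of join orders in which the node
    is pivotal, i.e. turns a losing coalition into a winning one.
    Assumes the full set of nodes reaches the quota.
    """
    nodes = list(weights)
    pivots, orders = Counter(), 0
    for order in permutations(nodes):
        running = 0
        for n in order:
            running += weights[n]
            if running >= quota:
                pivots[n] += 1
                break
        orders += 1
    return {n: pivots[n] / orders for n in nodes}

def ghn_decision(packet_log, weights, quota, interval=1.0, threshold=5):
    """GHN side: form the coalition of reporting nodes and test it."""
    coalition = reporters(packet_log, interval, threshold)
    return coalition, is_winning(coalition, weights, quota)

# Constructed data: per-node weights and one second of received RREQs.
WEIGHTS = {"A": 3, "B": 2, "C": 1, "D": 1}
QUOTA = 4
LOG = ([(0.1 * i, "A") for i in range(8)] +   # A receives 8 control packets
       [(0.1 * i, "B") for i in range(7)] +   # B receives 7
       [(0.2, "C"), (0.4, "C"), (0.3, "D")])  # C and D stay under threshold

if __name__ == "__main__":
    print(ghn_decision(LOG, WEIGHTS, QUOTA))
    print(shapley(WEIGHTS, QUOTA))
```

The Shapley values show how much each node's report counts toward a decision under these assumed weights: node A is pivotal in half of all join orders, the other three in one sixth each.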
218 http://sites.google.com/site/ijcsis/ISSN 1947-5500
