12 Paper 25101111 IJCSIS Camera Ready Paper Pp. 68-73
Published by: ijcsis on Feb 19, 2012
Copyright:Attribution Non-commercial
Distributed Intrusion Detection System for Ad hoc Mobile Networks

Muhammad Nawaz Khan, School of Electrical Engineering & Computer Science, National University of Science & Technology (NUST), Islamabad, Pakistan
Muhammad Ilyas Khatak, Department of Computing, Shaheed Zulfikar Ali Bhutto Institute of Science & Technology, Islamabad, Pakistan
Ishtiaq Wahid, Department of Computing & Technology, Iqra University Islamabad, Islamabad, Pakistan
Abstract: In a mobile ad hoc network (MANET), restrictions on the bandwidth, processing capability, battery life and memory of mobile devices lead to a trade-off between security and resource consumption. Because of some unique properties of MANETs, proactive security mechanisms such as authentication, confidentiality, access control and non-repudiation are hard to put into practice, while additional security requirements are also needed, such as cooperation fairness, location confidentiality, data freshness and absence of traffic diversion. Traditional security mechanisms, i.e. authentication and encryption, provide only partial protection for MANETs, so a reactive security mechanism is also required that analyzes the routing packets and checks the overall network behaviour of the MANET. Here we propose a local distributed intrusion detection system for ad hoc mobile networks. In the proposed distributed IDS, each mobile node works as a smart agent: data are collected locally by the node, which analyzes them for malicious activity. If any abnormal activity is discovered, the node informs the surrounding nodes as well as the base station. The system works like a client-server model: each node works in collaboration with the server, and the server updates the node's database each time using a Markov process. The proposed local distributed IDS shows a balance between the false positive and false negative rates. A reactive security mechanism is very useful for finding abnormal activities even when a proactive security mechanism is present. The distributed local IDS is useful for deep-level inspection and suits the varying nature of MANETs.

Keywords: MANETs, Intrusion Detection System (IDS), security mechanism, proactive, reactive, Markov process, false negative and false positive.
A MANET is an autonomous system of mobile nodes, built on ad hoc demand and working as a wireless network in which nodes move from place to place in a peer-to-peer fashion. A MANET has no pre-defined structure and no centralized administration, hence any node may leave or enter the network. The self-organizing nature of the ad hoc network arranges the nodes into an arbitrary and temporary ad hoc topology, which leads to an inherent security weakness [1]. Security for an infrastructure-less network of ad hoc nature is a great challenge. On the other hand, the resource constraints (limited power, limited communication range, limited processing capability and limited memory) of the mobile devices in the MANET lead to trade-offs between security requirements and resource consumption [2].

Most of the time, security in an ad hoc network is ensured by using encryption and authentication. But because of the changing topology and decentralized management of MANETs, mobile nodes are compromised in many ways. These protocols do not examine the received packets and do not analyze the overall network behaviour; they work in a traditional proactive manner. Therefore another, reactive mechanism is required which not only checks the packets locally but also deeply inspects the internal state of the received data. It also monitors the overall network performance to see what is going on. If any misbehaviour is detected, it not only informs the surrounding nodes but also takes the necessary action against the intruders. Closed-key ad hoc networks are comparatively more secure than open ad hoc networks, because closed-key networks have a pre-defined security policy for authentication and encryption, whereas open ad hoc networks are free for any node to join and become part of the network with an arbitrary topology.
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 1, January 2012, p. 68. http://sites.google.com/site/ijcsis/ ISSN 1947-5500
In this paper a distributed local IDS is proposed. Section 2 of the paper covers related work in security for ad hoc networks, Section 3 gives a MANET threat model, and Section 4 discusses the proposed system with its pros and cons. Section 5 has the concluding remarks of the paper.

II. RELATED WORK

Traditional security mechanisms are ensured by using the concept of key management, but key management becomes difficult in the presence of an active attacker node. A reasonable solution is a Certification Authority (CA) [3]. The CA has a public and private key pair; the public key of the CA is known to everyone, and the CA issues a certificate containing the public key of each node, signed with its private key [4]. This approach is valid, but it carries a massive overhead in the network because of the dynamically changing topology of MANETs and the verification of each valid node every time. Another issue is: if the CA node goes down, who is the next CA? Multiple CAs are also recommended, but overhead is still created in the network. A distributed-CA concept has also been proposed, but the problem remains the same and the network experiences extra overhead [5]. In fact, the CA confirms that each node has a valid certificate, which prevents spoofing and other malicious activities, but certificate verification requires a strong management system between the CAs and the surrounding nodes. Because of the limited resources of each node and the unique characteristics of MANETs, it is rarely implemented, and researchers want a feasible solution to reduce this overhead. Symmetric key encryption is also used for the authentication and authorization of a node within the network, but network layer issues are encountered when such an approach is used for ad hoc networks [6]. Localized certification is another approach, based on public key infrastructure (PKI): the CAs and other nodes distribute secret-shared updates with a revocation list in such scenarios [7]. Another solution is the Secure Routing Protocol (SRP), in which correct routes are discovered from time to time so that compromised and replayed routes are found and discarded. Security associations exist between the end nodes because no intermediate node takes part in path discovery; unique identifier numbers and authentication codes are used for correct route discovery [8].

Many intrusion detection systems have also been proposed. In [9], a cooperative and distributed IDS for ad hoc networks is proposed which works on statistical anomaly-based detection. In [13], an intrusion detection system based on the Suburban Ad-hoc Network (SAHN), known as SAHN-IDS, is proposed. SAHN-IDS is useful for multi-hop ad hoc networks, where it detects a misbehaving node that takes an unfair share of the transmission channel; it also detects anomalies in packet forwarding in an effective and unique way, and the simulation results show the efficiency of the scheme. In [14], a "Cross Layer Based Intrusion Detection System" (CIDS) is proposed for ad hoc networks. It detects intruders by analyzing the patterns of trace files, and it communicates data securely from source to destination, which increases network efficiency. Many other IDSs for ad hoc networks have been proposed, but the principle is the same: all IDSs are designed to protect the MANET from outsider and insider attacks. The proposed local distributed IDS differs in its working mechanism from previous approaches. It is very effective in situations where malicious code plays an important role in inside and outside network attacks.
III. THREAT MODEL

Ad hoc networks work in cooperation through dynamically changing topologies between mobile nodes. This property makes an ad hoc network more vulnerable to active and passive attacks. Most attacks are of a meet-in-the-middle or denial-of-service (DoS) nature, ranging from passive interception to active interference. In MANETs, DoS attacks are mostly launched by laptop nodes, which are rich in resources compared to the other nodes. In MANETs, DoS can be launched at any layer. At the physical layer, the DoS attack consists of constantly transmitting signals that interfere with the radio frequencies of the network; this can be done by one or more nodes, and the continuous retransmission jams the network for the desired purpose. DoS attacks are also launched at the data link layer by violating the communication protocol (802.15.4 or ZigBee) and continually transmitting messages in order to generate collisions; since such collisions require retransmissions by the affected node, it is possible to deplete the power of the node. At the network layer, DoS attacks are launched against the routing protocols [10]. One dedicated DoS attack in MANETs is the black hole router attack: the attacker node claims to be the shortest-path node to the surrounding nodes, receives their information and does not forward it to the base station. Another type is resource exhaustion, in which the attacker node broadcasts or unicasts a message (HELLO flood attack) to other nodes again and again, which consumes the nodes' resources such as battery, CPU and memory [12]. A routing loop is another DoS attack, in which a loop is introduced into the routing path so that the information just circulates and never reaches the base station. The meet-in-the-middle (MIM) attack is also a very obvious attack on MANETs, and it is launched more easily because of the ad hoc nature of the network. In MIM, the existing resources of the MANET are utilized in such a way that the attacker not only actively interferes with the network traffic but also plays a vital role as an eavesdropper. Many types of MIM attack have been discovered in MANETs; the replication attack is one of them, in which a node is captured, analyzed and replicated, and the replicas are inserted into the network. Another is the Sybil attack, in which a single malicious node masquerades with multiple identities; this single node can then have a serious impact on fault-tolerant schemes such as distributed storage, data aggregation and multi-path routing [10]. The network partition attack is another: the attacker node partitions the connected network into small sub-networks, which cannot communicate with each other although they are connected [11]. A malicious node can also corrupt data or misroute it. The base station (BS) plays a very important role because it is the central point for aggregated data, and all decisions about network management are made at the base station. So if the base station is compromised, the whole network is compromised, which is why the base station must be protected from every possible attack.
IV. PROPOSED SYSTEM

Many IDSs for ad hoc networks have been proposed. Some of them are critical for certain scenarios; some are used in collaboration with routing protocols. Here we propose a distributed local IDS for ad hoc networks. This local IDS may be used for low-energy nodes such as sensor nodes, which have limited resources and a special design purpose; it can also be used for more powerful mobile nodes with more resources. It is distributed because each node in the network analyzes data individually and independently through smart agents, so each node works as an IDS agent dispersed across the entire network. It is local because each node checks data and network behaviour locally. And it is cooperative because each node informs the other nodes as well as the base station. The base station is then responsible for the overall network performance and, with the cooperation of the other nodes, takes the necessary action against such malicious activity.

Fig. 1: System Model of Local-IDS within a node

First the data are collected and then analyzed for intruders; after analysis an appropriate action is taken. Each node has its own local IDS agent for checking the received data. These agents hold previous signatures or a pre-defined profile. When data enter these agents, the node first analyzes the received data by comparing it for normal and abnormal activity against the threshold value of the pre-defined profile. If some activity is detected as malicious, the node must inform the base station or cluster head (CH) for further analysis, and on the basis of that investigation the base station or CH takes an appropriate action. The targeted node may also inform the surrounding nodes, to make them aware of such falsified malicious data. The local IDS agent must be programmed in such a way that it detects both normal and abnormal activities. The smart agent works on a Markov process.

Each node in the network updates its profiles/signatures according to the base station's commands. When the base station receives data carrying a complaint message from a node, it first analyzes the same abnormal behaviour/malicious data. The base station then informs the rest of the cluster heads in that particular area and also informs the other base stations about this abnormal activity/malicious data. The base station now watches the overall network behaviour and also waits for the updates coming from the other cluster heads as well as from the other base stations. All these activities help the base station to check the performance of the network. The base station sends updates to the network nodes using a Markov process. The last node in the hierarchy receives the difference of all of the nodes from the base station down to the last node; the net difference between two profiles/signatures is the signature update.
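The local agent, cluster-head decision and difference-based signature update described above, written out as an added example that is not the paper's own code. It assumes a per-message-type rate threshold as the pre-defined profile, a HELLO flood as the abnormal activity, a fixed complaint count as the cluster head's confirmation rule, and constructed traffic; the paper's Markov-process update is not modelled.

```python
from collections import Counter, defaultdict

# Constructed traffic seen by node n1: (time slot, sender, message type); n3 floods from slot 2.
SAMPLE_PACKETS = [(0, "n2", "HELLO"), (0, "n3", "HELLO"), (0, "n2", "DATA"),
                  (1, "n3", "HELLO"), (1, "n2", "DATA")]
SAMPLE_PACKETS += [(2, "n3", "HELLO")] * 5 + [(3, "n3", "HELLO")] * 6


class LocalAgent:
    """Local IDS agent inside one node (assumed design, not the paper's code).
    profile: message type -> maximum count per slot accepted from one sender."""
    def __init__(self, node_id, profile):
        self.node_id, self.profile, self.alerts = node_id, dict(profile), []

    def analyze(self, packets):
        """Compare per-slot, per-sender counts with the pre-defined profile."""
        per_slot = defaultdict(Counter)
        for slot, sender, kind in packets:
            per_slot[slot][(sender, kind)] += 1
        for slot in sorted(per_slot):
            for (sender, kind), n in per_slot[slot].items():
                limit = self.profile.get(kind)
                if limit is not None and n > limit:  # abnormal activity: complain
                    self.alerts.append({"reporter": self.node_id, "slot": slot,
                                        "suspect": sender, "type": kind, "count": n})
        return self.alerts


class ClusterHead:
    """Collects complaints, confirms suspects and derives the signature update."""
    def __init__(self, profile):
        self.profile, self.complaints = dict(profile), []

    def confirm(self, alerts, min_reports=2):
        """Assumed rule: a suspect is confirmed after min_reports complaints."""
        self.complaints.extend(alerts)
        counts = Counter(a["suspect"] for a in self.complaints)
        return sorted(s for s, c in counts.items() if c >= min_reports)

    def signature_update(self, new_profile):
        """Net difference between old and new profile is the update pushed out."""
        delta = {k: v for k, v in new_profile.items() if self.profile.get(k) != v}
        self.profile = dict(new_profile)
        return delta


def run_demo():
    profile = {"HELLO": 3, "DATA": 10}
    agent, ch = LocalAgent("n1", profile), ClusterHead(profile)
    confirmed = ch.confirm(agent.analyze(SAMPLE_PACKETS))
    delta = ch.signature_update({"HELLO": 2, "DATA": 10})  # tighten HELLO rate
    agent.profile.update(delta)  # node installs only the changed thresholds
    return agent.alerts, confirmed, delta, agent.profile
```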