(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 3, March 2012
An Intrusion Detection System Framework for AdHoc Network
Arjun Singh 1
Dept. of Computer Science & EngineeringSir Padampat Singhania UniversityUdaipur, Indiaarjun.singh@spsu.ac.in
Surbhi Chauhan 2
Dept. of Computer Science & EngineeringAmity UniversityNoida,IndiaSurbhichauhan2009@gmail.com
Kamal Kant 3
Dept. of Computer Science & EngineeringAmity UniversityNoida, Inidakamalkant25@gmail.com
Reshma Doknaia 4
Sr. Software EngineerBMC Pvt. Ltd.Pune, Indiareshma.dokania@gmail.com
Abstract
—
Secure and efficient communication among a set of mobile nodes is one of the most important aspects in ad-hocwireless networks. Wireless networks are particularly vulnerable to intrusion, as they operate in open medium, and use cooperative strategies for network communications. By efficiently merging audit data from multiple network sensors, we analyze the entire ad hoc wireless network for intrusions and try to inhibit intrusion attempts. This paper presents an intrusion detection system for ad hoc network, which uses reputation system to minimize the usage of battery power and bandwidth. Keywords-IDS, LID, MDM,ADM,SSD
I.
I
NTRODUCTION
Ad hoc network are dynamic, peer-to-peer networks thatdo not have a pre-existing infrastructure and are characterizedby wireless multi-hop communication .The unreliability of wireless links between nodes, constantly changing topologydue to the movement of nodes in and out of the network, andlack of incorporation of security features in staticallyconfigured wireless routing protocols not meant for ad hocenvironments all lead to Increased vulnerability and exposureto attacks .Securing wireless ad hoc networks is particularlydifficult for many reasons including the following:
Vulnerability of channels.
As in any wireless network,messages can be eavesdropped and fake messages can beinjected into the network without the difficulty of havingphysical access to network components.
Vulnerability of nodes.
Since the network nodes usuallydo not reside in physically protected places, such aslocked rooms, they can more easily be captured and fallunder the control of an attacker.
Absence of infrastructure.
Ad hoc networks are supposedto operate independently of any fixed infrastructure. Thismakes the classical security solutions based oncertification authorities and on-line servers inapplicable.
Dynamically changing topology.
In mobile ad hocnetworks, the permanent changes of topology requiresophisticated routing protocols, the security of which is anadditional challenge. A particular difficulty is that incorrectrouting information can be generated by compromised nodesor as a result of some topology changes and it is hard todistinguish between the two cases.II.
EI
NTRUSION DETECTION IN WIRELESS AD HOCNETWORK
Intrusion Detection Systems (IDS) may be classified basedon the data collection maintaining the integrity of thespecifications mechanism, as well as the technique used todetect events. While the requirement of intrusion detectionfor both fixed wired and wireless ad-hoc networks are thesame, wireless ad-hoc networks impose additionalchallenges. The effectiveness of IDS solutions thatwere designed for fixed wired networks is limited forwireless ad-hoc network, as described below:
Wireless ad-hoc networks lack key concentration pointswhere network traffic can be monitored. This limits theeffectiveness of a network-based IDS sensor, since onlythe traffic generated within radio transmission range maybe monitored.
In a dynamically changing ad-hoc network, it may bedifficult to rely on the existence of a centralized server toperform analysis and correlation.
The secure distribution of signatures may be difficult, dueto the properties of wireless communication and mobilenodes that operate in disconnect mode.Intrusion detection can be classified into three broadcategories:
45http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 3, March 2012
1.
Anomaly detection, signature2.
Misuse detection, and3.
Specification based detection.
A.
Anamoly Detection
In an anomaly detection system a baseline profile of normal system activity is created. Any system activity thatdeviates from the baseline is treated as a possible intrusion.The problems with strict anomaly detection are that:
Anomalous activities that are not intrusive are flagged asintrusive.
Intrusive activities that are not anomalous result in falsenegatives.One disadvantage of anomaly detection for mobile computingis that the normal profile must be periodically updated and thedeviations from the normal profile computed. The periodiccalculations can impose a heavy load on some resourceconstrained mobile devices; perhaps a lightweight approachthat involves comparatively less computation might be bettersuited.
B.
Misuse Detection
In misuse detection, decisions are made on the basis of knowledge of a model of the intrusive process and whattraces it ought to leave in the observed system.
Legal
or
illegal
behavior can be defined and observed behaviorcompared accordingly. Such a system tries to detect evidenceof intrusive activity irrespective of any knowledge regardingthe background traffic (i.e., the normal behavior of thesystem).
C.
Specification- Based Detection
This defines a set of constraints that describe the correctoperation of a program or protocol, and monitors theexecution of the program with respect to the definedconstraints. This technique may provide the capability todetect previously unknown attacks, while exhibiting a lowfalse positive rate.III.
INTRUSION DETECTION ARCHITECTURE
Each node on the ad hoc network has an IDS agent runningon it. The IDS agents work together through cooperativeintrusion detection to decide when and how the network isbeing attacked. The architecture is divided into two parts:the mobile IDS agent, which resides on each node in thenetwork, and the stationary secure database, which containsglobal signatures of known misuse attacks and storespatterns of each user’s normal activity in a non-trustedenvironment. An IDS agent runs at each mobile node doeslocal intrusion detection independently, and neighboringnodes collaboratively work on a larger scale. Individual IDSagents placed on each and every node run independentlyFigure1. Architecture of IDSand monitor local activities, detect intrusions from localtraces, and initiate responses.Figure 2. IDS Agent ArchitectureNeighboring IDS agents cooperatively participate in globalintrusion detection actions when an anomaly is detected inlocal data. The data collection module gathers local audittraces and activity logs that are used by the local detectionengine to detect local anomaly. Detection methods that needbroader data sets or require collaborations among local IDSagents use the cooperative detection engine. Both the localand global response modules provide intrusion responseactions. The local response module triggers actions local tothis mobile node, while the global one coordinates actionsamong neighboring nodes, such as the IDS agents in thenetwork electing a suitable action. A secure communicationmodule provides a high-confidence communication channelamong IDS agents.
SecureCommunicationSecure stationarydatabaseMobile nodeIDS agentMobile nodeIDS agent
IDS Agent
LocalLocalIntrusionDatabase(LID)Global ResponseCo-operativedetection andsecuredstationaryengineSecured communication channel
Alert Message
46http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 3, March 2012
IV.
REPUTATION MECHANISM
Reputation mechanism is used within ad hoc networks toaddress some of the threats arising from misbehavingnetwork nodes. These mechanisms are potentially of particular value in addressing the threats arising from selfishnodes. In the context of ad hoc networks, these mechanismsseek to dynamically assess the trustworthiness of neighboringnetwork nodes, with a view to excluding untrustworthynodes. There are three types of reputation, which arecombined to form a global reputation value for a communitymember. Each calculation is normalized so that a reputationvalues ranges from -1(bad) to +1 (good). 0 represents aneutral view, and this is used when there is not enoughobservation to make an accurate assessment of a node'sreputation. The three reputation types are as follows:1.
Subjective reputation is locally calculated, where node Acalculates the reputation of a neighbor node B at a given timefor a particular function.2.
Indirect reputation are accepted by node A from node Cabout node B. only positive reputation values are used, toeliminate an attack where a malicious node transmitsnegative reputation information to cause a denial-of-service.3.
Functional reputations are related to a certain functionwhere each function is a weight as to its importance.Each node maintains a reputation table. This table contains of the reputations of other nodes, with each entry consisting of aunique ID, recent subjective observation, recent indirectobservations and the composite reputation for a givenfunction. Thus a reputation table has to be maintained foreach function that is to be monitored.There are 3 ways in which a reputation table is updated.1.
A node A requests a service from node B, but noderefuses to perform the service. Thus node A will decreaseits perceived reputation of node B. this is a calculation of node B's subjective reputation.2.
A global distribution of reputation takes placewithin a reputation dissemination phase. This phaseinvolves sending messages containing a list of entities,which have successfully co-operated in providing afunction, i.e., a list of nodes with positive reputation.3.
The reputation is gradually decreased to a null valueif there is no interaction with observed node.When a node A, with a good reputation, is asked toperform a service by a node B, who has a bad reputationNode A can refuse to cooperate in doing so. Node A isrequired to send a message to all nodes in the ad hocnetwork, stating that it is denying services to node B. Theneighbor nodes of A and B must check that node B'sreputation is negative in their own reputation table. If one of the neighbor nodes does not agree with node A's negativereputation value for node B, then this neighbor node deceasesthe reputation of node A, i.e., the node which sent the denialof service message.Reputation system alerts path manager. The path managerranks routed according to security metric. All paths, whichcontain a bad behaving node, are deleted. The path manageralso decides what to do with requests received from badlybehaved nodes. The local intrusion detection system (LIDS)is distributed in nature and utilizes mobile agents on each of the nodes of the ad hoc network .In order to make localintrusions a global concern for the entire network; the LIDSexisting on different nodes collaborate. Collaboration amongthe nodes is achieved using two types of data: security data toobtain complementary information from collaborating hosts,and intrusion alerts to inform others of a locally detectedintrusion.
A.
Mobile IDS Agents
Each node in the network will have an IDS agent runningon it all the time. This agent is responsible for detectingintrusions based on local audit data and participating incooperative algorithms with other IDS agents to decide if thenetwork is being attacked. Each agent has five parts: a localaudit trial, a local intrusion database (LID), a securecommunication module, anomaly detection modules (ADM),and misuse detection modules (MDM)
.
B.
Local Intrusion Database (LID)
LID is a local database that collects all informationnecessary for the IDS agent, such as the signature files of known attacks, the established patterns of the users on thenetwork, and the normal traffic flow of the network. TheADM and MDM communicate directly with the LID todetermine if an intrusion is taking place.
C.
Secure communication module
This is necessary to enable an IDS agent to communicatewith other IDS agents on other nodes. It will allow the MDMand ADM to use cooperative algorithms to detect intrusions.It may also be used to initiate a global response when an IDSagent or a group of IDS agents detects an intrusion. Datacommunicated via the secure communication module needsto be encrypted.
D.
Anamoly Detection Modules (ADM)
ADM are responsible for detecting a different type of anomaly. There can be from one to many ADM on eachmobile IDS agent, each working separately or cooperativelywith other ADM.
47http://sites.google.com/site/ijcsis/ISSN 1947-5500
Search History:
Result 00 of 00
00 results for result for
p.
An Intrusion Detection System Framework for Ad Hoc Networks
Secure and efficient communication among a set of mobile nodes is one of the most important aspects in ad-hoc wireless networks. Wireless networks are particularly vulnerable to intrusion, as they operate in open medium, and use…
(More)
212
Reads
0
Readcasts
0
Embed Views
Get Scribd Mobile
To get Scribd mobile enter your number and we'll send you a link to the Scribd app for iPhone & Android.We've sent a link to the Scribd app. If you didn't receive it, try again.
We'll never share your phone number.
More From This User
Notes
Load more
