Paper5 IJCIS
Abstract- A Mobile ad hoc network (MANET) has an emerging, dynamic topology in the communication arena because of its anywhere, anytime communication. However, because of the way they are deployed, MANETs are more vulnerable to malicious attacks. Absolute security in a mobile ad hoc network is a very arduous task to achieve because of its fundamental characteristics, such as dynamic topology, open medium, limited power and limited bandwidth. Attack prevention measures, such as authentication and encryption, can be used as the first line of defense to mitigate the possibilities of attacks. However, these techniques are limited in the effects of prevention in general, and they are designed for a set of known attacks; they are unlikely to prevent newer attacks that are designed to evade the existing security measures. For this reason, an efficient mechanism (an Intrusion Detection System) must be deployed to facilitate the identification and isolation of attacks. In this paper we comprehensively study and present various intrusion detection methods and their most frequent and common challenges in MANETs. We then suggest important future research directions.

Keywords- IDS; Architecture of IDS; Misbehaving Nodes in MANET; Methods of IDS; Techniques of IDS

I. INTRODUCTION

Intrusion detection is a security mechanism used to identify those who are trying to break into and misuse a system without authorization, as well as those who have legitimate access to the system but misuse their privileges [3]. Intrusion detection can be defined as the process of monitoring activities in a system, which can be a computer or a network. The mechanism that performs this task is called an Intrusion Detection System (IDS). If an intrusion is detected, a response can be initiated to prevent or minimize damage to the system. Some assumptions are made in order for intrusion detection systems to work [1]. The first assumption is that user and program activities are observable. The second assumption, which is more important, is that normal and intrusive activities must have distinct behaviors, since intrusion detection must capture and analyze system activity to determine whether the system is under attack. According to the type of audit data collected, we can classify IDSs into two categories [2]:

1. Host-based: It depends on operating system audit data to analyze the events resulting from programs or users on the host. It is able to detect abnormal actions such as repeated failed access attempts and changes to system files, and to monitor real-time system usage. A host-based IDS does not depend on network bandwidth and is usually used in small networks, where each host dedicates its processing power to the task of system monitoring. Note that running this type of intrusion detection can slow down the hosts and reduce the host's battery life.

2. Network-based: Generally, it runs at the switches, gateways, or routers in a wired network in order to analyze the captured packets that traverse the network hardware interfaces. A MANET, on the other hand, does not have such network elements where the IDS can collect audit data for the entire network. In a wired network, network traffic is monitored on the wired network segment, while in an ad hoc network nodes can only monitor the network within their observable radio range. In contrast to a firewall, network-based intrusion detection can analyze the entire packet, not only the header. It is able to look at the payload within a packet in order to know which host application has been accessed, and to raise alerts when an adversary tries to compromise that application. In a wired network, a network-based IDS can run as a black box to monitor the entire network.

Based on detection techniques, IDSs can also be classified into three categories as follows [2].

1. Anomaly detection systems: The normal profiles (or normal behaviors) of users are kept in the system. The system compares the captured data with these profiles, and then treats any activity that deviates
Figure 7: How watchdog works: Although node B intends to transmit a packet to node C, node A can overhear this transmission.

A. Watchdog and Pathrater

Two techniques, watchdog and pathrater, were proposed by Marti, Giuli, and Baker [18] to be added on top of the standard routing protocol in ad hoc networks; the standard is the Dynamic Source Routing protocol (DSR) [19]. A watchdog identifies misbehaving nodes by eavesdropping on the transmission of the next hop. A pathrater then helps to find routes that do not contain those nodes.

In DSR, the routing information is defined at the source node. This routing information is passed together with the message through intermediate nodes until it reaches the destination. Therefore, each intermediate node in the path knows who the next-hop node is. In addition, listening to the next hop's transmission is possible because of a characteristic of wireless networks: if node A is within range of node B, A can overhear communication to and from B.

Figure 7 shows how the watchdog works. Assume that node S wants to send a packet to node D, and that there exists a path from S to D through nodes A, B, and C. Consider now that A has already received a packet from S destined for D. The packet contains a message and routing information. When A forwards this packet to B, A also keeps a copy of the packet in its buffer. Then it promiscuously listens to the transmission of B to make sure that B forwards to C. If the packet overheard from B (represented by a dashed line) matches the one stored in the buffer, it means that B really forwarded to the next hop (represented by a solid line), and A then removes the packet from the buffer. However, if there is no matching packet after a certain time, the watchdog increments the failure counter for node B. If this counter exceeds the threshold, A concludes that B is misbehaving and reports it to the source node S.

Pathrater performs the calculation of the "path metric" for each path. By keeping the rating of every node in the network

B. Confidant

Buchegger and LeBoudec [16] proposed an extension to the DSR protocol called CONFIDANT (Cooperation Of Nodes, Fairness In Dynamic Ad-hoc NeTworks), which is similar to Watchdog and Pathrater. Each node observes the behaviors of neighbor nodes within its radio range and learns from them.

This system also solves the problem of Watchdog and Pathrater in that misbehaving nodes are punished by not including them in routing and by not helping them forward packets. Moreover, when a node experiences a misbehaving node, it sends a warning message to other nodes in the network, defined as friends, based on a trust relationship.

The process of how they work can be divided into two parts: the process to handle its own observations and the process to handle reports from trusted nodes.

From observations: The monitor uses a "neighborhood watch" to detect any malicious behaviors within its radio range, e.g., no forwarding, unusually frequent route updates, etc. (This is similar to the watchdog in the previous scheme.) If a suspicious event is detected, the monitor then reports to the reputation system. At this point, the reputation system performs several checks and updates the rating of the reported node in the reputation table. If the rating result is unacceptable, it passes the information to the path manager, which then removes all paths containing the misbehaving node. An ALARM message is also sent by the trust manager to warn other nodes that it considers as friends.

From trusted nodes: When the monitor receives an ALARM message from its friends, the message is first evaluated by the trust manager for the trustworthiness of the source node. If the message is trustworthy, this ALARM message, together with the
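The watchdog buffering, overhearing, timeout and failure-counter logic from section A, together with a pathrater path metric, as an added Python example (not code from the paper or from Marti et al.): the threshold and timeout values, the mean-of-node-ratings metric and the packet scenario are assumptions made for illustration.

```python
from collections import defaultdict

class Watchdog:
    """Watchdog run by forwarding node A (Figure 7). Forwarded packets are
    buffered until A overhears the next hop re-transmit them; copies not
    heard within `timeout` ticks count as failures of that hop, and once
    failures exceed `threshold` the hop is reported to the source S.
    Both numbers are assumptions; the paper gives no values."""

    def __init__(self, threshold=2, timeout=1):
        self.threshold, self.timeout = threshold, timeout
        self.buffer = {}                  # packet id -> (next hop, tick)
        self.failures = defaultdict(int)  # next hop -> unmatched packets
        self.misbehaving = set()
    def forwarded(self, pkt_id, next_hop, now):
        self.buffer[pkt_id] = (next_hop, now)
    def overheard(self, pkt_id, sender):
        entry = self.buffer.get(pkt_id)
        if entry and entry[0] == sender:  # next hop really forwarded it
            del self.buffer[pkt_id]
    def tick(self, now):
        """Expire unmatched copies; return next hops newly reported to S."""
        reported = []
        for pkt_id, (hop, sent) in list(self.buffer.items()):
            if now - sent >= self.timeout:
                del self.buffer[pkt_id]
                self.failures[hop] += 1
                if self.failures[hop] > self.threshold and hop not in self.misbehaving:
                    self.misbehaving.add(hop)
                    reported.append(hop)
        return reported

def path_metric(path, ratings):
    """Pathrater metric, assumed to be the mean rating of intermediate nodes."""
    hops = path[1:-1]
    return sum(ratings[n] for n in hops) / len(hops) if hops else 1.0

def best_path(paths, ratings):
    """Pathrater picks the highest-metric path, routing around low-rated nodes."""
    return max(paths, key=lambda p: path_metric(p, ratings))

def simulate(drops):
    """Constructed scenario: A forwards pkt0..pkt4 to B; B drops those in `drops`."""
    wd, reports = Watchdog(), []
    for t in range(5):
        wd.forwarded(f"pkt{t}", "B", t)
        if t not in drops:
            wd.overheard(f"pkt{t}", "B")  # A hears B re-transmit it
        reports += wd.tick(t + 1)
    return reports, wd.failures["B"]
```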
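The two CONFIDANT input paths from section B (a node's own observations and ALARMs from friends) flowing through monitor, reputation system, path manager and trust manager, as an added Python example that is not Buchegger and LeBoudec's code: the per-event penalty, the "unacceptable" limit and the node names are assumptions made for illustration.

```python
class ConfidantNode:
    """One CONFIDANT node: monitor, reputation system, path manager and trust manager.

    Each suspicious event adds `penalty` to the suspect's entry in the reputation
    table; reaching `limit` is the "unacceptable" rating that triggers path removal
    and an ALARM to friends. Both numbers are assumptions; the paper gives none.
    """

    SUSPICIOUS = {"no_forwarding", "frequent_route_update"}

    def __init__(self, name, friends, paths, penalty=1, limit=2):
        self.name = name
        self.friends = set(friends)             # trusted relationship
        self.paths = [list(p) for p in paths]   # routes known to the path manager
        self.ratings = {}                       # reputation table
        self.penalty, self.limit = penalty, limit
        self.alarms_sent = []                   # (recipient, suspect)

    def _reputation_update(self, suspect):
        """Reputation system: rate the node, hand unacceptable ones to the path manager."""
        self.ratings[suspect] = self.ratings.get(suspect, 0) + self.penalty
        if self.ratings[suspect] < self.limit:
            return False
        self.paths = [p for p in self.paths if suspect not in p]   # path manager
        self.alarms_sent += [(f, suspect) for f in self.friends]   # trust manager warns friends
        return True

    def observe(self, suspect, event):
        """Monitor: a neighborhood-watch observation within radio range."""
        return event in self.SUSPICIOUS and self._reputation_update(suspect)

    def receive_alarm(self, source, suspect):
        """Trust manager: accept ALARMs only from friends, then rate the suspect."""
        if source not in self.friends:
            return False
        self._reputation_update(suspect)
        return True

def scenario():
    """Constructed run: A watches B directly; friend F first hears of B by ALARM."""
    a = ConfidantNode("A", {"F"}, [["S", "A", "B", "D"], ["S", "A", "X", "D"]])
    f = ConfidantNode("F", {"A"}, [["F", "B", "D"], ["F", "Y", "D"]])
    a.observe("B", "no_forwarding")              # rated, still acceptable
    a.observe("B", "no_forwarding")              # unacceptable: paths pruned, ALARM to F
    for recipient, suspect in a.alarms_sent:
        f.receive_alarm(a.name, suspect)         # F trusts A: B rated once
    f.receive_alarm("Z", "Y")                    # Z is not a friend: discarded
    f.observe("B", "no_forwarding")              # F's own evidence tips B over the limit
    return a.paths, f.paths, f.ratings
```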