International Journal of Computer Information Systems,
Vol. 2, No. 5, 2011
A Comprehensive Study on Intrusion Detection
System and Its Prevalent Challenges in Mobile Ad
Hoc Networks
K.P.Manikandan Dr.R.Satyaprasad
HOD/MCA CSE Department
Chirala Engineering College Achariya Nagarjuna University
Chirala-523157.A.P.,India Nagarjuna Nager-522 510,India
+919908847047 +919848487478
manikandankp@yahoo.com profrsp@gmail.com
Abstract- A Mobile ad hoc network (MANET) has an emerging
dynamic topology in communication arena because of its
anywhere, anytime communication. However, for its deployment
nature, MANETs are more vulnerable to malicious attacks. The
absolute security in the mobile ad hoc network is very arduous
task to achieve for the reason of its fundamental characteristics,
such as dynamic topology, open medium, limited power and
limited bandwidth. Even though, the attack prevention measures,
such as authentication and encryption, can be used as the first
line of defense for mitigating the possibilities of attacks. However,
these techniques have a limitation on the effects of prevention
techniques in general and they are designed for a set of known
attacks. They are unlikely to prevent newer attacks that are
designed for evading the existing security measures. For this
reason, there is a need of an efficient mechanism (Intrusion
Detection System) must be deployed to facilitate the identification
and isolation of attacks. In this paper we comprehensively
studied and presented various intrusion detection methods and
its most frequent and very common challenges in MANET. We
then suggested important future research directions.
Keywords-IDS; Architecture of IDS; Misbehaving Nodes in
MANET; Methods of IDS; Techniques of IDS
I. INTRODUCTION
Intrusion detection is a security mechanism which is used
to identify those who are trying to break and misuse the
system without authorization and those who have legitimate
access to the system but misusing the privileges [3]. Intrusion
detection can be defined as a process of monitoring activities
in a system which can be a computer or a network. The
mechanism that performs this task is called an Intrusion
Detection System (IDS). If the intrusion is detected, a
response can be initiated to prevent or minimize damage to the
system. Some assumptions are made in order for intrusion
detection systems to work [1]. The first assumption is that user
and program activities are observable. The second assumption,
which is more important, is that normal and intrusive activities
must have distinct behaviors, as intrusion detection must
capture and analyze system activity to determine if the system
Special Issue Page 37 of 52
Dr.K.Rajasekhararao
PRINCIPAL
KL University
Vadeshwaram-522502,India
+919848452344
krr_it@yahoo.co.in
is under attack. According to the type of the audit data
collected, we can classify the IDS into two categories [2]:
1. Host-based: It depends on the operating system audit
data to analyze the events resulting from programs or
users on the host. It is able to detect abnormal actions
such as repeated failed access attempts, changes to
system files, and monitoring real time system usage.
Host-based does not depend on network bandwidth,
and is usually used in small networks, where each
host dedicates its processing power to achieve the
task of system monitoring. We have to note that,
running this type of intrusion detection can slow
down the hosts and decline the performance of the
host battery.
2. Network-based: Generally, it runs at the switches,
gateways, or routers in a wired network in order to
analyze the captured packets that traverse through the
network hardware interfaces. On the other hand,
MANET does not have such types of network
elements, where the IDS can collect audit data for the
entire network. In wired network, network traffic is
monitored on the wired network segment, while in ad
hoc network, nodes can only monitor network within
their observable radio range. In contrary to firewall,
network based intrusion detection can analyze the
entire packet not only the header. They are able to
look at the payload within a packet, in order to know
which host application has been accessed, and to raise
alerts when an adversary tries to compromise such
application. Network-based, in wired network, can
run as black box to monitor the entire network.
Based on detection techniques, IDS can also be
classified into three categories as follows [2].
1. Anomaly detection systems: The normal profiles (or
normal behaviors) of users are kept in the system.
The system compares the captured data with these
profiles, and then treats any activity that deviates
ISSN 2229 5208

from the baseline as a possible intrusion by informing
system administrators or initializing a proper
response.
2. Misuse detection systems: The system keeps patterns
(or signatures) of known attacks and uses them to
compare with the captured data. Any matched pattern
is treated as an intrusion. Like a virus detection
system, it cannot detect new kinds of attacks.
3. Specification-based detection: The system defines a
set of constraints that describe the correct operation
of a program or protocol. Then, it monitors the
execution of the program with respect to the defined
constraints.
In this paper, IDS architectures in MANET have been
classified so that each one is suitable for different network
infrastructures. Then different techniques for intrusion
detection are investigated and compared. Further we discuss
the common challenges for IDS in MANET and finally the
conclusion and future directions are given in the last section.
II. ARCHITECTURE FOR IDS IN MANETS
The network infrastructures that MANETs can be
configured to are either flat or multi-layer, depending on the
applications. Therefore, the optimal IDS architecture for a
MANET may depend on the network infrastructure itself [4].
In a flat network infrastructure, all nodes are considered equal,
thus it may be suitable for applications such as virtual
classrooms or conferences. On the contrary, some nodes are
considered different in the multi-layered network
infrastructure. Nodes may be partitioned into clusters with one
clusterhead for each cluster. To communicate within the
cluster, nodes can communicate directly. However,
communication across the clusters must be done through the
clusterhead. This infrastructure might be well suited for
military applications. There are four main architectures on the
network [6], as follows: 1) Standalone IDS, 2) Distributed and
Collaborative IDS, 3) Hierarchical IDS, and 4) Mobile Agent
for Intrusion Detection Systems.
1. In the standalone architecture, the IDS runs on each
node to determine intrusions independently. There is
no cooperation and no data exchanged among the
IDS on the network. This architecture is also more
suitable for flat network infrastructure than for
multilayered network infrastructure.
2. The distributed and collaborative architecture has a
rule that every node in the MANET must participate
in intrusion detection and response by having an IDS
agent running on them. The IDS agent is responsible
for detecting and collecting local events and data to
Special Issue Page 38 of 52
International Journal of Computer Information Systems,
Vol. 2, No. 5, 2011
identify possible intrusions, as well as initiating a
response independently.
3. The hierarchical architecture is an extended version
of the distributed and collaborative IDS architecture.
This architecture proposes using multi-layered
network infrastructures where the network is divided
into clusters. The architecture has cluster heads, in
some sense, act as control points which are similar to
switches, routers, or gate ways in wired networks.
4. The mobile agent for IDS architecture uses mobile
agents to perform specific task on a nodes behalf the
owner of the agents. This architecture allows the
distribution of the intrusion detection tasks. There are
several advantages using mobile agents [[7], [5]], for
intrusion detection.
III. MISBEHAVING NODES IN MANETS
Those nodes in the network which cause dysfunction in
network and damage the other nodes are called Misbehaving
or Critical nodes. Mobile Ad hoc networks (MANETs) like
other wireless networks are liable to active and passive
attacks. In the passive attacks, only eavesdropping of data
happens; while in the active attacks, operations such as
repetition, changing, or deletion of data are necessitated.
Certain nodes in MANETS can produce attacks which cause
congestion, distribution of incorrect routing information,
services preventing proper operation, or disable them [13].
Those nodes in the network which perform active attacks
to damage other nodes and cause disconnection in the network
are called Malicious or Compromised nodes. Also, those
nodes which do not send the received packets (used for storing
battery life span to be used for their own communications) are
called Selfish nodes [4]. A Selfish node impacts the normal
network operations by not participating in routing protocols or
by not sending packets. A Malicious node may use the routing
protocols to announce that it has the shortest route to the
destined node for sending the packets. In this situation, this
node receives the packets and does not send them. This
operation is called "blackhole" attack [1]. Malicious nodes
stop the operation of a routing protocol by changing the
routing information or by structuring false routing
information; this operation is called the "wormhole" attack. As
two malicious nodes create a wormhole tunnel and are
connected to each other through a private link, it can be
concluded that they have a detour route in the network. This
allows a node to create an artificial route in the current
network and shorten the normal currency of routing messages
in a way that the massages will be controlled by two attackers.
Selfish nodes can intensively lower the efficiency of the
network since they do not easily participate in the network
operations. Malicious nodes can easily perform integrity
attacks by changing the protocol fields in order to destroy the
ISSN 2229 5208

transportation of the packets, to deny access among legal
nodes, and can perform attacks against the routing
computations. Spoofing is a special case of integrity attacks
with which a malicious node, due to lack of identity
verification in the special routing protocols, forges the identity
of a legal node. The result of such an attack by malicious
nodes is the forgery of the network Topology which creates
network loops or partitioning of the network. The lack of
integrity and authentication in the routing protocols creates
forged or false messages [15].
If a node participated in routes finding but does not forward a
packet, it is a misleading node and misleads other nodes. But
if a node does not participate in routes finding, it is a selfish
node [12].
IV. DIFFERENT METHODS FOR INTRUSION DETECTION
SYSTEM
A. Distributed and Cooperative IDS
Zhang and Lee also proposed the model for
distributed and cooperative IDS as shown in Figure 1 [1]. The
model for an IDS agent is structured into six modules. The
local data collection module collects real-time audit data,
which includes system and user activities within its radio
range. This collected data will be analyzed by the local
detection engine module for evidence of anomalies. If an
anomaly is detected with strong evidence, the IDS agent can
determine independently that the system is under attack and
initiate a response through the local response module (i.e.,
alerting the local user) or the global response module (i.e.,
deciding on an action), depending on the type of intrusion, the
type of network protocols and applications, and the certainty
of the evidence. If an anomaly is detected with weak or
inconclusive evidence, the IDS agent can request the
cooperation of neighboring IDS agents through a cooperative
detection engine module, which communicates to other agents
through a secure communication module.
Figure 1: A Model for an IDS Agent
Special Issue Page 39 of 52
International Journal of Computer Information Systems,
Vol. 2, No. 5, 2011
B. Local Intrusion Detection System (LIDS)
Albers et al. [8] proposed a distributed and collaborative
architecture of IDS by using mobile agents. A Local Intrusion
Detection System (LIDS) is implemented on every node for
local concern, which can be extended for global concern by
cooperating with other LIDS. Two types of data are exchanged
among LIDS: security data (to obtain complementary
information from collaborating nodes) and intrusion alerts (to
inform others of locally detected intrusion). In order to analyze
the possible intrusion, data must be obtained from what the
LIDS detect on, along with additional information from other
nodes. Other LIDS might be run on different operating
systems or use data from different activities such as system,
application, or network activities; therefore, the format of this
raw data might be different, which makes it hard for LIDS to
analyze. However, such difficulties can be solved by using
Simple Network Management Protocol (SNMP) data located
in Management Information Base (MIBs) as an audit data
source. Such a data source not only eliminates those
difficulties, but also reduces the increase in using additional
resources to collect audit data if an SNMP agent is already run
on each node. For the methodology of detection, Local IDS
Agent can use either anomaly or misuse detection. However,
the combination of two mechanisms will offer the better
model. Once the local intrusion is detected, the LIDS initiate a
response and inform the other nodes in the network. Upon
receiving an alert, the LIDS can protect itself against the
intrusion.
Figure 2: LIDS Architecture in a Mobile Node
C. Multi-Sensor Intrusion Detection
Kachirski and Guha [9] proposed a multi-sensor intrusion
detection system based on mobile agent technology. The
system can be divided into three main modules, each of which
represents a mobile agent with certain functionality, i.e.,
monitoring, decision-making and initiating a response.
ISSN 2229 5208

Figure 3: Layered Mobile Agent Architecture
 Monitoring agent: Two functions are carried out at
this class of agent: network monitoring and host
monitoring.
 Action agent: Every node also hosts this action agent.
The action agent can initiate a response, such as
terminating the process or blocking the node from
the network, if it meets intrusion activities where it
lives.
 Decision agent: The decision agent is run only on
certain nodes, mostly at the nodes that run network
monitoring agents. If the local detection agent cannot
make a decision on its own due to insufficient
evidence of an intrusion, it will report to this
decision agent in order to investigate deeply on the
suspected node. Since nodes move arbitrarily across
the network, a static hierarchy is not suitable for such
dynamic network topology.
D. Dynamic Intrusion Detection
Sterne et al. [10] proposed a dynamic intrusion detection
hierarchy that is potentially scalable to large networks use
clustering. This method is similar with Kachirski and Guha
[9], but it can be structured in more than two levels. Thus,
nodes on first level are cluster heads, while nodes on the
second level are leaf nodes. In this model, every node has the
task to monitor, log, analyze, respond, and alert or report to
cluster heads. The Cluster heads, in addition, must also
perform: 1) Data fusion/integration and data filtering, 2)
Computations of intrusion, and 3) Security Management.
Figure 4: Dynamic Intrusion Detection Hierarchy
Special Issue Page 40 of 52
International Journal of Computer Information Systems,
Vol. 2, No. 5, 2011
E. Zone Based IDS
B.Sun [11] proposed Zone Based IDS (ZBIDS). In the
system, the MANET is spitted into non overlapping zones
(zone A to zone I). The nodes can be categorized into two
types: the intra zone node and the inter-zone node (or a
gateway node). Each node has an IDS agent run on it. This
agent is similar to the IDS agent proposed by Zhang and Lee.
Others components on the system are data collection module
and detection engine, local aggregation and correlation
(LACE) and global aggregation and correlation (GACE). The
data collection and the detection engine are responsible for
collecting local audit data (for instance, system call activities,
and system log files) and analyzing collected data for any sign
of intrusion respectively. The remainder, LACE module is
responsible for combining the results of these local detection
engines and generating alerts if any abnormal behavior is
detected. These alerts are broadcasted to other nodes within
the same zone. However, for the GACE, its functionality
depends on the type of the node. If the node is an intra-zone
node, it only sends the generated alerts to the inter-zone nodes.
Thus, if the node is an inter-zone node, it receives alerts from
other intra-zone nodes, aggregates and correlates those alerts
with its own alerts, and then generates alarms. The intrusion
response module is responsible for handling the alarms
generated from the GACE.
Figure 5: ZBIDS for MANETs
Figure 6: An IDS agent in ZBIDS
ISSN 2229 5208

V. INTRUSION DETECTION TECHNIQUES FOR
MISBEHAVIOR NODE IN MANETS
Since there is no infrastructure in mobile ad hoc networks,
each node must rely on other nodes for cooperation in routing
and forwarding packets to the destination. Intermediate nodes
might agree to forward the packets but actually drop or modify
them because they are misbehaving. There are several
proposed techniques and protocols to detect such misbehavior
in order to avoid those nodes, and some schemes also propose
punishment as well [16, 17].
Figure 7: How watchdog works: Although node B intends to transmit a packet
to node C, node A could overhear this transmission.
A. Watchdog and Pathrater
Two techniques were proposed by Marti, Giuli, and Baker
[18], watchdog and pathrater, to be added on top of the
standard routing protocol in ad hoc networks. The standard is
Dynamic Source Routing protocol (DSR) [19]. A watchdog
identifies the misbehaving nodes by eavesdropping on the
transmission of the next hop. A pathrater then helps to find the
routes that do not contain those nodes.
In DSR, the routing information is defined at the source
node. This routing information is passed together with the
message through intermediate nodes until it reaches the
destination. Therefore, each intermediate node in the path
should know who the next hop node is. In addition, listening
to the next hop's transmission is possible because of the
characteristic of wireless networks - if node A is within range
of node B, A can overhear communication to and from B.
Figure 7 shows how the watchdog works. Assume that
node S wants to send a packet to node D, which there exists a
path from S to D through nodes A, B, and C. Consider now
that A has already received a packet from S destined to D. The
packet contains a message and routing information. When A
forwards this packet to B, A also keeps a copy of the packet in
its buffer. Then, it promiscuously listens to the transmission of
B to make sure that B forwards to C. If the packet overheard
from B (represented by a dashed line) matches that stored in
the buffer, it means that B really forwards to the next hop
(represented as a solid line). It then removes the packet from
the buffer. However, if there's no matched packet after a
certain time, the watchdog increments the failures counter for
node B. If this counter exceeds the threshold, A concludes that
B is misbehaving and reports to the source node S.
Pathrater performs the calculation of the”path metric" for
each path. By keeping the rating of every node in the network
Special Issue
International Journal of Computer Information Systems,
Vol. 2, No. 5, 2011
that it knows, the path metric can be calculated by combining
the node rating together with link reliability, which is collected
from past experience. Obtaining the path metric for all
available paths, the pathrater can choose the path with the
highest metric. In addition, if there is no such link reliability
information, the path metric enables the pathrater to select the
shortest path too. As a result, paths containing misbehaving
nodes will be avoided. From the result of the simulation, the
system with these two techniques is quite effective for
choosing paths to avoid misbehaving nodes. However, those
misbehaving nodes are not punished. In contrast, they even
benefit from the network. In another word, they can use
resources of the network - other nodes forward packets for
them, while they forward packets for no one, which save their
own resources. Therefore, misbehaving nodes are encouraged
to continue their behaviors.
B. Confidant
Buchegger and LeBoudec [16] proposed an extension to
DSR protocol called CONFIDANT (Cooperation Of Nodes,
Fairness In Dynamic Ad-hoc NeT-works), which is similar to
Watchdog and Pathrater. Each node observes the behaviors of
neighbor nodes within its radio range and learns from them.
This system also solves the problem of Watchdog and
Pathrater such that misbehavior nodes are punished by not
including them in routing and not helping them on forwarding
packets. Moreover, when a node experiences a misbehaving
node, it will send a warning message to other nodes in the
network, defined as friends, which is based on trusted
relationship.
The process of how they work can be divided into two
parts: the process to handle its own observations and the
process to handle reports from trusted nodes.
 From observations: The monitor uses a
“neighborhood watch" to detect any malicious
behaviors within its radio range, i.e., no forwarding,
unusually frequent route update, etc. (This is similar
to the watchdog in the previous scheme) If a
suspicious event is detected, the monitor then reports
to the reputation system. At this point, the reputation
system performs several checks and updates the
rating of the reported node in the reputation table. If
the rating result is unacceptable, it passes the
information to the path manager, which then removes
all paths containing the misbehavior node. An
ALARM message is also sent by the trust manager to
warn other nodes that it considers as friends.
 From trusted nodes: When the monitor receives an
ALARM message from its friends, the message will
first be evaluated by the trust manager for the
trustworthiness of the source node. If the message is
trustworthy, this ALARM message, together with the
Page 41 of 52 ISSN 2229 5208

level of trust, will be stored in the alarm table. All
ALARM messages of the reported node will then be
combined to see if there is enough evidence to
identify that it is malicious. If so, the information
will be sent to the reputation system, which then
performs the same functions as described in the
previous paragraph.
Since this protocol allows nodes in the network to send
alarm messages to each other, it could give more opportunities
for attackers to send false alarm messages that a node is
misbehaving while it's actually not. This is one form of denial
of service attacks.
C. Core
Michiardi and Molva [17] presented a technique to detect
a specific type of misbehaving nodes, which are selfish nodes,
and also force them to cooperate. Similar to those in Section A
and B, this technique is based on a monitoring system and a
reputation system, which includes both direct and indirect
reputation from the system as will be described shortly.
As nodes sometimes do not intentionally misbehave, i.e.,
battery condition is low, these nodes should not be considered
as misbehaving nodes and excluded from the network. To do
this, the reputation should be rated based on past reputation,
which is zero (neutral) at the beginning. In addition,
participation in the network can be categorized into several
functions such as routing discovery (in DSR) or forwarding
packets. Each of these activities has different level of effects
to the network; for example, forwarding packets has more
effect on the performance of the system than that of routing
discovery. Therefore, significance weight of functions should
be used in the calculation of the reputation. Like
CONFIDANT, each node can receive a report from other
nodes. However, the difference is CORE allows only positive
reports to be passed while negative reports are passed in
CONFIDANT. In another word, CORE prevents false
accusation, thus, it also prevents a denial of service attack,
which cannot be done in CONFIDANT. The negative rating is
given to a node only from the direct observation when the
node does not cooperate, which results in the decreased
reputation for that node. The positive rating, in contrast, is
given from both direct observation and positive reports from
other nodes, which results in the increased reputation. CORE
can then be said to have two components, the watchdog
system and the reputation system. The watchdog modules, one
for each function, work the same way as in the previous two
schemes above. For the reputation system, it maintains several
reputation tables, one for each function and one for
accumulated values for each node. Therefore, if there is a
request from a bad reputation node (the overall reputation is
negative), the node will be rejected and not be able to use the
network.
Special Issue Page 42 of 52
International Journal of Computer Information Systems,
Vol. 2, No. 5, 2011
D. Ocean
Bansal and Baker [20] also proposed an extension on top
of the DSR protocol called OCEAN (Observation-based
Cooperation Enforcement in Ad hoc Networks). OCEAN also
uses a monitoring system and a reputation system. However,
in contrast to the previous approaches above, OCEAN relies
only on its own observation to avoid the new vulnerability of
false accusation from second-hand reputation exchanges.
Therefore, OCEAN can be considered as a stand-alone
architecture. OCEAN categorizes routing misbehavior into
two types: misleading and selfish. If a node has participated in
the route discovery but not packet forwarding, this is
considered to be misleading as it misleads other nodes to route
packets through it. But if a node does not even participate in
the route discovery, it is considered to be selfish.
In order to detect and mitigate the misleading routing
behaviors, after a node forwards a packet to a neighbor, it
buffers the packet checksum and monitors if the neighbor
attempts to forward the packet within a given time. Then, a
negative or positive event is given as the result of the
monitoring to update the neighbor rating. If the rating falls
below the faulty threshold, that neighbor node is added to a
faulty list which will be added in the RREQ as an avoid-list. In
addition, all traffic from the faulty neighbor node will be
rejected. Nonetheless, the faulty timeout is used to allow the
faulty node to join back to the network in case that it might be
false accused or it behaves better.
Each node also has a mechanism of maintaining chip
counts for each neighbor to mitigate the selfish behavior. A
neighbor node earns chips when forwarding a packet on behalf
of the node and loses ships when asking the node to forward a
packet. If the chip count of the neighbor is below the
threshold, packets coming from that neighbor will be denied.
V. CONCLUSION AND FUTURE DIRECTIONS
As the use of mobile ad hoc networks (MANET) has
increased, the security in MANETs has become of paramount
importance. With the nature of mobile ad hoc networks,
almost all of the intrusion detection systems (IDSs) are
structured to be distributed and have a cooperative
architecture. The number of new attacks is likely to increase
quickly and those attacks should be detected before they can
do any harm to the systems or data. These features present
new challenges for intrusion detection techniques and as such,
achieving security in ad hoc network is more difficult
compared to wired networks. In this study paper, we briefly
explained the various intrusion detection methods and also
analyzed some challenges and problems of intrusion detection
in MANET. There is an utmost need of a general foundation
for all intrusion detection and supporting activities that can
able to adapt dynamic network conditions. These activities
include detecting all types of attack on MANET; collecting,
ISSN 2229 5208

and correlating intrusion events; responding to intrusions; and
managing intrusion detection and all related functions to cater
for a secure communication.
International Journal of Computer Information Systems,
Vol. 2, No. 5, 2011
[16] S. Buchegger and J. Le Boudec, “Performance Analysis of the CONFI-
DANT Protocol (Cooperation Of Nodes - Fairness In Dynamic Ad-hoc
NeTworks)," Proceedings of the 3rd ACM International Symposium on
Mobile Ad Hoc Networking and Computing (MobiHoc'02), pp. 226-336,
June 2002.

[17] P. Michiardi and R. Molva, “Core: A Collaborative Reputation

REFERENCES
[1] Y. Zhang, W. Lee, and Y. Huang, “Intrusion Detection Techniques for
Mobile Wireless Networks," ACM/Kluwer Wireless Networks Journal (ACM
WINET), Vol. 9, No. 5, September 2003.
[2] A. Mishra, K. Nadkarni, and A. Patcha, “Intrusion Detection in Wire-less
Ad Hoc Networks," IEEE Wireless Communications, Vol. 11, Issue 1, pp. 48-
60, February 2004.
[3] Marjan Kuchaki Rafsanjani, Ali Movaghar, and Faroukh Koroupi
“Investigating Intrusion Detection Systems in MANET and Comparing IDSs
for Detecting Misbehaving Nodes” World Academy of Science, Engineering
and Technology, 44, 2008.
[4] P. Brutch and C. Ko, “Challenges in Intrusion Detection for Wireless Ad-
hoc Networks," Proceedings of 2003 Symposium on Applications and the
Internet Workshop, pp. 368-373, January 2003.
mechanism to enforce node cooperation in Mobile Ad Hoc Networks," Com-
munication and Multimedia Security Conference (CMS'02), September 2002.
[18] S. Marti, T. J. Giuli, K. Lai, and M. Baker, \Mitigating Routing
Misbehavior in Mobile Ad Hoc Networks," Proceedings of the 6th Annual
International Conference on Mobile Computing and Networking (Mo-
biCom'00), pp. 255-265, August 2000.
[19] D. B. Johnson, and D. A. Maltz, ”The Dynamic Source Routing Protocol
for Mobile Ad Hoc Networks (Internet-Draft)," Mobile Ad-hoc Network
(MANET) Working Group, IETF, October 1999.
[20] S. Bansal and M. Baker,”Observation-Based Cooperation Enforcement in
Ad hoc Networks," Research Report cs.NI/0307012, Stanford Uni- versity,
2003.

[5] C. Krugel and T. Toth. “Applying mobile agent technology to intrusion

detection”. In ICSE Workshop on Software Engineering and Mobility, 2001.

[6] T. Anantvalee and J. Wu. “A Survey on Intrusion Detection in Mobile Ad

Hoc Networks”, Book Series Wireless Network Security, Springer, pp. 170 –
196, ISBN: 978-0-387-28040-0 (2007).

[7] A.J. Menezes, S.A. Vanstone, P.C. Van Oorschot, “Handbook of Applied
Cryptography”. CRC Press, Inc., USA (2001)

[8] P. Albers, O. Camp, et al. “Security in Ad Hoc Networks: a General

Intrusion Detection Architecture Enhancing Trust Based Approaches”.
Proceedings of the 1st International Workshop on Wireless Information
Systems (WIS-2002), pp. 1-12, April 2002.

[9] O. Kachirski, R. Guha. “Effective Intrusion Detection Using Multiple

Sensors in Wireless Ad Hoc Networks.” Proceedings of the 36th Hawaii
International Conference on System Sciences (HICSS’03), IEEE, 2003

[10] D. Sterne, P. Balasubramanyam, et al. “A General Cooperative Intrusion

Detection Architecture for MANETs”. In Proceedings of the 3rd IEEE
International Workshop on Information Assurance (IWIA'05), pp. 57-70, 2005

[11] B. Sun, K.Wu, and U. W. Pooch. “Alert Aggregation in Mobile Ad Hoc

Networks”. The 2003 ACM Workshop on Wireless Security in conjuction
with the 9th Annual International Conference on Mobile Computing and
Networking (MobiCom'03), pp. 69-78, 2003

[12] Y. Xiao, X. Shen, and D.Z. Du, Wireless/Mobile Network Security,

Springer, 2006. Ch.7.

[13] A. Karygiannis, E. Antonakakis, and A. Apostolopoulos, “Detecting

critical nodes for MANET intrusion detection systems,” in Proc. 2nd
International Workshop on Security, Privacy and Trust in Pervasive and
Ubiquitous Computing, 2006.

[14] L. Blazevic, L. Buttyan, S. Capkun, S. Giordano, J. Hubaux, and J. Le

Boudec, “Self-organization in mobile ad-hoc networks: the approach of
terminodes,” IEEE Communications Magazine, vol. 39, no. 6, pp. 166–
174, 2001.

[15] M. K. Rafsanjani, A. Movaghar, “Identifying monitoring nodes in

MANET by detecting unauthorized and malicious nodes,” in Proc. 3rd IEEE
Int. Symposium on Information Technology (ITSIM’08), August 2008, pp.
2798-2804.

Special Issue Page 43 of 52 ISSN 2229 5208