You are on page 1of 7

2011 IEEE Symposium on Computers & Informatics

Distributed Cross Layer Approach For Detecting Multilayer Attacks In Wireless Multi- hop Networks
Divya Bansal Asst. Professor, CSE, PEC University of Technology Chandigarh, India Sanjeev Sofat Professor, CSE, PEC University of Technology Chandigarh, India Prafulla Kumar Director, Department of Information Technology Ministry of Communication & Technology. New Delhi, India.

Abstract- To deter internal attacks, Intrusion Detection Systems are the most favorable solutions for detecting intrusions and raising alerts for desired action since using encryption software for secure communication is not enough. A number of intrusion detection systems have been proposed for ad-hoc networks. Such intrusion detection systems cannot perform well for wireless mesh networks due to its multihop decentralized architecture. The selection of optimal and secure routing path and detection of multilayer security attacks cannot be achieved using traditional single layer IDS. Most of the MAC layer attacks occur due to non compliance of protocols by the nodes. Such a malicious behavior cannot be detected using conventional IDS. In this paper, a Cross Layer based Intrusion detection system has been proposed which takes advantage of the information available across different layers of protocol by activating multiple layer monitoring and detection. The proposed Cross layer based IDS is novel in its architecture and is able to detect multi layer attacks of compound nature. It can also detect low intensity attacks and attack switching behaviors which have been the major shortcoming of most of the existing IDS for Wireless Networks. Key words: Wireless Mesh Networks, multi layer attacks, Cross Layer Approach, Intrusion Detection Systems.

I. INTRODUCTION Unlike WLAN, mesh networks are self-configuring systems where each Mesh Point (MP) can relay messages on behalf of others, thus increasing the communication range and available bandwidth. In WLAN, the wireless AP has to be wired to the infrastructure, whereas in WMNs MPs can be connected to the rest of the network by wireless radio links only [1, 2]. WMNs are easy to install, require no cable cost, connections amongst nodes are automatic, offer network flexibility, easy discovery of newly added nodes, redundancy, and self healing reliability. WMNs are important for distributed applications that cannot rely on a fixed infrastructure, but require instant deployment, dynamism, self-configuration and self-organization. Due to the architecture and the characteristics of WMN, attacks and consequences become obvious. WMNs are extremely vulnerable to attacks due to their dynamically changing topology, absence of conventional security infrastructures and open medium of communication, which, unlike their wired counterparts, cannot be secured [5,6]. The past research work has extensively focused on the data confidentiality, integrity and mutual authentication for wireless security. As another essential security requirement,

availability has not been considered sufficiently. Nowadays, Denial of Service (DoS) attacks can reduce the availability of resource and result in massive service disruption. From the point of view of security and management, a robust WMN application should be resilient to DoS attacks and should be able to defend against such attacks launched either by the end devices or other adversaries. DoS attacks appear to be inevitable due to the physical characteristics of wireless links. WMNs suffer from yet another type of attacks which are termed as MAC misbehavior attacks. MAC layer misbehavior can be introduced by several techniques which include tweaking the MAC protocol or not complying with the protocols. These attacks can also affect the availability of resources for other legitimitate nodes leading to DoS attacks. Such a misbehaving technique does not depend upon security weaknesses of the standard. They are simpler and more efficient than known methods for misbehaving in the network [9]. Handling such MAC Layer misbehavior is also an important requirement to prevent DoS attacks and thus guaranteeing service availability. In this paper a cross layer based IDS has been proposed which can successfully detect the mis behaviour attacks for WMN. The attack strategies of smart selfish nodes have been implemented and analyzed. In the first part of this paper it has been demonstrated that most of the MAC misbehavior related attacks are practical to implement in WMN and the range of their practical effectiveness has been investigated on 802.11s standard. The effects of these attacks on network performance and other parameters have also been experimented and analyzed. A new cross layer based distributed and cooperative architecture of IDS for WMN has been proposed. II. RELATED WORK Current research in the area of security and management in WMN is still in early stages. The technology has been implemented mostly in the form of the experimental testbeds with little production use. Most of the IDS which act as an important line of defense have been proposed and implemented for 802.11 WLAN, MANETs or WSNs. Watchers[10] have been proposed for distributed environments. They can detect network traffic anomalies and misbehavior attacks but have huge memory requirements increasing cost. Watchdog & Pathraters [11, 12] detect

978-1-61284-691-0/11/$26.00 2011 IEEE


intrusions for mainly network layer and are based on DSR routing. CONFIDANT [13] is based on reputation based approaches and is efficient mostly for packet dropping attacks. It cannot detect protocol deviation based attacks. Several research efforts have been made in developing approaches based on Cross layer designs [14,15]. The results clearly show that Cross Layer based designs outperform single layer based IDS and are especially efficient for multihop wireless networks. In [14] a cross layer based IDS has been proposed for adhoc networks which can detect attacks at link layer and network layer. However the IDS is host based and does not exploit the advantages offered by WMN. In [16] Cross layer IDS has been proposed for multihop networks. It has been designed mainly for MANETs and WSNs which are highly constrained with energy. In [17] a novel cross layer based IDS has been proposed for WMN which detects attacks based on information collected from different layers. However the current design does not consider attacks based on protocol deviation and the implementation is for local systems and does not examine the performance overheads. In [18] the cross layer IDS called CRADS has been proposed based on non linear machine learning technique. However the design only considers routing attacks. Most of the IDS under research cannot detect attacks of compound form and cannot be directly extended to WMN. This paper introduces Cross Layer based Intrusion Detection System which takes advantage of the information available across different layers of protocol by activating multiple layer monitoring and detection. The proposed Cross layer based IDS is novel in its architecture and is able to detect multi layer attacks of compound nature and attack switching behaviors which have been the major limitation of most of the existing IDS for Wireless Networks. III. THREAT MODEL AND ASSUMPTIONS Standard protocols are implemented in the form of software and firmware improvising higher flexibility thus making wireless network devices easily programmable. An attacker can tamper with software and firmware to modify its default parameters ultimately forcing the protocol to deviate from its normal intended behavior. The objective, however, may vary from a selfish user trying to obtain better access to the valuable wireless resources such as bandwidth, channel access, etc to a malicious user attempting to disrupt network services to other legitimate users. As already discussed WMN are susceptible to many kind of threats. In our threat model it is assumed that an attacker can launch any attack or combination of attacks compounding the attack scenario. Our threat model considers attacks at both routing layer and MAC layer and is specified in Table I. In a mesh network, the MAC layer has to ensure that no station is starved of bandwidth. Ensuring fairness includes two distinct aspects: access to the radio channel and access for traffic forwarded through a given station. The former is the MAC layers responsibility, and the latter falls to the routing or path-selection protocols [3]. The attacks considered in our threat model are described in next sub section.

Layer Routing Layer MAC Layer

TABLE I THREAT MODEL Associated Parameters Attacks Optimal & Secure Path Packet dropping and route Selection misdirection leading to blackhole, greyhole, wormhole Fairness, bandwidth, Unfairness, Selfish MAC throughput, media access delay

A. Routing Layer Attacks Packet Dropping: The adversary node can drop packets resulting in denial of service to the destination node. Any of the control or data packets can be dropped by the attacker node. This directly affects the availability of resources for the source node whose packets were dropped. Route Misdirection: This attack occurs when an attacker node forwards the packet of the source node to a wrong destination node. This also affects the availability of resources for the source node whose packets were misdirected. B. MAC Layer Attacks: Misbehaving nodes in WMN typically misbehave to improve their own performance which includes nodes that refuse to forward packets on behalf of other nodes in order to conserve energy. Greedy nodes may exploit the vulnerabilities of IEEE 802.11 to increase their share of bandwidth at the expense of other users. The possible attacks due to MAC misbehavior have been explained below [4, 8]: 1. Shorter than DIFS Time Attack (ShDIFS): In 802.11 networks, the stations before sending the packets and after sensing the channel to be idle wait for Distributed Coordination Function Inter Frame Spacing (DIFS) amount of time in order to avoid collision. DIFS is equal to 2*slot time + SIFS. However as per the protocol, whenever the channel is sensed to be idle sender node should not send data before waiting for the required DIFS amount of time slots. While performing shorter than DIFS attack, the malicious node instead of waiting for DIFS amount of time either waits for SIFS amount of time or equal to slot time. It thus helps the attacker in getting faster access to the channel. Meanwhile all the other stations as per the protocol wait for DIFS amount of time before starting their backoff timers. The malicious node waits for only SIFS amount of time and starts its backoff timer. The misbehaving node thus gets the priority of accessing the media thereby delaying the media access of other competing nodes. 2. Oversized NAV Attack (ONAV): In 802.11, to avoid collisions prior to sending packets, the stations send RTS(Request to Send) and CTS (Clear to Send). On listening to these RTS and CTS the nodes in the vicinity of communicating nodes stop their transmissions and set their net allocation vector fields (NAV) as per the duration id specified in RTS/CTS. The duration field in RTS/CTS specifies the period for which communication will takes place between the sender and the receiver (sending RTS and CTS) and for that specified duration the neighboring nodes suspend their transmission. In case of oversized NAV attack, the attacker


node sets the duration field value to a maximum possible value repeatedly. The receiving nodes update their NAV according to the received duration value. As a consequence, if the misbehaving node has more packets to transmit, it may get access to the channel for a longer duration as compared to other well-behaving nodes thereby increasing its throughput and reducing its latency compromising the fair access to channel by other legitimate stations. Another purpose of setting maximum NAV is to keep the channel occupied so that no other node is able to access the channel. Reduced backoff Value Attack (Rboff): Reduced backoff attack is another type of attack in which the attacker node deviates from the protocol. According to 802.11 MAC protocol, all the nodes desirous of transferring data select a random backoff time from a fixed contention window (for 802.11a CWmin=15 and CWmax=1023 while in case of 802.11b/g CWmin=31 and CWmax=1023) and then waits for the selected time before the packet transmission. In case of collisions and subsequent retransmissions, backoff interval is increased according to the predefined set of rules. In case of reduced backoff attack, the attacker does not follow the predefined contention window or the contention window used by the other nodes. Instead it follows a smaller contention window (say CWmin=1 and CWmax=4). By using the smaller backoff values, the attacker node will be able to access the channel more often than the legitimate and well behaved neighboring nodes. The advantage of selecting the smaller contention window is that even after collision when the node is required to double the size of backoff, the attacker node has a small impact. This is so because the initial size of contention window chosen by attacker node is quite small and hence the backoff value remains smaller than other nodes even if it doubles after the collision. Thus, the misbehaving node attains faster access to the channel in comparison to other competing well behaved nodes. C. Implementation of Threat Model To study the impact of the attacks on the draft IEEE 802.11s, various attacks were implemented in Qualnet 4.5 [7] which otherwise were not available as a part of the standard library. In the scenario simulated for evaluating the attacks, two nodes have been configured as backbone network which are connected to a mesh portal. Two nodes are configured as both AP and MPs as they receive data from 802.11 STA and then forward them using the MPs. Thus configuring them as AP helps them in being able to receive data from the stations which follow 802.11 MAC protocol and MP configuration helps them in forwarding packets between MPs. Eight nodes 6have been configured as stations which are communicating with each other at application level. One node has been configured as the root MP while four nodes have been configured as are MPs. The initialization time for sending data is set to 13 sec since MPs take around 12sec to create the path amongst them and if the data is sent at the same time then there are chances of collisions between the mesh path formation data and data of the stations. The CBR links are 3.

established between the nodes: Node 8 ->11, Node 12->7, Node 10->13, Node 6->9. Node 6 is configured as the attacker node and the results are observed at 4 different seed values. Seed is a random number generator which is used to validate the results. There are certain cases when the seed favors a particular node and hence the effect of attack is visible but is very marginal. While performing the attacks different number of packets i.e. 25, 35, 45, 60, 75, 100 and 500 are used and then their average is considered. To study the impact on different parameters of malicious node pair, duration field of NAV of the malicious sender was increased and the graph was plotted for difference in throughput obtained after and before the attack. In oversized NAV attack the default value of duration field is 3030 microseconds. To perform the attack the value of duration field is multiplied by 60. Thus the new value of duration field is 60*3030 microseconds. To study the impact of backoff attack on malicious node pair, backoff of the malicious sender was decreased and the graph was plotted for difference in average end to end delay after and before the launch of attack. In reduced backoff attack, the attack is performed by reducing the contention window size of attacker node. The default contention window is CWmin = 31 and CWmax = 1023. To perform the attack, the attacker nodes contention window time was reduced to: CWmin = 1 and CWmax = 4. To study the impact of ShDIFFS attack of malicious node pair, the malicious node was made to wait for time shorter than DIFS (DCF Inter Frame Spacing) and the graph was plotted for difference in number of packets received

Figure 1: Difference in throughput after and before attack

after and before the launch of attack. In shorter than DIFS attack, the attack is performed by reducing both the DIFS waiting time and Tx DIFS time to SIFS time. The value of DIFS for legitimate node is SIFS + (2* Slot Time) and for Tx DIFS is also txSIFS + (2* Slot Time). When the attack is performed the value for malicious node is kept as DIFS = SIFS and txDIFS = txSIFS.


Figure 2: Difference in average E2E Delay after and before attack

Figure 3: Difference in received packets after and before attack

Throughput: From the Figure 1 it can be seen that there is an increase in the average throughput of the node 9, which receives packets from the attacker node while for all other nodes the throughput either decreases or remains constant. This is attributed to the fact that the attacker node sets a higher value of duration field completely occupying the channel resulting in a decreased throughput for other nodes and hence favorable network conditions. This results in a faster transfer of bits with lesser collisions and hence improved throughput. End to End Delay(E2E): End-to-end delay refers to the time taken for a packet to be transmitted across a network from source to destination. It includes transmission delay, propagation delay and processing delay. The processing delay also includes the queuing delay which is a key component of network delay. It is the time for which the packet remains in queue till it can be executed. The impact of oversized NAV attack, Rboff attack and ShDIFS attack on E2E delay is shown in Figure 2. In case of ONAV attack, higher value of duration field set by malicious node decreases the E2E delay of the malicious node. This is because the channel access time for malicious node decreases in this case and so does the time between two consecutive packets of the malicious node. As a result, the malicious node is able to send more number of packets after a single RTS. This in turns increases the E2E delay of the legitimate nodes because the malicious node occupies the channel for higher duration due to which the contention period for legitimate nodes increases, raising the channel access time. The packets remain queued for a longer duration for other legitimate nodes leading to higher E2E delay. Similarly, for Rboff attack, end to end delay has decreased for the malicious node pair since the malicious node is able to acquire the channel on highest priority. This is so because it deviated from the protocol and waited for a very small backoff time and hence started its transmission of packets much earlier. The packets of malicious node did not have to wait in the queue for long and also the contention time for the node was also the lowest reducing the average end to end delay of the malicious node to be the minimal. Meanwhile for all other legitimate nodes the end to end delay has

increased due to increased contention time and hence higher queuing delay. Similarly for ShDIFF attack, it can be seen that average E2E delay for the malicious node has decreased considerably in comparison to the legitimate nodes. This attributes to the fact that malicious node is able to acquire the channel faster and more frequently. While the packets of all other legitimate nodes had to wait in the queue till the channel gets idle. Further, since the other nodes contest at the same time so the number of retransmissions of other nodes also increase which results in overall increase in E2E delay of the legitimate node. Total number of received packets: As seen from the Figure 3 the total number of packets received by the malicious node pair is highest in case of both Rbof and ShDIFS attack. This is so because the attacker node waits for least amount of time to access the channel and also acquires the access to the channel more frequently and thus sends more number of packets as compared to other legitimate nodes in the network. Meanwhile, received total number of packets for all other nodes in the network have been decreased. This attributes to the fact that since the malicious node waited for the smallest amount of time (as all other nodes waited for DIFS or higher backoff), it could get an access to the channel faster and more frequently and hence was able to send its packets without collisions and retransmissions. All other nodes had been waiting for the channel to get idle since malicious node could always acquire the channel first by the virtue of protocol deviation, so the packets to be sent for all other legitimate nodes remain queued up. As soon as the contention period starts, all the nodes start contesting after long waiting leading to more number of collisions and hence more retransmissions, due to which the total number of packets of legitimate nodes decreases as compared to that of malicious node. IV. CROSS LAYER BASED INTRUSION DETECTION FOR WMN In the present work, cross layer intrusion detection system or CIDS is designed to determine the attacks which seek parameters from one layer but their effects are visible on the other layer. These attacks are difficult to detect when a single layer IDS is used because such attacks mainly take place


between two layers and hence cannot be determined by single layer IDS. CIDS can be employed to detect such attacks which take place between two layers. In IEEE 802.11s (draft), routing is embedded over MAC layer and below network layer. It uses some parameters from MAC layer but do not use entire functions of MAC layers to perform path selection and forwarding. Since mesh layer lies between MAC and network layer hence there are some attacks which cannot be detected by single layer IDS developed for either of these layers. This is so because protocol at mesh layer use parameters from MAC layer but their effect is seen in layer above i.e. mesh layer. The WLAN Mesh protocol layer supports set of services which include control, management, and other operation, including the transport of MSDUs between MPs within the WLAN Mesh. This cross layer interactions can therefore enable IDS to make more informed decision about the intrusion in the network. The design goals of Cross layer Intrusion detection system are as follows: - Increase true positives by correlating information from multiple layers - Detect multi layer attacks targeting different layers in protocol stack - Increase detection accuracy by selecting parameters from MAC layer and network layer The proposed design architecture exercises two levels of intrusion detection. Level-I detection monitor intrusions at a single layer and informs other layers. Level-II detection detects multiple intrusions at the same layer using information received from other layers. To confirm the suspicious behaviour of the malicious nodes, the information obtained from various layers of protocol stack are combined and analyzed. Collecting information from different layers increases information about the malicious node thus aiding in identifying malicious nodes with more accuracy. A. Components of CIDS The proposed cross layer intrusion detection approach shall have following components: - Monitoring Component: This is used for local events monitoring. The monitoring component will implement the detection algorithm. Algorithm is the core component and the efficiency and accuracy of detecting and responding intrusion is totally dependent on the underlying algorithm. - Intrusion database: It consists of the records of recent misbehaviours and reputation value of the neighbouring nodes. The monitoring algorithm will generate a suspicious list based on the monitoring results of single layer. This will go as input to the analysis engine for further processing. This list is also sent to all neighbours who can use it as additional information and decide its own response. - Analysis Engine: It collects inputs from multiple layers in the form of suspicious list. It will correlate information to confirm intrusions. The complexity of the analysis engine will depend upon the environment for which IDS has to

be deployed. However for simplicity we have considered statistical approaches in our analysis engine. The analysis engine will update the intrusion list after confirming the status of the misbehaving node. Response component: It is used to respond in case intrusion is detected. The response in the form of global intrusion list is broadcasted to all the nodes. The list is also protected using PTK/GTK like other data packets to ensure integrity of the list. The working of the CIDS is shown in the form of a flowchart in Figure 4. The algorithms which will be used for monitoring and hence detection of attacks considered have been given in Table II.

TABLE II MONITORING ALGORITHMS Algorithm for detection of reduced backoff attack Determine the time of last ACK received, Tack Determine the time of last ACK received, Tack Determine the time of latest RTS sent, Trts Determine if the node id of the receiver of ACK and the sender of RTS is same If the node id is same Then determine k = (Trts Tack) -DIFS If (k<31) f(ks,kw)=

malicious list if ks Well behaved if ks

Set SA = ks

and kw and kw

k k

p p

//where 31 is the CW min for 802.11a/g

Then node will be declared as malicious

//SA is the selfish Aspect; WA is the Well behaved aspect

Algorithm for detection of shorter then DIFS attack Determine the time of last ACK received, Tack Determine the time of last ACK received, Tack Determine the time of latest RTS sent, Trts Determine if the node id of the receiver of ACK and the sender of RTS is same If the node id is same Then determine k = (Trts Tack) Backoff time If (k< Min. calculated DIFS time) f(ks,kw)=

malicious list if ks Well behaved if ks

Set SA = ks

and kw and kw

k k

p p

//DIFS=SIFS+2*slot time

Algorithm for detection of Oversized NAV Attack Determine the duration field of received RTS, Drts for k transmissions If (Drts <=3031). //duration field for f(ks,kw)= data packet is constant, in case of malicious list if ks and kw k p normal node it is Well behaved if ks and kw k p 3030 // ks: SA, kw: WA //SA is the Selfish Set SA = ks Aspect denoting reputation at the monitor node Algorithm for detection of Packet Dropping Packet drop is found, denote it as suspected node If (source add. of packet drop suspicious list)

//Packet drop can be monitored using watchdog/ pathrater //Packet dropping


Initiate route discovery from itself to original destination If suspected node newroute No Congestion Attack detected and declared as the malicious node, insert the node details in suspicious list Else : Node is congested Algorithm for detection of Route Misdirection If node forwards packets if ( source address of forwarded packet == source address sent by itself) If ( DA of pkt DA of original pkt ) Detect node as misdirecting packets to a different destination

could be due to source nodes malicious behavior //Existence of suspected node in new route implies no Congestion //Packet drop due to malicious node

agent works on Mesh portal on the basis of information collected from mesh IDS agents (MPs) as well as its own collected information. Mesh portal collects all such local intrusion lists, performs analysis and generates a global intrusion list along with the reaction to be taken for each malicious node. This list is received by all the mesh points that will follow the reaction as specified in the global intrusion list. In case of multiple mesh portals, multiple global lists will evolve. The three tier architecture is shown in figure 5. CONCLUSION In this paper it has been demonstrated that most of the misbehavior related attacks are practical to implement in WMN. The results show that the selfish nodes can achieve significant resources by deviating from the standard media access protocols degrading the performance of well behaved nodes. Our proposed detection model for selfish MAC misbehavior stacks detects can detect these attacks by considering several parameters at different layers. The proposed cross layer Intrusion Detection System can detect




A new type of architecture called asymmetric distributed and cooperative IDS is proposed for WMN environment which
Network Layer


MAC Layer Monitoring Suspicious List Analysis Engine


Intrusion Found? YES


Report to Mesh Router

Local Intrusion List Figure 4: Working of IDS

Broadcast to neighbors

Figure 5: Two-Tier IDS Architecture

complements the hierarchical structure of WMN. IDS deployed in each tier of WMN will use distributed collaborative approach to monitor and analyze traffic, however there shall be different responsibilities for different nodes (MPs/MAPs/MPPs). Three-Tier Architecture has been designed for environments with relatively higher scale of mesh deployments where MAPs and MPs have different functionality and mesh spans across much larger areas. In this case MAPs will perform the monitoring and send the information to their MPs as per the hierarchy. The receiving MPs will perform monitoring as well as detect local level intrusions and hence trigger local intrusion lists to be used by their neighbours as well as MAPs in their domains. Each one is independently responsible for local intrusion, and the neighboring nodes cooperatively monitor a wider scope or realize rapid detection. But the response is local. The information so generated by MPs will also be sent to the mesh portal for further analysis. IDS central

multilayer internal attacks of compound nature which are very difficult to circumvent using traditional single layer based IDS.. ACKNOWLEDGMENT This work is done in Cyber Security Research Center (CSRC), PEC University of Technology. The authors would like to thank Government of India, Ministry of Communications and Information Technology, Department of Information Technology, New Delhi, for funding the Project Design and Development of Dependable, Secure and Efficient Protocol for Wireless Mesh Network(WMN), under which this research work has been done.

REFERENCES G. R. Hiertz, S. Max, R. Zhao, D. Dee, L. Berlemann, Principles of IEEE 802.11s, in proceedings of 16th International Conference on Computer Communications and Networks (ICCCN), Honolulu, Hawaii, USA, Aug. 2007.



[3] [4] [5] [6] [7] [8] [9] [10] [11] [12]




[16] [17]


G. R. Hiertz, S. Max, T. Junge, L. Berlemann, D. Denteneer, S. Mangold, and B. Walke, Wireless Mesh Networks in the IEEE LMSC in Proceedings of the Global Mobile Congress 2006, Beijing, China, Oct.2006, pp. 6. S.M. Faccin, C. Wijting, J. Kenckt, A. Damle, Mesh WLAN networks: concept and system design, IEEE Wireless Communications, Apr 2006. L. Guang and C. Assi. On the resiliency of ad hoc networks to MAC layer misbehavior", in Workshop on PE-WASUN, ACM MsWiM, October 2005. Akyildiz, I.F.; Xudong Wang A survey on wireless mesh networks in Communications Magazine, IEEE Volume 43, Issue 9, Sept. 2005 Page(s): S23 - S30 . F. Akyildiz, X.Wang, W. Wang, Wireless mesh network: a survey, Computer Networks, Volume 47, Issue 4, 15 March 2005, Pages 445487. M. Raya, J. P. Hubaux, and I. Aad, DOMINO: Detecting MAC Layer Greedy Behavior in IEEE 802.11 Hotspots, to appear in IEEE Trans. Mobile Computing, 2006. Lei Guang, Chadi Assi and Abderrahim Benslimane, MAC Layer Misbehavior in Wireless Networks: Challenges and Solutions IEEE Wireless Communications, Aug 2008. Chen M., Kuo S., Li P., and Zhu M., Intrusion Detection in Wireless Mesh Networks, CRC Press, 2007. Caballero J., Vulnerabilities of Intrusion Detection Systems in Mobile Ad-hoc Networks: The Routing Problem, in Proceedings of TKK T-110.5290 Seminar on Network Security, Japan,pp. 1-2, 2006. Rafsanjani K., Movaghar A., and Koroupi F., Investigating Intrusion Detection Systems in MANET and Comparing Idss for Detecting Misbehaving Nodes, in proceedings of World Academy of Science, Engineering and Technology, Canada, pp. 123-128, 2008. S. Buchegger, J-Y. Le Boudec, Performance analysis of the CONFIDANT protocol (Cooperation of Nodes: Fairness in Dynamic Ad-hoc Networks), 3rd ACM Int. Symp. on Mobile Ad Hoc Networks and Computing, Switzerland, 2002, pp. 226-236. Geethapriya Thamilarasu, Ramalingam Sridhar, "CIDS: cross-layer intrusion detection system for mobile ad hoc networks", International Journal of Mobile Network Design and Innovation 2009 - Vol. 3, No.1 pp. 10 - 20 Jim Parker, Anand Patwardhan, Anupam Joshi Cross-layer Analysis for Detecting Wireless Misbehavior Consumer Communications and Networking Conference, 2006. CCNC 2006. 3rd IEEE, Vol. 1, Jan. 2006, pp. 6 9 Shafiullah Khan, Kok Keong Loo, Zia Ud Din, Cross layer design for routing and security in multi-hop wireless networks in Journal of Information Assurance and Security 4 (2009) pp.170-173. Xia Wang, Johnny S. Wong, Fred Stanley, Samik Basu, "Cross-Layer Based Anomaly Detection in Wireless Mesh Networks," saint, pp.915, 2009 Ninth Annual International Symposium on Applications and the Internet, 2009 C.J. John Felix*, A.Das, B.C.Seet*, B.S.Lee, 2008, CRADS: Integrated Cross Layer Approach for Detecting Routing Attacks in MANETs, IEEE Wireless Communications and Networking Conference (WCNC) 2008.