Mobile Ad Hoc Network Intrusion Detection System (IDS)

Published Date: 02 Mar 2018

Chapter 1

1. Introduction

Mobile ad hoc networks (MANETs) and wireless sensor networks (WSNs) are relatively new communication paradigms. MANETs do not require expensive base stations or wired infrastructure. Nodes within radio range of each other can communicate directly over wireless links, and those that are far apart use other nodes as relays. Each host in a MANET also acts as a router as routes are mostly multichip. The lack of fixed infrastructure and centralized authority makes a MANET suitable for a broad range of applications in both military and civilian environments. For example, a MANET could be deployed quickly for military communications in the battlefield.

A MANET also could be deployed quickly in scenarios such as a meeting room, a city transportation wireless network, for fire fighting, and so on. To form such a cooperative and self configurable network, every mobile host should be a friendly node and willing to relay messages for others. In the original design of a MANET, global trustworthiness in nodes within the whole network is a fundamental security assumption. Recent progress in wireless communications and micro electro mechanical systems (MEMS) technology has made it feasible to build miniature wireless sensor nodes that integrate sensing, data processing, and communicating capabilities. These miniature wireless sensor nodes can be extremely small, as tiny as a cubic centimeter. Compared with conventional computers, the low-cost, battery-powered, sensor nodes have a limited energy supply, stringent processing and communications capabilities, and memory is scarce.

The design and implementation of relevant services for WSNs must keep these limitations in mind. Based on the collaborative efforts of a large number of sensor nodes, WSNs have become good candidates to provide economically viable solutions for a wide range of applications, such as environmental monitoring, scientific data collection, health monitoring, and military operations.

Despite the wide variety of potential applications, MANETs and WSNs often are deployed in adverse or even hostile environments. Therefore, they cannot be readily deployed without first addressing security challenges. Due to the features of an open medium, the low degree of physical security of mobile nodes, a dynamic topology, a limited power supply, and the absence of a central management point, MANETs are more vulnerable to malicious attacks than traditional wired networks are. In WSNs, the lack of physical security combined with unattended operations make sensor nodes prone to a high risk of being captured and compromised, making WSNs vulnerable to a variety of attacks.

A mobile ad hoc network (MANET) is a self-configuring network that is formed automatically by a collection of mobile nodes without the help of a fixed infrastructure or centralized management. Each node is equipped with a wireless transmitter and receiver, which allow it to communicate with other nodes in its radio communication range. In order for a node to forward a packet to a node that is out of its radio range, the cooperation of other nodes in the network is needed; this is known as multi-hop communication.

Therefore, each node must act as both a host and a router at the same time. The network topology frequently changes due to the mobility of mobile nodes as they move within, move into, or move out of the network.

A MANET with the characteristics described above was originally developed for military purposes, as nodes are scattered across a battlefield and there is no infrastructure to help them form a network. In recent years, MANETs have been developing rapidly and are increasingly being used in many applications, ranging from military to civilian and commercial uses, since setting up such networks can be done without the help of any infrastructure or interaction with a human. Some examples are: search-and-rescue missions, data collection, and virtual classrooms and conferences where laptops, PDA or other mobile devices share wireless medium and communicate to each other. As MANETs become widely used, the security issue has become one of the primary concerns. For example, most of the routing protocols proposed for MANETs assume that every node in the network is cooperative and not malicious [1]. Therefore, only one compromised node can cause the failure of the entire network.

There are both passive and active attacks in MANETs. For passive at tacks, packets containing secret information might be eavesdropped, which violates confidentiality. Active attacks, including injecting packets to invalid destinations into the network, deleting packets, modifying the contents of packets, and impersonating other nodes violate availability, integrity, authentication, and non-repudiation. Proactive approaches such as cryptography and authentication were first brought into consideration, and many techniques have been proposed and implemented. However, these applications are not sufficient. If we have the ability to detect the attack once it comes into the network, we can stop it from doing any damage to the system or any data. Here is where the intrusion detection system comes in.

Intrusion detection can be defined as a process of monitoring activities in a system, which can be a computer or network system. The mechanism by which this is achieved is called an intrusion detection system (IDS). An IDS collects activity information and then analyzes it to determine whether there are any activities that violate the security rules. Once AN ID determines that an unusual activity or an activity that is known to be an attack occurs, it then generates an alarm to alert the security administrator. In addition, IDS can also initiate a proper response to the malicious activity. Although there are several intrusion detection techniques developed for wired networks today, they are not suitable for wireless networks due to the differences in their characteristics. Therefore, those techniques must be modified or new techniques must be developed to make intrusion detection work effectively in MANETs.

In this paper, we classify the architectures for IDS in MANETs, each of which is suitable for different network infrastructures. Current intrusion detection systems corresponding to those architectures are reviewed and compared.

Chapter 2

Background

2.1 Intrusion Detection System (IDS)

Many historical events have shown that intrusion prevention techniques alone, such as encryption and authentication, which are usually a first line of defense, are not sufficient. As the system become more complex, there are also more weaknesses, which lead to more security problems. Intrusion detection can be used as a second wall of defense to protect the network from such problems. If the intrusion is detected, a response can be initiated to prevent or minimize damage to the system.

To make intrusion detection systems work, basic assumptions are made. The first assumption is that user and program activities are observable. The second assumption, which is more important, is that normal and intrusive activities must have distinct behaviors, as intrusion detection must capture and analyze system activity to determine if the system is under attack.

Intrusion detection can be classified based on audit data as either host- based or network-based. A network-based IDS captures and analyzes packets from network tra±c while a host-based IDS uses operating system or application logs in its analysis. Based on detection techniques, IDS can also be classified into three categories as follows [2].

Anomaly detection systems: The normal profiles (or normal behaviors) of users are kept in the system. The system compares the captured data with these profiles, and then treats any activity that deviates from the baseline as a possible intrusion by informing system administrators or initializing a proper response.

Misuse detection systems: The system keeps patterns (or signatures) of known attacks and uses them to compare with the captured data. Any matched pattern is treated as an intrusion. Like a virus detection system, it cannot detect new kinds of attacks.

Specification-based detection: The system defines a set of constraints that describe the correct operation of a program or protocol. Then, it monitors the execution of the program with respect to the defined constraints.

2.2 Intrusion Detection in MANETs

Many intrusion detection systems have been proposed in traditional wired networks, where all track must go through switches, routers, or gateways. Hence, IDS can be added to and implemented in these devices easily [17, 18]. On the other hand, MANETs do not have such devices. Moreover, the medium is wide open, so both legitimate and malicious users can access it. Furthermore, there is no clear separation between normal and unusual activities in a mobile environment. Since nodes can move arbitrarily, false routing information could be from a compromised node or a node that has outdated information. Thus, the current IDS techniques on wired networks cannot be applied directly to MANETs. Many intrusion detection systems have been proposed to suit the characteristics of MANETs, some of which will be discussed in the next sections.

2.3 Architectures for IDS in MANETs

The network infrastructures that MANETs can be configured to are either at or multi-layer, depending on the applications. Therefore, the optimal IDS architecture for a MANET may depend on the network infrastructure itself [9]. In an network infrastructure, all nodes are considered equal, thus it may be suitable for applications such as virtual classrooms or conferences. On the contrary, some nodes are considered different in the multi-layered network infrastructure. Nodes may be partitioned into clusters with one cluster head for each cluster. To communicate within the cluster, nodes can communicate directly. However, communication across the clusters must be done through the cluster head. This infrastructure might be well suited for military applications.

2.3.1 Stand-alone Intrusion Detection Systems

In this architecture, an intrusion detection system is run on each node independently to determine intrusions. Every decision made is based only on information collected at its own node, since there is no cooperation among nodes in the network. Therefore, no data is exchanged. Besides, nodes in the same network do not know anything about the situation on other nodes in the network as no alert information is passed. Although this architecture is not elective due to its limitations, it may be suitable in a network where not all nodes are capable of running IDS or have IDS installed. This architecture is also more suitable for an network infrastructure than for multi-layered network infrastructure. Since information on each individual

node might not be enough to detect intrusions, this architecture has not been chosen in most of the IDS for MANETs.

2.3.2 Distributed and Cooperative Intrusion Detection Systems

Since the nature of MANETs is distributed and requires cooperation of other nodes, Zhang and Lee [1] have proposed that the intrusion detection and response system in MANETs should also be both distributed and cooperative as shown in Figure 1. Every node participates in intrusion detection and response by having an IDS agent running on them. An IDS agent is responsible for detecting and collecting local events and data to identify possible intrusions, as well as initiating a response independently. However, neighboring IDS agents cooperatively participate in global intrusion detection actions when the evidence is inconclusive. Similarly to stand-alone IDS architecture, this architecture is more suitable for a network infrastructure, not multi-layered one.

2.3.3 Hierarchical Intrusion Detection Systems

Hierarchical IDS architectures extend the distributed and cooperative IDS architectures and have been proposed for multi-layered network infrastructures where the network is divided into clusters. Clusterheads of each cluster usually have more functionality than other members in the clusters, for example routing packets across clusters. Thus, these cluster heads, in some sense, act as control points which are similar to switches, routers, or gateways in wired networks. The same concept of multi-layering is applied to intrusion detection systems where hierarchical IDS architecture is proposed.

Each IDS agent is run on every member node and is responsible locally for its node, i.e., monitoring and deciding on locally detected intrusions. A clusterhead is responsible locally for its node as well as globally for its cluster, e.g. monitoring network packets and initiating a global response when network intrusion is detected.

2.3.4 Mobile Agent for Intrusion Detection Systems

A concept of mobile agents has been used in several techniques for intrusion detection systems in MANETs. Due to its ability to move through the large network, each mobile agent is assigned to perform only one specific task, and then one or more mobile agents are distributed into each node in the network. This allows the distribution of the intrusion detection tasks. There are several advantages for using mobile agents [2]. Some functions are not assigned to every node; thus, it helps to reduce the consumption of power, which is scarce in mobile ad hoc networks.

It also provides fault tolerance such that if the network is partitioned or some agents are destroyed, they are still able to work. Moreover, they are scalable in large and varied system environments, as mobile agents tend to be independent of platform architectures. However, these systems would require a secure module where mobile agents can be stationed to. Additionally, mobile agents must be able to protect themselves from the secure modules on remote hosts as well.

Mobile-agent-based IDS can be considered as a distributed and cooper ative intrusion detection technique as described in Section 3.2. Moreover, some techniques also use mobile agents combined with hierarchical IDS, for example, what will be described in Section 4.3.

2.4 Sample Intrusion Detection Systems for MANETs

Since the IDS for traditional wired systems are not well-suited to MANETs, many researchers have proposed several IDS especially for MANETs, which some of them will be reviewed in this section.

2.4.1 Distributed and Cooperative IDS

As described in Section 3.2, Zhang and Lee also proposed the model for distributed and cooperative IDS as shown in Figure 2 [1].

The model for an IDS agent is structured into six modules.

• The local data collection module collects real-time audit data, which includes system and user activities within its radio range. This collected data will be analyzed by the local detection engine module for evidence of anomalies. If an anomaly is detected with strong evidence, the IDS agent can determine independently that the system is under attack and initiate a response through the local response module (i.e., alerting the local user) or the global response module (i.e., deciding on an action), depending on the type of intrusion, the type of network protocols and applications, and the certainty of the evidence. If an anomaly is detected with weak or inconclusive evidence, the IDS agent can request the cooperation of neighboring IDS agents through a cooperative detection engine module, which communicates to other agents through a secure communication module.

2.4.2 Local Intrusion Detection System (LIDS)

Albers et al. [3] proposed a distributed and collaborative architecture of IDS by using mobile agents. A Local Intrusion Detection System (LIDS) is implemented on every node for local concern, which can be extended for global concern by cooperating with other LIDS. Two types of data are exchanged among LIDS: security data and intrusion alerts. In order to analyze the possible intrusion, data must be obtained from what the LIDS detect, along with additional information from other nodes. Other LIDS might be run on different operating systems or use data from different activities such as system, application, or network activities; therefore, the format of this raw data might be different, which makes it hard for LIDS to analyze. However, such difficulties can be solved by using SNMP (Simple Network Management Protocol) data located in MIBs (Management Information Base) as an audit data source. Such a data source not only eliminates those difficulties, but also reduces the in-Figure 3: LIDS Architecture in A Mobile Node [3] crease in using additional resources to collect audit data if an SNMP agent is already run on each node.

To obtain additional information from other nodes, the authors proposed mobile agents to be used to transport SNMP requests to other nodes. In another words, to distribute the intrusion detection tasks. The idea differs from traditional SNMP in that the traditional approach transfers data to the requesting node for computation while this approach brings the code to the data on the requested node. This is initiated due to untrustworthiness of UDP messages practiced in SNMP and the active topology of MANETs. As a result, the amount of exchanged data is tremendously reduced. Each mobile agent can be assigned a specific task which will be achieved in an autonomous and asynchronous fashion without any help from its LIDS. The LIDS architecture is shown in Figure 3, which consists of ² Communication Framework: To facilitate for both internal and external communication with a LIDS.

• Local LIDS Agent: To be responsible for local intrusion detection and local response. Also, it reacts to intrusion alerts sent from other nodes to protect itself against this intrusion.
• Local MIB Agent: To provide a means of collecting MIB variables for either mobile agents or the Local LIDS Agent. Local MIB Agent acts as an interface with SNMP agent, if SNMP exists and runs on the node, or with a tailor-made agent developed specifically to allow up- dates and retrievals of the MIB variables used by intrusion detection, if none exists.
• Mobile Agents (MA): They are distributed from its LID to collect and process data on other nodes. The results from their evaluation are then either sent back to their LIDS or sent to another node for further investigation.
• Mobile Agents Place: To provide a security control to mobile agents.
• For the methodology of detection, Local IDS Agent can use either anomaly or misuse detection. However, the combination of two mechanisms will offer the better model. Once the local intrusion is detected, the LIDS initiate a response and inform the other nodes in the network. Upon receiving an alert, the LIDS can protect itself against the intrusion.

2.4.3 Distributed Intrusion Detection System Using Multiple Sensors

Kachirski and Guha [4] proposed a multi-sensor intrusion detection system based on mobile agent technology. The system can be divided into three main modules, each of which represents a mobile agent with certain func- tionality: monitoring, decision-making or initiating a response. By separate in functional tasks into categories and assigning each task to a different agent, the workload is distributed which is suitable for the characteristics of MANETs. In addition, the hierarchical structure of agents is also developed in this intrusion detection system as shown in Figure 4.

• Monitoring agent: Two functions are carried out at this class of agent: network monitoring and host monitoring. A host-based monitor agent hosting system-level sensors and user-activity sensors is run on every node to monitor within the node, while a monitor agent with a network monitoring sensor is run only on some selected nodes to monitor at packet-level to capture packets going through the network within its radio ranges.
• Action agent: Every node also hosts this action agent. Since every node hosts a host-based monitoring agent, it can determine if there is any suspicious or unusual activities on the host node based on anomaly detection. When there is strong evidence supporting the anomaly detected, this action agent can initiate a response, such as terminating the process or blocking a user from the network.

• Decision agent: The decision agent is run only on certain nodes, mostly those nodes that run network monitoring agents. These nodes collect all packets within its radio range and analyze them to determine whether the network is under attack. Moreover, from the previous paragraph, if the local detection agent cannot make a decision on its own due to insufficient evidence, its local detection agent reports to this decision agent in order to investigate further. This is done by using packet-monitoring results that comes from the network-monitoring sensor that is running locally. If the decision agent concludes that the node is malicious, the action module of the agent running on that node as described above will carry out the response.

The network is logically divided into clusters with a single cluster head for each cluster. This clusterhead will monitor the packets within the cluster and only packets whose originators are in the same cluster are captured and investigated. This means that the network monitoring agent (with network monitoring sensor) and the decision agent are run on the cluster head. In this mechanism, the decision agent performs the decision-making based on its own collected information from its network-monitoring sensor; thus, other nodes have no influence on its decision. This way, spooffing attacks and false accusations can be prevented.

2.4.4 Dynamic Hierarchical Intrusion Detection Architecture

Since nodes move arbitrarily across the network, a static hierarchy is not suitable for such dynamic network topology. Sterne et al. [16] proposed a dynamic intrusion detection hierarchy that is potentially scalable to large networks by using clustering like those in Section 4.3 and 5.5. However, it can be structured in more than two levels as shown in Figure 5. Nodes labeled \1" are the first level clusterheads while nodes labeled \2" are the second level clusterheads and so on. Members of the first level of the cluster are called leaf nodes.

Every node has the responsibilities of monitoring (by accumulating counts and statistics), logging, analyzing (i.e., attack signature matching or checking on packet headers and payloads), responding to intrusions detected if there is enough evidence, and alerting or reporting to cluster heads. Clues treads, in addition, must also perform:

Data fusion/integration and data reduction: Clusterheads aggregate and correlate reports from members of the cluster and data of their own. Data reduction may be involved to avoid conflicting data, bogus data and overlapping reports. Besides, cluster heads may send the requests to their children for additional information in order to correlate reports correctly. Intrusion detection computations: Since different attacks require different sets of detected data, data on a single node might not be able to detect the attack, e.g., DDoS attack, and thus clusterheads also analyze the consolidated data before passing to upper levels.

Security Management: The uppermost levels of the hierarchy have the authority and responsibility for managing the detection and response capabilities of the clusters and cluster heads below them. They may send the signatures update, or directives and policies to alter the configurations for intrusion detection and response. These update and directives will flow from the top of the hierarchy to the bottom. To form the hierarchical structure, every node uses clustering, which is typically used in MANETs to construct routes, to self-organize into local neighborhoods (first level clusters) and then select neighborhood representatives (cluster heads). These representatives then use clustering to organize themselves into the second level and select the representatives. This process continues until all nodes in the network are part of the hierarchy. The authors also suggested criteria on selecting cluster heads. Some of these criteria are:

• Connectivity: the number of nodes within one hop
• Proximity: members should be within one hop of its cluster head
• Resistance to compromise (hardening): the probability that the node will not be compromised. This is very important for the upper level cluster heads.
• Processing power, storage capacity, energy remaining, bandwidth cape abilities
• Additionally, this proposed architecture does not rely solely on promiscuous node monitoring like many proposed architectures, due to its unreliability as described in. Therefore, this
• architecture also supports direct periodic reporting where packet counts and statistics are sent to monitoring nodes periodically.

2.4.5 Zone-Based Intrusion Detection System (ZBIDS)

Sun et al. [24] has proposed an anomaly-based two-level no overlapping Zone-Based Intrusion Detection System (ZBIDS). By dividing the network in Figure 6 into nonoverlapping zones (zone A to zone me), nodes can be categorized into two types: the intrazone node and the interzone node (or a gateway node). Considering only zone E, node 5, 9, 10 and 11 are intrazone nodes, while node 2, 3, 6, and 8 are interzone nodes which have physical connections to nodes in other zones. The formation and maintenance of zones requires each node to know its own physical location and to map its location to a zone map, which requires prior design setup.

Each node has an IDS agent run on it which the model of the agent is shown in Figure 7. Similar to an IDS agent proposed by Zhang and Lee (Figure 2), the data collection module and the detection engine are re-sponsible for collecting local audit data (for instance, system call activities, and system log les) and analyzing collected data for any sign of intrusion respectively. In addition, there may be more than one for each of these modules which allows collecting data from various sources and using different detection techniques to improve the detection performance.

The local aggregation and correlation (LACE) module is responsible for combining the results of these local detection engines and generating alerts if any abnormal behavior is detected. These alerts are broadcasted to other nodes within the same zone. However, for the global aggregation and correlation (GACE), its functionality depends on the type of the node. As described in Figure 7,

if the node is an intrazone node, it only sends the generated alerts to the interzone nodes. Whereas, if the node is an interzone node, it receives alerts from other intrazone nodes, aggregates and correlates those alerts with its own alerts, and then generates alarms. Moreover, the GACE also cooperates with the GACEs of the neighboring interzone nodes to have more accurate information to detect the intrusion. Lastly, the intrusion response module is responsible for handling the alarms generated from the GACE. The local aggregation and correlation

Algorithm used in ZBIDS is based on a local Markov chain anomaly detection. IDS agent rust creates a normal profile by constructing a Markov chain from the routing cache. A valid change in the routing cache can be characterized by the Markov chain detection model with probabilities, otherwise, it's considered abnormal, and the alert will be generated. For the global aggregation and correlation algorithm, it's based on information provided in the received alerts containing the type, the time, and the source of the attacks.

2.5 Intrusion Detection Techniques for Node Cooperation in MANETs

Since there is no infrastructure in mobile ad hoc networks, each node must rely on other nodes for cooperation in routing and forwarding packets to the destination. Intermediate nodes might agree to forward the packets but actually drop or modify them because they are misbehaving. The simulations in [5] show that only a few misbehaving nodes can degrade the performance of the entire system. There are several proposed techniques and protocols to detect such misbehavior in order to avoid those nodes, and some schemes also propose punishment as well [6, 7].

2.5.1 Watchdog and Pathrater

Two techniques were proposed by Marti, Giuli, and Baker [5], watchdog and pathrater, to be added on top of the standard routing protocol in ad hoc networks. The standard is Dynamic Source Routing protocol (DSR) [8]. A watchdog identifies the misbehaving nodes by eavesdropping on the transmission of the next hop. A pathrater then helps to find the routes that do not contain those nodes. In DSR, the routing information is defined at the source node. This routing information is passed together with the message through intermediate nodes until it reaches the destination. Therefore, each intermediate node in the path should know who the next hop node is. In addition, listening to the next hop's transmission is possible because of the characteristic of wireless networks - if node A is within range of node B, A can overhear communication to and from B.

Figure 8 shows how the watchdog works. Assume that node S wants to send a packet to node D, which there exists a path from S to D through nodes A, B, and C. Consider now that A has already received a packet from S destined to D. The packet contains a message and routing information. When A forwards this packet to B, A also keeps a copy of the packet in its buffer. Then, it promiscuously listens to the transmission of B to make sure that B forwards to C. If the packet overheard from B (represented by a dashed line) matches that stored in the buffer, it means that B really forwards to the next hop (represented as a solid line). It then removes the packet from the buffer. However, if there's no matched packet after a certain time, the watchdog increments the failures counter for node B. If this counter exceeds the threshold, A concludes that B is misbehaving and reports to the source node S.

Path rater performs the calculation of the path metric" for each path. By keeping the rating of every node in the network that it knows, the path metric can be calculated by combining the node rating together with link re- liability, which is collected from past experience. Obtaining the path metric for all available paths, the pathrater can choose the path with the highest metric. In addition, if there is no such link reliability information, the path metric enables the pathrater to select the shortest path too. As a result, paths containing misbehaving nodes will be avoided.

From the result of the simulation, the system with these two techniques is quite effective for choosing paths to avoid misbehaving nodes. However, those misbehaving nodes are not punished. In contrast, they even benefit from the network. Therefore, misbehaving nodes are encouraged to continue their behaviors.

Chapter 3

3. Literature survey

3.1 Introduction

The rapid proliferation of wireless networks and mobile computing applications has changed the landscape of network security. The nature of mobility creates new vulnerabilities that do not exist in a fixed wired network, and yet many of the proven security measures turn out to be ineffective. Therefore, the traditional way of protecting networks with firewalls and encryption software is no longer sufficient. We need to develop new architecture and mechanisms to protect the wireless networks and mobile computing applications. The implication of mobile computing on network security research can be further demonstrated by the follow case. Recently (Summer 2001) an Internet worm called Code Red has spread rapidly to infect many of the Windows-based server machines.

To prevent this type of worm attacks from spreading into intranets, many. This paper was accepted for publication in ACM MONET Journal in 2002 and appears in this issue of ACM WINET due to editorial constraints. Companies rely on firewalls to protect the internal net works. However, there are multiple incidents that the Code Red worm has been caught from within the intranet, largely due to the use of mobile computers. As more and more business travelers are carrying laptops and more and more public venues provide wireless Internet access, there are higher and higher chances that an inadequately protected laptop will be infected with worms. For example, in a recent IETF meeting, among the hundreds of attendees that carry laptops, a dozens have been detected to be infected with Code Red worm. When these laptops are later integrated back into their company networks, they can spread the worms from within and deem the firewalls useless in defending this worm.

3.2 Vulnerabilities of Mobile Wireless Networks

The nature of mobile computing environment makes it very vulnerable to an adversary's malicious attacks. First of all, the use of wireless links renders the network susceptible to attacks ranging from passive eavesdropping to active interfering. Unlike wired networks where an adversary must gain physical access to the network wires or pass through several lines of defense at firewalls and gateways, attacks on a wireless network can come from all directions and target at any node. Damages can include leaking secret information, message contamination, and node impersonation.

All these mean that a wireless ad-hoc network will not have a clear line of defense, and every node must be prepared for encounters with an adversary directly or indirectly. Second, mobile nodes are autonomous units that are capable of roaming independently. This means that nodes with inadequate physical protection are receptive to being captured, compromised, and hijacked. Since tracking down a particular mobile node in a global scale network cannot be done easily, attacks by a compromised node from within the network are far more damaging and much harder to detect.

Therefore, mobile nodes and the infrastructure must be prepared to operate in a mode that trusts no peer. Third, when decision-making is decentralized in mobile computing environment, some wireless network algorithms depend on the cooperative participation of all nodes and the infrastructure. Due to lack of centralized authority the adversaries can make use of this weakness for unique attacks intended to crack the cooperative algorithms. For example, many of the current MAC protocols for wireless channel access are vulnerable. Irrespective of the developments in types of MAC protocols, the fundamental working principles are alike.

In a contention-based method, each node must compete for control of the transmission channel each time it sends a message. Nodes must strictly follow the pre-denned procedure to avoid collisions and to recover from them. In a contention-free method, each node must seek from all other nodes a unanimous promise of an exclusive use of the channel resource, on a one-time or recurring basis. Regardless of the type of MAC protocol, if a node behaves maliciously, the MAC protocol can break down in a scenario resembling a denial-of-service attack. Although such attacks are rare in wired networks because the physical networks and the MAC layer are isolated from the outside world by layer-3 gateways/firewalls, every mobile node is completely vulnerable in the wireless open medium.

In addition, different kinds of computational and communication systems that regularly appear in fixed or wired environment were introduced by mobile computing. For example, mobile users tend to be stingy about communication due to slower links, limited bandwidth, higher cost, and battery power constraints; mechanisms like disconnected operations and location-dependent operations only appear to mobile wireless environment. Unsurprisingly, security measures developed for wired network are likely inept to attacks that exploit these new applications. Applications and services in a mobile wireless network can be a weak link as well. In these networks, there are often proxies and software agents running in base-stations and intermediate nodes to achieve performance gains through caching, content trans coding, or traffic shaping, etc. Potential attacks may target these proxies or agents to gain sensitive information or to mount DoS attacks, such as using the cache with bogus references, or having the content trans coder do useless and expensive computation.

To summarize, a mobile wireless network is vulnerable due to its features of open medium, dynamic changing network topology, cooperative algorithms, lack of centralized monitoring and management point, and lack of a clear line of defense. Future research is needed to address these vulnerabilities.

3.3 The Need for Intrusion Detection

Intrusion prevention measures, such as encryption and authentication, can be used in ad-hoc networks to reduce intrusions, but cannot eliminate them. For example, encryption and authentication cannot defend against compromised mobile nodes, which often carry the private keys. Integrity validation using redundant information (from different nodes), such as those being used in secure routing, also relies on the trust worthiness of other nodes, which could likewise be a weak link for sophisticated attacks. The history of security research has taught us a valuable lesson no matter how many intrusion prevention measures are inserted in a network; there are always some weak links that one could exploit to break in just like the example at the beginning of this paper. Intrusion detection presents a second wall of defense and it is a necessity in any high-survivability network. In summary, mobile computing environment has inherent vulnerabilities that are not easily preventable. To secure mobile computing applications, we need to deploy intrusion detection and response techniques, and further research is necessary to adapt these techniques to the new environment, from their original applications in fixed wired network.

In this paper, we focus on a particular type of mobile computing environment called mobile ad-hoc networks and propose a new model for intrusion detection and response for this environment. We will first give a background on intrusion detection, then present our new architecture, followed by an experimental study to evaluate its feasibility.

3.4 Intrusion Detection and the Challenges of Mobile Ad-Hoc Networks

When an intrusion (defined as any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource" ) takes place, intrusion prevention techniques, such as encryption and authentication (e.g., using passwords or biometrics), are usually the first line of defense. However, intrusion prevention alone is not sufficient because as systems become ever more complex, and as security is still often the after-thought, there are always exploitable weaknesses in the systems due to design and programming errors, or various socially engineered" penetration techniques.

For example, even though they were first reported many years ago, exploitable buffer overflow" security holes, which can lead to an unauthorized root shell, still exist in some recent system software's. Furthermore, as illustrated by the Distributed Denialof-Services (DDoS) attacks launched against several major Internet sites where security measures were in place, the protocols and systems that are designed to provide services (to the public) are inherently subject to attacks such as DDoS. Intrusion detection can be used as a second wall to protect network systems because once an intrusion is detected, e.g., in the early stage of a DDoS attack, response can be put into place to minimize damages, gather evidence for prosecution, and even launch counter-attacks.

The most important assumptions of intrusion detection consists of a. user and program activities are observable, b. normal and intrusion activities have distinct behavior. To determine whether the system is under attack, intrusion detection captures audit data and analyses about the evidence in the data.

The audit data used will decide whether applied intrusion detection systems (IDSs) come under network-based category or host-based category. Generally network-based IDS will function at the gateway of a network to capture and examine network packets that passes through

the network hardware interface. But the host-based IDS depend on operating system audit data to observe and examine the events produced by programs or users on the host. Anomaly detection

and Misuse detection are two categories of Intrusion detection techniques. Misuse detection systems, e.g., IDIOT and STAT, use patterns of well-known attacks or weak spots of the system to match and identify known intrusions. For incidence, in general more than 4 unsuccessful login attempts within two minutes is considered to be guessing password attack. The main advantage of misuse detection is that it can accurately and efficiently detect instances of known attacks. The main disadvantage is that it lacks the ability to detect the truly innovative (i.e., newly invented) attacks. Anomaly detection (sub)systems, for example, the anomaly detector in IDES, ag observed activities that deviate significantly from the established normal usage profiles as anomalies, i.e., possible intrusions.

For example, the normal profile of a user may contain the averaged frequencies of some system commands used in his or her login sessions. While monitoring a session and the frequencies are considerably lower or higher an anomaly alarm will raise. The ultimate benefit of anomaly detection is, it works without prior information of intrusion and will detect new intrusions and the basic challenge is, it may fail to describe the attack and may have elevated fake positive rate.

3.5 Problems of Current IDS Techniques

The vast difference between the fixed network where current intrusion detection research are taking place and the mobile ad-hoc network which is the focus of this paper makes it very difficult to apply intrusion detection techniques developed for one environment to another. The most important difference is perhaps that the latter does not have a fixed infrastructure, and today's network-based IDSs, which rely on real-time traffic analysis, can no longer function well in the new en4 Y Zhang, W Lee, & Y Huang / Intrusion Detection Techniques for Mobile Wireless Networks environment. Compared with wired networks where traffic monitoring is usually done at switches, routers and gateways, the mobile ad-hoc environment does not have such traffic concentration points where the IDS can collect audit data for the entire network.

Therefore, at any one time, the only available audit trace will be limited to communication activities taking place within the radio range, and the intrusion detection algorithms must be made to work on this partial and localized information. Another significant big difference is in the communication pattern in a mobile computing environment. As we have mentioned earlier, mobile users tend to be stingy about communication and often adopt new operation modes such as disconnected operations. This suggests that the anomaly models for wired network cannot be used as is. Furthermore, there may not be a clear separation between normalcy and anomaly in mobile environment.

A node that sends out false routing information could be the one that has been compromised, or merely the one that is temporarily out of sync due to volatile physical movement. Intrusion detection may find it increasingly difficult to distinguish false alarms from real intrusions. In summary, we must answer the following research questions in developing a viable intrusion detection system for mobile ad-hoc networks:

• What is a good system architecture for building intrusion detection and response systems that fits the features of mobile ad-hoc networks?
• What are the appropriate audit data sources? How do we detect anomaly based on partial, local audit traces { if they are the only reliable audit source?
• What is a good model of activities in a mobile computing environment that can separate anomaly when under attacks from the normalcy?

3.5.1 Vulnerabilities In AODV

ADOV is vulnerable to many different types of attacks [1]. In this section, we examine specific vulnerabilities in AODV that allow subversion of routes. In addition, we provide several attack scenarios that exploit the vulnerabilities to motivate our research.

3.5.2 Overview of AODV

The Ad hoc On-demand Distance Vector (AODV) routing protocol is a reactive and stateless protocol that establishes routes only as desired by a source node using route request (RREQ) and route reply (RREP) messages. As a node requires identifying a route to a targeted node, it transmits a Route Request (RREQ) message with a exclusive RREQ ID (RID) to all its neighbors. When RREQ message reaches a node, the sequence number of source node will be updated by node and positions reverse routes to the source node in the routing tables. When the node is either destination or has a route to the destination which has the fresh requirements, a route reply will be uncasted (RREP) back to the source node.

In the routing tables, the node that receives RREP will revise its forward route to destination; it may be source node or the intermediate node. Otherwise, it continues broadcasting the RREQ. Node will discard and stops a RREQ message when it receives a RREQ message that was already processed. In AODV, sequence number (SN) plays a role to indicate the freshness of the routing information and guarantee loop-free routes. Sequence number is increased under only two conditions: when the source node initiates RREQ and when the destination node replies with RREP. Only through source or destination, the sequence number can be updated.

If RREQ or RREP is forwarded each hop, to determine the shortest path and to increase by 1 Hop count (HC) is used. All transitional nodes will erase the entry in their routing tables as a link breaks, also the route error packets (RERR) are broadcasted to the source node along the reverse route. By distributing hello message regularly AODV preserves the connectivity of neighbor nodes.

3.5.3 Vulnerable Fields in AODV Control Messages

In general, AODV is efficient and scalable in terms of network performance, but it allows attackers to easily advertise falsified route information to redirect routes and to launch various kinds of attacks. In each AODV routing packet, some critical fields such as hop count, sequence numbers of source and destination, IP headers as well as IP addresses of AODV source and destination, and RREQ ID, are essential to the correct protocol execution. Any misuse of these fields can cause AODV to malfunction. Table 2 denotes several vulnerable fields in AODV routing messages and the possible effects when they are tampered.

An attacker could launch a single (packet) attack consisting of several carefully modified fields, or an aggregate attack consisting of multiple attack messages, which cause more damages and last longer than a single attack does. The reader is referred to [1] for a more detailed classification of such attacks (termed atomic and compound attacks) as well as simulations of the impact of such attacks. A few of the attacks are described below.

3.6 Examples of Single Attacks

3.6.1 Forging Sequence Number

Sequence numbers indicates the freshness of route to the associated node. If an attacker sends out an AODV control packet with a forged large sequence number of the victim node, it will change the route to that victim node. For example, in our example AODV scenario (see Figure 1), if M sends a RREQ, m1, to C with SN.Src equal to 200 (>100), it will take precedence over b1. The route from C to A will go through M instead of going through B. Then the route between A and D can be controlled by node M. As another example, if M sends a RREP to B with SN.Dst equal 100 (>61), it will take precedence over c2. B will send data through M to D instead of C; M can then control the route between A and D. This attack can be self-corrected by the protocol when the victim node issues a RREQ or RREP with its sequence number larger than that in the attack packet.

3.6.2 Forging Hop Count

The damage caused by forging of the hop count field will not last as long as the sequence number forging attacks. However, this attack is harder to detect since it is difficult to know the correct hop count to verify the hop count in the attack packet. For example, if M sends a RREQ

3.7 Examples of Aggregated Attacks

The attacker can combine multiple single attacks to perform a more complicated attack or make the attack last longer. Some interesting attacks are described below.

3.7.1 Man in the Middle Attack

The attacker could issue a fake RREQ and a RREP to poison other node's forwarding table to divert route. The attacker could send a RREQ to C, m1, which is the same as b1 but with higher SN.Src =200 (>100) to take precedence over b1, and send a RREP to B, m2, which is the same as c2 but with SN.Dst=100(>61) in order to take precedence over c2. The next hub of reverse route of C is M instead of B so D and C will go to A through M. The next hub of forward route of B is M instead of C so A and B will go to D through M. Then M could forward the diverted packets from B and C. Therefore, the complete route is ABMCD instead of ABCD

3.7.2 Tunneling Attack

Tunneling attack is done by two cooperating malicious nodes that falsely represent the length of available paths by building a tunnel between them. In this way, the malicious nodes can force traffic to route through them.

As shown in figure 11, there is no direct link between M1 and M2, but M1 and M2 can pretend to be directly adjacent by tunneling. M1 encapsulates the message and sends it through A, B and C to M2, and falsely claim there is a direct link between M1 and M2. In AODV, when S broadcasts RREQ to A and M1, it will get RREP from A and M1, where their path are {S, A, B, C, D} and {S, M1, M2, D}. S will choose {S, M1, M2, D} but it is actually {S, M1, A, B, C, M2, D}. M1 and M2 successfully prevent S from choosing the really shortest path, {S, A, B, C, D}. Even a cryptography-based solution, such as ARAN [15], cannot prevent this kind of attack.

3.7.3 An Architecture for Intrusion Detection

Intrusion detection and response systems should be both distributed and cooperative to suite the needs of mobile ad-hoc networks. In our proposed architecture (Figure 1), every node in the mobile ad-hoc network participates in intrusion detection and response. Each node is responsible for detecting signs of intrusion locally and independently, but neighboring nodes can collaboratively investigate in a broader range.

In the systems aspect, individual IDS agents are placed on each and every node. Each IDS agent runs independently and monitors local activities (including user and systems activities, and communication activities within the radio range). It detects intrusion from local traces and initiates response. If anomaly is detected in the local data, or if the evidence is inconclusive and a broader search is warranted, neighboring IDS agents will cooperatively participate in global intrusion detection actions. These individual IDS agent collectively form the IDS system to defend the mobile ad-hoc network. The internal of an IDS agent can be fairly complex, but conceptually it can be structured into six pieces (Figure 2). The data collection module is responsible for gathering local audit traces and activity logs. Next, the local detection engine will use these data to detect local anomaly. Detection methods that need broader data sets or that require collaborations among IDS agents will use the cooperative detection engine. Intrusion response actions are provided by both the local response and global response modules. The local response module triggers actions local to this mobile node, for example an IDS agent alerting the local user, while the global one coordinates actions among neighboring nodes, such as the IDS agents in the network electing a remedy action. Finally, a secure communication module provides a high-confidence communication channel among IDS agents.

3.7.3.1 Data Collection

The first module, local data collection, gathers streams of real-time audit data from various sources. Depending on the intrusion detection algorithms, these useful data streams can include system and user activities within the mobile node, communication activities by this node, as well as communication activities within the radio range and observable by this node. Therefore, multiple data collection modules can coexist in one IDS agent to provide multiple audit streams for a multi-layer integrated intrusion detection method (Section 3.5).

3.7.3.2 Local Detection

The local detection engine analyzes the local data traces gathered by the local data collection module for evidence of anomalies. It can include both misuse detections and anomaly detection (Section 2.1). Because it is conceivable that the number of newly created attack types mounted on mobile computing environment will increase quickly as more and more network appliances become mobile and wireless, anomaly detection techniques will play a bigger role. We will have further discussion on anomaly detection in mobile wireless environment.

3.7.3.3 Cooperative Detection

Any node that detects locally a known intrusion or anomaly with strong evidence (i.e., the detection rule triggered has a very high accuracy rate, historically), can determine independently that the network is under attack and can initiate a response. However, if a node detects an anomaly or intrusion with weak evidence, or the evidence is inconclusive but warrants broader investigation, it can initiate a cooperative global intrusion detection procedure. This procedure works by propagating the intrusion detection state information among neighboring nodes (or further downward if necessary).

The intrusion detection state information can range from a mere level-of-confidence value such as

• "With p% confidence, node A concludes from its local data that there is an intrusion"
• "With p% confidence, node A concludes from its local data and neighbor states that there is an intrusion"
• "With p% confidence, node A, B, C, ... collectively conclude that there is an intrusion" to a more speci_c state that lists the suspects, like
• "With p% con_dence, node A concludes from its local data that node X has been compromised" or to a complicated record including the complete evidence. As the next step, we can derive a distributed consensus algorithm to compute a new intrusion detection state for this node, using other nodes' state information received recently. The algorithm can include a weighted computation under the assumption that nearby nodes have greater effects than far away nodes, i.e., giving the immediate neighbors the highest values in evaluating the intrusion detection states. For example, a majority-based distributed intrusion detection procedure can include the following steps:
• The node sends to neighboring node an "intrusion (oranomaly) state request";
• Each node (including the initiation node) then propagates the state information, indicating the likelihood of an intrusion or anomaly, to its immediate neighbors;
• Each node then determines whether the majority of the received reports indicate an intrusion or anomaly; if yes, then it concludes that the network is under attack;
• Any node that detects an intrusion to the network can then initiate the response procedure.
• The rationales behind this scheme are as follows. Audit data from other nodes cannot be trusted and should not be used because the compromised nodes can send falsified data. However, the compromised nodes have no incentives to send reports of intrusion/anomaly because the intrusion response may result in their expulsion from the network. Therefore, unless the majority of the nodes are compromised, in which case one of the legitimate nodes will probably be able to detect the intrusion with strong evidence and will respond, the above scheme can detect intrusion even when the evidence at individual nodes is weak. A mobile network is highly dynamic because nodes can move in and out of the network. Therefore, while each node uses intrusion/anomaly reports from other nodes, it does not rely on fixed network topology or membership information in the distributed detection process. It is a simple majority voting scheme where any node that detects an intrusion can initiate a response.

3.7.3.4 Intrusion Response

The type of intrusion response for mobile ad-hoc networks depends on the type of intrusion, the type of network protocols and applications, and the confidence (orcertainty) in the evidence. For example, here is a few likely responses:

• Re-initializing communication channels between nodes (e.g., force re-key).
• Identifying the compromised nodes and re-organizing the network to preclude the promised nodes.

For example, the IDS agent can notify the enduser, who may in turn do his/her own investigation and take appropriate action. It can also send a \re-authentication" request to all nodes in the network to prompt the end-users to authenticate themselves (and hence their mobile nodes), using out-of-bound mechanisms (like, for example, visual contacts). Only the re-authenticated nodes, which may collectively negotiate a new communication channel, will recognize each other as legitimate. That is, the compromised/malicious nodes can be excluded.

3.7.3.5 Multi-Layer Integrated Intrusion Detection and Response

Traditionally, IDSs use data only from the lower layers: network-based IDSs analyze TCP/IP packet data and host-based IDSs analyze system call data. This is because in wired networks, application layer firewalls can effectively prevent many attacks, and application specific modules, e.g., credit card fraud detection systems, have also been developed to guard the mission critical services. In the wireless networks, there are no firewalls to protect the services from attack. However, intrusion detection in the application layer is not only feasible, as discussed in the previous section, but also necessary. Certain attacks, for example, an attack that tries to create an unauthorized access \back-door" to a service, may seem perfectly legitimate to the lower layers, e.g., the MAC protocols. We also believe that some attacks may be detected much earlier in the application layer, because of the richer semantic information available, than in the lower layers.

For example, for a DoS attack, the application layer may detect very quickly that a large number of incoming service connections have no actual operations or the operations don't make sense (and can be considered as errors); whereas the lower layers, which rely only on information about the amount of network traffic (or the number of channel requests), may take a longer while to recognize the unusually high volume. Given that there are vulnerabilities in multiple layers of mobile wireless networks and that an intrusion detection module needs to be placed at each layer on each node of a network, we need to coordinate the intrusion detection and response efforts. We use the following integration scheme:

• If a node detects an intrusion that affects the entire network, e.g., when it detects an attack on the ad hoc routing protocols, it initiates the re-authentication process to exclude the compromised/malicious nodes from the network;
• If a node detects a (seemingly) local intrusion at a higher layer, e.g., when it detects attacks to one of its services, lower layers are notified. The detection modules there can then further investigate, e.g., by initiating the detection process on possible attacks on ad hoc routing protocols, and can respond to the attack by blocking access from the offending node(s) and notifying other nodes in the network of the incident.

In this approach, the intrusion detection module at each layer still needs to function properly, but detection on one layer can be initiated or aided by evidence from other layers. As a first cut of our experimental research, we allow the evidence to own from one layer to its (next) lower layer by default, or to a specific lower layer based on the application environment. The \augmented" versions of the detection model at a lower level are constructed as follows. In the \testing" process, the anomaly decision, i.e., either 1 for \yes" or 0 for \no" from the upper layer is inserted into the deviation score of the lower level, for example, (0.1, 0.1) now becomes (0.1, 0.1, 0). In other words, the deviation data also carries the extra information passed from the upper level. An anomaly detection model built from the augmented data therefore combines the bodies of evidence from the upper layers and the current layer and can make a more informed decision. The intrusion report sent to other node for cooperative detection also includes a vector of the information from the layers. With these new changes, the lower layers now need more

than one anomaly detection model: one that relies on the data of the current layer and therefore indirectly uses evidence from the lower layers, and the augmented one that also considers evidence from the upper layer. Multi-layer integration enables us to analyze the attack scenario in its entirety and as a result, we can achieve better performance in terms of both higher true positive and lower false positive rates.

For example, a likely attack scenario is that an adversary takes control of the mobile unit of a user (by physically disable him or her), and then uses some system commands to send falsified routing information. A detection module that monitors user behavior, e.g., via command usage, can detect this event and immediately (i.e., before further damage can be done) cause the detection module for the routing protocols to initiate the global detection and response, which can result in the exclusion of this compromised unit.

As another example, suppose the users are responding to a fire alarm, which is a rare event and may thus cause a lot of unusual movements and hence updates to the routing tables. However, if there is no indication that a user or system software has been compromised, each intrusion report sent to other nodes will have a \clean" vector of upper layer indicators, and thus the detection module for the routing protocols can conclude that the unusual updates may be legitimate.

3.7.3.6 Anomaly Detection in Mobile Ad-Hoc Networks

In this section, we discuss how to build anomaly detection models for mobile wireless networks. Modeling algorithms, amount of available audit data and the format could be different for detection that is based on activities in different network layers. However, we believe that the principle behind the approaches will be the same. To illustrate our approach, we focus our discussions on ad-hoc routing protocols.

Building an Anomaly Detection Model

Framework The basic premise for anomaly detection is that there is intrinsic and observable characteristic of normal behavior that is distinct from that of abnormal behavior. We use information-theoretic measures, namely, entropy and conditional entropy, to describe the characteristics of normal information flows and to use classification algorithms to build anomaly detection models.

For example, we can use a classifier, trained using normal data, to predict what is normally the next event given the previous n events. In observing, if the authentic event is different from the one classifier has expected, an anomaly is there. When constructing a classifier, features with high information gain are needed. That is, a classifier needs feature value tests to partition the original dataset into pure subsets, each ideally with one class of data. Using this framework, we employ the follow