Intrusion Detection Systems For Mobile Adhoc Networks


02 Nov 2017


In recent years, the mobile ad hoc network (MANET) has become a very popular area for research. A MANET is a self-configuring, infrastructure-less network of autonomous mobile nodes connected by wireless links that form a dynamic, purpose-specific, multi-hop radio network in a decentralized fashion. MANETs are used widely in applications such as rescue operations, tactical operations, environmental monitoring and conferences, including some mission-critical applications, and as such security has become one of the major concerns in MANETs. In a MANET, the nodes themselves implement network management in a cooperative fashion, so all the network members share the responsibility for it. The wireless and distributed nature of MANETs, together with the absence of access points providing access to a centralized authority, poses a great challenge to system security designers and makes these networks susceptible to a variety of active and passive attacks owing to their limited physical security, dynamically changing network topology, energy-constrained operation and lack of centralized administration. Matters get worse when some nodes are hijacked or compromised and stop the network from working smoothly: prevention methods (cryptographic techniques) alone are not sufficient to make MANETs secure, since they do not prevent node capture, so detection should be added as a further line of defense before an attacker can violate the working of the system. In this paper, we classify and review the architectures for intrusion detection systems (IDS) that have been introduced for MANETs in the literature. We then provide some directions for future research.

Keywords: MANET, Security, Attacks, AODV, DSR, IDS, etc.

I. INTRODUCTION

Ad hoc means "for a particular purpose (improvised, made up in an instant)". Such a "spontaneous network" is especially useful where installation of a fixed network is not easy and where some of the devices are part of the network only for the duration of a communication session. A mobile ad hoc network [1, 2, 3, 4, 5] is a system of wireless mobile nodes with routing capabilities, where each node operates both as a host and as a router forwarding packets for the others; any group of them is capable of forming an autonomous network that requires no infrastructure and of organizing itself into arbitrary, changeable topologies. In recent years, mobile ad hoc networks have received tremendous attention because of their self-configuration capabilities.

Transmission in mobile ad hoc networks occurs over electromagnetic waves, known as radio waves. Mobile nodes within one another's radio range can communicate through wireless links and thus dynamically form a network. Wireless communication gives routers and hosts the freedom to move within the wireless communication zone. To provide this freedom, wireless communication relies on a channel known as radio frequency (RF). The wireless medium is defenseless against signals from outside the channel and is considerably less dependable than wired media. Mobile nodes that are not in direct range can communicate via other intermediate devices (this is multi-hop communication).

A mobile ad hoc network has following distinct characteristics:

Very Limited Transmission Range

Multi-Hop Routing Paths

Weaker In Security (Lack of Centralized Management Facility)

Device Size Limitation

Limited Battery Life

Dynamic Topology

Bandwidth and Slower Data Transfer Rate

Resource Constraints

No Infrastructure

Limited Physical Security

Distributed Operation

Unreliability of wireless links between nodes.

These unique characteristics of MANETs present a new set of non-trivial challenges to security design. Apart from these limitations, MANETs have many applications, such as military communication and operations, automated battlefields, search and rescue operations, disaster recovery, policing and fire fighting, supporting doctors and nurses in hospitals, conferences and meeting rooms, virtual classrooms, wireless P2P networking, etc.

The unreliability of wireless links between nodes, the constantly changing topology owing to the movement of nodes in and out of the network, and the lack of security features in statically configured wireless routing protocols not meant for ad hoc environments all lead to increased vulnerability and exposure to attacks. In a mobile ad hoc network there can be nodes that try to disrupt proper network functioning by modifying packets, injecting packets or creating routing loops. These nodes can be malicious or selfish [6]. Security is therefore an important task in MANETs because of their characteristics: dynamic topology, lack of infrastructure, vulnerable channels and vulnerable nodes. Consequently, the existing security solutions for wired networks do not directly apply to the MANET domain. The ultimate goal of a security solution for MANETs is to provide security attributes such as authentication, confidentiality, integrity, anonymity and availability to the mobile users. Attacks from both external and internal nodes can easily affect the functioning and stability of ad hoc networks. The degree of the influence depends largely on the activity level of the malicious nodes.

One distinguishing characteristic of MANETs from the security design perspective is the lack of a clear line of defense. The wireless channel is accessible to both legitimate network users and malicious attackers. There is no well-defined place where traffic monitoring or access control mechanisms can be deployed. As a result, the boundary that separates the inside network from the outside world becomes blurred.

II. VULNERABILITY IN MANETS

2.1. Vulnerability: A vulnerability is a weakness in a security system. For example, a particular system may be vulnerable to unauthorized data manipulation because it does not verify a user's identity before allowing data access. A MANET is more vulnerable than a wired network. Some of the vulnerabilities are as follows:

2.1.1 Lack of Centralized Management: A MANET does not have a centralized management system such as a server. The absence of management makes the detection of attacks difficult because it is not easy to monitor the traffic in a highly dynamic and large-scale ad hoc network. In a mobile ad hoc network, all the nodes are required to cooperate in the network operation, as there is no centralized authority or decision making that can distinguish trusted from non-trusted nodes for network operation.

2.1.2 Resource Availability: The availability of resources is an important issue in MANETs. Ensuring secure communication in such a changing environment, as well as protection against specific threats and attacks, has led to the development of various schemes and security architectures. Mobile ad hoc networks based on cooperative environments allow the implementation of self-organized security mechanisms.

2.1.3 Scalability: Unlike a traditional wired network, whose scale is generally predefined when it is designed and does not change much during use, the scale of a mobile ad hoc network changes all the time because of node mobility. Scalability is therefore a major issue for security. Security mechanisms should be capable of handling large networks as well as small ones. As a result, the protocols and services applied to the ad hoc network should be compatible with its continuously changing scale, which may range from tens of nodes to thousands of nodes.

2.1.4 Cooperativeness: Routing algorithms for MANETs usually depend on the cooperation of the nodes. As a result, an attacker can easily become an important routing agent and disrupt the network operation by disobeying the protocol specifications.

2.1.5 Dynamic topology: Dynamic topology may violate the trust relationship among the nodes. The trust may also be compromised if some of the nodes are identified as a threat. This dynamic behavior can be better protected with distributed and adaptive security mechanisms.

2.1.6 Restricted power supply: Because of the mobile nature of nodes in an ad hoc network, it is common for them to rely on batteries. The nodes in a mobile ad hoc network therefore have to consider a restricted power supply, which causes several problems. A node may behave in a selfish manner when it finds that it has only a limited power supply and yet needs to cooperate with other nodes to support some functions in the network. The second problem that may be caused by the restricted power supply is denial-of-service (DoS) attacks.

2.1.7 Bandwidth constraint: The wireless network mostly consists of low-power links, which are more susceptible to external noise, attenuation and other effects on the signal.

2.1.8 Adversary inside the Network: Mobile nodes in MANETs are free to join and leave the network. Some nodes can behave maliciously, and it is difficult to detect whether a node's behavior is malicious. Thus, these types of attacks are more dangerous than external attacks. These nodes are called compromised nodes.

2.1.9 No Predefined Boundary: We cannot precisely define the physical boundaries of a mobile ad hoc network. The nodes operate in a nomadic environment, where they can join and leave a wireless network. As soon as an adversary comes into the radio range of a node it is able to communicate with that node. The attacks include eavesdropping, impersonation, tampering, replay and denial of service (DoS).

From the discussion in this section, we can conclude that the mobile ad hoc network is insecure by its nature, as it has no clear line of defense, lacks a centralized coordinator, has a restricted power supply, continuously changes in scale and is subject to bandwidth constraints.

2.2. Security Goals

In short, the goal of security is to provide security services to defend against all the kinds of threat explained in this chapter. Security services include the following:

Availability: The network must be available at all times to send and receive messages, even if it is under attack. This goal mainly concerns DoS attacks and is the ability to sustain the networking functionalities without any interruption due to security threats.

Confidentiality: Provides secrecy to sensitive data being sent over the network and unauthorized nodes cannot read the data. Confidentiality can also be required to prevent an adversary from undertaking traffic analysis and protects overall content or a field in a message.

Integrity: It ensures that messages being sent over the network are not modified.

Privacy: prevents adversaries from obtaining information that may have private content. The private information may be obtained through the analysis of traffic patterns, i.e. frequency, source node, routes, etc.

Authentication: It ensures the identity of the nodes in the network and ensures that the originator of a packet is the node it claims to be.

Non-Repudiation: In authentication the source proves its identity. Non-repudiation prevents the source from denying that it sent a packet. It ensures that the sender cannot deny having sent the message and is therefore responsible for its contents. It is particularly useful for the detection of compromised nodes.

Authorization: Authorization is a process in which an entity is issued a credential, which is generally used to assign different access rights to different level of users. It authorizes another node to update information (import authorization) or to receive information (export authorization). Typically, other services such as authentication and integrity are used for authorization.

Access control: It is to prevent unauthorized use of network services and system resources.

Anonymity: It hides the source of a packet or frame. It is a service that can help with data confidentiality and privacy. Neither the mobile node nor its system software should by default expose any information that allows conclusions about the owner or current user of the node.

Freshness: ensures that a malicious node does not resend previously captured packets.

Resilience to attacks: required to sustain the network functionalities when a portion of nodes is compromised or destroyed.

III. CLASSIFICATION OF THE SECURITY ATTACKS

2.1. Classification of the Attacks on the basis of nature: Active vs. Passive attacks.

The security attacks in MANET can generally be classified into two major categories on the basis of nature [8,9]:

Passive attacks: Passive attacks, in which adversaries make no emissions, are mainly against data confidentiality. In a passive attack the attacker does not disturb the network function but instead tries to extract valuable information, such as the node hierarchy and network topology, from it. A passive attacker listens to the channel, attempting to retrieve valuable information by monitoring transmissions; alternatively, a malicious node may simply ignore operations it is supposed to perform. Detection of a passive attack is very difficult since the operation of the network itself is not affected.

One of the solutions to this problem is to use a strong encryption mechanism to encrypt the data being transmitted, thereby making it impossible for the attacker to obtain useful information from the overheard data. Selfish nodes are member nodes of the network that perform passive attacks with the aim of saving battery life for their own communications. Selfish nodes can severely degrade network performance and eventually partition the network.

Active attacks: In active attacks, malicious acts are carried out not only against data confidentiality but also against data integrity. Active attacks involve some modification of the data stream or the creation of a false stream, for which the malicious nodes have to bear some energy cost in order to perform the harmful operation. In an active attack, malicious nodes insert information into the network to harm the operation of the network or of some nodes. Nodes that perform active attacks with the aim of damaging other nodes by causing network outages are considered to be malicious. An active attacker makes an emission or action that can be detected.

2.2. Classification of the Attacks on the basis of Domain: Internal vs. External attacks.

The security attacks in MANETs can also be classified into two categories on the basis of the Domain:

2.2.1. External attacks are carried out by external nodes that do not belong to the network, with the aim of causing congestion, propagating fake routing information or preventing nodes from providing services. External attacks are typically active attacks that are targeted, e.g., to cause congestion, propagate incorrect routing information, prevent services from working properly, or shut them down completely. External attacks can typically be prevented by using standard security mechanisms such as firewalls, encryption, and so on.

2.2.2. Internal attacks come from compromised nodes that are part of the network. Since the attacker is already part of the network, internal attacks are more severe and harder to detect than external attacks, because the insider knows valuable and secret information and possesses privileged access rights. Some papers refer to these attacks as outsider and insider attacks. Internal attacks are typically the more severe, since malicious insider nodes already belong to the network as authorized parties and are thus protected by the security mechanisms the network and its services offer. Thus, such malicious insiders, who may even operate in a group, may use the standard security means to actually protect their attacks.

2.3. Countermeasures

A variety of security mechanisms have been invented to counter malicious attacks. The conventional approaches such as authentication, access control, encryption, and digital signature provide a first line of defense. As a second line of defense, intrusion detection systems and cooperation enforcement mechanisms implemented in MANET can also help to defend against attacks or enforce cooperation, reducing selfish node behavior. There are two mechanisms which are widely used to protect the MANET from the attackers.

2.3.1. Preventive mechanism: In the preventive mechanism, the conventional approaches such as authentication, access control, encryption and digital signatures are used to provide the first line of defense. Some security modules, such as tokens or smart cards accessible through a PIN, pass phrases or biometric verification, are also used in addition. The conventional authentication and encryption schemes are based on cryptography, which includes asymmetric and symmetric cryptography. Cryptographic primitives such as hash values (message digests) are sufficient for providing data integrity in transmission as well. Threshold cryptography can be used to hide data by dividing it into a number of shares. Digital signatures can also be used to achieve data integrity and authentication services.

2.3.2. Reactive mechanism: A number of malicious attacks can bypass the preventive mechanisms because of their design, implementation, or restrictions. An intrusion detection system provides a second line of defense. IDSs are widely used to detect misuse and anomalies. A misuse detection system attempts to define improper behavior based on the patterns of well-known attacks, but it lacks the ability to detect attacks that were not considered when the patterns were created. Anomaly detection attempts to define normal or expected behavior statistically: it collects data from legitimate user behavior over a period of time, and then statistical tests are applied to determine anomalous behavior with a high level of confidence. In practice, both approaches can be combined to be more effective against attacks. Several intrusion detection systems for MANETs have been proposed in recent research papers. Reactive mechanisms use schemes such as intrusion detection systems (IDS) and cooperation enforcement mechanisms. Cooperation enforcement schemes such as Nuglets, Confidant, CORE and token-based schemes reduce selfish node behavior.

The first line of defense, using approaches such as authentication, access control, encryption and digital signatures with different verification and encryption methods, aims to prevent attacks; however, past experience has shown that encryption and authentication used as preventive security methods are not sufficient. So, to resist attacks, a second wall is needed: intrusion detection (ID) and cooperation enforcement mechanisms that monitor activities for policy violations in mobile ad hoc networks. Intrusion detection systems are used to detect misuse and anomalies. These two mechanisms should act together to ensure high security requirements [7].

In this paper, we classify the architectures for IDS in MANETs, each of which is suitable for different network infrastructures. Current intrusion detection systems corresponding to those architectures are reviewed and compared. The rest of the paper is structured as follows. Section 2 describes the background on intrusion detection systems and on intrusion detection in MANETs, and how it differs from intrusion detection in wired networks. Section 3 reviews IDS techniques and architectures. Section 4 studies IDS techniques for detecting misbehaving nodes, and Section 5 compares the reviewed IDS architectures. Finally, the conclusion and future directions are given in Section 6.

2. BACKGROUND

2.1. Intrusion Detection System (IDS)

An intrusion detection system can be defined as the process of monitoring activities in a system that attempt to compromise the integrity, confidentiality or availability of a resource, with the following functionalities [6, 8]:

• Continually monitor activities (packet traffic or host behavior)

• Automatically recognize suspicious, malicious, or inappropriate activities

• Trigger alarms to system administrator

The intrusion detection system should not introduce a new weakness in the MANET, should run continuously and remain transparent to the system and the users of the system, should use as little of the system resources as possible to detect the intrusions and it must be fault tolerant in the sense that it must be able to recover from system crashes, hopefully recover to the previous state, and resume the operations before the crash [9].

Apart from detecting and responding to intrusions, an IDS should also resist subversion. It should monitor itself and detect whether it has been compromised by an attacker. It is desirable that there be few false positive and false negative alarms.

The existing IDS architectures for MANETs fall under three basic categories [10]:

1. Stand-Alone Architecture

2. Distributed & Cooperative Architecture

3. Hierarchical Architecture

The stand-alone architectures use an intrusion detection engine installed at each node utilizing only the node’s local audit.

The cooperative architectures include an intrusion detection engine installed in every node, which monitors local audit data and exchanges audit data and/or detection outcomes with neighbouring nodes in order to resolve inconclusive cases.

The hierarchical architectures amount to a multilayer approach that divides the network into clusters. Specific nodes are selected to act as cluster-heads; a more comprehensive engine runs on these nodes and undertakes various responsibilities and roles in intrusion detection that are usually different from those of the simple cluster members, which run only a lightweight local intrusion detection engine that performs detection on local audit data alone.

Depending upon the detection engine used in the architecture, the intrusion detection engines can be classified in three categories:

1. Anomaly / Behavior-based IDS

2. Signature / Misuse / Knowledge-based IDS

3. Specification based IDS.

When the source of the data used for intrusion detection is considered, intrusion detection systems can also be classified by the type of system they protect. One family of IDS tools uses information derived from a single host (system), the host-based IDS (HIDS); another exploits information obtained from a whole segment of a local network, the network-based IDS (NIDS).

2.2 Limitations of IDS Solutions for Wireless Ad-hoc Networks [53]

Wireless ad-hoc networks lack key concentration points where network traffic can be monitored. Only the traffic generated within radio transmission range can be monitored.

In a dynamically changing ad-hoc network, it may be difficult to rely on the existence of a centralized server to perform analysis and correlation.

The secure distribution of signatures may be difficult, due to the properties of wireless communication and of mobile nodes that operate in disconnected mode.

It may be difficult to physically secure a mobile host that could be captured, compromised, and later rejoin the network as a Byzantine node.

2.3 Intrusion Detection Techniques

(i) Anomaly / Behaviour Based Detection: It detects intrusions as anomalies, i.e. deviations from normal behavior. It must first be trained on normal data before it can be used in detection mode. For example, the normal profile of a user may contain the average frequencies of some system commands used during login sessions, CPU usage for programs and the like. If, for a monitored session, a frequency changes to a higher or lower value compared to the average, an alarm is raised. Various techniques, e.g. statistical approaches and artificial intelligence techniques like data mining and neural networks, have been applied to anomaly detection. The main advantage of this model is that it can detect unknown attacks. On the other hand, its disadvantage is a high false positive rate when user profiles, the operating system or network behavior vary considerably from their normal behavior.

Nakayama et al. [11] proposed an anomaly-based engine that detects malicious actions using a machine learning approach to generate and maintain a normal profile; it is based on principal component analysis (PCA) [12] and targets malicious behavior against the Ad hoc On-demand Distance Vector (AODV) [13] routing protocol.

P. Kabiri et al. [14] also proposed an anomaly-based engine that uses machine learning to generate and maintain a normal profile, and relies on PCA to resolve malicious behavior by focusing on the detection of denial of service (DoS) attacks.

J. Felix et al. [15] proposed an anomaly-based engine that uses a support vector machine (SVM) [16] classifier to distinguish malicious behavior, in order to detect attacks by non-cooperating nodes (i.e. nodes that do not cooperate in the routing and forwarding operations of the network) in MANETs [80].

Liu et al. [17] proposed a fully distributed approach for anomaly detection at the MAC layer. The proposed approach selects features of the MAC layer to profile the normal behavior of mobile nodes, then applies cross-function analysis [18] to the feature vectors constructed from the training data [80].

Adrian Lauf et al. [19] proposed a two-step, anomaly-based detection engine designed to operate in environments with limited resources such as MANETs. The engine works in two steps: the first step of detection is performed by the maxima detection system (MDS), and the second by the cross-correlative detection system (CCDS). MDS is used to quickly identify a potential threat and to calibrate a threshold for CCDS, while CCDS is used to accurately detect the source(s) of the threat and to detect multiple simultaneous attacks.

A. Nadeem and M. Howarth [20] proposed an anomaly-based engine to detect denial of service attacks in MANETs. The proposed engine uses a dynamic normal profile and is based on statistical analysis to resolve malicious behavior. The authors assume that during training the behavior of a newly created network is free of anomalies. Subsequently, during the monitoring phase, the engine (a) logs incoming route request packets in intervals of five seconds, (b) calculates the probability distribution of the data collected, and (c) compares it with the normal profile using the chi-square test [21]. If the distribution of the data does not fit the normal profile, the observed behavior is considered suspicious, a counter is incremented and the node responsible for the symptom is marked as suspect [80]. If the incident repeats and the counter exceeds a threshold value within a fixed time slot, the node from which the incident originated is labeled as malicious.
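The following is an added illustration of the statistical engine just described, written for this review and not the code of Nadeem and Howarth. It trains a normal profile of RREQs per node per five-second interval from a constructed, anomaly-free log, then tests each monitored interval with a chi-square statistic, incrementing a per-slot counter for the node responsible and labeling it malicious once the counter reaches a threshold. The binning, the 30-second slot, the threshold of three and the fixed chi-square critical value are assumptions, not values from the paper.

```python
"""Chi-square anomaly detection over AODV route request (RREQ) traffic.

Added example in the style of the engine in [20]; parameters are assumed."""
from collections import Counter, defaultdict

INTERVAL = 5                # seconds per logging interval (from the text)
SLOT_INTERVALS = 6          # fixed time slot = 6 intervals = 30 s (assumed)
SUSPECT_THRESHOLD = 3       # counter value that labels a node malicious (assumed)
BINS = (0, 1, 2, 3)         # RREQs per node per interval: 0, 1, 2, 3-or-more (assumed)
CHI2_CRIT_DF3_P05 = 7.815   # chi-square critical value, 3 degrees of freedom, alpha 0.05


def bin_of(count):
    """Map a per-node RREQ count onto one of the BINS (last bin is open-ended)."""
    return min(count, BINS[-1])


def per_interval_counts(rreq_log):
    """rreq_log: iterable of (timestamp_seconds, source_node) for every RREQ heard.
    Returns {interval_index: Counter(node -> RREQs sent in that interval)}."""
    table = defaultdict(Counter)
    for ts, src in rreq_log:
        table[int(ts // INTERVAL)][src] += 1
    return table


def build_normal_profile(training_log, nodes):
    """Probability of each bin over all (node, interval) pairs of the training log.
    Add-one smoothing keeps bins never seen in training at a small non-zero probability,
    so the chi-square denominator is never zero."""
    table = per_interval_counts(training_log)
    last = max(table) if table else 0
    bin_counts, total = Counter(), 0
    for idx in range(last + 1):
        for node in nodes:
            bin_counts[bin_of(table[idx][node])] += 1
            total += 1
    return {b: (bin_counts[b] + 1) / (total + len(BINS)) for b in BINS}


def chi_square(observed, profile, n):
    """Pearson chi-square statistic of observed bin counts against the profile for n nodes."""
    stat = 0.0
    for b in BINS:
        expected = n * profile[b]
        stat += (observed[b] - expected) ** 2 / expected
    return stat


def detect(monitor_log, profile, nodes):
    """Monitoring phase. Returns (set of nodes labeled malicious, list of suspicious intervals)."""
    table = per_interval_counts(monitor_log)
    last = max(table) if table else 0
    malicious, suspicious, counters = set(), [], Counter()
    for idx in range(last + 1):
        if idx % SLOT_INTERVALS == 0:
            counters = Counter()          # new fixed time slot: suspect counters restart
        counts = table[idx]
        observed = Counter(bin_of(counts[node]) for node in nodes)
        if chi_square(observed, profile, len(nodes)) > CHI2_CRIT_DF3_P05:
            suspicious.append(idx)
            culprit = max(nodes, key=lambda node: counts[node])   # node behind the symptom
            counters[culprit] += 1
            if counters[culprit] >= SUSPECT_THRESHOLD:
                malicious.add(culprit)
    return malicious, suspicious


# Constructed sample data: 12 nodes; node i sends (i + t) % 3 RREQs in interval t,
# except an optional flooding node that sends `flood_rate` RREQs every interval.
NODES = [f"n{i}" for i in range(12)]


def synth_log(n_intervals, flooder=None, flood_rate=12):
    log = []
    for t in range(n_intervals):
        for i, node in enumerate(NODES):
            rate = flood_rate if node == flooder else (i + t) % 3
            log.extend((t * INTERVAL + k * 0.1, node) for k in range(rate))
    return log


PROFILE = build_normal_profile(synth_log(12), NODES)   # 60 s of anomaly-free training


def run_clean():
    return detect(synth_log(12), PROFILE, NODES)


def run_flood():
    return detect(synth_log(12, flooder="n11"), PROFILE, NODES)


if __name__ == "__main__":
    print("normal profile:", PROFILE)
    print("clean run :", run_clean())       # (set(), [])
    print("flood run :", run_flood())       # ({'n11'}, [0, 1, ..., 11])
```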

(ii) Signature / Misuse / Knowledge Based Detection: It compares a user's activities with the patterns (signatures) of well-known intrusions left by intruders attempting to compromise a system. It contains an internal table of abnormal patterns, which records the system traces corresponding to known attacks. If an activity matches a pattern in the table, an alarm is raised. The main advantage is that it can accurately and efficiently detect known intrusions. On the other hand, the disadvantage of misuse detection is that the abnormal patterns are based on known attacks, so new attacks cannot be detected. Misuse detection requires maintenance of a large central database of intrusion signatures, updated each time a new intrusion is discovered. Furthermore, misuse detection can be fooled by a smart intruder. For example, an intrusion can be a mixture of normal activity and a real intrusion, leading to a trace that does not match any of the predefined templates.

Anjum et al. [22] proposed a signature-based approach to intrusion detection for wireless ad hoc networks, based on the assumption that the attack signatures are well known in the ad hoc network. This approach examines the ability of different routing protocols to facilitate the process of intrusion detection. The authors show that reactive ad hoc routing protocols are less effective than proactive routing protocols in intrusion detection, even in the absence of mobility. There is a need to study the effectiveness of signature-based techniques for MANETs, assuming that the signatures of known attacks are available.

(iii) Specification Based Detection: Specification-based detection defines a set of constraints that describe the correct operation of a protocol or program and monitors the program against the constraints defined. This technique may provide the ability to detect unknown attacks with a low false positive rate, since any deviation from the proper functioning of a protocol is flagged. Each method has distinct advantages and disadvantages, and areas of intrusion detection to which it is appropriate.

A specification-based IDS for MANETs was proposed by Tseng et al. [23]. A finite state machine (FSM) is designed to specify the correct behavior of AODV, that is, to keep track of each branch of a route request / route reply (RREQ / RREP) flow by monitoring all RREQ and RREP messages from a source node to a destination node. The built specification is then compared with the actual behavior of the monitored neighboring nodes. The distributed network monitor passively listens to the AODV routing protocol, captures RREQ and RREP messages, and detects run-time violations of the specification.

There are other specification-based approaches proposed for AODV [24] [25]. A specification-based approach combined with cryptography is given in [24]; in this approach the specifications of RREQ and RREP messages are given as an extended finite state machine in each node. Another finite state machine based approach, proposed for DSR, is given in [66].
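As an added illustration of the specification-based monitoring described above (it is not the code of Tseng et al. [23] or of any other cited work), the following passive monitor keeps one small finite state machine per AODV route discovery, keyed by (source, destination, RREQ id), and raises an alert whenever the watched neighbour's RREQ/RREP transmissions deviate from a simplified specification: a forwarded message must have been received first with its hop count incremented by exactly one, a forwarded RREP must carry the destination sequence number unchanged, and an RREP may only be sent for a route request that was seen. The message fields, the state names and the rule set are assumptions chosen for the example.

```python
"""Passive, specification-based monitor for AODV route discovery (added example).

The monitor sits within radio range of one watched node and checks every RREQ/RREP
it overhears against a simplified finite-state specification (assumed rules)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    kind: str        # "RREQ" or "RREP"
    sender: str      # node whose transmission the monitor overheard
    src: str         # originator of the route discovery
    dst: str         # destination being sought
    rreq_id: int     # route request identifier
    hop_count: int
    dst_seq: int     # destination sequence number


class AodvSpecMonitor:
    """One FSM per flow (src, dst, rreq_id): NEW -> REQUESTED (RREQ seen) -> REPLIED (RREP seen)."""

    def __init__(self, watched):
        self.watched = watched
        self.flows = {}      # flow key -> {"state", "rreq_in", "rrep_in"}
        self.alerts = []     # (flow key, reason) for every specification violation

    def _flow(self, msg):
        key = (msg.src, msg.dst, msg.rreq_id)
        return self.flows.setdefault(key, {"state": "NEW", "rreq_in": None, "rrep_in": None})

    def _alert(self, msg, reason):
        self.alerts.append(((msg.src, msg.dst, msg.rreq_id), reason))

    def observe(self, msg):
        flow, w = self._flow(msg), self.watched
        if msg.kind == "RREQ":
            if msg.sender != w:                       # RREQ arriving at the watched node
                flow["rreq_in"], flow["state"] = msg, "REQUESTED"
            elif msg.src == w:                        # watched node originates a discovery
                if msg.hop_count != 0:
                    self._alert(msg, "originated RREQ must start with hop count 0")
                flow["state"] = "REQUESTED"
            else:                                     # watched node forwards a RREQ
                seen = flow["rreq_in"]
                if seen is None:
                    self._alert(msg, "forwarded RREQ that was never received")
                elif msg.hop_count != seen.hop_count + 1:
                    self._alert(msg, "forwarded RREQ hop count not incremented by one")
        elif msg.kind == "RREP":
            if msg.sender != w:                       # RREP arriving at the watched node
                flow["rrep_in"], flow["state"] = msg, "REPLIED"
            elif flow["state"] == "NEW":
                self._alert(msg, "RREP sent for a route request that was never seen")
            elif flow["rrep_in"] is None:             # watched node generates the reply itself
                if msg.dst == w and msg.hop_count != 0:
                    self._alert(msg, "RREP generated by destination must have hop count 0")
                req = flow["rreq_in"]
                if req is not None and msg.dst_seq < req.dst_seq:
                    self._alert(msg, "RREP destination sequence number lower than requested")
                flow["state"] = "REPLIED"
            else:                                     # watched node forwards a received RREP
                seen = flow["rrep_in"]
                if msg.hop_count != seen.hop_count + 1:
                    self._alert(msg, "forwarded RREP hop count not incremented by one")
                if msg.dst_seq != seen.dst_seq:
                    self._alert(msg, "forwarded RREP destination sequence number altered")
        return self.alerts


def run_conforming():
    """Constructed exchange: A seeks D through watched node B, which forwards correctly."""
    m = AodvSpecMonitor("B")
    for msg in [Msg("RREQ", "A", "A", "D", 1, 0, 5),
                Msg("RREQ", "B", "A", "D", 1, 1, 5),
                Msg("RREP", "C", "A", "D", 1, 1, 7),
                Msg("RREP", "B", "A", "D", 1, 2, 7)]:
        m.observe(msg)
    return m.alerts


def run_violating():
    """Constructed exchange: B forwards the RREP without incrementing the hop count and with an
    altered sequence number, then emits an RREP for a route request nobody sent."""
    m = AodvSpecMonitor("B")
    for msg in [Msg("RREQ", "A", "A", "D", 1, 0, 5),
                Msg("RREQ", "B", "A", "D", 1, 1, 5),
                Msg("RREP", "C", "A", "D", 1, 1, 7),
                Msg("RREP", "B", "A", "D", 1, 1, 9),
                Msg("RREP", "B", "A", "D", 2, 0, 9)]:
        m.observe(msg)
    return m.alerts


if __name__ == "__main__":
    print("conforming:", run_conforming())   # []
    print("violating :", run_violating())    # three alerts
```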

3. ARCHITECTURES FOR IDS IN MANETS

The existing IDS architectures for MANETs fall under three basic categories:

1. Stand-Alone Architecture

2. Distributed & Cooperative Architecture

3. Hierarchical Architecture

Stand-alone Intrusion Detection Systems

These architectures use an autonomous intrusion detection engine installed at each node, using only the node's local audit data. This reliance on local audit data alone to resolve malicious behavior limits them in terms of detection accuracy and the types of attacks they can detect.

Jacoby and Davis [28] proposed a stand-alone architecture for detecting malicious actions in a MANET by monitoring the power consumption level of the battery of every node. Detection is performed by comparing the power consumption of a node with a set of power consumption patterns induced by known attacks, using smart battery technology.

Nadkarni and Mishra [29] proposed a stand-alone IDS architecture that uses compound detection to reduce the number of false positive alerts that usually appear in anomaly detection. It uses threshold settings to determine malicious behavior. If the distribution of the data does not fit the normal profile, the observed behavior is considered suspicious, a counter is incremented and the node responsible for the symptom is marked as suspect. If the incident repeats and the counter exceeds a threshold value within a fixed time slot, the node from which the incident originated is labeled as malicious.

Lauf et al. [19] proposed a two-stage stand-alone IDS architecture designed to operate in environments with limited resources, such as MANETs. It installs two different detection engines in each node. The first, called the maximum detection system (MDS), is an anomaly detection engine that identifies statistical anomalies in the observed interactions at the application layer; it is used to quickly identify a potential threat and to calibrate the second engine, called the cross-correlative detection system (CCDS), which sets a threshold value for the attack under consideration. The second engine then calculates average values of the application behaviour and compares each node against the threshold. Behaviors that exceed the threshold are marked as malicious.

OCEAN, proposed in [31], is an extension of the DSR protocol. OCEAN also uses a monitoring system and a reputation system, and the proposed solution exchanges second-hand reputation messages. OCEAN implements a stand-alone IDS architecture to prevent phantom intrusion detections. Depending on whether a node participates in the route discovery process, OCEAN can detect misbehaving and selfish nodes. However, OCEAN's detection efficiency decreases rapidly as the density of misbehaving nodes increases.

Huang and Lee [32] propose a model with a stand-alone IDS architecture that uses both specification-based detection, for abnormal events that directly violate the AODV specifications, and anomaly-based detection, for events that do not violate the routing protocol specifications but do not directly follow the system specifications either (such as deleting an entry in the routing table or changing route messages) and therefore require statistical measures. A basic (routing) event is defined as the smallest set of causally related routing operations, such as receiving or delivering a packet or changing a routing setting. An abnormal event is defined in terms of basic events [32]. In this approach, extended finite state automata (EFSA) are used to represent the AODV specifications. In the statistics-based approach, features are determined to detect anomalous events that cannot be detected by the specification-based approach, and a set of detection rules is then generated using the RIPPER classifier [27].

A hybrid solution with a stand-alone IDS architecture, proposed in [33], combines the Watchdog and Pathrater proposed by Marti et al. with SCAN [10]. However, neither SCAN nor Watchdog and Pathrater address the mobility issue, so this hybrid solution suffers from similar problems. Moreover, there are no fixed nodes that can act as umpires.

The authors of [34] proposed two solutions to address the black hole attack in AODV. In the first solution, the source node checks whether the identified routes share any nodes. If a shared node is identified, the source node sends data packets to the destination through multiple paths using different packet IDs and sequence numbers. If no shared node is identified, the source node delays or aborts the transmission of data packets, leading to a severe degradation of network performance [78]. To circumvent these drawbacks, a second solution was proposed that exploits the packet sequence number to detect malicious nodes trying to hijack the traffic flow.

One of the most famous works in this category is the model introduced in [35]. This work proposes the use of a virtual currency, dubbed nuglets, as the means of payment in order to motivate each node to forward other nodes' data packets. Using nuglets, the authors proposed two models: the Packet Purse Model (PPM) and the Packet Trade Model (PTM). In the first model, the sender loads some nuglets into the packet before sending it. Each forwarder of this packet earns some nuglets as payment for the service. If the quantity of nuglets in the packet reaches zero, the packet is dropped.

In the latter model, in contrast to the former, the final destination of the packet rewards the intermediate nodes using its own nuglets. This model can be described as follows: each intermediate node earns some nuglets by buying a packet from its previous node for some nuglets and then selling it to the next node for more nuglets, and the total cost is paid by the destination.

Cooperative IDS architectures

Cooperation between distributed host-based IDS was originally proposed for fixed wired networks in Cooperating Security Managers [36]. Intrusion detection for fixed wired and hierarchical fixed networks is mainly network-based, so it is not necessary to incur the message-exchange overhead required by this architecture. The architecture is more suitable for flat wireless ad hoc networks, and a distributed and cooperative architecture was proposed for this environment in which the IDS agents residing on each node make local intrusion detection decisions independently but participate collaboratively in global intrusion detection [37]. In this architecture, if a node detects intrusion with weak or inconclusive evidence, it can initiate a global cooperative intrusion detection procedure; if a node detects intrusion locally with strong evidence, it can independently determine that the network is under attack. A cooperative and distributed IDS architecture could be susceptible to attack by Byzantine nodes, which could make false statements regardless of the detection of an attack by a correct node with solid evidence, making it difficult to reach a distributed consensus. In the CONFIDANT protocol, nodes cooperate and share alarm messages with the other nodes in the wireless ad hoc network that are on a node's friends list [38]. As the alarm messages are evaluated for their reliability, this should minimize the effect of a Byzantine node that falsely accuses a correct node.

Zhang and Lee [39] proposed a distributed and cooperative IDS model. The IDS agent model is structured into six modules. The local data collection module collects real-time audit data, which include system and user activities within its radio range. These data are analyzed by the local detection engine module for evidence of abnormalities. If an abnormality is detected with solid evidence, the IDS agent can independently determine that the system is under attack and launch a response through the local response module (i.e., alerting the local user) or the global response module (i.e., deciding on an action), depending on the type of intrusion, the type of network protocols and applications, and the certainty of the evidence. If an abnormality is detected with weak or inconclusive evidence, the IDS agent may request the cooperation of neighboring IDS agents through a cooperative detection engine module, which communicates with the other agents through a secure communication module.

Albers et al. [40] proposed a distributed and collaborative IDS architecture using mobile agents. A local intrusion detection system (LIDS) is implemented on each node for local concerns, which can be extended to global concerns by cooperating with other LIDS. Two types of data are exchanged between LIDS: security data (to obtain complementary information from collaborating nodes) and intrusion alerts (to inform others of a locally detected intrusion). To analyze a possible intrusion, the data must be obtained from what the LIDS detects, together with additional information from other nodes. Other LIDS may run on different operating systems or use data from various activities, such as system, application, or network activities; therefore, the format of the raw data can differ, making analysis difficult for the LIDS.

Mitrokotsa et al. [30] proposed a distributed model. The proposed intrusion detection system is composed of multiple local IDS agents. Each IDS agent is responsible for detecting possible intrusions locally. The collection of all the independent IDS agents forms the IDS for the mobile wireless ad hoc network [75].

Each local IDS agent is composed of the following components:

Data Collector: responsible for selecting local audit data and activity logs.

Detection Engine: responsible for detecting local anomalies using local audit data. Local anomaly detection is performed using the eSOM classification algorithm. The local detection engine follows the procedure below:

(i) Select labeled audit data and perform the appropriate transformations. (ii) Compute the classifier using the training data and the eSOM algorithm. (iii) Apply the classifier to test local audit data in order to classify it as Normal or Abnormal.

In HIDS [41], another IDS approach was proposed. HIDS is based on the trust, reputation or honesty value of mobile nodes. The trust value of a node is dynamically increased or decreased depending on its behavior. When a node behaves normally, it is positively rewarded; malicious activity results in negative rewards for that node. The trust value of a node is recalculated on the basis of its current honesty rate and the rewards it has earned. HIDS is inherently protected against false positives. However, keeping tables up to date in different nodes, as required by HIDS, may not be an energy-efficient strategy. Moreover, the proposed HIDS provides only a generic architecture for detecting secure routes [76].

A cooperative IDS architecture based on social network analysis

Wang et al. [42] have proposed a cooperative IDS architecture based on a detection engine that utilizes social network analysis. In this architecture, each node deploys a detection engine that performs intrusion detection using audit data received from its "ego" network. An "ego" network consists of the hosting node (the "ego") and the nodes (the "alters") that are directly connected to it. The deployed engines operate similarly to anomaly detection, but they use social relationships as the parameters of interest, which require less computational overhead than standard anomaly detection engines. In addition, a training phase is necessary to create normal profiles (i.e., as in anomaly detection), and according to the authors, the detection engines monitor the Medium Access Control (MAC) and network layers. The social analysis module then processes the collected data in order to derive the social relations between the "ego" network nodes, which represent the behavior of these nodes at a certain time. Subsequently, the derived relations are compared with the normal profile of expected behaviors, and any variation from it constitutes an intrusion. If an intrusion is detected, the response module notifies the neighboring nodes.

Bose et al. [43] proposed a cooperative, multi-layer IDS architecture that uses three parallel anomaly detection engines, designated as the MAC layer detection engine, the routing detection engine, and the application layer detection engine, installed in each node. Multi-layer detection is used to increase detection accuracy, since attacks that target upper-layer protocols can appear as legitimate events at the lower layers, and vice versa. The MAC layer detection engine monitors medium access control and responds at the data link layer. The routing detection engine supervises the network layer and monitors packet delivery and routing information. Finally, the application layer engine monitors the application layer. Each engine collects the data appropriate to it, processes them, and examines them for malicious behavior. In each node, a local integration module combines the results of the three detection engines, while a global integration module combines the results received from neighboring nodes.

A friend-assisted intrusion detection architecture for MANETs

Razak et al. [44] have proposed a cooperative two-tier IDS architecture for MANETs (one tier for local and one for global detection), where each tier includes two detection engines. The first tier uses a local detection mechanism that collects local audit data and processes them using a signature-based detection engine. If it detects suspicious activity but cannot pinpoint a specific attack, a second engine (also located in the first tier) is activated that performs anomaly detection. If both engines of the first tier cannot conclude that the suspicious activity is malicious, the second tier of the architecture is triggered. The second tier uses a global detection mechanism that gathers audit data from neighboring nodes and, as in the first tier, first performs signature-based detection and then anomaly-based detection. The second tier also maintains a friend list (each node builds and maintains a list of trusted nodes), which is used to ensure that the nodes sharing their audit data are trusted.

Ramachandran et al. [45] proposed a cooperative IDS architecture that uses lightweight modules (agents) capable of performing various detection tasks and aims to reduce battery consumption. Each network node contains all the modules required to perform the detection tasks and is assigned a reputation value, which increases when the node successfully assists with intrusion detection tasks and decreases if the node's performance in intrusion detection is not satisfactory. The intrusion detection engine is anomaly-based and is installed in each node. When the engine of a node detects suspicious behavior, it initiates a bidding system to select the set of nodes most appropriate to assist in performing intrusion detection [26]. The nodes with the greatest amount of resources and the highest reputation value are selected and assigned specific tasks. These tasks include: (i) executing host or network monitoring, (ii) making decisions given a set of audit data, and (iii) activating defensive measures in case malicious behavior is detected.

Routing anomaly detection architecture

Sun et al. [46] have proposed a cooperative IDS architecture that focuses on routing disruption attacks. As all nodes in a MANET participate in routing, each maintains a table that contains routing information, such as the routing paths to reach other nodes and the required number of hops. Major changes in this table may be a symptom of malicious behavior that attempts to disrupt the routing process. The proposed IDS uses the following two routing features to discover malicious behavior: (i) the percentage change in route entries (PCR), and (ii) the percentage change in the number of hops (PCH). PCR is the percentage of route entries added or removed during a certain period of time, while PCH indicates the variation of the sum of the hops of all route entries during that period.
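An added example of the two routing features, PCR and PCH, computed over successive routing-table snapshots. This is not code from Sun et al.; the exact percentage definitions, the alarm limits and the snapshots of a node's routing table are assumptions constructed for illustration. The snapshots show why two features are better than one: a flood of new one-hop routes moves PCR but barely moves PCH, while a sudden loss of almost every route moves both.

```python
def route_table_features(prev, curr):
    """PCR/PCH between two routing-table snapshots ({destination: hop count}).

    Percentage definitions are an assumption of this example: PCR is the number of
    entries added or removed relative to the previous table size, and PCH is the
    absolute change of the total hop count relative to the previous total.
    """
    prev_dests, curr_dests = set(prev), set(curr)
    added = curr_dests - prev_dests
    removed = prev_dests - curr_dests
    pcr = 100.0 * (len(added) + len(removed)) / max(len(prev_dests), 1)
    prev_hops, curr_hops = sum(prev.values()), sum(curr.values())
    pch = 100.0 * abs(curr_hops - prev_hops) / max(prev_hops, 1)
    return pcr, pch


def analyze_snapshots(snapshots, pcr_limit=50.0, pch_limit=50.0):
    """Return one record per monitoring period: (period, pcr, pch, alarm).

    The limits are illustrative; a deployment would derive them from the PCR/PCH
    values seen during attack-free operation at the expected mobility level.
    """
    results = []
    for i in range(1, len(snapshots)):
        pcr, pch = route_table_features(snapshots[i - 1], snapshots[i])
        alarm = pcr > pcr_limit or pch > pch_limit
        results.append((i, pcr, pch, alarm))
    return results


def alarm_periods(snapshots, pcr_limit=50.0, pch_limit=50.0):
    """Periods in which either feature crossed its limit."""
    return [p for p, _, _, alarm in analyze_snapshots(snapshots, pcr_limit, pch_limit) if alarm]


# Constructed snapshots of one node's routing table, one per monitoring period.
SNAPSHOTS = [
    {"A": 1, "B": 2, "C": 3, "D": 2},                      # baseline, 8 hops in total
    {"A": 1, "B": 2, "C": 3, "D": 2, "E": 3},              # one new route: ordinary mobility
    {"A": 1, "B": 2, "C": 3, "D": 2, "E": 3},              # no change at all
    {"A": 1, "B": 1, "C": 1, "D": 1, "E": 1,
     "F": 1, "G": 1, "H": 1, "I": 1},                      # many new destinations, all 1 hop away
    {"A": 1},                                              # nearly every route vanished
]


if __name__ == "__main__":
    for period, pcr, pch, alarm in analyze_snapshots(SNAPSHOTS):
        print(f"period {period}: PCR={pcr:.1f}% PCH={pch:.1f}% alarm={alarm}")
    print(alarm_periods(SNAPSHOTS))   # [3, 4]
```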

Douligeris and Komninos [47] proposed a cooperative IDS architecture, LIDF (Layered Intrusion Detection Framework) for ad hoc networks, based on multi-layer detection to capture malicious behavior. In this architecture, each host maintains an intrusion detection unit, which is divided into three modules: (i) the collection module, (ii) the detection module, and (iii) the alert module. The collection module is responsible for collecting data at the data link and network layers. By monitoring these two layers, the IDS has a narrow view of networking activities (i.e., connectivity and routing of nodes). The detection module performs anomaly-based detection on the collected audit data in two stages, in order to preserve the host's resources and battery. First, it deals only with the most recent local audit data. If these data are not sufficient to reach a clear decision on suspicious behavior, audit data are requested from neighboring nodes via secure communication channels. However, the authors did not specify when nodes decide to seek the cooperation of their neighbors, nor how this cooperation is achieved (i.e., by sharing audit data or detection results) [26]. Consequently, the communication overhead imposed by node cooperation cannot be determined. Finally, if malicious behavior is detected, the alert module is responsible for informing the neighboring nodes.

Deng et al. [48] proposed a hierarchical distributed intrusion detection approach and a completely distributed one. The intrusion detection approach used in both architectures focuses on the network layer and is based on a Support Vector Machines (SVM) classification algorithm. They use a set of parameters from the network layer and suggest that a distributed hierarchical approach may be more promising than a completely distributed intrusion detection approach.

Chen et al. [49] proposed a distributed intrusion detection approach based on Dempster-Shafer theory. They exploit the advantages of this theory: its ability to reflect uncertainty or a lack of complete information, and its practical numerical procedure for fusing multiple pieces of evidence.

(iii) Hierarchical IDS architectures

Hierarchical IDS architectures have been proposed for multi-layered wireless ad hoc networks. In a multi-layered wireless ad hoc network, cluster head (CH) nodes centralize routing for the cluster and can support additional security mechanisms. For example, a three-layer infrastructure can be deployed in the tactical battlefield, consisting of two layers of ground networks and a third layer of Unmanned Aerial Vehicles (UAVs), which provide event correlation for a theater of operations. Neighboring ground nodes that detect that a ground node V is malicious send an accusation message to the UAV, and the UAV determines that node V is compromised after receiving a threshold of K accusations [50]. The UAV can then respond, for example by broadcasting a message to inform all nodes in the theater. In addition to correlating the events detected by cluster member nodes, the nodes can also detect attacks against the virtual backbone routing infrastructure made by Byzantine CH nodes. In a multi-layered wireless ad hoc network, the detection of Byzantine CH nodes is essential: Byzantine CH nodes could reroute, modify, or drop the packets transmitted by the cluster member nodes, as well as all packets routed through the CH node on the virtual backbone.

Kachirski and Guha [51] proposed a multi-sensor intrusion detection system based on mobile agent technology. The system can be divided into three main modules, each of which is a mobile agent with a certain functionality: monitoring, decision making, or launching a response. By separating the functional tasks into categories and assigning each task to a different agent, the workload is distributed in a way that suits the characteristics of MANETs. In addition, a hierarchical structure of agents is also developed in the intrusion detection system.

Monitoring agent: two functions are realized by this class of agent: network monitoring and host monitoring. A host-based monitoring agent, hosting system-level sensors and user-activity sensors, runs on every node to monitor within the node, while a monitoring agent with a network monitoring sensor runs only on certain selected nodes to capture packets at the packet level within its radio range.

Action agent: since each node hosts a host-based monitoring agent, it can determine whether there is suspicious or unusual activity on the host node based on anomaly detection. When there is strong evidence supporting the detected anomaly, the action agent may trigger a response, such as terminating the process or blocking a user from the network.

Decision agent: the decision agent runs only on certain nodes, mostly those that also run network monitoring agents. These nodes collect all packets within their radio coverage area and analyze them to determine whether the network is under attack.

Sterne et al. [52] proposed a dynamic intrusion detection hierarchy that is potentially scalable to large networks by using clustering. It can be structured in more than two levels: nodes labeled "1" are the first-level cluster heads, nodes labeled "2" are the second-level cluster heads, and so on. Members of the first-level clusters are called leaf nodes.

Every node has the responsibilities of monitoring (by accumulating counts and statistics), logging, analyzing (i.e., attack signature matching or checking packet headers and payloads), responding to detected intrusions if there is enough evidence, and alerting or reporting to cluster heads. Cluster heads, in addition, must also perform [26]:

Data fusion/integration and data reduction: cluster heads aggregate and correlate reports from cluster members with their own data. Data reduction may be involved to avoid conflicting data, bogus data and overlapping reports. Besides, cluster heads may send requests to their children for additional information in order to correlate reports correctly.

Intrusion detection computations: since different attacks require different sets of detected data, the data on a single node might not be able to reveal the attack (e.g., a DDoS attack), and thus cluster heads also analyze the consolidated data before passing it to upper levels.

Security management: the uppermost levels of the hierarchy have the authority and responsibility for managing the detection and response capabilities of the clusters and cluster heads below them. They may send signature updates or directives and policies to alter the configurations for intrusion detection and response. These updates and directives flow from the top of the hierarchy to the bottom.

To form the hierarchical structure, every node uses clustering, which is typically used in MANETs to construct routes, to self-organize into local neighborhoods (first level clusters) and then select neighborhood representatives (cluster heads). These representatives then use clustering to organize themselves into the second level and select the representatives. This process continues until all nodes in the network are part of the hierarchy.

Huang and Lee [54] proposed a cluster-based IDS in order to cope with the resource constraints faced by MANETs. They use a set of statistical features that can be derived from routing tables and apply the C4.5 decision tree induction classification algorithm to detect normal and abnormal behaviors. The proposed system is able to identify the source of the attack if the attack occurs within the identified hop.

A cluster-based intrusion detection architecture with event-triggered cluster head selection

Ma and Fang [55] proposed an adaptive hierarchical IDS architecture following a modular, cluster-based approach. The objective is to provide a cluster structure where cluster heads are always hosted by the nodes with the greatest battery power. During network initialization, each node publishes its battery power to its neighbors. Then, the node with the highest battery power is elected as the cluster head. A cluster head re-election process is triggered as soon as one of the following events occurs: (i) a new node joins the network, (ii) the elected cluster head leaves the network, or (iii) the battery power of the cluster head falls below a predefined threshold. When a new node joins the network, it must first inform all its neighboring nodes. Similarly, if a cluster head leaves the network, it broadcasts a packet to notify its cluster member nodes to start the cluster head re-election procedure.

In this IDS architecture [26], each network node contains four different modules, described below:

a. The network detection module, which monitors network packets in a cluster. It is activated only when the hosting node is elected as the cluster head.

b. The local detection module, which monitors the hosting node and generates alerts if local malicious activities are detected. This module is always active at each node.

c. The resource management module, which monitors the energy of a node acting as cluster head. When the battery falls below a predefined threshold, the module first notifies the state monitoring module and then triggers the cluster head re-election procedure.

d. The state monitoring module, which manages the handover if the network detection module is active (i.e., the hosting node is elected as the cluster head).

Otrok et al. [56] proposed a hierarchical IDS architecture that uses a game-theoretic detection mechanism to balance the resource consumption resulting from intrusion detection tasks among the nodes in a cluster. It encourages the network nodes to participate in the cluster head election and tries to prevent elected cluster heads from misbehaving. In the proposed architecture, nodes can function as: (i) cluster members, which have no intrusion detection responsibilities, (ii) cluster heads, which are responsible for intrusion detection within a cluster, or (iii) checkers, which are cluster members selected randomly to monitor the cluster head for selfish or malicious behavior.

A cluster architecture that uses collective decision for intrusion detection

Marchang and Datta [57] proposed two intrusion detection architectures that rely on a voting system to perform intrusion detection, instead of employing an anomaly- or signature-based intrusion detection engine. The difference between the two architectures is that the first, called the algorithm for detection in a clique (ADCLI), divides the network into cliques, while the second, called the algorithm for detection in a cluster (ADCLU), divides the network into clusters. A clique is similar to a cluster, with the difference that each member of a clique is a neighbor of all the other members. In each cluster or clique, where intrusion detection takes place independently, a control node is elected using different schemes and is rotated periodically. Upon receipt of any suspicious or modified message from a member of its clique/cluster, the control node asks the other clique/cluster members to initiate the intrusion detection process [26].

An optimal hierarchical intrusion detection architecture

Manousakis et al. [58] proposed a hierarchical IDS architecture based on a dynamic tree structure in which detection data are aggregated upward, from the leaf nodes to the authority nodes and up to the root of the hierarchy (i.e., the upper-layer nodes), while instructions are shipped downward to the lower-level nodes. The objectives of this architecture are: (i) to form a tree-based structure that is robust to changes in the network and allows data aggregation and rapid detection, and (ii) to detect attacks at the level of the hierarchy where sufficient aggregated data are available to reach a definite decision. The tree-based structure is created in the following two steps. In the first step, a network node is randomly selected to act as the cluster root and its neighbors are assigned as members of the newly created cluster. This cluster head is the highest level of the tree-based hierarchy. In the second step, a member of the previously formed cluster(s) is selected as cluster head, and its neighbors that have not already been assigned to another cluster are assigned as its cluster members. The second step is repeated until all the network nodes are members of the hierarchical structure. Intrusion detection occurs at the lowest possible level of the hierarchy at which there are sufficient aggregated data to allow a precise decision. If the cluster head of a cluster is not able to accurately detect an attack, it transmits all its sensor data to the cluster head one level up, which in turn attempts to detect the attack precisely.

Deng et al. [59] propose a cluster-based IDS architecture in which only the cluster heads perform intrusion detection. It focuses on detecting attacks that target the routing infrastructure and forms the cluster network using the "distributed efficient clustering approach" (DECA) protocol. In this protocol, each node votes as cluster head the neighboring node that has the largest number of connections and the most residual energy; the nodes with the most votes become cluster heads. Cluster heads are re-elected after a predefined time period. Each cluster head employs an anomaly detection engine that monitors: (i) the spread of routing-protocol-specific packets (i.e., hello, error, request, reply, etc.), (ii) changes in the routing tables, and (iii) the transmission of data packets. These features are monitored either by randomly selecting a cluster member that transmits its own feature set to the cluster head, or actively by configuring the cluster head to listen to the traffic generated in the cluster [26].

The TOGBAD approach was proposed in [60] to defend against the black hole attack in tactical MANETs, in which a successful attack can lead to loss of human life.

The proposed solution is designed to secure OLSR, but it is appropriate for any routing protocol based on the exchange of Hello messages. Each network node retrieves a list of its neighbors from the Hello messages it receives and sends it to the supervisory node. The latter, which is the only node running the TOGBAD scheme, uses the received information to construct the network topology graph. This graph is built using the Cluster-Based Anomaly Detector (CBAD) introduced in [61] and [62]. Then, when receiving a message from a node, the supervisor node retrieves the number of neighbors claimed by the sending node and compares it with the size of the sender's neighbor set as computed from the topology graph. If the difference between the claimed neighbor set and the one extracted from the graph exceeds a predefined threshold, the supervisor concludes that an attack is being attempted and an alarm is triggered. The additional messages sent by each node to the supervisor lead to a large increase in control overhead in the network, and an excessive increase in computational overhead at the supervisor node is also observed. Therefore, this scheme is not suitable for MANETs because of the limited energy and computational resources of wireless nodes [78].
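The supervisor-side plausibility check, as an added example that is not TOGBAD's own code: the supervisor builds its view of the topology from the neighbor lists the nodes reported, and for each node compares the neighbor count the node claims with the number of other nodes whose reports actually list it. The node names, the reports and the threshold are constructed; the choice to derive a node's neighbor set only from other nodes' reports (so that a node cannot inflate its own graph-side count) is an assumption of the example rather than something the page states.

```python
from collections import defaultdict

# Constructed neighbour lists as each node reported them to the supervisor
# (each list is what the node extracted from the Hello messages it received).
REPORTS = {
    "A": {"B", "C"},
    "B": {"A", "C", "D"},
    "C": {"A", "B", "D"},
    "D": {"B", "C"},
    "E": {"F"},
    "F": {"E"},
    "M": {"A", "B", "C", "D", "E", "F"},   # claims to hear every other node
}


def build_topology(reports):
    """Topology graph at the supervisor: heard_by[x] = nodes whose reports list x.

    Assumption: a node's graph-derived neighbour set comes from the other nodes'
    reports only, never from its own claim.
    """
    heard_by = defaultdict(set)
    for reporter, neighbours in reports.items():
        for n in neighbours:
            heard_by[n].add(reporter)
    return heard_by


def check_claims(reports, threshold=2):
    """Compare each node's claimed neighbour count with the graph-derived one.

    Returns {node: (claimed, derived, alarm)}. The threshold absorbs the few
    asymmetric or stale links that ordinary mobility produces, so that only a
    node whose claim exceeds what the rest of the network sees by more than
    `threshold` raises an alarm.
    """
    heard_by = build_topology(reports)
    verdicts = {}
    for node, claimed in reports.items():
        derived = heard_by[node]
        alarm = len(claimed) - len(derived) > threshold
        verdicts[node] = (len(claimed), len(derived), alarm)
    return verdicts


def suspicious_nodes(reports, threshold=2):
    """Sorted list of nodes whose neighbour claims are not backed by the graph."""
    return sorted(n for n, (_, _, alarm) in check_claims(reports, threshold).items() if alarm)


if __name__ == "__main__":
    for node, verdict in sorted(check_claims(REPORTS).items()):
        print(node, verdict)
    print(suspicious_nodes(REPORTS))   # ['M']
```

Note the cost that the paragraph above points out: every node sends its full neighbor list to one supervisor, and the supervisor rebuilds the graph on each update, which is exactly the control and computation overhead the authors of [78] object to.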

4. INTRUSION DETECTION TECHNIQUES FOR MISBEHAVING NODES

As stated before, MANETs have no infrastructure, so each node depends on cooperation with other nodes for routing and forwarding packets. Intermediate nodes may agree to forward packets, but if these nodes are misbehaving nodes, they can drop or alter packets.

Simulations that Marti, Giuli and Baker [63] performed show that only a few misbehaving nodes can reduce the efficiency of the entire system. A few techniques and protocols for detecting and confronting misbehaving nodes are available [64], [65]. Many intrusion detection systems have been proposed, and most of them are tightly related to routing protocols [79][80].

(i). Watchdog and Pathrater

These two techniques were presented by Marti, Giuli and Baker [63] and were added to the standard routing protocol in ad hoc networks, the Dynamic Source Routing (DSR) protocol [66]. The watchdog identifies misbehaving nodes, while the pathrater avoids routing packets through these nodes.

When a node forwards a packet, the node's watchdog verifies that the next node in the path also forwards the packet. The watchdog does this by listening promiscuously to the next node's transmissions. If the next node does not forward the packet, then it is considered as misbehaving. The path rater uses this knowledge of misbehaving nodes to choose the network path that is most likely to deliver packets. The nodes rely on their own watchdog exclusively and do not exchange reputation information with others.

The Pathrater technique calculates a path metric for every path. By keeping a rating for each node in the network, the path metric can be calculated by combining the node ratings with link reliability information obtained from past experience. After calculating the path metric for all available paths, the Pathrater selects the path with the highest metric. If no reliable link data were available, the path metric would lead the Pathrater to select the shortest path. Thus it avoids routes that contain misbehaving nodes.
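Watchdog and Pathrater together, as an added simulation that is not the code of Marti, Giuli and Baker: the source buffers each packet it hands to its next hop, clears the buffer entry when it overhears the retransmission, counts a failure when the timeout passes instead, and reports the next hop once the failure count exceeds a threshold; the pathrater then scores each path by the average of its node ratings and picks the best. Only the source's watchdog is modelled, the two paths and the dropping node are constructed, and the rating constants (neutral 0.5, a small reward per verified packet capped at 0.8, a large negative value for a reported node) are assumptions chosen for the example.

```python
from collections import defaultdict

# Rating constants are illustrative assumptions, not values taken from the page.
NEUTRAL = 0.5          # rating of a node never seen before
MAX_REWARD = 0.8       # ceiling reached by nodes that keep forwarding correctly
REWARD_STEP = 0.01     # increment per packet the watchdog verified
MISBEHAVING = -100.0   # rating assigned once the watchdog reports a node


class Watchdog:
    """Verifies that the next hop retransmits each packet we handed to it."""

    def __init__(self, failure_threshold=3):
        self.failure_threshold = failure_threshold
        self.pending = {}                 # (packet_id, next_hop) -> time sent
        self.failures = defaultdict(int)  # next_hop -> packets never overheard
        self.reported = set()

    def sent(self, packet_id, next_hop, now):
        self.pending[(packet_id, next_hop)] = now

    def overheard(self, packet_id, forwarder):
        """Called when the radio hears `forwarder` retransmit the packet."""
        return self.pending.pop((packet_id, forwarder), None) is not None

    def expire(self, now, timeout):
        """Count every buffered packet not overheard within the timeout as a failure."""
        for key in [k for k, t in self.pending.items() if now - t > timeout]:
            del self.pending[key]
            hop = key[1]
            self.failures[hop] += 1
            if self.failures[hop] > self.failure_threshold:
                self.reported.add(hop)
        return set(self.reported)


class Pathrater:
    """Keeps a rating per node and scores a path by the average rating of its nodes."""

    def __init__(self, self_id):
        self.ratings = {self_id: 1.0}

    def rating(self, node):
        return self.ratings.get(node, NEUTRAL)

    def reward(self, node):
        self.ratings[node] = min(MAX_REWARD, self.rating(node) + REWARD_STEP)

    def mark_misbehaving(self, node):
        self.ratings[node] = MISBEHAVING

    def path_metric(self, path):
        return sum(self.rating(n) for n in path) / len(path)

    def choose(self, paths):
        return max(paths, key=self.path_metric)


def simulate(source, paths, dropping, packets=5, timeout=1.0):
    """Send `packets` along each path from `source`; nodes in `dropping` never forward.

    Returns (reported nodes, chosen path, {path: metric}).
    """
    wd, pr = Watchdog(), Pathrater(source)
    clock = 0.0
    for path in paths:
        next_hop = path[1]
        for pkt in range(packets):
            pid = (tuple(path), pkt)
            wd.sent(pid, next_hop, clock)
            if next_hop not in dropping:
                wd.overheard(pid, next_hop)   # promiscuous listening sees the retransmission
                pr.reward(next_hop)
            clock += timeout + 0.1           # move past the timeout before checking
            for bad in wd.expire(clock, timeout):
                pr.mark_misbehaving(bad)
    scores = {tuple(p): pr.path_metric(p) for p in paths}
    return wd.reported, pr.choose(paths), scores


# Constructed topology: S reaches D either through M (a packet-dropping node) or via A and B.
PATHS = [["S", "M", "D"], ["S", "A", "B", "D"]]

if __name__ == "__main__":
    reported, chosen, scores = simulate("S", PATHS, dropping={"M"})
    print(reported, chosen)   # {'M'} ['S', 'A', 'B', 'D']
```

The failure threshold is what keeps the watchdog from reporting a neighbor because of a single collision or a moment of interference; it also means a node must drop several packets before the pathrater stops routing through it, which is the accuracy/latency trade-off the technique carries.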

(ii) CONFIDANT

Buchegger and Le Boudec [67] further developed the DSR protocol and devised a new protocol called CONFIDANT, which is similar to Watchdog and Pathrater. In this protocol, each node can observe the behavior of all its neighboring nodes that are within its radio range and learns from


