Intrusion Detection Techniques In Mobile Networks


02 Nov 2017


R.A.D.K. Rupasinghe

Faculty of Information Technology

University of Moratuwa


Abstract: With the advancement of networking technologies and the rapid development of mobile devices, wireless networking has become more popular than wired networking. Mobile ad hoc networks (MANETs) have emerged in this new era of the mobile and wireless world. A mobile ad hoc network is established when two or more mobile devices communicate over a wireless medium without using any purpose-built infrastructure, and its topology changes rapidly. MANETs are used in various real-world applications where devices need to create a network on the fly and communicate with each other. Though this seems very cost-effective, things become more complex because of its vulnerability to various types of attacks. An Intrusion Detection System (IDS) plays the role of a second firewall in protecting a MANET from these vulnerabilities.

Introduction

A mobile ad hoc network can be defined as a set of nodes that communicate with each other over a wireless medium, where the topology can change dynamically because the nodes do not stay in fixed positions in a mobile environment, and where the nodes have to act as routers because they take part in multi-hop communication within the network. Therefore no other infrastructure or access points are used in a mobile ad hoc network. With the increasing use and popularity of mobile devices, the need for mobile ad hoc networks (MANETs) is also increasing. These networks are used in various applications, such as military operations (which gave birth to mobile ad hoc networks), rescue missions, data gathering, virtual classrooms and conferences.

With the wide usage of MANETs, security has become one of the main concerns in this subject area. Various types of active and passive attacks can be targeted at these networks. Passive attacks mainly take the form of eavesdropping and do not change or corrupt data, whereas active attacks try to modify or delete data. As there is no physical infrastructure among the devices, it is not easy to monitor security across the whole network at once. Therefore traditional security mechanisms for preventing intrusions, such as authentication and data encryption, will not be sufficient to protect a MANET against these attacks. Intrusion Detection Systems (IDS) [3, 4] for mobile ad hoc networks have emerged to fill this security gap: to detect malicious attacks before they enter the network and to avoid damage to the data or the system. An IDS can be defined as a monitoring system that takes the audit data of nodes as input and detects any vulnerability through them. Several types of IDS [2] are in current use, and different IDS architectures are used for different mobile ad hoc networks.

The rest of this paper is structured as follows. Section 2 describes Intrusion Detection and Intrusion Response. Section 3 describes the Classification of IDS, and section 4 discusses different IDS architectures. Finally, section 5 presents the conclusions and future research.

Intrusion Detection and Intrusion Response in MANETs

An IDS is a system that monitors a particular network with the help of a specially designed algorithm to identify any malicious attacks that can cause damage to the system or the network. An IDS mainly takes the audit data of that network as the input to the algorithm and processes that data using various techniques to decide whether the network is facing any malicious intrusions. The IDS acts automatically when an intrusion takes place and then takes the necessary actions to inform the network about the intrusion. Intrusion detection includes activities such as monitoring and analyzing user and system activity, reviewing system configurations and vulnerabilities, assessing the integrity of critical system files and data files, numerical analysis of the patterns of behavior corresponding to known attacks, and analysis of irregular activity.

The intrusion response in a mobile ad hoc network differs according to the type of intrusion, the protocols used in the network and the application being used. Some responses can be listed as follows. Communication channels are reinitialized among the nodes in the network. After intrusion detection, compromised nodes are identified separately and the network is reorganized to get rid of those compromised nodes. As end users are involved in monitoring and administering the network, the IDS informs the users about the intrusion and the actions already taken against it.

Classification of IDS

Intrusion Detection Systems can be classified into groups in several ways. One classification distinguishes Active IDS from Passive IDS. The responsibility of a passive IDS is limited to monitoring and analyzing network traffic and informing the user about potential threats, so that the user can take the relevant action. Active IDS are known as Intrusion Detection and Prevention Systems (IDPS); they can detect any vulnerability and automatically take proactive action against the attack to protect the system, without the intervention of the user.

Another classification, based on the audit data used, distinguishes network-based IDS from host-based IDS. Network-based IDS are used in a network to monitor and analyze the network traffic and detect any malicious intrusions or attacks, whereas host-based IDS are software applications installed independently on the hosts to analyze system and log files to detect any threat.

IDS can also be divided into several categories according to the detection technique used as follows.

Specification based detection [9]: Behaviors that are identified as correct are kept as a set of security standards, and new behaviors are compared with them to detect intrusions.

Anomaly based detection [5, 6]: Normal behaviors are saved in profiles, and the data captured from the network traffic is compared with these previously identified profiles. Any deviations are considered intrusions.

Signature based detection (aka Misuse detection) [7, 8]: The system keeps a collection of signatures/patterns that are identified as attacks. Incoming data is compared with them, and matching data is considered an intrusion.
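The three techniques can be compared side by side on the same audit data. The following is an added example, not part of the original essay; the audit records, field names, signature tag and thresholds are all constructed assumptions chosen so that each technique flags a node the other two miss.

```python
from statistics import mean, stdev

# Constructed audit records a node keeps about its neighbours (not real captures).
AUDIT = [
    {"node": "n1", "rreq_per_min": 4,  "to_forward": 100, "forwarded": 98, "tag": "data"},
    {"node": "n2", "rreq_per_min": 5,  "to_forward": 80,  "forwarded": 10, "tag": "data"},
    {"node": "n3", "rreq_per_min": 90, "to_forward": 60,  "forwarded": 59, "tag": "data"},
    {"node": "n4", "rreq_per_min": 3,  "to_forward": 50,  "forwarded": 50, "tag": "known-bad-probe"},
]

# Signature based: a collection of patterns already identified as attacks.
SIGNATURES = {"known-bad-probe"}          # hypothetical pattern name

# Anomaly based: a profile of normal behaviour recorded earlier (constructed).
NORMAL_RREQ = [3, 4, 5, 4, 6, 5, 4, 3]    # route requests per minute

# Specification based: behaviour defined as correct. Here a node must forward
# at least 90% of the packets handed to it (hypothetical standard).
MIN_FORWARD_RATIO = 0.9

def signature_hit(rec):
    return rec["tag"] in SIGNATURES

def anomaly_hit(rec, profile=NORMAL_RREQ, k=3.0):
    # Flag a deviation of more than k standard deviations from the profile.
    mu, sigma = mean(profile), stdev(profile)
    return abs(rec["rreq_per_min"] - mu) > k * sigma

def specification_hit(rec):
    return rec["forwarded"] / rec["to_forward"] < MIN_FORWARD_RATIO

DETECTORS = {
    "signature": signature_hit,
    "anomaly": anomaly_hit,
    "specification": specification_hit,
}

def classify(records):
    """Return {node: [techniques that flagged it]} for flagged nodes only."""
    flagged = {}
    for rec in records:
        hits = [name for name, check in DETECTORS.items() if check(rec)]
        if hits:
            flagged[rec["node"]] = hits
    return flagged

if __name__ == "__main__":
    for node, hits in classify(AUDIT).items():
        print(node, hits)
```

The node that drops packets matches no signature and sends a normal number of route requests, so only the specification check catches it; the node flooding route requests is caught only by the anomaly profile.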

Different IDS Architectures

The network infrastructure can differ from one MANET to another. Therefore the architecture used in the IDS should be able to cope with that particular infrastructure. In MANETs we can identify two main architectures that are used in the real world: flat architecture and multi-layered architecture. In a flat network all the participating nodes are considered equal and perform identical functions, whereas in a multi-layered architecture nodes are considered to have different types of functionality. To address vulnerabilities in these architectures, a proper IDS architecture should be implemented in the system. We can identify several different IDS architectures that are used in mobile ad hoc networks. Mainly they can be categorized as,

Stand-Alone Architecture

Distributed and Cooperative Architecture [1]

Hierarchical Architecture [10] and

Mobile Agents for IDS [11, 12]

The above architectures are discussed under the following sub-headings.

Stand Alone IDS

In this architecture every node in the network runs its own IDS, which independently detects any intrusion entering the node. Each node is aware only of itself and takes no account of other nodes. There is therefore no collaboration among the nodes inside the network, as a node does not even alert other nodes about a potential threat. This architecture applies mainly to flat network architectures rather than multi-layered architectures. As every node has to implement an IDS, this architecture consumes resources at a higher rate. Therefore the use of the stand-alone architecture is not much encouraged in MANETs.

Distributed and Cooperative IDS

A mobile ad hoc network typically has a distributed architecture, as the nodes dynamically change their positions across the network. Cooperation among the nodes, acting as a wall against potential intrusions, is therefore important in MANETs. To achieve this type of cooperation, every node in the MANET participates in intrusion detection. In this architecture, every node contains an agent that detects intrusions and responds to them independently. Agents continuously analyze the network and provide the details needed to take corrective actions against intrusions. But there can be incidents where the evidence is not enough to conclude that an intrusion has occurred. In such scenarios, neighboring agents participate in a global intrusion detection to determine whether there is an intrusion. This architecture is also more suitable for flat network infrastructures.
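The local-then-global decision described above can be sketched as follows. This is an added example, not part of the original essay: the confidence thresholds, the quorum size, the majority vote used as the global decision rule and the five-node neighbourhood are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

HIGH, LOW = 0.8, 0.3      # hypothetical confidence thresholds for a local verdict
MIN_OBSERVERS = 3         # hypothetical quorum for a global verdict

@dataclass
class Agent:
    name: str
    evidence: dict                                  # suspect -> confidence in [0, 1]
    neighbours: list = field(default_factory=list)

    def opinion(self, suspect):
        """Local confidence that `suspect` is intruding, or None if unobserved."""
        return self.evidence.get(suspect)

    def detect(self, suspect):
        """Return (verdict, scope); scope is 'local' or 'global'."""
        score = self.opinion(suspect) or 0.0
        if score >= HIGH:
            return "intrusion", "local"
        if score <= LOW:
            return "normal", "local"
        # Evidence is inconclusive: collect neighbours' opinions. The suspect
        # is skipped so a compromised node cannot vote on its own case.
        votes = [score]
        for n in self.neighbours:
            op = n.opinion(suspect)
            if n.name != suspect and op is not None:
                votes.append(op)
        if len(votes) < MIN_OBSERVERS:
            return "undecided", "global"
        agree = sum(v >= 0.5 for v in votes)
        return ("intrusion" if 2 * agree > len(votes) else "normal"), "global"

def build_demo():
    """Constructed five-node neighbourhood seen from agent 'a'."""
    b = Agent("b", {"x": 0.7, "z": 0.2})
    c = Agent("c", {"x": 0.6})
    d = Agent("d", {})
    x = Agent("x", {"x": 0.0})
    return Agent("a", {"x": 0.55, "y": 0.9, "z": 0.5}, [b, c, d, x])

if __name__ == "__main__":
    a = build_demo()
    for suspect in ("x", "y", "z"):
        print(suspect, a.detect(suspect))
```

Requiring a quorum of independent observers means a single uncertain node cannot trigger a network-wide response on its own.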

Hierarchical IDS

This architecture is designed as an extended version of both the Stand Alone and the Distributed and Cooperative architectures. Although both of those architectures are designed for flat network infrastructure, this architecture is designed to suit a multi-layered infrastructure. Here the network is divided into different areas called clusters. These clusters contain nodes that behave independently, and the nodes in a cluster have equal functionality. The difference is that each cluster has a cluster head, which communicates with the other clusters through their cluster heads. Every node in a cluster runs an independent intrusion detection system, monitors for intrusions and decides on locally detected intrusions. Unlike the normal nodes in the cluster, cluster heads have more functions to perform in order to maintain local and global communication. This ensures cooperation among nodes both locally and globally. When an intrusion is detected, the cluster head performs a global response to inform other clusters and nodes about the intrusion, rather than only protecting the cluster itself.

Agent based IDS

In this architecture mobile agents play a more significant role in intrusion detection than in the other architectures. These mobile agents have the ability to move through the network. Each agent can therefore be assigned a particular function in the network, so that the agent is responsible only for that task. This helps to reduce the amount of power consumed by the network, since energy is one of the scarce resources in mobile ad hoc networks. One of the main advantages of this architecture is its ability to provide fault tolerance, which means that the network can still function well even when some of the agents have failed. On the other hand, this architecture is more scalable than the other architectures, because the mobile agents can be distributed across large and varied networks that might use different platforms. This platform independence helps a mobile agent to function well without imposing restrictions. Another advantage is this architecture's ability to distribute intrusion detection tasks among the mobile agents, which increases efficiency and security.

Discussion

With the increasing usage of mobile devices, securing mobile ad hoc networks has become one of the main challenges that must be met in order to provide secure communication among mobile devices. It has been proved that traditional intrusion prevention techniques such as authentication and cryptography are not enough to protect mobile ad hoc networks from intrusions. It is therefore essential to implement a proper intrusion detection system to protect the network against malicious intrusions. Although various types of IDS have been implemented to protect wired networks from intrusions, those architectures and techniques are not very suitable for a mobile and dynamic network infrastructure. So the prevailing techniques should be developed further or new technologies should be invented.

As mobile networks are dynamic in nature, almost all IDS used in MANETs are distributed and cooperative. An IDS should be able to detect attacks against the system before they do any damage to the system. Therefore these IDS use the four main types of IDS discussed in section 3. Intrusions can come through attacks on the network or on mobile nodes, and there can also be attacks on the IDS itself. These matters should be taken into consideration in order to implement a good Intrusion Detection System for a mobile ad hoc network.

Acknowledgement

I would like to express my sincere gratitude to Dr. Lochandaka Ranatunga, Senior Lecturer, Department of Information Technology, for guiding me through this study. The wide knowledge he has gained through his experienced career has been of great value to me in this review paper. His understanding, encouragement and personal guidance have provided a good basis for the present review paper. Finally, I would like to thank everybody who helped me to make this review paper a success.


