8/14/2019 Intrusion detection system
Intrusion Detection System (IDS) for MANETs
1. Introduction
An ad-hoc (or "spontaneous") network is a local area network or other small network,
especially one with wireless or temporary plug-in connections, in which some of the network
devices are part of the network only for the duration of a communications session or, in the case
of mobile or portable devices, while in close proximity to the rest of the network. In Latin,
ad hoc literally means "for this," further meaning "for this purpose only," and thus usually
temporary. The term has been applied to future office or home networks in which new devices
can be quickly added, using, for example, Bluetooth technology, in which devices
communicate with the computer and perhaps other devices using wireless transmission. Ad hoc
networks such as Bluetooth are networks designed to dynamically connect remote devices such
as cell phones, laptops, and Personal Digital Assistants (PDAs). These networks are termed 'ad
hoc' because of their shifting network topologies. Whereas LANs use a fixed network
infrastructure, ad hoc networks maintain random network configurations, relying on a master-slave
system connected by wireless links to enable devices to communicate. In a Bluetooth
network, the master of the piconet controls the changing network topologies of these networks. It
also controls the flow of data between devices that are capable of supporting direct links to each
other. As devices move about in an unpredictable fashion, these networks must be reconfigured
on the fly to handle the dynamic topology. The routing protocol that Bluetooth employs allows
the master to establish and maintain these shifting networks.
Figure 1: Notional Ad Hoc Network
Figure 1 illustrates an example of a Bluetooth-enabled mobile phone connecting to a mobile
phone network, synchronizing with a PDA address book, and downloading e-mail on an
802.11 LAN.
Ad hoc networks are a new paradigm of wireless communication for mobile hosts (which
we call nodes). In an ad hoc network, there is no fixed infrastructure such as base stations or
mobile switching centers. Mobile nodes that are within each other's radio range communicate
directly via wireless links, while those that are far apart rely on other nodes to relay messages as
routers. Node mobility in an ad hoc network causes frequent changes of the network topology.
Figure 2 shows such an example: initially, nodes A and D have a direct link between them.
When D moves out of A's radio range, the link is broken. However, the network is still
connected, because A can reach D through C, E, and F.
Figure 2: Dynamicity of MANETs
Figure 2: Topology change in ad hoc networks: nodes A, B, C, D, E, and F constitute an ad hoc
network. The circle represents the radio range of node A. The network initially has the topology
in (a), and when node 'D' moves out of the radio range of 'A', the network topology changes to
the one in (b). The following flowchart depicts the working of any general ad-hoc network:
[Flowchart: Start -> nodes send a signal to find the number of other nodes within range ->
synchronizing between nodes -> sender node sends messages to the receiving node ->
is the receiving node ready? (No: wait for some time and retry; Yes: the receiving node sends
back a ready signal) -> communication begins -> termination process -> Stop]
Figure 3: Working of a general Ad-Hoc Network
Ad hoc networks are generally closed in that they do not connect to the Internet and are
typically created between participants. But if one of the participants has a connection to a public
or private network, this connection can be shared among other members of the ad hoc network.
This will allow other users on the spontaneous ad hoc network to connect to the Internet as well.
Military tactical operations are still the main application of ad hoc networks today. For example,
military units (e.g., soldiers, tanks, or planes), equipped with wireless communication devices,
could form an ad hoc network when they roam in a battlefield. Ad hoc networks can also be used
for emergency, law enforcement, and rescue missions. Since an ad hoc network can be deployed
rapidly with relatively low cost, it becomes an attractive option for commercial uses such as
sensor networks or virtual classrooms. Ad hoc networks are common for portable video game
systems like the Sony PSP or the Nintendo DS because they allow players to link to each other to
play video games wirelessly. Some retail stores even create networks within them to allow
customers to obtain new game demos via the store's own ad hoc network.
1.1 Ad Hoc Network Security Vulnerabilities
The lack of centralized control and infrastructure in an ad hoc network increases its
vulnerability and exposure to attacks.
Since MANETs have not been widely deployed, no actual data is currently available that
allows comprehensive attack analysis. Huang and Lee [4] propose an attack analysis model for
ad hoc networks that uses a taxonomy of anomalous events to detect and analyze attacks. Several
possible attacks on MANETs have been identified in the literature [4-11]. They can be broadly
classified into two types: (i) routing-disruption attacks and (ii) resource-consumption attacks. A
more detailed survey and discussion of the current state of secure routing protocols has been
presented by Hu & Perrig [1].
Attacks can target various layers of the protocol stack. Resource consumption attacks that
exploit vulnerabilities in the Medium Access Control (MAC) and Physical (PHY) layers to
consume bandwidth and energy in order to starve a resource-constrained device are examples of
sleep-deprivation attacks. To protect against such attacks, security mechanisms must be
provided in the MAC and PHY layers; they cannot be repulsed at higher levels.
We focus only on attacks specific to the networking and application layers (routing process
and data traffic). A detailed classification of the possible attacks can be found in [4].
Figure 4: Taxonomy of Security Attacks
Passive Attacks: In passive attacks, an intruder monitors the channels of communication
without interfering with the normal function of the system, thereby only threatening the
confidentiality of data. Some commonly used methods of passive attacks are browsing, leaking,
inferencing, masquerading and traffic analysis. Passive attacks, such as eavesdropping, can be
devastating in security-critical areas such as military applications.
Active Attacks: Active attacks, on the other hand, involve replication, modification, and
deletion of data. And since nodes without adequate protection in a wireless ad hoc network are
prone to being captured, compromised, or hijacked, these networks are particularly vulnerable to
attacks that come from inside. Internal attacks are far more damaging and difficult to detect. A
malicious node can disrupt the network by deleting or modifying messages or even attacking the
routing protocol by refusing to forward messages or advertising incorrect paths. This can be
difficult to detect, because false routing messages could be benign, just the result of an outdated
routing table. Other active attacks include energy exhaustion attacks, referred to as sleep
deprivation torture, and denial-of-service (DoS) attacks.
2. Background
An intrusion is defined as an action that attempts to compromise the confidentiality,
integrity, or availability of a resource [1]. As the name states, an intrusion detection system (IDS)
is a system that detects a network intrusion. It is often termed a second line of defense because it
is only activated when the intrusion prevention system has failed. Ideally, such a system can
detect, identify, and eject an intruder before any damage is done. In this way, an IDS can also
serve as a deterrent because intruders recognize that even if they can gain access they are likely
to be expelled by the IDS.
IDSs for traditional networks function under the assumption that normal activity and
intrusion activity have distinct behaviour [2-5]. Additionally, to implement an IDS, user and
program activities must be observable, for example, via a system auditing mechanism [6], so that
deviations from the norm can be recognized. Based on the type of audit data collected, an IDS
can be classified as network- or host-based. Network-based IDSs operate by passively or actively
monitoring the network itself. Packets are collected from network traffic and analyzed to identify
an intrusion. Network-based IDSs often require a dedicated host or special equipment, which
makes them vulnerable to attack. Host-based IDSs monitor activity on each individual node.
Data is collected from the system's audit trails, system and application logs, or audit data
generated by a model that intercepts system calls [4].
IDSs can be further classified on the basis of detection techniques. Intrusion detection
techniques can be categorized into misuse detection and anomaly detection. Misuse detection
uses the signatures of known attacks to identify an intrusion. The advantage of this technique is
that instances of known attacks can be quickly and accurately identified. However, misuse
detection lacks the ability to detect newly invented attacks, leaving the network vulnerable. In
anomaly detection, a profile of normal activity is created and is used to classify any unreasonable
deviations from the established norm as a potential attack. Data mining technology is often used
in the profile creation because it is beneficial to automatically construct models from the large
amount of data collected. The advantage of anomaly-based detection is that no prior knowledge
of intrusions is required, so novel attacks can be detected. However, this technique may suffer
from high false-positive rates and additionally may not be able to accurately describe the attack
that is occurring.
2.1 Types of Ad-Hoc Routing Protocols
Basically there are three types of routing protocols:
1. Proactive Routing Protocols: Herein the nodes keep updating their routing tables by
periodic messages. This can be seen in the Optimized Link State Routing Protocol (OLSR) and the
Topology Broadcast based on Reverse Path Forwarding Protocol (TBRPF).
2. Reactive or On-Demand Routing Protocols: Here the routes are created only when they are
needed. The application of this approach can be seen in the Dynamic Source Routing Protocol
(DSR) and the Ad-hoc On-demand Distance Vector Routing Protocol (AODV).
3. Hybrid Routing Protocols: Hybrid methods combine proactive and reactive methods to find
efficient routes. ZHLS is one example of a hybrid routing protocol. In ZHLS, the whole network
is divided into non-overlapping zones. ZHLS is proactive if the traffic destination is within the
same zone as the source. It is reactive because a location search is needed to find the zone ID of
the destination.
Fig. 5 is a categorization of existing routing protocols in MANETs. In the figure,
solid lines represent direct descendants while dotted lines depict logical descendants. Since new
routing protocols are always being proposed for MANETs, we do not expect to include all of
them here.
Figure 5: A Classification of MANET Routing Protocols.
In today's world the most common ad-hoc protocols are the Ad-hoc On-demand Distance Vector routing
protocol, the Destination-Sequenced Distance-Vector routing protocol and Dynamic Source
Routing. All these protocols are quite insecure because attackers can easily obtain information about the
network topology. This is because in the AODV and DSR protocols, the route discovery packets are
carried in clear text. Thus a malicious node can discover the network structure just by analyzing this
kind of packet and may be able to determine the role of each node in the network. With all this
information more serious attacks can be launched in order to disrupt network operations.
2.2 Types of Attacks Faced by Routing Protocols:
Due to their underlying architecture, ad-hoc networks are more easily attacked than a
wired network. The attacks prevalent on ad-hoc routing protocols can be broadly classified into
passive and active attacks.
A Passive Attack does not disrupt the operation of the protocol, but tries to discover
valuable information by listening to traffic. Passive attacks basically involve obtaining vital
routing information by sniffing the network. Such attacks are usually difficult to detect and
hence, defending against such attacks is complicated. Even if it is not possible to identify the
exact location of a node, one may be able to discover information about the network topology
using these attacks.
An Active Attack, however, injects arbitrary packets and tries to disrupt the operation of
the protocol in order to limit availability, gain authentication, or attract packets destined to other
nodes. The goal is basically to attract all packets to the attacker for analysis or to disable the
network. Such attacks can be detected and the nodes can be identified.
There are three more prominent attacks prevalent against ad-hoc networks, most of
which are active attacks.
1. Attacks based on modification.
This is the simplest way for a malicious node to disturb the operations of an ad-hoc network.
The only task the malicious node needs to perform is to announce better routes (to reach other
nodes or just a specific one) than the ones presently existing. This kind of attack is based on the
modification of the metric value for a route or on altering control message fields. There are three
ways in which this can be achieved:
Redirection by Changing the Route Sequence Number.
Redirection by Altering the Hop Count.
Denial of Service by Altering Routing Information.
2. Impersonation Attacks.
More generally known as 'spoofing', since the malicious node hides its IP and/or MAC
address and uses that of another node. Since current ad-hoc routing protocols like AODV and
DSR do not authenticate the source IP address, a malicious node can launch many attacks by using
spoofing. Take for example a situation wherein an attacker creates loops in the network to
isolate a node from the remainder of the network. To do this, the attacker needs to spoof the IP
address of the node he wants to isolate from the network and then announce new routes to the
other nodes. By doing this, he can easily modify the network topology as he wants.
3. Attack by Fabrication of Information.
There are basically three sub-categories of fabrication attacks. In any of the three cases,
detection is very difficult:
Falsification of Route Error Messages.
Corrupting Routing State - Route Cache Poisoning.
Routing Table Overflow Attack.
3. Intrusion Detection for Mobile Ad Hoc Networks
3.1 Introduction
A wireless ad hoc network provides communication between various devices (nodes) via a
shared wireless channel. However, unlike a more conventional wireless network, nodes in an ad
hoc network communicate without the assistance of a fixed network infrastructure. Nodes within
one another's radio range can communicate through wireless links and dynamically form
networks [1]. Additionally, nodes must cooperate by forwarding packets so that nodes not
directly connected or beyond radio range can communicate with each other. Often the nodes in
an ad hoc network are mobile. These networks are called MANETs.
Ad hoc networks are suited for situations where rapid network deployment is required or
it is prohibitively costly to deploy and manage a network infrastructure. Some examples include
military soldiers in the field, emergency services in a disaster area, attendees in a conference
room, sensors scattered throughout a city for biological detection, space exploration, the forestry or
lumber industry, and temporary offices such as campaign headquarters [8].
While there has been much work on IDSs for traditional wired networks, it is difficult to apply
much of this research to wireless ad hoc networks because of key architectural differences, most
notably the lack of a fixed infrastructure. The lack of centralized audit points, such as switches,
routers, and gateways, makes it difficult to collect audit data for the entire network. Data
collection in a wireless ad hoc network is limited to activities taking place within radio range, so
IDSs must work with localized partial information. Also, without a centralized authority, the
algorithms used for intrusion detection must be distributed in nature, yet it must be kept in mind
that attacks may be made from nodes inside the network. This means that one of the nodes
participating in a collaborative intrusion detection algorithm may be a malevolent node.
Additionally, while misuse detection can be applied successfully in traditional networks, this is
not the case for wireless ad hoc networks. Since they are relatively new, not many specific
attacks have emerged for wireless ad hoc networks. Therefore more emphasis should be given to
anomaly-based detection. Anomaly-based IDSs detect patterns based on long-term modeling and
the classification of normal and abnormal activity. Since wireless ad hoc networks are very
dynamic in structure, this can be very challenging. And owing to mobility and power constraints,
there is not always a clear separation between normalcy and anomaly in an ad hoc network.
Constrained battery power also affects the detection algorithms used, since a limited power
supply requires that intrusion detection algorithms be highly efficient.
3.2 Requirements for an IDS for Mobile Ad Hoc Networks
An IDS in a wireless ad hoc environment must be effective and efficient. An effective IDS
correctly classifies normal and malicious activities. It must be fault-tolerant and resist subversion,
and it cannot introduce a new weakness into the network. An efficient IDS is cost-effective and
uses few system resources, since to be effective an IDS must run continuously. An IDS in an ad
hoc environment must work collaboratively to identify intrusions. And lastly, all IDSs must
initiate a proper response when an intrusion is detected. In an ad hoc environment, these
responses include reinitializing communication channels, identifying a compromised node and
reorganizing the network to exclude that node, notifying the end user to take action, and even
launching a counterattack.
3.3 Intrusion Prevention for Mobile Ad Hoc Networks
The prevention of intrusions in wireless ad hoc networks would require the development of new
secure protocols or modification of the logic of existing protocols to enhance their security.
Traditional security solutions that require trusted authorities or certificate repositories are not
well suited for securing wireless ad hoc networks, as these networks exhibit frequent partitioning
due to node mobility and disconnection. Several solutions have been presented to deal with these
issues using either a partially distributed certificate authority [9] or a self-organized public-key
management system [10]. A self-organized key management system allows users to generate
public-private key pairs, issue certificates, and perform authentication regardless of the
network partitions and without any centralized services or trusted authority.
While these intrusion prevention techniques can be used to reduce intrusions, none are
completely foolproof. History has shown us that regardless of the number and types of
prevention measures that are inserted into a network, there are always some weak links through
which attackers can gain access. As a second line of defense, an IDS can be used to identify an
intrusion and eject an intruder, potentially before any damage is done. Given its inherent
weaknesses, such a system is a necessity for a wireless ad hoc network.
4. Related Work
This section gives an overview of the current research in intrusion detection for
wireless ad hoc networks, including architecture, data sources for detection models, and
detection algorithms.
4.1 Distributed Intrusion Detection
Zhang et al. [6] proposed a distributed and cooperative IDS for wireless ad hoc networks.
In their system, every node participates in intrusion detection and response via an IDS agent
placed on it. The IDS agent is divided into six pieces: a data collection module, local detection
agent, cooperative detection agent, local response module, global response module, and a secure
communication module, which provides a high-confidence communication channel among nodes
in the network.
The data collection module gathers streams of audit data from various sources, including
system activity within the node and communication activities by the node or observable by (within
radio range of) the node. This data can be integrated and used in a multilayer intrusion detection
method.
The data collected by the collection module is analyzed by the local detection agent for signs
of an intrusion. Traditional IDSs use data only from the lower layers, as the application level can
be protected through application-layer firewalls and application-specific modules. But in wireless
networks there are no firewalls to protect the application layer, so intrusion detection in this layer
becomes necessary. Also, certain attacks, for example a DoS attack, may be more quickly
identified in the application layer. Therefore, this IDS uses modules from the lower layers as well
as the application level. Detection at each layer can be initiated or aided by evidence from other
layers. If a node considers the evidence of the intrusion as 'strong', it can independently
determine that there is a network intrusion and initiate the proper response. However, if the node
considers the evidence of intrusion as weak, it can start the cooperative detection agent by
propagating state information among neighboring nodes. This information could include only the
level of confidence of an intrusion or it could include the identity of the suspected malicious
node along with the confidence level. On receiving an anomaly state request, each node,
including the initiator, sends its state information to its immediate neighbors. Each of the nodes
then decides whether the majority of the reports received reflect an anomaly. If so, any node can
conclude that the network is under attack. The node that makes such a conclusion can initiate an
appropriate response.
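The local-then-cooperative decision described above, as an added simulation that is not code from Zhang et al.'s system: each node's local detection agent yields a confidence, strong evidence triggers an independent response, weak evidence starts a cooperative round among the initiator's immediate neighbours, and the majority rule is checked against a compromised participant that lies. The thresholds, node names and neighbourhood layout are constructed assumptions.

```python
"""Cooperative anomaly detection in the style of a distributed MANET IDS.

Added example (not the surveyed system's code). STRONG/WEAK thresholds and
the five-node neighbourhood are assumptions made for the simulation.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

STRONG = 0.8   # local confidence >= STRONG: conclude and respond alone
WEAK = 0.4     # WEAK <= confidence < STRONG: start cooperative detection


@dataclass
class StateReport:
    """What one node propagates: its confidence and, optionally, a suspect."""
    reporter: str
    confidence: float
    suspect: Optional[str]


@dataclass
class Node:
    name: str
    neighbors: List[str] = field(default_factory=list)
    local_confidence: float = 0.0      # output of the local detection agent
    suspect: Optional[str] = None      # identity the local agent suspects, if any
    compromised: bool = False          # a compromised node always reports "all normal"

    def local_decision(self) -> str:
        if self.local_confidence >= STRONG:
            return "intrusion"          # independent conclusion, no consultation
        if self.local_confidence >= WEAK:
            return "cooperate"          # propagate state to neighbours
        return "normal"

    def state_report(self) -> StateReport:
        if self.compromised:
            return StateReport(self.name, 0.0, None)   # the lie: nothing to see
        return StateReport(self.name, self.local_confidence, self.suspect)


def cooperative_round(initiator: Node, network: Dict[str, Node]) -> Tuple[bool, Optional[str]]:
    """Initiator plus its immediate neighbours each contribute a state report.

    The network is judged under attack when a strict majority of the reports
    carry at least WEAK confidence, so a lying minority cannot veto the result.
    The suspect named most often by the anomalous reports is returned with it.
    """
    participants = [initiator] + [network[n] for n in initiator.neighbors]
    reports = [p.state_report() for p in participants]
    anomalous = [r for r in reports if r.confidence >= WEAK]
    under_attack = 2 * len(anomalous) > len(reports)
    named = Counter(r.suspect for r in anomalous if r.suspect is not None)
    suspect = named.most_common(1)[0][0] if (under_attack and named) else None
    return under_attack, suspect


def detect(node_name: str, network: Dict[str, Node]) -> Tuple[str, Optional[str]]:
    """Local decision for one node, escalating to the cooperative round if weak.

    Returns (response, suspect) with response one of 'local_response',
    'global_response' or 'no_action'.
    """
    node = network[node_name]
    decision = node.local_decision()
    if decision == "intrusion":
        return "local_response", node.suspect
    if decision == "cooperate":
        under_attack, suspect = cooperative_round(node, network)
        return ("global_response", suspect) if under_attack else ("no_action", None)
    return "no_action", None


def sample_network() -> Dict[str, Node]:
    """Constructed neighbourhood: A, B and C see weak evidence pointing at D;
    D is compromised and lies; E observes nothing unusual."""
    nodes = [
        Node("A", ["B", "C", "D", "E"], local_confidence=0.5, suspect="D"),
        Node("B", ["A", "D"], local_confidence=0.6, suspect="D"),
        Node("C", ["A", "D"], local_confidence=0.55, suspect="D"),
        Node("D", ["A", "B", "C"], local_confidence=0.0, compromised=True),
        Node("E", ["A"], local_confidence=0.1),
    ]
    return {n.name: n for n in nodes}
```

With the constructed neighbourhood, A's weak evidence leads to a cooperative round in which three of five reports exceed WEAK, so D's false report does not block the global response.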
The intrusion response can be either local or global. In a local response, a node initiates
actions local to itself, while in a global response, a node coordinates actions among neighboring
nodes in the network. The actions taken are based on the network, applications, and confidence
in the evidence. Some possible responses include forcing a re-key or identifying the
compromised node or nodes and reorganizing the network to exclude such nodes.
This system uses anomaly-based intrusion detection by creating a model that can be used to
classify an action as normal or a potential intrusion. The model is constructed by defining a set of
features which can be used to classify a system state. Because the set of features that could
potentially identify a system state is quite large, an unsupervised method is used to determine the
set to be used in classification, called the essential feature set. A classifier is then used to
compute rules to partition the data into the two classes. Intrusion reports are created by
examining the current state of the essential feature set and using this information to classify the
system (network) state as normal or abnormal.
The system was tested by creating four separate models, using two different feature sets with
information available from the routing protocol, which collect data only from the local node.
Two different classifiers were used: RIPPER, a decision-tree-equivalent classifier, and SVM
Light, which partitions the data with a hyperplane. Simulation data was then run using three
wireless ad hoc protocols: dynamic source routing (DSR), ad hoc on-demand distance vector
routing (AODV), and destination-sequenced distance-vector routing (DSDV). In general, good
results were obtained, particularly using the SVM Light classifier and the DSR protocol, which
showed anomaly detection rates of approximately 99% and a false alarm rate of less than 0.06%.
4.2 Hierarchical Cooperative Intrusion Detection
Sterne et al. [1] take Zhang et al.'s idea of a cooperative IDS and augment it with a dynamic
hierarchical structure. While cooperative IDSs may be successful in detecting malicious behavior
with respect to routing protocols, such systems have not shown that they are applicable to more
conventional attacks. Additionally, a hierarchical structure is traditionally more amenable to
growth. In a fully cooperative, distributed IDS, such as the one discussed above,
communication overhead can rise very quickly, in the order of the square of the number of
nodes. A hierarchical model, on the other hand, allows data sharing without such a rapid increase
in communication overhead. The proposed architecture was designed for military applications
and as such mimics the structure found in such organizations, in the manner in which intrusion
detection data is passed up the hierarchy while intrusion response directives flow down to the
lower levels.
Ad hoc networks typically construct routes using topology-based clustering. Nodes create
neighborhoods based on proximity. Such clusters can then select a node to be a neighborhood
representative called a cluster head. The cluster heads then organize into a second level of
clusters and select representatives who join in a third level of clusters, and so on until all the
nodes in the network are interconnected. In a dynamic hierarchical structure, the cluster head is
selected based on a variety of attributes including connectivity, hardiness, power and storage
capacity, and bandwidth capabilities.
In the proposed architecture, the nodes cooperate to protect the network but remain
responsible for intrusion detection mechanisms to protect themselves. The nodes share tasks such
as monitoring, logging, analyzing, and reporting data at various layers of the network.
Monitoring is both promiscuous and direct. Promiscuous monitoring is monitoring the
communication of neighboring nodes even when a node is not involved in the transmission of a
message. Direct monitoring involves a node reporting its own activity. In a fully cooperative
IDS, all nodes monitor the traffic that flows through them. In the hierarchical model, monitoring
responsibilities are given to the two nodes that are the first and last hop between each pair of
nodes. The responsible nodes are automatically updated when a route changes, as a node would
be aware of the path a packet is taking and what its position is in the routing of the packet. This
simple strategy can dramatically reduce the amount of communication overhead and duplicated
effort. Additionally, this sort of monitoring is suitable for detecting conventional attacks on the
network. Nodes at the lowest level are responsible for collecting certain data as well as intrusion
detection and reporting. The key principle in this system is that intrusion detection should occur
at the lowest level of the hierarchy at which data is available to make an accurate decision. Since
leaf nodes do not aggregate data they generally do not analyze intrusion information, since this
typically requires a large amount of data. This analysis is performed by the cluster heads, which
collect from their cluster members and perform detection computations on the consolidated data.
A cluster head may query members of its cluster or its peers for additional information.
Additionally, a cluster head sends consolidated data to its superior. Nodes at the top of the
hierarchy have responsibility for managing the IDS through activities such as distributing
decision rules and signatures of known attacks. A node's authority increases as it moves toward
the top of the hierarchy, thus mimicking the structure found in many organizations.
4.3 Mobile Agent-Based Intrusion Detection Systems
Kachirski and Guha [1] propose a distributed IDS for wireless ad hoc networks based on mobile
agent technology. Mobile agents are autonomous software entities that can halt themselves, ship
themselves to another agent-enabled host on the network, and continue execution, deciding
where to go and what to do along the way [1]. Agents are dynamically updateable and have a
specific functionality.
The proposed system uses a modular architecture with several types of mobile agents that
perform functions such as network monitoring, host monitoring, decision making, and action.
Only certain nodes will have agents for network packet monitoring, while every node in the
network will have an agent to monitor system- and application-level activities. In the cooperative
decision-making process, every node will decide on an intrusion threat level at the host level,
while only those nodes containing a network monitoring agent will participate in making
decisions on a network-based intrusion. All nodes will contain an action host that is responsible
for responding to an intrusion. By distributing the functions of the IDS into separate modules
represented by lightweight mobile agents, the workload of intrusion detection is spread across
the nodes of the network to minimize power consumption and reduce processing time. There
are three agent classes: action, decision, and monitoring. The monitoring class is further divided
into agents that monitor packet-level data, user (application) data, and system-level data.
Since the agents that monitor network packets and make network intrusion detection decisions
are located on a subset of the nodes of the network, a distributed algorithm is used to select the
nodes to host these agents. The algorithm used logically divides a mobile network into clusters
with a single cluster head for each. The cluster head then hosts the network-monitoring sensor,
which collects all packets within radio range and analyzes them for known patterns of attacks.
The cluster head monitors packets sent by every member of its cluster, while ignoring those
sent by nodes outside of its cluster. This prevents duplicate processing of packets by two
different cluster heads. The packet information is inserted into a fixed-size queue, which is used
by the decision agent to analyze the state of the network and its nodes. Local detection agents
monitor local activity looking for suspicious activities. If an anomaly is detected with strong
evidence, action is taken to terminate the suspicious activity. If an anomaly is detected with less
confidence, the node reports its status to the decision-making agent on the cluster head.
The proposed system uses a decision-making process where individual nodes make decisions
on their local state while the global decision-making agent, located on the cluster head, collects
information from the network and all the nodes within its cluster. The agent can then conclude
with some confidence whether a node has been compromised. When such a determination is
made, the agent instructs the local node to take action. This action should result in a decreased
threat level. If that does not occur, the node can be excluded from the network. The authors
propose the use of an anomaly detection model to identify potential intrusions into the network.
The mobile agent approach creates an IDS that minimizes the use of scarce computational and
power resources. However, at the same time, it creates points of failure that could be exploited
by an attacker. The authors recognize this limitation and propose additional research into an
effective means of defense.
4.4 Cross-Feature Analysis for Intrusion Detection
As mentioned above, while misuse detection can be effectively used to identify intrusions in a wired network, this is not the case for ad hoc networks, given their relative infancy. Therefore, anomaly detection is currently the preferred methodology. Anomaly detection generally involves mining historical data to detect patterns related to normal and abnormal activities and then building a classifier based on these patterns. One method for building such a classifier is suggested in Ref. [12], using a technique for identifying anomalies called cross-feature analysis.
A basic assumption for a network of any kind is that there exists a set of features that can unambiguously identify whether a network is in a normal or abnormal state. The set of features can be stored in a feature vector, and often there is a set of such feature vectors related to a normal network state. Cross-feature analysis attempts to explore the relationship between the values in the feature vector and the state of the network.
[…] classifier is built that predicts the value of a given feature based on the values of the other features and a normal system state. During the training process a classifier is built for each of the features, f_i, in the feature vector, of the form C_i : {f_1, f_2, . . . , f_{i-1}, f_{i+1}, . . . , f_n} → f_i. This classifier contains a set of rules or a decision tree that can predict the value of a feature given the other features. The assumption made is that if the predicted value of a feature does not match the actual value of the feature, there is an anomaly. At the end of the training process there exists a set of classifiers, one for each of the features in the feature vector.
These classifiers are then used to analyze the network logs and identify anomalies. Two different algorithms are suggested. The simplest one is called average match count. When an event is analyzed, the classifiers are used to predict each of the features in the feature vector and a count is kept of the number of matches that occur. A simple average is taken, and if the average number of matches is less than a designated threshold, the network is assumed to be in an abnormal state. A second algorithm is suggested that uses probabilities instead of the simple binary matching classification. Most classifiers can return the probability that the labeled feature contains a certain value, given the values of the remaining features. The classifiers are used to estimate the probability of each value in the feature vector. These probabilities are averaged, and again the network is assumed to be in an abnormal state if the average probability is less than a given threshold.
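Both scoring rules, worked on a constructed feature vector, as an added example that is not code from the report or from Huang et al. [12]. Each classifier C_i here is a lookup model over the other features (the paper uses rule or decision-tree learners; the lookup model, the feature names and the training data are assumptions made to keep the example self-contained):

```python
"""Cross-feature analysis: average match count and average probability.

Added example, not code from the report or from Huang et al. [12]. Each
per-feature classifier C_i predicts f_i from the other features. The paper
uses rule or decision-tree learners; here C_i is a lookup model (an
assumption made to keep the example self-contained): it records, for every
combination of the other features seen in normal training data, how often
each value of f_i occurred, and falls back to the overall distribution of
f_i when a combination was never seen. Feature names and data are constructed.
"""
from collections import Counter, defaultdict

# Constructed feature vector: (rreq_rate, rrep_rate, data_fwd_rate, route_changes),
# each bucketed as 0 = low, 1 = medium, 2 = high.
FEATURES = ("rreq_rate", "rrep_rate", "data_fwd_rate", "route_changes")
NORMAL_TRAINING = [
    (0, 0, 2, 0), (0, 0, 2, 0), (1, 1, 2, 0), (1, 1, 2, 1),
    (0, 0, 2, 0), (1, 1, 1, 1), (0, 0, 2, 0), (1, 1, 2, 0),
]


class FeatureClassifier:
    """C_i : {f_1, ..., f_{i-1}, f_{i+1}, ..., f_n} -> f_i"""

    def __init__(self, i, vectors):
        self.i = i
        self.table = defaultdict(Counter)   # other-features tuple -> Counter of f_i
        self.global_counts = Counter()      # fallback distribution of f_i
        for v in vectors:
            self.table[self._others(v)][v[i]] += 1
            self.global_counts[v[i]] += 1

    def _others(self, v):
        return v[:self.i] + v[self.i + 1:]

    def probabilities(self, v):
        """P(f_i = value | the other features of v) for every value seen."""
        counts = self.table.get(self._others(v)) or self.global_counts
        total = sum(counts.values())
        return {value: n / total for value, n in counts.items()}

    def predict(self, v):
        probs = self.probabilities(v)
        return max(probs, key=probs.get)


def train(vectors):
    """One classifier per feature, built from normal vectors only."""
    return [FeatureClassifier(i, vectors) for i in range(len(vectors[0]))]


def average_match_count(classifiers, v):
    """Fraction of features whose predicted value equals the observed value."""
    matches = sum(1 for c in classifiers if c.predict(v) == v[c.i])
    return matches / len(classifiers)


def average_probability(classifiers, v):
    """Mean of P(f_i = observed value | other features) over all features."""
    return sum(c.probabilities(v).get(v[c.i], 0.0) for c in classifiers) / len(classifiers)


def is_abnormal(classifiers, v, threshold=0.5, use_probability=False):
    """Network state is abnormal when the average score falls below the threshold."""
    score = (average_probability(classifiers, v) if use_probability
             else average_match_count(classifiers, v))
    return score < threshold


if __name__ == "__main__":
    clfs = train(NORMAL_TRAINING)
    for name, vec in [("normal", (0, 0, 2, 0)), ("rreq flood", (2, 2, 0, 2))]:
        print(name, average_match_count(clfs, vec), average_probability(clfs, vec),
              "ABNORMAL" if is_abnormal(clfs, vec) else "normal")
```

A vector that was seen only rarely in training, such as (1, 1, 2, 1), scores between the two extremes, which is where the choice of threshold decides between a false alarm and a miss.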
Cross-feature analysis was tested using a feature vector designed to identify routing anomalies.
[…]
[…] used for a period of time, the abnormal data, outliers, can be labeled as normal or abnormal and be used to train the model and derive a new decision boundary. This revised decision model can then be used to classify a network state as normal or abnormal.
The proposed IDS consists of four components: local data collection, SVM-based intrusion detection, local response, and global response. Data is collected locally from various network audit streams and is passed to the SVMDM. The SVMDM classifies the network state as normal or a possible intrusion, in which case it also identifies the source node. The local response module distributes local detection results based on the data collected locally, while the global response module consolidates other nodes' locally collected data and makes a decision based on this consolidated data. The method of sharing data is dependent on the IDS architecture, and this type of detection is conducive to either a fully distributed architecture, such as the system proposed by Zhang et al. [5], or a hierarchical architecture.
The system was tested using a network simulator, which created simulations of two different DoS attacks against the AODV routing protocol: black hole attacks and frequent false routing requesting (FFRR). The detection rate for 2-SVMDM was approximately 96% for both the fully distributed and the hierarchical system architectures, with a slightly higher false alarm rate in the fully distributed system. 1-SVMDM was able to detect both types of attacks with a detection rate of approximately 85%, but with a false alarm rate approaching 20%. While the system was tested on only a single routing protocol and a specific set of routing-based attacks, the authors believe that the system can be extended to other routing protocols and attack types with the appropriate parameter selection.
4.6 A Game Theory Approach to Intrusion Detection
Game theory has been used extensively to model a variety of problems, such as routing behavior and distributed power control, in wireless ad hoc networks. Patcha and Park [14] present the use of game theory to model the interaction between an attacker and an IDS. This scenario is modeled as a two-player game. The key to such a model is the interaction of the players, such that the actions of one player affect the other player in either a positive or negative way. This is obviously the case in an IDS, as an intrusion negatively impacts the node being attacked, while stopping an intrusion has a negative impact on the attacker. Additionally, in game theory, a player always takes actions that are in that player's best interest. This, again, is the case with an IDS in wireless ad hoc networks.
In the proposed game model, the objective of the attacker is to send a malicious message with the intention of attacking the other player, which is another node in the network. The intrusion is considered successful if the malicious message reaches the target without being detected, while the IDS is successful if it detects the intrusion and the intruding node is blocked. In the game theory model presented, the attacker is considered the sender and the host-based IDS is the receiver. The host-based IDS has a prior belief regarding the probability that a node is an attacker or a regular node. The IDS uses this probability to calculate the expected payoff from blocking the sender's transmission.
Payoff_receiver = (s · U_miss) + (t · U_falseAlarm) − (s · t · (U_detect + U_falseAlarm + U_miss))   (1)
where U_miss is the cost of missing an intrusion, U_falseAlarm the cost of a false alarm, U_detect the gain of detection, s the probability that the sender is an attacker, and t the probability of detecting the intrusion.
The payoff for the attacker is found using
Payoff_sender = (t · V_caught) + ((1 − t) · V_intrude)   (2)
where V_caught is the cost of being detected and blocked and V_intrude the gain of a successful intrusion.
The strategy for the sending node is to decide whether to send a message based on the strategy of the IDS, and to send a message if doing so maximizes its expected payoff. The choice of strategy by the IDS is based on the receiver's prior belief, calculated using Bayes' rule, so that it is able to maximize the effective payoff by minimizing the cost due to false alarms and missed attacks. Since Bayes' theorem is recursive in nature, these probabilities will be recalculated regularly, and this should reduce the number of false alarms and missed intrusions.
4.7 Combining Misuse Detection with Anomaly Detection
The idea of combining anomaly detection with misuse detection is presented by Nadkarni and Mishra [8]. The idea behind this approach is that while anomaly detection leads to a high degree of false positives and misuse detection can miss some attacks, the combination of the two methods is superior to using either separately. Additionally, this proposed IDS is adaptive in adjusting its thresholds to abnormal activities, effective with an average accuracy rate of over 90%, efficient in conserving resources and power consumption, and protocol-independent.
The proposed IDS can be broken into three stages: initialization, audit data analysis, and threshold adjustment. During the initialization phase, a node analyzes network traffic and gathers information about the normal behavior of the network.
[…] at higher-than-normal frequency may signify an attack. Therefore this set of counters is maintained, one for each type of attack. A counter is incremented when a related incident occurs, and after a single incident of abnormal behavior the suspicious status of the related node is noted and the activity of the node is monitored for a possible intrusion. If the suspicious node continues to display abnormal behavior that can be interpreted as some symptom of the attack, or a variation of such an attack, during a specific time frame, the IDS identifies that there is an intrusion and initiates an appropriate response.
The adaptive properties of this IDS are noted in the threshold adjustment stage. After regular time intervals without an intrusion, threshold values are adjusted. This is to prevent the possibility that malicious nodes are operating just under a threshold level. Therefore the threshold for each attack, or variation of such an attack, is increased by a fixed percentage. If an attack does occur, the threshold is adjusted to take into account the properties of the attack. It is revised to the difference between the detected rate of abnormal behaviors and the 'normal' rate of abnormal behaviors, multiplied by the time interval of the attack.
The proposed IDS was tested using the user datagram protocol (UDP) […]. While the goal of their proposal is to increase throughput in the network, it focuses on intrusion prevention methods by introducing two overlays to the DSR algorithm, in which every packet has a route path that consists of nodes that have agreed to forward the packet. The proposed system consists of two tools to detect and mitigate abnormal routing behavior. The Watchdog tool identifies misbehaving nodes, while Pathrater aids the routing protocol in avoiding such nodes.
Figure 6: Watchdog Operation
Watchdog works by using promiscuous listening. Each node in a routing path verifies that its successor appropriately forwards the message to the next node in the path. For example, node S wishes to send a message to node D using the routing path S-A-B-C-D. When node B forwards a packet to D through C, A can listen to B's transmission and verify that B has attempted to pass the packet to C. Additionally, if encryption is performed separately for each link, A can also tell if B has tampered with the header or the message itself. Since failing to forward a single packet is not indicative of a malicious node, each node maintains statistics for the routing behavior of its neighbors. This is accomplished by maintaining a buffer of recently sent packets. Each time a node overhears a message, it compares it with the packets in the buffer to see if there is a match. If there is a match the packet is removed from the buffer, and if a packet remains in the buffer for longer than a specified time period, the Watchdog increments a failure counter for the node responsible for forwarding the packet. After the counter exceeds a certain threshold the node is identified as misbehaving and a message is sent to the source identifying the misbehaving node.
The information collected by Watchdog can be used by the Pathrater to determine an efficient route that avoids routing packets through misbehaving nodes. Each node maintains a rating for all other nodes in the network. A newly discovered node receives a neutral score. For every time interval where a node acts appropriately in forwarding a message, its score is increased. However, if Watchdog notes that a node failed to forward a packet, the node's score is decremented. If a node is designated as misbehaving it receives a high negative score. When computing a route, each potential path for a message receives a score, which is the average rating of the nodes in the path. If there are multiple paths to the same node, the path with the highest score is chosen. This guarantees that messages are routed through the most reliable nodes.
Even though the combination of Watchdog and Pathrater increases the overhead at a node, testing showed that overall network throughput was increased. Additionally, simulations showed that network throughput was not adversely affected by false detection.
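The Watchdog buffer and the Pathrater scoring described above, as an added example that is not code from the report or from Marti et al. [7]; the timeout, failure threshold, rating constants and the S-A-B-C-D scenario are assumptions made for the demonstration:

```python
"""Watchdog buffer and Pathrater scoring, as described above.

Added example, not code from the report or from Marti et al. [7]. A node
keeps the packets it handed to a next hop in a buffer; a packet whose
retransmission is overheard is removed, a packet that times out charges a
failure to the next hop, and a hop whose failures exceed the threshold is
reported as misbehaving. Pathrater keeps a rating per node and picks the path
with the highest average rating. The timeout, threshold, rating constants and
the scenario are assumptions made for the demonstration.
"""


class Watchdog:
    def __init__(self, timeout=1.0, threshold=3):
        self.timeout = timeout        # seconds a packet may wait unforwarded
        self.threshold = threshold    # failures tolerated before reporting
        self.pending = {}             # pkt_id -> (next_hop, time_sent)
        self.failures = {}            # next_hop -> failure count
        self.misbehaving = set()

    def sent(self, pkt_id, next_hop, now):
        """Buffer a packet handed to next_hop so its forwarding can be checked."""
        self.pending[pkt_id] = (next_hop, now)

    def overheard(self, pkt_id):
        """Promiscuously heard the next hop retransmit pkt_id: forwarding confirmed."""
        self.pending.pop(pkt_id, None)

    def expire(self, now):
        """Charge a failure for every packet that sat in the buffer too long.

        Returns the set of nodes now considered misbehaving (to be reported
        to the source)."""
        for pkt_id, (hop, sent_at) in list(self.pending.items()):
            if now - sent_at > self.timeout:
                del self.pending[pkt_id]
                self.failures[hop] = self.failures.get(hop, 0) + 1
                if self.failures[hop] > self.threshold:
                    self.misbehaving.add(hop)
        return set(self.misbehaving)


class Pathrater:
    NEUTRAL = 0.5          # score of a newly discovered node (assumed)
    REWARD = 0.01          # per interval of correct forwarding (assumed)
    PENALTY = 0.05         # per Watchdog-observed forwarding failure (assumed)
    MISBEHAVING = -100.0   # "high negative score" for a reported node (assumed)

    def __init__(self):
        self.ratings = {}

    def rating(self, node):
        return self.ratings.setdefault(node, self.NEUTRAL)

    def forwarded_ok(self, node):
        self.ratings[node] = self.rating(node) + self.REWARD

    def failed(self, node):
        self.ratings[node] = self.rating(node) - self.PENALTY

    def mark_misbehaving(self, node):
        self.ratings[node] = self.MISBEHAVING

    def path_score(self, path):
        """Average rating of the nodes on the path beyond the source itself."""
        hops = path[1:]
        return sum(self.rating(n) for n in hops) / len(hops)

    def choose(self, paths):
        """Of several paths to the same destination, take the highest score."""
        return max(paths, key=self.path_score)


def blackhole_scenario():
    """Constructed run on S-A-B-C-D: A hands packets to B, which forwards only packet 1."""
    wd = Watchdog()
    for pkt_id in range(1, 6):
        wd.sent(pkt_id, "B", now=float(pkt_id))   # one packet per second
    wd.overheard(1)                                 # B forwarded packet 1 only
    reported = wd.expire(now=10.0)                  # packets 2..5 timed out
    pr = Pathrater()
    for node in reported:
        pr.mark_misbehaving(node)
    via_b = ["S", "A", "B", "C", "D"]
    via_ef = ["S", "E", "F", "D"]
    return wd.failures, reported, pr.choose([via_b, via_ef])


if __name__ == "__main__":
    print(blackhole_scenario())
```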
5. Intrusion Detection in MANETs
5.1 Assumptions and Observations
We assume that packet drops are one of the results of intrusion, which is a type of attack that may be a grey-hole attack or a black-hole attack. The limit for the packet drops is also specified, and an alarm is raised when that limit is crossed. Here we track only the grey-hole attack and the black-hole attack. The protocols used are DSDV and AODV [5].
5.2 Universal deployment
A MANET IDS should be able to function on any mobile device participating in the MANET, and not require additional special or superior capabilities as compared to its peers. The IDS must be universally deployable and should ideally be able to dynamically adapt to the existing capabilities of a device to maximize its effectiveness and efficiency.
5.3 Platform
The platform for simulation of the prototype of the threshold-based intrusion detection is chosen to be NS2 (Network Simulator Version 2) [5]. We are simulating for a total number of fifteen nodes.
5.4 Proposed approach
We detect intrusion by neighboring nodes through their deviation from known or expected behaviour. We monitor the drops, as we track only grey-hole and black-hole attacks. A threshold is fixed for the drops per second, and when that threshold is crossed the IDS gives an alert saying probable intrusion.
We have considered the threshold as a maximum of 5 packet drops per second. It is set at 5 packets per second because there are also drops of packets due to congestion. Hence we need to account for congestion, which is most of the time a non-intruder phenomenon.
The nodes are monitored every second for the drops in that second. If the drops are more than the threshold then the alert of intrusion is raised and that node is isolated from the topology. The assumption is that a high number of packet drops is an anomaly caused by intrusion, when the intruder introduces a grey-hole attack (where a selective type of packets are forwarded and the rest are dropped) or a black-hole attack (where the node drops all the packets that come to it, creating the black hole). Totally 15 nodes are simulated in the topology and each one is monitored using monitors [5].
Figure 7: Proposed IDS Architecture
5.5 Practical considerations
For the IDS to be effective it has to be scalable. It may be possible in certain situations to have a list of suspects that can be watched instead of all the nodes in the neighbourhood. Another possibility is to monitor a random choice of neighbour nodes. We also have to account for the buffering capacity of nodes.
[…] (2) & (3) the movement is perpendicular and equidistant from A & B. Trivially, C can hear either A & B or none, so there cannot be any false positives.
Figure 8: Effects of mobility on IDS
5.6 Implementation
Totally 15 nodes are simulated in the scenario. The nodes use either AODV or DSDV. In our implementation the malicious behaviour is implemented by modification of AODV, i.e. the node using the modified AODV protocol behaves maliciously and represents a grey-hole attack. The drops from each node are tracked, and the node which crosses the threshold is a suspect of intrusion.
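The per-second drop monitor of Sections 5.4 and 5.6, as an added example that is not the project's NS-2/TCL code. The trace lines are constructed in the style of the old ns-2 wireless trace (event flag, time, _node_, layer, reason, ...) and only the first three fields are used; the drop reasons and node numbers are constructed:

```python
"""Threshold-based drop monitor for the approach of Sections 5.4 and 5.6.

Added example, not the project's NS-2/TCL code. Drop events are counted per
node per one-second window; a node whose count in a window exceeds the
threshold (5 drops per second, the value chosen above to tolerate congestion
drops) raises a probable-intrusion alert and is isolated. The trace lines
are constructed in the style of the old ns-2 wireless trace (event flag,
time, _node_, layer, reason, ...); only the first three fields are used.
"""
import re
from collections import defaultdict

THRESHOLD = 5   # maximum drops per second tolerated (Section 5.4)

# Constructed trace: node 3 is a grey-hole dropping most data packets it
# receives; node 7 suffers a short queue-overflow burst that stays under the
# threshold and must not be flagged.
SAMPLE_TRACE = """\
s 1.010 _0_ RTR --- 1 cbr 512
r 1.012 _3_ RTR --- 1 cbr 512
D 1.015 _3_ RTR CBK 1 cbr 512
D 1.120 _3_ RTR CBK 2 cbr 512
D 1.230 _3_ RTR CBK 3 cbr 512
D 1.300 _7_ RTR IFQ 20 cbr 512
D 1.310 _7_ RTR IFQ 21 cbr 512
D 1.320 _7_ RTR IFQ 22 cbr 512
D 1.340 _3_ RTR CBK 4 cbr 512
D 1.450 _3_ RTR CBK 5 cbr 512
D 1.560 _3_ RTR CBK 6 cbr 512
D 1.670 _3_ RTR CBK 7 cbr 512
D 2.050 _3_ RTR CBK 8 cbr 512
D 2.150 _3_ RTR CBK 9 cbr 512
"""

LINE_RE = re.compile(r"^([srDf])\s+([0-9.]+)\s+_([0-9]+)_")


def drops_per_second(trace_text):
    """Count 'D' events per (second, node id); other events are ignored."""
    counts = defaultdict(int)
    for line in trace_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m.group(1) != "D":
            continue
        second, node = int(float(m.group(2))), int(m.group(3))
        counts[(second, node)] += 1
    return dict(counts)


def monitor(trace_text, threshold=THRESHOLD):
    """Replay the trace window by window.

    Returns (alerts, isolated): alerts is a list of (second, node, drops) and
    isolated the set of nodes removed from the topology."""
    counts = drops_per_second(trace_text)
    alerts, isolated = [], set()
    for (second, node) in sorted(counts):
        if node in isolated:
            continue                        # already removed from the topology
        if counts[(second, node)] > threshold:
            alerts.append((second, node, counts[(second, node)]))
            isolated.add(node)
    return alerts, isolated


if __name__ == "__main__":
    alerts, isolated = monitor(SAMPLE_TRACE)
    for second, node, drops in alerts:
        print(f"t={second}s node {node}: {drops} drops > {THRESHOLD}, probable intrusion")
    print("isolated:", sorted(isolated))
```

Lowering the threshold to 2 makes the congestion burst at node 7 trip the alarm as well, which is the false-positive trade-off the 5 drops/second choice is meant to avoid.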
21
8/14/2019 Intrution dection system
22/44
6 Prototype Implementation and Analysis
6.1 Network Simulation with NS
The project is simulated in the ad-hoc network environment. Here simulation has been chosen rather than a real wireless network because:
i. The deployment and debugging of wireless applications in a real network is rather expensive.
ii. The unavailability of hardware support.
iii. Since MANETs have not yet been widely deployed, no actual data is currently available that allows comprehensive attack analysis.
Implementation and simulation in NS-2 needs four phases [5]. They are:
Phase 1: Implementing the proposed scenario by a combination of C++ & TCL code in NS-2.
Phase 2: Analyzing the simulation in the TCL script.
Phase 3: Running the simulation.
Phase 4: Analyzing the generated trace files after running the simulation.
6.1 Static simulation Parameters
PARAMETERS          VALUES
Channel capacity    2Mbps
Channel model       Free space propagation
                    Two ray ground Model.
Node placement      […]
Figure 9: Simulation Parameters
6.2 Results from ns2 simulated environment
Figure 10
These results were obtained when all the nodes were set with AODV routing, before any node was made malicious. We see that the channel was utilized to the maximum.
Figure 11: Channel utilization by DSDV with no malicious nodes
These results were obtained when all the nodes were set with DSDV routing. The network is not as well utilized as compared to AODV.
A snapshot of the NS-2 environment used in this project work is shown in Figure 12 below. The figure shows the placement of mobile nodes and the packets and their radio transmission.
Figure 12: Snapshot of simulated environment in NS
Figure 12: Snapshot of simulated environment in NS (cont.)
Figure 13: Snapshot of trace file of NS
Figure 13 shows the format of a trace file, which consists of the packet details for sender and receiver.
7 Conclusion and Future Work
7.1 Conclusion
MANETs are increasingly implemented for situations where fixed infrastructure networks are not practical. However, with this flexibility comes an additional security burden. Intrusion prevention is not always practical, so intrusion detection becomes an important second line of defense. Because of this, there has recently been a significant amount of research on this topic. This project is such an attempt to defend the system from intruders. Although we have limited the detection to only grey-hole and black-hole attacks, it can be improved to accommodate the detection of other types of attack.
7.2 Future work
Here the detection is only prototyped for the grey-hole attack and the black-hole attack, which can be further enhanced to accommodate the detection of other types of attacks also. There is always modification going on to fulfill the system requirements. Also the current prototype may be improved.
The implemented prototype is simulated using the NS-2 simulator. If this could be implemented in a real wireless network environment then the results could be more accurate. Since this is just a simulation, the actual implementation of the prototype for detection of intrusion in real wireless networks may be future work pending for this prototype.
References
[1] Sterne, D., Balasubramanyam, P., Carman, D., Wilson, B., Ko, C., Balupari, R., Tseng, C.-Y., Bowen, T., Levitt, K. and Rowe, J., A general cooperative intrusion detection architecture for MANETs, in The 3rd International Workshop on Information Assurance, March 2005.
[2] Ma, L. and Tsai, J.J.P., Security Modeling and Analysis of Mobile Agent Systems, Imperial College Press, London, 2006.
[3] Ma, L. and Tsai, J.J.P., Attacks and countermeasure in software system security, Handbook of Software Engineering and Knowledge Engineering, Vol. 1, World Scientific Publisher, Singapore, 2005.
[4] Yu, Z. and Tsai, J.J.P., An efficient intrusion detection system using a boosting-based learning algorithm, International Journal of Computer Applications in Technology, 27(4):223–231, 2006.
[5] Zhang, Y., Lee, W. and Huang, Y., Intrusion detection techniques for mobile wireless networks, ACM Wireless Networks, 9(5):545–556, 2003.
[6] Brutch, P. and Ko, C., Challenges in intrusion detection for wireless ad-hoc networks, Symposium on Applications and the Internet Workshops (SAINT'03 Workshops), 2003.
[7] Marti, S., Giuli, T., Lai, K. and Baker, M., Mitigating routing misbehavior in mobile ad hoc networks, in Proceedings of the 6th Annual International Conference on Mobile Computing and Networking, pp. 255–265, August 2000.
[8] Nadkarni, K. and Mishra, A., A novel intrusion detection approach for wireless ad hoc networks, Wireless Communications and Networking Conference, 2:831–836, March 2004.
[9] Zhou, L. and Haas, Z.J., Securing ad hoc Networks, IEEE Network, 13(6):24–30, 1999.
[10] Capkun, S., Buttyan, L. and Hubaux, J.P., Self-organized public-key management for mobile ad hoc networks, IEEE Transactions on Mobile Computing, 02(1):52–64, 2003.
[11] Kachirski, O. and Guha, R., Effective intrusion detection using multiple sensors in wireless ad hoc networks, in Proceedings of the 36th Annual Hawaii International Conference on System Sciences, 2(2):57, 2003.
[12] Huang, Y.A., Fan, W., Lee, W. and Yu, P.S., Cross-feature analysis for detecting ad-hoc routing anomalies, in Proceedings of the 23rd International Conference on Distributed Computing Systems, 478, September 2003.
[13] Deng, H., Zeng, Q.A. and Agrawal, D.P., SVM-based intrusion detection system for wireless ad hoc networks, in Proceedings of the 58th Vehicular Technology Conference, Vol. 3, pp. 2147–2151, October 2003.
[14] Patcha, A. and Park, J.M., A game theoretic approach to modeling intrusion detection in mobile ad hoc networks, in Proceedings of the 5th Annual Information Assurance Workshop, pp. 280–284, June 2004.
[15] Kevin Fall (Editor) and Kannan Varadhan (Editor), The ns Manual, The VINT Project, A Collaboration between researchers at […]
[…] Y.-C. Hu, A. Perrig, A survey of Secure wireless ad hoc routing, 02 (2004).
[18] Luke Klein-Berndt, 'A Quick Guide to AODV Routing', NIST (National Institute of Standards and Technology).
[19] C. E. Perkins and P. Bhagwat, 'Highly Dynamic Destination Sequenced Distance Vector Routing (DSDV) for Mobile Computers', in Proceedings of SIGCOMM, 1994.
Appendix I: Working of AODV [18]
Figure 14: Nodes and their Radio ranges
AODV is a method of routing messages between mobile computers. It allows these mobile computers, or nodes, to pass messages through their neighbors to nodes with which they cannot directly communicate. AODV does this by discovering the routes along which messages can be passed. AODV makes sure these routes do not contain loops and tries to find the shortest route possible. AODV is also able to handle changes in routes and can create new routes if there is an error.
The diagram above shows a setup of four nodes on a wireless network. The circles illustrate the range of communication for each node. Because of the limited range, each node can only communicate with the nodes next to it.
Nodes you can communicate with directly are considered to be Neighbors. A node keeps track of its Neighbors by listening for a HELLO message that each node broadcasts at set intervals.
When one node needs to send a message to another node that is not its Neighbor, it broadcasts a Route Request (RREQ) message. The RREQ message contains several key bits of information: the source, the destination, the lifespan of the message and a Sequence Number which serves as a unique ID.
Figure 15: RREQ packet transmission
In the example, Node 1 wishes to send a message to Node 3. Node 1's Neighbors are Nodes 2 and 4. Since Node 1 cannot directly communicate with Node 3, Node 1 sends out a RREQ. The RREQ is heard by Node 4 and Node 2.
Figure 16: RREP reply for RREQ
When Node 1's Neighbors receive the RREQ message they have two choices: if they know a route to the destination or if they are the destination, they can send a Route Reply (RREP) message back to Node 1; otherwise they will rebroadcast the RREQ to their set of Neighbors. The message keeps getting rebroadcast until its lifespan is up. If Node 1 does not receive a reply in a set amount of time, it will rebroadcast the request, except this time the RREQ message will have a longer lifespan and a new ID number. All of the Nodes use the Sequence Number in the RREQ to ensure that they do not rebroadcast a RREQ they have already seen.
In the example, Node 2 has a route to Node 3 and replies to the RREQ by sending out a RREP. Node 4, on the other hand, does not have a route to Node 3, so it rebroadcasts the RREQ.
Figure 17: Sequence numbering of packets
Sequence numbers serve as time stamps. They allow nodes to compare how 'fresh' their information on other nodes is. Every time a node sends out any type of message it increases its own Sequence number. Each node records the Sequence number of all the other nodes it talks to. A higher Sequence number signifies a fresher route. Thus it is possible for other nodes to figure out which one has more accurate information.
In the example, Node 1 is forwarding a RREP to Node 4. It notices that the route in the RREP has a better Sequence number than the route in its Routing List. Node 1 then replaces the route it currently has with the route in the Route Reply.
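The RREQ/RREP handling just described, as an added example that is not code from the report or from Klein-Berndt [18]; the node names follow the figures (Nodes 1 to 4), the stored routes are constructed, and the retry doubling the lifespan is an assumption:

```python
"""AODV route discovery as described in this appendix.

Added example, not code from the report or from Klein-Berndt [18]. A node
handles a Route Request by dropping duplicates (same source and request ID),
answering with a Route Reply when it is the destination or knows a route at
least as fresh as the request asks for, and otherwise rebroadcasting with a
shortened lifespan; a Route Reply replaces a stored route only when it carries
a higher sequence number. Node names and the scenario (Nodes 1 to 4 from the
figures) are constructed; the retry doubling the lifespan is an assumption.
"""
from dataclasses import dataclass


@dataclass
class Route:
    dest: str
    next_hop: str
    hops: int
    seq: int            # destination sequence number (freshness)


@dataclass
class RREQ:
    src: str
    dest: str
    rreq_id: int        # unique ID of this request
    dest_seq: int       # freshest sequence number the source knows for dest
    ttl: int            # lifespan, decremented on every rebroadcast


@dataclass
class RREP:
    src: str
    dest: str
    hops: int
    dest_seq: int


class Node:
    def __init__(self, name):
        self.name = name
        self.seq = 0            # own sequence number
        self.routes = {}        # dest -> Route
        self.seen = set()       # (src, rreq_id) already handled

    def handle_rreq(self, rreq):
        """Return ("reply", RREP), ("rebroadcast", RREQ) or ("drop", reason)."""
        key = (rreq.src, rreq.rreq_id)
        if key in self.seen:
            return ("drop", "duplicate RREQ")
        self.seen.add(key)
        if rreq.dest == self.name:
            self.seq += 1       # sending any message increases the own sequence number
            return ("reply", RREP(rreq.src, rreq.dest, 0, self.seq))
        route = self.routes.get(rreq.dest)
        if route is not None and route.seq >= rreq.dest_seq:
            return ("reply", RREP(rreq.src, rreq.dest, route.hops, route.seq))
        if rreq.ttl > 1:
            return ("rebroadcast", RREQ(rreq.src, rreq.dest, rreq.rreq_id,
                                        rreq.dest_seq, rreq.ttl - 1))
        return ("drop", "lifespan expired")

    def handle_rrep(self, rrep, from_node):
        """Install the replied route if it is fresher than the stored one."""
        candidate = Route(rrep.dest, from_node, rrep.hops + 1, rrep.dest_seq)
        current = self.routes.get(rrep.dest)
        if current is None or candidate.seq > current.seq:
            self.routes[rrep.dest] = candidate
            return True
        return False

    def retry(self, rreq):
        """No reply in time: resend with a new ID and a longer lifespan (assumed: doubled)."""
        return RREQ(rreq.src, rreq.dest, rreq.rreq_id + 1, rreq.dest_seq, rreq.ttl * 2)


def discovery_example():
    """Node 1 looks for Node 3; Node 2 knows a route, Node 4 does not."""
    n1, n2, n4 = Node("1"), Node("2"), Node("4")
    n2.routes["3"] = Route("3", "3", 1, 5)        # constructed prior knowledge
    req = RREQ("1", "3", rreq_id=1, dest_seq=0, ttl=3)
    reply = n2.handle_rreq(req)                   # ("reply", RREP(...))
    rebroadcast = n4.handle_rreq(req)             # ("rebroadcast", RREQ(... ttl=2))
    duplicate = n4.handle_rreq(req)               # ("drop", ...) on hearing it again
    n1.handle_rrep(reply[1], from_node="2")
    return reply, rebroadcast, duplicate, n1.routes["3"]


if __name__ == "__main__":
    for item in discovery_example():
        print(item)
```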
Figure 18: RERR messages
The Route Error Message (RERR) allows AODV to adjust routes when Nodes move around.
Whenever a Node receives a RERR it looks at the Routing Table and removes all the routes that contain the bad Nodes.
The diagrams above illustrate the three circumstances under which a Node would broadcast a RERR to its neighbors.
In the first scenario the Node receives a Data packet that it is supposed to forward, but it does not have a route to the destination. The real problem is not that the Node does not have a route; the problem is that some other node thinks that the correct Route to the Destination is through that Node.
In the second scenario the Node receives a RERR that causes at least one of its Routes to become invalidated. If that happens, the Node would then send out a RERR listing all the Nodes which are now unreachable.
In the third scenario the Node detects that it cannot communicate with one of its Neighbors. When this happens it looks at the route table for Routes that use the Neighbor as a next hop and marks them as invalid. Then it sends out a RERR with the Neighbor and the invalid routes.
AODV characteristics:
Will find routes only as needed
Appendix II: Working of DSDV [19]
Packets are transmitted between the stations of the network by using routing tables which are stored at each station of the network. Each routing table, at each of the stations, lists all available destinations, and the number of hops to each. Each route table entry is tagged with a sequence number which is originated by the destination station. To maintain the consistency of routing tables in a dynamically varying topology, each station periodically transmits updates, and transmits updates immediately when significant new information is available.
These packets indicate which stations are accessible from each station and the number of hops necessary to reach these accessible stations, as is often done in distance-vector routing
algorithms. The packets may be transmitted containing either layer 2 (MAC) addresses or layer 3 (network) addresses.
Routing information is advertised by broadcasting or multicasting the packets, which are transmitted periodically and incrementally as topological changes are detected, for instance when stations move within the network. Data is also kept about the length of time between the arrival of the first and the arrival of the best route for each particular destination. Based on this data, a decision may be made to delay advertising routes which are about to change soon, thus damping fluctuations of the route tables. The advertisement of routes which may not have stabilized yet is delayed in order to reduce the number of rebroadcasts of possible route entries that normally arrive with the same sequence number.
The DSDV protocol requires each mobile station to advertise, to each of its current neighbors, its own routing table (for instance, by broadcasting its entries). The entries in this list may change fairly dynamically over time, so the advertisement must be made often enough to ensure that every mobile computer can almost always locate every other mobile computer of the collection. In addition, each mobile computer agrees to relay data packets to other computers upon request. This agreement places a premium on the ability to determine the shortest number of hops for a route to a destination; we would like to avoid unnecessarily disturbing mobile hosts if they are in sleep mode. In this way a mobile computer may exchange data with any other mobile computer in the group even if the target of the data is not within range for direct communication. If the notification of which other mobile computers are accessible from any particular computer in the collection is done at layer 2, then DSDV will work with whatever higher layer (e.g., Network Layer) protocol might be in use.
All the computers interoperating to create data paths between themselves broadcast the necessary data periodically, say once every few seconds. In a wireless medium, it is important to keep in mind that broadcasts are limited in range by the physical characteristics of the medium. This is different from the situation with wired media, which usually have a much more well-defined range of reception. The data broadcast by each mobile computer will contain its new sequence number and the following information for each new route:
The destination's address;
The number of hops required to reach the destination; and
The sequence number of the information received regarding that destination, as originally stamped by the destination.
When a Mobile Host receives new routing information it is compared to the information already available from previous routing information packets. Any route with a more recent sequence number is used. Routes with older sequence numbers are discarded. A route with a
sequence number equal to an existing route is chosen if it has a 'better' metric, and the existing route discarded, or stored as less preferable. The metrics for routes chosen from the newly received broadcast information are each incremented by one hop. Newly recorded routes are scheduled for immediate advertisement to the current Mobile Host's neighbors. Routes which show an improved metric are scheduled for advertisement at a time which depends on the average settling time for routes to the particular destination under consideration.
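The update rule of the last two paragraphs applied to a forwarding table, as an added example that is not code from the report or from Perkins and Bhagwat [19]. The host names follow Figure 19 (MH1 to MH7) but the table contents are constructed; odd sequence numbers are treated as the broken-link marker that the discussion of Table 1 below alludes to:

```python
"""DSDV route update rule described above.

Added example, not code from the report or from Perkins and Bhagwat [19].
An advertisement received from a neighbour is merged into the forwarding
table: a route with a newer sequence number replaces the stored one, an
equal sequence number wins only with a better metric, older information is
discarded, and every accepted metric is incremented by one hop. Odd sequence
numbers, which DSDV uses to mark a broken link (the text below notes that
even units digits mean no link is broken), carry an infinite metric. The
tables and host names (MH1..MH7, as in Figure 19) are constructed.
"""
import math
from dataclasses import dataclass

INFINITY = math.inf   # metric of an unreachable destination


@dataclass
class Route:
    dest: str
    next_hop: str
    metric: float       # hop count
    seq: int            # sequence number stamped by the destination


def accepts(current, candidate):
    """The comparison rule: fresher sequence number, else better metric."""
    if current is None:
        return True
    if candidate.seq != current.seq:
        return candidate.seq > current.seq
    return candidate.metric < current.metric


def apply_advertisement(table, neighbor, advertised):
    """Merge routes advertised by neighbor into table (dest -> Route).

    Returns the destinations whose entry changed; these are scheduled for
    immediate advertisement to the receiver's own neighbours."""
    changed = []
    for adv in advertised:
        metric = INFINITY if adv.seq % 2 == 1 else adv.metric + 1
        candidate = Route(adv.dest, neighbor, metric, adv.seq)
        if accepts(table.get(adv.dest), candidate):
            table[adv.dest] = candidate
            changed.append(adv.dest)
    return changed


def mh4_example():
    """MH4's table before and after MH1 moves next to MH5 and MH7 (Figure 19)."""
    table = {
        "MH1": Route("MH1", "MH2", 2, 406),
        "MH2": Route("MH2", "MH2", 1, 128),
        "MH5": Route("MH5", "MH6", 2, 516),
        "MH6": Route("MH6", "MH6", 1, 142),
    }
    # MH6 relays what it learned from MH7: MH1 is now reachable via MH7 with a
    # fresher sequence number, while MH5 and MH2 are no better than MH4 knows.
    from_mh6 = [
        Route("MH1", "MH7", 2, 408),
        Route("MH5", "MH5", 1, 516),
        Route("MH2", "MH2", 3, 128),
    ]
    changed = apply_advertisement(table, "MH6", from_mh6)
    return table, changed


if __name__ == "__main__":
    table, changed = mh4_example()
    print("advertise now:", changed)
    for r in table.values():
        print(r)
```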
Figure 19: Movement in an ad-hoc network
Consider MH4 in Figure 19. Table 1 shows a possible structure of the forwarding table which is maintained at MH4. Suppose the address of each Mobile Host is represented as MHi. Suppose further that all sequence numbers are denoted SNNN_MHi, where MHi specifies the computer that created the sequence number and SNNN is a sequence number value. Also suppose that there are entries for all other Mobile Hosts, with sequence numbers SNNN_MHi, before MH1 moves away from MH2. The install time field helps determine when to delete stale routes. With our protocol, the deletion of stale routes should rarely occur, since the detection of link breakages should propagate through the ad-hoc network immediately. Nevertheless, we expect to continue to monitor for the existence of stale routes and take appropriate action.
From Table 1, one could surmise, for instance, that all the computers became available to MH4 at about the same time, since its install-time for most of them is about the same. One could also surmise that none of the links between the computers were broken, because all of the sequence number fields have times with even digits in the units place. Ptr1_MHi would all be pointers to null structures, because there are not any routes in Figure 19 which are likely to be superseded or compete with other possible routes to any particular destination.
Table 2 shows the structure of the advertised route table of MH4.
Now suppose that MH1 moves into the general vicinity of MH5 and MH7, and away from the others (especially MH2). The new internal forwarding tables at MH4 might then appear as shown in Table 3.
Only the entry for MH1 shows a new metric, but in the intervening time, many new sequence number entries have been received. The first entry thus must be advertised in subsequent incremental routing information updates until the next full dump occurs. When MH1 moved into the vicinity of MH5 and MH7, it triggered an immediate incremental routing information update which was then broadcast to MH6. MH6, having determined that significant new routing information had been received, also triggered an immediate update which carried along the new routing information for MH1. MH4, upon receiving this information, would then broadcast it at every interval until the next full routing information dump. At MH4, the incremental advertised routing update would have the form shown in Table 4.
Properties of the DSDV Protocol
At all instants, the DSDV protocol guarantees loop-free paths to each destination. To see why this property holds, consider a collection of N mobile hosts forming an instance of an ad-hoc style network. Further assume that the system is in steady state, i.e. the routing tables of all