Intrusion detection system


8/14/2019 Intrusion detection system

Intrusion Detection System (IDS) for MANETs

1. Introduction

An ad-hoc (or "spontaneous") network is a local area network or other small network, especially one with wireless or temporary plug-in connections, in which some of the network devices are part of the network only for the duration of a communications session or, in the case of mobile or portable devices, while in some close proximity to the rest of the network. In Latin, ad hoc literally means "for this," further meaning "for this purpose only," and thus usually temporary. The term has been applied to future office or home networks in which new devices can be quickly added, using, for example, the proposed Bluetooth technology, in which devices communicate with the computer and perhaps other devices using wireless transmission. Ad hoc networks such as Bluetooth are networks designed to dynamically connect remote devices such as cell phones, laptops, and Personal Digital Assistants (PDAs). These networks are termed 'ad hoc' because of their shifting network topologies. Whereas LANs use a fixed network infrastructure, ad hoc networks maintain random network configurations, relying on a master-slave system connected by wireless links to enable devices to communicate. In a Bluetooth network, the master of the piconet controls the changing network topologies of these networks. It also controls the flow of data between devices that are capable of supporting direct links to each other. As devices move about in an unpredictable fashion, these networks must be reconfigured on the fly to handle the dynamic topology. The routing protocol that Bluetooth employs allows the master to establish and maintain these shifting networks.

Figure 1: Notional Ad Hoc Network

Figure 1 illustrates an example of a Bluetooth-enabled mobile phone connecting to a mobile phone network, synchronizing with a PDA address book, and downloading e-mail on an 802.11 LAN.


Ad hoc networks are a new paradigm of wireless communication for mobile hosts (which we call nodes). In an ad hoc network, there is no fixed infrastructure such as base stations or mobile switching centers. Mobile nodes that are within each other's radio range communicate directly via wireless links, while those that are far apart rely on other nodes to relay messages as routers. Node mobility in an ad hoc network causes frequent changes of the network topology. Figure 2 shows such an example: initially, nodes A and D have a direct link between them. When D moves out of A's radio range, the link is broken. However, the network is still connected, because A can reach D through C, E, and F.

Figure 2: Dynamicity of MANETs

Figure 2: Topology change in ad hoc networks: nodes A, B, C, D, E, and F constitute an ad hoc network. The circle represents the radio range of node A. The network initially has the topology in (a), and when node 'D' moves out of the radio range of 'A', the network topology changes to the one in (b). The following flowchart depicts the working of any general ad-hoc network:

[Flowchart: Start → Nodes send a signal to find the number of other nodes within range → Synchronizing between nodes → Sender node sends messages to the receiving node → Is the receiving node ready? (No: wait for some time until the receiving node sends back a ready signal; Yes: continue) → Communication begins → Termination process → Stop]

Figure 3: Working of a general Ad-hoc Network


Ad hoc networks are generally closed in that they do not connect to the Internet and are typically created between participants. But, if one of the participants has a connection to a public or private network, this connection can be shared among other members of the ad hoc network. This will allow other users on the spontaneous ad hoc network to connect to the Internet as well. Military tactical operations are still the main application of ad hoc networks today. For example, military units (e.g., soldiers, tanks, or planes), equipped with wireless communication devices, could form an ad hoc network when they roam in a battlefield. Ad hoc networks can also be used for emergency, law enforcement, and rescue missions. Since an ad hoc network can be deployed rapidly with relatively low cost, it becomes an attractive option for commercial uses such as sensor networks or virtual classrooms. Ad hoc networks are common for portable video game systems like the Sony PSP or the Nintendo DS because they allow players to link to each other to play video games wirelessly. Some retail stores even create networks within them to allow customers to obtain new game demos via the store's own ad hoc network.

1.1 Ad Hoc Network Security Vulnerabilities

The lack of centralized control and infrastructure of an ad hoc network increases its vulnerability and exposure to attacks.


Since MANETs have not been widely deployed, no actual data is currently available that allows comprehensive attack analysis. Huang and Lee [?] propose an attack analysis model for ad hoc networks that uses a taxonomy of anomalous events to detect and analyze attacks. Several possible attacks on MANETs have been identified in the literature [?]. They can be broadly classified into two types: (i) routing-disruption attacks and (ii) resource-consumption attacks. A more detailed survey and discussion of the current state of secure routing protocols has been presented by Hu and Perrig [?].

Attacks can target various layers of the protocol stack. Resource-consumption attacks that exploit vulnerabilities in the Medium Access Control (MAC) and Physical (PHY) layers to consume bandwidth and energy in order to starve resource-constrained devices are examples of sleep-deprivation attacks. To protect against such attacks, security mechanisms must be provided in the MAC and PHY layers; they cannot be repulsed at higher levels.

We focus only on attacks specific to the networking and application layers (routing process and data traffic). A detailed classification of the possible attacks can be found in [?].

Figure 4: Taxonomy of Security Attacks

Passive Attacks: In passive attacks, an intruder monitors the channels of communication without interfering with the normal function of the system, thereby only threatening the confidentiality of data. Some commonly used methods of passive attacks are browsing, leaking, inferencing, masquerading and traffic analysis. Passive attacks, such as eavesdropping, can be devastating in security-critical areas such as military applications.

Active Attacks: Active attacks, on the other hand, involve replication, modification, and deletion of data. And since nodes without adequate protection in a wireless ad hoc network are prone to being captured, compromised, or hijacked, these networks are particularly vulnerable to attacks that come from inside. Internal attacks are far more damaging and difficult to detect. A malicious node can disrupt the network by deleting or modifying messages or even attacking the routing protocol by refusing to forward messages or advertising incorrect paths. This can be difficult to detect, because false routing messages could be benign, just the result of an outdated routing table. Other active attacks include energy exhaustion attacks, referred to as sleep deprivation torture, and denial-of-service (DoS) attacks.


2. Background

An intrusion is defined as an action that attempts to compromise the confidentiality, integrity, or availability of a resource [?]. As the name states, an intrusion detection system (IDS) is a system that detects a network intrusion. It is often termed a second line of defense because it is only activated when the intrusion prevention system has failed. Ideally, such a system can detect, identify, and eject an intruder before any damage is done. In this way, an IDS can also serve as a deterrent because intruders recognize that even if they can gain access they are likely to be expelled by the IDS.

IDSs for traditional networks function under the assumption that normal activity and intrusion activity have distinct behaviour [2–?]. Additionally, to implement an IDS, user and program activities must be observable, for example via a system auditing mechanism [?], so that deviations from the norm can be recognized. Based on the type of audit data collected, an IDS can be classified as network- or host-based. Network-based IDSs operate by passively or actively monitoring the network itself. Packets are collected from network traffic and analyzed to identify an intrusion. Network-based IDSs often require a dedicated host or special equipment, which makes them vulnerable to attack. Host-based IDSs monitor activity on each individual node. Data is collected from the system's audit trails, system and application logs, or audit data generated by a model that intercepts system calls [?].

IDSs can be further classified on the basis of detection technique. Intrusion detection techniques can be categorized into misuse detection and anomaly detection. Misuse detection uses the signatures of known attacks to identify an intrusion. The advantage of this technique is that instances of known attacks can be quickly and accurately identified. However, misuse detection lacks the ability to detect newly invented attacks, leaving the network vulnerable. In anomaly detection, a profile of normal activity is created and is used to classify any unreasonable deviations from the established norm as a potential attack. Data mining technology is often used in the profile creation because it is beneficial to automatically construct models given the large amount of data collected. The advantage of anomaly-based detection is that no prior knowledge of intrusions is required, so novel attacks can be detected. However, this technique may suffer from high false-positive rates and additionally may not be able to accurately describe the attack that is occurring.
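The trade-off just described (signatures catch only known attacks; a normal-activity profile also catches novel ones but pays in false positives) in runnable form. This is an added example, not code from the report: the two signatures, the feature set, the z-score threshold and every audit record are constructed for illustration, and the "novel" record stands for an attack that nobody has written a signature for yet.

```python
"""Misuse detection beside anomaly detection on constructed routing-audit records.

Added example, not code from the report: the signatures, the normal profile and
every audit record below are constructed for illustration. A record is one
node's per-interval audit summary built from features observable at the
routing layer (route requests seen, route replies seen, packets not forwarded).
"""
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class AuditRecord:
    node: str
    rreq: int      # route requests observed in the interval
    rrep: int      # route replies observed in the interval
    dropped: int   # packets received for forwarding but never forwarded


# Misuse detection: one rule per already-known attack pattern (constructed).
# Only attacks someone has already described get a rule, which is the weakness
# the text points out.
SIGNATURES = {
    "rreq_flood": lambda r: r.rreq > 50,                     # route-request flooding
    "blackhole": lambda r: r.rrep == 0 and r.dropped > 20,  # swallows everything it receives
}


def misuse_detect(record: AuditRecord) -> list[str]:
    """Names of every known-attack signature the record matches."""
    return [name for name, rule in SIGNATURES.items() if rule(record)]


class AnomalyProfile:
    """Profile of normal activity: per-feature mean and standard deviation."""

    FEATURES = ("rreq", "rrep", "dropped")

    def __init__(self, normal: list[AuditRecord], z_threshold: float = 3.0):
        self.z = z_threshold
        self.stats: dict[str, tuple[float, float]] = {}
        for feat in self.FEATURES:
            vals = [getattr(r, feat) for r in normal]
            # a constant feature has stdev 0; floor it so z-scores stay finite
            self.stats[feat] = (mean(vals), max(pstdev(vals), 1e-9))

    def zscores(self, record: AuditRecord) -> dict[str, float]:
        return {f: abs(getattr(record, f) - m) / s for f, (m, s) in self.stats.items()}

    def is_anomalous(self, record: AuditRecord) -> bool:
        # any feature more than z_threshold standard deviations from normal
        return max(self.zscores(record).values()) > self.z


# Constructed training data: eight quiet intervals from well-behaved nodes.
NORMAL = [AuditRecord(f"n{i}", *v) for i, v in enumerate(
    [(6, 4, 1), (8, 5, 0), (7, 4, 2), (5, 3, 1), (9, 6, 1), (6, 5, 0), (8, 4, 1), (7, 5, 2)])]

# Constructed test intervals: two known attacks, one attack no signature
# covers, and one legitimately busy node.
TEST = [
    AuditRecord("flooder", 80, 4, 1),
    AuditRecord("blackhole", 7, 0, 30),
    AuditRecord("novel", 7, 35, 1),       # floods route replies: no rule exists for it
    AuditRecord("busy_legit", 12, 7, 3),  # merely busy, but outside the profile
]


def compare(profile: AnomalyProfile, records: list[AuditRecord]) -> dict[str, tuple[list[str], bool]]:
    """node -> (signatures matched, flagged by the anomaly profile)."""
    return {r.node: (misuse_detect(r), profile.is_anomalous(r)) for r in records}


if __name__ == "__main__":
    prof = AnomalyProfile(NORMAL)
    for node, (sigs, anomalous) in compare(prof, TEST).items():
        print(f"{node:11s} misuse={sigs or '-'} anomaly={anomalous}")
```

Running it shows the point of the paragraph: the two known attacks are named by the signature rules, the "novel" reply flood is caught only by the profile, and the busy but honest node is also flagged by the profile, which is the false-positive cost the text warns about. Real deployments tune the threshold against the mobility of the network, since in a MANET the profile itself drifts as topology changes.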

2.1 Types of Ad-hoc Routing Protocols

Basically there are three types of routing protocols:

1. Proactive Routing Protocols: Herein the nodes keep updating their routing tables by periodic messages. This can be seen in the Optimized Link State Routing Protocol (OLSR) and the Topology Broadcast based on Reverse Path Forwarding Protocol (TBRPF).


2. Reactive or On-Demand Routing Protocols: Here the routes are created only when they are needed. The application of this protocol can be seen in the Dynamic Source Routing Protocol (DSR) and the Ad-hoc On-demand Distance Vector Routing Protocol (AODV).

3. Hybrid Routing Protocols: Hybrid methods combine proactive and reactive methods to find efficient routes. ZHLS is one example of a hybrid routing protocol. In ZHLS, the whole network is divided into non-overlapping zones. ZHLS is proactive if the traffic destination is within the same zone as the source. It is reactive because a location search is needed to find the zone ID of the destination.

Figure 5 is a categorization of existing routing protocols in MANETs. In the figure, solid lines represent direct descendants while dotted lines depict logical descendants. Since new routing protocols are always being proposed for MANETs, we do not expect to include all of them here.

Figure 5: A Classification of MANET Routing Protocols.

In today's world the most common ad-hoc protocols are the Ad-hoc On-demand Distance Vector routing protocol, the Destination-Sequenced Distance-Vector routing protocol and Dynamic Source Routing. All these protocols are quite insecure because attackers can easily obtain information about the network topology. This is because in the AODV and DSR protocols, the route discovery packets are carried in clear text. Thus a malicious node can discover the network structure just by analyzing this kind of packet and may be able to determine the role of each node in the network. With all this information more serious attacks can be launched in order to disrupt network operations.

2.2 Types of Attacks Faced by Routing Protocols:

Due to their underlying architecture, ad-hoc networks are more easily attacked than a wired network. The attacks prevalent on ad-hoc routing protocols can be broadly classified into passive and active attacks.


A Passive Attack does not disrupt the operation of the protocol, but tries to discover valuable information by listening to traffic. Passive attacks basically involve obtaining vital routing information by sniffing about the network. Such attacks are usually difficult to detect and hence, defending against such attacks is complicated. Even if it is not possible to identify the exact location of a node, one may be able to discover information about the network topology using these attacks.

An Active Attack, however, injects arbitrary packets and tries to disrupt the operation of the protocol in order to limit availability, gain authentication, or attract packets destined to other nodes. The goal is basically to attract all packets to the attacker for analysis or to disable the network. Such attacks can be detected and the nodes can be identified.

There are three more prominent attacks prevalent against ad-hoc networks, most of which are active attacks.

1. Attacks based on modification.

This is the simplest way for a malicious node to disturb the operations of an ad-hoc network. The only task the malicious node needs to perform is to announce better routes (to reach other nodes or just a specific one) than the ones presently existing. This kind of attack is based on the modification of the metric value for a route or on altering control message fields. There are three ways in which this can be achieved:

Redirection by Changing the Route Sequence Number.

Redirection by Altering the Hop Count.

Denial of Service by Altering Routing Information.

2. Impersonation Attacks.

More generally known as 'spoofing', since the malicious node hides its IP and/or MAC address and uses that of another node. Since current ad-hoc routing protocols like AODV and DSR do not authenticate the source IP address, a malicious node can launch many attacks by using spoofing. Take for example a situation wherein an attacker creates loops in the network to isolate a node from the remainder of the network. To do this, the attacker needs to spoof the IP address of the node he wants to isolate from the network and then announce new routes to the other nodes. By doing this, he can easily modify the network topology as he wants.

3. Attack by Fabrication of Information.

There are basically three sub-categories of fabrication attacks. In any of the three cases, detection is very difficult.

Falsification of Route Error Messages.

Corrupting Routing State - Route Cache Poisoning.

Routing table overflow attack.
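A monitoring node can apply plausibility checks to the two redirection techniques listed under the modification attacks above (an inflated destination sequence number, an implausibly small hop count). The example below is added here and is not code from the report nor AODV's own logic: the advertisement format, the thresholds, the names of the alerts and the sample stream of advertisements are all constructed for illustration.

```python
"""Plausibility checks on AODV-style route advertisements (constructed example).

Added example, not from the report: a watchdog that compares each route reply
against what it has already observed for the same destination and flags the
two redirection patterns the text lists. Message fields, thresholds and the
sample stream are constructed; this is not AODV's own processing.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class RouteAdvert:
    advertiser: str   # node that sent the route reply
    dest: str         # destination the advertised route leads to
    seq: int          # destination sequence number claimed
    hops: int         # hop count claimed


@dataclass
class RouteWatchdog:
    max_seq_step: int = 10   # larger jumps than a destination would make between replies
    known_seq: dict[str, int] = field(default_factory=dict)   # dest -> highest seq accepted
    best_hops: dict[str, int] = field(default_factory=dict)   # dest -> smallest hop count accepted

    def check(self, adv: RouteAdvert) -> list[str]:
        """Return the alerts raised by one advertisement (empty list = plausible)."""
        alerts: list[str] = []
        # Nobody except the destination itself is zero hops from the destination.
        if adv.hops <= 0 and adv.advertiser != adv.dest:
            alerts.append("hop_count_zero_from_non_destination")
        prev = self.known_seq.get(adv.dest)
        if prev is not None and adv.seq - prev > self.max_seq_step:
            alerts.append("sequence_number_jump")
        best = self.best_hops.get(adv.dest)
        # A path far shorter than anything seen before deserves corroboration.
        if best is not None and adv.hops < best - 2 and adv.advertiser != adv.dest:
            alerts.append("hop_count_drop")
        # Learn only from advertisements that passed; otherwise an inflated value
        # would become the new baseline and silence the next check.
        if not alerts:
            self.known_seq[adv.dest] = max(prev or 0, adv.seq)
            self.best_hops[adv.dest] = adv.hops if best is None else min(best, adv.hops)
        return alerts


def audit(adverts: list[RouteAdvert]) -> list[tuple[str, list[str]]]:
    """Run one watchdog over a stream and pair each advertiser with its alerts."""
    watchdog = RouteWatchdog()
    return [(a.advertiser, watchdog.check(a)) for a in adverts]


# Constructed stream: B and C advertise ordinary routes to D, node M twice
# advertises a "better" route than exists, then D itself answers.
SAMPLE = [
    RouteAdvert("B", "D", seq=100, hops=4),
    RouteAdvert("C", "D", seq=102, hops=3),
    RouteAdvert("M", "D", seq=500, hops=1),   # sequence number far ahead of D's real one
    RouteAdvert("M", "D", seq=103, hops=0),   # claims to be D's own position
    RouteAdvert("D", "D", seq=104, hops=0),   # the destination answering for itself
    RouteAdvert("C", "D", seq=105, hops=3),
]

if __name__ == "__main__":
    for advertiser, alerts in audit(SAMPLE):
        print(advertiser, alerts or "ok")
```

The alerts are leads, not verdicts: the report notes above that a false routing message can be benign, the result of an outdated routing table, so a practical monitor would corroborate a flagged advertisement (for example by querying neighbours, as the cooperative schemes in Section 4 do) before acting on it.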


3. Intrusion Detection for Mobile Ad Hoc Networks

3.1 Introduction

A wireless ad hoc network provides communication between various devices (nodes) via a shared wireless channel. However, unlike a more conventional wireless network, nodes in an ad hoc network communicate without the assistance of a fixed network infrastructure. Nodes within one another's radio range can communicate through wireless links and dynamically form networks [?]. Additionally, nodes must cooperate by forwarding packets so that nodes not directly connected or beyond radio range can communicate with each other. Often the nodes in an ad hoc network are mobile. These networks are called MANETs.

Ad hoc networks are suited for situations where rapid network deployment is required or it is prohibitively costly to deploy and manage a network infrastructure. Some examples include military soldiers in the field, emergency services in a disaster area, attendees in a conference room, sensors scattered throughout a city for biological detection, space exploration, the forestry or lumber industry, and temporary offices such as campaign headquarters [8].

While there has been much work on IDSs for traditional wired networks, it is difficult to apply much of this research to wireless ad hoc networks because of key architectural differences, most notably the lack of a fixed infrastructure. The lack of centralized audit points, such as switches, routers, and gateways, makes it difficult to collect audit data for the entire network. Data collection in a wireless ad hoc network is limited to activities taking place within radio range, so IDSs must work with localized partial information. Also, without a centralized authority, the algorithms used for intrusion detection must be distributed in nature, yet it must be kept in mind that attacks may be made from nodes inside the network. This means that one of the nodes participating in a collaborative intrusion detection algorithm may be a malevolent node. Additionally, while misuse detection can be applied successfully in traditional networks, this is not the case for wireless ad hoc networks. Since they are relatively new, not many specific attacks have emerged for wireless ad hoc networks. Therefore more emphasis should be given to anomaly-based detection. Anomaly-based IDSs detect patterns based on long-term modeling and the classification of normal and abnormal activity. Since wireless ad hoc networks are very dynamic in structure, this can be very challenging. And owing to mobility and power constraints, there is not always a clear separation between normalcy and anomaly in an ad hoc network. Constrained battery power also affects the detection algorithms used, since a limited power supply requires that intrusion detection algorithms be highly efficient.

3.2 Requirements for an IDS for Mobile Ad Hoc Networks


An IDS in a wireless ad hoc environment must be effective and efficient. An effective IDS correctly classifies normal and malicious activities. It must be fault-tolerant and resist subversion, and it cannot introduce a new weakness into the network. An efficient IDS is cost-effective and uses few system resources, since to be effective an IDS must run continuously. An IDS in an ad hoc environment must work collaboratively to identify intrusions. And lastly, all IDSs must initiate a proper response when an intrusion is detected. In an ad hoc environment, these responses include reinitializing communication channels, identifying a compromised node and reorganizing the network to exclude that node, notifying the end user to take action, and even launching a counterattack.

3.3 Intrusion Prevention for Mobile Ad Hoc Networks

The prevention of intrusions in wireless ad hoc networks would require the development of new secured protocols or modification of the logic of existing protocols to enhance their security. Traditional security solutions that require trusted authorities or certificate repositories are not well suited for securing wireless ad hoc networks, as these networks exhibit frequent partitioning due to node mobility and disconnection. Several solutions have been presented to deal with these issues using either a partially distributed certificate authority [9] or a self-organized public-key management system [10]. A self-organized key management system allows users to generate public/private key pairs, issue certificates, and perform authentication regardless of the network partitions and without any centralized services or trusted authority.

While these intrusion prevention techniques can be used to reduce intrusions, none are completely foolproof. History has shown us that regardless of the number and types of prevention measures that are inserted into a network, there are always some weak links through which attackers can gain access. As a second line of defense, an IDS can be used to identify an intrusion and eject an intruder, potentially before any damage is done. Given its inherent weaknesses, such a system is a necessity for a wireless ad hoc network.


4. Related Work

This section gives an overview of the current research in intrusion detection for wireless ad hoc networks, including architecture, data sources for detection models, and detection algorithms.

4.1 Distributed Intrusion Detection

Zhang et al. [?] proposed a distributed and cooperative IDS for wireless ad hoc networks. In their system, every node participates in intrusion detection and response via an IDS agent placed on it. The IDS agent is divided into six pieces: data collection module, local detection agent, cooperative detection agent, local response module, global response module, and a secure communication module, which provides a high-confidence communication channel among nodes in the network.

The data collection module gathers streams of audit data from various sources, including system activity within the node and communication activities by the node or observable by (within radio range of) the node. This data can be integrated and used in a multilayer intrusion detection method.

The data gathered by the collection module is analyzed by the local detection agent for signs of an intrusion. Traditional IDSs use data only from the lower layers, as the application level can be protected through application-layer firewalls and application-specific modules. But in wireless networks there are no firewalls to protect the application layer, so intrusion detection in this layer becomes necessary. Also, certain attacks, for example a DoS attack, may be more quickly identified in the application layer. Therefore, this IDS uses modules from the lower layers as well as the application level. Detection at each layer can be initiated or aided by evidence from other layers. If a node considers the evidence of the intrusion as 'strong', it can independently determine that there is a network intrusion and initiate the proper response. However, if the node considers the evidence of intrusion as weak, it can start the cooperative detection agent by propagating state information among neighboring nodes. This information could include only the level of confidence of an intrusion, or it could include the identity of the suspected malicious node along with the confidence level. On receiving an anomaly state request, each node, including the initiator, sends its state information to its immediate neighbors. Each of the nodes then decides whether the majority of the reports received reflect an anomaly. If so, any node can conclude that the network is under attack. The node that makes such a conclusion can initiate an appropriate response.
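The strong/weak evidence split and the majority vote just described, together with the caveat from Section 3.1 that one of the participants in a collaborative algorithm may itself be malevolent, in a small runnable model. This is an added example, not Zhang et al.'s system: the thresholds, the neighbourhood, every confidence value and the "lying node" behaviour are constructed for illustration.

```python
"""Cooperative anomaly decision by majority vote (constructed example).

Added example, not the Zhang et al. implementation: each node holds a local
confidence that an intrusion is under way. Strong evidence is acted on alone;
weak evidence triggers an anomaly-state request to the immediate neighbours,
and the verdict is the majority of the reports. A compromised node that reports
the opposite of what it observes shows the insider limit the report mentions:
one such node is outvoted, a colluding majority is not. All values constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

STRONG = 0.8   # at or above this a node decides on its own
WEAK = 0.3     # below this a node sees nothing worth reporting


@dataclass
class Node:
    name: str
    confidence: float         # local detection agent's belief in an intrusion
    neighbours: list[str]     # nodes within radio range
    lies: bool = False        # compromised node inverts its report

    def report(self) -> bool:
        """State sent back when asked for anomaly state."""
        sees_anomaly = self.confidence >= WEAK
        return (not sees_anomaly) if self.lies else sees_anomaly


def decide(initiator: str, net: dict[str, Node]) -> str:
    """Verdict reached at `initiator`: local_intrusion, network_intrusion or normal."""
    node = net[initiator]
    if node.confidence >= STRONG:
        return "local_intrusion"            # independent determination, no vote needed
    if node.confidence < WEAK:
        return "normal"
    # Weak evidence: collect the initiator's own view plus every neighbour's report
    votes = [node.report()] + [net[n].report() for n in node.neighbours]
    return "network_intrusion" if sum(votes) > len(votes) / 2 else "normal"


def build(lying: set[str]) -> dict[str, Node]:
    """Constructed neighbourhood: A is suspicious but unsure, F is certain, D sees nothing."""
    spec = {
        "A": (0.50, ["B", "C", "D", "E"]),
        "B": (0.60, ["A"]),
        "C": (0.40, ["A"]),
        "D": (0.10, ["A"]),
        "E": (0.45, ["A"]),
        "F": (0.90, []),
    }
    return {n: Node(n, conf, nb, lies=n in lying) for n, (conf, nb) in spec.items()}


if __name__ == "__main__":
    for liars in (set(), {"E"}, {"C", "E"}):
        print(f"liars={sorted(liars) or '-'}: A decides {decide('A', build(liars))}")
    print("F decides", decide("F", build(set())))
```

With honest neighbours A's weak suspicion is confirmed four votes to one; with E compromised it still carries three to two; with C and E both compromised the true intrusion is outvoted and reported as normal. That is why the report stresses that the algorithm must tolerate a malevolent participant, and why the hierarchical and cluster-head designs in the following subsections move the final decision to nodes chosen for hardiness.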

The intrusion response can be either local or global. In a local response, a node initiates actions local to itself, while in a global response, a node coordinates actions among neighboring nodes in the network. The actions taken are based on the network, applications, and confidence in the evidence. Some possible responses include forcing a re-key or identifying the compromised node or nodes and reorganizing the network to exclude such nodes.

This system uses anomaly-based intrusion detection by creating a model that can be used to classify an action as normal or a potential intrusion. The model is constructed by defining a set of features which can be used to classify a system state. Because the set of features that could potentially identify a system state is quite large, an unsupervised method is used to determine the set to be used in classification, which is called the essential feature set. A classifier is then used to compute rules to partition the data into the two classes. Intrusion reports are created by examining the current state of the essential feature set and using this information to classify the system (network) state as normal or abnormal.

The system was tested by creating four separate models, using two different feature sets with information available from the routing protocol, which collect data only from the local node. Two different classifiers were used: RIPPER, a decision-tree-equivalent classifier, and SVM Light, which partitions the data with a hyperplane. Simulation data was then run using three wireless ad hoc protocols: dynamic source routing (DSR), ad hoc on-demand distance vector routing (AODV), and destination-sequenced distance-vector routing (DSDV). In general, good results were obtained, particularly using the SVM Light classifier and the DSR protocol, which showed anomaly detection rates of approximately 99% and a false alarm rate of less than 0.1%.

4.2 Hierarchical Cooperative Intrusion Detection

Sterne et al. [?] take Zhang et al.'s idea of a cooperative IDS and augment it with a dynamic hierarchical structure. While cooperative IDSs may be successful in detecting malicious behavior with respect to routing protocols, such systems have not been shown to be applicable to more conventional attacks. Additionally, a hierarchical structure is traditionally more amenable to growth. In a fully cooperative, distributed IDS, such as the one discussed above, communication overhead can rise very quickly, on the order of the square of the number of nodes. A hierarchical model, on the other hand, allows data sharing without such a rapid increase in communication overhead. The proposed architecture was designed for military applications and as such mimics the structure found in such organizations, in that intrusion detection data is passed up the hierarchy while intrusion response directives flow down to the lower levels.

Ad hoc networks typically construct routes using topology-based clustering. Nodes create neighborhoods based on proximity. Such clusters can then select a node to be a neighborhood representative called a cluster head. The cluster heads then organize into a second level of clusters and select representatives who join in a third level of clusters, and so on until all the nodes in the network are interconnected. In a dynamic hierarchical structure, the cluster head is selected based on a variety of attributes including connectivity, hardiness, power and storage capacity, and bandwidth capabilities.


In the proposed architecture, the nodes cooperate to protect the network but remain responsible for intrusion detection mechanisms to protect themselves. The nodes share tasks such as monitoring, logging, analyzing, and reporting data at various layers of the network. Monitoring is both promiscuous and direct. Promiscuous monitoring is monitoring the communication of neighboring nodes even when a node is not involved in the transmission of a message. Direct monitoring involves a node reporting its own activity. In a fully cooperative IDS, all nodes monitor the traffic that flows through them. In the hierarchical model, monitoring responsibilities are given to the two nodes that are the first and last hop between each pair of nodes. The responsible nodes are automatically updated when a route changes, as a node would be aware of the path a packet is taking and what its position is in the routing of the packet. This simple strategy can dramatically reduce the amount of communication overhead and duplicated effort. Additionally, this sort of monitoring is suitable for detecting conventional attacks on the network. Nodes at the lowest level are responsible for collecting certain data as well as intrusion detection and reporting. The key principle in this system is that intrusion detection should occur at the lowest level of the hierarchy at which data is available to make an accurate decision. Since leaf nodes do not aggregate data, they generally do not analyze intrusion information, since this typically requires a large amount of data. This analysis is performed by the cluster heads, which collect from their cluster members and perform detection computations on the consolidated data. A cluster head may query members of its cluster or its peers for additional information. Additionally, a cluster head sends consolidated data to its superior. Nodes at the top of the hierarchy have responsibility for managing the IDS through activities such as distributing decision rules and signatures of known attacks. A node's authority increases as it moves toward the top of the hierarchy, thus mimicking the structure found in many organizations.
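Two mechanics of the hierarchical design above in runnable form: electing a cluster head from the attributes the text lists (connectivity, hardiness, power, storage, bandwidth), and assigning monitoring duty for a route to its first and last hop rather than to every node on the path. This is an added example, not Sterne et al.'s implementation: the attribute weights, the normalisation, the reading of "first and last hop" as the node after the source and the node before the destination, and all node data and routes are constructed assumptions.

```python
"""Cluster-head election and first/last-hop monitoring assignment (constructed).

Added example, not Sterne et al.'s code. (1) A cluster elects as head the member
with the highest weighted score over the attributes named in the text; ties are
broken by name so every member computes the same result. (2) Monitoring duty
for a route goes to its first and last hop, and the example counts how many
monitoring assignments that yields against every on-path node watching every
flow. Weights, attribute values and routes are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class NodeAttrs:
    name: str
    connectivity: int   # number of one-hop neighbours
    hardiness: float    # 0..1, how hard the platform is to compromise
    power: float        # 0..1, remaining battery
    storage: float      # 0..1, free storage
    bandwidth: float    # 0..1, link capacity


# Constructed weights; a deployment would tune these to its mission.
WEIGHTS = {"connectivity": 0.30, "hardiness": 0.25, "power": 0.20,
           "storage": 0.10, "bandwidth": 0.15}


def score(n: NodeAttrs, max_conn: int) -> float:
    """Weighted sum; connectivity is scaled by the best-connected member so every term is 0..1."""
    return (WEIGHTS["connectivity"] * n.connectivity / max_conn
            + WEIGHTS["hardiness"] * n.hardiness
            + WEIGHTS["power"] * n.power
            + WEIGHTS["storage"] * n.storage
            + WEIGHTS["bandwidth"] * n.bandwidth)


def elect_cluster_head(members: list[NodeAttrs]) -> str:
    max_conn = max(m.connectivity for m in members) or 1
    return max(members, key=lambda m: (score(m, max_conn), m.name)).name


def monitors_for_route(route: list[str]) -> set[str]:
    """Hierarchical rule (assumed reading): the node after the source and the node
    before the destination monitor the flow; on a direct link the endpoints do."""
    if len(route) < 2:
        return set()
    if len(route) == 2:
        return set(route)
    return {route[1], route[-2]}


def monitoring_load(routes: list[list[str]]) -> tuple[int, int]:
    """(assignments if every on-path node monitors, assignments under the first/last-hop rule)."""
    fully_cooperative = sum(len(r) for r in routes)
    hierarchical = sum(len(monitors_for_route(r)) for r in routes)
    return fully_cooperative, hierarchical


# Constructed cluster: B is best connected and reasonably hardened; D is the
# most hardened but poorly connected.
CLUSTER = [
    NodeAttrs("A", 3, 0.5, 0.90, 0.4, 0.6),
    NodeAttrs("B", 5, 0.8, 0.60, 0.7, 0.8),
    NodeAttrs("C", 4, 0.6, 0.30, 0.9, 0.5),
    NodeAttrs("D", 2, 0.9, 0.95, 0.6, 0.4),
]

# Constructed routes (source ... destination).
ROUTES = [["S", "X", "Y", "Z", "T"], ["S", "T"], ["A", "B", "C"]]

if __name__ == "__main__":
    print("cluster head:", elect_cluster_head(CLUSTER))
    print("if B leaves:", elect_cluster_head([m for m in CLUSTER if m.name != "B"]))
    for r in ROUTES:
        print(" -> ".join(r), "monitored by", sorted(monitors_for_route(r)))
    print("assignments (all on-path, first/last hop):", monitoring_load(ROUTES))
```

Re-running the election when a member leaves or its battery drains is what makes the hierarchy dynamic; the deterministic tie-break matters because every member must arrive at the same head without a central authority. The load count shows the overhead saving the text describes: on the five-hop route only two nodes report instead of five.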

4.3 Mobile Agent-Based Intrusion Detection Systems

Kachirski and Guha [?] propose a distributed IDS for wireless ad hoc networks based on mobile agent technology. Mobile agents are autonomous software entities that can halt themselves, ship themselves to another agent-enabled host on the network, and continue execution, deciding where to go and what to do along the way [?]. Agents are dynamically updateable and have a specific functionality.

The proposed system uses a modular architecture with several types of mobile agents that perform functions such as network monitoring, host monitoring, decision making, and action. Only certain nodes will have agents for network packet monitoring, while every node in the network will have an agent to monitor system- and application-level activities. In the cooperative decision-making process, every node will decide on an intrusion threat level at the host level, while only those nodes containing a network monitoring agent will participate in making decisions on a network-based intrusion. All nodes will contain an action host that is responsible for responding to an intrusion. By distributing the functions of the IDS into separate modules represented by lightweight mobile agents, the workload of intrusion detection is spread across the nodes of the network to minimize power consumption and reduce processing time. There are three agent classes: action, decision, and monitoring. The monitoring class is further divided into agents that monitor packet-level data, user (application) data, and system-level data.

Since the agents that monitor network packets and make network intrusion detection decisions are located on a subset of the nodes of the network, a distributed algorithm is used to select the nodes to host these agents. The algorithm logically divides a mobile network into clusters with a single cluster head for each. The cluster head then hosts the network-monitoring sensor, which collects all packets within radio range and analyzes them for known patterns of attacks. The cluster head monitors packets sent by every member of its cluster, while ignoring those sent by nodes outside of its cluster. This prevents duplicate processing of packets by two different cluster heads. The packet information is inserted into a fixed-sized queue, which is used by the decision agent to analyze the state of the network and its nodes. Local detection agents monitor local activity looking for suspicious activities. If an anomaly is detected with strong evidence, action is taken to terminate the suspicious activity. If an anomaly is detected with less confidence, the node reports its status to the decision-making agent on the cluster head.

The proposed system uses a decision-making process where individual nodes make decisions on their local state, while the global decision-making agent, located on the cluster head, collects information from the network and all the nodes within its cluster. The agent can then conclude with some confidence whether a node has been compromised. When such a determination is made the agent instructs the local node to take action. This action should result in a decreased threat level. If that does not occur, the node can be excluded from the network. The authors propose the use of an anomaly detection model to identify potential intrusions into the network.

The mobile agent approach creates an IDS that minimizes the use of scarce computational and power resources. However, at the same time, it creates points of failure that could be exploited by an attacker. The authors recognize this limitation and propose additional research into an effective means of defense.

4.4 Cross-Feature Analysis for Intrusion Detection

As mentioned above, while misuse detection can be effectively used to identify intrusions in a wired network, this is not the case for ad hoc networks, given their relative infancy. Therefore, anomaly detection is currently the preferred methodology. Anomaly detection generally involves mining historical data to detect patterns related to normal and abnormal activities and then building a classifier based on these patterns. One method for building such a classifier is suggested in Ref. [12], using a technique for identifying anomalies called cross-feature analysis.

A basic assumption for a network of any kind is that there exists a set of features that can unambiguously identify whether a network is in a normal or abnormal state. The set of features can be stored in a feature vector, and often there is a set of such feature vectors related to a normal network state. Cross-feature analysis attempts to explore the relationship between the values in the feature vector and the state of the network.

A classifier is built that predicts the value of a given feature based on the values of the other features and a normal system state. During the training process a classifier is built for each of the features, $f_i$, in the feature vector, of the form

$C_i : \{f_1, f_2, \dots, f_{i-1}, f_{i+1}, \dots, f_n\} \to f_i$

This classifier contains a set of rules or a decision tree that can predict the value of a feature given the other features. The assumption made is that if the predicted value of a feature does not match the actual value of the feature, there is an anomaly. At the end of the training process there exists a set of classifiers, one for each of the features in the feature vector.

These classifiers are then used to analyze the network logs and identify anomalies. Two different algorithms are suggested. The simplest one is called average match count. When an event is analyzed, the classifiers are used to predict each of the features in the feature vector and a count is kept of the number of matches that occur. A simple average is taken, and if the average number of matches is less than a designated threshold, the network is assumed to be in an abnormal state. A second algorithm is suggested that uses probabilities instead of the simple binary matching classification. Most classifiers can return the probability that the labeled feature contains a certain value, given the values of the remaining features. The classifiers are used to estimate the probability of each value in the feature vector. These probabilities are averaged, and again the network is assumed to be in an abnormal state if the average probability is less than a given threshold.

Cross-feature analysis was tested using a feature vector designed to identify routing anomalies.
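The two scoring rules just described, carried through as an added worked example (this is not code from the page or from Huang et al. [12]). The per-feature classifier is a conditional frequency table standing in for the rules or decision tree the text mentions; the training records, the meaning given to the four features and the 0.75 threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed training records: feature vectors captured while the network was
# in a normal state. Each position is a coarse, discretised routing counter
# (assumption: 0 = low, 1 = medium, 2 = high) for
#   f1 = route requests sent, f2 = route replies received,
#   f3 = data packets forwarded, f4 = route changes.
# In normal traffic f2 tracks f1, f3 tracks f2 and f4 stays low.
NORMAL_TRAINING = [
    (0, 0, 0, 0), (1, 1, 1, 0), (2, 2, 2, 0), (1, 1, 1, 1),
    (0, 0, 0, 0), (2, 2, 2, 1), (1, 1, 1, 0), (0, 0, 0, 1),
]


class FeatureClassifier:
    """One classifier C_i : {f_1..f_{i-1}, f_{i+1}..f_n} -> f_i.

    The text allows any rule learner or decision tree; this added example uses
    the simplest one, a conditional frequency table: for every combination of
    the other features seen in training it remembers how often each value of
    f_i occurred, and predicts the most frequent one.
    """

    def __init__(self, target_index):
        self.i = target_index
        self.table = defaultdict(Counter)   # other-feature tuple -> Counter of f_i values
        self.prior = Counter()              # fallback when the tuple was never seen

    def _others(self, vector):
        return tuple(v for k, v in enumerate(vector) if k != self.i)

    def fit(self, vectors):
        for v in vectors:
            self.table[self._others(v)][v[self.i]] += 1
            self.prior[v[self.i]] += 1
        return self

    def _counts(self, vector):
        return self.table.get(self._others(vector), self.prior)

    def predict(self, vector):
        return self._counts(vector).most_common(1)[0][0]

    def probability(self, vector):
        """P(f_i takes its observed value | the other features)."""
        counts = self._counts(vector)
        return counts[vector[self.i]] / sum(counts.values())


def train_classifiers(vectors):
    """Training phase: one classifier per feature of the vector."""
    return [FeatureClassifier(i).fit(vectors) for i in range(len(vectors[0]))]


def average_match_count(classifiers, vector):
    """First algorithm: fraction of features whose predicted value matches."""
    matches = sum(c.predict(vector) == vector[c.i] for c in classifiers)
    return matches / len(classifiers)


def average_probability(classifiers, vector):
    """Second algorithm: mean probability assigned to the observed values."""
    return sum(c.probability(vector) for c in classifiers) / len(classifiers)


def classify(classifiers, vector, threshold=0.75, use_probability=False):
    """Label the network state; a score below the threshold means abnormal."""
    score_fn = average_probability if use_probability else average_match_count
    score = score_fn(classifiers, vector)
    return ("abnormal" if score < threshold else "normal"), score
```

A constructed record such as (2, 2, 0, 0), many requests and replies but nothing forwarded, which is what a dropping node would look like in these counters, scores 0.25 under average match count against 1.0 for a normal record, and the probability variant separates the two just as clearly.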

used for a period of time, the abnormal data (outliers) can be labeled as normal or abnormal and be used to train the model and derive a new decision boundary. This revised decision model can then be used to classify a network state as normal or abnormal.

The proposed IDS consists of four components: local data collection, SVM-based intrusion detection, local response, and global response. Data is collected locally from various network audit streams and is passed to the SVMDM. The SVMDM classifies the network state as normal or as a possible intrusion, in which case it also identifies the source node. The local response module distributes local detection results based on the data collected locally, while the global response module consolidates other nodes' locally collected data and makes a decision based on this consolidated data. The method of sharing data is dependent on the IDS architecture, and this type of detection is conducive to either a fully distributed architecture such as the system proposed by Zhang et al [5] or a hierarchical architecture.

The system was tested using a network simulator, which created simulations of two different DoS attacks against the AODV routing protocol: black hole attacks and frequent false routing requesting (FFRR). The detection rate for 2-SVMDM was approximately 96% for both the fully distributed and the hierarchical system architectures, with a slightly higher false alarm rate in the fully distributed system. 1-SVMDM was able to detect both types of attacks with a detection rate of approximately 85% but with a false alarm rate approaching 20%. While the system was tested on only a single routing protocol and a specific set of routing-based attacks, the authors believe that the system can be extended to other routing protocols and attack types with the appropriate parameter selection.

4.6 A Game Theory Approach to Intrusion Detection

Game theory has been used extensively to model a variety of problems, such as routing behavior and distributed power control, in wireless ad hoc networks. Patcha and Park [14] present the use of game theory to model the interaction between an attacker and an IDS. This scenario is modeled as a two-player game. The key to such a model is the interaction of the players, such that the actions of one player affect the other player in either a positive or negative way. This is obviously the case in an IDS, as an intrusion negatively impacts the node being attacked, while stopping an intrusion has a negative impact on the attacker. Additionally, in game theory, a player always takes actions that are in that player's best interest. This, again, is the case with IDS in wireless ad hoc networks.

In the proposed game model, the objective of the attacker is to send a malicious message with the intention of attacking the other player, which is another node in the network. The intrusion is considered successful if the malicious message reaches the target without being detected, while the IDS is successful if it detects the intrusion and the intruding node is blocked. In the game theory model presented, the attacker is considered the sender and the host-based IDS is the receiver. The host-based IDS has a prior belief regarding the probability that a node is an attacker or a regular node. The IDS uses this probability to calculate the expected payoff from blocking the sender's transmission.

$\text{Payoff}_{receiver} = (s \, U_{miss}) + (t \, U_{falseAlarm}) - (s \, t \, (U_{detect} + U_{falseAlarm} + U_{miss}))$   (1)

where $U_{miss}$ is the cost of missing an intrusion, $U_{falseAlarm}$ the cost of a false alarm, $U_{detect}$ the gain of detection, $s$ the probability that the sender is an attacker, and $t$ the probability of detecting the intrusion.

The payoff for the attacker is found using

$\text{Payoff}_{sender} = (t \, V_{caught}) + ((1 - t) \, V_{intrude})$   (2)

where $V_{caught}$ is the cost of being detected and blocked and $V_{intrude}$ the gain of a successful intrusion.

The strategy for the sending node is to decide whether to send a message based on the strategy of the IDS, and to send a message if doing so maximizes its expected payoff. The choice of strategy by the IDS is based on the receiver's prior belief, calculated using Bayes' rule, so that it is able to maximize the effective payoff by minimizing the cost due to false alarms and missed attacks. Since Bayes' theorem is recursive in nature, these probabilities will be recalculated regularly, and this should reduce the number of false alarms and missed intrusions.
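Equations (1) and (2) carried through in code, as an added example (not from the page or from Patcha and Park [14]). The sign convention (costs as negative numbers, gains as positive ones), the sample values, and the alarm-likelihood model behind the Bayes' rule update are assumptions of this example; the break-even function only rearranges equation (2).

```python
def receiver_payoff(s, t, u_miss, u_false_alarm, u_detect):
    """Equation (1): expected payoff of the host-based IDS.

    s: prior probability that the sender is an attacker
    t: probability that an intrusion is detected
    u_miss, u_false_alarm: costs (negative numbers, an assumption of this
    example); u_detect: gain of detection (positive).
    """
    return (s * u_miss) + (t * u_false_alarm) - (s * t * (u_detect + u_false_alarm + u_miss))


def sender_payoff(t, v_caught, v_intrude):
    """Equation (2): expected payoff of the attacking sender."""
    return (t * v_caught) + ((1 - t) * v_intrude)


def sender_break_even(v_caught, v_intrude):
    """Detection probability at which equation (2) is zero. Above it the
    attacker's expected payoff is negative, so a rational sender stays quiet."""
    return v_intrude / (v_intrude - v_caught)


def update_prior(s, t, false_alarm_rate, alarm):
    """One Bayes' rule step for the IDS's belief that the sender is an attacker.

    Assumption of this example: a message from an attacker raises an alarm
    with probability t, a message from a regular node with probability
    false_alarm_rate. `alarm` says whether the latest message raised one.
    """
    if alarm:
        p_attacker, p_regular = t, false_alarm_rate
    else:
        p_attacker, p_regular = 1 - t, 1 - false_alarm_rate
    evidence = s * p_attacker + (1 - s) * p_regular
    return s * p_attacker / evidence if evidence else s


def recalculate(s, t, false_alarm_rate, observations):
    """Apply update_prior over a sequence of alarm/no-alarm observations,
    the regular recalculation the text describes; returns the final belief."""
    for alarm in observations:
        s = update_prior(s, t, false_alarm_rate, alarm)
    return s
```

With constructed values V_caught = -10 and V_intrude = 5 the break-even detection rate is 1/3: at t = 0.2 the attacker's expected payoff is +2, at t = 0.4 it is -1, which is the deterrence effect the model is built to capture.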

4.7 Combining Misuse Detection with Anomaly Detection

The idea of combining anomaly detection with misuse detection is presented by Nadkarni and Mishra [8]. The idea behind this approach is that while anomaly detection leads to a high degree of false positives and misuse detection can miss some attacks, the combination of the two methods is superior to using either separately. Additionally, this proposed IDS is adaptive in adjusting its thresholds to abnormal activities, effective with an average accuracy rate of over 90%, efficient in conserving resources and power consumption, and protocol-independent.

The proposed IDS can be broken into three stages: initialization, audit data analysis, and threshold adjustment. During the initialization phase, a node analyzes network traffic and gathers information about the normal behavior of the network.

at higher-than-normal frequency may signify an attack. Therefore this set of counters is maintained, one for each type of attack. A counter is incremented when a related incident occurs, and after a single incident of abnormal behavior the suspicious status of the related node is noted and the activity of the node is monitored for a possible intrusion. If the suspicious node continues to display abnormal behavior that can be interpreted as some symptom of the attack, or a variation of such an attack, during a specific time frame, the IDS identifies that there is an intrusion and initiates an appropriate response.

The adaptive properties of this IDS are found in the threshold adjustment stage. After regular time intervals without an intrusion, threshold values are adjusted. This is to prevent the possibility that malicious nodes are operating just under a threshold level. Therefore the threshold for each attack, or variation of such an attack, is increased by a fixed percentage. If an attack does occur, the threshold is adjusted to take into account the properties of the attack. It is revised to the difference between the detected rate of abnormal behaviors and the 'normal' rate of abnormal behaviors, multiplied by the time interval of the attack.
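The counters and the threshold adjustment stage as an added example; this is not Nadkarni and Mishra's code, and the attack type name, its normal rate, the initial threshold, the interval length and the 10% growth step are all constructed assumptions.

```python
from collections import defaultdict


class AdaptiveThresholdIDS:
    """Per-attack-type counters with the threshold adjustment stage described
    above. Added example, not Nadkarni and Mishra's code; every number used
    here is an assumption.

    * a counter is kept per (node, attack type) and incremented on each
      related incident; the first incident marks the node suspicious;
    * once a counter exceeds the threshold for its attack type within the
      current interval, an intrusion is declared for that node;
    * at the end of an interval with no intrusion, every threshold is raised
      by a fixed percentage;
    * at the end of an interval with an intrusion, the threshold of that
      attack type is revised to (observed rate - normal rate) * interval.
    """

    def __init__(self, normal_rates, initial_thresholds, interval=10.0, quiet_growth=0.10):
        self.normal_rates = dict(normal_rates)       # incidents/second in normal traffic
        self.thresholds = dict(initial_thresholds)   # incidents per interval
        self.interval = interval
        self.quiet_growth = quiet_growth
        self.counters = defaultdict(int)             # (node, attack) -> incidents
        self.suspicious = set()
        self.intrusions = []                         # (node, attack) declared this interval

    def observe(self, node, attack):
        """Audit data analysis: record one incident related to `attack`."""
        key = (node, attack)
        self.counters[key] += 1
        self.suspicious.add(node)
        if self.counters[key] > self.thresholds[attack] and key not in self.intrusions:
            self.intrusions.append(key)
        return key in self.intrusions

    def end_interval(self):
        """Threshold adjustment stage; returns the intrusions of the interval."""
        if not self.intrusions:
            for attack in self.thresholds:
                self.thresholds[attack] *= 1 + self.quiet_growth
        else:
            for node, attack in self.intrusions:
                observed_rate = self.counters[(node, attack)] / self.interval
                self.thresholds[attack] = (observed_rate - self.normal_rates[attack]) * self.interval
        detected = list(self.intrusions)
        self.counters.clear()
        self.suspicious.clear()
        self.intrusions.clear()
        return detected
```

With a constructed normal rate of 0.5 incidents/second and an initial threshold of 8 per 10-second interval, one quiet interval raises the threshold to 8.8; a node then producing 12 related incidents is declared at its ninth, and the threshold is revised to (1.2 - 0.5) * 10 = 7.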

The proposed IDS was tested using the user datagram protocol (UDP) …

… [7]. While the goal of their proposal is to increase throughput in the network, it focuses on intrusion prevention methods by introducing two overlays to the DSR algorithm, in which every packet has a route path that consists of nodes that have agreed to forward the packet. The proposed system consists of two tools to detect and mitigate abnormal routing behavior. The Watchdog tool identifies misbehaving nodes, while Pathrater aids the routing protocol in avoiding such nodes.

Figure 6: Watchdog Operation

Watchdog works by using promiscuous listening. Each node in a routing path verifies that its successor appropriately forwards the message to the next node in the path. For example, node S wishes to send a message to node D using the routing path S-A-B-C-D. When node B forwards a packet to D through C, A can listen to B's transmission and verify that B has attempted to pass the packet to C. Additionally, if encryption is performed separately for each link, A can also tell if B has tampered with the header or the message itself. Since failing to forward a single packet is not indicative of a malicious node, each node maintains statistics for the routing behavior of its neighbors. This is accomplished by maintaining a buffer of recently sent packets. Each time a node overhears a message, it compares it with the packets in the buffer to see if there is a match. If there is a match the packet is removed from the buffer. If a packet remains in the buffer for longer than a specified time period, the Watchdog increments a failure counter for the node responsible for forwarding the packet. After the counter exceeds a certain threshold the node is identified as misbehaving and a message is sent to the source identifying the misbehaving node.

The information collected by Watchdog can be used by the Pathrater to determine an efficient route that avoids routing packets through misbehaving nodes. Each node maintains a rating for all other nodes in the network. A newly discovered node receives a neutral score. For every time interval in which a node acts appropriately in forwarding a message, its score is increased. However, if Watchdog notes that a node failed to forward a packet, the node's score is decremented. If a node is designated as misbehaving it receives a high negative score. When computing a route, each potential path for a message receives a score, which is the average rating of the nodes in the path. If there are multiple paths to the same node, the path with the highest score is chosen. This guarantees that messages are routed through the most reliable nodes.

Even though the combination of Watchdog and Pathrater increases the overhead at a node, testing showed that overall network throughput was increased. Additionally, simulations showed that network throughput was not adversely affected by false detection.
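Watchdog's buffer-and-timeout check and Pathrater's rating-based path choice, as an added example (not Marti et al.'s implementation [7]); the timeout, the failure threshold, the rating constants and the five-node scenario used in the usage are assumptions constructed for this example.

```python
class Watchdog:
    """Promiscuous-mode forwarding check (added example, not Marti et al.'s code).

    A node records each packet it hands to its next hop. When it overhears the
    next hop re-transmit that packet, the entry is cleared. An entry still in
    the buffer after `timeout` seconds counts as a forwarding failure of the
    next hop; a node whose failures exceed `threshold` is flagged as
    misbehaving so that the source can be told. Both constants are assumptions.
    """

    def __init__(self, timeout=1.0, threshold=3):
        self.timeout = timeout
        self.threshold = threshold
        self.buffer = {}          # packet_id -> (next_hop, time_sent)
        self.failures = {}        # next_hop -> failure count
        self.misbehaving = set()

    def sent(self, packet_id, next_hop, now):
        self.buffer[packet_id] = (next_hop, now)

    def overheard(self, packet_id, transmitter):
        """The node heard `transmitter` forward `packet_id`; True if it matched."""
        entry = self.buffer.get(packet_id)
        if entry and entry[0] == transmitter:
            del self.buffer[packet_id]
            return True
        return False

    def expire(self, now):
        """Charge timed-out packets to their next hop; return nodes newly flagged."""
        newly_flagged = []
        for packet_id, (next_hop, sent_at) in list(self.buffer.items()):
            if now - sent_at > self.timeout:
                del self.buffer[packet_id]
                self.failures[next_hop] = self.failures.get(next_hop, 0) + 1
                if self.failures[next_hop] > self.threshold and next_hop not in self.misbehaving:
                    self.misbehaving.add(next_hop)
                    newly_flagged.append(next_hop)
        return newly_flagged


class Pathrater:
    """Node ratings and path choice as described above (constants are assumptions)."""

    NEUTRAL, GOOD_STEP, FAIL_STEP, MISBEHAVING = 0.5, 0.01, -0.05, -100.0

    def __init__(self):
        self.ratings = {}

    def rating(self, node):
        return self.ratings.setdefault(node, self.NEUTRAL)   # newly seen node: neutral

    def forwarded_ok(self, node):
        self.ratings[node] = self.rating(node) + self.GOOD_STEP

    def forward_failed(self, node):
        self.ratings[node] = self.rating(node) + self.FAIL_STEP

    def mark_misbehaving(self, node):
        self.ratings[node] = self.MISBEHAVING

    def score_path(self, path):
        """Average rating of the nodes on the path, excluding the source itself."""
        hops = path[1:]
        return sum(self.rating(n) for n in hops) / len(hops)

    def choose_path(self, paths):
        return max(paths, key=self.score_path)
```

In the constructed scenario node A hands five packets to B, hears B forward only the first, and after the timeout charges the other four to B, which exceeds the threshold of three; Pathrater then scores the path through B at -24.625 against about 0.5 for an alternative, so the alternative is chosen.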

5. Intrusion Detection in MANETs

5.1 Assumptions and Observations

We assume that packet drops are one of the results of an intrusion, which may be a grey-hole attack or a black-hole attack. A limit for packet drops is also specified, and an alarm is raised when that limit is crossed. Here we track only grey-hole attacks and black-hole attacks. The protocols used are DSDV and AODV [15].

5.2 Universal deployment

A MANET IDS should be able to function on any mobile device participating in the MANET, and not require additional special or superior capabilities as compared to its peers. The IDS must be universally deployable and should ideally be able to dynamically adapt to the existing capabilities of a device to maximize its effectiveness and efficiency.

5.3 Platform

The platform for simulation of the prototype of the threshold-based intrusion detection is chosen to be NS2 (Network Simulator Version 2) [15]. We are simulating a total of fifteen nodes.

5.4 Proposed approach

We detect intrusion by neighboring nodes through their deviation from known or expected behaviour. We monitor the drops, as we track only grey-hole and black-hole attacks. A threshold is fixed for the drops per second, and when that threshold is crossed the IDS gives an alert saying probable intrusion.

We have considered the threshold as a maximum of 5 packet drops per second. It is set at 5 packets per second because there are also drops of packets due to congestion. Hence we need to allow for congestion, which is most of the time a non-intruder phenomenon.

The nodes are monitored every second for the drops in that second. If the drops are more than the threshold then the alert of intrusion is raised and that node is isolated from the topology. The assumption is that a high number of packet drops is an anomaly caused by an intrusion, when the intruder introduces a grey-hole attack (where a selective type of packets are forwarded and the rest are dropped) or a black-hole attack (where the node drops all the packets that come to it, creating the black hole). Totally 15 nodes are simulated in the topology and each one is monitored using monitors [15].
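The per-second drop check of Section 5.4, as an added example run over constructed trace lines written in the old NS-2 wireless trace format (this is not the project's own analysis script, nor output of its simulation); the node numbers, timestamps, packet ids and drop reasons are made up for the example.

```python
from collections import defaultdict

DROP_THRESHOLD = 5      # maximum tolerated drops per second, as chosen above
WINDOW = 1.0            # monitoring period in seconds

# Constructed trace lines in the old NS-2 wireless trace format
# (event, time, _node_, trace level, drop reason, packet id, type, size, ...).
# They are not output of the project's simulation; node 7 plays the dropping
# node, node 3 loses a couple of packets to interface-queue overflow (IFQ).
SAMPLE_TRACE = """\
s 1.050000000 _0_ AGT  --- 1 cbr 512 [0 0 0 0] ------- [0:0 9:0 32 0] [0] 0 0
r 1.120000000 _7_ RTR  --- 1 cbr 532 [13a 7 0 800] ------- [0:0 9:0 30 0] [0] 0 0
d 1.121000000 _7_ RTR  NRTE 1 cbr 532 [13a 7 0 800] ------- [0:0 9:0 30 0] [0] 0 0
d 1.221000000 _7_ RTR  NRTE 2 cbr 532 [13a 7 0 800] ------- [0:0 9:0 30 0] [0] 0 0
d 1.321000000 _7_ RTR  NRTE 3 cbr 532 [13a 7 0 800] ------- [0:0 9:0 30 0] [0] 0 0
d 1.421000000 _7_ RTR  NRTE 4 cbr 532 [13a 7 0 800] ------- [0:0 9:0 30 0] [0] 0 0
d 1.521000000 _7_ RTR  NRTE 5 cbr 532 [13a 7 0 800] ------- [0:0 9:0 30 0] [0] 0 0
d 1.621000000 _7_ RTR  NRTE 6 cbr 532 [13a 7 0 800] ------- [0:0 9:0 30 0] [0] 0 0
d 1.700000000 _3_ IFQ  IFQ 7 cbr 532 [13a 3 1 800] ------- [1:0 5:0 30 0] [0] 0 0
d 1.800000000 _3_ IFQ  IFQ 8 cbr 532 [13a 3 1 800] ------- [1:0 5:0 30 0] [0] 0 0
d 2.121000000 _7_ RTR  NRTE 9 cbr 532 [13a 7 0 800] ------- [0:0 9:0 30 0] [0] 0 0
d 2.221000000 _7_ RTR  NRTE 10 cbr 532 [13a 7 0 800] ------- [0:0 9:0 30 0] [0] 0 0
d 2.321000000 _7_ RTR  NRTE 11 cbr 532 [13a 7 0 800] ------- [0:0 9:0 30 0] [0] 0 0
"""


def parse_drop(line):
    """Return (time, node_id) for a drop ('d') event, None for anything else."""
    fields = line.split()
    if len(fields) < 3 or fields[0] != "d":
        return None
    return float(fields[1]), int(fields[2].strip("_"))


def drops_per_second(trace_text):
    """Count drops per (one-second window, node); this is the monitor's view."""
    counts = defaultdict(int)
    for line in trace_text.splitlines():
        parsed = parse_drop(line)
        if parsed is not None:
            t, node = parsed
            counts[(int(t // WINDOW), node)] += 1
    return dict(counts)


def detect_intrusions(trace_text, threshold=DROP_THRESHOLD):
    """Per-second check: a node dropping more than `threshold` packets in a
    window is reported once and isolated from the topology.

    Returns (alerts, isolated) where each alert is (window_start, node, drops).
    """
    alerts, isolated = [], set()
    for (window, node), drops in sorted(drops_per_second(trace_text).items()):
        if drops > threshold and node not in isolated:
            alerts.append((window * WINDOW, node, drops))
            isolated.add(node)
    return alerts, isolated
```

On the constructed trace node 7 drops six packets in the second starting at t = 1.0 and is reported and isolated; node 3's two congestion drops stay under the threshold, which is the congestion allowance the 5-per-second figure is meant to give. Lowering the threshold to 1 shows the cost of a tighter setting: node 3 is then isolated as well.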

Figure 7: Proposed IDS Architecture

5.5 Practical considerations

For the IDS to be effective it has to be scalable. It may be possible in certain situations to have a list of suspects that can be watched instead of all the nodes in the neighbourhood. Another possibility is to monitor a random choice of neighbour nodes. We also have to account for the buffering capacity of nodes.

(2) & (3) the movement is perpendicular and equidistant from A & B. Trivially, C can hear either A & B or none, so there cannot be any false positives.

Figure 8: Effects of mobility on IDS

5.6 Implementation

Totally 15 nodes are simulated in the scenario. The nodes use either AODV or DSDV. In our implementation the malicious behaviour is implemented by a modification of AODV, i.e. the node using the modified AODV protocol behaves maliciously and represents a grey-hole attack. The drops from each node are tracked, and the node which crosses the threshold is a suspect of intrusion.

6 Prototype implementation and Analysis

6.1 Network Simulation with NS

The project is simulated in an ad-hoc network environment. Here simulation has been chosen rather than a real wireless network because:

i. The deployment and debugging of wireless applications in a real network is a bit expensive.

ii. The unavailability of hardware support.

iii. Since MANETs have not yet been widely deployed, no actual data is currently available that allows comprehensive attack analysis.

Implementation and simulation in NS-2 needs four phases [15]. They are:

Phase 1: Implementing the proposed scenario by a combination of C++ & TCL code in NS-2.

Phase 2: Analyzing the simulation in the TCL script.

Phase 3: Running the simulation.

Phase 4: Analyzing the generated trace files after running the simulation.

6.1 Static simulation Parameters

PARAMETERS          VALUES
Channel capacity    2Mbps
Channel model       Free space propagation; Two ray ground Model.
Node placement

Figure 9: Simulation Parameters

6.2 Results from ns2 simulated environment

Figure 10

These results were obtained when all the nodes were set with AODV routing, before any node was made malicious. We see that the channel was utilized to the maximum.

Figure 11: Channel utilization by DSDV with no malicious nodes

These results were obtained when all the nodes were set with DSDV routing. The network is not as well utilized as compared to AODV.

A snapshot of the NS-2 environment used in this project work is shown in Figure 12 below. The figure shows the placement of mobile nodes, the packets and their radio transmission.

Figure 12: Snapshot of simulated environment in NS

Figure 12: Snapshot of simulated environment in NS (cont.)

Figure 13: Snapshot of trace file of NS

Figure 13 shows the format of a trace file, which consists of the packet details for sender and receiver.

7 Conclusion and Future Work

7.1 Conclusion

MANETs are increasingly implemented for situations where fixed infrastructure networks are not practical. However, with this flexibility comes an additional security burden. Intrusion prevention is not always practical, so intrusion detection becomes an important second line of defense. Because of this, there has recently been a significant amount of research on this topic. This project is such an attempt to defend the system from intruders. Although we have limited the detection to only grey-hole and black-hole attacks, it can be improved to accommodate the detection of other types of attack.

7.2 Future work

Here the detection is only prototyped for grey-hole attacks and black-hole attacks, which can be further enhanced to accommodate the detection of other types of attacks as well. There are always modifications going on to fulfill the system requirements, so the current prototype may also be improved.

The implemented prototype is simulated using the NS-2 simulator. If this could be implemented in a real wireless network environment then the results could be more accurate. Since this is just a simulation, the actual implementation of the prototype for detection of intrusion in real wireless networks remains as future work for this prototype.

References

[1] Sterne, D., Balasubramanyam, P., Carman, D., Wilson, B., Ko, C., Balupari, R., Tseng, C.-Y., Bowen, T., Levitt, K. and Rowe, J., A general cooperative intrusion detection architecture for MANETs, in The 3rd International Workshop on Information Assurance, March 2005.

[2] Ma, L. and Tsai, J.J.P., Security Modeling and Analysis of Mobile Agent Systems, Imperial College Press, London, 2006.

[3] Ma, L. and Tsai, J.J.P., Attacks and countermeasure in software system security, Handbook of Software Engineering and Knowledge Engineering, Vol. …, World Scientific Publisher, Singapore, 2005.

[4] Yu, Z. and Tsai, J.J.P., An efficient intrusion detection system using a boosting-based learning algorithm, International Journal of Computer Applications in Technology, 27(4):223–231, 2006.

[5] Zhang, Y., Lee, W. and Huang, Y., Intrusion detection techniques for mobile wireless networks, ACM Wireless Networks, 9(5):545–556, 2003.

[6] Brutch, P. and Ko, C., Challenges in intrusion detection for wireless ad-hoc networks, Symposium on Applications and the Internet Workshops (SAINT'03 Workshops), 2003.

[7] Marti, S., Giuli, T., Lai, K. and Baker, M., Mitigating routing misbehavior in mobile ad hoc networks, in Proceedings of the 6th Annual International Conference on Mobile Computing and Networking, pp. 255–265, August 2000.

[8] Nadkarni, K. and Mishra, A., A novel intrusion detection approach for wireless ad hoc networks, Wireless Communications and Networking Conference, 2:831–836, March 2004.

[9] Zhou, L. and Haas, Z.J., Securing ad hoc Networks, IEEE Network, 13(6):24–30, 1999.

[10] Capkun, S., Buttyan, L. and Hubaux, J.P., Self-organized public-key management for mobile ad hoc networks, IEEE Transactions on Mobile Computing, 2(1):52–64, 2003.

[11] Kachirski, O. and Guha, R., Effective intrusion detection using multiple sensors in wireless ad hoc networks, in Proceedings of the 36th Annual Hawaii International Conference on System Sciences, 2(2):57, 2003.

[12] Huang, Y.A., Fan, W., Lee, W. and Yu, P.S., Cross-feature analysis for detecting ad-hoc routing anomalies, in Proceedings of the 23rd International Conference on Distributed Computing Systems, 478, September 2003.

[13] Deng, H., Zeng, Q.A. and Agrawal, D.P., SVM-based intrusion detection system for wireless ad hoc networks, in Proceedings of the 58th Vehicular Technology Conference, Vol. 3, pp. 2147–2151, October 2003.

[14] Patcha, A. and Park, J.M., A game theoretic approach to modeling intrusion detection in mobile ad hoc networks, in Proceedings of the 5th Annual Information Assurance Workshop, pp. 280–284, June 2004.

[15] Kevin Fall (Editor) and Kannan Varadhan (Editor), The ns Manual, The VINT Project, A Collaboration between researchers at …

[17] Y.-C. Hu, A. Perrig, A survey of Secure wireless ad hoc routing, 02 (2004).

[18] Luke Klein-Berndt, 'A Quick Guide to AODV Routing', NIST (National Institute of Standards and Technology).

[19] C. E. Perkins and P. Bhagwat, 'Highly Dynamic Destination Sequenced Distance Vector Routing (DSDV) for Mobile Computers', in Proceedings of SIGCOMM, 1994.

Appendix I: Working of AODV [18]

Figure 14: Nodes and their Radio ranges

AODV is a method of routing messages between mobile computers. It allows these mobile computers, or nodes, to pass messages through their neighbors to nodes with which they cannot directly communicate. AODV does this by discovering the routes along which messages can be passed. AODV makes sure these routes do not contain loops and tries to find the shortest route possible. AODV is also able to handle changes in routes and can create new routes if there is an error.

The diagram above shows a set up of four nodes on a wireless network. The circles illustrate the range of communication for each node. Because of the limited range, each node can only communicate with the nodes next to it.

Nodes you can communicate with directly are considered to be Neighbors. A node keeps track of its Neighbors by listening for a HELLO message that each node broadcasts at set intervals.

When one node needs to send a message to another node that is not its Neighbor, it broadcasts a Route Request (RREQ) message. The RREQ message contains several key bits of information: the source, the destination, the lifespan of the message and a Sequence Number which serves as a unique ID.

Figure 15: RREQ packet transmission

In the example, Node 1 wishes to send a message to Node 3. Node 1's Neighbors are Nodes 2 and 4. Since Node 1 can not directly communicate with Node 3, Node 1 sends out a RREQ. The RREQ is heard by Node 4 and Node 2.

Figure 16: RREP reply for RREQ

When Node 1's Neighbors receive the RREQ message they have two choices; if they know a route to the destination or if they are the destination they can send a Route Reply (RREP) message back to Node 1, otherwise they will rebroadcast the RREQ to their set of Neighbors. The message keeps getting rebroadcast until its lifespan is up. If Node 1 does not receive a reply in a set amount of time, it will rebroadcast the request, except this time the RREQ message will have a longer lifespan and a new ID number. All of the Nodes use the Sequence Number in the RREQ to ensure that they do not rebroadcast a RREQ more than once.

In the example, Node 2 has a route to Node 3 and replies to the RREQ by sending out a RREP. Node 4 on the other hand does not have a route to Node 3, so it rebroadcasts the RREQ.

Figure 17: Sequence numbering of packets

Sequence numbers serve as time stamps. They allow nodes to compare how 'fresh' their information on other nodes is. Every time a node sends out any type of message it increases its own Sequence number. Each node records the Sequence number of all the other nodes it talks to. A higher Sequence number signifies a fresher route. Thus it is possible for other nodes to figure out which one has more accurate information.

In the example, Node 1 is forwarding a RREP to Node 4. It notices that the route in the RREP has a better Sequence number than the route in its Routing List. Node 1 then replaces the route it currently has with the route in the Route Reply.

Figure 18: RERR messages

The Route Error Message (RERR) allows AODV to adjust routes when Nodes move around.

Whenever a Node receives a RERR it looks at the Routing Table and removes all the routes that contain the bad Nodes.

The diagrams above illustrate the three circumstances under which a Node would broadcast a RERR to its neighbors.

In the first scenario the Node receives a Data packet that it is supposed to forward, but it does not have a route to the destination. The real problem is not that the Node does not have a route; the problem is that some other node thinks that the correct Route to the Destination is through that Node.

In the second scenario the Node receives a RERR that causes at least one of its Routes to become invalidated. If this happens, the Node would then send out a RERR with all the new Nodes which are now unreachable.

In the third scenario the Node detects that it cannot communicate with one of its Neighbors. When this happens it looks at the route table for Routes that use the Neighbor for a next hop and marks them as invalid. Then it sends out a RERR with the Neighbor and the invalid routes.
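The RREQ duplicate check, the sequence-number freshness rule and the three RERR scenarios of this appendix, as an added example (not the NIST guide's code [18], nor NS-2's AODV agent); the node numbers and sequence values used in the usage are constructed, and the tie-break for equal sequence numbers is an assumption beyond the text.

```python
class AodvRoutingTable:
    """Minimal model of the AODV behaviour described in this appendix (added
    example; not the NIST guide's code, nor NS-2's AODV implementation)."""

    def __init__(self):
        self.routes = {}         # dest -> {"next_hop", "hops", "seq", "valid"}
        self.seen_rreq = set()   # (source, rreq_id) pairs already handled

    def should_rebroadcast(self, source, rreq_id):
        """A RREQ whose (source, ID) pair was seen before is not rebroadcast."""
        if (source, rreq_id) in self.seen_rreq:
            return False
        self.seen_rreq.add((source, rreq_id))
        return True

    def learn_route(self, dest, next_hop, hops, seq):
        """Install the route carried by a RREP when it is fresher (higher
        destination sequence number) than the route held. Assumption beyond
        the text: an equally fresh but shorter route also replaces the old one."""
        current = self.routes.get(dest)
        if current and current["valid"]:
            if seq < current["seq"] or (seq == current["seq"] and hops >= current["hops"]):
                return False
        self.routes[dest] = {"next_hop": next_hop, "hops": hops, "seq": seq, "valid": True}
        return True

    def next_hop(self, dest):
        """Scenario 1: None means the node has no route for a packet it was
        asked to forward, so it must answer with a RERR for `dest`."""
        route = self.routes.get(dest)
        return route["next_hop"] if route and route["valid"] else None

    def neighbor_lost(self, neighbor):
        """Scenario 3: invalidate every route using the lost neighbor as next
        hop; return the unreachable destinations to announce in a RERR."""
        unreachable = {neighbor}
        for dest, route in self.routes.items():
            if route["valid"] and route["next_hop"] == neighbor:
                route["valid"] = False
                unreachable.add(dest)
        return sorted(unreachable)

    def receive_rerr(self, unreachable):
        """Scenario 2: drop routes to, or through, the reported nodes and return
        the destinations that became unreachable here (for a follow-up RERR)."""
        newly = []
        for dest, route in self.routes.items():
            if route["valid"] and (dest in unreachable or route["next_hop"] in unreachable):
                route["valid"] = False
                newly.append(dest)
        return newly
```

In the usage a route to Node 3 learned with sequence number 5 is kept against a RREP carrying sequence number 4 and replaced by one carrying 7; losing the neighbor that route goes through invalidates it and yields the RERR contents [3, 4].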

AODV characteristics:

Will find routes only as needed

  • 8/14/2019 Intrution dection system

    40/44

Appendix II: Working of DSDV [1;]

Packets are transmitted between the stations of the network by using routing tables which are stored at each station of the network. Each routing table, at each of the stations, lists all available destinations, and the number of hops to each. Each route table entry is tagged with a sequence number which is originated by the destination station. To maintain the consistency of routing tables in a dynamically varying topology, each station periodically transmits updates, and transmits updates immediately when significant new information is available.

These packets indicate which stations are accessible from each station and the number of hops necessary to reach these accessible stations, as is often done in distance-vector routing algorithms. The packets may be transmitted containing either layer 2 (MAC) addresses or layer 3 (network) addresses.

Routing information is advertised by broadcasting or multicasting the packets, which are transmitted periodically and incrementally as topological changes are detected, for instance when stations move within the network. Data is also kept about the length of time between the arrival of the first and the arrival of the best route for each particular destination. Based on this data, a decision may be made to delay advertising routes which are about to change soon, thus damping fluctuations of the route tables. The advertisement of routes which may not have stabilized yet is delayed in order to reduce the number of rebroadcasts of possible route entries that normally arrive with the same sequence number.

The DSDV protocol requires each mobile station to advertise, to each of its current neighbors, its own routing table (for instance, by broadcasting its entries). The entries in this list may change fairly dynamically over time, so the advertisement must be made often enough to ensure that every mobile computer can almost always locate every other mobile computer of the collection. In addition, each mobile computer agrees to relay data packets to other computers upon request. This agreement places a premium on the ability to determine the shortest number of hops for a route to a destination; we would like to avoid unnecessarily disturbing mobile hosts if they are in sleep mode. In this way a mobile computer may exchange data with any other mobile computer in the group even if the target of the data is not within range for direct communication. If the notification of which other mobile computers are accessible from any particular computer in the collection is done at layer 2, then DSDV will work with whatever higher layer (e.g., Network Layer) protocol might be in use.

All the computers interoperating to create data paths between themselves broadcast the necessary data periodically, say once every few seconds. In a wireless medium, it is important to keep in mind that broadcasts are limited in range by the physical characteristics of the medium. This is different from the situation with wired media, which usually have a much more well-defined range of reception. The data broadcast by each mobile computer will contain its new sequence number and the following information for each new route:

The destination's address;

The number of hops required to reach the destination; and

The sequence number of the information received regarding that destination, as originally stamped by the destination.

When a Mobile Host receives new routing information, it is compared to the information already available from previous routing information packets. Any route with a more recent sequence number is used. Routes with older sequence numbers are discarded. A route with a sequence number equal to an existing route is chosen if it has a better metric, and the existing route is discarded, or stored as less preferable. The metrics for routes chosen from the newly received broadcast information are each incremented by one hop. Newly recorded routes are scheduled for immediate advertisement to the current Mobile Host's neighbors. Routes which show an improved metric are scheduled for advertisement at a time which depends on the average settling time for routes to the particular destination under consideration.

Figure 1;: Movement in an ad-hoc network

Consider MH4 in the figure above. Table 1 shows a possible structure of the forwarding table which is maintained at MH4. Suppose the address of each Mobile Host is represented as MHi. Suppose further that all sequence numbers are denoted SNNN_MHi, where MHi specifies the computer that created the sequence number and SNNN is a sequence number value. Also suppose that there are entries for all other Mobile Hosts, with sequence numbers SNNN_MHi, before MH1 moves away from MH2. The install time field helps determine when to delete stale routes. With our protocol, the deletion of stale routes should rarely occur, since the detection of link breakages should propagate through the ad-hoc network immediately. Nevertheless, we expect to continue to monitor for the existence of stale routes and take appropriate action.

From Table 1, one could surmise, for instance, that all the computers became available to MH4 at about the same time, since its install time for most of them is about the same. One could also surmise that none of the links between the computers were broken, because all of the sequence number fields have values with even digits in the units place. Ptr1_MHi would all be pointers to null structures, because there are not any routes in the figure which are likely to be superseded or to compete with other possible routes to any particular destination.

Table 2 shows the structure of the advertised route table of MH4.

Now suppose that MH1 moves into the general vicinity of MH5 and MH7, and away from the others (especially MH2). The new internal forwarding tables at MH4 might then appear as shown in Table 3.


Only the entry for MH1 shows a new metric, but in the intervening time, many new sequence number entries have been received. The first entry thus must be advertised in subsequent incremental routing information updates until the next full dump occurs. When MH1 moved into the vicinity of MH5 and MH7, it triggered an immediate incremental routing information update which was then broadcast to MH6. MH6, having determined that significant new routing information had been received, also triggered an immediate update which carried along the new routing information for MH1. MH4, upon receiving this information, would then broadcast it at every interval until the next full routing information dump. At MH4, the incremental advertised routing update would have the form shown in Table 4.
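The update rules stated earlier (newer sequence number wins; an equal sequence number wins only with a better metric; metrics are incremented by one hop; new routes are advertised immediately) and the MH1-moves-away walkthrough just described, as one added example that is not code from the report or from any DSDV implementation. The class and method names (`DSDVHost`, `Entry`, `receive`, `advertise`, `link_broken`) and the sequence numbers and hop counts in the usage are assumptions constructed for the illustration; the only convention taken from the text is that a sequence number stamped by the destination has an even units digit, while an odd one marks a broken link.

```python
# Added example (not code from the report): the DSDV update rules described in
# the text, applied to a constructed MH1..MH6 scenario. The class and method
# names are assumptions; sequence numbers follow the text's convention that an
# even value comes from the destination and an odd value marks a broken link.
from dataclasses import dataclass

INFINITY = float("inf")


@dataclass
class Entry:
    dest: str
    next_hop: str
    metric: float      # hop count, INFINITY once the link is known to be broken
    seq: int           # SNNN_MHi: sequence number originated by dest
    install: int       # local time the entry was installed (helps spot stale routes)


class DSDVHost:
    def __init__(self, name):
        self.name = name
        self.seq = 0        # own sequence number: always even, +2 per advertisement
        self.clock = 0      # simple local clock for the install field
        self.table = {name: Entry(name, name, 0, 0, 0)}

    def advertise(self):
        """Full dump of the table as (dest, metric, seq) triples with a fresh own seq."""
        self.seq += 2
        self.table[self.name].seq = self.seq
        return [(e.dest, e.metric, e.seq) for e in self.table.values()]

    def receive(self, neighbor, entries):
        """Apply an advertisement received from `neighbor`.

        Newer sequence number wins; an equal sequence number wins only with a
        better metric; metrics are incremented by one hop for the link to the
        neighbour. Returns the destinations whose routes changed, i.e. the
        ones scheduled for immediate advertisement."""
        self.clock += 1
        changed = []
        for dest, metric, seq in entries:
            if dest == self.name:
                continue
            new_metric = metric + 1
            cur = self.table.get(dest)
            if cur is None or seq > cur.seq or (seq == cur.seq and new_metric < cur.metric):
                self.table[dest] = Entry(dest, neighbor, new_metric, seq, self.clock)
                changed.append(dest)
        return changed

    def link_broken(self, neighbor):
        """Mark every route through `neighbor` unreachable with an odd sequence
        number, so the broken state propagates until the destination itself
        issues a newer (even) number. Returns the affected destinations."""
        broken = []
        for e in self.table.values():
            if e.next_hop == neighbor and e.metric != INFINITY:
                e.metric = INFINITY
                e.seq += 1
                broken.append(e.dest)
        return broken


if __name__ == "__main__":
    # Constructed scenario: MH4 learns MH1 through MH2, then MH1 moves and is
    # heard with a newer sequence number through MH6, so MH4 switches routes.
    mh4 = DSDVHost("MH4")
    mh4.receive("MH2", [("MH2", 0, 100), ("MH1", 1, 50), ("MH3", 1, 60)])
    mh4.receive("MH6", [("MH6", 0, 200), ("MH1", 2, 50)])   # same seq, worse metric: ignored
    print(mh4.receive("MH6", [("MH1", 2, 52)]))            # newer seq: MH1 now via MH6
    print(mh4.table["MH1"])
```

The ordering in `receive` is the whole protocol: a stale advertisement with an older sequence number is dropped no matter how good its metric looks, and after `link_broken` the odd sequence number keeps the unreachable entry from being silently revived by a neighbour still carrying the old even number.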

Properties of the DSDV Protocol

At all instants, the DSDV protocol guarantees loop-free paths to each destination. To see why this property holds, consider a collection of N mobile hosts forming an instance of an ad-hoc style network. Further assume that the system is in steady state, i.e. routing tables of all