An Artificial Immune System for Misbehavior Detection in Mobile Ad-Hoc Networks with Virtual Thymus, Clustering, Danger Signal and Memory Detectors

In mobile ad-hoc networks, nodes act both as terminals and information relays, and participate in a common routing protocol, such as Dynamic Source Routing (DSR). The network is vulnerable to routing misbehavior, due to faulty or malicious nodes. Misbehavior detection systems aim at removing this vulnerability. For this purpose, we use an Artificial Immune System (AIS), a system inspired by the human immune system (HIS). Our goal is to build a system that, like its natural counterpart, automatically learns and detects new misbehavior. In this paper we build on our previous work and investigate the use of four concepts: (1

An Artificial Immune System for Misbehavior Detection in Mobile Ad-Hoc Networks with Virtual Thymus, Clustering, Danger Signal and Memory Detectors

Nodes that build a mobile ad-hoc network participate in a common routing protocol in order to provide multi-hop radio communication. Routing defines how control information is exchanged between nodes in order to find the paths between communication pairs, and how data packets are relayed. Such networks are vulnerable to routing misbehavior, due to faulty, selfish or malicious nodes. Misbehavior disrupts communication, or even makes it impossible in some cases. Misbehavior detection systems aim at removing this vulnerability. For this purpose, we use an Artificial Immune System (AIS) approach, i.e, an approach inspired by the human immune system (HIS). Our goal is to make an AIS that, analogously to its natural counterpart [16], automatically learns and detects new misbehavior, but becomes tolerant to previously unseen normal behavior. We achieve this goal by adding some new AIS concepts to those that already exist: (1) the virtual thymus, which provides a dynamic description of normal behavior in the system; (2) “clustering” is a decision making method that reduces the false-positive detection probability and minimizes the time until detection; (3) we apply the “danger signal” approach, that is recently proposed in AIS literature [5,6] as a way to obtain feedback from the protected system and use it for correct learning and finaldecisions making; (4) we use “memory detectors”, a standard AIS solution to achieve fast secondary response

Artificial immune system for the Internet

We investigate the usability of the Artificial Immune Systems (AIS) approach for solving selected problems in computer networks. Artificial immune systems are created by using the concepts and algorithms inspired by the theory of how the Human Immune System (HIS) works. We consider two applications: detection of routing misbehavior in mobile ad hoc networks, and email spam filtering. In mobile ad hoc networks the multi-hop connectivity is provided by the collaboration of independent nodes. The nodes follow a common protocol in order to build their routing tables and forward the packets of other nodes. As there is no central control, some nodes may defect to follow the common protocol, which would have a negative impact on the overall connectivity in the network. We build an AIS for the detection of routing misbehavior by directly mapping the standard concepts and algorithms used for explaining how the HIS works. The implementation and evaluation in a simulator shows that the AIS mimics well most of the effects observed in the HIS, e.g. the faster secondary reaction to the already encountered misbehavior. However, its effectiveness and practical usability are very constrained, because some particularities of the problem cannot be accounted for by the approach, and because of the computational constrains (reported also in AIS literature) of the used negative selection algorithm. For the spam filtering problem, we apply the AIS concepts and algorithms much more selectively and in a less standard way, and we obtain much better results. We build the AIS for antispam on top of a standard technique for digest-based collaborative email spam filtering. We notice un advantageous and underemphasized technological difference between AISs and the HIS, and we exploit this difference to incorporate the negative selection in an innovative and computationally efficient way. We also improve the representation of the email digests used by the standard collaborative spam filtering scheme. We show that this new representation and the negative selection, when used together, improve significantly the filtering performance of the standard scheme on top of which we build our AIS. Our complete AIS for antispam integrates various innate and adaptive AIS mechanisms, including the mentioned specific use of the negative selection and the use of innate signalling mechanisms (PAMP and danger signals). In this way the AIS takes into account users' profiles, implicit or explicit feedback from the users, and the bulkiness of spam. We show by simulations that the overall AIS is very good both in detecting spam and in avoiding misdetection of good emails. Interestingly, both the innate and adaptive mechanisms prove to be crucial for achieving the good overall performance. We develop and test (within a simulator) our AIS for collaborative spam filtering in the case of email communications. The solution however seems to be well applicable to other types of Internet communications: Internet telephony, chat/sms, forum, news, blog, or web. In all these cases, the aim is to allow the wanted communications (content) and prevent those unwanted from reaching the end users and occupying their time and communication resources. The filtering problems, faced or likely to be faced in the near future by these applications, have or are likely to have the settings similar to those that we have in the email case: need for openness to unknown senders (creators of content, initiators of the communication), bulkiness in receiving spam (many recipients are usually affected by the same spam content), tolerance of the system to a small damage (to small amounts of unfiltered spam), possibility to implicitly or explicitly and in a cheap way obtain a feedback from the recipients about the damage (about spam that they receive), need for strong tolerance to wanted (non-spam) content. Our experiments with the email spam filtering show that our AIS, i.e. the way how we build it, is well fitted to such problem settings

An Artificial Immune System Approach with Secondary Response for Misbehavior Detection in Mobile Ad-Hoc Networks

In mobile ad hoc networks, nodes act both as terminals and information relays, and they participate in a common routing protocol, such as dynamic source routing (DSR). The network is vulnerable to routing misbehavior, due to faulty or malicious nodes. Misbehavior detection systems aim at removing this vulnerability. In this paper, we investigate the use of an artificial immune system (AIS) to detect node misbehavior in a mobile ad hoc network using DSR. The system is inspired by the natural immune system (IS) of vertebrates. Our goal is to build a system that, like its natural counterpart, automatically learns, and detects new misbehavior. We describe our solution for the classification task of the AIS; it employs negative selection and clonal selection, the algorithms for learning and adaptation used by the natural IS. We define how we map the natural IS concepts such as self, antigen, and antibody to a mobile ad hoc network and give the resulting algorithm for classifying nodes as misbehaving. We implemented the system in the network simulator Glomosim; we present detection results and discuss how the system parameters affect the performance of primary and secondary response. Further steps will extend the design by using an analogy to the innate system, danger signal, and memory cells

AIS for Misbehavior Detection in Wireless Sensor Networks: Performance and Design Principles

A sensor network is a collection of wireless devices that are able to monitor physical or environmental conditions. These devices (nodes) are expected to operate autonomously, be battery powered and have very limited computational capabilities. This makes the task of protecting a sensor network against misbehavior or possible malfunction a challenging problem. In this document we discuss performance of Artificial immune systems (AIS) when used as the mechanism for detecting misbehavior. We show that (i) mechanism of the AIS have to be carefully applied in order to avoid security weaknesses, (ii) the choice of genes and their interaction have a profound influence on the performance of the AIS, (iii) randomly created detectors do not comply with limitations imposed by communications protocols and (iv) the data traffic pattern seems not to impact significantly the overall performance. We identified a specific MAC layer based gene that showed to be especially useful for detection; genes measure a network's performance from a node's viewpoint. Furthermore, we identified an interesting complementarity property of genes; this property exploits the local nature of sensor networks and moves the burden of excessive communication from normally behaving nodes to misbehaving nodes. These results have a direct impact on the design of AIS for sensor networks and on engineering of sensor networks.Comment: 16 pages, 20 figures, a full version of our IEEE CEC 2007 pape

Enhancing Bio-inspired Intrusion Response in Ad-hoc Networks

Practical applications of Ad-hoc networks are developing everyday and safeguarding their security is becoming more important. Because of their specific qualities, ad-hoc networks require an anomaly detection system that adapts to its changing behaviour quickly. Bio-inspired algorithms provide dynamic, adaptive, real-time methods of intrusion detection and particularly in initiating a response. A key component of bio-inspired response methods is the use of feedback from the network to better adapt their response to the specific attack and the type of network at hand. However, calculating an appropriate length of time at which to provide feedback is crucial - premature feedback or delayed feedback from the network can have adverse effects on the attack mitigation process. The antigen-degeneracy response selection algorithm (Schaust & Szczerbicka, 2011) is one of the few bio-inspired algorithms for selecting the appropriate response for misbehavior that considers network performance and adapts to the network. The main drawback of this algorithm is that it has no measure of the amount of time to wait before it can take performance measurements (feedback) from the network. In this thesis, we attempt to develop an understanding of the length of time required before feedback is provided in a range of types of ad-hoc network that have been subject of an attack, in order that future development of bio-inspired intrusion detection algorithms can be enhanced.Aiming toward an adaptive timer, we discuss that ad-hoc networks can be divided into Wireless Sensor Network (WSN), Wireless Personal Area Network (WPAN) and Spontaneously Networked Users (SNU). We use ns2 to simulate these three different types of ad-hoc networks, each of which is analysed for changes in its throughput after an attack is responded to, in order to calculate the corresponding feedback time. The feedback time in this case is the time it takes for the network to stabilise. Feedback time is not only essential to bio-inspired intrusion response methods, but can also be used in network applications where a stable network reading is required, e.g. security monitoring and motion tracking.Interestingly, we found that the network feedback time does not vary greatly between the different types of networks, but it was calculated to be less than half of what Schaust and Szczerbicka used in their algorith

A Generic Review on Effective Intrusion Detection in Ad hoc Networks

Ad hoc network is specifically designed for the establishment of a network anywhere and anytime, which does not have any fixed infrastructure in order to support the mobility of the users in the network. The network is established without using any access points or base stations for communication implemented in multi hop schemes. Hence we call an Ad hoc network as a collection of nodes which are mobile in nature with a dynamic network infrastructure and forms a temporary network. Because of dynamic topological changes, these networks are vulnerable at the physical link, and they can easily be manipulated. An intruder can easily attack the Ad hoc network by loading the network resources which are available, such as wireless links and energy (battery) levels of other users, and then starts disturbing all the users. This paper provides a comparative survey on the various existing intrusion detection systems for Ad hoc networks based on the various approaches applied in the intrusion detection systems for providing security to the Ad hoc network

Immune inspired approaches to fault and intrusion detection in ad hoc wireless networks

[no abstract