    Intrusion Detection in Mobile Ad Hoc Networks Using Classification Algorithms

    In this paper we present the design and evaluation of intrusion detection models for MANETs using supervised classification algorithms. Specifically, we evaluate the performance of the MultiLayer Perceptron (MLP), the Linear classifier, the Gaussian Mixture Model (GMM), the Naive Bayes classifier and the Support Vector Machine (SVM). The performance of the classification algorithms is evaluated under different traffic conditions and mobility patterns for the Black Hole, Forging, Packet Dropping, and Flooding attacks. The results indicate that Support Vector Machines exhibit high accuracy for almost all simulated attacks and that Packet Dropping is the hardest attack to detect.

    Comment: 12 pages, 7 figures, presented at MedHocNet 200

    A Survey: Detection and Prevention of Wormhole Attack in Wireless Sensor Networks

    A Wireless Sensor Network is a multi-hop, packet-based network that contains a set of mobile sensor nodes. Every node is free to travel separately on any route and can modify its links to other nodes. The network is therefore self-organizing and adaptive, and it repeatedly changes its topology. The relations among nodes are restricted to their communication range, and cooperation with intermediate nodes is necessary for nodes to forward packets to other sensor nodes beyond their communication range. The network's broadcast character and transmission medium help an attacker to disrupt the network. An attacker can alter the routing protocol and interrupt network operations through mechanisms such as selective forwarding, packet dropping, and data fabrication. One of the most serious routing-disruption attacks is the Wormhole Attack. The main emphasis of this paper is to study the wormhole attack, its detection methods, and the different techniques to protect the network from this attack.

    Routing Misbehavior Detection in MANETs Using 2ACK, Journal of Telecommunications and Information Technology, 2010, nr 4

    This paper proposes routing misbehavior detection in MANETs using the 2ACK scheme. Routing protocols for MANETs are designed on the assumption that all participating nodes are fully cooperative. However, due to the open structure and the scarce, battery-based energy supply, node misbehavior may exist. In the existing system, when a sender chooses an intermediate link to send a message to a destination, the intermediate link may pose problems: the intermediate node may not forward the packets to the destination, it may take a very long time to send them, or it may modify the contents of the packet. In MANETs, as there is no retransmission of packets once they are sent, care must be taken not to lose packets. We have analyzed and evaluated a technique, termed the 2ACK scheme, to detect and mitigate the effect of such routing misbehavior in MANET environments. It is based on a simple two-hop acknowledgment packet that is sent back by the receiver of the next-hop link. 2ACK transmission takes place for only a fraction of data packets, not for all of them. Such selective acknowledgment is intended to reduce the additional routing overhead caused by the 2ACK scheme. Our contribution in this paper is that we have embedded some security aspects into 2ACK to check the integrity of the message by comparing the original hash code with the hash code generated at the destination. If the 2ACK is not received within the wait time, or the hash code of the message has changed, then the link from the sender's next hop onward is declared a misbehaving link. We simulated routing misbehavior detection using the 2ACK scheme to test the operation of the scheme in terms of performance parameters.

    Intrusion Detection in MANET Using Classification Algorithms: The Effects of Cost and Model Selection

    Intrusion detection is frequently used as a second line of defense in Mobile Ad-hoc Networks (MANETs). In this paper we examine how to properly use classification methods in intrusion detection for MANETs. To do so we evaluate five supervised classification algorithms for intrusion detection on a number of metrics. We measure their performance on a dataset, described in this paper, which includes varied traffic conditions and mobility patterns for multiple attacks. One of our goals is to investigate how classification performance depends on the problem's cost matrix. Consequently, we examine how the use of uniform versus weighted cost matrices affects classifier performance. A second goal is to examine techniques for tuning classifiers when unknown attack subtypes are expected during testing. Frequently, when classifiers are tuned using cross-validation, data from the same types of attacks are available in all folds. This differs from real-world deployment, where unknown types of attacks may be present. Consequently, we develop a sequential cross-validation procedure so that not all types of attacks will necessarily be present across all folds, in the hope that this makes the tuning of classifiers more robust. Our results indicate that weighted cost matrices can be used effectively with most statistical classifiers and that sequential cross-validation can have a small but significant effect for certain types of classifiers.

    Securing Fisheye State Routing Algorithm Against Data Packet Dropping by Malicious Nodes in MANET.

    Mobile Ad Hoc Networks (MANETs) are an emerging area of research in the communication network world. As a MANET is infrastructure-less, it has a dynamic, arbitrary network topology, so a new set of networking strategies must be implemented to provide efficient end-to-end communication. These networks have immense applications in fields such as disaster management, sensor networks, and the battlefield. Many routing protocols have been proposed for MANETs, among which the Fisheye State Routing (FSR) protocol scales well in large networks. Security in MANETs is a very difficult property to incorporate without degrading the performance of the protocol. A performance comparison of different routing protocols is given here, and this research narrows down to security-related issues associated with FSR. Attacks on a MANET can be broadly divided into two types, active attacks and passive attacks. The proposed scheme deals with minimizing passive attacks that cause the dropping of data packets by selfish or malicious nodes. The idea is based on modifying the traditional Dijkstra's algorithm, which computes the shortest route from a source to all destinations. The actual FSR algorithm considers the link cost between two nodes to be 1 if one node is within the radio range of the other. In our proposed scheme the weight is assigned depending on the number of times the next node has behaved maliciously or selfishly. We propose a scheme that uses a two-hop timestamp method to detect a malicious node, and Dijkstra's shortest path algorithm is modified to recompute the optimal paths to the destination and hence minimize data packet dropping by malicious nodes in the network.

    Securing Weight-Based AODV (WBAODV) Routing Protocol in MANETs: Towards Efficient and Secure Routing Protocol

    An ad hoc network is a collection of wireless mobile nodes dynamically forming a temporary network without the use of any existing network infrastructure or centralized administration. A number of routing protocols have been developed by researchers. Due to the nature of ad hoc networks, secure routing is an important area of research in developing secured routing protocols. Although researchers have proposed several secure routing protocols, their resistance to various types of security attacks and their efficiency are primary points of concern in implementing them. Evaluation of these protocols shows that they do not give complete protection against possible attacks and have some performance disadvantages. In this research, we examined a new routing protocol called Weight-Based Ad hoc On-demand Distance Vector (WBAODV), which is efficient and superior to the standard Ad hoc On-demand Distance Vector (AODV) routing protocol in performance, but is not secure. We therefore propose a new secure routing protocol based on WBAODV that is efficient and also immune to the most common routing attacks. Finally, we analyzed the proposed protocol against many attacks to ensure its security and also subjected it to extensive simulation tests using the JiST/SWAN simulation tool with the most commonly used ad hoc performance metrics to ensure its efficiency.

    Attacks against intrusion detection networks: evasion, reverse engineering and optimal countermeasures

    Intrusion Detection Networks (IDNs) constitute a primary element in current cyberdefense systems. IDNs are composed of different nodes distributed among a network infrastructure, performing functions such as local detection (mostly by Intrusion Detection Systems, IDS), information sharing with other nodes in the IDN, and aggregation and correlation of data from different sources. Overall, they are able to detect distributed attacks taking place at large scale or in different parts of the network simultaneously. IDNs have themselves become the target of advanced cyberattacks aimed at bypassing the security barrier they offer and thus gaining control of the protected system. In order to guarantee the security and privacy of the systems being protected and of the IDN itself, it is necessary to design resilient architectures for IDNs capable of maintaining a minimum level of functionality even when certain IDN nodes are bypassed, compromised, or rendered unusable. Research in this field has traditionally focused on designing robust detection algorithms for IDS. However, almost no attention has been paid to analyzing the security of the overall IDN and designing robust architectures for it. This Thesis provides various contributions to the research on resilient IDNs, grouped into two main blocks. The first two contributions analyze the security of current proposals for IDS nodes against specific attacks, while the third and fourth contributions provide mechanisms to design IDN architectures that remain resilient in the presence of adversaries.

    In the first contribution, we propose evasion and reverse engineering attacks on anomaly detectors that use classification algorithms at the core of the detection engine. These algorithms have been widely studied in the anomaly detection field, as they are generally claimed to be both effective and efficient. However, such anomaly detectors do not consider the potential behaviors of adversaries seeking to decrease the effectiveness and efficiency of the detection process. We demonstrate that using well-known classification algorithms for intrusion detection is vulnerable to reverse engineering and evasion attacks, which makes these algorithms inappropriate for real systems. The second contribution discusses the security of randomization as a countermeasure to evasion attacks against anomaly detectors. Recent works have proposed the use of secret (random) information to hide the detection surface, thus making evasion harder for an adversary. We propose a reverse engineering attack using a query-response analysis showing that randomization does not provide such security. We demonstrate our attack on Anagram, a popular application-layer anomaly detector based on randomized n-gram analysis. We show how an adversary can first discover the secret information used by the detector by querying it with carefully constructed payloads and then use this information to evade the detector.

    The difficulties found in properly addressing the security of nodes in an IDN motivate our research to protect cyberdefense systems globally, assuming the possibility of attacks against some nodes and devising ways of allocating countermeasures optimally. In order to do so, it is essential to model both IDN nodes and adversarial capabilities. In the third contribution of this Thesis, we provide a conceptual model for IDNs viewed as a network of nodes whose connections and internal components determine the architecture and functionality of the global defense network. This model is based on the analysis and abstraction of a number of existing proposals for IDNs. Furthermore, we also develop an adversarial model for IDNs that builds on classical attack capabilities for communication networks and allows complex attacks against IDN nodes to be specified.

    Finally, the fourth contribution of this Thesis presents DEFIDNET, a framework to assess the vulnerabilities of IDNs, the threats to which they are exposed, and the optimal countermeasures to minimize risk considering possible economic and operational constraints. The framework uses the system and adversarial models developed earlier in this Thesis, together with a risk rating procedure that evaluates the propagation of attacks against particular nodes throughout the entire IDN and estimates the impact of such actions according to different attack strategies. This assessment is then used to search for countermeasures that are optimal both in terms of the cost involved and the amount of risk mitigated. This is done using multi-objective optimization algorithms, thus offering the analyst sets of solutions that could be applied in different operational scenarios.

    Programme in Computer Science and Technology. Chair: Andrés Marín López; Member: Sevil Sen; Secretary: David Camacho Fernánde

    A layered security approach for cooperation enforcement in MANETs

    In fully self-organized MANETs, nodes are naturally reluctant to spend their precious resources forwarding other nodes' packets and are therefore liable to exhibit selfish or sometimes malicious behaviour. This selfishness could potentially lead to network partitioning and network performance degradation. Cooperation enforcement schemes, such as reputation- and trust-based schemes, have been proposed to counteract the issue of selfishness. The sole purpose of these schemes is to ensure that selfish nodes bear the consequences of their bad actions. However, malicious nodes can exploit mobility and freely available identities to breach the security of these systems and escape punishment or detection. Firstly, in the case of mobility, a malicious node can gain benefit even after having been detected by a reputation-based system, by interacting directly with its source or destination nodes. Secondly, since the lack of infrastructure in MANETs does not suit centralized identity management or centralized Trusted Third Parties, nodes can create zero-cost identities without any restrictions. As a result, a selfish node can easily escape the consequences of whatever misbehaviour it has performed simply by changing identity to clear its bad history, a practice known as whitewashing. This makes it difficult to hold malicious nodes accountable for their actions. Finally, a malicious node can concurrently create and control more than one virtual identity to launch an attack, called a Sybil attack. In the context of reputation-based schemes, a Sybil attacker can disrupt detection accuracy by defaming other good nodes, self-promoting itself, or exchanging bogus positive recommendations about one of its quarantined identities. This thesis explores two aspects of direct interactions (DIs), i.e. DIs as a selfish node's strategy and DIs produced by inappropriate simulation parameters. In the latter case, DIs cause confusion in the evaluation of results for reputation-based schemes.

    We propose a method that uses service contribution and consumption information to discourage selfish nodes that try to increase their benefit through DIs. We also propose methods that categorize nodes' benefits in order to mitigate the confusion caused in the evaluation of results. A novel layered security approach is proposed, using proactive and reactive paradigms to counteract whitewashing and Sybil attacks. The proactive paradigm aims to remove the advantages that whitewashing can provide by enforcing a non-monetary entry fee per new identity, in the form of cooperation in the network. The results show that this method deters these attackers by reducing their benefits in the network. In the reactive case, we propose a lightweight approach to detect the new identities of whitewashers and Sybil attackers at the MAC layer using the 802.11 protocol, without any extra hardware. The experiments show that a signal-strength-based threshold exists which can help detect Sybil and whitewasher identities. Through extensive simulations and real-world testbed experiments, we demonstrate that our proposed solution detects the new identities of Sybil attackers or whitewashers with good accuracy and reduces the benefits of malicious activity even in the presence of mobility.