
Presented and published in International Conference and included in IEEE Digital Library.

Husain, S.; Gupta, S.C., "A proposed model for Intrusion Detection System for mobile adhoc network," Computer and Communication Technology (ICCCT), 2010 International Conference on, pp. 99-102, 17-19 Sept. 2010, doi: 10.1109/ICCCT.2010.5640420
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5640420&isnumber=5640373
URL for Scopus: http://www.scopus.com/inward/record.url?eid=2-s2.078650556940&partnerID=40&md5=a87b99b547c8abd7a05d04e0407e875b
Citation Rate: Cited by 3

A Proposed Model for Intrusion Detection System for Mobile Adhoc Network
Husain Shahnawaz (1), Dr. S.C. Gupta (2), Chand Mukesh (1), Dr. H.L. Mandoria (3)

(1) Research Scholar, Graphic Era University, Dehradun (U.K.), India
(2) Prof. Emeritus, IIT Roorkee (U.K.), India
(3) Prof., CoET, G.B. Pant University, India
shahnawaz.husain@hotmail.com, mukesh.geu@gmail.com

Abstract

An ad-hoc network is a collection of temporary nodes that are capable of dynamically forming a temporary network without the support of any centralized fixed infrastructure. These networks can be formed, merged or partitioned into separate networks on the fly, without necessarily relying on a fixed infrastructure to manage the operation. Two important properties of an ad-hoc network are that it is self-organized and adaptive. In a mobile ad hoc network (MANET), where security is a crucial issue, trust is an important factor that could improve the number of successful data transmissions. The more nodes that trust each other in the network, the higher the rate of successful communication that can be expected. Since there is no central controller to determine the reliable and secure communication paths in a MANET, each node in the ad hoc network has to rely on the others in order to forward packets; thus highly cooperative nodes are required to ensure that an initiated data transmission does not fail. In this paper, we provide a model and evidence through experiments on how a friendship concept could be used to minimize the number of false alarms raised in a MANET Intrusion Detection System (IDS).

I. INTRODUCTION

Intrusion detection is a security technology that attempts to identify individuals who are trying to break into and misuse a system without authorization and those who have legitimate access to the system but are abusing their privileges [1]. The term "protected system" denotes an information system being monitored by an intrusion detection system. It can be a host or network equipment, such as a server, a firewall, a router, or a corporate network [2]. An intrusion detection system (IDS) is a computer system that dynamically monitors the system and user actions in the network and computer systems in order to detect intrusions.

Because an information system can suffer from various kinds of security vulnerabilities, it is both technically difficult and economically costly to build and maintain a system which is not susceptible to attacks. Experience teaches us never to rely on a single defensive line or technique. IDSs, by analyzing the system and user operations in search of undesirable and suspicious activity, can effectively monitor and protect against threats. IDSs have been widely regarded as being part of the solution to protect today's computer systems. Research on IDSs began with a report by Anderson [3] followed by Denning's seminal paper [4], which lays the foundation for most of the current intrusion detection prototypes. Since then, many research efforts have been devoted to wired IDSs. Numerous detection techniques and architectures for host machines and wired networks have been proposed. A good taxonomy of wired IDSs is presented in [18].

With the rapid proliferation of wireless networks and mobile computing applications, new vulnerabilities that do not exist in wired networks have appeared. Security poses a serious challenge in deploying wireless networks in reality. However, the vast difference between wired and wireless networks makes traditional intrusion detection techniques inapplicable. Wireless IDSs, emerging as a new research topic, aim at developing new architectures and mechanisms to protect wireless networks. Attacks in mobile ad hoc networks can be categorized as provided in Table I.

TABLE I: LIST OF UTC & APF
Categories: 1. Unfair use of the transmission channel (UTC); 2. Anomalies in Packet Forwarding (APF)
Attacks listed: Ignoring the MAC protocol; Jamming the transmission channel with garbage; Ignoring the bandwidth reservation scheme; Malicious flooding; Network Partition; Sleep Deprivation; Drop packets; Blackhole Attack; Gray hole Attack; Delay packet transmissions; Wormhole Attack; Packet dropping; Routing Loop; Denial of Service (DoS); Fabricated route messages; False Source Route; Cache Poisonings; Selfishness; Spoofing

In MANETs, intrusion prevention and intrusion detection techniques need to complement each other to guarantee a highly secure environment. They play different roles in different states of the network. Intrusion prevention measures, such as encryption and authentication, are more useful in preventing outside attacks. Considerable research has been done on preventing misbehavior at the network layer. Once a node is compromised, however, intrusion prevention measures will have little effect in protecting the network. At this point, the role of intrusion detection is more important. In mobile ad hoc networks, it is much easier to gain physical possession of a node. When a node is compromised, the attacker owns all its cryptographic key information. Therefore, encryption and authentication cannot defend against a trusted but malicious user.

II. RELATED WORK

Intrusion detection systems can be classified broadly into two classes:

Reputation based schemes.

Incentive based approaches.

Reputation based schemes detect misbehaving nodes and notify other nodes of the misbehaving nodes. Incentive based approaches aim to promote positive behavior to foster cooperation instead of relying on participants to report and punish misbehaving nodes.

Zhang et al. [5] [6] have developed a distributed and cooperative intrusion detection system (IDS) where individual IDS agents are placed on each and every node. Each IDS agent runs independently, detects intrusion from local traces and initiates a response. The authors have detailed intrusion detection methods for the following attacks: (a) falsifying a route entry in a node's route and (b) random packet dropping by intermediate nodes. The random packet dropping detection scheme relies on overhearing transmissions of neighboring nodes. Bhargava and Agrawal [7] have extended the IDS model described in [5] to enhance the security of the AODV (Ad-hoc On-demand Distance Vector) routing protocol.

Watchdog [17] proposes to monitor packet forwarding on top of source routing protocols like DSR. Watchdog has the limitation of relying on overhearing packet transmissions of neighboring nodes for detecting anomalies in packet forwarding. It assumes symmetric bidirectional connectivity: if A can hear B, B can also hear A. Since the whole path is specified, when node A forwards a packet to the next hop B, it knows B's next hop C. It then listens on the channel for B's transmission to C. If it does not hear the transmission after a timeout, a failure threshold associated with B is increased. If the threshold exceeds a maximum value, A sends a report packet to the source notifying it of B's misbehavior.

Reference [8] follows the same concept but works with distance vector protocols such as AODV. It adds a next hop field in AODV packets so that a node can be aware of the correct next hop of its neighbors. It also considers more types of attacks, such as packet modification, packet duplication, and packet-jamming DoS attacks. Each independent detection result is signed and flooded; multiple such results from different nodes can collectively revoke a malicious node's certificate, thus excluding it from the network.

Balakrishnan [9] has proposed a way to detect packet dropping in ad hoc networks that addresses the problems of receiver collisions, limited transmission power and directional antennas discussed earlier. This scheme (TWOACK) can be added on to a source routing protocol such as DSR. In TWOACK each forwarded packet has to be acknowledged, which may contribute to traffic congestion on the routing path. S-TWOACK (Selective TWOACK) reduces this extra traffic by sending a single acknowledgement for a number of packets instead of for a single packet.

Table II lists the trust features in existing trust-based routing schemes for MANET.
TABLE II: LIST OF TRUST BASED ROUTING SCHEME [16]

| S.No. | Previous Work | Trust feature |
|---|---|---|
| 1 | Eschenauer [10] | 1. Encryption/Key 2. Identity 3. Location |
| 2 | Yan et al. [11] | 1. Packet Precision 2. Blacklists 3. Data Value 4. Reference 5. Identity 6. Battery Power |
| 3 | Nekkanti et al. [12] | 1. Encryption/Key 2. Trust Value Metric |
| 4 | Pirzada & McDonald [13] | 1. Credit History/ACK 2. Packet Precision 3. Gratuitous Route 4. Blacklists 5. Salvaging |
| 5 | Abusalah et al. [14] | 1. Encryption/Key 2. Hardware Configuration 3. Battery Power 4. Credit History/ACK 5. Exposure 6. Organizational Hierarchy |
| 6 | Li & Singhal [15] | 1. Trust Value Metric |

III. PROPOSED FRAMEWORK

The proposed model is derived from previous research that provides evidence on how a friendship mechanism could be used to improve the accuracy of IDS in MANET [16]. One of the main issues in MANET IDS is the number of false alarms raised in the network as a result of false claims/reports made by individual nodes. This anonymity problem is a big challenge in MANET because it is difficult for nodes to distinguish between trusted and un-trusted nodes in such autonomous networks. Initially we assume that each node has a list of initial trust that will be shared with the other nodes present in the network; these initial trust lists can be generated on the basis of the profile database shown in Fig. I. These initial lists are known as the Direct Friend Mechanism (DFM).

TABLE III: NODES INITIAL TRUST

| Node ID | Initial Trust |
|---|---|
| A | B, C |
| B | C, D, E |
| C | A, D, B |
| D | C, B |
| E | A, C |

A. IDS Alarm Analysis

This provides four possible results for each traffic trace analyzed by the IDS:

True Positive (TP): the attack succeeded and the IDS was able to detect it (Success ∧ Detection)
True Negative (TN): the attack failed and the IDS did not report it (¬Success ∧ ¬Detection)
False Positive (FP): the attack failed and the IDS reported on it (¬Success ∧ Detection)
False Negative (FN): the attack succeeded and the IDS was not able to detect it (Success ∧ ¬Detection)

B. Local IDS

i) Data Collection Module

The functionality of the data collection module is to collect the security related data from various audit data sources and preprocess them to conform to the input format of the detection engines. There may exist many data collection modules in an IDS agent. Each module is responsible for collecting data from a particular data source.

ii) Detection Engine

a) Unfair Use of Transmission channel based detection Engine (UDE)

Unfair Use of Transmission channel based detection techniques operate based on the known attack scenarios and system vulnerabilities shown in Table I. Their main disadvantage is that they are only effective in detecting known attacks.

b) Anomaly Based Detection Engine (ADE)

Anomaly based detection techniques, which are based on Anomalies in Packet Forwarding (APF), will play a main role in the MANET environment.

iii) Feed-Back Table (FBT)

Feedback is taken from both detection engines; if the value is 0 then the node is a friend.

Table 3: FBT

| UDE | ADE | Value |
|---|---|---|
| 0 | 0 | 0 |
| 0 | 1 | 1 |
| 1 | 0 | 1 |
| 1 | 1 | 1 |

iv) Profile Database

The profile database maintains the list of trusted neighbors on the basis of the FBT.

Fig. I. Local IDS (block diagram; components shown: Audit Local Data (ALD), Anomaly Detection Engine (ADE), Unfair use of the transmission channel (UTC) Detection Engine (UDE), Feed Back Table (FBT), Profile Database, output to Global Data Collection Module (GDC))

C. Global IDS Module

In the Global IDS module, ADE & UDE are the same as in the Local IDS. In this module the friend lists generated by the Local IDS system are again subjected to rigorous testing.

Fig. II. Global IDS Module (block diagram; components shown: input from Local IDS, Indirect Profile, Audit Global Data (AGD), ADE & UDE, Feed Back Table (FBT), Global Detection Engine (GDE), Global Profile, output to the neighbors (Indirect Profile))

i) Global Detection Engine

In the Global Detection Engine we collect the Direct Friend list and Indirect Friend Profile from the neighbors. By using mining algorithms we can make the globally trusted list for the network.

D. Validation

In the Local IDS and Global IDS we will follow the 20:80 rule for detecting the critical nodes for fast response from the system; if a node is compromised then it will be easily found out in the Local IDS, and the friend list generated by the Local IDS will be sent to the Global IDS module for checking the rest of the parameters. The global feedback table generated by the Global IDS module is sent to the neighbors and stored in the Global friends profile; the Global Detection Engine will generate the list of trusted neighbors according to their level of trust.

TABLE IV: TRUST LEVEL GENERATED BY GLOBAL DETECTION ENGINE

| Node ID | Trust Level |
|---|---|
| A | 2/5 |
| B | 3/5 |
| C | 4/5 |
| D | 2/5 |
| E | 1/5 |

IV. CONCLUSION & FUTURE WORK

In this proposed model, true positives will be reported very fast in the Local IDS module, and the friend list generated by the Local IDS module will be sent to the Global IDS module for further investigation. The Global Detection Engine will generate the friend list according to trust level; nodes with a higher trust level may be used for other processes such as routing and deciding the cluster head for scalable ad hoc networks. Future work includes designing an efficient algorithm for each phase, so that intrusion detection responds fast and requires less battery consumption and less computation.
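
As an added illustration (not code from the paper), the sketch below runs the Local IDS feed-back-table filter and a Global Detection Engine aggregation over the Table III friend lists. It assumes that a node's trust level is the fraction of nodes that list it as a friend, a rule that reproduces the Table IV values; the function names and the flagged scenario are constructed.

```python
# Added illustration: function names and the counting rule are assumptions.
from fractions import Fraction

# Direct friend lists from Table III: node -> nodes it initially trusts.
INITIAL_TRUST = {
    "A": {"B", "C"},
    "B": {"C", "D", "E"},
    "C": {"A", "D", "B"},
    "D": {"C", "B"},
    "E": {"A", "C"},
}

def fbt_value(ude: int, ade: int) -> int:
    """Feed-Back Table: 0 (friend) only when neither engine raised a flag."""
    return 1 if (ude or ade) else 0

def local_friend_list(observer, verdicts):
    """Local IDS: keep the initial friends whose FBT value is 0.

    verdicts maps neighbour -> (UDE flag, ADE flag); a neighbour with no
    recorded verdict is treated as unflagged (assumption).
    """
    return {n for n in INITIAL_TRUST[observer]
            if fbt_value(*verdicts.get(n, (0, 0))) == 0}

def global_trust(friend_lists):
    """Global Detection Engine (assumed rule): a node's trust level is the
    share of nodes in the network that list it as a friend."""
    total = len(friend_lists)
    return {node: Fraction(sum(node in fl for fl in friend_lists.values()), total)
            for node in friend_lists}

def trusted_order(levels):
    """Nodes from most to least trusted; ties are broken by node ID."""
    return sorted(levels, key=lambda n: (-levels[n], n))

def run(verdicts_by_observer=None):
    """Local pass on every node, then global aggregation of the friend lists."""
    verdicts_by_observer = verdicts_by_observer or {}
    lists = {obs: local_friend_list(obs, verdicts_by_observer.get(obs, {}))
             for obs in INITIAL_TRUST}
    return global_trust(lists)

if __name__ == "__main__":
    print({n: str(v) for n, v in run().items()})
    # Constructed scenario: A's ADE and D's UDE both flag node B.
    flagged = run({"A": {"B": (0, 1)}, "D": {"B": (1, 0)}})
    print(trusted_order(flagged), str(flagged["B"]))
```

With no flags raised the result matches Table IV; in the constructed scenario two local reports are enough to move B from the second most trusted node to 1/5.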

REFERENCES

[1] Y. Zhang and W. Lee, Intrusion Detection in Wireless Ad Hoc Networks, Proceedings of the 6th Annual International Conference on Mobile Computing and Networking (ACM MobiCom'00), Boston, MA, pp. 275-283, Aug. 2000.
[2] M. Satyanarayanan, J. J. Kistler, L. B. Mummert, M. R. Ebling, P. Kumar, and Q. Lu, Experiences with Disconnected Operation in a Mobile Environment, Proceedings of USENIX Symposium on Mobile and Location Independent Computing, Cambridge, MA, pp. 11-28, Aug. 1993.
[3] J. P. Anderson, Computer Security Threat Monitoring and Surveillance, Technical Report, James P. Anderson Co., Fort Washington, PA, April 1980.
[4] D. E. Denning, An Intrusion-Detection Model, IEEE Transactions on Software Engineering, vol. 13, no. 7, pp. 222-232, Feb. 1987.
[5] Y. Zhang, W. Lee, Intrusion detection in wireless ad-hoc networks, The 6th Annual International Conference on Mobile Computing and Networking, pp. 275-283, 2000.
[6] Satria Mandala, Md. Asri Ngadi, A. Hanan Abdullah, A Survey on MANET Intrusion Detection, www.cscjournals.org/csc/manuscript/Journals/IJCSS-24.pdf
[7] S. Bhargava and D. P. Agrawal, Security Enhancements in AODV protocol for Wireless Ad Hoc Networks, In VTC, volume 4, pages 2143-2147, fall 2001.
[8] J. Kong et al., Providing Robust and Ubiquitous Security Support for Mobile Ad-Hoc Networks, IEEE ICNP, 2001.
[9] K. Balakrishnan, J. Deng, P. K. Varshney, TWOACK: Preventing Selfishness in Mobile Ad Hoc Networks, In IEEE WCNC, Mar 2005.
[10] Eschenauer, L., On Trust Establishment in Mobile Ad-Hoc Networks, Master's Thesis, Department of Electrical and Computer Engineering, University of Maryland, 2002.
[11] Yan, Z., Zhang, P. and Virtanen, T., "Trust Evaluation Based Security Solution in Ad Hoc Networks", In Proceedings of the 7th Nordic Workshop on Secure IT Systems, NordSec 2003, Gjovik, Norway, pp. 1-14, 2003.
[12] Nekkanti, R. K. and Lee, C-W., Trust Based Adaptive on Demand Ad hoc Routing Protocol, In Proceedings of the 42nd Annual Southeast Regional Conference, Huntsville, Alabama, pp. 88-93, 2004.
[13] Pirzada, A. A. and McDonald, C., Establishing Trust in Pure Ad-Hoc Networks, In Proceedings of the 27th Australasian Computer Science Conference, Dunedin, New Zealand, pp. 47-54, 2004.
[14] Abusalah, L., Khokhar, A., BenBrahim, G. and ElHajj, W., TARP: Trust-Aware Routing Protocol, In Proceedings of the 2006 International Conference on Communications and Mobile Computing (IWCMC), Vancouver, Canada, pp. 135-140, 2006.
[15] Li, H. and Singhal, M., A Secure Routing Protocol for Wireless Ad Hoc Networks, In Proceedings of the 39th Hawaii International Conference on System Sciences, pp. 1-10, 2006.
[16] Razak, S.A., Furnell, S., Clarke, N. and Brooke, P., A Two-Tier Intrusion Detection System for Mobile Ad Hoc Networks--A Friend Approach, Lecture Notes In Computer Science, volume 3975, pp. 590-595, Springer, 2006.
[17] Chengqi Song, Qian Zang, Suppressing selfish behavior in adhoc networks with one more hop, 5th International ICST Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness, 2008, ISBN: 978-963-9799-26-4.
[18] H. Debar, M. Dacier, and A. Wespi, A Revised Taxonomy for Intrusion Detection Systems, Annales des Telecommunications, vol. 55, pp. 361-378, 2000.
