2 Dept. of CST, S.K.University, Anantapur, Andhra Pradesh, India. bachalasatya@yahoo.com
3 Dept. of CSE, JNTUH College of Engineering, Hyderabad, Andhra Pradesh, India. obvramanaiah@gmail.com
Abstract: A Mobile ad hoc network is a collection of nodes that is connected through a wireless medium, forming rapidly changing topologies. Mobile ad hoc networks are vulnerable due to their fundamental characteristics such as open medium, dynamic topology, distributed co-operation and constrained capability. A real time intrusion detection architecture for ad hoc networks has been proposed for detecting black hole and packet dropping attacks. The main problem with this approach is that the detection process relies on a state based misuse detection system, in which every node needs to run the IDS agent. This approach does not make use of a distributed architecture to detect attacks that require more than one hop of information. In this paper we propose an Efficient IDS, a novel architecture that uses specification based intrusion detection techniques to detect active attacks, such as packet dropping and black hole attacks, against the AODV protocol. Our architecture involves the use of FSMs for specifying AODV routing behavior and distributed network monitors for detecting the attacks. Our method can detect most of the bad nodes with a low false positive rate, and the packet delivery ratio can also be increased together with a high detection rate. The Efficient Intrusion detection system architecture for ad hoc networks does not introduce any changes to the underlying routing protocol, since it operates as an intermediate component between the network traffic and the utilized protocol with minimum processing overhead. We have developed a prototype that was evaluated in AODV enabled networks using the network simulator (ns-2).

Keywords: MANETs, Types of attacks, AODV, IDS.

… all the participants to correctly forward routing and data traffic. The routing protocol sets the upper limit to security in any packet network.

If routing can be misdirected or modified, the entire network can be paralyzed [2]. Several efforts have been made to design a secure routing protocol for ad hoc networks. The main problems with this approach are that it requires changes to the underlying protocol and that manual configuration of the initial security associations cannot be completely avoided.

The Efficient Intrusion Detection System for mobile ad hoc networks is based on previous research proposed to detect active attacks against AODV, a routing protocol that is widely used in wireless networks [1]. We have adopted the successful approach of employing distributed network monitors for detecting attacks in real time and have applied it to the domain of ad hoc routing. The Efficient Intrusion Detection System for mobile ad hoc networks can be characterized as an architecture model for intrusion detection in ad hoc networks, while its implementation specifically targets AODV [9].

We classify our system as an architecture model since it does not perform any changes to the underlying routing protocol but merely intercepts traffic and acts upon recognized patterns.
2. Related Work

A specification based intrusion detection system is used to detect attacks on AODV. This approach involves a finite state machine for specifying correct AODV routing behavior and distributed network monitors for detecting runtime violation of the specifications [3]. Specification based systems are particularly attractive as they successfully detect both local and distributed attacks against the AODV routing protocol with a low number of false positives. A real time intrusion detection system model for detecting real time attacks in ad hoc networks has been developed specifically for AODV [2]. The model is composed of four main layers: a traffic interception module, an event generation module, an attack analysis module, and a counter measure module. The traffic interception module captures the incoming traffic from the network and selects which of these packets should be further processed. The event generation module is responsible for abstracting the essential information required for the attack analysis module to determine if there is malicious activity in the network. The event generation and attack analysis modules are implemented using TFSMs. The final component of the architecture is the counter measure module, which is responsible for taking appropriate actions to keep the network performance within acceptable limits. The result of this research clearly demonstrates that this approach can be used to detect active attacks in real time. In the Efficient Intrusion Detection System for mobile ad hoc networks, we use this work as a basis and apply the developed concepts in the ad hoc networking environment and more specifically to the AODV routing protocol.

The watchdog and path rater scheme has suggested two extensions to the DSR ad hoc routing protocol that attempt to detect and mitigate the effects of nodes that do not forward packets although they have agreed to do so [7]. The watchdog extension is responsible for monitoring that the next node in the path forwards data packets, by listening in promiscuous mode. The path rater uses the results of the watchdog and selects the most reliable path for packet delivery. As the authors of the scheme have identified, the main problem with this approach is its vulnerability to blackmail attacks.

The intrusion detection and response model proposes a solution to attacks that are caused by a node internal to the ad hoc network where the underlying protocol is AODV [8]. The intrusion detection model claims to capture attacks such as distributed false route requests, Denial of Service, compromised destination, impersonation, and routing information disclosure. The intrusion response model is a counter that is incremented whenever a malicious activity is encountered. When the value reaches a predefined threshold, the malicious node is isolated. The authors have provided statistics for the accuracy of the model.

A cooperative distributed intrusion detection system (IDS) has been proposed in [10] by Zhang and Lee. This method employs co-operative statistical anomaly detection techniques. Each intrusion detection agent runs independently and detects intrusions from local traces. Only one hop of information is maintained at each node for each route. If local evidence is inconclusive, the neighboring IDS agents co-operate to perform global intrusion detection. The authors utilize misuse detection techniques to reduce the number of false positives.

A context aware detection of selfish nodes utilizes hash chains in the route discovery phase of DSR, together with destination keyed hash chains and the promiscuous mode of the link layer, to observe malicious acts of neighboring nodes [11]. This approach introduces a fear based awareness in the malicious node that its actions are being watched and rated, which helps in reducing mischief in the system. A potential problem of this system could be the mobility of the nodes, since a malicious node can go out of range and come back into the network with a different IP address, and can then still take advantage of the network. Since this method uses cryptographic mechanisms to detect malicious attacks, it cannot be classified as a pure intrusion detection system.

A specification based intrusion detection system for AODV has been proposed in [3]. It involves the use of Finite State Machines for specifying correct AODV routing behavior and distributed network monitors for detecting runtime violation of the specifications. An additional field in the protocol message is proposed to enable the monitoring.

3. AODV Security Problems

In this section we present an overview of the AODV ad hoc routing protocol and the threat model associated with it.

3.1 AODV overview

AODV can be thought of as a combination of both DSR and DSDV [9]. It borrows the basic on demand mechanism of Route discovery and Route maintenance from DSR, and the use of hop by hop routing and Sequence numbers from DSDV. AODV is an on demand routing protocol, which initiates a route discovery process only when desired by the Source node. When a Source node S wants to send data packets to a destination node D but cannot find a route in its routing table, it broadcasts a Route Request (RREQ) message to its neighbors, including the last known sequence number for that destination. The neighbors of the node then rebroadcast the RREQ message to their neighbors if they do not have a fresh route to the destination node. This process continues until the RREQ message reaches the destination node or an intermediate node that has a fresh enough route.

AODV uses Sequence numbers to guarantee that all routes are loop free and contain the most recent routing information [9]. An intermediate node that receives a RREQ replies to it using a route reply (RREP) message only if it has a route to the destination whose corresponding destination Sequence number is greater than or equal to the one contained in the RREQ. Otherwise, the intermediate node broadcasts the RREQ packet to its neighbors until it reaches the destination. The destination unicasts a RREP back to the node that initiated route discovery by transmitting it to
(IJCNS) International Journal of Computer and Network Security, 83
Vol. 2, No. 10, 2010
It is a type of Routing attack where a malicious node advertises itself as having the shortest path to all the nodes in the environment by sending a fake route reply. By doing this, the malicious node can deprive the source node of its traffic. It can be used as a DoS attack, where the malicious node can drop the packets later. The set up for a black hole attack is similar to a routing loop attack, in which the attacker sends out forged routing packets. It can set up a route to some destination via itself, and when the actual data packets get there they are simply dropped, forming a black hole where data enters but does not leave.

In this attack, the malicious node attempts to consume both the network and node resources by generating and sending frequent unnecessary routing traffic. The goal of this attack is to flood the network with false routing packets, to consume all available network bandwidth with irrelevant traffic, and to consume energy and processing power from the participating nodes.

There are several other similar attacks presented in the literature [4, 5, 6]. They exploit more or less the same routing protocol vulnerabilities to achieve their goals. The Sequence number attack is specific to AODV, while the other two can be applied to any routing protocol.

4. Efficient Intrusion detection system Architecture

The EIDS is used to successfully detect both local and distributed attacks against the AODV routing protocol, with a low number of false positives. It uses Network Monitors to trace RREQ and RREP messages in a request reply flow for a distributed network. A Network Monitor employs an FSM for detecting incorrect RREQ and RREP messages. Figure 2 shows the architecture of a Network Monitor.

Figure 2. Architecture of a Network Monitor

Network Monitors are used to detect incorrect RREQ and RREP messages by listening passively to the AODV routing messages. A request reply flow can be uniquely identified by the RREQ ID and the source and destination IP addresses. Messages are grouped based on the request-reply flow to which they belong.

A Network Monitor employs a finite state machine (FSM) for detecting incorrect RREQ and RREP messages. It maintains a finite state machine for each branch of a request-reply flow. A request flow starts at the Source state. It transitions to the RREQ Forwarding state when a source node broadcasts the first RREQ message (with a new RREQ ID). When a forwarded broadcast RREQ is detected, it
When a Network Monitor compares a new packet with the old corresponding packet, the primary goal of the constraints is to make sure that the AODV header of the forwarded control packet is not modified in an undesired manner. If an intermediate node responds to the request, the Network Monitor will verify this response against its forwarding table as well as against the constraints, in order to make sure that the intermediate node is not lying. In addition, the constraints are used to detect packet drop and spoofing.

5. Evaluation

The four metrics that were used in the evaluation of the Sequence number attack detection and counter mechanisms are the delivery ratio, the number of false routing attacks sent by the attacker, the false positive rate and the detection rate.
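As an added example, not code from the paper or its ns-2 prototype, the following Python models the Network Monitor of Section 4 over the route discovery exchange of Section 3.1: messages are grouped by the (RREQ ID, source, destination) flow, each flow carries a small FSM (the Source and RREQ Forwarding states are the paper's; RREP Forwarding is an assumed name), a forwarded RREQ is checked against the previous copy, and an intermediate node's RREP is checked against the monitor's view of that node's forwarding table. The Msg field names, the route_table dictionary, the one-branch-per-flow simplification and the alert labels are all assumptions made here.

```python
from collections import namedtuple

# kind is "RREQ" or "RREP"; sender is the node observed transmitting this copy;
# dst_seq is the destination sequence number in the AODV header (field names assumed).
Msg = namedtuple("Msg", "kind sender rreq_id src dst hop_count dst_seq")

class NetworkMonitor:
    # route_table (assumed): (node, dst) -> freshest dst_seq the monitor has
    # seen that node hold, standing in for the node's forwarding table.
    def __init__(self, route_table):
        self.route_table = route_table
        self.flows = {}      # (rreq_id, src, dst) -> {"state", "last"}; one branch per flow
        self.alerts = []

    def observe(self, m):
        key = (m.rreq_id, m.src, m.dst)        # request-reply flow identifier
        flow = self.flows.get(key)
        if m.kind == "RREQ":
            if flow is None:                   # Source state -> RREQ Forwarding state
                self.flows[key] = {"state": "RREQ_FORWARDING", "last": m}
                return
            old = flow["last"]
            # Constraint: a forwarded RREQ keeps dst_seq and adds exactly one hop
            if m.hop_count != old.hop_count + 1 or m.dst_seq != old.dst_seq:
                self.alerts.append(("RREQ_HEADER_MODIFIED", m.sender, key))
            flow["last"] = m
            return
        if flow is None:                       # RREP for a request nobody sent
            self.alerts.append(("RREP_WITHOUT_RREQ", m.sender, key))
            return
        if m.dst_seq < flow["last"].dst_seq:   # reply older than what was asked for
            self.alerts.append(("RREP_STALE_SEQ", m.sender, key))
        if m.sender != m.dst:                  # intermediate reply: check its table
            known = self.route_table.get((m.sender, m.dst))
            if known is None or m.dst_seq > known:
                self.alerts.append(("RREP_FRESHER_THAN_TABLE", m.sender, key))
        flow["state"] = "RREP_FORWARDING"      # assumed state name

def run_demo():
    # Constructed trace: flow 1 is answered honestly by D; in flow 2 node M
    # answers S's request for D with a sequence number no route of M justifies.
    mon = NetworkMonitor({("A", "D"): 4, ("M", "D"): 4})
    trace = [Msg("RREQ", "S", 1, "S", "D", 0, 4), Msg("RREQ", "A", 1, "S", "D", 1, 4),
             Msg("RREP", "D", 1, "S", "D", 0, 6),
             Msg("RREQ", "S", 2, "S", "D", 0, 6), Msg("RREP", "M", 2, "S", "D", 1, 99)]
    for m in trace:
        mon.observe(m)
    return mon.alerts
```

Only the second flow raises an alert, because M's advertised sequence number exceeds the freshest route the monitor has ever seen M hold for D.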