
(IJCNS) International Journal of Computer and Network Security, Vol. 2, No. 10, 2010, p. 81

An Efficient Intrusion Detection System for Mobile Ad Hoc Networks

B.V. Ram Naresh Yadav (1), B. Satyanarayana (2), O.B.V. Ramanaiah (3)

(1) Dept. of CSE, JNTUHCEJ, Karimnagar, Andhra Pradesh, India. bvramnaresh@gmail.com
(2) Dept. of CST, S.K. University, Anantapur, Andhra Pradesh, India. bachalasatya@yahoo.com
(3) Dept. of CSE, JNTUH College of Engineering, Hyderabad, Andhra Pradesh, India. obvramanaiah@gmail.com

Abstract: A mobile ad hoc network is a collection of nodes connected through a wireless medium, forming rapidly changing topologies. Mobile ad hoc networks are vulnerable because of their fundamental characteristics, such as open medium, dynamic topology, distributed co-operation and constrained capability. A real-time intrusion detection architecture for ad hoc networks has been proposed for detecting black hole and packet dropping attacks. The main problem with that approach is that the detection process relies on a state-based misuse detection system, in which every node needs to run the IDS agent. This approach does not make use of a distributed architecture to detect attacks that require more than one hop of information. In this paper we propose an Efficient IDS, a novel architecture that uses specification-based intrusion detection techniques to detect active attacks, such as packet dropping and black hole attacks, against the AODV protocol. Our architecture involves the use of finite state machines (FSMs) for specifying AODV routing behavior and distributed network monitors for detecting the attacks. Our method can detect most of the bad nodes with a low false positive rate, and the packet delivery ratio can also be increased while keeping a high detection rate. The Efficient Intrusion Detection System architecture for ad hoc networks does not introduce any changes to the underlying routing protocol, since it operates as an intermediate component between the network traffic and the utilized protocol with minimum processing overhead. We have developed a prototype that was evaluated in AODV-enabled networks using the network simulator (ns-2).

Keywords: MANETs, Types of attacks, AODV, IDS.

1. Introduction

Mobile ad hoc networks are one of the recent active fields and have received spectacular consideration because of their self-configuration and self-maintenance. Early research assumed a friendly and co-operative wireless network environment. In order to maintain connectivity in a mobile ad hoc network, all participating nodes have to perform routing of network traffic. Therefore, a network layer protocol designed for such self-organized networks must enforce connectivity and the security requirements in order to guarantee the undisrupted operation of higher layer protocols. Unfortunately, all the widely used ad hoc routing protocols have no security considerations and trust all the participants to correctly forward routing and data traffic. The routing protocol sets the upper limit to security in any packet network.

If routing can be misdirected or modified, the entire network can be paralyzed [2]. Several efforts have been made in the design of a secure routing protocol for ad hoc networks. The main problems with this approach are that it requires changes to the underlying protocol and that manual configuration of the initial security associations cannot be completely avoided.

The Efficient Intrusion Detection System for mobile ad hoc networks is based on previous research proposed to detect active attacks against AODV, a routing protocol that is widely used in wireless networks [1]. We have adopted the successful approach of employing distributed network monitors for detecting attacks in real time and have applied it to the domain of ad hoc routing. The Efficient Intrusion Detection System for mobile ad hoc networks can be characterized as an architecture model for intrusion detection in ad hoc networks, while its implementation targets specifically AODV [9].

We classify our system as an architecture model since it does not perform any changes to the underlying routing protocol but merely intercepts traffic and acts upon recognized patterns.

In the remainder of this paper we start by briefly presenting the related work in this area in section 2. In section 3 we describe the AODV routing protocol and the threat model associated with it. In section 4 we describe in detail our proposed architecture and the design of the Efficient IDS for AODV-based mobile ad hoc networks. In section 5 we evaluate our prototype, which has been implemented using the ns-2 simulator, and section 6 concludes by describing the strengths and shortcomings of our proposal and identifying directions for future work.

2. Related Work

A specification-based intrusion detection system has been used to detect attacks on AODV. This approach involves a finite state machine for specifying correct AODV routing behavior and distributed network monitors for detecting runtime violations of the specification [3]. Specification-based systems are particularly attractive, as they successfully detect both local and distributed attacks against the AODV routing protocol with a low number of false positives. A real-time intrusion detection system model for detecting real-time attacks in ad hoc networks has been developed specifically for AODV [2]. The model is composed of four main layers: a traffic interception module, an event generation module, an attack analysis module, and a countermeasure module. The traffic interception module captures the incoming traffic from the network and selects which of these packets should be further processed. The event generation module is responsible for abstracting the essential information required by the attack analysis module to determine whether there is malicious activity in the network. The event generation and attack analysis modules are implemented using TFSMs. The final component of the architecture is the countermeasure module, which is responsible for taking appropriate actions to keep the network performance within acceptable limits. The results of this research clearly demonstrate that this approach can detect active attacks in real time. In the Efficient Intrusion Detection System for mobile ad hoc networks we use this work as a basis and apply the developed concepts to the ad hoc networking environment, and more specifically to the AODV routing protocol.

The watchdog and pathrater scheme suggested two extensions to the DSR ad hoc routing protocol that attempt to detect and mitigate the effects of nodes that do not forward packets although they have agreed to do so [7]. The watchdog extension is responsible for monitoring, by listening in promiscuous mode, that the next node in the path forwards data packets. The pathrater uses the results of the watchdog and selects the most reliable path for packet delivery. As the authors of the scheme have identified, the main problem with this approach is its vulnerability to blackmail attacks.

The intrusion detection and response model proposes a solution to attacks that are caused by a node internal to the ad hoc network where the underlying protocol is AODV [8]. The intrusion detection model claims to capture attacks such as distributed false route requests, denial of service, compromised destination, impersonation, and routing information disclosure. The intrusion response model is a counter that is incremented whenever malicious activity is encountered. When the value reaches a predefined threshold, the malicious node is isolated. The authors have provided statistics for the accuracy of the model.

A cooperative distributed intrusion detection system (IDS) has been proposed in [10] by Zhang and Lee. This method employs co-operative statistical anomaly detection techniques. Each intrusion detection agent runs independently and detects intrusions from local traces. Only one-hop information is maintained at each node for each route. If local evidence is inconclusive, the neighboring IDS agents co-operate to perform global intrusion detection. The authors utilize misuse detection techniques to reduce the number of false positives.

A context-aware detection of selfish nodes utilizes hash chains in the route discovery phase of DSR, destination-keyed hash chains and the promiscuous mode of the link layer to observe malicious acts of neighboring nodes [11]. This approach introduces in the malicious node a fear-based awareness that its actions are being watched and rated, which helps in reducing mischief in the system. A potential problem of this system could be the mobility of the nodes: since a malicious node can go out of range and come back into the network with a different IP address, it can still take advantage of the network. Since this method uses cryptographic mechanisms to detect malicious attacks, it cannot be classified as a pure intrusion detection system.

A specification-based intrusion detection system for AODV is described in [3]. It involves the use of finite state machines for specifying correct AODV routing behavior and distributed network monitors for detecting runtime violations of the specifications. An additional field in the protocol message is proposed to enable the monitoring.

3. AODV Security Problems

In this section we present an overview of the AODV ad hoc routing protocol and the threat model associated with it.

3.1 AODV overview

AODV can be thought of as a combination of both DSR and DSDV [9]. It borrows the basic on-demand mechanism of route discovery and route maintenance from DSR, and the use of hop-by-hop routing and sequence numbers from DSDV. AODV is an on-demand routing protocol, which initiates a route discovery process only when desired by the source node. When a source node S wants to send data packets to a destination node D but cannot find a route in its routing table, it broadcasts a Route Request (RREQ) message to its neighbors, including the last known sequence number for that destination. The neighbors of the node then rebroadcast the RREQ message to their neighbors if they do not have a fresh route to the destination node. This process continues until the RREQ message reaches the destination node or an intermediate node that has a fresh enough route.

AODV uses sequence numbers to guarantee that all routes are loop-free and contain the most recent routing information [9]. An intermediate node that receives a RREQ replies to it with a route reply (RREP) message only if it has a route to the destination whose corresponding destination sequence number is greater than or equal to the one contained in the RREQ. Otherwise, the intermediate node rebroadcasts the RREQ packet to its neighbors until it reaches the destination. The destination unicasts a RREP back to the node that initiated route discovery by transmitting it to the neighbor from which it received the RREQ.
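The route discovery rules of section 3.1 (RREQ flooding, the destination-sequence-number condition an intermediate node must satisfy before it may reply, and the hop-by-hop unicast of the RREP along the reverse path, with each hop installing a forward route entry), as an added example in Python; this is not code from the paper or from its ns-2 prototype. The four-node chain, the node names and the RouteEntry/RREQ/RREP field sets are constructed for illustration and are simplified with respect to the full AODV specification: duplicate RREQs are suppressed on (originator, RREQ ID) only, the destination answers with its own sequence number raised to at least the requested value, and timers, RERR handling and the originator's own sequence-number rules are left out.

```python
"""Simplified model of AODV route discovery (RREQ/RREP) as described in section 3.1.

Added example, not the paper's code: node identifiers, the RouteEntry fields and
the in-memory 'broadcast' are constructed for illustration. Only the rules the
paper states are implemented: a node without a route rebroadcasts the RREQ; an
intermediate node answers with a RREP only when its stored destination sequence
number is >= the one in the RREQ; the replying node unicasts the RREP back along
the reverse path, and every hop on the way installs a forward route entry.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RouteEntry:
    next_hop: str
    hop_count: int
    dest_seq: int          # destination sequence number known for this route


@dataclass
class RREQ:
    rreq_id: int
    src: str
    src_seq: int
    dst: str
    dst_seq: int           # last known sequence number for the destination
    hop_count: int = 0


@dataclass
class RREP:
    src: str               # node that started the route discovery
    dst: str
    dst_seq: int
    hop_count: int


@dataclass
class Node:
    name: str
    seq: int = 0                                   # own sequence number
    table: Dict[str, RouteEntry] = field(default_factory=dict)
    seen: set = field(default_factory=set)         # (originator, rreq_id) already processed

    def handle_rreq(self, req: RREQ, prev_hop: str) -> Tuple[Optional[RREP], Optional[RREQ]]:
        """Return (rrep_to_send_back, rreq_to_rebroadcast); at most one is set."""
        key = (req.src, req.rreq_id)
        if key in self.seen:
            return None, None                      # duplicate copy of a flooded RREQ
        self.seen.add(key)
        # Reverse route towards the originator, used to unicast a RREP back.
        self.table[req.src] = RouteEntry(prev_hop, req.hop_count + 1, req.src_seq)

        if self.name == req.dst:
            # Destination answers with a sequence number at least as fresh as requested.
            self.seq = max(self.seq, req.dst_seq)
            return RREP(req.src, self.name, self.seq, 0), None

        known = self.table.get(req.dst)
        if known is not None and known.dest_seq >= req.dst_seq:
            # Fresh enough route: the intermediate node may reply on the destination's behalf.
            return RREP(req.src, req.dst, known.dest_seq, known.hop_count), None

        # Otherwise forward the request one hop further.
        return None, RREQ(req.rreq_id, req.src, req.src_seq, req.dst, req.dst_seq, req.hop_count + 1)

    def handle_rrep(self, rep: RREP, prev_hop: str) -> Optional[str]:
        """Install the forward route; return the next hop towards the originator (None at the source)."""
        self.table[rep.dst] = RouteEntry(prev_hop, rep.hop_count + 1, rep.dst_seq)
        if self.name == rep.src:
            return None
        return self.table[rep.src].next_hop


def discover_route(nodes: Dict[str, Node], links: Dict[str, List[str]],
                   src: str, dst: str, rreq_id: int = 1) -> List[str]:
    """Flood a RREQ from src over the constructed topology and unicast the first RREP back.

    Returns the nodes the RREP traversed, replier first and source last.
    """
    s = nodes[src]
    s.seq += 1
    last_known = s.table[dst].dest_seq if dst in s.table else 0
    pending = [(RREQ(rreq_id, src, s.seq, dst, last_known), src)]
    s.seen.add((src, rreq_id))
    while pending:
        req, sender = pending.pop(0)
        for nbr in links[sender]:
            rep, fwd = nodes[nbr].handle_rreq(req, sender)
            if rep is not None:
                # Unicast the RREP hop by hop along the reverse path.
                path = [nbr]
                hop, prev = nodes[nbr].table[rep.src].next_hop, nbr
                while hop is not None:
                    nxt = nodes[hop].handle_rrep(rep, prev)
                    rep = RREP(rep.src, rep.dst, rep.dst_seq, rep.hop_count + 1)
                    path.append(hop)
                    prev, hop = hop, nxt
                return path
            if fwd is not None:
                pending.append((fwd, nbr))
    return []
```

On the chain S-A-B-D, `discover_route` returns the RREP path D, B, A, S and leaves S with a three-hop route via A. A later discovery from a node attached to B is answered by B itself, because B now holds a route whose sequence number is at least as fresh as the one requested; that reply rule is exactly the one a black hole abuses by claiming an arbitrarily fresh route (section 3.2.1), which is why the monitors of section 4 check intermediate-node replies.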


As the RREP is propagated back to the source, all intermediate nodes set up forward route entries in their tables. The route maintenance process utilizes link layer notifications, which are intercepted by the neighbors of the node that caused the error. These nodes generate and forward route error (RERR) messages to their neighbors that have been using routes that include the broken link. In general, a node may update the sequence numbers in its routing table whenever it receives RREQ, RREP, RERR and RREP-ACK messages from its neighbors.

3.2 AODV Threat model

In this section the most important attacks that are easily performed by an internal node against AODV are presented [2, 12].

3.2.1 Sequence number (black hole) Attack

This is a type of routing attack where a malicious node advertises itself as having the shortest path to all the nodes in the environment by sending a fake route reply. By doing this, the malicious node can divert the traffic from the source node. It can be used as a DoS attack, where the node drops the packets later. The set-up for the black hole attack is similar to the routing loop attack, in which the attacker sends out forged routing packets. It can set up a route to some destination via itself, and when the actual data packets get there they are simply dropped, forming a black hole where data enters but does not leave.

3.2.2 Packet dropping Attack

It is essential in an ad hoc network that all nodes participate in the routing process. However, a node may act selfishly and process only routing information that is related to itself in order to conserve energy. This behavior, or attack, can create network instability or even segment the network.

3.2.3 Resource Consumption Attack

In this attack, the malicious node attempts to consume both network and node resources by generating and sending frequent unnecessary routing traffic. The goal of this attack is to flood the network with false routing packets, to consume all available network bandwidth with irrelevant traffic, and to consume energy and processing power from the participating nodes.

There are several other similar attacks presented in the literature [4, 5, 6]. They exploit more or less the same routing protocol vulnerabilities to achieve their goals. The sequence number attack is specific to AODV, while the other two can be applied to any routing protocol.

4. Efficient Intrusion Detection System Architecture

The EIDS architecture utilizes finite state machines for specifying AODV routing behavior, and distributed network monitors enable the system to detect attacks in real time rather than using statistical analysis of captured traffic. EIDS detects attacks against the AODV routing protocol in wireless mobile ad hoc networks. The architecture of EIDS is shown in Figure 1.

Figure 1. Architecture of an Efficient Intrusion Detection System (diagram not reproduced; its elements are the intruder, the source S and destination D, the network traffic between them, the active monitor of the IDS, and the detected attacks)

The EIDS successfully detects both local and distributed attacks against the AODV routing protocol, with a low number of false positives. It uses network monitors to trace RREQ and RREP messages in a request-reply flow for the distributed network. A network monitor employs a FSM for detecting incorrect RREQ and RREP messages. Figure 2 shows the architecture of a network monitor.

Figure 2. Architecture of a Network Monitor (diagram not reproduced)

Network monitors are used to detect incorrect RREQ and RREP messages by listening passively to the AODV routing messages. A request-reply flow can be uniquely identified by the RREQ ID and the source and destination IP addresses. Messages are grouped based on the request-reply flow to which they belong.

A network monitor employs a finite state machine (FSM) for detecting incorrect RREQ and RREP messages. It maintains a finite state machine for each branch of a request-reply flow. A request flow starts at the Source state. It transitions to the RREQ Forwarding state when a source node broadcasts the first RREQ message (with a new RREQ ID). When a forwarded broadcast RREQ is detected, it stays in the RREQ Forwarding state unless a corresponding RREP is detected. Then, if a unicast RREP is detected, it goes to the RREP Forwarding state and stays there until the RREP reaches the source node and the route is set up. If any suspicious fact or anomaly is detected, it goes to the Suspicious or Alarm states.

Figure 3. Finite State Machine Diagram (diagram not reproduced)

Table 1: Simulation Parameters

Parameter                    Value
Simulation (grid) area       1000*1000 m
Simulation duration          900 seconds
Number of mobile hosts       30
Type of packet traffic       CBR
Maximum speed                20 m/sec
Node mobility                Random waypoint
Transmission range           250 m
Routing protocol             AODV
MAC layer                    802.11, peer to peer
Dropped packet timeout       10 seconds
Dropped packet threshold     10 packets
Clear delay                  100 seconds
Host pause time              15 seconds
Modification threshold       5 events
Neighbor hello period        30 seconds
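The per-flow monitor state machine of section 4 (Figure 3), as an added example written for this page rather than taken from the paper's prototype. Overheard messages are grouped by (RREQ ID, source, destination) and each flow walks Source, RREQ Forwarding, RREP Forwarding and Done, dropping into Suspicious or Alarm when a constraint fails. The constraints encoded here (a forwarded RREQ or RREP keeps its sequence number and advances the hop count by exactly one along the branch, a RREP is unicast and not older than the sequence number requested, and an intermediate node may only reply with a route the monitor has seen it learn) are this example's reading of the header and forwarding-table checks the paper describes; the Msg field set, the one-branch-per-FSM simplification, and the use of Table 1's Modification Threshold (5 events, counted per node across flows) as the boundary between Suspicious and Alarm are assumptions. All sample messages are constructed.

```python
"""Per-flow network-monitor FSM for AODV request-reply flows (section 4, Figure 3).

Added example, not the paper's code. The Msg fields, the exact constraints and the
per-node application of the Modification Threshold from Table 1 are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Table 1: "Modification threshold 5 events". Assumed here to be counted per node
# across all flows; reaching it turns Suspicious into Alarm.
MODIFICATION_THRESHOLD = 5


@dataclass(frozen=True)
class Msg:
    """One overheard AODV control message (field set constructed for this example)."""
    kind: str                       # "RREQ" or "RREP"
    rreq_id: int
    src: str                        # originator of the route discovery
    dst: str                        # destination being looked for
    sender: str                     # node that transmitted this copy
    hop_count: int
    dst_seq: int                    # destination sequence number carried in the header
    receiver: Optional[str] = None  # next hop of a unicast RREP; None for a broadcast RREQ


@dataclass
class Flow:
    state: str = "SOURCE"
    last_rreq: Optional[Msg] = None
    last_rrep: Optional[Msg] = None
    reasons: List[str] = field(default_factory=list)


class NetworkMonitor:
    """Passive monitor: one FSM per request-reply flow, identified by (RREQ ID, src, dst)."""

    def __init__(self) -> None:
        self.flows: Dict[Tuple[int, str, str], Flow] = {}
        self.events: Dict[str, int] = {}                     # modification events per node
        self.known_routes: Dict[Tuple[str, str], int] = {}   # (node, dst) -> dst_seq it was seen to learn

    def observe(self, m: Msg) -> str:
        """Feed one overheard message; returns the flow's state afterwards."""
        flow = self.flows.setdefault((m.rreq_id, m.src, m.dst), Flow())
        if flow.state in ("SUSPICIOUS", "ALARM", "DONE"):
            return flow.state                                # terminal for this flow
        if m.kind == "RREQ":
            self._on_rreq(flow, m)
        elif m.kind == "RREP":
            self._on_rrep(flow, m)
        else:
            self._flag(flow, m.sender, f"unknown message kind {m.kind}")
        return flow.state

    def alarmed_nodes(self) -> List[str]:
        return sorted(n for n, c in self.events.items() if c >= MODIFICATION_THRESHOLD)

    def _flag(self, flow: Flow, node: str, why: str) -> None:
        flow.reasons.append(f"{node}: {why}")
        self.events[node] = self.events.get(node, 0) + 1
        flow.state = "ALARM" if self.events[node] >= MODIFICATION_THRESHOLD else "SUSPICIOUS"

    def _on_rreq(self, flow: Flow, m: Msg) -> None:
        if m.receiver is not None:
            self._flag(flow, m.sender, "RREQ must be broadcast")
            return
        if flow.state == "SOURCE":
            if m.sender != m.src:
                self._flag(flow, m.sender, "first RREQ of the flow not sent by its originator")
                return
            flow.state = "RREQ_FORWARDING"
        elif flow.state == "RREQ_FORWARDING":
            prev = flow.last_rreq
            # Constraint: the forwarded header is unchanged apart from the hop count,
            # which must advance by exactly one along the branch this FSM follows.
            if m.dst_seq != prev.dst_seq:
                self._flag(flow, m.sender, "forwarded RREQ changed the destination sequence number")
                return
            if m.hop_count != prev.hop_count + 1:
                self._flag(flow, m.sender, "forwarded RREQ hop count not incremented by one")
                return
        else:
            return      # late RREQ copies from other branches belong to their own branch FSMs
        flow.last_rreq = m

    def _on_rrep(self, flow: Flow, m: Msg) -> None:
        if m.receiver is None:
            self._flag(flow, m.sender, "RREP must be unicast")
            return
        if flow.state == "RREQ_FORWARDING":
            # First RREP of the branch: the destination answers, or an intermediate node
            # claims a fresh enough route. The latter is checked against the routes the
            # monitor has seen that node learn (its view of the node's forwarding table).
            if m.dst_seq < flow.last_rreq.dst_seq:
                self._flag(flow, m.sender, "RREP carries a sequence number older than the one requested")
                return
            if m.sender != m.dst:
                known = self.known_routes.get((m.sender, m.dst))
                if known is None or known < m.dst_seq:
                    self._flag(flow, m.sender, "intermediate node replied with a route it was never seen to learn")
                    return
            flow.state = "RREP_FORWARDING"
        elif flow.state == "RREP_FORWARDING":
            prev = flow.last_rrep
            if prev.receiver != m.sender:
                self._flag(flow, m.sender, "RREP forwarded by a node that did not receive it")
                return
            if m.dst_seq != prev.dst_seq or m.hop_count != prev.hop_count + 1:
                self._flag(flow, m.sender, "forwarded RREP header modified")
                return
        else:
            self._flag(flow, m.sender, f"RREP seen while the flow is in state {flow.state}")
            return
        # Whoever receives this RREP has now legitimately learned a route to dst.
        key = (m.receiver, m.dst)
        self.known_routes[key] = max(m.dst_seq, self.known_routes.get(key, -1))
        flow.last_rrep = m
        if m.receiver == m.src:
            flow.state = "DONE"                              # route set up at the originator
```

A clean flow S-A-B-D ends in Done and, as a side effect, records that B, A and S learned a route to D with the sequence number the destination advertised, so a later reply by B on D's behalf passes the forwarding-table check. A node that keeps answering requests with a route the monitor never saw it learn accumulates one modification event per flow; the flow in which it reaches the fifth event is raised to Alarm and the node appears in `alarmed_nodes()`, which is the output a countermeasure component would consume.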

Figure 4. Suspicious and Alarm State Machine Diagram (diagram not reproduced)

When a network monitor compares a new packet with the old corresponding packet, the primary goal of the constraints is to make sure that the AODV header of the forwarded control packet has not been modified in an undesired manner. If an intermediate node responds to the request, the network monitor verifies this response against its forwarding table as well as against the constraints, in order to make sure that the intermediate node is not lying. In addition, the constraints are used to detect packet dropping and spoofing.

5. Evaluation

The experiments for the evaluation of the Efficient Intrusion Detection System for mobile ad hoc networks were carried out using the network simulator (ns-2). We have evaluated AODV without any modifications, AODV with one malicious node present, and AODV with the Efficient IDS component enabled and a malicious node in the network. The scenarios developed to carry out these tests use as parameters the mobility of the nodes and the number of active connections in the network. The choices of simulator parameters presented in Table 1 consider both the accuracy and the efficiency of the simulation.

The following are the metrics that we chose to evaluate the impact of the implemented attacks: (1) false positives, (2) detection rate, (3) packet delivery ratio, and (4) routing packet dropped ratio. These metrics were used to measure the severity of each attack and the improvement that the Efficient IDS manages to achieve during active attacks. Every point in the produced graphs is an average value of data collected from repeating the same experiment ten times, in order to achieve more realistic measurements.

5.1 Sequence number (black hole) Attack Detection

The four metrics that were used in the evaluation of the sequence number attack detection and counter mechanisms are the delivery ratio, the number of false routing packets sent by the attacker, false positives and detection rate.

Figure 5. Packet Delivery ratio against Number of Connections (graph not reproduced)

In Figures 5 and 6 the delivery ratio is plotted as the node density or mobility increases. The normalized overhead of AODV is 2-4 times higher when the network is loaded. In the graphs, the overhead of AODV is considered with a fully loaded network. As can be seen from the graphs, with EIDAODV running the delivery ratio is increased by as much as 72%.

Figure 6. Packet Delivery ratio against Speed of Nodes (graph not reproduced)

The second metric that was used in the evaluation of this attack was the number of false packets sent by the attacking node versus the number of active connections and the node mobility. This metric was used to examine the overhead of the sequence number attack; we considered only the extra cost in communication imposed by the attack. We observed that the average number of RREPs sent by the malicious node in all the experiments was 1856, and the number of nodes that inserted the false route into their routing table was 20 out of 30. In Figure 7, false positives are nodes incorrectly labeled as malicious. As expected, the performance of the active response protocol improved with respect to false positives as the density of the malicious nodes increased.

Figure 7. Percentage of False Positives against Percentage of bad nodes (graph not reproduced)

Figure 8 shows the detection rate. In the best case, 93% of the attacks can be detected, whereas the worst-case detection rate is 80%. There are several reasons why a bad node may go undetected. First, the bad node may not be in any path in the routing cache at the time the monitors begin to check. Since the paths are based solely on the paths maintained by the routing cache, if a node is not contained in any path, its forwarding function will not be monitored. Second, there may be two consecutive bad nodes in a path, so that the bad behavior of one node is hidden by the other bad node.

Figure 8. Percentage of Detected bad Nodes against Percentage of bad nodes (graph not reproduced)

5.2 Packet Drop Attack Detection

To evaluate this attack, the metrics chosen were the delivery ratio and the routing overhead ratio. The following graphs show the performance.

Figure 9. Packet Delivery ratio against Number of Connections (graph not reproduced)

Figure 10. Packet Delivery ratio against Speed of Nodes (graph not reproduced)
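Packet-drop monitoring driven by the parameters of Table 1, as an added example; it is not the paper's code. It applies the watchdog idea recalled in section 2 (listen in promiscuous mode and check that the next hop forwards what it received) with the Dropped Packet Timeout (10 s), Dropped Packet Threshold (10 packets) and Clear Delay (100 s) of Table 1. How those three parameters interact is not spelled out in the paper; the semantics used here (a packet not forwarded within the timeout counts as dropped, a node reaching the threshold is reported, and a node's counter is forgotten after the clear delay without further drops) and the Overheard event format are assumptions, and the events fed in are constructed.

```python
"""Packet-drop monitor using Table 1's timeout, threshold and clear delay.

Added example, not the paper's code. The event format and the way the three
parameters interact are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DROPPED_PACKET_TIMEOUT = 10.0    # seconds, Table 1
DROPPED_PACKET_THRESHOLD = 10    # packets, Table 1
CLEAR_DELAY = 100.0              # seconds, Table 1


@dataclass(frozen=True)
class Overheard:
    """A data-packet transmission heard in promiscuous mode (constructed event format)."""
    t: float          # time the monitor heard it
    sender: str       # link-layer transmitter
    next_hop: str     # link-layer receiver
    dst: str          # final destination of the packet
    pkt_id: str       # identifies the packet across hops (e.g. originator plus IP id)


@dataclass
class DropMonitor:
    pending: Dict[Tuple[str, str], float] = field(default_factory=dict)  # (node, pkt_id) -> deadline
    drops: Dict[str, int] = field(default_factory=dict)                  # dropped packets per node
    last_drop: Dict[str, float] = field(default_factory=dict)            # time of each node's last drop
    reported: List[str] = field(default_factory=list)                    # nodes over the threshold

    def hear(self, ev: Overheard) -> List[str]:
        """Process one overheard transmission; returns nodes newly reported at this time."""
        newly = self.tick(ev.t)
        # The sender has forwarded this packet, so the expectation on it is met.
        self.pending.pop((ev.sender, ev.pkt_id), None)
        # Unless the next hop is the final destination, it must forward within the timeout.
        if ev.next_hop != ev.dst:
            self.pending[(ev.next_hop, ev.pkt_id)] = ev.t + DROPPED_PACKET_TIMEOUT
        return newly

    def tick(self, now: float) -> List[str]:
        """Advance the clock: expired expectations count as drops, stale counters are cleared."""
        self._clear_old(now)
        newly: List[str] = []
        for key, deadline in list(self.pending.items()):
            if now >= deadline:
                node = key[0]
                del self.pending[key]
                self.drops[node] = self.drops.get(node, 0) + 1
                self.last_drop[node] = deadline
                if self.drops[node] >= DROPPED_PACKET_THRESHOLD and node not in self.reported:
                    self.reported.append(node)
                    newly.append(node)
        return newly

    def _clear_old(self, now: float) -> None:
        # A node's drop counter is forgotten once it has been quiet for the clear delay.
        for node in [n for n, t in self.last_drop.items() if now - t >= CLEAR_DELAY]:
            del self.drops[node]
            del self.last_drop[node]
```

In the constructed run, node C forwards the one packet it is handed and is never counted, while node B receives ten packets for D and forwards none; once the clock passes the last deadline, B's counter reaches the threshold and `tick` reports it exactly once. The same mechanism is what produces the two undetected cases discussed in section 5.1: a node on no monitored path never enters `pending`, and a drop by the second of two consecutive bad nodes is charged to the first only if the monitor also hears the packet reach it.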

Figure 11. Percentage of False Positives against Percentage of bad nodes (graph not reproduced)

Figure 9 shows that the EIDAODV system improves the delivery ratio by 51% compared to plain AODV. Figure 10 shows that the routing overhead introduced by the attack is reduced by 52%. EIDAODV reduces the routing overhead ratio to approximately the levels that normal AODV demonstrates. In Figure 11 we see that the performance of the active response protocol improves with respect to false positives as the density of malicious nodes increases. Figure 12 shows that in the best case 93% of the bad nodes can be detected. The worst-case detection rate is 77%.

Figure 12. Percentage of Detected bad nodes against Percentage of bad nodes (graph not reproduced)

6. Conclusions

An Efficient Intrusion Detection System aiming at securing the AODV protocol has been developed using a specification-based technique. It is based on previous work done by Stamouli. The EIDS performance in detecting misuse of the AODV protocol has been discussed. In all the cases, the attack was detected as a violation of one of the AODV protocol specifications. From the results obtained, it can be concluded that our EIDS can effectively detect the sequence number attack and the packet dropping attack with incremental deployment. The method has been shown to have low overheads and a high detection rate.

Our intrusion detection and response protocol for MANETs has been demonstrated to perform better than the one proposed by Stamouli in terms of false positives and percentage of packets delivered. Simulation results validate the ability of our protocol to successfully detect both local and distributed attacks against the AODV routing protocol, with a low number of false positives.

References

[1] Stamouli, P.G. Argyroudis, H. Tewari, "Real-time intrusion detection for ad hoc networks", Proceedings of the Sixth IEEE Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2003.
[2] W. Wang, Y. Lu and B.K. Bhargava, "On vulnerability and protection of ad hoc on-demand distance vector protocol", Proceedings of the International Conference on Telecommunications, 2003.
[3] C.-Y. Tseng et al., "A specification-based intrusion detection system for AODV", Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN '03), Fairfax, VA, 2003.
[4] Y.-C. Hu, A. Perrig and D.B. Johnson, "Ariadne: A secure on-demand routing protocol for ad hoc networks", Eighth ACM International Conference on Mobile Computing and Networking (MobiCom 2002), September 2002.
[5] F. Stajano and R. Anderson, "The Resurrecting Duckling: security issues for ad hoc wireless networks", 7th International Workshop Proceedings, 1999.
[6] C. Siva Ram Murthy, B.S. Manoj, "Ad Hoc Wireless Networks: Architectures and Protocols", Prentice Hall, May 2004, New Jersey, USA.
[7] Sergio Marti, Thomas J. Giuli, Kevin Lai, Mary Baker, "Mitigating routing misbehavior in mobile ad hoc networks", Proceedings of MobiCom, 2000.
[8] S. Bhargava, D.P. Agrawal, "Security enhancements in AODV protocol for wireless ad hoc networks", IEEE Semiannual Vehicular Technology Conference (VTC '01), 2000.
[9] Charles E. Perkins, "Ad hoc on-demand distance vector (AODV) routing", Internet draft, draft-ietf-manet-aodv-01.txt, August 1998.
[10] Y. Zhang, W. Lee, Y. Huang, "Intrusion detection for wireless ad hoc networks", Mobile Networks and Applications, ACM, 2002.
[11] P. Papadimitratos, Z.J. Haas, "Secure routing for mobile ad hoc networks", Proceedings of the SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS '02), January 2002.
[12] V. Madhu, A.A. Chari, "An approach for detecting attacks in mobile ad hoc networks", Journal of Computer Science, 2008.
[13] C.E. Perkins, E.M. Belding-Royer, S. Das, "Ad hoc on-demand distance vector (AODV) routing", RFC 3561, 2003.

Authors' Profiles

B.V. Ram Naresh Yadav is working as a Research Scholar in the CSE Department of JNT University, Hyderabad, Andhra Pradesh, India. His areas of interest include network security, compilers and computer networks.

Dr. B. Satyanarayana is working as a Professor in the Department of CST of S.K. University, Anantapur, Andhra Pradesh, India. His are
as of interest include network security, data warehousing and data mining, computer networks and artificial intelligence.

Dr. O.B.V. Ramanaiah is working as a Professor in the CSE Department of JNT University, Hyderabad, Andhra Pradesh, India. His areas of interest include mobile computing, computer networks and operating systems.
