A SECURE, SCALABLE AND EFFICIENT PROTOCOL FOR DETECTING INTRUSIONS IN WIRELESS AD-HOC NETWORKS

Presented By:
Dr. V. V. Rao 1
L. Jaba Sheela 2
S. Vijayendran 3
1 Professor & HOD, Panimalar Engg. College, Chennai, Tamilnadu, India
2 Asst. Professor, Panimalar Engg. College, Chennai, Tamilnadu, India
3 PG Scholar, Panimalar Engg. College, Chennai, Tamilnadu, India

ABSTRACT

Intrusion detection has, over the last few years, assumed paramount importance within the broad realm of network security, more so in the case of wireless ad hoc networks. These are networks that do not have an underlying infrastructure; the network topology is constantly changing. The inherently vulnerable characteristics of wireless ad hoc networks make them susceptible to attacks, and it may be too late before any counter action can take effect. Second, with so much advancement in hacking, if attackers try hard enough they will eventually succeed in infiltrating the system. This makes it important to constantly (or at least periodically) monitor what is taking place on a system and look for suspicious behavior. In this paper, we present a secure, scalable and efficient protocol for detecting malicious and misbehaving nodes. The proposed protocol is distributed and cooperative with very low false positives.

1. INTRODUCTION

An ad-hoc network is a collection of autonomous nodes that communicate with each other by forming a multi-hop radio network and maintaining connectivity in a decentralized manner. Wireless ad-hoc networks are rapidly gaining popularity for their ease and flexibility of deployment. The main applications of these networks are found in scenarios where it is difficult to install wired infrastructure, where wired networks are not cost effective, or where there is insufficient time for provision of such infrastructure. Examples of these are battlefield communications, search and rescue operations, university campuses, sensor networks etc. The rapid deployment of these networks has brought forward many security vulnerabilities that need to be addressed. Wireless ad-hoc networks are particularly exposed to attacks due to their properties of an open shared medium, dynamically changing topology, co-operative algorithms and lack of centralized monitoring and management. Unlike wired networks, ad-hoc networks require dynamic trust relationships between the nodes in the network. Though there have been attempts in the literature [1] at designing algorithms for detecting intrusions, they are either not designed keeping in view the properties of ad-hoc networks, or are insecure, inefficient and perform badly in terms of high false positives. We utilize the redundancy and mobility provided by ad-hoc networks to design a secure, efficient, adaptable protocol for intrusion detection.

2.0 Common Attacks in Ad-hoc Networks

1. Packet Dropping: Nodes out of range of each other depend on intermediate nodes to forward their packets. A malicious node can easily drop packets, thus seriously affecting communication in the network. This is particularly easy in current systems, as most allow filtering packets depending on MAC and IP addresses. An intelligent use of these filters can allow this attack to be mounted practically using existing hardware. Detecting such an attack is made difficult by legitimate dropping due to congestion.
2. False Routing Information: In ad-hoc networks each node acts as a router. A malicious node can easily provide wrong routing information to an unsuspecting node and make all the traffic pass through it, or disrupt the communication entirely. Many security aware routing protocols have been proposed to reduce such attacks. The wrong routing information can be due to changing topology or due to malicious intent. The challenge in detecting such an attack is to compensate for the changing topology of the network.
3. Jamming: Jamming is a denial of service attack aimed at disrupting communication between nodes by capturing the wireless medium around these nodes. The medium can be captured by flooding packets at the same frequency used by the target nodes. With this attack the targeted nodes can be completely cut off from the network. Again, one should prevent false alarms due to congestion.
4. Replay attacks: If a node isn't able to forge or even decrypt packets, it may still replay old, outdated messages and hope to confuse the routing protocol or achieve goals similar to forged messages. In order to replay messages, they just need to be observed. A position on any path is not necessary, although it may be necessary to be in transmission range of the recipient when replaying the message.
5. Attacks on underlying encryption: IEEE 802.11 based networks use WEP for encryption. The pitfalls of the algorithm are very well known and it virtually fails to provide any cryptographic security.

6. Masquerading/Spoofing: Protocols with insufficient authentication are vulnerable to spoofing. A node can impersonate a target node and can falsely implicate it as malicious, or get access to classified information. The use of cryptographic measures can minimize such attacks.
7. Eavesdropping: An outsider can listen to traffic and divulge the information to others.
8. Sybil Attack: Many protocols employ redundancy to counter the lack of a central authority and protect the network from malicious attacks. These protocols assume that a malicious node cannot take multiple identities. A malicious node assuming multiple identities can easily defeat this redundancy. A good node communicating with multiple nodes for the same information, to make use of redundancy, may actually be communicating with a single node.
9. Insecure Protocols: Insecure protocols, i.e. protocols without authentication, can be attacked by outsiders.

3. RELATED WORK

Zhang and Lee [1] give an introduction to intrusion detection in wireless ad-hoc networks. They describe how the characteristics of wireless networks affect intrusion detection and list the differences between wired and wireless networks that make intrusion detection in ad-hoc networks more challenging. The authors also identify the assumption in any intrusion detection system that the malicious/intruder behavior is observable and can be distinguished from normal behavior.

The authors have proposed a distributed and co-operative intrusion detection and response system. In their proposed architecture (Figure 1) every node participates in intrusion detection and response. Each IDS agent is responsible for detecting signs of intrusion locally and independently, but may cooperate with neighboring nodes to investigate in a broader range. The response can be configured to be both local and global.

Figure 1. The IDS architecture for wireless ad-hoc networks

The authors also present the conceptual view of an IDS agent. Figure 2 shows the conceptual view proposed by the authors. The data collection module is responsible for collecting local audit traces and activity logs. Next, the local detection engine uses this data to detect local anomalies. Detection that needs broader data sets or that requires collaboration between IDS agents uses the cooperative detection engine. Intrusion response actions are provided by both the local response module and the global response module. Finally, a secure communication channel provides a high confidence communication channel between nodes.

Figure 2. A conceptual model for IDS agent

4. PROTOCOL

The protocol to detect malicious or misbehaving nodes consists of the following subcomponents: Monitor, Optimizer, Trust Manager, Trust Propagator and Whistle Blower. The trust management scheme is part of the Trust Manager and Trust Propagator.

4.1 Monitor

The Monitor observes the neighboring nodes by passively listening to their communication and copying random packets to verify deviations from the normal behavior. For example, for detecting packet drops and modifications, the Monitor copies the incoming packet to the neighboring node and checks the packet sent by the neighboring node for drops and modifications. The collected data is audited for deviation from normal behavior. The deviation from normal behavior of a neighbor is used as the indicator for the unbiased degree of maliciousness. By unbiased we mean that the degree of maliciousness for a neighbor in a time interval is calculated independently of its past behavior. If the deviation exceeds the pre-set threshold, the Optimizer is called.

4.2 Optimizer

The Optimizer computes the majority consensus of the 1-hop neighbors of the accused about its behavior. Figure 3 shows the Optimizer mechanism. The Optimizer is optimal in terms of communication costs. Upon being activated by a local alarm, the accuser node challenges the offending node to verify its behavior as observed by its neighbors. The accused node, on receiving the challenge, responds by acknowledging the challenge and sending a verify behavior message to all its neighbors. The respondents (neighbors) respond to this message by sending the observed value of the degree of maliciousness of the accused. The accused node calculates the group's trust in its behavior using these received values. The calculated group trust message is broadcast to the neighbors along with the received responses. The message contains the expiry time and is signed by the accused. All the messages are cryptographically secured by public key cryptography. The messages also include timestamps to prevent replay attacks.

Figure 3. Optimizer

4.2.1 Group Trust Certificate

The group trust certificate is the recommendation of a
group of nodes about the behavior of the accused during a
particular period of time to other nodes in the network. It
is the basic trust entity that is exchanged in the network.
For computing group trust value from received responses
any consensus based scheme can be used. We have used
the difference of absolute trust and average degree of
maliciousness of the majority of the respondents. Majority
is defined as the larger of the two groups obtained by
partitioning the respondents by comparing their observed
degree of maliciousness with a preset threshold. We will
later show that our protocol is secure against any possible
attack.
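The following is an added example, not code from the paper, showing the Monitor's per-interval audit of a neighbor's forwarding (section 4.1) and the Optimizer consensus that turns the neighbors' observed degrees of maliciousness into a group trust certificate (sections 4.2 and 4.2.1). The 0.5 threshold, the message field names, the tie rule and the certificate lifetime are assumptions; the public-key signature the paper requires is not modelled.

```python
"""Added example, not code from the paper: a Monitor that audits one neighbour's
forwarding during an interval (section 4.1) and the Optimizer consensus that turns
the neighbours' observations into a group trust certificate (sections 4.2, 4.2.1).
The 0.5 threshold, message field names, the tie rule and the certificate lifetime
are assumptions; the public-key signature the paper requires is not modelled."""

THRESHOLD = 0.5   # assumed: local-alarm threshold and majority partition threshold


class Monitor:
    def __init__(self):
        self.pending = {}                     # packet id -> payload the neighbour received
        self.dropped = self.modified = self.forwarded = 0

    def saw_incoming(self, pkt_id, payload):
        self.pending[pkt_id] = payload        # copy of a packet the neighbour must forward

    def saw_outgoing(self, pkt_id, payload):
        original = self.pending.pop(pkt_id, None)
        if original is None:                  # not a packet we are tracking
            return
        if payload == original:
            self.forwarded += 1
        else:
            self.modified += 1                # forwarded, but tampered with

    def end_interval(self):
        """Degree of maliciousness for this interval alone (the paper's 'unbiased'
        value): share of tracked packets dropped or modified. Resets the counters."""
        self.dropped += len(self.pending)     # never forwarded within the interval
        total = self.dropped + self.modified + self.forwarded
        degree = (self.dropped + self.modified) / total if total else 0.0
        self.pending.clear()
        self.dropped = self.modified = self.forwarded = 0
        return degree


def group_trust(responses):
    """responses: {respondent: degree of maliciousness it observed for the accused}.
    Majority = larger of the two groups split at THRESHOLD (assumed: the benign
    group wins a tie); group trust = 1 - average maliciousness seen by the majority."""
    if not responses:
        raise ValueError("no respondents")
    bad = {n: d for n, d in responses.items() if d > THRESHOLD}
    good = {n: d for n, d in responses.items() if d <= THRESHOLD}
    majority = bad if len(bad) > len(good) else good
    return 1.0 - sum(majority.values()) / len(majority), sorted(majority)


def make_certificate(accused, responses, now, lifetime=60.0):
    """Group trust certificate the accused broadcasts together with the raw responses;
    timestamp and expiry are the replay defences the paper describes."""
    trust, majority = group_trust(responses)
    return {"accused": accused, "trust": trust, "majority": majority,
            "responses": dict(responses), "issued": now, "expires": now + lifetime}


def verify_certificate(cert, now):
    """Trust Manager consistency check: the certificate must be unexpired, not
    future-dated, and its trust must follow from the responses it carries."""
    if not cert["issued"] <= now < cert["expires"]:
        return False
    trust, majority = group_trust(cert["responses"])
    return abs(trust - cert["trust"]) < 1e-9 and majority == cert["majority"]
```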

4.2.2 Trust Manager

Every node maintains a global trust state for maliciously behaving nodes in the network. The trust state is updated upon receiving a new trust certificate. The Trust Manager is responsible for verifying the consistency of the group trust certificates received, caching them and updating the global trust state for the issuer node. By consistency we mean that the node verifies whether every neighboring response has been correctly considered in calculating the group response and that the messages have not been tampered with. Note that the cryptographic security can be used to detect any tampering. The contribution of the trust certificate to the final trust value depends on the global trust state of the majority neighbors of the accused. If the majority in the group observe that the node is acting maliciously, that is, its trust value is low, then the received certificate is propagated to neighboring nodes. If the calculated trust value for a node dips below the cut-off trust level for non-malicious nodes, a global alarm is raised and the Whistle Blower is invoked.

4.2.3 Updating Global Trust State

The global trust state is updated whenever a correct trust certificate for a node is received. We suggest a cumulative function for updating the trust value of the node, where $T_{old}$, $T_{new}$, $T_{certificate}$ are the old trust state value, the new trust state value and the group recommended trust value respectively:

$$(1 - T_{new}) = \alpha\,(1 - T_{old}) + \beta\,(1 - T_{certificate}) - \delta, \qquad \text{where } \beta = \alpha_1 \alpha_2 \alpha_3$$

Parameters $\alpha$, $\beta$ are the weightage factors for the old and new evidence respectively. Parameter $\delta$ is the trust replenishment factor over time. The weightage factor $\beta$ depends on many parameters which counter the effect of false alarms and wrong accusations.

The parameter $\alpha_1$ is given by

$$\alpha_1 = \frac{1}{W} \sum_{i \in majority} w_i\, t_i$$

where $w_i$, $t_i$ are the weightage of a majority node and its trust value respectively. $W$ is a factor of the total network size. $\alpha_2$ is the weightage that the new evidence gets. $\alpha_3$ is defined for the number of certificates ($k$) received from the same group or its subset in some threshold time interval:

$$\alpha_3 = \begin{cases} \text{(value not legible in the source)} & \text{if } k = 1 \\ 0 & \text{if } k > 1 \end{cases}$$

4.3 Trust Propagator

There are many issues in maintaining a global trust state in an ad-hoc network. First is the identification of the nodes which are required to manage the trust state for other nodes in the network. This information should be available to all the nodes in the network and requires a dynamic mechanism for querying and updating the trust state. Any such scheme should be robust enough to work under network partitioning, misinformation and packet dropping attacks, and should be bandwidth friendly. We solve these problems by using a combination of redundancy and mobility in the ad-hoc network to our advantage. The Trust Propagator uses mobility for propagating trust certificates. Whenever a new trust certificate is issued it is initially flooded to a subset of nodes at least some hop distance from the accused in the network. Note that these nodes can be multiple hops away. This scheme is coupled with a dynamic exchange of certificates between neighboring nodes after every time threshold.

The number of elements in the subset, F, determines the effective convergence time of this information among the nodes who are and would be neighbors of the accused. Intuitively this can be understood by the fact that the initial flooding makes this certificate available to the set of nodes who are at least that distance from the accused and are likely to be the first to become neighbors of the accused. While the accused moves through the network, every node in the network would have received the certificate through the flooding or exchange mechanism. The number of hops required to be flooded can be determined dynamically by making the neighbors of the accused send neighborhood information along with the observed behavior to the accused.

Note that certificates can be exchanged by piggybacking on routing packets, thus incurring no extra communication cost. The exchange mechanism and flooding also allow detection of tampering of packets and provide robustness against packet dropping attacks. A node can verify a certificate in its local cache with neighboring nodes to detect any tampering. Note that a node caches only unexpired certificates. The above scheme is also robust against network partitioning, and no overhead is required for querying as every node maintains the trust state of the nodes who are behaving maliciously. Usually the number of misbehaving or malicious nodes in the network is very low, which, coupled with the low false alarm rate due to group verification, allows low storage costs. This scheme also allows a node to update its own trust state table depending on user policy. For example, a user may want to give more weightage to certificates about malicious behavior of a node directly observed by the node. Note that we do not require to keep trust information about nodes whose trust value is above some pre-set threshold.
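The following is an added example, not code from the paper, implementing the Trust Manager's cumulative update of the global trust state (sections 4.2.2 and 4.2.3) with the update rule (1 - T_new) = alpha (1 - T_old) + beta (1 - T_certificate) - delta, beta = alpha_1 alpha_2 alpha_3, and the trust classes of section 6. The value of W, the default alpha, alpha_2 and delta, the de-duplication window, w_i = 1 and alpha_3 = 1 for k = 1 are assumptions.

```python
"""Added example, not code from the paper: the Trust Manager's cumulative update
of the global trust state (sections 4.2.2, 4.2.3) under the update rule
    (1 - T_new) = alpha (1 - T_old) + beta (1 - T_cert) - delta,   beta = a1 a2 a3,
with the trust classes of section 6. W, the default alpha/a2/delta values, the
de-duplication window, w_i = 1 and a3 = 1 for k = 1 are assumptions."""

CONFIRMED = 0.4   # section 6: trust below this is a confirmed intrusion (global alarm)
TRUSTED = 0.9     # section 6: trust above this is trusted and need not be stored


def classify(trust):
    if trust < CONFIRMED:
        return "malicious"
    return "trusted" if trust > TRUSTED else "suspected"


def alpha1(weighted_trust, W):
    """a1 = (1/W) * sum over the majority of w_i * t_i: w_i is the weightage of
    majority node i, t_i its trust in the local state, W a network-size factor."""
    return sum(w * t for w, t in weighted_trust) / W


def alpha3(k):
    """k = certificates from the same group inside the window. The paper sets
    a3 = 0 for k > 1, so one group cannot pile up evidence by re-issuing."""
    return 1.0 if k == 1 else 0.0   # value 1 for k = 1 is assumed


class TrustManager:
    def __init__(self, W, alpha=1.0, a2=0.8, delta=0.0, window=60.0):
        self.W, self.alpha, self.a2, self.delta, self.window = W, alpha, a2, delta, window
        self.trust = {}   # node -> global trust, kept only for suspected/malicious nodes
        self.seen = {}    # (accused, majority) -> issue times of certificates counted

    def get(self, node):
        return self.trust.get(node, 1.0)   # no entry means the node is trusted

    def apply(self, cert, now):
        """Fold one verified certificate into the state; returns (T_new, action)."""
        accused = cert["accused"]
        key = (accused, frozenset(cert["majority"]))
        stamps = [t for t in self.seen.get(key, []) if now - t <= self.window]
        stamps.append(now)
        self.seen[key] = stamps
        k = len(stamps)
        a1 = alpha1([(1.0, self.get(n)) for n in cert["majority"]], self.W)
        beta = a1 * self.a2 * alpha3(k)
        malice = (self.alpha * (1.0 - self.get(accused))
                  + beta * (1.0 - cert["trust"]) - self.delta)
        t_new = min(1.0, max(0.0, 1.0 - malice))
        if t_new > TRUSTED:
            self.trust.pop(accused, None)   # above the threshold: no state kept
        else:
            self.trust[accused] = t_new
        if k > 1:
            return t_new, "duplicate"       # no new evidence (a3 = 0); not re-propagated
        if t_new < CONFIRMED:
            return t_new, "global_alarm"    # hand over to the Whistle Blower
        if cert["trust"] < TRUSTED:
            return t_new, "propagate"       # significant, but below the alarm level
        return t_new, "none"
```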

4.4 Whistle Blower

The Whistle Blower handles the response on detecting a global alarm about a malicious or misbehaving node in the network. We suggest a majority voting mechanism among the nodes who have interacted recently with the accused node. A possible way to do this is to flood a global alarm message to the entire network, followed by voting by the electorate consisting of the nodes who have recently interacted with the accused.

4.5 State Diagram

As shown in Figure 4, each node monitors the behavior of its next-hop neighbors. If a suspicious event is detected above a predefined threshold, a local alarm is raised and a challenge is sent by the accuser to the accused. The alarm is verified through a majority consensus by the Optimizer. The Trust Manager updates the trust state for the accused on receiving a new certificate. If the new trust state value dips below the pre-set threshold, a global alarm is raised and the Whistle Blower is called. If the received trust value of the certificate is significant enough but below the value for a global alarm, the trust certificate is propagated to other nodes in the network. The Trust Propagator selectively floods the certificate depending on the connectivity of the group. These certificates are also periodically exchanged between the nodes in the network.

Figure 4. Finite state machine within each node
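The following is an added example, not code from the paper, that simulates the Trust Propagator's initial flooding plus periodic 1-hop exchanges (section 4.3) on a constructed static topology and measures the total and effective convergence times defined in section 5, counted in exchange rounds. The topology, the flooding distance h and the set of "past and future neighbors" are assumptions; the paper determines the hop distance dynamically.

```python
"""Added example, not from the paper: propagation of one trust certificate by the
Trust Propagator (section 4.3) on a constructed static topology, measuring the
total and effective convergence times of section 5 in exchange rounds. The
topology, the flooding distance h and the set of 'past and future neighbours'
are assumptions; the paper determines the hop distance dynamically."""
from collections import deque

# constructed topology (node -> neighbours as a string of node names); "m" is the accused
ADJ = {"m": "ab", "a": "mc", "b": "md", "c": "ae", "d": "be",
       "e": "cdf", "f": "eg", "g": "fx", "x": "gy", "y": "x"}


def hop_distances(adj, source):
    """BFS hop count from source to every reachable node."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def propagate(adj, accused, h, max_rounds=50):
    """Round 0: the accused's 1-hop neighbours hold the new certificate and it is
    flooded to the subset of nodes at least h hops away. Every later round, each
    holder exchanges certificates with its 1-hop neighbours (piggy-backed on
    routing packets in the paper). Returns the set of holders after each round."""
    dist = hop_distances(adj, accused)
    holders = {n for n, d in dist.items() if d == 1 or d >= h}
    history = [set(holders)]
    for _ in range(max_rounds):
        new = set(holders)
        for u in holders:
            new.update(v for v in adj[u] if v != accused)
        if new == holders:
            break
        holders = new
        history.append(set(holders))
    return history


def convergence_time(history, targets):
    """First round in which every node in targets holds the certificate, or None."""
    for rnd, holders in enumerate(history):
        if targets <= holders:
            return rnd
    return None


def demo(h):
    """(total, effective) convergence time in rounds for flooding distance h."""
    history = propagate(ADJ, "m", h)
    everyone = set(ADJ) - {"m"}
    future_neighbours = {"a", "b", "c", "d"}   # assumed: where "m" moves next
    return convergence_time(history, everyone), convergence_time(history, future_neighbours)
```

Calling demo with an h larger than the network diameter leaves no node eligible for the initial flood, so only the 1-hop exchanges spread the certificate; comparing that against a smaller h shows how the flooded subset shortens total convergence while effective convergence stays the same.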

5. PERFORMANCE METRICS

We evaluate our algorithm on the following metrics.

False Positive Rate: This is the percentage of non-malicious nodes which are incorrectly identified as malicious.

Success Rate: This is the ratio of the number of malicious/misbehaving nodes successfully detected by the algorithm to the number of malicious/misbehaving nodes detected by an algorithm which uses only local monitoring over a given period.

Total Convergence Time: This is the total time taken for a certificate to be propagated to all non-malicious nodes in the network.

Effective Convergence Time: This is the minimum time after which all future and past neighbors of an accused node have received the certificate. This metric is important as it determines the convergence time to the set of nodes which actually participate in the intrusion detection response policy and monitor the behavior of the malicious node.

Communication Overhead: The communication overhead depends on the number of false alarms that need to be propagated in the network and the communication protocol used. We use a combination of controlled flooding and 1-hop exchanges, which allows lower communication costs compared to flooding only, as exchanges can be piggybacked on routing packets.

6. SIMULATION ENVIRONMENT

We use a version of the Network Simulator ns [2]. The 802.11 MAC layer implemented in ns is used for simulation. The simulation was run for 1000 seconds on a 50-node network in a 1000 m x 1000 m rectangular area. The traffic consisted of nine constant bit rate flows over UDP. The confirmed intrusion threshold is taken as 0.4. Nodes with trust between 0.4 and 0.9 are classified as suspected, and for trust values above 0.9 the nodes are assumed to be trusted. The certificates are exchanged every 1 minute.

REFERENCES

[1] Yongguang Zhang and Wenke Lee. Intrusion detection in wireless ad-hoc networks. In Proceedings of the Sixth Annual International Conference on Mobile Computing and Networking, 2000.
[2] Kevin Fall and Kannan Varadhan. The ns manual.
[3] Huaizhi Li, Zhenliu Chen, Xiangyang Qin, Chengdong Li and Hui Tan. Secure Routing in Wired Networks and Wireless Ad Hoc Networks.
[4] L. Zhou and Z. Haas. Securing ad hoc networks. IEEE Network Magazine, vol. 13, November 1999.
[5] Dorothy Denning. An intrusion-detection model. IEEE Transactions on Software Engineering, 1987.