Elsevier

Computers & Security

Volume 30, Issue 1, January 2011, Pages 63-80

A comparative evaluation of intrusion detection architectures for mobile ad hoc networks

https://doi.org/10.1016/j.cose.2010.10.008

Abstract

Mobile Ad Hoc Networks (MANETs) are susceptible to a variety of attacks that threaten their operation and the services they provide. Intrusion Detection Systems (IDSs) may act as defensive mechanisms, since they monitor network activities in order to detect malicious actions performed by intruders and then initiate the appropriate countermeasures. IDSs for MANETs have attracted much attention recently and thus there are many publications that propose new IDS solutions or improvements to existing ones. This paper evaluates and compares the most prominent IDS architectures for MANETs. IDS architectures are defined as the operational structures of IDSs. For each IDS, the architecture and the related functionality are briefly presented and analyzed, focusing on both the operational strengths and weaknesses. Moreover, methods and techniques that have been proposed to improve their performance and the security services they provide are evaluated, and their shortcomings or weaknesses are presented. A comparison of the studied IDS architectures is carried out using a set of critical evaluation metrics, which derive from: (i) the deployment, architectural, and operational characteristics of MANETs; (ii) the special requirements of intrusion detection in MANETs; and (iii) the analysis carried out, which reveals the most important strengths and weaknesses of the existing IDS architectures. The evaluation metrics are divided into two groups: the first relates to performance and the second to security. Finally, based on the evaluation and comparison, a set of design features and principles is presented that future research on designing and implementing IDSs for MANETs has to address and satisfy.

Introduction

A mobile ad hoc network (MANET) is a collection of autonomous nodes that form a dynamic, purpose-specific, multi-hop radio network in a decentralized fashion. In a MANET, the nodes themselves implement network management cooperatively, so all network members share the responsibility for it. The wireless, mobile nature of MANETs, in conjunction with the absence of access points providing access to a centralized authority, makes them susceptible to a variety of attacks (Djenouri et al., 2005). An effective way to identify when an attack occurs in a MANET is the deployment of an Intrusion Detection System (IDS). The IDS is a sensing mechanism that monitors network activity in order to detect malicious actions and, ultimately, an intruder. Upon detecting an intruder, the IDS takes an appropriate action, ranging from a mere user notification to a more comprehensive defensive action against the intruder. An IDS can be divided into two main parts: (i) the architecture, which exemplifies the operational structure of the IDS; and (ii) the detection engine, which is the mechanism used to detect malicious behavior(s).

The existing IDS architectures for MANETs fall under three basic categories (Anantvalee and Wu, 2006): (a) stand-alone, (b) cooperative, and (c) hierarchical. The stand-alone architectures use an intrusion detection engine installed at each node, utilizing only the node’s local audit data (Jacoby and Davis, 2007, Nadkarni and Mishra, 2004, Lauf et al., 2010). However, the fact that these solutions rely only on local audit data to resolve malicious behaviors limits them in terms of detection accuracy and the types of attacks that they detect (Sen and Clark, 2009), because of the distributed nature of MANETs. On the other hand, the cooperative and hierarchical architectures process each host’s audit data locally (i.e., similarly to stand-alone), but they also use collaborative techniques to detect a wider set of attacks more accurately. Thus, the majority of the most recent IDSs for MANETs are based on them (Sen and Clark, 2009). More specifically, the cooperative architectures include an intrusion detection engine installed in every node, which monitors local audit data and exchanges audit data and/or detection outcomes with neighboring nodes in order to resolve detections that are inconclusive on the basis of a single node’s audit data. The hierarchical architectures amount to a multilayer approach, dividing the network into clusters. Specific nodes are selected (based on specific criteria) to act as cluster-heads and undertake various responsibilities and roles in intrusion detection that are usually different from those of the simple cluster members. The latter typically run a lightweight local intrusion detection engine that performs detection only on local audit data, while the cluster-heads run a more comprehensive engine that acts as a second layer of detection based on audit data from all the cluster members.
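The difference between a stand-alone and a cooperative (or hierarchical) decision described above, as an added toy model that is not code from the paper. Each node keeps watchdog-style counts of packets it handed to a monitored neighbor versus packets it overheard that neighbor forward; the audit records, thresholds, node names, and the "disputed" outcome are constructed assumptions.

```python
"""Stand-alone vs. pooled (cooperative/hierarchical) misbehavior verdicts.
Added illustration; audit counts below are constructed, not measured."""
from collections import defaultdict

# Constructed audit data: (observer, monitored, handed_over, forwarded).
AUDIT = [
    ("A", "M", 3, 3), ("B", "M", 3, 3), ("C", "M", 3, 3), ("D", "M", 3, 3),   # M: benign
    ("A", "N", 3, 1), ("B", "N", 3, 0), ("C", "N", 2, 1), ("D", "N", 3, 1),   # N: drops packets
    ("A", "P", 3, 3), ("B", "P", 3, 3), ("C", "P", 3, 3), ("D", "P", 30, 0),  # P: benign, D reports falsely
]

DROP_THRESHOLD = 0.5  # assumed: a drop ratio above this counts as misbehavior
MIN_SAMPLES = 8       # assumed: fewer handed-over packets gives no verdict
QUORUM = 0.5          # assumed: fraction of observers that must agree


def drop_ratio(handed, forwarded):
    """Fraction of handed-over packets that were never seen forwarded."""
    return 1.0 - forwarded / handed if handed else 0.0


def stand_alone_verdict(observer, monitored, audit=AUDIT):
    """Stand-alone architecture: only the observer's own audit data is used."""
    rows = [(h, f) for o, m, h, f in audit if o == observer and m == monitored]
    handed, fwd = sum(h for h, _ in rows), sum(f for _, f in rows)
    if handed < MIN_SAMPLES:
        return "inconclusive"  # too little local evidence to decide
    return "malicious" if drop_ratio(handed, fwd) > DROP_THRESHOLD else "benign"


def cooperative_verdict(monitored, audit=AUDIT):
    """Neighbors pool their audit data (a cluster-head doing the same over its
    members is the hierarchical variant). Pooling resolves the small-sample
    case, but a quorum of observers must independently see the misbehavior so
    that a single forged report cannot convict a node on its own."""
    per_observer = defaultdict(lambda: [0, 0])
    for o, m, h, f in audit:
        if m == monitored:
            per_observer[o][0] += h
            per_observer[o][1] += f
    if not per_observer:
        return "inconclusive"
    handed = sum(h for h, _ in per_observer.values())
    fwd = sum(f for _, f in per_observer.values())
    if handed < MIN_SAMPLES:
        return "inconclusive"
    if drop_ratio(handed, fwd) <= DROP_THRESHOLD:
        return "benign"
    agreeing = sum(1 for h, f in per_observer.values()
                   if drop_ratio(h, f) > DROP_THRESHOLD)
    if agreeing / len(per_observer) >= QUORUM:
        return "malicious"
    return "disputed"  # pooled counts look bad but few observers agree: check the reporters


if __name__ == "__main__":
    for node in ("M", "N", "P"):
        local = {o: stand_alone_verdict(o, node) for o in "ABCD"}
        print(node, "stand-alone:", local, "| pooled:", cooperative_verdict(node))
```

With the constructed data, every stand-alone verdict on N is inconclusive (each observer saw at most three packets), while pooling convicts N; for P, pooling alone would convict a benign node on D's forged counts, which the quorum check turns into a disputed result instead.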

The employed intrusion detection engines are also classified into three main categories: (i) signature-based engines, which rely on a predefined set of patterns to identify attacks; (ii) anomaly-based engines, which rely on particular models of nodes’ behavior and mark nodes that deviate from these models as malicious; and (iii) specification-based engines, which rely on a set of constraints (i.e., a description of the correct operation of programs/protocols) and monitor the execution of programs/protocols with respect to these constraints.

IDSs for MANETs have attracted much attention recently and thus there are many publications that propose new IDS solutions or improvements to existing ones, focusing on both IDS architectures and detection engines. On the other hand, little work has been done on evaluating and comparing them to reveal their advantages as well as their limitations and weaknesses, which constitute the open issues that will drive the next research steps in the area of MANET security. Towards this direction, Sun et al. (2007a) have presented a survey of IDSs for MANETs and wireless sensor networks, concentrating on the detection engines employed. Similarly, Azer et al. (2005) briefly discuss the anomaly-based detection engines used in IDSs for MANETs. However, both works mainly focus on solutions published before 2004 (except for one (Sun et al., 2007b) in the former).

Brutch and Ko (2003) provide a brief analysis of several proposed IDSs for MANETs, focusing mainly on their architectures. However, the analyzed solutions have been designed to protect the routing mechanism of the dynamic source routing protocol (DSR), operating as extensions to it, and thus they do not address the wider area of intrusion detection in MANETs. Mishra et al. (2004) present a more detailed analysis of IDSs for MANETs following: (i) an outline of the security vulnerabilities of MANETs; (ii) some design characteristics of IDSs for MANETs; and (iii) some fundamental requirements that an IDS for MANETs should meet. The architectures of the analyzed IDSs are elaborated and briefly compared with the set of fundamental requirements introduced by the authors. Li and Wei (2004) briefly overview some IDS architectures for MANETs and compare them in terms of implementation-specific issues. Anantvalee and Wu (2006) perform a more comprehensive analysis of some IDS architectures for MANETs. Finally, Sen and Clark (2009) present the latest survey of IDSs for MANETs, revealing the weaknesses of each one. However, the IDS solutions studied in the aforementioned works were published before 2006. Moreover, the considered architectures are hardly evaluated and compared with respect to performance and security factors, such as the consumption of processing and communication resources, the fair distribution of the workload among the network nodes, the impact of nodes’ mobility on the detection accuracy and the rate of false positives, the vulnerabilities of the architectures to attacks, etc.

This paper evaluates and compares the most prominent IDS architectures for MANETs, which represent the most recent developments in this area. For each IDS, the architecture and the related functionality are briefly presented and analyzed, focusing on both the operational strengths and weaknesses. Moreover, methods and techniques that have been proposed to improve their performance and the security services they provide are evaluated, and their shortcomings or weaknesses are presented. A comparison of the studied IDS architectures is carried out using a set of critical evaluation metrics, which derive from: (i) the deployment, architectural, and operational characteristics of MANETs; (ii) the special requirements of intrusion detection in MANETs; and (iii) the analysis carried out, which reveals the most important strengths and weaknesses of the existing IDS architectures. The evaluation metrics are divided into two groups: the first relates to performance and the second to security. Finally, based on the evaluation and comparison, a set of design features and principles is presented that future research on designing and implementing IDSs for MANETs has to address and satisfy.

The rest of this article is organized as follows. Sections 2, 3 and 4 (Stand-alone, Cooperative and Hierarchical IDS architectures) briefly analyze and evaluate the stand-alone, cooperative and hierarchical IDS architectures for MANETs, respectively, focusing on their advantages and limitations. Section 5 compares the studied IDS architectures, using a set of performance and security metrics. Section 6 highlights some design features and principles that are derived from the analysis, evaluation, and comparison carried out. Finally, Section 7 contains the conclusions.

Section snippets

Stand-alone IDS architectures

The stand-alone IDS architectures are based on a self-contained approach for detecting malicious actions at each network node. In this section, we briefly present and evaluate the most recent stand-alone IDS architectures for MANETs (i.e., the battery-based, threshold-based, and two-stage IDS architectures), focusing on the strengths and weaknesses of each one, which are summarized in Table 1 to allow their comparison.

Jacoby and Davis (2007) have proposed a stand-alone architecture for detecting

Cooperative IDS architectures

In the cooperative IDS architectures an intrusion detection engine is installed in every node monitoring local audit data and providing intrusion detection. To resolve inconclusive intrusion detections and detect more accurately advanced types of attacks, detection engines may cooperate with engines of neighboring nodes through the exchange of audit data or detection outcomes.

Hierarchical IDS architectures

In the hierarchical IDS architectures the network nodes are divided into cluster-heads and cluster members. The latter typically run a lightweight local intrusion detection engine, while the former run a comprehensive engine that processes raw or pre-processed audit data from all the cluster members.

A comparative evaluation of the IDS architectures

This section provides a comparative evaluation of the studied IDS architectures using a set of critical evaluation metrics, which are elaborated below. These metrics derive from: (i) the deployment, architectural, and operational characteristics of MANETs; (ii) the special requirements of intrusion detection in MANETs; and (iii) the analysis carried out, which reveals the most important strengths and weaknesses of the existing IDS architectures.

Design principles for MANET IDSs

Based on the evaluation and comparison carried out, this section presents a set of features and principles that future research on designing and implementing IDSs for MANETs has to address and satisfy. It may not be feasible for a single IDS to deal with all of them, but their objective is to stimulate and drive research activities in this area.

IDSs for MANETs should consider the limited resources available in them and aim at limiting the related processing and communication overheads.

Conclusions

IDSs for MANETs have attracted much attention recently and thus there are many publications that propose new IDS solutions or improvements to existing ones, focusing on both IDS architectures and detection engines. This paper has evaluated and compared the latest and most prominent IDS architectures for MANETs, classified as: (i) stand-alone, (ii) cooperative, and (iii) hierarchical. Based on the analysis carried out, it can be deduced that the existing IDS architectures for MANETs present

References (25)

  • Deng H, Xu R, Li J, Zhang F, Levy R, Lee W. Agent-based cooperative anomaly detection for wireless ad hoc networks. In:...
  • Djenouri D, et al. A survey of security issues in mobile ad hoc networks. IEEE Communications Surveys (2005).
Cited by (50)

  • An efficient intrusion detection in resource-constrained mobile ad-hoc networks (2018, Computers and Security). Citation excerpt:

    This activation mode enhances the ability of an IDS based on the defense coalition to reduce the false negative rates. However, the activation of both intrusion detection systems of the coalition (formed by the cluster-head and a target node) could seriously reduce the network energy over time and cause an irrational consumption of the nodes resources, leaving the network unprotected (Xenakis et al., 2011). On the other hand, the non-collaborative intrusion detection assumes that only the NIDS of the cluster-head monitors the inbound traffic intended to the target node.

  • Analyzing, quantifying, and detecting the blackhole attack in infrastructure-less networks (2017, Computer Networks). Citation excerpt:

    To this end, the attack is carried out in two steps: in the first step, during a route discovery process, the malicious node will modify a critical AODV protocol field in order to falsely advertise itself as the most up to date path to the destination (and thus win all of the received route requests); while in the second step, during the transmission of data by legitimate nodes, it will drop any data packets that are forwarded to it. To address blackhole attacks, several detection mechanisms have been proposed in the literature [8] (i.e., analyzed in sect. 2.3 of this paper). However, the majority of these mechanisms attempt to resolve if a blackhole attack takes place based on the second step of the attack (i.e., packet drop) and thus, they are effective only when the malicious node indiscriminately drops all the forwarded traffic.

  • Intrusion detection in Mobile Ad-hoc Networks: Bayesian game formulation (2016, Engineering Science and Technology, an International Journal). Citation excerpt:

    Therefore, nodes in MANETs must cooperate in many aspects including intrusion detection for their well being [6–8]. IDSs have been deployed with great degree of success across diverse domains like wireless Ad-hoc networks [5,9], MANETs [10–12], wireless sensor networks [13], cyber-physical system [14], cloud computing [15], large scale complex critical infrastructures [16] etc. In this paper, we focus on IDS for MANETs.

  • DEFIDNET: A framework for optimal allocation of cyberdefenses in Intrusion Detection Networks (2015, Computer Networks). Citation excerpt:

    Then, Fung reviews the main proposals for IDNs, analyzing the adversarial possibilities in terms of the proposed attacks for each proposal. Xenakis et al. [14] provide a survey of IDN for MANETs, showing weaknesses of these architectures. Each of the weaknesses proposed can be viewed as adversarial capabilities to attack the ID network.

About the authors

Dr. Christos Xenakis received his B.Sc. degree in computer science in 1993 and his M.Sc. degree in telecommunication and computer networks in 1996, both from the Department of Informatics and Telecommunications, University of Athens, Greece. In 2004 he received his Ph.D. from the University of Athens (Department of Informatics and Telecommunications). From 1998 to 2001 he was with a Greek telecoms system development firm, where he was involved in the design and development of advanced telecommunications subsystems. From 1996 to 2007 he was a member of the Communication Networks Laboratory of the University of Athens. Currently, he is a lecturer (faculty of the Department of Digital Systems) and a member of the System Security Laboratory of the University of Piraeus, Greece. He has participated in numerous projects realized in the context of EU Programs and his research interests are in the field of system and network security.

Christoforos Panos received his B.S. degree in 2003 at Roosevelt University and his M.S. degree in 2005 at the Illinois Institute of Technology, both in Computer Science. He is currently working towards his Ph.D. at the University of Athens in the area of intrusion detection for Ad Hoc Networks. He is a member of the Franklin Honor Society (Roosevelt University) and of the Systems Security Laboratory (University of Piraeus), and he has participated in several projects realized in the context of EU Programs. His research interests are in the field of system and network security, more specifically cross-layer security for mobile ad hoc and p2p networks, as well as the design and development of intrusion detection systems.

Ioannis Stavrakakis, IEEE Fellow: Diploma in Electrical Engineering, Aristotelian University of Thessaloniki (Greece), 1983; Ph.D. in EE, University of Virginia (USA), 1988; Assist. Prof. in CSEE, University of Vermont (USA), 1988–1994; Assoc. Prof. of ECE, Northeastern University, Boston (USA), 1994–1999; Assoc. Prof. of Informatics and Telecommunications, University of Athens (Greece), 1999–2002 and Prof. since 2002. Teaching and research interests are focused on resource allocation protocols and traffic management for communication networks, with recent emphasis on: peer-to-peer, mobile, ad hoc, autonomic, delay tolerant and future Internet networking. His research has been published in over 180 scientific journals and conference proceedings and was funded by NSF, DARPA, GTE, BBN and Motorola (USA) as well as Greek and European Union (IST, FET, FIRE) funding agencies. He has served repeatedly in NSF and EU-IST research proposal review panels and has been involved in the TPC and organization of numerous conferences sponsored by IEEE, ACM, ITC and IFIP societies, including: organizer of the 1999 IFIP WG6.3 workshop, the COST-NSF NeXtworking’03, the Workshop on Autonomic Communications (WAC2005); co-organizer of the 1996 ITC Mini-Seminar, the IEEE Autonomic Opportunistic Communications (AOC’07/’08); technical program co-chair for the IFIP Networking’00, EWC’04, IFIP WiOpt’05, COST-NSF NeXtworking’07; general co-chair for Networking’2002, IFIP MedHocNet’07. He has served as the chairman of IFIP WG6.3 and elected officer for the IEEE Technical Committee on Computer Communications (TCCC). He is an associate editor for the ACM/Kluwer Wireless Networks and Computer Communications journals and has served on the editorial board of the IEEE/ACM Transactions on Networking and the Computer Networks journals. He is currently the head of the Communications and Signal Processing Division of his department.