Distributed Court System for intrusion detection in mobile ad hoc networks
Introduction
The characteristics of MANETs, namely autonomy without infrastructure support and robustness to single points of failure, lend themselves to simple and quick deployment in scenarios such as disaster relief, battlefields and exploration of unknown spaces. With the growing popularity of MANETs, their security problems have also gained great attention. It has been realized that standard preventive mechanisms, such as encryption and authentication, are inadequate on their own, especially against attacks from insiders, i.e. nodes that hold valid credentials and keys. An Intrusion Detection System (IDS), serving as the second line of defence, has therefore become an indispensable complement in securing MANETs.
In this paper, we focus on securing network-layer operations, more specifically the generation and delivery of routing information. Many papers (Ning and Sun, 2005, Hu et al., 2006, Hu et al., 2003, Hollick et al., 2004) have studied how attacks in the network layer are mounted and what their consequences are. The common idea of these attacks is to attract data traffic by generating misleading routing information that places the attacker on the apparently optimal paths; the data packets so attracted can then be dropped or corrupted, either arbitrarily or with some probability. For example, in the Optimized Link State Routing (OLSR) protocol an attacker can list a bogus neighbour in the Topology Control (TC) message it broadcasts, so that data destined for that neighbour is routed through the attacker; in the Ad hoc On-Demand Distance Vector (AODV) protocol an attacker can answer a Route Request with a route whose distance metric is smaller than its actual distance to the destination. Note that in both cases the forged message is a well-formed protocol message from a legitimately keyed node, which is why authentication alone does not stop it. Such attacks have been shown to severely degrade network performance in terms of flow throughput, communication overhead and other metrics.
Among the numerous related works (Kannhavong et al., 2008, Marti et al., 2000, Huang and Lee, 2003, Awerbuch et al., 2008, Zhang et al., 2003, Sun et al., Yang et al., 2006) that tackle network-layer threats, our work aims to build a complete system that meets some key requirements of an IDS using a novel and light-weight architecture. Here we describe the two most important requirements: decision accuracy and tolerance to malicious accusation.
First, decision accuracy is commonly measured by the false positive rate, which is usually quite high in a mobile wireless environment. An independent detection method, one that runs on each node and detects anomalies from that node's own observations, is easy to implement and highly flexible. However, it shows its weakness under high mobility of the communicating nodes and highly unreliable wireless channels, which produce unpredictable discrepancies between different nodes' observations of the same network events. A single node that lacks the necessary information may then punish an innocent node while the attacker gets away. The challenge is to develop an effective cooperation mechanism for information integration, so that decision accuracy is improved by combining the relevant observations of other nodes.
Second, an accusation in a network security system is a message by which one monitoring entity informs the other nodes of its detection result. Adversarial nodes can disseminate malicious accusations against innocent nodes, and the victim then suffers isolation from network resources. This problem disappears if dissemination of accusations is forbidden, but that approach has been shown to be inefficient in terms of detection delay (Buchegger and Le Boudec, 2003). It can also be solved by a central authority that has global information, inspects every issued accusation and suppresses invalid ones. A central authority is, however, quite difficult to realize in a mobile ad hoc network and introduces problems of its own: a single point of failure, an insecure communication route, and noticeable communication delay between the central authority and the requesting node. The challenge here is to implement the function of such a central authority in a distributed manner with low overhead and low delay.
In this paper we present a novel IDS architecture, the Distributed Court System (DCS), to address the challenges described above. The design of DCS is inspired by court procedures in the justice system. A court in real life is the centralized recourse for dispute resolution: every citizen has the right to bring before a court an accusation against someone suspected of illegal behaviour (we call such a citizen the accuser); the accused, or defendant, has the right to present a defence, which may be supported by witnesses, if any; and the judge has the authority to make the final decision after examining the information and evidence collected. The court model therefore fits the two requirements mentioned above:
- (1) Decision accuracy: before the final decision, the judge hears the defence, records the statements of witnesses and collects proof. This is a comprehensive process of information integration that brings the case much closer to the truth.
- (2) Tolerance to malicious accusation: every accusation passes through an inspection process, including the defence of the accused and a thorough examination by the judge. A malicious accusation is therefore detrimental to the credibility of its initiator, that is, of the attacker itself.
The main contributions of our proposed DCS are as follows:
- Implementing the distributed protocol used by the network nodes to emulate the functions and procedures of courts in real life.
- Proposing an algorithm for accusation rate control, in order to further save the bandwidth consumed by the detection system.
- Proposing a timer-based mechanism for robust cooperative investigation and mathematically analysing the time consumed in the cooperation process.
- Applying DCS to protect the routing functions of OLSR, with thorough performance evaluation in NS-2 under different movement scenarios.
Our simulation results show that the false positive rate is reduced by more than 90% compared with an independent detection method without information integration. At the same time, the detection rate is maintained at around 87% even when 20% of the nodes are malicious and the maximum node speed is 30 m/s. Delivery ratio is increased by up to 114% under the protection of DCS. The communication overhead introduced by DCS increases gracefully with mobility speed and is quite low compared with the traffic of the routing protocol and the delivery of data packets. The delay introduced by cooperative investigation is also kept very small, as analysed in Section 4.
The rest of the paper is organized as follows. Section 2 briefly describes the OLSR protocol and the security threats it faces. Section 3 details the design of each module in DCS, starting with an overview of the architecture and its operating modules in Section 3.1. Section 4 gives the mathematical analysis of the expected delay of the cooperative investigation process. Section 5 presents the simulation results in the context of OLSR. Section 7 reviews related work and Section 8 concludes the paper.
OLSR protocol and security threats
We use OLSR as the context to illustrate how the components of DCS work in Section 3. OLSR is chosen, as opposed to other routing protocols such as AODV, because of our preliminary work on IDS (Zhang and Yeo, 2010). In this section, we briefly describe the Optimized Link State Routing Protocol (OLSR) (Clausen and Jacquet, 2003) and some security threats it faces.
Distributed Court System design
In this part, we describe the design of DCS in detail. The outline of the system architecture is presented in Section 3.1. In Section 3.3, we describe a localized detection method in which each node detects anomalies in a distributed and localized manner. Upon detection of an anomaly, an accusation is issued (only) towards the neighbours of the suspicious node. How to deal with the possibility of overwhelming accusations from malicious nodes or unnecessary accusations from good nodes is described
Expected delay in investigation stage
In the timer-based cooperative investigation, an unconfident investigator issues its Investigation Message not immediately but upon expiry of its timer. This introduces extra delay before the accused node can correctly receive that Investigation Message. Because we adopt an inexact and loose coordination method, the extra delay may be further exacerbated by collisions, at the accused node, of Investigation Messages from two or more nodes whose timers expire in succession. In
Performance evaluation
We use the NS-2 simulator (T.V. Project) to evaluate DCS in the context of OLSR. The simulation parameters are listed in Table 1. An attack generation module is added to the simulator; it mounts link spoofing and link deletion attacks in OLSR in an easily configurable way. In our simulation, we evaluate the performance metrics of DCS with a default of 20 attackers (20% of the 100 nodes). The targets of attacks are selected randomly by each attacker, which is randomly chosen from 100 nodes and launches
Impact of attackers on the investigation process
A node can broadcast an Accusation message towards the neighbours of a suspicious node, thus triggering an investigation process against the suspicious one. Those neighbours then serve as investigators and together assume the logical role of judge. In reality, an attacker has no incentive to trigger an investigation against another attacker, given that they know each other before being deployed. However, attackers can trigger investigations against innocent nodes, which is referred to as
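To make the court flow concrete, the following is an added toy model that is not the authors' code. It ties together the court procedure from the introduction (accuser, defence, witnesses, judge) and the attacker-triggered investigation described above: a node runs a localized check of an OLSR TC message against the HELLO it heard from the originator, sends its accusation only to the originator's neighbours, those neighbours jointly decide, and a rejected accusation costs the accuser credibility until its later accusations are dropped. The topology, the TC/HELLO dictionaries, the integer credibility score, the rule that the accuser does not vote, and the abstention of an investigator that never heard the relevant HELLO are all assumptions made for illustration; the paper's own mechanisms (Investigation Messages, timers, rate-control algorithm) are not reproduced here.

```python
"""Toy model of a court-style investigation of an OLSR link-spoofing claim.

Added illustration, not the paper's code. Assumptions: the constructed topology,
the TC/HELLO dictionaries, the integer credibility score (start 2, minus 1 per
rejected accusation, accusations dropped below 1), the accused node's neighbours
minus the accuser acting as investigators, and abstention of an investigator
that never heard the relevant HELLO.
"""
from typing import Dict, Set

# Constructed symmetric topology (assumed): A-B-C-D chain plus B-E, C-E, E-D.
LINKS = {("A", "B"), ("B", "C"), ("C", "D"), ("B", "E"), ("C", "E"), ("E", "D")}

HelloTable = Dict[str, Dict[str, Set[str]]]   # observer -> originator -> neighbours heard


def neighbors(node: str) -> Set[str]:
    """1-hop neighbour set: what an honest node advertises in its HELLO and TC."""
    return {b if a == node else a for a, b in LINKS if node in (a, b)}


def local_verdict(observer: str, tc: Dict, hello_heard: HelloTable) -> str:
    """Independent (localized) check of one TC message by one node.

    A link claimed in the originator's TC but absent from the originator's own
    HELLO, as heard by this observer, is the link-spoofing signature. If the
    observer never heard (or lost) that HELLO it reports 'unknown' instead of
    guessing; this lost-observation case is what makes purely independent
    detection unreliable on a lossy, mobile channel.
    """
    heard = hello_heard.get(observer, {}).get(tc["orig"])
    if heard is None:
        return "unknown"
    return "suspect" if not tc["links"] <= heard else "clean"


def run_case(accuser: str, accused: str, tc: Dict, hello_heard: HelloTable,
             credibility: Dict[str, int], min_credibility: int = 1) -> str:
    """Court flow for one accusation.

    The accusation is delivered only to the accused node's neighbours, which act
    as investigators (witnesses) and jointly as the judge. An accuser whose
    credibility has dropped below min_credibility is ignored (rate control).
    Each investigator votes from its own observation; 'unknown' investigators
    abstain (the paper has them request evidence via an Investigation Message).
    The case is 'undecided' when nobody could vote, so that missing evidence is
    never charged to either side. A rejected accusation costs the accuser a point.
    """
    if credibility.get(accuser, 2) < min_credibility:
        return "dropped"
    investigators = neighbors(accused) - {accuser}      # accuser does not judge its own case
    votes = [local_verdict(inv, tc, hello_heard) for inv in investigators]
    suspect, clean = votes.count("suspect"), votes.count("clean")
    if suspect == 0 and clean == 0:
        return "undecided"
    if suspect > clean:
        return "guilty"
    credibility[accuser] = credibility.get(accuser, 2) - 1   # malicious or mistaken accusation
    return "not guilty"


def demo() -> Dict:
    """Constructed cases: a real link-spoofing TC, a repeated false accusation, no evidence."""
    hello_heard: HelloTable = {
        "A": {"B": neighbors("B")},
        "B": {"A": neighbors("A"), "C": neighbors("C"), "E": neighbors("E")},
        "C": {"B": neighbors("B")},
        "D": {"C": neighbors("C"), "E": neighbors("E")},
        "E": {},                       # E lost every HELLO (mobility / collisions)
    }
    credibility: Dict[str, int] = {}

    # Case 1: attacker C floods a TC that adds a bogus link C-A to attract A's traffic.
    spoofed_tc = {"orig": "C", "links": neighbors("C") | {"A"}}
    trigger = local_verdict("B", spoofed_tc, hello_heard)            # B's own detection fires
    v1 = run_case("B", "C", spoofed_tc, hello_heard, credibility)    # D votes suspect, E abstains

    # Case 2: attacker E repeatedly accuses honest B over B's genuine TC.
    honest_tc = {"orig": "B", "links": neighbors("B")}
    v2 = run_case("E", "B", honest_tc, hello_heard, credibility)     # A and C vote clean
    v3 = run_case("E", "B", honest_tc, hello_heard, credibility)     # credibility now exhausted
    v4 = run_case("E", "B", honest_tc, hello_heard, credibility)     # dropped before any vote

    # Case 3: D's only neighbour other than the accuser C is E, which has no evidence.
    v5 = run_case("C", "D", {"orig": "D", "links": neighbors("D")}, hello_heard, credibility)
    return {"trigger": trigger, "verdicts": [v1, v2, v3, v4, v5],
            "credibility_E": credibility["E"], "credibility_C": credibility.get("C", 2)}


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the paper argues: the lone observer B is right in case 1 but would also be the only evidence, whereas the neighbours of the accused node supply independent observations; in case 2 the false accuser E cannot harm B because B's other neighbours hold the contradicting HELLO, and E's credibility, not B's, is what erodes. Case 3 shows why abstention matters: when no investigator holds evidence, neither party should be penalised, which in the paper is where the timer-based Investigation Message comes in.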
Related works
The seminal work by Zhang and Lee (Zhang et al., 2003) is among the first to design an intrusion detection system for wireless ad hoc networks. Many subsequent works (Kannhavong et al., 2008; Marti et al., 2000; Huang and Lee, 2003; Awerbuch et al., 2008; Yi et al.) address different security problems in such networks. However, some of them focus only on independent detection and put less emphasis on collaboration among nearby nodes, which usually possess most
Conclusion
In this paper, we present a Distributed Court System (DCS) for intrusion detection in MANETs. Inspired by the procedures of courts in the justice system, DCS adopts a court-like structure that organizes a group of nodes neighbouring the suspicious node to collaboratively accept accusations, investigate their validity, and take action against malicious nodes. Such a system not only provides a way to detect attacks accurately and in a timely manner, but also increases the IDS's capability in reducing
Da Zhang received his BEng degree in Computer Science and Engineering from Tianjin University, Tianjin, China, in 2004. He is currently a PhD candidate in the School of Computer Engineering at the Nanyang Technological University, Singapore. His research interests include Ad Hoc network security, intrusion detection system, and mobile computing.
References (28)
- CASAN: clustering algorithm for security in ad hoc networks. Computer Communications (2008).
- Ning, P., Sun, K. (2005). How to misuse AODV: a case study of insider attacks against mobile ad-hoc routing protocols. Ad Hoc Networks.
- Awerbuch, B., et al. (2008). ODSBR: an on-demand secure Byzantine resilient routing protocol for wireless ad hoc networks. ACM Transactions on Information and System Security (TISSEC).
- A performance comparison of multi-hop wireless ad hoc network routing protocols.
- A robust reputation system for mobile ad-hoc networks.
- Buchegger, S., Le Boudec, J.-Y. (2003). Coping with false accusations in misbehavior reputation systems for mobile ad-hoc networks.
- Mobility helps security in ad hoc networks.
- Clausen, T., Jacquet, P. (2003). Optimized link state routing protocol (OLSR). RFC 3626.
- Implementation & evaluation of an IDS to safeguard OLSR integrity in MANETs.
- Hollick, M., et al. (2004). On the effect of node misbehavior in ad hoc networks.
- Huang, Y., Lee, W. (2003). A cooperative intrusion detection system for ad hoc networks.
- Hu, Y.-C., et al. (2003). Rushing attacks and defense in wireless ad hoc network routing protocols.
- Hu, Y.-C., et al. (2006). Wormhole attacks in wireless networks. IEEE Journal on Selected Areas in Communications.
- Kannhavong, B., et al. (2008). SA-OLSR: security aware optimized link state routing for mobile ad hoc networks.
Cited by (9)
- Fine-Grained Analysis of Packet Loss in MANETs. IEEE Access, 2017.
- MATF: a multi-attribute trust framework for MANETs. EURASIP Journal on Wireless Communications and Networking, 2016.
- Intrusion detection in mobile ad hoc networks: techniques, systems, and future challenges. Security and Communication Networks, 2016.
- Avoidance of blackhole attack using enhanced OLSR with ABHA algorithm. Asian Journal of Information Technology, 2016.
- Adaptive trust threshold strategy for misbehaving node detection and isolation. Proceedings of the 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2015), 2015.
Chai Kiat Yeo received her Bachelor of Engineering degree with first class honours and Master of Science degree in 1987 and 1991, respectively, both in electrical engineering, from the National University of Singapore. She obtained her Ph.D from the School of Electrical and Electronic Engineering, Nanyang Technological University in 2006. She is currently an Associate Professor with the Division of Computer Communications, School of Computer Engineering, Nanyang Technological University. She is currently the Associate Chair (Academic) and the Deputy Director of Centre for Multimedia and Network Technology (CeMNet). Her research interests include Ad Hoc and mobile networks, peer-to-peer systems, and speech enhancement & processing, etc.