In this section, we detail our proposed intrusion detection system - ZBIDS. From the system aspect, we attach an IDS agent to each mobile node. These IDS agents run independently and monitor local activities to detect abnormal behaviors. We choose to implement an anomaly detection algorithm because it is expected that more types of attacks will be launched against MANETs in the future. It is also difficult to obtain the complete trace of the attacks, which are often required in designing a misuse detection algorithm.
We logically divide the network into nonoverlapping zones to manage the locally generated alerts. By integrating the network information from a wider area, this management framework could reduce false positive ratio and improve detection ratio. Therefore, the description of ZBIDS mainly consists of two parts: the overall network framework and the internal conceptual model of each IDS agent.
1. ZBIDS Framework
We adopt a zone-based intrusion detection framework because of the following considerations:
• Due to the dynamic nature of MANETs, alert flooding is expected in such an environment. Attacks are likely to generate multiple related alerts. By creating some alert concentration points, we can logically group related alerts together and reduce the false alarms generated for various reasons.
• A flat architecture is undesirable in managing the alerts. When the network becomes very large, scalability will be a serious problem. It is also unrealistic to have a centralized console in MANETs to manage all of the alerts because of the complicated mobility management and the issue of network reliability caused by the single point of failure.
A problem with a hierarchical approach in MANETs, however, is the cost of maintaining the hierarchy in the face of mobility. When mobility is high, the message overhead introduced to create and maintain the hierarchy becomes unbearable.
We thus adopt a nonoverlapping zone-based framework because the communication overhead for creating and maintaining the topology is small [47]. It also requires little mobility management effort. In fact, ZBIDS requires only a few extra control messages propagated within the zone in order to maintain the framework. Nevertheless, the selection of the zone size is critical and depends on factors such as node mobility, network density, transmission power, propagation characteristics, etc. The zone size should be neither too large nor too small. A large zone size compromises the advantage of using the hierarchical structure, since the broadcast alerts may involve large communication overhead. Conversely, if the zone size is too small, the alert management nodes cannot collect enough information for aggregation.
The formation and the maintenance of zones are beyond the research topic in this dissertation. In a simple approach, the zones can be obtained based on geographic partitioning. Based on network connectivity, each node can be classified into one of two categories: the interzone node (also called the gateway node) and the intrazone node. With the availability of GPS, it is possible for a mobile host to know its physical location. It can then determine its zone ID by mapping its physical location to a zone map, which has to be worked out at the design phase. By some local broadcast mechanism (e.g., Hello messages), each node can learn the information of its neighbors. Therefore it can determine whether it is an interzone node or an intrazone node. A node may change its role over time due to mobility. An example of ZBIDS is depicted in Fig. 3.
Fig. 3. The Zone Based IDS Framework for Mobile Ad Hoc Networks.
In Fig. 3, nodes 4, 7 and 8 are the gateway nodes of zone 5. Each mobile node has an IDS agent attached, and all of these agents collaboratively perform the intrusion detection task. Each IDS agent runs independently to monitor its system activities, such as the user behavior, system behavior, radio communication activities, etc., and performs intrusion detection tasks locally. Intrazone nodes will report their locally generated alerts to the gateway nodes in the same zone, and the gateway nodes will aggregate and correlate the received alerts. Gateway nodes in neighboring zones can further collaborate in order to perform intrusion detection tasks in a wider area.
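The zone assignment, role determination and alert reporting described above, as an added illustration that is not part of the dissertation or its ZBIDS implementation. It assumes a 3x3 grid zone map with 100 m square zones and a 60 m radio range (design-phase parameters chosen here for the example), uses global node positions in place of Hello messages to find neighbors, and constructs a four-node topology and two routing-layer alerts as sample input; the alert type name `route_drop` is a hypothetical label.

```python
import math
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed design-phase parameters (not from the dissertation): the zone map is a
# 3x3 grid of square zones with 100 m edges, and the radio range is 60 m.
ZONE_SIZE = 100.0
ZONE_COLS = 3
RADIO_RANGE = 60.0


@dataclass
class Node:
    node_id: int
    x: float  # GPS-derived position
    y: float
    # Alerts held for aggregation: (alert_type, suspect_node, reporter_node)
    alerts: List[Tuple[str, int, int]] = field(default_factory=list)


def zone_id(x: float, y: float) -> int:
    """Map a physical location to a 1-based zone ID via the grid zone map."""
    col = int(x // ZONE_SIZE)
    row = int(y // ZONE_SIZE)
    return row * ZONE_COLS + col + 1


def neighbors(node: Node, nodes: List[Node]) -> List[Node]:
    """Nodes within radio range; in a deployment this comes from Hello messages."""
    return [n for n in nodes
            if n is not node and math.hypot(n.x - node.x, n.y - node.y) <= RADIO_RANGE]


def is_gateway(node: Node, nodes: List[Node]) -> bool:
    """Interzone (gateway) node: at least one neighbor sits in a different zone."""
    my_zone = zone_id(node.x, node.y)
    return any(zone_id(n.x, n.y) != my_zone for n in neighbors(node, nodes))


def gateways_of(zone: int, nodes: List[Node]) -> List[Node]:
    """All gateway nodes of a zone; several may exist, so there is no single point of failure."""
    return [n for n in nodes if zone_id(n.x, n.y) == zone and is_gateway(n, nodes)]


def report_alert(reporter: Node, alert_type: str, suspect: int, nodes: List[Node]) -> List[int]:
    """Deliver a locally generated alert.

    A gateway keeps its own alert for aggregation; an intrazone node forwards the
    alert to every gateway of its zone. Returns the IDs of nodes that stored it.
    """
    record = (alert_type, suspect, reporter.node_id)
    if is_gateway(reporter, nodes):
        reporter.alerts.append(record)
        return [reporter.node_id]
    targets = gateways_of(zone_id(reporter.x, reporter.y), nodes)
    for gw in targets:
        gw.alerts.append(record)
    return [gw.node_id for gw in targets]


def aggregate(gateway: Node) -> Dict[Tuple[str, int], Dict[str, object]]:
    """Group alerts about the same suspect and attack type, counting distinct reporters.

    An alert corroborated by several independent reporters is more credible than a
    single local alert, which is how the gateway can lower the false positive ratio.
    """
    grouped: Dict[Tuple[str, int], set] = defaultdict(set)
    for alert_type, suspect, reporter in gateway.alerts:
        grouped[(alert_type, suspect)].add(reporter)
    return {key: {"reporters": sorted(r), "count": len(r)} for key, r in grouped.items()}


def build_sample_network() -> List[Node]:
    """Constructed topology: nodes 1 and 2 in zone 1, node 3 in zone 2, node 4 in zone 4."""
    return [Node(1, 50, 50), Node(2, 90, 50), Node(3, 120, 50), Node(4, 50, 120)]


def run_demo() -> Dict[Tuple[str, int], Dict[str, object]]:
    """Nodes 1 and 2 both raise a constructed routing alert about node 3; node 2 aggregates."""
    nodes = build_sample_network()
    by_id = {n.node_id: n for n in nodes}
    report_alert(by_id[1], "route_drop", 3, nodes)  # intrazone node forwards to gateway 2
    report_alert(by_id[2], "route_drop", 3, nodes)  # gateway keeps its own alert
    return aggregate(by_id[2])


if __name__ == "__main__":
    sample = build_sample_network()
    for n in sample:
        role = "gateway" if is_gateway(n, sample) else "intrazone"
        print(f"node {n.node_id}: zone {zone_id(n.x, n.y)}, {role}")
    print(run_demo())
```

Node 2 becomes a gateway only because node 3, within its radio range, maps to a different zone; node 4 has no neighbors at all and remains an intrazone node. Since roles are recomputed from current positions on every call, a node changing zones through mobility changes role without any extra control traffic.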
Zhang et al. proposed an intrusion detection architecture [1] in which only neighboring nodes can cooperate. When the network becomes very large, scalability will become a serious problem. In order to solve this problem, we adopt the zone-based architecture and introduce the concept of intrazone and interzone nodes in MANET IDSs. There may exist many gateway nodes in a zone, thus avoiding the issue of a single point of failure.
Intrusion detection must necessarily be deployed in various layers of networks. Certain attacks may be detected much earlier in the application layer, because it contains richer semantic information than the lower layers. For example, for a denial-of-service attack, the application layer may detect very quickly that a large number of incoming service connections have no actual operations; whereas the lower layers, which rely on information about the amount of network traffic (or the number of channel requests), may take longer to recognize the unusually high volume.
This research focuses on the attacks targeted at the routing layer, thus our IDS resides in the routing layer. It obtains data from routing caches to construct the classifier. Because of the distributed nature of ZBIDS, the communications among the IDS agents may rely on the underlying routing protocols.
In this research, we do not consider the following issues:
• We do not consider attacks targeted at the physical layer and the Medium Access Control layer. We focus on the routing attack and use it as the threat model to develop our whole system. However, ZBIDS is general and can accommodate attacks targeted at other layers easily.
• We do not consider the formation and maintenance of zones. That is, we assume that the network can be divided into nonoverlapping zones and that the zone partitioning mechanism is accurate and safe.
• We focus on the protection of MANETs. Preventing and detecting attacks aimed at the IDS itself will be another challenging research topic and is beyond the discussion of this research. Therefore, we do not consider the security issues of the IDS agent itself.
In the following sections, we describe the local detection model and aggregation algorithm used by the ZBIDS in detail.