Comprehensive Node Acknowledgement and Reliability Value (CNA-RV) Based IDS for AODV in MANET

(1)

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 4, Issue 2, February 2014)

Comprehensive Node Acknowledgement and Reliability

Value (CNA-RV) Based IDS for AODV in MANET

Deepak Chavan

1

, Pradeep Raghav

2

1_{Research Scholar,}2_{Assistant Prof., Dept. of CSE, SKSITS, Pithampur Road, Indore (M.P), India}

Abstract- MANET is a short term network which establishes for data transmission and then terminates. It works without the specific needs of device dependent infrastructure so called as mobile ad-hoc network. In this, mobile nodes are responsible for all the transmission and in this each mobile node behaves as a router. This routing will face all the issues related to routing. Out of these securities is the major concern which deals with all the type of attacks & data packet security. Nodes which are implicated in such type of security drops are called as malicious or misbehaving nodes. Some of these nodes is also affecting the actual processes of the system and may participate in unauthorized data modifications. Thus the mechanism used to prevent that comes under intrusion detection system. Such intrusions can be prevented by various existing security techniques like monitoring nodes, acknowledgement, data dropping & modifications analysis, delay reductions, and uneven behavior detections, etc. All the existing routing protocol assumes that the nodes within the range is behaving properly because they had not considered the mobility & network scenarios adoptions due to new nodes. So they are vulnerable to attacks launched by these misbehaving nodes & malfunctioning. However, there is not a deep study of the impact of such attacks on the performance of routing protocols through simulations. The existing static & dynamic routing protocols like ADOV, DSR, OLSR needs to be updated for providing better security against the issues. Our prime concern by proposing new updates for security is to demonstrate higher intrusion detection rates with minimized performance issues.

In this wok we are proposing new improved Comprehensive Node Acknowledgement and Reliability Value (CNA-RV) Based IDS through AACK for AODV protocol. It is a multistep process in which the node & its transmission are in control of some monitoring node. This node can generate responses on the basis of threshold. This quantity of response can be taken as major consideration for identification of intruder’s node.

Index Terms— MANET (Mobile Ad-Hoc Network); AODV (Ad-Hoc on Demand Distance Vector), CNA-RV (Comprehensive Node Acknowledgement and Reliability Value); IDS (Intrusion Detection System), TR (Total Response);

I. INTRODUCTION

MANET is a kind of network which have no central control authority and is formed a group of nodes able to communicate with each other in a specific range of transmission and is infrastructure independent. In this each node will serve as a infrastructure support for data or instruction transfer.

There is no controlling or monitoring authority for managing this communication. Instead of that each and every node will do the same. Here each node acts as a router and follows a topology which is static or dynamic in nature. Means it is keep changing as the mobility of node increases. Nodes within each other's radio range communicate directly via wireless links, while those that are far apart use other nodes as relays [1]. Nodes usually distribute the same physical media; they transmit and acquire signals at the same frequency band from the total available bandwidth Though the transmission is easy and not dependent the network is vulnerable to attack because the security mechanism is not properly initiated in such small range network. The probability of attack occurrence is more in MANET in comparison to any wired network.

There are various factors which open the loose zone for attack probability like unreliable association links of communication between the nodes, dynamically changing topology, limited power by battery etc. All this provides the vulnerable zone for different types of attacks. The mobile ad hoc networks are more prone to suffer from the malicious behaviors than the traditional wired networks [2]. Therefore, it becomes a compulsory event of handling against the security breaches which is coming day by day in wireless networks. As the uses and application of MANET is increasing in market, security mechanism will also need to be developed for each and every condition and issues. Most of the routing protocol working with MANET is short ranges and lightweight protocol because they need to be executed in mobile environment and hence its size and environment must be small.

(2)

International Journal of Emerging Technology and Advanced Engineering

II. BACKGROUND

Intrusion is a kind of unwanted activity occurs in the network causes its degradation. Hence it has to be detected at early stages of data transmission. This activity is going to be executed on malicious nodes in a range specific scenario. Multiple nodes can communicate simultaneously along with their routing topology updates at each node due to their mobility. This system is getting complex & weakness, which lead to most security problems. Intrusion detection can be used as a second wall of defense to protect the network from such problems. If the intrusion is detected, a response can be initiated to prevent or minimize harm to the system. Intrusion detection can be classified based on analyzing the historical data as either host-based or network-based. A network based IDS capture and analyses packets from network traffic while a host-based IDS uses operating system or application logs in its analysis.

Classification and Component of IDS [4]:

Normally the IDS works can be separated into two parts or components. First one is Similar Pattern Base IDS which are used to detect all those intrusions which are known or use before. The best example of this is Anomaly Base IDS that is used to detect all those intrusions which are not known or not use before in history. According to node, there are 3 types of IDS which are:

 Stand-alone IDS: It is used to operate on each node independently and monitor all events and make database.

 Cooperative and distributed IDS: It is used to operate on share information rule between all nodes and make database on all participating nodes in network and response.

 Hierarchical: It is used to operate on all child nodes or new nodes and only response in the case of intrusion Any IDS have two parts, features and algorithms.

To design an effective IDS mechanism some novel algorithms need to be developed and will serve as a core components of design given by some rules and feature driven approaches. Such features are the combination of facilities and output of the exacting algorithms. All the IDS have some of the common functionalities or components which are:

 Monitoring: use to monitor the nodes, neighbors or it.

 Database or log file: use to record event by intrusion effect, make statistics and share with other nodes.

 Response: after intrusion detect, what system or node can do in reply or response.

Among most of the responsive mechanism the famous one is Alarm signaling. In this the informative alarm signal is broadcasted to all the neighbors or these databases are flooded in log formats to entire node in the network. The type of IDS is depends upon the kind of response it is generating like flooding, monitoring updates, audits, database shares etc.

III. RELATED STUDY

Intrusion detection mechanism is a kind of data analysis mechanism which is voiding the rules for transmissions. Thus to develop a effective solution it needs to be updated with current classification and analysis mechanisms. During the last few years there are various approaches suggested regarding the intrusion systems, there guidelines, accurate detection mechanism etc. Out of those few are presented here as:

In the paper [5], the author examines the use of classification methods in intrusion detections. For that the paper had evaluated five supervised classification algorithms using several numbers of metrics. The paper is discussing the performance evaluation of intrusion detection system after using the classification mechanism. The paper also deals with tuning the classifiers for unknown type of attack which is determined by its historical data analysis. The approach used for this is called cross validation in which the data from the same types of attacks are available in all folds. This differs from real-world employment where unknown types of attacks may be present. The identified results indicate that weighted cost matrices can be used effectively which developing an anti intruders system.

For more enhance security some of the authors had focused their concerns on security techniques for intrusion preventions. Among them most useful is encryption and authentication which reduces the risks of intrusion processes but not been able to remove it completely. Thus in the paper [6], author proposes a new quantitative method for intrusion detection which is a behavioral anomaly based system. In this work the key entity is the local IDS agent to each mobile node. These agents run independently and monitor activities of the user and system as well as communication activities within their radio range to detect abnormal behavior.

(3)

International Journal of Emerging Technology and Advanced Engineering

At the primary level of work the approach is generating effective results with minimum load.

In the paper [8], a novel intrusion detection method is given by combining two anomaly methods Conformal Predictor k-nearest neighbor and Distance based Outlier Detection (CPDOD) algorithm. The combined effect of two anomaly methods CP-KNN and DOD in a conditional sequence structure gives better result and effective detections. A series of experimental results shows the effective detection of anomalies with low false positive rate and higher accuracy [8].

Some of the researchers had also focused their intensions towards the multi-functional intrusion detection system. Out of those this paper [9] gives the design of cross layer IDS which is very critical to detect. Such attacks targeted at or sourced from any layers rapidly. Hence the author gives a better intrusion detection mechanism based on anomaly detection by utilizing cluster data mining technique. The proposed cross-layer based intrusion detection architecture is designed to detect DoS attacks and sink hole attack at different layers of the protocol stack. The approach is also capable to detect various types of UDP flooding attack and sink hole attack in an efficient way [9]

Various other approaches are proposed in last few years based on existing mechanism like watchdog in [10]. As the main advantage of it is that the watchdog only needs local information and, therefore, it becomes quite difficult for it to be badly influenced by another node. But it has two disadvantages

(i) The watchdog is vulnerable to cooperative attacks and

(ii) It is not so accurate when we increase nodes mobility.

It also proposes an improvement in this mechanism which can be used in MANET. The watchdog is a basic module for several different IDS, doing an extra effort for improving it becomes a necessity. The proposed improvements can cope up well with the watchdog weaknesses based on kalman filters. Another improvement of the approach is avoidance of collaborative black-hole attack. A secure exchange of information among nodes allows determining whether if a node is acting as an accomplice, and also marks it as being malicious.

In the current paper [11], a comparison is made between various existing IDS based on inputs, outputs, processes, benefits and drops. After studying the various approaches and their benefits the paper also suggested some guidelines for selecting effective IDS for larger security. The paper also performs few experiments to prove the comparison results and will direct the further researches.

The paper also presents a case study of a MIS/CIS/CS curriculum on the first introduction of the new technology for IDS in MANET. Similarly carrying forward the above research concern a comparative study is developed to analyze the IDS architectures proposed in the existing literatures [12].

Taking forward the traditional intrusion detection mechanism some of the authors had worked with encryptions, firewalls etc. Thus to detect the unauthorized access to the system in early phases of interactions the author introduces IDAR, a signature-based Intrusion Detector dedicated to ad hoc routing protocols. This system is going to analyze the pattern of reuse. Result evaluation shows the limited resource consumption (e.g., memory and bandwidth) and high detection rate along with reduced false positives attacks [13].

IV. PROBLEM IDENTIFICATION

The intrusion detection mechanism is a kind of analysis process which separates the loyal data from the malicious data. This difference in data and node can be calculated by measuring the behaviour of each node in a network. Sometimes the actual node which is generating the normal data can also be taken as malicious data by existing intruder’s detection systems. Thus to make the system more accurate and fast is the prime objective of this work. Along with that the authors are also working with effective and accurate detections in time. As the MANET is not having any fixed infrastructure thus to provide or analyze each and every node in dynamically changing environment is very difficult. . The open medium and broad distribution of nodes make ad-hoc network vulnerable to intruders. Due to the nodes’ lack of physical security, malicious attackers can easily capture and compromise nodes to achieve attacks [14]. Intruders can easily compromise ad-hoc network by inserting malicious or non-cooperative nodes into the net. Furthermore, because of network distributed architecture and changing topology, a traditional centralized monitoring technique is no longer feasible in an ad - hoc network. In such scenario, it is important to develop an intrusion-detection system (IDS) due to the limitations of most MANET routing protocols, nodes in networks assume that other nodes always cooperate with each other to relay data [15]. This assumption leaves the attackers with the opportunities to achieve significant impact on the network with just one or two compromised nodes.

(4)

International Journal of Emerging Technology and Advanced Engineering

Working Scenarios Required: Compared with wired networks, where traffic monitoring is usually done at switches, routers and gateways, the mobile IDS must work with localized and partial data because the ad hoc environment does not have traffic concentration points where the IDS can collect audit data for the entire network.

Problem –I: With existing IDS it is very difficult to distinguish between normal traffic and intruder’s activity traffic. Thus the mechanism needs to be more predictive to preempt those data losses by malicious nodes. : In wireless network the connection is not stable and mobile nodes can join and leave the network at any time. For instance, a node which is temporarily out of synchronization may send packets that could be considered packets of attack activities

Problem-II: IDS should utilize minimum resources which are not followed in existing approaches. The wireless network does not have stable connection and physical resource of network and devices, such as bandwidth and power, are limited.

Problem–III: Current IDS mechanism is not able to detect false positive attacks and Partial drops started by intruder’s node. Thus this needs to be stopped.

Problem-IV: Lack of central monitoring points causes more affects on data losses and identity theft by maliciously behaving nodes. There are some more problems like: Ambiguous collisions, Receiver collisions, Limited transmission power (Links & Resources), false misbehavior report and Collision are the entities which are not handled by existing mechanism.

V. PROPOSED CNA-RVWORK

This paper gives a scheme to detect the maliciously misbehaving nodes having regular collisions and data droppings. Such nodes are also generating the false misbehaviors report that they are behaving well in the network and in real they are harming the network by dropping the data.

FIGURE 1:PROPOSED COMPREHENSIVE NODE ACKNOWLEDGEMENT AND RELIABILITY VALUE (CNA-RV)BASED IDS

Thus these nodes have to be detected effectively and on time. Such detection is quite complicated task because in this the actual traffic is analyses and after which the unreliable transmission is detected by comparing it with the patters of exiting flow. This wills helps in detection of uneven losses and flows. The suggested scheme will improves the weakness of existing IDS which fails to timely detect the false misbehaviour. This work proposes a novel Comprehensive Node Acknowledgement and Reliability Value (CNA-RV) Based IDS through AACK for AODV protocol. It works on the basis of following 4 modules. It starts with data gathering, categorization, processing and intimation.

The above approach is named as CNA because in this a comprehensive node characteristic is analyzed and monitored for intruder’s identification. And RV is added as a reliability value measures through a threshold for behaviour preemption.

(i) Data Analysis and Monitoring:

(5)

International Journal of Emerging Technology and Advanced Engineering

This identification unit analyzes the packets and continuously monitors the behaviour of the each node. This monitoring is applied on each node which works as a centrally monitoring proxy node. The main purpose of using such identification and monitoring node is to identify the uneven behavior of data transfer or losses which is planted by any intruder’s node. The identification units continuously exchange these data to map the unauthorized behavior identifications.

(ii) Data Categorization:

After the current network conditions and data are analyzed and captured it is further passed to data categorization module. It maps the data and distributes it into the six categories: Hosts Counts, Behavior Analysis, and Acknowledgement count, Neighbors count, Packet sent and received. It stores the useful patterns and information into some of the local data repository. Now this data is passed on to the next module of CNA-RV.

(iii) CNA-RV Processing for Intrusion Recognition: In this step the comprehensive node acknowledgement (CNA) starts getting the information related to maliciousness identification from analyzing the collected data. CNA works as a malicious behaviour identification unit by analyzing the patterns and information drops nodes by their generated log data. The module uses 3 steps for separating the data and predicts the intruder’s behaviour. These are response count, throughput generated analysis and packet drop ration analysis. Form the above steps the malicious behaviour is identified and intruders node is recognized. In CNA-RV processing unit the detailed data analysis is done for each and every node participating in data transfer thus if any one of it is behaving uneven and making the data losses or drops then it has to be identified. The above module uses a threshold value termed as reliability value (RV), below which each node is taken as malicious or intruder’s node. If the node is above a specific threshold then it is a legitimate node.

(iv) Intimation and Removal:

Later on after the intrusion is recognized the report is generated for false misbehavior measurement. This module measures the ratio of misbehaviour and the actual behavior. The detection is categorized is divided into further two types of data as a output like partial drops and collisions. Both of these entries is further transmitted to each and every node in the network as an updates. These updates contains the instructions to delete those entries form their routing information and stops any transmission form those routes.After applying all the above phases the accurate intrusion identification can be generated and gives effective results always.

VI. EXPECTED OUTCOMES

In order to measure and compare the performances of the proposed CNA-RV scheme, the work continue to adopt the two performance metrics, First is Packet delivery ratio (PDR) which defines the ratio of the number of packets received by the destination node to the number of packets sent by the source node. Second is Routing overhead (RO) which defines the ratio of the amount of routing-related transmissions such as RREQ, RREP, ACK, 2ACK, S-ACK etc. The proposed mechanism can be able to identify the attacks based on their types. This can be prevented before any damage or packet drops. In order to evaluate the effectiveness of the employed algorithms for the problem of intrusion detection following attack seems to be defended in near future.

Packet Dropping Attack: In this attack, the attacker rejects Route Error packets leading legitimate nodes to forward packets with broken links.

Flooding Attack: The malicious node broadcasts forged Route Request packets randomly to all nodes every 100 ms in order to overload the network.

Black Hole Attack: In this attack a malicious node advertises itself as having the shortest path to other nodes of the network. Nevertheless, as soon as it receives packets destined for other nodes, it drops them instead of forwarding to the final destination. In our simulation scenario, each time a malicious black hole node receives a Route Request packet it sends a Route Reply packet to the destination without checking if it really has a path towards the selected destination. Thus, the black-hole node is always the first node that responds to a Route Request packet. Moreover, the malicious node drops all Route Reply and Data packets it receives if the packets are destined to other nodes.

Forging Attack: A malicious node modifies and broadcasts to the victim node Route Error packets leading to repeated link features.

VII.CONSTRAINTS &ASSUMPTIONS

At this level of work the research is not complete. The authors are working on the real implementation and are clear that in near future the approach is quite effective while detecting intruders at very early stages of data transfer. Initially the simulation environment is considered is getting better result than existing approaches.

VIII. CONCLUSION

(6)

International Journal of Emerging Technology and Advanced Engineering

Some of these include the type of attacks which breaches its current security mechanism. Such type of networks is more vulnerable to attacks than wired networks. Since they have different characteristics, conventional security techniques are not directly applicable to them. Researchers currently focus on designing new prevention, detection and response mechanism for MANETs. In this paper, the work studied various existing mechanism to make some preventions regarding these intrusions. But they have some negatives also like timely analysis of misbehaving nodes, false identification, collision detection, central monitoring node, partial drops etc. Thus this work proposes an improved IDS solution for overcoming these issues. This work uses several exiting methodologies & suggested few modifications to them such as for AACK, AODV, @ACK- S-ACK, IDS etc. Thus this work proposes a novel Comprehensive Node Acknowledgement and Reliability Value (CNA-RV) based IDS through AACK for AODV protocol. Work uses a standard centrally controlled monitoring node (CNA) which listen the transmission of other nodes also. These transmissions had a value compared with standard threshold value to classify actual & misbehaving nodes. At the primary level of work, the approach seems to provide better results in near future.

IX.FUTURE WORK

Some problems and concepts that remain unaddressed can be performed in future. Such as with the help of pre-emptive approach more information can be added for exact timely analysis of intrusion & its successful detection with high accuracy. It can also be used for quantitative & qualitative analysis, rank ordering etc. We also embed source code of our proposed scheme in NS2. In our proposed scheme so as to use the benefits of approach like open source.

Acknowledgment

This research work is self financed but recommended from the institute so as to improve the security breaches with current techniques in MANET using IDS. Thus, the authors thank the anonymous reviewers for their valuable comments, which strengthened the paper. The authors also wish to acknowledge SKSITS administration for their support & motivation during this research. They also like to give thanks to Dr.G.D.Gidwani & Mr.Praveen Goyal for discussion regarding the situational awareness system & for producing the approach adapted for this paper.

REFERENCES

[1] O. V. Chandure , A. P. Bakshi, S. P. Tidke and P. M. Lokhande, “Simulation of Secure AODV in Gray Hole Attack for Mobile Ad-Hoc Network”, in International Journal of Advances in Engineering & Technology, ISSN: 2231-1963, Vol. 5, Issue 1, Nov. 2012. , pp. 67-76.

[2] G. S. Mamatha1 and Dr. S. C. Sharma,”A New Combination Approach to Secure MANETS Against Attacks”, International Journal of Wireless & Mobile Networks (IJWMN), DOI: 10.5121/ijwmn.2010.2406, Vol.2, No.4, November 2010. [3] Marjan Kuchaki Rafsanjani, Ali Movaghar, and Faroukh Koroupi,

“Investigating Intrusion Detection Systems in MANET and Comparing IDSs for Detecting Misbehaving Nodes”, in World Academy of Science, Engineering and Technology, 2008. [4] M Salman Ashraf1 and Muhammad Raheel2, “RGB Technique of

Intrusion Detection in IEEE 802.11 Wireless Mesh Networks”, IJCSI International Journal of Computer Science Issues, ISSN (Online): 1694-0814, Vol. 9, Issue 2, No 2, March 2012, pp 306-313.

[5] Aikaterini Mitrokotsa and Christos Dimitrakakis, “Intrusion detection in MANET using classification algorithms: The effects of cost and model selection”, in ScienceDirect Elsevier Publication, Journal of Ad-Hoc Networks, ISSN: 1570-8705, available at http://dx.doi.org/10.1016/j.adhoc.2012.05.006, 2012.

[6] S.Mamatha and Dr A Damodaram, “Quantitative Behavior Based Intrusion Detection System for MANETS”, in Proc. of the Intl. Conf. on Advances in Computing and Communication (ICACC), ISBN: 978-981-07-6260-5 doi:10.3850/ 978-981-07-6260-5_59, April 2013.

[7] Elhadi M. Shakshuki, Nan Kang, and Tarek R. Sheltami, “EAACK—A Secure Intrusion-Detection System for MANETs”, in IEEE Transaction on Industrial Electronics, ISSN: 0278-0046, Vol. 60, No 3, March 2013.

[8] Farhan Abdel-Fattah, Zulkhairi Md. Dahalin and Shaidah Jusoh, “Dynamic Intrusion Detection Method for Mobile Ad Hoc Network Using CPDOD Algorithm”, in IJCA Special Issue on “Mobile Ad-hoc Networks” MANETs, 2010.

[9] Rakesh Shrestha, Kyong-Heon Han, Dong-You Choi and Seung-Jo Han, “A Novel Cross Layer Intrusion Detection System in MANET”, in IEEE International Conference on Advanced Information Networking and Applications, ISSN 1550-445X/10, DOI 10.1109/AINA.2010.52, 2010.

[10] Tushar Sharma, Mayank Tiwari, Prateek kumar Sharma, Manish Swaroop and Pankaj Sharma, “An Improved Watchdog Intrusion Detection Systems In Manet”, in International Journal of Engineering Research & Technology (IJERT), ISSN: 2278-0181, Vol. 2 Issue 3, March-2013.

[11] Yi Li and June Wei, “Guidelines on Selecting Intrusion Detection Methods in MANET”, in Proc. of ISECON (EDSIG), Vol.21, (Newport): §3233 (refereed), 2004.

[12] Farzneh Pakzad, Marjan Kuchaki Rafsanjani and Arsham Borumand Saeid, “The Improvement Steps of Intrusion Detection System Architectures of MANET”, in IJMAS, ISSN: 0973-7545, Vol. 22, Issue S11, 2011.

[13] Mouhannad Alattar, Françoise Sailhan and Julien Bourgeois, “Lightweight Intrusion Detection: Modeling and Detecting Intrusions Dedicated to OLSR Protocol”, in International Journal of Distributed Sensor Networks Volume 2013, Article ID 521497, 20 pages at http://dx.doi.org/10.1155/2013/521497.

[14] Charlie Obimbo and Liliana Maria Arboleda Cobo, “An Intrusion Detection System for MANET”, Communications of Information Science and Management Engineering (CISME), Vol.2 No.3, 2012. pp.1-5