International Journal of Emerging Technology and Advanced Engineering
Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 4, Issue 7, July 2014)
Performance Evaluation of Comprehensive Node Acknowledgement (CNA) Based IDS in MANET
Deepak Chavan1, Charan Singh2
1Research Scholar, 2Associate Prof., Dept. of CSE, SKSITS, Pithampur Road, Indore (M.P), India
Abstract - MANET is an infrastructure-less network with dynamically changing topologies and randomly communicating nodes. Here the mobile nodes communicate directly with other nodes without any router, and hence the required functionalities are embedded in each node. As the network is made of mobile nodes with less hardware configuration and fewer requirements than a router, the routing and the protocols used here have lightweight functionality. The protocols of MANET are categorized into two areas: proactive and reactive. This work deals with improving network security through intrusion detection for the AODV reactive protocol. The nodes which work towards degrading the normal network performance are known as malicious or attacker nodes. The kind of traffic generated by such nodes is malicious and affects the network lifetime and other performance factors. Also, the intruder nodes aim at modifying the actual information of the packets and forging them to divert the traffic through these malicious nodes, where it is later dropped or delayed. Thus such intruder nodes need to be identified in a timely manner to make network communication safe and secure. During the last few years various approaches have been suggested along with several intrusion detection systems, though some problems remain unaddressed and are not resolved as required. In the presence of these nodes, or when their detection is delayed, network performance degrades continuously. This paper proposes a novel scheme based on CNA (Comprehensive Node Acknowledgement) for AODV in MANET. The scheme is capable of detecting intruder nodes by continuously analysing the network parameters and collecting the acknowledgement counts. It also serves as regular monitoring which assesses the behaviour of each node. Result evaluation and comparison make the actual assessment of the suggested approach and show it to be an improvement over traditional approaches.
Index Terms— MANET, AODV, CNA (Comprehensive Node Acknowledgement), IDS, Performance Factors;
I. INTRODUCTION
Networks are getting denser and wider day by day, with a continuously increasing number of users and constantly updated technologies. The wireless network is one such network, having a large number of devices and supported applications. These networks provide mobility-aware communication within a specific range of the network. Wireless networks are categorized into various sub-networks or domains supporting technologies such as GSM, CDMA, Bluetooth, ZigBee, MANET, VANET, Cognitive radio, WSN etc.
Further categorization is possible on the basis of device dependencies and the range of communication. All of these networks work on radio transmission and mostly apply connectionless protocols, and sometimes connection-oriented protocols as well, which guarantee successful delivery of the data from the source to the destination.
MANET is a mobile ad-hoc network formed by a group of nodes within a specific range which can communicate directly with each other without any infrastructural requirements such as routers, switches and cables. Hence it is known as an infrastructure-independent network. In it each node serves as infrastructure support for data or instruction transfer. There is no controlling or observing authority for this communication; instead, every single node performs the same role. Here every node acts as a router and follows a topology which is static or dynamic in nature, meaning it keeps changing as the mobility of the nodes increases. Nodes within one another's radio range communicate directly by means of wireless links, while those that are far apart use other nodes as relays [1]. Nodes normally share the same physical medium; they transmit and receive signals on the same frequency band out of the total available bandwidth. Although transmission is simple and not dependent on infrastructure, the system is vulnerable to attack because the security mechanism is not properly established in such a small-scale network. The likelihood of an attack event is higher in MANET in comparison to any wired system.
The routing protocol in MANET assumes that each node in the network is a peer and not a malicious or selfish node. Therefore, only a node that has been compromised by an offensive node can cause the network to fail; such a node is known as an intruder node. Thus an intrusion detection mechanism is used to provide security against such malicious nodes and to continuously monitor the activity of attack-vulnerable nodes. The mechanism that performs this task is called an Intrusion Detection System (IDS) [3]. The system architectures for MANET, considering its applications, are either flat or multi-layer. Thus the best possible system architecture for a MANET depends on its system requirements, which ought to be attack resistant.
II. RELATED STUDY
In MANET, activity which is unauthorized and unrecognized, and which aims to degrade the normal performance of the network, comes under the category of intrusions. Such intruder nodes and traffic need to be detected in the early stages of communication to make the network work normally. This action is executed on a malicious node within a specific range of communication. Different nodes can communicate simultaneously, along with routing topology updates at every node because of their mobility. This system is getting complex and weak, which leads to most security issues. Intrusion detection may be used as a second level of security defence to protect the system from such issues. If an intrusion is detected, a response can be initiated to prevent or minimize harm to the system. Intrusion detection may be classified, based on how it analyses the historical data, as either host based or network based. A network-based IDS captures and analyses packets from network traffic, while a host-based IDS uses operating system or application logs in its analysis.
During the last few years various authors have worked towards improving the IDS structure, working and functionality to achieve better goals in terms of performance, detection rate and accuracy. This process is based on data analysis of previous transmissions and identifying the traffic and nodes which violate the communication rules. To design an effective IDS mechanism some novel algorithms need to be developed; they serve as core components of a design given by some rules and feature-driven approaches [4]. Such features are the combination of facilities and outputs of the respective algorithms. All IDSs have some common functionalities or components, which are:
Monitoring: used to monitor the node itself and its neighbours.
Database or log file: used to record events caused by intrusions, compute statistics and share them with other nodes.
Response: after an intrusion is detected, what the system or node can do in reply or response.
A classification-based intrusion detection mechanism is given in the paper [5] using unsupervised learning methods. In total the approach uses five algorithms for data evaluation, and to achieve its goals multiple intermediate metrics are created for effective transformations. The paper also deals with tuning the classifiers for unknown types of attack, which is determined by analysis of its historical data. The approach used for this is called cross validation, in which data from the same types of attacks are available in all folds. This differs from real-world deployment, where unknown types of attacks may be present. The reported results indicate that weighted cost matrices can be used effectively while developing an anti-intruder system.
For further security enhancement some of the authors have focused their concerns on security methods for intrusion prevention. Among them the most valuable are encryption and authentication, which reduce the risks of intrusion procedures but have not been able to remove them totally. Hence in the paper [6], the author proposes another quantitative technique for intrusion detection, which is a behavioural anomaly based framework. In this work the key entity is the local IDS agent at every mobile node. These agents run autonomously and monitor the activities of the user and the system, and the communication activities within their radio range, to identify abnormal behaviour.
In the paper [7], a novel intrusion detection technique based on Enhanced Adaptive Acknowledgment (EAACK) for MANETs is proposed together with a proper evaluation. The paper shows higher malicious-behaviour detection rates in certain situations while not greatly affecting the network performance and behaviour. The suggested approach consists of three major components: ACK, secure ACK (S-ACK), and the misbehavior report authentication (MRA) scheme. To distinguish the packet types of the different schemes, the paper included a 2-bit packet header in EAACK. At the primary level of work the approach generates effective results with minimum load.
In the paper [8], the collective effect of two anomaly mechanisms, CP-KNN and DOD, in a conditional succession structure gives better results and effective detection rates with higher accuracy in categorizing the traffic. A series of experimental results shows that valuable detection of anomalies with a low false positive rate and higher accuracy is achieved by the simulations in the given paper.
Some of the researchers have also focused their attention towards intrusion detection systems with multi-functionality. The paper [9] suggests a novel cross-layer IDS whose detection is more accurate, detecting attacks targeted at or originating from the source. The suggested work gives a layered architecture for effective detection based on anomaly detection by utilizing a clustering data mining technique. The proposed cross-layer based intrusion detection architecture is designed to detect DoS attacks and sink hole attacks at different layers of the protocol stack. The approach is also capable of detecting various types of UDP flooding attack and sink hole attack in an efficient way.
Various other approaches have been proposed in the last few years based on existing mechanisms like the watchdog in [10]. Its main advantage is that the watchdog only needs local information and, therefore, it becomes quite difficult for it to be badly influenced by another node. But it has two disadvantages:
(i) The watchdog is vulnerable to cooperative attacks, and
(ii) It is not so accurate when node mobility increases.
The paper also proposes an improvement of this mechanism which can be used in MANET. Since the watchdog is a basic module for several different IDSs, making an extra effort to improve it becomes a necessity. The proposed improvements, based on Kalman filters, cope well with the watchdog weaknesses. Another improvement of the approach is avoidance of the collaborative black-hole attack. A secure exchange of information among nodes allows determining whether a node is acting as an accomplice, and also marks it as being malicious.
In the paper [11], a comparison is made between various existing IDSs based on inputs, outputs, processes, benefits and drawbacks. After studying the various approaches and their benefits the paper also suggests some guidelines for selecting an effective IDS for greater security. The paper also performs a few experiments to support the comparison results and to direct further research. The paper also presents a case study of a MIS/CIS/CS curriculum on the first introduction of the new IDS technology in MANET. Similarly, carrying forward the above research concern, a comparative study is developed to analyze the IDS architectures proposed in the existing literature [12].
Taking the traditional intrusion detection mechanism forward, some of the authors have worked with encryption, firewalls etc. To detect unauthorized access to the system in the early phases of interaction, the authors introduce IDAR, a signature-based intrusion detector dedicated to ad hoc routing protocols. This system analyzes the pattern of reuse. Result evaluation shows limited resource consumption (e.g., memory and bandwidth) and a high detection rate along with reduced false positives [13].
III. PROBLEM DOMAIN
The intrusion detection mechanism is a kind of analysis process which separates the legitimate data from the malicious data. This difference in data and nodes can be calculated by measuring the behaviour of each node in a network. Sometimes a node which is generating normal data can also be classified as malicious by existing intruder detection systems. Thus making the system more accurate and faster is the prime objective of this work. Due to the nodes' lack of physical security, malicious attackers can easily capture and compromise nodes to carry out attacks [14]. Intruders can easily compromise an ad-hoc network by inserting malicious or non-cooperative nodes into the network. In such a scenario it is important to develop an intrusion detection system (IDS), because owing to the limitations of most MANET routing protocols, nodes in the network assume that other nodes always cooperate with each other to relay data [15]. After analysing the various research articles, this work has identified the following areas of work which remain unsolved by existing IDS mechanisms.
IV. PROPOSED CNA SOLUTION
This paper gives a scheme to detect maliciously misbehaving nodes which cause regular collisions and data drops. Such nodes also generate false misbehaviour reports claiming that they are behaving well in the network, while in reality they harm the network by dropping data. Thus these nodes have to be detected effectively and on time. Such detection is a quite complicated task, because the actual traffic is analysed and the unreliable transmission is then detected by comparing it with the patterns of the existing flow. This helps in the detection of uneven losses and flows. The suggested scheme addresses the weakness of existing IDSs, which fail to detect false misbehaviour in a timely manner. This work proposes a novel Comprehensive Node Acknowledgement (CNA) [16] based IDS through AACK for the AODV protocol. It works on the basis of the following 4 modules: data gathering, categorization, processing and intimation. The above approach is named CNA because in it a comprehensive set of node characteristics is analyzed and monitored for intruder identification. CNA can be measured through a threshold for behaviour preemption.
Proposed Algorithms
Starts Protocol AODV () CNA ()
{
    Start New Route
    Broadcast RREQ to All Neighbours
    Wait for Reply Acknowledgement
    If Destination D == Receives Packet
        ACK = True;
        Revert RREP & ACK
    Else
        ACK = False
    If (Source Rcv ACK == True && TTL == Fixed)
        Packet Delivered Successfully;
    Else
        Packet Fails;
        IDS Execute ();
        {
            Count ();
            Performance_Based_Detection ();
            Exit;
        }
}
Count ()   // Definition of Function
{
    Node ();      // Total Number of Packets Sent & Received
    Neighbour (); // Listen to Neighbours' Transmissions
    Report ();    // After a Fixed Period of Time Nodes Give Report to CNA Node
}
CNA_Performance_Based_Detection ()
{
    PDR (); Throughput (); Routing Overhead ();
    If (PDR, Throughput, Routing Overhead < Threshold)
        Intrusion detected;
}
Description: According to the above suggested algorithm of CNA [16], the intruder's behaviour in the network traffic can be analyzed by regular monitoring of performance parameters. Initially, when the network and its transmissions are started, the network regularly generates data about the flow structures. The hosts start communicating with each other and send and receive data packets effectively. The CNA mechanism stores this report and the transfer details in the form of a log in its identification unit. This identification unit analyzes the packets and continuously monitors the behaviour of each node. The identification units continuously exchange these data to map the unauthorized behaviour identifications.
It maps the data and distributes it into six categories: host counts, behaviour analysis, acknowledgement count, neighbour count, packets sent and packets received. It stores the useful patterns and information in a local data repository. This data is then passed on to the next module of CNA.
In this step the comprehensive acknowledgement node (CNA) starts deriving the information related to maliciousness identification from analysing the collected data. CNA works as a malicious behaviour identification unit by analysing the patterns and identifying information-dropping nodes from their generated log data. The module uses 3 steps for separating the data and predicting the intruder's behaviour: response count, generated throughput analysis and packet drop ratio analysis. From the above steps the malicious behaviour is identified and the intruder node is recognized. In the CNA processing unit a detailed data analysis is done for each and every node participating in data transfer, so that if any one of them is behaving unevenly and causing data losses or drops, it is identified. The above module uses a threshold value termed as, below which each node is taken as a malicious or intruder node. If the node is above the specific threshold then it is a legitimate node.
V. RESULT EVALUATION
Second is routing overhead (RO), which defines the ratio of the amount of routing-related transmissions such as RREQ, RREP, ACK, 2ACK, S-ACK etc. Third is throughput, which gives the effectiveness of the system in transmitting the packets. The proposed mechanism is able to identify the attacks based on their types, so they can be prevented before any damage or packet drops. Further, it can be extended to a few more parameters based upon the network density. The algorithm can also be extended to identify and prevent a few more network layer attacks. To simulate the proposed approach, a scenario is created by writing a TCL (Tool Command Language) script in which fifteen nodes are created with specified coverage and transmission power. Additional components are also defined in the script file, such as antenna type, routing protocol and queue type. Each node is assigned one hundred percent energy.
TABLE-I: SIMULATION ENVIRONMENT
Number of nodes: 19
Simulation time (seconds): 70
Radio range: 300 m
Traffic type: CBR, 3 pkts/s
Packet size (bytes): 512
Number of traffic connections: 4, 30
Transmission energy consumption: 1.0 J
Packet delivery ratio (PDR) – the ratio of the number of packets received at the destination and the number of packets sent by the source. The PDR of the flow at any given time is calculated as,
PDR = (packets received/packets sent)
GRAPH 1: COMPARISON OF PDR ANALYSIS FOR EXISTING AND PROPOSED APPROACH
After analysing the results on various factors of the simulation environment, it is found that the packet delivery ratio of the proposed approach is higher than that of the existing approach, as shown in the above graph.
This confirms that after applying the suggested approach for intrusion detection, the mechanism is capable of detecting the malicious behaviour on time and is able to reduce the drops.
Routing Overhead: The number of routing packets transmitted per data packet delivered at the destination.
GRAPH 2: COMPARISON OF ROUTING OVERHEAD ANALYSIS FOR EXISTING AND PROPOSED APPROACH
While measuring the overhead of the suggested scheme and the existing scheme for the overall network, it is found that the proposed mechanism incurs less control overhead than the existing approaches.
Throughput - It is the sum of sizes (bits) or number (packets) of generated/sent/forwarded/received packets, calculated at every time interval and divided by the interval length. Throughput (bits) is shown in bits. Throughput (packets) shows the number of packets in every time interval. The time interval length is equal to one second by default.
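As an added illustration (not the paper's own NS2 code) of the CNA detection step of Section IV together with the PDR, routing overhead and throughput definitions above: a monitoring node derives the three metrics from per-node counters and applies the thresholds, and the performance check is only triggered when an end-to-end acknowledgement is missing, as in the pseudocode. The counter values are constructed sample data; the comparison direction for routing overhead (flagging overhead above a threshold, since the results treat lower overhead as better), the minimum-sample rule and all names are assumptions of this example.

```python
"""Illustrative CNA-style detection for AODV (added example, not the paper's code)."""
from dataclasses import dataclass


@dataclass
class NodeReport:
    """Counters a CNA node gathers about one node over a fixed report period."""
    node_id: str
    data_sent: int          # data packets handed to this node for forwarding
    data_acked: int         # of those, how many were acknowledged downstream
    bytes_acked: int        # payload bytes covered by those acknowledgements
    routing_packets: int    # RREQ/RREP/ACK control packets seen from the node
    period_s: float = 10.0  # report period in seconds (assumed value)


def pdr(r: NodeReport) -> float:
    """Packet delivery ratio = packets received / packets sent (0 if nothing sent)."""
    return r.data_acked / r.data_sent if r.data_sent else 0.0


def routing_overhead(r: NodeReport) -> float:
    """Routing packets transmitted per data packet delivered."""
    return r.routing_packets / r.data_acked if r.data_acked else float("inf")


def throughput_bps(r: NodeReport) -> float:
    """Delivered bits per second over the report period."""
    return r.bytes_acked * 8 / r.period_s


@dataclass
class Thresholds:
    min_pdr: float
    min_throughput_bps: float
    max_routing_overhead: float  # assumption: overhead ABOVE this is suspicious
    min_samples: int = 5         # assumption: too little traffic to judge a node


def classify(r: NodeReport, t: Thresholds) -> str:
    """Return 'legitimate', 'intruder' or 'insufficient-data' for one node."""
    if r.data_sent < t.min_samples:
        return "insufficient-data"
    suspicious = (pdr(r) < t.min_pdr
                  or throughput_bps(r) < t.min_throughput_bps
                  or routing_overhead(r) > t.max_routing_overhead)
    return "intruder" if suspicious else "legitimate"


def cna_round(ack_received: bool, ttl_ok: bool, reports, t: Thresholds) -> dict:
    """One IDS pass as in the paper's pseudocode: the performance-based check
    runs only when the source misses the acknowledgement or TTL does not match."""
    if ack_received and ttl_ok:
        return {}  # packet delivered successfully; nothing to do
    return {r.node_id: classify(r, t) for r in reports}


# Constructed sample reports for a 10 s period of CBR traffic at 3 pkts/s, 512 B
# packets (Table I): n2 silently drops most data it should forward, n3 floods
# control traffic, n4 has barely carried any traffic yet.
SAMPLE = [
    NodeReport("n1", data_sent=30, data_acked=29, bytes_acked=29 * 512, routing_packets=12),
    NodeReport("n2", data_sent=30, data_acked=9, bytes_acked=9 * 512, routing_packets=10),
    NodeReport("n3", data_sent=30, data_acked=28, bytes_acked=28 * 512, routing_packets=150),
    NodeReport("n4", data_sent=2, data_acked=2, bytes_acked=2 * 512, routing_packets=1),
]
THRESH = Thresholds(min_pdr=0.8, min_throughput_bps=5_000, max_routing_overhead=2.0)

if __name__ == "__main__":
    # A missing ACK at the source triggers the performance-based detection.
    for node, verdict in cna_round(False, True, SAMPLE, THRESH).items():
        print(f"{node}: PDR={pdr(SAMPLE[int(node[1]) - 1]):.2f} -> {verdict}")
```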
Another important fact that can be considered with respect to the approach is the power consumption of the nodes in the network. Compared to other approaches, the proposed scheme presents a simple one-hop acknowledgement and a one-way trust certificate, termed a semantic security mechanism, which greatly reduces the overhead in the traffic and the transmission time. The overall transmission for sending and receiving data happens in just a few milliseconds, overcoming the time constraint and thereby reducing power consumption.
VI. CONCLUSION
Intruders or malicious nodes bring great harm to the performance of MANET. Thus, to make the network more secure and robust against these unwanted malicious nodes, an intrusion detection system is used. This paper has studied various existing mechanisms for prevention of such intrusions. But they also have some negatives, such as timely analysis of misbehaving nodes, false identification, collision detection, a central monitoring node, partial drops etc. Thus this work proposes an improved IDS solution for overcoming these issues using CNA. The work uses a standard centrally controlled monitoring node (CNA) which also listens to the transmissions of other nodes. These transmissions have a value that is compared with a standard threshold value to classify genuine and misbehaving nodes. From the evaluation point of view the paper also presents some results with performance parameter analysis and comparison with existing systems. This work has shown analytically that the suggested approach effectively improves the network performance and is better than the traditional intrusion detection approaches. Also the approach makes the network live for a longer duration because of its lower energy consumption and low overhead.
VII. FUTURE WORK
Some problems and concepts that remain unaddressed can be taken up in future. For example, with the help of a pre-emptive approach more information can be added for exact, timely analysis of intrusions and their successful detection with high accuracy. It can also be used for quantitative and qualitative analysis, rank ordering etc. We also embed the source code of our proposed scheme in NS2, so as to use the benefits of an open source approach.
REFERENCES
[1] O. V. Chandure , A. P. Bakshi, S. P. Tidke and P. M. Lokhande, “Simulation of Secure AODV in Gray Hole Attack for Mobile Ad-Hoc Network”, in International Journal of Advances in Engineering & Technology, ISSN: 2231-1963, Vol. 5, Issue 1, Nov. 2012. , pp. 67-76.
[2] G. S. Mamatha and Dr. S. C. Sharma, "A New Combination Approach to Secure MANETS Against Attacks", International Journal of Wireless & Mobile Networks (IJWMN), DOI: 10.5121/ijwmn.2010.2406, Vol. 2, No. 4, November 2010.
[3] Marjan Kuchaki Rafsanjani, Ali Movaghar, and Faroukh Koroupi, "Investigating Intrusion Detection Systems in MANET and Comparing IDSs for Detecting Misbehaving Nodes", in World Academy of Science, Engineering and Technology, 2008.
[4] M Salman Ashraf and Muhammad Raheel, "RGB Technique of Intrusion Detection in IEEE 802.11 Wireless Mesh Networks", IJCSI International Journal of Computer Science Issues, ISSN (Online): 1694-0814, Vol. 9, Issue 2, No 2, March 2012, pp 306-313.
[5] Aikaterini Mitrokotsa and Christos Dimitrakakis, “Intrusion detection in MANET using classification algorithms: The effects of cost and model selection”, in ScienceDirect Elsevier Publication, Journal of Ad-Hoc Networks, ISSN: 1570-8705, available at http://dx.doi.org/10.1016/j.adhoc.2012.05.006, 2012.
[6] S.Mamatha and Dr A Damodaram, “Quantitative Behavior Based Intrusion Detection System for MANETS”, in Proc. of the Intl. Conf. on Advances in Computing and Communication (ICACC), ISBN: 978-981-07-6260-5 doi:10.3850/ 978-981-07-6260-5_59, April 2013.
[7] Elhadi M. Shakshuki, Nan Kang, and Tarek R. Sheltami, “EAACK—A Secure Intrusion-Detection System for MANETs”, in IEEE Transaction on Industrial Electronics, ISSN: 0278-0046, Vol. 60, No 3, March 2013.
[8] Farhan Abdel-Fattah, Zulkhairi Md. Dahalin and Shaidah Jusoh, “Dynamic Intrusion Detection Method for Mobile Ad Hoc Network Using CPDOD Algorithm”, in IJCA Special Issue on “Mobile Ad-hoc Networks” MANETs, 2010.
[9] Rakesh Shrestha, Kyong-Heon Han, Dong-You Choi and Seung-Jo Han, “A Novel Cross Layer Intrusion Detection System in MANET”, in IEEE International Conference on Advanced Information Networking and Applications, ISSN 1550-445X/10, DOI 10.1109/AINA.2010.52, 2010.
[10] Tushar Sharma, Mayank Tiwari, Prateek kumar Sharma, Manish Swaroop and Pankaj Sharma, “An Improved Watchdog Intrusion Detection Systems In Manet”, in International Journal of Engineering Research & Technology (IJERT), ISSN: 2278-0181, Vol. 2 Issue 3, March-2013.
[11] Yi Li and June Wei, “Guidelines on Selecting Intrusion Detection Methods in MANET”, in Proc. of ISECON (EDSIG), Vol.21, (Newport): §3233 (refereed), 2004.
[12] Farzneh Pakzad, Marjan Kuchaki Rafsanjani and Arsham Borumand Saeid, “The Improvement Steps of Intrusion Detection System Architectures of MANET”, in IJMAS, ISSN: 0973-7545, Vol. 22, Issue S11, 2011.
[13] Mouhannad Alattar, Françoise Sailhan and Julien Bourgeois, “Lightweight Intrusion Detection: Modeling and Detecting Intrusions Dedicated to OLSR Protocol”, in International Journal of Distributed Sensor Networks Volume 2013, Article ID 521497, 20 pages at http://dx.doi.org/10.1155/2013/521497.
[14] Charlie Obimbo and Liliana Maria Arboleda Cobo, “An Intrusion Detection System for MANET”, Communications of Information Science and Management Engineering (CISME), Vol.2 No.3, 2012. pp.1-5
[15] Umesh Prasad Rout, “A Study of Intrusion Detection Systems in MANETs”, in International Journal of Research in Computer and Communication Technology, ISSN(Online) 2278-5841, Vol 2, Issue 2, Feb-2013. Pp 86-92.