INTRUSION DETECTION SYSTEMS IN MOBILE AD-HOC NETWORS Anas A. Al-Roubaiey Implementation and Performance Evaluation of Adaptive ACKnowledgment (AACK)

INTRUSION DETECTION SYSTEMS INTRUSION DETECTION SYSTEMS IN MOBILE AD-HOC NETWORS IN MOBILE AD-HOC NETWORS

Anas A. Al-RoubaieyAnas A. Al-Roubaiey

Implementation and Performance Evaluation of Implementation and Performance Evaluation of AAdaptive daptive ACKACKnowledgment (nowledgment (AACKAACK) )

CONTENTSCONTENTS

Background

Literature Review

Problem Statement

Misbehaving Actions in MANET

Proposed IDS

Performance Evaluation

Conclusions and Future Work

6 June 2009 2KFUPM: MS Defense

BACKGROUND BACKGROUND

Mobile Ad hoc NETwork

6 June 2009 KFUPM: MS Defense 3

Definition MANET is a collection of wireless

mobile nodes which may form a temporary network, without the use of any fixed infrastructure or centralized administration

Characteristics Multi-hop communication Dynamic topology Constrained resources Nodes work as routers

F1

F2

F3

D

S

Applications Military and Rescue operations Extend BS range


BACKGROUNDBACKGROUND

MANET Applications

Comm. Tower

v1

v3v4

v5



Routing in MANET

MANET Routing Protocols

DSR basic functions Route discovery Route maintenance

MANET Routing Protocols

Proactive (Table Driven)

Reactive (On-Demand)

Hybrid

DSDV WRP OSLR AODV TORA DSR ZRP ZHLS



Route discovery in DSR

1

1-2

1

1-3

1-3-4

1-3-4

1-3-4

1-2-5

1-3-4-6

1-3-4-7S

D52

1

3

4

6

7

8

Route Request (RREQ) Broadcasting

6 June 2009 KFUPM: MS Defense7


Route discovery in DSR

S

D52

1

3

4

6

7

8

Route Reply (RREP) Unicasting

1-2-5-81-2-5-8 1-2-5-8

7



Route Maintenance in DSR

S

D52

1

3

4

6

7

8

RERR(5,8)

RERR(5,8)

Mobility of a node can break routes passing through it

CONTENTSCONTENTS

Background

Literature Review

Problem Statement

Misbehaving Actions in MANETMisbehaving Actions in MANET

Proposed IDS





Securing DSR

DSR vulnerable to attacks Passive ( eavesdropping) Active ( dropping packets)

Proposed solutions Prevention techniques (Cryptography) Detection techniques ( Watchdog)

Detection Techniques Second wall of defense Detect and banish the misbehaving nodes


Problem: In a malicious environment, misbehaving nodes may not

cooperate. How can they misbehave? What is the effect of them on network performance ?



Nodes misbehaviour

C

M

S

Cooperative node: cooperate in both route discovery and packet

forwarding functions

Selfish node : Prevent data packet forwarding try to save their own resources (energy and

bandwidth)

Malicious node: Prevent data packet forwarding Try to disrupt the network



Nodes misbehaviour



Misbehaving model

AS D

RREQ packets from S to D

RREP packets from D to S

CBR packets from S to D

MSS

What is the effect on the Network performance as we increase the % of misbehaving nodes?

CONTENTSCONTENTS

Background

Literature ReviewLiterature Review

Problem Statement


Proposed IDS




LITERATURE REVIEWLITERATURE REVIEW

Watchdog IDS


How it works When a node forwards a packet, the node’s watchdog verifies that the next node

in the path also forwards the packet

Watchdog does this by listening promiscuously to the next node’s transmissions

Problems Ambiguous collisions, False misbehavior, Partial dropping, Collusion

Receiver collisions, Limited transmission power

Hint: Promiscuous mode means a node accepts the packets regardless of its destination

SS A B C DD

LITERATURE REVIEWLITERATURE REVIEW

Previous IDS


MechanismPublished

DateRP

DetectionFunction

MisbehavingDetected

UseWD

Problems Solved

Watchdog 2000 DSR All nodes All Packet Drop (APD) Yes None

CORE 2002 All All Selective Packet Drop (SPD) YesPartial

Dropping

CONFIDANT 2002 DSR All APD + Routing Attacks Yes None

Patcha 2003 AODV Some APD Yes Collusion

CineMA 2004 DSR Some SPD YesPartial

Dropping

Parker 2004 All Some APD Yes None

TWOACK 2005 DSR All APD No RC+TC

Routeguard 2005 DSR All SPD YesPartial

Dropping

ExWatchdog 2007 DSR All APD YesFalse

Misbehaving

Cop 2008 DSR Some APD Yes None

CONTENTSCONTENTS

Background

Literature Review

Problem StatementProblem Statement


Proposed IDS




PROBLEM STATEMENTPROBLEM STATEMENT

Receiver Collision


Node A believes that B has forwarded packet 1 on to C

However, C never received the packet due to a collision with

packet 2 being sent from D


A node could limit its transmission power limit its transmission power such that the signal

is strong enough to be overheard by the previous node but

too weak to be received by the true recipient.

B CA

PROBLEM STATEMENTPROBLEM STATEMENT

Limited Power Transmission

CONTENTSCONTENTS

Background

Literature Review

Problem Statement


Proposed IDS Proposed IDS




Study the impact of Misbehaving nodes on Network Performance

Propose a solution for the two problems, RC and LPT

Enhancing TWOACK reduce routing overhead

• Minimizing acknowledgment transmissions per one data packet

Increase detection efficiency• Node detection instead of link detection


PROPOSED IDSPROPOSED IDS

Research Objectives


AACK Mechanism DefinitionDefinition

AACK stands for Adaptive ACKnowledgment Adapts the number of acknowledgments based on network state

ComponentsComponents End to end acknowledgment E-TWOACK Switching system Response system

Node typesNode types: SSource, DDestination, FForwarder


F1S DF2

SourceSource DestinationDestinationForwardersForwarders

PROPOSED IDS PROPOSED IDS

End to end Acknowledgment




TWOACK – How it works

Disadvantage Detects ML instead of MN Misbehaving node still active in other links Specially in high mobility scenarios where links are changing

rapidly



TWOACK – Link Detection

M

M

M

M

F2-F3 is MLF2-F3 is ML

The order of three consecutive nodes has 4 probabilities :

S – F – D F – D

F – F – D F – D

• F is the misbehaving node because in the nature of the packet dropping

attacks the attackers just existing on the intermediate nodes

S – F1 – F2F1 – F2

• if S receives alarm then F2 is MN

• If S does not receive alarm then F1 is MN

F1 – F2 – F3F2 – F3

• F3 is the MN because F2 is reported by the S and F1 as well-behave node.



E-TWOACK – Node Detection



E-TWOACK – Detection Procedure


Switching Scheme


AACK modesAACK modes End to end acknowledgment ( Aack mode) E-TWOACK ( Tack mode)

Data packetsData packets AA packets ( Aack mode) TA packets (Tack mode) One bit from DSR header is used


Switching Scheme


Start with Aack mode

Regular NodeActivity

Node Mode ?

ReceiveSwitchPKT ?

Switch to Aack mode

Send TA PKTRegister

PKT id & T

Send AA PKTRegister

PKT id & TTAAA

YES

Receive Aack

Ack. ?

AATimeout ?

NO

Switch to Tack

YES

NO

YES

NO

Follow E-TWOACK Procedure

TackTackAackAack


Response System


CONTENTSCONTENTS

Background

Literature Review

Problem Statement


Proposed IDS

Performance EvaluationPerformance Evaluation




why NS-2 ?

Suitable for researchers Free and open source simulator


Simulator usage survey of simulation-based papers in MANET, 2005.

Packet Delivery Ratio

Routing Overhead

Average end to end Delay



Performance metrics

Parameter Value

Number of nodes 50 nodes

Simulation area 670 meter X 670 meter

Simulation time 900 second

Mobility model Random waypoint with pause time 0

Maximum speed 1 (low mobility) m/s 20 ( high mobility) m/s

Antenna model Omni-directional



Simulation parameters

Parameter Value

Transmission range 250 meter

MAC protocol 802.11 CSMA/CA

WD and TA timeout 0.1 and 0.2 sec

WD and TA threshold 40 packets

AACK timeout

AACK threshold 30 Packets

Misbehaving nodes varying from 0 % – 40 % (40% smart attackers)

Data traffic CBR and Video traffic6 June 2009 KFUPM: MS Defense 35


Simulation parameters



CBR: Low speed

DSR has the lowest PDR no detection

mechanism used WD has better PDR than

DSR partial detection for

MN AA outperforms TA

especially in 30 and 40 % of Misbehaving nodes

All the schemes performance decreases as MN increases

AA has lower overhead than TA Reduction of TA Ack

packets

WD has almost the same overhead as DSR No packets are used

for detection Just alarm packets

are used



CBR: Low speed

TA has the highest delay More computation More acknowledgment

packets

AA has lower value than TA The intermediate nodes

will not do the detection function all the time



CBR: Low speed

DSR and WD PDR decreases much more than in low speed, 50 % with 40% of MN High rate of broken links

With no MN, AA and TA performance is lower than DSR and WD Their overhead packets due

to detection function

TA outperforms AA in case of 40% MN Switching overhead



CBR: High speed

RoH of TA increased from 16% in LS to 40% in HS

AA and TA have larger overhead than WD and DSR Due to Ack packets

and Alarms



CBR: High speed

in average AA and TA has the same AED

AED is more than in LS Salvaged packets

increase with HS



CBR: High speed


video traffic

For our best of knowledge, this is the first attempt to evaluate IDSs

in MANETs using video traffic

Not supported by NS-2.

we use Contributions of NS-2 users, which have been used in

publications

Small experiment is conducted to choose the best video traffic type

(MPEG-4 or H.264) over DSR

5 stationary nodes, 670 X 670 flat space

30 frame / second


At sender

At receiver


Raw VideoRaw Video encoderencoder converterconverter Input Trace file

Input Trace file NS-2NS-2

Raw VideoRaw Videodecoderdecoderconverterconverteroutput Trace file

output Trace fileNS-2NS-2


video traffic



video traffic

Peak Signal to Noise Ratio PSNR measures the error between a reconstructed image and the original one



video traffic

PSNR [dB] MOS value Class

≥37 5 Excellent

31-37 4 Good

25-31 3 Fair

20-25 2 Poor

<20 1 Bad



video traffic: High Speed

notice the decreasing of PDR to 34 % High data rate up to 50

p/s More collision and

congestions

AA outperform TA and

DSR in presence of MN

RoH here is much less than in case of CBR data traffic rate is much

more than it was in CBR

TA also has a slight increase RoH more than AA




As the # hops increases, e-to-e delay increases

Also, TA has the highest e-to-e delay as in CBR results

In one hop all the schemes are almost the same No misbehaving nodes No acknowledgments




CONTENTSCONTENTS

Background

Literature Review

Problem Statement


Proposed IDS


Conclusions and Future WorkConclusions and Future Work


CONCLUSIONS AND FUTURE WORKCONCLUSIONS AND FUTURE WORK

Conclusion


In this research we continue the improvement of the existing IDSs over MANETs

A new IDS is proposed and studied for addressing packet dropping misbehaving by Solve the RC and LPT of watchdog Enhancing TWOACK Technique

Implementation of IDS over variable environments is a challenge. Timeout and threshold parameters should be dynamically

adapted to the network speed and traffic rate

CONCLUSIONS AND FUTURE WORK CONCLUSIONS AND FUTURE WORK

Future Works


Solve the other WD problems such as partial dropping and colluding attacks using AACK

Extend the AACK to work with other MANET routing protocols Study AACK IDS performance under other popular routing

protocols (both reactive and proactive).

Do more performance evaluation for AACK in terms of power consumption and memory usage

Documents

INTRUSION DETECTION SYSTEMS IN MOBILE AD-HOC NETWORS Anas A. Al-Roubaiey Implementation and Performance Evaluation of Adaptive ACKnowledgment (AACK)