node6

8/8/2019 node6

1/6

44International Journal of Research and Reviews in Computer Science (IJRRCS) Vol. 1, No. 3, September 2010

Secured Packet Transmission by implementing

Enhanced IDS in MANET1

S..Vardhaganapathy,

2

A.M.Natarajan1Department of Information Technology Kongu Engineering College [email protected]

2Department of Electronics and Communication Engineering, Bannari Amman Institute of

Technology, Sathyamangalam

Abstract: MANET is a self-configuring network of mobile routers

connected by wireless links. Routers are free to move randomly and

organize themselves arbitrarily. Topology change occurs rapidly

and unpredictably in the MANET due to mobility of nodes and due

to ad hoc criteria. MANET needs no infrastructure for

intercommunication. In ad hoc networks, misuse detection relies on

the use of unauthorized known patterns. The most concern

requirement is to detect intrusion when the transmitted trafficcontains abnormal packets based on signatures of attacks. For

deploying misuse detection, nodes should execute the sniffing and

analyze software modules. Mobility is often a problem for

providing security services in ad hoc networks. Numerous protocols

exist for forming ad hoc networks among cooperative mobile,

radio-equipped nodes. There are more possibilities of attacks by

multiple mobile intruders. Providing higher security for the mobile

users is partially possible by different algorithms like distributed

polynomial and complexity selection algorithms. The existing

solution uses an algorithm GODOM (GeOmetric DOMinated set) to

find out more number of active nodes. However geometric domains

with even spaces were carried out for the resultant intrusion

detection. The proposed work aims to provide an enhanced version

of GODOM algorithm in the uneven geometric subspaces. The

status IDS will checkout every packet using some threshold values

and if the packet transmission crosses the threshold values then that

packet is marked as an abnormal packet. The proposed system has

many advantages such as finding more number of active nodes,

improved status based IDS which detects more number of DSR

attacks with higher efficiency and lower cost of execution.

1. IntroductionThe emergence of the Mobile Ad Hoc Networking

(MANET) technology advocates self-organized wireless

interconnection of communication devices that would either

extend or operate in concert with the wired networking

infrastructure or, possibly, evolve to autonomous networks.

In either case, the proliferation of MANET-based

applications depends on a multitude of factors, with

trustworthiness being one of the primary challenges to be

met. Despite the existence of well-known security

mechanisms, additional vulnerabilities and features pertinent

to this new networking paradigm might render such

traditional solutions inapplicable. The provision of security

services in the MANET context faces a set of challenges

specific to this new technology. The insecurity of the

wireless links, energy constraints, relatively poor physical

protection of nodes in a hostile environment, and the

vulnerability of statically configured security schemes havebeen identified as such challenges. The absence of

infrastructure and the consequent absence of authorization

facilities impede the usual practice of establishing a line of

defense, separating nodes into trusted and non-trusted. Such

a distinction would have been based on a security policy, the

possession of the necessary credentials and the ability for

nodes to validate them. In the MANETcontext, there may be

no ground for an apriori classification, since all nodes are

required to cooperate in supporting the network operation,

while no prior security association can be assumed for all the

network nodes.The presence of even a small number of adversarial nodes

could result in repeatedly compromised routes, and, as a

result, the network nodes would have to rely on cycles of

time-out and new route discoveries to communicate. This

would incur arbitrary delays before the establishment of a

non-corrupted path, while successive broadcasts of route

requests would impose excessive transmission overhead. In

particular, intentionally falsified routing messages would

result in a denial-of-service (DoS) experienced by the end

nodes. The proposed scheme combats such types of

misbehavior and safeguards the acquisition of topological

information.

1.1. Secured Packet Transmission

To secure the data transmission phase, Secure Message

Transmission (SMT) provides an end-to-end secure data

forwarding protocol tailored to the MANET communication

requirements. The secure message transmission protocol

safeguards pair-wise communication across an unknown

frequently changing network, possibly in the presence of

adversaries that may exhibit arbitrary behavior. It combines

four elements, end-to-end secure and robust feedback

mechanism, dispersion of the transmitted data, simultaneous

usage of multiple paths, and adaptation to the network

changing conditions. SMT detects and tolerates

compromised transmissions, while adapting its operation to

provide secure data forwarding with low delays. The goal is

to ensure secure routing over available routes, despite of the

presence of adversaries.

1.2. Security Requirements in MANET

One way to counter security attacks would be to

cryptographically protect and authenticate all control and

data traffic. But to accomplish this, nodes would have to

have the means to establish the necessary trust relationshipswith each and every peer they are transiently associated with,

including nodes that just forward their data. Even if this were

feasible, such cryptographic protection cannot be effective

8/8/2019 node6

2/6


against denial of service attacks, with adversaries simply

discarding data packets. The security requirements in ad hoc

networks are similar to those in other networks. The goal is

to protect information transmitted and resources in the

network from malicious activities (Deng et al, 2002). These

requirements include availability of network services,

authentication of the users in order to ensure that a malicioususer cannot masquerade as a trusted user, confidentiality of

the information transmitted in the network, integrity of the

information in order to ensure that the information is not

modified by an unauthorized entity and non-repudiation in

order to ensure that a node cannot refuse the sending of a

message that it originated (Subhadrabandhu et al., 2004).

1.3 Intrusion Detection System

An Intrusion Detection System (IDS) is software and/or

hardware designed to detect unwanted attempts (Alia

Fourati, Khaldoun Al Agha, 2007) at accessing,manipulating, and/or disabling computer systems, mainly

through a network, such as the Internet. These attempts may

take the form of attacks, as examples, by crackers, malware

and/or disgruntled employees. An IDS cannot directly detect

attacks within properly encrypted traffic. An intrusion

detection system is used to detect several types of malicious

behaviors that can compromise the security and trust of a

computer system. This includes network attacks against

vulnerable services, data driven attacks on applications, host

based attacks such as privilege escalation, unauthorized

logins and access to sensitive files, and malware (viruses,

trojan horses, and worms).

An IDS can be composed of several components: Sensors

which generate security events, a console to monitor events

and alerts and control the sensors, and a central engine that

records events logged by the sensors in a database and use a

system of rules to generate alerts from security events

received. There are several ways to categorize IDS

depending on the type and location of the sensors and the

methodology used by the engine to generate alerts. In many

simple IDS implementations all three components are

combined in a single device or appliance.

2. Related Work

The classification among the proposed IDS of

MANET can be composed using the parameters discussed in

the previous sections, i.e.: architecture, attacks, and IDS

detection techniques [2]. Most of the MANET IDSs tend to

have the distributed architectures and their variants. The IDS

architecture may depend on the network infrastructure. But

the most important thing is the reasons the architecture to be

configured in distributed manner.

As the nature of MANET is so open, attacks can be

generated from any node within the MANET itself or nodes

of neighboring networks. Unfortunately, this network lacks

in central administration. It is difficult for implementingfirewall or the IDS on the strategic points. Moreover, each

node can work as client, server or router. Delivery packets

need collaboration work among the nodes participating in the

network. For these reasons, the IDS of MANET should have

characteristics that follow these natures, distributed and

collaborative. Advantage using distributed architecture is the

security accident can be detected earlier. However, this

architecture needs huge resources, which is difficult to be

implemented in small wireless devices such as PDA.

The existing MANET IDSs have various methods to detectand to respond regarding these attacks. The proposed IDSs

are designed for detecting the intrusion activities in the

routing protocol of MANET. The proposed one extends the

GODOM algorithm on MANET to detect misbehavior nodes

and reacted if they originated from outside communitys

network or inside (both the cases). The proposed IDS in DSR

has the following advantages compared to existing GODOM

a. Effective coverage of given network terrain to detect

attacks, (Uncovered subspaces)

b. Detect more number of DSR attacks, and

c. Higher efficiency and lower cost of execution

There are three main types of systems in which IDS can beused. They are network, applications and hosts. In a network-

based intrusion-detection system (NIDS), the sensors are

located at choke points in network to be monitored, often in

the demilitarized zone (DMZ) or at network borders. The

sensor captures all network traffic and analyzes the content

of individual packets for malicious traffic. In systems, PIDS

and APIDS[2] are used to monitor the transport and

protocols for illegal or inappropriate traffic or constructs of a

language. For example, forged SQL queries attempt to delete

database records, virus in emails.

In a host-based system, the sensor usually consists of a

software agent, which monitors all activity of the host on

which it is installed. For example, attempt to modify the

master boot record, key logger, file access. Depending on the

detection techniques used, IDS can be classified into three

main categories (A. Hijazi and N. Nasser 2005) signature or

misuse based IDS, anomaly based IDS, and specification

based IDS, which is a hybrid both of the signature and the

anomaly based IDS.

The signature-based IDS uses pre-known attack scenarios (or

signatures) and compare them with incoming packets traffic.

There are several approaches in the signature detection,

which they differ in representation and matching algorithm

employed to detect the intrusion patterns. The detection

approaches, such as expert system (T. F. Lunt, R.Jagannathan 1998) , pattern recognition (M. Esposito, C.

Mazzariello, 2005), colored Petri nets (S. Kumar and E.

Spafford, 1994), and state transition analysis (P.A. Porras

and R. Kemmerer, 1992) are grouped on the misuse.

Meanwhile, the anomaly-based IDSattempts (Bo Sun

And Lawrence Osborne, Yang Xiao, Sghaier Guizani, 2007)

to detect activities that differ from the normal expected

system behavior. This detection has several techniques, i.e.:

statistics (P. Porras and A. Valdes, 1998), neural networks

(H. Debar, M. Becker and D. Siboni 1992), and other

techniques such as Chi-square test utilization (N. Ye, X. Li,

2001).The specification-basedIDS monitors current behaviorof systems according to specifications that describe desired

functionality for security-critical entities (C. Ko, J. Rowe, P.

8/8/2019 node6

3/6


Brutch, K. Levitt 2001). A mismatch between current

behavior and the specifications will be reported as an attack.

In misuse detection (Signature detection) each instance in a

data set is labeled as normal or intrusive and a learning

algorithm is trained over the labeled data. These techniques

are able to automatically retrain intrusion detection models

on different input data that include new types of attacks; aslong as they have been labeled appropriately. Unlike

signature-based IDS [9], models of misuse are created

automatically and can be more sophisticated and precise than

manually created signatures. (Subhadrabandhu, D., S. Sarkar

and F. Anjum, 2004) The signature IDS [9] has high degree

of accuracy in detecting known attacks and their variants. Its

disadvantage is that it cannot detect unknown intrusions and

they rely on signatures extracted by human experts. This

method uses specifically known patterns of unauthorized

behavior to predict and detect subsequent similar attempts.

These specific patterns are called signatures.

For host based intrusion detection [10], one example of asignature is "three failed logins". For network intrusion

detection, a signature can be as simple as a specific pattern

that matches a portion of a network packet. The occurrence

of a signature might not signify an actual attempted

unauthorized access. Depending on the robustness and

seriousness of a signature that is triggered, some alarm,

response, or notification should be sent to the proper

authorities

3. Proposed System

The proposed work presents an enhanced GODOM

algorithm for secured packet transmission in DSR protocol.

It improves the effective detection coverage in the given

ad hoc network scenario. It also improvises the GODOM

algorithm to handle intrusion attacks even in undefined

geometric subspaces.

Every communicative node is able to reach the active packet

monitoring nodes. The proposed enhanced GODOM

evaluates the pre-specified number of hops the protocol

should adapt. It also identifies active nodes even in the

subspaces where its geometry is undefined. The status IDS

will checkout every packet using threshold values generated

in due course of secured transmission with enhanced

GODOM. Packets abnormality is marked when itstransmission value crosses the specified threshold values.

The scalability of the intrusion attacks in larger networks is

handled efficiently by its effective active node proposition

across the network terrain even in uneven subspaces.

The proposed solution uses the existing GODOM

(GeOmetric DOMinated set) algorithm to find out more

number of active nodes in a MANET. GODOM algorithm

helps a node to find out number of neighboring nodes present

over it and if it has more number of neighbor nodes then it is

selected as an active node. This algorithm will be installed

with DSR protocol algorithm. If the DSR protocol starts

execution then the GODOM algorithm will also executealong with it. The proposed solution uses STAT (State

Transition Analysis Technique) based IDS designed for

detecting attacks against the DSR routing protocol.

4. Geometric Dominated Set Algorithm

The GODOM algorithm uses a special technique to find the

active insider nodes called dominated set, meaning that

giving supremacy to the particular nodes in which they help

to monitor the network threats. In control flow graphs, a

node 'd' dominates a node 'n' if every path from the start nodeto 'n' must go through 'd. Every node dominates itself. The

dominators of a node 'n' are given by the maximal solution to

the following data-flow equations: Where, 'n_0' is the start

node, the dominator of the start node is the start node itself.

The set of dominators for any other node 'n' is the

intersection of the set of dominators for all predecessors 'p of

n'.

Dominated set pseudocode algorithm solution:

// Dominator of the start node is the start itself

Dom (n_0) = {n_0}

// for all other nodes, set all nodes as the dominators

for each n in N - {n_0}Dom (n) =N;

// iteratively eliminate nodes that are not dominators

While changes in any Dom (n)

for each n in N - {n_0} :

Dom (n) = {n} union with intersection over all p in

predom (n) of Dom (p)

Direct solution is quadratic in the number of nodes, or O

(n2).

This algorithm, which is almost linear, but its

implementation tends to be not much more complex and time

consuming for a graph of several 100 nodes or less. The

proposed algorithm uses geometric information to select the

IDS active insiders. This heuristic can be used in topologies

where all insiders have equal transmission ranges denoted as

'r'. Thus, 2 insiders are neighbors if and only if the distance

between them is less than or equal to 'r'. The network is

covered by the minimum possible number of circles each

with ranges 'r'. Each IDS capable insider knows or computes

the coordinates of the centers of the circles. Each insider

knows its coordinates (e.g., by using Global Positioning

System (GPS) or other existing techniques). An insider

Figure 1. Finding Active Nodes using GODOM Algorithm

8/8/2019 node6

4/6


selects an IDS capable neighbor, which is the nearest to the

center of a circle it currently resides in to execute the IDS (an

insider may select itself as well since by definition it is its

own neighbor). For this, each IDS capable insider broadcasts

its distance from the center of each circle it resides in to its

neighbors. It sends this broadcast packet when it joins thesystem and thereafter, each time it moves. GODOM detects

many IDS active insiders so as to cover the entire network.

Now GODOM is generalized so as to select fewer IDS active

insiders at the expense of obtaining lower detection rates.

Now, each insider selected by GODOM decides whether to

execute the IDS with a probability which can be selected so

as to regulate the resource consumed and detection rate. This

version is referred as Generalized Geometric Dominating set

Algorithm (GGODOM). The disadvantage of these schemes

is that they consume significant energy and computational

resource due to involvement of every node in the detection

scheme which is not efficient especially when the threat levelis too high.

5. Results and Discussion

GODOM-STATIDS using DSR is simulated using ns-2 to

validate its efficiency and ability under volatile MANETs

environment. Active Nodes, Packet Sent, Malicious Packet

detection, Packet Delivery ratio were used as metrics to

compare the performance of GODOM-STAIDS using DSR

and using AODV. Simulation results are shown below.

The Simulated parameters are

Selecting active nodes No. of Packets sent Malicious packets detected Packet Delivery Ratio without malicious packets

Simulation Environment: In the Simulation study, first 25

nodes were considered. Then two protocols were considered

by executing each. The TCL file executed first to know how

many nodes were selected as active nodes from respective

nodes and at the end of NAM (Network Animator) files is

opened to view the network movements eventually. The

nodes were increased up to 100 and performance was

calculated using C file. The Trace.cfile is used to extract

the trace file in which the Packet send, Active nodes,

malicious packet detection, Packet Delivery Ratio. The

nodes were divided into Static (without mobility) and

Dynamic (with mobility) in which their performance were

calculated using respective algorithms.

5.1 Scenario Metrics

Scenario metrics define the environment in which the ad hoc

network functions. These metrics do not contribute to the

performance evaluation of the network, but it is critical to

consider these metrics to ensure comparable results for use inany performance evaluation/comparison.

Performance Metrics: Four metrics were taken into

consideration: Selecting active nodes, Packet delivery ratio,

Malicious packet detection, packet send.

5.2 Simulation Results

5.2.1 Scenario for selecting active nodes: The simulationresult gives number of active nodes from 20,40,60,80 nodes.

Each simulation result was compared.

5.2.2 Scenario for sending Malicious Packet: The simulation

result under attacker node sends malicious packets. The

active nodes are simulated to checkout every packet and drop

if it has a signature of attack.

5.2.3 Packet sent by AODV and DSR in Dynamic nodes:

Packet sent was same with slight variations in both the

protocols in dynamic nodes. Increasing the number of nodes

by keeping all scenarios constant leads to some increase inpackets sending at the stage of hundred nodes by the

proposed algorithm. (Fig. 2).

Packets Sent

0

1000

2000

3000

4000

5000

6000

7000

8000

9000

25

50

75

100

Number of nodes

Num

berofPackets

AODV

DSR

Figure 2: GODOM: Nodes vs packet sent

5.2.4. Malicious packet detection by DSR (static vs dynamic

nodes): The DSR protocol detects more number of malicious

packets in static nodes and also the detection ratio shows

sequential increment when number of nodes has been

increased but in the case of dynamic nodes, it shows only

random detection increment ratios. The Fig. 3 gives the

malicious packet detection ratios.

5.2.5 Malicious packet detection by AODV (static vs dynamic

nodes): The AODV protocol detects more number of

malicious packets in static nodes and also the detection ratio

shows sequential increment when number of nodes has been

increased but dynamic nodes show only random detection

increment ratios. The Fig. 4 gives the malicious packet

detection ratios

5.2.6 Malicious packet detection by AODV and DSR in

Dynamic nodes: The DSR Protocol detects more number ofmalicious packets than AODV in dynamic nodes. When the

number of nodes is increased, the detection rate is also

increased in the proposed algorithm and protocol but in

8/8/2019 node6

5/6


existing system when number of nodes is increased, the

detection rate shows slight increment. The Fig. 5 gives the

malicious packet detection ratios

Malicious Packets Detected

0

100

200

300

400

500

600700

800

25

50

75

100

Number of nodes

NumberofPackets

DSR-D

DSR-S

Fig 3: DSR: Nodes vs malicious packet detected-s vs D


0

100

200

300

400

500

600

700

25

50

75

100

Number of nodes

NumberofPackets

AODV-D

AODV-S

Figure 4: AODV:Nodes vs malicious packet detected-s vs D


0

100

200

300

400

500

600

700

800

25

50

75

100

No. of Nodes

NumberofPackets

AODV

DSR

Fig 5: AODV Vs DSR : Malicious packet detected -D

5.2.7 Selecting active nodes by DSR and AODV in GODOM:

The DSR protocol detects more number of active nodes in

GODOM than compared to that of AODV protocol and the

proposed systems selection ratio shows sequential increment

when number of nodes has been increased compared to the

existing system. The Fig. 6 gives the active node selection

comparison ratios.

Selecting Active Nodes

0

1020

30

40

50

60

70

25

50

75

100

No. of Nodes

NumberofActivenode

AODV

DSR

Figure 6: DSR vs AODV: Nodes vs Selecting active nodes.

5.2.8 Packet delivery ratio by AODV and DSR in Dynamic

nodes: The delivery ratio of DSR and AODV protocol in

dynamic nodes shows that DSR protocol shows better

performance than AODV. The Fig. 7 gives delivery ratio

comparisons.

5.2.9 Packet delivery ratio by DSR (static vs Dynamic

nodes): The delivery ratio of DSR protocol in static and

dynamic nodes shows only slight variations. The Fig. 8 gives

delivery ratio comparisons.

Figure 7: DSR vs AODV: Nodes vs delivery ratio-D

Packet Delivery Ratio

86

88

90

92

94

96

98

100

25

50

75

100

Number of nodes

PacketsDelivered

DSR-D

DSR-S

Figure 8: DSR: Nodes vs delivery ratios-S vs D

Delivery Ratio

0

20

40

60

80

100

120

25

50

75

100

N u mb e r o f n o d e s

AODV

DSR

8/8/2019 node6

6/6


6. Conclusion

The proposed work enhances the GODOM algorithm and

deploys it in DSR protocol along with the security measures.

In the systemic model, every communicative node is able to

reach the active packet monitoring nodes. The improved

security algorithm evaluates the pre-specified number ofhops the protocol should adapt. The STAT-IDS checks out

every packet using threshold values. Packets abnormality is

marked when its transmission value crosses the specified

threshold values. Scalability of the intrusion attacks in larger

networks are handled. In terms of efficiency, the proposed

model shows an improvement of 13% to 16% compared to

that of the existing GODOM algorithm. The enhanced

GODOM security algorithm helps a node to find out number

of neighbor nodes to select a safety active node with a raise

of 8% higher probability.

The proposed solution uses STAT based IDS designed for

detecting attacks against the DSR routing protocol. Theactive nodes are capable of executing the STAT-IDS and

detecting 10% more of DSR attacks. The proposed work

further analyzed and presented security scheme for more

number of intruders participate in the network and

collaborate it by attack packets. It is done by improving the

performance of the GODOM algorithm and intrusion

detection systems to prevent against Sybil attack and DoS

attacks.

References

1. Belding-Royer, E.M. and C.E. Perkins, Transmission

range effects on aodv multicast communication

ACMTKluwer MONET, 7(6): 455-470.http: //alpha.ece.

ucsb.edu/~eroyer/txt/monet.ps. DOI: 10. 1023/A:

1020708701096. 2002

2. Denning, D., An intrusion detection model IEEE Trans.

Soft. Eng., IEEE Press Piscataway, NJ, USA, 13(2): 222-

223. DOI: 10.1109/TSE.1987.232894. 1987

3. Deng, H.D.P. Agrawal and W.L. Routing, Security in

wireless adhoc networks IEEE Commun. Mag., 40(10): 70-

75. DOI: 10.1109/MCOM.2002. 1039859. INSPEC:

7422917. 2002

4. Perkins, CE. and E.M. Royer, AODV: Adhoc on-

demand distance vector routing In: Proc. of the 2nd IEEE

Workshop on Mobile Computing Systems and Applications,

pp:90-100. 2002 http://www. cs. cmu. Edu /People/bumba

/filing_cabinet/./papers/perkins-aodv. ps.gz.

5. Rao, R. and G. Kesidis, Detecting of malicious packet

dropping using statistically regular traffic pattern in multihop

wireless networks that are not bandwidth limited In: Proc.

IEEE GLOBECOM, 5: 2957-2961. ISBN: 0-7803-7974-8.DOI: 10.1109/ GLOCOM.2003.1258776. INSPEC:

8330047. 2002

6. Subhadrabandhu, D., S. Sarkar and F. Anjum, a. A

framework for misuse detection in adhoc networks part I.

IEEE J. S selected Areas on Communications (Special

Issues on Security in Wireless Adhoc Networks), 24 (2):

274-289. DOI: 10.1109/JSAC. 2005.861387. INSPEC:

8765864. 2006

7. Subhadrabandhu, D., S. Sarkar and F. Anjum, A

framework for misuse detection in adhoc networks part II.

IEEE J. Selected Areas on Communications (Special issues

on security in wireless adhoc networks), 24 (2): 290-304.

DOI: 10.1109/JSAC. 2005.861388. INSPEC: 8765865. 2006

8. Subhadrabandhu, D., S. Sarkar and F. Anjum, Efficacy

of misuse detection in adhoc networks In: Proceedings of

IEEE SECON, 4-7: 97-107. DOI: 10. 1109 /SAHCN. 2004.

1381907.INSPEC: 8371304. ISBN: 0-7803-8796-1. 2004

9. Fereshteh Amini, M.,Moazzam khan, N.,Jelena Misic, K.,Signature Based Intrusion Detection in Wireless Sensor

Networks In :Proc. of the 4th

IEEE Workshop on Wireless

Sensor Networks,pp:80-86. 2008

10. David Wagner.J.,Paloo Soto. D, Mimicy attacks on Host

Based Intrusion Detection System In Proceedings of the 9th

ACM Conference on Computer and Communications

Security.pp:45-51.2005

11. Alia Fourati, Khaldoun Al Agha, An IDS First Line of

Defense for Ad Hoc Networks, Proceedings of the WCNC

2007, pg. No.2621-2626.

12. Bo Sun And Lawrence Osborne, Yang Xiao, Sghaier

Guizani, intrusion detection techniques in mobile ad hoc

and wireless sensor networks, IEEE Wireless Communi-

cations, October 2007.

Documents

node6