research article on lightweight intrusion detection...
TRANSCRIPT
Hindawi Publishing CorporationInternational Journal of Distributed Sensor NetworksVolume 2013 Article ID 521497 20 pageshttpdxdoiorg1011552013521497
Research ArticleOn Lightweight Intrusion Detection Modeling andDetecting Intrusions Dedicated to OLSR Protocol
Mouhannad Alattar1 Franccediloise Sailhan2 and Julien Bourgeois1
1 UFCFEMTO-ST Institute UMR CNRS 6174 25201 Montbeliard France2 Cedric Laboratory CNAM 75003 Paris France
Correspondence should be addressed to Mouhannad Alattar mouhannadalattaruniv-fcomtefr
Received 1 March 2013 Accepted 23 April 2013
Academic Editor S Khan
Copyright copy 2013 Mouhannad Alattar et al This is an open access article distributed under the Creative Commons AttributionLicense which permits unrestricted use distribution and reproduction in any medium provided the original work is properlycited
Mobile ad hoc networks mostly operate over open adverse or even hostile environments and are therefore vulnerable to a largebody of threats Conventional ways of securing network relying on for example firewall and encryption should henceforth becoupled with advanced intrusion detection To meet this requirement we first identify the attacks that threaten ad hoc networksfocusing on the Optimized Link State Routing Protocol We then introduce IDAR a signature-based Intrusion Detector dedicatedto ad hoc routing protocols Contrary to existing systems that monitor the packets going through the host our system analysesthe logs so as to identify patterns of misuse This detector scopes with the resource-constraints of ad hoc devices by providingdistributed detection in particular depending on the level of suspicion and gravity in-depth cooperative diagnostic may belaunched Simulation-based evaluation shows limited resource consumption (eg memory and bandwidth) and high detectionrate along with reduced false positives
1 Introduction
Securing mobile [Ad hoc] networks (MANETs for short) isparticularly challenging because these networks often operatein adverse or even hostile environments [1 2] In additionthey are characterized by the open radio-based medium ofcommunication [3] the dynamic topology [4 5] the lackof centralized administrationsecurity enforcement points(eg switches and routers) [6] the low degree of physicalsecurity of the mobile nodes and the limited resources(eg energy bandwidth) [7] Hence MANET is much morevulnerable to attacks than the traditional infrastructure-based network [8] Conventional prevention techniques forexample firewall encryption [9] and authentication [10]cannot totally eliminate the attacks Indeed they address theoutsiders but they are less helpful for protecting against theinsiders if a legitimate node becomes compromised thenall the secrets associated with this latter would be open toattackers Moreover new attacks emerge and find usually away to penetrate the aforementioned techniques Thereforethere is a need for a reactive mechanism such as Intrusion
Detection Systems (IDSs for short) [11] which constitutes asecond line of defense
As a first step upon this goal we survey the attacksthat have been reported in the literature More specificallywe focus on the attacks targeting the Optimized Link StateRouting (OLSR for short) [12] its central role namelydetermining multi hop paths among devices designates thead hoc routing protocol as one of the favorite targets forthe attackers [13] Our attempt is not restricted to describinga bunch of attacks Instead we categorize and detail eachattack relying on a representationformalism that captures thecomplexity and temporal dependencies between each of theconstituting subtasks While describing attack we attempt tocircumvent the general form of this attack so as to keep toa minimum the detection that fails due to a varying attackBased on these modeled attacks we further implement oneattack challenge and derive appropriate intrusion detection
Recent works show that attack may be identified bydetecting a deviation to the correct behavior (anomalydetection) this correct behavior is either hand-specifiedrelying on a protocol description (typically a Request For
2 International Journal of Distributed Sensor Networks
Comment (RFC for short)) as in for example [14] orautomatically builtanalyzed using machine learning or datamining techniques for example [15] The difficulty involvedin automatically modeling the behavior of such dynamicnetwork leads to a large number of false positives thatmay be reduced by coupling automatic and specification-based anomaly detection [16] Moreover the used techniquesare mostly characterized by their intensive calculation andhenceforth the extensive consumption of resources [2] Analternative consists in describing the way an intruder pene-trates the system (by establishing intrusion signature) so asto detect any behavior that is close to this previously definedsignature Little attention has been centered on signature-enabled detection (also called misuse detection) in MANET[17] although it guarantees a high rate of detection alongwitha limited number of false alarms [18]
We propose IDAR a log- signature-based IntrusionDetector dedicated to ad hoc routing protocols IDAR doesnot necessitate sniffinginspecting the traffic as it is the casewith themajority of other IDSsThus it avoids the permanentstrain of energy bandwidth [19] and computational power[20] that accompanies traffic sniffing and analyzing Oursystem rather takes advantage of the audit logs that aregenerated by the routing protocol so as to detect evidencesof intrusion attempts In practice a sequence of events areextracted from logs so as to be matched against a set ofpredefined intrusion signaturesmdasha signature is thought of asa pattern of events that characterizes an intrusion
Main challenges stem from the need to keep to a mini-mum the number of diagnostics and the computational loadrelated to the intrusion identification while minimizing thetraffic generated when gleaning intrusion evidences Thiscalls for developing a lightweight and distributed intrusiondetection system that scopes with the cooperative natureof ad hoc networks and the device resource constraintsTowards this goal IDAR is designed to be a distributedand cooperative detection system which parses logs asclose as possible from the device that generates them so asto diminish the number of long-distant communicationsFurthermore we propose to categorize the intrusion evi-dences according to their level of gravitysuspicion Suchcategorization enables us to carefully plane the diagnostican in-depth diagnostic is initiated only when a sufficientdegree of suspicion exists and terminated as soon as a resultis obtained Thus we guarantee keeping to a minimum thenumberthe duration of diagnostics The performance ofIDAR is evaluated in a simulated MANET that is coupledwith virtual machines Such coupling permits us measuringboth the detection accuracy and the amount of consumedresources
The reminder of this paper is organized as follows Wefirst survey attacks on ad hoc network breaking downthe successive steps that characterize conquering attacks(Section 2) Grounded upon the defined intrusion signatureswe present a distributed log- and signature-based intrusiondetection system (Section 3) and evaluate its performance(Section 4) Then we conclude this paper with a sum-mary of our results along with directions for future works(Section 6)
2 Vulnerabilities
Physical data link and network layers are all subject tovulnerabilities Whereas in the physical and data link layersvulnerabilities are common to IEEE 80211 wireless networksvulnerabilities in network layer are specific to ad hoc net-worksMore specifically Zeroconf and routing protocols con-stitute the main target of attacks [13] The reason is threefoldFirst no security countermeasure is specified or implementedas a part of the drafts or RFCs (request for comments) pro-posed through the Internet Engineering Task Force MANET(httpwwwietforgdynwgchartermanet-charterhtml) orZeroconf (httpwwwzeroconforg) working groups Sec-ond the absence of a centralized infrastructure complicatesthe deployment of preventive measures for example fire-walls or keyauthentication infrastructuresThird any devicemay operate as router which facilitates the manipulationof multihops messages as well as the compromising of therouting functionality Attacks on those protocols fall into twomain categories passive versus active [21] With the formeran intruder intercepts the traffic in order to reveal usefulinformation (eg the roles played by the nodes and theirlocations) whereas with the latter an unauthorized actionis attempted [22] Active attacks are further sub-classifiedaccording to their unauthorized actions as follows [23]
(i) Drop attack consists in dropping routing message(s)(ii) Modify and forward attack modifies received routing
message(s) before forwarding it(iii) Active forge attack proactively generates deceptive
routing message(s)
Although the above attacks threaten both routing and Zero-conf protocols we hereafter concentrate on routing protocoland illustrate our presentation by exemplifying attacks on aproactive protocol called OLSR
21 Background on the OLSR Protocol OLSR aims to main-tain a constantly updated view of the network topology oneach device One fundamental is the notion of multipointrelay (MPR) each device selects a subset of the 1-hopneighbors called MPRs that is responsible for forwardingthe control traffic in the entire network The basic idea is toselect theminimumnumber ofMPRs that cover the two-hopsneighbors so as to reduce the number of nodes retransmittingcontrol messages and hence keep to a minimum the band-width overload Note that a redundant MPR may be selectedas to increase the reachability but this leads to increase theoverhead In practice a node119873 selects the MPRs among the1-hop neighbors that are announced (in addition link layerinformation provided by eg the IEEE 80211 protocol maybe used by a node to update its own routing tables) in periodicheartbeat messages termed hello messages Then a TopologyControl message (TC for short) intended to be diffused inthe entire network (the message Time To Live field (TTL forshort) can be used so as to limit message diffusion) is createdby the selected MPR(s) In TC message a MPR declares thenodes (including119873) that selected itself to act asMPRThanksto TC messages any device computes the shortest path (in
International Journal of Distributed Sensor Networks 3
term of the number of hops) to any destination such pathbeing represented as a sequence of MPRs In addition to theabove last versions of the protocol specification support anode holding several network interfaces which are declared(if many) in a so-calledMID (Multiple Interface Declaration)message This message is broadcasted on a regular basis byMPRs so that one another maps multiple interfaces of a givennode with the main address of this latter hence permittinga unique identification The aforementioned functionalitiescompose the core of OLSR Additional extensions have beendevised in compliance with the above-summarized OLSRspecification Examples include (i) dealing with the nodesthat commit (or not) to carry the traffic for others and(ii) supporting interconnection of an OLSRMANET withanother routing domain for example OSPF-enabled routingdomain With the former node advertises (in hello message)its willingness to carryforward traffic With the latter OLSRis extended to import (and resp export) the routes providedby other routing protocols (resp OLSR) For this purposeany gateway with associated host(s) andor network(s) gen-erates periodically a HNA message including those host(s)andor network(s) (ie the related network address and thenetmask) this message is further disseminated by MPRsSuch an auxiliary function is enabled by providing a basiclayout of any OLSR packet and by ignoring unknown(and hence not handled) packets Overall these core andauxiliary functionalities are together subject to a variety ofattacks
Recently a new version of OLSR (so-called OLSRv2)is specified in an Internet-draft [24] OLSRv2 distinguishesitself from its predecessor by considering the link metricrather than hop count for selecting the shortest path Itis supposed that OLSRv2 would have more modular andflexible architecture that facilitates add-ons extensions forfor example security QoS and multicast [25] It will alsopossess a simplified packet format and reduced-sizemessagesdue to address compression [26] However both OLSR andOLSRv2 retain the same basic algorithms and mechanisms
It is worth mentioning that several enhanced versionsof OLSR have been proposed Some of them tackle thesecurity issue and use signature hash chain or encryptionschemes in order to provide the security to OLSR [27 28]In general these versions aim to ensure (i) the integrity ofthe routing information that is preventing the unauthorizedmodifications of the routing messages by the intermediatenodes on the path from the source to the destination and (ii)the node-to-node authentication in order to prevent identityspoofing However they do not address for example thecase where the source node is itself compromised and henceit generates incorrect routing messages Thus they are stillincapable of preventing some types of attack [29] Thereforethere is always a need to employ a detection mechanism soas to handle the attacks that would success penetrating theprevention techniques
22 Attacks Targeting the OLSR Protocol The attacks threat-ening OLSR are hereafter detailed and classified accordingto the model introduced in [30] This model provides the
Table 1 Notations
Communication119884119872119905
997888997888rarr 119883 At 119905 119884 sends a message119872 that is received by119883119884119872119905
997888997888rarr At 119905 119884 sends a message119872119884119872119905
999424999426999456 119884 does not send a message119872 at 119905119872119905
997888997888rarr 119883 119883 receives a message119872 at 119905119872119905
999424999426999456 119883 119883 does not receive a message119872 at 119905Parameters
119905998810119905 Period of timeI Set of malicious nodes119873119878119883
Set of 1-hop neighbors of119883sq Sequence numberhc Hop count119908119883
Willingness of119883 to forward packets on behalf of othersMPR119909
MPRs of119883SelMPR119909 MPR selectors set of119883
MessagesHello Hello messageTC Topology Control messageMID Multiple Interface DeclarationHNA Host and Network AssociationCM Control MessageRM Received Control messageFM Control message intended to be forwarded
level of expressiveness necessary to specify the relation-ship between the actions and their related consequencesWe further enrich this model with temporal annotations(Table 1) As a consequence complex attacks their constitut-ing actions and consequences are temporally and successfullydepicted and categorized as drop attack (Section 221) activeforge attack (Section 222) and modify and forward attack(Section 223)
221 Drop Attack In practice a drop attack consists of anintruder that drops a control message instead of relaying itThis dropping has an impact only if the dropped control mes-sage is intended to be forwarded as illustration a suppressingof a hello message that is broadcasted over one hop hasno consequence Thus with OLSR threatened messages arerestricted to themessages that are created andor broadcastedby a MPR so as to be rediffused by other MPRs thatis Topology Control (TC) Multiple Interface Declaration(MID) and Host and Network Association (HNA)messagesMore particularly let us consider a host 119878 that sends a controlmessage which is intended to be forwarded This messagewhich is originated at 119905 (119878
FM119905
997888997888997888rarr119868) is received by 119868 that dropsit In practice 119868 drops a control message if 119868 does not forwardthis message during a period |1199051015840 minus 119905| less than the maximumallowed (any control message is characterized by an emissioninterval as well as a holding time in the routing tables Thesetwo related values participate in setting a validity time that
4 International Journal of Distributed Sensor Networks
should be herein considered in conjunction with the messagetype) period119905
119878FM119905
997888997888997888rarr 119868 119868
FM1199051015840
999424999426999456 100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816gt 119905
dArr
119868 isin I
(1)
Such a dropping is naturally applied on any packet thatis empty expired duplicated or out of order In additionrestrictive forwarding is provided meaning that in practice(only) the 1-hop neighbor(s) of 119878 that have been selectedby 119878 to act as MPR(s) forward 119878rsquos messages Apart fromthe aforementioned conditions that lead to a convenientdropping the remaining reason motivating a dropping isthreefold An intruder (or a compromised node) a selfishor a malfunctioning node disturbs the routing calculation bydropping a control message that should be forwarded Theattempt to drop any packet is termed black hole A selectivedropping (named gray hole) is detected by taking intoaccount additional fine-grained or discriminative criteriaincluding the choice of specific final1-hop-away destinationor source percentagerate of packets received or forwardedand message type Rather than dropping the traffic anoppositemisbehavior consists in introducing falsified routinginformation
222 Active Forge Attack An active forge attack comes froma node that introduces novel deceptive routing messagesAmong others the broadcast storm stems from forgingcontrol messages so as to exhaust resources (eg energy) andsaturate the communication medium For this purpose anintruder 119868 forges a large number of control messages CMwithin a short period of time 998810119905 (see Expression 2) Thisattack may be local (eg targeting a 1-hop neighborhood) orglobal (eg relying on the multihops broadcasted messages)It may also be conducted in a distributedmanner with severalcolluding nodes so as to simultaneously emit (a large numberof) control messages Note that in order to prevent a broad-cast storm resulting from the involuntary synchronization ofsome emitting nodes a delaying of the control messages isrecommended in the RFC a jitter (typically a random value)is subtracted from the interval at which control messages aregenerated (and also forwarded)
119868CM119905
997888997888997888rarr 119868CM1015840119905
997888997888997888rarr100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 998810119905
dArr
119868 isin I
(2)
A special type of broadcast storm is routing table overflowattack that threatens especially the proactive routing pro-tocols (eg OLSR) as they periodically update the routinginformation [31] Herein one or several colluding intrudersprevent the well-behaving nodes from discovering new exist-ing routes by dumping the networkwith route advertisements
to nonexisting nodes In general broadcast storm constitutesa kind of denial of service that is characterized by a high vis-ibility Therefore it is typically combined to masqueradingmdashalthough less intrusive attacks may also be preferred Inpractice masquerading lies in sending a control message CM
including a switched identification (119868CM(119868)
119905
997888997888997888997888997888rarr 119868CM(119878)
119905
997888997888997888997888997888rarr)Note that this case is distinguished from a node that holdsseveral interfaces and that advertises those later in a dedicatedMID message Apart from masquerading a denial of serviceidentity spoofing may be intended to create conflictingroute(s) and potentially routing loop(s) In this latter casespoofing the identity of a node 119878 belonging to the networkis necessary As pointed out in [32] the spoofing attack mayalso be coupled with a modification of the willingness field soas to impact the MPR selection (Expression 3) In practiceif 119868 emits a hello message including an originator address
already assigned to another node 119878 (119868hello(119878)997888997888997888997888997888997888rarr 119863) then
119868 modifies the local topology as seen by its 1- and 2-hopsneighbors In addition if 119868 modifies the willingness field1199081015840
119878of 119878 (with 1199081015840
119878= 119908119878) then the selection of 119878 as MPR is
impacted recall that MPRs are selected among the nodeswith highest willingness and in case of multiple choicesthe node which provides a reachability to the maximumnumber of nodes is primarily selected For instance a nodewhose willingness attribute set to 119908119894119897119897 119899119890V119890119903 = 0 (resp119908119894119897119897 119886119897119908119886119910119904 = 7) is never (resp always) selected as MPRthat is 1199081015840
119878= 119908119894119897119897 119899119890V119890119903 rArr 119878 notin MPR
119863(versus 1199081015840
119878=
119908119894119897119897 119886119897119908119886119910119904 rArr 119878 isin MPR119863)
119878
hello(119878119908119878)119905997888997888997888997888997888997888997888997888997888rarr 119863 119868
hello(1198781199081015840119878)1199051015840
997888997888997888997888997888997888997888997888997888rarr 119863
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905 119908
119878= 1199081015840
119878
dArr
119868 isin I
119878 is spoofed
1199081015840
119878= 119908119894119897119897 119899119890V119890119903 997904rArr 119878 notin MPR
119863
1199081015840
119878= 119908119894119897119897 119886119897119908119886119910119904 997904rArr 119878 isin MPR
119863
(3)
Active forge attacks are not restricted to identity spoofing(possibly coupled with a tampering of the willingness field)They also cover the tampering of control messages includingincorrect adjacent links (hello messages) topology informa-tion (TC messages) and network interfaces (MID and HNAmessages) In the following we detail each of those In thefirst case (Expression 4) 119868 forges a hello message whichdeclares a list of 1-hop and symmetric neighbors1198731198781015840
119868differing
from the real set 119873119878119868 A symmetric 1-hop neighbor or simply
symmetric neighbor corresponds to an adjacent node withwhich communication is bidirectional In practice it means
International Journal of Distributed Sensor Networks 5
that the hello message exchanged by two nodes is heard byboth of these later
119868
hello(1198731198781015840119868)119905997888997888997888997888997888997888997888997888997888rarr 119878119873119878
1015840
119868=119873119878119868
dArr
119868 isin I
(4)
Whenever forging the set of neighbors 1198731198781015840119868 the attacker has
three options
(1) Declaring a nonexisting node as a symmetric neigh-bor implies that 119868 (or another misbehaving node)is further selected as MPR (Expression 5) Indeedif 119868 advertises a non-existing node 119873 (119873 notin Nwith N defining the set of nodes composing theOLSR network (according to the OLSRRFC [12]messages can be flooded into the entire network (withamaximumnetwork diameter defined by themessageTime To Live field TTL for short) or flooding canbe limited to nodes within a diameter (defined interms of number of hops) from the originator ofthe message For the sake of clarity let N representthe network in both cases)) 119868 ensures that no other(well-behaving)MPR claims being a 1-hop symmetricneighbor of119873 Recall that the set of MPRs is selectedso that all the 2-hops and symmetric neighbors arecovered 119868 is hence selected as MPR
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119873 isin 1198731198781015840
119868ni 119873 notinN cap 119873119878
119868
dArr
119868 isin I
exist1198681015840isin I cap 119873119878
119878ni 1198681015840isin MPR
119878
Card (1198731198781015840119868 (119873119878
1015840
119868capN)) gt 0
(5)
This assertion is verified as long as no other misbe-having neighbor of 119878 is claiming the same Overallinserting at least one non-existing neighbor (exist119873 isin
1198731198781015840
119868ni 119873 notinN cap119873119878
119868) guarantees that a misbehaving
node 1198681015840 (with 1198681015840 isin I) is selected to act as MPR of119878 (exist1198681015840 isin I cap 119873119878
119878ni 1198681015840isin MPR
119878) In addition
to the above the connectivity of 119868 is also artificiallyincreased (Card(1198731198781015840
119868 (119873119878
1015840
119868capN)) gt 0)
(2) Declaring that an existing node is a symmetric 1-hopneighbor whereas that node is far away (ie is not aneighbor) or is a neighbor but that is not symmetric(exist119883 isin 119873119878
1015840
119868capN ni 119883 notin 119873119878
119868) This claiming increases
artificially the connectivity of 119868 that is Card((1198731198781015840119868
119873119878119868) capN) gt 0
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119883 isin 1198731198781015840
119868capN ni 119883 notin 119873119878
119868
dArr
119868 isin I
Card ((1198731198781015840119868 119873119878119868) capN) gt 0
∄119860 isinN I ni 119860 isin 119873119878119878and 119883 isin 119873119878
119860
dArr
exist1198681015840isin I ni 119868
1015840isin MPR
119878
(6)
If no (well-behaving) MPR covers 119878 (∄119860 isin N I ni
119860 isin 119873119878119878and 119883 isin 119873119878
119860) then at least one misbehaving
node (eg 119868) is selected as MPR of 119878 (exist1198681015840 isin I ni
1198681015840isin MPR
119878) Such insertion typically characterizes an
attempt to create a black hole 119868 introduces a novelpath toward119872 that whenever selected provisions theblack hole
(3) Omitting an existing 1-hop neighbor and symmetricnode 119875 (exist119875 isin 119873119878
119868ni 119875 notin 119873119878
1015840
119868) decreases artificially
the connectivity of both 119875 and 119868 (119873119878119868
sube 1198731198781015840
119868)
Note that if 119875 has no other connectivity than the oneobtained through amisbehaving node119875 gets isolated
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119875 isin 119873119878119868ni 119875 notin 119873119878
1015840
119868
dArr
119868 isin I
exist1198681015840isin I cap 119873119878
119878 119873119878119868sube 1198731198781015840
119868
(7)
Overall falsifying the neighboring adjacency by inserting(existing or nonexisting) neighbor(s) andor omitting realneighbors potentially perverts the local topology seen by 119878(andmore generally by one another) and impacts the selectedMPR(s) by 119878 Nevertheless note that in order to be selectedas MPR of 119878 (or to prevent its selection) there is no needfor 119868 to falsify the neighboring adjacency Recall that ina hello message a field termed willingness designates thenodersquos willingness to carry traffic on behalf of others 119868 henceprevents (resp ensures) its selection as MPR by simplysetting its willingness field to the value 119908119894119897119897 119899119890V119890119903 (resp119908119894119897119897 119886119897119908119886119910119904) On the whole the MPR selection is impactedby either falsifying the topological information included inhello message or by making use of the willingness attributeAnother (perhaps more straightforward) alternative refersto a slander node 119868 declaring (resp not declaring) itself asMPR although it has not (resp has) been selected as MPR
6 International Journal of Distributed Sensor Networks
[33] For this purpose (Expression 8) 119868 forges a TopologyControl (TC) message including an incorrect set of 1-hopsymmetric neighbors that have selected 119868 as MPR (so-calledMPR selector set) Depending on the level of redundancyrequired a MPR advertises
(1) the MPR selector(s) SelMPR119868
of 119868(2) the MPR selector(s) along with the MPR of 119868
SelMPR119868
cupMPR119868
(3) the 1-hop neighbors 119873119878119868of 119868 (hence including the
MPR selectors and the MPR of 119868)
LetA119868represent the set advertised in the TC messageA
119868=
SelMPR119868
or (SelMPR119868
cupMPR119868) or 119873119878
119868 This attack consists in 119868
advertising an incorrect setA1015840119868differing from the real oneA
119868
119868
TC(A1015840119868)119905997888997888997888997888997888997888rarr 119878A
1015840
119868=A119868
dArr
119868 isin I
(8)
In particular possible falsifications lie in either 119868 insertinga non-existing node or inserting an existing node but non-MPR selector or omitting a node belonging to A
119868 Upon
the reception of a falsified TC message routing table iscorrupted This corruption contaminates the OLSR networkand also any interconnected routing domain Indeed anode well-behaving or not acting as a gateway exports thewrong OLSR routes Symmetrically an intruder may alsoimport incorrect routes to the OLSR domain This latterattack termed sinkhole involves an intruder 119868 defining itselfas a gateway that provides an access to associated host(s)andor network(s) This gateway generates periodically aHNA message including those host(s) andor network(s)(ie the related address(es) and netmask(s)) This attackconstitutes a generalization of the previously defined forgingof corrupted TC messages a node advertises either non-existing or existing but unreachable nodes or omits advertis-ing reachable nodesThe similarity with the TC active forginglead us not detailing it hereafter
The aforementioned forge attacks (eg link or routespoofing attacks sinkhole) necessitate to tamper specificmessage fields while keeping this message syntactically cor-rect More generally bogus control messages can be forgedhence creating an implementation-dependent effect Gener-ally speaking similar tampering may be performed by anintruder that has acted as MPR prior forwarding a falsifiedcontrol message
223 Modify and Forward Attacks Modify and forwardattacks are characterized by an intermediate which capturesthe victimrsquos control message and replays modifies or dropsthis message before forwarding it In the following we depictthe two former cases ignoring the message dropping that hasbeen already described Replaying a control message includesdelaying the emission of this message by recording andforwarding it later (potentially in another area) or repeatingthis message As a consequence routing tables are updated
based on obsolete information Note that each messagecontains a field indicating the period of time during whichthis message is considered as valid and hence it is used toupdate the routing table Both attacks can be systematic (ietargeting anymultihops control traffic) or selectiveTheymayalso be performed in a distributed manner (Expression 9)with two intruders one recording the control message fromone region so as to replay it in another region (ie the oneof the colluding intruder) Without loss of generality let 119868
1
(resp 1198682) be the node that records it (resp replays it)
119878CM(119878)
119905
997888997888997888997888997888rarr 1198681 1198681
CM(119878)997888997888997888997888997888rarr
enc1198682 1198682
CM(119878)1199051015840
997888997888997888997888997888997888rarr 119884
119878 notin 119873119878119884 998810119905 le
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
dArr
119878 isin 119873119878119884
dArr
1198681 1198682isin I
(9)
In practice 1198681tunnels the control traffic by for example
encrypting the routing message andor relying on an alter-native network interface (that may be advertised or not)Then 119868
2replays it This attack leads to the creation of a
wormhole whose length depends on the distance separatingthe two intruders Note that in order to stay invisible both1198681and 1198682may keep the identification field unchanged the
source is 119878 rather than 1198681or 1198682 This possibility corresponds
to a masquerading Sequence numbers constitute a standardmechanism that provides protection against replay attacksgiven that the sequence delivery is not required by OLSRIn counterpart their usage can be hijacked so that thedestination drops the message rather than using it In prac-tice an intruder 119868 increases (a wraparound mechanism isimplemented when the sequence number reaches an extremeboundary it is reset to zero) (resp decreases) the value
of the sequence number sq (119878CM(119878)
119905sq997888997888997888997888997888997888997888rarr 119868 119868
CM(119878)1199051015840sq1015840
997888997888997888997888997888997888997888997888rarr
sq1015840 = sq) so that the destination assumes that 119878 is providingthe freshest (resp an obsolete) route and therefore ignoresthe subsequent (resp the actual) control message(s)
119878
CM(119878)119905sq
997888997888997888997888997888997888997888rarr 119868 119868
CM(119878)1199051015840sq1015840
997888997888997888997888997888997888997888997888rarr sq1015840 = sq 100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
dArr
119868 isin I
(10)
An intruder 119868 may also corrupt the routing table by mali-ciouslymodifying a received controlmessage before forward-ing it This modification consists in tampering either thecontents of themessage or the identification of its sourceTheformer case is similar to the forge attack described abovewherein the intruder tampers the MPR selector set in TCmessage theOLSR routes inHNAmessage or the interface(s)identification in MID message While in the latter case anintruder 119868 forwards the packet containing the control mes-sage without changing the source address [34] Consequently
International Journal of Distributed Sensor Networks 7
two nodes consider themselves as 1-hop neighbors whereasthey are not in the communication range of each otherAn intruder may also disrespect the flooding mechanism inOLSR This happens when the intruder retransmits a controlmessage that is received from a non-MPR selector node [32]
119868 notin MPR119878 119878
CM119905
997888997888997888rarr 119868 119868
CM1199051015840
997888997888997888997888rarr100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
dArr
119868 isin I
(11)
Overall attacks targeting OLSR protocol are classifiedinto 3 types
(i) drop attack that consists in totally or selectivelydropping the controlmessages for example droppingTC message in order to foil route calculation
(ii) active forge attack that attempts to poison OLSRrsquosfunctionalities by introducing novel deceptive controlmessage for example a hello message including anincorrect neighbor set so as to foil MPR selection
(iii) modify and forward attack lies in an intruder thatcaptures and modifies a control message before for-warding it (eg increasing the sequence number of aTC message hence the subsequent TC messages areignored)
An intruder launches the attack either in a standalonemanner or in collusion with other intruder(s) constitutingwhat so-called a Byzantine attack (eg wormhole) togetherusually coupled with masquerading Detecting these attacksis far to be a trivial task because a minor deviation on anattack makes it undetectable In addition an attack can becomposed of several subattacks In order to tackle theseissues we describemodel the attack as general as possiblehence circumventing possible deviationsWe then propose anintrusion detection system that detects composed attacks asmuch as their parties
3 Intrusion Detection
We propose a distributed log- and signature-based intrusiondetection system named IDAR In addition to providing ahigh detection accuracy IDAR aims tomaintain the availableresources in MANET For this purpose the evidences ofattack are extracted from the log and further classifiedaccording to their level of gravity Such classification helpsin planning the diagnostic and henceforth minimizing thecomputation overhead related to attack identificationDuringthe diagnostic evidences arematched to predefined intrusionsignatures The establishment of an intrusion signature andfurther the diagnostic operation are exemplified with the linkspoofing attack we purposely developed
31 Resource-Aware Evidence Gathering IDAR distinguishesitself from other IDSs by extracting the signs of attack fromthe logs instead of sniffing the traffic Thus the consumptionof energy and computational power resulting from evidence
minus600
minus400
minus200
0
200
400
600
800
0 200 400 600 800 1000Size (bytes)
Promiscuous overhearing sender and receiverPromiscuous overhearing senderPromiscuous overhearing receiverNonpromiscuous overhearing sender and receiverNonpromiscuous overhearing senderNonpromiscuous overhearing receiver
Ener
gy (u
Wlowast
s)Figure 1 Energy consumption in promiscuous and nonpromiscu-ous modes
gathering and analyzing is minimized In fact sniffing trafficnecessitates that the wireless network interface stays in modepromiscuous at all time thus the node can overhear all thepackets within its transmission range But promiscuousmodeleads to consuming more energy and hence reducing rapidlythe lifetime of the nodenetwork Indeed a nondestinationnode in the radio range of either the sender or the receiveroverhears some or all of their traffic For the IEEE 80211MAC protocol a nondestination node in discarding (ienonpromiscuous) mode can enter into a reduced energyconsumption mode and discard othersrsquo traffic [35] Suchmode requires less energy than the idle mode which is thedefault mode in ad hoc network While a nondestinationnode operating in promiscuous mode listens to all the trafficwhether or not it is the intended destination The traffic isfurther received as if it was a broadcast traffic thus additionalenergy consumption is associated with promiscuous modeoperation Figure 1 represents a part of the experimentalmeasurements realized in [19] about the energy consumptionof an IEEE 80211 2Mbps wireless card It shows the signifi-cant difference in energy consumption between promiscuousand nonpromiscuous modes Note that the consumption inthe nonpromiscuous mode is negative because it requiresless energy than the reference idle mode Besides increasingthe amount of consumed energy sniffing traffic imposes ahuge computational overhead [20] Indeed the packet-levelanalysis which is applied on the sniffed packets strainssignificantly the available resources that ismemory andCPUprocessing Moreover since all the traffic in the radio rangeis sniffed many of the analyzed packets would be redundantand add nothing to the detection In order to avoid thispermanent strain of resources IDAR does not sniff the trafficbut it rather collects periodically the local logs In particularit focuses on the portion of logs that characterizes the
8 International Journal of Distributed Sensor Networks
activities of the routing protocol (eg packet reception MPRselection) Note that additional logs for example system-security-related logs could be integrated and correlatedOnce parsed a log is used so as to detect a sign of suspiciousactivityThis consists inmatching the log against a predefinedintrusion signature An intrusion signature is thought as apartially ordered sequence of events that characterizes anintrusion Such procedure is potentially not only memorybut also bandwidth consumer Indeed it involves examininglocal logs as well as performing an in-depth diagnostic whereother nodes are requested so as to collect additional attackevidences correlate and match them against the definedintrusion signatures The in-depth diagnostic offers a globalview about the suspicious nodes and therefore it increasesthe accuracy of the detection But it is a costly operation interms of resources Thus the in-depth diagnostic must becarefully planned that is should be initiated only when asufficient degree of suspicion exists and terminated as soon asa result is obtained For this purpose we propose to classifyattack evidences so that depending on their level of gravitythe in-depth diagnostic may be performed According to ourclassification an evidence falls into one of the following fourgroups
(i) Initial-evidence group contains the evidences that leadto launch an in-depth diagnostic over the network
(ii) Suspicious-evidence group contains the evidences thatlead to identify a node as suspicious
(iii) Confirmed-evidence group contains the evidences thatconfirm the occurrence of an attack This results interminating the diagnostic and declaring the suspi-cious node as intruder
(iv) Cancel-evidence group contains the evidences thateliminate the suspicion and stop the diagnostic
These groups are populated with the evidences that areextracted from the log If an evidence belonging to the initial-evidence group is discovered then an in-depth diagnosticis launched so as to confirm (ie discovering an evidencebelonging to confirmed-evidence group) or infirm (ie dis-covering an evidence belonging to the cancel-evidence group)the intrusion both lead to the termination of the diagnosticRelying on these groups the evolution of any attack and itsrelated detection is easily followed In addition its compactform facilitates the lightweight discovering of long-termintrusions
32 Link Spoofing Attack A link spoofing attack lies infalsifying hello message(s) so as to modify the local topologyperceived by adjacent nodes This attack influences the MPRselection In particular this attack owns a global impactthe MPR position provides to the intruder the possibility toeavesdrop tamper misrelay or drop the traffic As discussedin Section 2 (and further detailed in Expression 4) anintruder realizes a link spoofing attack through one of thefollowing three cases
(1) It advertises a non-existing and symmetric nodeThus the intruder guarantees (unless another attacker
advertises the same non-existing node) being selectedas a MPR because this non-existing node is uniquelycovered by the intruder
(2) It advertises existing but nonneighboring node(s)The intruder is selected as a MPR if the advertisednode(s) is (are) not already covered by another (well-behaving or malicious) MPR
(3) It keeps under wraps neighboring and symmetricnode(s) In this case the connectivity of the intruderand consequently its chance of being selected asa MPR are both decreased Used in a standalonemanner this attack aims to decrease the connectivityof one or several nodes a complete isolation necessi-tates that no other (well-behaving) MPR covers thatnode(s)
We develop an attack (Expression 12) wherein an intruderfalsifies a hello message that contains both a non-existingnode (Case 1) and existing but non-neighboring nodes (Case2) The reason that motivates this choice is twofold First byadvertising a nonexisting node 119873 119868 ensures being selectedas a MPR by the victim 119878 (exist119873 isin 119873119878
1015840
119868ni 119873 notin N cap 119873119878
119868)
Note that with the last versions of the RFC a node (iepotentially an intruder) may dictate its selection as a MPRby advertising (in a hello message) its high willingness torelay messages Nevertheless previous versions (and theirrelated implementations) ignore this case Regardless of theversion of the protocol our intruder (as aforementionedpreviously) guarantees being selected as MPR by advertisinga nonexisting and symmetric node Second by announcingcommon neighbors with another node 119871 (Case 2) 119868 increasesthe probability that 119871 is not selected as a MPR (119868 replacing119871) and henceforth increases its proper ascendancy Note thatthe attack we developed does not consider the third casethat involves the reduction of the intruderrsquos connectivityNevertheless attack signature deals with it
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119873 isin 1198731198781015840
119868ni 119873 notinN cap 119873119878
119868
exist119871 isin MPR119878ni [119873119878
119871 119873119878119868] sube [119873119878
1015840
119868 119873119878119868]
dArr
119868 isin I 119871 notin MPR119878
exist1198681015840isin I ni 119868
1015840isin MPR
119878
Card (1198731198781015840119868 (119873119878
1015840
119868capN)) gt 0
Card ((1198731198781015840119868 119873119878119868) capN) gt 0
(12)
Herein a key challenge stems from the need to generate ahand-coded intrusion signature that models such attack andhenceforth permits to detect it
33 Signature Establishment As mentioned before a linkspoofing attack aims to inflect the MPR selection such
International Journal of Distributed Sensor Networks 9
Table 2 Evidence characterizing a link spoofing attack
Initial-evidence group1198641 AMPR is replaced by a 1-hop neighbor or by an already selected MPR1198642 AMPR behaves maliciously for example it tampers misrelays or drops the control messages
Suspicious-evidence group1198643 AMPR is the only node that provides connectivity to one (or more) 2-hops neighbor(s)
Confirmed-evidence group1198644 AMPR advertises a partial set of 1-hop neighbors1198645 AMPR advertises nonneighboring node(s) as 1-hop neighbors(s)
Cancel-evidence group1198646 AMPR is defined as an intruderwell-behaving node
selection is triggered upon a change in the symmetric 1- and2-hops neighborhood Rather than launching an in-depthdiagnostic upon every change in the 1- or 2-hops symmet-ric neighborhood we keep to a minimum the number ofthese diagnostics and henceforth the amount of consumedcomputational power and bandwidth by initiating it onlyat the occurrence of an event related to a link spoofingattack More precisely we ignore the changes in the 1-hopneighborhood (eg apparition of 1-hop neighbor) becausethey are observed by the node itself Thus they are notsubject to the remote falsification which is the cornerstoneof a link spoofing attack In contrary changes in the 2-hopsneighborhood are considered as long as they impact theMPRselection In practice the evidences that reveal a link spoofingattack (Table 2) are broken down into
(i) a MPR replacement (Evidence 1 or 1198641 for short)that results from a change in the covering of the 1-hop neighbors one (or several) 1-hop neighbor(s)(possibly the replacing MPR) increase(s) its (their)coverage to the detriment of the replaced MPR AreplacementMPR is a 1-hop neighbor that is excludedfrom the MPRs set even though it provides the sameconnectivity in both the previous and current MPRselection rounds
(ii) No MPR replacement takes place but an alreadyselected MPR is detected as misbehaving node Forinstance a misbehaving MPR may drop falsify ormisrelay the control messages (1198642) Note that anevidence of a special interest herein refers to a nodepromoting itself as a MPR without having beenselected as a MPR Amisbehaving MPR includes alsothe case wherein a MPR continually advertises thesame 2-hops neighbors set despite being no morevalid Contrary to other cases this one is not eventdriven and should be handled based on random orperiodical checks
(iii) aMPR is the only one that covers one or several nodes(1198643)
(iv) a MPR covers partially its adjacent neighbor(s) (1198644)
(v) a MPR provides connectivity to a nonneighboringnode (1198645)
The occurrence of either 1198641 or 1198642 constitutes the startingpoint of an in-depth diagnostic 1198641 and 1198642 belong to theinitial-evidence group The act of being the only MPR thatprovides the connectivity to node(s) (1198643) is suspicious butis not sufficient to launch an in-depth diagnostic becausethis situation is typical in a sparse network Furthermoretwo nodes within the covering range of each other oftenfail in communicating due to the unpredictable nature ofwireless transmission resulting from for example obstaclesand noises Thus diagnosing 1198643 is especially difficult underno specific assumption Overall the occurrence of 1198641 or 1198642and optionally1198643 leads to an in-depth diagnostic (Expression13) In practice the 1-hop neighbor(s) of the suspicious MPRare interrogated Note that part of the interrogated nodesmayexpress a different opinion that results from malicious nodeor an obsolete routing information This calls for taking intoaccount their respective reputation (as we plan in our nearfuture work)
(1198641 or 1198642)
dArr dArr
(1198644 or 1198645) optional (1198643) (1198644 and 1198645)
dArr dArr
The suspicious MPRis an intruder
The suspicious MPRis well-behaving
(13)
If the obtained answers confirm (resp infirm) that thesuspicious MPR covers partially its neighbors (1198644) andoradvertises a distant node as 1-hop neighbor (1198645) then theMPR is declared as an intruder (resp well-behaving) andthe diagnostic is terminated (1198646) Obviously the cooperationbetween the nodes constitutes a cornerstone in our in-depthdiagnostic
34 Cooperative Diagnostic The in-depth diagnostic of a linkspoofing attack consists in verifying the existence of a sym-metric and neighboring relationship between a suspiciousMPR and its advertised 1-hop neighbors (Algorithm 1) Moreprecisely this diagnostic follows the following steps Firstthe MPRs that have been replaced by other MPR or 1-hopneighbor are identified (lines 1-2) because such replacementrepresents the initial evidence of a link spoofing attack (1198641in Table 2) For this purpose the function GetReplaced-Mpris called (Line 1) It establishes the MPRs that have been
10 International Journal of Distributed Sensor Networks
(1) OldMprs = GetReplaced-Mpr()(2) SuspiciousMprs = GetReplacing-Mpr()(3) for (suspicious isin SuspiciousMprs) do(4) InterrogatedNodes = GetCommon2HopsNeighors
(suspicious OldMprs)(5) for (2HopsNeighbor isin InterrogatedNodes) do(6) if (LinkExistence (2HopsNeighbor suspicious) ==
false) then(7) Generate-Alarm (suspicious)(8) end if(9) end for(10) Cancel-Suspicious (suspicious)(11) end for
Algorithm 1 In-depth diagnostic
replaced by comparing the currentMPRs and the penultimateMPRs Then the MPRs sharing 1-hop neighbor(s) with areplaced MPR are identified (function GetReplacing-MPRline 2) Those identified MPRs are tagged as suspicious andare subject to further analysis (lines 3ndash11) the objective is toverify whether some spoofed links have been advertised soas to replace the MPR It follows that the 1-hop neighborsthat are common to a replaced MPR and a suspicious oneare determined (GetCommon2HopsNeighors function line 4)Note that these 1-hop neighbors also correspond to the 2-hops neighbors of the node launching the diagnostic Theyare interrogated (LinkExistence function) so as to verify theexistence of links The interrogation of a 2-hops neighbordenoted by 119860119894 consists in sending a request to 119860119894 asking ifthis latter considers the suspicious MPR as a 1-hop neighborat a specific time 119905 Whenever possible this request is sentwithout going through both the suspicious MPR 119868 or anycolluding intruder 1198681015840 This eluding is necessary in order toprevent 119868 and 1198681015840 from dropping the request andor forging adeceptive answerTherefore the 1-hop neighbor(s) (primarilythe MPR(s)) that covers the interrogated 2-hops neighbors isprovided with the request Note that the suspecting node 119878 isaware of is provided with the connectivity between the nodesthat form its two-hops neighbors Thus 119878may select the one(if existing) that covers 119860119894 If no answer is obtained (iethe related time-out elapses) then the request is sequentiallytransferred through the rest of the covering 1-hop neighbors(keeping in mind that as aforementioned MPRs are pri-marily selected) However when no neighbor is left then an(multihops) alternative path is researched in the routing tableto reach 119860119894 Note that the verification related to a suspiciousMPR is performed within an independent thread hencethe diagnostic of one node (and the result waiting) is not ablocking to others If 119860119894 denies being a 1-hop neighbor of thesuspicious MPR then a countermeasure is triggered Moreprecisely an alarm that establishes the detected attacker(s)is broadcasted (Generate-Alarm function line 7) Otherwiseif no deny takes place the suspicious MPR is no longersuspected (Cancel-Suspicious function line 10) In both casesthe diagnostic terminates Note that if no answer is provided(the inconsistent answers lead also to a claim in the degree
of suspicion However this case is not included in this paperbut it is handled in our other works) then the suspiciousMPR is tagged as not verified and the degree of suspicionin this latter goes up It is worth mentioning that the currentimplementation of IDAR considers the link spoofing attackHowever considering other attacks is not complicated andrequires only specifying the evidences to be searched in thelogs and the information to be exchanged between the nodesduring the in-depth diagnostic
4 Architecture and Performance Evaluation
In this section we introduce the key architectural compo-nents of IDAR (Section 41) Then we present the evaluationof IDAR performance (Section 42) and further discuss theobtained result (Section 43)
41 IDAR Architecture In order to cope with the dynamicnature ofMANET IDAR is both distributed and cooperativeThe proposed architecture (Figure 2) requires that everydevice participates in the detection (The delegation of somedetection operations (eg logs analyzing) may be sharedamong devices But it will not be necessarily less expensive interms of resources consumption)More precisely each devicecontains an instance of IDAR which independently detectsthe signs of suspicion and cooperates with other instancesso as to conduct the diagnostic in a broader range IDAR isimplemented in Perl (httpwwwperlorg) and conceptuallystructured into 4 components
(i) Coordinator that orchestrates all the components Assuch it constitutes the hearth of IDAR In prac-tice it parses dynamically the OLSR logs so as toextract signs of suspicion and match these latteragainst predefined intrusion signaturesThe intrusionsignatures are represented as conditional rules (ifcondition then state) Furthermore it triggers thecommunication and the alarm notification in orderto launch advanced diagnostic
(ii) Communication manager that gathers informationabout for example the adjacent links as requiredby the diagnostic manager Meanwhile it answersthe diagnostic requests This component runs into aseparated thread so that other IDAR operations arenot blocked
(iii) Knowledge database includes the information thatis extirpated from the logs and is provided by thecommunication manager This database is realized inMysql (httpwwwmysqlcom) Stored informationencompasses for example the 1-hop and 2-hopsneighbors and the MPRs
(iv) Alarm notifier is responsible for alarming the networkwhen an intrusion is detected Note that we areplanning to include more countermeasures in thefuture for example eliminating the routes containingan intruder
International Journal of Distributed Sensor Networks 11
SignatureKnowledge
database
Coordinator
Communicationmanager Alarm notifier
Update
Feedback
Diagnostic requestDiagnostic answer
IDAR instance
Routing log
IDAR instanceDiagnostic requestanswer
Routing log
Feed back
Figure 2 IDAR architecture
All the above components have been developed so as tosupport intrusion detection offering a high rate of detectionalong with conserving the resources
42 Performance Evaluation In order to evaluate the perfor-mance of IDAR a mobile ad hoc network has been simulatedusing the network simulator NS3 (httpwwwnsnamorg)[36] Each node in the simulated network is furthercoupled with a Linux Container (LXC) virtual machine(httplxcsourceforgenet) [37] The reason that motivatesthis coupling is twofold First NS3 offers the possibilityto simulate a large-scale mobile ad hoc network SecondLXC an operating-system-level virtualization tool permitsto run multiple isolated machines (also called containers)on a single modified hosting kernel (up to 1024 contain-ers over a single hosting kernel) Each container owns itsproper resources (eg process tree network interface andIP address) Thus the resource consumption (eg memoryusage) can be isolated and measured In practice an instanceof IDAR is installed on each container that appears asa standaloneseparated machine Figure 3 exemplifies thecoupling between nodes in NS3 and LXC containers Fromthe IDAR perspective (as well as from any applicationinstalled on the container) the emission and reception ofpackets is done through the network interface (eth0) Whilethe container contains a simulated ethernet card (V119890119905ℎ)which is connected through an ethernet bridge towards akernel tap device (tap) Note that for each container-nodecoupling new tap and ethernet bridge should be definedin the hosting kernel The ethernet bridge implements theforwarding of link-level framesThe interface 119905119886119901119877119900119906119905119890119903 [38]is implemented in NS3 and is used to exchange packetsbetween the 119905119886119901 device and the WiFi device which enablesNS3 nodes to communicate over a IEEE 80211- and OLSR-enabled MANET Overall the outgoing packets from eth0in the container are delivered to the WiFi device at thecorresponding node in the simulated network and vice versaSimulation is carried using the aforementioned platform
wherein the hosting device is equipped with 32GB of mem-ory and 2 Intel(R) Xeon(R) (6) Core 240GHz CPUsContainers hold a Fedora 12 operating system We considera MANET (Table 3) constituted of 119873 = 30 nodes split into25 well-behaving nodes and 5 intruders While most of otherIDSs are evaluated against one intruder we show that IDARcan handle several intruders in the same time Intruderslaunch repeatedly the implemented link spoofing attack (asdescribed in Expression 12) In our experiments the numberof successful intrusions varies between 15 and 33 accordingto the parameters of simulation scenario (as described inExpression 12) Nodes communicate via IEEE 80211a andare characterized by a transmission range 119879
119909of 90m They
randomly move following the so-called RandomWalk2d [39]mobility pattern provided by NS3 each node moves accord-ing to a randomly chosen direction at a given speed that isthe same for all the nodes When a node hits the networkboundaries (unless specified the network area is defined bya squared area of 119878 = 310 times 310m2) it rebounds followinga reflexive angle Data traffic is further modeled using theV4PingHelper application in NS3 each node exchanges 56-byte ICMP (httpwwwietforgrfcrfc792txt) echo requeststo one another and waits for 1 s before sending it again Weuse OLSR as the underlying routing protocol preserving theconfiguration parameters promoted in the RFC 3626 (eghello message interval is 2 s)
For each experimental scenario the simulation islaunched 5 times each one lasts for 140 s We compare thelaunched attacks with the detected ones and present theaverage of results We aim at evaluating the performance ofIDAR in terms of
(i) intrusion detection rate that reflects the capacity ofdetecting successful intrusions (a successful intrusioncauses the replacement of a legitimate MPR of thevictim by an intruder)
(ii) false positive rate that measures how many times alegitimate node is wrongly designated as an intruder
12 International Journal of Distributed Sensor Networks
Table 3 Simulation parameters
Simulation platformSimulator NS3 + LXC virtual machinesContainer operating system Fedora 12Hosting device memory 32GBHosting device CPU 2 Intel(R) Xeon(R) (6) Core 240GHz
Simulated MANETNumber of mobile nodes 30Number of intruders 5Topology 310 times 310m2
Transmission range 90mMaximum bandwidth 1MbpsTraffic V4PingHelper 56 bytes Icmp packetsMobility model RandomWalk2dMaximum speed 8ms (or 288 kmh)Simulation time 140 s
tapRouterWiFi devicewith OLSR
LXC
cont
aine
r
Ethernet bridge
Tap
LXC
cont
aine
r
veth
Ethernet bridge
Tap
tapRouterWiFi devicewith OLSR
veth
Nod
e 1
Nod
e 119899
NS3
IDAR1 IDAR119899
eth0 eth0
Figure 3 Experiment platform
(iii) detection overhead which represents the additionalnetwork traffic that is generated because of IDARNote that further benchmarks are also provided interms of memory usage
Based on those performance indicators IDAR is furtherevaluated with regard to the network density (Section 421)and node mobility (Section 422)
421 Network Density In order to evaluate the scalingproperties of IDAR we vary the density of the networkThe density of the network corresponds to the averagenumber of neighbors which is defined as in [40] by (119873 times
120587 times 1198792
119909)119878 We selected an interval of density that ranges
from 6 up to 16 neighbors which includes the intruderthe victim and the remaining neighbors Figure 4(a) showsthat the detection rate keeps higher than 80 regardless ofthe network density This demonstrates the relatively limitedimpact of the network density on IDAR performance More
precisely the intrusion detection rate slightly rises from935up to itsmaximum 963when the density varies from6 up to 8 neighbors the greater is the number of neighborsthe higher is the visibility of the attackThen a slow diminishis observed dense networks (with a density exceeding 8) arecharacterised by a high collision rate that causes a declinein the detection rate Similarly Figure 4(b) highlights thatthe average percentage of false positives is neglectful (under59) The analysis of several cases of false positive leads usto find that a false positive occurs when two nodes own adifferent live-times for the bidirectional link that connectsthese later consequently one of the two nodes still confirmsthe existence of this link while the other one denies it Tooverride this problem the period during which those linksare considered valid should be amplified as in [41] Figure 4(c)presents the average memory usage caused by IDAR Thisusage gently fluctuates between 176MB and 222MB It is alsoworthy of mention that contrary to OLSR our system doesnot assign additional functionality toMPR (detectionmay belaunched by one another) IDAR provides an homogeneousload balancing among the nodes As illustrated in Figure 4(d)the traffic caused by IDAR is very low (under 05 for anetwork density inferior to 8) It then slowly rises to reach13 when the network density is 16 In order to understandthe slight fall when the density reaches 14 we compare theaverage number of suspicious cases with regard to a varyingdensityThis average was 708 (resp 658) with density equalsto 12 (resp 14) Consequently the number of diagnostic-related packets is smaller at a density of 14 than at a densityof 12
422 Mobility In order to isolate the influence of themobility the network density is set to 8 The detection ratefalls when the speed increases (Figure 5(a))This results fromthe ever changing topology that results in increasing thenumber of broken links and the related drops of diagnostic-related packetsHowever IDAR still provides a high detectionrate for example the average of detection rate is 707
International Journal of Distributed Sensor Networks 13
0
20
40
60
80
100
6 8 10 12 14 16
Det
ecte
d in
trus
ions
()
Density
Average detection
(a)
0
10
20
30
40
50
6 8 10 12 14 16
False
pos
itive
()
Density
Average of false positives
(b)
0
10
20
30
40
50
6 8 10 12 14 16
Mem
ory
usag
e (M
B)
Density
(c)
025 05
1
5
20
50 100
6 8 10 12 14 16Density
IDA
R ve
rsus
OLS
R tr
affic (
)
(d)
Figure 4 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network density
with a moving speed equals to 8ms (ie around 287
kilometershour equivalent to 1789mileshour) Figure 5(b)shows that the higher is the moving speed the greater it getsfalse positives mainly because of out of date feedback Infact when a node moves away some of its 1-hop neighborsare no longer neighbors but are still announced as suchand are considered as potential attackers A higher increaseof the false positive rate is observed when the node speedranges from 4ms up to 6ms because the instable nodecovering is given its transmission range which leads to anincreased update of its 1-hop neighbors The memory usage(Figure 5(c)) rises staidly from 176MB to 265MB whichis reasonable even for resource-limited devices The impactof the mobility on the bandwidth is shown in Figure 5(d)The IDAR traffic comparing to the OLSR traffic significantlygrows from 036 up to 31 for a speed ranging from 0msup to 2ms Then the bandwidth usage gradually growsand reaches almost 6 when the moving speed is equalto 8ms This is motivated by the fact that increasing thenumber of verified links leads to exchange more diagnostic-related messages in the network In order to understandthe reason behind such variable growth of IDAR trafficwe counted the number of the verified suspicious neighbor
links We found that the average number of the verified linkssignificantly grows from 452 to 2014 when the velocity risesfrom 0ms to 2ms This average then gradually grows andtakes the values 2408 3314 and 406 when the velocityequals to 4ms 6ms and 8ms respectively The limitednumber of the suspicious neighbor links when the nodesare static is justified by the fact that the attacker has alimited choice to falsify its neighbors links Instead when thevelocity is greater than 2ms there is a continuous changein the neighborhood and the attackers can attack more(diversified) targets Meanwhile the continuously changingtopology implies an increased number of investigations
43 Performance Discussion It is clear that the density of thenetwork holds less influence than the mobility on our IDSMore mobility in MANET causes more dropped diagnosticpackets and hence less diagnostic is concluded with a finalresult that is confirming or refuting the suspiciousnessHowever comparing the launched attacks to the discov-ered suspicious events shows that the majority of attacksare tagged as suspicious events and considered for furtherdiagnostic Note that the mobility has a negative influence
14 International Journal of Distributed Sensor Networks
0
20
40
60
80
100
0 2 4 6 8
Det
ecte
d in
trus
ions
()
Velocity (ms)
Average detection
(a)
0
10
20
30
40
50
0 2 4 6 8
False
pos
itive
()
Velocity (ms)
Average of false positives
(b)
0
10
20
30
40
50
0 2 4 6 8
Mem
ory
usag
e (M
B)
Velocity (ms)
(c)
025 05
1
5
20
50 100
0 2 4 6 8
IDA
R ve
rsus
OLS
R tr
affic (
)
Velocity (ms)
(d)
Figure 5 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network mobility
on all the IDSs especially the cooperative ones where thereis an exchange of evidencesalerts Table 4 provides a shortperformance comparing between IDAR and other knownIDSs that are dedicated to ad hoc routing protocol Likethe majority of these IDSs the performance of our systemis challenged against a specific attack link spoofing attackin a simulated MANET (According to [42] around 75of mobile ad hoc published papers use simulation for testissues) Two evaluation factors are common to almost all thelisted IDSs the detection ratecapacity and the positive falserate Even though it was challenged in a MANET whereinthe intruders constitute 166 (Note that this percent is the3rd highest registered percent) of the nodes IDAR providesone of the highest detection rate Regarding the positivefalse rate we can notice that several IDSs especially thosethat are dedicated to DSR protocol show better results thanour system However this latter still generates a limitednumber of false positives It is also possible to reduce thefalse positives rate by amplifying the TTL (Time To Live)parameter of a bidirectional link so as to reduce the impactof obsolete neighborhood-related information during thedetection Recall that most of the generated false positives inIDAR are generated because of the difference in the time-live
of a bidirectional link between the two ends of this link Insuch case this link will be expired in one end while the otherend will keep confirming its existence It is worthmentioningthat except our system the listed IDSs that aim to detect theattacks targeting OLSR protocol do not present neither thedetection rate nor the false positives rate But they merelyprove the capacity of detecting the addressed attack(s) Inaddition IDAR is one of the rare IDSs that are evaluated interms of resources consumption Indeed we measure boththe increment inmemory usage and traffic overhead resultingfrom detection operations IDAR triggers a small incrementin the devicesrsquomemory usage (between 176MBand 265MB)Therefore it can be tolerated by the resource-limited devicesIt further triggers the lowest traffic overhead compared to thelisted IDSs IDAR presents a good scalability and offers a highdetection rate even in the high density networks where a largeamount of routing traffic should be monitored (Figure 4(a))This scalability is reinforced by (i) the limited traffic overhead(ii) the use of routing logs so as to extract the evidencesinstead of sniffing the traffic (iii) the distributed nature ofdetection such that each node is responsible for detecting theattacks targeting it and (iv) the unnecessity of modifying theused routing protocol
International Journal of Distributed Sensor Networks 15
5 Related Work
Systems that detect intrusion targeting ad hoc routing proto-col are extremely diverse in the way they analyze intrusionThey fall into the three key categories
(i) Anomaly detection system defines the correct behav-ior of the nodenetwork so as to detect deviations tothis behavior This correct behavior is automaticallybuilt during an attackless training phase The detec-tion accuracy depends on the ability to (i) describethe correct behavior and (ii) distinguish betweenanomalous and unexpected behaviors
(ii) Specification-based detection system hand-codes thelegitimate functionoperation and then searches for aviolation to this operation
(iii) Signature-based detection system first describes theway an intruder penetrates the system by defining anintrusion signature Then any behavior that is closeto this predefined signature is flagged as intrusion
Hereafter we detail examples of each of these categoriesAnomaly-based detection constitutes the main approachused to detect attacks The IDS proposed by Zhang et al[7] constitutes a de facto standard in MANET It aims atdetecting the attempts to falsify the routes provided by theAODV [61] DSR [62] and DSDV [63] routing protocolsDuring the training phase the impact of movement on thepercentage of changes in the routing table is analyzed Notethat this movement (ie velocity direction and position)is provided by a Global Positioning System (GPS) Thenduring the operation phase an actual percentage of changesdiffering from the predicted one is defined as anomaly Inpractice the distinguishing between anomalous and normalbehaviors is provided by the Support Vector Machine (SVM)Light [64] classifier or by RIPPER [15] a rule-based engineThe hierarchical IDS proposed in [47] detects blackhole androuting request flooding attacks targeting AODV protocolHere MANET is arranged into clusters whereas the nodewith the highest residual energy and number of connectionsis elected as a cluster-head Each cluster-head monitors thetraffic inside its cluster so as to identify the abnormal valuesof (i) the percentage of changes in the routing table and (ii)the propagation of routingdata packets Such abnormalitiesare identified thanks to (1-SVM) classifier [65] a deviationof SVM that needs to be trained with either normal orabnormal scenario but not both of them In [48] (resp [66])a blackhole (and resp dropping) attack targeting AODVprotocol (resp a secured version of AODV protocol includ-ing authentication and reputation estimation) are detectedby investigating features for example the number of routerequests and route replies as well as the average difference ofsequence numbers (Largely increased sequence numbers areknown as a sign of blackhole attack) Then simple anomalydetection is applied if the distance between the actuallyobserved features and the average ones that are recorded dur-ing the training exceeds a given threshold then an intrusionis detected More sophisticated cross-features analysis (CFA)[67] is applied to detect both blackhole and packet drop-ping on AODV and DSR protocols Features including for
example the reachability between 2 nodes and the numberof delivered packets are analyzed within time windows Thisanalysis attempts to quantify the relation existing betweenone feature 119891
119894and the others 119891
1 119891
119894minus1 119891119894+1 119891
119896(with
119896 + 1 defining the number of features analyzed) During theoperation phase the probability of matching between theobserved feature 1198911015840
119894and the predicted feature 119891
119894 which is
established based on 11989110158401 119891
1015840
119894minus1 1198911015840
119894+1 119891
1015840
119896 is calculated by
a decision tree classifier named C45 [68] An anomaly refersto an average of matching probability fewer than a giventhreshold CFA and C45 are also used in [69] with traffic-related features (eg number of receivedtransferred packets)and OLSR- or AODV-related features (eg MPR updates forthe former and route discovery for the latter) A modifiedMarkov chain-based IDS is proposed in [58] so as to detectroute disruption attack targeting DSR protocol Here thedetection depends on identifying unpredicted value of twofeatures the percentage of changes in the number of routesand the percentage of changes in the number of hops Inpractice a Markov chain is based on the immediate previous119899 consecutive values of a feature as to predict the (119899 + 1)thvalue If the difference between a predicted and an observedvalue exceeds a given threshold an intrusion is concluded
Rather than establishing automatically a correct behaviorspecification-based detection system hand-codes the correctbehavior of the routing protocols based on the protocol spec-ification (IETF draft or RFC) Then the system attempts todetect a violation of constraints circumventing this behaviorFour key constraints define the correct behavior of OLSR([14 70])
(1) Neighbor relationmust be reciprocal (ie 2 neighborsmust hear the hello message sent by each other)
(2) TheMPRs and the nodes that select theMPR (ie theMPR selectors) must be adjacent
(3) A node that finds itself advertised as a MPR selectorin a TCmessage must be adjacent to the originator ofthis message
(4) Nodes receive TC messages without modificationsfromMPR(s)
Each node sniffs the traffic in its radio range so as todiscover the violations of any of the above constraints Theseconstraints are modeled by semantic properties in [70] (resprules in [14]) so as to detect link spoofing attack on TC(and resp hello messages) both experiment an ability todetect a link spoofing by observing a violation of the thirdcondition over a simulated network composed of 11 nodesFinite-state machines are used to describe similar constraintson OLSR [41] and the behavior of AODV protocol [52 71]In [41] a centralized detection of link spoofing man-in-the-middle and deny of service attack is performed While in[52 71] incorrect hop countssequence numbers are analyzedby distributed sensors which sniff and group the packets perrequest-reply flow so as to estimate the forwarding path perflow If a route requestreply is illegallymodified or forwardedvia a nonexpected path then an alarm is triggered In [60]similar FSMs are used to define constraints on both the routediscovery in AODV and the packet forwarding operations
16 International Journal of Distributed Sensor Networks
Table4Com
parin
gID
ARperfo
rmance
with
otherIDSs
IDS
Routing
protocol
Num
bero
fno
des
Intrud
ers
()
Moving
speed
Detectio
nrate
False
positives
rate
Increm
entinmem
ory
usage
Increm
entintraffi
coverhead
IDAR
OlSR
30166
0ndash8m
s707ndash963
0ndash132
176ndash
265MB
478ndash6215KB
(036
ndash597
ofOlSRtraffi
c)
[43]
OlSR
303366
10
mdashmdash
mdashmdash
6ndash12
ofOlSR
traffi
c[41]
OlSR
1010
0ms
Detectio
nispo
ssible
mdashmdash
mdash[44]
OlSR
7143
0ms
Detectio
nispo
ssible
mdashmdash
mdash[45]
OlSR
520
0ms
Detectio
nispo
ssible
mdashmdash
mdash[14
]OlSR
119
0ms
Detectio
nispo
ssible
mdashmdash
mdash[46]
AODV
3033
0ndash5m
s3067ndash90
0ndash20
mdashmdash
[47]
AODV
502
0ndash20
ms
90
5
mdashmdash
[48]
AODV
3033
1ndash20
ms
70ndash82
12ndash18
mdashmdash
[49]
AODV
2050
10
1ndash10ms
964ndash9
87
079ndash093
mdash900k
B
[50]
AODV
5238
0ndash20
ms
(Fixed
IDSs)
100
0ndash0
6
mdashmdash
[51]
AODV
521
20238
0ndash10ms
50ndash100
0ndash30
mdashmdash
[52]
AODV
30mdash
0ndash20
ms
70ndash100
05
ndash15
mdashmdash
[53]
AODV
50Ra
ndom
0ndash20
ms
79plusmn10ndash92plusmn3
5plusmn1ndash32plusmn8
mdashmdash
[54]
AODV
102050
mdash0ndash
10ms
0ndash100
0ndash≫100
02ndash06
mdash[55]
AODV
20ndash200
mdash0ndash
20ms
30ndash9
50ndash16
mdashmdash
[56]
AODV
50mdash
1ndash20
ms
998ndash100
083ndash846
mdashmdash
[7]
AODV
mdashmdash
mdash8848plusmn414ndash971plusmn032
145plusmn072ndash202plusmn627
mdashmdash
DSD
Vmdash
mdashmdash
8523plusmn328ndash9061plusmn299
537plusmn310ndash263plusmn549
mdashmdash
DSR
mdashmdash
mdash852plusmn238ndash991plusmn037
003plusmn004ndash153plusmn408
mdashmdash
[57]
DSR
5040
0ndash20
ms
mdashmdash
mdash11ndash313
of
data
traffi
c[58]
DSR
3033
3ndash5m
s60ndash100
25
ndash50
mdashmdash
[59]
DSR
30mdash
mdash75
12
mdashmdash
[60]
DSR
502
0ndash20
ms
837ndash9
74
13ndash72
mdashmdash
International Journal of Distributed Sensor Networks 17
A signature-based system distinguishes itself by model-ing the misbehavior (rather than the correct behavior) soas to identify if a sequence of observed events matchingan intrusion signature AODVSTAT [54] uses state-basedsignatures in order to detect dropping and spoofing attacksalong with network flooding Few sensors sniff the traffic andmatch it against predefined signatures They also exchangeperiodically MAC and IP addresses so as to detect an identityspoofing which is characterized by a node emitting a packetidentified by MAC and IP addresses differing from thoseregistered for this node A dropping attack refers to a nodethat fails to replay route requestreply Finally a node sendinga number of packets exceeding a given threshold is identifiedas willing to exhaust resources In [45] intrusion signaturesare specified in opposition to the legitimate behavior of OLSRdepicted in conjunction with specification rules similar tothose defined in [70] In particular a node 119873 mistrusts twoneighbors 119871 and 119872 that conform to the following rules119872 advertises 119871 as a neighbor while 119871 does not advertise119872 as a neighbor (or reciprocally) both 119871 and 119872 send TCmessages while 119871rsquos neighbors are a subset of 119872rsquos neighbors(or reciprocally) In addition 119873 mistrusts 119872 if 119873 which isnot a neighbor of 119872 finds itself as a MPR selector in a TCof 119873 (constraint 3) In [44] a FSM is employed to modelthe signature of hello message fabrication in OLSR protocolin an agent-based IDS In practice each node uses a SimpleNetworkManagement Protocol (SNMP) agent so as to collectaudit data from the Management Information Base (MIB)After that events are extracted from the collected audit dataand are matched to the attack signatureThe addressed attackaims at breaking the link between a victim node and itsneighbors and thus a DoS takes place To that end theattacker impersonates the identity of the victim and sends afake hello message advertising one of the victim symmetricneighbors with lost link status Upon receiving the fabricatedmessage the neighbor changes the status of its link withthe victim to ldquoheardrdquo and stops routing packets through thevictim
51 Synthesis and Discussion A great majority of the litera-ture is focused on anomaly detectionwhile scarce effort inves-tigates specification- and signature-based intrusion Thisnaturally calls for consolidating the effort on specification-and signature-based detection while following the habitus ofwired network which consists in coupling these detectionsystems with one another for example in [72] wherein acombination of anomaly- and signature-based detection isrealized so as to increase the detection rate Almost all ofthe IDS focuses only on the detection accuracy that isproviding a high detection rate along with limited falsealarms However they do not consider the criticality ofmaintaining the resources and henceforth extending thelifetime of the nodenetwork Our IDS takes into account thenecessity of reducing to minimum both the communicationand computation overload related to intrusion identificationThe absolute majority of the IDSs is simulated (including thesystem we are proposing) rather than being either developedor experimented on testbeds or relying on empirical data
The reason that explains this situation is twofold Firstthe deployment of critical MANET is limitednot adver-tised Second to the best of our knowledge experiences ofintrusion in MANETs are not reported intrusions are infact developedsimulated as proofs of concept Neverthelessnot only routing protocols but also the characterization ofthe intrusion together leverage on the experience gained indesigning routing protocols for wired networks and deal-ing with related misbehaviors In particular the similarityexisting between the OSPF and OLSR protocols implies thatmany threats (eg sequence numbers identity spoofing) areshared In other words intrusion may be inspired from theone targeting wired networks Meanwhile the developmentof intrusion detection and the envisioning of attacks areaccelerated
6 Conclusion
We survey and classify the attacks that target ad hoc routingprotocols focusing on theOLSRprotocol In order to facilitatethe definition of intrusion signatures we extend a descriptionmodelmdashan attack is expressed as the preconditions andthe resulting consequencesmdashand enrich it with temporalannotations Once hand-coded these signatures are utilizedby IDAR a log-based distributed intrusion detection systemdedicated to operate in mobile ad hoc networks IDARdistinguishes itself by analyzing the logs generated by arouting protocol and extracts intrusion evidences so as tocompare these latter against predefined intrusion signaturesFor this purpose evidences are categorized into four groupsaccording to their degree of suspiciongravity and hence totheir ability to activatedeactivate the diagnostic We furtherdevelop a link spoofing attack on the OLSR protocol buildthe related detection rules and evaluate the performancesof IDAR relying on the NS3 simulator coupled with LXCvirtual machines Overall the experiments figure out ahigh rate of intrusion detection and low false positivesrate even under increased mobility and density Meanwhileresource consumption and network overhead result from thediagnostic are low and adapted to the resource-constraineddevices Note that ongoing effort is provided as to evaluateIDAR in a real MANET consisting of resource-constraineddevices Still detecting intrusion is not a trivial task due tothe large number of evidences to tackle and the resource-consuming diagnostic A compromise between detectionaccuracy and resource consumption could be found For thispurpose we are working on a new statistical mechanism forgathering the evidences This mechanism aims at enhancingthe scalability of our system by restricting the interrogationto a limited subset of nodes during the diagnostic Moreoveruntil now we assume that honest parties are passive theyalarm others but do not react We are considering thecoupling with countermeasures (eg blacklisting) and theexploring of lightweight binary consensus and trust estab-lishment among the nodes that participate in the intrusiondetection
18 International Journal of Distributed Sensor Networks
References
[1] Z Zhao H Hu G Ahn and R Wu ldquoRisk-aware mitigation formanet routing attacksrdquo IEEE Transactions on Dependable andSecure Computing vol 9 no 2 pp 250ndash260 2012
[2] B Sun L Osborne Y Xiao and S Guizani ldquoIntrusion detectiontechniques in mobile ad hoc and wireless sensor networksrdquoIEEE Wireless Communications vol 14 no 5 pp 56ndash63 2007
[3] S Sesay Z Yang and J He ldquoA survey onmobile ad hoc wirelessnetworkrdquo Information Technology Journal vol 3 no 2 pp 168ndash175 2004
[4] P Brutch and C Ko ldquoChallenges in intrusion detection forwireless ad-hoc networksrdquo in Proceedings of the Symposium onApplications and the Internet Workshops (SAINT rsquo03) pp 368ndash373 2003
[5] S Khan N Alrajeh and K Loo ldquoSecure route selection inwireless mesh networksrdquo Computer Networks vol 56 no 2 pp491ndash503 2012
[6] S Corson and J Macker ldquoMobile ad hoc networking (manet)routing protocol performance issues and evaluation considera-tionsrdquo IETF RFC2501 1999
[7] Y Zhang W Lee and Y Huang ldquoIntrusion detection tech-niques for mobile wireless networksrdquoWireless Networks vol 9no 5 pp 545ndash556 2003
[8] B C Cheng and R Y Tseng ldquoA context adaptive intrusiondetection system for MANETrdquo Computer Communications vol34 no 3 pp 310ndash318 2011
[9] T Eissa S A Razak and M D A Ngadi ldquoTowards providinga new lightweight authentication and encryption scheme forMANETrdquoWireless Networks vol 17 no 4 pp 833ndash842 2011
[10] A Irshad W Noshairwan M Shafiq S Khurram E Irshadand M Usman ldquoSecurity enhancement for authentication ofnodes in MANET by checking the CRL status of serversrdquoCommunications in Computer and Information Science vol 78pp 86ndash95 2010
[11] D E Denning ldquoAn intrusion-detection modelrdquo IEEE Transac-tions on Software Engineering vol 13 no 2 pp 222ndash232 1987
[12] T Clausen and P Jacquet ldquoOptimized link state routing proto-col (OLSR)rdquo IETF Experimental RFC 3626 2003
[13] P Albers O Camp J Percher et al ldquoSecurity in ad hoc networksa general intrusion detection architecture enhancing trust basedapproachesrdquo 2002
[14] F Cuppens N Cuppens-Boulahia S Nuon and T RamardldquoProperty based intrusion detection to secure OLSRrdquo in Pro-ceedings of the 3rd International Conference on Wireless andMobile Communications (ICWMC rsquo07) Guadeloupe FranceMarch 2007
[15] W Cohen ldquoFast effective rule inductionrdquo in Proceedings of theInternational Conference onMachine Learning (ICML rsquo95) 1995
[16] S Sarafijanovic and J-Y le Boudec ldquoAn artificial immunesystem for misbehavior detection in mobile ad-hoc networkswith virtual thymus clustering danger signal and memorydetectorsrdquo in Proceedings of the 3rd International Conference onArtificial Immune Systems (ICARIS rsquo04) 2004
[17] S Sen and J Clark Intrusion Detection in Mobile Ad HocNetworks in Guide to Wireless Ad Hoc Networks SpringerLondon UK 2009
[18] D Subhadrabandhu S Sarkar and F Anjum ldquoA Framework formisuse detection in ad hoc networksmdashpart IIrdquo IEEE Journal onSelected Areas in Communications vol 24 no 2 pp 290ndash3032006
[19] L M Feeney and M Nilsson ldquoInvestigating the energyconsumption of a wireless network interface in an ad hocnetworking environmentrdquo in Proceedings of the 20th AnnualJoint Conference of the IEEE Computer and CommunicationsSocieties pp 1548ndash1557 April 2001
[20] A P Lauf R A Peters and W H Robinson ldquoA distributedintrusion detection system for resource-constrained devices inad-hoc networksrdquo Ad Hoc Networks vol 8 no 3 pp 253ndash2662010
[21] N A Alrajeh S Khan J Lloret and J Loo ldquoSecure routingprotocol using cross-layer design and energy harvesting inwireless sensor networksrdquo International Journal of DistributedSensor Networks vol 2013 Article ID 374796 11 pages 2013
[22] S Sen J Clark and J Tapiador Security Threats in MobileAd Hoc Networks I S of Self-Organizing Networks AuerbachPublications 2010
[23] P Ning and K Sun ldquoHow to misuse AODV a case study ofinsider attacks againstmobile ad-hoc routing protocolsrdquoAdHocNetworks vol 3 no 6 pp 795ndash819 2005
[24] T Clausen C Dearlove P Jacquet and U Herberg ldquoTheoptimized link state routing protocol version 2rdquo IETF ActiveInternet-Draft Draft-Ietf-Manet-Olsrv2-15 2012
[25] U Herberg and T Clausen ldquoSecurity issues in the optimizedlink state routing protocol version 2 (olsrv2)rdquo InternationalJournal of Network Security amp Its Applications vol 2 no 2 2010
[26] YOwada TMaenoH Imai andKMase ldquoOLSRv2 implemen-tation and performance evaluation with link layer feedbackrdquo inProceedings of the International Wireless Communications andMobile Computing Conference (IWCMC rsquo07) pp 67ndash72 Newyork NY USA August 2007
[27] F Hong L Hong and C Fu ldquoSecure OLSRrdquo in Proceedingsof the 19th International Conference on Advanced InformationNetworking and Applications (AINA rsquo05) pp 713ndash718 March2005
[28] LNAMHegland P Spilling andQKure ldquoHybrid protectionof olsrrdquo in Electronic Notes in Theoretical Computer Science2006
[29] P Kunwar S Sofat and D Bansal ldquoComparison of secure olsrrouting protocolrdquo International Journal of Engineering Sciencevol 3 no 6 p 5049 2011
[30] A Adnane C Bidan and R T de Sousa Junior ldquoTrust-basedcountermeasures for securing OLSR protocolrdquo in Proceedingsof the 7th IEEEIFIP International Conference on Embedded andUbiquitous Computing (EUC rsquo09) pp 745ndash752 August 2009
[31] B Wu J Chen J Chen J Wu and M Cardei ldquoA survey ofattacks and countermeasures in mobile ad hoc networksrdquo inWireless Network Security Springer New York NY USA 2007
[32] C Adjih D Raffo and P Muhlethaler ldquoAttacks against OLSRdistributed key management for securityrdquo in Proceedings of theOLSR Interop Workshop 2005
[33] G CerveraM Barbeau J Garcia-Alfaro and E Kranakis ldquoMit-igation of topology control traffic attacks in OLSR networksrdquoin Proceedings of the 5th International Conference on Risks andSecurity of Internet and Systems (CRiSIS rsquo10) October 2010
[34] P M Jawandhiya M M Ghonge M S Ali et al ldquoA surveyof mobile ad hoc network attacksrdquo International Journal ofEngineering Science and Technology vol 2 no 9 pp 4063ndash40712010
[35] L M Feeney ldquoAn energy consumption model for performanceanalysis of routing protocols for mobile ad hoc networksrdquoMobile Networks and Applications vol 6 no 3 pp 239ndash2492001
International Journal of Distributed Sensor Networks 19
[36] G Riley and T Henderson ldquoThe ns-3 network simulatorrdquo inModeling and Tools for Network Simulation Springer BerlinGermany 2010
[37] S Bhattiprolu E Biederman S Hallyn et al ldquoVirtual serversand checkpointrestart inmainstream linuxrdquo SIGOPSOperatingSystems Review vol 42 no 5 pp 104ndash113 2008
[38] J Zhang J Xing and Z Qin ldquoTaprouter an emulatingframework to run real applications on simulated mobile adhoc networkrdquo in Proceedings of the 44th Annual SimulationSymposium (ANSS rsquo11) pp 39ndash46 2011
[39] D Broyles A Jabbar and J P G Sterbenz ldquoDesign andanalysis of a 3-d gauss-markov mobility model for highly-dynamic airborne networksrdquo in Proceedings of the InternationalTelemetering Conference (ITC rsquo10) San Diego CA USA 2010
[40] J Haerri F Filali and C Bonnet ldquoPerformance comparisonof AODV and OLSR in vanets urban environments underrealistic mobility patternsrdquo in Proceedings of the IFIP Med-Hoc-Net Workshop 2006
[41] C H Tseng T Song P Balasubramanyam C Ko and K LevittldquoA specification-based intrusion detection model for OLSRrdquoRecent Advances in Intrusion Detection vol 3858 pp 330ndash3502006
[42] S Kurkowski T Camp and M Colagrosso ldquoManet simulationstudies the incrediblesrdquo SIGMOBILE Mobile Computing andCommunications Review vol 9 no 4 pp 50ndash561 2005
[43] A Abdalla I Saroit A Kotb et al ldquoMisbehavior nodesdetection and isolation for MANETs OLSR protocolrdquo ProcediaComputer Science vol 3 pp 115ndash121 2011
[44] R Puttini J Percher L Me et al ldquoA modular architecture fordistributed ids in manetrdquo in Proceedings of the InternationalConference on Computational Science and Its Applications III2003
[45] A Adnane R T de Sousa L Me and C Bidan ldquoAutonomictrust reasoning enables misbehavior detection in OLSRrdquo inProceedings of the 23rd Annual ACM Symposium on AppliedComputing (SAC rsquo08) pp 2006ndash2013 March 2008
[46] W Wang H Man and Y Liu ldquoA framework for intrusiondetection systems by social network analysis methods in ad hocnetworksrdquo Security and Communication Networks vol 2 no 6pp 669ndash685 2009
[47] H Deng R Xu J Li F Zhang R Levy and W Lee ldquoAgent-based cooperative anomaly detection for wireless ad hoc net-worksrdquo in Proceedings of the 12th International Conference onParallel and Distributed Systems (ICPADS rsquo06) pp 613ndash620 July2006
[48] S KurosawaHNakayamaN Kato et al ldquoDetecting blackholesattack on AODV-based mobile ad hoc networks by dynamiclearningmethodrdquo International Journal of Network Security vol5 no 3 pp 338ndash346 2007
[49] WWang HWang BWang et al ldquoEnergy-aware and selfadap-tive anomaly detection scheme based on network tomographyin mobile ad hoc networksrdquo Information Sciences vol 220 pp580ndash602 2013
[50] M-Y Su ldquoPrevention of selective black hole attacks on mobilead hoc networks through intrusion detection systemsrdquo Com-puter Communications vol 34 no 1 pp 107ndash117 2011
[51] N Marchang and R Datta ldquoCollaborative techniques for intru-sion detection in mobile ad-hoc networksrdquo Ad Hoc Networksvol 6 no 4 pp 508ndash523 2008
[52] B V R N Yadav B Satyanarayana and O B V RamanaiahldquoAn efficient intrusion detection system for mobile ad hoc net-worksrdquo in Emerging Trends in Computing Informatics Systems
Sciences and Engineering vol 151 Springer New York NYUSA 2013
[53] Y Huang and W Lee ldquoAttack analysis and detection for ad hocrouting protocolsrdquo in Recent Advances in Intrusion Detectionvol 3224 Springer Berlin Germany 2004
[54] G Vigna S Gwalani K Srinivasan E M Belding-Royer andR A Kemmerer ldquoAn intrusion detection tool for AODV-basedad hoc wireless networksrdquo in Proceedings of the 20th AnnualComputer SecurityApplications Conference (ACSAC rsquo04) pp 16ndash27 December 2004
[55] M Ayachi C Bidan and N Prigent ldquoA trust-based ids for theaodv protocolrdquo in Information and Communications Securityvol 6476 pp 430ndash444 2010
[56] S Sen and J A Clark ldquoA grammatical evolution approach tointrusion detection on mobile ad hoc networksrdquo in Proceedingsof the 2nd ACMConference onWireless Network Security (WiSecrsquo09) pp 95ndash102 March 2009
[57] S Marti T J Giuli K Lai and M Baker ldquoMitigating routingmisbehavior in mobile ad hoc networksrdquo in Proceedings of the6th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo00) pp 255ndash265 August 2000
[58] B Sun K Wu and U Pooch ldquoRouting anomaly detection inmobile ad hoc networksrdquo in Proceedings of The 12th Interna-tional Conference on Computer Communications and Networks(ICCCN rsquo03) 2003
[59] S Bose S Bharathimurugan and A Kannan ldquoMulti-layerintegrated anomaly intrusion detection system for mobileadhoc networksrdquo in Proceedings of the International Conferenceon Signal Processing Communications and Networking (ICSCNrsquo07) pp 360ndash365 February 2007
[60] P Yi Y Zhong and S Zhang ldquoA novel intrusion detectionmethod for mobile ad hoc networksrdquo in Advances in GridComputing vol 3470 pp 1183ndash1192 Springer Berlin Germany2005
[61] C Perkins E Belding-Royer and S Das ldquoAd hoc on-demanddistance vector (AODV) routingrdquo IETF Experimental RFC3561 2003
[62] D Johnson and D Maltz ldquoDynamic source routing in ad hocwireless networksrdquo in Mobile Computing pp 153ndash181 KluwerAcademic 1996
[63] C Perkins and P Bhagwat ldquoHighly dynamic destinationse-quenced distance-vector routing (dsdv) for mobile computersrdquoin Proceedings of the Conference on Communications Architec-tures Protocols and Applications (SIGCOMM rsquo94) vol 24 pp234ndash244 1994
[64] T JoachimsMaking Large-Scale Support VectorMachine Learn-ing Practical MIT Press Cambridge Mass USA 1999
[65] Y Yajima and T Kuo ldquoEfficient formulations for 1-svm and theirapplication to recommendation tasksrdquo Journal of Computersvol 1 no 3 pp 27ndash34 2006
[66] L Bononi and C Tacconi ldquoIntrusion detection for secureclustering and routing inMobileMulti-hopWirelessNetworksrdquoInternational Journal of Information Security vol 6 no 6 pp379ndash392 2007
[67] Y Huang W Fan W Lee et al ldquoCross-feature analysis fordetecting ad-hoc routing anomaliesrdquo in Proceedings of the 23rdInternational Conference on Distributed Computing Systems(ICDCS rsquo03) pp 478ndash487 May 2003
[68] J Quinlan C4 5 Programs for Machine Learning MorganKaufmann Boston Mass USA 1993
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
2 International Journal of Distributed Sensor Networks
Comment (RFC for short)) as in for example [14] orautomatically builtanalyzed using machine learning or datamining techniques for example [15] The difficulty involvedin automatically modeling the behavior of such dynamicnetwork leads to a large number of false positives thatmay be reduced by coupling automatic and specification-based anomaly detection [16] Moreover the used techniquesare mostly characterized by their intensive calculation andhenceforth the extensive consumption of resources [2] Analternative consists in describing the way an intruder pene-trates the system (by establishing intrusion signature) so asto detect any behavior that is close to this previously definedsignature Little attention has been centered on signature-enabled detection (also called misuse detection) in MANET[17] although it guarantees a high rate of detection alongwitha limited number of false alarms [18]
We propose IDAR a log- signature-based IntrusionDetector dedicated to ad hoc routing protocols IDAR doesnot necessitate sniffinginspecting the traffic as it is the casewith themajority of other IDSsThus it avoids the permanentstrain of energy bandwidth [19] and computational power[20] that accompanies traffic sniffing and analyzing Oursystem rather takes advantage of the audit logs that aregenerated by the routing protocol so as to detect evidencesof intrusion attempts In practice a sequence of events areextracted from logs so as to be matched against a set ofpredefined intrusion signaturesmdasha signature is thought of asa pattern of events that characterizes an intrusion
Main challenges stem from the need to keep to a mini-mum the number of diagnostics and the computational loadrelated to the intrusion identification while minimizing thetraffic generated when gleaning intrusion evidences Thiscalls for developing a lightweight and distributed intrusiondetection system that scopes with the cooperative natureof ad hoc networks and the device resource constraintsTowards this goal IDAR is designed to be a distributedand cooperative detection system which parses logs asclose as possible from the device that generates them so asto diminish the number of long-distant communicationsFurthermore we propose to categorize the intrusion evi-dences according to their level of gravitysuspicion Suchcategorization enables us to carefully plane the diagnostican in-depth diagnostic is initiated only when a sufficientdegree of suspicion exists and terminated as soon as a resultis obtained Thus we guarantee keeping to a minimum thenumberthe duration of diagnostics The performance ofIDAR is evaluated in a simulated MANET that is coupledwith virtual machines Such coupling permits us measuringboth the detection accuracy and the amount of consumedresources
The reminder of this paper is organized as follows Wefirst survey attacks on ad hoc network breaking downthe successive steps that characterize conquering attacks(Section 2) Grounded upon the defined intrusion signatureswe present a distributed log- and signature-based intrusiondetection system (Section 3) and evaluate its performance(Section 4) Then we conclude this paper with a sum-mary of our results along with directions for future works(Section 6)
2 Vulnerabilities
Physical data link and network layers are all subject tovulnerabilities Whereas in the physical and data link layersvulnerabilities are common to IEEE 80211 wireless networksvulnerabilities in network layer are specific to ad hoc net-worksMore specifically Zeroconf and routing protocols con-stitute the main target of attacks [13] The reason is threefoldFirst no security countermeasure is specified or implementedas a part of the drafts or RFCs (request for comments) pro-posed through the Internet Engineering Task Force MANET(httpwwwietforgdynwgchartermanet-charterhtml) orZeroconf (httpwwwzeroconforg) working groups Sec-ond the absence of a centralized infrastructure complicatesthe deployment of preventive measures for example fire-walls or keyauthentication infrastructuresThird any devicemay operate as router which facilitates the manipulationof multihops messages as well as the compromising of therouting functionality Attacks on those protocols fall into twomain categories passive versus active [21] With the formeran intruder intercepts the traffic in order to reveal usefulinformation (eg the roles played by the nodes and theirlocations) whereas with the latter an unauthorized actionis attempted [22] Active attacks are further sub-classifiedaccording to their unauthorized actions as follows [23]
(i) Drop attack consists in dropping routing message(s)(ii) Modify and forward attack modifies received routing
message(s) before forwarding it(iii) Active forge attack proactively generates deceptive
routing message(s)
Although the above attacks threaten both routing and Zero-conf protocols we hereafter concentrate on routing protocoland illustrate our presentation by exemplifying attacks on aproactive protocol called OLSR
21 Background on the OLSR Protocol OLSR aims to main-tain a constantly updated view of the network topology oneach device One fundamental is the notion of multipointrelay (MPR) each device selects a subset of the 1-hopneighbors called MPRs that is responsible for forwardingthe control traffic in the entire network The basic idea is toselect theminimumnumber ofMPRs that cover the two-hopsneighbors so as to reduce the number of nodes retransmittingcontrol messages and hence keep to a minimum the band-width overload Note that a redundant MPR may be selectedas to increase the reachability but this leads to increase theoverhead In practice a node119873 selects the MPRs among the1-hop neighbors that are announced (in addition link layerinformation provided by eg the IEEE 80211 protocol maybe used by a node to update its own routing tables) in periodicheartbeat messages termed hello messages Then a TopologyControl message (TC for short) intended to be diffused inthe entire network (the message Time To Live field (TTL forshort) can be used so as to limit message diffusion) is createdby the selected MPR(s) In TC message a MPR declares thenodes (including119873) that selected itself to act asMPRThanksto TC messages any device computes the shortest path (in
International Journal of Distributed Sensor Networks 3
term of the number of hops) to any destination such pathbeing represented as a sequence of MPRs In addition to theabove last versions of the protocol specification support anode holding several network interfaces which are declared(if many) in a so-calledMID (Multiple Interface Declaration)message This message is broadcasted on a regular basis byMPRs so that one another maps multiple interfaces of a givennode with the main address of this latter hence permittinga unique identification The aforementioned functionalitiescompose the core of OLSR Additional extensions have beendevised in compliance with the above-summarized OLSRspecification Examples include (i) dealing with the nodesthat commit (or not) to carry the traffic for others and(ii) supporting interconnection of an OLSRMANET withanother routing domain for example OSPF-enabled routingdomain With the former node advertises (in hello message)its willingness to carryforward traffic With the latter OLSRis extended to import (and resp export) the routes providedby other routing protocols (resp OLSR) For this purposeany gateway with associated host(s) andor network(s) gen-erates periodically a HNA message including those host(s)andor network(s) (ie the related network address and thenetmask) this message is further disseminated by MPRsSuch an auxiliary function is enabled by providing a basiclayout of any OLSR packet and by ignoring unknown(and hence not handled) packets Overall these core andauxiliary functionalities are together subject to a variety ofattacks
Recently a new version of OLSR (so-called OLSRv2)is specified in an Internet-draft [24] OLSRv2 distinguishesitself from its predecessor by considering the link metricrather than hop count for selecting the shortest path Itis supposed that OLSRv2 would have more modular andflexible architecture that facilitates add-ons extensions forfor example security QoS and multicast [25] It will alsopossess a simplified packet format and reduced-sizemessagesdue to address compression [26] However both OLSR andOLSRv2 retain the same basic algorithms and mechanisms
It is worth mentioning that several enhanced versionsof OLSR have been proposed Some of them tackle thesecurity issue and use signature hash chain or encryptionschemes in order to provide the security to OLSR [27 28]In general these versions aim to ensure (i) the integrity ofthe routing information that is preventing the unauthorizedmodifications of the routing messages by the intermediatenodes on the path from the source to the destination and (ii)the node-to-node authentication in order to prevent identityspoofing However they do not address for example thecase where the source node is itself compromised and henceit generates incorrect routing messages Thus they are stillincapable of preventing some types of attack [29] Thereforethere is always a need to employ a detection mechanism soas to handle the attacks that would success penetrating theprevention techniques
22 Attacks Targeting the OLSR Protocol The attacks threat-ening OLSR are hereafter detailed and classified accordingto the model introduced in [30] This model provides the
Table 1 Notations
Communication119884119872119905
997888997888rarr 119883 At 119905 119884 sends a message119872 that is received by119883119884119872119905
997888997888rarr At 119905 119884 sends a message119872119884119872119905
999424999426999456 119884 does not send a message119872 at 119905119872119905
997888997888rarr 119883 119883 receives a message119872 at 119905119872119905
999424999426999456 119883 119883 does not receive a message119872 at 119905Parameters
119905998810119905 Period of timeI Set of malicious nodes119873119878119883
Set of 1-hop neighbors of119883sq Sequence numberhc Hop count119908119883
Willingness of119883 to forward packets on behalf of othersMPR119909
MPRs of119883SelMPR119909 MPR selectors set of119883
MessagesHello Hello messageTC Topology Control messageMID Multiple Interface DeclarationHNA Host and Network AssociationCM Control MessageRM Received Control messageFM Control message intended to be forwarded
level of expressiveness necessary to specify the relation-ship between the actions and their related consequencesWe further enrich this model with temporal annotations(Table 1) As a consequence complex attacks their constitut-ing actions and consequences are temporally and successfullydepicted and categorized as drop attack (Section 221) activeforge attack (Section 222) and modify and forward attack(Section 223)
221 Drop Attack In practice a drop attack consists of anintruder that drops a control message instead of relaying itThis dropping has an impact only if the dropped control mes-sage is intended to be forwarded as illustration a suppressingof a hello message that is broadcasted over one hop hasno consequence Thus with OLSR threatened messages arerestricted to themessages that are created andor broadcastedby a MPR so as to be rediffused by other MPRs thatis Topology Control (TC) Multiple Interface Declaration(MID) and Host and Network Association (HNA)messagesMore particularly let us consider a host 119878 that sends a controlmessage which is intended to be forwarded This messagewhich is originated at 119905 (119878
FM119905
997888997888997888rarr119868) is received by 119868 that dropsit In practice 119868 drops a control message if 119868 does not forwardthis message during a period |1199051015840 minus 119905| less than the maximumallowed (any control message is characterized by an emissioninterval as well as a holding time in the routing tables Thesetwo related values participate in setting a validity time that
4 International Journal of Distributed Sensor Networks
should be herein considered in conjunction with the messagetype) period119905
119878FM119905
997888997888997888rarr 119868 119868
FM1199051015840
999424999426999456 100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816gt 119905
dArr
119868 isin I
(1)
Such a dropping is naturally applied on any packet thatis empty expired duplicated or out of order In additionrestrictive forwarding is provided meaning that in practice(only) the 1-hop neighbor(s) of 119878 that have been selectedby 119878 to act as MPR(s) forward 119878rsquos messages Apart fromthe aforementioned conditions that lead to a convenientdropping the remaining reason motivating a dropping isthreefold An intruder (or a compromised node) a selfishor a malfunctioning node disturbs the routing calculation bydropping a control message that should be forwarded Theattempt to drop any packet is termed black hole A selectivedropping (named gray hole) is detected by taking intoaccount additional fine-grained or discriminative criteriaincluding the choice of specific final1-hop-away destinationor source percentagerate of packets received or forwardedand message type Rather than dropping the traffic anoppositemisbehavior consists in introducing falsified routinginformation
222 Active Forge Attack An active forge attack comes froma node that introduces novel deceptive routing messagesAmong others the broadcast storm stems from forgingcontrol messages so as to exhaust resources (eg energy) andsaturate the communication medium For this purpose anintruder 119868 forges a large number of control messages CMwithin a short period of time 998810119905 (see Expression 2) Thisattack may be local (eg targeting a 1-hop neighborhood) orglobal (eg relying on the multihops broadcasted messages)It may also be conducted in a distributedmanner with severalcolluding nodes so as to simultaneously emit (a large numberof) control messages Note that in order to prevent a broad-cast storm resulting from the involuntary synchronization ofsome emitting nodes a delaying of the control messages isrecommended in the RFC a jitter (typically a random value)is subtracted from the interval at which control messages aregenerated (and also forwarded)
119868CM119905
997888997888997888rarr 119868CM1015840119905
997888997888997888rarr100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 998810119905
dArr
119868 isin I
(2)
A special type of broadcast storm is routing table overflowattack that threatens especially the proactive routing pro-tocols (eg OLSR) as they periodically update the routinginformation [31] Herein one or several colluding intrudersprevent the well-behaving nodes from discovering new exist-ing routes by dumping the networkwith route advertisements
to nonexisting nodes In general broadcast storm constitutesa kind of denial of service that is characterized by a high vis-ibility Therefore it is typically combined to masqueradingmdashalthough less intrusive attacks may also be preferred Inpractice masquerading lies in sending a control message CM
including a switched identification (119868CM(119868)
119905
997888997888997888997888997888rarr 119868CM(119878)
119905
997888997888997888997888997888rarr)Note that this case is distinguished from a node that holdsseveral interfaces and that advertises those later in a dedicatedMID message Apart from masquerading a denial of serviceidentity spoofing may be intended to create conflictingroute(s) and potentially routing loop(s) In this latter casespoofing the identity of a node 119878 belonging to the networkis necessary As pointed out in [32] the spoofing attack mayalso be coupled with a modification of the willingness field soas to impact the MPR selection (Expression 3) In practiceif 119868 emits a hello message including an originator address
already assigned to another node 119878 (119868hello(119878)997888997888997888997888997888997888rarr 119863) then
119868 modifies the local topology as seen by its 1- and 2-hopsneighbors In addition if 119868 modifies the willingness field1199081015840
119878of 119878 (with 1199081015840
119878= 119908119878) then the selection of 119878 as MPR is
impacted recall that MPRs are selected among the nodeswith highest willingness and in case of multiple choicesthe node which provides a reachability to the maximumnumber of nodes is primarily selected For instance a nodewhose willingness attribute set to 119908119894119897119897 119899119890V119890119903 = 0 (resp119908119894119897119897 119886119897119908119886119910119904 = 7) is never (resp always) selected as MPRthat is 1199081015840
119878= 119908119894119897119897 119899119890V119890119903 rArr 119878 notin MPR
119863(versus 1199081015840
119878=
119908119894119897119897 119886119897119908119886119910119904 rArr 119878 isin MPR119863)
119878
hello(119878119908119878)119905997888997888997888997888997888997888997888997888997888rarr 119863 119868
hello(1198781199081015840119878)1199051015840
997888997888997888997888997888997888997888997888997888rarr 119863
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905 119908
119878= 1199081015840
119878
dArr
119868 isin I
119878 is spoofed
1199081015840
119878= 119908119894119897119897 119899119890V119890119903 997904rArr 119878 notin MPR
119863
1199081015840
119878= 119908119894119897119897 119886119897119908119886119910119904 997904rArr 119878 isin MPR
119863
(3)
Active forge attacks are not restricted to identity spoofing(possibly coupled with a tampering of the willingness field)They also cover the tampering of control messages includingincorrect adjacent links (hello messages) topology informa-tion (TC messages) and network interfaces (MID and HNAmessages) In the following we detail each of those In thefirst case (Expression 4) 119868 forges a hello message whichdeclares a list of 1-hop and symmetric neighbors1198731198781015840
119868differing
from the real set 119873119878119868 A symmetric 1-hop neighbor or simply
symmetric neighbor corresponds to an adjacent node withwhich communication is bidirectional In practice it means
International Journal of Distributed Sensor Networks 5
that the hello message exchanged by two nodes is heard byboth of these later
119868
hello(1198731198781015840119868)119905997888997888997888997888997888997888997888997888997888rarr 119878119873119878
1015840
119868=119873119878119868
dArr
119868 isin I
(4)
Whenever forging the set of neighbors 1198731198781015840119868 the attacker has
three options
(1) Declaring a nonexisting node as a symmetric neigh-bor implies that 119868 (or another misbehaving node)is further selected as MPR (Expression 5) Indeedif 119868 advertises a non-existing node 119873 (119873 notin Nwith N defining the set of nodes composing theOLSR network (according to the OLSRRFC [12]messages can be flooded into the entire network (withamaximumnetwork diameter defined by themessageTime To Live field TTL for short) or flooding canbe limited to nodes within a diameter (defined interms of number of hops) from the originator ofthe message For the sake of clarity let N representthe network in both cases)) 119868 ensures that no other(well-behaving)MPR claims being a 1-hop symmetricneighbor of119873 Recall that the set of MPRs is selectedso that all the 2-hops and symmetric neighbors arecovered 119868 is hence selected as MPR
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119873 isin 1198731198781015840
119868ni 119873 notinN cap 119873119878
119868
dArr
119868 isin I
exist1198681015840isin I cap 119873119878
119878ni 1198681015840isin MPR
119878
Card (1198731198781015840119868 (119873119878
1015840
119868capN)) gt 0
(5)
This assertion is verified as long as no other misbe-having neighbor of 119878 is claiming the same Overallinserting at least one non-existing neighbor (exist119873 isin
1198731198781015840
119868ni 119873 notinN cap119873119878
119868) guarantees that a misbehaving
node 1198681015840 (with 1198681015840 isin I) is selected to act as MPR of119878 (exist1198681015840 isin I cap 119873119878
119878ni 1198681015840isin MPR
119878) In addition
to the above the connectivity of 119868 is also artificiallyincreased (Card(1198731198781015840
119868 (119873119878
1015840
119868capN)) gt 0)
(2) Declaring that an existing node is a symmetric 1-hopneighbor whereas that node is far away (ie is not aneighbor) or is a neighbor but that is not symmetric(exist119883 isin 119873119878
1015840
119868capN ni 119883 notin 119873119878
119868) This claiming increases
artificially the connectivity of 119868 that is Card((1198731198781015840119868
119873119878119868) capN) gt 0
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119883 isin 1198731198781015840
119868capN ni 119883 notin 119873119878
119868
dArr
119868 isin I
Card ((1198731198781015840119868 119873119878119868) capN) gt 0
∄119860 isinN I ni 119860 isin 119873119878119878and 119883 isin 119873119878
119860
dArr
exist1198681015840isin I ni 119868
1015840isin MPR
119878
(6)
If no (well-behaving) MPR covers 119878 (∄119860 isin N I ni
119860 isin 119873119878119878and 119883 isin 119873119878
119860) then at least one misbehaving
node (eg 119868) is selected as MPR of 119878 (exist1198681015840 isin I ni
1198681015840isin MPR
119878) Such insertion typically characterizes an
attempt to create a black hole 119868 introduces a novelpath toward119872 that whenever selected provisions theblack hole
(3) Omitting an existing 1-hop neighbor and symmetricnode 119875 (exist119875 isin 119873119878
119868ni 119875 notin 119873119878
1015840
119868) decreases artificially
the connectivity of both 119875 and 119868 (119873119878119868
sube 1198731198781015840
119868)
Note that if 119875 has no other connectivity than the oneobtained through amisbehaving node119875 gets isolated
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119875 isin 119873119878119868ni 119875 notin 119873119878
1015840
119868
dArr
119868 isin I
exist1198681015840isin I cap 119873119878
119878 119873119878119868sube 1198731198781015840
119868
(7)
Overall falsifying the neighboring adjacency by inserting(existing or nonexisting) neighbor(s) andor omitting realneighbors potentially perverts the local topology seen by 119878(andmore generally by one another) and impacts the selectedMPR(s) by 119878 Nevertheless note that in order to be selectedas MPR of 119878 (or to prevent its selection) there is no needfor 119868 to falsify the neighboring adjacency Recall that ina hello message a field termed willingness designates thenodersquos willingness to carry traffic on behalf of others 119868 henceprevents (resp ensures) its selection as MPR by simplysetting its willingness field to the value 119908119894119897119897 119899119890V119890119903 (resp119908119894119897119897 119886119897119908119886119910119904) On the whole the MPR selection is impactedby either falsifying the topological information included inhello message or by making use of the willingness attributeAnother (perhaps more straightforward) alternative refersto a slander node 119868 declaring (resp not declaring) itself asMPR although it has not (resp has) been selected as MPR
6 International Journal of Distributed Sensor Networks
[33] For this purpose (Expression 8) 119868 forges a TopologyControl (TC) message including an incorrect set of 1-hopsymmetric neighbors that have selected 119868 as MPR (so-calledMPR selector set) Depending on the level of redundancyrequired a MPR advertises
(1) the MPR selector(s) SelMPR119868
of 119868(2) the MPR selector(s) along with the MPR of 119868
SelMPR119868
cupMPR119868
(3) the 1-hop neighbors 119873119878119868of 119868 (hence including the
MPR selectors and the MPR of 119868)
LetA119868represent the set advertised in the TC messageA
119868=
SelMPR119868
or (SelMPR119868
cupMPR119868) or 119873119878
119868 This attack consists in 119868
advertising an incorrect setA1015840119868differing from the real oneA
119868
119868
TC(A1015840119868)119905997888997888997888997888997888997888rarr 119878A
1015840
119868=A119868
dArr
119868 isin I
(8)
In particular possible falsifications lie in either 119868 insertinga non-existing node or inserting an existing node but non-MPR selector or omitting a node belonging to A
119868 Upon
the reception of a falsified TC message routing table iscorrupted This corruption contaminates the OLSR networkand also any interconnected routing domain Indeed anode well-behaving or not acting as a gateway exports thewrong OLSR routes Symmetrically an intruder may alsoimport incorrect routes to the OLSR domain This latterattack termed sinkhole involves an intruder 119868 defining itselfas a gateway that provides an access to associated host(s)andor network(s) This gateway generates periodically aHNA message including those host(s) andor network(s)(ie the related address(es) and netmask(s)) This attackconstitutes a generalization of the previously defined forgingof corrupted TC messages a node advertises either non-existing or existing but unreachable nodes or omits advertis-ing reachable nodesThe similarity with the TC active forginglead us not detailing it hereafter
The aforementioned forge attacks (eg link or routespoofing attacks sinkhole) necessitate to tamper specificmessage fields while keeping this message syntactically cor-rect More generally bogus control messages can be forgedhence creating an implementation-dependent effect Gener-ally speaking similar tampering may be performed by anintruder that has acted as MPR prior forwarding a falsifiedcontrol message
223 Modify and Forward Attacks Modify and forwardattacks are characterized by an intermediate which capturesthe victimrsquos control message and replays modifies or dropsthis message before forwarding it In the following we depictthe two former cases ignoring the message dropping that hasbeen already described Replaying a control message includesdelaying the emission of this message by recording andforwarding it later (potentially in another area) or repeatingthis message As a consequence routing tables are updated
based on obsolete information Note that each messagecontains a field indicating the period of time during whichthis message is considered as valid and hence it is used toupdate the routing table Both attacks can be systematic (ietargeting anymultihops control traffic) or selectiveTheymayalso be performed in a distributed manner (Expression 9)with two intruders one recording the control message fromone region so as to replay it in another region (ie the oneof the colluding intruder) Without loss of generality let 119868
1
(resp 1198682) be the node that records it (resp replays it)
119878CM(119878)
119905
997888997888997888997888997888rarr 1198681 1198681
CM(119878)997888997888997888997888997888rarr
enc1198682 1198682
CM(119878)1199051015840
997888997888997888997888997888997888rarr 119884
119878 notin 119873119878119884 998810119905 le
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
dArr
119878 isin 119873119878119884
dArr
1198681 1198682isin I
(9)
In practice 1198681tunnels the control traffic by for example
encrypting the routing message andor relying on an alter-native network interface (that may be advertised or not)Then 119868
2replays it This attack leads to the creation of a
wormhole whose length depends on the distance separatingthe two intruders Note that in order to stay invisible both1198681and 1198682may keep the identification field unchanged the
source is 119878 rather than 1198681or 1198682 This possibility corresponds
to a masquerading Sequence numbers constitute a standardmechanism that provides protection against replay attacksgiven that the sequence delivery is not required by OLSRIn counterpart their usage can be hijacked so that thedestination drops the message rather than using it In prac-tice an intruder 119868 increases (a wraparound mechanism isimplemented when the sequence number reaches an extremeboundary it is reset to zero) (resp decreases) the value
of the sequence number sq (119878CM(119878)
119905sq997888997888997888997888997888997888997888rarr 119868 119868
CM(119878)1199051015840sq1015840
997888997888997888997888997888997888997888997888rarr
sq1015840 = sq) so that the destination assumes that 119878 is providingthe freshest (resp an obsolete) route and therefore ignoresthe subsequent (resp the actual) control message(s)
119878
CM(119878)119905sq
997888997888997888997888997888997888997888rarr 119868 119868
CM(119878)1199051015840sq1015840
997888997888997888997888997888997888997888997888rarr sq1015840 = sq 100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
dArr
119868 isin I
(10)
An intruder 119868 may also corrupt the routing table by mali-ciouslymodifying a received controlmessage before forward-ing it This modification consists in tampering either thecontents of themessage or the identification of its sourceTheformer case is similar to the forge attack described abovewherein the intruder tampers the MPR selector set in TCmessage theOLSR routes inHNAmessage or the interface(s)identification in MID message While in the latter case anintruder 119868 forwards the packet containing the control mes-sage without changing the source address [34] Consequently
International Journal of Distributed Sensor Networks 7
two nodes consider themselves as 1-hop neighbors whereasthey are not in the communication range of each otherAn intruder may also disrespect the flooding mechanism inOLSR This happens when the intruder retransmits a controlmessage that is received from a non-MPR selector node [32]
119868 notin MPR119878 119878
CM119905
997888997888997888rarr 119868 119868
CM1199051015840
997888997888997888997888rarr100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
dArr
119868 isin I
(11)
Overall attacks targeting OLSR protocol are classifiedinto 3 types
(i) drop attack that consists in totally or selectivelydropping the controlmessages for example droppingTC message in order to foil route calculation
(ii) active forge attack that attempts to poison OLSRrsquosfunctionalities by introducing novel deceptive controlmessage for example a hello message including anincorrect neighbor set so as to foil MPR selection
(iii) modify and forward attack lies in an intruder thatcaptures and modifies a control message before for-warding it (eg increasing the sequence number of aTC message hence the subsequent TC messages areignored)
An intruder launches the attack either in a standalonemanner or in collusion with other intruder(s) constitutingwhat so-called a Byzantine attack (eg wormhole) togetherusually coupled with masquerading Detecting these attacksis far to be a trivial task because a minor deviation on anattack makes it undetectable In addition an attack can becomposed of several subattacks In order to tackle theseissues we describemodel the attack as general as possiblehence circumventing possible deviationsWe then propose anintrusion detection system that detects composed attacks asmuch as their parties
3 Intrusion Detection
We propose a distributed log- and signature-based intrusiondetection system named IDAR In addition to providing ahigh detection accuracy IDAR aims tomaintain the availableresources in MANET For this purpose the evidences ofattack are extracted from the log and further classifiedaccording to their level of gravity Such classification helpsin planning the diagnostic and henceforth minimizing thecomputation overhead related to attack identificationDuringthe diagnostic evidences arematched to predefined intrusionsignatures The establishment of an intrusion signature andfurther the diagnostic operation are exemplified with the linkspoofing attack we purposely developed
31 Resource-Aware Evidence Gathering IDAR distinguishesitself from other IDSs by extracting the signs of attack fromthe logs instead of sniffing the traffic Thus the consumptionof energy and computational power resulting from evidence
minus600
minus400
minus200
0
200
400
600
800
0 200 400 600 800 1000Size (bytes)
Promiscuous overhearing sender and receiverPromiscuous overhearing senderPromiscuous overhearing receiverNonpromiscuous overhearing sender and receiverNonpromiscuous overhearing senderNonpromiscuous overhearing receiver
Ener
gy (u
Wlowast
s)Figure 1 Energy consumption in promiscuous and nonpromiscu-ous modes
gathering and analyzing is minimized In fact sniffing trafficnecessitates that the wireless network interface stays in modepromiscuous at all time thus the node can overhear all thepackets within its transmission range But promiscuousmodeleads to consuming more energy and hence reducing rapidlythe lifetime of the nodenetwork Indeed a nondestinationnode in the radio range of either the sender or the receiveroverhears some or all of their traffic For the IEEE 80211MAC protocol a nondestination node in discarding (ienonpromiscuous) mode can enter into a reduced energyconsumption mode and discard othersrsquo traffic [35] Suchmode requires less energy than the idle mode which is thedefault mode in ad hoc network While a nondestinationnode operating in promiscuous mode listens to all the trafficwhether or not it is the intended destination The traffic isfurther received as if it was a broadcast traffic thus additionalenergy consumption is associated with promiscuous modeoperation Figure 1 represents a part of the experimentalmeasurements realized in [19] about the energy consumptionof an IEEE 80211 2Mbps wireless card It shows the signifi-cant difference in energy consumption between promiscuousand nonpromiscuous modes Note that the consumption inthe nonpromiscuous mode is negative because it requiresless energy than the reference idle mode Besides increasingthe amount of consumed energy sniffing traffic imposes ahuge computational overhead [20] Indeed the packet-levelanalysis which is applied on the sniffed packets strainssignificantly the available resources that ismemory andCPUprocessing Moreover since all the traffic in the radio rangeis sniffed many of the analyzed packets would be redundantand add nothing to the detection In order to avoid thispermanent strain of resources IDAR does not sniff the trafficbut it rather collects periodically the local logs In particularit focuses on the portion of logs that characterizes the
8 International Journal of Distributed Sensor Networks
activities of the routing protocol (eg packet reception MPRselection) Note that additional logs for example system-security-related logs could be integrated and correlatedOnce parsed a log is used so as to detect a sign of suspiciousactivityThis consists inmatching the log against a predefinedintrusion signature An intrusion signature is thought as apartially ordered sequence of events that characterizes anintrusion Such procedure is potentially not only memorybut also bandwidth consumer Indeed it involves examininglocal logs as well as performing an in-depth diagnostic whereother nodes are requested so as to collect additional attackevidences correlate and match them against the definedintrusion signatures The in-depth diagnostic offers a globalview about the suspicious nodes and therefore it increasesthe accuracy of the detection But it is a costly operation interms of resources Thus the in-depth diagnostic must becarefully planned that is should be initiated only when asufficient degree of suspicion exists and terminated as soon asa result is obtained For this purpose we propose to classifyattack evidences so that depending on their level of gravitythe in-depth diagnostic may be performed According to ourclassification an evidence falls into one of the following fourgroups
(i) Initial-evidence group contains the evidences that leadto launch an in-depth diagnostic over the network
(ii) Suspicious-evidence group contains the evidences thatlead to identify a node as suspicious
(iii) Confirmed-evidence group contains the evidences thatconfirm the occurrence of an attack This results interminating the diagnostic and declaring the suspi-cious node as intruder
(iv) Cancel-evidence group contains the evidences thateliminate the suspicion and stop the diagnostic
These groups are populated with the evidences that areextracted from the log If an evidence belonging to the initial-evidence group is discovered then an in-depth diagnosticis launched so as to confirm (ie discovering an evidencebelonging to confirmed-evidence group) or infirm (ie dis-covering an evidence belonging to the cancel-evidence group)the intrusion both lead to the termination of the diagnosticRelying on these groups the evolution of any attack and itsrelated detection is easily followed In addition its compactform facilitates the lightweight discovering of long-termintrusions
32 Link Spoofing Attack A link spoofing attack lies infalsifying hello message(s) so as to modify the local topologyperceived by adjacent nodes This attack influences the MPRselection In particular this attack owns a global impactthe MPR position provides to the intruder the possibility toeavesdrop tamper misrelay or drop the traffic As discussedin Section 2 (and further detailed in Expression 4) anintruder realizes a link spoofing attack through one of thefollowing three cases
(1) It advertises a non-existing and symmetric nodeThus the intruder guarantees (unless another attacker
advertises the same non-existing node) being selectedas a MPR because this non-existing node is uniquelycovered by the intruder
(2) It advertises existing but nonneighboring node(s)The intruder is selected as a MPR if the advertisednode(s) is (are) not already covered by another (well-behaving or malicious) MPR
(3) It keeps under wraps neighboring and symmetricnode(s) In this case the connectivity of the intruderand consequently its chance of being selected asa MPR are both decreased Used in a standalonemanner this attack aims to decrease the connectivityof one or several nodes a complete isolation necessi-tates that no other (well-behaving) MPR covers thatnode(s)
We develop an attack (Expression 12) wherein an intruderfalsifies a hello message that contains both a non-existingnode (Case 1) and existing but non-neighboring nodes (Case2) The reason that motivates this choice is twofold First byadvertising a nonexisting node 119873 119868 ensures being selectedas a MPR by the victim 119878 (exist119873 isin 119873119878
1015840
119868ni 119873 notin N cap 119873119878
119868)
Note that with the last versions of the RFC a node (iepotentially an intruder) may dictate its selection as a MPRby advertising (in a hello message) its high willingness torelay messages Nevertheless previous versions (and theirrelated implementations) ignore this case Regardless of theversion of the protocol our intruder (as aforementionedpreviously) guarantees being selected as MPR by advertisinga nonexisting and symmetric node Second by announcingcommon neighbors with another node 119871 (Case 2) 119868 increasesthe probability that 119871 is not selected as a MPR (119868 replacing119871) and henceforth increases its proper ascendancy Note thatthe attack we developed does not consider the third casethat involves the reduction of the intruderrsquos connectivityNevertheless attack signature deals with it
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119873 isin 1198731198781015840
119868ni 119873 notinN cap 119873119878
119868
exist119871 isin MPR119878ni [119873119878
119871 119873119878119868] sube [119873119878
1015840
119868 119873119878119868]
dArr
119868 isin I 119871 notin MPR119878
exist1198681015840isin I ni 119868
1015840isin MPR
119878
Card (1198731198781015840119868 (119873119878
1015840
119868capN)) gt 0
Card ((1198731198781015840119868 119873119878119868) capN) gt 0
(12)
Herein a key challenge stems from the need to generate ahand-coded intrusion signature that models such attack andhenceforth permits to detect it
33 Signature Establishment As mentioned before a linkspoofing attack aims to inflect the MPR selection such
International Journal of Distributed Sensor Networks 9
Table 2 Evidence characterizing a link spoofing attack
Initial-evidence group1198641 AMPR is replaced by a 1-hop neighbor or by an already selected MPR1198642 AMPR behaves maliciously for example it tampers misrelays or drops the control messages
Suspicious-evidence group1198643 AMPR is the only node that provides connectivity to one (or more) 2-hops neighbor(s)
Confirmed-evidence group1198644 AMPR advertises a partial set of 1-hop neighbors1198645 AMPR advertises nonneighboring node(s) as 1-hop neighbors(s)
Cancel-evidence group1198646 AMPR is defined as an intruderwell-behaving node
selection is triggered upon a change in the symmetric 1- and2-hops neighborhood Rather than launching an in-depthdiagnostic upon every change in the 1- or 2-hops symmet-ric neighborhood we keep to a minimum the number ofthese diagnostics and henceforth the amount of consumedcomputational power and bandwidth by initiating it onlyat the occurrence of an event related to a link spoofingattack More precisely we ignore the changes in the 1-hopneighborhood (eg apparition of 1-hop neighbor) becausethey are observed by the node itself Thus they are notsubject to the remote falsification which is the cornerstoneof a link spoofing attack In contrary changes in the 2-hopsneighborhood are considered as long as they impact theMPRselection In practice the evidences that reveal a link spoofingattack (Table 2) are broken down into
(i) a MPR replacement (Evidence 1 or 1198641 for short)that results from a change in the covering of the 1-hop neighbors one (or several) 1-hop neighbor(s)(possibly the replacing MPR) increase(s) its (their)coverage to the detriment of the replaced MPR AreplacementMPR is a 1-hop neighbor that is excludedfrom the MPRs set even though it provides the sameconnectivity in both the previous and current MPRselection rounds
(ii) No MPR replacement takes place but an alreadyselected MPR is detected as misbehaving node Forinstance a misbehaving MPR may drop falsify ormisrelay the control messages (1198642) Note that anevidence of a special interest herein refers to a nodepromoting itself as a MPR without having beenselected as a MPR Amisbehaving MPR includes alsothe case wherein a MPR continually advertises thesame 2-hops neighbors set despite being no morevalid Contrary to other cases this one is not eventdriven and should be handled based on random orperiodical checks
(iii) aMPR is the only one that covers one or several nodes(1198643)
(iv) a MPR covers partially its adjacent neighbor(s) (1198644)
(v) a MPR provides connectivity to a nonneighboringnode (1198645)
The occurrence of either 1198641 or 1198642 constitutes the startingpoint of an in-depth diagnostic 1198641 and 1198642 belong to theinitial-evidence group The act of being the only MPR thatprovides the connectivity to node(s) (1198643) is suspicious butis not sufficient to launch an in-depth diagnostic becausethis situation is typical in a sparse network Furthermoretwo nodes within the covering range of each other oftenfail in communicating due to the unpredictable nature ofwireless transmission resulting from for example obstaclesand noises Thus diagnosing 1198643 is especially difficult underno specific assumption Overall the occurrence of 1198641 or 1198642and optionally1198643 leads to an in-depth diagnostic (Expression13) In practice the 1-hop neighbor(s) of the suspicious MPRare interrogated Note that part of the interrogated nodesmayexpress a different opinion that results from malicious nodeor an obsolete routing information This calls for taking intoaccount their respective reputation (as we plan in our nearfuture work)
(1198641 or 1198642)
dArr dArr
(1198644 or 1198645) optional (1198643) (1198644 and 1198645)
dArr dArr
The suspicious MPRis an intruder
The suspicious MPRis well-behaving
(13)
If the obtained answers confirm (resp infirm) that thesuspicious MPR covers partially its neighbors (1198644) andoradvertises a distant node as 1-hop neighbor (1198645) then theMPR is declared as an intruder (resp well-behaving) andthe diagnostic is terminated (1198646) Obviously the cooperationbetween the nodes constitutes a cornerstone in our in-depthdiagnostic
34 Cooperative Diagnostic The in-depth diagnostic of a linkspoofing attack consists in verifying the existence of a sym-metric and neighboring relationship between a suspiciousMPR and its advertised 1-hop neighbors (Algorithm 1) Moreprecisely this diagnostic follows the following steps Firstthe MPRs that have been replaced by other MPR or 1-hopneighbor are identified (lines 1-2) because such replacementrepresents the initial evidence of a link spoofing attack (1198641in Table 2) For this purpose the function GetReplaced-Mpris called (Line 1) It establishes the MPRs that have been
10 International Journal of Distributed Sensor Networks
(1) OldMprs = GetReplaced-Mpr()(2) SuspiciousMprs = GetReplacing-Mpr()(3) for (suspicious isin SuspiciousMprs) do(4) InterrogatedNodes = GetCommon2HopsNeighors
(suspicious OldMprs)(5) for (2HopsNeighbor isin InterrogatedNodes) do(6) if (LinkExistence (2HopsNeighbor suspicious) ==
false) then(7) Generate-Alarm (suspicious)(8) end if(9) end for(10) Cancel-Suspicious (suspicious)(11) end for
Algorithm 1 In-depth diagnostic
replaced by comparing the currentMPRs and the penultimateMPRs Then the MPRs sharing 1-hop neighbor(s) with areplaced MPR are identified (function GetReplacing-MPRline 2) Those identified MPRs are tagged as suspicious andare subject to further analysis (lines 3ndash11) the objective is toverify whether some spoofed links have been advertised soas to replace the MPR It follows that the 1-hop neighborsthat are common to a replaced MPR and a suspicious oneare determined (GetCommon2HopsNeighors function line 4)Note that these 1-hop neighbors also correspond to the 2-hops neighbors of the node launching the diagnostic Theyare interrogated (LinkExistence function) so as to verify theexistence of links The interrogation of a 2-hops neighbordenoted by 119860119894 consists in sending a request to 119860119894 asking ifthis latter considers the suspicious MPR as a 1-hop neighborat a specific time 119905 Whenever possible this request is sentwithout going through both the suspicious MPR 119868 or anycolluding intruder 1198681015840 This eluding is necessary in order toprevent 119868 and 1198681015840 from dropping the request andor forging adeceptive answerTherefore the 1-hop neighbor(s) (primarilythe MPR(s)) that covers the interrogated 2-hops neighbors isprovided with the request Note that the suspecting node 119878 isaware of is provided with the connectivity between the nodesthat form its two-hops neighbors Thus 119878may select the one(if existing) that covers 119860119894 If no answer is obtained (iethe related time-out elapses) then the request is sequentiallytransferred through the rest of the covering 1-hop neighbors(keeping in mind that as aforementioned MPRs are pri-marily selected) However when no neighbor is left then an(multihops) alternative path is researched in the routing tableto reach 119860119894 Note that the verification related to a suspiciousMPR is performed within an independent thread hencethe diagnostic of one node (and the result waiting) is not ablocking to others If 119860119894 denies being a 1-hop neighbor of thesuspicious MPR then a countermeasure is triggered Moreprecisely an alarm that establishes the detected attacker(s)is broadcasted (Generate-Alarm function line 7) Otherwiseif no deny takes place the suspicious MPR is no longersuspected (Cancel-Suspicious function line 10) In both casesthe diagnostic terminates Note that if no answer is provided(the inconsistent answers lead also to a claim in the degree
of suspicion However this case is not included in this paperbut it is handled in our other works) then the suspiciousMPR is tagged as not verified and the degree of suspicionin this latter goes up It is worth mentioning that the currentimplementation of IDAR considers the link spoofing attackHowever considering other attacks is not complicated andrequires only specifying the evidences to be searched in thelogs and the information to be exchanged between the nodesduring the in-depth diagnostic
4 Architecture and Performance Evaluation
In this section we introduce the key architectural compo-nents of IDAR (Section 41) Then we present the evaluationof IDAR performance (Section 42) and further discuss theobtained result (Section 43)
41 IDAR Architecture In order to cope with the dynamicnature ofMANET IDAR is both distributed and cooperativeThe proposed architecture (Figure 2) requires that everydevice participates in the detection (The delegation of somedetection operations (eg logs analyzing) may be sharedamong devices But it will not be necessarily less expensive interms of resources consumption)More precisely each devicecontains an instance of IDAR which independently detectsthe signs of suspicion and cooperates with other instancesso as to conduct the diagnostic in a broader range IDAR isimplemented in Perl (httpwwwperlorg) and conceptuallystructured into 4 components
(i) Coordinator that orchestrates all the components Assuch it constitutes the hearth of IDAR In prac-tice it parses dynamically the OLSR logs so as toextract signs of suspicion and match these latteragainst predefined intrusion signaturesThe intrusionsignatures are represented as conditional rules (ifcondition then state) Furthermore it triggers thecommunication and the alarm notification in orderto launch advanced diagnostic
(ii) Communication manager that gathers informationabout for example the adjacent links as requiredby the diagnostic manager Meanwhile it answersthe diagnostic requests This component runs into aseparated thread so that other IDAR operations arenot blocked
(iii) Knowledge database includes the information thatis extirpated from the logs and is provided by thecommunication manager This database is realized inMysql (httpwwwmysqlcom) Stored informationencompasses for example the 1-hop and 2-hopsneighbors and the MPRs
(iv) Alarm notifier is responsible for alarming the networkwhen an intrusion is detected Note that we areplanning to include more countermeasures in thefuture for example eliminating the routes containingan intruder
International Journal of Distributed Sensor Networks 11
SignatureKnowledge
database
Coordinator
Communicationmanager Alarm notifier
Update
Feedback
Diagnostic requestDiagnostic answer
IDAR instance
Routing log
IDAR instanceDiagnostic requestanswer
Routing log
Feed back
Figure 2 IDAR architecture
All the above components have been developed so as tosupport intrusion detection offering a high rate of detectionalong with conserving the resources
42 Performance Evaluation In order to evaluate the perfor-mance of IDAR a mobile ad hoc network has been simulatedusing the network simulator NS3 (httpwwwnsnamorg)[36] Each node in the simulated network is furthercoupled with a Linux Container (LXC) virtual machine(httplxcsourceforgenet) [37] The reason that motivatesthis coupling is twofold First NS3 offers the possibilityto simulate a large-scale mobile ad hoc network SecondLXC an operating-system-level virtualization tool permitsto run multiple isolated machines (also called containers)on a single modified hosting kernel (up to 1024 contain-ers over a single hosting kernel) Each container owns itsproper resources (eg process tree network interface andIP address) Thus the resource consumption (eg memoryusage) can be isolated and measured In practice an instanceof IDAR is installed on each container that appears asa standaloneseparated machine Figure 3 exemplifies thecoupling between nodes in NS3 and LXC containers Fromthe IDAR perspective (as well as from any applicationinstalled on the container) the emission and reception ofpackets is done through the network interface (eth0) Whilethe container contains a simulated ethernet card (V119890119905ℎ)which is connected through an ethernet bridge towards akernel tap device (tap) Note that for each container-nodecoupling new tap and ethernet bridge should be definedin the hosting kernel The ethernet bridge implements theforwarding of link-level framesThe interface 119905119886119901119877119900119906119905119890119903 [38]is implemented in NS3 and is used to exchange packetsbetween the 119905119886119901 device and the WiFi device which enablesNS3 nodes to communicate over a IEEE 80211- and OLSR-enabled MANET Overall the outgoing packets from eth0in the container are delivered to the WiFi device at thecorresponding node in the simulated network and vice versaSimulation is carried using the aforementioned platform
wherein the hosting device is equipped with 32GB of mem-ory and 2 Intel(R) Xeon(R) (6) Core 240GHz CPUsContainers hold a Fedora 12 operating system We considera MANET (Table 3) constituted of 119873 = 30 nodes split into25 well-behaving nodes and 5 intruders While most of otherIDSs are evaluated against one intruder we show that IDARcan handle several intruders in the same time Intruderslaunch repeatedly the implemented link spoofing attack (asdescribed in Expression 12) In our experiments the numberof successful intrusions varies between 15 and 33 accordingto the parameters of simulation scenario (as described inExpression 12) Nodes communicate via IEEE 80211a andare characterized by a transmission range 119879
119909of 90m They
randomly move following the so-called RandomWalk2d [39]mobility pattern provided by NS3 each node moves accord-ing to a randomly chosen direction at a given speed that isthe same for all the nodes When a node hits the networkboundaries (unless specified the network area is defined bya squared area of 119878 = 310 times 310m2) it rebounds followinga reflexive angle Data traffic is further modeled using theV4PingHelper application in NS3 each node exchanges 56-byte ICMP (httpwwwietforgrfcrfc792txt) echo requeststo one another and waits for 1 s before sending it again Weuse OLSR as the underlying routing protocol preserving theconfiguration parameters promoted in the RFC 3626 (eghello message interval is 2 s)
For each experimental scenario the simulation islaunched 5 times each one lasts for 140 s We compare thelaunched attacks with the detected ones and present theaverage of results We aim at evaluating the performance ofIDAR in terms of
(i) intrusion detection rate that reflects the capacity ofdetecting successful intrusions (a successful intrusioncauses the replacement of a legitimate MPR of thevictim by an intruder)
(ii) false positive rate that measures how many times alegitimate node is wrongly designated as an intruder
12 International Journal of Distributed Sensor Networks
Table 3 Simulation parameters
Simulation platformSimulator NS3 + LXC virtual machinesContainer operating system Fedora 12Hosting device memory 32GBHosting device CPU 2 Intel(R) Xeon(R) (6) Core 240GHz
Simulated MANETNumber of mobile nodes 30Number of intruders 5Topology 310 times 310m2
Transmission range 90mMaximum bandwidth 1MbpsTraffic V4PingHelper 56 bytes Icmp packetsMobility model RandomWalk2dMaximum speed 8ms (or 288 kmh)Simulation time 140 s
tapRouterWiFi devicewith OLSR
LXC
cont
aine
r
Ethernet bridge
Tap
LXC
cont
aine
r
veth
Ethernet bridge
Tap
tapRouterWiFi devicewith OLSR
veth
Nod
e 1
Nod
e 119899
NS3
IDAR1 IDAR119899
eth0 eth0
Figure 3 Experiment platform
(iii) detection overhead which represents the additionalnetwork traffic that is generated because of IDARNote that further benchmarks are also provided interms of memory usage
Based on those performance indicators IDAR is furtherevaluated with regard to the network density (Section 421)and node mobility (Section 422)
421 Network Density In order to evaluate the scalingproperties of IDAR we vary the density of the networkThe density of the network corresponds to the averagenumber of neighbors which is defined as in [40] by (119873 times
120587 times 1198792
119909)119878 We selected an interval of density that ranges
from 6 up to 16 neighbors which includes the intruderthe victim and the remaining neighbors Figure 4(a) showsthat the detection rate keeps higher than 80 regardless ofthe network density This demonstrates the relatively limitedimpact of the network density on IDAR performance More
precisely the intrusion detection rate slightly rises from935up to itsmaximum 963when the density varies from6 up to 8 neighbors the greater is the number of neighborsthe higher is the visibility of the attackThen a slow diminishis observed dense networks (with a density exceeding 8) arecharacterised by a high collision rate that causes a declinein the detection rate Similarly Figure 4(b) highlights thatthe average percentage of false positives is neglectful (under59) The analysis of several cases of false positive leads usto find that a false positive occurs when two nodes own adifferent live-times for the bidirectional link that connectsthese later consequently one of the two nodes still confirmsthe existence of this link while the other one denies it Tooverride this problem the period during which those linksare considered valid should be amplified as in [41] Figure 4(c)presents the average memory usage caused by IDAR Thisusage gently fluctuates between 176MB and 222MB It is alsoworthy of mention that contrary to OLSR our system doesnot assign additional functionality toMPR (detectionmay belaunched by one another) IDAR provides an homogeneousload balancing among the nodes As illustrated in Figure 4(d)the traffic caused by IDAR is very low (under 05 for anetwork density inferior to 8) It then slowly rises to reach13 when the network density is 16 In order to understandthe slight fall when the density reaches 14 we compare theaverage number of suspicious cases with regard to a varyingdensityThis average was 708 (resp 658) with density equalsto 12 (resp 14) Consequently the number of diagnostic-related packets is smaller at a density of 14 than at a densityof 12
422 Mobility In order to isolate the influence of themobility the network density is set to 8 The detection ratefalls when the speed increases (Figure 5(a))This results fromthe ever changing topology that results in increasing thenumber of broken links and the related drops of diagnostic-related packetsHowever IDAR still provides a high detectionrate for example the average of detection rate is 707
International Journal of Distributed Sensor Networks 13
0
20
40
60
80
100
6 8 10 12 14 16
Det
ecte
d in
trus
ions
()
Density
Average detection
(a)
0
10
20
30
40
50
6 8 10 12 14 16
False
pos
itive
()
Density
Average of false positives
(b)
0
10
20
30
40
50
6 8 10 12 14 16
Mem
ory
usag
e (M
B)
Density
(c)
025 05
1
5
20
50 100
6 8 10 12 14 16Density
IDA
R ve
rsus
OLS
R tr
affic (
)
(d)
Figure 4 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network density
with a moving speed equals to 8ms (ie around 287
kilometershour equivalent to 1789mileshour) Figure 5(b)shows that the higher is the moving speed the greater it getsfalse positives mainly because of out of date feedback Infact when a node moves away some of its 1-hop neighborsare no longer neighbors but are still announced as suchand are considered as potential attackers A higher increaseof the false positive rate is observed when the node speedranges from 4ms up to 6ms because the instable nodecovering is given its transmission range which leads to anincreased update of its 1-hop neighbors The memory usage(Figure 5(c)) rises staidly from 176MB to 265MB whichis reasonable even for resource-limited devices The impactof the mobility on the bandwidth is shown in Figure 5(d)The IDAR traffic comparing to the OLSR traffic significantlygrows from 036 up to 31 for a speed ranging from 0msup to 2ms Then the bandwidth usage gradually growsand reaches almost 6 when the moving speed is equalto 8ms This is motivated by the fact that increasing thenumber of verified links leads to exchange more diagnostic-related messages in the network In order to understandthe reason behind such variable growth of IDAR trafficwe counted the number of the verified suspicious neighbor
links We found that the average number of the verified linkssignificantly grows from 452 to 2014 when the velocity risesfrom 0ms to 2ms This average then gradually grows andtakes the values 2408 3314 and 406 when the velocityequals to 4ms 6ms and 8ms respectively The limitednumber of the suspicious neighbor links when the nodesare static is justified by the fact that the attacker has alimited choice to falsify its neighbors links Instead when thevelocity is greater than 2ms there is a continuous changein the neighborhood and the attackers can attack more(diversified) targets Meanwhile the continuously changingtopology implies an increased number of investigations
43 Performance Discussion It is clear that the density of thenetwork holds less influence than the mobility on our IDSMore mobility in MANET causes more dropped diagnosticpackets and hence less diagnostic is concluded with a finalresult that is confirming or refuting the suspiciousnessHowever comparing the launched attacks to the discov-ered suspicious events shows that the majority of attacksare tagged as suspicious events and considered for furtherdiagnostic Note that the mobility has a negative influence
14 International Journal of Distributed Sensor Networks
0
20
40
60
80
100
0 2 4 6 8
Det
ecte
d in
trus
ions
()
Velocity (ms)
Average detection
(a)
0
10
20
30
40
50
0 2 4 6 8
False
pos
itive
()
Velocity (ms)
Average of false positives
(b)
0
10
20
30
40
50
0 2 4 6 8
Mem
ory
usag
e (M
B)
Velocity (ms)
(c)
025 05
1
5
20
50 100
0 2 4 6 8
IDA
R ve
rsus
OLS
R tr
affic (
)
Velocity (ms)
(d)
Figure 5 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network mobility
on all the IDSs especially the cooperative ones where thereis an exchange of evidencesalerts Table 4 provides a shortperformance comparing between IDAR and other knownIDSs that are dedicated to ad hoc routing protocol Likethe majority of these IDSs the performance of our systemis challenged against a specific attack link spoofing attackin a simulated MANET (According to [42] around 75of mobile ad hoc published papers use simulation for testissues) Two evaluation factors are common to almost all thelisted IDSs the detection ratecapacity and the positive falserate Even though it was challenged in a MANET whereinthe intruders constitute 166 (Note that this percent is the3rd highest registered percent) of the nodes IDAR providesone of the highest detection rate Regarding the positivefalse rate we can notice that several IDSs especially thosethat are dedicated to DSR protocol show better results thanour system However this latter still generates a limitednumber of false positives It is also possible to reduce thefalse positives rate by amplifying the TTL (Time To Live)parameter of a bidirectional link so as to reduce the impactof obsolete neighborhood-related information during thedetection Recall that most of the generated false positives inIDAR are generated because of the difference in the time-live
of a bidirectional link between the two ends of this link Insuch case this link will be expired in one end while the otherend will keep confirming its existence It is worthmentioningthat except our system the listed IDSs that aim to detect theattacks targeting OLSR protocol do not present neither thedetection rate nor the false positives rate But they merelyprove the capacity of detecting the addressed attack(s) Inaddition IDAR is one of the rare IDSs that are evaluated interms of resources consumption Indeed we measure boththe increment inmemory usage and traffic overhead resultingfrom detection operations IDAR triggers a small incrementin the devicesrsquomemory usage (between 176MBand 265MB)Therefore it can be tolerated by the resource-limited devicesIt further triggers the lowest traffic overhead compared to thelisted IDSs IDAR presents a good scalability and offers a highdetection rate even in the high density networks where a largeamount of routing traffic should be monitored (Figure 4(a))This scalability is reinforced by (i) the limited traffic overhead(ii) the use of routing logs so as to extract the evidencesinstead of sniffing the traffic (iii) the distributed nature ofdetection such that each node is responsible for detecting theattacks targeting it and (iv) the unnecessity of modifying theused routing protocol
International Journal of Distributed Sensor Networks 15
5 Related Work
Systems that detect intrusion targeting ad hoc routing proto-col are extremely diverse in the way they analyze intrusionThey fall into the three key categories
(i) Anomaly detection system defines the correct behav-ior of the nodenetwork so as to detect deviations tothis behavior This correct behavior is automaticallybuilt during an attackless training phase The detec-tion accuracy depends on the ability to (i) describethe correct behavior and (ii) distinguish betweenanomalous and unexpected behaviors
(ii) Specification-based detection system hand-codes thelegitimate functionoperation and then searches for aviolation to this operation
(iii) Signature-based detection system first describes theway an intruder penetrates the system by defining anintrusion signature Then any behavior that is closeto this predefined signature is flagged as intrusion
Hereafter we detail examples of each of these categoriesAnomaly-based detection constitutes the main approachused to detect attacks The IDS proposed by Zhang et al[7] constitutes a de facto standard in MANET It aims atdetecting the attempts to falsify the routes provided by theAODV [61] DSR [62] and DSDV [63] routing protocolsDuring the training phase the impact of movement on thepercentage of changes in the routing table is analyzed Notethat this movement (ie velocity direction and position)is provided by a Global Positioning System (GPS) Thenduring the operation phase an actual percentage of changesdiffering from the predicted one is defined as anomaly Inpractice the distinguishing between anomalous and normalbehaviors is provided by the Support Vector Machine (SVM)Light [64] classifier or by RIPPER [15] a rule-based engineThe hierarchical IDS proposed in [47] detects blackhole androuting request flooding attacks targeting AODV protocolHere MANET is arranged into clusters whereas the nodewith the highest residual energy and number of connectionsis elected as a cluster-head Each cluster-head monitors thetraffic inside its cluster so as to identify the abnormal valuesof (i) the percentage of changes in the routing table and (ii)the propagation of routingdata packets Such abnormalitiesare identified thanks to (1-SVM) classifier [65] a deviationof SVM that needs to be trained with either normal orabnormal scenario but not both of them In [48] (resp [66])a blackhole (and resp dropping) attack targeting AODVprotocol (resp a secured version of AODV protocol includ-ing authentication and reputation estimation) are detectedby investigating features for example the number of routerequests and route replies as well as the average difference ofsequence numbers (Largely increased sequence numbers areknown as a sign of blackhole attack) Then simple anomalydetection is applied if the distance between the actuallyobserved features and the average ones that are recorded dur-ing the training exceeds a given threshold then an intrusionis detected More sophisticated cross-features analysis (CFA)[67] is applied to detect both blackhole and packet drop-ping on AODV and DSR protocols Features including for
example the reachability between 2 nodes and the numberof delivered packets are analyzed within time windows Thisanalysis attempts to quantify the relation existing betweenone feature 119891
119894and the others 119891
1 119891
119894minus1 119891119894+1 119891
119896(with
119896 + 1 defining the number of features analyzed) During theoperation phase the probability of matching between theobserved feature 1198911015840
119894and the predicted feature 119891
119894 which is
established based on 11989110158401 119891
1015840
119894minus1 1198911015840
119894+1 119891
1015840
119896 is calculated by
a decision tree classifier named C45 [68] An anomaly refersto an average of matching probability fewer than a giventhreshold CFA and C45 are also used in [69] with traffic-related features (eg number of receivedtransferred packets)and OLSR- or AODV-related features (eg MPR updates forthe former and route discovery for the latter) A modifiedMarkov chain-based IDS is proposed in [58] so as to detectroute disruption attack targeting DSR protocol Here thedetection depends on identifying unpredicted value of twofeatures the percentage of changes in the number of routesand the percentage of changes in the number of hops Inpractice a Markov chain is based on the immediate previous119899 consecutive values of a feature as to predict the (119899 + 1)thvalue If the difference between a predicted and an observedvalue exceeds a given threshold an intrusion is concluded
Rather than establishing automatically a correct behaviorspecification-based detection system hand-codes the correctbehavior of the routing protocols based on the protocol spec-ification (IETF draft or RFC) Then the system attempts todetect a violation of constraints circumventing this behaviorFour key constraints define the correct behavior of OLSR([14 70])
(1) Neighbor relationmust be reciprocal (ie 2 neighborsmust hear the hello message sent by each other)
(2) TheMPRs and the nodes that select theMPR (ie theMPR selectors) must be adjacent
(3) A node that finds itself advertised as a MPR selectorin a TCmessage must be adjacent to the originator ofthis message
(4) Nodes receive TC messages without modificationsfromMPR(s)
Each node sniffs the traffic in its radio range so as todiscover the violations of any of the above constraints Theseconstraints are modeled by semantic properties in [70] (resprules in [14]) so as to detect link spoofing attack on TC(and resp hello messages) both experiment an ability todetect a link spoofing by observing a violation of the thirdcondition over a simulated network composed of 11 nodesFinite-state machines are used to describe similar constraintson OLSR [41] and the behavior of AODV protocol [52 71]In [41] a centralized detection of link spoofing man-in-the-middle and deny of service attack is performed While in[52 71] incorrect hop countssequence numbers are analyzedby distributed sensors which sniff and group the packets perrequest-reply flow so as to estimate the forwarding path perflow If a route requestreply is illegallymodified or forwardedvia a nonexpected path then an alarm is triggered In [60]similar FSMs are used to define constraints on both the routediscovery in AODV and the packet forwarding operations
16 International Journal of Distributed Sensor Networks
Table4Com
parin
gID
ARperfo
rmance
with
otherIDSs
IDS
Routing
protocol
Num
bero
fno
des
Intrud
ers
()
Moving
speed
Detectio
nrate
False
positives
rate
Increm
entinmem
ory
usage
Increm
entintraffi
coverhead
IDAR
OlSR
30166
0ndash8m
s707ndash963
0ndash132
176ndash
265MB
478ndash6215KB
(036
ndash597
ofOlSRtraffi
c)
[43]
OlSR
303366
10
mdashmdash
mdashmdash
6ndash12
ofOlSR
traffi
c[41]
OlSR
1010
0ms
Detectio
nispo
ssible
mdashmdash
mdash[44]
OlSR
7143
0ms
Detectio
nispo
ssible
mdashmdash
mdash[45]
OlSR
520
0ms
Detectio
nispo
ssible
mdashmdash
mdash[14
]OlSR
119
0ms
Detectio
nispo
ssible
mdashmdash
mdash[46]
AODV
3033
0ndash5m
s3067ndash90
0ndash20
mdashmdash
[47]
AODV
502
0ndash20
ms
90
5
mdashmdash
[48]
AODV
3033
1ndash20
ms
70ndash82
12ndash18
mdashmdash
[49]
AODV
2050
10
1ndash10ms
964ndash9
87
079ndash093
mdash900k
B
[50]
AODV
5238
0ndash20
ms
(Fixed
IDSs)
100
0ndash0
6
mdashmdash
[51]
AODV
521
20238
0ndash10ms
50ndash100
0ndash30
mdashmdash
[52]
AODV
30mdash
0ndash20
ms
70ndash100
05
ndash15
mdashmdash
[53]
AODV
50Ra
ndom
0ndash20
ms
79plusmn10ndash92plusmn3
5plusmn1ndash32plusmn8
mdashmdash
[54]
AODV
102050
mdash0ndash
10ms
0ndash100
0ndash≫100
02ndash06
mdash[55]
AODV
20ndash200
mdash0ndash
20ms
30ndash9
50ndash16
mdashmdash
[56]
AODV
50mdash
1ndash20
ms
998ndash100
083ndash846
mdashmdash
[7]
AODV
mdashmdash
mdash8848plusmn414ndash971plusmn032
145plusmn072ndash202plusmn627
mdashmdash
DSD
Vmdash
mdashmdash
8523plusmn328ndash9061plusmn299
537plusmn310ndash263plusmn549
mdashmdash
DSR
mdashmdash
mdash852plusmn238ndash991plusmn037
003plusmn004ndash153plusmn408
mdashmdash
[57]
DSR
5040
0ndash20
ms
mdashmdash
mdash11ndash313
of
data
traffi
c[58]
DSR
3033
3ndash5m
s60ndash100
25
ndash50
mdashmdash
[59]
DSR
30mdash
mdash75
12
mdashmdash
[60]
DSR
502
0ndash20
ms
837ndash9
74
13ndash72
mdashmdash
International Journal of Distributed Sensor Networks 17
A signature-based system distinguishes itself by model-ing the misbehavior (rather than the correct behavior) soas to identify if a sequence of observed events matchingan intrusion signature AODVSTAT [54] uses state-basedsignatures in order to detect dropping and spoofing attacksalong with network flooding Few sensors sniff the traffic andmatch it against predefined signatures They also exchangeperiodically MAC and IP addresses so as to detect an identityspoofing which is characterized by a node emitting a packetidentified by MAC and IP addresses differing from thoseregistered for this node A dropping attack refers to a nodethat fails to replay route requestreply Finally a node sendinga number of packets exceeding a given threshold is identifiedas willing to exhaust resources In [45] intrusion signaturesare specified in opposition to the legitimate behavior of OLSRdepicted in conjunction with specification rules similar tothose defined in [70] In particular a node 119873 mistrusts twoneighbors 119871 and 119872 that conform to the following rules119872 advertises 119871 as a neighbor while 119871 does not advertise119872 as a neighbor (or reciprocally) both 119871 and 119872 send TCmessages while 119871rsquos neighbors are a subset of 119872rsquos neighbors(or reciprocally) In addition 119873 mistrusts 119872 if 119873 which isnot a neighbor of 119872 finds itself as a MPR selector in a TCof 119873 (constraint 3) In [44] a FSM is employed to modelthe signature of hello message fabrication in OLSR protocolin an agent-based IDS In practice each node uses a SimpleNetworkManagement Protocol (SNMP) agent so as to collectaudit data from the Management Information Base (MIB)After that events are extracted from the collected audit dataand are matched to the attack signatureThe addressed attackaims at breaking the link between a victim node and itsneighbors and thus a DoS takes place To that end theattacker impersonates the identity of the victim and sends afake hello message advertising one of the victim symmetricneighbors with lost link status Upon receiving the fabricatedmessage the neighbor changes the status of its link withthe victim to ldquoheardrdquo and stops routing packets through thevictim
51 Synthesis and Discussion A great majority of the litera-ture is focused on anomaly detectionwhile scarce effort inves-tigates specification- and signature-based intrusion Thisnaturally calls for consolidating the effort on specification-and signature-based detection while following the habitus ofwired network which consists in coupling these detectionsystems with one another for example in [72] wherein acombination of anomaly- and signature-based detection isrealized so as to increase the detection rate Almost all ofthe IDS focuses only on the detection accuracy that isproviding a high detection rate along with limited falsealarms However they do not consider the criticality ofmaintaining the resources and henceforth extending thelifetime of the nodenetwork Our IDS takes into account thenecessity of reducing to minimum both the communicationand computation overload related to intrusion identificationThe absolute majority of the IDSs is simulated (including thesystem we are proposing) rather than being either developedor experimented on testbeds or relying on empirical data
The reason that explains this situation is twofold Firstthe deployment of critical MANET is limitednot adver-tised Second to the best of our knowledge experiences ofintrusion in MANETs are not reported intrusions are infact developedsimulated as proofs of concept Neverthelessnot only routing protocols but also the characterization ofthe intrusion together leverage on the experience gained indesigning routing protocols for wired networks and deal-ing with related misbehaviors In particular the similarityexisting between the OSPF and OLSR protocols implies thatmany threats (eg sequence numbers identity spoofing) areshared In other words intrusion may be inspired from theone targeting wired networks Meanwhile the developmentof intrusion detection and the envisioning of attacks areaccelerated
6 Conclusion
We survey and classify the attacks that target ad hoc routingprotocols focusing on theOLSRprotocol In order to facilitatethe definition of intrusion signatures we extend a descriptionmodelmdashan attack is expressed as the preconditions andthe resulting consequencesmdashand enrich it with temporalannotations Once hand-coded these signatures are utilizedby IDAR a log-based distributed intrusion detection systemdedicated to operate in mobile ad hoc networks IDARdistinguishes itself by analyzing the logs generated by arouting protocol and extracts intrusion evidences so as tocompare these latter against predefined intrusion signaturesFor this purpose evidences are categorized into four groupsaccording to their degree of suspiciongravity and hence totheir ability to activatedeactivate the diagnostic We furtherdevelop a link spoofing attack on the OLSR protocol buildthe related detection rules and evaluate the performancesof IDAR relying on the NS3 simulator coupled with LXCvirtual machines Overall the experiments figure out ahigh rate of intrusion detection and low false positivesrate even under increased mobility and density Meanwhileresource consumption and network overhead result from thediagnostic are low and adapted to the resource-constraineddevices Note that ongoing effort is provided as to evaluateIDAR in a real MANET consisting of resource-constraineddevices Still detecting intrusion is not a trivial task due tothe large number of evidences to tackle and the resource-consuming diagnostic A compromise between detectionaccuracy and resource consumption could be found For thispurpose we are working on a new statistical mechanism forgathering the evidences This mechanism aims at enhancingthe scalability of our system by restricting the interrogationto a limited subset of nodes during the diagnostic Moreoveruntil now we assume that honest parties are passive theyalarm others but do not react We are considering thecoupling with countermeasures (eg blacklisting) and theexploring of lightweight binary consensus and trust estab-lishment among the nodes that participate in the intrusiondetection
18 International Journal of Distributed Sensor Networks
References
[1] Z Zhao H Hu G Ahn and R Wu ldquoRisk-aware mitigation formanet routing attacksrdquo IEEE Transactions on Dependable andSecure Computing vol 9 no 2 pp 250ndash260 2012
[2] B Sun L Osborne Y Xiao and S Guizani ldquoIntrusion detectiontechniques in mobile ad hoc and wireless sensor networksrdquoIEEE Wireless Communications vol 14 no 5 pp 56ndash63 2007
[3] S Sesay Z Yang and J He ldquoA survey onmobile ad hoc wirelessnetworkrdquo Information Technology Journal vol 3 no 2 pp 168ndash175 2004
[4] P Brutch and C Ko ldquoChallenges in intrusion detection forwireless ad-hoc networksrdquo in Proceedings of the Symposium onApplications and the Internet Workshops (SAINT rsquo03) pp 368ndash373 2003
[5] S Khan N Alrajeh and K Loo ldquoSecure route selection inwireless mesh networksrdquo Computer Networks vol 56 no 2 pp491ndash503 2012
[6] S Corson and J Macker ldquoMobile ad hoc networking (manet)routing protocol performance issues and evaluation considera-tionsrdquo IETF RFC2501 1999
[7] Y Zhang W Lee and Y Huang ldquoIntrusion detection tech-niques for mobile wireless networksrdquoWireless Networks vol 9no 5 pp 545ndash556 2003
[8] B C Cheng and R Y Tseng ldquoA context adaptive intrusiondetection system for MANETrdquo Computer Communications vol34 no 3 pp 310ndash318 2011
[9] T Eissa S A Razak and M D A Ngadi ldquoTowards providinga new lightweight authentication and encryption scheme forMANETrdquoWireless Networks vol 17 no 4 pp 833ndash842 2011
[10] A Irshad W Noshairwan M Shafiq S Khurram E Irshadand M Usman ldquoSecurity enhancement for authentication ofnodes in MANET by checking the CRL status of serversrdquoCommunications in Computer and Information Science vol 78pp 86ndash95 2010
[11] D E Denning ldquoAn intrusion-detection modelrdquo IEEE Transac-tions on Software Engineering vol 13 no 2 pp 222ndash232 1987
[12] T Clausen and P Jacquet ldquoOptimized link state routing proto-col (OLSR)rdquo IETF Experimental RFC 3626 2003
[13] P Albers O Camp J Percher et al ldquoSecurity in ad hoc networksa general intrusion detection architecture enhancing trust basedapproachesrdquo 2002
[14] F Cuppens N Cuppens-Boulahia S Nuon and T RamardldquoProperty based intrusion detection to secure OLSRrdquo in Pro-ceedings of the 3rd International Conference on Wireless andMobile Communications (ICWMC rsquo07) Guadeloupe FranceMarch 2007
[15] W Cohen ldquoFast effective rule inductionrdquo in Proceedings of theInternational Conference onMachine Learning (ICML rsquo95) 1995
[16] S Sarafijanovic and J-Y le Boudec ldquoAn artificial immunesystem for misbehavior detection in mobile ad-hoc networkswith virtual thymus clustering danger signal and memorydetectorsrdquo in Proceedings of the 3rd International Conference onArtificial Immune Systems (ICARIS rsquo04) 2004
[17] S Sen and J Clark Intrusion Detection in Mobile Ad HocNetworks in Guide to Wireless Ad Hoc Networks SpringerLondon UK 2009
[18] D Subhadrabandhu S Sarkar and F Anjum ldquoA Framework formisuse detection in ad hoc networksmdashpart IIrdquo IEEE Journal onSelected Areas in Communications vol 24 no 2 pp 290ndash3032006
[19] L M Feeney and M Nilsson ldquoInvestigating the energyconsumption of a wireless network interface in an ad hocnetworking environmentrdquo in Proceedings of the 20th AnnualJoint Conference of the IEEE Computer and CommunicationsSocieties pp 1548ndash1557 April 2001
[20] A P Lauf R A Peters and W H Robinson ldquoA distributedintrusion detection system for resource-constrained devices inad-hoc networksrdquo Ad Hoc Networks vol 8 no 3 pp 253ndash2662010
[21] N A Alrajeh S Khan J Lloret and J Loo ldquoSecure routingprotocol using cross-layer design and energy harvesting inwireless sensor networksrdquo International Journal of DistributedSensor Networks vol 2013 Article ID 374796 11 pages 2013
[22] S Sen J Clark and J Tapiador Security Threats in MobileAd Hoc Networks I S of Self-Organizing Networks AuerbachPublications 2010
[23] P Ning and K Sun ldquoHow to misuse AODV a case study ofinsider attacks againstmobile ad-hoc routing protocolsrdquoAdHocNetworks vol 3 no 6 pp 795ndash819 2005
[24] T Clausen C Dearlove P Jacquet and U Herberg ldquoTheoptimized link state routing protocol version 2rdquo IETF ActiveInternet-Draft Draft-Ietf-Manet-Olsrv2-15 2012
[25] U Herberg and T Clausen ldquoSecurity issues in the optimizedlink state routing protocol version 2 (olsrv2)rdquo InternationalJournal of Network Security amp Its Applications vol 2 no 2 2010
[26] YOwada TMaenoH Imai andKMase ldquoOLSRv2 implemen-tation and performance evaluation with link layer feedbackrdquo inProceedings of the International Wireless Communications andMobile Computing Conference (IWCMC rsquo07) pp 67ndash72 Newyork NY USA August 2007
[27] F Hong L Hong and C Fu ldquoSecure OLSRrdquo in Proceedingsof the 19th International Conference on Advanced InformationNetworking and Applications (AINA rsquo05) pp 713ndash718 March2005
[28] LNAMHegland P Spilling andQKure ldquoHybrid protectionof olsrrdquo in Electronic Notes in Theoretical Computer Science2006
[29] P Kunwar S Sofat and D Bansal ldquoComparison of secure olsrrouting protocolrdquo International Journal of Engineering Sciencevol 3 no 6 p 5049 2011
[30] A Adnane C Bidan and R T de Sousa Junior ldquoTrust-basedcountermeasures for securing OLSR protocolrdquo in Proceedingsof the 7th IEEEIFIP International Conference on Embedded andUbiquitous Computing (EUC rsquo09) pp 745ndash752 August 2009
[31] B Wu J Chen J Chen J Wu and M Cardei ldquoA survey ofattacks and countermeasures in mobile ad hoc networksrdquo inWireless Network Security Springer New York NY USA 2007
[32] C Adjih D Raffo and P Muhlethaler ldquoAttacks against OLSRdistributed key management for securityrdquo in Proceedings of theOLSR Interop Workshop 2005
[33] G CerveraM Barbeau J Garcia-Alfaro and E Kranakis ldquoMit-igation of topology control traffic attacks in OLSR networksrdquoin Proceedings of the 5th International Conference on Risks andSecurity of Internet and Systems (CRiSIS rsquo10) October 2010
[34] P M Jawandhiya M M Ghonge M S Ali et al ldquoA surveyof mobile ad hoc network attacksrdquo International Journal ofEngineering Science and Technology vol 2 no 9 pp 4063ndash40712010
[35] L M Feeney ldquoAn energy consumption model for performanceanalysis of routing protocols for mobile ad hoc networksrdquoMobile Networks and Applications vol 6 no 3 pp 239ndash2492001
International Journal of Distributed Sensor Networks 19
[36] G Riley and T Henderson ldquoThe ns-3 network simulatorrdquo inModeling and Tools for Network Simulation Springer BerlinGermany 2010
[37] S Bhattiprolu E Biederman S Hallyn et al ldquoVirtual serversand checkpointrestart inmainstream linuxrdquo SIGOPSOperatingSystems Review vol 42 no 5 pp 104ndash113 2008
[38] J Zhang J Xing and Z Qin ldquoTaprouter an emulatingframework to run real applications on simulated mobile adhoc networkrdquo in Proceedings of the 44th Annual SimulationSymposium (ANSS rsquo11) pp 39ndash46 2011
[39] D Broyles A Jabbar and J P G Sterbenz ldquoDesign andanalysis of a 3-d gauss-markov mobility model for highly-dynamic airborne networksrdquo in Proceedings of the InternationalTelemetering Conference (ITC rsquo10) San Diego CA USA 2010
[40] J Haerri F Filali and C Bonnet ldquoPerformance comparisonof AODV and OLSR in vanets urban environments underrealistic mobility patternsrdquo in Proceedings of the IFIP Med-Hoc-Net Workshop 2006
[41] C H Tseng T Song P Balasubramanyam C Ko and K LevittldquoA specification-based intrusion detection model for OLSRrdquoRecent Advances in Intrusion Detection vol 3858 pp 330ndash3502006
[42] S Kurkowski T Camp and M Colagrosso ldquoManet simulationstudies the incrediblesrdquo SIGMOBILE Mobile Computing andCommunications Review vol 9 no 4 pp 50ndash561 2005
[43] A Abdalla I Saroit A Kotb et al ldquoMisbehavior nodesdetection and isolation for MANETs OLSR protocolrdquo ProcediaComputer Science vol 3 pp 115ndash121 2011
[44] R Puttini J Percher L Me et al ldquoA modular architecture fordistributed ids in manetrdquo in Proceedings of the InternationalConference on Computational Science and Its Applications III2003
[45] A Adnane R T de Sousa L Me and C Bidan ldquoAutonomictrust reasoning enables misbehavior detection in OLSRrdquo inProceedings of the 23rd Annual ACM Symposium on AppliedComputing (SAC rsquo08) pp 2006ndash2013 March 2008
[46] W Wang H Man and Y Liu ldquoA framework for intrusiondetection systems by social network analysis methods in ad hocnetworksrdquo Security and Communication Networks vol 2 no 6pp 669ndash685 2009
[47] H Deng R Xu J Li F Zhang R Levy and W Lee ldquoAgent-based cooperative anomaly detection for wireless ad hoc net-worksrdquo in Proceedings of the 12th International Conference onParallel and Distributed Systems (ICPADS rsquo06) pp 613ndash620 July2006
[48] S KurosawaHNakayamaN Kato et al ldquoDetecting blackholesattack on AODV-based mobile ad hoc networks by dynamiclearningmethodrdquo International Journal of Network Security vol5 no 3 pp 338ndash346 2007
[49] WWang HWang BWang et al ldquoEnergy-aware and selfadap-tive anomaly detection scheme based on network tomographyin mobile ad hoc networksrdquo Information Sciences vol 220 pp580ndash602 2013
[50] M-Y Su ldquoPrevention of selective black hole attacks on mobilead hoc networks through intrusion detection systemsrdquo Com-puter Communications vol 34 no 1 pp 107ndash117 2011
[51] N Marchang and R Datta ldquoCollaborative techniques for intru-sion detection in mobile ad-hoc networksrdquo Ad Hoc Networksvol 6 no 4 pp 508ndash523 2008
[52] B V R N Yadav B Satyanarayana and O B V RamanaiahldquoAn efficient intrusion detection system for mobile ad hoc net-worksrdquo in Emerging Trends in Computing Informatics Systems
Sciences and Engineering vol 151 Springer New York NYUSA 2013
[53] Y Huang and W Lee ldquoAttack analysis and detection for ad hocrouting protocolsrdquo in Recent Advances in Intrusion Detectionvol 3224 Springer Berlin Germany 2004
[54] G Vigna S Gwalani K Srinivasan E M Belding-Royer andR A Kemmerer ldquoAn intrusion detection tool for AODV-basedad hoc wireless networksrdquo in Proceedings of the 20th AnnualComputer SecurityApplications Conference (ACSAC rsquo04) pp 16ndash27 December 2004
[55] M Ayachi C Bidan and N Prigent ldquoA trust-based ids for theaodv protocolrdquo in Information and Communications Securityvol 6476 pp 430ndash444 2010
[56] S Sen and J A Clark ldquoA grammatical evolution approach tointrusion detection on mobile ad hoc networksrdquo in Proceedingsof the 2nd ACMConference onWireless Network Security (WiSecrsquo09) pp 95ndash102 March 2009
[57] S Marti T J Giuli K Lai and M Baker ldquoMitigating routingmisbehavior in mobile ad hoc networksrdquo in Proceedings of the6th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo00) pp 255ndash265 August 2000
[58] B Sun K Wu and U Pooch ldquoRouting anomaly detection inmobile ad hoc networksrdquo in Proceedings of The 12th Interna-tional Conference on Computer Communications and Networks(ICCCN rsquo03) 2003
[59] S Bose S Bharathimurugan and A Kannan ldquoMulti-layerintegrated anomaly intrusion detection system for mobileadhoc networksrdquo in Proceedings of the International Conferenceon Signal Processing Communications and Networking (ICSCNrsquo07) pp 360ndash365 February 2007
[60] P Yi Y Zhong and S Zhang ldquoA novel intrusion detectionmethod for mobile ad hoc networksrdquo in Advances in GridComputing vol 3470 pp 1183ndash1192 Springer Berlin Germany2005
[61] C Perkins E Belding-Royer and S Das ldquoAd hoc on-demanddistance vector (AODV) routingrdquo IETF Experimental RFC3561 2003
[62] D Johnson and D Maltz ldquoDynamic source routing in ad hocwireless networksrdquo in Mobile Computing pp 153ndash181 KluwerAcademic 1996
[63] C Perkins and P Bhagwat ldquoHighly dynamic destinationse-quenced distance-vector routing (dsdv) for mobile computersrdquoin Proceedings of the Conference on Communications Architec-tures Protocols and Applications (SIGCOMM rsquo94) vol 24 pp234ndash244 1994
[64] T JoachimsMaking Large-Scale Support VectorMachine Learn-ing Practical MIT Press Cambridge Mass USA 1999
[65] Y Yajima and T Kuo ldquoEfficient formulations for 1-svm and theirapplication to recommendation tasksrdquo Journal of Computersvol 1 no 3 pp 27ndash34 2006
[66] L Bononi and C Tacconi ldquoIntrusion detection for secureclustering and routing inMobileMulti-hopWirelessNetworksrdquoInternational Journal of Information Security vol 6 no 6 pp379ndash392 2007
[67] Y Huang W Fan W Lee et al ldquoCross-feature analysis fordetecting ad-hoc routing anomaliesrdquo in Proceedings of the 23rdInternational Conference on Distributed Computing Systems(ICDCS rsquo03) pp 478ndash487 May 2003
[68] J Quinlan C4 5 Programs for Machine Learning MorganKaufmann Boston Mass USA 1993
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 3
term of the number of hops) to any destination such pathbeing represented as a sequence of MPRs In addition to theabove last versions of the protocol specification support anode holding several network interfaces which are declared(if many) in a so-calledMID (Multiple Interface Declaration)message This message is broadcasted on a regular basis byMPRs so that one another maps multiple interfaces of a givennode with the main address of this latter hence permittinga unique identification The aforementioned functionalitiescompose the core of OLSR Additional extensions have beendevised in compliance with the above-summarized OLSRspecification Examples include (i) dealing with the nodesthat commit (or not) to carry the traffic for others and(ii) supporting interconnection of an OLSRMANET withanother routing domain for example OSPF-enabled routingdomain With the former node advertises (in hello message)its willingness to carryforward traffic With the latter OLSRis extended to import (and resp export) the routes providedby other routing protocols (resp OLSR) For this purposeany gateway with associated host(s) andor network(s) gen-erates periodically a HNA message including those host(s)andor network(s) (ie the related network address and thenetmask) this message is further disseminated by MPRsSuch an auxiliary function is enabled by providing a basiclayout of any OLSR packet and by ignoring unknown(and hence not handled) packets Overall these core andauxiliary functionalities are together subject to a variety ofattacks
Recently a new version of OLSR (so-called OLSRv2)is specified in an Internet-draft [24] OLSRv2 distinguishesitself from its predecessor by considering the link metricrather than hop count for selecting the shortest path Itis supposed that OLSRv2 would have more modular andflexible architecture that facilitates add-ons extensions forfor example security QoS and multicast [25] It will alsopossess a simplified packet format and reduced-sizemessagesdue to address compression [26] However both OLSR andOLSRv2 retain the same basic algorithms and mechanisms
It is worth mentioning that several enhanced versionsof OLSR have been proposed Some of them tackle thesecurity issue and use signature hash chain or encryptionschemes in order to provide the security to OLSR [27 28]In general these versions aim to ensure (i) the integrity ofthe routing information that is preventing the unauthorizedmodifications of the routing messages by the intermediatenodes on the path from the source to the destination and (ii)the node-to-node authentication in order to prevent identityspoofing However they do not address for example thecase where the source node is itself compromised and henceit generates incorrect routing messages Thus they are stillincapable of preventing some types of attack [29] Thereforethere is always a need to employ a detection mechanism soas to handle the attacks that would success penetrating theprevention techniques
22 Attacks Targeting the OLSR Protocol The attacks threat-ening OLSR are hereafter detailed and classified accordingto the model introduced in [30] This model provides the
Table 1 Notations
Communication119884119872119905
997888997888rarr 119883 At 119905 119884 sends a message119872 that is received by119883119884119872119905
997888997888rarr At 119905 119884 sends a message119872119884119872119905
999424999426999456 119884 does not send a message119872 at 119905119872119905
997888997888rarr 119883 119883 receives a message119872 at 119905119872119905
999424999426999456 119883 119883 does not receive a message119872 at 119905Parameters
119905998810119905 Period of timeI Set of malicious nodes119873119878119883
Set of 1-hop neighbors of119883sq Sequence numberhc Hop count119908119883
Willingness of119883 to forward packets on behalf of othersMPR119909
MPRs of119883SelMPR119909 MPR selectors set of119883
MessagesHello Hello messageTC Topology Control messageMID Multiple Interface DeclarationHNA Host and Network AssociationCM Control MessageRM Received Control messageFM Control message intended to be forwarded
level of expressiveness necessary to specify the relation-ship between the actions and their related consequencesWe further enrich this model with temporal annotations(Table 1) As a consequence complex attacks their constitut-ing actions and consequences are temporally and successfullydepicted and categorized as drop attack (Section 221) activeforge attack (Section 222) and modify and forward attack(Section 223)
221 Drop Attack In practice a drop attack consists of anintruder that drops a control message instead of relaying itThis dropping has an impact only if the dropped control mes-sage is intended to be forwarded as illustration a suppressingof a hello message that is broadcasted over one hop hasno consequence Thus with OLSR threatened messages arerestricted to themessages that are created andor broadcastedby a MPR so as to be rediffused by other MPRs thatis Topology Control (TC) Multiple Interface Declaration(MID) and Host and Network Association (HNA)messagesMore particularly let us consider a host 119878 that sends a controlmessage which is intended to be forwarded This messagewhich is originated at 119905 (119878
FM119905
997888997888997888rarr119868) is received by 119868 that dropsit In practice 119868 drops a control message if 119868 does not forwardthis message during a period |1199051015840 minus 119905| less than the maximumallowed (any control message is characterized by an emissioninterval as well as a holding time in the routing tables Thesetwo related values participate in setting a validity time that
4 International Journal of Distributed Sensor Networks
should be herein considered in conjunction with the messagetype) period119905
119878FM119905
997888997888997888rarr 119868 119868
FM1199051015840
999424999426999456 100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816gt 119905
dArr
119868 isin I
(1)
Such a dropping is naturally applied on any packet thatis empty expired duplicated or out of order In additionrestrictive forwarding is provided meaning that in practice(only) the 1-hop neighbor(s) of 119878 that have been selectedby 119878 to act as MPR(s) forward 119878rsquos messages Apart fromthe aforementioned conditions that lead to a convenientdropping the remaining reason motivating a dropping isthreefold An intruder (or a compromised node) a selfishor a malfunctioning node disturbs the routing calculation bydropping a control message that should be forwarded Theattempt to drop any packet is termed black hole A selectivedropping (named gray hole) is detected by taking intoaccount additional fine-grained or discriminative criteriaincluding the choice of specific final1-hop-away destinationor source percentagerate of packets received or forwardedand message type Rather than dropping the traffic anoppositemisbehavior consists in introducing falsified routinginformation
222 Active Forge Attack An active forge attack comes froma node that introduces novel deceptive routing messagesAmong others the broadcast storm stems from forgingcontrol messages so as to exhaust resources (eg energy) andsaturate the communication medium For this purpose anintruder 119868 forges a large number of control messages CMwithin a short period of time 998810119905 (see Expression 2) Thisattack may be local (eg targeting a 1-hop neighborhood) orglobal (eg relying on the multihops broadcasted messages)It may also be conducted in a distributedmanner with severalcolluding nodes so as to simultaneously emit (a large numberof) control messages Note that in order to prevent a broad-cast storm resulting from the involuntary synchronization ofsome emitting nodes a delaying of the control messages isrecommended in the RFC a jitter (typically a random value)is subtracted from the interval at which control messages aregenerated (and also forwarded)
119868CM119905
997888997888997888rarr 119868CM1015840119905
997888997888997888rarr100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 998810119905
dArr
119868 isin I
(2)
A special type of broadcast storm is routing table overflowattack that threatens especially the proactive routing pro-tocols (eg OLSR) as they periodically update the routinginformation [31] Herein one or several colluding intrudersprevent the well-behaving nodes from discovering new exist-ing routes by dumping the networkwith route advertisements
to nonexisting nodes In general broadcast storm constitutesa kind of denial of service that is characterized by a high vis-ibility Therefore it is typically combined to masqueradingmdashalthough less intrusive attacks may also be preferred Inpractice masquerading lies in sending a control message CM
including a switched identification (119868CM(119868)
119905
997888997888997888997888997888rarr 119868CM(119878)
119905
997888997888997888997888997888rarr)Note that this case is distinguished from a node that holdsseveral interfaces and that advertises those later in a dedicatedMID message Apart from masquerading a denial of serviceidentity spoofing may be intended to create conflictingroute(s) and potentially routing loop(s) In this latter casespoofing the identity of a node 119878 belonging to the networkis necessary As pointed out in [32] the spoofing attack mayalso be coupled with a modification of the willingness field soas to impact the MPR selection (Expression 3) In practiceif 119868 emits a hello message including an originator address
already assigned to another node 119878 (119868hello(119878)997888997888997888997888997888997888rarr 119863) then
119868 modifies the local topology as seen by its 1- and 2-hopsneighbors In addition if 119868 modifies the willingness field1199081015840
119878of 119878 (with 1199081015840
119878= 119908119878) then the selection of 119878 as MPR is
impacted recall that MPRs are selected among the nodeswith highest willingness and in case of multiple choicesthe node which provides a reachability to the maximumnumber of nodes is primarily selected For instance a nodewhose willingness attribute set to 119908119894119897119897 119899119890V119890119903 = 0 (resp119908119894119897119897 119886119897119908119886119910119904 = 7) is never (resp always) selected as MPRthat is 1199081015840
119878= 119908119894119897119897 119899119890V119890119903 rArr 119878 notin MPR
119863(versus 1199081015840
119878=
119908119894119897119897 119886119897119908119886119910119904 rArr 119878 isin MPR119863)
119878
hello(119878119908119878)119905997888997888997888997888997888997888997888997888997888rarr 119863 119868
hello(1198781199081015840119878)1199051015840
997888997888997888997888997888997888997888997888997888rarr 119863
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905 119908
119878= 1199081015840
119878
dArr
119868 isin I
119878 is spoofed
1199081015840
119878= 119908119894119897119897 119899119890V119890119903 997904rArr 119878 notin MPR
119863
1199081015840
119878= 119908119894119897119897 119886119897119908119886119910119904 997904rArr 119878 isin MPR
119863
(3)
Active forge attacks are not restricted to identity spoofing(possibly coupled with a tampering of the willingness field)They also cover the tampering of control messages includingincorrect adjacent links (hello messages) topology informa-tion (TC messages) and network interfaces (MID and HNAmessages) In the following we detail each of those In thefirst case (Expression 4) 119868 forges a hello message whichdeclares a list of 1-hop and symmetric neighbors1198731198781015840
119868differing
from the real set 119873119878119868 A symmetric 1-hop neighbor or simply
symmetric neighbor corresponds to an adjacent node withwhich communication is bidirectional In practice it means
International Journal of Distributed Sensor Networks 5
that the hello message exchanged by two nodes is heard byboth of these later
119868
hello(1198731198781015840119868)119905997888997888997888997888997888997888997888997888997888rarr 119878119873119878
1015840
119868=119873119878119868
dArr
119868 isin I
(4)
Whenever forging the set of neighbors 1198731198781015840119868 the attacker has
three options
(1) Declaring a nonexisting node as a symmetric neigh-bor implies that 119868 (or another misbehaving node)is further selected as MPR (Expression 5) Indeedif 119868 advertises a non-existing node 119873 (119873 notin Nwith N defining the set of nodes composing theOLSR network (according to the OLSRRFC [12]messages can be flooded into the entire network (withamaximumnetwork diameter defined by themessageTime To Live field TTL for short) or flooding canbe limited to nodes within a diameter (defined interms of number of hops) from the originator ofthe message For the sake of clarity let N representthe network in both cases)) 119868 ensures that no other(well-behaving)MPR claims being a 1-hop symmetricneighbor of119873 Recall that the set of MPRs is selectedso that all the 2-hops and symmetric neighbors arecovered 119868 is hence selected as MPR
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119873 isin 1198731198781015840
119868ni 119873 notinN cap 119873119878
119868
dArr
119868 isin I
exist1198681015840isin I cap 119873119878
119878ni 1198681015840isin MPR
119878
Card (1198731198781015840119868 (119873119878
1015840
119868capN)) gt 0
(5)
This assertion is verified as long as no other misbe-having neighbor of 119878 is claiming the same Overallinserting at least one non-existing neighbor (exist119873 isin
1198731198781015840
119868ni 119873 notinN cap119873119878
119868) guarantees that a misbehaving
node 1198681015840 (with 1198681015840 isin I) is selected to act as MPR of119878 (exist1198681015840 isin I cap 119873119878
119878ni 1198681015840isin MPR
119878) In addition
to the above the connectivity of 119868 is also artificiallyincreased (Card(1198731198781015840
119868 (119873119878
1015840
119868capN)) gt 0)
(2) Declaring that an existing node is a symmetric 1-hopneighbor whereas that node is far away (ie is not aneighbor) or is a neighbor but that is not symmetric(exist119883 isin 119873119878
1015840
119868capN ni 119883 notin 119873119878
119868) This claiming increases
artificially the connectivity of 119868 that is Card((1198731198781015840119868
119873119878119868) capN) gt 0
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119883 isin 1198731198781015840
119868capN ni 119883 notin 119873119878
119868
dArr
119868 isin I
Card ((1198731198781015840119868 119873119878119868) capN) gt 0
∄119860 isinN I ni 119860 isin 119873119878119878and 119883 isin 119873119878
119860
dArr
exist1198681015840isin I ni 119868
1015840isin MPR
119878
(6)
If no (well-behaving) MPR covers 119878 (∄119860 isin N I ni
119860 isin 119873119878119878and 119883 isin 119873119878
119860) then at least one misbehaving
node (eg 119868) is selected as MPR of 119878 (exist1198681015840 isin I ni
1198681015840isin MPR
119878) Such insertion typically characterizes an
attempt to create a black hole 119868 introduces a novelpath toward119872 that whenever selected provisions theblack hole
(3) Omitting an existing 1-hop neighbor and symmetricnode 119875 (exist119875 isin 119873119878
119868ni 119875 notin 119873119878
1015840
119868) decreases artificially
the connectivity of both 119875 and 119868 (119873119878119868
sube 1198731198781015840
119868)
Note that if 119875 has no other connectivity than the oneobtained through amisbehaving node119875 gets isolated
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119875 isin 119873119878119868ni 119875 notin 119873119878
1015840
119868
dArr
119868 isin I
exist1198681015840isin I cap 119873119878
119878 119873119878119868sube 1198731198781015840
119868
(7)
Overall falsifying the neighboring adjacency by inserting(existing or nonexisting) neighbor(s) andor omitting realneighbors potentially perverts the local topology seen by 119878(andmore generally by one another) and impacts the selectedMPR(s) by 119878 Nevertheless note that in order to be selectedas MPR of 119878 (or to prevent its selection) there is no needfor 119868 to falsify the neighboring adjacency Recall that ina hello message a field termed willingness designates thenodersquos willingness to carry traffic on behalf of others 119868 henceprevents (resp ensures) its selection as MPR by simplysetting its willingness field to the value 119908119894119897119897 119899119890V119890119903 (resp119908119894119897119897 119886119897119908119886119910119904) On the whole the MPR selection is impactedby either falsifying the topological information included inhello message or by making use of the willingness attributeAnother (perhaps more straightforward) alternative refersto a slander node 119868 declaring (resp not declaring) itself asMPR although it has not (resp has) been selected as MPR
6 International Journal of Distributed Sensor Networks
[33] For this purpose (Expression 8) 119868 forges a TopologyControl (TC) message including an incorrect set of 1-hopsymmetric neighbors that have selected 119868 as MPR (so-calledMPR selector set) Depending on the level of redundancyrequired a MPR advertises
(1) the MPR selector(s) SelMPR119868
of 119868(2) the MPR selector(s) along with the MPR of 119868
SelMPR119868
cupMPR119868
(3) the 1-hop neighbors 119873119878119868of 119868 (hence including the
MPR selectors and the MPR of 119868)
LetA119868represent the set advertised in the TC messageA
119868=
SelMPR119868
or (SelMPR119868
cupMPR119868) or 119873119878
119868 This attack consists in 119868
advertising an incorrect setA1015840119868differing from the real oneA
119868
119868
TC(A1015840119868)119905997888997888997888997888997888997888rarr 119878A
1015840
119868=A119868
dArr
119868 isin I
(8)
In particular possible falsifications lie in either 119868 insertinga non-existing node or inserting an existing node but non-MPR selector or omitting a node belonging to A
119868 Upon
the reception of a falsified TC message routing table iscorrupted This corruption contaminates the OLSR networkand also any interconnected routing domain Indeed anode well-behaving or not acting as a gateway exports thewrong OLSR routes Symmetrically an intruder may alsoimport incorrect routes to the OLSR domain This latterattack termed sinkhole involves an intruder 119868 defining itselfas a gateway that provides an access to associated host(s)andor network(s) This gateway generates periodically aHNA message including those host(s) andor network(s)(ie the related address(es) and netmask(s)) This attackconstitutes a generalization of the previously defined forgingof corrupted TC messages a node advertises either non-existing or existing but unreachable nodes or omits advertis-ing reachable nodesThe similarity with the TC active forginglead us not detailing it hereafter
The aforementioned forge attacks (eg link or routespoofing attacks sinkhole) necessitate to tamper specificmessage fields while keeping this message syntactically cor-rect More generally bogus control messages can be forgedhence creating an implementation-dependent effect Gener-ally speaking similar tampering may be performed by anintruder that has acted as MPR prior forwarding a falsifiedcontrol message
223 Modify and Forward Attacks Modify and forwardattacks are characterized by an intermediate which capturesthe victimrsquos control message and replays modifies or dropsthis message before forwarding it In the following we depictthe two former cases ignoring the message dropping that hasbeen already described Replaying a control message includesdelaying the emission of this message by recording andforwarding it later (potentially in another area) or repeatingthis message As a consequence routing tables are updated
based on obsolete information Note that each messagecontains a field indicating the period of time during whichthis message is considered as valid and hence it is used toupdate the routing table Both attacks can be systematic (ietargeting anymultihops control traffic) or selectiveTheymayalso be performed in a distributed manner (Expression 9)with two intruders one recording the control message fromone region so as to replay it in another region (ie the oneof the colluding intruder) Without loss of generality let 119868
1
(resp 1198682) be the node that records it (resp replays it)
119878CM(119878)
119905
997888997888997888997888997888rarr 1198681 1198681
CM(119878)997888997888997888997888997888rarr
enc1198682 1198682
CM(119878)1199051015840
997888997888997888997888997888997888rarr 119884
119878 notin 119873119878119884 998810119905 le
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
dArr
119878 isin 119873119878119884
dArr
1198681 1198682isin I
(9)
In practice 1198681tunnels the control traffic by for example
encrypting the routing message andor relying on an alter-native network interface (that may be advertised or not)Then 119868
2replays it This attack leads to the creation of a
wormhole whose length depends on the distance separatingthe two intruders Note that in order to stay invisible both1198681and 1198682may keep the identification field unchanged the
source is 119878 rather than 1198681or 1198682 This possibility corresponds
to a masquerading Sequence numbers constitute a standardmechanism that provides protection against replay attacksgiven that the sequence delivery is not required by OLSRIn counterpart their usage can be hijacked so that thedestination drops the message rather than using it In prac-tice an intruder 119868 increases (a wraparound mechanism isimplemented when the sequence number reaches an extremeboundary it is reset to zero) (resp decreases) the value
of the sequence number sq (119878CM(119878)
119905sq997888997888997888997888997888997888997888rarr 119868 119868
CM(119878)1199051015840sq1015840
997888997888997888997888997888997888997888997888rarr
sq1015840 = sq) so that the destination assumes that 119878 is providingthe freshest (resp an obsolete) route and therefore ignoresthe subsequent (resp the actual) control message(s)
119878
CM(119878)119905sq
997888997888997888997888997888997888997888rarr 119868 119868
CM(119878)1199051015840sq1015840
997888997888997888997888997888997888997888997888rarr sq1015840 = sq 100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
dArr
119868 isin I
(10)
An intruder 119868 may also corrupt the routing table by mali-ciouslymodifying a received controlmessage before forward-ing it This modification consists in tampering either thecontents of themessage or the identification of its sourceTheformer case is similar to the forge attack described abovewherein the intruder tampers the MPR selector set in TCmessage theOLSR routes inHNAmessage or the interface(s)identification in MID message While in the latter case anintruder 119868 forwards the packet containing the control mes-sage without changing the source address [34] Consequently
International Journal of Distributed Sensor Networks 7
two nodes consider themselves as 1-hop neighbors whereasthey are not in the communication range of each otherAn intruder may also disrespect the flooding mechanism inOLSR This happens when the intruder retransmits a controlmessage that is received from a non-MPR selector node [32]
119868 notin MPR119878 119878
CM119905
997888997888997888rarr 119868 119868
CM1199051015840
997888997888997888997888rarr100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
dArr
119868 isin I
(11)
Overall attacks targeting OLSR protocol are classifiedinto 3 types
(i) drop attack that consists in totally or selectivelydropping the controlmessages for example droppingTC message in order to foil route calculation
(ii) active forge attack that attempts to poison OLSRrsquosfunctionalities by introducing novel deceptive controlmessage for example a hello message including anincorrect neighbor set so as to foil MPR selection
(iii) modify and forward attack lies in an intruder thatcaptures and modifies a control message before for-warding it (eg increasing the sequence number of aTC message hence the subsequent TC messages areignored)
An intruder launches the attack either in a standalonemanner or in collusion with other intruder(s) constitutingwhat so-called a Byzantine attack (eg wormhole) togetherusually coupled with masquerading Detecting these attacksis far to be a trivial task because a minor deviation on anattack makes it undetectable In addition an attack can becomposed of several subattacks In order to tackle theseissues we describemodel the attack as general as possiblehence circumventing possible deviationsWe then propose anintrusion detection system that detects composed attacks asmuch as their parties
3 Intrusion Detection
We propose a distributed log- and signature-based intrusiondetection system named IDAR In addition to providing ahigh detection accuracy IDAR aims tomaintain the availableresources in MANET For this purpose the evidences ofattack are extracted from the log and further classifiedaccording to their level of gravity Such classification helpsin planning the diagnostic and henceforth minimizing thecomputation overhead related to attack identificationDuringthe diagnostic evidences arematched to predefined intrusionsignatures The establishment of an intrusion signature andfurther the diagnostic operation are exemplified with the linkspoofing attack we purposely developed
31 Resource-Aware Evidence Gathering IDAR distinguishesitself from other IDSs by extracting the signs of attack fromthe logs instead of sniffing the traffic Thus the consumptionof energy and computational power resulting from evidence
minus600
minus400
minus200
0
200
400
600
800
0 200 400 600 800 1000Size (bytes)
Promiscuous overhearing sender and receiverPromiscuous overhearing senderPromiscuous overhearing receiverNonpromiscuous overhearing sender and receiverNonpromiscuous overhearing senderNonpromiscuous overhearing receiver
Ener
gy (u
Wlowast
s)Figure 1 Energy consumption in promiscuous and nonpromiscu-ous modes
gathering and analyzing is minimized In fact sniffing trafficnecessitates that the wireless network interface stays in modepromiscuous at all time thus the node can overhear all thepackets within its transmission range But promiscuousmodeleads to consuming more energy and hence reducing rapidlythe lifetime of the nodenetwork Indeed a nondestinationnode in the radio range of either the sender or the receiveroverhears some or all of their traffic For the IEEE 80211MAC protocol a nondestination node in discarding (ienonpromiscuous) mode can enter into a reduced energyconsumption mode and discard othersrsquo traffic [35] Suchmode requires less energy than the idle mode which is thedefault mode in ad hoc network While a nondestinationnode operating in promiscuous mode listens to all the trafficwhether or not it is the intended destination The traffic isfurther received as if it was a broadcast traffic thus additionalenergy consumption is associated with promiscuous modeoperation Figure 1 represents a part of the experimentalmeasurements realized in [19] about the energy consumptionof an IEEE 80211 2Mbps wireless card It shows the signifi-cant difference in energy consumption between promiscuousand nonpromiscuous modes Note that the consumption inthe nonpromiscuous mode is negative because it requiresless energy than the reference idle mode Besides increasingthe amount of consumed energy sniffing traffic imposes ahuge computational overhead [20] Indeed the packet-levelanalysis which is applied on the sniffed packets strainssignificantly the available resources that ismemory andCPUprocessing Moreover since all the traffic in the radio rangeis sniffed many of the analyzed packets would be redundantand add nothing to the detection In order to avoid thispermanent strain of resources IDAR does not sniff the trafficbut it rather collects periodically the local logs In particularit focuses on the portion of logs that characterizes the
8 International Journal of Distributed Sensor Networks
activities of the routing protocol (eg packet reception MPRselection) Note that additional logs for example system-security-related logs could be integrated and correlatedOnce parsed a log is used so as to detect a sign of suspiciousactivityThis consists inmatching the log against a predefinedintrusion signature An intrusion signature is thought as apartially ordered sequence of events that characterizes anintrusion Such procedure is potentially not only memorybut also bandwidth consumer Indeed it involves examininglocal logs as well as performing an in-depth diagnostic whereother nodes are requested so as to collect additional attackevidences correlate and match them against the definedintrusion signatures The in-depth diagnostic offers a globalview about the suspicious nodes and therefore it increasesthe accuracy of the detection But it is a costly operation interms of resources Thus the in-depth diagnostic must becarefully planned that is should be initiated only when asufficient degree of suspicion exists and terminated as soon asa result is obtained For this purpose we propose to classifyattack evidences so that depending on their level of gravitythe in-depth diagnostic may be performed According to ourclassification an evidence falls into one of the following fourgroups
(i) Initial-evidence group contains the evidences that leadto launch an in-depth diagnostic over the network
(ii) Suspicious-evidence group contains the evidences thatlead to identify a node as suspicious
(iii) Confirmed-evidence group contains the evidences thatconfirm the occurrence of an attack This results interminating the diagnostic and declaring the suspi-cious node as intruder
(iv) Cancel-evidence group contains the evidences thateliminate the suspicion and stop the diagnostic
These groups are populated with the evidences that areextracted from the log If an evidence belonging to the initial-evidence group is discovered then an in-depth diagnosticis launched so as to confirm (ie discovering an evidencebelonging to confirmed-evidence group) or infirm (ie dis-covering an evidence belonging to the cancel-evidence group)the intrusion both lead to the termination of the diagnosticRelying on these groups the evolution of any attack and itsrelated detection is easily followed In addition its compactform facilitates the lightweight discovering of long-termintrusions
32 Link Spoofing Attack A link spoofing attack lies infalsifying hello message(s) so as to modify the local topologyperceived by adjacent nodes This attack influences the MPRselection In particular this attack owns a global impactthe MPR position provides to the intruder the possibility toeavesdrop tamper misrelay or drop the traffic As discussedin Section 2 (and further detailed in Expression 4) anintruder realizes a link spoofing attack through one of thefollowing three cases
(1) It advertises a non-existing and symmetric nodeThus the intruder guarantees (unless another attacker
advertises the same non-existing node) being selectedas a MPR because this non-existing node is uniquelycovered by the intruder
(2) It advertises existing but nonneighboring node(s)The intruder is selected as a MPR if the advertisednode(s) is (are) not already covered by another (well-behaving or malicious) MPR
(3) It keeps under wraps neighboring and symmetricnode(s) In this case the connectivity of the intruderand consequently its chance of being selected asa MPR are both decreased Used in a standalonemanner this attack aims to decrease the connectivityof one or several nodes a complete isolation necessi-tates that no other (well-behaving) MPR covers thatnode(s)
We develop an attack (Expression 12) wherein an intruderfalsifies a hello message that contains both a non-existingnode (Case 1) and existing but non-neighboring nodes (Case2) The reason that motivates this choice is twofold First byadvertising a nonexisting node 119873 119868 ensures being selectedas a MPR by the victim 119878 (exist119873 isin 119873119878
1015840
119868ni 119873 notin N cap 119873119878
119868)
Note that with the last versions of the RFC a node (iepotentially an intruder) may dictate its selection as a MPRby advertising (in a hello message) its high willingness torelay messages Nevertheless previous versions (and theirrelated implementations) ignore this case Regardless of theversion of the protocol our intruder (as aforementionedpreviously) guarantees being selected as MPR by advertisinga nonexisting and symmetric node Second by announcingcommon neighbors with another node 119871 (Case 2) 119868 increasesthe probability that 119871 is not selected as a MPR (119868 replacing119871) and henceforth increases its proper ascendancy Note thatthe attack we developed does not consider the third casethat involves the reduction of the intruderrsquos connectivityNevertheless attack signature deals with it
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119873 isin 1198731198781015840
119868ni 119873 notinN cap 119873119878
119868
exist119871 isin MPR119878ni [119873119878
119871 119873119878119868] sube [119873119878
1015840
119868 119873119878119868]
dArr
119868 isin I 119871 notin MPR119878
exist1198681015840isin I ni 119868
1015840isin MPR
119878
Card (1198731198781015840119868 (119873119878
1015840
119868capN)) gt 0
Card ((1198731198781015840119868 119873119878119868) capN) gt 0
(12)
Herein a key challenge stems from the need to generate ahand-coded intrusion signature that models such attack andhenceforth permits to detect it
33 Signature Establishment As mentioned before a linkspoofing attack aims to inflect the MPR selection such
International Journal of Distributed Sensor Networks 9
Table 2 Evidence characterizing a link spoofing attack
Initial-evidence group1198641 AMPR is replaced by a 1-hop neighbor or by an already selected MPR1198642 AMPR behaves maliciously for example it tampers misrelays or drops the control messages
Suspicious-evidence group1198643 AMPR is the only node that provides connectivity to one (or more) 2-hops neighbor(s)
Confirmed-evidence group1198644 AMPR advertises a partial set of 1-hop neighbors1198645 AMPR advertises nonneighboring node(s) as 1-hop neighbors(s)
Cancel-evidence group1198646 AMPR is defined as an intruderwell-behaving node
selection is triggered upon a change in the symmetric 1- and2-hops neighborhood Rather than launching an in-depthdiagnostic upon every change in the 1- or 2-hops symmet-ric neighborhood we keep to a minimum the number ofthese diagnostics and henceforth the amount of consumedcomputational power and bandwidth by initiating it onlyat the occurrence of an event related to a link spoofingattack More precisely we ignore the changes in the 1-hopneighborhood (eg apparition of 1-hop neighbor) becausethey are observed by the node itself Thus they are notsubject to the remote falsification which is the cornerstoneof a link spoofing attack In contrary changes in the 2-hopsneighborhood are considered as long as they impact theMPRselection In practice the evidences that reveal a link spoofingattack (Table 2) are broken down into
(i) a MPR replacement (Evidence 1 or 1198641 for short)that results from a change in the covering of the 1-hop neighbors one (or several) 1-hop neighbor(s)(possibly the replacing MPR) increase(s) its (their)coverage to the detriment of the replaced MPR AreplacementMPR is a 1-hop neighbor that is excludedfrom the MPRs set even though it provides the sameconnectivity in both the previous and current MPRselection rounds
(ii) No MPR replacement takes place but an alreadyselected MPR is detected as misbehaving node Forinstance a misbehaving MPR may drop falsify ormisrelay the control messages (1198642) Note that anevidence of a special interest herein refers to a nodepromoting itself as a MPR without having beenselected as a MPR Amisbehaving MPR includes alsothe case wherein a MPR continually advertises thesame 2-hops neighbors set despite being no morevalid Contrary to other cases this one is not eventdriven and should be handled based on random orperiodical checks
(iii) aMPR is the only one that covers one or several nodes(1198643)
(iv) a MPR covers partially its adjacent neighbor(s) (1198644)
(v) a MPR provides connectivity to a nonneighboringnode (1198645)
The occurrence of either 1198641 or 1198642 constitutes the startingpoint of an in-depth diagnostic 1198641 and 1198642 belong to theinitial-evidence group The act of being the only MPR thatprovides the connectivity to node(s) (1198643) is suspicious butis not sufficient to launch an in-depth diagnostic becausethis situation is typical in a sparse network Furthermoretwo nodes within the covering range of each other oftenfail in communicating due to the unpredictable nature ofwireless transmission resulting from for example obstaclesand noises Thus diagnosing 1198643 is especially difficult underno specific assumption Overall the occurrence of 1198641 or 1198642and optionally1198643 leads to an in-depth diagnostic (Expression13) In practice the 1-hop neighbor(s) of the suspicious MPRare interrogated Note that part of the interrogated nodesmayexpress a different opinion that results from malicious nodeor an obsolete routing information This calls for taking intoaccount their respective reputation (as we plan in our nearfuture work)
(1198641 or 1198642)
dArr dArr
(1198644 or 1198645) optional (1198643) (1198644 and 1198645)
dArr dArr
The suspicious MPRis an intruder
The suspicious MPRis well-behaving
(13)
If the obtained answers confirm (resp infirm) that thesuspicious MPR covers partially its neighbors (1198644) andoradvertises a distant node as 1-hop neighbor (1198645) then theMPR is declared as an intruder (resp well-behaving) andthe diagnostic is terminated (1198646) Obviously the cooperationbetween the nodes constitutes a cornerstone in our in-depthdiagnostic
34 Cooperative Diagnostic The in-depth diagnostic of a linkspoofing attack consists in verifying the existence of a sym-metric and neighboring relationship between a suspiciousMPR and its advertised 1-hop neighbors (Algorithm 1) Moreprecisely this diagnostic follows the following steps Firstthe MPRs that have been replaced by other MPR or 1-hopneighbor are identified (lines 1-2) because such replacementrepresents the initial evidence of a link spoofing attack (1198641in Table 2) For this purpose the function GetReplaced-Mpris called (Line 1) It establishes the MPRs that have been
10 International Journal of Distributed Sensor Networks
(1) OldMprs = GetReplaced-Mpr()(2) SuspiciousMprs = GetReplacing-Mpr()(3) for (suspicious isin SuspiciousMprs) do(4) InterrogatedNodes = GetCommon2HopsNeighors
(suspicious OldMprs)(5) for (2HopsNeighbor isin InterrogatedNodes) do(6) if (LinkExistence (2HopsNeighbor suspicious) ==
false) then(7) Generate-Alarm (suspicious)(8) end if(9) end for(10) Cancel-Suspicious (suspicious)(11) end for
Algorithm 1 In-depth diagnostic
replaced by comparing the currentMPRs and the penultimateMPRs Then the MPRs sharing 1-hop neighbor(s) with areplaced MPR are identified (function GetReplacing-MPRline 2) Those identified MPRs are tagged as suspicious andare subject to further analysis (lines 3ndash11) the objective is toverify whether some spoofed links have been advertised soas to replace the MPR It follows that the 1-hop neighborsthat are common to a replaced MPR and a suspicious oneare determined (GetCommon2HopsNeighors function line 4)Note that these 1-hop neighbors also correspond to the 2-hops neighbors of the node launching the diagnostic Theyare interrogated (LinkExistence function) so as to verify theexistence of links The interrogation of a 2-hops neighbordenoted by 119860119894 consists in sending a request to 119860119894 asking ifthis latter considers the suspicious MPR as a 1-hop neighborat a specific time 119905 Whenever possible this request is sentwithout going through both the suspicious MPR 119868 or anycolluding intruder 1198681015840 This eluding is necessary in order toprevent 119868 and 1198681015840 from dropping the request andor forging adeceptive answerTherefore the 1-hop neighbor(s) (primarilythe MPR(s)) that covers the interrogated 2-hops neighbors isprovided with the request Note that the suspecting node 119878 isaware of is provided with the connectivity between the nodesthat form its two-hops neighbors Thus 119878may select the one(if existing) that covers 119860119894 If no answer is obtained (iethe related time-out elapses) then the request is sequentiallytransferred through the rest of the covering 1-hop neighbors(keeping in mind that as aforementioned MPRs are pri-marily selected) However when no neighbor is left then an(multihops) alternative path is researched in the routing tableto reach 119860119894 Note that the verification related to a suspiciousMPR is performed within an independent thread hencethe diagnostic of one node (and the result waiting) is not ablocking to others If 119860119894 denies being a 1-hop neighbor of thesuspicious MPR then a countermeasure is triggered Moreprecisely an alarm that establishes the detected attacker(s)is broadcasted (Generate-Alarm function line 7) Otherwiseif no deny takes place the suspicious MPR is no longersuspected (Cancel-Suspicious function line 10) In both casesthe diagnostic terminates Note that if no answer is provided(the inconsistent answers lead also to a claim in the degree
of suspicion However this case is not included in this paperbut it is handled in our other works) then the suspiciousMPR is tagged as not verified and the degree of suspicionin this latter goes up It is worth mentioning that the currentimplementation of IDAR considers the link spoofing attackHowever considering other attacks is not complicated andrequires only specifying the evidences to be searched in thelogs and the information to be exchanged between the nodesduring the in-depth diagnostic
4 Architecture and Performance Evaluation
In this section we introduce the key architectural compo-nents of IDAR (Section 41) Then we present the evaluationof IDAR performance (Section 42) and further discuss theobtained result (Section 43)
41 IDAR Architecture In order to cope with the dynamicnature ofMANET IDAR is both distributed and cooperativeThe proposed architecture (Figure 2) requires that everydevice participates in the detection (The delegation of somedetection operations (eg logs analyzing) may be sharedamong devices But it will not be necessarily less expensive interms of resources consumption)More precisely each devicecontains an instance of IDAR which independently detectsthe signs of suspicion and cooperates with other instancesso as to conduct the diagnostic in a broader range IDAR isimplemented in Perl (httpwwwperlorg) and conceptuallystructured into 4 components
(i) Coordinator that orchestrates all the components Assuch it constitutes the hearth of IDAR In prac-tice it parses dynamically the OLSR logs so as toextract signs of suspicion and match these latteragainst predefined intrusion signaturesThe intrusionsignatures are represented as conditional rules (ifcondition then state) Furthermore it triggers thecommunication and the alarm notification in orderto launch advanced diagnostic
(ii) Communication manager that gathers informationabout for example the adjacent links as requiredby the diagnostic manager Meanwhile it answersthe diagnostic requests This component runs into aseparated thread so that other IDAR operations arenot blocked
(iii) Knowledge database includes the information thatis extirpated from the logs and is provided by thecommunication manager This database is realized inMysql (httpwwwmysqlcom) Stored informationencompasses for example the 1-hop and 2-hopsneighbors and the MPRs
(iv) Alarm notifier is responsible for alarming the networkwhen an intrusion is detected Note that we areplanning to include more countermeasures in thefuture for example eliminating the routes containingan intruder
International Journal of Distributed Sensor Networks 11
SignatureKnowledge
database
Coordinator
Communicationmanager Alarm notifier
Update
Feedback
Diagnostic requestDiagnostic answer
IDAR instance
Routing log
IDAR instanceDiagnostic requestanswer
Routing log
Feed back
Figure 2 IDAR architecture
All the above components have been developed so as tosupport intrusion detection offering a high rate of detectionalong with conserving the resources
42 Performance Evaluation In order to evaluate the perfor-mance of IDAR a mobile ad hoc network has been simulatedusing the network simulator NS3 (httpwwwnsnamorg)[36] Each node in the simulated network is furthercoupled with a Linux Container (LXC) virtual machine(httplxcsourceforgenet) [37] The reason that motivatesthis coupling is twofold First NS3 offers the possibilityto simulate a large-scale mobile ad hoc network SecondLXC an operating-system-level virtualization tool permitsto run multiple isolated machines (also called containers)on a single modified hosting kernel (up to 1024 contain-ers over a single hosting kernel) Each container owns itsproper resources (eg process tree network interface andIP address) Thus the resource consumption (eg memoryusage) can be isolated and measured In practice an instanceof IDAR is installed on each container that appears asa standaloneseparated machine Figure 3 exemplifies thecoupling between nodes in NS3 and LXC containers Fromthe IDAR perspective (as well as from any applicationinstalled on the container) the emission and reception ofpackets is done through the network interface (eth0) Whilethe container contains a simulated ethernet card (V119890119905ℎ)which is connected through an ethernet bridge towards akernel tap device (tap) Note that for each container-nodecoupling new tap and ethernet bridge should be definedin the hosting kernel The ethernet bridge implements theforwarding of link-level framesThe interface 119905119886119901119877119900119906119905119890119903 [38]is implemented in NS3 and is used to exchange packetsbetween the 119905119886119901 device and the WiFi device which enablesNS3 nodes to communicate over a IEEE 80211- and OLSR-enabled MANET Overall the outgoing packets from eth0in the container are delivered to the WiFi device at thecorresponding node in the simulated network and vice versaSimulation is carried using the aforementioned platform
wherein the hosting device is equipped with 32GB of mem-ory and 2 Intel(R) Xeon(R) (6) Core 240GHz CPUsContainers hold a Fedora 12 operating system We considera MANET (Table 3) constituted of 119873 = 30 nodes split into25 well-behaving nodes and 5 intruders While most of otherIDSs are evaluated against one intruder we show that IDARcan handle several intruders in the same time Intruderslaunch repeatedly the implemented link spoofing attack (asdescribed in Expression 12) In our experiments the numberof successful intrusions varies between 15 and 33 accordingto the parameters of simulation scenario (as described inExpression 12) Nodes communicate via IEEE 80211a andare characterized by a transmission range 119879
119909of 90m They
randomly move following the so-called RandomWalk2d [39]mobility pattern provided by NS3 each node moves accord-ing to a randomly chosen direction at a given speed that isthe same for all the nodes When a node hits the networkboundaries (unless specified the network area is defined bya squared area of 119878 = 310 times 310m2) it rebounds followinga reflexive angle Data traffic is further modeled using theV4PingHelper application in NS3 each node exchanges 56-byte ICMP (httpwwwietforgrfcrfc792txt) echo requeststo one another and waits for 1 s before sending it again Weuse OLSR as the underlying routing protocol preserving theconfiguration parameters promoted in the RFC 3626 (eghello message interval is 2 s)
For each experimental scenario the simulation islaunched 5 times each one lasts for 140 s We compare thelaunched attacks with the detected ones and present theaverage of results We aim at evaluating the performance ofIDAR in terms of
(i) intrusion detection rate that reflects the capacity ofdetecting successful intrusions (a successful intrusioncauses the replacement of a legitimate MPR of thevictim by an intruder)
(ii) false positive rate that measures how many times alegitimate node is wrongly designated as an intruder
12 International Journal of Distributed Sensor Networks
Table 3 Simulation parameters
Simulation platformSimulator NS3 + LXC virtual machinesContainer operating system Fedora 12Hosting device memory 32GBHosting device CPU 2 Intel(R) Xeon(R) (6) Core 240GHz
Simulated MANETNumber of mobile nodes 30Number of intruders 5Topology 310 times 310m2
Transmission range 90mMaximum bandwidth 1MbpsTraffic V4PingHelper 56 bytes Icmp packetsMobility model RandomWalk2dMaximum speed 8ms (or 288 kmh)Simulation time 140 s
tapRouterWiFi devicewith OLSR
LXC
cont
aine
r
Ethernet bridge
Tap
LXC
cont
aine
r
veth
Ethernet bridge
Tap
tapRouterWiFi devicewith OLSR
veth
Nod
e 1
Nod
e 119899
NS3
IDAR1 IDAR119899
eth0 eth0
Figure 3 Experiment platform
(iii) detection overhead which represents the additionalnetwork traffic that is generated because of IDARNote that further benchmarks are also provided interms of memory usage
Based on those performance indicators IDAR is furtherevaluated with regard to the network density (Section 421)and node mobility (Section 422)
421 Network Density In order to evaluate the scalingproperties of IDAR we vary the density of the networkThe density of the network corresponds to the averagenumber of neighbors which is defined as in [40] by (119873 times
120587 times 1198792
119909)119878 We selected an interval of density that ranges
from 6 up to 16 neighbors which includes the intruderthe victim and the remaining neighbors Figure 4(a) showsthat the detection rate keeps higher than 80 regardless ofthe network density This demonstrates the relatively limitedimpact of the network density on IDAR performance More
precisely the intrusion detection rate slightly rises from935up to itsmaximum 963when the density varies from6 up to 8 neighbors the greater is the number of neighborsthe higher is the visibility of the attackThen a slow diminishis observed dense networks (with a density exceeding 8) arecharacterised by a high collision rate that causes a declinein the detection rate Similarly Figure 4(b) highlights thatthe average percentage of false positives is neglectful (under59) The analysis of several cases of false positive leads usto find that a false positive occurs when two nodes own adifferent live-times for the bidirectional link that connectsthese later consequently one of the two nodes still confirmsthe existence of this link while the other one denies it Tooverride this problem the period during which those linksare considered valid should be amplified as in [41] Figure 4(c)presents the average memory usage caused by IDAR Thisusage gently fluctuates between 176MB and 222MB It is alsoworthy of mention that contrary to OLSR our system doesnot assign additional functionality toMPR (detectionmay belaunched by one another) IDAR provides an homogeneousload balancing among the nodes As illustrated in Figure 4(d)the traffic caused by IDAR is very low (under 05 for anetwork density inferior to 8) It then slowly rises to reach13 when the network density is 16 In order to understandthe slight fall when the density reaches 14 we compare theaverage number of suspicious cases with regard to a varyingdensityThis average was 708 (resp 658) with density equalsto 12 (resp 14) Consequently the number of diagnostic-related packets is smaller at a density of 14 than at a densityof 12
422 Mobility In order to isolate the influence of themobility the network density is set to 8 The detection ratefalls when the speed increases (Figure 5(a))This results fromthe ever changing topology that results in increasing thenumber of broken links and the related drops of diagnostic-related packetsHowever IDAR still provides a high detectionrate for example the average of detection rate is 707
International Journal of Distributed Sensor Networks 13
0
20
40
60
80
100
6 8 10 12 14 16
Det
ecte
d in
trus
ions
()
Density
Average detection
(a)
0
10
20
30
40
50
6 8 10 12 14 16
False
pos
itive
()
Density
Average of false positives
(b)
0
10
20
30
40
50
6 8 10 12 14 16
Mem
ory
usag
e (M
B)
Density
(c)
025 05
1
5
20
50 100
6 8 10 12 14 16Density
IDA
R ve
rsus
OLS
R tr
affic (
)
(d)
Figure 4 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network density
with a moving speed equals to 8ms (ie around 287
kilometershour equivalent to 1789mileshour) Figure 5(b)shows that the higher is the moving speed the greater it getsfalse positives mainly because of out of date feedback Infact when a node moves away some of its 1-hop neighborsare no longer neighbors but are still announced as suchand are considered as potential attackers A higher increaseof the false positive rate is observed when the node speedranges from 4ms up to 6ms because the instable nodecovering is given its transmission range which leads to anincreased update of its 1-hop neighbors The memory usage(Figure 5(c)) rises staidly from 176MB to 265MB whichis reasonable even for resource-limited devices The impactof the mobility on the bandwidth is shown in Figure 5(d)The IDAR traffic comparing to the OLSR traffic significantlygrows from 036 up to 31 for a speed ranging from 0msup to 2ms Then the bandwidth usage gradually growsand reaches almost 6 when the moving speed is equalto 8ms This is motivated by the fact that increasing thenumber of verified links leads to exchange more diagnostic-related messages in the network In order to understandthe reason behind such variable growth of IDAR trafficwe counted the number of the verified suspicious neighbor
links We found that the average number of the verified linkssignificantly grows from 452 to 2014 when the velocity risesfrom 0ms to 2ms This average then gradually grows andtakes the values 2408 3314 and 406 when the velocityequals to 4ms 6ms and 8ms respectively The limitednumber of the suspicious neighbor links when the nodesare static is justified by the fact that the attacker has alimited choice to falsify its neighbors links Instead when thevelocity is greater than 2ms there is a continuous changein the neighborhood and the attackers can attack more(diversified) targets Meanwhile the continuously changingtopology implies an increased number of investigations
43 Performance Discussion It is clear that the density of thenetwork holds less influence than the mobility on our IDSMore mobility in MANET causes more dropped diagnosticpackets and hence less diagnostic is concluded with a finalresult that is confirming or refuting the suspiciousnessHowever comparing the launched attacks to the discov-ered suspicious events shows that the majority of attacksare tagged as suspicious events and considered for furtherdiagnostic Note that the mobility has a negative influence
14 International Journal of Distributed Sensor Networks
0
20
40
60
80
100
0 2 4 6 8
Det
ecte
d in
trus
ions
()
Velocity (ms)
Average detection
(a)
0
10
20
30
40
50
0 2 4 6 8
False
pos
itive
()
Velocity (ms)
Average of false positives
(b)
0
10
20
30
40
50
0 2 4 6 8
Mem
ory
usag
e (M
B)
Velocity (ms)
(c)
025 05
1
5
20
50 100
0 2 4 6 8
IDA
R ve
rsus
OLS
R tr
affic (
)
Velocity (ms)
(d)
Figure 5 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network mobility
on all the IDSs especially the cooperative ones where thereis an exchange of evidencesalerts Table 4 provides a shortperformance comparing between IDAR and other knownIDSs that are dedicated to ad hoc routing protocol Likethe majority of these IDSs the performance of our systemis challenged against a specific attack link spoofing attackin a simulated MANET (According to [42] around 75of mobile ad hoc published papers use simulation for testissues) Two evaluation factors are common to almost all thelisted IDSs the detection ratecapacity and the positive falserate Even though it was challenged in a MANET whereinthe intruders constitute 166 (Note that this percent is the3rd highest registered percent) of the nodes IDAR providesone of the highest detection rate Regarding the positivefalse rate we can notice that several IDSs especially thosethat are dedicated to DSR protocol show better results thanour system However this latter still generates a limitednumber of false positives It is also possible to reduce thefalse positives rate by amplifying the TTL (Time To Live)parameter of a bidirectional link so as to reduce the impactof obsolete neighborhood-related information during thedetection Recall that most of the generated false positives inIDAR are generated because of the difference in the time-live
of a bidirectional link between the two ends of this link Insuch case this link will be expired in one end while the otherend will keep confirming its existence It is worthmentioningthat except our system the listed IDSs that aim to detect theattacks targeting OLSR protocol do not present neither thedetection rate nor the false positives rate But they merelyprove the capacity of detecting the addressed attack(s) Inaddition IDAR is one of the rare IDSs that are evaluated interms of resources consumption Indeed we measure boththe increment inmemory usage and traffic overhead resultingfrom detection operations IDAR triggers a small incrementin the devicesrsquomemory usage (between 176MBand 265MB)Therefore it can be tolerated by the resource-limited devicesIt further triggers the lowest traffic overhead compared to thelisted IDSs IDAR presents a good scalability and offers a highdetection rate even in the high density networks where a largeamount of routing traffic should be monitored (Figure 4(a))This scalability is reinforced by (i) the limited traffic overhead(ii) the use of routing logs so as to extract the evidencesinstead of sniffing the traffic (iii) the distributed nature ofdetection such that each node is responsible for detecting theattacks targeting it and (iv) the unnecessity of modifying theused routing protocol
International Journal of Distributed Sensor Networks 15
5 Related Work
Systems that detect intrusion targeting ad hoc routing proto-col are extremely diverse in the way they analyze intrusionThey fall into the three key categories
(i) Anomaly detection system defines the correct behav-ior of the nodenetwork so as to detect deviations tothis behavior This correct behavior is automaticallybuilt during an attackless training phase The detec-tion accuracy depends on the ability to (i) describethe correct behavior and (ii) distinguish betweenanomalous and unexpected behaviors
(ii) Specification-based detection system hand-codes thelegitimate functionoperation and then searches for aviolation to this operation
(iii) Signature-based detection system first describes theway an intruder penetrates the system by defining anintrusion signature Then any behavior that is closeto this predefined signature is flagged as intrusion
Hereafter we detail examples of each of these categoriesAnomaly-based detection constitutes the main approachused to detect attacks The IDS proposed by Zhang et al[7] constitutes a de facto standard in MANET It aims atdetecting the attempts to falsify the routes provided by theAODV [61] DSR [62] and DSDV [63] routing protocolsDuring the training phase the impact of movement on thepercentage of changes in the routing table is analyzed Notethat this movement (ie velocity direction and position)is provided by a Global Positioning System (GPS) Thenduring the operation phase an actual percentage of changesdiffering from the predicted one is defined as anomaly Inpractice the distinguishing between anomalous and normalbehaviors is provided by the Support Vector Machine (SVM)Light [64] classifier or by RIPPER [15] a rule-based engineThe hierarchical IDS proposed in [47] detects blackhole androuting request flooding attacks targeting AODV protocolHere MANET is arranged into clusters whereas the nodewith the highest residual energy and number of connectionsis elected as a cluster-head Each cluster-head monitors thetraffic inside its cluster so as to identify the abnormal valuesof (i) the percentage of changes in the routing table and (ii)the propagation of routingdata packets Such abnormalitiesare identified thanks to (1-SVM) classifier [65] a deviationof SVM that needs to be trained with either normal orabnormal scenario but not both of them In [48] (resp [66])a blackhole (and resp dropping) attack targeting AODVprotocol (resp a secured version of AODV protocol includ-ing authentication and reputation estimation) are detectedby investigating features for example the number of routerequests and route replies as well as the average difference ofsequence numbers (Largely increased sequence numbers areknown as a sign of blackhole attack) Then simple anomalydetection is applied if the distance between the actuallyobserved features and the average ones that are recorded dur-ing the training exceeds a given threshold then an intrusionis detected More sophisticated cross-features analysis (CFA)[67] is applied to detect both blackhole and packet drop-ping on AODV and DSR protocols Features including for
example the reachability between 2 nodes and the numberof delivered packets are analyzed within time windows Thisanalysis attempts to quantify the relation existing betweenone feature 119891
119894and the others 119891
1 119891
119894minus1 119891119894+1 119891
119896(with
119896 + 1 defining the number of features analyzed) During theoperation phase the probability of matching between theobserved feature 1198911015840
119894and the predicted feature 119891
119894 which is
established based on 11989110158401 119891
1015840
119894minus1 1198911015840
119894+1 119891
1015840
119896 is calculated by
a decision tree classifier named C45 [68] An anomaly refersto an average of matching probability fewer than a giventhreshold CFA and C45 are also used in [69] with traffic-related features (eg number of receivedtransferred packets)and OLSR- or AODV-related features (eg MPR updates forthe former and route discovery for the latter) A modifiedMarkov chain-based IDS is proposed in [58] so as to detectroute disruption attack targeting DSR protocol Here thedetection depends on identifying unpredicted value of twofeatures the percentage of changes in the number of routesand the percentage of changes in the number of hops Inpractice a Markov chain is based on the immediate previous119899 consecutive values of a feature as to predict the (119899 + 1)thvalue If the difference between a predicted and an observedvalue exceeds a given threshold an intrusion is concluded
Rather than establishing automatically a correct behaviorspecification-based detection system hand-codes the correctbehavior of the routing protocols based on the protocol spec-ification (IETF draft or RFC) Then the system attempts todetect a violation of constraints circumventing this behaviorFour key constraints define the correct behavior of OLSR([14 70])
(1) Neighbor relationmust be reciprocal (ie 2 neighborsmust hear the hello message sent by each other)
(2) TheMPRs and the nodes that select theMPR (ie theMPR selectors) must be adjacent
(3) A node that finds itself advertised as a MPR selectorin a TCmessage must be adjacent to the originator ofthis message
(4) Nodes receive TC messages without modificationsfromMPR(s)
Each node sniffs the traffic in its radio range so as todiscover the violations of any of the above constraints Theseconstraints are modeled by semantic properties in [70] (resprules in [14]) so as to detect link spoofing attack on TC(and resp hello messages) both experiment an ability todetect a link spoofing by observing a violation of the thirdcondition over a simulated network composed of 11 nodesFinite-state machines are used to describe similar constraintson OLSR [41] and the behavior of AODV protocol [52 71]In [41] a centralized detection of link spoofing man-in-the-middle and deny of service attack is performed While in[52 71] incorrect hop countssequence numbers are analyzedby distributed sensors which sniff and group the packets perrequest-reply flow so as to estimate the forwarding path perflow If a route requestreply is illegallymodified or forwardedvia a nonexpected path then an alarm is triggered In [60]similar FSMs are used to define constraints on both the routediscovery in AODV and the packet forwarding operations
16 International Journal of Distributed Sensor Networks
Table4Com
parin
gID
ARperfo
rmance
with
otherIDSs
IDS
Routing
protocol
Num
bero
fno
des
Intrud
ers
()
Moving
speed
Detectio
nrate
False
positives
rate
Increm
entinmem
ory
usage
Increm
entintraffi
coverhead
IDAR
OlSR
30166
0ndash8m
s707ndash963
0ndash132
176ndash
265MB
478ndash6215KB
(036
ndash597
ofOlSRtraffi
c)
[43]
OlSR
303366
10
mdashmdash
mdashmdash
6ndash12
ofOlSR
traffi
c[41]
OlSR
1010
0ms
Detectio
nispo
ssible
mdashmdash
mdash[44]
OlSR
7143
0ms
Detectio
nispo
ssible
mdashmdash
mdash[45]
OlSR
520
0ms
Detectio
nispo
ssible
mdashmdash
mdash[14
]OlSR
119
0ms
Detectio
nispo
ssible
mdashmdash
mdash[46]
AODV
3033
0ndash5m
s3067ndash90
0ndash20
mdashmdash
[47]
AODV
502
0ndash20
ms
90
5
mdashmdash
[48]
AODV
3033
1ndash20
ms
70ndash82
12ndash18
mdashmdash
[49]
AODV
2050
10
1ndash10ms
964ndash9
87
079ndash093
mdash900k
B
[50]
AODV
5238
0ndash20
ms
(Fixed
IDSs)
100
0ndash0
6
mdashmdash
[51]
AODV
521
20238
0ndash10ms
50ndash100
0ndash30
mdashmdash
[52]
AODV
30mdash
0ndash20
ms
70ndash100
05
ndash15
mdashmdash
[53]
AODV
50Ra
ndom
0ndash20
ms
79plusmn10ndash92plusmn3
5plusmn1ndash32plusmn8
mdashmdash
[54]
AODV
102050
mdash0ndash
10ms
0ndash100
0ndash≫100
02ndash06
mdash[55]
AODV
20ndash200
mdash0ndash
20ms
30ndash9
50ndash16
mdashmdash
[56]
AODV
50mdash
1ndash20
ms
998ndash100
083ndash846
mdashmdash
[7]
AODV
mdashmdash
mdash8848plusmn414ndash971plusmn032
145plusmn072ndash202plusmn627
mdashmdash
DSD
Vmdash
mdashmdash
8523plusmn328ndash9061plusmn299
537plusmn310ndash263plusmn549
mdashmdash
DSR
mdashmdash
mdash852plusmn238ndash991plusmn037
003plusmn004ndash153plusmn408
mdashmdash
[57]
DSR
5040
0ndash20
ms
mdashmdash
mdash11ndash313
of
data
traffi
c[58]
DSR
3033
3ndash5m
s60ndash100
25
ndash50
mdashmdash
[59]
DSR
30mdash
mdash75
12
mdashmdash
[60]
DSR
502
0ndash20
ms
837ndash9
74
13ndash72
mdashmdash
International Journal of Distributed Sensor Networks 17
A signature-based system distinguishes itself by model-ing the misbehavior (rather than the correct behavior) soas to identify if a sequence of observed events matchingan intrusion signature AODVSTAT [54] uses state-basedsignatures in order to detect dropping and spoofing attacksalong with network flooding Few sensors sniff the traffic andmatch it against predefined signatures They also exchangeperiodically MAC and IP addresses so as to detect an identityspoofing which is characterized by a node emitting a packetidentified by MAC and IP addresses differing from thoseregistered for this node A dropping attack refers to a nodethat fails to replay route requestreply Finally a node sendinga number of packets exceeding a given threshold is identifiedas willing to exhaust resources In [45] intrusion signaturesare specified in opposition to the legitimate behavior of OLSRdepicted in conjunction with specification rules similar tothose defined in [70] In particular a node 119873 mistrusts twoneighbors 119871 and 119872 that conform to the following rules119872 advertises 119871 as a neighbor while 119871 does not advertise119872 as a neighbor (or reciprocally) both 119871 and 119872 send TCmessages while 119871rsquos neighbors are a subset of 119872rsquos neighbors(or reciprocally) In addition 119873 mistrusts 119872 if 119873 which isnot a neighbor of 119872 finds itself as a MPR selector in a TCof 119873 (constraint 3) In [44] a FSM is employed to modelthe signature of hello message fabrication in OLSR protocolin an agent-based IDS In practice each node uses a SimpleNetworkManagement Protocol (SNMP) agent so as to collectaudit data from the Management Information Base (MIB)After that events are extracted from the collected audit dataand are matched to the attack signatureThe addressed attackaims at breaking the link between a victim node and itsneighbors and thus a DoS takes place To that end theattacker impersonates the identity of the victim and sends afake hello message advertising one of the victim symmetricneighbors with lost link status Upon receiving the fabricatedmessage the neighbor changes the status of its link withthe victim to ldquoheardrdquo and stops routing packets through thevictim
51 Synthesis and Discussion A great majority of the litera-ture is focused on anomaly detectionwhile scarce effort inves-tigates specification- and signature-based intrusion Thisnaturally calls for consolidating the effort on specification-and signature-based detection while following the habitus ofwired network which consists in coupling these detectionsystems with one another for example in [72] wherein acombination of anomaly- and signature-based detection isrealized so as to increase the detection rate Almost all ofthe IDS focuses only on the detection accuracy that isproviding a high detection rate along with limited falsealarms However they do not consider the criticality ofmaintaining the resources and henceforth extending thelifetime of the nodenetwork Our IDS takes into account thenecessity of reducing to minimum both the communicationand computation overload related to intrusion identificationThe absolute majority of the IDSs is simulated (including thesystem we are proposing) rather than being either developedor experimented on testbeds or relying on empirical data
The reason that explains this situation is twofold Firstthe deployment of critical MANET is limitednot adver-tised Second to the best of our knowledge experiences ofintrusion in MANETs are not reported intrusions are infact developedsimulated as proofs of concept Neverthelessnot only routing protocols but also the characterization ofthe intrusion together leverage on the experience gained indesigning routing protocols for wired networks and deal-ing with related misbehaviors In particular the similarityexisting between the OSPF and OLSR protocols implies thatmany threats (eg sequence numbers identity spoofing) areshared In other words intrusion may be inspired from theone targeting wired networks Meanwhile the developmentof intrusion detection and the envisioning of attacks areaccelerated
6 Conclusion
We survey and classify the attacks that target ad hoc routingprotocols focusing on theOLSRprotocol In order to facilitatethe definition of intrusion signatures we extend a descriptionmodelmdashan attack is expressed as the preconditions andthe resulting consequencesmdashand enrich it with temporalannotations Once hand-coded these signatures are utilizedby IDAR a log-based distributed intrusion detection systemdedicated to operate in mobile ad hoc networks IDARdistinguishes itself by analyzing the logs generated by arouting protocol and extracts intrusion evidences so as tocompare these latter against predefined intrusion signaturesFor this purpose evidences are categorized into four groupsaccording to their degree of suspiciongravity and hence totheir ability to activatedeactivate the diagnostic We furtherdevelop a link spoofing attack on the OLSR protocol buildthe related detection rules and evaluate the performancesof IDAR relying on the NS3 simulator coupled with LXCvirtual machines Overall the experiments figure out ahigh rate of intrusion detection and low false positivesrate even under increased mobility and density Meanwhileresource consumption and network overhead result from thediagnostic are low and adapted to the resource-constraineddevices Note that ongoing effort is provided as to evaluateIDAR in a real MANET consisting of resource-constraineddevices Still detecting intrusion is not a trivial task due tothe large number of evidences to tackle and the resource-consuming diagnostic A compromise between detectionaccuracy and resource consumption could be found For thispurpose we are working on a new statistical mechanism forgathering the evidences This mechanism aims at enhancingthe scalability of our system by restricting the interrogationto a limited subset of nodes during the diagnostic Moreoveruntil now we assume that honest parties are passive theyalarm others but do not react We are considering thecoupling with countermeasures (eg blacklisting) and theexploring of lightweight binary consensus and trust estab-lishment among the nodes that participate in the intrusiondetection
18 International Journal of Distributed Sensor Networks
References
[1] Z Zhao H Hu G Ahn and R Wu ldquoRisk-aware mitigation formanet routing attacksrdquo IEEE Transactions on Dependable andSecure Computing vol 9 no 2 pp 250ndash260 2012
[2] B Sun L Osborne Y Xiao and S Guizani ldquoIntrusion detectiontechniques in mobile ad hoc and wireless sensor networksrdquoIEEE Wireless Communications vol 14 no 5 pp 56ndash63 2007
[3] S Sesay Z Yang and J He ldquoA survey onmobile ad hoc wirelessnetworkrdquo Information Technology Journal vol 3 no 2 pp 168ndash175 2004
[4] P Brutch and C Ko ldquoChallenges in intrusion detection forwireless ad-hoc networksrdquo in Proceedings of the Symposium onApplications and the Internet Workshops (SAINT rsquo03) pp 368ndash373 2003
[5] S Khan N Alrajeh and K Loo ldquoSecure route selection inwireless mesh networksrdquo Computer Networks vol 56 no 2 pp491ndash503 2012
[6] S Corson and J Macker ldquoMobile ad hoc networking (manet)routing protocol performance issues and evaluation considera-tionsrdquo IETF RFC2501 1999
[7] Y Zhang W Lee and Y Huang ldquoIntrusion detection tech-niques for mobile wireless networksrdquoWireless Networks vol 9no 5 pp 545ndash556 2003
[8] B C Cheng and R Y Tseng ldquoA context adaptive intrusiondetection system for MANETrdquo Computer Communications vol34 no 3 pp 310ndash318 2011
[9] T Eissa S A Razak and M D A Ngadi ldquoTowards providinga new lightweight authentication and encryption scheme forMANETrdquoWireless Networks vol 17 no 4 pp 833ndash842 2011
[10] A Irshad W Noshairwan M Shafiq S Khurram E Irshadand M Usman ldquoSecurity enhancement for authentication ofnodes in MANET by checking the CRL status of serversrdquoCommunications in Computer and Information Science vol 78pp 86ndash95 2010
[11] D E Denning ldquoAn intrusion-detection modelrdquo IEEE Transac-tions on Software Engineering vol 13 no 2 pp 222ndash232 1987
[12] T Clausen and P Jacquet ldquoOptimized link state routing proto-col (OLSR)rdquo IETF Experimental RFC 3626 2003
[13] P Albers O Camp J Percher et al ldquoSecurity in ad hoc networksa general intrusion detection architecture enhancing trust basedapproachesrdquo 2002
[14] F Cuppens N Cuppens-Boulahia S Nuon and T RamardldquoProperty based intrusion detection to secure OLSRrdquo in Pro-ceedings of the 3rd International Conference on Wireless andMobile Communications (ICWMC rsquo07) Guadeloupe FranceMarch 2007
[15] W Cohen ldquoFast effective rule inductionrdquo in Proceedings of theInternational Conference onMachine Learning (ICML rsquo95) 1995
[16] S Sarafijanovic and J-Y le Boudec ldquoAn artificial immunesystem for misbehavior detection in mobile ad-hoc networkswith virtual thymus clustering danger signal and memorydetectorsrdquo in Proceedings of the 3rd International Conference onArtificial Immune Systems (ICARIS rsquo04) 2004
[17] S Sen and J Clark Intrusion Detection in Mobile Ad HocNetworks in Guide to Wireless Ad Hoc Networks SpringerLondon UK 2009
[18] D Subhadrabandhu S Sarkar and F Anjum ldquoA Framework formisuse detection in ad hoc networksmdashpart IIrdquo IEEE Journal onSelected Areas in Communications vol 24 no 2 pp 290ndash3032006
[19] L M Feeney and M Nilsson ldquoInvestigating the energyconsumption of a wireless network interface in an ad hocnetworking environmentrdquo in Proceedings of the 20th AnnualJoint Conference of the IEEE Computer and CommunicationsSocieties pp 1548ndash1557 April 2001
[20] A P Lauf R A Peters and W H Robinson ldquoA distributedintrusion detection system for resource-constrained devices inad-hoc networksrdquo Ad Hoc Networks vol 8 no 3 pp 253ndash2662010
[21] N A Alrajeh S Khan J Lloret and J Loo ldquoSecure routingprotocol using cross-layer design and energy harvesting inwireless sensor networksrdquo International Journal of DistributedSensor Networks vol 2013 Article ID 374796 11 pages 2013
[22] S Sen J Clark and J Tapiador Security Threats in MobileAd Hoc Networks I S of Self-Organizing Networks AuerbachPublications 2010
[23] P Ning and K Sun ldquoHow to misuse AODV a case study ofinsider attacks againstmobile ad-hoc routing protocolsrdquoAdHocNetworks vol 3 no 6 pp 795ndash819 2005
[24] T Clausen C Dearlove P Jacquet and U Herberg ldquoTheoptimized link state routing protocol version 2rdquo IETF ActiveInternet-Draft Draft-Ietf-Manet-Olsrv2-15 2012
[25] U Herberg and T Clausen ldquoSecurity issues in the optimizedlink state routing protocol version 2 (olsrv2)rdquo InternationalJournal of Network Security amp Its Applications vol 2 no 2 2010
[26] YOwada TMaenoH Imai andKMase ldquoOLSRv2 implemen-tation and performance evaluation with link layer feedbackrdquo inProceedings of the International Wireless Communications andMobile Computing Conference (IWCMC rsquo07) pp 67ndash72 Newyork NY USA August 2007
[27] F Hong L Hong and C Fu ldquoSecure OLSRrdquo in Proceedingsof the 19th International Conference on Advanced InformationNetworking and Applications (AINA rsquo05) pp 713ndash718 March2005
[28] LNAMHegland P Spilling andQKure ldquoHybrid protectionof olsrrdquo in Electronic Notes in Theoretical Computer Science2006
[29] P Kunwar S Sofat and D Bansal ldquoComparison of secure olsrrouting protocolrdquo International Journal of Engineering Sciencevol 3 no 6 p 5049 2011
[30] A Adnane C Bidan and R T de Sousa Junior ldquoTrust-basedcountermeasures for securing OLSR protocolrdquo in Proceedingsof the 7th IEEEIFIP International Conference on Embedded andUbiquitous Computing (EUC rsquo09) pp 745ndash752 August 2009
[31] B Wu J Chen J Chen J Wu and M Cardei ldquoA survey ofattacks and countermeasures in mobile ad hoc networksrdquo inWireless Network Security Springer New York NY USA 2007
[32] C Adjih D Raffo and P Muhlethaler ldquoAttacks against OLSRdistributed key management for securityrdquo in Proceedings of theOLSR Interop Workshop 2005
[33] G CerveraM Barbeau J Garcia-Alfaro and E Kranakis ldquoMit-igation of topology control traffic attacks in OLSR networksrdquoin Proceedings of the 5th International Conference on Risks andSecurity of Internet and Systems (CRiSIS rsquo10) October 2010
[34] P M Jawandhiya M M Ghonge M S Ali et al ldquoA surveyof mobile ad hoc network attacksrdquo International Journal ofEngineering Science and Technology vol 2 no 9 pp 4063ndash40712010
[35] L M Feeney ldquoAn energy consumption model for performanceanalysis of routing protocols for mobile ad hoc networksrdquoMobile Networks and Applications vol 6 no 3 pp 239ndash2492001
International Journal of Distributed Sensor Networks 19
[36] G Riley and T Henderson ldquoThe ns-3 network simulatorrdquo inModeling and Tools for Network Simulation Springer BerlinGermany 2010
[37] S Bhattiprolu E Biederman S Hallyn et al ldquoVirtual serversand checkpointrestart inmainstream linuxrdquo SIGOPSOperatingSystems Review vol 42 no 5 pp 104ndash113 2008
[38] J Zhang J Xing and Z Qin ldquoTaprouter an emulatingframework to run real applications on simulated mobile adhoc networkrdquo in Proceedings of the 44th Annual SimulationSymposium (ANSS rsquo11) pp 39ndash46 2011
[39] D Broyles A Jabbar and J P G Sterbenz ldquoDesign andanalysis of a 3-d gauss-markov mobility model for highly-dynamic airborne networksrdquo in Proceedings of the InternationalTelemetering Conference (ITC rsquo10) San Diego CA USA 2010
[40] J Haerri F Filali and C Bonnet ldquoPerformance comparisonof AODV and OLSR in vanets urban environments underrealistic mobility patternsrdquo in Proceedings of the IFIP Med-Hoc-Net Workshop 2006
[41] C H Tseng T Song P Balasubramanyam C Ko and K LevittldquoA specification-based intrusion detection model for OLSRrdquoRecent Advances in Intrusion Detection vol 3858 pp 330ndash3502006
[42] S Kurkowski T Camp and M Colagrosso ldquoManet simulationstudies the incrediblesrdquo SIGMOBILE Mobile Computing andCommunications Review vol 9 no 4 pp 50ndash561 2005
[43] A Abdalla I Saroit A Kotb et al ldquoMisbehavior nodesdetection and isolation for MANETs OLSR protocolrdquo ProcediaComputer Science vol 3 pp 115ndash121 2011
[44] R Puttini J Percher L Me et al ldquoA modular architecture fordistributed ids in manetrdquo in Proceedings of the InternationalConference on Computational Science and Its Applications III2003
[45] A Adnane R T de Sousa L Me and C Bidan ldquoAutonomictrust reasoning enables misbehavior detection in OLSRrdquo inProceedings of the 23rd Annual ACM Symposium on AppliedComputing (SAC rsquo08) pp 2006ndash2013 March 2008
[46] W Wang H Man and Y Liu ldquoA framework for intrusiondetection systems by social network analysis methods in ad hocnetworksrdquo Security and Communication Networks vol 2 no 6pp 669ndash685 2009
[47] H Deng R Xu J Li F Zhang R Levy and W Lee ldquoAgent-based cooperative anomaly detection for wireless ad hoc net-worksrdquo in Proceedings of the 12th International Conference onParallel and Distributed Systems (ICPADS rsquo06) pp 613ndash620 July2006
[48] S KurosawaHNakayamaN Kato et al ldquoDetecting blackholesattack on AODV-based mobile ad hoc networks by dynamiclearningmethodrdquo International Journal of Network Security vol5 no 3 pp 338ndash346 2007
[49] WWang HWang BWang et al ldquoEnergy-aware and selfadap-tive anomaly detection scheme based on network tomographyin mobile ad hoc networksrdquo Information Sciences vol 220 pp580ndash602 2013
[50] M-Y Su ldquoPrevention of selective black hole attacks on mobilead hoc networks through intrusion detection systemsrdquo Com-puter Communications vol 34 no 1 pp 107ndash117 2011
[51] N Marchang and R Datta ldquoCollaborative techniques for intru-sion detection in mobile ad-hoc networksrdquo Ad Hoc Networksvol 6 no 4 pp 508ndash523 2008
[52] B V R N Yadav B Satyanarayana and O B V RamanaiahldquoAn efficient intrusion detection system for mobile ad hoc net-worksrdquo in Emerging Trends in Computing Informatics Systems
Sciences and Engineering vol 151 Springer New York NYUSA 2013
[53] Y Huang and W Lee ldquoAttack analysis and detection for ad hocrouting protocolsrdquo in Recent Advances in Intrusion Detectionvol 3224 Springer Berlin Germany 2004
[54] G Vigna S Gwalani K Srinivasan E M Belding-Royer andR A Kemmerer ldquoAn intrusion detection tool for AODV-basedad hoc wireless networksrdquo in Proceedings of the 20th AnnualComputer SecurityApplications Conference (ACSAC rsquo04) pp 16ndash27 December 2004
[55] M Ayachi C Bidan and N Prigent ldquoA trust-based ids for theaodv protocolrdquo in Information and Communications Securityvol 6476 pp 430ndash444 2010
[56] S Sen and J A Clark ldquoA grammatical evolution approach tointrusion detection on mobile ad hoc networksrdquo in Proceedingsof the 2nd ACMConference onWireless Network Security (WiSecrsquo09) pp 95ndash102 March 2009
[57] S Marti T J Giuli K Lai and M Baker ldquoMitigating routingmisbehavior in mobile ad hoc networksrdquo in Proceedings of the6th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo00) pp 255ndash265 August 2000
[58] B Sun K Wu and U Pooch ldquoRouting anomaly detection inmobile ad hoc networksrdquo in Proceedings of The 12th Interna-tional Conference on Computer Communications and Networks(ICCCN rsquo03) 2003
[59] S Bose S Bharathimurugan and A Kannan ldquoMulti-layerintegrated anomaly intrusion detection system for mobileadhoc networksrdquo in Proceedings of the International Conferenceon Signal Processing Communications and Networking (ICSCNrsquo07) pp 360ndash365 February 2007
[60] P Yi Y Zhong and S Zhang ldquoA novel intrusion detectionmethod for mobile ad hoc networksrdquo in Advances in GridComputing vol 3470 pp 1183ndash1192 Springer Berlin Germany2005
[61] C Perkins E Belding-Royer and S Das ldquoAd hoc on-demanddistance vector (AODV) routingrdquo IETF Experimental RFC3561 2003
[62] D Johnson and D Maltz ldquoDynamic source routing in ad hocwireless networksrdquo in Mobile Computing pp 153ndash181 KluwerAcademic 1996
[63] C Perkins and P Bhagwat ldquoHighly dynamic destinationse-quenced distance-vector routing (dsdv) for mobile computersrdquoin Proceedings of the Conference on Communications Architec-tures Protocols and Applications (SIGCOMM rsquo94) vol 24 pp234ndash244 1994
[64] T JoachimsMaking Large-Scale Support VectorMachine Learn-ing Practical MIT Press Cambridge Mass USA 1999
[65] Y Yajima and T Kuo ldquoEfficient formulations for 1-svm and theirapplication to recommendation tasksrdquo Journal of Computersvol 1 no 3 pp 27ndash34 2006
[66] L Bononi and C Tacconi ldquoIntrusion detection for secureclustering and routing inMobileMulti-hopWirelessNetworksrdquoInternational Journal of Information Security vol 6 no 6 pp379ndash392 2007
[67] Y Huang W Fan W Lee et al ldquoCross-feature analysis fordetecting ad-hoc routing anomaliesrdquo in Proceedings of the 23rdInternational Conference on Distributed Computing Systems(ICDCS rsquo03) pp 478ndash487 May 2003
[68] J Quinlan C4 5 Programs for Machine Learning MorganKaufmann Boston Mass USA 1993
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
4 International Journal of Distributed Sensor Networks
should be herein considered in conjunction with the messagetype) period119905
119878FM119905
997888997888997888rarr 119868 119868
FM1199051015840
999424999426999456 100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816gt 119905
dArr
119868 isin I
(1)
Such a dropping is naturally applied on any packet thatis empty expired duplicated or out of order In additionrestrictive forwarding is provided meaning that in practice(only) the 1-hop neighbor(s) of 119878 that have been selectedby 119878 to act as MPR(s) forward 119878rsquos messages Apart fromthe aforementioned conditions that lead to a convenientdropping the remaining reason motivating a dropping isthreefold An intruder (or a compromised node) a selfishor a malfunctioning node disturbs the routing calculation bydropping a control message that should be forwarded Theattempt to drop any packet is termed black hole A selectivedropping (named gray hole) is detected by taking intoaccount additional fine-grained or discriminative criteriaincluding the choice of specific final1-hop-away destinationor source percentagerate of packets received or forwardedand message type Rather than dropping the traffic anoppositemisbehavior consists in introducing falsified routinginformation
222 Active Forge Attack An active forge attack comes froma node that introduces novel deceptive routing messagesAmong others the broadcast storm stems from forgingcontrol messages so as to exhaust resources (eg energy) andsaturate the communication medium For this purpose anintruder 119868 forges a large number of control messages CMwithin a short period of time 998810119905 (see Expression 2) Thisattack may be local (eg targeting a 1-hop neighborhood) orglobal (eg relying on the multihops broadcasted messages)It may also be conducted in a distributedmanner with severalcolluding nodes so as to simultaneously emit (a large numberof) control messages Note that in order to prevent a broad-cast storm resulting from the involuntary synchronization ofsome emitting nodes a delaying of the control messages isrecommended in the RFC a jitter (typically a random value)is subtracted from the interval at which control messages aregenerated (and also forwarded)
119868CM119905
997888997888997888rarr 119868CM1015840119905
997888997888997888rarr100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 998810119905
dArr
119868 isin I
(2)
A special type of broadcast storm is routing table overflowattack that threatens especially the proactive routing pro-tocols (eg OLSR) as they periodically update the routinginformation [31] Herein one or several colluding intrudersprevent the well-behaving nodes from discovering new exist-ing routes by dumping the networkwith route advertisements
to nonexisting nodes In general broadcast storm constitutesa kind of denial of service that is characterized by a high vis-ibility Therefore it is typically combined to masqueradingmdashalthough less intrusive attacks may also be preferred Inpractice masquerading lies in sending a control message CM
including a switched identification (119868CM(119868)
119905
997888997888997888997888997888rarr 119868CM(119878)
119905
997888997888997888997888997888rarr)Note that this case is distinguished from a node that holdsseveral interfaces and that advertises those later in a dedicatedMID message Apart from masquerading a denial of serviceidentity spoofing may be intended to create conflictingroute(s) and potentially routing loop(s) In this latter casespoofing the identity of a node 119878 belonging to the networkis necessary As pointed out in [32] the spoofing attack mayalso be coupled with a modification of the willingness field soas to impact the MPR selection (Expression 3) In practiceif 119868 emits a hello message including an originator address
already assigned to another node 119878 (119868hello(119878)997888997888997888997888997888997888rarr 119863) then
119868 modifies the local topology as seen by its 1- and 2-hopsneighbors In addition if 119868 modifies the willingness field1199081015840
119878of 119878 (with 1199081015840
119878= 119908119878) then the selection of 119878 as MPR is
impacted recall that MPRs are selected among the nodeswith highest willingness and in case of multiple choicesthe node which provides a reachability to the maximumnumber of nodes is primarily selected For instance a nodewhose willingness attribute set to 119908119894119897119897 119899119890V119890119903 = 0 (resp119908119894119897119897 119886119897119908119886119910119904 = 7) is never (resp always) selected as MPRthat is 1199081015840
119878= 119908119894119897119897 119899119890V119890119903 rArr 119878 notin MPR
119863(versus 1199081015840
119878=
119908119894119897119897 119886119897119908119886119910119904 rArr 119878 isin MPR119863)
119878
hello(119878119908119878)119905997888997888997888997888997888997888997888997888997888rarr 119863 119868
hello(1198781199081015840119878)1199051015840
997888997888997888997888997888997888997888997888997888rarr 119863
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905 119908
119878= 1199081015840
119878
dArr
119868 isin I
119878 is spoofed
1199081015840
119878= 119908119894119897119897 119899119890V119890119903 997904rArr 119878 notin MPR
119863
1199081015840
119878= 119908119894119897119897 119886119897119908119886119910119904 997904rArr 119878 isin MPR
119863
(3)
Active forge attacks are not restricted to identity spoofing(possibly coupled with a tampering of the willingness field)They also cover the tampering of control messages includingincorrect adjacent links (hello messages) topology informa-tion (TC messages) and network interfaces (MID and HNAmessages) In the following we detail each of those In thefirst case (Expression 4) 119868 forges a hello message whichdeclares a list of 1-hop and symmetric neighbors1198731198781015840
119868differing
from the real set 119873119878119868 A symmetric 1-hop neighbor or simply
symmetric neighbor corresponds to an adjacent node withwhich communication is bidirectional In practice it means
International Journal of Distributed Sensor Networks 5
that the hello message exchanged by two nodes is heard byboth of these later
119868
hello(1198731198781015840119868)119905997888997888997888997888997888997888997888997888997888rarr 119878119873119878
1015840
119868=119873119878119868
dArr
119868 isin I
(4)
Whenever forging the set of neighbors 1198731198781015840119868 the attacker has
three options
(1) Declaring a nonexisting node as a symmetric neigh-bor implies that 119868 (or another misbehaving node)is further selected as MPR (Expression 5) Indeedif 119868 advertises a non-existing node 119873 (119873 notin Nwith N defining the set of nodes composing theOLSR network (according to the OLSRRFC [12]messages can be flooded into the entire network (withamaximumnetwork diameter defined by themessageTime To Live field TTL for short) or flooding canbe limited to nodes within a diameter (defined interms of number of hops) from the originator ofthe message For the sake of clarity let N representthe network in both cases)) 119868 ensures that no other(well-behaving)MPR claims being a 1-hop symmetricneighbor of119873 Recall that the set of MPRs is selectedso that all the 2-hops and symmetric neighbors arecovered 119868 is hence selected as MPR
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119873 isin 1198731198781015840
119868ni 119873 notinN cap 119873119878
119868
dArr
119868 isin I
exist1198681015840isin I cap 119873119878
119878ni 1198681015840isin MPR
119878
Card (1198731198781015840119868 (119873119878
1015840
119868capN)) gt 0
(5)
This assertion is verified as long as no other misbe-having neighbor of 119878 is claiming the same Overallinserting at least one non-existing neighbor (exist119873 isin
1198731198781015840
119868ni 119873 notinN cap119873119878
119868) guarantees that a misbehaving
node 1198681015840 (with 1198681015840 isin I) is selected to act as MPR of119878 (exist1198681015840 isin I cap 119873119878
119878ni 1198681015840isin MPR
119878) In addition
to the above the connectivity of 119868 is also artificiallyincreased (Card(1198731198781015840
119868 (119873119878
1015840
119868capN)) gt 0)
(2) Declaring that an existing node is a symmetric 1-hopneighbor whereas that node is far away (ie is not aneighbor) or is a neighbor but that is not symmetric(exist119883 isin 119873119878
1015840
119868capN ni 119883 notin 119873119878
119868) This claiming increases
artificially the connectivity of 119868 that is Card((1198731198781015840119868
119873119878119868) capN) gt 0
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119883 isin 1198731198781015840
119868capN ni 119883 notin 119873119878
119868
dArr
119868 isin I
Card ((1198731198781015840119868 119873119878119868) capN) gt 0
∄119860 isinN I ni 119860 isin 119873119878119878and 119883 isin 119873119878
119860
dArr
exist1198681015840isin I ni 119868
1015840isin MPR
119878
(6)
If no (well-behaving) MPR covers 119878 (∄119860 isin N I ni
119860 isin 119873119878119878and 119883 isin 119873119878
119860) then at least one misbehaving
node (eg 119868) is selected as MPR of 119878 (exist1198681015840 isin I ni
1198681015840isin MPR
119878) Such insertion typically characterizes an
attempt to create a black hole 119868 introduces a novelpath toward119872 that whenever selected provisions theblack hole
(3) Omitting an existing 1-hop neighbor and symmetricnode 119875 (exist119875 isin 119873119878
119868ni 119875 notin 119873119878
1015840
119868) decreases artificially
the connectivity of both 119875 and 119868 (119873119878119868
sube 1198731198781015840
119868)
Note that if 119875 has no other connectivity than the oneobtained through amisbehaving node119875 gets isolated
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119875 isin 119873119878119868ni 119875 notin 119873119878
1015840
119868
dArr
119868 isin I
exist1198681015840isin I cap 119873119878
119878 119873119878119868sube 1198731198781015840
119868
(7)
Overall falsifying the neighboring adjacency by inserting(existing or nonexisting) neighbor(s) andor omitting realneighbors potentially perverts the local topology seen by 119878(andmore generally by one another) and impacts the selectedMPR(s) by 119878 Nevertheless note that in order to be selectedas MPR of 119878 (or to prevent its selection) there is no needfor 119868 to falsify the neighboring adjacency Recall that ina hello message a field termed willingness designates thenodersquos willingness to carry traffic on behalf of others 119868 henceprevents (resp ensures) its selection as MPR by simplysetting its willingness field to the value 119908119894119897119897 119899119890V119890119903 (resp119908119894119897119897 119886119897119908119886119910119904) On the whole the MPR selection is impactedby either falsifying the topological information included inhello message or by making use of the willingness attributeAnother (perhaps more straightforward) alternative refersto a slander node 119868 declaring (resp not declaring) itself asMPR although it has not (resp has) been selected as MPR
6 International Journal of Distributed Sensor Networks
[33] For this purpose (Expression 8) 119868 forges a TopologyControl (TC) message including an incorrect set of 1-hopsymmetric neighbors that have selected 119868 as MPR (so-calledMPR selector set) Depending on the level of redundancyrequired a MPR advertises
(1) the MPR selector(s) SelMPR119868
of 119868(2) the MPR selector(s) along with the MPR of 119868
SelMPR119868
cupMPR119868
(3) the 1-hop neighbors 119873119878119868of 119868 (hence including the
MPR selectors and the MPR of 119868)
LetA119868represent the set advertised in the TC messageA
119868=
SelMPR119868
or (SelMPR119868
cupMPR119868) or 119873119878
119868 This attack consists in 119868
advertising an incorrect setA1015840119868differing from the real oneA
119868
119868
TC(A1015840119868)119905997888997888997888997888997888997888rarr 119878A
1015840
119868=A119868
dArr
119868 isin I
(8)
In particular possible falsifications lie in either 119868 insertinga non-existing node or inserting an existing node but non-MPR selector or omitting a node belonging to A
119868 Upon
the reception of a falsified TC message routing table iscorrupted This corruption contaminates the OLSR networkand also any interconnected routing domain Indeed anode well-behaving or not acting as a gateway exports thewrong OLSR routes Symmetrically an intruder may alsoimport incorrect routes to the OLSR domain This latterattack termed sinkhole involves an intruder 119868 defining itselfas a gateway that provides an access to associated host(s)andor network(s) This gateway generates periodically aHNA message including those host(s) andor network(s)(ie the related address(es) and netmask(s)) This attackconstitutes a generalization of the previously defined forgingof corrupted TC messages a node advertises either non-existing or existing but unreachable nodes or omits advertis-ing reachable nodesThe similarity with the TC active forginglead us not detailing it hereafter
The aforementioned forge attacks (eg link or routespoofing attacks sinkhole) necessitate to tamper specificmessage fields while keeping this message syntactically cor-rect More generally bogus control messages can be forgedhence creating an implementation-dependent effect Gener-ally speaking similar tampering may be performed by anintruder that has acted as MPR prior forwarding a falsifiedcontrol message
223 Modify and Forward Attacks Modify and forwardattacks are characterized by an intermediate which capturesthe victimrsquos control message and replays modifies or dropsthis message before forwarding it In the following we depictthe two former cases ignoring the message dropping that hasbeen already described Replaying a control message includesdelaying the emission of this message by recording andforwarding it later (potentially in another area) or repeatingthis message As a consequence routing tables are updated
based on obsolete information Note that each messagecontains a field indicating the period of time during whichthis message is considered as valid and hence it is used toupdate the routing table Both attacks can be systematic (ietargeting anymultihops control traffic) or selectiveTheymayalso be performed in a distributed manner (Expression 9)with two intruders one recording the control message fromone region so as to replay it in another region (ie the oneof the colluding intruder) Without loss of generality let 119868
1
(resp 1198682) be the node that records it (resp replays it)
119878CM(119878)
119905
997888997888997888997888997888rarr 1198681 1198681
CM(119878)997888997888997888997888997888rarr
enc1198682 1198682
CM(119878)1199051015840
997888997888997888997888997888997888rarr 119884
119878 notin 119873119878119884 998810119905 le
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
dArr
119878 isin 119873119878119884
dArr
1198681 1198682isin I
(9)
In practice 1198681tunnels the control traffic by for example
encrypting the routing message andor relying on an alter-native network interface (that may be advertised or not)Then 119868
2replays it This attack leads to the creation of a
wormhole whose length depends on the distance separatingthe two intruders Note that in order to stay invisible both1198681and 1198682may keep the identification field unchanged the
source is 119878 rather than 1198681or 1198682 This possibility corresponds
to a masquerading Sequence numbers constitute a standardmechanism that provides protection against replay attacksgiven that the sequence delivery is not required by OLSRIn counterpart their usage can be hijacked so that thedestination drops the message rather than using it In prac-tice an intruder 119868 increases (a wraparound mechanism isimplemented when the sequence number reaches an extremeboundary it is reset to zero) (resp decreases) the value
of the sequence number sq (119878CM(119878)
119905sq997888997888997888997888997888997888997888rarr 119868 119868
CM(119878)1199051015840sq1015840
997888997888997888997888997888997888997888997888rarr
sq1015840 = sq) so that the destination assumes that 119878 is providingthe freshest (resp an obsolete) route and therefore ignoresthe subsequent (resp the actual) control message(s)
119878
CM(119878)119905sq
997888997888997888997888997888997888997888rarr 119868 119868
CM(119878)1199051015840sq1015840
997888997888997888997888997888997888997888997888rarr sq1015840 = sq 100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
dArr
119868 isin I
(10)
An intruder 119868 may also corrupt the routing table by mali-ciouslymodifying a received controlmessage before forward-ing it This modification consists in tampering either thecontents of themessage or the identification of its sourceTheformer case is similar to the forge attack described abovewherein the intruder tampers the MPR selector set in TCmessage theOLSR routes inHNAmessage or the interface(s)identification in MID message While in the latter case anintruder 119868 forwards the packet containing the control mes-sage without changing the source address [34] Consequently
International Journal of Distributed Sensor Networks 7
two nodes consider themselves as 1-hop neighbors whereasthey are not in the communication range of each otherAn intruder may also disrespect the flooding mechanism inOLSR This happens when the intruder retransmits a controlmessage that is received from a non-MPR selector node [32]
119868 notin MPR119878 119878
CM119905
997888997888997888rarr 119868 119868
CM1199051015840
997888997888997888997888rarr100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
dArr
119868 isin I
(11)
Overall attacks targeting OLSR protocol are classifiedinto 3 types
(i) drop attack that consists in totally or selectivelydropping the controlmessages for example droppingTC message in order to foil route calculation
(ii) active forge attack that attempts to poison OLSRrsquosfunctionalities by introducing novel deceptive controlmessage for example a hello message including anincorrect neighbor set so as to foil MPR selection
(iii) modify and forward attack lies in an intruder thatcaptures and modifies a control message before for-warding it (eg increasing the sequence number of aTC message hence the subsequent TC messages areignored)
An intruder launches the attack either in a standalonemanner or in collusion with other intruder(s) constitutingwhat so-called a Byzantine attack (eg wormhole) togetherusually coupled with masquerading Detecting these attacksis far to be a trivial task because a minor deviation on anattack makes it undetectable In addition an attack can becomposed of several subattacks In order to tackle theseissues we describemodel the attack as general as possiblehence circumventing possible deviationsWe then propose anintrusion detection system that detects composed attacks asmuch as their parties
3 Intrusion Detection
We propose a distributed log- and signature-based intrusiondetection system named IDAR In addition to providing ahigh detection accuracy IDAR aims tomaintain the availableresources in MANET For this purpose the evidences ofattack are extracted from the log and further classifiedaccording to their level of gravity Such classification helpsin planning the diagnostic and henceforth minimizing thecomputation overhead related to attack identificationDuringthe diagnostic evidences arematched to predefined intrusionsignatures The establishment of an intrusion signature andfurther the diagnostic operation are exemplified with the linkspoofing attack we purposely developed
31 Resource-Aware Evidence Gathering IDAR distinguishesitself from other IDSs by extracting the signs of attack fromthe logs instead of sniffing the traffic Thus the consumptionof energy and computational power resulting from evidence
minus600
minus400
minus200
0
200
400
600
800
0 200 400 600 800 1000Size (bytes)
Promiscuous overhearing sender and receiverPromiscuous overhearing senderPromiscuous overhearing receiverNonpromiscuous overhearing sender and receiverNonpromiscuous overhearing senderNonpromiscuous overhearing receiver
Ener
gy (u
Wlowast
s)Figure 1 Energy consumption in promiscuous and nonpromiscu-ous modes
gathering and analyzing is minimized In fact sniffing trafficnecessitates that the wireless network interface stays in modepromiscuous at all time thus the node can overhear all thepackets within its transmission range But promiscuousmodeleads to consuming more energy and hence reducing rapidlythe lifetime of the nodenetwork Indeed a nondestinationnode in the radio range of either the sender or the receiveroverhears some or all of their traffic For the IEEE 80211MAC protocol a nondestination node in discarding (ienonpromiscuous) mode can enter into a reduced energyconsumption mode and discard othersrsquo traffic [35] Suchmode requires less energy than the idle mode which is thedefault mode in ad hoc network While a nondestinationnode operating in promiscuous mode listens to all the trafficwhether or not it is the intended destination The traffic isfurther received as if it was a broadcast traffic thus additionalenergy consumption is associated with promiscuous modeoperation Figure 1 represents a part of the experimentalmeasurements realized in [19] about the energy consumptionof an IEEE 80211 2Mbps wireless card It shows the signifi-cant difference in energy consumption between promiscuousand nonpromiscuous modes Note that the consumption inthe nonpromiscuous mode is negative because it requiresless energy than the reference idle mode Besides increasingthe amount of consumed energy sniffing traffic imposes ahuge computational overhead [20] Indeed the packet-levelanalysis which is applied on the sniffed packets strainssignificantly the available resources that ismemory andCPUprocessing Moreover since all the traffic in the radio rangeis sniffed many of the analyzed packets would be redundantand add nothing to the detection In order to avoid thispermanent strain of resources IDAR does not sniff the trafficbut it rather collects periodically the local logs In particularit focuses on the portion of logs that characterizes the
8 International Journal of Distributed Sensor Networks
activities of the routing protocol (eg packet reception MPRselection) Note that additional logs for example system-security-related logs could be integrated and correlatedOnce parsed a log is used so as to detect a sign of suspiciousactivityThis consists inmatching the log against a predefinedintrusion signature An intrusion signature is thought as apartially ordered sequence of events that characterizes anintrusion Such procedure is potentially not only memorybut also bandwidth consumer Indeed it involves examininglocal logs as well as performing an in-depth diagnostic whereother nodes are requested so as to collect additional attackevidences correlate and match them against the definedintrusion signatures The in-depth diagnostic offers a globalview about the suspicious nodes and therefore it increasesthe accuracy of the detection But it is a costly operation interms of resources Thus the in-depth diagnostic must becarefully planned that is should be initiated only when asufficient degree of suspicion exists and terminated as soon asa result is obtained For this purpose we propose to classifyattack evidences so that depending on their level of gravitythe in-depth diagnostic may be performed According to ourclassification an evidence falls into one of the following fourgroups
(i) Initial-evidence group contains the evidences that leadto launch an in-depth diagnostic over the network
(ii) Suspicious-evidence group contains the evidences thatlead to identify a node as suspicious
(iii) Confirmed-evidence group contains the evidences thatconfirm the occurrence of an attack This results interminating the diagnostic and declaring the suspi-cious node as intruder
(iv) Cancel-evidence group contains the evidences thateliminate the suspicion and stop the diagnostic
These groups are populated with the evidences that areextracted from the log If an evidence belonging to the initial-evidence group is discovered then an in-depth diagnosticis launched so as to confirm (ie discovering an evidencebelonging to confirmed-evidence group) or infirm (ie dis-covering an evidence belonging to the cancel-evidence group)the intrusion both lead to the termination of the diagnosticRelying on these groups the evolution of any attack and itsrelated detection is easily followed In addition its compactform facilitates the lightweight discovering of long-termintrusions
32 Link Spoofing Attack A link spoofing attack lies infalsifying hello message(s) so as to modify the local topologyperceived by adjacent nodes This attack influences the MPRselection In particular this attack owns a global impactthe MPR position provides to the intruder the possibility toeavesdrop tamper misrelay or drop the traffic As discussedin Section 2 (and further detailed in Expression 4) anintruder realizes a link spoofing attack through one of thefollowing three cases
(1) It advertises a non-existing and symmetric nodeThus the intruder guarantees (unless another attacker
advertises the same non-existing node) being selectedas a MPR because this non-existing node is uniquelycovered by the intruder
(2) It advertises existing but nonneighboring node(s)The intruder is selected as a MPR if the advertisednode(s) is (are) not already covered by another (well-behaving or malicious) MPR
(3) It keeps under wraps neighboring and symmetricnode(s) In this case the connectivity of the intruderand consequently its chance of being selected asa MPR are both decreased Used in a standalonemanner this attack aims to decrease the connectivityof one or several nodes a complete isolation necessi-tates that no other (well-behaving) MPR covers thatnode(s)
We develop an attack (Expression 12) wherein an intruderfalsifies a hello message that contains both a non-existingnode (Case 1) and existing but non-neighboring nodes (Case2) The reason that motivates this choice is twofold First byadvertising a nonexisting node 119873 119868 ensures being selectedas a MPR by the victim 119878 (exist119873 isin 119873119878
1015840
119868ni 119873 notin N cap 119873119878
119868)
Note that with the last versions of the RFC a node (iepotentially an intruder) may dictate its selection as a MPRby advertising (in a hello message) its high willingness torelay messages Nevertheless previous versions (and theirrelated implementations) ignore this case Regardless of theversion of the protocol our intruder (as aforementionedpreviously) guarantees being selected as MPR by advertisinga nonexisting and symmetric node Second by announcingcommon neighbors with another node 119871 (Case 2) 119868 increasesthe probability that 119871 is not selected as a MPR (119868 replacing119871) and henceforth increases its proper ascendancy Note thatthe attack we developed does not consider the third casethat involves the reduction of the intruderrsquos connectivityNevertheless attack signature deals with it
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119873 isin 1198731198781015840
119868ni 119873 notinN cap 119873119878
119868
exist119871 isin MPR119878ni [119873119878
119871 119873119878119868] sube [119873119878
1015840
119868 119873119878119868]
dArr
119868 isin I 119871 notin MPR119878
exist1198681015840isin I ni 119868
1015840isin MPR
119878
Card (1198731198781015840119868 (119873119878
1015840
119868capN)) gt 0
Card ((1198731198781015840119868 119873119878119868) capN) gt 0
(12)
Herein a key challenge stems from the need to generate ahand-coded intrusion signature that models such attack andhenceforth permits to detect it
33 Signature Establishment As mentioned before a linkspoofing attack aims to inflect the MPR selection such
International Journal of Distributed Sensor Networks 9
Table 2 Evidence characterizing a link spoofing attack
Initial-evidence group1198641 AMPR is replaced by a 1-hop neighbor or by an already selected MPR1198642 AMPR behaves maliciously for example it tampers misrelays or drops the control messages
Suspicious-evidence group1198643 AMPR is the only node that provides connectivity to one (or more) 2-hops neighbor(s)
Confirmed-evidence group1198644 AMPR advertises a partial set of 1-hop neighbors1198645 AMPR advertises nonneighboring node(s) as 1-hop neighbors(s)
Cancel-evidence group1198646 AMPR is defined as an intruderwell-behaving node
selection is triggered upon a change in the symmetric 1- and2-hops neighborhood Rather than launching an in-depthdiagnostic upon every change in the 1- or 2-hops symmet-ric neighborhood we keep to a minimum the number ofthese diagnostics and henceforth the amount of consumedcomputational power and bandwidth by initiating it onlyat the occurrence of an event related to a link spoofingattack More precisely we ignore the changes in the 1-hopneighborhood (eg apparition of 1-hop neighbor) becausethey are observed by the node itself Thus they are notsubject to the remote falsification which is the cornerstoneof a link spoofing attack In contrary changes in the 2-hopsneighborhood are considered as long as they impact theMPRselection In practice the evidences that reveal a link spoofingattack (Table 2) are broken down into
(i) a MPR replacement (Evidence 1 or 1198641 for short)that results from a change in the covering of the 1-hop neighbors one (or several) 1-hop neighbor(s)(possibly the replacing MPR) increase(s) its (their)coverage to the detriment of the replaced MPR AreplacementMPR is a 1-hop neighbor that is excludedfrom the MPRs set even though it provides the sameconnectivity in both the previous and current MPRselection rounds
(ii) No MPR replacement takes place but an alreadyselected MPR is detected as misbehaving node Forinstance a misbehaving MPR may drop falsify ormisrelay the control messages (1198642) Note that anevidence of a special interest herein refers to a nodepromoting itself as a MPR without having beenselected as a MPR Amisbehaving MPR includes alsothe case wherein a MPR continually advertises thesame 2-hops neighbors set despite being no morevalid Contrary to other cases this one is not eventdriven and should be handled based on random orperiodical checks
(iii) aMPR is the only one that covers one or several nodes(1198643)
(iv) a MPR covers partially its adjacent neighbor(s) (1198644)
(v) a MPR provides connectivity to a nonneighboringnode (1198645)
The occurrence of either 1198641 or 1198642 constitutes the startingpoint of an in-depth diagnostic 1198641 and 1198642 belong to theinitial-evidence group The act of being the only MPR thatprovides the connectivity to node(s) (1198643) is suspicious butis not sufficient to launch an in-depth diagnostic becausethis situation is typical in a sparse network Furthermoretwo nodes within the covering range of each other oftenfail in communicating due to the unpredictable nature ofwireless transmission resulting from for example obstaclesand noises Thus diagnosing 1198643 is especially difficult underno specific assumption Overall the occurrence of 1198641 or 1198642and optionally1198643 leads to an in-depth diagnostic (Expression13) In practice the 1-hop neighbor(s) of the suspicious MPRare interrogated Note that part of the interrogated nodesmayexpress a different opinion that results from malicious nodeor an obsolete routing information This calls for taking intoaccount their respective reputation (as we plan in our nearfuture work)
(1198641 or 1198642)
dArr dArr
(1198644 or 1198645) optional (1198643) (1198644 and 1198645)
dArr dArr
The suspicious MPRis an intruder
The suspicious MPRis well-behaving
(13)
If the obtained answers confirm (resp infirm) that thesuspicious MPR covers partially its neighbors (1198644) andoradvertises a distant node as 1-hop neighbor (1198645) then theMPR is declared as an intruder (resp well-behaving) andthe diagnostic is terminated (1198646) Obviously the cooperationbetween the nodes constitutes a cornerstone in our in-depthdiagnostic
34 Cooperative Diagnostic The in-depth diagnostic of a linkspoofing attack consists in verifying the existence of a sym-metric and neighboring relationship between a suspiciousMPR and its advertised 1-hop neighbors (Algorithm 1) Moreprecisely this diagnostic follows the following steps Firstthe MPRs that have been replaced by other MPR or 1-hopneighbor are identified (lines 1-2) because such replacementrepresents the initial evidence of a link spoofing attack (1198641in Table 2) For this purpose the function GetReplaced-Mpris called (Line 1) It establishes the MPRs that have been
10 International Journal of Distributed Sensor Networks
(1) OldMprs = GetReplaced-Mpr()(2) SuspiciousMprs = GetReplacing-Mpr()(3) for (suspicious isin SuspiciousMprs) do(4) InterrogatedNodes = GetCommon2HopsNeighors
(suspicious OldMprs)(5) for (2HopsNeighbor isin InterrogatedNodes) do(6) if (LinkExistence (2HopsNeighbor suspicious) ==
false) then(7) Generate-Alarm (suspicious)(8) end if(9) end for(10) Cancel-Suspicious (suspicious)(11) end for
Algorithm 1 In-depth diagnostic
replaced by comparing the currentMPRs and the penultimateMPRs Then the MPRs sharing 1-hop neighbor(s) with areplaced MPR are identified (function GetReplacing-MPRline 2) Those identified MPRs are tagged as suspicious andare subject to further analysis (lines 3ndash11) the objective is toverify whether some spoofed links have been advertised soas to replace the MPR It follows that the 1-hop neighborsthat are common to a replaced MPR and a suspicious oneare determined (GetCommon2HopsNeighors function line 4)Note that these 1-hop neighbors also correspond to the 2-hops neighbors of the node launching the diagnostic Theyare interrogated (LinkExistence function) so as to verify theexistence of links The interrogation of a 2-hops neighbordenoted by 119860119894 consists in sending a request to 119860119894 asking ifthis latter considers the suspicious MPR as a 1-hop neighborat a specific time 119905 Whenever possible this request is sentwithout going through both the suspicious MPR 119868 or anycolluding intruder 1198681015840 This eluding is necessary in order toprevent 119868 and 1198681015840 from dropping the request andor forging adeceptive answerTherefore the 1-hop neighbor(s) (primarilythe MPR(s)) that covers the interrogated 2-hops neighbors isprovided with the request Note that the suspecting node 119878 isaware of is provided with the connectivity between the nodesthat form its two-hops neighbors Thus 119878may select the one(if existing) that covers 119860119894 If no answer is obtained (iethe related time-out elapses) then the request is sequentiallytransferred through the rest of the covering 1-hop neighbors(keeping in mind that as aforementioned MPRs are pri-marily selected) However when no neighbor is left then an(multihops) alternative path is researched in the routing tableto reach 119860119894 Note that the verification related to a suspiciousMPR is performed within an independent thread hencethe diagnostic of one node (and the result waiting) is not ablocking to others If 119860119894 denies being a 1-hop neighbor of thesuspicious MPR then a countermeasure is triggered Moreprecisely an alarm that establishes the detected attacker(s)is broadcasted (Generate-Alarm function line 7) Otherwiseif no deny takes place the suspicious MPR is no longersuspected (Cancel-Suspicious function line 10) In both casesthe diagnostic terminates Note that if no answer is provided(the inconsistent answers lead also to a claim in the degree
of suspicion However this case is not included in this paperbut it is handled in our other works) then the suspiciousMPR is tagged as not verified and the degree of suspicionin this latter goes up It is worth mentioning that the currentimplementation of IDAR considers the link spoofing attackHowever considering other attacks is not complicated andrequires only specifying the evidences to be searched in thelogs and the information to be exchanged between the nodesduring the in-depth diagnostic
4 Architecture and Performance Evaluation
In this section we introduce the key architectural compo-nents of IDAR (Section 41) Then we present the evaluationof IDAR performance (Section 42) and further discuss theobtained result (Section 43)
41 IDAR Architecture In order to cope with the dynamicnature ofMANET IDAR is both distributed and cooperativeThe proposed architecture (Figure 2) requires that everydevice participates in the detection (The delegation of somedetection operations (eg logs analyzing) may be sharedamong devices But it will not be necessarily less expensive interms of resources consumption)More precisely each devicecontains an instance of IDAR which independently detectsthe signs of suspicion and cooperates with other instancesso as to conduct the diagnostic in a broader range IDAR isimplemented in Perl (httpwwwperlorg) and conceptuallystructured into 4 components
(i) Coordinator that orchestrates all the components Assuch it constitutes the hearth of IDAR In prac-tice it parses dynamically the OLSR logs so as toextract signs of suspicion and match these latteragainst predefined intrusion signaturesThe intrusionsignatures are represented as conditional rules (ifcondition then state) Furthermore it triggers thecommunication and the alarm notification in orderto launch advanced diagnostic
(ii) Communication manager that gathers informationabout for example the adjacent links as requiredby the diagnostic manager Meanwhile it answersthe diagnostic requests This component runs into aseparated thread so that other IDAR operations arenot blocked
(iii) Knowledge database includes the information thatis extirpated from the logs and is provided by thecommunication manager This database is realized inMysql (httpwwwmysqlcom) Stored informationencompasses for example the 1-hop and 2-hopsneighbors and the MPRs
(iv) Alarm notifier is responsible for alarming the networkwhen an intrusion is detected Note that we areplanning to include more countermeasures in thefuture for example eliminating the routes containingan intruder
International Journal of Distributed Sensor Networks 11
SignatureKnowledge
database
Coordinator
Communicationmanager Alarm notifier
Update
Feedback
Diagnostic requestDiagnostic answer
IDAR instance
Routing log
IDAR instanceDiagnostic requestanswer
Routing log
Feed back
Figure 2 IDAR architecture
All the above components have been developed so as tosupport intrusion detection offering a high rate of detectionalong with conserving the resources
42 Performance Evaluation In order to evaluate the perfor-mance of IDAR a mobile ad hoc network has been simulatedusing the network simulator NS3 (httpwwwnsnamorg)[36] Each node in the simulated network is furthercoupled with a Linux Container (LXC) virtual machine(httplxcsourceforgenet) [37] The reason that motivatesthis coupling is twofold First NS3 offers the possibilityto simulate a large-scale mobile ad hoc network SecondLXC an operating-system-level virtualization tool permitsto run multiple isolated machines (also called containers)on a single modified hosting kernel (up to 1024 contain-ers over a single hosting kernel) Each container owns itsproper resources (eg process tree network interface andIP address) Thus the resource consumption (eg memoryusage) can be isolated and measured In practice an instanceof IDAR is installed on each container that appears asa standaloneseparated machine Figure 3 exemplifies thecoupling between nodes in NS3 and LXC containers Fromthe IDAR perspective (as well as from any applicationinstalled on the container) the emission and reception ofpackets is done through the network interface (eth0) Whilethe container contains a simulated ethernet card (V119890119905ℎ)which is connected through an ethernet bridge towards akernel tap device (tap) Note that for each container-nodecoupling new tap and ethernet bridge should be definedin the hosting kernel The ethernet bridge implements theforwarding of link-level framesThe interface 119905119886119901119877119900119906119905119890119903 [38]is implemented in NS3 and is used to exchange packetsbetween the 119905119886119901 device and the WiFi device which enablesNS3 nodes to communicate over a IEEE 80211- and OLSR-enabled MANET Overall the outgoing packets from eth0in the container are delivered to the WiFi device at thecorresponding node in the simulated network and vice versaSimulation is carried using the aforementioned platform
wherein the hosting device is equipped with 32GB of mem-ory and 2 Intel(R) Xeon(R) (6) Core 240GHz CPUsContainers hold a Fedora 12 operating system We considera MANET (Table 3) constituted of 119873 = 30 nodes split into25 well-behaving nodes and 5 intruders While most of otherIDSs are evaluated against one intruder we show that IDARcan handle several intruders in the same time Intruderslaunch repeatedly the implemented link spoofing attack (asdescribed in Expression 12) In our experiments the numberof successful intrusions varies between 15 and 33 accordingto the parameters of simulation scenario (as described inExpression 12) Nodes communicate via IEEE 80211a andare characterized by a transmission range 119879
119909of 90m They
randomly move following the so-called RandomWalk2d [39]mobility pattern provided by NS3 each node moves accord-ing to a randomly chosen direction at a given speed that isthe same for all the nodes When a node hits the networkboundaries (unless specified the network area is defined bya squared area of 119878 = 310 times 310m2) it rebounds followinga reflexive angle Data traffic is further modeled using theV4PingHelper application in NS3 each node exchanges 56-byte ICMP (httpwwwietforgrfcrfc792txt) echo requeststo one another and waits for 1 s before sending it again Weuse OLSR as the underlying routing protocol preserving theconfiguration parameters promoted in the RFC 3626 (eghello message interval is 2 s)
For each experimental scenario the simulation islaunched 5 times each one lasts for 140 s We compare thelaunched attacks with the detected ones and present theaverage of results We aim at evaluating the performance ofIDAR in terms of
(i) intrusion detection rate that reflects the capacity ofdetecting successful intrusions (a successful intrusioncauses the replacement of a legitimate MPR of thevictim by an intruder)
(ii) false positive rate that measures how many times alegitimate node is wrongly designated as an intruder
12 International Journal of Distributed Sensor Networks
Table 3 Simulation parameters
Simulation platformSimulator NS3 + LXC virtual machinesContainer operating system Fedora 12Hosting device memory 32GBHosting device CPU 2 Intel(R) Xeon(R) (6) Core 240GHz
Simulated MANETNumber of mobile nodes 30Number of intruders 5Topology 310 times 310m2
Transmission range 90mMaximum bandwidth 1MbpsTraffic V4PingHelper 56 bytes Icmp packetsMobility model RandomWalk2dMaximum speed 8ms (or 288 kmh)Simulation time 140 s
tapRouterWiFi devicewith OLSR
LXC
cont
aine
r
Ethernet bridge
Tap
LXC
cont
aine
r
veth
Ethernet bridge
Tap
tapRouterWiFi devicewith OLSR
veth
Nod
e 1
Nod
e 119899
NS3
IDAR1 IDAR119899
eth0 eth0
Figure 3 Experiment platform
(iii) detection overhead which represents the additionalnetwork traffic that is generated because of IDARNote that further benchmarks are also provided interms of memory usage
Based on those performance indicators IDAR is furtherevaluated with regard to the network density (Section 421)and node mobility (Section 422)
421 Network Density In order to evaluate the scalingproperties of IDAR we vary the density of the networkThe density of the network corresponds to the averagenumber of neighbors which is defined as in [40] by (119873 times
120587 times 1198792
119909)119878 We selected an interval of density that ranges
from 6 up to 16 neighbors which includes the intruderthe victim and the remaining neighbors Figure 4(a) showsthat the detection rate keeps higher than 80 regardless ofthe network density This demonstrates the relatively limitedimpact of the network density on IDAR performance More
precisely the intrusion detection rate slightly rises from935up to itsmaximum 963when the density varies from6 up to 8 neighbors the greater is the number of neighborsthe higher is the visibility of the attackThen a slow diminishis observed dense networks (with a density exceeding 8) arecharacterised by a high collision rate that causes a declinein the detection rate Similarly Figure 4(b) highlights thatthe average percentage of false positives is neglectful (under59) The analysis of several cases of false positive leads usto find that a false positive occurs when two nodes own adifferent live-times for the bidirectional link that connectsthese later consequently one of the two nodes still confirmsthe existence of this link while the other one denies it Tooverride this problem the period during which those linksare considered valid should be amplified as in [41] Figure 4(c)presents the average memory usage caused by IDAR Thisusage gently fluctuates between 176MB and 222MB It is alsoworthy of mention that contrary to OLSR our system doesnot assign additional functionality toMPR (detectionmay belaunched by one another) IDAR provides an homogeneousload balancing among the nodes As illustrated in Figure 4(d)the traffic caused by IDAR is very low (under 05 for anetwork density inferior to 8) It then slowly rises to reach13 when the network density is 16 In order to understandthe slight fall when the density reaches 14 we compare theaverage number of suspicious cases with regard to a varyingdensityThis average was 708 (resp 658) with density equalsto 12 (resp 14) Consequently the number of diagnostic-related packets is smaller at a density of 14 than at a densityof 12
422 Mobility In order to isolate the influence of themobility the network density is set to 8 The detection ratefalls when the speed increases (Figure 5(a))This results fromthe ever changing topology that results in increasing thenumber of broken links and the related drops of diagnostic-related packetsHowever IDAR still provides a high detectionrate for example the average of detection rate is 707
International Journal of Distributed Sensor Networks 13
0
20
40
60
80
100
6 8 10 12 14 16
Det
ecte
d in
trus
ions
()
Density
Average detection
(a)
0
10
20
30
40
50
6 8 10 12 14 16
False
pos
itive
()
Density
Average of false positives
(b)
0
10
20
30
40
50
6 8 10 12 14 16
Mem
ory
usag
e (M
B)
Density
(c)
025 05
1
5
20
50 100
6 8 10 12 14 16Density
IDA
R ve
rsus
OLS
R tr
affic (
)
(d)
Figure 4 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network density
with a moving speed equals to 8ms (ie around 287
kilometershour equivalent to 1789mileshour) Figure 5(b)shows that the higher is the moving speed the greater it getsfalse positives mainly because of out of date feedback Infact when a node moves away some of its 1-hop neighborsare no longer neighbors but are still announced as suchand are considered as potential attackers A higher increaseof the false positive rate is observed when the node speedranges from 4ms up to 6ms because the instable nodecovering is given its transmission range which leads to anincreased update of its 1-hop neighbors The memory usage(Figure 5(c)) rises staidly from 176MB to 265MB whichis reasonable even for resource-limited devices The impactof the mobility on the bandwidth is shown in Figure 5(d)The IDAR traffic comparing to the OLSR traffic significantlygrows from 036 up to 31 for a speed ranging from 0msup to 2ms Then the bandwidth usage gradually growsand reaches almost 6 when the moving speed is equalto 8ms This is motivated by the fact that increasing thenumber of verified links leads to exchange more diagnostic-related messages in the network In order to understandthe reason behind such variable growth of IDAR trafficwe counted the number of the verified suspicious neighbor
links We found that the average number of the verified linkssignificantly grows from 452 to 2014 when the velocity risesfrom 0ms to 2ms This average then gradually grows andtakes the values 2408 3314 and 406 when the velocityequals to 4ms 6ms and 8ms respectively The limitednumber of the suspicious neighbor links when the nodesare static is justified by the fact that the attacker has alimited choice to falsify its neighbors links Instead when thevelocity is greater than 2ms there is a continuous changein the neighborhood and the attackers can attack more(diversified) targets Meanwhile the continuously changingtopology implies an increased number of investigations
43 Performance Discussion It is clear that the density of thenetwork holds less influence than the mobility on our IDSMore mobility in MANET causes more dropped diagnosticpackets and hence less diagnostic is concluded with a finalresult that is confirming or refuting the suspiciousnessHowever comparing the launched attacks to the discov-ered suspicious events shows that the majority of attacksare tagged as suspicious events and considered for furtherdiagnostic Note that the mobility has a negative influence
14 International Journal of Distributed Sensor Networks
0
20
40
60
80
100
0 2 4 6 8
Det
ecte
d in
trus
ions
()
Velocity (ms)
Average detection
(a)
0
10
20
30
40
50
0 2 4 6 8
False
pos
itive
()
Velocity (ms)
Average of false positives
(b)
0
10
20
30
40
50
0 2 4 6 8
Mem
ory
usag
e (M
B)
Velocity (ms)
(c)
025 05
1
5
20
50 100
0 2 4 6 8
IDA
R ve
rsus
OLS
R tr
affic (
)
Velocity (ms)
(d)
Figure 5 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network mobility
on all the IDSs especially the cooperative ones where thereis an exchange of evidencesalerts Table 4 provides a shortperformance comparing between IDAR and other knownIDSs that are dedicated to ad hoc routing protocol Likethe majority of these IDSs the performance of our systemis challenged against a specific attack link spoofing attackin a simulated MANET (According to [42] around 75of mobile ad hoc published papers use simulation for testissues) Two evaluation factors are common to almost all thelisted IDSs the detection ratecapacity and the positive falserate Even though it was challenged in a MANET whereinthe intruders constitute 166 (Note that this percent is the3rd highest registered percent) of the nodes IDAR providesone of the highest detection rate Regarding the positivefalse rate we can notice that several IDSs especially thosethat are dedicated to DSR protocol show better results thanour system However this latter still generates a limitednumber of false positives It is also possible to reduce thefalse positives rate by amplifying the TTL (Time To Live)parameter of a bidirectional link so as to reduce the impactof obsolete neighborhood-related information during thedetection Recall that most of the generated false positives inIDAR are generated because of the difference in the time-live
of a bidirectional link between the two ends of this link Insuch case this link will be expired in one end while the otherend will keep confirming its existence It is worthmentioningthat except our system the listed IDSs that aim to detect theattacks targeting OLSR protocol do not present neither thedetection rate nor the false positives rate But they merelyprove the capacity of detecting the addressed attack(s) Inaddition IDAR is one of the rare IDSs that are evaluated interms of resources consumption Indeed we measure boththe increment inmemory usage and traffic overhead resultingfrom detection operations IDAR triggers a small incrementin the devicesrsquomemory usage (between 176MBand 265MB)Therefore it can be tolerated by the resource-limited devicesIt further triggers the lowest traffic overhead compared to thelisted IDSs IDAR presents a good scalability and offers a highdetection rate even in the high density networks where a largeamount of routing traffic should be monitored (Figure 4(a))This scalability is reinforced by (i) the limited traffic overhead(ii) the use of routing logs so as to extract the evidencesinstead of sniffing the traffic (iii) the distributed nature ofdetection such that each node is responsible for detecting theattacks targeting it and (iv) the unnecessity of modifying theused routing protocol
International Journal of Distributed Sensor Networks 15
5 Related Work
Systems that detect intrusion targeting ad hoc routing proto-col are extremely diverse in the way they analyze intrusionThey fall into the three key categories
(i) Anomaly detection system defines the correct behav-ior of the nodenetwork so as to detect deviations tothis behavior This correct behavior is automaticallybuilt during an attackless training phase The detec-tion accuracy depends on the ability to (i) describethe correct behavior and (ii) distinguish betweenanomalous and unexpected behaviors
(ii) Specification-based detection system hand-codes thelegitimate functionoperation and then searches for aviolation to this operation
(iii) Signature-based detection system first describes theway an intruder penetrates the system by defining anintrusion signature Then any behavior that is closeto this predefined signature is flagged as intrusion
Hereafter we detail examples of each of these categoriesAnomaly-based detection constitutes the main approachused to detect attacks The IDS proposed by Zhang et al[7] constitutes a de facto standard in MANET It aims atdetecting the attempts to falsify the routes provided by theAODV [61] DSR [62] and DSDV [63] routing protocolsDuring the training phase the impact of movement on thepercentage of changes in the routing table is analyzed Notethat this movement (ie velocity direction and position)is provided by a Global Positioning System (GPS) Thenduring the operation phase an actual percentage of changesdiffering from the predicted one is defined as anomaly Inpractice the distinguishing between anomalous and normalbehaviors is provided by the Support Vector Machine (SVM)Light [64] classifier or by RIPPER [15] a rule-based engineThe hierarchical IDS proposed in [47] detects blackhole androuting request flooding attacks targeting AODV protocolHere MANET is arranged into clusters whereas the nodewith the highest residual energy and number of connectionsis elected as a cluster-head Each cluster-head monitors thetraffic inside its cluster so as to identify the abnormal valuesof (i) the percentage of changes in the routing table and (ii)the propagation of routingdata packets Such abnormalitiesare identified thanks to (1-SVM) classifier [65] a deviationof SVM that needs to be trained with either normal orabnormal scenario but not both of them In [48] (resp [66])a blackhole (and resp dropping) attack targeting AODVprotocol (resp a secured version of AODV protocol includ-ing authentication and reputation estimation) are detectedby investigating features for example the number of routerequests and route replies as well as the average difference ofsequence numbers (Largely increased sequence numbers areknown as a sign of blackhole attack) Then simple anomalydetection is applied if the distance between the actuallyobserved features and the average ones that are recorded dur-ing the training exceeds a given threshold then an intrusionis detected More sophisticated cross-features analysis (CFA)[67] is applied to detect both blackhole and packet drop-ping on AODV and DSR protocols Features including for
example the reachability between 2 nodes and the numberof delivered packets are analyzed within time windows Thisanalysis attempts to quantify the relation existing betweenone feature 119891
119894and the others 119891
1 119891
119894minus1 119891119894+1 119891
119896(with
119896 + 1 defining the number of features analyzed) During theoperation phase the probability of matching between theobserved feature 1198911015840
119894and the predicted feature 119891
119894 which is
established based on 11989110158401 119891
1015840
119894minus1 1198911015840
119894+1 119891
1015840
119896 is calculated by
a decision tree classifier named C45 [68] An anomaly refersto an average of matching probability fewer than a giventhreshold CFA and C45 are also used in [69] with traffic-related features (eg number of receivedtransferred packets)and OLSR- or AODV-related features (eg MPR updates forthe former and route discovery for the latter) A modifiedMarkov chain-based IDS is proposed in [58] so as to detectroute disruption attack targeting DSR protocol Here thedetection depends on identifying unpredicted value of twofeatures the percentage of changes in the number of routesand the percentage of changes in the number of hops Inpractice a Markov chain is based on the immediate previous119899 consecutive values of a feature as to predict the (119899 + 1)thvalue If the difference between a predicted and an observedvalue exceeds a given threshold an intrusion is concluded
Rather than establishing automatically a correct behaviorspecification-based detection system hand-codes the correctbehavior of the routing protocols based on the protocol spec-ification (IETF draft or RFC) Then the system attempts todetect a violation of constraints circumventing this behaviorFour key constraints define the correct behavior of OLSR([14 70])
(1) Neighbor relationmust be reciprocal (ie 2 neighborsmust hear the hello message sent by each other)
(2) TheMPRs and the nodes that select theMPR (ie theMPR selectors) must be adjacent
(3) A node that finds itself advertised as a MPR selectorin a TCmessage must be adjacent to the originator ofthis message
(4) Nodes receive TC messages without modificationsfromMPR(s)
Each node sniffs the traffic in its radio range so as todiscover the violations of any of the above constraints Theseconstraints are modeled by semantic properties in [70] (resprules in [14]) so as to detect link spoofing attack on TC(and resp hello messages) both experiment an ability todetect a link spoofing by observing a violation of the thirdcondition over a simulated network composed of 11 nodesFinite-state machines are used to describe similar constraintson OLSR [41] and the behavior of AODV protocol [52 71]In [41] a centralized detection of link spoofing man-in-the-middle and deny of service attack is performed While in[52 71] incorrect hop countssequence numbers are analyzedby distributed sensors which sniff and group the packets perrequest-reply flow so as to estimate the forwarding path perflow If a route requestreply is illegallymodified or forwardedvia a nonexpected path then an alarm is triggered In [60]similar FSMs are used to define constraints on both the routediscovery in AODV and the packet forwarding operations
16 International Journal of Distributed Sensor Networks
Table4Com
parin
gID
ARperfo
rmance
with
otherIDSs
IDS
Routing
protocol
Num
bero
fno
des
Intrud
ers
()
Moving
speed
Detectio
nrate
False
positives
rate
Increm
entinmem
ory
usage
Increm
entintraffi
coverhead
IDAR
OlSR
30166
0ndash8m
s707ndash963
0ndash132
176ndash
265MB
478ndash6215KB
(036
ndash597
ofOlSRtraffi
c)
[43]
OlSR
303366
10
mdashmdash
mdashmdash
6ndash12
ofOlSR
traffi
c[41]
OlSR
1010
0ms
Detectio
nispo
ssible
mdashmdash
mdash[44]
OlSR
7143
0ms
Detectio
nispo
ssible
mdashmdash
mdash[45]
OlSR
520
0ms
Detectio
nispo
ssible
mdashmdash
mdash[14
]OlSR
119
0ms
Detectio
nispo
ssible
mdashmdash
mdash[46]
AODV
3033
0ndash5m
s3067ndash90
0ndash20
mdashmdash
[47]
AODV
502
0ndash20
ms
90
5
mdashmdash
[48]
AODV
3033
1ndash20
ms
70ndash82
12ndash18
mdashmdash
[49]
AODV
2050
10
1ndash10ms
964ndash9
87
079ndash093
mdash900k
B
[50]
AODV
5238
0ndash20
ms
(Fixed
IDSs)
100
0ndash0
6
mdashmdash
[51]
AODV
521
20238
0ndash10ms
50ndash100
0ndash30
mdashmdash
[52]
AODV
30mdash
0ndash20
ms
70ndash100
05
ndash15
mdashmdash
[53]
AODV
50Ra
ndom
0ndash20
ms
79plusmn10ndash92plusmn3
5plusmn1ndash32plusmn8
mdashmdash
[54]
AODV
102050
mdash0ndash
10ms
0ndash100
0ndash≫100
02ndash06
mdash[55]
AODV
20ndash200
mdash0ndash
20ms
30ndash9
50ndash16
mdashmdash
[56]
AODV
50mdash
1ndash20
ms
998ndash100
083ndash846
mdashmdash
[7]
AODV
mdashmdash
mdash8848plusmn414ndash971plusmn032
145plusmn072ndash202plusmn627
mdashmdash
DSD
Vmdash
mdashmdash
8523plusmn328ndash9061plusmn299
537plusmn310ndash263plusmn549
mdashmdash
DSR
mdashmdash
mdash852plusmn238ndash991plusmn037
003plusmn004ndash153plusmn408
mdashmdash
[57]
DSR
5040
0ndash20
ms
mdashmdash
mdash11ndash313
of
data
traffi
c[58]
DSR
3033
3ndash5m
s60ndash100
25
ndash50
mdashmdash
[59]
DSR
30mdash
mdash75
12
mdashmdash
[60]
DSR
502
0ndash20
ms
837ndash9
74
13ndash72
mdashmdash
International Journal of Distributed Sensor Networks 17
A signature-based system distinguishes itself by model-ing the misbehavior (rather than the correct behavior) soas to identify if a sequence of observed events matchingan intrusion signature AODVSTAT [54] uses state-basedsignatures in order to detect dropping and spoofing attacksalong with network flooding Few sensors sniff the traffic andmatch it against predefined signatures They also exchangeperiodically MAC and IP addresses so as to detect an identityspoofing which is characterized by a node emitting a packetidentified by MAC and IP addresses differing from thoseregistered for this node A dropping attack refers to a nodethat fails to replay route requestreply Finally a node sendinga number of packets exceeding a given threshold is identifiedas willing to exhaust resources In [45] intrusion signaturesare specified in opposition to the legitimate behavior of OLSRdepicted in conjunction with specification rules similar tothose defined in [70] In particular a node 119873 mistrusts twoneighbors 119871 and 119872 that conform to the following rules119872 advertises 119871 as a neighbor while 119871 does not advertise119872 as a neighbor (or reciprocally) both 119871 and 119872 send TCmessages while 119871rsquos neighbors are a subset of 119872rsquos neighbors(or reciprocally) In addition 119873 mistrusts 119872 if 119873 which isnot a neighbor of 119872 finds itself as a MPR selector in a TCof 119873 (constraint 3) In [44] a FSM is employed to modelthe signature of hello message fabrication in OLSR protocolin an agent-based IDS In practice each node uses a SimpleNetworkManagement Protocol (SNMP) agent so as to collectaudit data from the Management Information Base (MIB)After that events are extracted from the collected audit dataand are matched to the attack signatureThe addressed attackaims at breaking the link between a victim node and itsneighbors and thus a DoS takes place To that end theattacker impersonates the identity of the victim and sends afake hello message advertising one of the victim symmetricneighbors with lost link status Upon receiving the fabricatedmessage the neighbor changes the status of its link withthe victim to ldquoheardrdquo and stops routing packets through thevictim
51 Synthesis and Discussion A great majority of the litera-ture is focused on anomaly detectionwhile scarce effort inves-tigates specification- and signature-based intrusion Thisnaturally calls for consolidating the effort on specification-and signature-based detection while following the habitus ofwired network which consists in coupling these detectionsystems with one another for example in [72] wherein acombination of anomaly- and signature-based detection isrealized so as to increase the detection rate Almost all ofthe IDS focuses only on the detection accuracy that isproviding a high detection rate along with limited falsealarms However they do not consider the criticality ofmaintaining the resources and henceforth extending thelifetime of the nodenetwork Our IDS takes into account thenecessity of reducing to minimum both the communicationand computation overload related to intrusion identificationThe absolute majority of the IDSs is simulated (including thesystem we are proposing) rather than being either developedor experimented on testbeds or relying on empirical data
The reason that explains this situation is twofold Firstthe deployment of critical MANET is limitednot adver-tised Second to the best of our knowledge experiences ofintrusion in MANETs are not reported intrusions are infact developedsimulated as proofs of concept Neverthelessnot only routing protocols but also the characterization ofthe intrusion together leverage on the experience gained indesigning routing protocols for wired networks and deal-ing with related misbehaviors In particular the similarityexisting between the OSPF and OLSR protocols implies thatmany threats (eg sequence numbers identity spoofing) areshared In other words intrusion may be inspired from theone targeting wired networks Meanwhile the developmentof intrusion detection and the envisioning of attacks areaccelerated
6 Conclusion
We survey and classify the attacks that target ad hoc routingprotocols focusing on theOLSRprotocol In order to facilitatethe definition of intrusion signatures we extend a descriptionmodelmdashan attack is expressed as the preconditions andthe resulting consequencesmdashand enrich it with temporalannotations Once hand-coded these signatures are utilizedby IDAR a log-based distributed intrusion detection systemdedicated to operate in mobile ad hoc networks IDARdistinguishes itself by analyzing the logs generated by arouting protocol and extracts intrusion evidences so as tocompare these latter against predefined intrusion signaturesFor this purpose evidences are categorized into four groupsaccording to their degree of suspiciongravity and hence totheir ability to activatedeactivate the diagnostic We furtherdevelop a link spoofing attack on the OLSR protocol buildthe related detection rules and evaluate the performancesof IDAR relying on the NS3 simulator coupled with LXCvirtual machines Overall the experiments figure out ahigh rate of intrusion detection and low false positivesrate even under increased mobility and density Meanwhileresource consumption and network overhead result from thediagnostic are low and adapted to the resource-constraineddevices Note that ongoing effort is provided as to evaluateIDAR in a real MANET consisting of resource-constraineddevices Still detecting intrusion is not a trivial task due tothe large number of evidences to tackle and the resource-consuming diagnostic A compromise between detectionaccuracy and resource consumption could be found For thispurpose we are working on a new statistical mechanism forgathering the evidences This mechanism aims at enhancingthe scalability of our system by restricting the interrogationto a limited subset of nodes during the diagnostic Moreoveruntil now we assume that honest parties are passive theyalarm others but do not react We are considering thecoupling with countermeasures (eg blacklisting) and theexploring of lightweight binary consensus and trust estab-lishment among the nodes that participate in the intrusiondetection
18 International Journal of Distributed Sensor Networks
References
[1] Z Zhao H Hu G Ahn and R Wu ldquoRisk-aware mitigation formanet routing attacksrdquo IEEE Transactions on Dependable andSecure Computing vol 9 no 2 pp 250ndash260 2012
[2] B Sun L Osborne Y Xiao and S Guizani ldquoIntrusion detectiontechniques in mobile ad hoc and wireless sensor networksrdquoIEEE Wireless Communications vol 14 no 5 pp 56ndash63 2007
[3] S Sesay Z Yang and J He ldquoA survey onmobile ad hoc wirelessnetworkrdquo Information Technology Journal vol 3 no 2 pp 168ndash175 2004
[4] P Brutch and C Ko ldquoChallenges in intrusion detection forwireless ad-hoc networksrdquo in Proceedings of the Symposium onApplications and the Internet Workshops (SAINT rsquo03) pp 368ndash373 2003
[5] S Khan N Alrajeh and K Loo ldquoSecure route selection inwireless mesh networksrdquo Computer Networks vol 56 no 2 pp491ndash503 2012
[6] S Corson and J Macker ldquoMobile ad hoc networking (manet)routing protocol performance issues and evaluation considera-tionsrdquo IETF RFC2501 1999
[7] Y Zhang W Lee and Y Huang ldquoIntrusion detection tech-niques for mobile wireless networksrdquoWireless Networks vol 9no 5 pp 545ndash556 2003
[8] B C Cheng and R Y Tseng ldquoA context adaptive intrusiondetection system for MANETrdquo Computer Communications vol34 no 3 pp 310ndash318 2011
[9] T Eissa S A Razak and M D A Ngadi ldquoTowards providinga new lightweight authentication and encryption scheme forMANETrdquoWireless Networks vol 17 no 4 pp 833ndash842 2011
[10] A Irshad W Noshairwan M Shafiq S Khurram E Irshadand M Usman ldquoSecurity enhancement for authentication ofnodes in MANET by checking the CRL status of serversrdquoCommunications in Computer and Information Science vol 78pp 86ndash95 2010
[11] D E Denning ldquoAn intrusion-detection modelrdquo IEEE Transac-tions on Software Engineering vol 13 no 2 pp 222ndash232 1987
[12] T Clausen and P Jacquet ldquoOptimized link state routing proto-col (OLSR)rdquo IETF Experimental RFC 3626 2003
[13] P Albers O Camp J Percher et al ldquoSecurity in ad hoc networksa general intrusion detection architecture enhancing trust basedapproachesrdquo 2002
[14] F Cuppens N Cuppens-Boulahia S Nuon and T RamardldquoProperty based intrusion detection to secure OLSRrdquo in Pro-ceedings of the 3rd International Conference on Wireless andMobile Communications (ICWMC rsquo07) Guadeloupe FranceMarch 2007
[15] W Cohen ldquoFast effective rule inductionrdquo in Proceedings of theInternational Conference onMachine Learning (ICML rsquo95) 1995
[16] S Sarafijanovic and J-Y le Boudec ldquoAn artificial immunesystem for misbehavior detection in mobile ad-hoc networkswith virtual thymus clustering danger signal and memorydetectorsrdquo in Proceedings of the 3rd International Conference onArtificial Immune Systems (ICARIS rsquo04) 2004
[17] S Sen and J Clark Intrusion Detection in Mobile Ad HocNetworks in Guide to Wireless Ad Hoc Networks SpringerLondon UK 2009
[18] D Subhadrabandhu S Sarkar and F Anjum ldquoA Framework formisuse detection in ad hoc networksmdashpart IIrdquo IEEE Journal onSelected Areas in Communications vol 24 no 2 pp 290ndash3032006
[19] L M Feeney and M Nilsson ldquoInvestigating the energyconsumption of a wireless network interface in an ad hocnetworking environmentrdquo in Proceedings of the 20th AnnualJoint Conference of the IEEE Computer and CommunicationsSocieties pp 1548ndash1557 April 2001
[20] A P Lauf R A Peters and W H Robinson ldquoA distributedintrusion detection system for resource-constrained devices inad-hoc networksrdquo Ad Hoc Networks vol 8 no 3 pp 253ndash2662010
[21] N A Alrajeh S Khan J Lloret and J Loo ldquoSecure routingprotocol using cross-layer design and energy harvesting inwireless sensor networksrdquo International Journal of DistributedSensor Networks vol 2013 Article ID 374796 11 pages 2013
[22] S Sen J Clark and J Tapiador Security Threats in MobileAd Hoc Networks I S of Self-Organizing Networks AuerbachPublications 2010
[23] P Ning and K Sun ldquoHow to misuse AODV a case study ofinsider attacks againstmobile ad-hoc routing protocolsrdquoAdHocNetworks vol 3 no 6 pp 795ndash819 2005
[24] T Clausen C Dearlove P Jacquet and U Herberg ldquoTheoptimized link state routing protocol version 2rdquo IETF ActiveInternet-Draft Draft-Ietf-Manet-Olsrv2-15 2012
[25] U Herberg and T Clausen ldquoSecurity issues in the optimizedlink state routing protocol version 2 (olsrv2)rdquo InternationalJournal of Network Security amp Its Applications vol 2 no 2 2010
[26] YOwada TMaenoH Imai andKMase ldquoOLSRv2 implemen-tation and performance evaluation with link layer feedbackrdquo inProceedings of the International Wireless Communications andMobile Computing Conference (IWCMC rsquo07) pp 67ndash72 Newyork NY USA August 2007
[27] F Hong L Hong and C Fu ldquoSecure OLSRrdquo in Proceedingsof the 19th International Conference on Advanced InformationNetworking and Applications (AINA rsquo05) pp 713ndash718 March2005
[28] LNAMHegland P Spilling andQKure ldquoHybrid protectionof olsrrdquo in Electronic Notes in Theoretical Computer Science2006
[29] P Kunwar S Sofat and D Bansal ldquoComparison of secure olsrrouting protocolrdquo International Journal of Engineering Sciencevol 3 no 6 p 5049 2011
[30] A Adnane C Bidan and R T de Sousa Junior ldquoTrust-basedcountermeasures for securing OLSR protocolrdquo in Proceedingsof the 7th IEEEIFIP International Conference on Embedded andUbiquitous Computing (EUC rsquo09) pp 745ndash752 August 2009
[31] B Wu J Chen J Chen J Wu and M Cardei ldquoA survey ofattacks and countermeasures in mobile ad hoc networksrdquo inWireless Network Security Springer New York NY USA 2007
[32] C Adjih D Raffo and P Muhlethaler ldquoAttacks against OLSRdistributed key management for securityrdquo in Proceedings of theOLSR Interop Workshop 2005
[33] G CerveraM Barbeau J Garcia-Alfaro and E Kranakis ldquoMit-igation of topology control traffic attacks in OLSR networksrdquoin Proceedings of the 5th International Conference on Risks andSecurity of Internet and Systems (CRiSIS rsquo10) October 2010
[34] P M Jawandhiya M M Ghonge M S Ali et al ldquoA surveyof mobile ad hoc network attacksrdquo International Journal ofEngineering Science and Technology vol 2 no 9 pp 4063ndash40712010
[35] L M Feeney ldquoAn energy consumption model for performanceanalysis of routing protocols for mobile ad hoc networksrdquoMobile Networks and Applications vol 6 no 3 pp 239ndash2492001
International Journal of Distributed Sensor Networks 19
[36] G Riley and T Henderson ldquoThe ns-3 network simulatorrdquo inModeling and Tools for Network Simulation Springer BerlinGermany 2010
[37] S Bhattiprolu E Biederman S Hallyn et al ldquoVirtual serversand checkpointrestart inmainstream linuxrdquo SIGOPSOperatingSystems Review vol 42 no 5 pp 104ndash113 2008
[38] J Zhang J Xing and Z Qin ldquoTaprouter an emulatingframework to run real applications on simulated mobile adhoc networkrdquo in Proceedings of the 44th Annual SimulationSymposium (ANSS rsquo11) pp 39ndash46 2011
[39] D Broyles A Jabbar and J P G Sterbenz ldquoDesign andanalysis of a 3-d gauss-markov mobility model for highly-dynamic airborne networksrdquo in Proceedings of the InternationalTelemetering Conference (ITC rsquo10) San Diego CA USA 2010
[40] J Haerri F Filali and C Bonnet ldquoPerformance comparisonof AODV and OLSR in vanets urban environments underrealistic mobility patternsrdquo in Proceedings of the IFIP Med-Hoc-Net Workshop 2006
[41] C H Tseng T Song P Balasubramanyam C Ko and K LevittldquoA specification-based intrusion detection model for OLSRrdquoRecent Advances in Intrusion Detection vol 3858 pp 330ndash3502006
[42] S Kurkowski T Camp and M Colagrosso ldquoManet simulationstudies the incrediblesrdquo SIGMOBILE Mobile Computing andCommunications Review vol 9 no 4 pp 50ndash561 2005
[43] A Abdalla I Saroit A Kotb et al ldquoMisbehavior nodesdetection and isolation for MANETs OLSR protocolrdquo ProcediaComputer Science vol 3 pp 115ndash121 2011
[44] R Puttini J Percher L Me et al ldquoA modular architecture fordistributed ids in manetrdquo in Proceedings of the InternationalConference on Computational Science and Its Applications III2003
[45] A Adnane R T de Sousa L Me and C Bidan ldquoAutonomictrust reasoning enables misbehavior detection in OLSRrdquo inProceedings of the 23rd Annual ACM Symposium on AppliedComputing (SAC rsquo08) pp 2006ndash2013 March 2008
[46] W Wang H Man and Y Liu ldquoA framework for intrusiondetection systems by social network analysis methods in ad hocnetworksrdquo Security and Communication Networks vol 2 no 6pp 669ndash685 2009
[47] H Deng R Xu J Li F Zhang R Levy and W Lee ldquoAgent-based cooperative anomaly detection for wireless ad hoc net-worksrdquo in Proceedings of the 12th International Conference onParallel and Distributed Systems (ICPADS rsquo06) pp 613ndash620 July2006
[48] S KurosawaHNakayamaN Kato et al ldquoDetecting blackholesattack on AODV-based mobile ad hoc networks by dynamiclearningmethodrdquo International Journal of Network Security vol5 no 3 pp 338ndash346 2007
[49] WWang HWang BWang et al ldquoEnergy-aware and selfadap-tive anomaly detection scheme based on network tomographyin mobile ad hoc networksrdquo Information Sciences vol 220 pp580ndash602 2013
[50] M-Y Su ldquoPrevention of selective black hole attacks on mobilead hoc networks through intrusion detection systemsrdquo Com-puter Communications vol 34 no 1 pp 107ndash117 2011
[51] N Marchang and R Datta ldquoCollaborative techniques for intru-sion detection in mobile ad-hoc networksrdquo Ad Hoc Networksvol 6 no 4 pp 508ndash523 2008
[52] B V R N Yadav B Satyanarayana and O B V RamanaiahldquoAn efficient intrusion detection system for mobile ad hoc net-worksrdquo in Emerging Trends in Computing Informatics Systems
Sciences and Engineering vol 151 Springer New York NYUSA 2013
[53] Y Huang and W Lee ldquoAttack analysis and detection for ad hocrouting protocolsrdquo in Recent Advances in Intrusion Detectionvol 3224 Springer Berlin Germany 2004
[54] G Vigna S Gwalani K Srinivasan E M Belding-Royer andR A Kemmerer ldquoAn intrusion detection tool for AODV-basedad hoc wireless networksrdquo in Proceedings of the 20th AnnualComputer SecurityApplications Conference (ACSAC rsquo04) pp 16ndash27 December 2004
[55] M Ayachi C Bidan and N Prigent ldquoA trust-based ids for theaodv protocolrdquo in Information and Communications Securityvol 6476 pp 430ndash444 2010
[56] S Sen and J A Clark ldquoA grammatical evolution approach tointrusion detection on mobile ad hoc networksrdquo in Proceedingsof the 2nd ACMConference onWireless Network Security (WiSecrsquo09) pp 95ndash102 March 2009
[57] S Marti T J Giuli K Lai and M Baker ldquoMitigating routingmisbehavior in mobile ad hoc networksrdquo in Proceedings of the6th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo00) pp 255ndash265 August 2000
[58] B Sun K Wu and U Pooch ldquoRouting anomaly detection inmobile ad hoc networksrdquo in Proceedings of The 12th Interna-tional Conference on Computer Communications and Networks(ICCCN rsquo03) 2003
[59] S Bose S Bharathimurugan and A Kannan ldquoMulti-layerintegrated anomaly intrusion detection system for mobileadhoc networksrdquo in Proceedings of the International Conferenceon Signal Processing Communications and Networking (ICSCNrsquo07) pp 360ndash365 February 2007
[60] P Yi Y Zhong and S Zhang ldquoA novel intrusion detectionmethod for mobile ad hoc networksrdquo in Advances in GridComputing vol 3470 pp 1183ndash1192 Springer Berlin Germany2005
[61] C Perkins E Belding-Royer and S Das ldquoAd hoc on-demanddistance vector (AODV) routingrdquo IETF Experimental RFC3561 2003
[62] D Johnson and D Maltz ldquoDynamic source routing in ad hocwireless networksrdquo in Mobile Computing pp 153ndash181 KluwerAcademic 1996
[63] C Perkins and P Bhagwat ldquoHighly dynamic destinationse-quenced distance-vector routing (dsdv) for mobile computersrdquoin Proceedings of the Conference on Communications Architec-tures Protocols and Applications (SIGCOMM rsquo94) vol 24 pp234ndash244 1994
[64] T JoachimsMaking Large-Scale Support VectorMachine Learn-ing Practical MIT Press Cambridge Mass USA 1999
[65] Y Yajima and T Kuo ldquoEfficient formulations for 1-svm and theirapplication to recommendation tasksrdquo Journal of Computersvol 1 no 3 pp 27ndash34 2006
[66] L Bononi and C Tacconi ldquoIntrusion detection for secureclustering and routing inMobileMulti-hopWirelessNetworksrdquoInternational Journal of Information Security vol 6 no 6 pp379ndash392 2007
[67] Y Huang W Fan W Lee et al ldquoCross-feature analysis fordetecting ad-hoc routing anomaliesrdquo in Proceedings of the 23rdInternational Conference on Distributed Computing Systems(ICDCS rsquo03) pp 478ndash487 May 2003
[68] J Quinlan C4 5 Programs for Machine Learning MorganKaufmann Boston Mass USA 1993
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 5
that the hello message exchanged by two nodes is heard byboth of these later
119868
hello(1198731198781015840119868)119905997888997888997888997888997888997888997888997888997888rarr 119878119873119878
1015840
119868=119873119878119868
dArr
119868 isin I
(4)
Whenever forging the set of neighbors 1198731198781015840119868 the attacker has
three options
(1) Declaring a nonexisting node as a symmetric neigh-bor implies that 119868 (or another misbehaving node)is further selected as MPR (Expression 5) Indeedif 119868 advertises a non-existing node 119873 (119873 notin Nwith N defining the set of nodes composing theOLSR network (according to the OLSRRFC [12]messages can be flooded into the entire network (withamaximumnetwork diameter defined by themessageTime To Live field TTL for short) or flooding canbe limited to nodes within a diameter (defined interms of number of hops) from the originator ofthe message For the sake of clarity let N representthe network in both cases)) 119868 ensures that no other(well-behaving)MPR claims being a 1-hop symmetricneighbor of119873 Recall that the set of MPRs is selectedso that all the 2-hops and symmetric neighbors arecovered 119868 is hence selected as MPR
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119873 isin 1198731198781015840
119868ni 119873 notinN cap 119873119878
119868
dArr
119868 isin I
exist1198681015840isin I cap 119873119878
119878ni 1198681015840isin MPR
119878
Card (1198731198781015840119868 (119873119878
1015840
119868capN)) gt 0
(5)
This assertion is verified as long as no other misbe-having neighbor of 119878 is claiming the same Overallinserting at least one non-existing neighbor (exist119873 isin
1198731198781015840
119868ni 119873 notinN cap119873119878
119868) guarantees that a misbehaving
node 1198681015840 (with 1198681015840 isin I) is selected to act as MPR of119878 (exist1198681015840 isin I cap 119873119878
119878ni 1198681015840isin MPR
119878) In addition
to the above the connectivity of 119868 is also artificiallyincreased (Card(1198731198781015840
119868 (119873119878
1015840
119868capN)) gt 0)
(2) Declaring that an existing node is a symmetric 1-hopneighbor whereas that node is far away (ie is not aneighbor) or is a neighbor but that is not symmetric(exist119883 isin 119873119878
1015840
119868capN ni 119883 notin 119873119878
119868) This claiming increases
artificially the connectivity of 119868 that is Card((1198731198781015840119868
119873119878119868) capN) gt 0
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119883 isin 1198731198781015840
119868capN ni 119883 notin 119873119878
119868
dArr
119868 isin I
Card ((1198731198781015840119868 119873119878119868) capN) gt 0
∄119860 isinN I ni 119860 isin 119873119878119878and 119883 isin 119873119878
119860
dArr
exist1198681015840isin I ni 119868
1015840isin MPR
119878
(6)
If no (well-behaving) MPR covers 119878 (∄119860 isin N I ni
119860 isin 119873119878119878and 119883 isin 119873119878
119860) then at least one misbehaving
node (eg 119868) is selected as MPR of 119878 (exist1198681015840 isin I ni
1198681015840isin MPR
119878) Such insertion typically characterizes an
attempt to create a black hole 119868 introduces a novelpath toward119872 that whenever selected provisions theblack hole
(3) Omitting an existing 1-hop neighbor and symmetricnode 119875 (exist119875 isin 119873119878
119868ni 119875 notin 119873119878
1015840
119868) decreases artificially
the connectivity of both 119875 and 119868 (119873119878119868
sube 1198731198781015840
119868)
Note that if 119875 has no other connectivity than the oneobtained through amisbehaving node119875 gets isolated
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119875 isin 119873119878119868ni 119875 notin 119873119878
1015840
119868
dArr
119868 isin I
exist1198681015840isin I cap 119873119878
119878 119873119878119868sube 1198731198781015840
119868
(7)
Overall falsifying the neighboring adjacency by inserting(existing or nonexisting) neighbor(s) andor omitting realneighbors potentially perverts the local topology seen by 119878(andmore generally by one another) and impacts the selectedMPR(s) by 119878 Nevertheless note that in order to be selectedas MPR of 119878 (or to prevent its selection) there is no needfor 119868 to falsify the neighboring adjacency Recall that ina hello message a field termed willingness designates thenodersquos willingness to carry traffic on behalf of others 119868 henceprevents (resp ensures) its selection as MPR by simplysetting its willingness field to the value 119908119894119897119897 119899119890V119890119903 (resp119908119894119897119897 119886119897119908119886119910119904) On the whole the MPR selection is impactedby either falsifying the topological information included inhello message or by making use of the willingness attributeAnother (perhaps more straightforward) alternative refersto a slander node 119868 declaring (resp not declaring) itself asMPR although it has not (resp has) been selected as MPR
6 International Journal of Distributed Sensor Networks
[33] For this purpose (Expression 8) 119868 forges a TopologyControl (TC) message including an incorrect set of 1-hopsymmetric neighbors that have selected 119868 as MPR (so-calledMPR selector set) Depending on the level of redundancyrequired a MPR advertises
(1) the MPR selector(s) SelMPR119868
of 119868(2) the MPR selector(s) along with the MPR of 119868
SelMPR119868
cupMPR119868
(3) the 1-hop neighbors 119873119878119868of 119868 (hence including the
MPR selectors and the MPR of 119868)
LetA119868represent the set advertised in the TC messageA
119868=
SelMPR119868
or (SelMPR119868
cupMPR119868) or 119873119878
119868 This attack consists in 119868
advertising an incorrect setA1015840119868differing from the real oneA
119868
119868
TC(A1015840119868)119905997888997888997888997888997888997888rarr 119878A
1015840
119868=A119868
dArr
119868 isin I
(8)
In particular possible falsifications lie in either 119868 insertinga non-existing node or inserting an existing node but non-MPR selector or omitting a node belonging to A
119868 Upon
the reception of a falsified TC message routing table iscorrupted This corruption contaminates the OLSR networkand also any interconnected routing domain Indeed anode well-behaving or not acting as a gateway exports thewrong OLSR routes Symmetrically an intruder may alsoimport incorrect routes to the OLSR domain This latterattack termed sinkhole involves an intruder 119868 defining itselfas a gateway that provides an access to associated host(s)andor network(s) This gateway generates periodically aHNA message including those host(s) andor network(s)(ie the related address(es) and netmask(s)) This attackconstitutes a generalization of the previously defined forgingof corrupted TC messages a node advertises either non-existing or existing but unreachable nodes or omits advertis-ing reachable nodesThe similarity with the TC active forginglead us not detailing it hereafter
The aforementioned forge attacks (eg link or routespoofing attacks sinkhole) necessitate to tamper specificmessage fields while keeping this message syntactically cor-rect More generally bogus control messages can be forgedhence creating an implementation-dependent effect Gener-ally speaking similar tampering may be performed by anintruder that has acted as MPR prior forwarding a falsifiedcontrol message
223 Modify and Forward Attacks Modify and forwardattacks are characterized by an intermediate which capturesthe victimrsquos control message and replays modifies or dropsthis message before forwarding it In the following we depictthe two former cases ignoring the message dropping that hasbeen already described Replaying a control message includesdelaying the emission of this message by recording andforwarding it later (potentially in another area) or repeatingthis message As a consequence routing tables are updated
based on obsolete information Note that each messagecontains a field indicating the period of time during whichthis message is considered as valid and hence it is used toupdate the routing table Both attacks can be systematic (ietargeting anymultihops control traffic) or selectiveTheymayalso be performed in a distributed manner (Expression 9)with two intruders one recording the control message fromone region so as to replay it in another region (ie the oneof the colluding intruder) Without loss of generality let 119868
1
(resp 1198682) be the node that records it (resp replays it)
119878CM(119878)
119905
997888997888997888997888997888rarr 1198681 1198681
CM(119878)997888997888997888997888997888rarr
enc1198682 1198682
CM(119878)1199051015840
997888997888997888997888997888997888rarr 119884
119878 notin 119873119878119884 998810119905 le
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
dArr
119878 isin 119873119878119884
dArr
1198681 1198682isin I
(9)
In practice 1198681tunnels the control traffic by for example
encrypting the routing message andor relying on an alter-native network interface (that may be advertised or not)Then 119868
2replays it This attack leads to the creation of a
wormhole whose length depends on the distance separatingthe two intruders Note that in order to stay invisible both1198681and 1198682may keep the identification field unchanged the
source is 119878 rather than 1198681or 1198682 This possibility corresponds
to a masquerading Sequence numbers constitute a standardmechanism that provides protection against replay attacksgiven that the sequence delivery is not required by OLSRIn counterpart their usage can be hijacked so that thedestination drops the message rather than using it In prac-tice an intruder 119868 increases (a wraparound mechanism isimplemented when the sequence number reaches an extremeboundary it is reset to zero) (resp decreases) the value
of the sequence number sq (119878CM(119878)
119905sq997888997888997888997888997888997888997888rarr 119868 119868
CM(119878)1199051015840sq1015840
997888997888997888997888997888997888997888997888rarr
sq1015840 = sq) so that the destination assumes that 119878 is providingthe freshest (resp an obsolete) route and therefore ignoresthe subsequent (resp the actual) control message(s)
119878
CM(119878)119905sq
997888997888997888997888997888997888997888rarr 119868 119868
CM(119878)1199051015840sq1015840
997888997888997888997888997888997888997888997888rarr sq1015840 = sq 100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
dArr
119868 isin I
(10)
An intruder 119868 may also corrupt the routing table by mali-ciouslymodifying a received controlmessage before forward-ing it This modification consists in tampering either thecontents of themessage or the identification of its sourceTheformer case is similar to the forge attack described abovewherein the intruder tampers the MPR selector set in TCmessage theOLSR routes inHNAmessage or the interface(s)identification in MID message While in the latter case anintruder 119868 forwards the packet containing the control mes-sage without changing the source address [34] Consequently
International Journal of Distributed Sensor Networks 7
two nodes consider themselves as 1-hop neighbors whereasthey are not in the communication range of each otherAn intruder may also disrespect the flooding mechanism inOLSR This happens when the intruder retransmits a controlmessage that is received from a non-MPR selector node [32]
119868 notin MPR119878 119878
CM119905
997888997888997888rarr 119868 119868
CM1199051015840
997888997888997888997888rarr100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
dArr
119868 isin I
(11)
Overall attacks targeting OLSR protocol are classifiedinto 3 types
(i) drop attack that consists in totally or selectivelydropping the controlmessages for example droppingTC message in order to foil route calculation
(ii) active forge attack that attempts to poison OLSRrsquosfunctionalities by introducing novel deceptive controlmessage for example a hello message including anincorrect neighbor set so as to foil MPR selection
(iii) modify and forward attack lies in an intruder thatcaptures and modifies a control message before for-warding it (eg increasing the sequence number of aTC message hence the subsequent TC messages areignored)
An intruder launches the attack either in a standalonemanner or in collusion with other intruder(s) constitutingwhat so-called a Byzantine attack (eg wormhole) togetherusually coupled with masquerading Detecting these attacksis far to be a trivial task because a minor deviation on anattack makes it undetectable In addition an attack can becomposed of several subattacks In order to tackle theseissues we describemodel the attack as general as possiblehence circumventing possible deviationsWe then propose anintrusion detection system that detects composed attacks asmuch as their parties
3 Intrusion Detection
We propose a distributed log- and signature-based intrusiondetection system named IDAR In addition to providing ahigh detection accuracy IDAR aims tomaintain the availableresources in MANET For this purpose the evidences ofattack are extracted from the log and further classifiedaccording to their level of gravity Such classification helpsin planning the diagnostic and henceforth minimizing thecomputation overhead related to attack identificationDuringthe diagnostic evidences arematched to predefined intrusionsignatures The establishment of an intrusion signature andfurther the diagnostic operation are exemplified with the linkspoofing attack we purposely developed
31 Resource-Aware Evidence Gathering IDAR distinguishesitself from other IDSs by extracting the signs of attack fromthe logs instead of sniffing the traffic Thus the consumptionof energy and computational power resulting from evidence
minus600
minus400
minus200
0
200
400
600
800
0 200 400 600 800 1000Size (bytes)
Promiscuous overhearing sender and receiverPromiscuous overhearing senderPromiscuous overhearing receiverNonpromiscuous overhearing sender and receiverNonpromiscuous overhearing senderNonpromiscuous overhearing receiver
Ener
gy (u
Wlowast
s)Figure 1 Energy consumption in promiscuous and nonpromiscu-ous modes
gathering and analyzing is minimized In fact sniffing trafficnecessitates that the wireless network interface stays in modepromiscuous at all time thus the node can overhear all thepackets within its transmission range But promiscuousmodeleads to consuming more energy and hence reducing rapidlythe lifetime of the nodenetwork Indeed a nondestinationnode in the radio range of either the sender or the receiveroverhears some or all of their traffic For the IEEE 80211MAC protocol a nondestination node in discarding (ienonpromiscuous) mode can enter into a reduced energyconsumption mode and discard othersrsquo traffic [35] Suchmode requires less energy than the idle mode which is thedefault mode in ad hoc network While a nondestinationnode operating in promiscuous mode listens to all the trafficwhether or not it is the intended destination The traffic isfurther received as if it was a broadcast traffic thus additionalenergy consumption is associated with promiscuous modeoperation Figure 1 represents a part of the experimentalmeasurements realized in [19] about the energy consumptionof an IEEE 80211 2Mbps wireless card It shows the signifi-cant difference in energy consumption between promiscuousand nonpromiscuous modes Note that the consumption inthe nonpromiscuous mode is negative because it requiresless energy than the reference idle mode Besides increasingthe amount of consumed energy sniffing traffic imposes ahuge computational overhead [20] Indeed the packet-levelanalysis which is applied on the sniffed packets strainssignificantly the available resources that ismemory andCPUprocessing Moreover since all the traffic in the radio rangeis sniffed many of the analyzed packets would be redundantand add nothing to the detection In order to avoid thispermanent strain of resources IDAR does not sniff the trafficbut it rather collects periodically the local logs In particularit focuses on the portion of logs that characterizes the
8 International Journal of Distributed Sensor Networks
activities of the routing protocol (eg packet reception MPRselection) Note that additional logs for example system-security-related logs could be integrated and correlatedOnce parsed a log is used so as to detect a sign of suspiciousactivityThis consists inmatching the log against a predefinedintrusion signature An intrusion signature is thought as apartially ordered sequence of events that characterizes anintrusion Such procedure is potentially not only memorybut also bandwidth consumer Indeed it involves examininglocal logs as well as performing an in-depth diagnostic whereother nodes are requested so as to collect additional attackevidences correlate and match them against the definedintrusion signatures The in-depth diagnostic offers a globalview about the suspicious nodes and therefore it increasesthe accuracy of the detection But it is a costly operation interms of resources Thus the in-depth diagnostic must becarefully planned that is should be initiated only when asufficient degree of suspicion exists and terminated as soon asa result is obtained For this purpose we propose to classifyattack evidences so that depending on their level of gravitythe in-depth diagnostic may be performed According to ourclassification an evidence falls into one of the following fourgroups
(i) Initial-evidence group contains the evidences that leadto launch an in-depth diagnostic over the network
(ii) Suspicious-evidence group contains the evidences thatlead to identify a node as suspicious
(iii) Confirmed-evidence group contains the evidences thatconfirm the occurrence of an attack This results interminating the diagnostic and declaring the suspi-cious node as intruder
(iv) Cancel-evidence group contains the evidences thateliminate the suspicion and stop the diagnostic
These groups are populated with the evidences that areextracted from the log If an evidence belonging to the initial-evidence group is discovered then an in-depth diagnosticis launched so as to confirm (ie discovering an evidencebelonging to confirmed-evidence group) or infirm (ie dis-covering an evidence belonging to the cancel-evidence group)the intrusion both lead to the termination of the diagnosticRelying on these groups the evolution of any attack and itsrelated detection is easily followed In addition its compactform facilitates the lightweight discovering of long-termintrusions
32 Link Spoofing Attack A link spoofing attack lies infalsifying hello message(s) so as to modify the local topologyperceived by adjacent nodes This attack influences the MPRselection In particular this attack owns a global impactthe MPR position provides to the intruder the possibility toeavesdrop tamper misrelay or drop the traffic As discussedin Section 2 (and further detailed in Expression 4) anintruder realizes a link spoofing attack through one of thefollowing three cases
(1) It advertises a non-existing and symmetric nodeThus the intruder guarantees (unless another attacker
advertises the same non-existing node) being selectedas a MPR because this non-existing node is uniquelycovered by the intruder
(2) It advertises existing but nonneighboring node(s)The intruder is selected as a MPR if the advertisednode(s) is (are) not already covered by another (well-behaving or malicious) MPR
(3) It keeps under wraps neighboring and symmetricnode(s) In this case the connectivity of the intruderand consequently its chance of being selected asa MPR are both decreased Used in a standalonemanner this attack aims to decrease the connectivityof one or several nodes a complete isolation necessi-tates that no other (well-behaving) MPR covers thatnode(s)
We develop an attack (Expression 12) wherein an intruderfalsifies a hello message that contains both a non-existingnode (Case 1) and existing but non-neighboring nodes (Case2) The reason that motivates this choice is twofold First byadvertising a nonexisting node 119873 119868 ensures being selectedas a MPR by the victim 119878 (exist119873 isin 119873119878
1015840
119868ni 119873 notin N cap 119873119878
119868)
Note that with the last versions of the RFC a node (iepotentially an intruder) may dictate its selection as a MPRby advertising (in a hello message) its high willingness torelay messages Nevertheless previous versions (and theirrelated implementations) ignore this case Regardless of theversion of the protocol our intruder (as aforementionedpreviously) guarantees being selected as MPR by advertisinga nonexisting and symmetric node Second by announcingcommon neighbors with another node 119871 (Case 2) 119868 increasesthe probability that 119871 is not selected as a MPR (119868 replacing119871) and henceforth increases its proper ascendancy Note thatthe attack we developed does not consider the third casethat involves the reduction of the intruderrsquos connectivityNevertheless attack signature deals with it
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119873 isin 1198731198781015840
119868ni 119873 notinN cap 119873119878
119868
exist119871 isin MPR119878ni [119873119878
119871 119873119878119868] sube [119873119878
1015840
119868 119873119878119868]
dArr
119868 isin I 119871 notin MPR119878
exist1198681015840isin I ni 119868
1015840isin MPR
119878
Card (1198731198781015840119868 (119873119878
1015840
119868capN)) gt 0
Card ((1198731198781015840119868 119873119878119868) capN) gt 0
(12)
Herein a key challenge stems from the need to generate ahand-coded intrusion signature that models such attack andhenceforth permits to detect it
33 Signature Establishment As mentioned before a linkspoofing attack aims to inflect the MPR selection such
International Journal of Distributed Sensor Networks 9
Table 2 Evidence characterizing a link spoofing attack
Initial-evidence group1198641 AMPR is replaced by a 1-hop neighbor or by an already selected MPR1198642 AMPR behaves maliciously for example it tampers misrelays or drops the control messages
Suspicious-evidence group1198643 AMPR is the only node that provides connectivity to one (or more) 2-hops neighbor(s)
Confirmed-evidence group1198644 AMPR advertises a partial set of 1-hop neighbors1198645 AMPR advertises nonneighboring node(s) as 1-hop neighbors(s)
Cancel-evidence group1198646 AMPR is defined as an intruderwell-behaving node
selection is triggered upon a change in the symmetric 1- and2-hops neighborhood Rather than launching an in-depthdiagnostic upon every change in the 1- or 2-hops symmet-ric neighborhood we keep to a minimum the number ofthese diagnostics and henceforth the amount of consumedcomputational power and bandwidth by initiating it onlyat the occurrence of an event related to a link spoofingattack More precisely we ignore the changes in the 1-hopneighborhood (eg apparition of 1-hop neighbor) becausethey are observed by the node itself Thus they are notsubject to the remote falsification which is the cornerstoneof a link spoofing attack In contrary changes in the 2-hopsneighborhood are considered as long as they impact theMPRselection In practice the evidences that reveal a link spoofingattack (Table 2) are broken down into
(i) a MPR replacement (Evidence 1 or 1198641 for short)that results from a change in the covering of the 1-hop neighbors one (or several) 1-hop neighbor(s)(possibly the replacing MPR) increase(s) its (their)coverage to the detriment of the replaced MPR AreplacementMPR is a 1-hop neighbor that is excludedfrom the MPRs set even though it provides the sameconnectivity in both the previous and current MPRselection rounds
(ii) No MPR replacement takes place but an alreadyselected MPR is detected as misbehaving node Forinstance a misbehaving MPR may drop falsify ormisrelay the control messages (1198642) Note that anevidence of a special interest herein refers to a nodepromoting itself as a MPR without having beenselected as a MPR Amisbehaving MPR includes alsothe case wherein a MPR continually advertises thesame 2-hops neighbors set despite being no morevalid Contrary to other cases this one is not eventdriven and should be handled based on random orperiodical checks
(iii) aMPR is the only one that covers one or several nodes(1198643)
(iv) a MPR covers partially its adjacent neighbor(s) (1198644)
(v) a MPR provides connectivity to a nonneighboringnode (1198645)
The occurrence of either 1198641 or 1198642 constitutes the startingpoint of an in-depth diagnostic 1198641 and 1198642 belong to theinitial-evidence group The act of being the only MPR thatprovides the connectivity to node(s) (1198643) is suspicious butis not sufficient to launch an in-depth diagnostic becausethis situation is typical in a sparse network Furthermoretwo nodes within the covering range of each other oftenfail in communicating due to the unpredictable nature ofwireless transmission resulting from for example obstaclesand noises Thus diagnosing 1198643 is especially difficult underno specific assumption Overall the occurrence of 1198641 or 1198642and optionally1198643 leads to an in-depth diagnostic (Expression13) In practice the 1-hop neighbor(s) of the suspicious MPRare interrogated Note that part of the interrogated nodesmayexpress a different opinion that results from malicious nodeor an obsolete routing information This calls for taking intoaccount their respective reputation (as we plan in our nearfuture work)
(1198641 or 1198642)
dArr dArr
(1198644 or 1198645) optional (1198643) (1198644 and 1198645)
dArr dArr
The suspicious MPRis an intruder
The suspicious MPRis well-behaving
(13)
If the obtained answers confirm (resp infirm) that thesuspicious MPR covers partially its neighbors (1198644) andoradvertises a distant node as 1-hop neighbor (1198645) then theMPR is declared as an intruder (resp well-behaving) andthe diagnostic is terminated (1198646) Obviously the cooperationbetween the nodes constitutes a cornerstone in our in-depthdiagnostic
34 Cooperative Diagnostic The in-depth diagnostic of a linkspoofing attack consists in verifying the existence of a sym-metric and neighboring relationship between a suspiciousMPR and its advertised 1-hop neighbors (Algorithm 1) Moreprecisely this diagnostic follows the following steps Firstthe MPRs that have been replaced by other MPR or 1-hopneighbor are identified (lines 1-2) because such replacementrepresents the initial evidence of a link spoofing attack (1198641in Table 2) For this purpose the function GetReplaced-Mpris called (Line 1) It establishes the MPRs that have been
10 International Journal of Distributed Sensor Networks
(1) OldMprs = GetReplaced-Mpr()(2) SuspiciousMprs = GetReplacing-Mpr()(3) for (suspicious isin SuspiciousMprs) do(4) InterrogatedNodes = GetCommon2HopsNeighors
(suspicious OldMprs)(5) for (2HopsNeighbor isin InterrogatedNodes) do(6) if (LinkExistence (2HopsNeighbor suspicious) ==
false) then(7) Generate-Alarm (suspicious)(8) end if(9) end for(10) Cancel-Suspicious (suspicious)(11) end for
Algorithm 1 In-depth diagnostic
replaced by comparing the currentMPRs and the penultimateMPRs Then the MPRs sharing 1-hop neighbor(s) with areplaced MPR are identified (function GetReplacing-MPRline 2) Those identified MPRs are tagged as suspicious andare subject to further analysis (lines 3ndash11) the objective is toverify whether some spoofed links have been advertised soas to replace the MPR It follows that the 1-hop neighborsthat are common to a replaced MPR and a suspicious oneare determined (GetCommon2HopsNeighors function line 4)Note that these 1-hop neighbors also correspond to the 2-hops neighbors of the node launching the diagnostic Theyare interrogated (LinkExistence function) so as to verify theexistence of links The interrogation of a 2-hops neighbordenoted by 119860119894 consists in sending a request to 119860119894 asking ifthis latter considers the suspicious MPR as a 1-hop neighborat a specific time 119905 Whenever possible this request is sentwithout going through both the suspicious MPR 119868 or anycolluding intruder 1198681015840 This eluding is necessary in order toprevent 119868 and 1198681015840 from dropping the request andor forging adeceptive answerTherefore the 1-hop neighbor(s) (primarilythe MPR(s)) that covers the interrogated 2-hops neighbors isprovided with the request Note that the suspecting node 119878 isaware of is provided with the connectivity between the nodesthat form its two-hops neighbors Thus 119878may select the one(if existing) that covers 119860119894 If no answer is obtained (iethe related time-out elapses) then the request is sequentiallytransferred through the rest of the covering 1-hop neighbors(keeping in mind that as aforementioned MPRs are pri-marily selected) However when no neighbor is left then an(multihops) alternative path is researched in the routing tableto reach 119860119894 Note that the verification related to a suspiciousMPR is performed within an independent thread hencethe diagnostic of one node (and the result waiting) is not ablocking to others If 119860119894 denies being a 1-hop neighbor of thesuspicious MPR then a countermeasure is triggered Moreprecisely an alarm that establishes the detected attacker(s)is broadcasted (Generate-Alarm function line 7) Otherwiseif no deny takes place the suspicious MPR is no longersuspected (Cancel-Suspicious function line 10) In both casesthe diagnostic terminates Note that if no answer is provided(the inconsistent answers lead also to a claim in the degree
of suspicion However this case is not included in this paperbut it is handled in our other works) then the suspiciousMPR is tagged as not verified and the degree of suspicionin this latter goes up It is worth mentioning that the currentimplementation of IDAR considers the link spoofing attackHowever considering other attacks is not complicated andrequires only specifying the evidences to be searched in thelogs and the information to be exchanged between the nodesduring the in-depth diagnostic
4 Architecture and Performance Evaluation
In this section we introduce the key architectural compo-nents of IDAR (Section 41) Then we present the evaluationof IDAR performance (Section 42) and further discuss theobtained result (Section 43)
41 IDAR Architecture In order to cope with the dynamicnature ofMANET IDAR is both distributed and cooperativeThe proposed architecture (Figure 2) requires that everydevice participates in the detection (The delegation of somedetection operations (eg logs analyzing) may be sharedamong devices But it will not be necessarily less expensive interms of resources consumption)More precisely each devicecontains an instance of IDAR which independently detectsthe signs of suspicion and cooperates with other instancesso as to conduct the diagnostic in a broader range IDAR isimplemented in Perl (httpwwwperlorg) and conceptuallystructured into 4 components
(i) Coordinator that orchestrates all the components Assuch it constitutes the hearth of IDAR In prac-tice it parses dynamically the OLSR logs so as toextract signs of suspicion and match these latteragainst predefined intrusion signaturesThe intrusionsignatures are represented as conditional rules (ifcondition then state) Furthermore it triggers thecommunication and the alarm notification in orderto launch advanced diagnostic
(ii) Communication manager that gathers informationabout for example the adjacent links as requiredby the diagnostic manager Meanwhile it answersthe diagnostic requests This component runs into aseparated thread so that other IDAR operations arenot blocked
(iii) Knowledge database includes the information thatis extirpated from the logs and is provided by thecommunication manager This database is realized inMysql (httpwwwmysqlcom) Stored informationencompasses for example the 1-hop and 2-hopsneighbors and the MPRs
(iv) Alarm notifier is responsible for alarming the networkwhen an intrusion is detected Note that we areplanning to include more countermeasures in thefuture for example eliminating the routes containingan intruder
International Journal of Distributed Sensor Networks 11
SignatureKnowledge
database
Coordinator
Communicationmanager Alarm notifier
Update
Feedback
Diagnostic requestDiagnostic answer
IDAR instance
Routing log
IDAR instanceDiagnostic requestanswer
Routing log
Feed back
Figure 2 IDAR architecture
All the above components have been developed so as tosupport intrusion detection offering a high rate of detectionalong with conserving the resources
42 Performance Evaluation In order to evaluate the perfor-mance of IDAR a mobile ad hoc network has been simulatedusing the network simulator NS3 (httpwwwnsnamorg)[36] Each node in the simulated network is furthercoupled with a Linux Container (LXC) virtual machine(httplxcsourceforgenet) [37] The reason that motivatesthis coupling is twofold First NS3 offers the possibilityto simulate a large-scale mobile ad hoc network SecondLXC an operating-system-level virtualization tool permitsto run multiple isolated machines (also called containers)on a single modified hosting kernel (up to 1024 contain-ers over a single hosting kernel) Each container owns itsproper resources (eg process tree network interface andIP address) Thus the resource consumption (eg memoryusage) can be isolated and measured In practice an instanceof IDAR is installed on each container that appears asa standaloneseparated machine Figure 3 exemplifies thecoupling between nodes in NS3 and LXC containers Fromthe IDAR perspective (as well as from any applicationinstalled on the container) the emission and reception ofpackets is done through the network interface (eth0) Whilethe container contains a simulated ethernet card (V119890119905ℎ)which is connected through an ethernet bridge towards akernel tap device (tap) Note that for each container-nodecoupling new tap and ethernet bridge should be definedin the hosting kernel The ethernet bridge implements theforwarding of link-level framesThe interface 119905119886119901119877119900119906119905119890119903 [38]is implemented in NS3 and is used to exchange packetsbetween the 119905119886119901 device and the WiFi device which enablesNS3 nodes to communicate over a IEEE 80211- and OLSR-enabled MANET Overall the outgoing packets from eth0in the container are delivered to the WiFi device at thecorresponding node in the simulated network and vice versaSimulation is carried using the aforementioned platform
wherein the hosting device is equipped with 32GB of mem-ory and 2 Intel(R) Xeon(R) (6) Core 240GHz CPUsContainers hold a Fedora 12 operating system We considera MANET (Table 3) constituted of 119873 = 30 nodes split into25 well-behaving nodes and 5 intruders While most of otherIDSs are evaluated against one intruder we show that IDARcan handle several intruders in the same time Intruderslaunch repeatedly the implemented link spoofing attack (asdescribed in Expression 12) In our experiments the numberof successful intrusions varies between 15 and 33 accordingto the parameters of simulation scenario (as described inExpression 12) Nodes communicate via IEEE 80211a andare characterized by a transmission range 119879
119909of 90m They
randomly move following the so-called RandomWalk2d [39]mobility pattern provided by NS3 each node moves accord-ing to a randomly chosen direction at a given speed that isthe same for all the nodes When a node hits the networkboundaries (unless specified the network area is defined bya squared area of 119878 = 310 times 310m2) it rebounds followinga reflexive angle Data traffic is further modeled using theV4PingHelper application in NS3 each node exchanges 56-byte ICMP (httpwwwietforgrfcrfc792txt) echo requeststo one another and waits for 1 s before sending it again Weuse OLSR as the underlying routing protocol preserving theconfiguration parameters promoted in the RFC 3626 (eghello message interval is 2 s)
For each experimental scenario the simulation islaunched 5 times each one lasts for 140 s We compare thelaunched attacks with the detected ones and present theaverage of results We aim at evaluating the performance ofIDAR in terms of
(i) intrusion detection rate that reflects the capacity ofdetecting successful intrusions (a successful intrusioncauses the replacement of a legitimate MPR of thevictim by an intruder)
(ii) false positive rate that measures how many times alegitimate node is wrongly designated as an intruder
12 International Journal of Distributed Sensor Networks
Table 3 Simulation parameters
Simulation platformSimulator NS3 + LXC virtual machinesContainer operating system Fedora 12Hosting device memory 32GBHosting device CPU 2 Intel(R) Xeon(R) (6) Core 240GHz
Simulated MANETNumber of mobile nodes 30Number of intruders 5Topology 310 times 310m2
Transmission range 90mMaximum bandwidth 1MbpsTraffic V4PingHelper 56 bytes Icmp packetsMobility model RandomWalk2dMaximum speed 8ms (or 288 kmh)Simulation time 140 s
tapRouterWiFi devicewith OLSR
LXC
cont
aine
r
Ethernet bridge
Tap
LXC
cont
aine
r
veth
Ethernet bridge
Tap
tapRouterWiFi devicewith OLSR
veth
Nod
e 1
Nod
e 119899
NS3
IDAR1 IDAR119899
eth0 eth0
Figure 3 Experiment platform
(iii) detection overhead which represents the additionalnetwork traffic that is generated because of IDARNote that further benchmarks are also provided interms of memory usage
Based on those performance indicators IDAR is furtherevaluated with regard to the network density (Section 421)and node mobility (Section 422)
421 Network Density In order to evaluate the scalingproperties of IDAR we vary the density of the networkThe density of the network corresponds to the averagenumber of neighbors which is defined as in [40] by (119873 times
120587 times 1198792
119909)119878 We selected an interval of density that ranges
from 6 up to 16 neighbors which includes the intruderthe victim and the remaining neighbors Figure 4(a) showsthat the detection rate keeps higher than 80 regardless ofthe network density This demonstrates the relatively limitedimpact of the network density on IDAR performance More
precisely the intrusion detection rate slightly rises from935up to itsmaximum 963when the density varies from6 up to 8 neighbors the greater is the number of neighborsthe higher is the visibility of the attackThen a slow diminishis observed dense networks (with a density exceeding 8) arecharacterised by a high collision rate that causes a declinein the detection rate Similarly Figure 4(b) highlights thatthe average percentage of false positives is neglectful (under59) The analysis of several cases of false positive leads usto find that a false positive occurs when two nodes own adifferent live-times for the bidirectional link that connectsthese later consequently one of the two nodes still confirmsthe existence of this link while the other one denies it Tooverride this problem the period during which those linksare considered valid should be amplified as in [41] Figure 4(c)presents the average memory usage caused by IDAR Thisusage gently fluctuates between 176MB and 222MB It is alsoworthy of mention that contrary to OLSR our system doesnot assign additional functionality toMPR (detectionmay belaunched by one another) IDAR provides an homogeneousload balancing among the nodes As illustrated in Figure 4(d)the traffic caused by IDAR is very low (under 05 for anetwork density inferior to 8) It then slowly rises to reach13 when the network density is 16 In order to understandthe slight fall when the density reaches 14 we compare theaverage number of suspicious cases with regard to a varyingdensityThis average was 708 (resp 658) with density equalsto 12 (resp 14) Consequently the number of diagnostic-related packets is smaller at a density of 14 than at a densityof 12
422 Mobility In order to isolate the influence of themobility the network density is set to 8 The detection ratefalls when the speed increases (Figure 5(a))This results fromthe ever changing topology that results in increasing thenumber of broken links and the related drops of diagnostic-related packetsHowever IDAR still provides a high detectionrate for example the average of detection rate is 707
International Journal of Distributed Sensor Networks 13
0
20
40
60
80
100
6 8 10 12 14 16
Det
ecte
d in
trus
ions
()
Density
Average detection
(a)
0
10
20
30
40
50
6 8 10 12 14 16
False
pos
itive
()
Density
Average of false positives
(b)
0
10
20
30
40
50
6 8 10 12 14 16
Mem
ory
usag
e (M
B)
Density
(c)
025 05
1
5
20
50 100
6 8 10 12 14 16Density
IDA
R ve
rsus
OLS
R tr
affic (
)
(d)
Figure 4 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network density
with a moving speed equals to 8ms (ie around 287
kilometershour equivalent to 1789mileshour) Figure 5(b)shows that the higher is the moving speed the greater it getsfalse positives mainly because of out of date feedback Infact when a node moves away some of its 1-hop neighborsare no longer neighbors but are still announced as suchand are considered as potential attackers A higher increaseof the false positive rate is observed when the node speedranges from 4ms up to 6ms because the instable nodecovering is given its transmission range which leads to anincreased update of its 1-hop neighbors The memory usage(Figure 5(c)) rises staidly from 176MB to 265MB whichis reasonable even for resource-limited devices The impactof the mobility on the bandwidth is shown in Figure 5(d)The IDAR traffic comparing to the OLSR traffic significantlygrows from 036 up to 31 for a speed ranging from 0msup to 2ms Then the bandwidth usage gradually growsand reaches almost 6 when the moving speed is equalto 8ms This is motivated by the fact that increasing thenumber of verified links leads to exchange more diagnostic-related messages in the network In order to understandthe reason behind such variable growth of IDAR trafficwe counted the number of the verified suspicious neighbor
links We found that the average number of the verified linkssignificantly grows from 452 to 2014 when the velocity risesfrom 0ms to 2ms This average then gradually grows andtakes the values 2408 3314 and 406 when the velocityequals to 4ms 6ms and 8ms respectively The limitednumber of the suspicious neighbor links when the nodesare static is justified by the fact that the attacker has alimited choice to falsify its neighbors links Instead when thevelocity is greater than 2ms there is a continuous changein the neighborhood and the attackers can attack more(diversified) targets Meanwhile the continuously changingtopology implies an increased number of investigations
43 Performance Discussion It is clear that the density of thenetwork holds less influence than the mobility on our IDSMore mobility in MANET causes more dropped diagnosticpackets and hence less diagnostic is concluded with a finalresult that is confirming or refuting the suspiciousnessHowever comparing the launched attacks to the discov-ered suspicious events shows that the majority of attacksare tagged as suspicious events and considered for furtherdiagnostic Note that the mobility has a negative influence
14 International Journal of Distributed Sensor Networks
0
20
40
60
80
100
0 2 4 6 8
Det
ecte
d in
trus
ions
()
Velocity (ms)
Average detection
(a)
0
10
20
30
40
50
0 2 4 6 8
False
pos
itive
()
Velocity (ms)
Average of false positives
(b)
0
10
20
30
40
50
0 2 4 6 8
Mem
ory
usag
e (M
B)
Velocity (ms)
(c)
025 05
1
5
20
50 100
0 2 4 6 8
IDA
R ve
rsus
OLS
R tr
affic (
)
Velocity (ms)
(d)
Figure 5 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network mobility
on all the IDSs especially the cooperative ones where thereis an exchange of evidencesalerts Table 4 provides a shortperformance comparing between IDAR and other knownIDSs that are dedicated to ad hoc routing protocol Likethe majority of these IDSs the performance of our systemis challenged against a specific attack link spoofing attackin a simulated MANET (According to [42] around 75of mobile ad hoc published papers use simulation for testissues) Two evaluation factors are common to almost all thelisted IDSs the detection ratecapacity and the positive falserate Even though it was challenged in a MANET whereinthe intruders constitute 166 (Note that this percent is the3rd highest registered percent) of the nodes IDAR providesone of the highest detection rate Regarding the positivefalse rate we can notice that several IDSs especially thosethat are dedicated to DSR protocol show better results thanour system However this latter still generates a limitednumber of false positives It is also possible to reduce thefalse positives rate by amplifying the TTL (Time To Live)parameter of a bidirectional link so as to reduce the impactof obsolete neighborhood-related information during thedetection Recall that most of the generated false positives inIDAR are generated because of the difference in the time-live
of a bidirectional link between the two ends of this link Insuch case this link will be expired in one end while the otherend will keep confirming its existence It is worthmentioningthat except our system the listed IDSs that aim to detect theattacks targeting OLSR protocol do not present neither thedetection rate nor the false positives rate But they merelyprove the capacity of detecting the addressed attack(s) Inaddition IDAR is one of the rare IDSs that are evaluated interms of resources consumption Indeed we measure boththe increment inmemory usage and traffic overhead resultingfrom detection operations IDAR triggers a small incrementin the devicesrsquomemory usage (between 176MBand 265MB)Therefore it can be tolerated by the resource-limited devicesIt further triggers the lowest traffic overhead compared to thelisted IDSs IDAR presents a good scalability and offers a highdetection rate even in the high density networks where a largeamount of routing traffic should be monitored (Figure 4(a))This scalability is reinforced by (i) the limited traffic overhead(ii) the use of routing logs so as to extract the evidencesinstead of sniffing the traffic (iii) the distributed nature ofdetection such that each node is responsible for detecting theattacks targeting it and (iv) the unnecessity of modifying theused routing protocol
International Journal of Distributed Sensor Networks 15
5 Related Work
Systems that detect intrusion targeting ad hoc routing proto-col are extremely diverse in the way they analyze intrusionThey fall into the three key categories
(i) Anomaly detection system defines the correct behav-ior of the nodenetwork so as to detect deviations tothis behavior This correct behavior is automaticallybuilt during an attackless training phase The detec-tion accuracy depends on the ability to (i) describethe correct behavior and (ii) distinguish betweenanomalous and unexpected behaviors
(ii) Specification-based detection system hand-codes thelegitimate functionoperation and then searches for aviolation to this operation
(iii) Signature-based detection system first describes theway an intruder penetrates the system by defining anintrusion signature Then any behavior that is closeto this predefined signature is flagged as intrusion
Hereafter we detail examples of each of these categoriesAnomaly-based detection constitutes the main approachused to detect attacks The IDS proposed by Zhang et al[7] constitutes a de facto standard in MANET It aims atdetecting the attempts to falsify the routes provided by theAODV [61] DSR [62] and DSDV [63] routing protocolsDuring the training phase the impact of movement on thepercentage of changes in the routing table is analyzed Notethat this movement (ie velocity direction and position)is provided by a Global Positioning System (GPS) Thenduring the operation phase an actual percentage of changesdiffering from the predicted one is defined as anomaly Inpractice the distinguishing between anomalous and normalbehaviors is provided by the Support Vector Machine (SVM)Light [64] classifier or by RIPPER [15] a rule-based engineThe hierarchical IDS proposed in [47] detects blackhole androuting request flooding attacks targeting AODV protocolHere MANET is arranged into clusters whereas the nodewith the highest residual energy and number of connectionsis elected as a cluster-head Each cluster-head monitors thetraffic inside its cluster so as to identify the abnormal valuesof (i) the percentage of changes in the routing table and (ii)the propagation of routingdata packets Such abnormalitiesare identified thanks to (1-SVM) classifier [65] a deviationof SVM that needs to be trained with either normal orabnormal scenario but not both of them In [48] (resp [66])a blackhole (and resp dropping) attack targeting AODVprotocol (resp a secured version of AODV protocol includ-ing authentication and reputation estimation) are detectedby investigating features for example the number of routerequests and route replies as well as the average difference ofsequence numbers (Largely increased sequence numbers areknown as a sign of blackhole attack) Then simple anomalydetection is applied if the distance between the actuallyobserved features and the average ones that are recorded dur-ing the training exceeds a given threshold then an intrusionis detected More sophisticated cross-features analysis (CFA)[67] is applied to detect both blackhole and packet drop-ping on AODV and DSR protocols Features including for
example the reachability between 2 nodes and the numberof delivered packets are analyzed within time windows Thisanalysis attempts to quantify the relation existing betweenone feature 119891
119894and the others 119891
1 119891
119894minus1 119891119894+1 119891
119896(with
119896 + 1 defining the number of features analyzed) During theoperation phase the probability of matching between theobserved feature 1198911015840
119894and the predicted feature 119891
119894 which is
established based on 11989110158401 119891
1015840
119894minus1 1198911015840
119894+1 119891
1015840
119896 is calculated by
a decision tree classifier named C45 [68] An anomaly refersto an average of matching probability fewer than a giventhreshold CFA and C45 are also used in [69] with traffic-related features (eg number of receivedtransferred packets)and OLSR- or AODV-related features (eg MPR updates forthe former and route discovery for the latter) A modifiedMarkov chain-based IDS is proposed in [58] so as to detectroute disruption attack targeting DSR protocol Here thedetection depends on identifying unpredicted value of twofeatures the percentage of changes in the number of routesand the percentage of changes in the number of hops Inpractice a Markov chain is based on the immediate previous119899 consecutive values of a feature as to predict the (119899 + 1)thvalue If the difference between a predicted and an observedvalue exceeds a given threshold an intrusion is concluded
Rather than establishing automatically a correct behaviorspecification-based detection system hand-codes the correctbehavior of the routing protocols based on the protocol spec-ification (IETF draft or RFC) Then the system attempts todetect a violation of constraints circumventing this behaviorFour key constraints define the correct behavior of OLSR([14 70])
(1) Neighbor relationmust be reciprocal (ie 2 neighborsmust hear the hello message sent by each other)
(2) TheMPRs and the nodes that select theMPR (ie theMPR selectors) must be adjacent
(3) A node that finds itself advertised as a MPR selectorin a TCmessage must be adjacent to the originator ofthis message
(4) Nodes receive TC messages without modificationsfromMPR(s)
Each node sniffs the traffic in its radio range so as todiscover the violations of any of the above constraints Theseconstraints are modeled by semantic properties in [70] (resprules in [14]) so as to detect link spoofing attack on TC(and resp hello messages) both experiment an ability todetect a link spoofing by observing a violation of the thirdcondition over a simulated network composed of 11 nodesFinite-state machines are used to describe similar constraintson OLSR [41] and the behavior of AODV protocol [52 71]In [41] a centralized detection of link spoofing man-in-the-middle and deny of service attack is performed While in[52 71] incorrect hop countssequence numbers are analyzedby distributed sensors which sniff and group the packets perrequest-reply flow so as to estimate the forwarding path perflow If a route requestreply is illegallymodified or forwardedvia a nonexpected path then an alarm is triggered In [60]similar FSMs are used to define constraints on both the routediscovery in AODV and the packet forwarding operations
16 International Journal of Distributed Sensor Networks
Table4Com
parin
gID
ARperfo
rmance
with
otherIDSs
IDS
Routing
protocol
Num
bero
fno
des
Intrud
ers
()
Moving
speed
Detectio
nrate
False
positives
rate
Increm
entinmem
ory
usage
Increm
entintraffi
coverhead
IDAR
OlSR
30166
0ndash8m
s707ndash963
0ndash132
176ndash
265MB
478ndash6215KB
(036
ndash597
ofOlSRtraffi
c)
[43]
OlSR
303366
10
mdashmdash
mdashmdash
6ndash12
ofOlSR
traffi
c[41]
OlSR
1010
0ms
Detectio
nispo
ssible
mdashmdash
mdash[44]
OlSR
7143
0ms
Detectio
nispo
ssible
mdashmdash
mdash[45]
OlSR
520
0ms
Detectio
nispo
ssible
mdashmdash
mdash[14
]OlSR
119
0ms
Detectio
nispo
ssible
mdashmdash
mdash[46]
AODV
3033
0ndash5m
s3067ndash90
0ndash20
mdashmdash
[47]
AODV
502
0ndash20
ms
90
5
mdashmdash
[48]
AODV
3033
1ndash20
ms
70ndash82
12ndash18
mdashmdash
[49]
AODV
2050
10
1ndash10ms
964ndash9
87
079ndash093
mdash900k
B
[50]
AODV
5238
0ndash20
ms
(Fixed
IDSs)
100
0ndash0
6
mdashmdash
[51]
AODV
521
20238
0ndash10ms
50ndash100
0ndash30
mdashmdash
[52]
AODV
30mdash
0ndash20
ms
70ndash100
05
ndash15
mdashmdash
[53]
AODV
50Ra
ndom
0ndash20
ms
79plusmn10ndash92plusmn3
5plusmn1ndash32plusmn8
mdashmdash
[54]
AODV
102050
mdash0ndash
10ms
0ndash100
0ndash≫100
02ndash06
mdash[55]
AODV
20ndash200
mdash0ndash
20ms
30ndash9
50ndash16
mdashmdash
[56]
AODV
50mdash
1ndash20
ms
998ndash100
083ndash846
mdashmdash
[7]
AODV
mdashmdash
mdash8848plusmn414ndash971plusmn032
145plusmn072ndash202plusmn627
mdashmdash
DSD
Vmdash
mdashmdash
8523plusmn328ndash9061plusmn299
537plusmn310ndash263plusmn549
mdashmdash
DSR
mdashmdash
mdash852plusmn238ndash991plusmn037
003plusmn004ndash153plusmn408
mdashmdash
[57]
DSR
5040
0ndash20
ms
mdashmdash
mdash11ndash313
of
data
traffi
c[58]
DSR
3033
3ndash5m
s60ndash100
25
ndash50
mdashmdash
[59]
DSR
30mdash
mdash75
12
mdashmdash
[60]
DSR
502
0ndash20
ms
837ndash9
74
13ndash72
mdashmdash
International Journal of Distributed Sensor Networks 17
A signature-based system distinguishes itself by model-ing the misbehavior (rather than the correct behavior) soas to identify if a sequence of observed events matchingan intrusion signature AODVSTAT [54] uses state-basedsignatures in order to detect dropping and spoofing attacksalong with network flooding Few sensors sniff the traffic andmatch it against predefined signatures They also exchangeperiodically MAC and IP addresses so as to detect an identityspoofing which is characterized by a node emitting a packetidentified by MAC and IP addresses differing from thoseregistered for this node A dropping attack refers to a nodethat fails to replay route requestreply Finally a node sendinga number of packets exceeding a given threshold is identifiedas willing to exhaust resources In [45] intrusion signaturesare specified in opposition to the legitimate behavior of OLSRdepicted in conjunction with specification rules similar tothose defined in [70] In particular a node 119873 mistrusts twoneighbors 119871 and 119872 that conform to the following rules119872 advertises 119871 as a neighbor while 119871 does not advertise119872 as a neighbor (or reciprocally) both 119871 and 119872 send TCmessages while 119871rsquos neighbors are a subset of 119872rsquos neighbors(or reciprocally) In addition 119873 mistrusts 119872 if 119873 which isnot a neighbor of 119872 finds itself as a MPR selector in a TCof 119873 (constraint 3) In [44] a FSM is employed to modelthe signature of hello message fabrication in OLSR protocolin an agent-based IDS In practice each node uses a SimpleNetworkManagement Protocol (SNMP) agent so as to collectaudit data from the Management Information Base (MIB)After that events are extracted from the collected audit dataand are matched to the attack signatureThe addressed attackaims at breaking the link between a victim node and itsneighbors and thus a DoS takes place To that end theattacker impersonates the identity of the victim and sends afake hello message advertising one of the victim symmetricneighbors with lost link status Upon receiving the fabricatedmessage the neighbor changes the status of its link withthe victim to ldquoheardrdquo and stops routing packets through thevictim
51 Synthesis and Discussion A great majority of the litera-ture is focused on anomaly detectionwhile scarce effort inves-tigates specification- and signature-based intrusion Thisnaturally calls for consolidating the effort on specification-and signature-based detection while following the habitus ofwired network which consists in coupling these detectionsystems with one another for example in [72] wherein acombination of anomaly- and signature-based detection isrealized so as to increase the detection rate Almost all ofthe IDS focuses only on the detection accuracy that isproviding a high detection rate along with limited falsealarms However they do not consider the criticality ofmaintaining the resources and henceforth extending thelifetime of the nodenetwork Our IDS takes into account thenecessity of reducing to minimum both the communicationand computation overload related to intrusion identificationThe absolute majority of the IDSs is simulated (including thesystem we are proposing) rather than being either developedor experimented on testbeds or relying on empirical data
The reason that explains this situation is twofold Firstthe deployment of critical MANET is limitednot adver-tised Second to the best of our knowledge experiences ofintrusion in MANETs are not reported intrusions are infact developedsimulated as proofs of concept Neverthelessnot only routing protocols but also the characterization ofthe intrusion together leverage on the experience gained indesigning routing protocols for wired networks and deal-ing with related misbehaviors In particular the similarityexisting between the OSPF and OLSR protocols implies thatmany threats (eg sequence numbers identity spoofing) areshared In other words intrusion may be inspired from theone targeting wired networks Meanwhile the developmentof intrusion detection and the envisioning of attacks areaccelerated
6 Conclusion
We survey and classify the attacks that target ad hoc routingprotocols focusing on theOLSRprotocol In order to facilitatethe definition of intrusion signatures we extend a descriptionmodelmdashan attack is expressed as the preconditions andthe resulting consequencesmdashand enrich it with temporalannotations Once hand-coded these signatures are utilizedby IDAR a log-based distributed intrusion detection systemdedicated to operate in mobile ad hoc networks IDARdistinguishes itself by analyzing the logs generated by arouting protocol and extracts intrusion evidences so as tocompare these latter against predefined intrusion signaturesFor this purpose evidences are categorized into four groupsaccording to their degree of suspiciongravity and hence totheir ability to activatedeactivate the diagnostic We furtherdevelop a link spoofing attack on the OLSR protocol buildthe related detection rules and evaluate the performancesof IDAR relying on the NS3 simulator coupled with LXCvirtual machines Overall the experiments figure out ahigh rate of intrusion detection and low false positivesrate even under increased mobility and density Meanwhileresource consumption and network overhead result from thediagnostic are low and adapted to the resource-constraineddevices Note that ongoing effort is provided as to evaluateIDAR in a real MANET consisting of resource-constraineddevices Still detecting intrusion is not a trivial task due tothe large number of evidences to tackle and the resource-consuming diagnostic A compromise between detectionaccuracy and resource consumption could be found For thispurpose we are working on a new statistical mechanism forgathering the evidences This mechanism aims at enhancingthe scalability of our system by restricting the interrogationto a limited subset of nodes during the diagnostic Moreoveruntil now we assume that honest parties are passive theyalarm others but do not react We are considering thecoupling with countermeasures (eg blacklisting) and theexploring of lightweight binary consensus and trust estab-lishment among the nodes that participate in the intrusiondetection
18 International Journal of Distributed Sensor Networks
References
[1] Z Zhao H Hu G Ahn and R Wu ldquoRisk-aware mitigation formanet routing attacksrdquo IEEE Transactions on Dependable andSecure Computing vol 9 no 2 pp 250ndash260 2012
[2] B Sun L Osborne Y Xiao and S Guizani ldquoIntrusion detectiontechniques in mobile ad hoc and wireless sensor networksrdquoIEEE Wireless Communications vol 14 no 5 pp 56ndash63 2007
[3] S Sesay Z Yang and J He ldquoA survey onmobile ad hoc wirelessnetworkrdquo Information Technology Journal vol 3 no 2 pp 168ndash175 2004
[4] P Brutch and C Ko ldquoChallenges in intrusion detection forwireless ad-hoc networksrdquo in Proceedings of the Symposium onApplications and the Internet Workshops (SAINT rsquo03) pp 368ndash373 2003
[5] S Khan N Alrajeh and K Loo ldquoSecure route selection inwireless mesh networksrdquo Computer Networks vol 56 no 2 pp491ndash503 2012
[6] S Corson and J Macker ldquoMobile ad hoc networking (manet)routing protocol performance issues and evaluation considera-tionsrdquo IETF RFC2501 1999
[7] Y Zhang W Lee and Y Huang ldquoIntrusion detection tech-niques for mobile wireless networksrdquoWireless Networks vol 9no 5 pp 545ndash556 2003
[8] B C Cheng and R Y Tseng ldquoA context adaptive intrusiondetection system for MANETrdquo Computer Communications vol34 no 3 pp 310ndash318 2011
[9] T Eissa S A Razak and M D A Ngadi ldquoTowards providinga new lightweight authentication and encryption scheme forMANETrdquoWireless Networks vol 17 no 4 pp 833ndash842 2011
[10] A Irshad W Noshairwan M Shafiq S Khurram E Irshadand M Usman ldquoSecurity enhancement for authentication ofnodes in MANET by checking the CRL status of serversrdquoCommunications in Computer and Information Science vol 78pp 86ndash95 2010
[11] D E Denning ldquoAn intrusion-detection modelrdquo IEEE Transac-tions on Software Engineering vol 13 no 2 pp 222ndash232 1987
[12] T Clausen and P Jacquet ldquoOptimized link state routing proto-col (OLSR)rdquo IETF Experimental RFC 3626 2003
[13] P Albers O Camp J Percher et al ldquoSecurity in ad hoc networksa general intrusion detection architecture enhancing trust basedapproachesrdquo 2002
[14] F Cuppens N Cuppens-Boulahia S Nuon and T RamardldquoProperty based intrusion detection to secure OLSRrdquo in Pro-ceedings of the 3rd International Conference on Wireless andMobile Communications (ICWMC rsquo07) Guadeloupe FranceMarch 2007
[15] W Cohen ldquoFast effective rule inductionrdquo in Proceedings of theInternational Conference onMachine Learning (ICML rsquo95) 1995
[16] S Sarafijanovic and J-Y le Boudec ldquoAn artificial immunesystem for misbehavior detection in mobile ad-hoc networkswith virtual thymus clustering danger signal and memorydetectorsrdquo in Proceedings of the 3rd International Conference onArtificial Immune Systems (ICARIS rsquo04) 2004
[17] S Sen and J Clark Intrusion Detection in Mobile Ad HocNetworks in Guide to Wireless Ad Hoc Networks SpringerLondon UK 2009
[18] D Subhadrabandhu S Sarkar and F Anjum ldquoA Framework formisuse detection in ad hoc networksmdashpart IIrdquo IEEE Journal onSelected Areas in Communications vol 24 no 2 pp 290ndash3032006
[19] L M Feeney and M Nilsson ldquoInvestigating the energyconsumption of a wireless network interface in an ad hocnetworking environmentrdquo in Proceedings of the 20th AnnualJoint Conference of the IEEE Computer and CommunicationsSocieties pp 1548ndash1557 April 2001
[20] A P Lauf R A Peters and W H Robinson ldquoA distributedintrusion detection system for resource-constrained devices inad-hoc networksrdquo Ad Hoc Networks vol 8 no 3 pp 253ndash2662010
[21] N A Alrajeh S Khan J Lloret and J Loo ldquoSecure routingprotocol using cross-layer design and energy harvesting inwireless sensor networksrdquo International Journal of DistributedSensor Networks vol 2013 Article ID 374796 11 pages 2013
[22] S Sen J Clark and J Tapiador Security Threats in MobileAd Hoc Networks I S of Self-Organizing Networks AuerbachPublications 2010
[23] P Ning and K Sun ldquoHow to misuse AODV a case study ofinsider attacks againstmobile ad-hoc routing protocolsrdquoAdHocNetworks vol 3 no 6 pp 795ndash819 2005
[24] T Clausen C Dearlove P Jacquet and U Herberg ldquoTheoptimized link state routing protocol version 2rdquo IETF ActiveInternet-Draft Draft-Ietf-Manet-Olsrv2-15 2012
[25] U Herberg and T Clausen ldquoSecurity issues in the optimizedlink state routing protocol version 2 (olsrv2)rdquo InternationalJournal of Network Security amp Its Applications vol 2 no 2 2010
[26] YOwada TMaenoH Imai andKMase ldquoOLSRv2 implemen-tation and performance evaluation with link layer feedbackrdquo inProceedings of the International Wireless Communications andMobile Computing Conference (IWCMC rsquo07) pp 67ndash72 Newyork NY USA August 2007
[27] F Hong L Hong and C Fu ldquoSecure OLSRrdquo in Proceedingsof the 19th International Conference on Advanced InformationNetworking and Applications (AINA rsquo05) pp 713ndash718 March2005
[28] LNAMHegland P Spilling andQKure ldquoHybrid protectionof olsrrdquo in Electronic Notes in Theoretical Computer Science2006
[29] P Kunwar S Sofat and D Bansal ldquoComparison of secure olsrrouting protocolrdquo International Journal of Engineering Sciencevol 3 no 6 p 5049 2011
[30] A Adnane C Bidan and R T de Sousa Junior ldquoTrust-basedcountermeasures for securing OLSR protocolrdquo in Proceedingsof the 7th IEEEIFIP International Conference on Embedded andUbiquitous Computing (EUC rsquo09) pp 745ndash752 August 2009
[31] B Wu J Chen J Chen J Wu and M Cardei ldquoA survey ofattacks and countermeasures in mobile ad hoc networksrdquo inWireless Network Security Springer New York NY USA 2007
[32] C Adjih D Raffo and P Muhlethaler ldquoAttacks against OLSRdistributed key management for securityrdquo in Proceedings of theOLSR Interop Workshop 2005
[33] G CerveraM Barbeau J Garcia-Alfaro and E Kranakis ldquoMit-igation of topology control traffic attacks in OLSR networksrdquoin Proceedings of the 5th International Conference on Risks andSecurity of Internet and Systems (CRiSIS rsquo10) October 2010
[34] P M Jawandhiya M M Ghonge M S Ali et al ldquoA surveyof mobile ad hoc network attacksrdquo International Journal ofEngineering Science and Technology vol 2 no 9 pp 4063ndash40712010
[35] L M Feeney ldquoAn energy consumption model for performanceanalysis of routing protocols for mobile ad hoc networksrdquoMobile Networks and Applications vol 6 no 3 pp 239ndash2492001
International Journal of Distributed Sensor Networks 19
[36] G Riley and T Henderson ldquoThe ns-3 network simulatorrdquo inModeling and Tools for Network Simulation Springer BerlinGermany 2010
[37] S Bhattiprolu E Biederman S Hallyn et al ldquoVirtual serversand checkpointrestart inmainstream linuxrdquo SIGOPSOperatingSystems Review vol 42 no 5 pp 104ndash113 2008
[38] J Zhang J Xing and Z Qin ldquoTaprouter an emulatingframework to run real applications on simulated mobile adhoc networkrdquo in Proceedings of the 44th Annual SimulationSymposium (ANSS rsquo11) pp 39ndash46 2011
[39] D Broyles A Jabbar and J P G Sterbenz ldquoDesign andanalysis of a 3-d gauss-markov mobility model for highly-dynamic airborne networksrdquo in Proceedings of the InternationalTelemetering Conference (ITC rsquo10) San Diego CA USA 2010
[40] J Haerri F Filali and C Bonnet ldquoPerformance comparisonof AODV and OLSR in vanets urban environments underrealistic mobility patternsrdquo in Proceedings of the IFIP Med-Hoc-Net Workshop 2006
[41] C H Tseng T Song P Balasubramanyam C Ko and K LevittldquoA specification-based intrusion detection model for OLSRrdquoRecent Advances in Intrusion Detection vol 3858 pp 330ndash3502006
[42] S Kurkowski T Camp and M Colagrosso ldquoManet simulationstudies the incrediblesrdquo SIGMOBILE Mobile Computing andCommunications Review vol 9 no 4 pp 50ndash561 2005
[43] A Abdalla I Saroit A Kotb et al ldquoMisbehavior nodesdetection and isolation for MANETs OLSR protocolrdquo ProcediaComputer Science vol 3 pp 115ndash121 2011
[44] R Puttini J Percher L Me et al ldquoA modular architecture fordistributed ids in manetrdquo in Proceedings of the InternationalConference on Computational Science and Its Applications III2003
[45] A Adnane R T de Sousa L Me and C Bidan ldquoAutonomictrust reasoning enables misbehavior detection in OLSRrdquo inProceedings of the 23rd Annual ACM Symposium on AppliedComputing (SAC rsquo08) pp 2006ndash2013 March 2008
[46] W Wang H Man and Y Liu ldquoA framework for intrusiondetection systems by social network analysis methods in ad hocnetworksrdquo Security and Communication Networks vol 2 no 6pp 669ndash685 2009
[47] H Deng R Xu J Li F Zhang R Levy and W Lee ldquoAgent-based cooperative anomaly detection for wireless ad hoc net-worksrdquo in Proceedings of the 12th International Conference onParallel and Distributed Systems (ICPADS rsquo06) pp 613ndash620 July2006
[48] S KurosawaHNakayamaN Kato et al ldquoDetecting blackholesattack on AODV-based mobile ad hoc networks by dynamiclearningmethodrdquo International Journal of Network Security vol5 no 3 pp 338ndash346 2007
[49] WWang HWang BWang et al ldquoEnergy-aware and selfadap-tive anomaly detection scheme based on network tomographyin mobile ad hoc networksrdquo Information Sciences vol 220 pp580ndash602 2013
[50] M-Y Su ldquoPrevention of selective black hole attacks on mobilead hoc networks through intrusion detection systemsrdquo Com-puter Communications vol 34 no 1 pp 107ndash117 2011
[51] N Marchang and R Datta ldquoCollaborative techniques for intru-sion detection in mobile ad-hoc networksrdquo Ad Hoc Networksvol 6 no 4 pp 508ndash523 2008
[52] B V R N Yadav B Satyanarayana and O B V RamanaiahldquoAn efficient intrusion detection system for mobile ad hoc net-worksrdquo in Emerging Trends in Computing Informatics Systems
Sciences and Engineering vol 151 Springer New York NYUSA 2013
[53] Y Huang and W Lee ldquoAttack analysis and detection for ad hocrouting protocolsrdquo in Recent Advances in Intrusion Detectionvol 3224 Springer Berlin Germany 2004
[54] G Vigna S Gwalani K Srinivasan E M Belding-Royer andR A Kemmerer ldquoAn intrusion detection tool for AODV-basedad hoc wireless networksrdquo in Proceedings of the 20th AnnualComputer SecurityApplications Conference (ACSAC rsquo04) pp 16ndash27 December 2004
[55] M Ayachi C Bidan and N Prigent ldquoA trust-based ids for theaodv protocolrdquo in Information and Communications Securityvol 6476 pp 430ndash444 2010
[56] S Sen and J A Clark ldquoA grammatical evolution approach tointrusion detection on mobile ad hoc networksrdquo in Proceedingsof the 2nd ACMConference onWireless Network Security (WiSecrsquo09) pp 95ndash102 March 2009
[57] S Marti T J Giuli K Lai and M Baker ldquoMitigating routingmisbehavior in mobile ad hoc networksrdquo in Proceedings of the6th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo00) pp 255ndash265 August 2000
[58] B Sun K Wu and U Pooch ldquoRouting anomaly detection inmobile ad hoc networksrdquo in Proceedings of The 12th Interna-tional Conference on Computer Communications and Networks(ICCCN rsquo03) 2003
[59] S Bose S Bharathimurugan and A Kannan ldquoMulti-layerintegrated anomaly intrusion detection system for mobileadhoc networksrdquo in Proceedings of the International Conferenceon Signal Processing Communications and Networking (ICSCNrsquo07) pp 360ndash365 February 2007
[60] P Yi Y Zhong and S Zhang ldquoA novel intrusion detectionmethod for mobile ad hoc networksrdquo in Advances in GridComputing vol 3470 pp 1183ndash1192 Springer Berlin Germany2005
[61] C Perkins E Belding-Royer and S Das ldquoAd hoc on-demanddistance vector (AODV) routingrdquo IETF Experimental RFC3561 2003
[62] D Johnson and D Maltz ldquoDynamic source routing in ad hocwireless networksrdquo in Mobile Computing pp 153ndash181 KluwerAcademic 1996
[63] C Perkins and P Bhagwat ldquoHighly dynamic destinationse-quenced distance-vector routing (dsdv) for mobile computersrdquoin Proceedings of the Conference on Communications Architec-tures Protocols and Applications (SIGCOMM rsquo94) vol 24 pp234ndash244 1994
[64] T JoachimsMaking Large-Scale Support VectorMachine Learn-ing Practical MIT Press Cambridge Mass USA 1999
[65] Y Yajima and T Kuo ldquoEfficient formulations for 1-svm and theirapplication to recommendation tasksrdquo Journal of Computersvol 1 no 3 pp 27ndash34 2006
[66] L Bononi and C Tacconi ldquoIntrusion detection for secureclustering and routing inMobileMulti-hopWirelessNetworksrdquoInternational Journal of Information Security vol 6 no 6 pp379ndash392 2007
[67] Y Huang W Fan W Lee et al ldquoCross-feature analysis fordetecting ad-hoc routing anomaliesrdquo in Proceedings of the 23rdInternational Conference on Distributed Computing Systems(ICDCS rsquo03) pp 478ndash487 May 2003
[68] J Quinlan C4 5 Programs for Machine Learning MorganKaufmann Boston Mass USA 1993
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
6 International Journal of Distributed Sensor Networks
[33] For this purpose (Expression 8) 119868 forges a TopologyControl (TC) message including an incorrect set of 1-hopsymmetric neighbors that have selected 119868 as MPR (so-calledMPR selector set) Depending on the level of redundancyrequired a MPR advertises
(1) the MPR selector(s) SelMPR119868
of 119868(2) the MPR selector(s) along with the MPR of 119868
SelMPR119868
cupMPR119868
(3) the 1-hop neighbors 119873119878119868of 119868 (hence including the
MPR selectors and the MPR of 119868)
LetA119868represent the set advertised in the TC messageA
119868=
SelMPR119868
or (SelMPR119868
cupMPR119868) or 119873119878
119868 This attack consists in 119868
advertising an incorrect setA1015840119868differing from the real oneA
119868
119868
TC(A1015840119868)119905997888997888997888997888997888997888rarr 119878A
1015840
119868=A119868
dArr
119868 isin I
(8)
In particular possible falsifications lie in either 119868 insertinga non-existing node or inserting an existing node but non-MPR selector or omitting a node belonging to A
119868 Upon
the reception of a falsified TC message routing table iscorrupted This corruption contaminates the OLSR networkand also any interconnected routing domain Indeed anode well-behaving or not acting as a gateway exports thewrong OLSR routes Symmetrically an intruder may alsoimport incorrect routes to the OLSR domain This latterattack termed sinkhole involves an intruder 119868 defining itselfas a gateway that provides an access to associated host(s)andor network(s) This gateway generates periodically aHNA message including those host(s) andor network(s)(ie the related address(es) and netmask(s)) This attackconstitutes a generalization of the previously defined forgingof corrupted TC messages a node advertises either non-existing or existing but unreachable nodes or omits advertis-ing reachable nodesThe similarity with the TC active forginglead us not detailing it hereafter
The aforementioned forge attacks (eg link or routespoofing attacks sinkhole) necessitate to tamper specificmessage fields while keeping this message syntactically cor-rect More generally bogus control messages can be forgedhence creating an implementation-dependent effect Gener-ally speaking similar tampering may be performed by anintruder that has acted as MPR prior forwarding a falsifiedcontrol message
223 Modify and Forward Attacks Modify and forwardattacks are characterized by an intermediate which capturesthe victimrsquos control message and replays modifies or dropsthis message before forwarding it In the following we depictthe two former cases ignoring the message dropping that hasbeen already described Replaying a control message includesdelaying the emission of this message by recording andforwarding it later (potentially in another area) or repeatingthis message As a consequence routing tables are updated
based on obsolete information Note that each messagecontains a field indicating the period of time during whichthis message is considered as valid and hence it is used toupdate the routing table Both attacks can be systematic (ietargeting anymultihops control traffic) or selectiveTheymayalso be performed in a distributed manner (Expression 9)with two intruders one recording the control message fromone region so as to replay it in another region (ie the oneof the colluding intruder) Without loss of generality let 119868
1
(resp 1198682) be the node that records it (resp replays it)
119878CM(119878)
119905
997888997888997888997888997888rarr 1198681 1198681
CM(119878)997888997888997888997888997888rarr
enc1198682 1198682
CM(119878)1199051015840
997888997888997888997888997888997888rarr 119884
119878 notin 119873119878119884 998810119905 le
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
dArr
119878 isin 119873119878119884
dArr
1198681 1198682isin I
(9)
In practice 1198681tunnels the control traffic by for example
encrypting the routing message andor relying on an alter-native network interface (that may be advertised or not)Then 119868
2replays it This attack leads to the creation of a
wormhole whose length depends on the distance separatingthe two intruders Note that in order to stay invisible both1198681and 1198682may keep the identification field unchanged the
source is 119878 rather than 1198681or 1198682 This possibility corresponds
to a masquerading Sequence numbers constitute a standardmechanism that provides protection against replay attacksgiven that the sequence delivery is not required by OLSRIn counterpart their usage can be hijacked so that thedestination drops the message rather than using it In prac-tice an intruder 119868 increases (a wraparound mechanism isimplemented when the sequence number reaches an extremeboundary it is reset to zero) (resp decreases) the value
of the sequence number sq (119878CM(119878)
119905sq997888997888997888997888997888997888997888rarr 119868 119868
CM(119878)1199051015840sq1015840
997888997888997888997888997888997888997888997888rarr
sq1015840 = sq) so that the destination assumes that 119878 is providingthe freshest (resp an obsolete) route and therefore ignoresthe subsequent (resp the actual) control message(s)
119878
CM(119878)119905sq
997888997888997888997888997888997888997888rarr 119868 119868
CM(119878)1199051015840sq1015840
997888997888997888997888997888997888997888997888rarr sq1015840 = sq 100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
dArr
119868 isin I
(10)
An intruder 119868 may also corrupt the routing table by mali-ciouslymodifying a received controlmessage before forward-ing it This modification consists in tampering either thecontents of themessage or the identification of its sourceTheformer case is similar to the forge attack described abovewherein the intruder tampers the MPR selector set in TCmessage theOLSR routes inHNAmessage or the interface(s)identification in MID message While in the latter case anintruder 119868 forwards the packet containing the control mes-sage without changing the source address [34] Consequently
International Journal of Distributed Sensor Networks 7
two nodes consider themselves as 1-hop neighbors whereasthey are not in the communication range of each otherAn intruder may also disrespect the flooding mechanism inOLSR This happens when the intruder retransmits a controlmessage that is received from a non-MPR selector node [32]
119868 notin MPR119878 119878
CM119905
997888997888997888rarr 119868 119868
CM1199051015840
997888997888997888997888rarr100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
dArr
119868 isin I
(11)
Overall attacks targeting OLSR protocol are classifiedinto 3 types
(i) drop attack that consists in totally or selectivelydropping the controlmessages for example droppingTC message in order to foil route calculation
(ii) active forge attack that attempts to poison OLSRrsquosfunctionalities by introducing novel deceptive controlmessage for example a hello message including anincorrect neighbor set so as to foil MPR selection
(iii) modify and forward attack lies in an intruder thatcaptures and modifies a control message before for-warding it (eg increasing the sequence number of aTC message hence the subsequent TC messages areignored)
An intruder launches the attack either in a standalonemanner or in collusion with other intruder(s) constitutingwhat so-called a Byzantine attack (eg wormhole) togetherusually coupled with masquerading Detecting these attacksis far to be a trivial task because a minor deviation on anattack makes it undetectable In addition an attack can becomposed of several subattacks In order to tackle theseissues we describemodel the attack as general as possiblehence circumventing possible deviationsWe then propose anintrusion detection system that detects composed attacks asmuch as their parties
3 Intrusion Detection
We propose a distributed log- and signature-based intrusiondetection system named IDAR In addition to providing ahigh detection accuracy IDAR aims tomaintain the availableresources in MANET For this purpose the evidences ofattack are extracted from the log and further classifiedaccording to their level of gravity Such classification helpsin planning the diagnostic and henceforth minimizing thecomputation overhead related to attack identificationDuringthe diagnostic evidences arematched to predefined intrusionsignatures The establishment of an intrusion signature andfurther the diagnostic operation are exemplified with the linkspoofing attack we purposely developed
31 Resource-Aware Evidence Gathering IDAR distinguishesitself from other IDSs by extracting the signs of attack fromthe logs instead of sniffing the traffic Thus the consumptionof energy and computational power resulting from evidence
minus600
minus400
minus200
0
200
400
600
800
0 200 400 600 800 1000Size (bytes)
Promiscuous overhearing sender and receiverPromiscuous overhearing senderPromiscuous overhearing receiverNonpromiscuous overhearing sender and receiverNonpromiscuous overhearing senderNonpromiscuous overhearing receiver
Ener
gy (u
Wlowast
s)Figure 1 Energy consumption in promiscuous and nonpromiscu-ous modes
gathering and analyzing is minimized In fact sniffing trafficnecessitates that the wireless network interface stays in modepromiscuous at all time thus the node can overhear all thepackets within its transmission range But promiscuousmodeleads to consuming more energy and hence reducing rapidlythe lifetime of the nodenetwork Indeed a nondestinationnode in the radio range of either the sender or the receiveroverhears some or all of their traffic For the IEEE 80211MAC protocol a nondestination node in discarding (ienonpromiscuous) mode can enter into a reduced energyconsumption mode and discard othersrsquo traffic [35] Suchmode requires less energy than the idle mode which is thedefault mode in ad hoc network While a nondestinationnode operating in promiscuous mode listens to all the trafficwhether or not it is the intended destination The traffic isfurther received as if it was a broadcast traffic thus additionalenergy consumption is associated with promiscuous modeoperation Figure 1 represents a part of the experimentalmeasurements realized in [19] about the energy consumptionof an IEEE 80211 2Mbps wireless card It shows the signifi-cant difference in energy consumption between promiscuousand nonpromiscuous modes Note that the consumption inthe nonpromiscuous mode is negative because it requiresless energy than the reference idle mode Besides increasingthe amount of consumed energy sniffing traffic imposes ahuge computational overhead [20] Indeed the packet-levelanalysis which is applied on the sniffed packets strainssignificantly the available resources that ismemory andCPUprocessing Moreover since all the traffic in the radio rangeis sniffed many of the analyzed packets would be redundantand add nothing to the detection In order to avoid thispermanent strain of resources IDAR does not sniff the trafficbut it rather collects periodically the local logs In particularit focuses on the portion of logs that characterizes the
8 International Journal of Distributed Sensor Networks
activities of the routing protocol (eg packet reception MPRselection) Note that additional logs for example system-security-related logs could be integrated and correlatedOnce parsed a log is used so as to detect a sign of suspiciousactivityThis consists inmatching the log against a predefinedintrusion signature An intrusion signature is thought as apartially ordered sequence of events that characterizes anintrusion Such procedure is potentially not only memorybut also bandwidth consumer Indeed it involves examininglocal logs as well as performing an in-depth diagnostic whereother nodes are requested so as to collect additional attackevidences correlate and match them against the definedintrusion signatures The in-depth diagnostic offers a globalview about the suspicious nodes and therefore it increasesthe accuracy of the detection But it is a costly operation interms of resources Thus the in-depth diagnostic must becarefully planned that is should be initiated only when asufficient degree of suspicion exists and terminated as soon asa result is obtained For this purpose we propose to classifyattack evidences so that depending on their level of gravitythe in-depth diagnostic may be performed According to ourclassification an evidence falls into one of the following fourgroups
(i) Initial-evidence group contains the evidences that leadto launch an in-depth diagnostic over the network
(ii) Suspicious-evidence group contains the evidences thatlead to identify a node as suspicious
(iii) Confirmed-evidence group contains the evidences thatconfirm the occurrence of an attack This results interminating the diagnostic and declaring the suspi-cious node as intruder
(iv) Cancel-evidence group contains the evidences thateliminate the suspicion and stop the diagnostic
These groups are populated with the evidences that areextracted from the log If an evidence belonging to the initial-evidence group is discovered then an in-depth diagnosticis launched so as to confirm (ie discovering an evidencebelonging to confirmed-evidence group) or infirm (ie dis-covering an evidence belonging to the cancel-evidence group)the intrusion both lead to the termination of the diagnosticRelying on these groups the evolution of any attack and itsrelated detection is easily followed In addition its compactform facilitates the lightweight discovering of long-termintrusions
32 Link Spoofing Attack A link spoofing attack lies infalsifying hello message(s) so as to modify the local topologyperceived by adjacent nodes This attack influences the MPRselection In particular this attack owns a global impactthe MPR position provides to the intruder the possibility toeavesdrop tamper misrelay or drop the traffic As discussedin Section 2 (and further detailed in Expression 4) anintruder realizes a link spoofing attack through one of thefollowing three cases
(1) It advertises a non-existing and symmetric nodeThus the intruder guarantees (unless another attacker
advertises the same non-existing node) being selectedas a MPR because this non-existing node is uniquelycovered by the intruder
(2) It advertises existing but nonneighboring node(s)The intruder is selected as a MPR if the advertisednode(s) is (are) not already covered by another (well-behaving or malicious) MPR
(3) It keeps under wraps neighboring and symmetricnode(s) In this case the connectivity of the intruderand consequently its chance of being selected asa MPR are both decreased Used in a standalonemanner this attack aims to decrease the connectivityof one or several nodes a complete isolation necessi-tates that no other (well-behaving) MPR covers thatnode(s)
We develop an attack (Expression 12) wherein an intruderfalsifies a hello message that contains both a non-existingnode (Case 1) and existing but non-neighboring nodes (Case2) The reason that motivates this choice is twofold First byadvertising a nonexisting node 119873 119868 ensures being selectedas a MPR by the victim 119878 (exist119873 isin 119873119878
1015840
119868ni 119873 notin N cap 119873119878
119868)
Note that with the last versions of the RFC a node (iepotentially an intruder) may dictate its selection as a MPRby advertising (in a hello message) its high willingness torelay messages Nevertheless previous versions (and theirrelated implementations) ignore this case Regardless of theversion of the protocol our intruder (as aforementionedpreviously) guarantees being selected as MPR by advertisinga nonexisting and symmetric node Second by announcingcommon neighbors with another node 119871 (Case 2) 119868 increasesthe probability that 119871 is not selected as a MPR (119868 replacing119871) and henceforth increases its proper ascendancy Note thatthe attack we developed does not consider the third casethat involves the reduction of the intruderrsquos connectivityNevertheless attack signature deals with it
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119873 isin 1198731198781015840
119868ni 119873 notinN cap 119873119878
119868
exist119871 isin MPR119878ni [119873119878
119871 119873119878119868] sube [119873119878
1015840
119868 119873119878119868]
dArr
119868 isin I 119871 notin MPR119878
exist1198681015840isin I ni 119868
1015840isin MPR
119878
Card (1198731198781015840119868 (119873119878
1015840
119868capN)) gt 0
Card ((1198731198781015840119868 119873119878119868) capN) gt 0
(12)
Herein a key challenge stems from the need to generate ahand-coded intrusion signature that models such attack andhenceforth permits to detect it
33 Signature Establishment As mentioned before a linkspoofing attack aims to inflect the MPR selection such
International Journal of Distributed Sensor Networks 9
Table 2 Evidence characterizing a link spoofing attack
Initial-evidence group1198641 AMPR is replaced by a 1-hop neighbor or by an already selected MPR1198642 AMPR behaves maliciously for example it tampers misrelays or drops the control messages
Suspicious-evidence group1198643 AMPR is the only node that provides connectivity to one (or more) 2-hops neighbor(s)
Confirmed-evidence group1198644 AMPR advertises a partial set of 1-hop neighbors1198645 AMPR advertises nonneighboring node(s) as 1-hop neighbors(s)
Cancel-evidence group1198646 AMPR is defined as an intruderwell-behaving node
selection is triggered upon a change in the symmetric 1- and2-hops neighborhood Rather than launching an in-depthdiagnostic upon every change in the 1- or 2-hops symmet-ric neighborhood we keep to a minimum the number ofthese diagnostics and henceforth the amount of consumedcomputational power and bandwidth by initiating it onlyat the occurrence of an event related to a link spoofingattack More precisely we ignore the changes in the 1-hopneighborhood (eg apparition of 1-hop neighbor) becausethey are observed by the node itself Thus they are notsubject to the remote falsification which is the cornerstoneof a link spoofing attack In contrary changes in the 2-hopsneighborhood are considered as long as they impact theMPRselection In practice the evidences that reveal a link spoofingattack (Table 2) are broken down into
(i) a MPR replacement (Evidence 1 or 1198641 for short)that results from a change in the covering of the 1-hop neighbors one (or several) 1-hop neighbor(s)(possibly the replacing MPR) increase(s) its (their)coverage to the detriment of the replaced MPR AreplacementMPR is a 1-hop neighbor that is excludedfrom the MPRs set even though it provides the sameconnectivity in both the previous and current MPRselection rounds
(ii) No MPR replacement takes place but an alreadyselected MPR is detected as misbehaving node Forinstance a misbehaving MPR may drop falsify ormisrelay the control messages (1198642) Note that anevidence of a special interest herein refers to a nodepromoting itself as a MPR without having beenselected as a MPR Amisbehaving MPR includes alsothe case wherein a MPR continually advertises thesame 2-hops neighbors set despite being no morevalid Contrary to other cases this one is not eventdriven and should be handled based on random orperiodical checks
(iii) aMPR is the only one that covers one or several nodes(1198643)
(iv) a MPR covers partially its adjacent neighbor(s) (1198644)
(v) a MPR provides connectivity to a nonneighboringnode (1198645)
The occurrence of either 1198641 or 1198642 constitutes the startingpoint of an in-depth diagnostic 1198641 and 1198642 belong to theinitial-evidence group The act of being the only MPR thatprovides the connectivity to node(s) (1198643) is suspicious butis not sufficient to launch an in-depth diagnostic becausethis situation is typical in a sparse network Furthermoretwo nodes within the covering range of each other oftenfail in communicating due to the unpredictable nature ofwireless transmission resulting from for example obstaclesand noises Thus diagnosing 1198643 is especially difficult underno specific assumption Overall the occurrence of 1198641 or 1198642and optionally1198643 leads to an in-depth diagnostic (Expression13) In practice the 1-hop neighbor(s) of the suspicious MPRare interrogated Note that part of the interrogated nodesmayexpress a different opinion that results from malicious nodeor an obsolete routing information This calls for taking intoaccount their respective reputation (as we plan in our nearfuture work)
(1198641 or 1198642)
dArr dArr
(1198644 or 1198645) optional (1198643) (1198644 and 1198645)
dArr dArr
The suspicious MPRis an intruder
The suspicious MPRis well-behaving
(13)
If the obtained answers confirm (resp infirm) that thesuspicious MPR covers partially its neighbors (1198644) andoradvertises a distant node as 1-hop neighbor (1198645) then theMPR is declared as an intruder (resp well-behaving) andthe diagnostic is terminated (1198646) Obviously the cooperationbetween the nodes constitutes a cornerstone in our in-depthdiagnostic
34 Cooperative Diagnostic The in-depth diagnostic of a linkspoofing attack consists in verifying the existence of a sym-metric and neighboring relationship between a suspiciousMPR and its advertised 1-hop neighbors (Algorithm 1) Moreprecisely this diagnostic follows the following steps Firstthe MPRs that have been replaced by other MPR or 1-hopneighbor are identified (lines 1-2) because such replacementrepresents the initial evidence of a link spoofing attack (1198641in Table 2) For this purpose the function GetReplaced-Mpris called (Line 1) It establishes the MPRs that have been
10 International Journal of Distributed Sensor Networks
(1) OldMprs = GetReplaced-Mpr()(2) SuspiciousMprs = GetReplacing-Mpr()(3) for (suspicious isin SuspiciousMprs) do(4) InterrogatedNodes = GetCommon2HopsNeighors
(suspicious OldMprs)(5) for (2HopsNeighbor isin InterrogatedNodes) do(6) if (LinkExistence (2HopsNeighbor suspicious) ==
false) then(7) Generate-Alarm (suspicious)(8) end if(9) end for(10) Cancel-Suspicious (suspicious)(11) end for
Algorithm 1 In-depth diagnostic
replaced by comparing the currentMPRs and the penultimateMPRs Then the MPRs sharing 1-hop neighbor(s) with areplaced MPR are identified (function GetReplacing-MPRline 2) Those identified MPRs are tagged as suspicious andare subject to further analysis (lines 3ndash11) the objective is toverify whether some spoofed links have been advertised soas to replace the MPR It follows that the 1-hop neighborsthat are common to a replaced MPR and a suspicious oneare determined (GetCommon2HopsNeighors function line 4)Note that these 1-hop neighbors also correspond to the 2-hops neighbors of the node launching the diagnostic Theyare interrogated (LinkExistence function) so as to verify theexistence of links The interrogation of a 2-hops neighbordenoted by 119860119894 consists in sending a request to 119860119894 asking ifthis latter considers the suspicious MPR as a 1-hop neighborat a specific time 119905 Whenever possible this request is sentwithout going through both the suspicious MPR 119868 or anycolluding intruder 1198681015840 This eluding is necessary in order toprevent 119868 and 1198681015840 from dropping the request andor forging adeceptive answerTherefore the 1-hop neighbor(s) (primarilythe MPR(s)) that covers the interrogated 2-hops neighbors isprovided with the request Note that the suspecting node 119878 isaware of is provided with the connectivity between the nodesthat form its two-hops neighbors Thus 119878may select the one(if existing) that covers 119860119894 If no answer is obtained (iethe related time-out elapses) then the request is sequentiallytransferred through the rest of the covering 1-hop neighbors(keeping in mind that as aforementioned MPRs are pri-marily selected) However when no neighbor is left then an(multihops) alternative path is researched in the routing tableto reach 119860119894 Note that the verification related to a suspiciousMPR is performed within an independent thread hencethe diagnostic of one node (and the result waiting) is not ablocking to others If 119860119894 denies being a 1-hop neighbor of thesuspicious MPR then a countermeasure is triggered Moreprecisely an alarm that establishes the detected attacker(s)is broadcasted (Generate-Alarm function line 7) Otherwiseif no deny takes place the suspicious MPR is no longersuspected (Cancel-Suspicious function line 10) In both casesthe diagnostic terminates Note that if no answer is provided(the inconsistent answers lead also to a claim in the degree
of suspicion However this case is not included in this paperbut it is handled in our other works) then the suspiciousMPR is tagged as not verified and the degree of suspicionin this latter goes up It is worth mentioning that the currentimplementation of IDAR considers the link spoofing attackHowever considering other attacks is not complicated andrequires only specifying the evidences to be searched in thelogs and the information to be exchanged between the nodesduring the in-depth diagnostic
4 Architecture and Performance Evaluation
In this section we introduce the key architectural compo-nents of IDAR (Section 41) Then we present the evaluationof IDAR performance (Section 42) and further discuss theobtained result (Section 43)
41 IDAR Architecture In order to cope with the dynamicnature ofMANET IDAR is both distributed and cooperativeThe proposed architecture (Figure 2) requires that everydevice participates in the detection (The delegation of somedetection operations (eg logs analyzing) may be sharedamong devices But it will not be necessarily less expensive interms of resources consumption)More precisely each devicecontains an instance of IDAR which independently detectsthe signs of suspicion and cooperates with other instancesso as to conduct the diagnostic in a broader range IDAR isimplemented in Perl (httpwwwperlorg) and conceptuallystructured into 4 components
(i) Coordinator that orchestrates all the components Assuch it constitutes the hearth of IDAR In prac-tice it parses dynamically the OLSR logs so as toextract signs of suspicion and match these latteragainst predefined intrusion signaturesThe intrusionsignatures are represented as conditional rules (ifcondition then state) Furthermore it triggers thecommunication and the alarm notification in orderto launch advanced diagnostic
(ii) Communication manager that gathers informationabout for example the adjacent links as requiredby the diagnostic manager Meanwhile it answersthe diagnostic requests This component runs into aseparated thread so that other IDAR operations arenot blocked
(iii) Knowledge database includes the information thatis extirpated from the logs and is provided by thecommunication manager This database is realized inMysql (httpwwwmysqlcom) Stored informationencompasses for example the 1-hop and 2-hopsneighbors and the MPRs
(iv) Alarm notifier is responsible for alarming the networkwhen an intrusion is detected Note that we areplanning to include more countermeasures in thefuture for example eliminating the routes containingan intruder
International Journal of Distributed Sensor Networks 11
SignatureKnowledge
database
Coordinator
Communicationmanager Alarm notifier
Update
Feedback
Diagnostic requestDiagnostic answer
IDAR instance
Routing log
IDAR instanceDiagnostic requestanswer
Routing log
Feed back
Figure 2 IDAR architecture
All the above components have been developed so as tosupport intrusion detection offering a high rate of detectionalong with conserving the resources
42 Performance Evaluation In order to evaluate the perfor-mance of IDAR a mobile ad hoc network has been simulatedusing the network simulator NS3 (httpwwwnsnamorg)[36] Each node in the simulated network is furthercoupled with a Linux Container (LXC) virtual machine(httplxcsourceforgenet) [37] The reason that motivatesthis coupling is twofold First NS3 offers the possibilityto simulate a large-scale mobile ad hoc network SecondLXC an operating-system-level virtualization tool permitsto run multiple isolated machines (also called containers)on a single modified hosting kernel (up to 1024 contain-ers over a single hosting kernel) Each container owns itsproper resources (eg process tree network interface andIP address) Thus the resource consumption (eg memoryusage) can be isolated and measured In practice an instanceof IDAR is installed on each container that appears asa standaloneseparated machine Figure 3 exemplifies thecoupling between nodes in NS3 and LXC containers Fromthe IDAR perspective (as well as from any applicationinstalled on the container) the emission and reception ofpackets is done through the network interface (eth0) Whilethe container contains a simulated ethernet card (V119890119905ℎ)which is connected through an ethernet bridge towards akernel tap device (tap) Note that for each container-nodecoupling new tap and ethernet bridge should be definedin the hosting kernel The ethernet bridge implements theforwarding of link-level framesThe interface 119905119886119901119877119900119906119905119890119903 [38]is implemented in NS3 and is used to exchange packetsbetween the 119905119886119901 device and the WiFi device which enablesNS3 nodes to communicate over a IEEE 80211- and OLSR-enabled MANET Overall the outgoing packets from eth0in the container are delivered to the WiFi device at thecorresponding node in the simulated network and vice versaSimulation is carried using the aforementioned platform
wherein the hosting device is equipped with 32GB of mem-ory and 2 Intel(R) Xeon(R) (6) Core 240GHz CPUsContainers hold a Fedora 12 operating system We considera MANET (Table 3) constituted of 119873 = 30 nodes split into25 well-behaving nodes and 5 intruders While most of otherIDSs are evaluated against one intruder we show that IDARcan handle several intruders in the same time Intruderslaunch repeatedly the implemented link spoofing attack (asdescribed in Expression 12) In our experiments the numberof successful intrusions varies between 15 and 33 accordingto the parameters of simulation scenario (as described inExpression 12) Nodes communicate via IEEE 80211a andare characterized by a transmission range 119879
119909of 90m They
randomly move following the so-called RandomWalk2d [39]mobility pattern provided by NS3 each node moves accord-ing to a randomly chosen direction at a given speed that isthe same for all the nodes When a node hits the networkboundaries (unless specified the network area is defined bya squared area of 119878 = 310 times 310m2) it rebounds followinga reflexive angle Data traffic is further modeled using theV4PingHelper application in NS3 each node exchanges 56-byte ICMP (httpwwwietforgrfcrfc792txt) echo requeststo one another and waits for 1 s before sending it again Weuse OLSR as the underlying routing protocol preserving theconfiguration parameters promoted in the RFC 3626 (eghello message interval is 2 s)
For each experimental scenario the simulation islaunched 5 times each one lasts for 140 s We compare thelaunched attacks with the detected ones and present theaverage of results We aim at evaluating the performance ofIDAR in terms of
(i) intrusion detection rate that reflects the capacity ofdetecting successful intrusions (a successful intrusioncauses the replacement of a legitimate MPR of thevictim by an intruder)
(ii) false positive rate that measures how many times alegitimate node is wrongly designated as an intruder
12 International Journal of Distributed Sensor Networks
Table 3 Simulation parameters
Simulation platformSimulator NS3 + LXC virtual machinesContainer operating system Fedora 12Hosting device memory 32GBHosting device CPU 2 Intel(R) Xeon(R) (6) Core 240GHz
Simulated MANETNumber of mobile nodes 30Number of intruders 5Topology 310 times 310m2
Transmission range 90mMaximum bandwidth 1MbpsTraffic V4PingHelper 56 bytes Icmp packetsMobility model RandomWalk2dMaximum speed 8ms (or 288 kmh)Simulation time 140 s
tapRouterWiFi devicewith OLSR
LXC
cont
aine
r
Ethernet bridge
Tap
LXC
cont
aine
r
veth
Ethernet bridge
Tap
tapRouterWiFi devicewith OLSR
veth
Nod
e 1
Nod
e 119899
NS3
IDAR1 IDAR119899
eth0 eth0
Figure 3 Experiment platform
(iii) detection overhead which represents the additionalnetwork traffic that is generated because of IDARNote that further benchmarks are also provided interms of memory usage
Based on those performance indicators IDAR is furtherevaluated with regard to the network density (Section 421)and node mobility (Section 422)
421 Network Density In order to evaluate the scalingproperties of IDAR we vary the density of the networkThe density of the network corresponds to the averagenumber of neighbors which is defined as in [40] by (119873 times
120587 times 1198792
119909)119878 We selected an interval of density that ranges
from 6 up to 16 neighbors which includes the intruderthe victim and the remaining neighbors Figure 4(a) showsthat the detection rate keeps higher than 80 regardless ofthe network density This demonstrates the relatively limitedimpact of the network density on IDAR performance More
precisely the intrusion detection rate slightly rises from935up to itsmaximum 963when the density varies from6 up to 8 neighbors the greater is the number of neighborsthe higher is the visibility of the attackThen a slow diminishis observed dense networks (with a density exceeding 8) arecharacterised by a high collision rate that causes a declinein the detection rate Similarly Figure 4(b) highlights thatthe average percentage of false positives is neglectful (under59) The analysis of several cases of false positive leads usto find that a false positive occurs when two nodes own adifferent live-times for the bidirectional link that connectsthese later consequently one of the two nodes still confirmsthe existence of this link while the other one denies it Tooverride this problem the period during which those linksare considered valid should be amplified as in [41] Figure 4(c)presents the average memory usage caused by IDAR Thisusage gently fluctuates between 176MB and 222MB It is alsoworthy of mention that contrary to OLSR our system doesnot assign additional functionality toMPR (detectionmay belaunched by one another) IDAR provides an homogeneousload balancing among the nodes As illustrated in Figure 4(d)the traffic caused by IDAR is very low (under 05 for anetwork density inferior to 8) It then slowly rises to reach13 when the network density is 16 In order to understandthe slight fall when the density reaches 14 we compare theaverage number of suspicious cases with regard to a varyingdensityThis average was 708 (resp 658) with density equalsto 12 (resp 14) Consequently the number of diagnostic-related packets is smaller at a density of 14 than at a densityof 12
422 Mobility In order to isolate the influence of themobility the network density is set to 8 The detection ratefalls when the speed increases (Figure 5(a))This results fromthe ever changing topology that results in increasing thenumber of broken links and the related drops of diagnostic-related packetsHowever IDAR still provides a high detectionrate for example the average of detection rate is 707
International Journal of Distributed Sensor Networks 13
0
20
40
60
80
100
6 8 10 12 14 16
Det
ecte
d in
trus
ions
()
Density
Average detection
(a)
0
10
20
30
40
50
6 8 10 12 14 16
False
pos
itive
()
Density
Average of false positives
(b)
0
10
20
30
40
50
6 8 10 12 14 16
Mem
ory
usag
e (M
B)
Density
(c)
025 05
1
5
20
50 100
6 8 10 12 14 16Density
IDA
R ve
rsus
OLS
R tr
affic (
)
(d)
Figure 4 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network density
with a moving speed equals to 8ms (ie around 287
kilometershour equivalent to 1789mileshour) Figure 5(b)shows that the higher is the moving speed the greater it getsfalse positives mainly because of out of date feedback Infact when a node moves away some of its 1-hop neighborsare no longer neighbors but are still announced as suchand are considered as potential attackers A higher increaseof the false positive rate is observed when the node speedranges from 4ms up to 6ms because the instable nodecovering is given its transmission range which leads to anincreased update of its 1-hop neighbors The memory usage(Figure 5(c)) rises staidly from 176MB to 265MB whichis reasonable even for resource-limited devices The impactof the mobility on the bandwidth is shown in Figure 5(d)The IDAR traffic comparing to the OLSR traffic significantlygrows from 036 up to 31 for a speed ranging from 0msup to 2ms Then the bandwidth usage gradually growsand reaches almost 6 when the moving speed is equalto 8ms This is motivated by the fact that increasing thenumber of verified links leads to exchange more diagnostic-related messages in the network In order to understandthe reason behind such variable growth of IDAR trafficwe counted the number of the verified suspicious neighbor
links We found that the average number of the verified linkssignificantly grows from 452 to 2014 when the velocity risesfrom 0ms to 2ms This average then gradually grows andtakes the values 2408 3314 and 406 when the velocityequals to 4ms 6ms and 8ms respectively The limitednumber of the suspicious neighbor links when the nodesare static is justified by the fact that the attacker has alimited choice to falsify its neighbors links Instead when thevelocity is greater than 2ms there is a continuous changein the neighborhood and the attackers can attack more(diversified) targets Meanwhile the continuously changingtopology implies an increased number of investigations
43 Performance Discussion It is clear that the density of thenetwork holds less influence than the mobility on our IDSMore mobility in MANET causes more dropped diagnosticpackets and hence less diagnostic is concluded with a finalresult that is confirming or refuting the suspiciousnessHowever comparing the launched attacks to the discov-ered suspicious events shows that the majority of attacksare tagged as suspicious events and considered for furtherdiagnostic Note that the mobility has a negative influence
14 International Journal of Distributed Sensor Networks
0
20
40
60
80
100
0 2 4 6 8
Det
ecte
d in
trus
ions
()
Velocity (ms)
Average detection
(a)
0
10
20
30
40
50
0 2 4 6 8
False
pos
itive
()
Velocity (ms)
Average of false positives
(b)
0
10
20
30
40
50
0 2 4 6 8
Mem
ory
usag
e (M
B)
Velocity (ms)
(c)
025 05
1
5
20
50 100
0 2 4 6 8
IDA
R ve
rsus
OLS
R tr
affic (
)
Velocity (ms)
(d)
Figure 5 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network mobility
on all the IDSs especially the cooperative ones where thereis an exchange of evidencesalerts Table 4 provides a shortperformance comparing between IDAR and other knownIDSs that are dedicated to ad hoc routing protocol Likethe majority of these IDSs the performance of our systemis challenged against a specific attack link spoofing attackin a simulated MANET (According to [42] around 75of mobile ad hoc published papers use simulation for testissues) Two evaluation factors are common to almost all thelisted IDSs the detection ratecapacity and the positive falserate Even though it was challenged in a MANET whereinthe intruders constitute 166 (Note that this percent is the3rd highest registered percent) of the nodes IDAR providesone of the highest detection rate Regarding the positivefalse rate we can notice that several IDSs especially thosethat are dedicated to DSR protocol show better results thanour system However this latter still generates a limitednumber of false positives It is also possible to reduce thefalse positives rate by amplifying the TTL (Time To Live)parameter of a bidirectional link so as to reduce the impactof obsolete neighborhood-related information during thedetection Recall that most of the generated false positives inIDAR are generated because of the difference in the time-live
of a bidirectional link between the two ends of this link Insuch case this link will be expired in one end while the otherend will keep confirming its existence It is worthmentioningthat except our system the listed IDSs that aim to detect theattacks targeting OLSR protocol do not present neither thedetection rate nor the false positives rate But they merelyprove the capacity of detecting the addressed attack(s) Inaddition IDAR is one of the rare IDSs that are evaluated interms of resources consumption Indeed we measure boththe increment inmemory usage and traffic overhead resultingfrom detection operations IDAR triggers a small incrementin the devicesrsquomemory usage (between 176MBand 265MB)Therefore it can be tolerated by the resource-limited devicesIt further triggers the lowest traffic overhead compared to thelisted IDSs IDAR presents a good scalability and offers a highdetection rate even in the high density networks where a largeamount of routing traffic should be monitored (Figure 4(a))This scalability is reinforced by (i) the limited traffic overhead(ii) the use of routing logs so as to extract the evidencesinstead of sniffing the traffic (iii) the distributed nature ofdetection such that each node is responsible for detecting theattacks targeting it and (iv) the unnecessity of modifying theused routing protocol
International Journal of Distributed Sensor Networks 15
5 Related Work
Systems that detect intrusion targeting ad hoc routing proto-col are extremely diverse in the way they analyze intrusionThey fall into the three key categories
(i) Anomaly detection system defines the correct behav-ior of the nodenetwork so as to detect deviations tothis behavior This correct behavior is automaticallybuilt during an attackless training phase The detec-tion accuracy depends on the ability to (i) describethe correct behavior and (ii) distinguish betweenanomalous and unexpected behaviors
(ii) Specification-based detection system hand-codes thelegitimate functionoperation and then searches for aviolation to this operation
(iii) Signature-based detection system first describes theway an intruder penetrates the system by defining anintrusion signature Then any behavior that is closeto this predefined signature is flagged as intrusion
Hereafter we detail examples of each of these categoriesAnomaly-based detection constitutes the main approachused to detect attacks The IDS proposed by Zhang et al[7] constitutes a de facto standard in MANET It aims atdetecting the attempts to falsify the routes provided by theAODV [61] DSR [62] and DSDV [63] routing protocolsDuring the training phase the impact of movement on thepercentage of changes in the routing table is analyzed Notethat this movement (ie velocity direction and position)is provided by a Global Positioning System (GPS) Thenduring the operation phase an actual percentage of changesdiffering from the predicted one is defined as anomaly Inpractice the distinguishing between anomalous and normalbehaviors is provided by the Support Vector Machine (SVM)Light [64] classifier or by RIPPER [15] a rule-based engineThe hierarchical IDS proposed in [47] detects blackhole androuting request flooding attacks targeting AODV protocolHere MANET is arranged into clusters whereas the nodewith the highest residual energy and number of connectionsis elected as a cluster-head Each cluster-head monitors thetraffic inside its cluster so as to identify the abnormal valuesof (i) the percentage of changes in the routing table and (ii)the propagation of routingdata packets Such abnormalitiesare identified thanks to (1-SVM) classifier [65] a deviationof SVM that needs to be trained with either normal orabnormal scenario but not both of them In [48] (resp [66])a blackhole (and resp dropping) attack targeting AODVprotocol (resp a secured version of AODV protocol includ-ing authentication and reputation estimation) are detectedby investigating features for example the number of routerequests and route replies as well as the average difference ofsequence numbers (Largely increased sequence numbers areknown as a sign of blackhole attack) Then simple anomalydetection is applied if the distance between the actuallyobserved features and the average ones that are recorded dur-ing the training exceeds a given threshold then an intrusionis detected More sophisticated cross-features analysis (CFA)[67] is applied to detect both blackhole and packet drop-ping on AODV and DSR protocols Features including for
example the reachability between 2 nodes and the numberof delivered packets are analyzed within time windows Thisanalysis attempts to quantify the relation existing betweenone feature 119891
119894and the others 119891
1 119891
119894minus1 119891119894+1 119891
119896(with
119896 + 1 defining the number of features analyzed) During theoperation phase the probability of matching between theobserved feature 1198911015840
119894and the predicted feature 119891
119894 which is
established based on 11989110158401 119891
1015840
119894minus1 1198911015840
119894+1 119891
1015840
119896 is calculated by
a decision tree classifier named C45 [68] An anomaly refersto an average of matching probability fewer than a giventhreshold CFA and C45 are also used in [69] with traffic-related features (eg number of receivedtransferred packets)and OLSR- or AODV-related features (eg MPR updates forthe former and route discovery for the latter) A modifiedMarkov chain-based IDS is proposed in [58] so as to detectroute disruption attack targeting DSR protocol Here thedetection depends on identifying unpredicted value of twofeatures the percentage of changes in the number of routesand the percentage of changes in the number of hops Inpractice a Markov chain is based on the immediate previous119899 consecutive values of a feature as to predict the (119899 + 1)thvalue If the difference between a predicted and an observedvalue exceeds a given threshold an intrusion is concluded
Rather than establishing automatically a correct behaviorspecification-based detection system hand-codes the correctbehavior of the routing protocols based on the protocol spec-ification (IETF draft or RFC) Then the system attempts todetect a violation of constraints circumventing this behaviorFour key constraints define the correct behavior of OLSR([14 70])
(1) Neighbor relationmust be reciprocal (ie 2 neighborsmust hear the hello message sent by each other)
(2) TheMPRs and the nodes that select theMPR (ie theMPR selectors) must be adjacent
(3) A node that finds itself advertised as a MPR selectorin a TCmessage must be adjacent to the originator ofthis message
(4) Nodes receive TC messages without modificationsfromMPR(s)
Each node sniffs the traffic in its radio range so as todiscover the violations of any of the above constraints Theseconstraints are modeled by semantic properties in [70] (resprules in [14]) so as to detect link spoofing attack on TC(and resp hello messages) both experiment an ability todetect a link spoofing by observing a violation of the thirdcondition over a simulated network composed of 11 nodesFinite-state machines are used to describe similar constraintson OLSR [41] and the behavior of AODV protocol [52 71]In [41] a centralized detection of link spoofing man-in-the-middle and deny of service attack is performed While in[52 71] incorrect hop countssequence numbers are analyzedby distributed sensors which sniff and group the packets perrequest-reply flow so as to estimate the forwarding path perflow If a route requestreply is illegallymodified or forwardedvia a nonexpected path then an alarm is triggered In [60]similar FSMs are used to define constraints on both the routediscovery in AODV and the packet forwarding operations
16 International Journal of Distributed Sensor Networks
Table4Com
parin
gID
ARperfo
rmance
with
otherIDSs
IDS
Routing
protocol
Num
bero
fno
des
Intrud
ers
()
Moving
speed
Detectio
nrate
False
positives
rate
Increm
entinmem
ory
usage
Increm
entintraffi
coverhead
IDAR
OlSR
30166
0ndash8m
s707ndash963
0ndash132
176ndash
265MB
478ndash6215KB
(036
ndash597
ofOlSRtraffi
c)
[43]
OlSR
303366
10
mdashmdash
mdashmdash
6ndash12
ofOlSR
traffi
c[41]
OlSR
1010
0ms
Detectio
nispo
ssible
mdashmdash
mdash[44]
OlSR
7143
0ms
Detectio
nispo
ssible
mdashmdash
mdash[45]
OlSR
520
0ms
Detectio
nispo
ssible
mdashmdash
mdash[14
]OlSR
119
0ms
Detectio
nispo
ssible
mdashmdash
mdash[46]
AODV
3033
0ndash5m
s3067ndash90
0ndash20
mdashmdash
[47]
AODV
502
0ndash20
ms
90
5
mdashmdash
[48]
AODV
3033
1ndash20
ms
70ndash82
12ndash18
mdashmdash
[49]
AODV
2050
10
1ndash10ms
964ndash9
87
079ndash093
mdash900k
B
[50]
AODV
5238
0ndash20
ms
(Fixed
IDSs)
100
0ndash0
6
mdashmdash
[51]
AODV
521
20238
0ndash10ms
50ndash100
0ndash30
mdashmdash
[52]
AODV
30mdash
0ndash20
ms
70ndash100
05
ndash15
mdashmdash
[53]
AODV
50Ra
ndom
0ndash20
ms
79plusmn10ndash92plusmn3
5plusmn1ndash32plusmn8
mdashmdash
[54]
AODV
102050
mdash0ndash
10ms
0ndash100
0ndash≫100
02ndash06
mdash[55]
AODV
20ndash200
mdash0ndash
20ms
30ndash9
50ndash16
mdashmdash
[56]
AODV
50mdash
1ndash20
ms
998ndash100
083ndash846
mdashmdash
[7]
AODV
mdashmdash
mdash8848plusmn414ndash971plusmn032
145plusmn072ndash202plusmn627
mdashmdash
DSD
Vmdash
mdashmdash
8523plusmn328ndash9061plusmn299
537plusmn310ndash263plusmn549
mdashmdash
DSR
mdashmdash
mdash852plusmn238ndash991plusmn037
003plusmn004ndash153plusmn408
mdashmdash
[57]
DSR
5040
0ndash20
ms
mdashmdash
mdash11ndash313
of
data
traffi
c[58]
DSR
3033
3ndash5m
s60ndash100
25
ndash50
mdashmdash
[59]
DSR
30mdash
mdash75
12
mdashmdash
[60]
DSR
502
0ndash20
ms
837ndash9
74
13ndash72
mdashmdash
International Journal of Distributed Sensor Networks 17
A signature-based system distinguishes itself by model-ing the misbehavior (rather than the correct behavior) soas to identify if a sequence of observed events matchingan intrusion signature AODVSTAT [54] uses state-basedsignatures in order to detect dropping and spoofing attacksalong with network flooding Few sensors sniff the traffic andmatch it against predefined signatures They also exchangeperiodically MAC and IP addresses so as to detect an identityspoofing which is characterized by a node emitting a packetidentified by MAC and IP addresses differing from thoseregistered for this node A dropping attack refers to a nodethat fails to replay route requestreply Finally a node sendinga number of packets exceeding a given threshold is identifiedas willing to exhaust resources In [45] intrusion signaturesare specified in opposition to the legitimate behavior of OLSRdepicted in conjunction with specification rules similar tothose defined in [70] In particular a node 119873 mistrusts twoneighbors 119871 and 119872 that conform to the following rules119872 advertises 119871 as a neighbor while 119871 does not advertise119872 as a neighbor (or reciprocally) both 119871 and 119872 send TCmessages while 119871rsquos neighbors are a subset of 119872rsquos neighbors(or reciprocally) In addition 119873 mistrusts 119872 if 119873 which isnot a neighbor of 119872 finds itself as a MPR selector in a TCof 119873 (constraint 3) In [44] a FSM is employed to modelthe signature of hello message fabrication in OLSR protocolin an agent-based IDS In practice each node uses a SimpleNetworkManagement Protocol (SNMP) agent so as to collectaudit data from the Management Information Base (MIB)After that events are extracted from the collected audit dataand are matched to the attack signatureThe addressed attackaims at breaking the link between a victim node and itsneighbors and thus a DoS takes place To that end theattacker impersonates the identity of the victim and sends afake hello message advertising one of the victim symmetricneighbors with lost link status Upon receiving the fabricatedmessage the neighbor changes the status of its link withthe victim to ldquoheardrdquo and stops routing packets through thevictim
51 Synthesis and Discussion A great majority of the litera-ture is focused on anomaly detectionwhile scarce effort inves-tigates specification- and signature-based intrusion Thisnaturally calls for consolidating the effort on specification-and signature-based detection while following the habitus ofwired network which consists in coupling these detectionsystems with one another for example in [72] wherein acombination of anomaly- and signature-based detection isrealized so as to increase the detection rate Almost all ofthe IDS focuses only on the detection accuracy that isproviding a high detection rate along with limited falsealarms However they do not consider the criticality ofmaintaining the resources and henceforth extending thelifetime of the nodenetwork Our IDS takes into account thenecessity of reducing to minimum both the communicationand computation overload related to intrusion identificationThe absolute majority of the IDSs is simulated (including thesystem we are proposing) rather than being either developedor experimented on testbeds or relying on empirical data
The reason that explains this situation is twofold Firstthe deployment of critical MANET is limitednot adver-tised Second to the best of our knowledge experiences ofintrusion in MANETs are not reported intrusions are infact developedsimulated as proofs of concept Neverthelessnot only routing protocols but also the characterization ofthe intrusion together leverage on the experience gained indesigning routing protocols for wired networks and deal-ing with related misbehaviors In particular the similarityexisting between the OSPF and OLSR protocols implies thatmany threats (eg sequence numbers identity spoofing) areshared In other words intrusion may be inspired from theone targeting wired networks Meanwhile the developmentof intrusion detection and the envisioning of attacks areaccelerated
6 Conclusion
We survey and classify the attacks that target ad hoc routingprotocols focusing on theOLSRprotocol In order to facilitatethe definition of intrusion signatures we extend a descriptionmodelmdashan attack is expressed as the preconditions andthe resulting consequencesmdashand enrich it with temporalannotations Once hand-coded these signatures are utilizedby IDAR a log-based distributed intrusion detection systemdedicated to operate in mobile ad hoc networks IDARdistinguishes itself by analyzing the logs generated by arouting protocol and extracts intrusion evidences so as tocompare these latter against predefined intrusion signaturesFor this purpose evidences are categorized into four groupsaccording to their degree of suspiciongravity and hence totheir ability to activatedeactivate the diagnostic We furtherdevelop a link spoofing attack on the OLSR protocol buildthe related detection rules and evaluate the performancesof IDAR relying on the NS3 simulator coupled with LXCvirtual machines Overall the experiments figure out ahigh rate of intrusion detection and low false positivesrate even under increased mobility and density Meanwhileresource consumption and network overhead result from thediagnostic are low and adapted to the resource-constraineddevices Note that ongoing effort is provided as to evaluateIDAR in a real MANET consisting of resource-constraineddevices Still detecting intrusion is not a trivial task due tothe large number of evidences to tackle and the resource-consuming diagnostic A compromise between detectionaccuracy and resource consumption could be found For thispurpose we are working on a new statistical mechanism forgathering the evidences This mechanism aims at enhancingthe scalability of our system by restricting the interrogationto a limited subset of nodes during the diagnostic Moreoveruntil now we assume that honest parties are passive theyalarm others but do not react We are considering thecoupling with countermeasures (eg blacklisting) and theexploring of lightweight binary consensus and trust estab-lishment among the nodes that participate in the intrusiondetection
18 International Journal of Distributed Sensor Networks
References
[1] Z Zhao H Hu G Ahn and R Wu ldquoRisk-aware mitigation formanet routing attacksrdquo IEEE Transactions on Dependable andSecure Computing vol 9 no 2 pp 250ndash260 2012
[2] B Sun L Osborne Y Xiao and S Guizani ldquoIntrusion detectiontechniques in mobile ad hoc and wireless sensor networksrdquoIEEE Wireless Communications vol 14 no 5 pp 56ndash63 2007
[3] S Sesay Z Yang and J He ldquoA survey onmobile ad hoc wirelessnetworkrdquo Information Technology Journal vol 3 no 2 pp 168ndash175 2004
[4] P Brutch and C Ko ldquoChallenges in intrusion detection forwireless ad-hoc networksrdquo in Proceedings of the Symposium onApplications and the Internet Workshops (SAINT rsquo03) pp 368ndash373 2003
[5] S Khan N Alrajeh and K Loo ldquoSecure route selection inwireless mesh networksrdquo Computer Networks vol 56 no 2 pp491ndash503 2012
[6] S Corson and J Macker ldquoMobile ad hoc networking (manet)routing protocol performance issues and evaluation considera-tionsrdquo IETF RFC2501 1999
[7] Y Zhang W Lee and Y Huang ldquoIntrusion detection tech-niques for mobile wireless networksrdquoWireless Networks vol 9no 5 pp 545ndash556 2003
[8] B C Cheng and R Y Tseng ldquoA context adaptive intrusiondetection system for MANETrdquo Computer Communications vol34 no 3 pp 310ndash318 2011
[9] T Eissa S A Razak and M D A Ngadi ldquoTowards providinga new lightweight authentication and encryption scheme forMANETrdquoWireless Networks vol 17 no 4 pp 833ndash842 2011
[10] A Irshad W Noshairwan M Shafiq S Khurram E Irshadand M Usman ldquoSecurity enhancement for authentication ofnodes in MANET by checking the CRL status of serversrdquoCommunications in Computer and Information Science vol 78pp 86ndash95 2010
[11] D E Denning ldquoAn intrusion-detection modelrdquo IEEE Transac-tions on Software Engineering vol 13 no 2 pp 222ndash232 1987
[12] T Clausen and P Jacquet ldquoOptimized link state routing proto-col (OLSR)rdquo IETF Experimental RFC 3626 2003
[13] P Albers O Camp J Percher et al ldquoSecurity in ad hoc networksa general intrusion detection architecture enhancing trust basedapproachesrdquo 2002
[14] F Cuppens N Cuppens-Boulahia S Nuon and T RamardldquoProperty based intrusion detection to secure OLSRrdquo in Pro-ceedings of the 3rd International Conference on Wireless andMobile Communications (ICWMC rsquo07) Guadeloupe FranceMarch 2007
[15] W Cohen ldquoFast effective rule inductionrdquo in Proceedings of theInternational Conference onMachine Learning (ICML rsquo95) 1995
[16] S Sarafijanovic and J-Y le Boudec ldquoAn artificial immunesystem for misbehavior detection in mobile ad-hoc networkswith virtual thymus clustering danger signal and memorydetectorsrdquo in Proceedings of the 3rd International Conference onArtificial Immune Systems (ICARIS rsquo04) 2004
[17] S Sen and J Clark Intrusion Detection in Mobile Ad HocNetworks in Guide to Wireless Ad Hoc Networks SpringerLondon UK 2009
[18] D Subhadrabandhu S Sarkar and F Anjum ldquoA Framework formisuse detection in ad hoc networksmdashpart IIrdquo IEEE Journal onSelected Areas in Communications vol 24 no 2 pp 290ndash3032006
[19] L M Feeney and M Nilsson ldquoInvestigating the energyconsumption of a wireless network interface in an ad hocnetworking environmentrdquo in Proceedings of the 20th AnnualJoint Conference of the IEEE Computer and CommunicationsSocieties pp 1548ndash1557 April 2001
[20] A P Lauf R A Peters and W H Robinson ldquoA distributedintrusion detection system for resource-constrained devices inad-hoc networksrdquo Ad Hoc Networks vol 8 no 3 pp 253ndash2662010
[21] N A Alrajeh S Khan J Lloret and J Loo ldquoSecure routingprotocol using cross-layer design and energy harvesting inwireless sensor networksrdquo International Journal of DistributedSensor Networks vol 2013 Article ID 374796 11 pages 2013
[22] S Sen J Clark and J Tapiador Security Threats in MobileAd Hoc Networks I S of Self-Organizing Networks AuerbachPublications 2010
[23] P Ning and K Sun ldquoHow to misuse AODV a case study ofinsider attacks againstmobile ad-hoc routing protocolsrdquoAdHocNetworks vol 3 no 6 pp 795ndash819 2005
[24] T Clausen C Dearlove P Jacquet and U Herberg ldquoTheoptimized link state routing protocol version 2rdquo IETF ActiveInternet-Draft Draft-Ietf-Manet-Olsrv2-15 2012
[25] U Herberg and T Clausen ldquoSecurity issues in the optimizedlink state routing protocol version 2 (olsrv2)rdquo InternationalJournal of Network Security amp Its Applications vol 2 no 2 2010
[26] YOwada TMaenoH Imai andKMase ldquoOLSRv2 implemen-tation and performance evaluation with link layer feedbackrdquo inProceedings of the International Wireless Communications andMobile Computing Conference (IWCMC rsquo07) pp 67ndash72 Newyork NY USA August 2007
[27] F Hong L Hong and C Fu ldquoSecure OLSRrdquo in Proceedingsof the 19th International Conference on Advanced InformationNetworking and Applications (AINA rsquo05) pp 713ndash718 March2005
[28] LNAMHegland P Spilling andQKure ldquoHybrid protectionof olsrrdquo in Electronic Notes in Theoretical Computer Science2006
[29] P Kunwar S Sofat and D Bansal ldquoComparison of secure olsrrouting protocolrdquo International Journal of Engineering Sciencevol 3 no 6 p 5049 2011
[30] A Adnane C Bidan and R T de Sousa Junior ldquoTrust-basedcountermeasures for securing OLSR protocolrdquo in Proceedingsof the 7th IEEEIFIP International Conference on Embedded andUbiquitous Computing (EUC rsquo09) pp 745ndash752 August 2009
[31] B Wu J Chen J Chen J Wu and M Cardei ldquoA survey ofattacks and countermeasures in mobile ad hoc networksrdquo inWireless Network Security Springer New York NY USA 2007
[32] C Adjih D Raffo and P Muhlethaler ldquoAttacks against OLSRdistributed key management for securityrdquo in Proceedings of theOLSR Interop Workshop 2005
[33] G CerveraM Barbeau J Garcia-Alfaro and E Kranakis ldquoMit-igation of topology control traffic attacks in OLSR networksrdquoin Proceedings of the 5th International Conference on Risks andSecurity of Internet and Systems (CRiSIS rsquo10) October 2010
[34] P M Jawandhiya M M Ghonge M S Ali et al ldquoA surveyof mobile ad hoc network attacksrdquo International Journal ofEngineering Science and Technology vol 2 no 9 pp 4063ndash40712010
[35] L M Feeney ldquoAn energy consumption model for performanceanalysis of routing protocols for mobile ad hoc networksrdquoMobile Networks and Applications vol 6 no 3 pp 239ndash2492001
International Journal of Distributed Sensor Networks 19
[36] G Riley and T Henderson ldquoThe ns-3 network simulatorrdquo inModeling and Tools for Network Simulation Springer BerlinGermany 2010
[37] S Bhattiprolu E Biederman S Hallyn et al ldquoVirtual serversand checkpointrestart inmainstream linuxrdquo SIGOPSOperatingSystems Review vol 42 no 5 pp 104ndash113 2008
[38] J Zhang J Xing and Z Qin ldquoTaprouter an emulatingframework to run real applications on simulated mobile adhoc networkrdquo in Proceedings of the 44th Annual SimulationSymposium (ANSS rsquo11) pp 39ndash46 2011
[39] D Broyles A Jabbar and J P G Sterbenz ldquoDesign andanalysis of a 3-d gauss-markov mobility model for highly-dynamic airborne networksrdquo in Proceedings of the InternationalTelemetering Conference (ITC rsquo10) San Diego CA USA 2010
[40] J Haerri F Filali and C Bonnet ldquoPerformance comparisonof AODV and OLSR in vanets urban environments underrealistic mobility patternsrdquo in Proceedings of the IFIP Med-Hoc-Net Workshop 2006
[41] C H Tseng T Song P Balasubramanyam C Ko and K LevittldquoA specification-based intrusion detection model for OLSRrdquoRecent Advances in Intrusion Detection vol 3858 pp 330ndash3502006
[42] S Kurkowski T Camp and M Colagrosso ldquoManet simulationstudies the incrediblesrdquo SIGMOBILE Mobile Computing andCommunications Review vol 9 no 4 pp 50ndash561 2005
[43] A Abdalla I Saroit A Kotb et al ldquoMisbehavior nodesdetection and isolation for MANETs OLSR protocolrdquo ProcediaComputer Science vol 3 pp 115ndash121 2011
[44] R Puttini J Percher L Me et al ldquoA modular architecture fordistributed ids in manetrdquo in Proceedings of the InternationalConference on Computational Science and Its Applications III2003
[45] A Adnane R T de Sousa L Me and C Bidan ldquoAutonomictrust reasoning enables misbehavior detection in OLSRrdquo inProceedings of the 23rd Annual ACM Symposium on AppliedComputing (SAC rsquo08) pp 2006ndash2013 March 2008
[46] W Wang H Man and Y Liu ldquoA framework for intrusiondetection systems by social network analysis methods in ad hocnetworksrdquo Security and Communication Networks vol 2 no 6pp 669ndash685 2009
[47] H Deng R Xu J Li F Zhang R Levy and W Lee ldquoAgent-based cooperative anomaly detection for wireless ad hoc net-worksrdquo in Proceedings of the 12th International Conference onParallel and Distributed Systems (ICPADS rsquo06) pp 613ndash620 July2006
[48] S KurosawaHNakayamaN Kato et al ldquoDetecting blackholesattack on AODV-based mobile ad hoc networks by dynamiclearningmethodrdquo International Journal of Network Security vol5 no 3 pp 338ndash346 2007
[49] WWang HWang BWang et al ldquoEnergy-aware and selfadap-tive anomaly detection scheme based on network tomographyin mobile ad hoc networksrdquo Information Sciences vol 220 pp580ndash602 2013
[50] M-Y Su ldquoPrevention of selective black hole attacks on mobilead hoc networks through intrusion detection systemsrdquo Com-puter Communications vol 34 no 1 pp 107ndash117 2011
[51] N Marchang and R Datta ldquoCollaborative techniques for intru-sion detection in mobile ad-hoc networksrdquo Ad Hoc Networksvol 6 no 4 pp 508ndash523 2008
[52] B V R N Yadav B Satyanarayana and O B V RamanaiahldquoAn efficient intrusion detection system for mobile ad hoc net-worksrdquo in Emerging Trends in Computing Informatics Systems
Sciences and Engineering vol 151 Springer New York NYUSA 2013
[53] Y Huang and W Lee ldquoAttack analysis and detection for ad hocrouting protocolsrdquo in Recent Advances in Intrusion Detectionvol 3224 Springer Berlin Germany 2004
[54] G Vigna S Gwalani K Srinivasan E M Belding-Royer andR A Kemmerer ldquoAn intrusion detection tool for AODV-basedad hoc wireless networksrdquo in Proceedings of the 20th AnnualComputer SecurityApplications Conference (ACSAC rsquo04) pp 16ndash27 December 2004
[55] M Ayachi C Bidan and N Prigent ldquoA trust-based ids for theaodv protocolrdquo in Information and Communications Securityvol 6476 pp 430ndash444 2010
[56] S Sen and J A Clark ldquoA grammatical evolution approach tointrusion detection on mobile ad hoc networksrdquo in Proceedingsof the 2nd ACMConference onWireless Network Security (WiSecrsquo09) pp 95ndash102 March 2009
[57] S Marti T J Giuli K Lai and M Baker ldquoMitigating routingmisbehavior in mobile ad hoc networksrdquo in Proceedings of the6th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo00) pp 255ndash265 August 2000
[58] B Sun K Wu and U Pooch ldquoRouting anomaly detection inmobile ad hoc networksrdquo in Proceedings of The 12th Interna-tional Conference on Computer Communications and Networks(ICCCN rsquo03) 2003
[59] S Bose S Bharathimurugan and A Kannan ldquoMulti-layerintegrated anomaly intrusion detection system for mobileadhoc networksrdquo in Proceedings of the International Conferenceon Signal Processing Communications and Networking (ICSCNrsquo07) pp 360ndash365 February 2007
[60] P Yi Y Zhong and S Zhang ldquoA novel intrusion detectionmethod for mobile ad hoc networksrdquo in Advances in GridComputing vol 3470 pp 1183ndash1192 Springer Berlin Germany2005
[61] C Perkins E Belding-Royer and S Das ldquoAd hoc on-demanddistance vector (AODV) routingrdquo IETF Experimental RFC3561 2003
[62] D Johnson and D Maltz ldquoDynamic source routing in ad hocwireless networksrdquo in Mobile Computing pp 153ndash181 KluwerAcademic 1996
[63] C Perkins and P Bhagwat ldquoHighly dynamic destinationse-quenced distance-vector routing (dsdv) for mobile computersrdquoin Proceedings of the Conference on Communications Architec-tures Protocols and Applications (SIGCOMM rsquo94) vol 24 pp234ndash244 1994
[64] T JoachimsMaking Large-Scale Support VectorMachine Learn-ing Practical MIT Press Cambridge Mass USA 1999
[65] Y Yajima and T Kuo ldquoEfficient formulations for 1-svm and theirapplication to recommendation tasksrdquo Journal of Computersvol 1 no 3 pp 27ndash34 2006
[66] L Bononi and C Tacconi ldquoIntrusion detection for secureclustering and routing inMobileMulti-hopWirelessNetworksrdquoInternational Journal of Information Security vol 6 no 6 pp379ndash392 2007
[67] Y Huang W Fan W Lee et al ldquoCross-feature analysis fordetecting ad-hoc routing anomaliesrdquo in Proceedings of the 23rdInternational Conference on Distributed Computing Systems(ICDCS rsquo03) pp 478ndash487 May 2003
[68] J Quinlan C4 5 Programs for Machine Learning MorganKaufmann Boston Mass USA 1993
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 7
two nodes consider themselves as 1-hop neighbors whereasthey are not in the communication range of each otherAn intruder may also disrespect the flooding mechanism inOLSR This happens when the intruder retransmits a controlmessage that is received from a non-MPR selector node [32]
119868 notin MPR119878 119878
CM119905
997888997888997888rarr 119868 119868
CM1199051015840
997888997888997888997888rarr100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
dArr
119868 isin I
(11)
Overall attacks targeting OLSR protocol are classifiedinto 3 types
(i) drop attack that consists in totally or selectivelydropping the controlmessages for example droppingTC message in order to foil route calculation
(ii) active forge attack that attempts to poison OLSRrsquosfunctionalities by introducing novel deceptive controlmessage for example a hello message including anincorrect neighbor set so as to foil MPR selection
(iii) modify and forward attack lies in an intruder thatcaptures and modifies a control message before for-warding it (eg increasing the sequence number of aTC message hence the subsequent TC messages areignored)
An intruder launches the attack either in a standalonemanner or in collusion with other intruder(s) constitutingwhat so-called a Byzantine attack (eg wormhole) togetherusually coupled with masquerading Detecting these attacksis far to be a trivial task because a minor deviation on anattack makes it undetectable In addition an attack can becomposed of several subattacks In order to tackle theseissues we describemodel the attack as general as possiblehence circumventing possible deviationsWe then propose anintrusion detection system that detects composed attacks asmuch as their parties
3 Intrusion Detection
We propose a distributed log- and signature-based intrusiondetection system named IDAR In addition to providing ahigh detection accuracy IDAR aims tomaintain the availableresources in MANET For this purpose the evidences ofattack are extracted from the log and further classifiedaccording to their level of gravity Such classification helpsin planning the diagnostic and henceforth minimizing thecomputation overhead related to attack identificationDuringthe diagnostic evidences arematched to predefined intrusionsignatures The establishment of an intrusion signature andfurther the diagnostic operation are exemplified with the linkspoofing attack we purposely developed
31 Resource-Aware Evidence Gathering IDAR distinguishesitself from other IDSs by extracting the signs of attack fromthe logs instead of sniffing the traffic Thus the consumptionof energy and computational power resulting from evidence
minus600
minus400
minus200
0
200
400
600
800
0 200 400 600 800 1000Size (bytes)
Promiscuous overhearing sender and receiverPromiscuous overhearing senderPromiscuous overhearing receiverNonpromiscuous overhearing sender and receiverNonpromiscuous overhearing senderNonpromiscuous overhearing receiver
Ener
gy (u
Wlowast
s)Figure 1 Energy consumption in promiscuous and nonpromiscu-ous modes
gathering and analyzing is minimized In fact sniffing trafficnecessitates that the wireless network interface stays in modepromiscuous at all time thus the node can overhear all thepackets within its transmission range But promiscuousmodeleads to consuming more energy and hence reducing rapidlythe lifetime of the nodenetwork Indeed a nondestinationnode in the radio range of either the sender or the receiveroverhears some or all of their traffic For the IEEE 80211MAC protocol a nondestination node in discarding (ienonpromiscuous) mode can enter into a reduced energyconsumption mode and discard othersrsquo traffic [35] Suchmode requires less energy than the idle mode which is thedefault mode in ad hoc network While a nondestinationnode operating in promiscuous mode listens to all the trafficwhether or not it is the intended destination The traffic isfurther received as if it was a broadcast traffic thus additionalenergy consumption is associated with promiscuous modeoperation Figure 1 represents a part of the experimentalmeasurements realized in [19] about the energy consumptionof an IEEE 80211 2Mbps wireless card It shows the signifi-cant difference in energy consumption between promiscuousand nonpromiscuous modes Note that the consumption inthe nonpromiscuous mode is negative because it requiresless energy than the reference idle mode Besides increasingthe amount of consumed energy sniffing traffic imposes ahuge computational overhead [20] Indeed the packet-levelanalysis which is applied on the sniffed packets strainssignificantly the available resources that ismemory andCPUprocessing Moreover since all the traffic in the radio rangeis sniffed many of the analyzed packets would be redundantand add nothing to the detection In order to avoid thispermanent strain of resources IDAR does not sniff the trafficbut it rather collects periodically the local logs In particularit focuses on the portion of logs that characterizes the
8 International Journal of Distributed Sensor Networks
activities of the routing protocol (eg packet reception MPRselection) Note that additional logs for example system-security-related logs could be integrated and correlatedOnce parsed a log is used so as to detect a sign of suspiciousactivityThis consists inmatching the log against a predefinedintrusion signature An intrusion signature is thought as apartially ordered sequence of events that characterizes anintrusion Such procedure is potentially not only memorybut also bandwidth consumer Indeed it involves examininglocal logs as well as performing an in-depth diagnostic whereother nodes are requested so as to collect additional attackevidences correlate and match them against the definedintrusion signatures The in-depth diagnostic offers a globalview about the suspicious nodes and therefore it increasesthe accuracy of the detection But it is a costly operation interms of resources Thus the in-depth diagnostic must becarefully planned that is should be initiated only when asufficient degree of suspicion exists and terminated as soon asa result is obtained For this purpose we propose to classifyattack evidences so that depending on their level of gravitythe in-depth diagnostic may be performed According to ourclassification an evidence falls into one of the following fourgroups
(i) Initial-evidence group contains the evidences that leadto launch an in-depth diagnostic over the network
(ii) Suspicious-evidence group contains the evidences thatlead to identify a node as suspicious
(iii) Confirmed-evidence group contains the evidences thatconfirm the occurrence of an attack This results interminating the diagnostic and declaring the suspi-cious node as intruder
(iv) Cancel-evidence group contains the evidences thateliminate the suspicion and stop the diagnostic
These groups are populated with the evidences that areextracted from the log If an evidence belonging to the initial-evidence group is discovered then an in-depth diagnosticis launched so as to confirm (ie discovering an evidencebelonging to confirmed-evidence group) or infirm (ie dis-covering an evidence belonging to the cancel-evidence group)the intrusion both lead to the termination of the diagnosticRelying on these groups the evolution of any attack and itsrelated detection is easily followed In addition its compactform facilitates the lightweight discovering of long-termintrusions
32 Link Spoofing Attack A link spoofing attack lies infalsifying hello message(s) so as to modify the local topologyperceived by adjacent nodes This attack influences the MPRselection In particular this attack owns a global impactthe MPR position provides to the intruder the possibility toeavesdrop tamper misrelay or drop the traffic As discussedin Section 2 (and further detailed in Expression 4) anintruder realizes a link spoofing attack through one of thefollowing three cases
(1) It advertises a non-existing and symmetric nodeThus the intruder guarantees (unless another attacker
advertises the same non-existing node) being selectedas a MPR because this non-existing node is uniquelycovered by the intruder
(2) It advertises existing but nonneighboring node(s)The intruder is selected as a MPR if the advertisednode(s) is (are) not already covered by another (well-behaving or malicious) MPR
(3) It keeps under wraps neighboring and symmetricnode(s) In this case the connectivity of the intruderand consequently its chance of being selected asa MPR are both decreased Used in a standalonemanner this attack aims to decrease the connectivityof one or several nodes a complete isolation necessi-tates that no other (well-behaving) MPR covers thatnode(s)
We develop an attack (Expression 12) wherein an intruderfalsifies a hello message that contains both a non-existingnode (Case 1) and existing but non-neighboring nodes (Case2) The reason that motivates this choice is twofold First byadvertising a nonexisting node 119873 119868 ensures being selectedas a MPR by the victim 119878 (exist119873 isin 119873119878
1015840
119868ni 119873 notin N cap 119873119878
119868)
Note that with the last versions of the RFC a node (iepotentially an intruder) may dictate its selection as a MPRby advertising (in a hello message) its high willingness torelay messages Nevertheless previous versions (and theirrelated implementations) ignore this case Regardless of theversion of the protocol our intruder (as aforementionedpreviously) guarantees being selected as MPR by advertisinga nonexisting and symmetric node Second by announcingcommon neighbors with another node 119871 (Case 2) 119868 increasesthe probability that 119871 is not selected as a MPR (119868 replacing119871) and henceforth increases its proper ascendancy Note thatthe attack we developed does not consider the third casethat involves the reduction of the intruderrsquos connectivityNevertheless attack signature deals with it
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119873 isin 1198731198781015840
119868ni 119873 notinN cap 119873119878
119868
exist119871 isin MPR119878ni [119873119878
119871 119873119878119868] sube [119873119878
1015840
119868 119873119878119868]
dArr
119868 isin I 119871 notin MPR119878
exist1198681015840isin I ni 119868
1015840isin MPR
119878
Card (1198731198781015840119868 (119873119878
1015840
119868capN)) gt 0
Card ((1198731198781015840119868 119873119878119868) capN) gt 0
(12)
Herein a key challenge stems from the need to generate ahand-coded intrusion signature that models such attack andhenceforth permits to detect it
33 Signature Establishment As mentioned before a linkspoofing attack aims to inflect the MPR selection such
International Journal of Distributed Sensor Networks 9
Table 2 Evidence characterizing a link spoofing attack
Initial-evidence group1198641 AMPR is replaced by a 1-hop neighbor or by an already selected MPR1198642 AMPR behaves maliciously for example it tampers misrelays or drops the control messages
Suspicious-evidence group1198643 AMPR is the only node that provides connectivity to one (or more) 2-hops neighbor(s)
Confirmed-evidence group1198644 AMPR advertises a partial set of 1-hop neighbors1198645 AMPR advertises nonneighboring node(s) as 1-hop neighbors(s)
Cancel-evidence group1198646 AMPR is defined as an intruderwell-behaving node
selection is triggered upon a change in the symmetric 1- and2-hops neighborhood Rather than launching an in-depthdiagnostic upon every change in the 1- or 2-hops symmet-ric neighborhood we keep to a minimum the number ofthese diagnostics and henceforth the amount of consumedcomputational power and bandwidth by initiating it onlyat the occurrence of an event related to a link spoofingattack More precisely we ignore the changes in the 1-hopneighborhood (eg apparition of 1-hop neighbor) becausethey are observed by the node itself Thus they are notsubject to the remote falsification which is the cornerstoneof a link spoofing attack In contrary changes in the 2-hopsneighborhood are considered as long as they impact theMPRselection In practice the evidences that reveal a link spoofingattack (Table 2) are broken down into
(i) a MPR replacement (Evidence 1 or 1198641 for short)that results from a change in the covering of the 1-hop neighbors one (or several) 1-hop neighbor(s)(possibly the replacing MPR) increase(s) its (their)coverage to the detriment of the replaced MPR AreplacementMPR is a 1-hop neighbor that is excludedfrom the MPRs set even though it provides the sameconnectivity in both the previous and current MPRselection rounds
(ii) No MPR replacement takes place but an alreadyselected MPR is detected as misbehaving node Forinstance a misbehaving MPR may drop falsify ormisrelay the control messages (1198642) Note that anevidence of a special interest herein refers to a nodepromoting itself as a MPR without having beenselected as a MPR Amisbehaving MPR includes alsothe case wherein a MPR continually advertises thesame 2-hops neighbors set despite being no morevalid Contrary to other cases this one is not eventdriven and should be handled based on random orperiodical checks
(iii) aMPR is the only one that covers one or several nodes(1198643)
(iv) a MPR covers partially its adjacent neighbor(s) (1198644)
(v) a MPR provides connectivity to a nonneighboringnode (1198645)
The occurrence of either 1198641 or 1198642 constitutes the startingpoint of an in-depth diagnostic 1198641 and 1198642 belong to theinitial-evidence group The act of being the only MPR thatprovides the connectivity to node(s) (1198643) is suspicious butis not sufficient to launch an in-depth diagnostic becausethis situation is typical in a sparse network Furthermoretwo nodes within the covering range of each other oftenfail in communicating due to the unpredictable nature ofwireless transmission resulting from for example obstaclesand noises Thus diagnosing 1198643 is especially difficult underno specific assumption Overall the occurrence of 1198641 or 1198642and optionally1198643 leads to an in-depth diagnostic (Expression13) In practice the 1-hop neighbor(s) of the suspicious MPRare interrogated Note that part of the interrogated nodesmayexpress a different opinion that results from malicious nodeor an obsolete routing information This calls for taking intoaccount their respective reputation (as we plan in our nearfuture work)
(1198641 or 1198642)
dArr dArr
(1198644 or 1198645) optional (1198643) (1198644 and 1198645)
dArr dArr
The suspicious MPRis an intruder
The suspicious MPRis well-behaving
(13)
If the obtained answers confirm (resp infirm) that thesuspicious MPR covers partially its neighbors (1198644) andoradvertises a distant node as 1-hop neighbor (1198645) then theMPR is declared as an intruder (resp well-behaving) andthe diagnostic is terminated (1198646) Obviously the cooperationbetween the nodes constitutes a cornerstone in our in-depthdiagnostic
34 Cooperative Diagnostic The in-depth diagnostic of a linkspoofing attack consists in verifying the existence of a sym-metric and neighboring relationship between a suspiciousMPR and its advertised 1-hop neighbors (Algorithm 1) Moreprecisely this diagnostic follows the following steps Firstthe MPRs that have been replaced by other MPR or 1-hopneighbor are identified (lines 1-2) because such replacementrepresents the initial evidence of a link spoofing attack (1198641in Table 2) For this purpose the function GetReplaced-Mpris called (Line 1) It establishes the MPRs that have been
10 International Journal of Distributed Sensor Networks
(1) OldMprs = GetReplaced-Mpr()(2) SuspiciousMprs = GetReplacing-Mpr()(3) for (suspicious isin SuspiciousMprs) do(4) InterrogatedNodes = GetCommon2HopsNeighors
(suspicious OldMprs)(5) for (2HopsNeighbor isin InterrogatedNodes) do(6) if (LinkExistence (2HopsNeighbor suspicious) ==
false) then(7) Generate-Alarm (suspicious)(8) end if(9) end for(10) Cancel-Suspicious (suspicious)(11) end for
Algorithm 1 In-depth diagnostic
replaced by comparing the currentMPRs and the penultimateMPRs Then the MPRs sharing 1-hop neighbor(s) with areplaced MPR are identified (function GetReplacing-MPRline 2) Those identified MPRs are tagged as suspicious andare subject to further analysis (lines 3ndash11) the objective is toverify whether some spoofed links have been advertised soas to replace the MPR It follows that the 1-hop neighborsthat are common to a replaced MPR and a suspicious oneare determined (GetCommon2HopsNeighors function line 4)Note that these 1-hop neighbors also correspond to the 2-hops neighbors of the node launching the diagnostic Theyare interrogated (LinkExistence function) so as to verify theexistence of links The interrogation of a 2-hops neighbordenoted by 119860119894 consists in sending a request to 119860119894 asking ifthis latter considers the suspicious MPR as a 1-hop neighborat a specific time 119905 Whenever possible this request is sentwithout going through both the suspicious MPR 119868 or anycolluding intruder 1198681015840 This eluding is necessary in order toprevent 119868 and 1198681015840 from dropping the request andor forging adeceptive answerTherefore the 1-hop neighbor(s) (primarilythe MPR(s)) that covers the interrogated 2-hops neighbors isprovided with the request Note that the suspecting node 119878 isaware of is provided with the connectivity between the nodesthat form its two-hops neighbors Thus 119878may select the one(if existing) that covers 119860119894 If no answer is obtained (iethe related time-out elapses) then the request is sequentiallytransferred through the rest of the covering 1-hop neighbors(keeping in mind that as aforementioned MPRs are pri-marily selected) However when no neighbor is left then an(multihops) alternative path is researched in the routing tableto reach 119860119894 Note that the verification related to a suspiciousMPR is performed within an independent thread hencethe diagnostic of one node (and the result waiting) is not ablocking to others If 119860119894 denies being a 1-hop neighbor of thesuspicious MPR then a countermeasure is triggered Moreprecisely an alarm that establishes the detected attacker(s)is broadcasted (Generate-Alarm function line 7) Otherwiseif no deny takes place the suspicious MPR is no longersuspected (Cancel-Suspicious function line 10) In both casesthe diagnostic terminates Note that if no answer is provided(the inconsistent answers lead also to a claim in the degree
of suspicion However this case is not included in this paperbut it is handled in our other works) then the suspiciousMPR is tagged as not verified and the degree of suspicionin this latter goes up It is worth mentioning that the currentimplementation of IDAR considers the link spoofing attackHowever considering other attacks is not complicated andrequires only specifying the evidences to be searched in thelogs and the information to be exchanged between the nodesduring the in-depth diagnostic
4 Architecture and Performance Evaluation
In this section we introduce the key architectural compo-nents of IDAR (Section 41) Then we present the evaluationof IDAR performance (Section 42) and further discuss theobtained result (Section 43)
41 IDAR Architecture In order to cope with the dynamicnature ofMANET IDAR is both distributed and cooperativeThe proposed architecture (Figure 2) requires that everydevice participates in the detection (The delegation of somedetection operations (eg logs analyzing) may be sharedamong devices But it will not be necessarily less expensive interms of resources consumption)More precisely each devicecontains an instance of IDAR which independently detectsthe signs of suspicion and cooperates with other instancesso as to conduct the diagnostic in a broader range IDAR isimplemented in Perl (httpwwwperlorg) and conceptuallystructured into 4 components
(i) Coordinator that orchestrates all the components Assuch it constitutes the hearth of IDAR In prac-tice it parses dynamically the OLSR logs so as toextract signs of suspicion and match these latteragainst predefined intrusion signaturesThe intrusionsignatures are represented as conditional rules (ifcondition then state) Furthermore it triggers thecommunication and the alarm notification in orderto launch advanced diagnostic
(ii) Communication manager that gathers informationabout for example the adjacent links as requiredby the diagnostic manager Meanwhile it answersthe diagnostic requests This component runs into aseparated thread so that other IDAR operations arenot blocked
(iii) Knowledge database includes the information thatis extirpated from the logs and is provided by thecommunication manager This database is realized inMysql (httpwwwmysqlcom) Stored informationencompasses for example the 1-hop and 2-hopsneighbors and the MPRs
(iv) Alarm notifier is responsible for alarming the networkwhen an intrusion is detected Note that we areplanning to include more countermeasures in thefuture for example eliminating the routes containingan intruder
International Journal of Distributed Sensor Networks 11
SignatureKnowledge
database
Coordinator
Communicationmanager Alarm notifier
Update
Feedback
Diagnostic requestDiagnostic answer
IDAR instance
Routing log
IDAR instanceDiagnostic requestanswer
Routing log
Feed back
Figure 2 IDAR architecture
All the above components have been developed so as tosupport intrusion detection offering a high rate of detectionalong with conserving the resources
42 Performance Evaluation In order to evaluate the perfor-mance of IDAR a mobile ad hoc network has been simulatedusing the network simulator NS3 (httpwwwnsnamorg)[36] Each node in the simulated network is furthercoupled with a Linux Container (LXC) virtual machine(httplxcsourceforgenet) [37] The reason that motivatesthis coupling is twofold First NS3 offers the possibilityto simulate a large-scale mobile ad hoc network SecondLXC an operating-system-level virtualization tool permitsto run multiple isolated machines (also called containers)on a single modified hosting kernel (up to 1024 contain-ers over a single hosting kernel) Each container owns itsproper resources (eg process tree network interface andIP address) Thus the resource consumption (eg memoryusage) can be isolated and measured In practice an instanceof IDAR is installed on each container that appears asa standaloneseparated machine Figure 3 exemplifies thecoupling between nodes in NS3 and LXC containers Fromthe IDAR perspective (as well as from any applicationinstalled on the container) the emission and reception ofpackets is done through the network interface (eth0) Whilethe container contains a simulated ethernet card (V119890119905ℎ)which is connected through an ethernet bridge towards akernel tap device (tap) Note that for each container-nodecoupling new tap and ethernet bridge should be definedin the hosting kernel The ethernet bridge implements theforwarding of link-level framesThe interface 119905119886119901119877119900119906119905119890119903 [38]is implemented in NS3 and is used to exchange packetsbetween the 119905119886119901 device and the WiFi device which enablesNS3 nodes to communicate over a IEEE 80211- and OLSR-enabled MANET Overall the outgoing packets from eth0in the container are delivered to the WiFi device at thecorresponding node in the simulated network and vice versaSimulation is carried using the aforementioned platform
wherein the hosting device is equipped with 32GB of mem-ory and 2 Intel(R) Xeon(R) (6) Core 240GHz CPUsContainers hold a Fedora 12 operating system We considera MANET (Table 3) constituted of 119873 = 30 nodes split into25 well-behaving nodes and 5 intruders While most of otherIDSs are evaluated against one intruder we show that IDARcan handle several intruders in the same time Intruderslaunch repeatedly the implemented link spoofing attack (asdescribed in Expression 12) In our experiments the numberof successful intrusions varies between 15 and 33 accordingto the parameters of simulation scenario (as described inExpression 12) Nodes communicate via IEEE 80211a andare characterized by a transmission range 119879
119909of 90m They
randomly move following the so-called RandomWalk2d [39]mobility pattern provided by NS3 each node moves accord-ing to a randomly chosen direction at a given speed that isthe same for all the nodes When a node hits the networkboundaries (unless specified the network area is defined bya squared area of 119878 = 310 times 310m2) it rebounds followinga reflexive angle Data traffic is further modeled using theV4PingHelper application in NS3 each node exchanges 56-byte ICMP (httpwwwietforgrfcrfc792txt) echo requeststo one another and waits for 1 s before sending it again Weuse OLSR as the underlying routing protocol preserving theconfiguration parameters promoted in the RFC 3626 (eghello message interval is 2 s)
For each experimental scenario the simulation islaunched 5 times each one lasts for 140 s We compare thelaunched attacks with the detected ones and present theaverage of results We aim at evaluating the performance ofIDAR in terms of
(i) intrusion detection rate that reflects the capacity ofdetecting successful intrusions (a successful intrusioncauses the replacement of a legitimate MPR of thevictim by an intruder)
(ii) false positive rate that measures how many times alegitimate node is wrongly designated as an intruder
12 International Journal of Distributed Sensor Networks
Table 3 Simulation parameters
Simulation platformSimulator NS3 + LXC virtual machinesContainer operating system Fedora 12Hosting device memory 32GBHosting device CPU 2 Intel(R) Xeon(R) (6) Core 240GHz
Simulated MANETNumber of mobile nodes 30Number of intruders 5Topology 310 times 310m2
Transmission range 90mMaximum bandwidth 1MbpsTraffic V4PingHelper 56 bytes Icmp packetsMobility model RandomWalk2dMaximum speed 8ms (or 288 kmh)Simulation time 140 s
tapRouterWiFi devicewith OLSR
LXC
cont
aine
r
Ethernet bridge
Tap
LXC
cont
aine
r
veth
Ethernet bridge
Tap
tapRouterWiFi devicewith OLSR
veth
Nod
e 1
Nod
e 119899
NS3
IDAR1 IDAR119899
eth0 eth0
Figure 3 Experiment platform
(iii) detection overhead which represents the additionalnetwork traffic that is generated because of IDARNote that further benchmarks are also provided interms of memory usage
Based on those performance indicators IDAR is furtherevaluated with regard to the network density (Section 421)and node mobility (Section 422)
421 Network Density In order to evaluate the scalingproperties of IDAR we vary the density of the networkThe density of the network corresponds to the averagenumber of neighbors which is defined as in [40] by (119873 times
120587 times 1198792
119909)119878 We selected an interval of density that ranges
from 6 up to 16 neighbors which includes the intruderthe victim and the remaining neighbors Figure 4(a) showsthat the detection rate keeps higher than 80 regardless ofthe network density This demonstrates the relatively limitedimpact of the network density on IDAR performance More
precisely the intrusion detection rate slightly rises from935up to itsmaximum 963when the density varies from6 up to 8 neighbors the greater is the number of neighborsthe higher is the visibility of the attackThen a slow diminishis observed dense networks (with a density exceeding 8) arecharacterised by a high collision rate that causes a declinein the detection rate Similarly Figure 4(b) highlights thatthe average percentage of false positives is neglectful (under59) The analysis of several cases of false positive leads usto find that a false positive occurs when two nodes own adifferent live-times for the bidirectional link that connectsthese later consequently one of the two nodes still confirmsthe existence of this link while the other one denies it Tooverride this problem the period during which those linksare considered valid should be amplified as in [41] Figure 4(c)presents the average memory usage caused by IDAR Thisusage gently fluctuates between 176MB and 222MB It is alsoworthy of mention that contrary to OLSR our system doesnot assign additional functionality toMPR (detectionmay belaunched by one another) IDAR provides an homogeneousload balancing among the nodes As illustrated in Figure 4(d)the traffic caused by IDAR is very low (under 05 for anetwork density inferior to 8) It then slowly rises to reach13 when the network density is 16 In order to understandthe slight fall when the density reaches 14 we compare theaverage number of suspicious cases with regard to a varyingdensityThis average was 708 (resp 658) with density equalsto 12 (resp 14) Consequently the number of diagnostic-related packets is smaller at a density of 14 than at a densityof 12
422 Mobility In order to isolate the influence of themobility the network density is set to 8 The detection ratefalls when the speed increases (Figure 5(a))This results fromthe ever changing topology that results in increasing thenumber of broken links and the related drops of diagnostic-related packetsHowever IDAR still provides a high detectionrate for example the average of detection rate is 707
International Journal of Distributed Sensor Networks 13
0
20
40
60
80
100
6 8 10 12 14 16
Det
ecte
d in
trus
ions
()
Density
Average detection
(a)
0
10
20
30
40
50
6 8 10 12 14 16
False
pos
itive
()
Density
Average of false positives
(b)
0
10
20
30
40
50
6 8 10 12 14 16
Mem
ory
usag
e (M
B)
Density
(c)
025 05
1
5
20
50 100
6 8 10 12 14 16Density
IDA
R ve
rsus
OLS
R tr
affic (
)
(d)
Figure 4 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network density
with a moving speed equals to 8ms (ie around 287
kilometershour equivalent to 1789mileshour) Figure 5(b)shows that the higher is the moving speed the greater it getsfalse positives mainly because of out of date feedback Infact when a node moves away some of its 1-hop neighborsare no longer neighbors but are still announced as suchand are considered as potential attackers A higher increaseof the false positive rate is observed when the node speedranges from 4ms up to 6ms because the instable nodecovering is given its transmission range which leads to anincreased update of its 1-hop neighbors The memory usage(Figure 5(c)) rises staidly from 176MB to 265MB whichis reasonable even for resource-limited devices The impactof the mobility on the bandwidth is shown in Figure 5(d)The IDAR traffic comparing to the OLSR traffic significantlygrows from 036 up to 31 for a speed ranging from 0msup to 2ms Then the bandwidth usage gradually growsand reaches almost 6 when the moving speed is equalto 8ms This is motivated by the fact that increasing thenumber of verified links leads to exchange more diagnostic-related messages in the network In order to understandthe reason behind such variable growth of IDAR trafficwe counted the number of the verified suspicious neighbor
links We found that the average number of the verified linkssignificantly grows from 452 to 2014 when the velocity risesfrom 0ms to 2ms This average then gradually grows andtakes the values 2408 3314 and 406 when the velocityequals to 4ms 6ms and 8ms respectively The limitednumber of the suspicious neighbor links when the nodesare static is justified by the fact that the attacker has alimited choice to falsify its neighbors links Instead when thevelocity is greater than 2ms there is a continuous changein the neighborhood and the attackers can attack more(diversified) targets Meanwhile the continuously changingtopology implies an increased number of investigations
43 Performance Discussion It is clear that the density of thenetwork holds less influence than the mobility on our IDSMore mobility in MANET causes more dropped diagnosticpackets and hence less diagnostic is concluded with a finalresult that is confirming or refuting the suspiciousnessHowever comparing the launched attacks to the discov-ered suspicious events shows that the majority of attacksare tagged as suspicious events and considered for furtherdiagnostic Note that the mobility has a negative influence
14 International Journal of Distributed Sensor Networks
0
20
40
60
80
100
0 2 4 6 8
Det
ecte
d in
trus
ions
()
Velocity (ms)
Average detection
(a)
0
10
20
30
40
50
0 2 4 6 8
False
pos
itive
()
Velocity (ms)
Average of false positives
(b)
0
10
20
30
40
50
0 2 4 6 8
Mem
ory
usag
e (M
B)
Velocity (ms)
(c)
025 05
1
5
20
50 100
0 2 4 6 8
IDA
R ve
rsus
OLS
R tr
affic (
)
Velocity (ms)
(d)
Figure 5 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network mobility
on all the IDSs especially the cooperative ones where thereis an exchange of evidencesalerts Table 4 provides a shortperformance comparing between IDAR and other knownIDSs that are dedicated to ad hoc routing protocol Likethe majority of these IDSs the performance of our systemis challenged against a specific attack link spoofing attackin a simulated MANET (According to [42] around 75of mobile ad hoc published papers use simulation for testissues) Two evaluation factors are common to almost all thelisted IDSs the detection ratecapacity and the positive falserate Even though it was challenged in a MANET whereinthe intruders constitute 166 (Note that this percent is the3rd highest registered percent) of the nodes IDAR providesone of the highest detection rate Regarding the positivefalse rate we can notice that several IDSs especially thosethat are dedicated to DSR protocol show better results thanour system However this latter still generates a limitednumber of false positives It is also possible to reduce thefalse positives rate by amplifying the TTL (Time To Live)parameter of a bidirectional link so as to reduce the impactof obsolete neighborhood-related information during thedetection Recall that most of the generated false positives inIDAR are generated because of the difference in the time-live
of a bidirectional link between the two ends of this link Insuch case this link will be expired in one end while the otherend will keep confirming its existence It is worthmentioningthat except our system the listed IDSs that aim to detect theattacks targeting OLSR protocol do not present neither thedetection rate nor the false positives rate But they merelyprove the capacity of detecting the addressed attack(s) Inaddition IDAR is one of the rare IDSs that are evaluated interms of resources consumption Indeed we measure boththe increment inmemory usage and traffic overhead resultingfrom detection operations IDAR triggers a small incrementin the devicesrsquomemory usage (between 176MBand 265MB)Therefore it can be tolerated by the resource-limited devicesIt further triggers the lowest traffic overhead compared to thelisted IDSs IDAR presents a good scalability and offers a highdetection rate even in the high density networks where a largeamount of routing traffic should be monitored (Figure 4(a))This scalability is reinforced by (i) the limited traffic overhead(ii) the use of routing logs so as to extract the evidencesinstead of sniffing the traffic (iii) the distributed nature ofdetection such that each node is responsible for detecting theattacks targeting it and (iv) the unnecessity of modifying theused routing protocol
International Journal of Distributed Sensor Networks 15
5 Related Work
Systems that detect intrusion targeting ad hoc routing proto-col are extremely diverse in the way they analyze intrusionThey fall into the three key categories
(i) Anomaly detection system defines the correct behav-ior of the nodenetwork so as to detect deviations tothis behavior This correct behavior is automaticallybuilt during an attackless training phase The detec-tion accuracy depends on the ability to (i) describethe correct behavior and (ii) distinguish betweenanomalous and unexpected behaviors
(ii) Specification-based detection system hand-codes thelegitimate functionoperation and then searches for aviolation to this operation
(iii) Signature-based detection system first describes theway an intruder penetrates the system by defining anintrusion signature Then any behavior that is closeto this predefined signature is flagged as intrusion
Hereafter we detail examples of each of these categoriesAnomaly-based detection constitutes the main approachused to detect attacks The IDS proposed by Zhang et al[7] constitutes a de facto standard in MANET It aims atdetecting the attempts to falsify the routes provided by theAODV [61] DSR [62] and DSDV [63] routing protocolsDuring the training phase the impact of movement on thepercentage of changes in the routing table is analyzed Notethat this movement (ie velocity direction and position)is provided by a Global Positioning System (GPS) Thenduring the operation phase an actual percentage of changesdiffering from the predicted one is defined as anomaly Inpractice the distinguishing between anomalous and normalbehaviors is provided by the Support Vector Machine (SVM)Light [64] classifier or by RIPPER [15] a rule-based engineThe hierarchical IDS proposed in [47] detects blackhole androuting request flooding attacks targeting AODV protocolHere MANET is arranged into clusters whereas the nodewith the highest residual energy and number of connectionsis elected as a cluster-head Each cluster-head monitors thetraffic inside its cluster so as to identify the abnormal valuesof (i) the percentage of changes in the routing table and (ii)the propagation of routingdata packets Such abnormalitiesare identified thanks to (1-SVM) classifier [65] a deviationof SVM that needs to be trained with either normal orabnormal scenario but not both of them In [48] (resp [66])a blackhole (and resp dropping) attack targeting AODVprotocol (resp a secured version of AODV protocol includ-ing authentication and reputation estimation) are detectedby investigating features for example the number of routerequests and route replies as well as the average difference ofsequence numbers (Largely increased sequence numbers areknown as a sign of blackhole attack) Then simple anomalydetection is applied if the distance between the actuallyobserved features and the average ones that are recorded dur-ing the training exceeds a given threshold then an intrusionis detected More sophisticated cross-features analysis (CFA)[67] is applied to detect both blackhole and packet drop-ping on AODV and DSR protocols Features including for
example the reachability between 2 nodes and the numberof delivered packets are analyzed within time windows Thisanalysis attempts to quantify the relation existing betweenone feature 119891
119894and the others 119891
1 119891
119894minus1 119891119894+1 119891
119896(with
119896 + 1 defining the number of features analyzed) During theoperation phase the probability of matching between theobserved feature 1198911015840
119894and the predicted feature 119891
119894 which is
established based on 11989110158401 119891
1015840
119894minus1 1198911015840
119894+1 119891
1015840
119896 is calculated by
a decision tree classifier named C45 [68] An anomaly refersto an average of matching probability fewer than a giventhreshold CFA and C45 are also used in [69] with traffic-related features (eg number of receivedtransferred packets)and OLSR- or AODV-related features (eg MPR updates forthe former and route discovery for the latter) A modifiedMarkov chain-based IDS is proposed in [58] so as to detectroute disruption attack targeting DSR protocol Here thedetection depends on identifying unpredicted value of twofeatures the percentage of changes in the number of routesand the percentage of changes in the number of hops Inpractice a Markov chain is based on the immediate previous119899 consecutive values of a feature as to predict the (119899 + 1)thvalue If the difference between a predicted and an observedvalue exceeds a given threshold an intrusion is concluded
Rather than establishing automatically a correct behaviorspecification-based detection system hand-codes the correctbehavior of the routing protocols based on the protocol spec-ification (IETF draft or RFC) Then the system attempts todetect a violation of constraints circumventing this behaviorFour key constraints define the correct behavior of OLSR([14 70])
(1) Neighbor relationmust be reciprocal (ie 2 neighborsmust hear the hello message sent by each other)
(2) TheMPRs and the nodes that select theMPR (ie theMPR selectors) must be adjacent
(3) A node that finds itself advertised as a MPR selectorin a TCmessage must be adjacent to the originator ofthis message
(4) Nodes receive TC messages without modificationsfromMPR(s)
Each node sniffs the traffic in its radio range so as todiscover the violations of any of the above constraints Theseconstraints are modeled by semantic properties in [70] (resprules in [14]) so as to detect link spoofing attack on TC(and resp hello messages) both experiment an ability todetect a link spoofing by observing a violation of the thirdcondition over a simulated network composed of 11 nodesFinite-state machines are used to describe similar constraintson OLSR [41] and the behavior of AODV protocol [52 71]In [41] a centralized detection of link spoofing man-in-the-middle and deny of service attack is performed While in[52 71] incorrect hop countssequence numbers are analyzedby distributed sensors which sniff and group the packets perrequest-reply flow so as to estimate the forwarding path perflow If a route requestreply is illegallymodified or forwardedvia a nonexpected path then an alarm is triggered In [60]similar FSMs are used to define constraints on both the routediscovery in AODV and the packet forwarding operations
16 International Journal of Distributed Sensor Networks
Table4Com
parin
gID
ARperfo
rmance
with
otherIDSs
IDS
Routing
protocol
Num
bero
fno
des
Intrud
ers
()
Moving
speed
Detectio
nrate
False
positives
rate
Increm
entinmem
ory
usage
Increm
entintraffi
coverhead
IDAR
OlSR
30166
0ndash8m
s707ndash963
0ndash132
176ndash
265MB
478ndash6215KB
(036
ndash597
ofOlSRtraffi
c)
[43]
OlSR
303366
10
mdashmdash
mdashmdash
6ndash12
ofOlSR
traffi
c[41]
OlSR
1010
0ms
Detectio
nispo
ssible
mdashmdash
mdash[44]
OlSR
7143
0ms
Detectio
nispo
ssible
mdashmdash
mdash[45]
OlSR
520
0ms
Detectio
nispo
ssible
mdashmdash
mdash[14
]OlSR
119
0ms
Detectio
nispo
ssible
mdashmdash
mdash[46]
AODV
3033
0ndash5m
s3067ndash90
0ndash20
mdashmdash
[47]
AODV
502
0ndash20
ms
90
5
mdashmdash
[48]
AODV
3033
1ndash20
ms
70ndash82
12ndash18
mdashmdash
[49]
AODV
2050
10
1ndash10ms
964ndash9
87
079ndash093
mdash900k
B
[50]
AODV
5238
0ndash20
ms
(Fixed
IDSs)
100
0ndash0
6
mdashmdash
[51]
AODV
521
20238
0ndash10ms
50ndash100
0ndash30
mdashmdash
[52]
AODV
30mdash
0ndash20
ms
70ndash100
05
ndash15
mdashmdash
[53]
AODV
50Ra
ndom
0ndash20
ms
79plusmn10ndash92plusmn3
5plusmn1ndash32plusmn8
mdashmdash
[54]
AODV
102050
mdash0ndash
10ms
0ndash100
0ndash≫100
02ndash06
mdash[55]
AODV
20ndash200
mdash0ndash
20ms
30ndash9
50ndash16
mdashmdash
[56]
AODV
50mdash
1ndash20
ms
998ndash100
083ndash846
mdashmdash
[7]
AODV
mdashmdash
mdash8848plusmn414ndash971plusmn032
145plusmn072ndash202plusmn627
mdashmdash
DSD
Vmdash
mdashmdash
8523plusmn328ndash9061plusmn299
537plusmn310ndash263plusmn549
mdashmdash
DSR
mdashmdash
mdash852plusmn238ndash991plusmn037
003plusmn004ndash153plusmn408
mdashmdash
[57]
DSR
5040
0ndash20
ms
mdashmdash
mdash11ndash313
of
data
traffi
c[58]
DSR
3033
3ndash5m
s60ndash100
25
ndash50
mdashmdash
[59]
DSR
30mdash
mdash75
12
mdashmdash
[60]
DSR
502
0ndash20
ms
837ndash9
74
13ndash72
mdashmdash
International Journal of Distributed Sensor Networks 17
A signature-based system distinguishes itself by model-ing the misbehavior (rather than the correct behavior) soas to identify if a sequence of observed events matchingan intrusion signature AODVSTAT [54] uses state-basedsignatures in order to detect dropping and spoofing attacksalong with network flooding Few sensors sniff the traffic andmatch it against predefined signatures They also exchangeperiodically MAC and IP addresses so as to detect an identityspoofing which is characterized by a node emitting a packetidentified by MAC and IP addresses differing from thoseregistered for this node A dropping attack refers to a nodethat fails to replay route requestreply Finally a node sendinga number of packets exceeding a given threshold is identifiedas willing to exhaust resources In [45] intrusion signaturesare specified in opposition to the legitimate behavior of OLSRdepicted in conjunction with specification rules similar tothose defined in [70] In particular a node 119873 mistrusts twoneighbors 119871 and 119872 that conform to the following rules119872 advertises 119871 as a neighbor while 119871 does not advertise119872 as a neighbor (or reciprocally) both 119871 and 119872 send TCmessages while 119871rsquos neighbors are a subset of 119872rsquos neighbors(or reciprocally) In addition 119873 mistrusts 119872 if 119873 which isnot a neighbor of 119872 finds itself as a MPR selector in a TCof 119873 (constraint 3) In [44] a FSM is employed to modelthe signature of hello message fabrication in OLSR protocolin an agent-based IDS In practice each node uses a SimpleNetworkManagement Protocol (SNMP) agent so as to collectaudit data from the Management Information Base (MIB)After that events are extracted from the collected audit dataand are matched to the attack signatureThe addressed attackaims at breaking the link between a victim node and itsneighbors and thus a DoS takes place To that end theattacker impersonates the identity of the victim and sends afake hello message advertising one of the victim symmetricneighbors with lost link status Upon receiving the fabricatedmessage the neighbor changes the status of its link withthe victim to ldquoheardrdquo and stops routing packets through thevictim
51 Synthesis and Discussion A great majority of the litera-ture is focused on anomaly detectionwhile scarce effort inves-tigates specification- and signature-based intrusion Thisnaturally calls for consolidating the effort on specification-and signature-based detection while following the habitus ofwired network which consists in coupling these detectionsystems with one another for example in [72] wherein acombination of anomaly- and signature-based detection isrealized so as to increase the detection rate Almost all ofthe IDS focuses only on the detection accuracy that isproviding a high detection rate along with limited falsealarms However they do not consider the criticality ofmaintaining the resources and henceforth extending thelifetime of the nodenetwork Our IDS takes into account thenecessity of reducing to minimum both the communicationand computation overload related to intrusion identificationThe absolute majority of the IDSs is simulated (including thesystem we are proposing) rather than being either developedor experimented on testbeds or relying on empirical data
The reason that explains this situation is twofold Firstthe deployment of critical MANET is limitednot adver-tised Second to the best of our knowledge experiences ofintrusion in MANETs are not reported intrusions are infact developedsimulated as proofs of concept Neverthelessnot only routing protocols but also the characterization ofthe intrusion together leverage on the experience gained indesigning routing protocols for wired networks and deal-ing with related misbehaviors In particular the similarityexisting between the OSPF and OLSR protocols implies thatmany threats (eg sequence numbers identity spoofing) areshared In other words intrusion may be inspired from theone targeting wired networks Meanwhile the developmentof intrusion detection and the envisioning of attacks areaccelerated
6 Conclusion
We survey and classify the attacks that target ad hoc routingprotocols focusing on theOLSRprotocol In order to facilitatethe definition of intrusion signatures we extend a descriptionmodelmdashan attack is expressed as the preconditions andthe resulting consequencesmdashand enrich it with temporalannotations Once hand-coded these signatures are utilizedby IDAR a log-based distributed intrusion detection systemdedicated to operate in mobile ad hoc networks IDARdistinguishes itself by analyzing the logs generated by arouting protocol and extracts intrusion evidences so as tocompare these latter against predefined intrusion signaturesFor this purpose evidences are categorized into four groupsaccording to their degree of suspiciongravity and hence totheir ability to activatedeactivate the diagnostic We furtherdevelop a link spoofing attack on the OLSR protocol buildthe related detection rules and evaluate the performancesof IDAR relying on the NS3 simulator coupled with LXCvirtual machines Overall the experiments figure out ahigh rate of intrusion detection and low false positivesrate even under increased mobility and density Meanwhileresource consumption and network overhead result from thediagnostic are low and adapted to the resource-constraineddevices Note that ongoing effort is provided as to evaluateIDAR in a real MANET consisting of resource-constraineddevices Still detecting intrusion is not a trivial task due tothe large number of evidences to tackle and the resource-consuming diagnostic A compromise between detectionaccuracy and resource consumption could be found For thispurpose we are working on a new statistical mechanism forgathering the evidences This mechanism aims at enhancingthe scalability of our system by restricting the interrogationto a limited subset of nodes during the diagnostic Moreoveruntil now we assume that honest parties are passive theyalarm others but do not react We are considering thecoupling with countermeasures (eg blacklisting) and theexploring of lightweight binary consensus and trust estab-lishment among the nodes that participate in the intrusiondetection
18 International Journal of Distributed Sensor Networks
References
[1] Z Zhao H Hu G Ahn and R Wu ldquoRisk-aware mitigation formanet routing attacksrdquo IEEE Transactions on Dependable andSecure Computing vol 9 no 2 pp 250ndash260 2012
[2] B Sun L Osborne Y Xiao and S Guizani ldquoIntrusion detectiontechniques in mobile ad hoc and wireless sensor networksrdquoIEEE Wireless Communications vol 14 no 5 pp 56ndash63 2007
[3] S Sesay Z Yang and J He ldquoA survey onmobile ad hoc wirelessnetworkrdquo Information Technology Journal vol 3 no 2 pp 168ndash175 2004
[4] P Brutch and C Ko ldquoChallenges in intrusion detection forwireless ad-hoc networksrdquo in Proceedings of the Symposium onApplications and the Internet Workshops (SAINT rsquo03) pp 368ndash373 2003
[5] S Khan N Alrajeh and K Loo ldquoSecure route selection inwireless mesh networksrdquo Computer Networks vol 56 no 2 pp491ndash503 2012
[6] S Corson and J Macker ldquoMobile ad hoc networking (manet)routing protocol performance issues and evaluation considera-tionsrdquo IETF RFC2501 1999
[7] Y Zhang W Lee and Y Huang ldquoIntrusion detection tech-niques for mobile wireless networksrdquoWireless Networks vol 9no 5 pp 545ndash556 2003
[8] B C Cheng and R Y Tseng ldquoA context adaptive intrusiondetection system for MANETrdquo Computer Communications vol34 no 3 pp 310ndash318 2011
[9] T Eissa S A Razak and M D A Ngadi ldquoTowards providinga new lightweight authentication and encryption scheme forMANETrdquoWireless Networks vol 17 no 4 pp 833ndash842 2011
[10] A Irshad W Noshairwan M Shafiq S Khurram E Irshadand M Usman ldquoSecurity enhancement for authentication ofnodes in MANET by checking the CRL status of serversrdquoCommunications in Computer and Information Science vol 78pp 86ndash95 2010
[11] D E Denning ldquoAn intrusion-detection modelrdquo IEEE Transac-tions on Software Engineering vol 13 no 2 pp 222ndash232 1987
[12] T Clausen and P Jacquet ldquoOptimized link state routing proto-col (OLSR)rdquo IETF Experimental RFC 3626 2003
[13] P Albers O Camp J Percher et al ldquoSecurity in ad hoc networksa general intrusion detection architecture enhancing trust basedapproachesrdquo 2002
[14] F Cuppens N Cuppens-Boulahia S Nuon and T RamardldquoProperty based intrusion detection to secure OLSRrdquo in Pro-ceedings of the 3rd International Conference on Wireless andMobile Communications (ICWMC rsquo07) Guadeloupe FranceMarch 2007
[15] W Cohen ldquoFast effective rule inductionrdquo in Proceedings of theInternational Conference onMachine Learning (ICML rsquo95) 1995
[16] S Sarafijanovic and J-Y le Boudec ldquoAn artificial immunesystem for misbehavior detection in mobile ad-hoc networkswith virtual thymus clustering danger signal and memorydetectorsrdquo in Proceedings of the 3rd International Conference onArtificial Immune Systems (ICARIS rsquo04) 2004
[17] S Sen and J Clark Intrusion Detection in Mobile Ad HocNetworks in Guide to Wireless Ad Hoc Networks SpringerLondon UK 2009
[18] D Subhadrabandhu S Sarkar and F Anjum ldquoA Framework formisuse detection in ad hoc networksmdashpart IIrdquo IEEE Journal onSelected Areas in Communications vol 24 no 2 pp 290ndash3032006
[19] L M Feeney and M Nilsson ldquoInvestigating the energyconsumption of a wireless network interface in an ad hocnetworking environmentrdquo in Proceedings of the 20th AnnualJoint Conference of the IEEE Computer and CommunicationsSocieties pp 1548ndash1557 April 2001
[20] A P Lauf R A Peters and W H Robinson ldquoA distributedintrusion detection system for resource-constrained devices inad-hoc networksrdquo Ad Hoc Networks vol 8 no 3 pp 253ndash2662010
[21] N A Alrajeh S Khan J Lloret and J Loo ldquoSecure routingprotocol using cross-layer design and energy harvesting inwireless sensor networksrdquo International Journal of DistributedSensor Networks vol 2013 Article ID 374796 11 pages 2013
[22] S Sen J Clark and J Tapiador Security Threats in MobileAd Hoc Networks I S of Self-Organizing Networks AuerbachPublications 2010
[23] P Ning and K Sun ldquoHow to misuse AODV a case study ofinsider attacks againstmobile ad-hoc routing protocolsrdquoAdHocNetworks vol 3 no 6 pp 795ndash819 2005
[24] T Clausen C Dearlove P Jacquet and U Herberg ldquoTheoptimized link state routing protocol version 2rdquo IETF ActiveInternet-Draft Draft-Ietf-Manet-Olsrv2-15 2012
[25] U Herberg and T Clausen ldquoSecurity issues in the optimizedlink state routing protocol version 2 (olsrv2)rdquo InternationalJournal of Network Security amp Its Applications vol 2 no 2 2010
[26] YOwada TMaenoH Imai andKMase ldquoOLSRv2 implemen-tation and performance evaluation with link layer feedbackrdquo inProceedings of the International Wireless Communications andMobile Computing Conference (IWCMC rsquo07) pp 67ndash72 Newyork NY USA August 2007
[27] F Hong L Hong and C Fu ldquoSecure OLSRrdquo in Proceedingsof the 19th International Conference on Advanced InformationNetworking and Applications (AINA rsquo05) pp 713ndash718 March2005
[28] LNAMHegland P Spilling andQKure ldquoHybrid protectionof olsrrdquo in Electronic Notes in Theoretical Computer Science2006
[29] P Kunwar S Sofat and D Bansal ldquoComparison of secure olsrrouting protocolrdquo International Journal of Engineering Sciencevol 3 no 6 p 5049 2011
[30] A Adnane C Bidan and R T de Sousa Junior ldquoTrust-basedcountermeasures for securing OLSR protocolrdquo in Proceedingsof the 7th IEEEIFIP International Conference on Embedded andUbiquitous Computing (EUC rsquo09) pp 745ndash752 August 2009
[31] B Wu J Chen J Chen J Wu and M Cardei ldquoA survey ofattacks and countermeasures in mobile ad hoc networksrdquo inWireless Network Security Springer New York NY USA 2007
[32] C Adjih D Raffo and P Muhlethaler ldquoAttacks against OLSRdistributed key management for securityrdquo in Proceedings of theOLSR Interop Workshop 2005
[33] G CerveraM Barbeau J Garcia-Alfaro and E Kranakis ldquoMit-igation of topology control traffic attacks in OLSR networksrdquoin Proceedings of the 5th International Conference on Risks andSecurity of Internet and Systems (CRiSIS rsquo10) October 2010
[34] P M Jawandhiya M M Ghonge M S Ali et al ldquoA surveyof mobile ad hoc network attacksrdquo International Journal ofEngineering Science and Technology vol 2 no 9 pp 4063ndash40712010
[35] L M Feeney ldquoAn energy consumption model for performanceanalysis of routing protocols for mobile ad hoc networksrdquoMobile Networks and Applications vol 6 no 3 pp 239ndash2492001
International Journal of Distributed Sensor Networks 19
[36] G Riley and T Henderson ldquoThe ns-3 network simulatorrdquo inModeling and Tools for Network Simulation Springer BerlinGermany 2010
[37] S Bhattiprolu E Biederman S Hallyn et al ldquoVirtual serversand checkpointrestart inmainstream linuxrdquo SIGOPSOperatingSystems Review vol 42 no 5 pp 104ndash113 2008
[38] J Zhang J Xing and Z Qin ldquoTaprouter an emulatingframework to run real applications on simulated mobile adhoc networkrdquo in Proceedings of the 44th Annual SimulationSymposium (ANSS rsquo11) pp 39ndash46 2011
[39] D Broyles A Jabbar and J P G Sterbenz ldquoDesign andanalysis of a 3-d gauss-markov mobility model for highly-dynamic airborne networksrdquo in Proceedings of the InternationalTelemetering Conference (ITC rsquo10) San Diego CA USA 2010
[40] J Haerri F Filali and C Bonnet ldquoPerformance comparisonof AODV and OLSR in vanets urban environments underrealistic mobility patternsrdquo in Proceedings of the IFIP Med-Hoc-Net Workshop 2006
[41] C H Tseng T Song P Balasubramanyam C Ko and K LevittldquoA specification-based intrusion detection model for OLSRrdquoRecent Advances in Intrusion Detection vol 3858 pp 330ndash3502006
[42] S Kurkowski T Camp and M Colagrosso ldquoManet simulationstudies the incrediblesrdquo SIGMOBILE Mobile Computing andCommunications Review vol 9 no 4 pp 50ndash561 2005
[43] A Abdalla I Saroit A Kotb et al ldquoMisbehavior nodesdetection and isolation for MANETs OLSR protocolrdquo ProcediaComputer Science vol 3 pp 115ndash121 2011
[44] R Puttini J Percher L Me et al ldquoA modular architecture fordistributed ids in manetrdquo in Proceedings of the InternationalConference on Computational Science and Its Applications III2003
[45] A Adnane R T de Sousa L Me and C Bidan ldquoAutonomictrust reasoning enables misbehavior detection in OLSRrdquo inProceedings of the 23rd Annual ACM Symposium on AppliedComputing (SAC rsquo08) pp 2006ndash2013 March 2008
[46] W Wang H Man and Y Liu ldquoA framework for intrusiondetection systems by social network analysis methods in ad hocnetworksrdquo Security and Communication Networks vol 2 no 6pp 669ndash685 2009
[47] H Deng R Xu J Li F Zhang R Levy and W Lee ldquoAgent-based cooperative anomaly detection for wireless ad hoc net-worksrdquo in Proceedings of the 12th International Conference onParallel and Distributed Systems (ICPADS rsquo06) pp 613ndash620 July2006
[48] S KurosawaHNakayamaN Kato et al ldquoDetecting blackholesattack on AODV-based mobile ad hoc networks by dynamiclearningmethodrdquo International Journal of Network Security vol5 no 3 pp 338ndash346 2007
[49] WWang HWang BWang et al ldquoEnergy-aware and selfadap-tive anomaly detection scheme based on network tomographyin mobile ad hoc networksrdquo Information Sciences vol 220 pp580ndash602 2013
[50] M-Y Su ldquoPrevention of selective black hole attacks on mobilead hoc networks through intrusion detection systemsrdquo Com-puter Communications vol 34 no 1 pp 107ndash117 2011
[51] N Marchang and R Datta ldquoCollaborative techniques for intru-sion detection in mobile ad-hoc networksrdquo Ad Hoc Networksvol 6 no 4 pp 508ndash523 2008
[52] B V R N Yadav B Satyanarayana and O B V RamanaiahldquoAn efficient intrusion detection system for mobile ad hoc net-worksrdquo in Emerging Trends in Computing Informatics Systems
Sciences and Engineering vol 151 Springer New York NYUSA 2013
[53] Y Huang and W Lee ldquoAttack analysis and detection for ad hocrouting protocolsrdquo in Recent Advances in Intrusion Detectionvol 3224 Springer Berlin Germany 2004
[54] G Vigna S Gwalani K Srinivasan E M Belding-Royer andR A Kemmerer ldquoAn intrusion detection tool for AODV-basedad hoc wireless networksrdquo in Proceedings of the 20th AnnualComputer SecurityApplications Conference (ACSAC rsquo04) pp 16ndash27 December 2004
[55] M Ayachi C Bidan and N Prigent ldquoA trust-based ids for theaodv protocolrdquo in Information and Communications Securityvol 6476 pp 430ndash444 2010
[56] S Sen and J A Clark ldquoA grammatical evolution approach tointrusion detection on mobile ad hoc networksrdquo in Proceedingsof the 2nd ACMConference onWireless Network Security (WiSecrsquo09) pp 95ndash102 March 2009
[57] S Marti T J Giuli K Lai and M Baker ldquoMitigating routingmisbehavior in mobile ad hoc networksrdquo in Proceedings of the6th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo00) pp 255ndash265 August 2000
[58] B Sun K Wu and U Pooch ldquoRouting anomaly detection inmobile ad hoc networksrdquo in Proceedings of The 12th Interna-tional Conference on Computer Communications and Networks(ICCCN rsquo03) 2003
[59] S Bose S Bharathimurugan and A Kannan ldquoMulti-layerintegrated anomaly intrusion detection system for mobileadhoc networksrdquo in Proceedings of the International Conferenceon Signal Processing Communications and Networking (ICSCNrsquo07) pp 360ndash365 February 2007
[60] P Yi Y Zhong and S Zhang ldquoA novel intrusion detectionmethod for mobile ad hoc networksrdquo in Advances in GridComputing vol 3470 pp 1183ndash1192 Springer Berlin Germany2005
[61] C Perkins E Belding-Royer and S Das ldquoAd hoc on-demanddistance vector (AODV) routingrdquo IETF Experimental RFC3561 2003
[62] D Johnson and D Maltz ldquoDynamic source routing in ad hocwireless networksrdquo in Mobile Computing pp 153ndash181 KluwerAcademic 1996
[63] C Perkins and P Bhagwat ldquoHighly dynamic destinationse-quenced distance-vector routing (dsdv) for mobile computersrdquoin Proceedings of the Conference on Communications Architec-tures Protocols and Applications (SIGCOMM rsquo94) vol 24 pp234ndash244 1994
[64] T JoachimsMaking Large-Scale Support VectorMachine Learn-ing Practical MIT Press Cambridge Mass USA 1999
[65] Y Yajima and T Kuo ldquoEfficient formulations for 1-svm and theirapplication to recommendation tasksrdquo Journal of Computersvol 1 no 3 pp 27ndash34 2006
[66] L Bononi and C Tacconi ldquoIntrusion detection for secureclustering and routing inMobileMulti-hopWirelessNetworksrdquoInternational Journal of Information Security vol 6 no 6 pp379ndash392 2007
[67] Y Huang W Fan W Lee et al ldquoCross-feature analysis fordetecting ad-hoc routing anomaliesrdquo in Proceedings of the 23rdInternational Conference on Distributed Computing Systems(ICDCS rsquo03) pp 478ndash487 May 2003
[68] J Quinlan C4 5 Programs for Machine Learning MorganKaufmann Boston Mass USA 1993
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
8 International Journal of Distributed Sensor Networks
activities of the routing protocol (eg packet reception MPRselection) Note that additional logs for example system-security-related logs could be integrated and correlatedOnce parsed a log is used so as to detect a sign of suspiciousactivityThis consists inmatching the log against a predefinedintrusion signature An intrusion signature is thought as apartially ordered sequence of events that characterizes anintrusion Such procedure is potentially not only memorybut also bandwidth consumer Indeed it involves examininglocal logs as well as performing an in-depth diagnostic whereother nodes are requested so as to collect additional attackevidences correlate and match them against the definedintrusion signatures The in-depth diagnostic offers a globalview about the suspicious nodes and therefore it increasesthe accuracy of the detection But it is a costly operation interms of resources Thus the in-depth diagnostic must becarefully planned that is should be initiated only when asufficient degree of suspicion exists and terminated as soon asa result is obtained For this purpose we propose to classifyattack evidences so that depending on their level of gravitythe in-depth diagnostic may be performed According to ourclassification an evidence falls into one of the following fourgroups
(i) Initial-evidence group contains the evidences that leadto launch an in-depth diagnostic over the network
(ii) Suspicious-evidence group contains the evidences thatlead to identify a node as suspicious
(iii) Confirmed-evidence group contains the evidences thatconfirm the occurrence of an attack This results interminating the diagnostic and declaring the suspi-cious node as intruder
(iv) Cancel-evidence group contains the evidences thateliminate the suspicion and stop the diagnostic
These groups are populated with the evidences that areextracted from the log If an evidence belonging to the initial-evidence group is discovered then an in-depth diagnosticis launched so as to confirm (ie discovering an evidencebelonging to confirmed-evidence group) or infirm (ie dis-covering an evidence belonging to the cancel-evidence group)the intrusion both lead to the termination of the diagnosticRelying on these groups the evolution of any attack and itsrelated detection is easily followed In addition its compactform facilitates the lightweight discovering of long-termintrusions
32 Link Spoofing Attack A link spoofing attack lies infalsifying hello message(s) so as to modify the local topologyperceived by adjacent nodes This attack influences the MPRselection In particular this attack owns a global impactthe MPR position provides to the intruder the possibility toeavesdrop tamper misrelay or drop the traffic As discussedin Section 2 (and further detailed in Expression 4) anintruder realizes a link spoofing attack through one of thefollowing three cases
(1) It advertises a non-existing and symmetric nodeThus the intruder guarantees (unless another attacker
advertises the same non-existing node) being selectedas a MPR because this non-existing node is uniquelycovered by the intruder
(2) It advertises existing but nonneighboring node(s)The intruder is selected as a MPR if the advertisednode(s) is (are) not already covered by another (well-behaving or malicious) MPR
(3) It keeps under wraps neighboring and symmetricnode(s) In this case the connectivity of the intruderand consequently its chance of being selected asa MPR are both decreased Used in a standalonemanner this attack aims to decrease the connectivityof one or several nodes a complete isolation necessi-tates that no other (well-behaving) MPR covers thatnode(s)
We develop an attack (Expression 12) wherein an intruderfalsifies a hello message that contains both a non-existingnode (Case 1) and existing but non-neighboring nodes (Case2) The reason that motivates this choice is twofold First byadvertising a nonexisting node 119873 119868 ensures being selectedas a MPR by the victim 119878 (exist119873 isin 119873119878
1015840
119868ni 119873 notin N cap 119873119878
119868)
Note that with the last versions of the RFC a node (iepotentially an intruder) may dictate its selection as a MPRby advertising (in a hello message) its high willingness torelay messages Nevertheless previous versions (and theirrelated implementations) ignore this case Regardless of theversion of the protocol our intruder (as aforementionedpreviously) guarantees being selected as MPR by advertisinga nonexisting and symmetric node Second by announcingcommon neighbors with another node 119871 (Case 2) 119868 increasesthe probability that 119871 is not selected as a MPR (119868 replacing119871) and henceforth increases its proper ascendancy Note thatthe attack we developed does not consider the third casethat involves the reduction of the intruderrsquos connectivityNevertheless attack signature deals with it
119878
hello(119873119878119878)119905997888997888997888997888997888997888997888997888997888rarr 119868 119868
hello(1198731198781015840119868)1199051015840997888997888997888997888997888997888997888997888997888rarr 119878
100381610038161003816100381610038161199051015840minus 11990510038161003816100381610038161003816lt 119905
exist119873 isin 1198731198781015840
119868ni 119873 notinN cap 119873119878
119868
exist119871 isin MPR119878ni [119873119878
119871 119873119878119868] sube [119873119878
1015840
119868 119873119878119868]
dArr
119868 isin I 119871 notin MPR119878
exist1198681015840isin I ni 119868
1015840isin MPR
119878
Card (1198731198781015840119868 (119873119878
1015840
119868capN)) gt 0
Card ((1198731198781015840119868 119873119878119868) capN) gt 0
(12)
Herein a key challenge stems from the need to generate ahand-coded intrusion signature that models such attack andhenceforth permits to detect it
33 Signature Establishment As mentioned before a linkspoofing attack aims to inflect the MPR selection such
International Journal of Distributed Sensor Networks 9
Table 2 Evidence characterizing a link spoofing attack
Initial-evidence group1198641 AMPR is replaced by a 1-hop neighbor or by an already selected MPR1198642 AMPR behaves maliciously for example it tampers misrelays or drops the control messages
Suspicious-evidence group1198643 AMPR is the only node that provides connectivity to one (or more) 2-hops neighbor(s)
Confirmed-evidence group1198644 AMPR advertises a partial set of 1-hop neighbors1198645 AMPR advertises nonneighboring node(s) as 1-hop neighbors(s)
Cancel-evidence group1198646 AMPR is defined as an intruderwell-behaving node
selection is triggered upon a change in the symmetric 1- and2-hops neighborhood Rather than launching an in-depthdiagnostic upon every change in the 1- or 2-hops symmet-ric neighborhood we keep to a minimum the number ofthese diagnostics and henceforth the amount of consumedcomputational power and bandwidth by initiating it onlyat the occurrence of an event related to a link spoofingattack More precisely we ignore the changes in the 1-hopneighborhood (eg apparition of 1-hop neighbor) becausethey are observed by the node itself Thus they are notsubject to the remote falsification which is the cornerstoneof a link spoofing attack In contrary changes in the 2-hopsneighborhood are considered as long as they impact theMPRselection In practice the evidences that reveal a link spoofingattack (Table 2) are broken down into
(i) a MPR replacement (Evidence 1 or 1198641 for short)that results from a change in the covering of the 1-hop neighbors one (or several) 1-hop neighbor(s)(possibly the replacing MPR) increase(s) its (their)coverage to the detriment of the replaced MPR AreplacementMPR is a 1-hop neighbor that is excludedfrom the MPRs set even though it provides the sameconnectivity in both the previous and current MPRselection rounds
(ii) No MPR replacement takes place but an alreadyselected MPR is detected as misbehaving node Forinstance a misbehaving MPR may drop falsify ormisrelay the control messages (1198642) Note that anevidence of a special interest herein refers to a nodepromoting itself as a MPR without having beenselected as a MPR Amisbehaving MPR includes alsothe case wherein a MPR continually advertises thesame 2-hops neighbors set despite being no morevalid Contrary to other cases this one is not eventdriven and should be handled based on random orperiodical checks
(iii) aMPR is the only one that covers one or several nodes(1198643)
(iv) a MPR covers partially its adjacent neighbor(s) (1198644)
(v) a MPR provides connectivity to a nonneighboringnode (1198645)
The occurrence of either 1198641 or 1198642 constitutes the startingpoint of an in-depth diagnostic 1198641 and 1198642 belong to theinitial-evidence group The act of being the only MPR thatprovides the connectivity to node(s) (1198643) is suspicious butis not sufficient to launch an in-depth diagnostic becausethis situation is typical in a sparse network Furthermoretwo nodes within the covering range of each other oftenfail in communicating due to the unpredictable nature ofwireless transmission resulting from for example obstaclesand noises Thus diagnosing 1198643 is especially difficult underno specific assumption Overall the occurrence of 1198641 or 1198642and optionally1198643 leads to an in-depth diagnostic (Expression13) In practice the 1-hop neighbor(s) of the suspicious MPRare interrogated Note that part of the interrogated nodesmayexpress a different opinion that results from malicious nodeor an obsolete routing information This calls for taking intoaccount their respective reputation (as we plan in our nearfuture work)
(1198641 or 1198642)
dArr dArr
(1198644 or 1198645) optional (1198643) (1198644 and 1198645)
dArr dArr
The suspicious MPRis an intruder
The suspicious MPRis well-behaving
(13)
If the obtained answers confirm (resp infirm) that thesuspicious MPR covers partially its neighbors (1198644) andoradvertises a distant node as 1-hop neighbor (1198645) then theMPR is declared as an intruder (resp well-behaving) andthe diagnostic is terminated (1198646) Obviously the cooperationbetween the nodes constitutes a cornerstone in our in-depthdiagnostic
34 Cooperative Diagnostic The in-depth diagnostic of a linkspoofing attack consists in verifying the existence of a sym-metric and neighboring relationship between a suspiciousMPR and its advertised 1-hop neighbors (Algorithm 1) Moreprecisely this diagnostic follows the following steps Firstthe MPRs that have been replaced by other MPR or 1-hopneighbor are identified (lines 1-2) because such replacementrepresents the initial evidence of a link spoofing attack (1198641in Table 2) For this purpose the function GetReplaced-Mpris called (Line 1) It establishes the MPRs that have been
10 International Journal of Distributed Sensor Networks
(1) OldMprs = GetReplaced-Mpr()(2) SuspiciousMprs = GetReplacing-Mpr()(3) for (suspicious isin SuspiciousMprs) do(4) InterrogatedNodes = GetCommon2HopsNeighors
(suspicious OldMprs)(5) for (2HopsNeighbor isin InterrogatedNodes) do(6) if (LinkExistence (2HopsNeighbor suspicious) ==
false) then(7) Generate-Alarm (suspicious)(8) end if(9) end for(10) Cancel-Suspicious (suspicious)(11) end for
Algorithm 1 In-depth diagnostic
replaced by comparing the currentMPRs and the penultimateMPRs Then the MPRs sharing 1-hop neighbor(s) with areplaced MPR are identified (function GetReplacing-MPRline 2) Those identified MPRs are tagged as suspicious andare subject to further analysis (lines 3ndash11) the objective is toverify whether some spoofed links have been advertised soas to replace the MPR It follows that the 1-hop neighborsthat are common to a replaced MPR and a suspicious oneare determined (GetCommon2HopsNeighors function line 4)Note that these 1-hop neighbors also correspond to the 2-hops neighbors of the node launching the diagnostic Theyare interrogated (LinkExistence function) so as to verify theexistence of links The interrogation of a 2-hops neighbordenoted by 119860119894 consists in sending a request to 119860119894 asking ifthis latter considers the suspicious MPR as a 1-hop neighborat a specific time 119905 Whenever possible this request is sentwithout going through both the suspicious MPR 119868 or anycolluding intruder 1198681015840 This eluding is necessary in order toprevent 119868 and 1198681015840 from dropping the request andor forging adeceptive answerTherefore the 1-hop neighbor(s) (primarilythe MPR(s)) that covers the interrogated 2-hops neighbors isprovided with the request Note that the suspecting node 119878 isaware of is provided with the connectivity between the nodesthat form its two-hops neighbors Thus 119878may select the one(if existing) that covers 119860119894 If no answer is obtained (iethe related time-out elapses) then the request is sequentiallytransferred through the rest of the covering 1-hop neighbors(keeping in mind that as aforementioned MPRs are pri-marily selected) However when no neighbor is left then an(multihops) alternative path is researched in the routing tableto reach 119860119894 Note that the verification related to a suspiciousMPR is performed within an independent thread hencethe diagnostic of one node (and the result waiting) is not ablocking to others If 119860119894 denies being a 1-hop neighbor of thesuspicious MPR then a countermeasure is triggered Moreprecisely an alarm that establishes the detected attacker(s)is broadcasted (Generate-Alarm function line 7) Otherwiseif no deny takes place the suspicious MPR is no longersuspected (Cancel-Suspicious function line 10) In both casesthe diagnostic terminates Note that if no answer is provided(the inconsistent answers lead also to a claim in the degree
of suspicion However this case is not included in this paperbut it is handled in our other works) then the suspiciousMPR is tagged as not verified and the degree of suspicionin this latter goes up It is worth mentioning that the currentimplementation of IDAR considers the link spoofing attackHowever considering other attacks is not complicated andrequires only specifying the evidences to be searched in thelogs and the information to be exchanged between the nodesduring the in-depth diagnostic
4 Architecture and Performance Evaluation
In this section we introduce the key architectural compo-nents of IDAR (Section 41) Then we present the evaluationof IDAR performance (Section 42) and further discuss theobtained result (Section 43)
41 IDAR Architecture In order to cope with the dynamicnature ofMANET IDAR is both distributed and cooperativeThe proposed architecture (Figure 2) requires that everydevice participates in the detection (The delegation of somedetection operations (eg logs analyzing) may be sharedamong devices But it will not be necessarily less expensive interms of resources consumption)More precisely each devicecontains an instance of IDAR which independently detectsthe signs of suspicion and cooperates with other instancesso as to conduct the diagnostic in a broader range IDAR isimplemented in Perl (httpwwwperlorg) and conceptuallystructured into 4 components
(i) Coordinator that orchestrates all the components Assuch it constitutes the hearth of IDAR In prac-tice it parses dynamically the OLSR logs so as toextract signs of suspicion and match these latteragainst predefined intrusion signaturesThe intrusionsignatures are represented as conditional rules (ifcondition then state) Furthermore it triggers thecommunication and the alarm notification in orderto launch advanced diagnostic
(ii) Communication manager that gathers informationabout for example the adjacent links as requiredby the diagnostic manager Meanwhile it answersthe diagnostic requests This component runs into aseparated thread so that other IDAR operations arenot blocked
(iii) Knowledge database includes the information thatis extirpated from the logs and is provided by thecommunication manager This database is realized inMysql (httpwwwmysqlcom) Stored informationencompasses for example the 1-hop and 2-hopsneighbors and the MPRs
(iv) Alarm notifier is responsible for alarming the networkwhen an intrusion is detected Note that we areplanning to include more countermeasures in thefuture for example eliminating the routes containingan intruder
International Journal of Distributed Sensor Networks 11
SignatureKnowledge
database
Coordinator
Communicationmanager Alarm notifier
Update
Feedback
Diagnostic requestDiagnostic answer
IDAR instance
Routing log
IDAR instanceDiagnostic requestanswer
Routing log
Feed back
Figure 2 IDAR architecture
All the above components have been developed so as tosupport intrusion detection offering a high rate of detectionalong with conserving the resources
42 Performance Evaluation In order to evaluate the perfor-mance of IDAR a mobile ad hoc network has been simulatedusing the network simulator NS3 (httpwwwnsnamorg)[36] Each node in the simulated network is furthercoupled with a Linux Container (LXC) virtual machine(httplxcsourceforgenet) [37] The reason that motivatesthis coupling is twofold First NS3 offers the possibilityto simulate a large-scale mobile ad hoc network SecondLXC an operating-system-level virtualization tool permitsto run multiple isolated machines (also called containers)on a single modified hosting kernel (up to 1024 contain-ers over a single hosting kernel) Each container owns itsproper resources (eg process tree network interface andIP address) Thus the resource consumption (eg memoryusage) can be isolated and measured In practice an instanceof IDAR is installed on each container that appears asa standaloneseparated machine Figure 3 exemplifies thecoupling between nodes in NS3 and LXC containers Fromthe IDAR perspective (as well as from any applicationinstalled on the container) the emission and reception ofpackets is done through the network interface (eth0) Whilethe container contains a simulated ethernet card (V119890119905ℎ)which is connected through an ethernet bridge towards akernel tap device (tap) Note that for each container-nodecoupling new tap and ethernet bridge should be definedin the hosting kernel The ethernet bridge implements theforwarding of link-level framesThe interface 119905119886119901119877119900119906119905119890119903 [38]is implemented in NS3 and is used to exchange packetsbetween the 119905119886119901 device and the WiFi device which enablesNS3 nodes to communicate over a IEEE 80211- and OLSR-enabled MANET Overall the outgoing packets from eth0in the container are delivered to the WiFi device at thecorresponding node in the simulated network and vice versaSimulation is carried using the aforementioned platform
wherein the hosting device is equipped with 32GB of mem-ory and 2 Intel(R) Xeon(R) (6) Core 240GHz CPUsContainers hold a Fedora 12 operating system We considera MANET (Table 3) constituted of 119873 = 30 nodes split into25 well-behaving nodes and 5 intruders While most of otherIDSs are evaluated against one intruder we show that IDARcan handle several intruders in the same time Intruderslaunch repeatedly the implemented link spoofing attack (asdescribed in Expression 12) In our experiments the numberof successful intrusions varies between 15 and 33 accordingto the parameters of simulation scenario (as described inExpression 12) Nodes communicate via IEEE 80211a andare characterized by a transmission range 119879
119909of 90m They
randomly move following the so-called RandomWalk2d [39]mobility pattern provided by NS3 each node moves accord-ing to a randomly chosen direction at a given speed that isthe same for all the nodes When a node hits the networkboundaries (unless specified the network area is defined bya squared area of 119878 = 310 times 310m2) it rebounds followinga reflexive angle Data traffic is further modeled using theV4PingHelper application in NS3 each node exchanges 56-byte ICMP (httpwwwietforgrfcrfc792txt) echo requeststo one another and waits for 1 s before sending it again Weuse OLSR as the underlying routing protocol preserving theconfiguration parameters promoted in the RFC 3626 (eghello message interval is 2 s)
For each experimental scenario the simulation islaunched 5 times each one lasts for 140 s We compare thelaunched attacks with the detected ones and present theaverage of results We aim at evaluating the performance ofIDAR in terms of
(i) intrusion detection rate that reflects the capacity ofdetecting successful intrusions (a successful intrusioncauses the replacement of a legitimate MPR of thevictim by an intruder)
(ii) false positive rate that measures how many times alegitimate node is wrongly designated as an intruder
12 International Journal of Distributed Sensor Networks
Table 3 Simulation parameters
Simulation platformSimulator NS3 + LXC virtual machinesContainer operating system Fedora 12Hosting device memory 32GBHosting device CPU 2 Intel(R) Xeon(R) (6) Core 240GHz
Simulated MANETNumber of mobile nodes 30Number of intruders 5Topology 310 times 310m2
Transmission range 90mMaximum bandwidth 1MbpsTraffic V4PingHelper 56 bytes Icmp packetsMobility model RandomWalk2dMaximum speed 8ms (or 288 kmh)Simulation time 140 s
tapRouterWiFi devicewith OLSR
LXC
cont
aine
r
Ethernet bridge
Tap
LXC
cont
aine
r
veth
Ethernet bridge
Tap
tapRouterWiFi devicewith OLSR
veth
Nod
e 1
Nod
e 119899
NS3
IDAR1 IDAR119899
eth0 eth0
Figure 3 Experiment platform
(iii) detection overhead which represents the additionalnetwork traffic that is generated because of IDARNote that further benchmarks are also provided interms of memory usage
Based on those performance indicators IDAR is furtherevaluated with regard to the network density (Section 421)and node mobility (Section 422)
421 Network Density In order to evaluate the scalingproperties of IDAR we vary the density of the networkThe density of the network corresponds to the averagenumber of neighbors which is defined as in [40] by (119873 times
120587 times 1198792
119909)119878 We selected an interval of density that ranges
from 6 up to 16 neighbors which includes the intruderthe victim and the remaining neighbors Figure 4(a) showsthat the detection rate keeps higher than 80 regardless ofthe network density This demonstrates the relatively limitedimpact of the network density on IDAR performance More
precisely the intrusion detection rate slightly rises from935up to itsmaximum 963when the density varies from6 up to 8 neighbors the greater is the number of neighborsthe higher is the visibility of the attackThen a slow diminishis observed dense networks (with a density exceeding 8) arecharacterised by a high collision rate that causes a declinein the detection rate Similarly Figure 4(b) highlights thatthe average percentage of false positives is neglectful (under59) The analysis of several cases of false positive leads usto find that a false positive occurs when two nodes own adifferent live-times for the bidirectional link that connectsthese later consequently one of the two nodes still confirmsthe existence of this link while the other one denies it Tooverride this problem the period during which those linksare considered valid should be amplified as in [41] Figure 4(c)presents the average memory usage caused by IDAR Thisusage gently fluctuates between 176MB and 222MB It is alsoworthy of mention that contrary to OLSR our system doesnot assign additional functionality toMPR (detectionmay belaunched by one another) IDAR provides an homogeneousload balancing among the nodes As illustrated in Figure 4(d)the traffic caused by IDAR is very low (under 05 for anetwork density inferior to 8) It then slowly rises to reach13 when the network density is 16 In order to understandthe slight fall when the density reaches 14 we compare theaverage number of suspicious cases with regard to a varyingdensityThis average was 708 (resp 658) with density equalsto 12 (resp 14) Consequently the number of diagnostic-related packets is smaller at a density of 14 than at a densityof 12
422 Mobility In order to isolate the influence of themobility the network density is set to 8 The detection ratefalls when the speed increases (Figure 5(a))This results fromthe ever changing topology that results in increasing thenumber of broken links and the related drops of diagnostic-related packetsHowever IDAR still provides a high detectionrate for example the average of detection rate is 707
International Journal of Distributed Sensor Networks 13
0
20
40
60
80
100
6 8 10 12 14 16
Det
ecte
d in
trus
ions
()
Density
Average detection
(a)
0
10
20
30
40
50
6 8 10 12 14 16
False
pos
itive
()
Density
Average of false positives
(b)
0
10
20
30
40
50
6 8 10 12 14 16
Mem
ory
usag
e (M
B)
Density
(c)
025 05
1
5
20
50 100
6 8 10 12 14 16Density
IDA
R ve
rsus
OLS
R tr
affic (
)
(d)
Figure 4 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network density
with a moving speed equals to 8ms (ie around 287
kilometershour equivalent to 1789mileshour) Figure 5(b)shows that the higher is the moving speed the greater it getsfalse positives mainly because of out of date feedback Infact when a node moves away some of its 1-hop neighborsare no longer neighbors but are still announced as suchand are considered as potential attackers A higher increaseof the false positive rate is observed when the node speedranges from 4ms up to 6ms because the instable nodecovering is given its transmission range which leads to anincreased update of its 1-hop neighbors The memory usage(Figure 5(c)) rises staidly from 176MB to 265MB whichis reasonable even for resource-limited devices The impactof the mobility on the bandwidth is shown in Figure 5(d)The IDAR traffic comparing to the OLSR traffic significantlygrows from 036 up to 31 for a speed ranging from 0msup to 2ms Then the bandwidth usage gradually growsand reaches almost 6 when the moving speed is equalto 8ms This is motivated by the fact that increasing thenumber of verified links leads to exchange more diagnostic-related messages in the network In order to understandthe reason behind such variable growth of IDAR trafficwe counted the number of the verified suspicious neighbor
links We found that the average number of the verified linkssignificantly grows from 452 to 2014 when the velocity risesfrom 0ms to 2ms This average then gradually grows andtakes the values 2408 3314 and 406 when the velocityequals to 4ms 6ms and 8ms respectively The limitednumber of the suspicious neighbor links when the nodesare static is justified by the fact that the attacker has alimited choice to falsify its neighbors links Instead when thevelocity is greater than 2ms there is a continuous changein the neighborhood and the attackers can attack more(diversified) targets Meanwhile the continuously changingtopology implies an increased number of investigations
43 Performance Discussion It is clear that the density of thenetwork holds less influence than the mobility on our IDSMore mobility in MANET causes more dropped diagnosticpackets and hence less diagnostic is concluded with a finalresult that is confirming or refuting the suspiciousnessHowever comparing the launched attacks to the discov-ered suspicious events shows that the majority of attacksare tagged as suspicious events and considered for furtherdiagnostic Note that the mobility has a negative influence
14 International Journal of Distributed Sensor Networks
0
20
40
60
80
100
0 2 4 6 8
Det
ecte
d in
trus
ions
()
Velocity (ms)
Average detection
(a)
0
10
20
30
40
50
0 2 4 6 8
False
pos
itive
()
Velocity (ms)
Average of false positives
(b)
0
10
20
30
40
50
0 2 4 6 8
Mem
ory
usag
e (M
B)
Velocity (ms)
(c)
025 05
1
5
20
50 100
0 2 4 6 8
IDA
R ve
rsus
OLS
R tr
affic (
)
Velocity (ms)
(d)
Figure 5 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network mobility
on all the IDSs especially the cooperative ones where thereis an exchange of evidencesalerts Table 4 provides a shortperformance comparing between IDAR and other knownIDSs that are dedicated to ad hoc routing protocol Likethe majority of these IDSs the performance of our systemis challenged against a specific attack link spoofing attackin a simulated MANET (According to [42] around 75of mobile ad hoc published papers use simulation for testissues) Two evaluation factors are common to almost all thelisted IDSs the detection ratecapacity and the positive falserate Even though it was challenged in a MANET whereinthe intruders constitute 166 (Note that this percent is the3rd highest registered percent) of the nodes IDAR providesone of the highest detection rate Regarding the positivefalse rate we can notice that several IDSs especially thosethat are dedicated to DSR protocol show better results thanour system However this latter still generates a limitednumber of false positives It is also possible to reduce thefalse positives rate by amplifying the TTL (Time To Live)parameter of a bidirectional link so as to reduce the impactof obsolete neighborhood-related information during thedetection Recall that most of the generated false positives inIDAR are generated because of the difference in the time-live
of a bidirectional link between the two ends of this link Insuch case this link will be expired in one end while the otherend will keep confirming its existence It is worthmentioningthat except our system the listed IDSs that aim to detect theattacks targeting OLSR protocol do not present neither thedetection rate nor the false positives rate But they merelyprove the capacity of detecting the addressed attack(s) Inaddition IDAR is one of the rare IDSs that are evaluated interms of resources consumption Indeed we measure boththe increment inmemory usage and traffic overhead resultingfrom detection operations IDAR triggers a small incrementin the devicesrsquomemory usage (between 176MBand 265MB)Therefore it can be tolerated by the resource-limited devicesIt further triggers the lowest traffic overhead compared to thelisted IDSs IDAR presents a good scalability and offers a highdetection rate even in the high density networks where a largeamount of routing traffic should be monitored (Figure 4(a))This scalability is reinforced by (i) the limited traffic overhead(ii) the use of routing logs so as to extract the evidencesinstead of sniffing the traffic (iii) the distributed nature ofdetection such that each node is responsible for detecting theattacks targeting it and (iv) the unnecessity of modifying theused routing protocol
International Journal of Distributed Sensor Networks 15
5 Related Work
Systems that detect intrusion targeting ad hoc routing proto-col are extremely diverse in the way they analyze intrusionThey fall into the three key categories
(i) Anomaly detection system defines the correct behav-ior of the nodenetwork so as to detect deviations tothis behavior This correct behavior is automaticallybuilt during an attackless training phase The detec-tion accuracy depends on the ability to (i) describethe correct behavior and (ii) distinguish betweenanomalous and unexpected behaviors
(ii) Specification-based detection system hand-codes thelegitimate functionoperation and then searches for aviolation to this operation
(iii) Signature-based detection system first describes theway an intruder penetrates the system by defining anintrusion signature Then any behavior that is closeto this predefined signature is flagged as intrusion
Hereafter we detail examples of each of these categoriesAnomaly-based detection constitutes the main approachused to detect attacks The IDS proposed by Zhang et al[7] constitutes a de facto standard in MANET It aims atdetecting the attempts to falsify the routes provided by theAODV [61] DSR [62] and DSDV [63] routing protocolsDuring the training phase the impact of movement on thepercentage of changes in the routing table is analyzed Notethat this movement (ie velocity direction and position)is provided by a Global Positioning System (GPS) Thenduring the operation phase an actual percentage of changesdiffering from the predicted one is defined as anomaly Inpractice the distinguishing between anomalous and normalbehaviors is provided by the Support Vector Machine (SVM)Light [64] classifier or by RIPPER [15] a rule-based engineThe hierarchical IDS proposed in [47] detects blackhole androuting request flooding attacks targeting AODV protocolHere MANET is arranged into clusters whereas the nodewith the highest residual energy and number of connectionsis elected as a cluster-head Each cluster-head monitors thetraffic inside its cluster so as to identify the abnormal valuesof (i) the percentage of changes in the routing table and (ii)the propagation of routingdata packets Such abnormalitiesare identified thanks to (1-SVM) classifier [65] a deviationof SVM that needs to be trained with either normal orabnormal scenario but not both of them In [48] (resp [66])a blackhole (and resp dropping) attack targeting AODVprotocol (resp a secured version of AODV protocol includ-ing authentication and reputation estimation) are detectedby investigating features for example the number of routerequests and route replies as well as the average difference ofsequence numbers (Largely increased sequence numbers areknown as a sign of blackhole attack) Then simple anomalydetection is applied if the distance between the actuallyobserved features and the average ones that are recorded dur-ing the training exceeds a given threshold then an intrusionis detected More sophisticated cross-features analysis (CFA)[67] is applied to detect both blackhole and packet drop-ping on AODV and DSR protocols Features including for
example the reachability between 2 nodes and the numberof delivered packets are analyzed within time windows Thisanalysis attempts to quantify the relation existing betweenone feature 119891
119894and the others 119891
1 119891
119894minus1 119891119894+1 119891
119896(with
119896 + 1 defining the number of features analyzed) During theoperation phase the probability of matching between theobserved feature 1198911015840
119894and the predicted feature 119891
119894 which is
established based on 11989110158401 119891
1015840
119894minus1 1198911015840
119894+1 119891
1015840
119896 is calculated by
a decision tree classifier named C45 [68] An anomaly refersto an average of matching probability fewer than a giventhreshold CFA and C45 are also used in [69] with traffic-related features (eg number of receivedtransferred packets)and OLSR- or AODV-related features (eg MPR updates forthe former and route discovery for the latter) A modifiedMarkov chain-based IDS is proposed in [58] so as to detectroute disruption attack targeting DSR protocol Here thedetection depends on identifying unpredicted value of twofeatures the percentage of changes in the number of routesand the percentage of changes in the number of hops Inpractice a Markov chain is based on the immediate previous119899 consecutive values of a feature as to predict the (119899 + 1)thvalue If the difference between a predicted and an observedvalue exceeds a given threshold an intrusion is concluded
Rather than establishing automatically a correct behaviorspecification-based detection system hand-codes the correctbehavior of the routing protocols based on the protocol spec-ification (IETF draft or RFC) Then the system attempts todetect a violation of constraints circumventing this behaviorFour key constraints define the correct behavior of OLSR([14 70])
(1) Neighbor relationmust be reciprocal (ie 2 neighborsmust hear the hello message sent by each other)
(2) TheMPRs and the nodes that select theMPR (ie theMPR selectors) must be adjacent
(3) A node that finds itself advertised as a MPR selectorin a TCmessage must be adjacent to the originator ofthis message
(4) Nodes receive TC messages without modificationsfromMPR(s)
Each node sniffs the traffic in its radio range so as todiscover the violations of any of the above constraints Theseconstraints are modeled by semantic properties in [70] (resprules in [14]) so as to detect link spoofing attack on TC(and resp hello messages) both experiment an ability todetect a link spoofing by observing a violation of the thirdcondition over a simulated network composed of 11 nodesFinite-state machines are used to describe similar constraintson OLSR [41] and the behavior of AODV protocol [52 71]In [41] a centralized detection of link spoofing man-in-the-middle and deny of service attack is performed While in[52 71] incorrect hop countssequence numbers are analyzedby distributed sensors which sniff and group the packets perrequest-reply flow so as to estimate the forwarding path perflow If a route requestreply is illegallymodified or forwardedvia a nonexpected path then an alarm is triggered In [60]similar FSMs are used to define constraints on both the routediscovery in AODV and the packet forwarding operations
16 International Journal of Distributed Sensor Networks
Table4Com
parin
gID
ARperfo
rmance
with
otherIDSs
IDS
Routing
protocol
Num
bero
fno
des
Intrud
ers
()
Moving
speed
Detectio
nrate
False
positives
rate
Increm
entinmem
ory
usage
Increm
entintraffi
coverhead
IDAR
OlSR
30166
0ndash8m
s707ndash963
0ndash132
176ndash
265MB
478ndash6215KB
(036
ndash597
ofOlSRtraffi
c)
[43]
OlSR
303366
10
mdashmdash
mdashmdash
6ndash12
ofOlSR
traffi
c[41]
OlSR
1010
0ms
Detectio
nispo
ssible
mdashmdash
mdash[44]
OlSR
7143
0ms
Detectio
nispo
ssible
mdashmdash
mdash[45]
OlSR
520
0ms
Detectio
nispo
ssible
mdashmdash
mdash[14
]OlSR
119
0ms
Detectio
nispo
ssible
mdashmdash
mdash[46]
AODV
3033
0ndash5m
s3067ndash90
0ndash20
mdashmdash
[47]
AODV
502
0ndash20
ms
90
5
mdashmdash
[48]
AODV
3033
1ndash20
ms
70ndash82
12ndash18
mdashmdash
[49]
AODV
2050
10
1ndash10ms
964ndash9
87
079ndash093
mdash900k
B
[50]
AODV
5238
0ndash20
ms
(Fixed
IDSs)
100
0ndash0
6
mdashmdash
[51]
AODV
521
20238
0ndash10ms
50ndash100
0ndash30
mdashmdash
[52]
AODV
30mdash
0ndash20
ms
70ndash100
05
ndash15
mdashmdash
[53]
AODV
50Ra
ndom
0ndash20
ms
79plusmn10ndash92plusmn3
5plusmn1ndash32plusmn8
mdashmdash
[54]
AODV
102050
mdash0ndash
10ms
0ndash100
0ndash≫100
02ndash06
mdash[55]
AODV
20ndash200
mdash0ndash
20ms
30ndash9
50ndash16
mdashmdash
[56]
AODV
50mdash
1ndash20
ms
998ndash100
083ndash846
mdashmdash
[7]
AODV
mdashmdash
mdash8848plusmn414ndash971plusmn032
145plusmn072ndash202plusmn627
mdashmdash
DSD
Vmdash
mdashmdash
8523plusmn328ndash9061plusmn299
537plusmn310ndash263plusmn549
mdashmdash
DSR
mdashmdash
mdash852plusmn238ndash991plusmn037
003plusmn004ndash153plusmn408
mdashmdash
[57]
DSR
5040
0ndash20
ms
mdashmdash
mdash11ndash313
of
data
traffi
c[58]
DSR
3033
3ndash5m
s60ndash100
25
ndash50
mdashmdash
[59]
DSR
30mdash
mdash75
12
mdashmdash
[60]
DSR
502
0ndash20
ms
837ndash9
74
13ndash72
mdashmdash
International Journal of Distributed Sensor Networks 17
A signature-based system distinguishes itself by model-ing the misbehavior (rather than the correct behavior) soas to identify if a sequence of observed events matchingan intrusion signature AODVSTAT [54] uses state-basedsignatures in order to detect dropping and spoofing attacksalong with network flooding Few sensors sniff the traffic andmatch it against predefined signatures They also exchangeperiodically MAC and IP addresses so as to detect an identityspoofing which is characterized by a node emitting a packetidentified by MAC and IP addresses differing from thoseregistered for this node A dropping attack refers to a nodethat fails to replay route requestreply Finally a node sendinga number of packets exceeding a given threshold is identifiedas willing to exhaust resources In [45] intrusion signaturesare specified in opposition to the legitimate behavior of OLSRdepicted in conjunction with specification rules similar tothose defined in [70] In particular a node 119873 mistrusts twoneighbors 119871 and 119872 that conform to the following rules119872 advertises 119871 as a neighbor while 119871 does not advertise119872 as a neighbor (or reciprocally) both 119871 and 119872 send TCmessages while 119871rsquos neighbors are a subset of 119872rsquos neighbors(or reciprocally) In addition 119873 mistrusts 119872 if 119873 which isnot a neighbor of 119872 finds itself as a MPR selector in a TCof 119873 (constraint 3) In [44] a FSM is employed to modelthe signature of hello message fabrication in OLSR protocolin an agent-based IDS In practice each node uses a SimpleNetworkManagement Protocol (SNMP) agent so as to collectaudit data from the Management Information Base (MIB)After that events are extracted from the collected audit dataand are matched to the attack signatureThe addressed attackaims at breaking the link between a victim node and itsneighbors and thus a DoS takes place To that end theattacker impersonates the identity of the victim and sends afake hello message advertising one of the victim symmetricneighbors with lost link status Upon receiving the fabricatedmessage the neighbor changes the status of its link withthe victim to ldquoheardrdquo and stops routing packets through thevictim
51 Synthesis and Discussion A great majority of the litera-ture is focused on anomaly detectionwhile scarce effort inves-tigates specification- and signature-based intrusion Thisnaturally calls for consolidating the effort on specification-and signature-based detection while following the habitus ofwired network which consists in coupling these detectionsystems with one another for example in [72] wherein acombination of anomaly- and signature-based detection isrealized so as to increase the detection rate Almost all ofthe IDS focuses only on the detection accuracy that isproviding a high detection rate along with limited falsealarms However they do not consider the criticality ofmaintaining the resources and henceforth extending thelifetime of the nodenetwork Our IDS takes into account thenecessity of reducing to minimum both the communicationand computation overload related to intrusion identificationThe absolute majority of the IDSs is simulated (including thesystem we are proposing) rather than being either developedor experimented on testbeds or relying on empirical data
The reason that explains this situation is twofold Firstthe deployment of critical MANET is limitednot adver-tised Second to the best of our knowledge experiences ofintrusion in MANETs are not reported intrusions are infact developedsimulated as proofs of concept Neverthelessnot only routing protocols but also the characterization ofthe intrusion together leverage on the experience gained indesigning routing protocols for wired networks and deal-ing with related misbehaviors In particular the similarityexisting between the OSPF and OLSR protocols implies thatmany threats (eg sequence numbers identity spoofing) areshared In other words intrusion may be inspired from theone targeting wired networks Meanwhile the developmentof intrusion detection and the envisioning of attacks areaccelerated
6 Conclusion
We survey and classify the attacks that target ad hoc routingprotocols focusing on theOLSRprotocol In order to facilitatethe definition of intrusion signatures we extend a descriptionmodelmdashan attack is expressed as the preconditions andthe resulting consequencesmdashand enrich it with temporalannotations Once hand-coded these signatures are utilizedby IDAR a log-based distributed intrusion detection systemdedicated to operate in mobile ad hoc networks IDARdistinguishes itself by analyzing the logs generated by arouting protocol and extracts intrusion evidences so as tocompare these latter against predefined intrusion signaturesFor this purpose evidences are categorized into four groupsaccording to their degree of suspiciongravity and hence totheir ability to activatedeactivate the diagnostic We furtherdevelop a link spoofing attack on the OLSR protocol buildthe related detection rules and evaluate the performancesof IDAR relying on the NS3 simulator coupled with LXCvirtual machines Overall the experiments figure out ahigh rate of intrusion detection and low false positivesrate even under increased mobility and density Meanwhileresource consumption and network overhead result from thediagnostic are low and adapted to the resource-constraineddevices Note that ongoing effort is provided as to evaluateIDAR in a real MANET consisting of resource-constraineddevices Still detecting intrusion is not a trivial task due tothe large number of evidences to tackle and the resource-consuming diagnostic A compromise between detectionaccuracy and resource consumption could be found For thispurpose we are working on a new statistical mechanism forgathering the evidences This mechanism aims at enhancingthe scalability of our system by restricting the interrogationto a limited subset of nodes during the diagnostic Moreoveruntil now we assume that honest parties are passive theyalarm others but do not react We are considering thecoupling with countermeasures (eg blacklisting) and theexploring of lightweight binary consensus and trust estab-lishment among the nodes that participate in the intrusiondetection
18 International Journal of Distributed Sensor Networks
References
[1] Z Zhao H Hu G Ahn and R Wu ldquoRisk-aware mitigation formanet routing attacksrdquo IEEE Transactions on Dependable andSecure Computing vol 9 no 2 pp 250ndash260 2012
[2] B Sun L Osborne Y Xiao and S Guizani ldquoIntrusion detectiontechniques in mobile ad hoc and wireless sensor networksrdquoIEEE Wireless Communications vol 14 no 5 pp 56ndash63 2007
[3] S Sesay Z Yang and J He ldquoA survey onmobile ad hoc wirelessnetworkrdquo Information Technology Journal vol 3 no 2 pp 168ndash175 2004
[4] P Brutch and C Ko ldquoChallenges in intrusion detection forwireless ad-hoc networksrdquo in Proceedings of the Symposium onApplications and the Internet Workshops (SAINT rsquo03) pp 368ndash373 2003
[5] S Khan N Alrajeh and K Loo ldquoSecure route selection inwireless mesh networksrdquo Computer Networks vol 56 no 2 pp491ndash503 2012
[6] S Corson and J Macker ldquoMobile ad hoc networking (manet)routing protocol performance issues and evaluation considera-tionsrdquo IETF RFC2501 1999
[7] Y Zhang W Lee and Y Huang ldquoIntrusion detection tech-niques for mobile wireless networksrdquoWireless Networks vol 9no 5 pp 545ndash556 2003
[8] B C Cheng and R Y Tseng ldquoA context adaptive intrusiondetection system for MANETrdquo Computer Communications vol34 no 3 pp 310ndash318 2011
[9] T Eissa S A Razak and M D A Ngadi ldquoTowards providinga new lightweight authentication and encryption scheme forMANETrdquoWireless Networks vol 17 no 4 pp 833ndash842 2011
[10] A Irshad W Noshairwan M Shafiq S Khurram E Irshadand M Usman ldquoSecurity enhancement for authentication ofnodes in MANET by checking the CRL status of serversrdquoCommunications in Computer and Information Science vol 78pp 86ndash95 2010
[11] D E Denning ldquoAn intrusion-detection modelrdquo IEEE Transac-tions on Software Engineering vol 13 no 2 pp 222ndash232 1987
[12] T Clausen and P Jacquet ldquoOptimized link state routing proto-col (OLSR)rdquo IETF Experimental RFC 3626 2003
[13] P Albers O Camp J Percher et al ldquoSecurity in ad hoc networksa general intrusion detection architecture enhancing trust basedapproachesrdquo 2002
[14] F Cuppens N Cuppens-Boulahia S Nuon and T RamardldquoProperty based intrusion detection to secure OLSRrdquo in Pro-ceedings of the 3rd International Conference on Wireless andMobile Communications (ICWMC rsquo07) Guadeloupe FranceMarch 2007
[15] W Cohen ldquoFast effective rule inductionrdquo in Proceedings of theInternational Conference onMachine Learning (ICML rsquo95) 1995
[16] S Sarafijanovic and J-Y le Boudec ldquoAn artificial immunesystem for misbehavior detection in mobile ad-hoc networkswith virtual thymus clustering danger signal and memorydetectorsrdquo in Proceedings of the 3rd International Conference onArtificial Immune Systems (ICARIS rsquo04) 2004
[17] S Sen and J Clark Intrusion Detection in Mobile Ad HocNetworks in Guide to Wireless Ad Hoc Networks SpringerLondon UK 2009
[18] D Subhadrabandhu S Sarkar and F Anjum ldquoA Framework formisuse detection in ad hoc networksmdashpart IIrdquo IEEE Journal onSelected Areas in Communications vol 24 no 2 pp 290ndash3032006
[19] L M Feeney and M Nilsson ldquoInvestigating the energyconsumption of a wireless network interface in an ad hocnetworking environmentrdquo in Proceedings of the 20th AnnualJoint Conference of the IEEE Computer and CommunicationsSocieties pp 1548ndash1557 April 2001
[20] A P Lauf R A Peters and W H Robinson ldquoA distributedintrusion detection system for resource-constrained devices inad-hoc networksrdquo Ad Hoc Networks vol 8 no 3 pp 253ndash2662010
[21] N A Alrajeh S Khan J Lloret and J Loo ldquoSecure routingprotocol using cross-layer design and energy harvesting inwireless sensor networksrdquo International Journal of DistributedSensor Networks vol 2013 Article ID 374796 11 pages 2013
[22] S Sen J Clark and J Tapiador Security Threats in MobileAd Hoc Networks I S of Self-Organizing Networks AuerbachPublications 2010
[23] P Ning and K Sun ldquoHow to misuse AODV a case study ofinsider attacks againstmobile ad-hoc routing protocolsrdquoAdHocNetworks vol 3 no 6 pp 795ndash819 2005
[24] T Clausen C Dearlove P Jacquet and U Herberg ldquoTheoptimized link state routing protocol version 2rdquo IETF ActiveInternet-Draft Draft-Ietf-Manet-Olsrv2-15 2012
[25] U Herberg and T Clausen ldquoSecurity issues in the optimizedlink state routing protocol version 2 (olsrv2)rdquo InternationalJournal of Network Security amp Its Applications vol 2 no 2 2010
[26] YOwada TMaenoH Imai andKMase ldquoOLSRv2 implemen-tation and performance evaluation with link layer feedbackrdquo inProceedings of the International Wireless Communications andMobile Computing Conference (IWCMC rsquo07) pp 67ndash72 Newyork NY USA August 2007
[27] F Hong L Hong and C Fu ldquoSecure OLSRrdquo in Proceedingsof the 19th International Conference on Advanced InformationNetworking and Applications (AINA rsquo05) pp 713ndash718 March2005
[28] LNAMHegland P Spilling andQKure ldquoHybrid protectionof olsrrdquo in Electronic Notes in Theoretical Computer Science2006
[29] P Kunwar S Sofat and D Bansal ldquoComparison of secure olsrrouting protocolrdquo International Journal of Engineering Sciencevol 3 no 6 p 5049 2011
[30] A Adnane C Bidan and R T de Sousa Junior ldquoTrust-basedcountermeasures for securing OLSR protocolrdquo in Proceedingsof the 7th IEEEIFIP International Conference on Embedded andUbiquitous Computing (EUC rsquo09) pp 745ndash752 August 2009
[31] B Wu J Chen J Chen J Wu and M Cardei ldquoA survey ofattacks and countermeasures in mobile ad hoc networksrdquo inWireless Network Security Springer New York NY USA 2007
[32] C Adjih D Raffo and P Muhlethaler ldquoAttacks against OLSRdistributed key management for securityrdquo in Proceedings of theOLSR Interop Workshop 2005
[33] G CerveraM Barbeau J Garcia-Alfaro and E Kranakis ldquoMit-igation of topology control traffic attacks in OLSR networksrdquoin Proceedings of the 5th International Conference on Risks andSecurity of Internet and Systems (CRiSIS rsquo10) October 2010
[34] P M Jawandhiya M M Ghonge M S Ali et al ldquoA surveyof mobile ad hoc network attacksrdquo International Journal ofEngineering Science and Technology vol 2 no 9 pp 4063ndash40712010
[35] L M Feeney ldquoAn energy consumption model for performanceanalysis of routing protocols for mobile ad hoc networksrdquoMobile Networks and Applications vol 6 no 3 pp 239ndash2492001
International Journal of Distributed Sensor Networks 19
[36] G Riley and T Henderson ldquoThe ns-3 network simulatorrdquo inModeling and Tools for Network Simulation Springer BerlinGermany 2010
[37] S Bhattiprolu E Biederman S Hallyn et al ldquoVirtual serversand checkpointrestart inmainstream linuxrdquo SIGOPSOperatingSystems Review vol 42 no 5 pp 104ndash113 2008
[38] J Zhang J Xing and Z Qin ldquoTaprouter an emulatingframework to run real applications on simulated mobile adhoc networkrdquo in Proceedings of the 44th Annual SimulationSymposium (ANSS rsquo11) pp 39ndash46 2011
[39] D Broyles A Jabbar and J P G Sterbenz ldquoDesign andanalysis of a 3-d gauss-markov mobility model for highly-dynamic airborne networksrdquo in Proceedings of the InternationalTelemetering Conference (ITC rsquo10) San Diego CA USA 2010
[40] J Haerri F Filali and C Bonnet ldquoPerformance comparisonof AODV and OLSR in vanets urban environments underrealistic mobility patternsrdquo in Proceedings of the IFIP Med-Hoc-Net Workshop 2006
[41] C H Tseng T Song P Balasubramanyam C Ko and K LevittldquoA specification-based intrusion detection model for OLSRrdquoRecent Advances in Intrusion Detection vol 3858 pp 330ndash3502006
[42] S Kurkowski T Camp and M Colagrosso ldquoManet simulationstudies the incrediblesrdquo SIGMOBILE Mobile Computing andCommunications Review vol 9 no 4 pp 50ndash561 2005
[43] A Abdalla I Saroit A Kotb et al ldquoMisbehavior nodesdetection and isolation for MANETs OLSR protocolrdquo ProcediaComputer Science vol 3 pp 115ndash121 2011
[44] R Puttini J Percher L Me et al ldquoA modular architecture fordistributed ids in manetrdquo in Proceedings of the InternationalConference on Computational Science and Its Applications III2003
[45] A Adnane R T de Sousa L Me and C Bidan ldquoAutonomictrust reasoning enables misbehavior detection in OLSRrdquo inProceedings of the 23rd Annual ACM Symposium on AppliedComputing (SAC rsquo08) pp 2006ndash2013 March 2008
[46] W Wang H Man and Y Liu ldquoA framework for intrusiondetection systems by social network analysis methods in ad hocnetworksrdquo Security and Communication Networks vol 2 no 6pp 669ndash685 2009
[47] H Deng R Xu J Li F Zhang R Levy and W Lee ldquoAgent-based cooperative anomaly detection for wireless ad hoc net-worksrdquo in Proceedings of the 12th International Conference onParallel and Distributed Systems (ICPADS rsquo06) pp 613ndash620 July2006
[48] S KurosawaHNakayamaN Kato et al ldquoDetecting blackholesattack on AODV-based mobile ad hoc networks by dynamiclearningmethodrdquo International Journal of Network Security vol5 no 3 pp 338ndash346 2007
[49] WWang HWang BWang et al ldquoEnergy-aware and selfadap-tive anomaly detection scheme based on network tomographyin mobile ad hoc networksrdquo Information Sciences vol 220 pp580ndash602 2013
[50] M-Y Su ldquoPrevention of selective black hole attacks on mobilead hoc networks through intrusion detection systemsrdquo Com-puter Communications vol 34 no 1 pp 107ndash117 2011
[51] N Marchang and R Datta ldquoCollaborative techniques for intru-sion detection in mobile ad-hoc networksrdquo Ad Hoc Networksvol 6 no 4 pp 508ndash523 2008
[52] B V R N Yadav B Satyanarayana and O B V RamanaiahldquoAn efficient intrusion detection system for mobile ad hoc net-worksrdquo in Emerging Trends in Computing Informatics Systems
Sciences and Engineering vol 151 Springer New York NYUSA 2013
[53] Y Huang and W Lee ldquoAttack analysis and detection for ad hocrouting protocolsrdquo in Recent Advances in Intrusion Detectionvol 3224 Springer Berlin Germany 2004
[54] G Vigna S Gwalani K Srinivasan E M Belding-Royer andR A Kemmerer ldquoAn intrusion detection tool for AODV-basedad hoc wireless networksrdquo in Proceedings of the 20th AnnualComputer SecurityApplications Conference (ACSAC rsquo04) pp 16ndash27 December 2004
[55] M Ayachi C Bidan and N Prigent ldquoA trust-based ids for theaodv protocolrdquo in Information and Communications Securityvol 6476 pp 430ndash444 2010
[56] S Sen and J A Clark ldquoA grammatical evolution approach tointrusion detection on mobile ad hoc networksrdquo in Proceedingsof the 2nd ACMConference onWireless Network Security (WiSecrsquo09) pp 95ndash102 March 2009
[57] S Marti T J Giuli K Lai and M Baker ldquoMitigating routingmisbehavior in mobile ad hoc networksrdquo in Proceedings of the6th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo00) pp 255ndash265 August 2000
[58] B Sun K Wu and U Pooch ldquoRouting anomaly detection inmobile ad hoc networksrdquo in Proceedings of The 12th Interna-tional Conference on Computer Communications and Networks(ICCCN rsquo03) 2003
[59] S Bose S Bharathimurugan and A Kannan ldquoMulti-layerintegrated anomaly intrusion detection system for mobileadhoc networksrdquo in Proceedings of the International Conferenceon Signal Processing Communications and Networking (ICSCNrsquo07) pp 360ndash365 February 2007
[60] P Yi Y Zhong and S Zhang ldquoA novel intrusion detectionmethod for mobile ad hoc networksrdquo in Advances in GridComputing vol 3470 pp 1183ndash1192 Springer Berlin Germany2005
[61] C Perkins E Belding-Royer and S Das ldquoAd hoc on-demanddistance vector (AODV) routingrdquo IETF Experimental RFC3561 2003
[62] D Johnson and D Maltz ldquoDynamic source routing in ad hocwireless networksrdquo in Mobile Computing pp 153ndash181 KluwerAcademic 1996
[63] C Perkins and P Bhagwat ldquoHighly dynamic destinationse-quenced distance-vector routing (dsdv) for mobile computersrdquoin Proceedings of the Conference on Communications Architec-tures Protocols and Applications (SIGCOMM rsquo94) vol 24 pp234ndash244 1994
[64] T JoachimsMaking Large-Scale Support VectorMachine Learn-ing Practical MIT Press Cambridge Mass USA 1999
[65] Y Yajima and T Kuo ldquoEfficient formulations for 1-svm and theirapplication to recommendation tasksrdquo Journal of Computersvol 1 no 3 pp 27ndash34 2006
[66] L Bononi and C Tacconi ldquoIntrusion detection for secureclustering and routing inMobileMulti-hopWirelessNetworksrdquoInternational Journal of Information Security vol 6 no 6 pp379ndash392 2007
[67] Y Huang W Fan W Lee et al ldquoCross-feature analysis fordetecting ad-hoc routing anomaliesrdquo in Proceedings of the 23rdInternational Conference on Distributed Computing Systems(ICDCS rsquo03) pp 478ndash487 May 2003
[68] J Quinlan C4 5 Programs for Machine Learning MorganKaufmann Boston Mass USA 1993
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 9
Table 2 Evidence characterizing a link spoofing attack
Initial-evidence group1198641 AMPR is replaced by a 1-hop neighbor or by an already selected MPR1198642 AMPR behaves maliciously for example it tampers misrelays or drops the control messages
Suspicious-evidence group1198643 AMPR is the only node that provides connectivity to one (or more) 2-hops neighbor(s)
Confirmed-evidence group1198644 AMPR advertises a partial set of 1-hop neighbors1198645 AMPR advertises nonneighboring node(s) as 1-hop neighbors(s)
Cancel-evidence group1198646 AMPR is defined as an intruderwell-behaving node
selection is triggered upon a change in the symmetric 1- and2-hops neighborhood Rather than launching an in-depthdiagnostic upon every change in the 1- or 2-hops symmet-ric neighborhood we keep to a minimum the number ofthese diagnostics and henceforth the amount of consumedcomputational power and bandwidth by initiating it onlyat the occurrence of an event related to a link spoofingattack More precisely we ignore the changes in the 1-hopneighborhood (eg apparition of 1-hop neighbor) becausethey are observed by the node itself Thus they are notsubject to the remote falsification which is the cornerstoneof a link spoofing attack In contrary changes in the 2-hopsneighborhood are considered as long as they impact theMPRselection In practice the evidences that reveal a link spoofingattack (Table 2) are broken down into
(i) a MPR replacement (Evidence 1 or 1198641 for short)that results from a change in the covering of the 1-hop neighbors one (or several) 1-hop neighbor(s)(possibly the replacing MPR) increase(s) its (their)coverage to the detriment of the replaced MPR AreplacementMPR is a 1-hop neighbor that is excludedfrom the MPRs set even though it provides the sameconnectivity in both the previous and current MPRselection rounds
(ii) No MPR replacement takes place but an alreadyselected MPR is detected as misbehaving node Forinstance a misbehaving MPR may drop falsify ormisrelay the control messages (1198642) Note that anevidence of a special interest herein refers to a nodepromoting itself as a MPR without having beenselected as a MPR Amisbehaving MPR includes alsothe case wherein a MPR continually advertises thesame 2-hops neighbors set despite being no morevalid Contrary to other cases this one is not eventdriven and should be handled based on random orperiodical checks
(iii) aMPR is the only one that covers one or several nodes(1198643)
(iv) a MPR covers partially its adjacent neighbor(s) (1198644)
(v) a MPR provides connectivity to a nonneighboringnode (1198645)
The occurrence of either 1198641 or 1198642 constitutes the startingpoint of an in-depth diagnostic 1198641 and 1198642 belong to theinitial-evidence group The act of being the only MPR thatprovides the connectivity to node(s) (1198643) is suspicious butis not sufficient to launch an in-depth diagnostic becausethis situation is typical in a sparse network Furthermoretwo nodes within the covering range of each other oftenfail in communicating due to the unpredictable nature ofwireless transmission resulting from for example obstaclesand noises Thus diagnosing 1198643 is especially difficult underno specific assumption Overall the occurrence of 1198641 or 1198642and optionally1198643 leads to an in-depth diagnostic (Expression13) In practice the 1-hop neighbor(s) of the suspicious MPRare interrogated Note that part of the interrogated nodesmayexpress a different opinion that results from malicious nodeor an obsolete routing information This calls for taking intoaccount their respective reputation (as we plan in our nearfuture work)
(1198641 or 1198642)
dArr dArr
(1198644 or 1198645) optional (1198643) (1198644 and 1198645)
dArr dArr
The suspicious MPRis an intruder
The suspicious MPRis well-behaving
(13)
If the obtained answers confirm (resp infirm) that thesuspicious MPR covers partially its neighbors (1198644) andoradvertises a distant node as 1-hop neighbor (1198645) then theMPR is declared as an intruder (resp well-behaving) andthe diagnostic is terminated (1198646) Obviously the cooperationbetween the nodes constitutes a cornerstone in our in-depthdiagnostic
34 Cooperative Diagnostic The in-depth diagnostic of a linkspoofing attack consists in verifying the existence of a sym-metric and neighboring relationship between a suspiciousMPR and its advertised 1-hop neighbors (Algorithm 1) Moreprecisely this diagnostic follows the following steps Firstthe MPRs that have been replaced by other MPR or 1-hopneighbor are identified (lines 1-2) because such replacementrepresents the initial evidence of a link spoofing attack (1198641in Table 2) For this purpose the function GetReplaced-Mpris called (Line 1) It establishes the MPRs that have been
10 International Journal of Distributed Sensor Networks
(1) OldMprs = GetReplaced-Mpr()(2) SuspiciousMprs = GetReplacing-Mpr()(3) for (suspicious isin SuspiciousMprs) do(4) InterrogatedNodes = GetCommon2HopsNeighors
(suspicious OldMprs)(5) for (2HopsNeighbor isin InterrogatedNodes) do(6) if (LinkExistence (2HopsNeighbor suspicious) ==
false) then(7) Generate-Alarm (suspicious)(8) end if(9) end for(10) Cancel-Suspicious (suspicious)(11) end for
Algorithm 1 In-depth diagnostic
replaced by comparing the currentMPRs and the penultimateMPRs Then the MPRs sharing 1-hop neighbor(s) with areplaced MPR are identified (function GetReplacing-MPRline 2) Those identified MPRs are tagged as suspicious andare subject to further analysis (lines 3ndash11) the objective is toverify whether some spoofed links have been advertised soas to replace the MPR It follows that the 1-hop neighborsthat are common to a replaced MPR and a suspicious oneare determined (GetCommon2HopsNeighors function line 4)Note that these 1-hop neighbors also correspond to the 2-hops neighbors of the node launching the diagnostic Theyare interrogated (LinkExistence function) so as to verify theexistence of links The interrogation of a 2-hops neighbordenoted by 119860119894 consists in sending a request to 119860119894 asking ifthis latter considers the suspicious MPR as a 1-hop neighborat a specific time 119905 Whenever possible this request is sentwithout going through both the suspicious MPR 119868 or anycolluding intruder 1198681015840 This eluding is necessary in order toprevent 119868 and 1198681015840 from dropping the request andor forging adeceptive answerTherefore the 1-hop neighbor(s) (primarilythe MPR(s)) that covers the interrogated 2-hops neighbors isprovided with the request Note that the suspecting node 119878 isaware of is provided with the connectivity between the nodesthat form its two-hops neighbors Thus 119878may select the one(if existing) that covers 119860119894 If no answer is obtained (iethe related time-out elapses) then the request is sequentiallytransferred through the rest of the covering 1-hop neighbors(keeping in mind that as aforementioned MPRs are pri-marily selected) However when no neighbor is left then an(multihops) alternative path is researched in the routing tableto reach 119860119894 Note that the verification related to a suspiciousMPR is performed within an independent thread hencethe diagnostic of one node (and the result waiting) is not ablocking to others If 119860119894 denies being a 1-hop neighbor of thesuspicious MPR then a countermeasure is triggered Moreprecisely an alarm that establishes the detected attacker(s)is broadcasted (Generate-Alarm function line 7) Otherwiseif no deny takes place the suspicious MPR is no longersuspected (Cancel-Suspicious function line 10) In both casesthe diagnostic terminates Note that if no answer is provided(the inconsistent answers lead also to a claim in the degree
of suspicion However this case is not included in this paperbut it is handled in our other works) then the suspiciousMPR is tagged as not verified and the degree of suspicionin this latter goes up It is worth mentioning that the currentimplementation of IDAR considers the link spoofing attackHowever considering other attacks is not complicated andrequires only specifying the evidences to be searched in thelogs and the information to be exchanged between the nodesduring the in-depth diagnostic
4 Architecture and Performance Evaluation
In this section we introduce the key architectural compo-nents of IDAR (Section 41) Then we present the evaluationof IDAR performance (Section 42) and further discuss theobtained result (Section 43)
41 IDAR Architecture In order to cope with the dynamicnature ofMANET IDAR is both distributed and cooperativeThe proposed architecture (Figure 2) requires that everydevice participates in the detection (The delegation of somedetection operations (eg logs analyzing) may be sharedamong devices But it will not be necessarily less expensive interms of resources consumption)More precisely each devicecontains an instance of IDAR which independently detectsthe signs of suspicion and cooperates with other instancesso as to conduct the diagnostic in a broader range IDAR isimplemented in Perl (httpwwwperlorg) and conceptuallystructured into 4 components
(i) Coordinator that orchestrates all the components Assuch it constitutes the hearth of IDAR In prac-tice it parses dynamically the OLSR logs so as toextract signs of suspicion and match these latteragainst predefined intrusion signaturesThe intrusionsignatures are represented as conditional rules (ifcondition then state) Furthermore it triggers thecommunication and the alarm notification in orderto launch advanced diagnostic
(ii) Communication manager that gathers informationabout for example the adjacent links as requiredby the diagnostic manager Meanwhile it answersthe diagnostic requests This component runs into aseparated thread so that other IDAR operations arenot blocked
(iii) Knowledge database includes the information thatis extirpated from the logs and is provided by thecommunication manager This database is realized inMysql (httpwwwmysqlcom) Stored informationencompasses for example the 1-hop and 2-hopsneighbors and the MPRs
(iv) Alarm notifier is responsible for alarming the networkwhen an intrusion is detected Note that we areplanning to include more countermeasures in thefuture for example eliminating the routes containingan intruder
International Journal of Distributed Sensor Networks 11
SignatureKnowledge
database
Coordinator
Communicationmanager Alarm notifier
Update
Feedback
Diagnostic requestDiagnostic answer
IDAR instance
Routing log
IDAR instanceDiagnostic requestanswer
Routing log
Feed back
Figure 2 IDAR architecture
All the above components have been developed so as tosupport intrusion detection offering a high rate of detectionalong with conserving the resources
42 Performance Evaluation In order to evaluate the perfor-mance of IDAR a mobile ad hoc network has been simulatedusing the network simulator NS3 (httpwwwnsnamorg)[36] Each node in the simulated network is furthercoupled with a Linux Container (LXC) virtual machine(httplxcsourceforgenet) [37] The reason that motivatesthis coupling is twofold First NS3 offers the possibilityto simulate a large-scale mobile ad hoc network SecondLXC an operating-system-level virtualization tool permitsto run multiple isolated machines (also called containers)on a single modified hosting kernel (up to 1024 contain-ers over a single hosting kernel) Each container owns itsproper resources (eg process tree network interface andIP address) Thus the resource consumption (eg memoryusage) can be isolated and measured In practice an instanceof IDAR is installed on each container that appears asa standaloneseparated machine Figure 3 exemplifies thecoupling between nodes in NS3 and LXC containers Fromthe IDAR perspective (as well as from any applicationinstalled on the container) the emission and reception ofpackets is done through the network interface (eth0) Whilethe container contains a simulated ethernet card (V119890119905ℎ)which is connected through an ethernet bridge towards akernel tap device (tap) Note that for each container-nodecoupling new tap and ethernet bridge should be definedin the hosting kernel The ethernet bridge implements theforwarding of link-level framesThe interface 119905119886119901119877119900119906119905119890119903 [38]is implemented in NS3 and is used to exchange packetsbetween the 119905119886119901 device and the WiFi device which enablesNS3 nodes to communicate over a IEEE 80211- and OLSR-enabled MANET Overall the outgoing packets from eth0in the container are delivered to the WiFi device at thecorresponding node in the simulated network and vice versaSimulation is carried using the aforementioned platform
wherein the hosting device is equipped with 32GB of mem-ory and 2 Intel(R) Xeon(R) (6) Core 240GHz CPUsContainers hold a Fedora 12 operating system We considera MANET (Table 3) constituted of 119873 = 30 nodes split into25 well-behaving nodes and 5 intruders While most of otherIDSs are evaluated against one intruder we show that IDARcan handle several intruders in the same time Intruderslaunch repeatedly the implemented link spoofing attack (asdescribed in Expression 12) In our experiments the numberof successful intrusions varies between 15 and 33 accordingto the parameters of simulation scenario (as described inExpression 12) Nodes communicate via IEEE 80211a andare characterized by a transmission range 119879
119909of 90m They
randomly move following the so-called RandomWalk2d [39]mobility pattern provided by NS3 each node moves accord-ing to a randomly chosen direction at a given speed that isthe same for all the nodes When a node hits the networkboundaries (unless specified the network area is defined bya squared area of 119878 = 310 times 310m2) it rebounds followinga reflexive angle Data traffic is further modeled using theV4PingHelper application in NS3 each node exchanges 56-byte ICMP (httpwwwietforgrfcrfc792txt) echo requeststo one another and waits for 1 s before sending it again Weuse OLSR as the underlying routing protocol preserving theconfiguration parameters promoted in the RFC 3626 (eghello message interval is 2 s)
For each experimental scenario the simulation islaunched 5 times each one lasts for 140 s We compare thelaunched attacks with the detected ones and present theaverage of results We aim at evaluating the performance ofIDAR in terms of
(i) intrusion detection rate that reflects the capacity ofdetecting successful intrusions (a successful intrusioncauses the replacement of a legitimate MPR of thevictim by an intruder)
(ii) false positive rate that measures how many times alegitimate node is wrongly designated as an intruder
12 International Journal of Distributed Sensor Networks
Table 3 Simulation parameters
Simulation platformSimulator NS3 + LXC virtual machinesContainer operating system Fedora 12Hosting device memory 32GBHosting device CPU 2 Intel(R) Xeon(R) (6) Core 240GHz
Simulated MANETNumber of mobile nodes 30Number of intruders 5Topology 310 times 310m2
Transmission range 90mMaximum bandwidth 1MbpsTraffic V4PingHelper 56 bytes Icmp packetsMobility model RandomWalk2dMaximum speed 8ms (or 288 kmh)Simulation time 140 s
tapRouterWiFi devicewith OLSR
LXC
cont
aine
r
Ethernet bridge
Tap
LXC
cont
aine
r
veth
Ethernet bridge
Tap
tapRouterWiFi devicewith OLSR
veth
Nod
e 1
Nod
e 119899
NS3
IDAR1 IDAR119899
eth0 eth0
Figure 3 Experiment platform
(iii) detection overhead which represents the additionalnetwork traffic that is generated because of IDARNote that further benchmarks are also provided interms of memory usage
Based on those performance indicators IDAR is furtherevaluated with regard to the network density (Section 421)and node mobility (Section 422)
421 Network Density In order to evaluate the scalingproperties of IDAR we vary the density of the networkThe density of the network corresponds to the averagenumber of neighbors which is defined as in [40] by (119873 times
120587 times 1198792
119909)119878 We selected an interval of density that ranges
from 6 up to 16 neighbors which includes the intruderthe victim and the remaining neighbors Figure 4(a) showsthat the detection rate keeps higher than 80 regardless ofthe network density This demonstrates the relatively limitedimpact of the network density on IDAR performance More
precisely the intrusion detection rate slightly rises from935up to itsmaximum 963when the density varies from6 up to 8 neighbors the greater is the number of neighborsthe higher is the visibility of the attackThen a slow diminishis observed dense networks (with a density exceeding 8) arecharacterised by a high collision rate that causes a declinein the detection rate Similarly Figure 4(b) highlights thatthe average percentage of false positives is neglectful (under59) The analysis of several cases of false positive leads usto find that a false positive occurs when two nodes own adifferent live-times for the bidirectional link that connectsthese later consequently one of the two nodes still confirmsthe existence of this link while the other one denies it Tooverride this problem the period during which those linksare considered valid should be amplified as in [41] Figure 4(c)presents the average memory usage caused by IDAR Thisusage gently fluctuates between 176MB and 222MB It is alsoworthy of mention that contrary to OLSR our system doesnot assign additional functionality toMPR (detectionmay belaunched by one another) IDAR provides an homogeneousload balancing among the nodes As illustrated in Figure 4(d)the traffic caused by IDAR is very low (under 05 for anetwork density inferior to 8) It then slowly rises to reach13 when the network density is 16 In order to understandthe slight fall when the density reaches 14 we compare theaverage number of suspicious cases with regard to a varyingdensityThis average was 708 (resp 658) with density equalsto 12 (resp 14) Consequently the number of diagnostic-related packets is smaller at a density of 14 than at a densityof 12
422 Mobility In order to isolate the influence of themobility the network density is set to 8 The detection ratefalls when the speed increases (Figure 5(a))This results fromthe ever changing topology that results in increasing thenumber of broken links and the related drops of diagnostic-related packetsHowever IDAR still provides a high detectionrate for example the average of detection rate is 707
International Journal of Distributed Sensor Networks 13
0
20
40
60
80
100
6 8 10 12 14 16
Det
ecte
d in
trus
ions
()
Density
Average detection
(a)
0
10
20
30
40
50
6 8 10 12 14 16
False
pos
itive
()
Density
Average of false positives
(b)
0
10
20
30
40
50
6 8 10 12 14 16
Mem
ory
usag
e (M
B)
Density
(c)
025 05
1
5
20
50 100
6 8 10 12 14 16Density
IDA
R ve
rsus
OLS
R tr
affic (
)
(d)
Figure 4 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network density
with a moving speed equals to 8ms (ie around 287
kilometershour equivalent to 1789mileshour) Figure 5(b)shows that the higher is the moving speed the greater it getsfalse positives mainly because of out of date feedback Infact when a node moves away some of its 1-hop neighborsare no longer neighbors but are still announced as suchand are considered as potential attackers A higher increaseof the false positive rate is observed when the node speedranges from 4ms up to 6ms because the instable nodecovering is given its transmission range which leads to anincreased update of its 1-hop neighbors The memory usage(Figure 5(c)) rises staidly from 176MB to 265MB whichis reasonable even for resource-limited devices The impactof the mobility on the bandwidth is shown in Figure 5(d)The IDAR traffic comparing to the OLSR traffic significantlygrows from 036 up to 31 for a speed ranging from 0msup to 2ms Then the bandwidth usage gradually growsand reaches almost 6 when the moving speed is equalto 8ms This is motivated by the fact that increasing thenumber of verified links leads to exchange more diagnostic-related messages in the network In order to understandthe reason behind such variable growth of IDAR trafficwe counted the number of the verified suspicious neighbor
links We found that the average number of the verified linkssignificantly grows from 452 to 2014 when the velocity risesfrom 0ms to 2ms This average then gradually grows andtakes the values 2408 3314 and 406 when the velocityequals to 4ms 6ms and 8ms respectively The limitednumber of the suspicious neighbor links when the nodesare static is justified by the fact that the attacker has alimited choice to falsify its neighbors links Instead when thevelocity is greater than 2ms there is a continuous changein the neighborhood and the attackers can attack more(diversified) targets Meanwhile the continuously changingtopology implies an increased number of investigations
43 Performance Discussion It is clear that the density of thenetwork holds less influence than the mobility on our IDSMore mobility in MANET causes more dropped diagnosticpackets and hence less diagnostic is concluded with a finalresult that is confirming or refuting the suspiciousnessHowever comparing the launched attacks to the discov-ered suspicious events shows that the majority of attacksare tagged as suspicious events and considered for furtherdiagnostic Note that the mobility has a negative influence
14 International Journal of Distributed Sensor Networks
0
20
40
60
80
100
0 2 4 6 8
Det
ecte
d in
trus
ions
()
Velocity (ms)
Average detection
(a)
0
10
20
30
40
50
0 2 4 6 8
False
pos
itive
()
Velocity (ms)
Average of false positives
(b)
0
10
20
30
40
50
0 2 4 6 8
Mem
ory
usag
e (M
B)
Velocity (ms)
(c)
025 05
1
5
20
50 100
0 2 4 6 8
IDA
R ve
rsus
OLS
R tr
affic (
)
Velocity (ms)
(d)
Figure 5 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network mobility
on all the IDSs especially the cooperative ones where thereis an exchange of evidencesalerts Table 4 provides a shortperformance comparing between IDAR and other knownIDSs that are dedicated to ad hoc routing protocol Likethe majority of these IDSs the performance of our systemis challenged against a specific attack link spoofing attackin a simulated MANET (According to [42] around 75of mobile ad hoc published papers use simulation for testissues) Two evaluation factors are common to almost all thelisted IDSs the detection ratecapacity and the positive falserate Even though it was challenged in a MANET whereinthe intruders constitute 166 (Note that this percent is the3rd highest registered percent) of the nodes IDAR providesone of the highest detection rate Regarding the positivefalse rate we can notice that several IDSs especially thosethat are dedicated to DSR protocol show better results thanour system However this latter still generates a limitednumber of false positives It is also possible to reduce thefalse positives rate by amplifying the TTL (Time To Live)parameter of a bidirectional link so as to reduce the impactof obsolete neighborhood-related information during thedetection Recall that most of the generated false positives inIDAR are generated because of the difference in the time-live
of a bidirectional link between the two ends of this link Insuch case this link will be expired in one end while the otherend will keep confirming its existence It is worthmentioningthat except our system the listed IDSs that aim to detect theattacks targeting OLSR protocol do not present neither thedetection rate nor the false positives rate But they merelyprove the capacity of detecting the addressed attack(s) Inaddition IDAR is one of the rare IDSs that are evaluated interms of resources consumption Indeed we measure boththe increment inmemory usage and traffic overhead resultingfrom detection operations IDAR triggers a small incrementin the devicesrsquomemory usage (between 176MBand 265MB)Therefore it can be tolerated by the resource-limited devicesIt further triggers the lowest traffic overhead compared to thelisted IDSs IDAR presents a good scalability and offers a highdetection rate even in the high density networks where a largeamount of routing traffic should be monitored (Figure 4(a))This scalability is reinforced by (i) the limited traffic overhead(ii) the use of routing logs so as to extract the evidencesinstead of sniffing the traffic (iii) the distributed nature ofdetection such that each node is responsible for detecting theattacks targeting it and (iv) the unnecessity of modifying theused routing protocol
International Journal of Distributed Sensor Networks 15
5 Related Work
Systems that detect intrusion targeting ad hoc routing proto-col are extremely diverse in the way they analyze intrusionThey fall into the three key categories
(i) Anomaly detection system defines the correct behav-ior of the nodenetwork so as to detect deviations tothis behavior This correct behavior is automaticallybuilt during an attackless training phase The detec-tion accuracy depends on the ability to (i) describethe correct behavior and (ii) distinguish betweenanomalous and unexpected behaviors
(ii) Specification-based detection system hand-codes thelegitimate functionoperation and then searches for aviolation to this operation
(iii) Signature-based detection system first describes theway an intruder penetrates the system by defining anintrusion signature Then any behavior that is closeto this predefined signature is flagged as intrusion
Hereafter we detail examples of each of these categoriesAnomaly-based detection constitutes the main approachused to detect attacks The IDS proposed by Zhang et al[7] constitutes a de facto standard in MANET It aims atdetecting the attempts to falsify the routes provided by theAODV [61] DSR [62] and DSDV [63] routing protocolsDuring the training phase the impact of movement on thepercentage of changes in the routing table is analyzed Notethat this movement (ie velocity direction and position)is provided by a Global Positioning System (GPS) Thenduring the operation phase an actual percentage of changesdiffering from the predicted one is defined as anomaly Inpractice the distinguishing between anomalous and normalbehaviors is provided by the Support Vector Machine (SVM)Light [64] classifier or by RIPPER [15] a rule-based engineThe hierarchical IDS proposed in [47] detects blackhole androuting request flooding attacks targeting AODV protocolHere MANET is arranged into clusters whereas the nodewith the highest residual energy and number of connectionsis elected as a cluster-head Each cluster-head monitors thetraffic inside its cluster so as to identify the abnormal valuesof (i) the percentage of changes in the routing table and (ii)the propagation of routingdata packets Such abnormalitiesare identified thanks to (1-SVM) classifier [65] a deviationof SVM that needs to be trained with either normal orabnormal scenario but not both of them In [48] (resp [66])a blackhole (and resp dropping) attack targeting AODVprotocol (resp a secured version of AODV protocol includ-ing authentication and reputation estimation) are detectedby investigating features for example the number of routerequests and route replies as well as the average difference ofsequence numbers (Largely increased sequence numbers areknown as a sign of blackhole attack) Then simple anomalydetection is applied if the distance between the actuallyobserved features and the average ones that are recorded dur-ing the training exceeds a given threshold then an intrusionis detected More sophisticated cross-features analysis (CFA)[67] is applied to detect both blackhole and packet drop-ping on AODV and DSR protocols Features including for
example the reachability between 2 nodes and the numberof delivered packets are analyzed within time windows Thisanalysis attempts to quantify the relation existing betweenone feature 119891
119894and the others 119891
1 119891
119894minus1 119891119894+1 119891
119896(with
119896 + 1 defining the number of features analyzed) During theoperation phase the probability of matching between theobserved feature 1198911015840
119894and the predicted feature 119891
119894 which is
established based on 11989110158401 119891
1015840
119894minus1 1198911015840
119894+1 119891
1015840
119896 is calculated by
a decision tree classifier named C45 [68] An anomaly refersto an average of matching probability fewer than a giventhreshold CFA and C45 are also used in [69] with traffic-related features (eg number of receivedtransferred packets)and OLSR- or AODV-related features (eg MPR updates forthe former and route discovery for the latter) A modifiedMarkov chain-based IDS is proposed in [58] so as to detectroute disruption attack targeting DSR protocol Here thedetection depends on identifying unpredicted value of twofeatures the percentage of changes in the number of routesand the percentage of changes in the number of hops Inpractice a Markov chain is based on the immediate previous119899 consecutive values of a feature as to predict the (119899 + 1)thvalue If the difference between a predicted and an observedvalue exceeds a given threshold an intrusion is concluded
Rather than establishing automatically a correct behaviorspecification-based detection system hand-codes the correctbehavior of the routing protocols based on the protocol spec-ification (IETF draft or RFC) Then the system attempts todetect a violation of constraints circumventing this behaviorFour key constraints define the correct behavior of OLSR([14 70])
(1) Neighbor relationmust be reciprocal (ie 2 neighborsmust hear the hello message sent by each other)
(2) TheMPRs and the nodes that select theMPR (ie theMPR selectors) must be adjacent
(3) A node that finds itself advertised as a MPR selectorin a TCmessage must be adjacent to the originator ofthis message
(4) Nodes receive TC messages without modificationsfromMPR(s)
Each node sniffs the traffic in its radio range so as todiscover the violations of any of the above constraints Theseconstraints are modeled by semantic properties in [70] (resprules in [14]) so as to detect link spoofing attack on TC(and resp hello messages) both experiment an ability todetect a link spoofing by observing a violation of the thirdcondition over a simulated network composed of 11 nodesFinite-state machines are used to describe similar constraintson OLSR [41] and the behavior of AODV protocol [52 71]In [41] a centralized detection of link spoofing man-in-the-middle and deny of service attack is performed While in[52 71] incorrect hop countssequence numbers are analyzedby distributed sensors which sniff and group the packets perrequest-reply flow so as to estimate the forwarding path perflow If a route requestreply is illegallymodified or forwardedvia a nonexpected path then an alarm is triggered In [60]similar FSMs are used to define constraints on both the routediscovery in AODV and the packet forwarding operations
16 International Journal of Distributed Sensor Networks
Table4Com
parin
gID
ARperfo
rmance
with
otherIDSs
IDS
Routing
protocol
Num
bero
fno
des
Intrud
ers
()
Moving
speed
Detectio
nrate
False
positives
rate
Increm
entinmem
ory
usage
Increm
entintraffi
coverhead
IDAR
OlSR
30166
0ndash8m
s707ndash963
0ndash132
176ndash
265MB
478ndash6215KB
(036
ndash597
ofOlSRtraffi
c)
[43]
OlSR
303366
10
mdashmdash
mdashmdash
6ndash12
ofOlSR
traffi
c[41]
OlSR
1010
0ms
Detectio
nispo
ssible
mdashmdash
mdash[44]
OlSR
7143
0ms
Detectio
nispo
ssible
mdashmdash
mdash[45]
OlSR
520
0ms
Detectio
nispo
ssible
mdashmdash
mdash[14
]OlSR
119
0ms
Detectio
nispo
ssible
mdashmdash
mdash[46]
AODV
3033
0ndash5m
s3067ndash90
0ndash20
mdashmdash
[47]
AODV
502
0ndash20
ms
90
5
mdashmdash
[48]
AODV
3033
1ndash20
ms
70ndash82
12ndash18
mdashmdash
[49]
AODV
2050
10
1ndash10ms
964ndash9
87
079ndash093
mdash900k
B
[50]
AODV
5238
0ndash20
ms
(Fixed
IDSs)
100
0ndash0
6
mdashmdash
[51]
AODV
521
20238
0ndash10ms
50ndash100
0ndash30
mdashmdash
[52]
AODV
30mdash
0ndash20
ms
70ndash100
05
ndash15
mdashmdash
[53]
AODV
50Ra
ndom
0ndash20
ms
79plusmn10ndash92plusmn3
5plusmn1ndash32plusmn8
mdashmdash
[54]
AODV
102050
mdash0ndash
10ms
0ndash100
0ndash≫100
02ndash06
mdash[55]
AODV
20ndash200
mdash0ndash
20ms
30ndash9
50ndash16
mdashmdash
[56]
AODV
50mdash
1ndash20
ms
998ndash100
083ndash846
mdashmdash
[7]
AODV
mdashmdash
mdash8848plusmn414ndash971plusmn032
145plusmn072ndash202plusmn627
mdashmdash
DSD
Vmdash
mdashmdash
8523plusmn328ndash9061plusmn299
537plusmn310ndash263plusmn549
mdashmdash
DSR
mdashmdash
mdash852plusmn238ndash991plusmn037
003plusmn004ndash153plusmn408
mdashmdash
[57]
DSR
5040
0ndash20
ms
mdashmdash
mdash11ndash313
of
data
traffi
c[58]
DSR
3033
3ndash5m
s60ndash100
25
ndash50
mdashmdash
[59]
DSR
30mdash
mdash75
12
mdashmdash
[60]
DSR
502
0ndash20
ms
837ndash9
74
13ndash72
mdashmdash
International Journal of Distributed Sensor Networks 17
A signature-based system distinguishes itself by model-ing the misbehavior (rather than the correct behavior) soas to identify if a sequence of observed events matchingan intrusion signature AODVSTAT [54] uses state-basedsignatures in order to detect dropping and spoofing attacksalong with network flooding Few sensors sniff the traffic andmatch it against predefined signatures They also exchangeperiodically MAC and IP addresses so as to detect an identityspoofing which is characterized by a node emitting a packetidentified by MAC and IP addresses differing from thoseregistered for this node A dropping attack refers to a nodethat fails to replay route requestreply Finally a node sendinga number of packets exceeding a given threshold is identifiedas willing to exhaust resources In [45] intrusion signaturesare specified in opposition to the legitimate behavior of OLSRdepicted in conjunction with specification rules similar tothose defined in [70] In particular a node 119873 mistrusts twoneighbors 119871 and 119872 that conform to the following rules119872 advertises 119871 as a neighbor while 119871 does not advertise119872 as a neighbor (or reciprocally) both 119871 and 119872 send TCmessages while 119871rsquos neighbors are a subset of 119872rsquos neighbors(or reciprocally) In addition 119873 mistrusts 119872 if 119873 which isnot a neighbor of 119872 finds itself as a MPR selector in a TCof 119873 (constraint 3) In [44] a FSM is employed to modelthe signature of hello message fabrication in OLSR protocolin an agent-based IDS In practice each node uses a SimpleNetworkManagement Protocol (SNMP) agent so as to collectaudit data from the Management Information Base (MIB)After that events are extracted from the collected audit dataand are matched to the attack signatureThe addressed attackaims at breaking the link between a victim node and itsneighbors and thus a DoS takes place To that end theattacker impersonates the identity of the victim and sends afake hello message advertising one of the victim symmetricneighbors with lost link status Upon receiving the fabricatedmessage the neighbor changes the status of its link withthe victim to ldquoheardrdquo and stops routing packets through thevictim
51 Synthesis and Discussion A great majority of the litera-ture is focused on anomaly detectionwhile scarce effort inves-tigates specification- and signature-based intrusion Thisnaturally calls for consolidating the effort on specification-and signature-based detection while following the habitus ofwired network which consists in coupling these detectionsystems with one another for example in [72] wherein acombination of anomaly- and signature-based detection isrealized so as to increase the detection rate Almost all ofthe IDS focuses only on the detection accuracy that isproviding a high detection rate along with limited falsealarms However they do not consider the criticality ofmaintaining the resources and henceforth extending thelifetime of the nodenetwork Our IDS takes into account thenecessity of reducing to minimum both the communicationand computation overload related to intrusion identificationThe absolute majority of the IDSs is simulated (including thesystem we are proposing) rather than being either developedor experimented on testbeds or relying on empirical data
The reason that explains this situation is twofold Firstthe deployment of critical MANET is limitednot adver-tised Second to the best of our knowledge experiences ofintrusion in MANETs are not reported intrusions are infact developedsimulated as proofs of concept Neverthelessnot only routing protocols but also the characterization ofthe intrusion together leverage on the experience gained indesigning routing protocols for wired networks and deal-ing with related misbehaviors In particular the similarityexisting between the OSPF and OLSR protocols implies thatmany threats (eg sequence numbers identity spoofing) areshared In other words intrusion may be inspired from theone targeting wired networks Meanwhile the developmentof intrusion detection and the envisioning of attacks areaccelerated
6 Conclusion
We survey and classify the attacks that target ad hoc routingprotocols focusing on theOLSRprotocol In order to facilitatethe definition of intrusion signatures we extend a descriptionmodelmdashan attack is expressed as the preconditions andthe resulting consequencesmdashand enrich it with temporalannotations Once hand-coded these signatures are utilizedby IDAR a log-based distributed intrusion detection systemdedicated to operate in mobile ad hoc networks IDARdistinguishes itself by analyzing the logs generated by arouting protocol and extracts intrusion evidences so as tocompare these latter against predefined intrusion signaturesFor this purpose evidences are categorized into four groupsaccording to their degree of suspiciongravity and hence totheir ability to activatedeactivate the diagnostic We furtherdevelop a link spoofing attack on the OLSR protocol buildthe related detection rules and evaluate the performancesof IDAR relying on the NS3 simulator coupled with LXCvirtual machines Overall the experiments figure out ahigh rate of intrusion detection and low false positivesrate even under increased mobility and density Meanwhileresource consumption and network overhead result from thediagnostic are low and adapted to the resource-constraineddevices Note that ongoing effort is provided as to evaluateIDAR in a real MANET consisting of resource-constraineddevices Still detecting intrusion is not a trivial task due tothe large number of evidences to tackle and the resource-consuming diagnostic A compromise between detectionaccuracy and resource consumption could be found For thispurpose we are working on a new statistical mechanism forgathering the evidences This mechanism aims at enhancingthe scalability of our system by restricting the interrogationto a limited subset of nodes during the diagnostic Moreoveruntil now we assume that honest parties are passive theyalarm others but do not react We are considering thecoupling with countermeasures (eg blacklisting) and theexploring of lightweight binary consensus and trust estab-lishment among the nodes that participate in the intrusiondetection
18 International Journal of Distributed Sensor Networks
References
[1] Z Zhao H Hu G Ahn and R Wu ldquoRisk-aware mitigation formanet routing attacksrdquo IEEE Transactions on Dependable andSecure Computing vol 9 no 2 pp 250ndash260 2012
[2] B Sun L Osborne Y Xiao and S Guizani ldquoIntrusion detectiontechniques in mobile ad hoc and wireless sensor networksrdquoIEEE Wireless Communications vol 14 no 5 pp 56ndash63 2007
[3] S Sesay Z Yang and J He ldquoA survey onmobile ad hoc wirelessnetworkrdquo Information Technology Journal vol 3 no 2 pp 168ndash175 2004
[4] P Brutch and C Ko ldquoChallenges in intrusion detection forwireless ad-hoc networksrdquo in Proceedings of the Symposium onApplications and the Internet Workshops (SAINT rsquo03) pp 368ndash373 2003
[5] S Khan N Alrajeh and K Loo ldquoSecure route selection inwireless mesh networksrdquo Computer Networks vol 56 no 2 pp491ndash503 2012
[6] S Corson and J Macker ldquoMobile ad hoc networking (manet)routing protocol performance issues and evaluation considera-tionsrdquo IETF RFC2501 1999
[7] Y Zhang W Lee and Y Huang ldquoIntrusion detection tech-niques for mobile wireless networksrdquoWireless Networks vol 9no 5 pp 545ndash556 2003
[8] B C Cheng and R Y Tseng ldquoA context adaptive intrusiondetection system for MANETrdquo Computer Communications vol34 no 3 pp 310ndash318 2011
[9] T Eissa S A Razak and M D A Ngadi ldquoTowards providinga new lightweight authentication and encryption scheme forMANETrdquoWireless Networks vol 17 no 4 pp 833ndash842 2011
[10] A Irshad W Noshairwan M Shafiq S Khurram E Irshadand M Usman ldquoSecurity enhancement for authentication ofnodes in MANET by checking the CRL status of serversrdquoCommunications in Computer and Information Science vol 78pp 86ndash95 2010
[11] D E Denning ldquoAn intrusion-detection modelrdquo IEEE Transac-tions on Software Engineering vol 13 no 2 pp 222ndash232 1987
[12] T Clausen and P Jacquet ldquoOptimized link state routing proto-col (OLSR)rdquo IETF Experimental RFC 3626 2003
[13] P Albers O Camp J Percher et al ldquoSecurity in ad hoc networksa general intrusion detection architecture enhancing trust basedapproachesrdquo 2002
[14] F Cuppens N Cuppens-Boulahia S Nuon and T RamardldquoProperty based intrusion detection to secure OLSRrdquo in Pro-ceedings of the 3rd International Conference on Wireless andMobile Communications (ICWMC rsquo07) Guadeloupe FranceMarch 2007
[15] W Cohen ldquoFast effective rule inductionrdquo in Proceedings of theInternational Conference onMachine Learning (ICML rsquo95) 1995
[16] S Sarafijanovic and J-Y le Boudec ldquoAn artificial immunesystem for misbehavior detection in mobile ad-hoc networkswith virtual thymus clustering danger signal and memorydetectorsrdquo in Proceedings of the 3rd International Conference onArtificial Immune Systems (ICARIS rsquo04) 2004
[17] S Sen and J Clark Intrusion Detection in Mobile Ad HocNetworks in Guide to Wireless Ad Hoc Networks SpringerLondon UK 2009
[18] D Subhadrabandhu S Sarkar and F Anjum ldquoA Framework formisuse detection in ad hoc networksmdashpart IIrdquo IEEE Journal onSelected Areas in Communications vol 24 no 2 pp 290ndash3032006
[19] L M Feeney and M Nilsson ldquoInvestigating the energyconsumption of a wireless network interface in an ad hocnetworking environmentrdquo in Proceedings of the 20th AnnualJoint Conference of the IEEE Computer and CommunicationsSocieties pp 1548ndash1557 April 2001
[20] A P Lauf R A Peters and W H Robinson ldquoA distributedintrusion detection system for resource-constrained devices inad-hoc networksrdquo Ad Hoc Networks vol 8 no 3 pp 253ndash2662010
[21] N A Alrajeh S Khan J Lloret and J Loo ldquoSecure routingprotocol using cross-layer design and energy harvesting inwireless sensor networksrdquo International Journal of DistributedSensor Networks vol 2013 Article ID 374796 11 pages 2013
[22] S Sen J Clark and J Tapiador Security Threats in MobileAd Hoc Networks I S of Self-Organizing Networks AuerbachPublications 2010
[23] P Ning and K Sun ldquoHow to misuse AODV a case study ofinsider attacks againstmobile ad-hoc routing protocolsrdquoAdHocNetworks vol 3 no 6 pp 795ndash819 2005
[24] T Clausen C Dearlove P Jacquet and U Herberg ldquoTheoptimized link state routing protocol version 2rdquo IETF ActiveInternet-Draft Draft-Ietf-Manet-Olsrv2-15 2012
[25] U Herberg and T Clausen ldquoSecurity issues in the optimizedlink state routing protocol version 2 (olsrv2)rdquo InternationalJournal of Network Security amp Its Applications vol 2 no 2 2010
[26] YOwada TMaenoH Imai andKMase ldquoOLSRv2 implemen-tation and performance evaluation with link layer feedbackrdquo inProceedings of the International Wireless Communications andMobile Computing Conference (IWCMC rsquo07) pp 67ndash72 Newyork NY USA August 2007
[27] F Hong L Hong and C Fu ldquoSecure OLSRrdquo in Proceedingsof the 19th International Conference on Advanced InformationNetworking and Applications (AINA rsquo05) pp 713ndash718 March2005
[28] LNAMHegland P Spilling andQKure ldquoHybrid protectionof olsrrdquo in Electronic Notes in Theoretical Computer Science2006
[29] P Kunwar S Sofat and D Bansal ldquoComparison of secure olsrrouting protocolrdquo International Journal of Engineering Sciencevol 3 no 6 p 5049 2011
[30] A Adnane C Bidan and R T de Sousa Junior ldquoTrust-basedcountermeasures for securing OLSR protocolrdquo in Proceedingsof the 7th IEEEIFIP International Conference on Embedded andUbiquitous Computing (EUC rsquo09) pp 745ndash752 August 2009
[31] B Wu J Chen J Chen J Wu and M Cardei ldquoA survey ofattacks and countermeasures in mobile ad hoc networksrdquo inWireless Network Security Springer New York NY USA 2007
[32] C Adjih D Raffo and P Muhlethaler ldquoAttacks against OLSRdistributed key management for securityrdquo in Proceedings of theOLSR Interop Workshop 2005
[33] G CerveraM Barbeau J Garcia-Alfaro and E Kranakis ldquoMit-igation of topology control traffic attacks in OLSR networksrdquoin Proceedings of the 5th International Conference on Risks andSecurity of Internet and Systems (CRiSIS rsquo10) October 2010
[34] P M Jawandhiya M M Ghonge M S Ali et al ldquoA surveyof mobile ad hoc network attacksrdquo International Journal ofEngineering Science and Technology vol 2 no 9 pp 4063ndash40712010
[35] L M Feeney ldquoAn energy consumption model for performanceanalysis of routing protocols for mobile ad hoc networksrdquoMobile Networks and Applications vol 6 no 3 pp 239ndash2492001
International Journal of Distributed Sensor Networks 19
[36] G Riley and T Henderson ldquoThe ns-3 network simulatorrdquo inModeling and Tools for Network Simulation Springer BerlinGermany 2010
[37] S Bhattiprolu E Biederman S Hallyn et al ldquoVirtual serversand checkpointrestart inmainstream linuxrdquo SIGOPSOperatingSystems Review vol 42 no 5 pp 104ndash113 2008
[38] J Zhang J Xing and Z Qin ldquoTaprouter an emulatingframework to run real applications on simulated mobile adhoc networkrdquo in Proceedings of the 44th Annual SimulationSymposium (ANSS rsquo11) pp 39ndash46 2011
[39] D Broyles A Jabbar and J P G Sterbenz ldquoDesign andanalysis of a 3-d gauss-markov mobility model for highly-dynamic airborne networksrdquo in Proceedings of the InternationalTelemetering Conference (ITC rsquo10) San Diego CA USA 2010
[40] J Haerri F Filali and C Bonnet ldquoPerformance comparisonof AODV and OLSR in vanets urban environments underrealistic mobility patternsrdquo in Proceedings of the IFIP Med-Hoc-Net Workshop 2006
[41] C H Tseng T Song P Balasubramanyam C Ko and K LevittldquoA specification-based intrusion detection model for OLSRrdquoRecent Advances in Intrusion Detection vol 3858 pp 330ndash3502006
[42] S Kurkowski T Camp and M Colagrosso ldquoManet simulationstudies the incrediblesrdquo SIGMOBILE Mobile Computing andCommunications Review vol 9 no 4 pp 50ndash561 2005
[43] A Abdalla I Saroit A Kotb et al ldquoMisbehavior nodesdetection and isolation for MANETs OLSR protocolrdquo ProcediaComputer Science vol 3 pp 115ndash121 2011
[44] R Puttini J Percher L Me et al ldquoA modular architecture fordistributed ids in manetrdquo in Proceedings of the InternationalConference on Computational Science and Its Applications III2003
[45] A Adnane R T de Sousa L Me and C Bidan ldquoAutonomictrust reasoning enables misbehavior detection in OLSRrdquo inProceedings of the 23rd Annual ACM Symposium on AppliedComputing (SAC rsquo08) pp 2006ndash2013 March 2008
[46] W Wang H Man and Y Liu ldquoA framework for intrusiondetection systems by social network analysis methods in ad hocnetworksrdquo Security and Communication Networks vol 2 no 6pp 669ndash685 2009
[47] H Deng R Xu J Li F Zhang R Levy and W Lee ldquoAgent-based cooperative anomaly detection for wireless ad hoc net-worksrdquo in Proceedings of the 12th International Conference onParallel and Distributed Systems (ICPADS rsquo06) pp 613ndash620 July2006
[48] S KurosawaHNakayamaN Kato et al ldquoDetecting blackholesattack on AODV-based mobile ad hoc networks by dynamiclearningmethodrdquo International Journal of Network Security vol5 no 3 pp 338ndash346 2007
[49] WWang HWang BWang et al ldquoEnergy-aware and selfadap-tive anomaly detection scheme based on network tomographyin mobile ad hoc networksrdquo Information Sciences vol 220 pp580ndash602 2013
[50] M-Y Su ldquoPrevention of selective black hole attacks on mobilead hoc networks through intrusion detection systemsrdquo Com-puter Communications vol 34 no 1 pp 107ndash117 2011
[51] N Marchang and R Datta ldquoCollaborative techniques for intru-sion detection in mobile ad-hoc networksrdquo Ad Hoc Networksvol 6 no 4 pp 508ndash523 2008
[52] B V R N Yadav B Satyanarayana and O B V RamanaiahldquoAn efficient intrusion detection system for mobile ad hoc net-worksrdquo in Emerging Trends in Computing Informatics Systems
Sciences and Engineering vol 151 Springer New York NYUSA 2013
[53] Y Huang and W Lee ldquoAttack analysis and detection for ad hocrouting protocolsrdquo in Recent Advances in Intrusion Detectionvol 3224 Springer Berlin Germany 2004
[54] G Vigna S Gwalani K Srinivasan E M Belding-Royer andR A Kemmerer ldquoAn intrusion detection tool for AODV-basedad hoc wireless networksrdquo in Proceedings of the 20th AnnualComputer SecurityApplications Conference (ACSAC rsquo04) pp 16ndash27 December 2004
[55] M Ayachi C Bidan and N Prigent ldquoA trust-based ids for theaodv protocolrdquo in Information and Communications Securityvol 6476 pp 430ndash444 2010
[56] S Sen and J A Clark ldquoA grammatical evolution approach tointrusion detection on mobile ad hoc networksrdquo in Proceedingsof the 2nd ACMConference onWireless Network Security (WiSecrsquo09) pp 95ndash102 March 2009
[57] S Marti T J Giuli K Lai and M Baker ldquoMitigating routingmisbehavior in mobile ad hoc networksrdquo in Proceedings of the6th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo00) pp 255ndash265 August 2000
[58] B Sun K Wu and U Pooch ldquoRouting anomaly detection inmobile ad hoc networksrdquo in Proceedings of The 12th Interna-tional Conference on Computer Communications and Networks(ICCCN rsquo03) 2003
[59] S Bose S Bharathimurugan and A Kannan ldquoMulti-layerintegrated anomaly intrusion detection system for mobileadhoc networksrdquo in Proceedings of the International Conferenceon Signal Processing Communications and Networking (ICSCNrsquo07) pp 360ndash365 February 2007
[60] P Yi Y Zhong and S Zhang ldquoA novel intrusion detectionmethod for mobile ad hoc networksrdquo in Advances in GridComputing vol 3470 pp 1183ndash1192 Springer Berlin Germany2005
[61] C Perkins E Belding-Royer and S Das ldquoAd hoc on-demanddistance vector (AODV) routingrdquo IETF Experimental RFC3561 2003
[62] D Johnson and D Maltz ldquoDynamic source routing in ad hocwireless networksrdquo in Mobile Computing pp 153ndash181 KluwerAcademic 1996
[63] C Perkins and P Bhagwat ldquoHighly dynamic destinationse-quenced distance-vector routing (dsdv) for mobile computersrdquoin Proceedings of the Conference on Communications Architec-tures Protocols and Applications (SIGCOMM rsquo94) vol 24 pp234ndash244 1994
[64] T JoachimsMaking Large-Scale Support VectorMachine Learn-ing Practical MIT Press Cambridge Mass USA 1999
[65] Y Yajima and T Kuo ldquoEfficient formulations for 1-svm and theirapplication to recommendation tasksrdquo Journal of Computersvol 1 no 3 pp 27ndash34 2006
[66] L Bononi and C Tacconi ldquoIntrusion detection for secureclustering and routing inMobileMulti-hopWirelessNetworksrdquoInternational Journal of Information Security vol 6 no 6 pp379ndash392 2007
[67] Y Huang W Fan W Lee et al ldquoCross-feature analysis fordetecting ad-hoc routing anomaliesrdquo in Proceedings of the 23rdInternational Conference on Distributed Computing Systems(ICDCS rsquo03) pp 478ndash487 May 2003
[68] J Quinlan C4 5 Programs for Machine Learning MorganKaufmann Boston Mass USA 1993
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
10 International Journal of Distributed Sensor Networks
(1) OldMprs = GetReplaced-Mpr()(2) SuspiciousMprs = GetReplacing-Mpr()(3) for (suspicious isin SuspiciousMprs) do(4) InterrogatedNodes = GetCommon2HopsNeighors
(suspicious OldMprs)(5) for (2HopsNeighbor isin InterrogatedNodes) do(6) if (LinkExistence (2HopsNeighbor suspicious) ==
false) then(7) Generate-Alarm (suspicious)(8) end if(9) end for(10) Cancel-Suspicious (suspicious)(11) end for
Algorithm 1 In-depth diagnostic
replaced by comparing the currentMPRs and the penultimateMPRs Then the MPRs sharing 1-hop neighbor(s) with areplaced MPR are identified (function GetReplacing-MPRline 2) Those identified MPRs are tagged as suspicious andare subject to further analysis (lines 3ndash11) the objective is toverify whether some spoofed links have been advertised soas to replace the MPR It follows that the 1-hop neighborsthat are common to a replaced MPR and a suspicious oneare determined (GetCommon2HopsNeighors function line 4)Note that these 1-hop neighbors also correspond to the 2-hops neighbors of the node launching the diagnostic Theyare interrogated (LinkExistence function) so as to verify theexistence of links The interrogation of a 2-hops neighbordenoted by 119860119894 consists in sending a request to 119860119894 asking ifthis latter considers the suspicious MPR as a 1-hop neighborat a specific time 119905 Whenever possible this request is sentwithout going through both the suspicious MPR 119868 or anycolluding intruder 1198681015840 This eluding is necessary in order toprevent 119868 and 1198681015840 from dropping the request andor forging adeceptive answerTherefore the 1-hop neighbor(s) (primarilythe MPR(s)) that covers the interrogated 2-hops neighbors isprovided with the request Note that the suspecting node 119878 isaware of is provided with the connectivity between the nodesthat form its two-hops neighbors Thus 119878may select the one(if existing) that covers 119860119894 If no answer is obtained (iethe related time-out elapses) then the request is sequentiallytransferred through the rest of the covering 1-hop neighbors(keeping in mind that as aforementioned MPRs are pri-marily selected) However when no neighbor is left then an(multihops) alternative path is researched in the routing tableto reach 119860119894 Note that the verification related to a suspiciousMPR is performed within an independent thread hencethe diagnostic of one node (and the result waiting) is not ablocking to others If 119860119894 denies being a 1-hop neighbor of thesuspicious MPR then a countermeasure is triggered Moreprecisely an alarm that establishes the detected attacker(s)is broadcasted (Generate-Alarm function line 7) Otherwiseif no deny takes place the suspicious MPR is no longersuspected (Cancel-Suspicious function line 10) In both casesthe diagnostic terminates Note that if no answer is provided(the inconsistent answers lead also to a claim in the degree
of suspicion However this case is not included in this paperbut it is handled in our other works) then the suspiciousMPR is tagged as not verified and the degree of suspicionin this latter goes up It is worth mentioning that the currentimplementation of IDAR considers the link spoofing attackHowever considering other attacks is not complicated andrequires only specifying the evidences to be searched in thelogs and the information to be exchanged between the nodesduring the in-depth diagnostic
4 Architecture and Performance Evaluation
In this section we introduce the key architectural compo-nents of IDAR (Section 41) Then we present the evaluationof IDAR performance (Section 42) and further discuss theobtained result (Section 43)
41 IDAR Architecture In order to cope with the dynamicnature ofMANET IDAR is both distributed and cooperativeThe proposed architecture (Figure 2) requires that everydevice participates in the detection (The delegation of somedetection operations (eg logs analyzing) may be sharedamong devices But it will not be necessarily less expensive interms of resources consumption)More precisely each devicecontains an instance of IDAR which independently detectsthe signs of suspicion and cooperates with other instancesso as to conduct the diagnostic in a broader range IDAR isimplemented in Perl (httpwwwperlorg) and conceptuallystructured into 4 components
(i) Coordinator that orchestrates all the components Assuch it constitutes the hearth of IDAR In prac-tice it parses dynamically the OLSR logs so as toextract signs of suspicion and match these latteragainst predefined intrusion signaturesThe intrusionsignatures are represented as conditional rules (ifcondition then state) Furthermore it triggers thecommunication and the alarm notification in orderto launch advanced diagnostic
(ii) Communication manager that gathers informationabout for example the adjacent links as requiredby the diagnostic manager Meanwhile it answersthe diagnostic requests This component runs into aseparated thread so that other IDAR operations arenot blocked
(iii) Knowledge database includes the information thatis extirpated from the logs and is provided by thecommunication manager This database is realized inMysql (httpwwwmysqlcom) Stored informationencompasses for example the 1-hop and 2-hopsneighbors and the MPRs
(iv) Alarm notifier is responsible for alarming the networkwhen an intrusion is detected Note that we areplanning to include more countermeasures in thefuture for example eliminating the routes containingan intruder
International Journal of Distributed Sensor Networks 11
SignatureKnowledge
database
Coordinator
Communicationmanager Alarm notifier
Update
Feedback
Diagnostic requestDiagnostic answer
IDAR instance
Routing log
IDAR instanceDiagnostic requestanswer
Routing log
Feed back
Figure 2 IDAR architecture
All the above components have been developed so as tosupport intrusion detection offering a high rate of detectionalong with conserving the resources
42 Performance Evaluation In order to evaluate the perfor-mance of IDAR a mobile ad hoc network has been simulatedusing the network simulator NS3 (httpwwwnsnamorg)[36] Each node in the simulated network is furthercoupled with a Linux Container (LXC) virtual machine(httplxcsourceforgenet) [37] The reason that motivatesthis coupling is twofold First NS3 offers the possibilityto simulate a large-scale mobile ad hoc network SecondLXC an operating-system-level virtualization tool permitsto run multiple isolated machines (also called containers)on a single modified hosting kernel (up to 1024 contain-ers over a single hosting kernel) Each container owns itsproper resources (eg process tree network interface andIP address) Thus the resource consumption (eg memoryusage) can be isolated and measured In practice an instanceof IDAR is installed on each container that appears asa standaloneseparated machine Figure 3 exemplifies thecoupling between nodes in NS3 and LXC containers Fromthe IDAR perspective (as well as from any applicationinstalled on the container) the emission and reception ofpackets is done through the network interface (eth0) Whilethe container contains a simulated ethernet card (V119890119905ℎ)which is connected through an ethernet bridge towards akernel tap device (tap) Note that for each container-nodecoupling new tap and ethernet bridge should be definedin the hosting kernel The ethernet bridge implements theforwarding of link-level framesThe interface 119905119886119901119877119900119906119905119890119903 [38]is implemented in NS3 and is used to exchange packetsbetween the 119905119886119901 device and the WiFi device which enablesNS3 nodes to communicate over a IEEE 80211- and OLSR-enabled MANET Overall the outgoing packets from eth0in the container are delivered to the WiFi device at thecorresponding node in the simulated network and vice versaSimulation is carried using the aforementioned platform
wherein the hosting device is equipped with 32GB of mem-ory and 2 Intel(R) Xeon(R) (6) Core 240GHz CPUsContainers hold a Fedora 12 operating system We considera MANET (Table 3) constituted of 119873 = 30 nodes split into25 well-behaving nodes and 5 intruders While most of otherIDSs are evaluated against one intruder we show that IDARcan handle several intruders in the same time Intruderslaunch repeatedly the implemented link spoofing attack (asdescribed in Expression 12) In our experiments the numberof successful intrusions varies between 15 and 33 accordingto the parameters of simulation scenario (as described inExpression 12) Nodes communicate via IEEE 80211a andare characterized by a transmission range 119879
119909of 90m They
randomly move following the so-called RandomWalk2d [39]mobility pattern provided by NS3 each node moves accord-ing to a randomly chosen direction at a given speed that isthe same for all the nodes When a node hits the networkboundaries (unless specified the network area is defined bya squared area of 119878 = 310 times 310m2) it rebounds followinga reflexive angle Data traffic is further modeled using theV4PingHelper application in NS3 each node exchanges 56-byte ICMP (httpwwwietforgrfcrfc792txt) echo requeststo one another and waits for 1 s before sending it again Weuse OLSR as the underlying routing protocol preserving theconfiguration parameters promoted in the RFC 3626 (eghello message interval is 2 s)
For each experimental scenario the simulation islaunched 5 times each one lasts for 140 s We compare thelaunched attacks with the detected ones and present theaverage of results We aim at evaluating the performance ofIDAR in terms of
(i) intrusion detection rate that reflects the capacity ofdetecting successful intrusions (a successful intrusioncauses the replacement of a legitimate MPR of thevictim by an intruder)
(ii) false positive rate that measures how many times alegitimate node is wrongly designated as an intruder
12 International Journal of Distributed Sensor Networks
Table 3 Simulation parameters
Simulation platformSimulator NS3 + LXC virtual machinesContainer operating system Fedora 12Hosting device memory 32GBHosting device CPU 2 Intel(R) Xeon(R) (6) Core 240GHz
Simulated MANETNumber of mobile nodes 30Number of intruders 5Topology 310 times 310m2
Transmission range 90mMaximum bandwidth 1MbpsTraffic V4PingHelper 56 bytes Icmp packetsMobility model RandomWalk2dMaximum speed 8ms (or 288 kmh)Simulation time 140 s
tapRouterWiFi devicewith OLSR
LXC
cont
aine
r
Ethernet bridge
Tap
LXC
cont
aine
r
veth
Ethernet bridge
Tap
tapRouterWiFi devicewith OLSR
veth
Nod
e 1
Nod
e 119899
NS3
IDAR1 IDAR119899
eth0 eth0
Figure 3 Experiment platform
(iii) detection overhead which represents the additionalnetwork traffic that is generated because of IDARNote that further benchmarks are also provided interms of memory usage
Based on those performance indicators IDAR is furtherevaluated with regard to the network density (Section 421)and node mobility (Section 422)
421 Network Density In order to evaluate the scalingproperties of IDAR we vary the density of the networkThe density of the network corresponds to the averagenumber of neighbors which is defined as in [40] by (119873 times
120587 times 1198792
119909)119878 We selected an interval of density that ranges
from 6 up to 16 neighbors which includes the intruderthe victim and the remaining neighbors Figure 4(a) showsthat the detection rate keeps higher than 80 regardless ofthe network density This demonstrates the relatively limitedimpact of the network density on IDAR performance More
precisely the intrusion detection rate slightly rises from935up to itsmaximum 963when the density varies from6 up to 8 neighbors the greater is the number of neighborsthe higher is the visibility of the attackThen a slow diminishis observed dense networks (with a density exceeding 8) arecharacterised by a high collision rate that causes a declinein the detection rate Similarly Figure 4(b) highlights thatthe average percentage of false positives is neglectful (under59) The analysis of several cases of false positive leads usto find that a false positive occurs when two nodes own adifferent live-times for the bidirectional link that connectsthese later consequently one of the two nodes still confirmsthe existence of this link while the other one denies it Tooverride this problem the period during which those linksare considered valid should be amplified as in [41] Figure 4(c)presents the average memory usage caused by IDAR Thisusage gently fluctuates between 176MB and 222MB It is alsoworthy of mention that contrary to OLSR our system doesnot assign additional functionality toMPR (detectionmay belaunched by one another) IDAR provides an homogeneousload balancing among the nodes As illustrated in Figure 4(d)the traffic caused by IDAR is very low (under 05 for anetwork density inferior to 8) It then slowly rises to reach13 when the network density is 16 In order to understandthe slight fall when the density reaches 14 we compare theaverage number of suspicious cases with regard to a varyingdensityThis average was 708 (resp 658) with density equalsto 12 (resp 14) Consequently the number of diagnostic-related packets is smaller at a density of 14 than at a densityof 12
422 Mobility In order to isolate the influence of themobility the network density is set to 8 The detection ratefalls when the speed increases (Figure 5(a))This results fromthe ever changing topology that results in increasing thenumber of broken links and the related drops of diagnostic-related packetsHowever IDAR still provides a high detectionrate for example the average of detection rate is 707
International Journal of Distributed Sensor Networks 13
0
20
40
60
80
100
6 8 10 12 14 16
Det
ecte
d in
trus
ions
()
Density
Average detection
(a)
0
10
20
30
40
50
6 8 10 12 14 16
False
pos
itive
()
Density
Average of false positives
(b)
0
10
20
30
40
50
6 8 10 12 14 16
Mem
ory
usag
e (M
B)
Density
(c)
025 05
1
5
20
50 100
6 8 10 12 14 16Density
IDA
R ve
rsus
OLS
R tr
affic (
)
(d)
Figure 4 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network density
with a moving speed equals to 8ms (ie around 287
kilometershour equivalent to 1789mileshour) Figure 5(b)shows that the higher is the moving speed the greater it getsfalse positives mainly because of out of date feedback Infact when a node moves away some of its 1-hop neighborsare no longer neighbors but are still announced as suchand are considered as potential attackers A higher increaseof the false positive rate is observed when the node speedranges from 4ms up to 6ms because the instable nodecovering is given its transmission range which leads to anincreased update of its 1-hop neighbors The memory usage(Figure 5(c)) rises staidly from 176MB to 265MB whichis reasonable even for resource-limited devices The impactof the mobility on the bandwidth is shown in Figure 5(d)The IDAR traffic comparing to the OLSR traffic significantlygrows from 036 up to 31 for a speed ranging from 0msup to 2ms Then the bandwidth usage gradually growsand reaches almost 6 when the moving speed is equalto 8ms This is motivated by the fact that increasing thenumber of verified links leads to exchange more diagnostic-related messages in the network In order to understandthe reason behind such variable growth of IDAR trafficwe counted the number of the verified suspicious neighbor
links We found that the average number of the verified linkssignificantly grows from 452 to 2014 when the velocity risesfrom 0ms to 2ms This average then gradually grows andtakes the values 2408 3314 and 406 when the velocityequals to 4ms 6ms and 8ms respectively The limitednumber of the suspicious neighbor links when the nodesare static is justified by the fact that the attacker has alimited choice to falsify its neighbors links Instead when thevelocity is greater than 2ms there is a continuous changein the neighborhood and the attackers can attack more(diversified) targets Meanwhile the continuously changingtopology implies an increased number of investigations
43 Performance Discussion It is clear that the density of thenetwork holds less influence than the mobility on our IDSMore mobility in MANET causes more dropped diagnosticpackets and hence less diagnostic is concluded with a finalresult that is confirming or refuting the suspiciousnessHowever comparing the launched attacks to the discov-ered suspicious events shows that the majority of attacksare tagged as suspicious events and considered for furtherdiagnostic Note that the mobility has a negative influence
14 International Journal of Distributed Sensor Networks
0
20
40
60
80
100
0 2 4 6 8
Det
ecte
d in
trus
ions
()
Velocity (ms)
Average detection
(a)
0
10
20
30
40
50
0 2 4 6 8
False
pos
itive
()
Velocity (ms)
Average of false positives
(b)
0
10
20
30
40
50
0 2 4 6 8
Mem
ory
usag
e (M
B)
Velocity (ms)
(c)
025 05
1
5
20
50 100
0 2 4 6 8
IDA
R ve
rsus
OLS
R tr
affic (
)
Velocity (ms)
(d)
Figure 5 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network mobility
on all the IDSs especially the cooperative ones where thereis an exchange of evidencesalerts Table 4 provides a shortperformance comparing between IDAR and other knownIDSs that are dedicated to ad hoc routing protocol Likethe majority of these IDSs the performance of our systemis challenged against a specific attack link spoofing attackin a simulated MANET (According to [42] around 75of mobile ad hoc published papers use simulation for testissues) Two evaluation factors are common to almost all thelisted IDSs the detection ratecapacity and the positive falserate Even though it was challenged in a MANET whereinthe intruders constitute 166 (Note that this percent is the3rd highest registered percent) of the nodes IDAR providesone of the highest detection rate Regarding the positivefalse rate we can notice that several IDSs especially thosethat are dedicated to DSR protocol show better results thanour system However this latter still generates a limitednumber of false positives It is also possible to reduce thefalse positives rate by amplifying the TTL (Time To Live)parameter of a bidirectional link so as to reduce the impactof obsolete neighborhood-related information during thedetection Recall that most of the generated false positives inIDAR are generated because of the difference in the time-live
of a bidirectional link between the two ends of this link Insuch case this link will be expired in one end while the otherend will keep confirming its existence It is worthmentioningthat except our system the listed IDSs that aim to detect theattacks targeting OLSR protocol do not present neither thedetection rate nor the false positives rate But they merelyprove the capacity of detecting the addressed attack(s) Inaddition IDAR is one of the rare IDSs that are evaluated interms of resources consumption Indeed we measure boththe increment inmemory usage and traffic overhead resultingfrom detection operations IDAR triggers a small incrementin the devicesrsquomemory usage (between 176MBand 265MB)Therefore it can be tolerated by the resource-limited devicesIt further triggers the lowest traffic overhead compared to thelisted IDSs IDAR presents a good scalability and offers a highdetection rate even in the high density networks where a largeamount of routing traffic should be monitored (Figure 4(a))This scalability is reinforced by (i) the limited traffic overhead(ii) the use of routing logs so as to extract the evidencesinstead of sniffing the traffic (iii) the distributed nature ofdetection such that each node is responsible for detecting theattacks targeting it and (iv) the unnecessity of modifying theused routing protocol
International Journal of Distributed Sensor Networks 15
5 Related Work
Systems that detect intrusion targeting ad hoc routing proto-col are extremely diverse in the way they analyze intrusionThey fall into the three key categories
(i) Anomaly detection system defines the correct behav-ior of the nodenetwork so as to detect deviations tothis behavior This correct behavior is automaticallybuilt during an attackless training phase The detec-tion accuracy depends on the ability to (i) describethe correct behavior and (ii) distinguish betweenanomalous and unexpected behaviors
(ii) Specification-based detection system hand-codes thelegitimate functionoperation and then searches for aviolation to this operation
(iii) Signature-based detection system first describes theway an intruder penetrates the system by defining anintrusion signature Then any behavior that is closeto this predefined signature is flagged as intrusion
Hereafter we detail examples of each of these categoriesAnomaly-based detection constitutes the main approachused to detect attacks The IDS proposed by Zhang et al[7] constitutes a de facto standard in MANET It aims atdetecting the attempts to falsify the routes provided by theAODV [61] DSR [62] and DSDV [63] routing protocolsDuring the training phase the impact of movement on thepercentage of changes in the routing table is analyzed Notethat this movement (ie velocity direction and position)is provided by a Global Positioning System (GPS) Thenduring the operation phase an actual percentage of changesdiffering from the predicted one is defined as anomaly Inpractice the distinguishing between anomalous and normalbehaviors is provided by the Support Vector Machine (SVM)Light [64] classifier or by RIPPER [15] a rule-based engineThe hierarchical IDS proposed in [47] detects blackhole androuting request flooding attacks targeting AODV protocolHere MANET is arranged into clusters whereas the nodewith the highest residual energy and number of connectionsis elected as a cluster-head Each cluster-head monitors thetraffic inside its cluster so as to identify the abnormal valuesof (i) the percentage of changes in the routing table and (ii)the propagation of routingdata packets Such abnormalitiesare identified thanks to (1-SVM) classifier [65] a deviationof SVM that needs to be trained with either normal orabnormal scenario but not both of them In [48] (resp [66])a blackhole (and resp dropping) attack targeting AODVprotocol (resp a secured version of AODV protocol includ-ing authentication and reputation estimation) are detectedby investigating features for example the number of routerequests and route replies as well as the average difference ofsequence numbers (Largely increased sequence numbers areknown as a sign of blackhole attack) Then simple anomalydetection is applied if the distance between the actuallyobserved features and the average ones that are recorded dur-ing the training exceeds a given threshold then an intrusionis detected More sophisticated cross-features analysis (CFA)[67] is applied to detect both blackhole and packet drop-ping on AODV and DSR protocols Features including for
example the reachability between 2 nodes and the numberof delivered packets are analyzed within time windows Thisanalysis attempts to quantify the relation existing betweenone feature 119891
119894and the others 119891
1 119891
119894minus1 119891119894+1 119891
119896(with
119896 + 1 defining the number of features analyzed) During theoperation phase the probability of matching between theobserved feature 1198911015840
119894and the predicted feature 119891
119894 which is
established based on 11989110158401 119891
1015840
119894minus1 1198911015840
119894+1 119891
1015840
119896 is calculated by
a decision tree classifier named C45 [68] An anomaly refersto an average of matching probability fewer than a giventhreshold CFA and C45 are also used in [69] with traffic-related features (eg number of receivedtransferred packets)and OLSR- or AODV-related features (eg MPR updates forthe former and route discovery for the latter) A modifiedMarkov chain-based IDS is proposed in [58] so as to detectroute disruption attack targeting DSR protocol Here thedetection depends on identifying unpredicted value of twofeatures the percentage of changes in the number of routesand the percentage of changes in the number of hops Inpractice a Markov chain is based on the immediate previous119899 consecutive values of a feature as to predict the (119899 + 1)thvalue If the difference between a predicted and an observedvalue exceeds a given threshold an intrusion is concluded
Rather than establishing automatically a correct behaviorspecification-based detection system hand-codes the correctbehavior of the routing protocols based on the protocol spec-ification (IETF draft or RFC) Then the system attempts todetect a violation of constraints circumventing this behaviorFour key constraints define the correct behavior of OLSR([14 70])
(1) Neighbor relationmust be reciprocal (ie 2 neighborsmust hear the hello message sent by each other)
(2) TheMPRs and the nodes that select theMPR (ie theMPR selectors) must be adjacent
(3) A node that finds itself advertised as a MPR selectorin a TCmessage must be adjacent to the originator ofthis message
(4) Nodes receive TC messages without modificationsfromMPR(s)
Each node sniffs the traffic in its radio range so as todiscover the violations of any of the above constraints Theseconstraints are modeled by semantic properties in [70] (resprules in [14]) so as to detect link spoofing attack on TC(and resp hello messages) both experiment an ability todetect a link spoofing by observing a violation of the thirdcondition over a simulated network composed of 11 nodesFinite-state machines are used to describe similar constraintson OLSR [41] and the behavior of AODV protocol [52 71]In [41] a centralized detection of link spoofing man-in-the-middle and deny of service attack is performed While in[52 71] incorrect hop countssequence numbers are analyzedby distributed sensors which sniff and group the packets perrequest-reply flow so as to estimate the forwarding path perflow If a route requestreply is illegallymodified or forwardedvia a nonexpected path then an alarm is triggered In [60]similar FSMs are used to define constraints on both the routediscovery in AODV and the packet forwarding operations
16 International Journal of Distributed Sensor Networks
Table4Com
parin
gID
ARperfo
rmance
with
otherIDSs
IDS
Routing
protocol
Num
bero
fno
des
Intrud
ers
()
Moving
speed
Detectio
nrate
False
positives
rate
Increm
entinmem
ory
usage
Increm
entintraffi
coverhead
IDAR
OlSR
30166
0ndash8m
s707ndash963
0ndash132
176ndash
265MB
478ndash6215KB
(036
ndash597
ofOlSRtraffi
c)
[43]
OlSR
303366
10
mdashmdash
mdashmdash
6ndash12
ofOlSR
traffi
c[41]
OlSR
1010
0ms
Detectio
nispo
ssible
mdashmdash
mdash[44]
OlSR
7143
0ms
Detectio
nispo
ssible
mdashmdash
mdash[45]
OlSR
520
0ms
Detectio
nispo
ssible
mdashmdash
mdash[14
]OlSR
119
0ms
Detectio
nispo
ssible
mdashmdash
mdash[46]
AODV
3033
0ndash5m
s3067ndash90
0ndash20
mdashmdash
[47]
AODV
502
0ndash20
ms
90
5
mdashmdash
[48]
AODV
3033
1ndash20
ms
70ndash82
12ndash18
mdashmdash
[49]
AODV
2050
10
1ndash10ms
964ndash9
87
079ndash093
mdash900k
B
[50]
AODV
5238
0ndash20
ms
(Fixed
IDSs)
100
0ndash0
6
mdashmdash
[51]
AODV
521
20238
0ndash10ms
50ndash100
0ndash30
mdashmdash
[52]
AODV
30mdash
0ndash20
ms
70ndash100
05
ndash15
mdashmdash
[53]
AODV
50Ra
ndom
0ndash20
ms
79plusmn10ndash92plusmn3
5plusmn1ndash32plusmn8
mdashmdash
[54]
AODV
102050
mdash0ndash
10ms
0ndash100
0ndash≫100
02ndash06
mdash[55]
AODV
20ndash200
mdash0ndash
20ms
30ndash9
50ndash16
mdashmdash
[56]
AODV
50mdash
1ndash20
ms
998ndash100
083ndash846
mdashmdash
[7]
AODV
mdashmdash
mdash8848plusmn414ndash971plusmn032
145plusmn072ndash202plusmn627
mdashmdash
DSD
Vmdash
mdashmdash
8523plusmn328ndash9061plusmn299
537plusmn310ndash263plusmn549
mdashmdash
DSR
mdashmdash
mdash852plusmn238ndash991plusmn037
003plusmn004ndash153plusmn408
mdashmdash
[57]
DSR
5040
0ndash20
ms
mdashmdash
mdash11ndash313
of
data
traffi
c[58]
DSR
3033
3ndash5m
s60ndash100
25
ndash50
mdashmdash
[59]
DSR
30mdash
mdash75
12
mdashmdash
[60]
DSR
502
0ndash20
ms
837ndash9
74
13ndash72
mdashmdash
International Journal of Distributed Sensor Networks 17
A signature-based system distinguishes itself by model-ing the misbehavior (rather than the correct behavior) soas to identify if a sequence of observed events matchingan intrusion signature AODVSTAT [54] uses state-basedsignatures in order to detect dropping and spoofing attacksalong with network flooding Few sensors sniff the traffic andmatch it against predefined signatures They also exchangeperiodically MAC and IP addresses so as to detect an identityspoofing which is characterized by a node emitting a packetidentified by MAC and IP addresses differing from thoseregistered for this node A dropping attack refers to a nodethat fails to replay route requestreply Finally a node sendinga number of packets exceeding a given threshold is identifiedas willing to exhaust resources In [45] intrusion signaturesare specified in opposition to the legitimate behavior of OLSRdepicted in conjunction with specification rules similar tothose defined in [70] In particular a node 119873 mistrusts twoneighbors 119871 and 119872 that conform to the following rules119872 advertises 119871 as a neighbor while 119871 does not advertise119872 as a neighbor (or reciprocally) both 119871 and 119872 send TCmessages while 119871rsquos neighbors are a subset of 119872rsquos neighbors(or reciprocally) In addition 119873 mistrusts 119872 if 119873 which isnot a neighbor of 119872 finds itself as a MPR selector in a TCof 119873 (constraint 3) In [44] a FSM is employed to modelthe signature of hello message fabrication in OLSR protocolin an agent-based IDS In practice each node uses a SimpleNetworkManagement Protocol (SNMP) agent so as to collectaudit data from the Management Information Base (MIB)After that events are extracted from the collected audit dataand are matched to the attack signatureThe addressed attackaims at breaking the link between a victim node and itsneighbors and thus a DoS takes place To that end theattacker impersonates the identity of the victim and sends afake hello message advertising one of the victim symmetricneighbors with lost link status Upon receiving the fabricatedmessage the neighbor changes the status of its link withthe victim to ldquoheardrdquo and stops routing packets through thevictim
51 Synthesis and Discussion A great majority of the litera-ture is focused on anomaly detectionwhile scarce effort inves-tigates specification- and signature-based intrusion Thisnaturally calls for consolidating the effort on specification-and signature-based detection while following the habitus ofwired network which consists in coupling these detectionsystems with one another for example in [72] wherein acombination of anomaly- and signature-based detection isrealized so as to increase the detection rate Almost all ofthe IDS focuses only on the detection accuracy that isproviding a high detection rate along with limited falsealarms However they do not consider the criticality ofmaintaining the resources and henceforth extending thelifetime of the nodenetwork Our IDS takes into account thenecessity of reducing to minimum both the communicationand computation overload related to intrusion identificationThe absolute majority of the IDSs is simulated (including thesystem we are proposing) rather than being either developedor experimented on testbeds or relying on empirical data
The reason that explains this situation is twofold Firstthe deployment of critical MANET is limitednot adver-tised Second to the best of our knowledge experiences ofintrusion in MANETs are not reported intrusions are infact developedsimulated as proofs of concept Neverthelessnot only routing protocols but also the characterization ofthe intrusion together leverage on the experience gained indesigning routing protocols for wired networks and deal-ing with related misbehaviors In particular the similarityexisting between the OSPF and OLSR protocols implies thatmany threats (eg sequence numbers identity spoofing) areshared In other words intrusion may be inspired from theone targeting wired networks Meanwhile the developmentof intrusion detection and the envisioning of attacks areaccelerated
6 Conclusion
We survey and classify the attacks that target ad hoc routingprotocols focusing on theOLSRprotocol In order to facilitatethe definition of intrusion signatures we extend a descriptionmodelmdashan attack is expressed as the preconditions andthe resulting consequencesmdashand enrich it with temporalannotations Once hand-coded these signatures are utilizedby IDAR a log-based distributed intrusion detection systemdedicated to operate in mobile ad hoc networks IDARdistinguishes itself by analyzing the logs generated by arouting protocol and extracts intrusion evidences so as tocompare these latter against predefined intrusion signaturesFor this purpose evidences are categorized into four groupsaccording to their degree of suspiciongravity and hence totheir ability to activatedeactivate the diagnostic We furtherdevelop a link spoofing attack on the OLSR protocol buildthe related detection rules and evaluate the performancesof IDAR relying on the NS3 simulator coupled with LXCvirtual machines Overall the experiments figure out ahigh rate of intrusion detection and low false positivesrate even under increased mobility and density Meanwhileresource consumption and network overhead result from thediagnostic are low and adapted to the resource-constraineddevices Note that ongoing effort is provided as to evaluateIDAR in a real MANET consisting of resource-constraineddevices Still detecting intrusion is not a trivial task due tothe large number of evidences to tackle and the resource-consuming diagnostic A compromise between detectionaccuracy and resource consumption could be found For thispurpose we are working on a new statistical mechanism forgathering the evidences This mechanism aims at enhancingthe scalability of our system by restricting the interrogationto a limited subset of nodes during the diagnostic Moreoveruntil now we assume that honest parties are passive theyalarm others but do not react We are considering thecoupling with countermeasures (eg blacklisting) and theexploring of lightweight binary consensus and trust estab-lishment among the nodes that participate in the intrusiondetection
18 International Journal of Distributed Sensor Networks
References
[1] Z Zhao H Hu G Ahn and R Wu ldquoRisk-aware mitigation formanet routing attacksrdquo IEEE Transactions on Dependable andSecure Computing vol 9 no 2 pp 250ndash260 2012
[2] B Sun L Osborne Y Xiao and S Guizani ldquoIntrusion detectiontechniques in mobile ad hoc and wireless sensor networksrdquoIEEE Wireless Communications vol 14 no 5 pp 56ndash63 2007
[3] S Sesay Z Yang and J He ldquoA survey onmobile ad hoc wirelessnetworkrdquo Information Technology Journal vol 3 no 2 pp 168ndash175 2004
[4] P Brutch and C Ko ldquoChallenges in intrusion detection forwireless ad-hoc networksrdquo in Proceedings of the Symposium onApplications and the Internet Workshops (SAINT rsquo03) pp 368ndash373 2003
[5] S Khan N Alrajeh and K Loo ldquoSecure route selection inwireless mesh networksrdquo Computer Networks vol 56 no 2 pp491ndash503 2012
[6] S Corson and J Macker ldquoMobile ad hoc networking (manet)routing protocol performance issues and evaluation considera-tionsrdquo IETF RFC2501 1999
[7] Y Zhang W Lee and Y Huang ldquoIntrusion detection tech-niques for mobile wireless networksrdquoWireless Networks vol 9no 5 pp 545ndash556 2003
[8] B C Cheng and R Y Tseng ldquoA context adaptive intrusiondetection system for MANETrdquo Computer Communications vol34 no 3 pp 310ndash318 2011
[9] T Eissa S A Razak and M D A Ngadi ldquoTowards providinga new lightweight authentication and encryption scheme forMANETrdquoWireless Networks vol 17 no 4 pp 833ndash842 2011
[10] A Irshad W Noshairwan M Shafiq S Khurram E Irshadand M Usman ldquoSecurity enhancement for authentication ofnodes in MANET by checking the CRL status of serversrdquoCommunications in Computer and Information Science vol 78pp 86ndash95 2010
[11] D E Denning ldquoAn intrusion-detection modelrdquo IEEE Transac-tions on Software Engineering vol 13 no 2 pp 222ndash232 1987
[12] T Clausen and P Jacquet ldquoOptimized link state routing proto-col (OLSR)rdquo IETF Experimental RFC 3626 2003
[13] P Albers O Camp J Percher et al ldquoSecurity in ad hoc networksa general intrusion detection architecture enhancing trust basedapproachesrdquo 2002
[14] F Cuppens N Cuppens-Boulahia S Nuon and T RamardldquoProperty based intrusion detection to secure OLSRrdquo in Pro-ceedings of the 3rd International Conference on Wireless andMobile Communications (ICWMC rsquo07) Guadeloupe FranceMarch 2007
[15] W Cohen ldquoFast effective rule inductionrdquo in Proceedings of theInternational Conference onMachine Learning (ICML rsquo95) 1995
[16] S Sarafijanovic and J-Y le Boudec ldquoAn artificial immunesystem for misbehavior detection in mobile ad-hoc networkswith virtual thymus clustering danger signal and memorydetectorsrdquo in Proceedings of the 3rd International Conference onArtificial Immune Systems (ICARIS rsquo04) 2004
[17] S Sen and J Clark Intrusion Detection in Mobile Ad HocNetworks in Guide to Wireless Ad Hoc Networks SpringerLondon UK 2009
[18] D Subhadrabandhu S Sarkar and F Anjum ldquoA Framework formisuse detection in ad hoc networksmdashpart IIrdquo IEEE Journal onSelected Areas in Communications vol 24 no 2 pp 290ndash3032006
[19] L M Feeney and M Nilsson ldquoInvestigating the energyconsumption of a wireless network interface in an ad hocnetworking environmentrdquo in Proceedings of the 20th AnnualJoint Conference of the IEEE Computer and CommunicationsSocieties pp 1548ndash1557 April 2001
[20] A P Lauf R A Peters and W H Robinson ldquoA distributedintrusion detection system for resource-constrained devices inad-hoc networksrdquo Ad Hoc Networks vol 8 no 3 pp 253ndash2662010
[21] N A Alrajeh S Khan J Lloret and J Loo ldquoSecure routingprotocol using cross-layer design and energy harvesting inwireless sensor networksrdquo International Journal of DistributedSensor Networks vol 2013 Article ID 374796 11 pages 2013
[22] S Sen J Clark and J Tapiador Security Threats in MobileAd Hoc Networks I S of Self-Organizing Networks AuerbachPublications 2010
[23] P Ning and K Sun ldquoHow to misuse AODV a case study ofinsider attacks againstmobile ad-hoc routing protocolsrdquoAdHocNetworks vol 3 no 6 pp 795ndash819 2005
[24] T Clausen C Dearlove P Jacquet and U Herberg ldquoTheoptimized link state routing protocol version 2rdquo IETF ActiveInternet-Draft Draft-Ietf-Manet-Olsrv2-15 2012
[25] U Herberg and T Clausen ldquoSecurity issues in the optimizedlink state routing protocol version 2 (olsrv2)rdquo InternationalJournal of Network Security amp Its Applications vol 2 no 2 2010
[26] YOwada TMaenoH Imai andKMase ldquoOLSRv2 implemen-tation and performance evaluation with link layer feedbackrdquo inProceedings of the International Wireless Communications andMobile Computing Conference (IWCMC rsquo07) pp 67ndash72 Newyork NY USA August 2007
[27] F Hong L Hong and C Fu ldquoSecure OLSRrdquo in Proceedingsof the 19th International Conference on Advanced InformationNetworking and Applications (AINA rsquo05) pp 713ndash718 March2005
[28] LNAMHegland P Spilling andQKure ldquoHybrid protectionof olsrrdquo in Electronic Notes in Theoretical Computer Science2006
[29] P Kunwar S Sofat and D Bansal ldquoComparison of secure olsrrouting protocolrdquo International Journal of Engineering Sciencevol 3 no 6 p 5049 2011
[30] A Adnane C Bidan and R T de Sousa Junior ldquoTrust-basedcountermeasures for securing OLSR protocolrdquo in Proceedingsof the 7th IEEEIFIP International Conference on Embedded andUbiquitous Computing (EUC rsquo09) pp 745ndash752 August 2009
[31] B Wu J Chen J Chen J Wu and M Cardei ldquoA survey ofattacks and countermeasures in mobile ad hoc networksrdquo inWireless Network Security Springer New York NY USA 2007
[32] C Adjih D Raffo and P Muhlethaler ldquoAttacks against OLSRdistributed key management for securityrdquo in Proceedings of theOLSR Interop Workshop 2005
[33] G CerveraM Barbeau J Garcia-Alfaro and E Kranakis ldquoMit-igation of topology control traffic attacks in OLSR networksrdquoin Proceedings of the 5th International Conference on Risks andSecurity of Internet and Systems (CRiSIS rsquo10) October 2010
[34] P M Jawandhiya M M Ghonge M S Ali et al ldquoA surveyof mobile ad hoc network attacksrdquo International Journal ofEngineering Science and Technology vol 2 no 9 pp 4063ndash40712010
[35] L M Feeney ldquoAn energy consumption model for performanceanalysis of routing protocols for mobile ad hoc networksrdquoMobile Networks and Applications vol 6 no 3 pp 239ndash2492001
International Journal of Distributed Sensor Networks 19
[36] G Riley and T Henderson ldquoThe ns-3 network simulatorrdquo inModeling and Tools for Network Simulation Springer BerlinGermany 2010
[37] S Bhattiprolu E Biederman S Hallyn et al ldquoVirtual serversand checkpointrestart inmainstream linuxrdquo SIGOPSOperatingSystems Review vol 42 no 5 pp 104ndash113 2008
[38] J Zhang J Xing and Z Qin ldquoTaprouter an emulatingframework to run real applications on simulated mobile adhoc networkrdquo in Proceedings of the 44th Annual SimulationSymposium (ANSS rsquo11) pp 39ndash46 2011
[39] D Broyles A Jabbar and J P G Sterbenz ldquoDesign andanalysis of a 3-d gauss-markov mobility model for highly-dynamic airborne networksrdquo in Proceedings of the InternationalTelemetering Conference (ITC rsquo10) San Diego CA USA 2010
[40] J Haerri F Filali and C Bonnet ldquoPerformance comparisonof AODV and OLSR in vanets urban environments underrealistic mobility patternsrdquo in Proceedings of the IFIP Med-Hoc-Net Workshop 2006
[41] C H Tseng T Song P Balasubramanyam C Ko and K LevittldquoA specification-based intrusion detection model for OLSRrdquoRecent Advances in Intrusion Detection vol 3858 pp 330ndash3502006
[42] S Kurkowski T Camp and M Colagrosso ldquoManet simulationstudies the incrediblesrdquo SIGMOBILE Mobile Computing andCommunications Review vol 9 no 4 pp 50ndash561 2005
[43] A Abdalla I Saroit A Kotb et al ldquoMisbehavior nodesdetection and isolation for MANETs OLSR protocolrdquo ProcediaComputer Science vol 3 pp 115ndash121 2011
[44] R Puttini J Percher L Me et al ldquoA modular architecture fordistributed ids in manetrdquo in Proceedings of the InternationalConference on Computational Science and Its Applications III2003
[45] A Adnane R T de Sousa L Me and C Bidan ldquoAutonomictrust reasoning enables misbehavior detection in OLSRrdquo inProceedings of the 23rd Annual ACM Symposium on AppliedComputing (SAC rsquo08) pp 2006ndash2013 March 2008
[46] W Wang H Man and Y Liu ldquoA framework for intrusiondetection systems by social network analysis methods in ad hocnetworksrdquo Security and Communication Networks vol 2 no 6pp 669ndash685 2009
[47] H Deng R Xu J Li F Zhang R Levy and W Lee ldquoAgent-based cooperative anomaly detection for wireless ad hoc net-worksrdquo in Proceedings of the 12th International Conference onParallel and Distributed Systems (ICPADS rsquo06) pp 613ndash620 July2006
[48] S KurosawaHNakayamaN Kato et al ldquoDetecting blackholesattack on AODV-based mobile ad hoc networks by dynamiclearningmethodrdquo International Journal of Network Security vol5 no 3 pp 338ndash346 2007
[49] WWang HWang BWang et al ldquoEnergy-aware and selfadap-tive anomaly detection scheme based on network tomographyin mobile ad hoc networksrdquo Information Sciences vol 220 pp580ndash602 2013
[50] M-Y Su ldquoPrevention of selective black hole attacks on mobilead hoc networks through intrusion detection systemsrdquo Com-puter Communications vol 34 no 1 pp 107ndash117 2011
[51] N Marchang and R Datta ldquoCollaborative techniques for intru-sion detection in mobile ad-hoc networksrdquo Ad Hoc Networksvol 6 no 4 pp 508ndash523 2008
[52] B V R N Yadav B Satyanarayana and O B V RamanaiahldquoAn efficient intrusion detection system for mobile ad hoc net-worksrdquo in Emerging Trends in Computing Informatics Systems
Sciences and Engineering vol 151 Springer New York NYUSA 2013
[53] Y Huang and W Lee ldquoAttack analysis and detection for ad hocrouting protocolsrdquo in Recent Advances in Intrusion Detectionvol 3224 Springer Berlin Germany 2004
[54] G Vigna S Gwalani K Srinivasan E M Belding-Royer andR A Kemmerer ldquoAn intrusion detection tool for AODV-basedad hoc wireless networksrdquo in Proceedings of the 20th AnnualComputer SecurityApplications Conference (ACSAC rsquo04) pp 16ndash27 December 2004
[55] M Ayachi C Bidan and N Prigent ldquoA trust-based ids for theaodv protocolrdquo in Information and Communications Securityvol 6476 pp 430ndash444 2010
[56] S Sen and J A Clark ldquoA grammatical evolution approach tointrusion detection on mobile ad hoc networksrdquo in Proceedingsof the 2nd ACMConference onWireless Network Security (WiSecrsquo09) pp 95ndash102 March 2009
[57] S Marti T J Giuli K Lai and M Baker ldquoMitigating routingmisbehavior in mobile ad hoc networksrdquo in Proceedings of the6th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo00) pp 255ndash265 August 2000
[58] B Sun K Wu and U Pooch ldquoRouting anomaly detection inmobile ad hoc networksrdquo in Proceedings of The 12th Interna-tional Conference on Computer Communications and Networks(ICCCN rsquo03) 2003
[59] S Bose S Bharathimurugan and A Kannan ldquoMulti-layerintegrated anomaly intrusion detection system for mobileadhoc networksrdquo in Proceedings of the International Conferenceon Signal Processing Communications and Networking (ICSCNrsquo07) pp 360ndash365 February 2007
[60] P Yi Y Zhong and S Zhang ldquoA novel intrusion detectionmethod for mobile ad hoc networksrdquo in Advances in GridComputing vol 3470 pp 1183ndash1192 Springer Berlin Germany2005
[61] C Perkins E Belding-Royer and S Das ldquoAd hoc on-demanddistance vector (AODV) routingrdquo IETF Experimental RFC3561 2003
[62] D Johnson and D Maltz ldquoDynamic source routing in ad hocwireless networksrdquo in Mobile Computing pp 153ndash181 KluwerAcademic 1996
[63] C Perkins and P Bhagwat ldquoHighly dynamic destinationse-quenced distance-vector routing (dsdv) for mobile computersrdquoin Proceedings of the Conference on Communications Architec-tures Protocols and Applications (SIGCOMM rsquo94) vol 24 pp234ndash244 1994
[64] T JoachimsMaking Large-Scale Support VectorMachine Learn-ing Practical MIT Press Cambridge Mass USA 1999
[65] Y Yajima and T Kuo ldquoEfficient formulations for 1-svm and theirapplication to recommendation tasksrdquo Journal of Computersvol 1 no 3 pp 27ndash34 2006
[66] L Bononi and C Tacconi ldquoIntrusion detection for secureclustering and routing inMobileMulti-hopWirelessNetworksrdquoInternational Journal of Information Security vol 6 no 6 pp379ndash392 2007
[67] Y Huang W Fan W Lee et al ldquoCross-feature analysis fordetecting ad-hoc routing anomaliesrdquo in Proceedings of the 23rdInternational Conference on Distributed Computing Systems(ICDCS rsquo03) pp 478ndash487 May 2003
[68] J Quinlan C4 5 Programs for Machine Learning MorganKaufmann Boston Mass USA 1993
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 11
SignatureKnowledge
database
Coordinator
Communicationmanager Alarm notifier
Update
Feedback
Diagnostic requestDiagnostic answer
IDAR instance
Routing log
IDAR instanceDiagnostic requestanswer
Routing log
Feed back
Figure 2 IDAR architecture
All the above components have been developed so as tosupport intrusion detection offering a high rate of detectionalong with conserving the resources
42 Performance Evaluation In order to evaluate the perfor-mance of IDAR a mobile ad hoc network has been simulatedusing the network simulator NS3 (httpwwwnsnamorg)[36] Each node in the simulated network is furthercoupled with a Linux Container (LXC) virtual machine(httplxcsourceforgenet) [37] The reason that motivatesthis coupling is twofold First NS3 offers the possibilityto simulate a large-scale mobile ad hoc network SecondLXC an operating-system-level virtualization tool permitsto run multiple isolated machines (also called containers)on a single modified hosting kernel (up to 1024 contain-ers over a single hosting kernel) Each container owns itsproper resources (eg process tree network interface andIP address) Thus the resource consumption (eg memoryusage) can be isolated and measured In practice an instanceof IDAR is installed on each container that appears asa standaloneseparated machine Figure 3 exemplifies thecoupling between nodes in NS3 and LXC containers Fromthe IDAR perspective (as well as from any applicationinstalled on the container) the emission and reception ofpackets is done through the network interface (eth0) Whilethe container contains a simulated ethernet card (V119890119905ℎ)which is connected through an ethernet bridge towards akernel tap device (tap) Note that for each container-nodecoupling new tap and ethernet bridge should be definedin the hosting kernel The ethernet bridge implements theforwarding of link-level framesThe interface 119905119886119901119877119900119906119905119890119903 [38]is implemented in NS3 and is used to exchange packetsbetween the 119905119886119901 device and the WiFi device which enablesNS3 nodes to communicate over a IEEE 80211- and OLSR-enabled MANET Overall the outgoing packets from eth0in the container are delivered to the WiFi device at thecorresponding node in the simulated network and vice versaSimulation is carried using the aforementioned platform
wherein the hosting device is equipped with 32GB of mem-ory and 2 Intel(R) Xeon(R) (6) Core 240GHz CPUsContainers hold a Fedora 12 operating system We considera MANET (Table 3) constituted of 119873 = 30 nodes split into25 well-behaving nodes and 5 intruders While most of otherIDSs are evaluated against one intruder we show that IDARcan handle several intruders in the same time Intruderslaunch repeatedly the implemented link spoofing attack (asdescribed in Expression 12) In our experiments the numberof successful intrusions varies between 15 and 33 accordingto the parameters of simulation scenario (as described inExpression 12) Nodes communicate via IEEE 80211a andare characterized by a transmission range 119879
119909of 90m They
randomly move following the so-called RandomWalk2d [39]mobility pattern provided by NS3 each node moves accord-ing to a randomly chosen direction at a given speed that isthe same for all the nodes When a node hits the networkboundaries (unless specified the network area is defined bya squared area of 119878 = 310 times 310m2) it rebounds followinga reflexive angle Data traffic is further modeled using theV4PingHelper application in NS3 each node exchanges 56-byte ICMP (httpwwwietforgrfcrfc792txt) echo requeststo one another and waits for 1 s before sending it again Weuse OLSR as the underlying routing protocol preserving theconfiguration parameters promoted in the RFC 3626 (eghello message interval is 2 s)
For each experimental scenario the simulation islaunched 5 times each one lasts for 140 s We compare thelaunched attacks with the detected ones and present theaverage of results We aim at evaluating the performance ofIDAR in terms of
(i) intrusion detection rate that reflects the capacity ofdetecting successful intrusions (a successful intrusioncauses the replacement of a legitimate MPR of thevictim by an intruder)
(ii) false positive rate that measures how many times alegitimate node is wrongly designated as an intruder
12 International Journal of Distributed Sensor Networks
Table 3 Simulation parameters
Simulation platformSimulator NS3 + LXC virtual machinesContainer operating system Fedora 12Hosting device memory 32GBHosting device CPU 2 Intel(R) Xeon(R) (6) Core 240GHz
Simulated MANETNumber of mobile nodes 30Number of intruders 5Topology 310 times 310m2
Transmission range 90mMaximum bandwidth 1MbpsTraffic V4PingHelper 56 bytes Icmp packetsMobility model RandomWalk2dMaximum speed 8ms (or 288 kmh)Simulation time 140 s
tapRouterWiFi devicewith OLSR
LXC
cont
aine
r
Ethernet bridge
Tap
LXC
cont
aine
r
veth
Ethernet bridge
Tap
tapRouterWiFi devicewith OLSR
veth
Nod
e 1
Nod
e 119899
NS3
IDAR1 IDAR119899
eth0 eth0
Figure 3 Experiment platform
(iii) detection overhead which represents the additionalnetwork traffic that is generated because of IDARNote that further benchmarks are also provided interms of memory usage
Based on those performance indicators IDAR is furtherevaluated with regard to the network density (Section 421)and node mobility (Section 422)
421 Network Density In order to evaluate the scalingproperties of IDAR we vary the density of the networkThe density of the network corresponds to the averagenumber of neighbors which is defined as in [40] by (119873 times
120587 times 1198792
119909)119878 We selected an interval of density that ranges
from 6 up to 16 neighbors which includes the intruderthe victim and the remaining neighbors Figure 4(a) showsthat the detection rate keeps higher than 80 regardless ofthe network density This demonstrates the relatively limitedimpact of the network density on IDAR performance More
precisely the intrusion detection rate slightly rises from935up to itsmaximum 963when the density varies from6 up to 8 neighbors the greater is the number of neighborsthe higher is the visibility of the attackThen a slow diminishis observed dense networks (with a density exceeding 8) arecharacterised by a high collision rate that causes a declinein the detection rate Similarly Figure 4(b) highlights thatthe average percentage of false positives is neglectful (under59) The analysis of several cases of false positive leads usto find that a false positive occurs when two nodes own adifferent live-times for the bidirectional link that connectsthese later consequently one of the two nodes still confirmsthe existence of this link while the other one denies it Tooverride this problem the period during which those linksare considered valid should be amplified as in [41] Figure 4(c)presents the average memory usage caused by IDAR Thisusage gently fluctuates between 176MB and 222MB It is alsoworthy of mention that contrary to OLSR our system doesnot assign additional functionality toMPR (detectionmay belaunched by one another) IDAR provides an homogeneousload balancing among the nodes As illustrated in Figure 4(d)the traffic caused by IDAR is very low (under 05 for anetwork density inferior to 8) It then slowly rises to reach13 when the network density is 16 In order to understandthe slight fall when the density reaches 14 we compare theaverage number of suspicious cases with regard to a varyingdensityThis average was 708 (resp 658) with density equalsto 12 (resp 14) Consequently the number of diagnostic-related packets is smaller at a density of 14 than at a densityof 12
422 Mobility In order to isolate the influence of themobility the network density is set to 8 The detection ratefalls when the speed increases (Figure 5(a))This results fromthe ever changing topology that results in increasing thenumber of broken links and the related drops of diagnostic-related packetsHowever IDAR still provides a high detectionrate for example the average of detection rate is 707
International Journal of Distributed Sensor Networks 13
0
20
40
60
80
100
6 8 10 12 14 16
Det
ecte
d in
trus
ions
()
Density
Average detection
(a)
0
10
20
30
40
50
6 8 10 12 14 16
False
pos
itive
()
Density
Average of false positives
(b)
0
10
20
30
40
50
6 8 10 12 14 16
Mem
ory
usag
e (M
B)
Density
(c)
025 05
1
5
20
50 100
6 8 10 12 14 16Density
IDA
R ve
rsus
OLS
R tr
affic (
)
(d)
Figure 4 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network density
with a moving speed equals to 8ms (ie around 287
kilometershour equivalent to 1789mileshour) Figure 5(b)shows that the higher is the moving speed the greater it getsfalse positives mainly because of out of date feedback Infact when a node moves away some of its 1-hop neighborsare no longer neighbors but are still announced as suchand are considered as potential attackers A higher increaseof the false positive rate is observed when the node speedranges from 4ms up to 6ms because the instable nodecovering is given its transmission range which leads to anincreased update of its 1-hop neighbors The memory usage(Figure 5(c)) rises staidly from 176MB to 265MB whichis reasonable even for resource-limited devices The impactof the mobility on the bandwidth is shown in Figure 5(d)The IDAR traffic comparing to the OLSR traffic significantlygrows from 036 up to 31 for a speed ranging from 0msup to 2ms Then the bandwidth usage gradually growsand reaches almost 6 when the moving speed is equalto 8ms This is motivated by the fact that increasing thenumber of verified links leads to exchange more diagnostic-related messages in the network In order to understandthe reason behind such variable growth of IDAR trafficwe counted the number of the verified suspicious neighbor
links We found that the average number of the verified linkssignificantly grows from 452 to 2014 when the velocity risesfrom 0ms to 2ms This average then gradually grows andtakes the values 2408 3314 and 406 when the velocityequals to 4ms 6ms and 8ms respectively The limitednumber of the suspicious neighbor links when the nodesare static is justified by the fact that the attacker has alimited choice to falsify its neighbors links Instead when thevelocity is greater than 2ms there is a continuous changein the neighborhood and the attackers can attack more(diversified) targets Meanwhile the continuously changingtopology implies an increased number of investigations
43 Performance Discussion It is clear that the density of thenetwork holds less influence than the mobility on our IDSMore mobility in MANET causes more dropped diagnosticpackets and hence less diagnostic is concluded with a finalresult that is confirming or refuting the suspiciousnessHowever comparing the launched attacks to the discov-ered suspicious events shows that the majority of attacksare tagged as suspicious events and considered for furtherdiagnostic Note that the mobility has a negative influence
14 International Journal of Distributed Sensor Networks
0
20
40
60
80
100
0 2 4 6 8
Det
ecte
d in
trus
ions
()
Velocity (ms)
Average detection
(a)
0
10
20
30
40
50
0 2 4 6 8
False
pos
itive
()
Velocity (ms)
Average of false positives
(b)
0
10
20
30
40
50
0 2 4 6 8
Mem
ory
usag
e (M
B)
Velocity (ms)
(c)
025 05
1
5
20
50 100
0 2 4 6 8
IDA
R ve
rsus
OLS
R tr
affic (
)
Velocity (ms)
(d)
Figure 5 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network mobility
on all the IDSs especially the cooperative ones where thereis an exchange of evidencesalerts Table 4 provides a shortperformance comparing between IDAR and other knownIDSs that are dedicated to ad hoc routing protocol Likethe majority of these IDSs the performance of our systemis challenged against a specific attack link spoofing attackin a simulated MANET (According to [42] around 75of mobile ad hoc published papers use simulation for testissues) Two evaluation factors are common to almost all thelisted IDSs the detection ratecapacity and the positive falserate Even though it was challenged in a MANET whereinthe intruders constitute 166 (Note that this percent is the3rd highest registered percent) of the nodes IDAR providesone of the highest detection rate Regarding the positivefalse rate we can notice that several IDSs especially thosethat are dedicated to DSR protocol show better results thanour system However this latter still generates a limitednumber of false positives It is also possible to reduce thefalse positives rate by amplifying the TTL (Time To Live)parameter of a bidirectional link so as to reduce the impactof obsolete neighborhood-related information during thedetection Recall that most of the generated false positives inIDAR are generated because of the difference in the time-live
of a bidirectional link between the two ends of this link Insuch case this link will be expired in one end while the otherend will keep confirming its existence It is worthmentioningthat except our system the listed IDSs that aim to detect theattacks targeting OLSR protocol do not present neither thedetection rate nor the false positives rate But they merelyprove the capacity of detecting the addressed attack(s) Inaddition IDAR is one of the rare IDSs that are evaluated interms of resources consumption Indeed we measure boththe increment inmemory usage and traffic overhead resultingfrom detection operations IDAR triggers a small incrementin the devicesrsquomemory usage (between 176MBand 265MB)Therefore it can be tolerated by the resource-limited devicesIt further triggers the lowest traffic overhead compared to thelisted IDSs IDAR presents a good scalability and offers a highdetection rate even in the high density networks where a largeamount of routing traffic should be monitored (Figure 4(a))This scalability is reinforced by (i) the limited traffic overhead(ii) the use of routing logs so as to extract the evidencesinstead of sniffing the traffic (iii) the distributed nature ofdetection such that each node is responsible for detecting theattacks targeting it and (iv) the unnecessity of modifying theused routing protocol
International Journal of Distributed Sensor Networks 15
5 Related Work
Systems that detect intrusion targeting ad hoc routing proto-col are extremely diverse in the way they analyze intrusionThey fall into the three key categories
(i) Anomaly detection system defines the correct behav-ior of the nodenetwork so as to detect deviations tothis behavior This correct behavior is automaticallybuilt during an attackless training phase The detec-tion accuracy depends on the ability to (i) describethe correct behavior and (ii) distinguish betweenanomalous and unexpected behaviors
(ii) Specification-based detection system hand-codes thelegitimate functionoperation and then searches for aviolation to this operation
(iii) Signature-based detection system first describes theway an intruder penetrates the system by defining anintrusion signature Then any behavior that is closeto this predefined signature is flagged as intrusion
Hereafter we detail examples of each of these categoriesAnomaly-based detection constitutes the main approachused to detect attacks The IDS proposed by Zhang et al[7] constitutes a de facto standard in MANET It aims atdetecting the attempts to falsify the routes provided by theAODV [61] DSR [62] and DSDV [63] routing protocolsDuring the training phase the impact of movement on thepercentage of changes in the routing table is analyzed Notethat this movement (ie velocity direction and position)is provided by a Global Positioning System (GPS) Thenduring the operation phase an actual percentage of changesdiffering from the predicted one is defined as anomaly Inpractice the distinguishing between anomalous and normalbehaviors is provided by the Support Vector Machine (SVM)Light [64] classifier or by RIPPER [15] a rule-based engineThe hierarchical IDS proposed in [47] detects blackhole androuting request flooding attacks targeting AODV protocolHere MANET is arranged into clusters whereas the nodewith the highest residual energy and number of connectionsis elected as a cluster-head Each cluster-head monitors thetraffic inside its cluster so as to identify the abnormal valuesof (i) the percentage of changes in the routing table and (ii)the propagation of routingdata packets Such abnormalitiesare identified thanks to (1-SVM) classifier [65] a deviationof SVM that needs to be trained with either normal orabnormal scenario but not both of them In [48] (resp [66])a blackhole (and resp dropping) attack targeting AODVprotocol (resp a secured version of AODV protocol includ-ing authentication and reputation estimation) are detectedby investigating features for example the number of routerequests and route replies as well as the average difference ofsequence numbers (Largely increased sequence numbers areknown as a sign of blackhole attack) Then simple anomalydetection is applied if the distance between the actuallyobserved features and the average ones that are recorded dur-ing the training exceeds a given threshold then an intrusionis detected More sophisticated cross-features analysis (CFA)[67] is applied to detect both blackhole and packet drop-ping on AODV and DSR protocols Features including for
example the reachability between 2 nodes and the numberof delivered packets are analyzed within time windows Thisanalysis attempts to quantify the relation existing betweenone feature 119891
119894and the others 119891
1 119891
119894minus1 119891119894+1 119891
119896(with
119896 + 1 defining the number of features analyzed) During theoperation phase the probability of matching between theobserved feature 1198911015840
119894and the predicted feature 119891
119894 which is
established based on 11989110158401 119891
1015840
119894minus1 1198911015840
119894+1 119891
1015840
119896 is calculated by
a decision tree classifier named C45 [68] An anomaly refersto an average of matching probability fewer than a giventhreshold CFA and C45 are also used in [69] with traffic-related features (eg number of receivedtransferred packets)and OLSR- or AODV-related features (eg MPR updates forthe former and route discovery for the latter) A modifiedMarkov chain-based IDS is proposed in [58] so as to detectroute disruption attack targeting DSR protocol Here thedetection depends on identifying unpredicted value of twofeatures the percentage of changes in the number of routesand the percentage of changes in the number of hops Inpractice a Markov chain is based on the immediate previous119899 consecutive values of a feature as to predict the (119899 + 1)thvalue If the difference between a predicted and an observedvalue exceeds a given threshold an intrusion is concluded
Rather than establishing automatically a correct behaviorspecification-based detection system hand-codes the correctbehavior of the routing protocols based on the protocol spec-ification (IETF draft or RFC) Then the system attempts todetect a violation of constraints circumventing this behaviorFour key constraints define the correct behavior of OLSR([14 70])
(1) Neighbor relationmust be reciprocal (ie 2 neighborsmust hear the hello message sent by each other)
(2) TheMPRs and the nodes that select theMPR (ie theMPR selectors) must be adjacent
(3) A node that finds itself advertised as a MPR selectorin a TCmessage must be adjacent to the originator ofthis message
(4) Nodes receive TC messages without modificationsfromMPR(s)
Each node sniffs the traffic in its radio range so as todiscover the violations of any of the above constraints Theseconstraints are modeled by semantic properties in [70] (resprules in [14]) so as to detect link spoofing attack on TC(and resp hello messages) both experiment an ability todetect a link spoofing by observing a violation of the thirdcondition over a simulated network composed of 11 nodesFinite-state machines are used to describe similar constraintson OLSR [41] and the behavior of AODV protocol [52 71]In [41] a centralized detection of link spoofing man-in-the-middle and deny of service attack is performed While in[52 71] incorrect hop countssequence numbers are analyzedby distributed sensors which sniff and group the packets perrequest-reply flow so as to estimate the forwarding path perflow If a route requestreply is illegallymodified or forwardedvia a nonexpected path then an alarm is triggered In [60]similar FSMs are used to define constraints on both the routediscovery in AODV and the packet forwarding operations
16 International Journal of Distributed Sensor Networks
Table4Com
parin
gID
ARperfo
rmance
with
otherIDSs
IDS
Routing
protocol
Num
bero
fno
des
Intrud
ers
()
Moving
speed
Detectio
nrate
False
positives
rate
Increm
entinmem
ory
usage
Increm
entintraffi
coverhead
IDAR
OlSR
30166
0ndash8m
s707ndash963
0ndash132
176ndash
265MB
478ndash6215KB
(036
ndash597
ofOlSRtraffi
c)
[43]
OlSR
303366
10
mdashmdash
mdashmdash
6ndash12
ofOlSR
traffi
c[41]
OlSR
1010
0ms
Detectio
nispo
ssible
mdashmdash
mdash[44]
OlSR
7143
0ms
Detectio
nispo
ssible
mdashmdash
mdash[45]
OlSR
520
0ms
Detectio
nispo
ssible
mdashmdash
mdash[14
]OlSR
119
0ms
Detectio
nispo
ssible
mdashmdash
mdash[46]
AODV
3033
0ndash5m
s3067ndash90
0ndash20
mdashmdash
[47]
AODV
502
0ndash20
ms
90
5
mdashmdash
[48]
AODV
3033
1ndash20
ms
70ndash82
12ndash18
mdashmdash
[49]
AODV
2050
10
1ndash10ms
964ndash9
87
079ndash093
mdash900k
B
[50]
AODV
5238
0ndash20
ms
(Fixed
IDSs)
100
0ndash0
6
mdashmdash
[51]
AODV
521
20238
0ndash10ms
50ndash100
0ndash30
mdashmdash
[52]
AODV
30mdash
0ndash20
ms
70ndash100
05
ndash15
mdashmdash
[53]
AODV
50Ra
ndom
0ndash20
ms
79plusmn10ndash92plusmn3
5plusmn1ndash32plusmn8
mdashmdash
[54]
AODV
102050
mdash0ndash
10ms
0ndash100
0ndash≫100
02ndash06
mdash[55]
AODV
20ndash200
mdash0ndash
20ms
30ndash9
50ndash16
mdashmdash
[56]
AODV
50mdash
1ndash20
ms
998ndash100
083ndash846
mdashmdash
[7]
AODV
mdashmdash
mdash8848plusmn414ndash971plusmn032
145plusmn072ndash202plusmn627
mdashmdash
DSD
Vmdash
mdashmdash
8523plusmn328ndash9061plusmn299
537plusmn310ndash263plusmn549
mdashmdash
DSR
mdashmdash
mdash852plusmn238ndash991plusmn037
003plusmn004ndash153plusmn408
mdashmdash
[57]
DSR
5040
0ndash20
ms
mdashmdash
mdash11ndash313
of
data
traffi
c[58]
DSR
3033
3ndash5m
s60ndash100
25
ndash50
mdashmdash
[59]
DSR
30mdash
mdash75
12
mdashmdash
[60]
DSR
502
0ndash20
ms
837ndash9
74
13ndash72
mdashmdash
International Journal of Distributed Sensor Networks 17
A signature-based system distinguishes itself by model-ing the misbehavior (rather than the correct behavior) soas to identify if a sequence of observed events matchingan intrusion signature AODVSTAT [54] uses state-basedsignatures in order to detect dropping and spoofing attacksalong with network flooding Few sensors sniff the traffic andmatch it against predefined signatures They also exchangeperiodically MAC and IP addresses so as to detect an identityspoofing which is characterized by a node emitting a packetidentified by MAC and IP addresses differing from thoseregistered for this node A dropping attack refers to a nodethat fails to replay route requestreply Finally a node sendinga number of packets exceeding a given threshold is identifiedas willing to exhaust resources In [45] intrusion signaturesare specified in opposition to the legitimate behavior of OLSRdepicted in conjunction with specification rules similar tothose defined in [70] In particular a node 119873 mistrusts twoneighbors 119871 and 119872 that conform to the following rules119872 advertises 119871 as a neighbor while 119871 does not advertise119872 as a neighbor (or reciprocally) both 119871 and 119872 send TCmessages while 119871rsquos neighbors are a subset of 119872rsquos neighbors(or reciprocally) In addition 119873 mistrusts 119872 if 119873 which isnot a neighbor of 119872 finds itself as a MPR selector in a TCof 119873 (constraint 3) In [44] a FSM is employed to modelthe signature of hello message fabrication in OLSR protocolin an agent-based IDS In practice each node uses a SimpleNetworkManagement Protocol (SNMP) agent so as to collectaudit data from the Management Information Base (MIB)After that events are extracted from the collected audit dataand are matched to the attack signatureThe addressed attackaims at breaking the link between a victim node and itsneighbors and thus a DoS takes place To that end theattacker impersonates the identity of the victim and sends afake hello message advertising one of the victim symmetricneighbors with lost link status Upon receiving the fabricatedmessage the neighbor changes the status of its link withthe victim to ldquoheardrdquo and stops routing packets through thevictim
51 Synthesis and Discussion A great majority of the litera-ture is focused on anomaly detectionwhile scarce effort inves-tigates specification- and signature-based intrusion Thisnaturally calls for consolidating the effort on specification-and signature-based detection while following the habitus ofwired network which consists in coupling these detectionsystems with one another for example in [72] wherein acombination of anomaly- and signature-based detection isrealized so as to increase the detection rate Almost all ofthe IDS focuses only on the detection accuracy that isproviding a high detection rate along with limited falsealarms However they do not consider the criticality ofmaintaining the resources and henceforth extending thelifetime of the nodenetwork Our IDS takes into account thenecessity of reducing to minimum both the communicationand computation overload related to intrusion identificationThe absolute majority of the IDSs is simulated (including thesystem we are proposing) rather than being either developedor experimented on testbeds or relying on empirical data
The reason that explains this situation is twofold Firstthe deployment of critical MANET is limitednot adver-tised Second to the best of our knowledge experiences ofintrusion in MANETs are not reported intrusions are infact developedsimulated as proofs of concept Neverthelessnot only routing protocols but also the characterization ofthe intrusion together leverage on the experience gained indesigning routing protocols for wired networks and deal-ing with related misbehaviors In particular the similarityexisting between the OSPF and OLSR protocols implies thatmany threats (eg sequence numbers identity spoofing) areshared In other words intrusion may be inspired from theone targeting wired networks Meanwhile the developmentof intrusion detection and the envisioning of attacks areaccelerated
6 Conclusion
We survey and classify the attacks that target ad hoc routingprotocols focusing on theOLSRprotocol In order to facilitatethe definition of intrusion signatures we extend a descriptionmodelmdashan attack is expressed as the preconditions andthe resulting consequencesmdashand enrich it with temporalannotations Once hand-coded these signatures are utilizedby IDAR a log-based distributed intrusion detection systemdedicated to operate in mobile ad hoc networks IDARdistinguishes itself by analyzing the logs generated by arouting protocol and extracts intrusion evidences so as tocompare these latter against predefined intrusion signaturesFor this purpose evidences are categorized into four groupsaccording to their degree of suspiciongravity and hence totheir ability to activatedeactivate the diagnostic We furtherdevelop a link spoofing attack on the OLSR protocol buildthe related detection rules and evaluate the performancesof IDAR relying on the NS3 simulator coupled with LXCvirtual machines Overall the experiments figure out ahigh rate of intrusion detection and low false positivesrate even under increased mobility and density Meanwhileresource consumption and network overhead result from thediagnostic are low and adapted to the resource-constraineddevices Note that ongoing effort is provided as to evaluateIDAR in a real MANET consisting of resource-constraineddevices Still detecting intrusion is not a trivial task due tothe large number of evidences to tackle and the resource-consuming diagnostic A compromise between detectionaccuracy and resource consumption could be found For thispurpose we are working on a new statistical mechanism forgathering the evidences This mechanism aims at enhancingthe scalability of our system by restricting the interrogationto a limited subset of nodes during the diagnostic Moreoveruntil now we assume that honest parties are passive theyalarm others but do not react We are considering thecoupling with countermeasures (eg blacklisting) and theexploring of lightweight binary consensus and trust estab-lishment among the nodes that participate in the intrusiondetection
18 International Journal of Distributed Sensor Networks
References
[1] Z Zhao H Hu G Ahn and R Wu ldquoRisk-aware mitigation formanet routing attacksrdquo IEEE Transactions on Dependable andSecure Computing vol 9 no 2 pp 250ndash260 2012
[2] B Sun L Osborne Y Xiao and S Guizani ldquoIntrusion detectiontechniques in mobile ad hoc and wireless sensor networksrdquoIEEE Wireless Communications vol 14 no 5 pp 56ndash63 2007
[3] S Sesay Z Yang and J He ldquoA survey onmobile ad hoc wirelessnetworkrdquo Information Technology Journal vol 3 no 2 pp 168ndash175 2004
[4] P Brutch and C Ko ldquoChallenges in intrusion detection forwireless ad-hoc networksrdquo in Proceedings of the Symposium onApplications and the Internet Workshops (SAINT rsquo03) pp 368ndash373 2003
[5] S Khan N Alrajeh and K Loo ldquoSecure route selection inwireless mesh networksrdquo Computer Networks vol 56 no 2 pp491ndash503 2012
[6] S Corson and J Macker ldquoMobile ad hoc networking (manet)routing protocol performance issues and evaluation considera-tionsrdquo IETF RFC2501 1999
[7] Y Zhang W Lee and Y Huang ldquoIntrusion detection tech-niques for mobile wireless networksrdquoWireless Networks vol 9no 5 pp 545ndash556 2003
[8] B C Cheng and R Y Tseng ldquoA context adaptive intrusiondetection system for MANETrdquo Computer Communications vol34 no 3 pp 310ndash318 2011
[9] T Eissa S A Razak and M D A Ngadi ldquoTowards providinga new lightweight authentication and encryption scheme forMANETrdquoWireless Networks vol 17 no 4 pp 833ndash842 2011
[10] A Irshad W Noshairwan M Shafiq S Khurram E Irshadand M Usman ldquoSecurity enhancement for authentication ofnodes in MANET by checking the CRL status of serversrdquoCommunications in Computer and Information Science vol 78pp 86ndash95 2010
[11] D E Denning ldquoAn intrusion-detection modelrdquo IEEE Transac-tions on Software Engineering vol 13 no 2 pp 222ndash232 1987
[12] T Clausen and P Jacquet ldquoOptimized link state routing proto-col (OLSR)rdquo IETF Experimental RFC 3626 2003
[13] P Albers O Camp J Percher et al ldquoSecurity in ad hoc networksa general intrusion detection architecture enhancing trust basedapproachesrdquo 2002
[14] F Cuppens N Cuppens-Boulahia S Nuon and T RamardldquoProperty based intrusion detection to secure OLSRrdquo in Pro-ceedings of the 3rd International Conference on Wireless andMobile Communications (ICWMC rsquo07) Guadeloupe FranceMarch 2007
[15] W Cohen ldquoFast effective rule inductionrdquo in Proceedings of theInternational Conference onMachine Learning (ICML rsquo95) 1995
[16] S Sarafijanovic and J-Y le Boudec ldquoAn artificial immunesystem for misbehavior detection in mobile ad-hoc networkswith virtual thymus clustering danger signal and memorydetectorsrdquo in Proceedings of the 3rd International Conference onArtificial Immune Systems (ICARIS rsquo04) 2004
[17] S Sen and J Clark Intrusion Detection in Mobile Ad HocNetworks in Guide to Wireless Ad Hoc Networks SpringerLondon UK 2009
[18] D Subhadrabandhu S Sarkar and F Anjum ldquoA Framework formisuse detection in ad hoc networksmdashpart IIrdquo IEEE Journal onSelected Areas in Communications vol 24 no 2 pp 290ndash3032006
[19] L M Feeney and M Nilsson ldquoInvestigating the energyconsumption of a wireless network interface in an ad hocnetworking environmentrdquo in Proceedings of the 20th AnnualJoint Conference of the IEEE Computer and CommunicationsSocieties pp 1548ndash1557 April 2001
[20] A P Lauf R A Peters and W H Robinson ldquoA distributedintrusion detection system for resource-constrained devices inad-hoc networksrdquo Ad Hoc Networks vol 8 no 3 pp 253ndash2662010
[21] N A Alrajeh S Khan J Lloret and J Loo ldquoSecure routingprotocol using cross-layer design and energy harvesting inwireless sensor networksrdquo International Journal of DistributedSensor Networks vol 2013 Article ID 374796 11 pages 2013
[22] S Sen J Clark and J Tapiador Security Threats in MobileAd Hoc Networks I S of Self-Organizing Networks AuerbachPublications 2010
[23] P Ning and K Sun ldquoHow to misuse AODV a case study ofinsider attacks againstmobile ad-hoc routing protocolsrdquoAdHocNetworks vol 3 no 6 pp 795ndash819 2005
[24] T Clausen C Dearlove P Jacquet and U Herberg ldquoTheoptimized link state routing protocol version 2rdquo IETF ActiveInternet-Draft Draft-Ietf-Manet-Olsrv2-15 2012
[25] U Herberg and T Clausen ldquoSecurity issues in the optimizedlink state routing protocol version 2 (olsrv2)rdquo InternationalJournal of Network Security amp Its Applications vol 2 no 2 2010
[26] YOwada TMaenoH Imai andKMase ldquoOLSRv2 implemen-tation and performance evaluation with link layer feedbackrdquo inProceedings of the International Wireless Communications andMobile Computing Conference (IWCMC rsquo07) pp 67ndash72 Newyork NY USA August 2007
[27] F Hong L Hong and C Fu ldquoSecure OLSRrdquo in Proceedingsof the 19th International Conference on Advanced InformationNetworking and Applications (AINA rsquo05) pp 713ndash718 March2005
[28] LNAMHegland P Spilling andQKure ldquoHybrid protectionof olsrrdquo in Electronic Notes in Theoretical Computer Science2006
[29] P Kunwar S Sofat and D Bansal ldquoComparison of secure olsrrouting protocolrdquo International Journal of Engineering Sciencevol 3 no 6 p 5049 2011
[30] A Adnane C Bidan and R T de Sousa Junior ldquoTrust-basedcountermeasures for securing OLSR protocolrdquo in Proceedingsof the 7th IEEEIFIP International Conference on Embedded andUbiquitous Computing (EUC rsquo09) pp 745ndash752 August 2009
[31] B Wu J Chen J Chen J Wu and M Cardei ldquoA survey ofattacks and countermeasures in mobile ad hoc networksrdquo inWireless Network Security Springer New York NY USA 2007
[32] C Adjih D Raffo and P Muhlethaler ldquoAttacks against OLSRdistributed key management for securityrdquo in Proceedings of theOLSR Interop Workshop 2005
[33] G CerveraM Barbeau J Garcia-Alfaro and E Kranakis ldquoMit-igation of topology control traffic attacks in OLSR networksrdquoin Proceedings of the 5th International Conference on Risks andSecurity of Internet and Systems (CRiSIS rsquo10) October 2010
[34] P M Jawandhiya M M Ghonge M S Ali et al ldquoA surveyof mobile ad hoc network attacksrdquo International Journal ofEngineering Science and Technology vol 2 no 9 pp 4063ndash40712010
[35] L M Feeney ldquoAn energy consumption model for performanceanalysis of routing protocols for mobile ad hoc networksrdquoMobile Networks and Applications vol 6 no 3 pp 239ndash2492001
International Journal of Distributed Sensor Networks 19
[36] G Riley and T Henderson ldquoThe ns-3 network simulatorrdquo inModeling and Tools for Network Simulation Springer BerlinGermany 2010
[37] S Bhattiprolu E Biederman S Hallyn et al ldquoVirtual serversand checkpointrestart inmainstream linuxrdquo SIGOPSOperatingSystems Review vol 42 no 5 pp 104ndash113 2008
[38] J Zhang J Xing and Z Qin ldquoTaprouter an emulatingframework to run real applications on simulated mobile adhoc networkrdquo in Proceedings of the 44th Annual SimulationSymposium (ANSS rsquo11) pp 39ndash46 2011
[39] D Broyles A Jabbar and J P G Sterbenz ldquoDesign andanalysis of a 3-d gauss-markov mobility model for highly-dynamic airborne networksrdquo in Proceedings of the InternationalTelemetering Conference (ITC rsquo10) San Diego CA USA 2010
[40] J Haerri F Filali and C Bonnet ldquoPerformance comparisonof AODV and OLSR in vanets urban environments underrealistic mobility patternsrdquo in Proceedings of the IFIP Med-Hoc-Net Workshop 2006
[41] C H Tseng T Song P Balasubramanyam C Ko and K LevittldquoA specification-based intrusion detection model for OLSRrdquoRecent Advances in Intrusion Detection vol 3858 pp 330ndash3502006
[42] S Kurkowski T Camp and M Colagrosso ldquoManet simulationstudies the incrediblesrdquo SIGMOBILE Mobile Computing andCommunications Review vol 9 no 4 pp 50ndash561 2005
[43] A Abdalla I Saroit A Kotb et al ldquoMisbehavior nodesdetection and isolation for MANETs OLSR protocolrdquo ProcediaComputer Science vol 3 pp 115ndash121 2011
[44] R Puttini J Percher L Me et al ldquoA modular architecture fordistributed ids in manetrdquo in Proceedings of the InternationalConference on Computational Science and Its Applications III2003
[45] A Adnane R T de Sousa L Me and C Bidan ldquoAutonomictrust reasoning enables misbehavior detection in OLSRrdquo inProceedings of the 23rd Annual ACM Symposium on AppliedComputing (SAC rsquo08) pp 2006ndash2013 March 2008
[46] W Wang H Man and Y Liu ldquoA framework for intrusiondetection systems by social network analysis methods in ad hocnetworksrdquo Security and Communication Networks vol 2 no 6pp 669ndash685 2009
[47] H Deng R Xu J Li F Zhang R Levy and W Lee ldquoAgent-based cooperative anomaly detection for wireless ad hoc net-worksrdquo in Proceedings of the 12th International Conference onParallel and Distributed Systems (ICPADS rsquo06) pp 613ndash620 July2006
[48] S KurosawaHNakayamaN Kato et al ldquoDetecting blackholesattack on AODV-based mobile ad hoc networks by dynamiclearningmethodrdquo International Journal of Network Security vol5 no 3 pp 338ndash346 2007
[49] WWang HWang BWang et al ldquoEnergy-aware and selfadap-tive anomaly detection scheme based on network tomographyin mobile ad hoc networksrdquo Information Sciences vol 220 pp580ndash602 2013
[50] M-Y Su ldquoPrevention of selective black hole attacks on mobilead hoc networks through intrusion detection systemsrdquo Com-puter Communications vol 34 no 1 pp 107ndash117 2011
[51] N Marchang and R Datta ldquoCollaborative techniques for intru-sion detection in mobile ad-hoc networksrdquo Ad Hoc Networksvol 6 no 4 pp 508ndash523 2008
[52] B V R N Yadav B Satyanarayana and O B V RamanaiahldquoAn efficient intrusion detection system for mobile ad hoc net-worksrdquo in Emerging Trends in Computing Informatics Systems
Sciences and Engineering vol 151 Springer New York NYUSA 2013
[53] Y Huang and W Lee ldquoAttack analysis and detection for ad hocrouting protocolsrdquo in Recent Advances in Intrusion Detectionvol 3224 Springer Berlin Germany 2004
[54] G Vigna S Gwalani K Srinivasan E M Belding-Royer andR A Kemmerer ldquoAn intrusion detection tool for AODV-basedad hoc wireless networksrdquo in Proceedings of the 20th AnnualComputer SecurityApplications Conference (ACSAC rsquo04) pp 16ndash27 December 2004
[55] M Ayachi C Bidan and N Prigent ldquoA trust-based ids for theaodv protocolrdquo in Information and Communications Securityvol 6476 pp 430ndash444 2010
[56] S Sen and J A Clark ldquoA grammatical evolution approach tointrusion detection on mobile ad hoc networksrdquo in Proceedingsof the 2nd ACMConference onWireless Network Security (WiSecrsquo09) pp 95ndash102 March 2009
[57] S Marti T J Giuli K Lai and M Baker ldquoMitigating routingmisbehavior in mobile ad hoc networksrdquo in Proceedings of the6th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo00) pp 255ndash265 August 2000
[58] B Sun K Wu and U Pooch ldquoRouting anomaly detection inmobile ad hoc networksrdquo in Proceedings of The 12th Interna-tional Conference on Computer Communications and Networks(ICCCN rsquo03) 2003
[59] S Bose S Bharathimurugan and A Kannan ldquoMulti-layerintegrated anomaly intrusion detection system for mobileadhoc networksrdquo in Proceedings of the International Conferenceon Signal Processing Communications and Networking (ICSCNrsquo07) pp 360ndash365 February 2007
[60] P Yi Y Zhong and S Zhang ldquoA novel intrusion detectionmethod for mobile ad hoc networksrdquo in Advances in GridComputing vol 3470 pp 1183ndash1192 Springer Berlin Germany2005
[61] C Perkins E Belding-Royer and S Das ldquoAd hoc on-demanddistance vector (AODV) routingrdquo IETF Experimental RFC3561 2003
[62] D Johnson and D Maltz ldquoDynamic source routing in ad hocwireless networksrdquo in Mobile Computing pp 153ndash181 KluwerAcademic 1996
[63] C Perkins and P Bhagwat ldquoHighly dynamic destinationse-quenced distance-vector routing (dsdv) for mobile computersrdquoin Proceedings of the Conference on Communications Architec-tures Protocols and Applications (SIGCOMM rsquo94) vol 24 pp234ndash244 1994
[64] T JoachimsMaking Large-Scale Support VectorMachine Learn-ing Practical MIT Press Cambridge Mass USA 1999
[65] Y Yajima and T Kuo ldquoEfficient formulations for 1-svm and theirapplication to recommendation tasksrdquo Journal of Computersvol 1 no 3 pp 27ndash34 2006
[66] L Bononi and C Tacconi ldquoIntrusion detection for secureclustering and routing inMobileMulti-hopWirelessNetworksrdquoInternational Journal of Information Security vol 6 no 6 pp379ndash392 2007
[67] Y Huang W Fan W Lee et al ldquoCross-feature analysis fordetecting ad-hoc routing anomaliesrdquo in Proceedings of the 23rdInternational Conference on Distributed Computing Systems(ICDCS rsquo03) pp 478ndash487 May 2003
[68] J Quinlan C4 5 Programs for Machine Learning MorganKaufmann Boston Mass USA 1993
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
12 International Journal of Distributed Sensor Networks
Table 3 Simulation parameters
Simulation platformSimulator NS3 + LXC virtual machinesContainer operating system Fedora 12Hosting device memory 32GBHosting device CPU 2 Intel(R) Xeon(R) (6) Core 240GHz
Simulated MANETNumber of mobile nodes 30Number of intruders 5Topology 310 times 310m2
Transmission range 90mMaximum bandwidth 1MbpsTraffic V4PingHelper 56 bytes Icmp packetsMobility model RandomWalk2dMaximum speed 8ms (or 288 kmh)Simulation time 140 s
tapRouterWiFi devicewith OLSR
LXC
cont
aine
r
Ethernet bridge
Tap
LXC
cont
aine
r
veth
Ethernet bridge
Tap
tapRouterWiFi devicewith OLSR
veth
Nod
e 1
Nod
e 119899
NS3
IDAR1 IDAR119899
eth0 eth0
Figure 3 Experiment platform
(iii) detection overhead which represents the additionalnetwork traffic that is generated because of IDARNote that further benchmarks are also provided interms of memory usage
Based on those performance indicators IDAR is furtherevaluated with regard to the network density (Section 421)and node mobility (Section 422)
421 Network Density In order to evaluate the scalingproperties of IDAR we vary the density of the networkThe density of the network corresponds to the averagenumber of neighbors which is defined as in [40] by (119873 times
120587 times 1198792
119909)119878 We selected an interval of density that ranges
from 6 up to 16 neighbors which includes the intruderthe victim and the remaining neighbors Figure 4(a) showsthat the detection rate keeps higher than 80 regardless ofthe network density This demonstrates the relatively limitedimpact of the network density on IDAR performance More
precisely the intrusion detection rate slightly rises from935up to itsmaximum 963when the density varies from6 up to 8 neighbors the greater is the number of neighborsthe higher is the visibility of the attackThen a slow diminishis observed dense networks (with a density exceeding 8) arecharacterised by a high collision rate that causes a declinein the detection rate Similarly Figure 4(b) highlights thatthe average percentage of false positives is neglectful (under59) The analysis of several cases of false positive leads usto find that a false positive occurs when two nodes own adifferent live-times for the bidirectional link that connectsthese later consequently one of the two nodes still confirmsthe existence of this link while the other one denies it Tooverride this problem the period during which those linksare considered valid should be amplified as in [41] Figure 4(c)presents the average memory usage caused by IDAR Thisusage gently fluctuates between 176MB and 222MB It is alsoworthy of mention that contrary to OLSR our system doesnot assign additional functionality toMPR (detectionmay belaunched by one another) IDAR provides an homogeneousload balancing among the nodes As illustrated in Figure 4(d)the traffic caused by IDAR is very low (under 05 for anetwork density inferior to 8) It then slowly rises to reach13 when the network density is 16 In order to understandthe slight fall when the density reaches 14 we compare theaverage number of suspicious cases with regard to a varyingdensityThis average was 708 (resp 658) with density equalsto 12 (resp 14) Consequently the number of diagnostic-related packets is smaller at a density of 14 than at a densityof 12
422 Mobility In order to isolate the influence of themobility the network density is set to 8 The detection ratefalls when the speed increases (Figure 5(a))This results fromthe ever changing topology that results in increasing thenumber of broken links and the related drops of diagnostic-related packetsHowever IDAR still provides a high detectionrate for example the average of detection rate is 707
International Journal of Distributed Sensor Networks 13
0
20
40
60
80
100
6 8 10 12 14 16
Det
ecte
d in
trus
ions
()
Density
Average detection
(a)
0
10
20
30
40
50
6 8 10 12 14 16
False
pos
itive
()
Density
Average of false positives
(b)
0
10
20
30
40
50
6 8 10 12 14 16
Mem
ory
usag
e (M
B)
Density
(c)
025 05
1
5
20
50 100
6 8 10 12 14 16Density
IDA
R ve
rsus
OLS
R tr
affic (
)
(d)
Figure 4 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network density
with a moving speed equals to 8ms (ie around 287
kilometershour equivalent to 1789mileshour) Figure 5(b)shows that the higher is the moving speed the greater it getsfalse positives mainly because of out of date feedback Infact when a node moves away some of its 1-hop neighborsare no longer neighbors but are still announced as suchand are considered as potential attackers A higher increaseof the false positive rate is observed when the node speedranges from 4ms up to 6ms because the instable nodecovering is given its transmission range which leads to anincreased update of its 1-hop neighbors The memory usage(Figure 5(c)) rises staidly from 176MB to 265MB whichis reasonable even for resource-limited devices The impactof the mobility on the bandwidth is shown in Figure 5(d)The IDAR traffic comparing to the OLSR traffic significantlygrows from 036 up to 31 for a speed ranging from 0msup to 2ms Then the bandwidth usage gradually growsand reaches almost 6 when the moving speed is equalto 8ms This is motivated by the fact that increasing thenumber of verified links leads to exchange more diagnostic-related messages in the network In order to understandthe reason behind such variable growth of IDAR trafficwe counted the number of the verified suspicious neighbor
links We found that the average number of the verified linkssignificantly grows from 452 to 2014 when the velocity risesfrom 0ms to 2ms This average then gradually grows andtakes the values 2408 3314 and 406 when the velocityequals to 4ms 6ms and 8ms respectively The limitednumber of the suspicious neighbor links when the nodesare static is justified by the fact that the attacker has alimited choice to falsify its neighbors links Instead when thevelocity is greater than 2ms there is a continuous changein the neighborhood and the attackers can attack more(diversified) targets Meanwhile the continuously changingtopology implies an increased number of investigations
43 Performance Discussion It is clear that the density of thenetwork holds less influence than the mobility on our IDSMore mobility in MANET causes more dropped diagnosticpackets and hence less diagnostic is concluded with a finalresult that is confirming or refuting the suspiciousnessHowever comparing the launched attacks to the discov-ered suspicious events shows that the majority of attacksare tagged as suspicious events and considered for furtherdiagnostic Note that the mobility has a negative influence
14 International Journal of Distributed Sensor Networks
0
20
40
60
80
100
0 2 4 6 8
Det
ecte
d in
trus
ions
()
Velocity (ms)
Average detection
(a)
0
10
20
30
40
50
0 2 4 6 8
False
pos
itive
()
Velocity (ms)
Average of false positives
(b)
0
10
20
30
40
50
0 2 4 6 8
Mem
ory
usag
e (M
B)
Velocity (ms)
(c)
025 05
1
5
20
50 100
0 2 4 6 8
IDA
R ve
rsus
OLS
R tr
affic (
)
Velocity (ms)
(d)
Figure 5 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network mobility
on all the IDSs especially the cooperative ones where thereis an exchange of evidencesalerts Table 4 provides a shortperformance comparing between IDAR and other knownIDSs that are dedicated to ad hoc routing protocol Likethe majority of these IDSs the performance of our systemis challenged against a specific attack link spoofing attackin a simulated MANET (According to [42] around 75of mobile ad hoc published papers use simulation for testissues) Two evaluation factors are common to almost all thelisted IDSs the detection ratecapacity and the positive falserate Even though it was challenged in a MANET whereinthe intruders constitute 166 (Note that this percent is the3rd highest registered percent) of the nodes IDAR providesone of the highest detection rate Regarding the positivefalse rate we can notice that several IDSs especially thosethat are dedicated to DSR protocol show better results thanour system However this latter still generates a limitednumber of false positives It is also possible to reduce thefalse positives rate by amplifying the TTL (Time To Live)parameter of a bidirectional link so as to reduce the impactof obsolete neighborhood-related information during thedetection Recall that most of the generated false positives inIDAR are generated because of the difference in the time-live
of a bidirectional link between the two ends of this link Insuch case this link will be expired in one end while the otherend will keep confirming its existence It is worthmentioningthat except our system the listed IDSs that aim to detect theattacks targeting OLSR protocol do not present neither thedetection rate nor the false positives rate But they merelyprove the capacity of detecting the addressed attack(s) Inaddition IDAR is one of the rare IDSs that are evaluated interms of resources consumption Indeed we measure boththe increment inmemory usage and traffic overhead resultingfrom detection operations IDAR triggers a small incrementin the devicesrsquomemory usage (between 176MBand 265MB)Therefore it can be tolerated by the resource-limited devicesIt further triggers the lowest traffic overhead compared to thelisted IDSs IDAR presents a good scalability and offers a highdetection rate even in the high density networks where a largeamount of routing traffic should be monitored (Figure 4(a))This scalability is reinforced by (i) the limited traffic overhead(ii) the use of routing logs so as to extract the evidencesinstead of sniffing the traffic (iii) the distributed nature ofdetection such that each node is responsible for detecting theattacks targeting it and (iv) the unnecessity of modifying theused routing protocol
International Journal of Distributed Sensor Networks 15
5 Related Work
Systems that detect intrusion targeting ad hoc routing proto-col are extremely diverse in the way they analyze intrusionThey fall into the three key categories
(i) Anomaly detection system defines the correct behav-ior of the nodenetwork so as to detect deviations tothis behavior This correct behavior is automaticallybuilt during an attackless training phase The detec-tion accuracy depends on the ability to (i) describethe correct behavior and (ii) distinguish betweenanomalous and unexpected behaviors
(ii) Specification-based detection system hand-codes thelegitimate functionoperation and then searches for aviolation to this operation
(iii) Signature-based detection system first describes theway an intruder penetrates the system by defining anintrusion signature Then any behavior that is closeto this predefined signature is flagged as intrusion
Hereafter we detail examples of each of these categoriesAnomaly-based detection constitutes the main approachused to detect attacks The IDS proposed by Zhang et al[7] constitutes a de facto standard in MANET It aims atdetecting the attempts to falsify the routes provided by theAODV [61] DSR [62] and DSDV [63] routing protocolsDuring the training phase the impact of movement on thepercentage of changes in the routing table is analyzed Notethat this movement (ie velocity direction and position)is provided by a Global Positioning System (GPS) Thenduring the operation phase an actual percentage of changesdiffering from the predicted one is defined as anomaly Inpractice the distinguishing between anomalous and normalbehaviors is provided by the Support Vector Machine (SVM)Light [64] classifier or by RIPPER [15] a rule-based engineThe hierarchical IDS proposed in [47] detects blackhole androuting request flooding attacks targeting AODV protocolHere MANET is arranged into clusters whereas the nodewith the highest residual energy and number of connectionsis elected as a cluster-head Each cluster-head monitors thetraffic inside its cluster so as to identify the abnormal valuesof (i) the percentage of changes in the routing table and (ii)the propagation of routingdata packets Such abnormalitiesare identified thanks to (1-SVM) classifier [65] a deviationof SVM that needs to be trained with either normal orabnormal scenario but not both of them In [48] (resp [66])a blackhole (and resp dropping) attack targeting AODVprotocol (resp a secured version of AODV protocol includ-ing authentication and reputation estimation) are detectedby investigating features for example the number of routerequests and route replies as well as the average difference ofsequence numbers (Largely increased sequence numbers areknown as a sign of blackhole attack) Then simple anomalydetection is applied if the distance between the actuallyobserved features and the average ones that are recorded dur-ing the training exceeds a given threshold then an intrusionis detected More sophisticated cross-features analysis (CFA)[67] is applied to detect both blackhole and packet drop-ping on AODV and DSR protocols Features including for
example the reachability between 2 nodes and the numberof delivered packets are analyzed within time windows Thisanalysis attempts to quantify the relation existing betweenone feature 119891
119894and the others 119891
1 119891
119894minus1 119891119894+1 119891
119896(with
119896 + 1 defining the number of features analyzed) During theoperation phase the probability of matching between theobserved feature 1198911015840
119894and the predicted feature 119891
119894 which is
established based on 11989110158401 119891
1015840
119894minus1 1198911015840
119894+1 119891
1015840
119896 is calculated by
a decision tree classifier named C45 [68] An anomaly refersto an average of matching probability fewer than a giventhreshold CFA and C45 are also used in [69] with traffic-related features (eg number of receivedtransferred packets)and OLSR- or AODV-related features (eg MPR updates forthe former and route discovery for the latter) A modifiedMarkov chain-based IDS is proposed in [58] so as to detectroute disruption attack targeting DSR protocol Here thedetection depends on identifying unpredicted value of twofeatures the percentage of changes in the number of routesand the percentage of changes in the number of hops Inpractice a Markov chain is based on the immediate previous119899 consecutive values of a feature as to predict the (119899 + 1)thvalue If the difference between a predicted and an observedvalue exceeds a given threshold an intrusion is concluded
Rather than establishing automatically a correct behaviorspecification-based detection system hand-codes the correctbehavior of the routing protocols based on the protocol spec-ification (IETF draft or RFC) Then the system attempts todetect a violation of constraints circumventing this behaviorFour key constraints define the correct behavior of OLSR([14 70])
(1) Neighbor relationmust be reciprocal (ie 2 neighborsmust hear the hello message sent by each other)
(2) TheMPRs and the nodes that select theMPR (ie theMPR selectors) must be adjacent
(3) A node that finds itself advertised as a MPR selectorin a TCmessage must be adjacent to the originator ofthis message
(4) Nodes receive TC messages without modificationsfromMPR(s)
Each node sniffs the traffic in its radio range so as todiscover the violations of any of the above constraints Theseconstraints are modeled by semantic properties in [70] (resprules in [14]) so as to detect link spoofing attack on TC(and resp hello messages) both experiment an ability todetect a link spoofing by observing a violation of the thirdcondition over a simulated network composed of 11 nodesFinite-state machines are used to describe similar constraintson OLSR [41] and the behavior of AODV protocol [52 71]In [41] a centralized detection of link spoofing man-in-the-middle and deny of service attack is performed While in[52 71] incorrect hop countssequence numbers are analyzedby distributed sensors which sniff and group the packets perrequest-reply flow so as to estimate the forwarding path perflow If a route requestreply is illegallymodified or forwardedvia a nonexpected path then an alarm is triggered In [60]similar FSMs are used to define constraints on both the routediscovery in AODV and the packet forwarding operations
16 International Journal of Distributed Sensor Networks
Table4Com
parin
gID
ARperfo
rmance
with
otherIDSs
IDS
Routing
protocol
Num
bero
fno
des
Intrud
ers
()
Moving
speed
Detectio
nrate
False
positives
rate
Increm
entinmem
ory
usage
Increm
entintraffi
coverhead
IDAR
OlSR
30166
0ndash8m
s707ndash963
0ndash132
176ndash
265MB
478ndash6215KB
(036
ndash597
ofOlSRtraffi
c)
[43]
OlSR
303366
10
mdashmdash
mdashmdash
6ndash12
ofOlSR
traffi
c[41]
OlSR
1010
0ms
Detectio
nispo
ssible
mdashmdash
mdash[44]
OlSR
7143
0ms
Detectio
nispo
ssible
mdashmdash
mdash[45]
OlSR
520
0ms
Detectio
nispo
ssible
mdashmdash
mdash[14
]OlSR
119
0ms
Detectio
nispo
ssible
mdashmdash
mdash[46]
AODV
3033
0ndash5m
s3067ndash90
0ndash20
mdashmdash
[47]
AODV
502
0ndash20
ms
90
5
mdashmdash
[48]
AODV
3033
1ndash20
ms
70ndash82
12ndash18
mdashmdash
[49]
AODV
2050
10
1ndash10ms
964ndash9
87
079ndash093
mdash900k
B
[50]
AODV
5238
0ndash20
ms
(Fixed
IDSs)
100
0ndash0
6
mdashmdash
[51]
AODV
521
20238
0ndash10ms
50ndash100
0ndash30
mdashmdash
[52]
AODV
30mdash
0ndash20
ms
70ndash100
05
ndash15
mdashmdash
[53]
AODV
50Ra
ndom
0ndash20
ms
79plusmn10ndash92plusmn3
5plusmn1ndash32plusmn8
mdashmdash
[54]
AODV
102050
mdash0ndash
10ms
0ndash100
0ndash≫100
02ndash06
mdash[55]
AODV
20ndash200
mdash0ndash
20ms
30ndash9
50ndash16
mdashmdash
[56]
AODV
50mdash
1ndash20
ms
998ndash100
083ndash846
mdashmdash
[7]
AODV
mdashmdash
mdash8848plusmn414ndash971plusmn032
145plusmn072ndash202plusmn627
mdashmdash
DSD
Vmdash
mdashmdash
8523plusmn328ndash9061plusmn299
537plusmn310ndash263plusmn549
mdashmdash
DSR
mdashmdash
mdash852plusmn238ndash991plusmn037
003plusmn004ndash153plusmn408
mdashmdash
[57]
DSR
5040
0ndash20
ms
mdashmdash
mdash11ndash313
of
data
traffi
c[58]
DSR
3033
3ndash5m
s60ndash100
25
ndash50
mdashmdash
[59]
DSR
30mdash
mdash75
12
mdashmdash
[60]
DSR
502
0ndash20
ms
837ndash9
74
13ndash72
mdashmdash
International Journal of Distributed Sensor Networks 17
A signature-based system distinguishes itself by model-ing the misbehavior (rather than the correct behavior) soas to identify if a sequence of observed events matchingan intrusion signature AODVSTAT [54] uses state-basedsignatures in order to detect dropping and spoofing attacksalong with network flooding Few sensors sniff the traffic andmatch it against predefined signatures They also exchangeperiodically MAC and IP addresses so as to detect an identityspoofing which is characterized by a node emitting a packetidentified by MAC and IP addresses differing from thoseregistered for this node A dropping attack refers to a nodethat fails to replay route requestreply Finally a node sendinga number of packets exceeding a given threshold is identifiedas willing to exhaust resources In [45] intrusion signaturesare specified in opposition to the legitimate behavior of OLSRdepicted in conjunction with specification rules similar tothose defined in [70] In particular a node 119873 mistrusts twoneighbors 119871 and 119872 that conform to the following rules119872 advertises 119871 as a neighbor while 119871 does not advertise119872 as a neighbor (or reciprocally) both 119871 and 119872 send TCmessages while 119871rsquos neighbors are a subset of 119872rsquos neighbors(or reciprocally) In addition 119873 mistrusts 119872 if 119873 which isnot a neighbor of 119872 finds itself as a MPR selector in a TCof 119873 (constraint 3) In [44] a FSM is employed to modelthe signature of hello message fabrication in OLSR protocolin an agent-based IDS In practice each node uses a SimpleNetworkManagement Protocol (SNMP) agent so as to collectaudit data from the Management Information Base (MIB)After that events are extracted from the collected audit dataand are matched to the attack signatureThe addressed attackaims at breaking the link between a victim node and itsneighbors and thus a DoS takes place To that end theattacker impersonates the identity of the victim and sends afake hello message advertising one of the victim symmetricneighbors with lost link status Upon receiving the fabricatedmessage the neighbor changes the status of its link withthe victim to ldquoheardrdquo and stops routing packets through thevictim
51 Synthesis and Discussion A great majority of the litera-ture is focused on anomaly detectionwhile scarce effort inves-tigates specification- and signature-based intrusion Thisnaturally calls for consolidating the effort on specification-and signature-based detection while following the habitus ofwired network which consists in coupling these detectionsystems with one another for example in [72] wherein acombination of anomaly- and signature-based detection isrealized so as to increase the detection rate Almost all ofthe IDS focuses only on the detection accuracy that isproviding a high detection rate along with limited falsealarms However they do not consider the criticality ofmaintaining the resources and henceforth extending thelifetime of the nodenetwork Our IDS takes into account thenecessity of reducing to minimum both the communicationand computation overload related to intrusion identificationThe absolute majority of the IDSs is simulated (including thesystem we are proposing) rather than being either developedor experimented on testbeds or relying on empirical data
The reason that explains this situation is twofold Firstthe deployment of critical MANET is limitednot adver-tised Second to the best of our knowledge experiences ofintrusion in MANETs are not reported intrusions are infact developedsimulated as proofs of concept Neverthelessnot only routing protocols but also the characterization ofthe intrusion together leverage on the experience gained indesigning routing protocols for wired networks and deal-ing with related misbehaviors In particular the similarityexisting between the OSPF and OLSR protocols implies thatmany threats (eg sequence numbers identity spoofing) areshared In other words intrusion may be inspired from theone targeting wired networks Meanwhile the developmentof intrusion detection and the envisioning of attacks areaccelerated
6 Conclusion
We survey and classify the attacks that target ad hoc routingprotocols focusing on theOLSRprotocol In order to facilitatethe definition of intrusion signatures we extend a descriptionmodelmdashan attack is expressed as the preconditions andthe resulting consequencesmdashand enrich it with temporalannotations Once hand-coded these signatures are utilizedby IDAR a log-based distributed intrusion detection systemdedicated to operate in mobile ad hoc networks IDARdistinguishes itself by analyzing the logs generated by arouting protocol and extracts intrusion evidences so as tocompare these latter against predefined intrusion signaturesFor this purpose evidences are categorized into four groupsaccording to their degree of suspiciongravity and hence totheir ability to activatedeactivate the diagnostic We furtherdevelop a link spoofing attack on the OLSR protocol buildthe related detection rules and evaluate the performancesof IDAR relying on the NS3 simulator coupled with LXCvirtual machines Overall the experiments figure out ahigh rate of intrusion detection and low false positivesrate even under increased mobility and density Meanwhileresource consumption and network overhead result from thediagnostic are low and adapted to the resource-constraineddevices Note that ongoing effort is provided as to evaluateIDAR in a real MANET consisting of resource-constraineddevices Still detecting intrusion is not a trivial task due tothe large number of evidences to tackle and the resource-consuming diagnostic A compromise between detectionaccuracy and resource consumption could be found For thispurpose we are working on a new statistical mechanism forgathering the evidences This mechanism aims at enhancingthe scalability of our system by restricting the interrogationto a limited subset of nodes during the diagnostic Moreoveruntil now we assume that honest parties are passive theyalarm others but do not react We are considering thecoupling with countermeasures (eg blacklisting) and theexploring of lightweight binary consensus and trust estab-lishment among the nodes that participate in the intrusiondetection
18 International Journal of Distributed Sensor Networks
References
[1] Z Zhao H Hu G Ahn and R Wu ldquoRisk-aware mitigation formanet routing attacksrdquo IEEE Transactions on Dependable andSecure Computing vol 9 no 2 pp 250ndash260 2012
[2] B Sun L Osborne Y Xiao and S Guizani ldquoIntrusion detectiontechniques in mobile ad hoc and wireless sensor networksrdquoIEEE Wireless Communications vol 14 no 5 pp 56ndash63 2007
[3] S Sesay Z Yang and J He ldquoA survey onmobile ad hoc wirelessnetworkrdquo Information Technology Journal vol 3 no 2 pp 168ndash175 2004
[4] P Brutch and C Ko ldquoChallenges in intrusion detection forwireless ad-hoc networksrdquo in Proceedings of the Symposium onApplications and the Internet Workshops (SAINT rsquo03) pp 368ndash373 2003
[5] S Khan N Alrajeh and K Loo ldquoSecure route selection inwireless mesh networksrdquo Computer Networks vol 56 no 2 pp491ndash503 2012
[6] S Corson and J Macker ldquoMobile ad hoc networking (manet)routing protocol performance issues and evaluation considera-tionsrdquo IETF RFC2501 1999
[7] Y Zhang W Lee and Y Huang ldquoIntrusion detection tech-niques for mobile wireless networksrdquoWireless Networks vol 9no 5 pp 545ndash556 2003
[8] B C Cheng and R Y Tseng ldquoA context adaptive intrusiondetection system for MANETrdquo Computer Communications vol34 no 3 pp 310ndash318 2011
[9] T Eissa S A Razak and M D A Ngadi ldquoTowards providinga new lightweight authentication and encryption scheme forMANETrdquoWireless Networks vol 17 no 4 pp 833ndash842 2011
[10] A Irshad W Noshairwan M Shafiq S Khurram E Irshadand M Usman ldquoSecurity enhancement for authentication ofnodes in MANET by checking the CRL status of serversrdquoCommunications in Computer and Information Science vol 78pp 86ndash95 2010
[11] D E Denning ldquoAn intrusion-detection modelrdquo IEEE Transac-tions on Software Engineering vol 13 no 2 pp 222ndash232 1987
[12] T Clausen and P Jacquet ldquoOptimized link state routing proto-col (OLSR)rdquo IETF Experimental RFC 3626 2003
[13] P Albers O Camp J Percher et al ldquoSecurity in ad hoc networksa general intrusion detection architecture enhancing trust basedapproachesrdquo 2002
[14] F Cuppens N Cuppens-Boulahia S Nuon and T RamardldquoProperty based intrusion detection to secure OLSRrdquo in Pro-ceedings of the 3rd International Conference on Wireless andMobile Communications (ICWMC rsquo07) Guadeloupe FranceMarch 2007
[15] W Cohen ldquoFast effective rule inductionrdquo in Proceedings of theInternational Conference onMachine Learning (ICML rsquo95) 1995
[16] S Sarafijanovic and J-Y le Boudec ldquoAn artificial immunesystem for misbehavior detection in mobile ad-hoc networkswith virtual thymus clustering danger signal and memorydetectorsrdquo in Proceedings of the 3rd International Conference onArtificial Immune Systems (ICARIS rsquo04) 2004
[17] S Sen and J Clark Intrusion Detection in Mobile Ad HocNetworks in Guide to Wireless Ad Hoc Networks SpringerLondon UK 2009
[18] D Subhadrabandhu S Sarkar and F Anjum ldquoA Framework formisuse detection in ad hoc networksmdashpart IIrdquo IEEE Journal onSelected Areas in Communications vol 24 no 2 pp 290ndash3032006
[19] L M Feeney and M Nilsson ldquoInvestigating the energyconsumption of a wireless network interface in an ad hocnetworking environmentrdquo in Proceedings of the 20th AnnualJoint Conference of the IEEE Computer and CommunicationsSocieties pp 1548ndash1557 April 2001
[20] A P Lauf R A Peters and W H Robinson ldquoA distributedintrusion detection system for resource-constrained devices inad-hoc networksrdquo Ad Hoc Networks vol 8 no 3 pp 253ndash2662010
[21] N A Alrajeh S Khan J Lloret and J Loo ldquoSecure routingprotocol using cross-layer design and energy harvesting inwireless sensor networksrdquo International Journal of DistributedSensor Networks vol 2013 Article ID 374796 11 pages 2013
[22] S Sen J Clark and J Tapiador Security Threats in MobileAd Hoc Networks I S of Self-Organizing Networks AuerbachPublications 2010
[23] P Ning and K Sun ldquoHow to misuse AODV a case study ofinsider attacks againstmobile ad-hoc routing protocolsrdquoAdHocNetworks vol 3 no 6 pp 795ndash819 2005
[24] T Clausen C Dearlove P Jacquet and U Herberg ldquoTheoptimized link state routing protocol version 2rdquo IETF ActiveInternet-Draft Draft-Ietf-Manet-Olsrv2-15 2012
[25] U Herberg and T Clausen ldquoSecurity issues in the optimizedlink state routing protocol version 2 (olsrv2)rdquo InternationalJournal of Network Security amp Its Applications vol 2 no 2 2010
[26] YOwada TMaenoH Imai andKMase ldquoOLSRv2 implemen-tation and performance evaluation with link layer feedbackrdquo inProceedings of the International Wireless Communications andMobile Computing Conference (IWCMC rsquo07) pp 67ndash72 Newyork NY USA August 2007
[27] F Hong L Hong and C Fu ldquoSecure OLSRrdquo in Proceedingsof the 19th International Conference on Advanced InformationNetworking and Applications (AINA rsquo05) pp 713ndash718 March2005
[28] LNAMHegland P Spilling andQKure ldquoHybrid protectionof olsrrdquo in Electronic Notes in Theoretical Computer Science2006
[29] P Kunwar S Sofat and D Bansal ldquoComparison of secure olsrrouting protocolrdquo International Journal of Engineering Sciencevol 3 no 6 p 5049 2011
[30] A Adnane C Bidan and R T de Sousa Junior ldquoTrust-basedcountermeasures for securing OLSR protocolrdquo in Proceedingsof the 7th IEEEIFIP International Conference on Embedded andUbiquitous Computing (EUC rsquo09) pp 745ndash752 August 2009
[31] B Wu J Chen J Chen J Wu and M Cardei ldquoA survey ofattacks and countermeasures in mobile ad hoc networksrdquo inWireless Network Security Springer New York NY USA 2007
[32] C Adjih D Raffo and P Muhlethaler ldquoAttacks against OLSRdistributed key management for securityrdquo in Proceedings of theOLSR Interop Workshop 2005
[33] G CerveraM Barbeau J Garcia-Alfaro and E Kranakis ldquoMit-igation of topology control traffic attacks in OLSR networksrdquoin Proceedings of the 5th International Conference on Risks andSecurity of Internet and Systems (CRiSIS rsquo10) October 2010
[34] P M Jawandhiya M M Ghonge M S Ali et al ldquoA surveyof mobile ad hoc network attacksrdquo International Journal ofEngineering Science and Technology vol 2 no 9 pp 4063ndash40712010
[35] L M Feeney ldquoAn energy consumption model for performanceanalysis of routing protocols for mobile ad hoc networksrdquoMobile Networks and Applications vol 6 no 3 pp 239ndash2492001
International Journal of Distributed Sensor Networks 19
[36] G Riley and T Henderson ldquoThe ns-3 network simulatorrdquo inModeling and Tools for Network Simulation Springer BerlinGermany 2010
[37] S Bhattiprolu E Biederman S Hallyn et al ldquoVirtual serversand checkpointrestart inmainstream linuxrdquo SIGOPSOperatingSystems Review vol 42 no 5 pp 104ndash113 2008
[38] J Zhang J Xing and Z Qin ldquoTaprouter an emulatingframework to run real applications on simulated mobile adhoc networkrdquo in Proceedings of the 44th Annual SimulationSymposium (ANSS rsquo11) pp 39ndash46 2011
[39] D Broyles A Jabbar and J P G Sterbenz ldquoDesign andanalysis of a 3-d gauss-markov mobility model for highly-dynamic airborne networksrdquo in Proceedings of the InternationalTelemetering Conference (ITC rsquo10) San Diego CA USA 2010
[40] J Haerri F Filali and C Bonnet ldquoPerformance comparisonof AODV and OLSR in vanets urban environments underrealistic mobility patternsrdquo in Proceedings of the IFIP Med-Hoc-Net Workshop 2006
[41] C H Tseng T Song P Balasubramanyam C Ko and K LevittldquoA specification-based intrusion detection model for OLSRrdquoRecent Advances in Intrusion Detection vol 3858 pp 330ndash3502006
[42] S Kurkowski T Camp and M Colagrosso ldquoManet simulationstudies the incrediblesrdquo SIGMOBILE Mobile Computing andCommunications Review vol 9 no 4 pp 50ndash561 2005
[43] A Abdalla I Saroit A Kotb et al ldquoMisbehavior nodesdetection and isolation for MANETs OLSR protocolrdquo ProcediaComputer Science vol 3 pp 115ndash121 2011
[44] R Puttini J Percher L Me et al ldquoA modular architecture fordistributed ids in manetrdquo in Proceedings of the InternationalConference on Computational Science and Its Applications III2003
[45] A Adnane R T de Sousa L Me and C Bidan ldquoAutonomictrust reasoning enables misbehavior detection in OLSRrdquo inProceedings of the 23rd Annual ACM Symposium on AppliedComputing (SAC rsquo08) pp 2006ndash2013 March 2008
[46] W Wang H Man and Y Liu ldquoA framework for intrusiondetection systems by social network analysis methods in ad hocnetworksrdquo Security and Communication Networks vol 2 no 6pp 669ndash685 2009
[47] H Deng R Xu J Li F Zhang R Levy and W Lee ldquoAgent-based cooperative anomaly detection for wireless ad hoc net-worksrdquo in Proceedings of the 12th International Conference onParallel and Distributed Systems (ICPADS rsquo06) pp 613ndash620 July2006
[48] S KurosawaHNakayamaN Kato et al ldquoDetecting blackholesattack on AODV-based mobile ad hoc networks by dynamiclearningmethodrdquo International Journal of Network Security vol5 no 3 pp 338ndash346 2007
[49] WWang HWang BWang et al ldquoEnergy-aware and selfadap-tive anomaly detection scheme based on network tomographyin mobile ad hoc networksrdquo Information Sciences vol 220 pp580ndash602 2013
[50] M-Y Su ldquoPrevention of selective black hole attacks on mobilead hoc networks through intrusion detection systemsrdquo Com-puter Communications vol 34 no 1 pp 107ndash117 2011
[51] N Marchang and R Datta ldquoCollaborative techniques for intru-sion detection in mobile ad-hoc networksrdquo Ad Hoc Networksvol 6 no 4 pp 508ndash523 2008
[52] B V R N Yadav B Satyanarayana and O B V RamanaiahldquoAn efficient intrusion detection system for mobile ad hoc net-worksrdquo in Emerging Trends in Computing Informatics Systems
Sciences and Engineering vol 151 Springer New York NYUSA 2013
[53] Y Huang and W Lee ldquoAttack analysis and detection for ad hocrouting protocolsrdquo in Recent Advances in Intrusion Detectionvol 3224 Springer Berlin Germany 2004
[54] G Vigna S Gwalani K Srinivasan E M Belding-Royer andR A Kemmerer ldquoAn intrusion detection tool for AODV-basedad hoc wireless networksrdquo in Proceedings of the 20th AnnualComputer SecurityApplications Conference (ACSAC rsquo04) pp 16ndash27 December 2004
[55] M Ayachi C Bidan and N Prigent ldquoA trust-based ids for theaodv protocolrdquo in Information and Communications Securityvol 6476 pp 430ndash444 2010
[56] S Sen and J A Clark ldquoA grammatical evolution approach tointrusion detection on mobile ad hoc networksrdquo in Proceedingsof the 2nd ACMConference onWireless Network Security (WiSecrsquo09) pp 95ndash102 March 2009
[57] S Marti T J Giuli K Lai and M Baker ldquoMitigating routingmisbehavior in mobile ad hoc networksrdquo in Proceedings of the6th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo00) pp 255ndash265 August 2000
[58] B Sun K Wu and U Pooch ldquoRouting anomaly detection inmobile ad hoc networksrdquo in Proceedings of The 12th Interna-tional Conference on Computer Communications and Networks(ICCCN rsquo03) 2003
[59] S Bose S Bharathimurugan and A Kannan ldquoMulti-layerintegrated anomaly intrusion detection system for mobileadhoc networksrdquo in Proceedings of the International Conferenceon Signal Processing Communications and Networking (ICSCNrsquo07) pp 360ndash365 February 2007
[60] P Yi Y Zhong and S Zhang ldquoA novel intrusion detectionmethod for mobile ad hoc networksrdquo in Advances in GridComputing vol 3470 pp 1183ndash1192 Springer Berlin Germany2005
[61] C Perkins E Belding-Royer and S Das ldquoAd hoc on-demanddistance vector (AODV) routingrdquo IETF Experimental RFC3561 2003
[62] D Johnson and D Maltz ldquoDynamic source routing in ad hocwireless networksrdquo in Mobile Computing pp 153ndash181 KluwerAcademic 1996
[63] C Perkins and P Bhagwat ldquoHighly dynamic destinationse-quenced distance-vector routing (dsdv) for mobile computersrdquoin Proceedings of the Conference on Communications Architec-tures Protocols and Applications (SIGCOMM rsquo94) vol 24 pp234ndash244 1994
[64] T JoachimsMaking Large-Scale Support VectorMachine Learn-ing Practical MIT Press Cambridge Mass USA 1999
[65] Y Yajima and T Kuo ldquoEfficient formulations for 1-svm and theirapplication to recommendation tasksrdquo Journal of Computersvol 1 no 3 pp 27ndash34 2006
[66] L Bononi and C Tacconi ldquoIntrusion detection for secureclustering and routing inMobileMulti-hopWirelessNetworksrdquoInternational Journal of Information Security vol 6 no 6 pp379ndash392 2007
[67] Y Huang W Fan W Lee et al ldquoCross-feature analysis fordetecting ad-hoc routing anomaliesrdquo in Proceedings of the 23rdInternational Conference on Distributed Computing Systems(ICDCS rsquo03) pp 478ndash487 May 2003
[68] J Quinlan C4 5 Programs for Machine Learning MorganKaufmann Boston Mass USA 1993
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 13
0
20
40
60
80
100
6 8 10 12 14 16
Det
ecte
d in
trus
ions
()
Density
Average detection
(a)
0
10
20
30
40
50
6 8 10 12 14 16
False
pos
itive
()
Density
Average of false positives
(b)
0
10
20
30
40
50
6 8 10 12 14 16
Mem
ory
usag
e (M
B)
Density
(c)
025 05
1
5
20
50 100
6 8 10 12 14 16Density
IDA
R ve
rsus
OLS
R tr
affic (
)
(d)
Figure 4 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network density
with a moving speed equals to 8ms (ie around 287
kilometershour equivalent to 1789mileshour) Figure 5(b)shows that the higher is the moving speed the greater it getsfalse positives mainly because of out of date feedback Infact when a node moves away some of its 1-hop neighborsare no longer neighbors but are still announced as suchand are considered as potential attackers A higher increaseof the false positive rate is observed when the node speedranges from 4ms up to 6ms because the instable nodecovering is given its transmission range which leads to anincreased update of its 1-hop neighbors The memory usage(Figure 5(c)) rises staidly from 176MB to 265MB whichis reasonable even for resource-limited devices The impactof the mobility on the bandwidth is shown in Figure 5(d)The IDAR traffic comparing to the OLSR traffic significantlygrows from 036 up to 31 for a speed ranging from 0msup to 2ms Then the bandwidth usage gradually growsand reaches almost 6 when the moving speed is equalto 8ms This is motivated by the fact that increasing thenumber of verified links leads to exchange more diagnostic-related messages in the network In order to understandthe reason behind such variable growth of IDAR trafficwe counted the number of the verified suspicious neighbor
links We found that the average number of the verified linkssignificantly grows from 452 to 2014 when the velocity risesfrom 0ms to 2ms This average then gradually grows andtakes the values 2408 3314 and 406 when the velocityequals to 4ms 6ms and 8ms respectively The limitednumber of the suspicious neighbor links when the nodesare static is justified by the fact that the attacker has alimited choice to falsify its neighbors links Instead when thevelocity is greater than 2ms there is a continuous changein the neighborhood and the attackers can attack more(diversified) targets Meanwhile the continuously changingtopology implies an increased number of investigations
43 Performance Discussion It is clear that the density of thenetwork holds less influence than the mobility on our IDSMore mobility in MANET causes more dropped diagnosticpackets and hence less diagnostic is concluded with a finalresult that is confirming or refuting the suspiciousnessHowever comparing the launched attacks to the discov-ered suspicious events shows that the majority of attacksare tagged as suspicious events and considered for furtherdiagnostic Note that the mobility has a negative influence
14 International Journal of Distributed Sensor Networks
0
20
40
60
80
100
0 2 4 6 8
Det
ecte
d in
trus
ions
()
Velocity (ms)
Average detection
(a)
0
10
20
30
40
50
0 2 4 6 8
False
pos
itive
()
Velocity (ms)
Average of false positives
(b)
0
10
20
30
40
50
0 2 4 6 8
Mem
ory
usag
e (M
B)
Velocity (ms)
(c)
025 05
1
5
20
50 100
0 2 4 6 8
IDA
R ve
rsus
OLS
R tr
affic (
)
Velocity (ms)
(d)
Figure 5 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network mobility
on all the IDSs especially the cooperative ones where thereis an exchange of evidencesalerts Table 4 provides a shortperformance comparing between IDAR and other knownIDSs that are dedicated to ad hoc routing protocol Likethe majority of these IDSs the performance of our systemis challenged against a specific attack link spoofing attackin a simulated MANET (According to [42] around 75of mobile ad hoc published papers use simulation for testissues) Two evaluation factors are common to almost all thelisted IDSs the detection ratecapacity and the positive falserate Even though it was challenged in a MANET whereinthe intruders constitute 166 (Note that this percent is the3rd highest registered percent) of the nodes IDAR providesone of the highest detection rate Regarding the positivefalse rate we can notice that several IDSs especially thosethat are dedicated to DSR protocol show better results thanour system However this latter still generates a limitednumber of false positives It is also possible to reduce thefalse positives rate by amplifying the TTL (Time To Live)parameter of a bidirectional link so as to reduce the impactof obsolete neighborhood-related information during thedetection Recall that most of the generated false positives inIDAR are generated because of the difference in the time-live
of a bidirectional link between the two ends of this link Insuch case this link will be expired in one end while the otherend will keep confirming its existence It is worthmentioningthat except our system the listed IDSs that aim to detect theattacks targeting OLSR protocol do not present neither thedetection rate nor the false positives rate But they merelyprove the capacity of detecting the addressed attack(s) Inaddition IDAR is one of the rare IDSs that are evaluated interms of resources consumption Indeed we measure boththe increment inmemory usage and traffic overhead resultingfrom detection operations IDAR triggers a small incrementin the devicesrsquomemory usage (between 176MBand 265MB)Therefore it can be tolerated by the resource-limited devicesIt further triggers the lowest traffic overhead compared to thelisted IDSs IDAR presents a good scalability and offers a highdetection rate even in the high density networks where a largeamount of routing traffic should be monitored (Figure 4(a))This scalability is reinforced by (i) the limited traffic overhead(ii) the use of routing logs so as to extract the evidencesinstead of sniffing the traffic (iii) the distributed nature ofdetection such that each node is responsible for detecting theattacks targeting it and (iv) the unnecessity of modifying theused routing protocol
International Journal of Distributed Sensor Networks 15
5 Related Work
Systems that detect intrusion targeting ad hoc routing proto-col are extremely diverse in the way they analyze intrusionThey fall into the three key categories
(i) Anomaly detection system defines the correct behav-ior of the nodenetwork so as to detect deviations tothis behavior This correct behavior is automaticallybuilt during an attackless training phase The detec-tion accuracy depends on the ability to (i) describethe correct behavior and (ii) distinguish betweenanomalous and unexpected behaviors
(ii) Specification-based detection system hand-codes thelegitimate functionoperation and then searches for aviolation to this operation
(iii) Signature-based detection system first describes theway an intruder penetrates the system by defining anintrusion signature Then any behavior that is closeto this predefined signature is flagged as intrusion
Hereafter we detail examples of each of these categoriesAnomaly-based detection constitutes the main approachused to detect attacks The IDS proposed by Zhang et al[7] constitutes a de facto standard in MANET It aims atdetecting the attempts to falsify the routes provided by theAODV [61] DSR [62] and DSDV [63] routing protocolsDuring the training phase the impact of movement on thepercentage of changes in the routing table is analyzed Notethat this movement (ie velocity direction and position)is provided by a Global Positioning System (GPS) Thenduring the operation phase an actual percentage of changesdiffering from the predicted one is defined as anomaly Inpractice the distinguishing between anomalous and normalbehaviors is provided by the Support Vector Machine (SVM)Light [64] classifier or by RIPPER [15] a rule-based engineThe hierarchical IDS proposed in [47] detects blackhole androuting request flooding attacks targeting AODV protocolHere MANET is arranged into clusters whereas the nodewith the highest residual energy and number of connectionsis elected as a cluster-head Each cluster-head monitors thetraffic inside its cluster so as to identify the abnormal valuesof (i) the percentage of changes in the routing table and (ii)the propagation of routingdata packets Such abnormalitiesare identified thanks to (1-SVM) classifier [65] a deviationof SVM that needs to be trained with either normal orabnormal scenario but not both of them In [48] (resp [66])a blackhole (and resp dropping) attack targeting AODVprotocol (resp a secured version of AODV protocol includ-ing authentication and reputation estimation) are detectedby investigating features for example the number of routerequests and route replies as well as the average difference ofsequence numbers (Largely increased sequence numbers areknown as a sign of blackhole attack) Then simple anomalydetection is applied if the distance between the actuallyobserved features and the average ones that are recorded dur-ing the training exceeds a given threshold then an intrusionis detected More sophisticated cross-features analysis (CFA)[67] is applied to detect both blackhole and packet drop-ping on AODV and DSR protocols Features including for
example the reachability between 2 nodes and the numberof delivered packets are analyzed within time windows Thisanalysis attempts to quantify the relation existing betweenone feature 119891
119894and the others 119891
1 119891
119894minus1 119891119894+1 119891
119896(with
119896 + 1 defining the number of features analyzed) During theoperation phase the probability of matching between theobserved feature 1198911015840
119894and the predicted feature 119891
119894 which is
established based on 11989110158401 119891
1015840
119894minus1 1198911015840
119894+1 119891
1015840
119896 is calculated by
a decision tree classifier named C45 [68] An anomaly refersto an average of matching probability fewer than a giventhreshold CFA and C45 are also used in [69] with traffic-related features (eg number of receivedtransferred packets)and OLSR- or AODV-related features (eg MPR updates forthe former and route discovery for the latter) A modifiedMarkov chain-based IDS is proposed in [58] so as to detectroute disruption attack targeting DSR protocol Here thedetection depends on identifying unpredicted value of twofeatures the percentage of changes in the number of routesand the percentage of changes in the number of hops Inpractice a Markov chain is based on the immediate previous119899 consecutive values of a feature as to predict the (119899 + 1)thvalue If the difference between a predicted and an observedvalue exceeds a given threshold an intrusion is concluded
Rather than establishing automatically a correct behaviorspecification-based detection system hand-codes the correctbehavior of the routing protocols based on the protocol spec-ification (IETF draft or RFC) Then the system attempts todetect a violation of constraints circumventing this behaviorFour key constraints define the correct behavior of OLSR([14 70])
(1) Neighbor relationmust be reciprocal (ie 2 neighborsmust hear the hello message sent by each other)
(2) TheMPRs and the nodes that select theMPR (ie theMPR selectors) must be adjacent
(3) A node that finds itself advertised as a MPR selectorin a TCmessage must be adjacent to the originator ofthis message
(4) Nodes receive TC messages without modificationsfromMPR(s)
Each node sniffs the traffic in its radio range so as todiscover the violations of any of the above constraints Theseconstraints are modeled by semantic properties in [70] (resprules in [14]) so as to detect link spoofing attack on TC(and resp hello messages) both experiment an ability todetect a link spoofing by observing a violation of the thirdcondition over a simulated network composed of 11 nodesFinite-state machines are used to describe similar constraintson OLSR [41] and the behavior of AODV protocol [52 71]In [41] a centralized detection of link spoofing man-in-the-middle and deny of service attack is performed While in[52 71] incorrect hop countssequence numbers are analyzedby distributed sensors which sniff and group the packets perrequest-reply flow so as to estimate the forwarding path perflow If a route requestreply is illegallymodified or forwardedvia a nonexpected path then an alarm is triggered In [60]similar FSMs are used to define constraints on both the routediscovery in AODV and the packet forwarding operations
16 International Journal of Distributed Sensor Networks
Table4Com
parin
gID
ARperfo
rmance
with
otherIDSs
IDS
Routing
protocol
Num
bero
fno
des
Intrud
ers
()
Moving
speed
Detectio
nrate
False
positives
rate
Increm
entinmem
ory
usage
Increm
entintraffi
coverhead
IDAR
OlSR
30166
0ndash8m
s707ndash963
0ndash132
176ndash
265MB
478ndash6215KB
(036
ndash597
ofOlSRtraffi
c)
[43]
OlSR
303366
10
mdashmdash
mdashmdash
6ndash12
ofOlSR
traffi
c[41]
OlSR
1010
0ms
Detectio
nispo
ssible
mdashmdash
mdash[44]
OlSR
7143
0ms
Detectio
nispo
ssible
mdashmdash
mdash[45]
OlSR
520
0ms
Detectio
nispo
ssible
mdashmdash
mdash[14
]OlSR
119
0ms
Detectio
nispo
ssible
mdashmdash
mdash[46]
AODV
3033
0ndash5m
s3067ndash90
0ndash20
mdashmdash
[47]
AODV
502
0ndash20
ms
90
5
mdashmdash
[48]
AODV
3033
1ndash20
ms
70ndash82
12ndash18
mdashmdash
[49]
AODV
2050
10
1ndash10ms
964ndash9
87
079ndash093
mdash900k
B
[50]
AODV
5238
0ndash20
ms
(Fixed
IDSs)
100
0ndash0
6
mdashmdash
[51]
AODV
521
20238
0ndash10ms
50ndash100
0ndash30
mdashmdash
[52]
AODV
30mdash
0ndash20
ms
70ndash100
05
ndash15
mdashmdash
[53]
AODV
50Ra
ndom
0ndash20
ms
79plusmn10ndash92plusmn3
5plusmn1ndash32plusmn8
mdashmdash
[54]
AODV
102050
mdash0ndash
10ms
0ndash100
0ndash≫100
02ndash06
mdash[55]
AODV
20ndash200
mdash0ndash
20ms
30ndash9
50ndash16
mdashmdash
[56]
AODV
50mdash
1ndash20
ms
998ndash100
083ndash846
mdashmdash
[7]
AODV
mdashmdash
mdash8848plusmn414ndash971plusmn032
145plusmn072ndash202plusmn627
mdashmdash
DSD
Vmdash
mdashmdash
8523plusmn328ndash9061plusmn299
537plusmn310ndash263plusmn549
mdashmdash
DSR
mdashmdash
mdash852plusmn238ndash991plusmn037
003plusmn004ndash153plusmn408
mdashmdash
[57]
DSR
5040
0ndash20
ms
mdashmdash
mdash11ndash313
of
data
traffi
c[58]
DSR
3033
3ndash5m
s60ndash100
25
ndash50
mdashmdash
[59]
DSR
30mdash
mdash75
12
mdashmdash
[60]
DSR
502
0ndash20
ms
837ndash9
74
13ndash72
mdashmdash
International Journal of Distributed Sensor Networks 17
A signature-based system distinguishes itself by model-ing the misbehavior (rather than the correct behavior) soas to identify if a sequence of observed events matchingan intrusion signature AODVSTAT [54] uses state-basedsignatures in order to detect dropping and spoofing attacksalong with network flooding Few sensors sniff the traffic andmatch it against predefined signatures They also exchangeperiodically MAC and IP addresses so as to detect an identityspoofing which is characterized by a node emitting a packetidentified by MAC and IP addresses differing from thoseregistered for this node A dropping attack refers to a nodethat fails to replay route requestreply Finally a node sendinga number of packets exceeding a given threshold is identifiedas willing to exhaust resources In [45] intrusion signaturesare specified in opposition to the legitimate behavior of OLSRdepicted in conjunction with specification rules similar tothose defined in [70] In particular a node 119873 mistrusts twoneighbors 119871 and 119872 that conform to the following rules119872 advertises 119871 as a neighbor while 119871 does not advertise119872 as a neighbor (or reciprocally) both 119871 and 119872 send TCmessages while 119871rsquos neighbors are a subset of 119872rsquos neighbors(or reciprocally) In addition 119873 mistrusts 119872 if 119873 which isnot a neighbor of 119872 finds itself as a MPR selector in a TCof 119873 (constraint 3) In [44] a FSM is employed to modelthe signature of hello message fabrication in OLSR protocolin an agent-based IDS In practice each node uses a SimpleNetworkManagement Protocol (SNMP) agent so as to collectaudit data from the Management Information Base (MIB)After that events are extracted from the collected audit dataand are matched to the attack signatureThe addressed attackaims at breaking the link between a victim node and itsneighbors and thus a DoS takes place To that end theattacker impersonates the identity of the victim and sends afake hello message advertising one of the victim symmetricneighbors with lost link status Upon receiving the fabricatedmessage the neighbor changes the status of its link withthe victim to ldquoheardrdquo and stops routing packets through thevictim
51 Synthesis and Discussion A great majority of the litera-ture is focused on anomaly detectionwhile scarce effort inves-tigates specification- and signature-based intrusion Thisnaturally calls for consolidating the effort on specification-and signature-based detection while following the habitus ofwired network which consists in coupling these detectionsystems with one another for example in [72] wherein acombination of anomaly- and signature-based detection isrealized so as to increase the detection rate Almost all ofthe IDS focuses only on the detection accuracy that isproviding a high detection rate along with limited falsealarms However they do not consider the criticality ofmaintaining the resources and henceforth extending thelifetime of the nodenetwork Our IDS takes into account thenecessity of reducing to minimum both the communicationand computation overload related to intrusion identificationThe absolute majority of the IDSs is simulated (including thesystem we are proposing) rather than being either developedor experimented on testbeds or relying on empirical data
The reason that explains this situation is twofold Firstthe deployment of critical MANET is limitednot adver-tised Second to the best of our knowledge experiences ofintrusion in MANETs are not reported intrusions are infact developedsimulated as proofs of concept Neverthelessnot only routing protocols but also the characterization ofthe intrusion together leverage on the experience gained indesigning routing protocols for wired networks and deal-ing with related misbehaviors In particular the similarityexisting between the OSPF and OLSR protocols implies thatmany threats (eg sequence numbers identity spoofing) areshared In other words intrusion may be inspired from theone targeting wired networks Meanwhile the developmentof intrusion detection and the envisioning of attacks areaccelerated
6 Conclusion
We survey and classify the attacks that target ad hoc routingprotocols focusing on theOLSRprotocol In order to facilitatethe definition of intrusion signatures we extend a descriptionmodelmdashan attack is expressed as the preconditions andthe resulting consequencesmdashand enrich it with temporalannotations Once hand-coded these signatures are utilizedby IDAR a log-based distributed intrusion detection systemdedicated to operate in mobile ad hoc networks IDARdistinguishes itself by analyzing the logs generated by arouting protocol and extracts intrusion evidences so as tocompare these latter against predefined intrusion signaturesFor this purpose evidences are categorized into four groupsaccording to their degree of suspiciongravity and hence totheir ability to activatedeactivate the diagnostic We furtherdevelop a link spoofing attack on the OLSR protocol buildthe related detection rules and evaluate the performancesof IDAR relying on the NS3 simulator coupled with LXCvirtual machines Overall the experiments figure out ahigh rate of intrusion detection and low false positivesrate even under increased mobility and density Meanwhileresource consumption and network overhead result from thediagnostic are low and adapted to the resource-constraineddevices Note that ongoing effort is provided as to evaluateIDAR in a real MANET consisting of resource-constraineddevices Still detecting intrusion is not a trivial task due tothe large number of evidences to tackle and the resource-consuming diagnostic A compromise between detectionaccuracy and resource consumption could be found For thispurpose we are working on a new statistical mechanism forgathering the evidences This mechanism aims at enhancingthe scalability of our system by restricting the interrogationto a limited subset of nodes during the diagnostic Moreoveruntil now we assume that honest parties are passive theyalarm others but do not react We are considering thecoupling with countermeasures (eg blacklisting) and theexploring of lightweight binary consensus and trust estab-lishment among the nodes that participate in the intrusiondetection
18 International Journal of Distributed Sensor Networks
References
[1] Z Zhao H Hu G Ahn and R Wu ldquoRisk-aware mitigation formanet routing attacksrdquo IEEE Transactions on Dependable andSecure Computing vol 9 no 2 pp 250ndash260 2012
[2] B Sun L Osborne Y Xiao and S Guizani ldquoIntrusion detectiontechniques in mobile ad hoc and wireless sensor networksrdquoIEEE Wireless Communications vol 14 no 5 pp 56ndash63 2007
[3] S Sesay Z Yang and J He ldquoA survey onmobile ad hoc wirelessnetworkrdquo Information Technology Journal vol 3 no 2 pp 168ndash175 2004
[4] P Brutch and C Ko ldquoChallenges in intrusion detection forwireless ad-hoc networksrdquo in Proceedings of the Symposium onApplications and the Internet Workshops (SAINT rsquo03) pp 368ndash373 2003
[5] S Khan N Alrajeh and K Loo ldquoSecure route selection inwireless mesh networksrdquo Computer Networks vol 56 no 2 pp491ndash503 2012
[6] S Corson and J Macker ldquoMobile ad hoc networking (manet)routing protocol performance issues and evaluation considera-tionsrdquo IETF RFC2501 1999
[7] Y Zhang W Lee and Y Huang ldquoIntrusion detection tech-niques for mobile wireless networksrdquoWireless Networks vol 9no 5 pp 545ndash556 2003
[8] B C Cheng and R Y Tseng ldquoA context adaptive intrusiondetection system for MANETrdquo Computer Communications vol34 no 3 pp 310ndash318 2011
[9] T Eissa S A Razak and M D A Ngadi ldquoTowards providinga new lightweight authentication and encryption scheme forMANETrdquoWireless Networks vol 17 no 4 pp 833ndash842 2011
[10] A Irshad W Noshairwan M Shafiq S Khurram E Irshadand M Usman ldquoSecurity enhancement for authentication ofnodes in MANET by checking the CRL status of serversrdquoCommunications in Computer and Information Science vol 78pp 86ndash95 2010
[11] D E Denning ldquoAn intrusion-detection modelrdquo IEEE Transac-tions on Software Engineering vol 13 no 2 pp 222ndash232 1987
[12] T Clausen and P Jacquet ldquoOptimized link state routing proto-col (OLSR)rdquo IETF Experimental RFC 3626 2003
[13] P Albers O Camp J Percher et al ldquoSecurity in ad hoc networksa general intrusion detection architecture enhancing trust basedapproachesrdquo 2002
[14] F Cuppens N Cuppens-Boulahia S Nuon and T RamardldquoProperty based intrusion detection to secure OLSRrdquo in Pro-ceedings of the 3rd International Conference on Wireless andMobile Communications (ICWMC rsquo07) Guadeloupe FranceMarch 2007
[15] W Cohen ldquoFast effective rule inductionrdquo in Proceedings of theInternational Conference onMachine Learning (ICML rsquo95) 1995
[16] S Sarafijanovic and J-Y le Boudec ldquoAn artificial immunesystem for misbehavior detection in mobile ad-hoc networkswith virtual thymus clustering danger signal and memorydetectorsrdquo in Proceedings of the 3rd International Conference onArtificial Immune Systems (ICARIS rsquo04) 2004
[17] S Sen and J Clark Intrusion Detection in Mobile Ad HocNetworks in Guide to Wireless Ad Hoc Networks SpringerLondon UK 2009
[18] D Subhadrabandhu S Sarkar and F Anjum ldquoA Framework formisuse detection in ad hoc networksmdashpart IIrdquo IEEE Journal onSelected Areas in Communications vol 24 no 2 pp 290ndash3032006
[19] L M Feeney and M Nilsson ldquoInvestigating the energyconsumption of a wireless network interface in an ad hocnetworking environmentrdquo in Proceedings of the 20th AnnualJoint Conference of the IEEE Computer and CommunicationsSocieties pp 1548ndash1557 April 2001
[20] A P Lauf R A Peters and W H Robinson ldquoA distributedintrusion detection system for resource-constrained devices inad-hoc networksrdquo Ad Hoc Networks vol 8 no 3 pp 253ndash2662010
[21] N A Alrajeh S Khan J Lloret and J Loo ldquoSecure routingprotocol using cross-layer design and energy harvesting inwireless sensor networksrdquo International Journal of DistributedSensor Networks vol 2013 Article ID 374796 11 pages 2013
[22] S Sen J Clark and J Tapiador Security Threats in MobileAd Hoc Networks I S of Self-Organizing Networks AuerbachPublications 2010
[23] P Ning and K Sun ldquoHow to misuse AODV a case study ofinsider attacks againstmobile ad-hoc routing protocolsrdquoAdHocNetworks vol 3 no 6 pp 795ndash819 2005
[24] T Clausen C Dearlove P Jacquet and U Herberg ldquoTheoptimized link state routing protocol version 2rdquo IETF ActiveInternet-Draft Draft-Ietf-Manet-Olsrv2-15 2012
[25] U Herberg and T Clausen ldquoSecurity issues in the optimizedlink state routing protocol version 2 (olsrv2)rdquo InternationalJournal of Network Security amp Its Applications vol 2 no 2 2010
[26] YOwada TMaenoH Imai andKMase ldquoOLSRv2 implemen-tation and performance evaluation with link layer feedbackrdquo inProceedings of the International Wireless Communications andMobile Computing Conference (IWCMC rsquo07) pp 67ndash72 Newyork NY USA August 2007
[27] F Hong L Hong and C Fu ldquoSecure OLSRrdquo in Proceedingsof the 19th International Conference on Advanced InformationNetworking and Applications (AINA rsquo05) pp 713ndash718 March2005
[28] LNAMHegland P Spilling andQKure ldquoHybrid protectionof olsrrdquo in Electronic Notes in Theoretical Computer Science2006
[29] P Kunwar S Sofat and D Bansal ldquoComparison of secure olsrrouting protocolrdquo International Journal of Engineering Sciencevol 3 no 6 p 5049 2011
[30] A Adnane C Bidan and R T de Sousa Junior ldquoTrust-basedcountermeasures for securing OLSR protocolrdquo in Proceedingsof the 7th IEEEIFIP International Conference on Embedded andUbiquitous Computing (EUC rsquo09) pp 745ndash752 August 2009
[31] B Wu J Chen J Chen J Wu and M Cardei ldquoA survey ofattacks and countermeasures in mobile ad hoc networksrdquo inWireless Network Security Springer New York NY USA 2007
[32] C Adjih D Raffo and P Muhlethaler ldquoAttacks against OLSRdistributed key management for securityrdquo in Proceedings of theOLSR Interop Workshop 2005
[33] G CerveraM Barbeau J Garcia-Alfaro and E Kranakis ldquoMit-igation of topology control traffic attacks in OLSR networksrdquoin Proceedings of the 5th International Conference on Risks andSecurity of Internet and Systems (CRiSIS rsquo10) October 2010
[34] P M Jawandhiya M M Ghonge M S Ali et al ldquoA surveyof mobile ad hoc network attacksrdquo International Journal ofEngineering Science and Technology vol 2 no 9 pp 4063ndash40712010
[35] L M Feeney ldquoAn energy consumption model for performanceanalysis of routing protocols for mobile ad hoc networksrdquoMobile Networks and Applications vol 6 no 3 pp 239ndash2492001
International Journal of Distributed Sensor Networks 19
[36] G Riley and T Henderson ldquoThe ns-3 network simulatorrdquo inModeling and Tools for Network Simulation Springer BerlinGermany 2010
[37] S Bhattiprolu E Biederman S Hallyn et al ldquoVirtual serversand checkpointrestart inmainstream linuxrdquo SIGOPSOperatingSystems Review vol 42 no 5 pp 104ndash113 2008
[38] J Zhang J Xing and Z Qin ldquoTaprouter an emulatingframework to run real applications on simulated mobile adhoc networkrdquo in Proceedings of the 44th Annual SimulationSymposium (ANSS rsquo11) pp 39ndash46 2011
[39] D Broyles A Jabbar and J P G Sterbenz ldquoDesign andanalysis of a 3-d gauss-markov mobility model for highly-dynamic airborne networksrdquo in Proceedings of the InternationalTelemetering Conference (ITC rsquo10) San Diego CA USA 2010
[40] J Haerri F Filali and C Bonnet ldquoPerformance comparisonof AODV and OLSR in vanets urban environments underrealistic mobility patternsrdquo in Proceedings of the IFIP Med-Hoc-Net Workshop 2006
[41] C H Tseng T Song P Balasubramanyam C Ko and K LevittldquoA specification-based intrusion detection model for OLSRrdquoRecent Advances in Intrusion Detection vol 3858 pp 330ndash3502006
[42] S Kurkowski T Camp and M Colagrosso ldquoManet simulationstudies the incrediblesrdquo SIGMOBILE Mobile Computing andCommunications Review vol 9 no 4 pp 50ndash561 2005
[43] A Abdalla I Saroit A Kotb et al ldquoMisbehavior nodesdetection and isolation for MANETs OLSR protocolrdquo ProcediaComputer Science vol 3 pp 115ndash121 2011
[44] R Puttini J Percher L Me et al ldquoA modular architecture fordistributed ids in manetrdquo in Proceedings of the InternationalConference on Computational Science and Its Applications III2003
[45] A Adnane R T de Sousa L Me and C Bidan ldquoAutonomictrust reasoning enables misbehavior detection in OLSRrdquo inProceedings of the 23rd Annual ACM Symposium on AppliedComputing (SAC rsquo08) pp 2006ndash2013 March 2008
[46] W Wang H Man and Y Liu ldquoA framework for intrusiondetection systems by social network analysis methods in ad hocnetworksrdquo Security and Communication Networks vol 2 no 6pp 669ndash685 2009
[47] H Deng R Xu J Li F Zhang R Levy and W Lee ldquoAgent-based cooperative anomaly detection for wireless ad hoc net-worksrdquo in Proceedings of the 12th International Conference onParallel and Distributed Systems (ICPADS rsquo06) pp 613ndash620 July2006
[48] S KurosawaHNakayamaN Kato et al ldquoDetecting blackholesattack on AODV-based mobile ad hoc networks by dynamiclearningmethodrdquo International Journal of Network Security vol5 no 3 pp 338ndash346 2007
[49] WWang HWang BWang et al ldquoEnergy-aware and selfadap-tive anomaly detection scheme based on network tomographyin mobile ad hoc networksrdquo Information Sciences vol 220 pp580ndash602 2013
[50] M-Y Su ldquoPrevention of selective black hole attacks on mobilead hoc networks through intrusion detection systemsrdquo Com-puter Communications vol 34 no 1 pp 107ndash117 2011
[51] N Marchang and R Datta ldquoCollaborative techniques for intru-sion detection in mobile ad-hoc networksrdquo Ad Hoc Networksvol 6 no 4 pp 508ndash523 2008
[52] B V R N Yadav B Satyanarayana and O B V RamanaiahldquoAn efficient intrusion detection system for mobile ad hoc net-worksrdquo in Emerging Trends in Computing Informatics Systems
Sciences and Engineering vol 151 Springer New York NYUSA 2013
[53] Y Huang and W Lee ldquoAttack analysis and detection for ad hocrouting protocolsrdquo in Recent Advances in Intrusion Detectionvol 3224 Springer Berlin Germany 2004
[54] G Vigna S Gwalani K Srinivasan E M Belding-Royer andR A Kemmerer ldquoAn intrusion detection tool for AODV-basedad hoc wireless networksrdquo in Proceedings of the 20th AnnualComputer SecurityApplications Conference (ACSAC rsquo04) pp 16ndash27 December 2004
[55] M Ayachi C Bidan and N Prigent ldquoA trust-based ids for theaodv protocolrdquo in Information and Communications Securityvol 6476 pp 430ndash444 2010
[56] S Sen and J A Clark ldquoA grammatical evolution approach tointrusion detection on mobile ad hoc networksrdquo in Proceedingsof the 2nd ACMConference onWireless Network Security (WiSecrsquo09) pp 95ndash102 March 2009
[57] S Marti T J Giuli K Lai and M Baker ldquoMitigating routingmisbehavior in mobile ad hoc networksrdquo in Proceedings of the6th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo00) pp 255ndash265 August 2000
[58] B Sun K Wu and U Pooch ldquoRouting anomaly detection inmobile ad hoc networksrdquo in Proceedings of The 12th Interna-tional Conference on Computer Communications and Networks(ICCCN rsquo03) 2003
[59] S Bose S Bharathimurugan and A Kannan ldquoMulti-layerintegrated anomaly intrusion detection system for mobileadhoc networksrdquo in Proceedings of the International Conferenceon Signal Processing Communications and Networking (ICSCNrsquo07) pp 360ndash365 February 2007
[60] P Yi Y Zhong and S Zhang ldquoA novel intrusion detectionmethod for mobile ad hoc networksrdquo in Advances in GridComputing vol 3470 pp 1183ndash1192 Springer Berlin Germany2005
[61] C Perkins E Belding-Royer and S Das ldquoAd hoc on-demanddistance vector (AODV) routingrdquo IETF Experimental RFC3561 2003
[62] D Johnson and D Maltz ldquoDynamic source routing in ad hocwireless networksrdquo in Mobile Computing pp 153ndash181 KluwerAcademic 1996
[63] C Perkins and P Bhagwat ldquoHighly dynamic destinationse-quenced distance-vector routing (dsdv) for mobile computersrdquoin Proceedings of the Conference on Communications Architec-tures Protocols and Applications (SIGCOMM rsquo94) vol 24 pp234ndash244 1994
[64] T JoachimsMaking Large-Scale Support VectorMachine Learn-ing Practical MIT Press Cambridge Mass USA 1999
[65] Y Yajima and T Kuo ldquoEfficient formulations for 1-svm and theirapplication to recommendation tasksrdquo Journal of Computersvol 1 no 3 pp 27ndash34 2006
[66] L Bononi and C Tacconi ldquoIntrusion detection for secureclustering and routing inMobileMulti-hopWirelessNetworksrdquoInternational Journal of Information Security vol 6 no 6 pp379ndash392 2007
[67] Y Huang W Fan W Lee et al ldquoCross-feature analysis fordetecting ad-hoc routing anomaliesrdquo in Proceedings of the 23rdInternational Conference on Distributed Computing Systems(ICDCS rsquo03) pp 478ndash487 May 2003
[68] J Quinlan C4 5 Programs for Machine Learning MorganKaufmann Boston Mass USA 1993
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
14 International Journal of Distributed Sensor Networks
0
20
40
60
80
100
0 2 4 6 8
Det
ecte
d in
trus
ions
()
Velocity (ms)
Average detection
(a)
0
10
20
30
40
50
0 2 4 6 8
False
pos
itive
()
Velocity (ms)
Average of false positives
(b)
0
10
20
30
40
50
0 2 4 6 8
Mem
ory
usag
e (M
B)
Velocity (ms)
(c)
025 05
1
5
20
50 100
0 2 4 6 8
IDA
R ve
rsus
OLS
R tr
affic (
)
Velocity (ms)
(d)
Figure 5 Intrusion detection rate (a) false positives rate (b) memory usage (c) and traffic (d) depending on the network mobility
on all the IDSs especially the cooperative ones where thereis an exchange of evidencesalerts Table 4 provides a shortperformance comparing between IDAR and other knownIDSs that are dedicated to ad hoc routing protocol Likethe majority of these IDSs the performance of our systemis challenged against a specific attack link spoofing attackin a simulated MANET (According to [42] around 75of mobile ad hoc published papers use simulation for testissues) Two evaluation factors are common to almost all thelisted IDSs the detection ratecapacity and the positive falserate Even though it was challenged in a MANET whereinthe intruders constitute 166 (Note that this percent is the3rd highest registered percent) of the nodes IDAR providesone of the highest detection rate Regarding the positivefalse rate we can notice that several IDSs especially thosethat are dedicated to DSR protocol show better results thanour system However this latter still generates a limitednumber of false positives It is also possible to reduce thefalse positives rate by amplifying the TTL (Time To Live)parameter of a bidirectional link so as to reduce the impactof obsolete neighborhood-related information during thedetection Recall that most of the generated false positives inIDAR are generated because of the difference in the time-live
of a bidirectional link between the two ends of this link Insuch case this link will be expired in one end while the otherend will keep confirming its existence It is worthmentioningthat except our system the listed IDSs that aim to detect theattacks targeting OLSR protocol do not present neither thedetection rate nor the false positives rate But they merelyprove the capacity of detecting the addressed attack(s) Inaddition IDAR is one of the rare IDSs that are evaluated interms of resources consumption Indeed we measure boththe increment inmemory usage and traffic overhead resultingfrom detection operations IDAR triggers a small incrementin the devicesrsquomemory usage (between 176MBand 265MB)Therefore it can be tolerated by the resource-limited devicesIt further triggers the lowest traffic overhead compared to thelisted IDSs IDAR presents a good scalability and offers a highdetection rate even in the high density networks where a largeamount of routing traffic should be monitored (Figure 4(a))This scalability is reinforced by (i) the limited traffic overhead(ii) the use of routing logs so as to extract the evidencesinstead of sniffing the traffic (iii) the distributed nature ofdetection such that each node is responsible for detecting theattacks targeting it and (iv) the unnecessity of modifying theused routing protocol
International Journal of Distributed Sensor Networks 15
5 Related Work
Systems that detect intrusion targeting ad hoc routing proto-col are extremely diverse in the way they analyze intrusionThey fall into the three key categories
(i) Anomaly detection system defines the correct behav-ior of the nodenetwork so as to detect deviations tothis behavior This correct behavior is automaticallybuilt during an attackless training phase The detec-tion accuracy depends on the ability to (i) describethe correct behavior and (ii) distinguish betweenanomalous and unexpected behaviors
(ii) Specification-based detection system hand-codes thelegitimate functionoperation and then searches for aviolation to this operation
(iii) Signature-based detection system first describes theway an intruder penetrates the system by defining anintrusion signature Then any behavior that is closeto this predefined signature is flagged as intrusion
Hereafter we detail examples of each of these categoriesAnomaly-based detection constitutes the main approachused to detect attacks The IDS proposed by Zhang et al[7] constitutes a de facto standard in MANET It aims atdetecting the attempts to falsify the routes provided by theAODV [61] DSR [62] and DSDV [63] routing protocolsDuring the training phase the impact of movement on thepercentage of changes in the routing table is analyzed Notethat this movement (ie velocity direction and position)is provided by a Global Positioning System (GPS) Thenduring the operation phase an actual percentage of changesdiffering from the predicted one is defined as anomaly Inpractice the distinguishing between anomalous and normalbehaviors is provided by the Support Vector Machine (SVM)Light [64] classifier or by RIPPER [15] a rule-based engineThe hierarchical IDS proposed in [47] detects blackhole androuting request flooding attacks targeting AODV protocolHere MANET is arranged into clusters whereas the nodewith the highest residual energy and number of connectionsis elected as a cluster-head Each cluster-head monitors thetraffic inside its cluster so as to identify the abnormal valuesof (i) the percentage of changes in the routing table and (ii)the propagation of routingdata packets Such abnormalitiesare identified thanks to (1-SVM) classifier [65] a deviationof SVM that needs to be trained with either normal orabnormal scenario but not both of them In [48] (resp [66])a blackhole (and resp dropping) attack targeting AODVprotocol (resp a secured version of AODV protocol includ-ing authentication and reputation estimation) are detectedby investigating features for example the number of routerequests and route replies as well as the average difference ofsequence numbers (Largely increased sequence numbers areknown as a sign of blackhole attack) Then simple anomalydetection is applied if the distance between the actuallyobserved features and the average ones that are recorded dur-ing the training exceeds a given threshold then an intrusionis detected More sophisticated cross-features analysis (CFA)[67] is applied to detect both blackhole and packet drop-ping on AODV and DSR protocols Features including for
example the reachability between 2 nodes and the numberof delivered packets are analyzed within time windows Thisanalysis attempts to quantify the relation existing betweenone feature 119891
119894and the others 119891
1 119891
119894minus1 119891119894+1 119891
119896(with
119896 + 1 defining the number of features analyzed) During theoperation phase the probability of matching between theobserved feature 1198911015840
119894and the predicted feature 119891
119894 which is
established based on 11989110158401 119891
1015840
119894minus1 1198911015840
119894+1 119891
1015840
119896 is calculated by
a decision tree classifier named C45 [68] An anomaly refersto an average of matching probability fewer than a giventhreshold CFA and C45 are also used in [69] with traffic-related features (eg number of receivedtransferred packets)and OLSR- or AODV-related features (eg MPR updates forthe former and route discovery for the latter) A modifiedMarkov chain-based IDS is proposed in [58] so as to detectroute disruption attack targeting DSR protocol Here thedetection depends on identifying unpredicted value of twofeatures the percentage of changes in the number of routesand the percentage of changes in the number of hops Inpractice a Markov chain is based on the immediate previous119899 consecutive values of a feature as to predict the (119899 + 1)thvalue If the difference between a predicted and an observedvalue exceeds a given threshold an intrusion is concluded
Rather than establishing automatically a correct behaviorspecification-based detection system hand-codes the correctbehavior of the routing protocols based on the protocol spec-ification (IETF draft or RFC) Then the system attempts todetect a violation of constraints circumventing this behaviorFour key constraints define the correct behavior of OLSR([14 70])
(1) Neighbor relationmust be reciprocal (ie 2 neighborsmust hear the hello message sent by each other)
(2) TheMPRs and the nodes that select theMPR (ie theMPR selectors) must be adjacent
(3) A node that finds itself advertised as a MPR selectorin a TCmessage must be adjacent to the originator ofthis message
(4) Nodes receive TC messages without modificationsfromMPR(s)
Each node sniffs the traffic in its radio range so as todiscover the violations of any of the above constraints Theseconstraints are modeled by semantic properties in [70] (resprules in [14]) so as to detect link spoofing attack on TC(and resp hello messages) both experiment an ability todetect a link spoofing by observing a violation of the thirdcondition over a simulated network composed of 11 nodesFinite-state machines are used to describe similar constraintson OLSR [41] and the behavior of AODV protocol [52 71]In [41] a centralized detection of link spoofing man-in-the-middle and deny of service attack is performed While in[52 71] incorrect hop countssequence numbers are analyzedby distributed sensors which sniff and group the packets perrequest-reply flow so as to estimate the forwarding path perflow If a route requestreply is illegallymodified or forwardedvia a nonexpected path then an alarm is triggered In [60]similar FSMs are used to define constraints on both the routediscovery in AODV and the packet forwarding operations
16 International Journal of Distributed Sensor Networks
Table4Com
parin
gID
ARperfo
rmance
with
otherIDSs
IDS
Routing
protocol
Num
bero
fno
des
Intrud
ers
()
Moving
speed
Detectio
nrate
False
positives
rate
Increm
entinmem
ory
usage
Increm
entintraffi
coverhead
IDAR
OlSR
30166
0ndash8m
s707ndash963
0ndash132
176ndash
265MB
478ndash6215KB
(036
ndash597
ofOlSRtraffi
c)
[43]
OlSR
303366
10
mdashmdash
mdashmdash
6ndash12
ofOlSR
traffi
c[41]
OlSR
1010
0ms
Detectio
nispo
ssible
mdashmdash
mdash[44]
OlSR
7143
0ms
Detectio
nispo
ssible
mdashmdash
mdash[45]
OlSR
520
0ms
Detectio
nispo
ssible
mdashmdash
mdash[14
]OlSR
119
0ms
Detectio
nispo
ssible
mdashmdash
mdash[46]
AODV
3033
0ndash5m
s3067ndash90
0ndash20
mdashmdash
[47]
AODV
502
0ndash20
ms
90
5
mdashmdash
[48]
AODV
3033
1ndash20
ms
70ndash82
12ndash18
mdashmdash
[49]
AODV
2050
10
1ndash10ms
964ndash9
87
079ndash093
mdash900k
B
[50]
AODV
5238
0ndash20
ms
(Fixed
IDSs)
100
0ndash0
6
mdashmdash
[51]
AODV
521
20238
0ndash10ms
50ndash100
0ndash30
mdashmdash
[52]
AODV
30mdash
0ndash20
ms
70ndash100
05
ndash15
mdashmdash
[53]
AODV
50Ra
ndom
0ndash20
ms
79plusmn10ndash92plusmn3
5plusmn1ndash32plusmn8
mdashmdash
[54]
AODV
102050
mdash0ndash
10ms
0ndash100
0ndash≫100
02ndash06
mdash[55]
AODV
20ndash200
mdash0ndash
20ms
30ndash9
50ndash16
mdashmdash
[56]
AODV
50mdash
1ndash20
ms
998ndash100
083ndash846
mdashmdash
[7]
AODV
mdashmdash
mdash8848plusmn414ndash971plusmn032
145plusmn072ndash202plusmn627
mdashmdash
DSD
Vmdash
mdashmdash
8523plusmn328ndash9061plusmn299
537plusmn310ndash263plusmn549
mdashmdash
DSR
mdashmdash
mdash852plusmn238ndash991plusmn037
003plusmn004ndash153plusmn408
mdashmdash
[57]
DSR
5040
0ndash20
ms
mdashmdash
mdash11ndash313
of
data
traffi
c[58]
DSR
3033
3ndash5m
s60ndash100
25
ndash50
mdashmdash
[59]
DSR
30mdash
mdash75
12
mdashmdash
[60]
DSR
502
0ndash20
ms
837ndash9
74
13ndash72
mdashmdash
International Journal of Distributed Sensor Networks 17
A signature-based system distinguishes itself by model-ing the misbehavior (rather than the correct behavior) soas to identify if a sequence of observed events matchingan intrusion signature AODVSTAT [54] uses state-basedsignatures in order to detect dropping and spoofing attacksalong with network flooding Few sensors sniff the traffic andmatch it against predefined signatures They also exchangeperiodically MAC and IP addresses so as to detect an identityspoofing which is characterized by a node emitting a packetidentified by MAC and IP addresses differing from thoseregistered for this node A dropping attack refers to a nodethat fails to replay route requestreply Finally a node sendinga number of packets exceeding a given threshold is identifiedas willing to exhaust resources In [45] intrusion signaturesare specified in opposition to the legitimate behavior of OLSRdepicted in conjunction with specification rules similar tothose defined in [70] In particular a node 119873 mistrusts twoneighbors 119871 and 119872 that conform to the following rules119872 advertises 119871 as a neighbor while 119871 does not advertise119872 as a neighbor (or reciprocally) both 119871 and 119872 send TCmessages while 119871rsquos neighbors are a subset of 119872rsquos neighbors(or reciprocally) In addition 119873 mistrusts 119872 if 119873 which isnot a neighbor of 119872 finds itself as a MPR selector in a TCof 119873 (constraint 3) In [44] a FSM is employed to modelthe signature of hello message fabrication in OLSR protocolin an agent-based IDS In practice each node uses a SimpleNetworkManagement Protocol (SNMP) agent so as to collectaudit data from the Management Information Base (MIB)After that events are extracted from the collected audit dataand are matched to the attack signatureThe addressed attackaims at breaking the link between a victim node and itsneighbors and thus a DoS takes place To that end theattacker impersonates the identity of the victim and sends afake hello message advertising one of the victim symmetricneighbors with lost link status Upon receiving the fabricatedmessage the neighbor changes the status of its link withthe victim to ldquoheardrdquo and stops routing packets through thevictim
51 Synthesis and Discussion A great majority of the litera-ture is focused on anomaly detectionwhile scarce effort inves-tigates specification- and signature-based intrusion Thisnaturally calls for consolidating the effort on specification-and signature-based detection while following the habitus ofwired network which consists in coupling these detectionsystems with one another for example in [72] wherein acombination of anomaly- and signature-based detection isrealized so as to increase the detection rate Almost all ofthe IDS focuses only on the detection accuracy that isproviding a high detection rate along with limited falsealarms However they do not consider the criticality ofmaintaining the resources and henceforth extending thelifetime of the nodenetwork Our IDS takes into account thenecessity of reducing to minimum both the communicationand computation overload related to intrusion identificationThe absolute majority of the IDSs is simulated (including thesystem we are proposing) rather than being either developedor experimented on testbeds or relying on empirical data
The reason that explains this situation is twofold Firstthe deployment of critical MANET is limitednot adver-tised Second to the best of our knowledge experiences ofintrusion in MANETs are not reported intrusions are infact developedsimulated as proofs of concept Neverthelessnot only routing protocols but also the characterization ofthe intrusion together leverage on the experience gained indesigning routing protocols for wired networks and deal-ing with related misbehaviors In particular the similarityexisting between the OSPF and OLSR protocols implies thatmany threats (eg sequence numbers identity spoofing) areshared In other words intrusion may be inspired from theone targeting wired networks Meanwhile the developmentof intrusion detection and the envisioning of attacks areaccelerated
6 Conclusion
We survey and classify the attacks that target ad hoc routingprotocols focusing on theOLSRprotocol In order to facilitatethe definition of intrusion signatures we extend a descriptionmodelmdashan attack is expressed as the preconditions andthe resulting consequencesmdashand enrich it with temporalannotations Once hand-coded these signatures are utilizedby IDAR a log-based distributed intrusion detection systemdedicated to operate in mobile ad hoc networks IDARdistinguishes itself by analyzing the logs generated by arouting protocol and extracts intrusion evidences so as tocompare these latter against predefined intrusion signaturesFor this purpose evidences are categorized into four groupsaccording to their degree of suspiciongravity and hence totheir ability to activatedeactivate the diagnostic We furtherdevelop a link spoofing attack on the OLSR protocol buildthe related detection rules and evaluate the performancesof IDAR relying on the NS3 simulator coupled with LXCvirtual machines Overall the experiments figure out ahigh rate of intrusion detection and low false positivesrate even under increased mobility and density Meanwhileresource consumption and network overhead result from thediagnostic are low and adapted to the resource-constraineddevices Note that ongoing effort is provided as to evaluateIDAR in a real MANET consisting of resource-constraineddevices Still detecting intrusion is not a trivial task due tothe large number of evidences to tackle and the resource-consuming diagnostic A compromise between detectionaccuracy and resource consumption could be found For thispurpose we are working on a new statistical mechanism forgathering the evidences This mechanism aims at enhancingthe scalability of our system by restricting the interrogationto a limited subset of nodes during the diagnostic Moreoveruntil now we assume that honest parties are passive theyalarm others but do not react We are considering thecoupling with countermeasures (eg blacklisting) and theexploring of lightweight binary consensus and trust estab-lishment among the nodes that participate in the intrusiondetection
18 International Journal of Distributed Sensor Networks
References
[1] Z Zhao H Hu G Ahn and R Wu ldquoRisk-aware mitigation formanet routing attacksrdquo IEEE Transactions on Dependable andSecure Computing vol 9 no 2 pp 250ndash260 2012
[2] B Sun L Osborne Y Xiao and S Guizani ldquoIntrusion detectiontechniques in mobile ad hoc and wireless sensor networksrdquoIEEE Wireless Communications vol 14 no 5 pp 56ndash63 2007
[3] S Sesay Z Yang and J He ldquoA survey onmobile ad hoc wirelessnetworkrdquo Information Technology Journal vol 3 no 2 pp 168ndash175 2004
[4] P Brutch and C Ko ldquoChallenges in intrusion detection forwireless ad-hoc networksrdquo in Proceedings of the Symposium onApplications and the Internet Workshops (SAINT rsquo03) pp 368ndash373 2003
[5] S Khan N Alrajeh and K Loo ldquoSecure route selection inwireless mesh networksrdquo Computer Networks vol 56 no 2 pp491ndash503 2012
[6] S Corson and J Macker ldquoMobile ad hoc networking (manet)routing protocol performance issues and evaluation considera-tionsrdquo IETF RFC2501 1999
[7] Y Zhang W Lee and Y Huang ldquoIntrusion detection tech-niques for mobile wireless networksrdquoWireless Networks vol 9no 5 pp 545ndash556 2003
[8] B C Cheng and R Y Tseng ldquoA context adaptive intrusiondetection system for MANETrdquo Computer Communications vol34 no 3 pp 310ndash318 2011
[9] T Eissa S A Razak and M D A Ngadi ldquoTowards providinga new lightweight authentication and encryption scheme forMANETrdquoWireless Networks vol 17 no 4 pp 833ndash842 2011
[10] A Irshad W Noshairwan M Shafiq S Khurram E Irshadand M Usman ldquoSecurity enhancement for authentication ofnodes in MANET by checking the CRL status of serversrdquoCommunications in Computer and Information Science vol 78pp 86ndash95 2010
[11] D E Denning ldquoAn intrusion-detection modelrdquo IEEE Transac-tions on Software Engineering vol 13 no 2 pp 222ndash232 1987
[12] T Clausen and P Jacquet ldquoOptimized link state routing proto-col (OLSR)rdquo IETF Experimental RFC 3626 2003
[13] P Albers O Camp J Percher et al ldquoSecurity in ad hoc networksa general intrusion detection architecture enhancing trust basedapproachesrdquo 2002
[14] F Cuppens N Cuppens-Boulahia S Nuon and T RamardldquoProperty based intrusion detection to secure OLSRrdquo in Pro-ceedings of the 3rd International Conference on Wireless andMobile Communications (ICWMC rsquo07) Guadeloupe FranceMarch 2007
[15] W Cohen ldquoFast effective rule inductionrdquo in Proceedings of theInternational Conference onMachine Learning (ICML rsquo95) 1995
[16] S Sarafijanovic and J-Y le Boudec ldquoAn artificial immunesystem for misbehavior detection in mobile ad-hoc networkswith virtual thymus clustering danger signal and memorydetectorsrdquo in Proceedings of the 3rd International Conference onArtificial Immune Systems (ICARIS rsquo04) 2004
[17] S Sen and J Clark Intrusion Detection in Mobile Ad HocNetworks in Guide to Wireless Ad Hoc Networks SpringerLondon UK 2009
[18] D Subhadrabandhu S Sarkar and F Anjum ldquoA Framework formisuse detection in ad hoc networksmdashpart IIrdquo IEEE Journal onSelected Areas in Communications vol 24 no 2 pp 290ndash3032006
[19] L M Feeney and M Nilsson ldquoInvestigating the energyconsumption of a wireless network interface in an ad hocnetworking environmentrdquo in Proceedings of the 20th AnnualJoint Conference of the IEEE Computer and CommunicationsSocieties pp 1548ndash1557 April 2001
[20] A P Lauf R A Peters and W H Robinson ldquoA distributedintrusion detection system for resource-constrained devices inad-hoc networksrdquo Ad Hoc Networks vol 8 no 3 pp 253ndash2662010
[21] N A Alrajeh S Khan J Lloret and J Loo ldquoSecure routingprotocol using cross-layer design and energy harvesting inwireless sensor networksrdquo International Journal of DistributedSensor Networks vol 2013 Article ID 374796 11 pages 2013
[22] S Sen J Clark and J Tapiador Security Threats in MobileAd Hoc Networks I S of Self-Organizing Networks AuerbachPublications 2010
[23] P Ning and K Sun ldquoHow to misuse AODV a case study ofinsider attacks againstmobile ad-hoc routing protocolsrdquoAdHocNetworks vol 3 no 6 pp 795ndash819 2005
[24] T Clausen C Dearlove P Jacquet and U Herberg ldquoTheoptimized link state routing protocol version 2rdquo IETF ActiveInternet-Draft Draft-Ietf-Manet-Olsrv2-15 2012
[25] U Herberg and T Clausen ldquoSecurity issues in the optimizedlink state routing protocol version 2 (olsrv2)rdquo InternationalJournal of Network Security amp Its Applications vol 2 no 2 2010
[26] YOwada TMaenoH Imai andKMase ldquoOLSRv2 implemen-tation and performance evaluation with link layer feedbackrdquo inProceedings of the International Wireless Communications andMobile Computing Conference (IWCMC rsquo07) pp 67ndash72 Newyork NY USA August 2007
[27] F Hong L Hong and C Fu ldquoSecure OLSRrdquo in Proceedingsof the 19th International Conference on Advanced InformationNetworking and Applications (AINA rsquo05) pp 713ndash718 March2005
[28] LNAMHegland P Spilling andQKure ldquoHybrid protectionof olsrrdquo in Electronic Notes in Theoretical Computer Science2006
[29] P Kunwar S Sofat and D Bansal ldquoComparison of secure olsrrouting protocolrdquo International Journal of Engineering Sciencevol 3 no 6 p 5049 2011
[30] A Adnane C Bidan and R T de Sousa Junior ldquoTrust-basedcountermeasures for securing OLSR protocolrdquo in Proceedingsof the 7th IEEEIFIP International Conference on Embedded andUbiquitous Computing (EUC rsquo09) pp 745ndash752 August 2009
[31] B Wu J Chen J Chen J Wu and M Cardei ldquoA survey ofattacks and countermeasures in mobile ad hoc networksrdquo inWireless Network Security Springer New York NY USA 2007
[32] C Adjih D Raffo and P Muhlethaler ldquoAttacks against OLSRdistributed key management for securityrdquo in Proceedings of theOLSR Interop Workshop 2005
[33] G CerveraM Barbeau J Garcia-Alfaro and E Kranakis ldquoMit-igation of topology control traffic attacks in OLSR networksrdquoin Proceedings of the 5th International Conference on Risks andSecurity of Internet and Systems (CRiSIS rsquo10) October 2010
[34] P M Jawandhiya M M Ghonge M S Ali et al ldquoA surveyof mobile ad hoc network attacksrdquo International Journal ofEngineering Science and Technology vol 2 no 9 pp 4063ndash40712010
[35] L M Feeney ldquoAn energy consumption model for performanceanalysis of routing protocols for mobile ad hoc networksrdquoMobile Networks and Applications vol 6 no 3 pp 239ndash2492001
International Journal of Distributed Sensor Networks 19
[36] G Riley and T Henderson ldquoThe ns-3 network simulatorrdquo inModeling and Tools for Network Simulation Springer BerlinGermany 2010
[37] S Bhattiprolu E Biederman S Hallyn et al ldquoVirtual serversand checkpointrestart inmainstream linuxrdquo SIGOPSOperatingSystems Review vol 42 no 5 pp 104ndash113 2008
[38] J Zhang J Xing and Z Qin ldquoTaprouter an emulatingframework to run real applications on simulated mobile adhoc networkrdquo in Proceedings of the 44th Annual SimulationSymposium (ANSS rsquo11) pp 39ndash46 2011
[39] D Broyles A Jabbar and J P G Sterbenz ldquoDesign andanalysis of a 3-d gauss-markov mobility model for highly-dynamic airborne networksrdquo in Proceedings of the InternationalTelemetering Conference (ITC rsquo10) San Diego CA USA 2010
[40] J Haerri F Filali and C Bonnet ldquoPerformance comparisonof AODV and OLSR in vanets urban environments underrealistic mobility patternsrdquo in Proceedings of the IFIP Med-Hoc-Net Workshop 2006
[41] C H Tseng T Song P Balasubramanyam C Ko and K LevittldquoA specification-based intrusion detection model for OLSRrdquoRecent Advances in Intrusion Detection vol 3858 pp 330ndash3502006
[42] S Kurkowski T Camp and M Colagrosso ldquoManet simulationstudies the incrediblesrdquo SIGMOBILE Mobile Computing andCommunications Review vol 9 no 4 pp 50ndash561 2005
[43] A Abdalla I Saroit A Kotb et al ldquoMisbehavior nodesdetection and isolation for MANETs OLSR protocolrdquo ProcediaComputer Science vol 3 pp 115ndash121 2011
[44] R Puttini J Percher L Me et al ldquoA modular architecture fordistributed ids in manetrdquo in Proceedings of the InternationalConference on Computational Science and Its Applications III2003
[45] A Adnane R T de Sousa L Me and C Bidan ldquoAutonomictrust reasoning enables misbehavior detection in OLSRrdquo inProceedings of the 23rd Annual ACM Symposium on AppliedComputing (SAC rsquo08) pp 2006ndash2013 March 2008
[46] W Wang H Man and Y Liu ldquoA framework for intrusiondetection systems by social network analysis methods in ad hocnetworksrdquo Security and Communication Networks vol 2 no 6pp 669ndash685 2009
[47] H Deng R Xu J Li F Zhang R Levy and W Lee ldquoAgent-based cooperative anomaly detection for wireless ad hoc net-worksrdquo in Proceedings of the 12th International Conference onParallel and Distributed Systems (ICPADS rsquo06) pp 613ndash620 July2006
[48] S KurosawaHNakayamaN Kato et al ldquoDetecting blackholesattack on AODV-based mobile ad hoc networks by dynamiclearningmethodrdquo International Journal of Network Security vol5 no 3 pp 338ndash346 2007
[49] WWang HWang BWang et al ldquoEnergy-aware and selfadap-tive anomaly detection scheme based on network tomographyin mobile ad hoc networksrdquo Information Sciences vol 220 pp580ndash602 2013
[50] M-Y Su ldquoPrevention of selective black hole attacks on mobilead hoc networks through intrusion detection systemsrdquo Com-puter Communications vol 34 no 1 pp 107ndash117 2011
[51] N Marchang and R Datta ldquoCollaborative techniques for intru-sion detection in mobile ad-hoc networksrdquo Ad Hoc Networksvol 6 no 4 pp 508ndash523 2008
[52] B V R N Yadav B Satyanarayana and O B V RamanaiahldquoAn efficient intrusion detection system for mobile ad hoc net-worksrdquo in Emerging Trends in Computing Informatics Systems
Sciences and Engineering vol 151 Springer New York NYUSA 2013
[53] Y Huang and W Lee ldquoAttack analysis and detection for ad hocrouting protocolsrdquo in Recent Advances in Intrusion Detectionvol 3224 Springer Berlin Germany 2004
[54] G Vigna S Gwalani K Srinivasan E M Belding-Royer andR A Kemmerer ldquoAn intrusion detection tool for AODV-basedad hoc wireless networksrdquo in Proceedings of the 20th AnnualComputer SecurityApplications Conference (ACSAC rsquo04) pp 16ndash27 December 2004
[55] M Ayachi C Bidan and N Prigent ldquoA trust-based ids for theaodv protocolrdquo in Information and Communications Securityvol 6476 pp 430ndash444 2010
[56] S Sen and J A Clark ldquoA grammatical evolution approach tointrusion detection on mobile ad hoc networksrdquo in Proceedingsof the 2nd ACMConference onWireless Network Security (WiSecrsquo09) pp 95ndash102 March 2009
[57] S Marti T J Giuli K Lai and M Baker ldquoMitigating routingmisbehavior in mobile ad hoc networksrdquo in Proceedings of the6th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo00) pp 255ndash265 August 2000
[58] B Sun K Wu and U Pooch ldquoRouting anomaly detection inmobile ad hoc networksrdquo in Proceedings of The 12th Interna-tional Conference on Computer Communications and Networks(ICCCN rsquo03) 2003
[59] S Bose S Bharathimurugan and A Kannan ldquoMulti-layerintegrated anomaly intrusion detection system for mobileadhoc networksrdquo in Proceedings of the International Conferenceon Signal Processing Communications and Networking (ICSCNrsquo07) pp 360ndash365 February 2007
[60] P Yi Y Zhong and S Zhang ldquoA novel intrusion detectionmethod for mobile ad hoc networksrdquo in Advances in GridComputing vol 3470 pp 1183ndash1192 Springer Berlin Germany2005
[61] C Perkins E Belding-Royer and S Das ldquoAd hoc on-demanddistance vector (AODV) routingrdquo IETF Experimental RFC3561 2003
[62] D Johnson and D Maltz ldquoDynamic source routing in ad hocwireless networksrdquo in Mobile Computing pp 153ndash181 KluwerAcademic 1996
[63] C Perkins and P Bhagwat ldquoHighly dynamic destinationse-quenced distance-vector routing (dsdv) for mobile computersrdquoin Proceedings of the Conference on Communications Architec-tures Protocols and Applications (SIGCOMM rsquo94) vol 24 pp234ndash244 1994
[64] T JoachimsMaking Large-Scale Support VectorMachine Learn-ing Practical MIT Press Cambridge Mass USA 1999
[65] Y Yajima and T Kuo ldquoEfficient formulations for 1-svm and theirapplication to recommendation tasksrdquo Journal of Computersvol 1 no 3 pp 27ndash34 2006
[66] L Bononi and C Tacconi ldquoIntrusion detection for secureclustering and routing inMobileMulti-hopWirelessNetworksrdquoInternational Journal of Information Security vol 6 no 6 pp379ndash392 2007
[67] Y Huang W Fan W Lee et al ldquoCross-feature analysis fordetecting ad-hoc routing anomaliesrdquo in Proceedings of the 23rdInternational Conference on Distributed Computing Systems(ICDCS rsquo03) pp 478ndash487 May 2003
[68] J Quinlan C4 5 Programs for Machine Learning MorganKaufmann Boston Mass USA 1993
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 15
5 Related Work
Systems that detect intrusion targeting ad hoc routing proto-col are extremely diverse in the way they analyze intrusionThey fall into the three key categories
(i) Anomaly detection system defines the correct behav-ior of the nodenetwork so as to detect deviations tothis behavior This correct behavior is automaticallybuilt during an attackless training phase The detec-tion accuracy depends on the ability to (i) describethe correct behavior and (ii) distinguish betweenanomalous and unexpected behaviors
(ii) Specification-based detection system hand-codes thelegitimate functionoperation and then searches for aviolation to this operation
(iii) Signature-based detection system first describes theway an intruder penetrates the system by defining anintrusion signature Then any behavior that is closeto this predefined signature is flagged as intrusion
Hereafter we detail examples of each of these categoriesAnomaly-based detection constitutes the main approachused to detect attacks The IDS proposed by Zhang et al[7] constitutes a de facto standard in MANET It aims atdetecting the attempts to falsify the routes provided by theAODV [61] DSR [62] and DSDV [63] routing protocolsDuring the training phase the impact of movement on thepercentage of changes in the routing table is analyzed Notethat this movement (ie velocity direction and position)is provided by a Global Positioning System (GPS) Thenduring the operation phase an actual percentage of changesdiffering from the predicted one is defined as anomaly Inpractice the distinguishing between anomalous and normalbehaviors is provided by the Support Vector Machine (SVM)Light [64] classifier or by RIPPER [15] a rule-based engineThe hierarchical IDS proposed in [47] detects blackhole androuting request flooding attacks targeting AODV protocolHere MANET is arranged into clusters whereas the nodewith the highest residual energy and number of connectionsis elected as a cluster-head Each cluster-head monitors thetraffic inside its cluster so as to identify the abnormal valuesof (i) the percentage of changes in the routing table and (ii)the propagation of routingdata packets Such abnormalitiesare identified thanks to (1-SVM) classifier [65] a deviationof SVM that needs to be trained with either normal orabnormal scenario but not both of them In [48] (resp [66])a blackhole (and resp dropping) attack targeting AODVprotocol (resp a secured version of AODV protocol includ-ing authentication and reputation estimation) are detectedby investigating features for example the number of routerequests and route replies as well as the average difference ofsequence numbers (Largely increased sequence numbers areknown as a sign of blackhole attack) Then simple anomalydetection is applied if the distance between the actuallyobserved features and the average ones that are recorded dur-ing the training exceeds a given threshold then an intrusionis detected More sophisticated cross-features analysis (CFA)[67] is applied to detect both blackhole and packet drop-ping on AODV and DSR protocols Features including for
example the reachability between 2 nodes and the numberof delivered packets are analyzed within time windows Thisanalysis attempts to quantify the relation existing betweenone feature 119891
119894and the others 119891
1 119891
119894minus1 119891119894+1 119891
119896(with
119896 + 1 defining the number of features analyzed) During theoperation phase the probability of matching between theobserved feature 1198911015840
119894and the predicted feature 119891
119894 which is
established based on 11989110158401 119891
1015840
119894minus1 1198911015840
119894+1 119891
1015840
119896 is calculated by
a decision tree classifier named C45 [68] An anomaly refersto an average of matching probability fewer than a giventhreshold CFA and C45 are also used in [69] with traffic-related features (eg number of receivedtransferred packets)and OLSR- or AODV-related features (eg MPR updates forthe former and route discovery for the latter) A modifiedMarkov chain-based IDS is proposed in [58] so as to detectroute disruption attack targeting DSR protocol Here thedetection depends on identifying unpredicted value of twofeatures the percentage of changes in the number of routesand the percentage of changes in the number of hops Inpractice a Markov chain is based on the immediate previous119899 consecutive values of a feature as to predict the (119899 + 1)thvalue If the difference between a predicted and an observedvalue exceeds a given threshold an intrusion is concluded
Rather than establishing automatically a correct behaviorspecification-based detection system hand-codes the correctbehavior of the routing protocols based on the protocol spec-ification (IETF draft or RFC) Then the system attempts todetect a violation of constraints circumventing this behaviorFour key constraints define the correct behavior of OLSR([14 70])
(1) Neighbor relationmust be reciprocal (ie 2 neighborsmust hear the hello message sent by each other)
(2) TheMPRs and the nodes that select theMPR (ie theMPR selectors) must be adjacent
(3) A node that finds itself advertised as a MPR selectorin a TCmessage must be adjacent to the originator ofthis message
(4) Nodes receive TC messages without modificationsfromMPR(s)
Each node sniffs the traffic in its radio range so as todiscover the violations of any of the above constraints Theseconstraints are modeled by semantic properties in [70] (resprules in [14]) so as to detect link spoofing attack on TC(and resp hello messages) both experiment an ability todetect a link spoofing by observing a violation of the thirdcondition over a simulated network composed of 11 nodesFinite-state machines are used to describe similar constraintson OLSR [41] and the behavior of AODV protocol [52 71]In [41] a centralized detection of link spoofing man-in-the-middle and deny of service attack is performed While in[52 71] incorrect hop countssequence numbers are analyzedby distributed sensors which sniff and group the packets perrequest-reply flow so as to estimate the forwarding path perflow If a route requestreply is illegallymodified or forwardedvia a nonexpected path then an alarm is triggered In [60]similar FSMs are used to define constraints on both the routediscovery in AODV and the packet forwarding operations
16 International Journal of Distributed Sensor Networks
Table4Com
parin
gID
ARperfo
rmance
with
otherIDSs
IDS
Routing
protocol
Num
bero
fno
des
Intrud
ers
()
Moving
speed
Detectio
nrate
False
positives
rate
Increm
entinmem
ory
usage
Increm
entintraffi
coverhead
IDAR
OlSR
30166
0ndash8m
s707ndash963
0ndash132
176ndash
265MB
478ndash6215KB
(036
ndash597
ofOlSRtraffi
c)
[43]
OlSR
303366
10
mdashmdash
mdashmdash
6ndash12
ofOlSR
traffi
c[41]
OlSR
1010
0ms
Detectio
nispo
ssible
mdashmdash
mdash[44]
OlSR
7143
0ms
Detectio
nispo
ssible
mdashmdash
mdash[45]
OlSR
520
0ms
Detectio
nispo
ssible
mdashmdash
mdash[14
]OlSR
119
0ms
Detectio
nispo
ssible
mdashmdash
mdash[46]
AODV
3033
0ndash5m
s3067ndash90
0ndash20
mdashmdash
[47]
AODV
502
0ndash20
ms
90
5
mdashmdash
[48]
AODV
3033
1ndash20
ms
70ndash82
12ndash18
mdashmdash
[49]
AODV
2050
10
1ndash10ms
964ndash9
87
079ndash093
mdash900k
B
[50]
AODV
5238
0ndash20
ms
(Fixed
IDSs)
100
0ndash0
6
mdashmdash
[51]
AODV
521
20238
0ndash10ms
50ndash100
0ndash30
mdashmdash
[52]
AODV
30mdash
0ndash20
ms
70ndash100
05
ndash15
mdashmdash
[53]
AODV
50Ra
ndom
0ndash20
ms
79plusmn10ndash92plusmn3
5plusmn1ndash32plusmn8
mdashmdash
[54]
AODV
102050
mdash0ndash
10ms
0ndash100
0ndash≫100
02ndash06
mdash[55]
AODV
20ndash200
mdash0ndash
20ms
30ndash9
50ndash16
mdashmdash
[56]
AODV
50mdash
1ndash20
ms
998ndash100
083ndash846
mdashmdash
[7]
AODV
mdashmdash
mdash8848plusmn414ndash971plusmn032
145plusmn072ndash202plusmn627
mdashmdash
DSD
Vmdash
mdashmdash
8523plusmn328ndash9061plusmn299
537plusmn310ndash263plusmn549
mdashmdash
DSR
mdashmdash
mdash852plusmn238ndash991plusmn037
003plusmn004ndash153plusmn408
mdashmdash
[57]
DSR
5040
0ndash20
ms
mdashmdash
mdash11ndash313
of
data
traffi
c[58]
DSR
3033
3ndash5m
s60ndash100
25
ndash50
mdashmdash
[59]
DSR
30mdash
mdash75
12
mdashmdash
[60]
DSR
502
0ndash20
ms
837ndash9
74
13ndash72
mdashmdash
International Journal of Distributed Sensor Networks 17
A signature-based system distinguishes itself by model-ing the misbehavior (rather than the correct behavior) soas to identify if a sequence of observed events matchingan intrusion signature AODVSTAT [54] uses state-basedsignatures in order to detect dropping and spoofing attacksalong with network flooding Few sensors sniff the traffic andmatch it against predefined signatures They also exchangeperiodically MAC and IP addresses so as to detect an identityspoofing which is characterized by a node emitting a packetidentified by MAC and IP addresses differing from thoseregistered for this node A dropping attack refers to a nodethat fails to replay route requestreply Finally a node sendinga number of packets exceeding a given threshold is identifiedas willing to exhaust resources In [45] intrusion signaturesare specified in opposition to the legitimate behavior of OLSRdepicted in conjunction with specification rules similar tothose defined in [70] In particular a node 119873 mistrusts twoneighbors 119871 and 119872 that conform to the following rules119872 advertises 119871 as a neighbor while 119871 does not advertise119872 as a neighbor (or reciprocally) both 119871 and 119872 send TCmessages while 119871rsquos neighbors are a subset of 119872rsquos neighbors(or reciprocally) In addition 119873 mistrusts 119872 if 119873 which isnot a neighbor of 119872 finds itself as a MPR selector in a TCof 119873 (constraint 3) In [44] a FSM is employed to modelthe signature of hello message fabrication in OLSR protocolin an agent-based IDS In practice each node uses a SimpleNetworkManagement Protocol (SNMP) agent so as to collectaudit data from the Management Information Base (MIB)After that events are extracted from the collected audit dataand are matched to the attack signatureThe addressed attackaims at breaking the link between a victim node and itsneighbors and thus a DoS takes place To that end theattacker impersonates the identity of the victim and sends afake hello message advertising one of the victim symmetricneighbors with lost link status Upon receiving the fabricatedmessage the neighbor changes the status of its link withthe victim to ldquoheardrdquo and stops routing packets through thevictim
51 Synthesis and Discussion A great majority of the litera-ture is focused on anomaly detectionwhile scarce effort inves-tigates specification- and signature-based intrusion Thisnaturally calls for consolidating the effort on specification-and signature-based detection while following the habitus ofwired network which consists in coupling these detectionsystems with one another for example in [72] wherein acombination of anomaly- and signature-based detection isrealized so as to increase the detection rate Almost all ofthe IDS focuses only on the detection accuracy that isproviding a high detection rate along with limited falsealarms However they do not consider the criticality ofmaintaining the resources and henceforth extending thelifetime of the nodenetwork Our IDS takes into account thenecessity of reducing to minimum both the communicationand computation overload related to intrusion identificationThe absolute majority of the IDSs is simulated (including thesystem we are proposing) rather than being either developedor experimented on testbeds or relying on empirical data
The reason that explains this situation is twofold Firstthe deployment of critical MANET is limitednot adver-tised Second to the best of our knowledge experiences ofintrusion in MANETs are not reported intrusions are infact developedsimulated as proofs of concept Neverthelessnot only routing protocols but also the characterization ofthe intrusion together leverage on the experience gained indesigning routing protocols for wired networks and deal-ing with related misbehaviors In particular the similarityexisting between the OSPF and OLSR protocols implies thatmany threats (eg sequence numbers identity spoofing) areshared In other words intrusion may be inspired from theone targeting wired networks Meanwhile the developmentof intrusion detection and the envisioning of attacks areaccelerated
6 Conclusion
We survey and classify the attacks that target ad hoc routingprotocols focusing on theOLSRprotocol In order to facilitatethe definition of intrusion signatures we extend a descriptionmodelmdashan attack is expressed as the preconditions andthe resulting consequencesmdashand enrich it with temporalannotations Once hand-coded these signatures are utilizedby IDAR a log-based distributed intrusion detection systemdedicated to operate in mobile ad hoc networks IDARdistinguishes itself by analyzing the logs generated by arouting protocol and extracts intrusion evidences so as tocompare these latter against predefined intrusion signaturesFor this purpose evidences are categorized into four groupsaccording to their degree of suspiciongravity and hence totheir ability to activatedeactivate the diagnostic We furtherdevelop a link spoofing attack on the OLSR protocol buildthe related detection rules and evaluate the performancesof IDAR relying on the NS3 simulator coupled with LXCvirtual machines Overall the experiments figure out ahigh rate of intrusion detection and low false positivesrate even under increased mobility and density Meanwhileresource consumption and network overhead result from thediagnostic are low and adapted to the resource-constraineddevices Note that ongoing effort is provided as to evaluateIDAR in a real MANET consisting of resource-constraineddevices Still detecting intrusion is not a trivial task due tothe large number of evidences to tackle and the resource-consuming diagnostic A compromise between detectionaccuracy and resource consumption could be found For thispurpose we are working on a new statistical mechanism forgathering the evidences This mechanism aims at enhancingthe scalability of our system by restricting the interrogationto a limited subset of nodes during the diagnostic Moreoveruntil now we assume that honest parties are passive theyalarm others but do not react We are considering thecoupling with countermeasures (eg blacklisting) and theexploring of lightweight binary consensus and trust estab-lishment among the nodes that participate in the intrusiondetection
18 International Journal of Distributed Sensor Networks
References
[1] Z Zhao H Hu G Ahn and R Wu ldquoRisk-aware mitigation formanet routing attacksrdquo IEEE Transactions on Dependable andSecure Computing vol 9 no 2 pp 250ndash260 2012
[2] B Sun L Osborne Y Xiao and S Guizani ldquoIntrusion detectiontechniques in mobile ad hoc and wireless sensor networksrdquoIEEE Wireless Communications vol 14 no 5 pp 56ndash63 2007
[3] S Sesay Z Yang and J He ldquoA survey onmobile ad hoc wirelessnetworkrdquo Information Technology Journal vol 3 no 2 pp 168ndash175 2004
[4] P Brutch and C Ko ldquoChallenges in intrusion detection forwireless ad-hoc networksrdquo in Proceedings of the Symposium onApplications and the Internet Workshops (SAINT rsquo03) pp 368ndash373 2003
[5] S Khan N Alrajeh and K Loo ldquoSecure route selection inwireless mesh networksrdquo Computer Networks vol 56 no 2 pp491ndash503 2012
[6] S Corson and J Macker ldquoMobile ad hoc networking (manet)routing protocol performance issues and evaluation considera-tionsrdquo IETF RFC2501 1999
[7] Y Zhang W Lee and Y Huang ldquoIntrusion detection tech-niques for mobile wireless networksrdquoWireless Networks vol 9no 5 pp 545ndash556 2003
[8] B C Cheng and R Y Tseng ldquoA context adaptive intrusiondetection system for MANETrdquo Computer Communications vol34 no 3 pp 310ndash318 2011
[9] T Eissa S A Razak and M D A Ngadi ldquoTowards providinga new lightweight authentication and encryption scheme forMANETrdquoWireless Networks vol 17 no 4 pp 833ndash842 2011
[10] A Irshad W Noshairwan M Shafiq S Khurram E Irshadand M Usman ldquoSecurity enhancement for authentication ofnodes in MANET by checking the CRL status of serversrdquoCommunications in Computer and Information Science vol 78pp 86ndash95 2010
[11] D E Denning ldquoAn intrusion-detection modelrdquo IEEE Transac-tions on Software Engineering vol 13 no 2 pp 222ndash232 1987
[12] T Clausen and P Jacquet ldquoOptimized link state routing proto-col (OLSR)rdquo IETF Experimental RFC 3626 2003
[13] P Albers O Camp J Percher et al ldquoSecurity in ad hoc networksa general intrusion detection architecture enhancing trust basedapproachesrdquo 2002
[14] F Cuppens N Cuppens-Boulahia S Nuon and T RamardldquoProperty based intrusion detection to secure OLSRrdquo in Pro-ceedings of the 3rd International Conference on Wireless andMobile Communications (ICWMC rsquo07) Guadeloupe FranceMarch 2007
[15] W Cohen ldquoFast effective rule inductionrdquo in Proceedings of theInternational Conference onMachine Learning (ICML rsquo95) 1995
[16] S Sarafijanovic and J-Y le Boudec ldquoAn artificial immunesystem for misbehavior detection in mobile ad-hoc networkswith virtual thymus clustering danger signal and memorydetectorsrdquo in Proceedings of the 3rd International Conference onArtificial Immune Systems (ICARIS rsquo04) 2004
[17] S Sen and J Clark Intrusion Detection in Mobile Ad HocNetworks in Guide to Wireless Ad Hoc Networks SpringerLondon UK 2009
[18] D Subhadrabandhu S Sarkar and F Anjum ldquoA Framework formisuse detection in ad hoc networksmdashpart IIrdquo IEEE Journal onSelected Areas in Communications vol 24 no 2 pp 290ndash3032006
[19] L M Feeney and M Nilsson ldquoInvestigating the energyconsumption of a wireless network interface in an ad hocnetworking environmentrdquo in Proceedings of the 20th AnnualJoint Conference of the IEEE Computer and CommunicationsSocieties pp 1548ndash1557 April 2001
[20] A P Lauf R A Peters and W H Robinson ldquoA distributedintrusion detection system for resource-constrained devices inad-hoc networksrdquo Ad Hoc Networks vol 8 no 3 pp 253ndash2662010
[21] N A Alrajeh S Khan J Lloret and J Loo ldquoSecure routingprotocol using cross-layer design and energy harvesting inwireless sensor networksrdquo International Journal of DistributedSensor Networks vol 2013 Article ID 374796 11 pages 2013
[22] S Sen J Clark and J Tapiador Security Threats in MobileAd Hoc Networks I S of Self-Organizing Networks AuerbachPublications 2010
[23] P Ning and K Sun ldquoHow to misuse AODV a case study ofinsider attacks againstmobile ad-hoc routing protocolsrdquoAdHocNetworks vol 3 no 6 pp 795ndash819 2005
[24] T Clausen C Dearlove P Jacquet and U Herberg ldquoTheoptimized link state routing protocol version 2rdquo IETF ActiveInternet-Draft Draft-Ietf-Manet-Olsrv2-15 2012
[25] U Herberg and T Clausen ldquoSecurity issues in the optimizedlink state routing protocol version 2 (olsrv2)rdquo InternationalJournal of Network Security amp Its Applications vol 2 no 2 2010
[26] YOwada TMaenoH Imai andKMase ldquoOLSRv2 implemen-tation and performance evaluation with link layer feedbackrdquo inProceedings of the International Wireless Communications andMobile Computing Conference (IWCMC rsquo07) pp 67ndash72 Newyork NY USA August 2007
[27] F Hong L Hong and C Fu ldquoSecure OLSRrdquo in Proceedingsof the 19th International Conference on Advanced InformationNetworking and Applications (AINA rsquo05) pp 713ndash718 March2005
[28] LNAMHegland P Spilling andQKure ldquoHybrid protectionof olsrrdquo in Electronic Notes in Theoretical Computer Science2006
[29] P Kunwar S Sofat and D Bansal ldquoComparison of secure olsrrouting protocolrdquo International Journal of Engineering Sciencevol 3 no 6 p 5049 2011
[30] A Adnane C Bidan and R T de Sousa Junior ldquoTrust-basedcountermeasures for securing OLSR protocolrdquo in Proceedingsof the 7th IEEEIFIP International Conference on Embedded andUbiquitous Computing (EUC rsquo09) pp 745ndash752 August 2009
[31] B Wu J Chen J Chen J Wu and M Cardei ldquoA survey ofattacks and countermeasures in mobile ad hoc networksrdquo inWireless Network Security Springer New York NY USA 2007
[32] C Adjih D Raffo and P Muhlethaler ldquoAttacks against OLSRdistributed key management for securityrdquo in Proceedings of theOLSR Interop Workshop 2005
[33] G CerveraM Barbeau J Garcia-Alfaro and E Kranakis ldquoMit-igation of topology control traffic attacks in OLSR networksrdquoin Proceedings of the 5th International Conference on Risks andSecurity of Internet and Systems (CRiSIS rsquo10) October 2010
[34] P M Jawandhiya M M Ghonge M S Ali et al ldquoA surveyof mobile ad hoc network attacksrdquo International Journal ofEngineering Science and Technology vol 2 no 9 pp 4063ndash40712010
[35] L M Feeney ldquoAn energy consumption model for performanceanalysis of routing protocols for mobile ad hoc networksrdquoMobile Networks and Applications vol 6 no 3 pp 239ndash2492001
International Journal of Distributed Sensor Networks 19
[36] G Riley and T Henderson ldquoThe ns-3 network simulatorrdquo inModeling and Tools for Network Simulation Springer BerlinGermany 2010
[37] S Bhattiprolu E Biederman S Hallyn et al ldquoVirtual serversand checkpointrestart inmainstream linuxrdquo SIGOPSOperatingSystems Review vol 42 no 5 pp 104ndash113 2008
[38] J Zhang J Xing and Z Qin ldquoTaprouter an emulatingframework to run real applications on simulated mobile adhoc networkrdquo in Proceedings of the 44th Annual SimulationSymposium (ANSS rsquo11) pp 39ndash46 2011
[39] D Broyles A Jabbar and J P G Sterbenz ldquoDesign andanalysis of a 3-d gauss-markov mobility model for highly-dynamic airborne networksrdquo in Proceedings of the InternationalTelemetering Conference (ITC rsquo10) San Diego CA USA 2010
[40] J Haerri F Filali and C Bonnet ldquoPerformance comparisonof AODV and OLSR in vanets urban environments underrealistic mobility patternsrdquo in Proceedings of the IFIP Med-Hoc-Net Workshop 2006
[41] C H Tseng T Song P Balasubramanyam C Ko and K LevittldquoA specification-based intrusion detection model for OLSRrdquoRecent Advances in Intrusion Detection vol 3858 pp 330ndash3502006
[42] S Kurkowski T Camp and M Colagrosso ldquoManet simulationstudies the incrediblesrdquo SIGMOBILE Mobile Computing andCommunications Review vol 9 no 4 pp 50ndash561 2005
[43] A Abdalla I Saroit A Kotb et al ldquoMisbehavior nodesdetection and isolation for MANETs OLSR protocolrdquo ProcediaComputer Science vol 3 pp 115ndash121 2011
[44] R Puttini J Percher L Me et al ldquoA modular architecture fordistributed ids in manetrdquo in Proceedings of the InternationalConference on Computational Science and Its Applications III2003
[45] A Adnane R T de Sousa L Me and C Bidan ldquoAutonomictrust reasoning enables misbehavior detection in OLSRrdquo inProceedings of the 23rd Annual ACM Symposium on AppliedComputing (SAC rsquo08) pp 2006ndash2013 March 2008
[46] W Wang H Man and Y Liu ldquoA framework for intrusiondetection systems by social network analysis methods in ad hocnetworksrdquo Security and Communication Networks vol 2 no 6pp 669ndash685 2009
[47] H Deng R Xu J Li F Zhang R Levy and W Lee ldquoAgent-based cooperative anomaly detection for wireless ad hoc net-worksrdquo in Proceedings of the 12th International Conference onParallel and Distributed Systems (ICPADS rsquo06) pp 613ndash620 July2006
[48] S KurosawaHNakayamaN Kato et al ldquoDetecting blackholesattack on AODV-based mobile ad hoc networks by dynamiclearningmethodrdquo International Journal of Network Security vol5 no 3 pp 338ndash346 2007
[49] WWang HWang BWang et al ldquoEnergy-aware and selfadap-tive anomaly detection scheme based on network tomographyin mobile ad hoc networksrdquo Information Sciences vol 220 pp580ndash602 2013
[50] M-Y Su ldquoPrevention of selective black hole attacks on mobilead hoc networks through intrusion detection systemsrdquo Com-puter Communications vol 34 no 1 pp 107ndash117 2011
[51] N Marchang and R Datta ldquoCollaborative techniques for intru-sion detection in mobile ad-hoc networksrdquo Ad Hoc Networksvol 6 no 4 pp 508ndash523 2008
[52] B V R N Yadav B Satyanarayana and O B V RamanaiahldquoAn efficient intrusion detection system for mobile ad hoc net-worksrdquo in Emerging Trends in Computing Informatics Systems
Sciences and Engineering vol 151 Springer New York NYUSA 2013
[53] Y Huang and W Lee ldquoAttack analysis and detection for ad hocrouting protocolsrdquo in Recent Advances in Intrusion Detectionvol 3224 Springer Berlin Germany 2004
[54] G Vigna S Gwalani K Srinivasan E M Belding-Royer andR A Kemmerer ldquoAn intrusion detection tool for AODV-basedad hoc wireless networksrdquo in Proceedings of the 20th AnnualComputer SecurityApplications Conference (ACSAC rsquo04) pp 16ndash27 December 2004
[55] M Ayachi C Bidan and N Prigent ldquoA trust-based ids for theaodv protocolrdquo in Information and Communications Securityvol 6476 pp 430ndash444 2010
[56] S Sen and J A Clark ldquoA grammatical evolution approach tointrusion detection on mobile ad hoc networksrdquo in Proceedingsof the 2nd ACMConference onWireless Network Security (WiSecrsquo09) pp 95ndash102 March 2009
[57] S Marti T J Giuli K Lai and M Baker ldquoMitigating routingmisbehavior in mobile ad hoc networksrdquo in Proceedings of the6th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo00) pp 255ndash265 August 2000
[58] B Sun K Wu and U Pooch ldquoRouting anomaly detection inmobile ad hoc networksrdquo in Proceedings of The 12th Interna-tional Conference on Computer Communications and Networks(ICCCN rsquo03) 2003
[59] S Bose S Bharathimurugan and A Kannan ldquoMulti-layerintegrated anomaly intrusion detection system for mobileadhoc networksrdquo in Proceedings of the International Conferenceon Signal Processing Communications and Networking (ICSCNrsquo07) pp 360ndash365 February 2007
[60] P Yi Y Zhong and S Zhang ldquoA novel intrusion detectionmethod for mobile ad hoc networksrdquo in Advances in GridComputing vol 3470 pp 1183ndash1192 Springer Berlin Germany2005
[61] C Perkins E Belding-Royer and S Das ldquoAd hoc on-demanddistance vector (AODV) routingrdquo IETF Experimental RFC3561 2003
[62] D Johnson and D Maltz ldquoDynamic source routing in ad hocwireless networksrdquo in Mobile Computing pp 153ndash181 KluwerAcademic 1996
[63] C Perkins and P Bhagwat ldquoHighly dynamic destinationse-quenced distance-vector routing (dsdv) for mobile computersrdquoin Proceedings of the Conference on Communications Architec-tures Protocols and Applications (SIGCOMM rsquo94) vol 24 pp234ndash244 1994
[64] T JoachimsMaking Large-Scale Support VectorMachine Learn-ing Practical MIT Press Cambridge Mass USA 1999
[65] Y Yajima and T Kuo ldquoEfficient formulations for 1-svm and theirapplication to recommendation tasksrdquo Journal of Computersvol 1 no 3 pp 27ndash34 2006
[66] L Bononi and C Tacconi ldquoIntrusion detection for secureclustering and routing inMobileMulti-hopWirelessNetworksrdquoInternational Journal of Information Security vol 6 no 6 pp379ndash392 2007
[67] Y Huang W Fan W Lee et al ldquoCross-feature analysis fordetecting ad-hoc routing anomaliesrdquo in Proceedings of the 23rdInternational Conference on Distributed Computing Systems(ICDCS rsquo03) pp 478ndash487 May 2003
[68] J Quinlan C4 5 Programs for Machine Learning MorganKaufmann Boston Mass USA 1993
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
16 International Journal of Distributed Sensor Networks
Table4Com
parin
gID
ARperfo
rmance
with
otherIDSs
IDS
Routing
protocol
Num
bero
fno
des
Intrud
ers
()
Moving
speed
Detectio
nrate
False
positives
rate
Increm
entinmem
ory
usage
Increm
entintraffi
coverhead
IDAR
OlSR
30166
0ndash8m
s707ndash963
0ndash132
176ndash
265MB
478ndash6215KB
(036
ndash597
ofOlSRtraffi
c)
[43]
OlSR
303366
10
mdashmdash
mdashmdash
6ndash12
ofOlSR
traffi
c[41]
OlSR
1010
0ms
Detectio
nispo
ssible
mdashmdash
mdash[44]
OlSR
7143
0ms
Detectio
nispo
ssible
mdashmdash
mdash[45]
OlSR
520
0ms
Detectio
nispo
ssible
mdashmdash
mdash[14
]OlSR
119
0ms
Detectio
nispo
ssible
mdashmdash
mdash[46]
AODV
3033
0ndash5m
s3067ndash90
0ndash20
mdashmdash
[47]
AODV
502
0ndash20
ms
90
5
mdashmdash
[48]
AODV
3033
1ndash20
ms
70ndash82
12ndash18
mdashmdash
[49]
AODV
2050
10
1ndash10ms
964ndash9
87
079ndash093
mdash900k
B
[50]
AODV
5238
0ndash20
ms
(Fixed
IDSs)
100
0ndash0
6
mdashmdash
[51]
AODV
521
20238
0ndash10ms
50ndash100
0ndash30
mdashmdash
[52]
AODV
30mdash
0ndash20
ms
70ndash100
05
ndash15
mdashmdash
[53]
AODV
50Ra
ndom
0ndash20
ms
79plusmn10ndash92plusmn3
5plusmn1ndash32plusmn8
mdashmdash
[54]
AODV
102050
mdash0ndash
10ms
0ndash100
0ndash≫100
02ndash06
mdash[55]
AODV
20ndash200
mdash0ndash
20ms
30ndash9
50ndash16
mdashmdash
[56]
AODV
50mdash
1ndash20
ms
998ndash100
083ndash846
mdashmdash
[7]
AODV
mdashmdash
mdash8848plusmn414ndash971plusmn032
145plusmn072ndash202plusmn627
mdashmdash
DSD
Vmdash
mdashmdash
8523plusmn328ndash9061plusmn299
537plusmn310ndash263plusmn549
mdashmdash
DSR
mdashmdash
mdash852plusmn238ndash991plusmn037
003plusmn004ndash153plusmn408
mdashmdash
[57]
DSR
5040
0ndash20
ms
mdashmdash
mdash11ndash313
of
data
traffi
c[58]
DSR
3033
3ndash5m
s60ndash100
25
ndash50
mdashmdash
[59]
DSR
30mdash
mdash75
12
mdashmdash
[60]
DSR
502
0ndash20
ms
837ndash9
74
13ndash72
mdashmdash
International Journal of Distributed Sensor Networks 17
A signature-based system distinguishes itself by model-ing the misbehavior (rather than the correct behavior) soas to identify if a sequence of observed events matchingan intrusion signature AODVSTAT [54] uses state-basedsignatures in order to detect dropping and spoofing attacksalong with network flooding Few sensors sniff the traffic andmatch it against predefined signatures They also exchangeperiodically MAC and IP addresses so as to detect an identityspoofing which is characterized by a node emitting a packetidentified by MAC and IP addresses differing from thoseregistered for this node A dropping attack refers to a nodethat fails to replay route requestreply Finally a node sendinga number of packets exceeding a given threshold is identifiedas willing to exhaust resources In [45] intrusion signaturesare specified in opposition to the legitimate behavior of OLSRdepicted in conjunction with specification rules similar tothose defined in [70] In particular a node 119873 mistrusts twoneighbors 119871 and 119872 that conform to the following rules119872 advertises 119871 as a neighbor while 119871 does not advertise119872 as a neighbor (or reciprocally) both 119871 and 119872 send TCmessages while 119871rsquos neighbors are a subset of 119872rsquos neighbors(or reciprocally) In addition 119873 mistrusts 119872 if 119873 which isnot a neighbor of 119872 finds itself as a MPR selector in a TCof 119873 (constraint 3) In [44] a FSM is employed to modelthe signature of hello message fabrication in OLSR protocolin an agent-based IDS In practice each node uses a SimpleNetworkManagement Protocol (SNMP) agent so as to collectaudit data from the Management Information Base (MIB)After that events are extracted from the collected audit dataand are matched to the attack signatureThe addressed attackaims at breaking the link between a victim node and itsneighbors and thus a DoS takes place To that end theattacker impersonates the identity of the victim and sends afake hello message advertising one of the victim symmetricneighbors with lost link status Upon receiving the fabricatedmessage the neighbor changes the status of its link withthe victim to ldquoheardrdquo and stops routing packets through thevictim
51 Synthesis and Discussion A great majority of the litera-ture is focused on anomaly detectionwhile scarce effort inves-tigates specification- and signature-based intrusion Thisnaturally calls for consolidating the effort on specification-and signature-based detection while following the habitus ofwired network which consists in coupling these detectionsystems with one another for example in [72] wherein acombination of anomaly- and signature-based detection isrealized so as to increase the detection rate Almost all ofthe IDS focuses only on the detection accuracy that isproviding a high detection rate along with limited falsealarms However they do not consider the criticality ofmaintaining the resources and henceforth extending thelifetime of the nodenetwork Our IDS takes into account thenecessity of reducing to minimum both the communicationand computation overload related to intrusion identificationThe absolute majority of the IDSs is simulated (including thesystem we are proposing) rather than being either developedor experimented on testbeds or relying on empirical data
The reason that explains this situation is twofold Firstthe deployment of critical MANET is limitednot adver-tised Second to the best of our knowledge experiences ofintrusion in MANETs are not reported intrusions are infact developedsimulated as proofs of concept Neverthelessnot only routing protocols but also the characterization ofthe intrusion together leverage on the experience gained indesigning routing protocols for wired networks and deal-ing with related misbehaviors In particular the similarityexisting between the OSPF and OLSR protocols implies thatmany threats (eg sequence numbers identity spoofing) areshared In other words intrusion may be inspired from theone targeting wired networks Meanwhile the developmentof intrusion detection and the envisioning of attacks areaccelerated
6 Conclusion
We survey and classify the attacks that target ad hoc routingprotocols focusing on theOLSRprotocol In order to facilitatethe definition of intrusion signatures we extend a descriptionmodelmdashan attack is expressed as the preconditions andthe resulting consequencesmdashand enrich it with temporalannotations Once hand-coded these signatures are utilizedby IDAR a log-based distributed intrusion detection systemdedicated to operate in mobile ad hoc networks IDARdistinguishes itself by analyzing the logs generated by arouting protocol and extracts intrusion evidences so as tocompare these latter against predefined intrusion signaturesFor this purpose evidences are categorized into four groupsaccording to their degree of suspiciongravity and hence totheir ability to activatedeactivate the diagnostic We furtherdevelop a link spoofing attack on the OLSR protocol buildthe related detection rules and evaluate the performancesof IDAR relying on the NS3 simulator coupled with LXCvirtual machines Overall the experiments figure out ahigh rate of intrusion detection and low false positivesrate even under increased mobility and density Meanwhileresource consumption and network overhead result from thediagnostic are low and adapted to the resource-constraineddevices Note that ongoing effort is provided as to evaluateIDAR in a real MANET consisting of resource-constraineddevices Still detecting intrusion is not a trivial task due tothe large number of evidences to tackle and the resource-consuming diagnostic A compromise between detectionaccuracy and resource consumption could be found For thispurpose we are working on a new statistical mechanism forgathering the evidences This mechanism aims at enhancingthe scalability of our system by restricting the interrogationto a limited subset of nodes during the diagnostic Moreoveruntil now we assume that honest parties are passive theyalarm others but do not react We are considering thecoupling with countermeasures (eg blacklisting) and theexploring of lightweight binary consensus and trust estab-lishment among the nodes that participate in the intrusiondetection
18 International Journal of Distributed Sensor Networks
References
[1] Z Zhao H Hu G Ahn and R Wu ldquoRisk-aware mitigation formanet routing attacksrdquo IEEE Transactions on Dependable andSecure Computing vol 9 no 2 pp 250ndash260 2012
[2] B Sun L Osborne Y Xiao and S Guizani ldquoIntrusion detectiontechniques in mobile ad hoc and wireless sensor networksrdquoIEEE Wireless Communications vol 14 no 5 pp 56ndash63 2007
[3] S Sesay Z Yang and J He ldquoA survey onmobile ad hoc wirelessnetworkrdquo Information Technology Journal vol 3 no 2 pp 168ndash175 2004
[4] P Brutch and C Ko ldquoChallenges in intrusion detection forwireless ad-hoc networksrdquo in Proceedings of the Symposium onApplications and the Internet Workshops (SAINT rsquo03) pp 368ndash373 2003
[5] S Khan N Alrajeh and K Loo ldquoSecure route selection inwireless mesh networksrdquo Computer Networks vol 56 no 2 pp491ndash503 2012
[6] S Corson and J Macker ldquoMobile ad hoc networking (manet)routing protocol performance issues and evaluation considera-tionsrdquo IETF RFC2501 1999
[7] Y Zhang W Lee and Y Huang ldquoIntrusion detection tech-niques for mobile wireless networksrdquoWireless Networks vol 9no 5 pp 545ndash556 2003
[8] B C Cheng and R Y Tseng ldquoA context adaptive intrusiondetection system for MANETrdquo Computer Communications vol34 no 3 pp 310ndash318 2011
[9] T Eissa S A Razak and M D A Ngadi ldquoTowards providinga new lightweight authentication and encryption scheme forMANETrdquoWireless Networks vol 17 no 4 pp 833ndash842 2011
[10] A Irshad W Noshairwan M Shafiq S Khurram E Irshadand M Usman ldquoSecurity enhancement for authentication ofnodes in MANET by checking the CRL status of serversrdquoCommunications in Computer and Information Science vol 78pp 86ndash95 2010
[11] D E Denning ldquoAn intrusion-detection modelrdquo IEEE Transac-tions on Software Engineering vol 13 no 2 pp 222ndash232 1987
[12] T Clausen and P Jacquet ldquoOptimized link state routing proto-col (OLSR)rdquo IETF Experimental RFC 3626 2003
[13] P Albers O Camp J Percher et al ldquoSecurity in ad hoc networksa general intrusion detection architecture enhancing trust basedapproachesrdquo 2002
[14] F Cuppens N Cuppens-Boulahia S Nuon and T RamardldquoProperty based intrusion detection to secure OLSRrdquo in Pro-ceedings of the 3rd International Conference on Wireless andMobile Communications (ICWMC rsquo07) Guadeloupe FranceMarch 2007
[15] W Cohen ldquoFast effective rule inductionrdquo in Proceedings of theInternational Conference onMachine Learning (ICML rsquo95) 1995
[16] S Sarafijanovic and J-Y le Boudec ldquoAn artificial immunesystem for misbehavior detection in mobile ad-hoc networkswith virtual thymus clustering danger signal and memorydetectorsrdquo in Proceedings of the 3rd International Conference onArtificial Immune Systems (ICARIS rsquo04) 2004
[17] S Sen and J Clark Intrusion Detection in Mobile Ad HocNetworks in Guide to Wireless Ad Hoc Networks SpringerLondon UK 2009
[18] D Subhadrabandhu S Sarkar and F Anjum ldquoA Framework formisuse detection in ad hoc networksmdashpart IIrdquo IEEE Journal onSelected Areas in Communications vol 24 no 2 pp 290ndash3032006
[19] L M Feeney and M Nilsson ldquoInvestigating the energyconsumption of a wireless network interface in an ad hocnetworking environmentrdquo in Proceedings of the 20th AnnualJoint Conference of the IEEE Computer and CommunicationsSocieties pp 1548ndash1557 April 2001
[20] A P Lauf R A Peters and W H Robinson ldquoA distributedintrusion detection system for resource-constrained devices inad-hoc networksrdquo Ad Hoc Networks vol 8 no 3 pp 253ndash2662010
[21] N A Alrajeh S Khan J Lloret and J Loo ldquoSecure routingprotocol using cross-layer design and energy harvesting inwireless sensor networksrdquo International Journal of DistributedSensor Networks vol 2013 Article ID 374796 11 pages 2013
[22] S Sen J Clark and J Tapiador Security Threats in MobileAd Hoc Networks I S of Self-Organizing Networks AuerbachPublications 2010
[23] P Ning and K Sun ldquoHow to misuse AODV a case study ofinsider attacks againstmobile ad-hoc routing protocolsrdquoAdHocNetworks vol 3 no 6 pp 795ndash819 2005
[24] T Clausen C Dearlove P Jacquet and U Herberg ldquoTheoptimized link state routing protocol version 2rdquo IETF ActiveInternet-Draft Draft-Ietf-Manet-Olsrv2-15 2012
[25] U Herberg and T Clausen ldquoSecurity issues in the optimizedlink state routing protocol version 2 (olsrv2)rdquo InternationalJournal of Network Security amp Its Applications vol 2 no 2 2010
[26] YOwada TMaenoH Imai andKMase ldquoOLSRv2 implemen-tation and performance evaluation with link layer feedbackrdquo inProceedings of the International Wireless Communications andMobile Computing Conference (IWCMC rsquo07) pp 67ndash72 Newyork NY USA August 2007
[27] F Hong L Hong and C Fu ldquoSecure OLSRrdquo in Proceedingsof the 19th International Conference on Advanced InformationNetworking and Applications (AINA rsquo05) pp 713ndash718 March2005
[28] LNAMHegland P Spilling andQKure ldquoHybrid protectionof olsrrdquo in Electronic Notes in Theoretical Computer Science2006
[29] P Kunwar S Sofat and D Bansal ldquoComparison of secure olsrrouting protocolrdquo International Journal of Engineering Sciencevol 3 no 6 p 5049 2011
[30] A Adnane C Bidan and R T de Sousa Junior ldquoTrust-basedcountermeasures for securing OLSR protocolrdquo in Proceedingsof the 7th IEEEIFIP International Conference on Embedded andUbiquitous Computing (EUC rsquo09) pp 745ndash752 August 2009
[31] B Wu J Chen J Chen J Wu and M Cardei ldquoA survey ofattacks and countermeasures in mobile ad hoc networksrdquo inWireless Network Security Springer New York NY USA 2007
[32] C Adjih D Raffo and P Muhlethaler ldquoAttacks against OLSRdistributed key management for securityrdquo in Proceedings of theOLSR Interop Workshop 2005
[33] G CerveraM Barbeau J Garcia-Alfaro and E Kranakis ldquoMit-igation of topology control traffic attacks in OLSR networksrdquoin Proceedings of the 5th International Conference on Risks andSecurity of Internet and Systems (CRiSIS rsquo10) October 2010
[34] P M Jawandhiya M M Ghonge M S Ali et al ldquoA surveyof mobile ad hoc network attacksrdquo International Journal ofEngineering Science and Technology vol 2 no 9 pp 4063ndash40712010
[35] L M Feeney ldquoAn energy consumption model for performanceanalysis of routing protocols for mobile ad hoc networksrdquoMobile Networks and Applications vol 6 no 3 pp 239ndash2492001
International Journal of Distributed Sensor Networks 19
[36] G Riley and T Henderson ldquoThe ns-3 network simulatorrdquo inModeling and Tools for Network Simulation Springer BerlinGermany 2010
[37] S Bhattiprolu E Biederman S Hallyn et al ldquoVirtual serversand checkpointrestart inmainstream linuxrdquo SIGOPSOperatingSystems Review vol 42 no 5 pp 104ndash113 2008
[38] J Zhang J Xing and Z Qin ldquoTaprouter an emulatingframework to run real applications on simulated mobile adhoc networkrdquo in Proceedings of the 44th Annual SimulationSymposium (ANSS rsquo11) pp 39ndash46 2011
[39] D Broyles A Jabbar and J P G Sterbenz ldquoDesign andanalysis of a 3-d gauss-markov mobility model for highly-dynamic airborne networksrdquo in Proceedings of the InternationalTelemetering Conference (ITC rsquo10) San Diego CA USA 2010
[40] J Haerri F Filali and C Bonnet ldquoPerformance comparisonof AODV and OLSR in vanets urban environments underrealistic mobility patternsrdquo in Proceedings of the IFIP Med-Hoc-Net Workshop 2006
[41] C H Tseng T Song P Balasubramanyam C Ko and K LevittldquoA specification-based intrusion detection model for OLSRrdquoRecent Advances in Intrusion Detection vol 3858 pp 330ndash3502006
[42] S Kurkowski T Camp and M Colagrosso ldquoManet simulationstudies the incrediblesrdquo SIGMOBILE Mobile Computing andCommunications Review vol 9 no 4 pp 50ndash561 2005
[43] A Abdalla I Saroit A Kotb et al ldquoMisbehavior nodesdetection and isolation for MANETs OLSR protocolrdquo ProcediaComputer Science vol 3 pp 115ndash121 2011
[44] R Puttini J Percher L Me et al ldquoA modular architecture fordistributed ids in manetrdquo in Proceedings of the InternationalConference on Computational Science and Its Applications III2003
[45] A Adnane R T de Sousa L Me and C Bidan ldquoAutonomictrust reasoning enables misbehavior detection in OLSRrdquo inProceedings of the 23rd Annual ACM Symposium on AppliedComputing (SAC rsquo08) pp 2006ndash2013 March 2008
[46] W Wang H Man and Y Liu ldquoA framework for intrusiondetection systems by social network analysis methods in ad hocnetworksrdquo Security and Communication Networks vol 2 no 6pp 669ndash685 2009
[47] H Deng R Xu J Li F Zhang R Levy and W Lee ldquoAgent-based cooperative anomaly detection for wireless ad hoc net-worksrdquo in Proceedings of the 12th International Conference onParallel and Distributed Systems (ICPADS rsquo06) pp 613ndash620 July2006
[48] S KurosawaHNakayamaN Kato et al ldquoDetecting blackholesattack on AODV-based mobile ad hoc networks by dynamiclearningmethodrdquo International Journal of Network Security vol5 no 3 pp 338ndash346 2007
[49] WWang HWang BWang et al ldquoEnergy-aware and selfadap-tive anomaly detection scheme based on network tomographyin mobile ad hoc networksrdquo Information Sciences vol 220 pp580ndash602 2013
[50] M-Y Su ldquoPrevention of selective black hole attacks on mobilead hoc networks through intrusion detection systemsrdquo Com-puter Communications vol 34 no 1 pp 107ndash117 2011
[51] N Marchang and R Datta ldquoCollaborative techniques for intru-sion detection in mobile ad-hoc networksrdquo Ad Hoc Networksvol 6 no 4 pp 508ndash523 2008
[52] B V R N Yadav B Satyanarayana and O B V RamanaiahldquoAn efficient intrusion detection system for mobile ad hoc net-worksrdquo in Emerging Trends in Computing Informatics Systems
Sciences and Engineering vol 151 Springer New York NYUSA 2013
[53] Y Huang and W Lee ldquoAttack analysis and detection for ad hocrouting protocolsrdquo in Recent Advances in Intrusion Detectionvol 3224 Springer Berlin Germany 2004
[54] G Vigna S Gwalani K Srinivasan E M Belding-Royer andR A Kemmerer ldquoAn intrusion detection tool for AODV-basedad hoc wireless networksrdquo in Proceedings of the 20th AnnualComputer SecurityApplications Conference (ACSAC rsquo04) pp 16ndash27 December 2004
[55] M Ayachi C Bidan and N Prigent ldquoA trust-based ids for theaodv protocolrdquo in Information and Communications Securityvol 6476 pp 430ndash444 2010
[56] S Sen and J A Clark ldquoA grammatical evolution approach tointrusion detection on mobile ad hoc networksrdquo in Proceedingsof the 2nd ACMConference onWireless Network Security (WiSecrsquo09) pp 95ndash102 March 2009
[57] S Marti T J Giuli K Lai and M Baker ldquoMitigating routingmisbehavior in mobile ad hoc networksrdquo in Proceedings of the6th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo00) pp 255ndash265 August 2000
[58] B Sun K Wu and U Pooch ldquoRouting anomaly detection inmobile ad hoc networksrdquo in Proceedings of The 12th Interna-tional Conference on Computer Communications and Networks(ICCCN rsquo03) 2003
[59] S Bose S Bharathimurugan and A Kannan ldquoMulti-layerintegrated anomaly intrusion detection system for mobileadhoc networksrdquo in Proceedings of the International Conferenceon Signal Processing Communications and Networking (ICSCNrsquo07) pp 360ndash365 February 2007
[60] P Yi Y Zhong and S Zhang ldquoA novel intrusion detectionmethod for mobile ad hoc networksrdquo in Advances in GridComputing vol 3470 pp 1183ndash1192 Springer Berlin Germany2005
[61] C Perkins E Belding-Royer and S Das ldquoAd hoc on-demanddistance vector (AODV) routingrdquo IETF Experimental RFC3561 2003
[62] D Johnson and D Maltz ldquoDynamic source routing in ad hocwireless networksrdquo in Mobile Computing pp 153ndash181 KluwerAcademic 1996
[63] C Perkins and P Bhagwat ldquoHighly dynamic destinationse-quenced distance-vector routing (dsdv) for mobile computersrdquoin Proceedings of the Conference on Communications Architec-tures Protocols and Applications (SIGCOMM rsquo94) vol 24 pp234ndash244 1994
[64] T JoachimsMaking Large-Scale Support VectorMachine Learn-ing Practical MIT Press Cambridge Mass USA 1999
[65] Y Yajima and T Kuo ldquoEfficient formulations for 1-svm and theirapplication to recommendation tasksrdquo Journal of Computersvol 1 no 3 pp 27ndash34 2006
[66] L Bononi and C Tacconi ldquoIntrusion detection for secureclustering and routing inMobileMulti-hopWirelessNetworksrdquoInternational Journal of Information Security vol 6 no 6 pp379ndash392 2007
[67] Y Huang W Fan W Lee et al ldquoCross-feature analysis fordetecting ad-hoc routing anomaliesrdquo in Proceedings of the 23rdInternational Conference on Distributed Computing Systems(ICDCS rsquo03) pp 478ndash487 May 2003
[68] J Quinlan C4 5 Programs for Machine Learning MorganKaufmann Boston Mass USA 1993
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 17
A signature-based system distinguishes itself by model-ing the misbehavior (rather than the correct behavior) soas to identify if a sequence of observed events matchingan intrusion signature AODVSTAT [54] uses state-basedsignatures in order to detect dropping and spoofing attacksalong with network flooding Few sensors sniff the traffic andmatch it against predefined signatures They also exchangeperiodically MAC and IP addresses so as to detect an identityspoofing which is characterized by a node emitting a packetidentified by MAC and IP addresses differing from thoseregistered for this node A dropping attack refers to a nodethat fails to replay route requestreply Finally a node sendinga number of packets exceeding a given threshold is identifiedas willing to exhaust resources In [45] intrusion signaturesare specified in opposition to the legitimate behavior of OLSRdepicted in conjunction with specification rules similar tothose defined in [70] In particular a node 119873 mistrusts twoneighbors 119871 and 119872 that conform to the following rules119872 advertises 119871 as a neighbor while 119871 does not advertise119872 as a neighbor (or reciprocally) both 119871 and 119872 send TCmessages while 119871rsquos neighbors are a subset of 119872rsquos neighbors(or reciprocally) In addition 119873 mistrusts 119872 if 119873 which isnot a neighbor of 119872 finds itself as a MPR selector in a TCof 119873 (constraint 3) In [44] a FSM is employed to modelthe signature of hello message fabrication in OLSR protocolin an agent-based IDS In practice each node uses a SimpleNetworkManagement Protocol (SNMP) agent so as to collectaudit data from the Management Information Base (MIB)After that events are extracted from the collected audit dataand are matched to the attack signatureThe addressed attackaims at breaking the link between a victim node and itsneighbors and thus a DoS takes place To that end theattacker impersonates the identity of the victim and sends afake hello message advertising one of the victim symmetricneighbors with lost link status Upon receiving the fabricatedmessage the neighbor changes the status of its link withthe victim to ldquoheardrdquo and stops routing packets through thevictim
51 Synthesis and Discussion A great majority of the litera-ture is focused on anomaly detectionwhile scarce effort inves-tigates specification- and signature-based intrusion Thisnaturally calls for consolidating the effort on specification-and signature-based detection while following the habitus ofwired network which consists in coupling these detectionsystems with one another for example in [72] wherein acombination of anomaly- and signature-based detection isrealized so as to increase the detection rate Almost all ofthe IDS focuses only on the detection accuracy that isproviding a high detection rate along with limited falsealarms However they do not consider the criticality ofmaintaining the resources and henceforth extending thelifetime of the nodenetwork Our IDS takes into account thenecessity of reducing to minimum both the communicationand computation overload related to intrusion identificationThe absolute majority of the IDSs is simulated (including thesystem we are proposing) rather than being either developedor experimented on testbeds or relying on empirical data
The reason that explains this situation is twofold Firstthe deployment of critical MANET is limitednot adver-tised Second to the best of our knowledge experiences ofintrusion in MANETs are not reported intrusions are infact developedsimulated as proofs of concept Neverthelessnot only routing protocols but also the characterization ofthe intrusion together leverage on the experience gained indesigning routing protocols for wired networks and deal-ing with related misbehaviors In particular the similarityexisting between the OSPF and OLSR protocols implies thatmany threats (eg sequence numbers identity spoofing) areshared In other words intrusion may be inspired from theone targeting wired networks Meanwhile the developmentof intrusion detection and the envisioning of attacks areaccelerated
6 Conclusion
We survey and classify the attacks that target ad hoc routingprotocols focusing on theOLSRprotocol In order to facilitatethe definition of intrusion signatures we extend a descriptionmodelmdashan attack is expressed as the preconditions andthe resulting consequencesmdashand enrich it with temporalannotations Once hand-coded these signatures are utilizedby IDAR a log-based distributed intrusion detection systemdedicated to operate in mobile ad hoc networks IDARdistinguishes itself by analyzing the logs generated by arouting protocol and extracts intrusion evidences so as tocompare these latter against predefined intrusion signaturesFor this purpose evidences are categorized into four groupsaccording to their degree of suspiciongravity and hence totheir ability to activatedeactivate the diagnostic We furtherdevelop a link spoofing attack on the OLSR protocol buildthe related detection rules and evaluate the performancesof IDAR relying on the NS3 simulator coupled with LXCvirtual machines Overall the experiments figure out ahigh rate of intrusion detection and low false positivesrate even under increased mobility and density Meanwhileresource consumption and network overhead result from thediagnostic are low and adapted to the resource-constraineddevices Note that ongoing effort is provided as to evaluateIDAR in a real MANET consisting of resource-constraineddevices Still detecting intrusion is not a trivial task due tothe large number of evidences to tackle and the resource-consuming diagnostic A compromise between detectionaccuracy and resource consumption could be found For thispurpose we are working on a new statistical mechanism forgathering the evidences This mechanism aims at enhancingthe scalability of our system by restricting the interrogationto a limited subset of nodes during the diagnostic Moreoveruntil now we assume that honest parties are passive theyalarm others but do not react We are considering thecoupling with countermeasures (eg blacklisting) and theexploring of lightweight binary consensus and trust estab-lishment among the nodes that participate in the intrusiondetection
18 International Journal of Distributed Sensor Networks
References
[1] Z Zhao H Hu G Ahn and R Wu ldquoRisk-aware mitigation formanet routing attacksrdquo IEEE Transactions on Dependable andSecure Computing vol 9 no 2 pp 250ndash260 2012
[2] B Sun L Osborne Y Xiao and S Guizani ldquoIntrusion detectiontechniques in mobile ad hoc and wireless sensor networksrdquoIEEE Wireless Communications vol 14 no 5 pp 56ndash63 2007
[3] S Sesay Z Yang and J He ldquoA survey onmobile ad hoc wirelessnetworkrdquo Information Technology Journal vol 3 no 2 pp 168ndash175 2004
[4] P Brutch and C Ko ldquoChallenges in intrusion detection forwireless ad-hoc networksrdquo in Proceedings of the Symposium onApplications and the Internet Workshops (SAINT rsquo03) pp 368ndash373 2003
[5] S Khan N Alrajeh and K Loo ldquoSecure route selection inwireless mesh networksrdquo Computer Networks vol 56 no 2 pp491ndash503 2012
[6] S Corson and J Macker ldquoMobile ad hoc networking (manet)routing protocol performance issues and evaluation considera-tionsrdquo IETF RFC2501 1999
[7] Y Zhang W Lee and Y Huang ldquoIntrusion detection tech-niques for mobile wireless networksrdquoWireless Networks vol 9no 5 pp 545ndash556 2003
[8] B C Cheng and R Y Tseng ldquoA context adaptive intrusiondetection system for MANETrdquo Computer Communications vol34 no 3 pp 310ndash318 2011
[9] T Eissa S A Razak and M D A Ngadi ldquoTowards providinga new lightweight authentication and encryption scheme forMANETrdquoWireless Networks vol 17 no 4 pp 833ndash842 2011
[10] A Irshad W Noshairwan M Shafiq S Khurram E Irshadand M Usman ldquoSecurity enhancement for authentication ofnodes in MANET by checking the CRL status of serversrdquoCommunications in Computer and Information Science vol 78pp 86ndash95 2010
[11] D E Denning ldquoAn intrusion-detection modelrdquo IEEE Transac-tions on Software Engineering vol 13 no 2 pp 222ndash232 1987
[12] T Clausen and P Jacquet ldquoOptimized link state routing proto-col (OLSR)rdquo IETF Experimental RFC 3626 2003
[13] P Albers O Camp J Percher et al ldquoSecurity in ad hoc networksa general intrusion detection architecture enhancing trust basedapproachesrdquo 2002
[14] F Cuppens N Cuppens-Boulahia S Nuon and T RamardldquoProperty based intrusion detection to secure OLSRrdquo in Pro-ceedings of the 3rd International Conference on Wireless andMobile Communications (ICWMC rsquo07) Guadeloupe FranceMarch 2007
[15] W Cohen ldquoFast effective rule inductionrdquo in Proceedings of theInternational Conference onMachine Learning (ICML rsquo95) 1995
[16] S Sarafijanovic and J-Y le Boudec ldquoAn artificial immunesystem for misbehavior detection in mobile ad-hoc networkswith virtual thymus clustering danger signal and memorydetectorsrdquo in Proceedings of the 3rd International Conference onArtificial Immune Systems (ICARIS rsquo04) 2004
[17] S Sen and J Clark Intrusion Detection in Mobile Ad HocNetworks in Guide to Wireless Ad Hoc Networks SpringerLondon UK 2009
[18] D Subhadrabandhu S Sarkar and F Anjum ldquoA Framework formisuse detection in ad hoc networksmdashpart IIrdquo IEEE Journal onSelected Areas in Communications vol 24 no 2 pp 290ndash3032006
[19] L M Feeney and M Nilsson ldquoInvestigating the energyconsumption of a wireless network interface in an ad hocnetworking environmentrdquo in Proceedings of the 20th AnnualJoint Conference of the IEEE Computer and CommunicationsSocieties pp 1548ndash1557 April 2001
[20] A P Lauf R A Peters and W H Robinson ldquoA distributedintrusion detection system for resource-constrained devices inad-hoc networksrdquo Ad Hoc Networks vol 8 no 3 pp 253ndash2662010
[21] N A Alrajeh S Khan J Lloret and J Loo ldquoSecure routingprotocol using cross-layer design and energy harvesting inwireless sensor networksrdquo International Journal of DistributedSensor Networks vol 2013 Article ID 374796 11 pages 2013
[22] S Sen J Clark and J Tapiador Security Threats in MobileAd Hoc Networks I S of Self-Organizing Networks AuerbachPublications 2010
[23] P Ning and K Sun ldquoHow to misuse AODV a case study ofinsider attacks againstmobile ad-hoc routing protocolsrdquoAdHocNetworks vol 3 no 6 pp 795ndash819 2005
[24] T Clausen C Dearlove P Jacquet and U Herberg ldquoTheoptimized link state routing protocol version 2rdquo IETF ActiveInternet-Draft Draft-Ietf-Manet-Olsrv2-15 2012
[25] U Herberg and T Clausen ldquoSecurity issues in the optimizedlink state routing protocol version 2 (olsrv2)rdquo InternationalJournal of Network Security amp Its Applications vol 2 no 2 2010
[26] YOwada TMaenoH Imai andKMase ldquoOLSRv2 implemen-tation and performance evaluation with link layer feedbackrdquo inProceedings of the International Wireless Communications andMobile Computing Conference (IWCMC rsquo07) pp 67ndash72 Newyork NY USA August 2007
[27] F Hong L Hong and C Fu ldquoSecure OLSRrdquo in Proceedingsof the 19th International Conference on Advanced InformationNetworking and Applications (AINA rsquo05) pp 713ndash718 March2005
[28] LNAMHegland P Spilling andQKure ldquoHybrid protectionof olsrrdquo in Electronic Notes in Theoretical Computer Science2006
[29] P Kunwar S Sofat and D Bansal ldquoComparison of secure olsrrouting protocolrdquo International Journal of Engineering Sciencevol 3 no 6 p 5049 2011
[30] A Adnane C Bidan and R T de Sousa Junior ldquoTrust-basedcountermeasures for securing OLSR protocolrdquo in Proceedingsof the 7th IEEEIFIP International Conference on Embedded andUbiquitous Computing (EUC rsquo09) pp 745ndash752 August 2009
[31] B Wu J Chen J Chen J Wu and M Cardei ldquoA survey ofattacks and countermeasures in mobile ad hoc networksrdquo inWireless Network Security Springer New York NY USA 2007
[32] C Adjih D Raffo and P Muhlethaler ldquoAttacks against OLSRdistributed key management for securityrdquo in Proceedings of theOLSR Interop Workshop 2005
[33] G CerveraM Barbeau J Garcia-Alfaro and E Kranakis ldquoMit-igation of topology control traffic attacks in OLSR networksrdquoin Proceedings of the 5th International Conference on Risks andSecurity of Internet and Systems (CRiSIS rsquo10) October 2010
[34] P M Jawandhiya M M Ghonge M S Ali et al ldquoA surveyof mobile ad hoc network attacksrdquo International Journal ofEngineering Science and Technology vol 2 no 9 pp 4063ndash40712010
[35] L M Feeney ldquoAn energy consumption model for performanceanalysis of routing protocols for mobile ad hoc networksrdquoMobile Networks and Applications vol 6 no 3 pp 239ndash2492001
International Journal of Distributed Sensor Networks 19
[36] G Riley and T Henderson ldquoThe ns-3 network simulatorrdquo inModeling and Tools for Network Simulation Springer BerlinGermany 2010
[37] S Bhattiprolu E Biederman S Hallyn et al ldquoVirtual serversand checkpointrestart inmainstream linuxrdquo SIGOPSOperatingSystems Review vol 42 no 5 pp 104ndash113 2008
[38] J Zhang J Xing and Z Qin ldquoTaprouter an emulatingframework to run real applications on simulated mobile adhoc networkrdquo in Proceedings of the 44th Annual SimulationSymposium (ANSS rsquo11) pp 39ndash46 2011
[39] D Broyles A Jabbar and J P G Sterbenz ldquoDesign andanalysis of a 3-d gauss-markov mobility model for highly-dynamic airborne networksrdquo in Proceedings of the InternationalTelemetering Conference (ITC rsquo10) San Diego CA USA 2010
[40] J Haerri F Filali and C Bonnet ldquoPerformance comparisonof AODV and OLSR in vanets urban environments underrealistic mobility patternsrdquo in Proceedings of the IFIP Med-Hoc-Net Workshop 2006
[41] C H Tseng T Song P Balasubramanyam C Ko and K LevittldquoA specification-based intrusion detection model for OLSRrdquoRecent Advances in Intrusion Detection vol 3858 pp 330ndash3502006
[42] S Kurkowski T Camp and M Colagrosso ldquoManet simulationstudies the incrediblesrdquo SIGMOBILE Mobile Computing andCommunications Review vol 9 no 4 pp 50ndash561 2005
[43] A Abdalla I Saroit A Kotb et al ldquoMisbehavior nodesdetection and isolation for MANETs OLSR protocolrdquo ProcediaComputer Science vol 3 pp 115ndash121 2011
[44] R Puttini J Percher L Me et al ldquoA modular architecture fordistributed ids in manetrdquo in Proceedings of the InternationalConference on Computational Science and Its Applications III2003
[45] A Adnane R T de Sousa L Me and C Bidan ldquoAutonomictrust reasoning enables misbehavior detection in OLSRrdquo inProceedings of the 23rd Annual ACM Symposium on AppliedComputing (SAC rsquo08) pp 2006ndash2013 March 2008
[46] W Wang H Man and Y Liu ldquoA framework for intrusiondetection systems by social network analysis methods in ad hocnetworksrdquo Security and Communication Networks vol 2 no 6pp 669ndash685 2009
[47] H Deng R Xu J Li F Zhang R Levy and W Lee ldquoAgent-based cooperative anomaly detection for wireless ad hoc net-worksrdquo in Proceedings of the 12th International Conference onParallel and Distributed Systems (ICPADS rsquo06) pp 613ndash620 July2006
[48] S KurosawaHNakayamaN Kato et al ldquoDetecting blackholesattack on AODV-based mobile ad hoc networks by dynamiclearningmethodrdquo International Journal of Network Security vol5 no 3 pp 338ndash346 2007
[49] WWang HWang BWang et al ldquoEnergy-aware and selfadap-tive anomaly detection scheme based on network tomographyin mobile ad hoc networksrdquo Information Sciences vol 220 pp580ndash602 2013
[50] M-Y Su ldquoPrevention of selective black hole attacks on mobilead hoc networks through intrusion detection systemsrdquo Com-puter Communications vol 34 no 1 pp 107ndash117 2011
[51] N Marchang and R Datta ldquoCollaborative techniques for intru-sion detection in mobile ad-hoc networksrdquo Ad Hoc Networksvol 6 no 4 pp 508ndash523 2008
[52] B V R N Yadav B Satyanarayana and O B V RamanaiahldquoAn efficient intrusion detection system for mobile ad hoc net-worksrdquo in Emerging Trends in Computing Informatics Systems
Sciences and Engineering vol 151 Springer New York NYUSA 2013
[53] Y Huang and W Lee ldquoAttack analysis and detection for ad hocrouting protocolsrdquo in Recent Advances in Intrusion Detectionvol 3224 Springer Berlin Germany 2004
[54] G Vigna S Gwalani K Srinivasan E M Belding-Royer andR A Kemmerer ldquoAn intrusion detection tool for AODV-basedad hoc wireless networksrdquo in Proceedings of the 20th AnnualComputer SecurityApplications Conference (ACSAC rsquo04) pp 16ndash27 December 2004
[55] M Ayachi C Bidan and N Prigent ldquoA trust-based ids for theaodv protocolrdquo in Information and Communications Securityvol 6476 pp 430ndash444 2010
[56] S Sen and J A Clark ldquoA grammatical evolution approach tointrusion detection on mobile ad hoc networksrdquo in Proceedingsof the 2nd ACMConference onWireless Network Security (WiSecrsquo09) pp 95ndash102 March 2009
[57] S Marti T J Giuli K Lai and M Baker ldquoMitigating routingmisbehavior in mobile ad hoc networksrdquo in Proceedings of the6th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo00) pp 255ndash265 August 2000
[58] B Sun K Wu and U Pooch ldquoRouting anomaly detection inmobile ad hoc networksrdquo in Proceedings of The 12th Interna-tional Conference on Computer Communications and Networks(ICCCN rsquo03) 2003
[59] S Bose S Bharathimurugan and A Kannan ldquoMulti-layerintegrated anomaly intrusion detection system for mobileadhoc networksrdquo in Proceedings of the International Conferenceon Signal Processing Communications and Networking (ICSCNrsquo07) pp 360ndash365 February 2007
[60] P Yi Y Zhong and S Zhang ldquoA novel intrusion detectionmethod for mobile ad hoc networksrdquo in Advances in GridComputing vol 3470 pp 1183ndash1192 Springer Berlin Germany2005
[61] C Perkins E Belding-Royer and S Das ldquoAd hoc on-demanddistance vector (AODV) routingrdquo IETF Experimental RFC3561 2003
[62] D Johnson and D Maltz ldquoDynamic source routing in ad hocwireless networksrdquo in Mobile Computing pp 153ndash181 KluwerAcademic 1996
[63] C Perkins and P Bhagwat ldquoHighly dynamic destinationse-quenced distance-vector routing (dsdv) for mobile computersrdquoin Proceedings of the Conference on Communications Architec-tures Protocols and Applications (SIGCOMM rsquo94) vol 24 pp234ndash244 1994
[64] T JoachimsMaking Large-Scale Support VectorMachine Learn-ing Practical MIT Press Cambridge Mass USA 1999
[65] Y Yajima and T Kuo ldquoEfficient formulations for 1-svm and theirapplication to recommendation tasksrdquo Journal of Computersvol 1 no 3 pp 27ndash34 2006
[66] L Bononi and C Tacconi ldquoIntrusion detection for secureclustering and routing inMobileMulti-hopWirelessNetworksrdquoInternational Journal of Information Security vol 6 no 6 pp379ndash392 2007
[67] Y Huang W Fan W Lee et al ldquoCross-feature analysis fordetecting ad-hoc routing anomaliesrdquo in Proceedings of the 23rdInternational Conference on Distributed Computing Systems(ICDCS rsquo03) pp 478ndash487 May 2003
[68] J Quinlan C4 5 Programs for Machine Learning MorganKaufmann Boston Mass USA 1993
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
18 International Journal of Distributed Sensor Networks
References
[1] Z Zhao H Hu G Ahn and R Wu ldquoRisk-aware mitigation formanet routing attacksrdquo IEEE Transactions on Dependable andSecure Computing vol 9 no 2 pp 250ndash260 2012
[2] B Sun L Osborne Y Xiao and S Guizani ldquoIntrusion detectiontechniques in mobile ad hoc and wireless sensor networksrdquoIEEE Wireless Communications vol 14 no 5 pp 56ndash63 2007
[3] S Sesay Z Yang and J He ldquoA survey onmobile ad hoc wirelessnetworkrdquo Information Technology Journal vol 3 no 2 pp 168ndash175 2004
[4] P Brutch and C Ko ldquoChallenges in intrusion detection forwireless ad-hoc networksrdquo in Proceedings of the Symposium onApplications and the Internet Workshops (SAINT rsquo03) pp 368ndash373 2003
[5] S Khan N Alrajeh and K Loo ldquoSecure route selection inwireless mesh networksrdquo Computer Networks vol 56 no 2 pp491ndash503 2012
[6] S Corson and J Macker ldquoMobile ad hoc networking (manet)routing protocol performance issues and evaluation considera-tionsrdquo IETF RFC2501 1999
[7] Y Zhang W Lee and Y Huang ldquoIntrusion detection tech-niques for mobile wireless networksrdquoWireless Networks vol 9no 5 pp 545ndash556 2003
[8] B C Cheng and R Y Tseng ldquoA context adaptive intrusiondetection system for MANETrdquo Computer Communications vol34 no 3 pp 310ndash318 2011
[9] T Eissa S A Razak and M D A Ngadi ldquoTowards providinga new lightweight authentication and encryption scheme forMANETrdquoWireless Networks vol 17 no 4 pp 833ndash842 2011
[10] A Irshad W Noshairwan M Shafiq S Khurram E Irshadand M Usman ldquoSecurity enhancement for authentication ofnodes in MANET by checking the CRL status of serversrdquoCommunications in Computer and Information Science vol 78pp 86ndash95 2010
[11] D E Denning ldquoAn intrusion-detection modelrdquo IEEE Transac-tions on Software Engineering vol 13 no 2 pp 222ndash232 1987
[12] T Clausen and P Jacquet ldquoOptimized link state routing proto-col (OLSR)rdquo IETF Experimental RFC 3626 2003
[13] P Albers O Camp J Percher et al ldquoSecurity in ad hoc networksa general intrusion detection architecture enhancing trust basedapproachesrdquo 2002
[14] F Cuppens N Cuppens-Boulahia S Nuon and T RamardldquoProperty based intrusion detection to secure OLSRrdquo in Pro-ceedings of the 3rd International Conference on Wireless andMobile Communications (ICWMC rsquo07) Guadeloupe FranceMarch 2007
[15] W Cohen ldquoFast effective rule inductionrdquo in Proceedings of theInternational Conference onMachine Learning (ICML rsquo95) 1995
[16] S Sarafijanovic and J-Y le Boudec ldquoAn artificial immunesystem for misbehavior detection in mobile ad-hoc networkswith virtual thymus clustering danger signal and memorydetectorsrdquo in Proceedings of the 3rd International Conference onArtificial Immune Systems (ICARIS rsquo04) 2004
[17] S Sen and J Clark Intrusion Detection in Mobile Ad HocNetworks in Guide to Wireless Ad Hoc Networks SpringerLondon UK 2009
[18] D Subhadrabandhu S Sarkar and F Anjum ldquoA Framework formisuse detection in ad hoc networksmdashpart IIrdquo IEEE Journal onSelected Areas in Communications vol 24 no 2 pp 290ndash3032006
[19] L M Feeney and M Nilsson ldquoInvestigating the energyconsumption of a wireless network interface in an ad hocnetworking environmentrdquo in Proceedings of the 20th AnnualJoint Conference of the IEEE Computer and CommunicationsSocieties pp 1548ndash1557 April 2001
[20] A P Lauf R A Peters and W H Robinson ldquoA distributedintrusion detection system for resource-constrained devices inad-hoc networksrdquo Ad Hoc Networks vol 8 no 3 pp 253ndash2662010
[21] N A Alrajeh S Khan J Lloret and J Loo ldquoSecure routingprotocol using cross-layer design and energy harvesting inwireless sensor networksrdquo International Journal of DistributedSensor Networks vol 2013 Article ID 374796 11 pages 2013
[22] S Sen J Clark and J Tapiador Security Threats in MobileAd Hoc Networks I S of Self-Organizing Networks AuerbachPublications 2010
[23] P Ning and K Sun ldquoHow to misuse AODV a case study ofinsider attacks againstmobile ad-hoc routing protocolsrdquoAdHocNetworks vol 3 no 6 pp 795ndash819 2005
[24] T Clausen C Dearlove P Jacquet and U Herberg ldquoTheoptimized link state routing protocol version 2rdquo IETF ActiveInternet-Draft Draft-Ietf-Manet-Olsrv2-15 2012
[25] U Herberg and T Clausen ldquoSecurity issues in the optimizedlink state routing protocol version 2 (olsrv2)rdquo InternationalJournal of Network Security amp Its Applications vol 2 no 2 2010
[26] YOwada TMaenoH Imai andKMase ldquoOLSRv2 implemen-tation and performance evaluation with link layer feedbackrdquo inProceedings of the International Wireless Communications andMobile Computing Conference (IWCMC rsquo07) pp 67ndash72 Newyork NY USA August 2007
[27] F Hong L Hong and C Fu ldquoSecure OLSRrdquo in Proceedingsof the 19th International Conference on Advanced InformationNetworking and Applications (AINA rsquo05) pp 713ndash718 March2005
[28] LNAMHegland P Spilling andQKure ldquoHybrid protectionof olsrrdquo in Electronic Notes in Theoretical Computer Science2006
[29] P Kunwar S Sofat and D Bansal ldquoComparison of secure olsrrouting protocolrdquo International Journal of Engineering Sciencevol 3 no 6 p 5049 2011
[30] A Adnane C Bidan and R T de Sousa Junior ldquoTrust-basedcountermeasures for securing OLSR protocolrdquo in Proceedingsof the 7th IEEEIFIP International Conference on Embedded andUbiquitous Computing (EUC rsquo09) pp 745ndash752 August 2009
[31] B Wu J Chen J Chen J Wu and M Cardei ldquoA survey ofattacks and countermeasures in mobile ad hoc networksrdquo inWireless Network Security Springer New York NY USA 2007
[32] C Adjih D Raffo and P Muhlethaler ldquoAttacks against OLSRdistributed key management for securityrdquo in Proceedings of theOLSR Interop Workshop 2005
[33] G CerveraM Barbeau J Garcia-Alfaro and E Kranakis ldquoMit-igation of topology control traffic attacks in OLSR networksrdquoin Proceedings of the 5th International Conference on Risks andSecurity of Internet and Systems (CRiSIS rsquo10) October 2010
[34] P M Jawandhiya M M Ghonge M S Ali et al ldquoA surveyof mobile ad hoc network attacksrdquo International Journal ofEngineering Science and Technology vol 2 no 9 pp 4063ndash40712010
[35] L M Feeney ldquoAn energy consumption model for performanceanalysis of routing protocols for mobile ad hoc networksrdquoMobile Networks and Applications vol 6 no 3 pp 239ndash2492001
International Journal of Distributed Sensor Networks 19
[36] G Riley and T Henderson ldquoThe ns-3 network simulatorrdquo inModeling and Tools for Network Simulation Springer BerlinGermany 2010
[37] S Bhattiprolu E Biederman S Hallyn et al ldquoVirtual serversand checkpointrestart inmainstream linuxrdquo SIGOPSOperatingSystems Review vol 42 no 5 pp 104ndash113 2008
[38] J Zhang J Xing and Z Qin ldquoTaprouter an emulatingframework to run real applications on simulated mobile adhoc networkrdquo in Proceedings of the 44th Annual SimulationSymposium (ANSS rsquo11) pp 39ndash46 2011
[39] D Broyles A Jabbar and J P G Sterbenz ldquoDesign andanalysis of a 3-d gauss-markov mobility model for highly-dynamic airborne networksrdquo in Proceedings of the InternationalTelemetering Conference (ITC rsquo10) San Diego CA USA 2010
[40] J Haerri F Filali and C Bonnet ldquoPerformance comparisonof AODV and OLSR in vanets urban environments underrealistic mobility patternsrdquo in Proceedings of the IFIP Med-Hoc-Net Workshop 2006
[41] C H Tseng T Song P Balasubramanyam C Ko and K LevittldquoA specification-based intrusion detection model for OLSRrdquoRecent Advances in Intrusion Detection vol 3858 pp 330ndash3502006
[42] S Kurkowski T Camp and M Colagrosso ldquoManet simulationstudies the incrediblesrdquo SIGMOBILE Mobile Computing andCommunications Review vol 9 no 4 pp 50ndash561 2005
[43] A Abdalla I Saroit A Kotb et al ldquoMisbehavior nodesdetection and isolation for MANETs OLSR protocolrdquo ProcediaComputer Science vol 3 pp 115ndash121 2011
[44] R Puttini J Percher L Me et al ldquoA modular architecture fordistributed ids in manetrdquo in Proceedings of the InternationalConference on Computational Science and Its Applications III2003
[45] A Adnane R T de Sousa L Me and C Bidan ldquoAutonomictrust reasoning enables misbehavior detection in OLSRrdquo inProceedings of the 23rd Annual ACM Symposium on AppliedComputing (SAC rsquo08) pp 2006ndash2013 March 2008
[46] W Wang H Man and Y Liu ldquoA framework for intrusiondetection systems by social network analysis methods in ad hocnetworksrdquo Security and Communication Networks vol 2 no 6pp 669ndash685 2009
[47] H Deng R Xu J Li F Zhang R Levy and W Lee ldquoAgent-based cooperative anomaly detection for wireless ad hoc net-worksrdquo in Proceedings of the 12th International Conference onParallel and Distributed Systems (ICPADS rsquo06) pp 613ndash620 July2006
[48] S KurosawaHNakayamaN Kato et al ldquoDetecting blackholesattack on AODV-based mobile ad hoc networks by dynamiclearningmethodrdquo International Journal of Network Security vol5 no 3 pp 338ndash346 2007
[49] WWang HWang BWang et al ldquoEnergy-aware and selfadap-tive anomaly detection scheme based on network tomographyin mobile ad hoc networksrdquo Information Sciences vol 220 pp580ndash602 2013
[50] M-Y Su ldquoPrevention of selective black hole attacks on mobilead hoc networks through intrusion detection systemsrdquo Com-puter Communications vol 34 no 1 pp 107ndash117 2011
[51] N Marchang and R Datta ldquoCollaborative techniques for intru-sion detection in mobile ad-hoc networksrdquo Ad Hoc Networksvol 6 no 4 pp 508ndash523 2008
[52] B V R N Yadav B Satyanarayana and O B V RamanaiahldquoAn efficient intrusion detection system for mobile ad hoc net-worksrdquo in Emerging Trends in Computing Informatics Systems
Sciences and Engineering vol 151 Springer New York NYUSA 2013
[53] Y Huang and W Lee ldquoAttack analysis and detection for ad hocrouting protocolsrdquo in Recent Advances in Intrusion Detectionvol 3224 Springer Berlin Germany 2004
[54] G Vigna S Gwalani K Srinivasan E M Belding-Royer andR A Kemmerer ldquoAn intrusion detection tool for AODV-basedad hoc wireless networksrdquo in Proceedings of the 20th AnnualComputer SecurityApplications Conference (ACSAC rsquo04) pp 16ndash27 December 2004
[55] M Ayachi C Bidan and N Prigent ldquoA trust-based ids for theaodv protocolrdquo in Information and Communications Securityvol 6476 pp 430ndash444 2010
[56] S Sen and J A Clark ldquoA grammatical evolution approach tointrusion detection on mobile ad hoc networksrdquo in Proceedingsof the 2nd ACMConference onWireless Network Security (WiSecrsquo09) pp 95ndash102 March 2009
[57] S Marti T J Giuli K Lai and M Baker ldquoMitigating routingmisbehavior in mobile ad hoc networksrdquo in Proceedings of the6th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo00) pp 255ndash265 August 2000
[58] B Sun K Wu and U Pooch ldquoRouting anomaly detection inmobile ad hoc networksrdquo in Proceedings of The 12th Interna-tional Conference on Computer Communications and Networks(ICCCN rsquo03) 2003
[59] S Bose S Bharathimurugan and A Kannan ldquoMulti-layerintegrated anomaly intrusion detection system for mobileadhoc networksrdquo in Proceedings of the International Conferenceon Signal Processing Communications and Networking (ICSCNrsquo07) pp 360ndash365 February 2007
[60] P Yi Y Zhong and S Zhang ldquoA novel intrusion detectionmethod for mobile ad hoc networksrdquo in Advances in GridComputing vol 3470 pp 1183ndash1192 Springer Berlin Germany2005
[61] C Perkins E Belding-Royer and S Das ldquoAd hoc on-demanddistance vector (AODV) routingrdquo IETF Experimental RFC3561 2003
[62] D Johnson and D Maltz ldquoDynamic source routing in ad hocwireless networksrdquo in Mobile Computing pp 153ndash181 KluwerAcademic 1996
[63] C Perkins and P Bhagwat ldquoHighly dynamic destinationse-quenced distance-vector routing (dsdv) for mobile computersrdquoin Proceedings of the Conference on Communications Architec-tures Protocols and Applications (SIGCOMM rsquo94) vol 24 pp234ndash244 1994
[64] T JoachimsMaking Large-Scale Support VectorMachine Learn-ing Practical MIT Press Cambridge Mass USA 1999
[65] Y Yajima and T Kuo ldquoEfficient formulations for 1-svm and theirapplication to recommendation tasksrdquo Journal of Computersvol 1 no 3 pp 27ndash34 2006
[66] L Bononi and C Tacconi ldquoIntrusion detection for secureclustering and routing inMobileMulti-hopWirelessNetworksrdquoInternational Journal of Information Security vol 6 no 6 pp379ndash392 2007
[67] Y Huang W Fan W Lee et al ldquoCross-feature analysis fordetecting ad-hoc routing anomaliesrdquo in Proceedings of the 23rdInternational Conference on Distributed Computing Systems(ICDCS rsquo03) pp 478ndash487 May 2003
[68] J Quinlan C4 5 Programs for Machine Learning MorganKaufmann Boston Mass USA 1993
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 19
[36] G Riley and T Henderson ldquoThe ns-3 network simulatorrdquo inModeling and Tools for Network Simulation Springer BerlinGermany 2010
[37] S Bhattiprolu E Biederman S Hallyn et al ldquoVirtual serversand checkpointrestart inmainstream linuxrdquo SIGOPSOperatingSystems Review vol 42 no 5 pp 104ndash113 2008
[38] J Zhang J Xing and Z Qin ldquoTaprouter an emulatingframework to run real applications on simulated mobile adhoc networkrdquo in Proceedings of the 44th Annual SimulationSymposium (ANSS rsquo11) pp 39ndash46 2011
[39] D Broyles A Jabbar and J P G Sterbenz ldquoDesign andanalysis of a 3-d gauss-markov mobility model for highly-dynamic airborne networksrdquo in Proceedings of the InternationalTelemetering Conference (ITC rsquo10) San Diego CA USA 2010
[40] J Haerri F Filali and C Bonnet ldquoPerformance comparisonof AODV and OLSR in vanets urban environments underrealistic mobility patternsrdquo in Proceedings of the IFIP Med-Hoc-Net Workshop 2006
[41] C H Tseng T Song P Balasubramanyam C Ko and K LevittldquoA specification-based intrusion detection model for OLSRrdquoRecent Advances in Intrusion Detection vol 3858 pp 330ndash3502006
[42] S Kurkowski T Camp and M Colagrosso ldquoManet simulationstudies the incrediblesrdquo SIGMOBILE Mobile Computing andCommunications Review vol 9 no 4 pp 50ndash561 2005
[43] A Abdalla I Saroit A Kotb et al ldquoMisbehavior nodesdetection and isolation for MANETs OLSR protocolrdquo ProcediaComputer Science vol 3 pp 115ndash121 2011
[44] R Puttini J Percher L Me et al ldquoA modular architecture fordistributed ids in manetrdquo in Proceedings of the InternationalConference on Computational Science and Its Applications III2003
[45] A Adnane R T de Sousa L Me and C Bidan ldquoAutonomictrust reasoning enables misbehavior detection in OLSRrdquo inProceedings of the 23rd Annual ACM Symposium on AppliedComputing (SAC rsquo08) pp 2006ndash2013 March 2008
[46] W Wang H Man and Y Liu ldquoA framework for intrusiondetection systems by social network analysis methods in ad hocnetworksrdquo Security and Communication Networks vol 2 no 6pp 669ndash685 2009
[47] H Deng R Xu J Li F Zhang R Levy and W Lee ldquoAgent-based cooperative anomaly detection for wireless ad hoc net-worksrdquo in Proceedings of the 12th International Conference onParallel and Distributed Systems (ICPADS rsquo06) pp 613ndash620 July2006
[48] S KurosawaHNakayamaN Kato et al ldquoDetecting blackholesattack on AODV-based mobile ad hoc networks by dynamiclearningmethodrdquo International Journal of Network Security vol5 no 3 pp 338ndash346 2007
[49] WWang HWang BWang et al ldquoEnergy-aware and selfadap-tive anomaly detection scheme based on network tomographyin mobile ad hoc networksrdquo Information Sciences vol 220 pp580ndash602 2013
[50] M-Y Su ldquoPrevention of selective black hole attacks on mobilead hoc networks through intrusion detection systemsrdquo Com-puter Communications vol 34 no 1 pp 107ndash117 2011
[51] N Marchang and R Datta ldquoCollaborative techniques for intru-sion detection in mobile ad-hoc networksrdquo Ad Hoc Networksvol 6 no 4 pp 508ndash523 2008
[52] B V R N Yadav B Satyanarayana and O B V RamanaiahldquoAn efficient intrusion detection system for mobile ad hoc net-worksrdquo in Emerging Trends in Computing Informatics Systems
Sciences and Engineering vol 151 Springer New York NYUSA 2013
[53] Y Huang and W Lee ldquoAttack analysis and detection for ad hocrouting protocolsrdquo in Recent Advances in Intrusion Detectionvol 3224 Springer Berlin Germany 2004
[54] G Vigna S Gwalani K Srinivasan E M Belding-Royer andR A Kemmerer ldquoAn intrusion detection tool for AODV-basedad hoc wireless networksrdquo in Proceedings of the 20th AnnualComputer SecurityApplications Conference (ACSAC rsquo04) pp 16ndash27 December 2004
[55] M Ayachi C Bidan and N Prigent ldquoA trust-based ids for theaodv protocolrdquo in Information and Communications Securityvol 6476 pp 430ndash444 2010
[56] S Sen and J A Clark ldquoA grammatical evolution approach tointrusion detection on mobile ad hoc networksrdquo in Proceedingsof the 2nd ACMConference onWireless Network Security (WiSecrsquo09) pp 95ndash102 March 2009
[57] S Marti T J Giuli K Lai and M Baker ldquoMitigating routingmisbehavior in mobile ad hoc networksrdquo in Proceedings of the6th Annual International Conference on Mobile Computing andNetworking (MOBICOM rsquo00) pp 255ndash265 August 2000
[58] B Sun K Wu and U Pooch ldquoRouting anomaly detection inmobile ad hoc networksrdquo in Proceedings of The 12th Interna-tional Conference on Computer Communications and Networks(ICCCN rsquo03) 2003
[59] S Bose S Bharathimurugan and A Kannan ldquoMulti-layerintegrated anomaly intrusion detection system for mobileadhoc networksrdquo in Proceedings of the International Conferenceon Signal Processing Communications and Networking (ICSCNrsquo07) pp 360ndash365 February 2007
[60] P Yi Y Zhong and S Zhang ldquoA novel intrusion detectionmethod for mobile ad hoc networksrdquo in Advances in GridComputing vol 3470 pp 1183ndash1192 Springer Berlin Germany2005
[61] C Perkins E Belding-Royer and S Das ldquoAd hoc on-demanddistance vector (AODV) routingrdquo IETF Experimental RFC3561 2003
[62] D Johnson and D Maltz ldquoDynamic source routing in ad hocwireless networksrdquo in Mobile Computing pp 153ndash181 KluwerAcademic 1996
[63] C Perkins and P Bhagwat ldquoHighly dynamic destinationse-quenced distance-vector routing (dsdv) for mobile computersrdquoin Proceedings of the Conference on Communications Architec-tures Protocols and Applications (SIGCOMM rsquo94) vol 24 pp234ndash244 1994
[64] T JoachimsMaking Large-Scale Support VectorMachine Learn-ing Practical MIT Press Cambridge Mass USA 1999
[65] Y Yajima and T Kuo ldquoEfficient formulations for 1-svm and theirapplication to recommendation tasksrdquo Journal of Computersvol 1 no 3 pp 27ndash34 2006
[66] L Bononi and C Tacconi ldquoIntrusion detection for secureclustering and routing inMobileMulti-hopWirelessNetworksrdquoInternational Journal of Information Security vol 6 no 6 pp379ndash392 2007
[67] Y Huang W Fan W Lee et al ldquoCross-feature analysis fordetecting ad-hoc routing anomaliesrdquo in Proceedings of the 23rdInternational Conference on Distributed Computing Systems(ICDCS rsquo03) pp 478ndash487 May 2003
[68] J Quinlan C4 5 Programs for Machine Learning MorganKaufmann Boston Mass USA 1993
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
20 International Journal of Distributed Sensor Networks
[69] J B D Cabrera C Gutierrez and R K Mehra ldquoEnsemblemethods for anomaly detection and distributed intrusion detec-tion in Mobile Ad-Hoc Networksrdquo Information Fusion vol 9no 1 pp 96ndash119 2008
[70] MWang L Lamont P Mason andM Gorlatova ldquoAn effectiveintrusion detection approach for OLSR MANET protocolrdquoin Proceedings of the 13th IEEE International Conference onNetwork Protocols Workshop (ICNP rsquo05) pp 55ndash60 November2005
[71] C Y Tseng P Balasubramanyam C Ko R Limprasittiporn JRowe and K Levitt ldquoA specification-based intrusion detectionsystem for AODVrdquo in Proceedings of the 1st ACM Workshop onSecurity of Ad Hoc and Sensor Networks pp 125ndash134 October2003
[72] S A Razak S M Furnell N L Clarke and P J BrookeldquoFriend-assisted intrusion detection and response mechanismsfor mobile ad hoc networksrdquo Ad Hoc Networks vol 6 no 7 pp1151ndash1167 2008
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of