
CS 685-002: Security in Mobile Computing Systems

TERM PAPER

INTRUSION DETECTION IN WIRELESS NETWORKS

by

Aparna Vattikonda
Ranjit Kumar Gampa
Vishnu Karunya Isukapalli
Viswanadha Raju Kakarlapudi
Contents

1. INTRODUCTION
  1.1 Computer Security and its Role
  1.2 Threats of security
    1.2.1 Accidental Threat
    1.2.2 Intentional Threat
  1.3 Vulnerabilities of mobile wireless networks
  1.4 Need for Intrusion Detection
2. BACKGROUND ON INTRUSION DETECTION
  2.1 Classification of Intrusion Detection Systems
  2.2 IDS Requirements
    2.2.1 Functional Requirements
    2.2.2 Performance Requirements
  2.3 Anomaly Detection
  2.4 Misuse Detection
  2.5 Network Based Intrusion Detection
  2.6 Host Based Intrusion Detection
3. ANOMALY DETECTION SYSTEMS
  3.1 Statistical Approaches
  3.2 Predictive Pattern Generation
  3.3 Neural Networks
4. MISUSE DETECTION SYSTEMS
  4.1 Expert Systems
  4.2 Keystroke monitoring
  4.3 Model Based Intrusion Detection
5. IDS ISSUES IN MOBILE ENVIRONMENT
6. NEW ARCHITECTURE
  6.1 Mobile IDS Agents
  6.2 Stationary Secure Database
7. ANOMALY DETECTION IN WIRELESS AD-HOC NETWORKS
  7.1 Building an anomaly detection model
    7.1.1 Framework
    7.1.2 Attack Models
  7.2 Areas where anomaly detection can be used
    7.2.1 Abnormal Updates in the routing tables
    7.2.2 Abnormal Activities In other layers
8. IMPLEMENTED APPROACHES
  8.1 IEEE 802.11
    8.1.1 Open System Authentication
    8.1.2 Shared Key Authentication
    8.1.3 Secure key generation and distribution
    8.1.4 Current Approaches for the Key generation
      8.1.4.1 Key generation by the telephone manufacturer and distribution to the Service Provider via a backbone network
      8.1.4.2 Over-the-air phone activation with key exchange
  8.2 Proposed Method for the implementation of Over-the-air phone Activation Approach
  8.3 Mitigating Routing Misbehavior
Conclusions
References

ABSTRACT

The rapid proliferation of wireless networks and mobile computing applications has changed the landscape of network security. The recent denial of service attacks on major Internet sites have shown us that no open computer network is immune from intrusions. The wireless ad-hoc network is particularly vulnerable due to its features of open medium, dynamically changing topology, cooperative algorithms, lack of a centralized monitoring and management point, and lack of a clear line of defense. The traditional way of protecting networks with firewalls and encryption software is no longer sufficient and effective.

Many intrusion detection techniques have been developed for fixed wired networks but have turned out to be inapplicable in this new environment. We need to search for new architectures and mechanisms to protect wireless networks and mobile computing applications.

In this paper, we examine the vulnerabilities of wireless networks and argue that we must include intrusion detection in the security architecture for the mobile computing environment. We have presented such an architecture and evaluated key mechanisms in it, such as applying mobile agents to intrusion detection, and anomaly detection and misuse detection for mobile ad-hoc networks.

1. INTRODUCTION

In the last three years, the networking revolution has finally come of age. More than ever before, we see that the Internet is changing computing as we know it. The possibilities and opportunities are limitless; unfortunately, so too are the risks and chances of malicious intrusions.

It is very important that the security mechanisms of a system are designed so as to prevent unauthorized access to system resources and data. However, completely preventing breaches of security appears, at present, unrealistic. We can, however, try to detect these intrusion attempts so that action may be taken to repair the damage later. This field of research is called Intrusion Detection.

1.1 Computer Security and its Role

One broad definition of a secure computer system is given by Garfinkel and Spafford: a system that can be depended upon to behave as it is expected to. It is therefore worth considering how security can be integrated with dependability, and how a dependable computing system can be obtained.

Dependability is the trustworthiness of a system and can be seen as the quality of the service a system offers. Integrating security and dependability can be done in various ways. One approach is to treat security as one characteristic of dependability on the same level as availability, reliability and safety, as shown in the figure.

[Figure: Dependability, with Availability, Reliability, Safety and Security as its characteristics]

A narrower definition of security is the ability of a system to protect objects with respect to confidentiality, authentication, integrity and non-repudiation.

Confidentiality: Transforming data such that only authorized parties can decode it.

Authentication: Proving or disproving someone's or something's claimed identity.

Integrity checking: Ensuring that data cannot be modified without such modification being detectable.

Non-repudiation: Proving that the source of some data did in fact send data that he might later deny sending.

1.2 Threats of security

Threats can be seen as potential violations of security and exist because of vulnerabilities, i.e. weaknesses, in a system. There are two basic types of threats: accidental threats and intentional threats.

1.2.1 Accidental Threat:

An accidental threat, when manifested, results either in an exposure of confidential information or in an illegal system state, i.e. the modification of an object. Exposures can emerge from both hardware and software failures as well as from user and operational mistakes, resulting in the violation of confidentiality. A threat can also be manifested as the modification of an object, which is a violation of object integrity. An object here can be both information and a resource.

1.2.2 Intentional Threat:

An intentional threat is an action performed by an entity with the intention to violate security. Examples of attacks are interruption, modification, interception and fabrication of data, as shown in the figure.

[Figure: information flow from an information source to an information destination: a) normal flow, b) interruption, c) interception, d) modification, e) fabrication]

1.3 VULNERABILITIES OF MOBILE WIRELESS NETWORKS

The nature of the mobile computing environment makes it very vulnerable to an adversary's malicious attacks.

Firstly, the use of wireless links renders the network susceptible to attacks ranging from passive eavesdropping to active interfering, as attacks on these links can come from any direction and target any node. This means that a wireless ad-hoc network will not have a clear line of defense, and every node has to be prepared for encounters with an adversary, directly or indirectly.

Secondly, mobile nodes are autonomous units that are capable of roaming independently. Since tracking down a particular mobile node in a global-scale network cannot be done easily, attacks by a compromised node from within the network are more damaging and harder to detect.

Third, decision-making in a mobile computing environment is sometimes decentralized, and some wireless network algorithms rely on the cooperative participation of all nodes and the infrastructure.

Furthermore, mobile computing has introduced new types of computational and communication activities that seldom appear in fixed or wired environments. Applications and services in a mobile wireless network can be a weak link as well.

To summarize, a mobile wireless network is vulnerable due to its features of open medium, dynamically changing topology, cooperative algorithms, lack of a centralized monitoring and management point, and lack of a clear line of defense.

1.4 NEED FOR INTRUSION DETECTION

A computer system should provide confidentiality, integrity and assurance against denial of service. However, due to increased connectivity (especially on the Internet), and the vast spectrum of financial possibilities that are opening up, more and more systems are subject to attack by intruders. These subversion attempts try to exploit flaws in the operating system as well as in application programs and have resulted in spectacular incidents like the Internet Worm incident of 1988.

There are two ways to handle subversion attempts. One way is to prevent
subversion itself by building a completely secure system. We could, for example, require
all users to identify and authenticate themselves; we could protect data by various
cryptographic methods and very tight access control mechanisms. However this is not
really feasible because:

1. In practice, it is not possible to build a completely secure system. Miller gives a compelling report on bugs in popular programs and operating systems that seems to indicate that (a) bug-free software is still a dream and (b) no-one seems to want to make the effort to try to develop such software. Apart from the fact that we do not seem to be getting our money's worth when we buy software, there are also security implications when our e-mail software, for example, can be attacked. Designing and implementing a totally secure system is thus an extremely difficult task.
2. The vast installed base of systems worldwide guarantees that any transition to a secure system (if it is ever developed) will be long in coming.
3. Cryptographic methods have their own problems. Passwords can be cracked, users can lose their passwords, and entire crypto-systems can be broken.
4. Even a truly secure system is vulnerable to abuse by insiders who abuse their privileges.
5. It has been seen that the relationship between the level of access control and user efficiency is an inverse one, which means that the stricter the mechanisms, the lower the efficiency becomes.

The history of security research has taught us a valuable lesson – no matter how
many intrusion prevention measures are inserted in a network, there are always some
weak links that one could exploit to break in.

We thus see that we are stuck with systems that have vulnerabilities for a while to
come. If there are attacks on a system, we would like to detect them as soon as possible
(preferably in real-time) and take appropriate action. This is essentially what an Intrusion
Detection System (IDS) does. An IDS does not usually take preventive measures when an
attack is detected; it is a reactive rather than pro-active agent. It plays the role of an
informant rather than a police officer.

2. BACKGROUND ON INTRUSION DETECTION

A simple firewall can no longer provide enough security as in the past. Today's
corporations are drafting intricate security policies whose enforcement requires the use of
multiple systems, both proactive and reactive (and often multi-layered and highly
redundant). The premise behind intrusion detection systems is simple: Deploy a set of
agents to inspect network traffic and look for the “signatures” of known network attacks.
However, the evolution of network computing and the awesome availability of the
Internet have complicated this concept somewhat. With the advent of Distributed Denial
of Service (DDOS) attacks, which are often launched from hundreds of separate sources,
the traffic source no longer provides reliable temporal clues that an attack is in progress.
Worse yet, the task of responding to such attacks is further complicated by the diversity
of the source systems, and especially by the geographically distributed nature of most
attacks.

While intrusion detection techniques were often regarded as grossly experimental, the field of intrusion detection has matured a great deal, to the point where it has secured a place in the network defense landscape alongside firewalls and virus protection systems. While the actual implementations tend to be fairly complex, and often proprietary, the concept behind intrusion detection is a surprisingly simple one: inspect all network activity (both inbound and outbound) and identify suspicious patterns that could be evidence of a network or system attack.

2.1 Classification of Intrusion Detection Systems

Intrusions can be divided into 6 main types:

- Attempted break-ins, which are detected by atypical behavior profiles or violations of security constraints.
- Masquerade attacks, which are detected by atypical behavior profiles or violations of security constraints.
- Penetration of the security control system, which is detected by monitoring for specific patterns of activity.
- Leakage, which is detected by atypical use of system resources.
- Denial of service, which is detected by atypical use of system resources.
- Malicious use, which is detected by atypical behavior profiles, violations of security constraints, or use of special privileges.

2.2 IDS REQUIREMENTS

At least one past effort has identified desirable characteristics for an IDS. Regardless of which mechanisms an IDS is based on, it must do the following:

- Run continuously without human supervision,
- Be fault tolerant and survivable,
- Resist subversion,
- Impose minimal overhead,
- Observe deviations from normal behavior,
- Be easily tailored to a specific network,
- Adapt to changes over time, and
- Be difficult to fool.

We have developed a similar set of requirements along two themes: functional and
performance requirements.

2.2.1 Functional Requirements

As the network-computing environment increases in complexity, so do the functional requirements of IDSs. Common functional requirements of an IDS being deployed in current or near-term operational computing environments include the following:

- The IDS must continuously monitor and report intrusions.

- The IDS must supply enough information to repair the system, determine the extent of damage, and establish responsibility for the intrusion.

- The IDS should be modular and configurable, as each host and network segment will require its own tests, and these tests will need to be continuously upgraded and eventually replaced with new tests.

- Since the IDS is assigned the critical role of monitoring the security state of the network, the IDS itself is a primary target of attack. The IDS must be able to operate in a hostile computing environment, exhibit a high degree of fault tolerance and allow for graceful degradation.

- The IDS should be adaptive to network topology and configuration changes as computing elements are dynamically added to and removed from the network.

- Anomaly detection systems should have a very low false alarm rate. Given the projected increase in network connectivity and traffic, simply decreasing the percentage of overall false alarms may not be sufficient, as their absolute number may continue to rise.

- The IDS should be able to learn from past experience and improve its detection capabilities over time. A self-tuning IDS will be able to learn from false alarms, with the guidance of system administrators at first and eventually on its own.

- The IDS should be easy to update, and frequently updated, with attack signatures as new security advisories and security patches become available and new vulnerabilities and attacks are discovered.

- Decision support tools will be necessary to help system administrators respond to various attacks. The IDS will be required not only to detect anomalous events, but also to take automated corrective action.

- The IDS should be able to perform data fusion and process information from multiple and distributed data sources such as firewalls, routers, and switches. As real-time detection demands push network-based solutions onto re-programmable hardware devices that can download new capabilities, the IDS will need to be able to communicate with these hardware-based devices.

- Data reduction tools will be necessary to help the IDS process the information gathered by data fusion techniques. Data mining tools will be helpful in running statistical analysis on archived data in support of anomaly detection techniques.

- The IDS should be capable of providing an automated response to suspicious activity.

- Rapid changes in network conditions and limited network administration expertise make it difficult for system administrators to diagnose problems and take corrective action to minimize the damage that intruders can cause.

- The ability to detect and react to distributed and coordinated attacks will become necessary. Coordinated attacks against a network will be able to marshal greater forces and launch many more and varied attacks against a single target. These attacks can be permutations of known attacks, be rapidly evolving, and be launched at little cost to the attackers.

- Distributing the computational load and the diagnostic capabilities to agents scattered throughout the network adds a level of fault tolerance, but it is often necessary for the system administrator to have control over the IDS from a central location.

- The IDS should be able to work with other Commercial Off-the-Shelf (COTS) security tools, as no vendor toolset is likely to excel in or to provide complete coverage of the detection, diagnosis, and response responsibilities. The IDS framework should be able to integrate various data reduction, forensic, host-based, and network-based security tools. Interoperability and conformance to standards will further increase the value of the IDS.

- IDS data often requires additional analysis to assess any damage to the network after an intrusion has been detected. Although the anomalous event was the first detected, it may not be the first attempt to gain unauthorized access to the network. Post-event analysis will be needed to identify compromised machines before the network can be restored to a safe condition.

- The IDS itself must also be designed with security in mind. For example, the IDS must be able to authenticate the administrator, audit administrator actions, mutually authenticate IDS devices, protect the IDS data, and not create additional vulnerabilities.

2.2.2 Performance Requirements

An IDS that is functionally correct, but that detects attacks too slowly is of little
use. Thus we must enumerate several performance requirements for IDSs. The IDS
performance requirements include:

- To the extent possible, anomalous events or breaches in security should be detected in real time and reported immediately to minimize the damage to the network and the loss or corruption of confidential information.

- The IDS must not place an undue burden on, or interfere with, the normal operations for which the systems were bought and deployed to begin with. This requirement makes it necessary for the agents to be cognizant of the consumption of the network resources for which they are competing.

- The IDS must be scalable. As new computing devices are added to the network, the IDS must be able to handle the additional computational and communication load.

We can divide the techniques of intrusion detection into two main types.

2.3 Anomaly Detection:

Anomaly detection techniques assume that all intrusive activities are necessarily
anomalous. This means that if we could establish a "normal activity profile" for a system,
we could, in theory, flag all system states varying from the established profile by
statistically significant amounts as intrusion attempts. However, if we consider that the
set of intrusive activities only intersects the set of anomalous activities instead of being
exactly the same, we find a couple of interesting possibilities: (1) Anomalous activities
that are not intrusive are flagged as intrusive. (2) Intrusive activities that are not
anomalous result in false negatives (events are not flagged intrusive, though they actually
are). This is a dangerous problem, and is far more serious than the problem of false
positives.

The main issues in anomaly detection systems thus become the selection of
threshold levels so that neither of the above 2 problems is unreasonably magnified, and
the selection of features to monitor. Anomaly detection systems are also computationally
expensive because of the overhead of keeping track of, and possibly updating several
system profile metrics. Some systems based on this technique are discussed in Section 4
while a block diagram of a typical anomaly detection system is shown in Figure below.

2.4 Misuse Detection:

The concept behind misuse detection schemes is that there are ways to represent
attacks in the form of a pattern or a signature so that even variations of the same attack
can be detected. This means that these systems are not unlike virus detection systems --
they can detect many or all known attack patterns, but they are of little use for as yet
unknown attack methods. An interesting point to note is that anomaly detection systems
try to detect the complement of "bad" behavior. Misuse detection systems try to
recognize known "bad" behavior. The main issues in misuse detection systems are how to
write a signature that encompasses all possible variations of the pertinent attack, and how
to write signatures that do not also match non-intrusive activity. A block diagram of a
typical misuse detection system is shown in Figure below.

Advantages:

- Simplicity and nonintrusiveness (which translate into ease of deployment).

Disadvantages:

- Inspecting each packet on the wire is becoming increasingly more difficult with the recent advances in network and wireless technology in terms of complexity and speed.

Most intrusion detection systems employ a combination of both techniques, and are often deployed on the network, on a specific host, or even on an application within a host.
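The signature idea of Section 2.4, as an added Python illustration that is not part of the original paper. Two of the network-layer attacks the paper names in Section 2.6 (the land attack and ping of death) are written as predicates on single packets, and a SYN-flood check counts connection attempts per destination. The `Packet` record, the constructed trace and the threshold are assumptions of this example, not anything from the paper; the SYN-flood check also shows how a "signature" that is really a count threshold shades into anomaly detection, which is why the paper notes that most systems combine both techniques.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """One (reassembled) IP datagram as a network-based sensor would see it on the wire."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str   # "tcp", "udp" or "icmp"
    flags: str   # TCP flag letters, e.g. "S" for SYN only, "SA" for SYN+ACK; "" otherwise
    length: int  # total length of the reassembled datagram in bytes


# Single-packet signatures: one predicate per known attack pattern. A good signature
# holds for every variant of the attack and for no normal packet (the paper's two issues).
SIGNATURES: Dict[str, Callable[[Packet], bool]] = {
    # Land attack: a TCP segment whose source and destination address and port are identical.
    "land": lambda p: p.proto == "tcp" and p.src == p.dst and p.sport == p.dport,
    # Ping of death: an ICMP datagram reassembled to more than the 65535-byte IP maximum.
    "ping_of_death": lambda p: p.proto == "icmp" and p.length > 65535,
}


def match_signatures(trace: List[Packet]) -> List[Tuple[int, str]]:
    """Return (packet index, signature name) for every packet that matches a signature."""
    alerts = []
    for index, packet in enumerate(trace):
        for name, predicate in SIGNATURES.items():
            if predicate(packet):
                alerts.append((index, name))
    return alerts


def detect_syn_flood(trace: List[Packet], threshold: int) -> Dict[str, int]:
    """Count SYN-only segments per destination and report hosts at or above threshold.

    This check is a threshold on a count rather than a fixed pattern, which is where
    misuse detection starts to overlap with anomaly detection.
    """
    syn_counts: Counter = Counter()
    for packet in trace:
        if packet.proto == "tcp" and packet.flags == "S":
            syn_counts[packet.dst] += 1
    return {dst: n for dst, n in syn_counts.items() if n >= threshold}


# Constructed trace (not captured from a real network): ordinary traffic plus one land
# packet, one oversized ICMP datagram and a burst of unanswered SYNs at one host.
SAMPLE_TRACE: List[Packet] = [
    Packet("10.0.0.5", "10.0.0.20", 40001, 80, "tcp", "S", 60),     # 0: normal connection attempt
    Packet("10.0.0.20", "10.0.0.20", 139, 139, "tcp", "S", 60),     # 1: land, src == dst and sport == dport
    Packet("10.0.0.5", "10.0.0.20", 40001, 80, "tcp", "A", 52),     # 2: normal ACK
    Packet("10.0.0.7", "10.0.0.20", 0, 0, "icmp", "", 65800),       # 3: ping of death, > 65535 bytes
    Packet("10.0.0.7", "10.0.0.20", 0, 0, "icmp", "", 84),          # 4: ordinary echo request
] + [
    Packet("10.0.0.9", "10.0.0.21", 50000 + i, 25, "tcp", "S", 60)  # 5..14: ten SYNs, no ACKs
    for i in range(10)
]


if __name__ == "__main__":
    for index, name in match_signatures(SAMPLE_TRACE):
        print(f"packet {index}: matched signature {name}")
    for dst, count in detect_syn_flood(SAMPLE_TRACE, threshold=8).items():
        print(f"{dst}: {count} SYN-only segments, possible SYN flood")
```

The two predicate signatures are deterministic and cheap, which is the "simplicity" advantage listed above; the SYN-flood threshold is where tuning starts, since a low threshold flags a busy mail server and a high one misses a slow flood.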

2.5 Network Based Intrusion Detection:

The most obvious location for an intrusion detection system is right on the
segment being monitored. Network-based intrusion detectors insert themselves in the
network just like any other device, except they promiscuously examine every packet they
see on the wire.

Advantage:

- Network-based intrusion detection is straightforward to implement and deploy.

Disadvantage:

- Truly shared segments are rare nowadays, which means a single sniffer cannot be relied upon to monitor an entire subnet. Instead, detection systems must be connected to a port of the Ethernet switch that has visibility into all packets on the wire, which is not always feasible, even if such a port is available.
- The fact that a single intrusion detection system is servicing the entire segment makes it an easy target for a DoS attack. Such a system should not contain any user accounts other than the privileged (root/Administrator) user; host any unnecessary network services; offer any sort of interactive network access (console access only); or be hosted on an obscure, proprietary operating system.

2.6 Host Based Intrusion Detection

While network-based intrusion detectors are straightforward to deploy and maintain, there is a whole class of attacks closely coupled to the target system and extremely hard to fingerprint. These are the ones that exploit vulnerabilities particular to specific operating systems and application suites. Only host-based intrusion detection systems (the ones running as an application on a network-connected host) can correlate the complex array of system-specific parameters that make up the signature of a well-orchestrated attack.

Advantage:

The host-based approach is ideal for those high-availability servers that enterprises rely on for everyday business. The most prevalent advantage of the host-based approach is its ability to detect an inside job, that is, an incident where a lawful user is using local host resources in a manner that violates the company's security policy. This type of offense would be virtually impossible to unveil with a network-based intrusion detection system; because the user could have console access to the system, his or her actions would not even traverse the wire.

Disadvantage:

Not all is well in the world of host-based intrusion detection, however. Since these systems are closely tied to the operating system, they become yet one more application to maintain and migrate. This is a critical point in an environment where operating system levels are upgraded often, as the intrusion detection system must be kept up to date for it to work efficiently. Also, deploying host-based detectors alone will not protect your enterprise against basic, network-layer DoS attacks (SYN flooding, ping of death, land attack, and so on). These limitations notwithstanding, host-based detection should be an integral part of your overall intrusion defense.

3. ANOMALY DETECTION SYSTEMS:

There have been a few approaches to anomaly intrusion detection systems, some
of which are described below.

3.1 Statistical Approaches:

In this method, initially, behavior profiles for subjects are generated. As the
system continues running, the anomaly detector constantly generates the variance of the
present profile from the original one. We note that, in this case, there may be several
measures that affect the behavior profile, like activity measures, CPU time used, number
of network connections in a time period, etc. In some systems, the current profile and the
previous profile are merged at intervals, but in some other systems profile generation is a
one time activity.

Advantages:

- The main advantage of statistical systems is that they adaptively learn the behavior of users; they are thus potentially more sensitive than human experts.

Disadvantages:

- These statistical approaches can gradually be trained by intruders so that eventually intrusive events are considered normal; false positives and false negatives are generated depending on whether the threshold is set too low or too high; and relationships between events are missed because of the insensitivity of statistical measures to the order of events.

An open issue with statistical approaches in particular, and anomaly detection systems in general, is the selection of measures to monitor. It is not known exactly what the subset of all possible measures that accurately predicts intrusive activities is. Static methods of determining these measures are sometimes misleading because of the unique features of a particular system. Thus, it seems that a combination of static and dynamic determination of the set of measures should be done. Some problems associated with this technique have been remedied by other methods, including the method involving Predictive Pattern Generation, which takes past events into account when analyzing the data.
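The profile-and-variance idea of this section, together with the threshold trade-off described in Section 2.3, as an added Python example that is not part of the original paper. A subject's profile is the mean and spread of each monitored measure over past audit intervals; a new interval is scored by its largest standardised deviation from that profile; `evaluate` counts false positives and false negatives at a given threshold; and `merge_profile` performs the periodic profile merging the section mentions, which is also what lets an intruder gradually train the detector. The measures (`cpu_seconds`, `connections`), the user's history, the labelled test intervals and the one-unit floor on the spread are all constructed assumptions of this example.

```python
import statistics
from typing import Dict, List, Tuple

Observation = Dict[str, float]             # one audit interval: measure name -> value
Profile = Dict[str, Tuple[float, float]]   # measure name -> (mean, spread)


def build_profile(history: List[Observation]) -> Profile:
    """Mean and population standard deviation of every measure over past intervals."""
    profile: Profile = {}
    for measure in history[0]:
        values = [interval[measure] for interval in history]
        profile[measure] = (statistics.fmean(values), statistics.pstdev(values))
    return profile


def deviation(profile: Profile, interval: Observation) -> float:
    """Largest standardised deviation of the interval from the profile over all measures.

    The spread is floored at one unit (an assumption of this example) so that a measure
    which never varied in training does not turn a tiny change into an infinite score.
    """
    worst = 0.0
    for measure, (mean, spread) in profile.items():
        score = abs(interval[measure] - mean) / max(spread, 1.0)
        worst = max(worst, score)
    return worst


def is_anomalous(profile: Profile, interval: Observation, threshold: float) -> bool:
    return deviation(profile, interval) > threshold


def evaluate(profile: Profile, labelled: List[Tuple[Observation, bool]],
             threshold: float) -> Tuple[int, int]:
    """(false positives, false negatives) of the detector at the given threshold."""
    false_pos = false_neg = 0
    for interval, intrusive in labelled:
        flagged = is_anomalous(profile, interval, threshold)
        if flagged and not intrusive:
            false_pos += 1
        if intrusive and not flagged:
            false_neg += 1
    return false_pos, false_neg


def merge_profile(old: Profile, recent: List[Observation], weight: float) -> Profile:
    """Blend the stored profile with one built from recent intervals (0 < weight <= 1)."""
    new = build_profile(recent)
    return {m: ((1 - weight) * old[m][0] + weight * new[m][0],
                (1 - weight) * old[m][1] + weight * new[m][1]) for m in old}


# Constructed training history for one user: CPU seconds and connections per audit interval.
HISTORY: List[Observation] = [
    {"cpu_seconds": c, "connections": n}
    for c, n in [(12, 3), (15, 4), (11, 2), (14, 5), (13, 3), (16, 4), (12, 3), (14, 4)]
]

# Constructed test intervals with ground truth: True means the interval was intrusive.
LABELLED: List[Tuple[Observation, bool]] = [
    ({"cpu_seconds": 14, "connections": 4}, False),   # routine activity
    ({"cpu_seconds": 20, "connections": 3}, False),   # legitimate but unusually heavy job
    ({"cpu_seconds": 13, "connections": 40}, True),   # obvious: far more connections than usual
    ({"cpu_seconds": 15, "connections": 5}, True),    # stealthy: stays inside the normal envelope
]

# Constructed "drift" window: the same account slowly raising its connection count.
DRIFT_WINDOW: List[Observation] = [
    {"cpu_seconds": 13, "connections": n} for n in (8, 9, 10, 11)
]


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for threshold in (1.2, 3.0, 5.0):
        print(f"threshold {threshold}: (false positives, false negatives) = "
              f"{evaluate(profile, LABELLED, threshold)}")
    drifted = merge_profile(profile, DRIFT_WINDOW, weight=0.5)
    probe = {"cpu_seconds": 13, "connections": 9}
    print("9 connections anomalous before merge:", is_anomalous(profile, probe, 3.0))
    print("9 connections anomalous after merge: ", is_anomalous(drifted, probe, 3.0))
```

Lowering the threshold catches the stealthy interval at the price of flagging the heavy but legitimate job, raising it does the reverse, and no threshold separates the two on these measures, which is the paper's point that feature selection matters as much as threshold selection. The merge step shows the training problem listed under the disadvantages: after one merge with the drift window, nine connections in an interval no longer stands out.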

3.2 Predictive Pattern Generation:

This method of intrusion detection tries to predict future events based on the
events that have already occurred. Therefore, we could have a rule

E1 - E2 --> (E3 = 80%, E4 = 15%, E5 = 5%)

This would mean that given that events E1 and E2 have occurred, with E2
occurring after E1, there is an 80% probability that event E3 will follow, a 15% chance
that event E4 will follow and a 5% probability that event E5 will follow.

Problem:

The problem with this is that some intrusion scenarios that are not described by
the rules will not be flagged intrusive. Thus, if an event sequence A - B - C exists that is
intrusive, but not listed in the rule base, it will be classified as unrecognized.

Solution:

The above problem can be partially solved by flagging any unknown events as intrusions (increasing the probability of false positives), or by flagging them as non-intrusive (thus increasing the probability of false negatives). In the normal case, however, an event is flagged intrusive if the left-hand side of a rule is matched, but the right-hand side is statistically very deviant from the prediction.

Advantages:

There are several advantages to this approach.

- First, rule-based sequential patterns can detect anomalous activities that were difficult to detect with traditional methods.
- Second, systems built using this model are highly adaptive to changes. This is because low-quality patterns are continuously eliminated, finally leaving the higher-quality patterns behind.
- Third, it is easier to detect users who try to train the system during its learning period.
- And fourth, anomalous activities can be detected and reported within seconds of receiving audit events.
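The rule form E1 - E2 --> (E3 = 80%, E4 = 15%, E5 = 5%) of this section, as an added Python example that is not part of the original paper. `build_rules` derives such rules from recorded sessions by counting which event followed each run of preceding events; the window length is a parameter, so the same code gives the n-event window that Section 3.3 describes for neural networks. `scan` then checks a new session the way the Problem and Solution above describe: a window whose left-hand side matches no rule is reported as unrecognized (or ignored, depending on the chosen policy), and one whose observed successor has a lower probability than `min_prob` is reported as deviant. The command sequences and the probability cut-off are constructed assumptions of this example.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

Context = Tuple[str, ...]                 # the n events on the left-hand side of a rule
Rules = Dict[Context, Dict[str, float]]   # context -> {next event: probability}


def build_rules(sessions: Sequence[Sequence[str]], window: int = 2) -> Rules:
    """For every run of `window` events, count which event followed and normalise to probabilities."""
    counts: Dict[Context, Counter] = defaultdict(Counter)
    for session in sessions:
        for i in range(len(session) - window):
            context = tuple(session[i:i + window])
            counts[context][session[i + window]] += 1
    return {
        context: {event: n / sum(followers.values()) for event, n in followers.items()}
        for context, followers in counts.items()
    }


def scan(rules: Rules, session: Sequence[str], min_prob: float,
         window: int = 2, flag_unknown: bool = True) -> List[Tuple[int, str]]:
    """Return (event index, verdict) for every event the rules did not predict.

    "deviant": a rule matched the preceding window but gave the observed event a
    probability below min_prob (an event never seen after that window scores 0).
    "unrecognized": no rule matches the preceding window; reported only when
    flag_unknown is set, mirroring the two policies for unknown events.
    """
    alerts = []
    for i in range(window, len(session)):
        context = tuple(session[i - window:i])
        followers = rules.get(context)
        if followers is None:
            if flag_unknown:
                alerts.append((i, "unrecognized"))
        elif followers.get(session[i], 0.0) < min_prob:
            alerts.append((i, "deviant"))
    return alerts


# Constructed training sessions: command sequences for one user (not real audit data).
TRAINING_SESSIONS = [
    ["login", "ls", "cd", "ls", "vi", "make", "logout"],
    ["login", "ls", "cd", "vi", "make", "make", "logout"],
    ["login", "cd", "ls", "vi", "make", "logout"],
    ["login", "ls", "cd", "ls", "make", "logout"],
]

RULES = build_rules(TRAINING_SESSIONS)


if __name__ == "__main__":
    # Print the learned rules in the paper's E1 - E2 --> (E3 = p%, ...) notation.
    for context, followers in sorted(RULES.items()):
        rhs = ", ".join(f"{e} = {p:.0%}" for e, p in sorted(followers.items()))
        print(f"{' - '.join(context)} --> ({rhs})")
    unusual = ["login", "ls", "cd", "ls", "chmod", "logout"]
    print("alerts, unknown flagged:", scan(RULES, unusual, min_prob=0.1))
    print("alerts, unknown ignored:", scan(RULES, unusual, min_prob=0.1, flag_unknown=False))
```

With `min_prob` at 0.1 the four training sessions replay without alerts; raising it to 0.5 makes the rarer but legitimate continuations (for example `vi` after `ls - cd`, seen in only one of three sessions) deviant, which is the false-positive side of the threshold choice discussed above.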

3.3 Neural Networks:

Another approach taken in intrusion detection systems is the use of neural networks. The idea here is to train the neural network to predict a user's next action or command, given the window of 'n' previous actions or commands. The network is trained on a set of representative user commands. After the training period, the network tries to match actual commands with the user profile already present in the net. Any incorrectly predicted events actually measure the deviation of the user from the established profile.

Advantages:

Some advantages of using neural networks are:

• They cope well with noisy data.

• Their success does not depend on any statistical assumption about the nature of
the underlying data.

• They are easier to modify for new user communities.

Disadvantages:

However, they have some disadvantages:

• First, a small window will result in false positives while a large window will
result in irrelevant data as well as increase the chance of false negatives.

• Second, the net topology is only determined after considerable trial and error.

• Third, the intruder can train the net during its learning phase.

4. MISUSE DETECTION SYSTEMS:

There has been significant research in misuse detection systems in the recent past.
Some of these systems are explained in depth in this section.

4.1 Expert Systems:

These systems are modeled in such a way as to separate the rule matching phase
from the action phase. The matching is done according to audit trail events. IDES follows
a hybrid intrusion detection technique consisting of a misuse detection component as well
as an anomaly detection component. The anomaly detector is based on the statistical
approach, and it flags events as intrusive if they deviate largely from the expected
behavior. To do this, it builds user profiles based on many different criteria (more than 30
criteria, including CPU and I/O usage, commands used, local network activity, system
errors, etc.). These profiles are updated at periodic intervals. The expert system misuse
detection component encodes known intrusion scenarios and attack patterns (bugs in old
versions of sendmail could be one vulnerability). The rule database can be changed for
different systems.

Advantages:

• One advantage of the IDES approach is that it has a statistical component as well
as an expert system component. This means that the chances of one system
catching intrusions missed by the other increase.

• Another advantage is that the problem's control reasoning is cleanly separated from
the formulation of the solution.

Disadvantages:

• There are some drawbacks to the expert system approach too. For example, the
expert system has to be formulated by a security professional and thus the system
is only as strong as the security personnel who program it. This means that there
is a real chance that expert systems can fail to flag intrusions.

It is for the above reason that IDES has an anomaly as well as a misuse detection
component. These two components are loosely coupled in the sense that they perform
their operations independently for the most part. The IDES system runs on a machine
different from the machine(s) to be monitored, which could be unreasonable overhead.
Furthermore, additions and deletions of rules from the rule-base must take into account
the inter-dependencies between different rules in the rule-base. And there is no
recognition of the sequential ordering of data, because the various conditions that make
up a rule are not recognized to be ordered.

4.2 Keystroke monitoring:

This is a very simple technique that monitors keystrokes for attack patterns.
Unfortunately the system has several defects -- features of shells like bash, ksh, and tcsh
in which user definable aliases are present defeat the technique unless alias expansion
and semantic analysis of the commands is taken up. The method also does not analyze the
running of a program, only the keystrokes. This means that a malicious program cannot
be flagged for intrusive activities. Operating systems do not offer much support for
keystroke capturing, so the keystroke monitor should have a hook that analyses
keystrokes before sending them on to their intended receiver. An improvement to this
would be to monitor system calls by application programs as well, so that an analysis of
the program's execution is possible.

4.3 Model Based Intrusion Detection

This approach holds that certain intrusion scenarios can be inferred from other observable
activities. If these activities are monitored, it is possible to find intrusion attempts by
looking at activities that imply a certain intrusion scenario. The model-based scheme consists of three
important modules. The anticipator uses the active models and the scenario models to try
to predict the next step in the scenario that is expected to occur. A scenario model is a
knowledge base with specifications of intrusion scenarios. The planner then translates
this hypothesis into a format that shows the behavior, as it would occur in the audit trail.
It uses the predicted information to plan what to search for next. The interpreter then
searches for this data in the audit trail. The system proceeds this way, accumulating more
and more evidence for an intrusion attempt until a threshold is crossed; at this point, it
signals an intrusion attempt.

This is a very clean approach. Because the planner and the interpreter know what
they are searching for at each step, the large amounts of noise present in audit data can be
filtered, leading to excellent performance improvements. In addition, the system can
predict the attacker's next move based on the intrusion model. These predictions can be
used to verify an intrusion hypothesis, to take preventive measures, or to determine what
data to look for next.

However, there are some critical issues related to this system. First, patterns for
intrusion scenarios must be easily recognized. Second, patterns must always occur in the
behavior being looked for. And finally, patterns must be distinguishing; they must not be
associated with any other normal behavior.

5. IDS ISSUES IN MOBILE ENVIRONMENT

Intrusion detection for traditional, wired networks has been the topic of significant
research over the past few years. A problem arises, however, when taking the research for
wired networks and directly applying it to wireless networks. Key assumptions are made
when designing IDSs for wired networks, such as the difficulty for an attacker to
penetrate the physical security of the system, the amount of network bandwidth available
to the IDS, etc. Specific problems faced when building an IDS for a mobile network are
addressed below:

A. Lack of Physical Wires

The most obvious difference when building an IDS in a wireless environment is
the fact that an attacker no longer has to gain physical access to the system in order to
compromise the security of the network. Potentially, it is very simple for someone to
eavesdrop on network traffic in a wireless environment because they no longer have to
break through any physical medium to gain access to the traffic.

B. Bandwidth Issues

Wireless networks have more constrained bandwidth as compared to wired
networks. This problem can manifest itself in a number of different ways when an IDS is
using wireless communication to convey information between parts of the IDS on separate
nodes. An IDS in a mobile environment must be extremely careful to limit the amount of
communication that takes place between nodes. A second problem that may possibly
arise because of limited bandwidth is erroneous behavior of the IDS due to
communication delay between nodes.

C. Difficulty of Anomaly/Normality Distinction

Distinguishing an anomaly from normalcy has always been somewhat difficult for
wired IDSs, and wireless IDSs are no different. If nodes in a network receive false or stale
routing information from a particular node, then it is difficult to verify whether that
node has been compromised. An attacker could have taken control of the node
to send false information to other nodes in the network, or the node could just be
temporarily out of sync due to fast movement or other processing requirements.

D. Secure Communication Between IDS Agents

It is likely that in a wireless network there will have to be portions of the IDS
running on each individual node in the network. Each of these IDS agents will have to
communicate with other IDS agents in the network to convey information relating to the
status of the system. It is crucial that the information being passed from agent to agent be
encrypted so as not to allow an attacker to gain access to the communication.

E. Lack of Centralized Access/Audit Point

The lack of centralized audit points in ad hoc networks presents difficult problems
for intrusion detection. Most static, wired networks have specific repositories where the
IDS can obtain audit data for its misuse and anomaly detection (e.g., switches, routers,
gateways, etc.). Without centralized audit points, IDSs on ad hoc networks are limited to
using only the current traffic coming in and out of the node as audit data. The algorithms
that the IDS uses must be distributed, and take into account the fact that a node can only
see a portion of the network traffic.

F. Possibility of a Node Being Compromised

Since ad hoc networks are dynamic and nodes can move about freely, there is a
possibility that one or more nodes could be captured and compromised, especially if the
network is in a hostile environment. If the algorithms of the IDS are cooperative, it
becomes important to be skeptical of which nodes one can trust. IDSs on ad hoc
networks have to be wary of attacks made from nodes in the network itself, not just
attacks from outside the network.

G. Difficulty In Obtaining Enough Audit Data

Mobile networks do not communicate as frequently as their wired counterparts.
Bandwidth issues, and other issues such as battery life, contribute to this factor. This lack
of communication can become a problem for IDSs attempting to define rules of
normality for anomaly detection. If only a small amount of data is available to establish
normal activity association rules, it is very hard to distinguish an attack from regular
network use.

In summary, we must answer the following questions in developing a viable intrusion
detection system for mobile ad hoc networks:

• What is a good system architecture for building intrusion detection and response
systems that fits the features of mobile ad-hoc networks?

• What are the appropriate audit data sources? How do we detect anomalies based on
partial, local audit traces, if they are the only reliable audit source?

• What is a good model of activities in a mobile computing environment that can
separate anomalous behavior under attack from normal behavior?

6. NEW ARCHITECTURE

It is important to understand that most IDS architectural models are based on
static, wired networks. These models alone are insufficient to help design an IDS in a
mobile, ad hoc network environment.

The architecture addressed is a distributed IDS, where each node on the network
will have an IDS agent running on it. The IDS agents on each node in the network work
together via a cooperative intrusion detection algorithm to decide when and how the
network is being attacked.

The architecture is divided into two parts: the Mobile IDS Agents, which reside on
each node in the network, and the Stationary Secure Database, which contains global
signatures of known misuse attacks and stores patterns of each user's normal activity in a
non-hostile environment.

A. Mobile IDS Agents

Each node in the network will have an IDS agent running on it at all times. This
agent is responsible for detecting intrusions based on local audit data and participating in
cooperative algorithms with other IDS agents to decide if the network is being attacked.
Each agent has five parts: the Local Audit Trail, the Local Intrusion Database (LID),
the Secure Communication Module, the Anomaly Detection Modules (ADMs), and the
Misuse Detection Modules (MDMs).

1. The Local Audit Trail

Each agent must constantly check the audit data to decide that an intrusion is not
taking place. The Local Audit Trail will consist of specific items out of the network
traffic as well as user commands to the node. The Local Audit Trail is responsible for
selecting only the items it needs out of the network traffic and system audit data in order
to minimize the size of the audit data collected.

As audit data is collected by the Local Audit Trail, it is passed to the Misuse
Detection Modules and the Anomaly Detection Modules for further analysis. The Local
Audit Trail is only responsible for gathering and storing audit data, not processing it.

2. The Local Intrusion Database (LID)

The LID is a local database that warehouses all information necessary for the IDS
agent, such as the signature files of known attacks, the established patterns of users on the
network, and the normal traffic flow of the network. The Anomaly Detection Modules
and Misuse Detection Modules communicate directly with the LID to determine if an
intrusion is taking place.

3. The Secure Communication Module

The Secure Communication Module is necessary to enable an IDS agent to
communicate with other IDS agents on other nodes. It will allow the MDMs and ADMs
to use cooperative algorithms to detect intrusions. It may also be used to initiate a global
response when an IDS agent or a group of IDS agents detects an intrusion. Basically, any
communication that needs to occur from one IDS agent to another will use the Secure
Communication Module.

Data communicated via the Secure Communication Module will need to be
encrypted in order to ensure that the data received by an IDS agent is accurate and has
not been tampered with. The Secure Communication Module is only used by IDS agents
and does not communicate any other type of information between nodes. It must share
the bandwidth that the mobile device uses for normal data transmission, so it is required
to be efficient, and can only use the amount of bandwidth it needs.

Also, the Secure Communication module must process information coming to the IDS
agent from other agents in the network. For this reason, it must be fast and efficient, so as
not to take away from the processing time of the mobile unit.

4. The Anomaly Detection Modules (ADMs)

Each Anomaly Detection Module is responsible for detecting a different type of
anomaly. There can be from one to many Anomaly Detection Modules on each mobile
IDS agent, each working separately or cooperatively with other ADMs. For example,
one ADM might be looking for strange network traffic patterns, while another ADM
might be watching user input speed.

If an ADM can identify an anomaly based solely on the data in the Local
Intrusion database, then it can initiate a local and global response to the intrusion. An
example of a local response could be to shut down the node, rendering it useless to an
attacker. A possible global response would be to use the Secure Communication Module
to alert other IDS agents, allowing them to reconstitute a network while excluding the
compromised node.

If the amount of data in the Local Intrusion database is not sufficient to determine
if the present activity should be classified as an intrusion, then it is possible for the ADM
to use the Secure Communication module to query other nodes in the network to get help
in identifying an intrusion.

5. The Misuse Detection Modules (MDMs)

The Misuse Detection Modules function similarly to the ADMs on the IDS
agent. The primary difference is that MDMs only identify known patterns of attacks that
are specified in the Local Intrusion Database. Like the ADMs, if the audit data available
locally is enough to determine whether an intrusion is taking place, the proper response can be
initiated. It is also possible for an MDM to use a cooperative algorithm to identify an
intrusion. If an MDM needs more information from other IDS agents on other nodes, it
would be expected to use the Secure Communication Module to interact with them. Using
the information given by other IDS agents, the MDM might be able to predict an
intrusion with more accuracy.

B. Stationary Secure Database

The Stationary Secure Database (SSD) in this architecture acts as a secure,
trusted repository for mobile nodes to obtain information about the latest misuse
signatures and to find the latest patterns of normal user activity. It is assumed that the
attacker will not compromise the Stationary Secure Database, as it is stored in an area of
high security. To ensure that the SSD will not be compromised, it is kept stationary and not
placed in a hostile environment where an attack is likely. It is also assumed that no
physically compromised node will come in contact with the SSD, since the attacker will
not be given physical access to the area where the SSD resides. Although these are severe
restrictions, they can be accommodated through operational procedures and physical
security.

The mobile IDS agents will collect and store audit data (such as user commands,
network traffic, etc.) while in the field, and will transfer this information when attached
to the SSD. The SSD will then use this information for data mining of new
anomaly association rules. The use of the SSD to mine new anomaly rules is beneficial to
the IDS for three reasons. First, the SSD will be a fixed, fast machine that is capable of
mining rules much faster than the slower, mobile nodes. Secondly, the processing time
used to mine the new anomaly rules will not take away from the processing time of the
mobile nodes. The SSD puts the task of creating new rules for anomaly detection on the
wired server and away from the mobile nodes. And thirdly, the SSD can have
much more storage capacity to hold the abundance of audit data collected from the nodes.
It is very likely that the mobile nodes will not have enough storage to hold substantial
amounts of audit data, but by uploading audit data to the SSD, no data is deleted for
lack of storage space.

The SSD will also be the place where the system administrator can specify the
newest misuse signatures. When the IDS agents are connected to the SSD, they will gain
access to the latest attack signatures automatically. This will make it much easier to
update all the nodes in the network to keep up with the latest attacks. Instead of manually
updating the attack files in the Local Intrusion Database of each individual node, or using
the Secure Communication Module on each node to communicate the new signatures, the
SSD will be responsible for communicating the new attack signatures to each individual
IDS agent.

One of the best reasons for using the SSD to communicate the new attack
signatures, and establish new patterns of normalcy, is to limit the amount of
communication that must take place between IDS agents in the mobile ad hoc network.
As stated earlier, the IDS agents should not use very much bandwidth, because it is
limited and in use by other applications on the mobile node. The use of the SSD allows the
IDS agents to not continually have to share information in order to update their Local
Intrusion Database. Communication between the SSD and the IDS agents will be very
quick and efficient, as there should be no threat of attack. By relying on the SSD to be a
trusted source of update information, the IDS agent no longer has to use cooperative
algorithms to determine whether the information being sent is trustworthy or not.

It is feasible for the SSD to have other functions besides updating the intrusion
detection information on each IDS agent; for example, it could be a place where the mobile
nodes charge their batteries while receiving the latest IDS information. This way the time
spent at the SSD would be used more efficiently and not just for intrusion detection.

Despite the benefits of having an SSD in a mobile IDS architecture, there are a few
disadvantages of relying on a stationary database to provide vital IDS information. If an
SSD is used, mobile nodes will have to be attached to the non-mobile database
periodically to stay up-to-date with the latest intrusion information. This may not be an
option for some mobile, ad hoc environments. Also, since the SSD must be a trusted
source, it cannot be taken onsite without significant risk. If a mobile IDS agent detects a
new intrusion while in a hostile environment, it cannot be attached to the SSD in order to
communicate the new attack patterns. And, even if it could, other nodes would be in the
hostile environment and would not be able to attach to the SSD right away to get the new
signature. However, these problems might be solved if the IDS agents can communicate
the new patterns of attack to each other via the Secure Communication module while in
the hostile environment. This way, only information that has to be communicated right
away will be sent over the wireless channels, and the less time sensitive information can
be gathered later at the SSD when time permits.

7. Anomaly detection in wireless Ad-hoc Networks:

In this section we discuss how to build anomaly detection models for wireless
networks. Detection based on activities in different network layers may differ in the
format and the amount of available audit data as well as in the modeling algorithms.

7.1 Building an anomaly detection model:

7.1.1 Framework:

The basic premise for anomaly detection is that there are intrinsic and
observable characteristics of normal behavior that are distinct from those of abnormal
behavior. Entropy and conditional entropy are used to describe the characteristics of the
normal information flows, and classification algorithms are used to build anomaly
detection models. We can use a classifier trained on normal data to predict what is
normally the next event given the previous n events. During monitoring, when the actual
event is not what the classifier has predicted, there is an anomaly. When constructing a
classifier, features with high information gain are needed.

Using this framework we employ the following procedure for anomaly detection:
a) Select or partition audit data so that the normal data set has low entropy.
b) Perform appropriate data transformation according to entropy measures.
c) Compute a classifier using training data.
d) Apply the classifier to test data.
e) Post-process alarms to produce intrusion reports.
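Added example, not from the paper: steps a) to e) carried out in Python on constructed event traces, using conditional entropy to judge both the partitioning (one user's trace versus an interleaved log of two users) and the window n, with a majority-successor classifier standing in for RIPPER or SVM Light; the function names, the thresholds and the sample traces are my own.

```python
"""Entropy-guided anomaly detection pipeline (added example, not from the paper).

The five steps of the framework above, applied to constructed traces of audit
event symbols:
  (a) partition audit data and measure the entropy of each partition,
  (b) choose the window n by the conditional entropy H(next | previous n),
  (c) train a classifier (majority successor per context) on normal data,
  (d) apply it to a test trace, collecting mispredictions as alarms,
  (e) post-process the alarms into intrusion reports.
"""
import math
from collections import Counter, defaultdict


def entropy(symbols):
    """Shannon entropy H(X) in bits of a sequence of symbols."""
    counts = Counter(symbols)
    total = len(symbols)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def conditional_entropy(trace, n):
    """H(X | previous n events) in bits, estimated from the trace."""
    joint, context = Counter(), Counter()
    for i in range(n, len(trace)):
        ctx = tuple(trace[i - n:i])
        joint[ctx + (trace[i],)] += 1
        context[ctx] += 1
    total = len(trace) - n
    # H(X|Y) = -sum p(x, y) log2 p(x | y), with p(x | y) = count(x, y) / count(y)
    return -sum(c / total * math.log2(c / context[k[:-1]]) for k, c in joint.items())


def choose_window(trace, max_n=4, target=0.1):
    """Step (b): smallest n whose conditional entropy falls to target, else max_n."""
    for n in range(1, max_n + 1):
        if conditional_entropy(trace, n) <= target:
            return n
    return max_n


def train_classifier(trace, n):
    """Step (c): for each context of n events, the most frequent next event."""
    counts = defaultdict(Counter)
    for i in range(n, len(trace)):
        counts[tuple(trace[i - n:i])][trace[i]] += 1
    return {ctx: succ.most_common(1)[0][0] for ctx, succ in counts.items()}


def mispredictions(model, n, trace):
    """Step (d): indices where the actual event differs from the prediction
    (a context never seen in training also counts as a misprediction)."""
    return [i for i in range(n, len(trace))
            if model.get(tuple(trace[i - n:i])) != trace[i]]


def post_process(alarms, max_gap=4, min_count=2):
    """Step (e): merge alarms closer than max_gap into one report (start, end, count);
    groups smaller than min_count are dropped as noise."""
    reports, group = [], []
    for a in alarms + [None]:
        if group and (a is None or a - group[-1] > max_gap):
            if len(group) >= min_count:
                reports.append((group[0], group[-1], len(group)))
            group = []
        if a is not None:
            group.append(a)
    return reports


# Constructed data: two users whose event streams each follow a 4-event cycle.
USER1 = ["A", "B", "A", "C"] * 20
USER2 = ["X", "Y", "X", "Z"] * 20
# An unpartitioned log interleaves both users' events and hides the structure (step a).
INTERLEAVED = [e for pair in zip(USER1, USER2) for e in pair]
# Test trace for user 1 with a constructed anomalous burst in the middle.
TEST = ["A", "B", "A", "C"] * 5 + ["A", "B", "A", "B", "A", "B"] + ["A", "B", "A", "C"] * 5


def run_pipeline():
    n = choose_window(USER1)                  # (b)
    model = train_classifier(USER1, n)        # (c)
    alarms = mispredictions(model, n, TEST)   # (d)
    return n, alarms, post_process(alarms)    # (e)


if __name__ == "__main__":
    print("H(user1) =", entropy(USER1), " H(interleaved) =", entropy(INTERLEAVED))
    print("window for user1:", choose_window(USER1),
          " window for interleaved log:", choose_window(INTERLEAVED))
    n, alarms, reports = run_pipeline()
    print("alarms:", alarms, " reports:", reports)
```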

7.1.2 Attack Models:

Route logic compromise: This type of attack works by manipulating routing
information, either externally by passing false route messages or internally by maliciously
changing routing cache information. In particular, we consider several special cases: (a)
misrouting: forwarding a packet to an incorrect node; and (b) false message propagation:
distributing a false route update.

Traffic pattern distortion: This type of attack changes default/normal traffic behavior:
(a) packet dropping; (b) packet generation with a faked source address; (c) corruption of
packet contents; and (d) denial-of-service.

Audit Data: The two local data sources used for anomaly detection are: (1) local routing
information, including cache entries and traffic statistics, and (2) a position locator, or GPS,
which we assume will not be compromised and can therefore reliably provide location
and velocity information of nodes within the whole neighborhood. We use only local
information because remote nodes can be compromised and their data cannot be trusted.

Feature Selection: Feature selection is a critical step in building a detection model.
Specifically, since we use classifiers as detectors, we need to select and/or construct
features, from the available audit data, that have high information gain. The information
gain of a feature is not known a priori. We use an unsupervised method to construct the
feature set. First, we construct a large feature set to cover a wide range of behaviors. It is not
efficient to run all experiments with all of these features. A small number of training runs
can be conducted with the whole set of features on small audit data traces randomly
chosen from previously stored audit logs. For each training run, a corresponding model
is built. The features that appear in the models and have weights not smaller than a
minimum threshold are selected into the essential feature set. For different routing
protocols and different scenarios, the essential feature set is different.
In practice, we expect the feature set needs to be updated after a certain period, as the
characteristics of routing behavior can change with time.

Classifier: We use two classifiers in our study. One is a decision-tree equivalent
classifier, RIPPER, a rule induction program. The other is a Support Vector Machine
classifier, SVM Light. RIPPER is a typical classifier in that it searches the given feature
space and computes rules that separate data into the appropriate (intended) classes. SVM
Light instead pre-processes the data to represent patterns in a much higher dimension than
the given feature space. The heuristic is that with a sufficiently high dimension, a
hyperplane can separate the data, thus achieving the goal of classification. SVM Light can
produce a more accurate classifier than RIPPER when there are underlying complex
patterns in the data that are not readily represented by the given set of features.

Post Processing: Given an execution trace, we first apply a detector to examine each
observation. Then a post-processing scheme is used to examine the predictions and
generate intrusion reports.

7.2 Areas where anomaly detection can be used

The two main areas where we need anomaly detection in ad-hoc networks are:
• Abnormal updates to the routing table.
• Abnormal activities in other layers.

7.2.1 Abnormal Updates in the routing tables:

The two most important factors required for anomaly detection are:
• Low false positive rate (percentage of normalcy variations detected as anomalies)
• High true positive rate (percentage of anomalies detected)

A routing table usually contains, at a minimum, the next hop to each destination
node and the number of hops. The physical movement of nodes or changes in network
membership cause legitimate changes in the routing table. Our objective in this study is
to lead to a better understanding of the important and challenging issues in intrusion
detection for ad-hoc routing protocols. First, using a given set of training, testing and
evaluation scenarios, and modeling algorithms, we can identify which routing protocol,
with potentially all of its routing information used, can result in better performing detection
models. This will help answer the question "what information should be included in the
routing table to make intrusion detection effective?". This finding can be used in
designing more robust protocols.

Next, using a given routing protocol, we can explore the feature space and
algorithm space to find the best performing model. This will give the insight to the
general practices of building intrusion detection for wireless networks.

7.2.2 Abnormal Activities In other layers:

At the wireless application layer, the trace data can use the service as the class
(i.e., one class for each service), and can contain the following features: for the past s
seconds, the total number of requests to the same service, the number of different services
requested, the average duration of the service, the number of nodes that requested (any)
service, the total number of service errors, etc. A classifier on the trace data then
describes for each service the normal behaviors of its requests. Many attacks generate
different statistical patterns than normal requests. Since the features described above are
designed to capture the statistical behavior of the requests, the attacks, when examined
using the feature values, will show larger deviations than the normal requests.
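Added example, not from the paper: the per-service features listed above computed over a sliding window of s seconds on a constructed request log, with a per-service baseline built from normal traffic and a deviation score; the Request record, the z-score rule and the std_floor parameter are my own choices.

```python
"""Application-layer feature extraction and deviation scoring (added example).

For every service request, the features named in the text are computed over the
past s seconds: requests to the same service, distinct services requested, average
service duration, distinct requesting nodes, and service errors. A per-service
baseline (mean and standard deviation of each feature) is built from normal
traffic; a request whose features deviate by more than z_max standard deviations
from its service's baseline is flagged. The request log is constructed.
"""
from collections import namedtuple
from statistics import mean, pstdev

Request = namedtuple("Request", "time node service duration error")

FEATURES = ("same_service", "n_services", "avg_duration", "n_nodes", "errors")


def features(log, idx, s=10.0):
    """Feature vector for log[idx] over the window (time - s, time]."""
    req = log[idx]
    window = [r for r in log[:idx + 1] if req.time - s < r.time <= req.time]
    return {
        "same_service": sum(r.service == req.service for r in window),
        "n_services": len({r.service for r in window}),
        "avg_duration": mean([r.duration for r in window]),
        "n_nodes": len({r.node for r in window}),
        "errors": sum(r.error for r in window),
    }


def build_baseline(normal_log, s=10.0):
    """Per-service mean/std of each feature, skipping the first s seconds
    (windows there are not yet full and would distort the baseline)."""
    per_service = {}
    for i, r in enumerate(normal_log):
        if r.time < s:
            continue
        per_service.setdefault(r.service, []).append(features(normal_log, i, s))
    baseline = {}
    for svc, vecs in per_service.items():
        baseline[svc] = {}
        for f in FEATURES:
            vals = [v[f] for v in vecs]
            baseline[svc][f] = (mean(vals), pstdev(vals))
    return baseline


def detect(log, baseline, s=10.0, z_max=3.0, std_floor=1.0):
    """Indices of requests whose features deviate from their service's baseline.
    std_floor keeps a constant feature (std 0) from flagging every tiny change."""
    flagged = []
    for i, r in enumerate(log):
        if r.service not in baseline:
            flagged.append(i)                     # service never seen in normal data
            continue
        vec = features(log, i, s)
        z = max(abs(vec[f] - mu) / max(sd, std_floor)
                for f, (mu, sd) in baseline[r.service].items())
        if z > z_max:
            flagged.append(i)
    return flagged


def constructed_log():
    """Normal: one request every 2 s cycling over three services and three nodes.
    Attack: a constructed burst of failing http requests from a single node."""
    services, nodes = ["http", "dns", "ftp"], ["n1", "n2", "n3"]
    normal = [Request(2.0 * k, nodes[k % 3], services[k % 3], 1.0, 0)
              for k in range(30)]
    burst = [Request(61.0 + 0.5 * k, "n9", "http", 0.1, 1) for k in range(20)]
    return normal, normal + burst


if __name__ == "__main__":
    normal, full = constructed_log()
    baseline = build_baseline(normal)
    print("flagged request indices:", detect(full, baseline))
    print("features of the last request:", features(full, len(full) - 1))
```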

8. IMPLEMENTED APPROACHES

Following are some of the intrusion detection techniques used in wireless and
ad hoc networks.

8.1 IEEE 802.11

The IEEE 802.11 standard provides several mechanisms intended to provide a
secure operating environment. The IEEE 802.11 standard defines the physical layers and
the MAC sublayer for wireless LANs. There are three different physical layers:

• Frequency hopping spread spectrum radio.
• Direct sequence spread spectrum radio.
• Baseband infrared.

The MAC layer is common for all these layers. IEEE 802.11 defines two
authentication schemes:

a) Open System Authentication.
b) Shared Key Authentication.

8.1.1 Open System Authentication:

Open system authentication is the default authentication protocol for 802.11. As
the name implies, open system authentication authenticates anyone who requests
authentication. A terminal announces that it wishes to associate with an access point, and
typically the access point allows the association. Essentially it provides a null
authentication process.

8.1.2 Shared Key Authentication

Shared key authentication uses a standard challenge and response along with a
shared secret key to provide authentication. Shared key authentication requires that
the Wired Equivalent Privacy (WEP) algorithm be implemented on both the
wireless terminal and the access point. The station wishing to authenticate, the initiator,
sends an authentication request management frame indicating that it wishes to use
"shared key" authentication. The recipient of the authentication request, the responder,
responds by sending an authentication management frame containing challenge text to
the initiator. The challenge text is generated by using the WEP pseudo-random number
generator (PRNG) with the "shared secret" and a random initialization vector (IV).
Once the initiator receives the management frame from the responder, it copies the
contents of the challenge text into a new management frame body. This new management
frame body is then encrypted with WEP using the "shared secret" along with a new IV
selected by the initiator. The encrypted management frame is then sent to the responder.
The responder decrypts the received frame and verifies that the 32-bit CRC integrity
check value (ICV) is valid, and that the challenge text matches that sent in the first
message. If they do, then authentication is successful. If the authentication is successful,
then the initiator and the responder switch roles and repeat the process to ensure mutual
authentication.

Mutual Station Authentication Using Shared Keys

Mobiles that are allowed to connect to the network use the same shared key, so this
authentication method is only able to verify whether a particular mobile belongs to the group
allowed to connect to the network; there is no way to distinguish one mobile from
another. Also, there are no means available to authenticate the network. IEEE 802.11
does not define any key management functions. IEEE 802.11 defines an optional
WEP mechanism to implement the confidentiality and integrity of the traffic in the
network. WEP is used at the station-to-station level and does not offer any end-to-end
security. A playback (replay) attack, for example, could easily fool the Shared Key
Authentication scheme. Hence an additional authentication mechanism is needed in any case.
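Added example, not from the paper: a simulation of the four-frame Shared Key Authentication exchange described above, with RC4 keyed by IV || secret and a CRC-32 ICV as in WEP, followed by the role swap for mutual authentication; it also shows the point made above that every station holding the group key authenticates identically. The Station class, the 40-bit key and the 128-byte challenge are my constructions.

```python
"""IEEE 802.11 Shared Key Authentication exchange (added example, not from the paper).

Frame 1: initiator asks for shared-key authentication (no secret material).
Frame 2: responder sends challenge text from the WEP PRNG (RC4 keyed with
         a random IV and the shared secret).
Frame 3: initiator returns the challenge WEP-encrypted under a fresh IV.
Frame 4: responder decrypts, checks the CRC-32 ICV and the challenge text,
         and reports success or failure.
Because the only secret is the group key, any holder of it passes: the
responder learns membership in the group, not which station it is talking to.
Keys and the frame layout below are constructed for illustration.
"""
import os
import zlib


def rc4_keystream(key, length):
    """RC4 key scheduling plus pseudo-random generation; this is WEP's PRNG."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data):
    """32-bit CRC integrity check value, little-endian as in WEP."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def wep_encrypt(secret, iv, body):
    """Frame = IV (3 bytes, in the clear) || RC4(iv || secret) XOR (body || ICV(body))."""
    plain = body + icv(body)
    stream = rc4_keystream(iv + secret, len(plain))
    return iv + bytes(p ^ k for p, k in zip(plain, stream))


def wep_decrypt(secret, frame):
    """Return the frame body if the ICV verifies, else None."""
    iv, cipher = frame[:3], frame[3:]
    stream = rc4_keystream(iv + secret, len(cipher))
    plain = bytes(c ^ k for c, k in zip(cipher, stream))
    body, tag = plain[:-4], plain[-4:]
    return body if icv(body) == tag else None


class Station:
    """A station that can play either role; its name never enters the exchange."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def make_challenge(self):                    # responder, frame 2
        return rc4_keystream(os.urandom(3) + self.secret, 128)

    def answer(self, challenge):                 # initiator, frame 3
        return wep_encrypt(self.secret, os.urandom(3), challenge)

    def verify(self, challenge, frame):          # responder, frame 4
        return wep_decrypt(self.secret, frame) == challenge


def shared_key_auth(initiator, responder):
    """One direction of the exchange; returns the frame-4 status (True = success)."""
    challenge = responder.make_challenge()       # frame 2 (frame 1 is just the request)
    frame3 = initiator.answer(challenge)         # frame 3
    return responder.verify(challenge, frame3)   # frame 4


def mutual_auth(a, b):
    """Both directions: roles are swapped and the exchange repeated, as the text says."""
    return shared_key_auth(a, b) and shared_key_auth(b, a)


if __name__ == "__main__":
    group_key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit key
    ap = Station("access point", group_key)
    print("station 1:", mutual_auth(Station("station 1", group_key), ap))   # True
    print("station 2:", mutual_auth(Station("station 2", group_key), ap))   # True
    print("wrong key:", mutual_auth(Station("other", b"\x00" * 5), ap))    # False
```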

8.1.3 Secure key generation and distribution:

Mobile systems have constraints such as minimal computational capabilities, yet
authentication and secure key generation and distribution are required by any system
that provides cryptographic authentication, confidentiality and identification. Developing
faster and more powerful hardware components which require less energy, and changing
the algorithmic and protocol design of the current system, would be useful to meet
future needs.

8.1.4 Current Approaches for the Key generation:

8.1.4.1 Key generation by the telephone manufacturer and distribution to the Service
Provider via a backbone network.

(a) This requires the manufacturers and the Service Provider to develop a special
distribution channel. (b) Security of keys should be ensured from the time the keys are
sent from the manufacturer to the Service Provider. (c) This approach is unacceptable to
both the Service Provider and the manufacturer.

8.1.4.2 Over-the-air phone activation with key exchange

Over-the-air activation is the preferred approach and requires collaborative key
generation and distribution between the mobile unit and the service provider. The
current over-the-air service provisioning (OTASP) uses a Diffie-Hellman key exchange
between the service provider and the mobile unit to agree on a symmetric key called the
A-key (Authentication Key). The A-key serves as the "master" symmetric key from which
the session keys are generated; these in turn are used for authentication and
encryption. This method has several drawbacks. It is inefficient because of the time it
takes to set up an authentication session, and the modular exponentiations are costly in
the constrained computational environment of the mobile unit. The exchange is not
analysed under precise notions of cryptographic security; in particular, an
unauthenticated Diffie-Hellman exchange is exposed to a man-in-the-middle. Finally, the
key exchanged should be chosen by the mobile unit alone, which a joint Diffie-Hellman
agreement does not provide.

8.2 Proposed Method for the implementation of Over-the-air phone Activation Approach:

Secure implementation:
(1) The Service Provider broadcasts its public information together with the signature
of the C.A. (the Certification Authority whose digital signature certifies the validity
of a S.P.) on that information.
(2) The Mobile Unit authenticates the Service Provider using its built-in C.A. public
key.
(3) The Mobile Unit generates a random session key SK and a random authentication pad
AP, encrypts (SK, AP) with the Service Provider's public key and sends the result to the
Service Provider.
(4) The Service Provider decrypts the session key and authentication pad sent by the
Mobile Unit.
(5) The Service Provider generates a key (the A-key) and encrypts it together with the
authentication pad AP, using a secure symmetric encryption algorithm under the received
session key SK.
(6) The Mobile Unit decrypts the A-key and verifies that its last bits are equal to AP.

Figure: message flow of the proposed activation protocol (reconstructed from the
figure).
C.A. -> S.P.: identification, C.A. signature on the S.P.'s public key
S.P. -> M.U.: S.P. public key, C.A.'s signature
M.U. -> S.P.: E({S.K, A.P}, S.P.'s public key)
S.P. -> M.U.: E({A-Key, A.P}, S.K)

To make the above system efficient in practice, we need an efficient way to
authenticate the Service Provider to the mobile unit and an efficient public-key
encryption method to transmit the session key from the mobile unit to the service
provider.

Semantic security ensures that no partial information about the session key can be
obtained from its encryption: even if the attacker guessed the session key sent by the
mobile unit, he would be unable to confirm the guess from the ciphertext. Plaintext
awareness requires that an attacker cannot produce a valid ciphertext without knowing
the corresponding plaintext, so choosing a random message gives him no advantage.

Secure Symmetric encryption:

The notion of security for symmetric encryption schemes is likewise semantic security
together with plaintext awareness. We want to guarantee that even if an attacker
intercepts the encryption and manages to guess the SK or the pad AP (and so obtains a
candidate A-key by decrypting the ciphertext), it is still impossible for him to verify
that the A-key he obtained is the one included in the ciphertext; at the same time the
M.U. must be able to verify that the key it received was generated by someone who knew
both AP and SK, i.e., that it is not simply a random number.

These goals appear to contradict each other: plaintext awareness requires some form of
authentication of the plaintext, yet here we want to prevent an attacker from verifying
that authentication even if he guesses the encryption key. The solution is to separate
the session key from the authentication pad. The M.U. can authenticate the encrypted
string using AP, but the attacker cannot verify whether a guessed (SK, AP) pair is
correct, since SK and AP are chosen independently and he knows no relation between
them.

The solution proposed for secure key generation and distribution is thus more efficient
and secure than current practice and can be a first step toward cryptographically
provable security in an environment with tight restrictions on computational power.
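The delivery of the A-key and the role of the separated pad, as an added example that is not the paper's own code: the following Python implements the mobile unit's choice of SK and AP, the service provider's reply E({A-key, AP}, SK) and the mobile unit's check of the trailing bits, together with the attacker's position described above. It assumes the C.A. signature check and the public-key encryption of (SK, AP) to the service provider have already taken place (RSA-OAEP or similar in practice; not modelled), uses HMAC-SHA256 in counter mode as the symmetric cipher, and fixes the A-key at 64 bits, AP at 32 bits and SK at 128 bits, all of which are assumptions. For contrast it also shows the bad design in which AP is derived from SK, where an attacker who guesses SK can confirm the guess.

```python
"""Added example (not the paper's code): the A-key delivery step of the
over-the-air activation proposal, with the session key SK and the
authentication pad AP kept separate, and the contrast with a pad derived
from SK.

Assumed: the C.A.-signed service provider key and the public-key encryption
of (SK, AP) have already happened and are not modelled; the symmetric cipher
is HMAC-SHA256 in counter mode; A-key 64 bits, AP 32 bits, SK 128 bits.
"""
import hashlib
import hmac
import os
from typing import Callable, List, Optional, Tuple

AKEY_BYTES, AP_BYTES, SK_BYTES = 8, 4, 16      # assumed sizes


def keystream(sk: bytes, n: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(SK, ctr) blocks, truncated to n bytes."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(sk, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def sym_crypt(sk: bytes, data: bytes) -> bytes:
    """XOR with the keystream; encryption and decryption are the same operation.
    Each SK encrypts exactly one message here, so no keystream is ever reused."""
    return bytes(a ^ b for a, b in zip(data, keystream(sk, len(data))))


# ---- mobile unit (M.U.) ----
def mu_prepare() -> Tuple[bytes, bytes]:
    """M.U. picks a random session key SK and an independent random pad AP."""
    return os.urandom(SK_BYTES), os.urandom(AP_BYTES)


def mu_verify(sk: bytes, ap: bytes, ct: bytes) -> Optional[bytes]:
    """M.U. decrypts and accepts the A-key only if the trailing bits equal AP."""
    pt = sym_crypt(sk, ct)
    akey, tail = pt[:AKEY_BYTES], pt[AKEY_BYTES:]
    return akey if hmac.compare_digest(tail, ap) else None


# ---- service provider (S.P.) ----
def sp_issue_akey(sk: bytes, ap: bytes) -> Tuple[bytes, bytes]:
    """S.P. generates the A-key and returns (A-key, E({A-key, AP}, SK))."""
    akey = os.urandom(AKEY_BYTES)
    return akey, sym_crypt(sk, akey + ap)


# ---- eavesdropper who holds ct and tries guesses for SK ----
def attacker_search(ct: bytes, guesses: List[bytes],
                    pad_rule: Optional[Callable[[bytes], bytes]]) -> List[bytes]:
    """Return the guesses the attacker can confirm. Every guess decrypts to a
    well-formed (A-key, pad) candidate; a guess is confirmable only if the
    attacker knows a rule linking the pad to SK (pad_rule). With AP chosen
    independently of SK there is no such rule, so nothing is confirmable."""
    hits = []
    for g in guesses:
        tail = sym_crypt(g, ct)[AKEY_BYTES:]
        if pad_rule is not None and tail == pad_rule(g):
            hits.append(g)
    return hits


def derived_pad(sk: bytes) -> bytes:
    """The contrasting bad design: AP computed from SK instead of chosen at random."""
    return hashlib.sha256(sk).digest()[:AP_BYTES]


def demo() -> dict:
    sk, ap = mu_prepare()
    akey, ct = sp_issue_akey(sk, ap)
    accepted = mu_verify(sk, ap, ct) == akey
    tampered = mu_verify(sk, ap, ct[:-1] + bytes([ct[-1] ^ 0x01])) is None
    guesses = [os.urandom(SK_BYTES) for _ in range(7)] + [sk]   # the list contains the real SK
    hits_separate = attacker_search(ct, guesses, None)           # no relation to test against
    _, bad_ct = sp_issue_akey(sk, derived_pad(sk))
    hits_derived = attacker_search(bad_ct, guesses, derived_pad) # the right SK confirms itself
    return {"accepted": accepted, "tampered_rejected": tampered,
            "hits_separate": len(hits_separate), "hits_derived": len(hits_derived)}


if __name__ == "__main__":
    print(demo())
```

The M.U. gets plaintext awareness from AP alone, while the attacker, even holding the correct SK in his guess list, has nothing to compare the decrypted tail against; the moment AP is made a function of SK (the `derived_pad` variant) the same guess list yields exactly one confirmed hit, which is the leak the separation is meant to prevent.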

8.4 Mitigating Routing Misbehavior (Marti et al. [3])

In this section we present the watchdog and the pathrater tools for detecting and
mitigating routing misbehavior, and describe the limitations of these methods.

The watchdog detects misbehaving nodes. Suppose there exists a path from node S to
node D through intermediate nodes A, B and C. Node A cannot transmit all the way to
node C, but it can listen in on node B's traffic. Thus, when A transmits a packet for B
to forward to C, A can often tell whether B transmits it: A keeps a copy of each packet
it hands to B and, listening in promiscuous mode, removes the copy once it overhears B
forwarding it; a copy that stays in the buffer longer than a timeout counts as a failure
to forward. If encryption is not performed separately for each link (which is
expensive), A can also tell whether B has tampered with the payload or the header.

Figure: Watchdog operation. Path S -> A -> B -> C -> D; A's watchdog (W) overhears
B's forwarding.

Every time a node fails to forward a packet, the watchdog increments a failure tally for
that node. If the tally exceeds a certain threshold, the watchdog determines that the
node is misbehaving and notifies the source. The watchdog technique has advantages and
weaknesses. DSR with the watchdog has the advantage that it can detect misbehavior at
the forwarding level and not just the link level. Its disadvantage is that it might not
detect a misbehaving node in the presence of:

- Ambiguous collisions
- Receiver collisions
- Limited transmission power
- False misbehavior
- Partial dropping

Fig 1. Path S -> A -> B -> C -> D, with packet 2 travelling from S to A while packet 1
travels from B to C. Node A does not hear B forwarding packet 1 to C, because B's
transmission collides at A with packet 2 from source S.

Pathrater:

The pathrater combines knowledge of misbehaving nodes with link reliability data to pick
the route most likely to be reliable. Each node maintains a rating for every other node
it knows about in the network, and calculates a path metric by averaging the node
ratings along the path. This metric is chosen because it compares the overall
reliability of different paths and lets the pathrater emulate the shortest-path
algorithm when no reliability information has been collected: newly discovered nodes
start at a neutral rating and a node rates itself highest, so with no other information
the shortest path has the highest average. If there are multiple paths to the same
destination, the path with the highest metric is chosen. Note that this differs from
standard DSR, which chooses the shortest path in the route cache. Further note that
since the pathrater depends on knowing the exact path a packet has traversed, it must
be implemented on top of a source routing protocol.
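As an added example, not the authors' code and not part of the original paper, the following Python models a watchdog and a pathrater of the kind described above and runs them over a constructed packet trace in which node B forwards one packet and drops the other four. The routes S-B-D and S-A-C-D, the failure threshold and the timeout are assumptions; the rating values (neutral 0.5, self 1.0, misbehaving -100, +0.01 per interval on active paths capped at 0.8, -0.05 on a link break) are those given by Marti et al. Collisions and limited transmission power are not modelled, and a node dropping fewer packets than the threshold would go unflagged, which is exactly the partial-dropping weakness listed above.

```python
"""Added example (not the authors' code): watchdog and pathrater over a
constructed DSR trace. Routes, threshold and timeout are assumptions; rating
constants follow Marti et al. Collisions are not modelled."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

NEUTRAL, SELF, MISBEHAVING = 0.5, 1.0, -100.0
MAX_RATING, INCREMENT, DECREMENT = 0.8, 0.01, 0.05


@dataclass
class Watchdog:
    """Run by a node in promiscuous mode: each packet handed to the next hop is
    buffered until that hop is overheard forwarding it; packets that outlive
    `timeout` in the buffer count against the hop."""
    owner: str
    threshold: int = 3          # assumed: failures tolerated before flagging
    timeout: float = 1.0        # assumed: seconds to wait for the retransmission
    pending: Deque[Tuple[int, str, float]] = field(default_factory=deque)
    tally: Dict[str, int] = field(default_factory=dict)
    flagged: List[str] = field(default_factory=list)

    def sent(self, pkt: int, next_hop: str, now: float) -> None:
        self.pending.append((pkt, next_hop, now))

    def overheard(self, pkt: int, from_node: str) -> bool:
        """Next hop was heard retransmitting `pkt`: clear it from the buffer."""
        for entry in self.pending:
            if entry[0] == pkt and entry[1] == from_node:
                self.pending.remove(entry)
                return True
        return False

    def expire(self, now: float) -> List[str]:
        """Count timed-out packets as failures; flag hops over the threshold."""
        while self.pending and now - self.pending[0][2] > self.timeout:
            _, hop, _ = self.pending.popleft()
            self.tally[hop] = self.tally.get(hop, 0) + 1
            if self.tally[hop] > self.threshold and hop not in self.flagged:
                self.flagged.append(hop)          # in DSR: notify the source
        return list(self.flagged)


class Pathrater:
    """Per-node ratings; a path's metric is the average rating of its nodes."""

    def __init__(self, me: str) -> None:
        self.me = me
        self.ratings: Dict[str, float] = {me: SELF}

    def rating(self, node: str) -> float:
        return self.ratings.setdefault(node, NEUTRAL)

    def mark_misbehaving(self, node: str) -> None:
        self.ratings[node] = MISBEHAVING

    def credit_active_path(self, path: List[str]) -> None:
        """Periodic increment for nodes on a path carrying traffic; a flagged
        node (negative rating) earns nothing back."""
        for n in path:
            if n != self.me and self.rating(n) >= 0:
                self.ratings[n] = min(MAX_RATING, self.ratings[n] + INCREMENT)

    def link_break(self, node: str) -> None:
        self.ratings[node] = max(0.0, self.rating(node) - DECREMENT)

    def path_metric(self, path: List[str]) -> float:
        return sum(self.rating(n) for n in path) / len(path)

    def choose(self, paths: List[List[str]]) -> List[str]:
        """Highest metric wins; with all-neutral ratings that is the shortest
        path, because only the source's own 1.0 lifts the average."""
        return max(paths, key=self.path_metric)


def simulate() -> dict:
    """S sends five packets via B; B forwards only packet 1 (constructed trace)."""
    routes = [["S", "B", "D"], ["S", "A", "C", "D"]]
    wd, pr = Watchdog("S"), Pathrater("S")
    before = pr.choose(routes)                    # all neutral: shortest route wins
    for pkt in range(1, 6):
        wd.sent(pkt, "B", now=0.1 * pkt)
        if pkt == 1:
            wd.overheard(pkt, "B")                # S hears B retransmit packet 1
    flagged = wd.expire(now=5.0)                  # four timeouts > threshold of 3
    for node in flagged:
        pr.mark_misbehaving(node)                 # watchdog report feeds the pathrater
    after = pr.choose(routes)
    return {"before": before, "flagged": flagged, "after": after,
            "metric_bad": round(pr.path_metric(routes[0]), 3),
            "metric_good": round(pr.path_metric(routes[1]), 3)}


if __name__ == "__main__":
    print(simulate())
```

Before any failure is observed the two-hop route through B scores higher than the three-hop route, reproducing plain DSR; once the watchdog's tally for B crosses the threshold, B's -100 rating drives that route's average negative and the pathrater switches to the longer route through A and C.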

CONCLUSION

The diligent management of network security is essential to the operation of networks,
whether or not they are segmented. It is important to note that absolute security is an
abstract concept; it does not exist anywhere. All networks are vulnerable to insider or
outsider attacks and to eavesdropping, and no one wants to risk having data exposed to
the casual observer or to malicious mischief. Whether the network is wired or wireless,
steps can and should always be taken to preserve network security and integrity.

We have said that any secure network will have vulnerabilities that an adversary could
exploit. This is especially true for wireless ad-hoc networks. Intrusion detection can
complement intrusion prevention techniques (such as encryption, authentication, secure
MAC, secure routing, etc.) to improve network security. However, new techniques must be
developed to make intrusion detection work better for wireless networks.

We have shown that an architecture for better intrusion detection in wireless networks
should be distributed and cooperative, applying mobile agents to the network, and have
described a few of the implemented approaches for intrusion detection.

Currently, research is under way on new architectures for better security in wireless
networks.

REFERENCES:

[1] Zhou L., Haas Z. J., "Securing Ad Hoc Networks", IEEE Network, Vol. 13, No. 6,
1999, pp. 24-30.

[2] Sundaram A., "An Introduction to Intrusion Detection", ACM Crossroads,
http://www.acm.org/crossroads/xrds2-4/intrus.html

[3] Marti S., Giuli T. J., Lai K., Baker M., "Mitigating Routing Misbehavior in Mobile
Ad Hoc Networks", Proceedings of the Annual International Conference on Mobile
Computing and Networking (MobiCom 2000), pp. 255-265.

[4] Arbaugh W., Shankar N., Wan Y. C. J., "Your 802.11 Wireless Network Has No
Clothes", University of Maryland, 30 March 2001.

[5] Lee W., Xiang D., "Information-Theoretic Measures for Anomaly Detection".

[6] Lee W., Zhang Y., Huang Y.-A., "Intrusion Detection Techniques for Mobile Wireless
Networks".

[7] Zhang Y., Lee W., "Intrusion Detection in Wireless Ad-Hoc Networks", Proceedings
of the Annual International Conference on Mobile Computing and Networking (MobiCom
2000), pp. 275-283.

[8] Smith A. B., "An Examination of an Intrusion Detection Architecture for Wireless
Ad-Hoc Networks".

[9] Kruegel C., Toth T., "Applying Mobile Agent Technology to Intrusion Detection".

[10] Kumar S., "Classification and Detection of Computer Intrusions".