Chapter 2 Notes

The document provides an overview of Intrusion Detection Systems (IDS) in Wireless Ad Hoc Networks, detailing their importance, functionality, and various types. It discusses the challenges faced by IDS, such as false alarms and the need for continuous monitoring, while outlining the core components and requirements for effective IDS implementation. Additionally, it classifies IDS into different types, including network and host-based systems, and highlights their advantages and disadvantages.

Uploaded by

r_dhayavel

EE531-WIRELESS SECURITY

CHAPTER II-NOTES
INTRUSION DETECTION IN WIRELESS AD HOC NETWORKS

2. INTRUSION DETECTION IN WIRELESS AD HOC NETWORKS

2.1 Intrusion Detection Systems(IDS)

2.2 Problem in current IDS techniques

2.3 Requirements of IDS

2.4 Classification of IDS

2.5 Network and host based anomaly detection

2.6 Network and host based misuse detection

2.7 specification based – intrusion detection in MANETs

2.8 distributed IDS and mobile agents

2.9 AODV protocol based IDS

2.10 Intrusion resistant routing algorithms

2.11 Comparison of IDS.



Dr R DHAYA EE531-CHAPTER 2 NOTES (POST GRADUATE) Page 1


BASICS
• Ad hoc -- a Latin phrase which means "for this [purpose]".
• An autonomous system of mobile hosts connected by wireless links, often called
Mobile Ad hoc NETworks (MANETs)
• A Mobile Ad Hoc Network (MANET) is a group of mobile devices, e.g., laptops,
mobile phones, radios, or sensors, that communicate with each other wirelessly
(standard Wi-Fi, cellular, local RF network, etc.) and provide the needed
network functionality without an existing fixed structure.

MANET Characteristics:
 No fixed infrastructure
 Dynamically changing topology
 Mobile devices join/leave the network unexpectedly; they can also move freely
 Energy-constrained
 Limited bandwidth
 Each node also serves as a router
 Helps to relay packets received from neighbors
 Interoperation with the Internet

MANETs vs. Wired networks


o In MANETs, each node also works as router for forwarding packets
o In wired networks, routers perform routing task
MANETs vs. Managed wireless networks
o No infrastructure in MANETs
o Special node known as access point (AP) in managed wireless networks

2.1 INTRUSION DETECTION SYSTEM

 An Intrusion Detection System (IDS) is a security tool that monitors a computer network or systems for malicious activities or policy violations.
 It helps detect unauthorized access, potential threats, and abnormal activities by analyzing traffic and alerting administrators to take action.
 An IDS is crucial for maintaining network security and protecting sensitive data from cyber-attacks.
 An IDS monitors network traffic, looks for unusual activity and sends alerts when it occurs.
 The main duties of an IDS are anomaly detection and reporting; however, certain IDSs can also take action when malicious activity or unusual traffic is discovered.



What is an Intrusion Detection System?
- An intrusion detection system (IDS) observes network traffic for malicious transactions and sends immediate alerts when one is observed. It is software that checks a network or system for malicious activities or policy violations. Each illegal activity or violation is often recorded centrally using a SIEM system or reported to an administrator. An IDS monitors a network or system for malicious activity and protects a computer network from unauthorized access by users, including perhaps insiders. The intrusion detector learning task is to build a predictive model (i.e. a classifier) capable of distinguishing between 'bad connections' (intrusions/attacks) and 'good (normal) connections'.

Figure 1: Intrusion detection system (IDS) overview.

Working of Intrusion Detection System (IDS)

 An IDS monitors the traffic on a computer network to detect any suspicious activity.
 It analyzes the data flowing through the network to look for patterns and signs of abnormal behavior.
 The IDS compares the network activity to a set of predefined rules and patterns to identify any activity that might indicate an attack or intrusion.
 If the IDS detects something that matches one of these rules or patterns, it sends an alert to the system administrator.
 The system administrator can then investigate the alert and take action to prevent any damage or further intrusion.
Advantages:
 Early Threat Detection: IDS identifies potential threats early, allowing for
quicker response to prevent damage.
 Enhanced Security: It adds an extra layer of security, complementing other
cyber-security measures to provide comprehensive protection.
 Network Monitoring: Continuously monitors network traffic for unusual
activities, ensuring constant vigilance.
 Detailed Alerts: Provides detailed alerts and logs about suspicious activities,
helping IT teams investigate and respond effectively.
Disadvantages
 False Alarms: IDS can generate false positives, alerting on harmless activities
and causing unnecessary concern.
 Resource Intensive: It can use a lot of system resources, potentially slowing
down network performance.
 Requires Maintenance: Regular updates and tuning are needed to keep the IDS
effective, which can be time-consuming.
 Doesn’t Prevent Attacks: IDS detects and alerts but doesn’t stop attacks, so
additional measures are still needed.



 Complex to Manage: Setting up and managing an IDS can be complex and may
require specialized knowledge.

Why Are Intrusion Detection Systems (IDS) Important?


 An intrusion detection system provides an extra layer of protection, making it a
critical element of an effective cybersecurity strategy. You can use it alongside
your other cybersecurity tools to catch threats that are able to penetrate your
primary defenses. So even if your main system fails, you are still alerted to the
presence of a threat.
 A healthcare organization, for example, can deploy an IDS to signal to the IT
team that a range of threats has infiltrated its network, including those that have
managed to bypass its firewalls. In this way, the IDS helps the organization to
stay in compliance with data security regulations.

How Does an Intrusion Detection System Work? What Are Its Uses?
 IDS solutions excel in monitoring network traffic and detecting anomalous
activity. They are placed at strategic locations across a network or on devices
themselves to analyze network traffic and recognize signs of a potential attack.
 An IDS works by looking for the signature of known attack types or detecting
activity that deviates from a prescribed normal. It then alerts or reports these
anomalies and potentially malicious actions to administrators so they can be
examined at the application and protocol layers.
 This enables organizations to detect the potential signs of an attack beginning or
being carried out by an attacker. IDS solutions do this through several
capabilities, including:



1. Monitoring the performance of key Firewalls, files, routers, and servers to
detect, prevent, and recover from cyber-attacks
2. Enabling system administrators to organize and understand their relevant
operating system audit trails and logs that are often difficult to manage and track
3. Providing an easy-to-use interface that allows staff who are not security
experts to help with the management of an organization’s systems
4. Providing an extensive database of attack signatures that can be used to
match and detect known threats
5. Providing a quick and effective reporting system when anomalous or
malicious activity occurs, which enables the threat to be passed up the stack
6. Generating alarms that notify the necessary individuals, such as system
administrators and security teams, when a breach occurs
7. In some cases, reacting to potentially malicious actors by blocking them and
their access to the server or network to prevent them from carrying out any further
action.



2.2 IDS CHALLENGES/PROBLEMS
While IDS solutions are important tools in monitoring and detecting potential threats,
they are not without their challenges. These include:

- False alarms: Also known as false positives, these leave IDS solutions
vulnerable to identifying potential threats that are not a true risk to the
organization. To avoid this, organizations must configure their IDS to
understand what normal looks like, and as a result, what should be
considered as malicious activity.
- False negatives: This is a bigger concern, as the IDS solution mistakes an
actual security threat for legitimate traffic. An attacker is allowed to pass into
the organization’s network, with IT and security teams oblivious to the fact
that their systems have been infiltrated.

As the threat landscape evolves and attackers become more sophisticated, it is preferable for IDS solutions to produce false positives rather than false negatives. In other words, it is better to discover a potential threat and prove it to be wrong than for the IDS to mistake attackers for legitimate users. Furthermore, IDS solutions increasingly need to be capable of quickly detecting new threats and signs of malicious behaviour.
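To make the false-alarm trade-off above concrete, here is an added example that is not part of the course notes: a small Python evaluator that scores a hypothetical detector's alert decisions against ground truth. The anomaly scores, their labels and the candidate thresholds are constructed for the example; it shows how lowering the alert threshold removes false negatives at the price of more false positives, which is the direction the text argues for.

```python
"""Evaluate IDS alert decisions against ground truth (added example).

The (score, label) pairs below are constructed: each is the anomaly score a
hypothetical detector assigned to one connection, plus whether the connection
really was an intrusion. The evaluator raises an alert whenever the score
reaches a threshold and counts the four possible outcomes.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: (anomaly score on a 0..1 scale, True if a real intrusion).
# Two benign connections score fairly high and one intrusion scores low, so no
# single threshold separates the classes perfectly.
SAMPLE_SCORES: List[Tuple[float, bool]] = [
    (0.05, False), (0.10, False), (0.20, False), (0.35, False), (0.45, False),
    (0.55, False), (0.62, False),          # legitimate but unusual traffic
    (0.40, True), (0.58, True), (0.75, True), (0.90, True), (0.97, True),
]


@dataclass(frozen=True)
class Confusion:
    tp: int  # alerted, and it was an intrusion
    fp: int  # alerted, but the traffic was legitimate (false alarm)
    tn: int  # silent, and the traffic was legitimate
    fn: int  # silent, but it was an intrusion (missed attack)

    @property
    def false_positive_rate(self) -> float:
        benign = self.fp + self.tn
        return self.fp / benign if benign else 0.0

    @property
    def false_negative_rate(self) -> float:
        attacks = self.fn + self.tp
        return self.fn / attacks if attacks else 0.0


def evaluate(scores: Iterable[Tuple[float, bool]], threshold: float) -> Confusion:
    """Alert when score >= threshold; tally outcomes against the true labels."""
    tp = fp = tn = fn = 0
    for score, is_intrusion in scores:
        alerted = score >= threshold
        if alerted and is_intrusion:
            tp += 1
        elif alerted:
            fp += 1
        elif is_intrusion:
            fn += 1
        else:
            tn += 1
    return Confusion(tp, fp, tn, fn)


def threshold_sweep(scores, thresholds: Iterable[float]) -> Dict[float, Confusion]:
    """Confusion matrix at each candidate alert threshold."""
    data = list(scores)
    return {t: evaluate(data, t) for t in thresholds}


def highest_threshold_without_misses(scores, thresholds) -> Optional[float]:
    """The strictest threshold that still catches every intrusion (zero FN).

    This is the operating point the notes argue for: accept extra false
    alarms rather than let an attack through. Returns None if no candidate
    threshold achieves zero false negatives.
    """
    safe = [t for t, c in threshold_sweep(scores, thresholds).items() if c.fn == 0]
    return max(safe) if safe else None


if __name__ == "__main__":
    candidates = [0.3, 0.4, 0.5, 0.6, 0.7]
    for t, c in sorted(threshold_sweep(SAMPLE_SCORES, candidates).items()):
        print(f"threshold {t:.1f}: TP={c.tp} FP={c.fp} TN={c.tn} FN={c.fn} "
              f"FPR={c.false_positive_rate:.2f} FNR={c.false_negative_rate:.2f}")
    print("strictest threshold with no missed attacks:",
          highest_threshold_without_misses(SAMPLE_SCORES, candidates))
```

On this sample a threshold of 0.7 gives no false alarms but misses two of the five intrusions, while 0.4 catches all five at the cost of three false alarms; the sweep makes the choice between the two failure modes explicit instead of leaving it to whatever default the detector ships with.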

2.3 REQUIREMENTS OF IDS
An IDS comprises five core components that work together to detect, document, and deter intrusions:
1. Sensors (Data Acquisition Units): These modules function as the primary data collection mechanism for the IDS. They are deployed at strategic points within the network (network sensors) or on individual hosts (host-based sensors). Network sensors continuously capture and transmit network traffic data to the IDS for analysis. Host-based sensors monitor system activity on the device, including logs, file access attempts, and running processes.
2. Data Processing and Analysis Engine: The analysis engine is the core
component responsible for evaluating data collected by the sensors. It
employs various techniques to identify potential intrusions:
 Signature-based Detection: This approach involves matching
captured data against a database of known attack signatures.
These signatures represent characteristic patterns of malicious
activity.
 Anomaly Detection: This technique involves employing statistical
algorithms to establish baselines for normal network traffic or
system activity. The engine then identifies significant deviations
from these baselines as potential intrusions.
3. Alert Generation Engine: Upon detecting suspicious activity, the analysis
engine triggers the alert generation engine. This engine is responsible for
formulating alerts that include details of the suspected intrusion, such as
the type of activity detected, its timestamp, and the source IP address. These
alerts are then disseminated to:
- Security Personnel: For investigation and response actions.
- Security Information and Event Management (SIEM) System: A
central repository that aggregates security events from various sources,
including IDS alerts, to facilitate a comprehensive view of security posture.
4. Management Interface: This software component provides a user interface
for security administrators to interact with the IDS. It allows them to:



- Configure the IDS: This involves defining security rules for anomaly
detection, managing sensor deployment, and establishing alert thresholds
and destinations.
- Monitor System Activity: Security personnel can utilize the console to
view real-time data on detected threats, analyze historical data, and
investigate security incidents.
*Note that not all IDSs have a management interface available.
5. Knowledge Base: The IDS maintains a repository of critical information for
reference and analysis purposes. This knowledge base typically includes:
- Attack Signatures: A well-maintained database of known attack
signatures that facilitates signature-based detection.
- Security Rules: Custom rules defined by the security administrator to
identify suspicious behavior specific to the organization's network or
system.
- Alert History: A chronological record of all generated alerts, including
timestamps, details of the detected activity, and the current investigation
status.
It is expected that an ideal IDS is likely to support several of the following requirements:
• The IDS should not introduce a new weakness in the MANET. That is, the IDS itself should not make a node any weaker than it already is.
• An IDS should run continuously and remain transparent to the system and users.
• The IDS should use as little system resources as possible to detect and prevent intrusions. IDSs that require excessive communication among nodes or run complex algorithms are not desirable.
• It must be fault-tolerant in the sense that it must be able to recover from system crashes, hopefully recover to the previous state, and resume the operations before the crash.
• Apart from detecting and responding to intrusions, an IDS should also resist subversion. It should monitor itself and detect if it has been compromised by an attacker.
• An IDS should have a proper response. In other words, an IDS should not only detect but also respond to detected intrusions, preferably without human intervention.
• Accuracy of the IDS is another major factor in MANETs. Fewer false positives and false negatives are desired.
• It should interoperate with other intrusion detection systems to collaboratively detect intrusions. For example, the Internet Engineering Task Force (IETF) Intrusion Detection Working Group (IDWG) is working toward proposing such a specification.

2.4 CLASSIFICATION OF IDS

Intrusion Detection System is classified into 7 types:


1. Network intrusion detection system (NIDS): A NIDS solution is deployed at strategic points within an organization's network to monitor incoming and outgoing traffic. This IDS approach monitors and detects malicious and suspicious traffic coming to and going from all devices connected to the network.
This intrusion detection system takes charge of the entire network and is capable of operating in mixed and hybrid environments. If anything malicious or unusual is detected on the network or cloud or any other mixed environment it will initiate alerts.
Figure: Installation points of HIDS and NIDS.
Advantages:
 Detects attacks in the entire network
 It can use the information collected from attacks on different hosts to detect attacks on a new or fresh host.
 Host production/performance remains unaffected.
Disadvantages:
 It might be slow as compared to the network speed.
 Scrutinizing protected channels may prove difficult.
 It is also passive in nature.

2. Host intrusion detection system (HIDS): A HIDS system is installed on individual devices that are connected to the internet and an organization's internal network. This solution can detect packets that come from inside the business and additional malicious traffic that a NIDS solution cannot. It can also discover malicious threats coming from the host, such as a host being infected with malware attempting to spread it across the organization's system.
Advantages:
 Analyzes what an application does.
 Detects attacks that are not visible from the network vantage point.
Disadvantages:
 Excluded from the network
 Needs to be installed on every host
 Passive in nature, so it just informs about the attack without doing anything about it.

3. Signature-based intrusion detection system (SIDS): A SIDS solution monitors all packets on an organization's network and compares them with attack signatures in a database of known threats.
A signature-based IDS works by analyzing network traffic or system files for known patterns of malicious activity. It compares the data against a database of signatures to identify potential threats. When a match is found, the IDS triggers an alert and can initiate actions to block or mitigate the detected intrusion.
Advantages:
 Familiarity brings comfort
 Quick and efficient detection
 Accurate identification
 Minimum false detections
Disadvantages:
 Limited to known threats
 Inability to spot zero-day attacks
 Maintenance can be a chore
 False negatives can happen

4. Anomaly-based intrusion detection system (AIDS): This solution monitors traffic on a network and compares it with a predefined baseline that is considered "normal." It detects anomalous activity and behavior across the network, including bandwidth, devices, ports, and protocols. An AIDS solution uses machine-learning techniques to build a baseline of normal behavior and establish a corresponding security policy. This ensures businesses can discover new, evolving threats that solutions like SIDS cannot.
5. Perimeter intrusion detection system (PIDS): A PIDS solution is placed on a network to detect intrusion attempts taking place on the perimeter of organizations' critical infrastructures.
6. Virtual machine-based intrusion detection system (VMIDS): A VMIDS solution detects intrusions by monitoring virtual machines. It enables organizations to monitor traffic across all the devices and systems that their devices are connected to.
7. Stack-based intrusion detection system (SBIDS): SBIDS is integrated into an organization's TCP/IP stack, which is used as a communications protocol on private networks. This approach enables the IDS to watch packets as they move through the organization's network and pull malicious packets before applications or the operating system can process them.

2.5 NETWORK AND HOST BASED ANOMALY DETECTION

 Anomaly detection is the identification of rare events, items, or observations which are suspicious because they differ significantly from standard behaviors or patterns. Anomalies in data are also called deviations, outliers, noise, novelties, and exceptions.
 Anomaly-based detection is a technique which compares the ongoing pattern or behavior (of a network or host) with the expected pattern or behavior; if any deviation is observed, it is termed an anomaly. Such unexpected patterns or behavior are referred to in different ways, such as anomaly, exception, surprise, outlier, aberration, and peculiarity.
 Based on what is monitored for anomalies, detection techniques can be divided into three types:
o Network-based anomaly detection
o Host-based anomaly detection
o Network + host-based anomaly detection

Network-Based Anomaly Detection

 Network-Based Anomaly (NBA) detection techniques monitor network traffic to determine whether communication flows differ from baseline conditions in terms of traffic volume, source/destination address pairs, diversity of destination addresses, time of day, or the (mis)use of particular network protocols.
 In different detection approaches, the detection is based on modeling different aspects of the network traffic such as IP flows, protocol membership, and packet jitter.
 This involves gathering metrics/observations about the normal behaviour of the network at different times of the day to compute the baseline condition. Any deviation observed may indicate suspicious activity like data leakage. The difficulty with this category of techniques lies in the determination of the baseline conditions for 'normal' user activity. Not only is this difficult to estimate (the dynamicity inherent in organisations may result in unpredictable spikes of network activity); the potentially high false positive rate can be damaging to business activity. The modes are:
 Supervised mode
 Semi-supervised mode
 Unsupervised mode
Supervised mode: In supervised mode, training data sets are prepared for both normal and abnormal network traffic. Network traffic under monitoring is compared with both classes (normal and abnormal) to decide which class it belongs to. If traffic belongs to the abnormal class then it is considered malicious activity, which indicates a possible data leakage. It is important to note that approaches based on supervised mode are not able to identify new traffic patterns (that do not already exist in the normal and abnormal training data sets) as either normal or abnormal.
Semi-supervised mode: In the semi-supervised mode, a training data set is prepared only for normal network traffic. The network traffic under monitoring is compared with the prepared training data set for normal traffic and if it does not match, the traffic is termed malicious. One drawback is that if a genuine user undertakes some activity that is legitimate but new, this approach would term it malicious, because in the absence of training data the new activity may not belong to an existing class of normal traffic and may be considered an anomaly.
Unsupervised mode: In the unsupervised mode, a training data set is available neither for normal network traffic nor for abnormal network traffic. This mode relies on the assumption that normal traffic instances are in the majority and abnormal traffic instances are usually in the minority. Since this mode of data exfiltration detection does not require training data sets, it is a widely adopted mode when designing approaches for data exfiltration detection.
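The three modes are easiest to compare in code. The following is an added example, not part of the course notes: it implements network-based anomaly detection in semi-supervised and unsupervised mode for one metric, outbound volume per hour. The traffic figures, the "quiet nights, busy office hours" profile, the z-score threshold and the MAD multiplier are all constructed assumptions. Supervised mode is omitted because it needs labelled attack traffic, which this example does not construct.

```python
"""Network-based anomaly detection in semi-supervised and unsupervised mode
(added example, not from the course notes).

The sensor data is constructed: outbound kilobytes per hour, as a network
sensor might aggregate per host. Anomalies are one-sided (too much outbound
traffic), which is the data-leakage case the text is concerned with.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple


# ---- Constructed training data: one week of normal traffic for one host ----

def constructed_normal_week() -> List[Tuple[int, float]]:
    """(hour_of_day, outbound_kb) for 7 days of normal activity. Office hours
    carry more traffic than nights; a deterministic jitter stands in for the
    day-to-day variation a real baseline would contain."""
    week = []
    for day in range(7):
        for hour in range(24):
            daytime = 9 <= hour < 18
            base, spread = (800, 20) if daytime else (60, 2)
            jitter = ((day * 7 + hour * 3) % 11) - 5        # -5 .. +5
            week.append((hour, base + jitter * spread))
    return week


# ---- Semi-supervised mode: learn from normal traffic only ----

def learn_hourly_baseline(normal_samples) -> Dict[int, Tuple[float, float]]:
    """Per-hour (mean, std) of normal outbound volume. The std is floored at
    1.0 KB so a perfectly constant hour cannot divide by zero."""
    by_hour = defaultdict(list)
    for hour, kb in normal_samples:
        by_hour[hour].append(kb)
    return {h: (statistics.mean(v), max(statistics.pstdev(v), 1.0))
            for h, v in by_hour.items()}


def semi_supervised_flags(baseline, observations, z_threshold: float = 3.0):
    """Flag observations more than z_threshold standard deviations above the
    learned mean for that hour. An hour with no baseline cannot be scored and
    is flagged too: this is the documented weakness of the mode, legitimate
    but previously unseen behaviour is reported as an anomaly."""
    flagged = []
    for hour, kb in observations:
        if hour not in baseline:
            flagged.append((hour, kb, "no baseline for this hour"))
            continue
        mean, std = baseline[hour]
        z = (kb - mean) / std
        if z > z_threshold:
            flagged.append((hour, kb, f"z={z:.1f}"))
    return flagged


# ---- Unsupervised mode: no training data at all ----

def unsupervised_flags(observations, k: float = 5.0):
    """Score a window of same-hour observations across many hosts against the
    window itself. The mode assumes normal instances are the majority, so the
    median and the median absolute deviation (MAD) describe 'normal'; the
    1.4826 factor scales MAD to a standard-deviation estimate for normally
    distributed data. observations: (host, outbound_kb)."""
    values = [kb for _, kb in observations]
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values]) * 1.4826
    mad = mad if mad > 0 else 1.0
    return [(host, kb, f"robust z={(kb - med) / mad:.1f}")
            for host, kb in observations if (kb - med) / mad > k]


# Constructed: outbound KB at 03:00 for ten hosts; nine are quiet, one is not.
HOUR3_BY_HOST = [("h0", 50), ("h1", 55), ("h2", 61), ("h3", 58), ("h4", 49),
                 ("h5", 62), ("h6", 54), ("h7", 57), ("h8", 60), ("h9", 5000)]

if __name__ == "__main__":
    baseline = learn_hourly_baseline(constructed_normal_week())
    print(semi_supervised_flags(baseline, [(3, 6000), (12, 820), (12, 1100)]))
    print(unsupervised_flags(HOUR3_BY_HOST))
```

Two points the code makes that the prose only states: the semi-supervised detector has no answer for an hour it never saw in training, so it reports it rather than guessing, and the unsupervised detector only works if the window it scores really is mostly normal. Scoring a mixed day-and-night window with it would flag every office hour, because the fifteen quiet hours form the majority and set the median.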
Host-based anomaly detection
 Instead of monitoring the network traffic, another possible approach is to
monitor the host access pattern and compare it with the normal or expected
pattern of access. One of the most critical areas of access inside a host is the
database that is monitored for the types of accesses and the types of functions
(download and upload size, and number of data transfer). The monitoring data
are recorded and compared to normal access patterns for any deviations that
may be data leakage. Similar to Network-based anomaly detection techniques,
Host-Based Anomaly (HBA) detection techniques also operate in three modes;
 Supervised Mode
 semi-supervised Mode
 unsupervised Mode
Unlike network-based anomaly detection where training data sets are prepared based
on normal or abnormal network traffic patterns, the training data sets are prepared
based on normal and abnormal host access patterns.



Supervised mode: This approach helps detect malware attacks. Being a supervised learning approach, it cannot detect unknown malicious behaviour. For practical application of the approach, an up-to-date database of benign and malware samples is required at all times. Similarly, Windows audit logs do not capture 100% of the details, and the problem can be relegated to Microsoft to improve their audit log capabilities.
Semi-supervised mode: Detection of malware is based on analysis of data flow at OS level between different entities (processes or sockets) of the system via a graph. Data gathered from system-level events through runtime monitors is represented in the form of a quantitative data flow graph. The generated graph consists of nodes and edges, where a node represents a system entity and an edge represents a data flow. If any entity or data flow in the graph matches any of the three heuristics, it is detected as malicious. The proposed approach outclasses the related approaches for malware detection in terms of time and performance efficiency.
Unsupervised mode: DBMSs have their own known vulnerabilities when it comes to data exfiltration, particularly with regard to their common deployment as part of web applications. A protective shell around the DBMS means that anomalous queries injected by an attacker can be automatically rejected without any particular need for the application programmer to implement protective measures. Since the protective shell has to learn both legal and illegal query strings, such an approach will not be able to stop zero-day attacks. It is very likely that the introduction of this new layer affects query performance.

2.6 NETWORK AND HOST BASED MISUSE DETECTION

Misuse detection: In misuse detection, decisions are made on the basis of knowledge of a model of the intrusive process and what traces it ought to leave in the observed system. Legal or illegal behavior can be defined and observed behavior compared accordingly. Such a system tries to detect evidence of intrusive activity irrespective of any knowledge regarding the background traffic (i.e., the normal behavior of the system).

In a misuse detection approach, abnormal system behaviour is defined first, and then all other behaviour is defined as normal. It stands against the anomaly detection approach, which utilizes the reverse: defining normal system behaviour first and defining all other behaviour as abnormal.
Signature-Based IDS: Signature-based IDS, also called misuse IDS, relies on a predefined database of attack signatures to identify malicious activity. These signatures represent known patterns or fingerprints of network attacks or suspicious system behavior. The IDS continuously monitors network traffic or system activity and compares this data against the database of attack signatures. Any matches trigger an alert, indicating a potential intrusion attempt. The types are:
 Network based
 Host based
Network based IDS (NIDS): NIDS act as network monitoring devices deployed at
strategic points within a computer network. Their primary function is to continuously
capture and analyze network traffic data traversing a specific network segment. NIDS
can be implemented in two primary ways:
 Dedicated hardware appliances: These are specialized devices solely designed to
perform NIDS functions.
 Software applications on network servers: Existing network servers can be
leveraged to host NIDS software, enabling them to perform network traffic
analysis alongside other server functionalities.



NIDS typically utilizes network adapter promiscuous mode. This mode allows the
NIDS to capture all network traffic on the attached network segment, regardless of its
intended recipient. NIDS employs two main techniques for analyzing captured
network traffic data: signature-based detection and anomaly-based detection.

Host-Based Intrusion Detection System (HIDS): In contrast to NIDS, which focuses on network traffic analysis, HIDS provides security for individual devices (hosts) within the network. HIDS function as software agents deployed directly on the operating system of the host device itself. Their primary function is to monitor and analyze activity occurring on the host device. HIDS are deployed as software agents on individual servers, desktops, or laptops within the network. A single HIDS agent is typically installed on each host device for dedicated monitoring. HIDS collect data from various sources on the host device, including:
 System logs: These logs record events and activities within the operating system of the host device.
 File access attempts: HIDS monitor attempts to access files on the host device, including successful and failed attempts.
 Running processes: HIDS maintain a record of processes currently running on the host device.
HIDS primarily utilizes anomaly-based detection techniques. By analyzing the collected data, HIDS establishes baselines for typical host activity. Significant deviations from these baselines, such as unusual file access attempts or unexpected processes running, can indicate potential intrusions or suspicious behavior.
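As an added example, not from the course notes, the following Python engine implements the signature-based misuse detection described in this section for both sensor types: a network signature with a destination-port constraint, and a host signature that counts repeated failed logins from one source within a time window before alerting. The signature IDs and names, the event fields and every event in the stream are constructed; the alert record carries the timestamp, source address and signature name that the alert generation engine in 2.3 is described as producing.

```python
"""Signature-based (misuse) detection over network and host events
(added example, not from the course notes).

Both the events and the signature database are constructed. The engine
matches observed data against known attack patterns and raises an alert
carrying the timestamp, source address and signature name.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    source: str                  # "network" (NIDS sensor) or "host" (HIDS sensor)
    field: str                   # event field the pattern is matched against
    pattern: re.Pattern
    dport: Optional[int] = None  # optional destination-port constraint
    count: int = 1               # matches from one source needed within window
    window: int = 60             # seconds


@dataclass(frozen=True)
class Alert:
    ts: int
    sid: int
    name: str
    src: str


# Constructed signature database (hypothetical IDs and names).
SIGNATURES = [
    Signature(1001, "HTTP request for /etc/passwd", "network", "payload",
              re.compile(r"/etc/passwd"), dport=80),
    Signature(1002, "SSH brute force: 5 failed logins within 60 s", "host", "message",
              re.compile(r"Failed password for \S+ from \S+"), count=5, window=60),
]


def detect(events: List[Dict], signatures: List[Signature]) -> List[Alert]:
    """Run every event through every applicable signature.

    Stateless signatures alert on the first match. Threshold signatures
    (count > 1) keep a sliding window of match times per (signature, source)
    and alert once the window holds `count` matches, then reset so a single
    burst produces one alert rather than one per extra attempt."""
    alerts: List[Alert] = []
    recent: Dict[tuple, List[int]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for sig in signatures:
            if sig.source != ev["source"]:
                continue
            if sig.dport is not None and ev.get("dport") != sig.dport:
                continue
            if not sig.pattern.search(ev.get(sig.field, "")):
                continue
            hits = recent[(sig.sid, ev["src"])]
            hits.append(ev["ts"])
            hits[:] = [t for t in hits if ev["ts"] - t < sig.window]
            if len(hits) >= sig.count:
                alerts.append(Alert(ev["ts"], sig.sid, sig.name, ev["src"]))
                hits.clear()
    return alerts


def failed_login(ts: int, src: str) -> Dict:
    """Constructed HIDS event shaped like an sshd authentication log line."""
    return {"ts": ts, "source": "host", "src": src,
            "message": f"Failed password for admin from {src} port 51000 ssh2"}


# Constructed event stream (private and documentation address ranges).
EVENTS = [
    {"ts": 100, "source": "network", "src": "10.0.0.5", "dport": 80,
     "payload": "GET /index.html HTTP/1.1"},
    {"ts": 101, "source": "network", "src": "10.0.0.7", "dport": 80,
     "payload": "GET /cgi-bin/view?file=/etc/passwd HTTP/1.1"},
    {"ts": 102, "source": "network", "src": "10.0.0.7", "dport": 8080,
     "payload": "GET /etc/passwd HTTP/1.1"},              # port mismatch: no match
    *[failed_login(200 + i, "192.0.2.9") for i in range(5)],   # burst -> one alert
    *[failed_login(210 + i, "192.0.2.10") for i in range(3)],  # below threshold
    failed_login(300, "192.0.2.9"),                        # window expired: no alert
]

if __name__ == "__main__":
    for a in detect(EVENTS, SIGNATURES):
        print(a)
```

The port constraint and the counting window are the two places such an engine is usually tuned: the first narrows a content match to the protocol it belongs to, which cuts false alarms, and the second turns many individually harmless events into a single meaningful alert. Neither helps against traffic the signature database has never seen, which is the limitation the section's table lists under "limited to known threats".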



2.7 SPECIFICATION BASED – INTRUSION DETECTION IN MANETS

 Specification-based detection defines a set of constraints that describe the correct operation of a program or protocol, and monitors the execution of the program with respect to the defined constraints.
 This technique may provide the capability to detect previously unknown attacks, while exhibiting a low false positive rate.
 An offshoot of misuse and anomaly detection is compound detection, which is basically a misuse-inspired system that forms a compound decision in view of a model of both the normal behavior of the system and the intrusive behavior of the intruder.
 The detector operates by detecting the intrusion against the background of the normal traffic in the system. These detectors have a much better chance of correctly detecting truly interesting events in the supervised system, since they both know the patterns of intrusive behavior and can relate them to the normal behavior of the system. They would at the very least be able to qualify their decisions better.
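The following added example (not part of the course notes) shows what "constraints that describe the correct operation of a protocol" look like when written down and enforced. The monitored protocol is this example's own simplification of an on-demand route discovery (RREQ/RREP) exchange in the style of AODV; the three constraints, the message fields and the trace are assumptions chosen to illustrate the technique and are not taken from any protocol standard. The monitor runs on one node, hears every transmission in its radio range and reports any message that breaks the specification, without knowing anything about what an attack looks like.

```python
"""Specification-based monitor for a simplified on-demand route discovery
(added example, not from the course notes).

The protocol model is a simplification of an AODV-style RREQ/RREP exchange
and the constraints below are this example's assumptions. The monitor checks
each heard message against them and keeps only the state the constraints need.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Msg:
    kind: str                      # "RREQ" or "RREP"
    sender: str                    # neighbour whose transmission was heard
    orig: str                      # originator of the route request
    dst: str                       # requested destination
    rreq_id: int                   # request identifier chosen by the originator
    hop_count: int
    dst_seq: Optional[int] = None  # destination sequence number (RREP only)


Violation = Tuple[int, str, str]   # (message index, constraint id, detail)


class SpecMonitor:
    """Constraints (assumed for this example):
      C1  a RREP must answer a RREQ (same orig, dst, rreq_id) heard earlier
      C2  hop_count is 0 exactly when the transmitter is the message's first
          hop (the originator for RREQ, the destination for RREP), else >= 1
      C3  the destination sequence number advertised in a RREP never drops
          below a value already advertised for that destination
    Messages that violate the specification do not update the state, so a
    bad message cannot poison the monitor's view of the protocol."""

    def __init__(self) -> None:
        self.outstanding: Set[Tuple[str, str, int]] = set()
        self.known_seq: Dict[str, int] = {}

    def check(self, index: int, m: Msg) -> List[Violation]:
        v: List[Violation] = []
        first_hop = m.orig if m.kind == "RREQ" else m.dst
        if (m.sender == first_hop) != (m.hop_count == 0):
            v.append((index, "C2", f"{m.sender} sent {m.kind} with hop_count {m.hop_count}"))
        if m.kind == "RREP":
            key = (m.orig, m.dst, m.rreq_id)
            if key not in self.outstanding:
                v.append((index, "C1", f"unsolicited RREP for {key} from {m.sender}"))
            best = self.known_seq.get(m.dst)
            if best is not None and m.dst_seq is not None and m.dst_seq < best:
                v.append((index, "C3", f"dst_seq {m.dst_seq} < known {best} for {m.dst}"))
        if not v:
            if m.kind == "RREQ":
                self.outstanding.add((m.orig, m.dst, m.rreq_id))
            elif m.dst_seq is not None:
                self.known_seq[m.dst] = max(self.known_seq.get(m.dst, 0), m.dst_seq)
        return v


def run_monitor(trace: List[Msg]) -> List[Violation]:
    """Check a whole trace in order and collect every violation."""
    mon = SpecMonitor()
    out: List[Violation] = []
    for i, m in enumerate(trace, start=1):
        out.extend(mon.check(i, m))
    return out


# Constructed trace heard by the monitoring node. A, B, C are well-behaved
# neighbours; M is a node whose transmissions break the specification.
TRACE = [
    Msg("RREQ", sender="A", orig="A", dst="D", rreq_id=1, hop_count=0),
    Msg("RREQ", sender="B", orig="A", dst="D", rreq_id=1, hop_count=1),
    Msg("RREP", sender="C", orig="A", dst="D", rreq_id=1, hop_count=2, dst_seq=10),
    Msg("RREP", sender="M", orig="A", dst="E", rreq_id=7, hop_count=1, dst_seq=3),  # C1
    Msg("RREQ", sender="M", orig="A", dst="D", rreq_id=2, hop_count=0),             # C2
    Msg("RREQ", sender="A", orig="A", dst="D", rreq_id=3, hop_count=0),
    Msg("RREP", sender="M", orig="A", dst="D", rreq_id=3, hop_count=1, dst_seq=4),  # C3
]

if __name__ == "__main__":
    for index, cid, detail in run_monitor(TRACE):
        print(f"msg {index}: {cid} violated: {detail}")
```

This is where the low false-positive rate claimed above comes from: a well-behaved node cannot trip the monitor, because the constraints are derived from how the protocol must operate rather than from a statistical picture of traffic. The flip side, which the prose does not spell out, is that detection power is bounded by how complete the specification is; a misbehaving node whose messages stay inside all three constraints (for example a reply that is solicited, correctly hop-counted and freshly numbered but simply false) is invisible to this monitor and needs a different detection approach.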



2.8 DISTRIBUTED IDS AND MOBILE AGENTS

A DISTRIBUTED IDS

- In this model, an IDS agent runs at each mobile node, and performs local data collection and local detection, whereas cooperative detection and global intrusion response can be triggered when a node reports an anomaly.
Consider two attack scenarios separately:
• Abnormal updates to routing tables
• Detecting abnormal activities in layers other than the routing layer
- The internals of an IDS agent are structured into six pieces, as shown in Fig. 1. Each node does local intrusion detection independently, and neighboring nodes collaboratively work on a larger scale. Individual IDS agents placed on each and every node run independently and monitor local activities (including user, systems, and communication activities within the radio range), detect intrusions from local traces, and initiate responses. Neighboring IDS agents cooperatively participate in global intrusion detection actions when an anomaly is detected in local data or if there is inconclusive evidence.
- The data collection module gathers local audit traces and activity logs that are used by the local detection engine to detect local anomalies. Detection methods that need broader data sets or require collaboration among local IDS agents use the cooperative detection engine. Both the local and global response modules provide intrusion response actions.
- The local response module triggers actions local to this mobile node (e.g., an IDS agent alerting the local user), while the global one coordinates actions among neighboring nodes, such as the IDS agents in the network electing a remedial action. A secure communication module provides a high-confidence communication channel among IDS agents.



2.9 AODV PROTOCOL BASED IDS

 Ad hoc On-Demand Distance Vector (AODV) routing is specified in RFC 3561, an Experimental Protocol for the Internet community.
 AODV is one of the reactive routing protocols developed for MANETs: it builds routing table entries on demand. When a source node needs to establish a route to a destination node, it broadcasts a route request message (RREQ) to all its neighbors. Each intermediate node receiving an RREQ checks its routing table for the requested route; if it has a sufficiently fresh route it answers with a route reply (RREP), otherwise it records a reverse route to the source and rebroadcasts the RREQ.

- An intrusion detection and response model (IDRM) has been proposed to enhance security in the Ad Hoc On Demand Distance Vector (AODV) routing protocol.
- Figure 2 illustrates how the IDRM provides security to AODV. In this scheme, each node employs the IDRM, which uses neighborhood information to detect misbehavior of its neighbors.
- When the misbehavior count (Malcount) that a node keeps for a neighbor exceeds a predefined threshold, the information is sent out to other nodes as part of the global response. The other nodes receive this information, check their local Malcount for this malicious node, and add their results to the initiator's response. In the intrusion response model (IRM), a node identifies that another node has been compromised when its Malcount for that allegedly compromised node increases beyond the threshold value. In such cases, it propagates this information to the entire network by transmitting a special type of packet called a MAL packet. If another node also suspects that the detected node is compromised, it reports its suspicion to the network by transmitting another special type of packet called REMAL.
- If two or more nodes report about a particular node, another special packet, called a PURGE packet, is transmitted to isolate the malicious node from the network. All nodes that have a route through the compromised node look for newer routes. All packets received from a compromised node are dropped.
- Some of the internal attacks include distributed false route request, DoS, impersonation, and compromise of a destination. The model identifies these internal attacks in the following ways:

1. Distributed false route request: A malicious node might send frequent unnecessary route requests. When the nodes in the network receive more route requests from a specific source for a destination than a threshold count in a particular time interval, the source node is declared malicious.
2. Denial of service: A malicious node launches a DoS attack by transmitting false control packets and consuming the network resources. DoS can be launched by transmitting false routing messages or data packets. It is identified when a node generates more control packets than the threshold count in a particular time interval.
3. Destination is compromised: This attack is identified when the source does not receive a reply from the destination within a particular time interval. The neighbors then generate probe/hello packets to determine connectivity.
4. Impersonation: It can be avoided if the sender signs each packet with its private key (the notes describe this as encrypting with the private key) and other nodes verify the signature with the sender's public key. If the receiver cannot verify the packet, the sender might not be the real source, so the packet is dropped. This presupposes that every node holds an authentic copy of each sender's public key, which a MANET must itself provide through some key-distribution mechanism.
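The following simulation is an added example, not code from the notes or from the IDRM authors; it shows how rule 1 (a sliding-window rate check on RREQs) feeds a per-neighbor Malcount and how the MAL, REMAL and PURGE exchange then isolates the flooding node network-wide, including at a node that never overheard the flood. Threshold values, the single-hop broadcast medium, the node names and the packet tuples are assumptions made for the example.

```python
from collections import defaultdict, deque

# Assumed parameters (the notes specify thresholds but give no values)
RREQ_THRESHOLD = 5        # more than 5 RREQs from one source for one destination ...
RREQ_WINDOW = 1.0         # ... within any 1-second window triggers rule 1
MALCOUNT_THRESHOLD = 2    # Malcount above this makes a node send a MAL packet


class RateDetector:
    """Sliding-window counter behind rules 1 and 2: True when more than
    `threshold` events for `key` fall inside the last `window` seconds."""

    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self.events = defaultdict(deque)

    def observe(self, key, t):
        q = self.events[key]
        q.append(t)
        while q and q[0] <= t - self.window:   # expire events outside the window
            q.popleft()
        return len(q) > self.threshold


class Network:
    """Single-hop broadcast medium: every IDRM node hears every MAL/REMAL/PURGE
    packet (an assumption that stands in for network-wide flooding)."""

    def __init__(self):
        self.nodes = {}

    def broadcast(self, sender, pkt):
        for n in self.nodes.values():
            if n.id != sender.id:
                n.receive(sender.id, pkt)


class IDRMNode:
    def __init__(self, node_id, net, routes):
        self.id, self.net = node_id, net
        self.routes = dict(routes)                   # destination -> next hop
        self.rreq_rate = RateDetector(RREQ_THRESHOLD, RREQ_WINDOW)
        self.malcount = defaultdict(int)             # neighbour -> misbehaviour count
        self.reporters = defaultdict(set)            # suspect -> nodes that reported it
        self.purged = set()
        net.nodes[node_id] = self

    # ---- local detection: rule 1 (distributed false route request) ----
    def hear_rreq(self, src, dst, t):
        if src not in self.purged and self.rreq_rate.observe((src, dst), t):
            self.note_misbehavior(src)

    def note_misbehavior(self, suspect):
        self.malcount[suspect] += 1
        if self.malcount[suspect] > MALCOUNT_THRESHOLD and self.id not in self.reporters[suspect]:
            self.reporters[suspect].add(self.id)
            self.net.broadcast(self, ("MAL", suspect))     # initiate global response

    # ---- global response: MAL -> REMAL -> PURGE ----
    def receive(self, sender, pkt):
        kind, suspect = pkt
        if suspect in self.purged:
            return                                         # already isolated
        if kind == "PURGE":
            self.purge(suspect)
            return
        self.reporters[suspect].add(sender)                # MAL or REMAL
        if kind == "MAL" and self.malcount[suspect] > 0 and self.id not in self.reporters[suspect]:
            self.reporters[suspect].add(self.id)           # own Malcount corroborates
            self.net.broadcast(self, ("REMAL", suspect))
        if suspect not in self.purged and len(self.reporters[suspect]) >= 2:
            self.purge(suspect)                            # two or more reporters
            self.net.broadcast(self, ("PURGE", suspect))

    def purge(self, suspect):
        self.purged.add(suspect)
        # routes through the purged node are discarded; AODV rediscovers them
        self.routes = {d: nh for d, nh in self.routes.items() if nh != suspect}

    def accept(self, src):
        """Data-plane rule: packets from a purged node are dropped."""
        return src not in self.purged


def run_scenario():
    """Constructed scenario: M floods RREQs for D; A and B overhear, C does not."""
    net = Network()
    a = IDRMNode("A", net, {"D": "M"})
    b = IDRMNode("B", net, {"D": "N"})
    IDRMNode("C", net, {"D": "M", "E": "B"})
    for i in range(8):                   # 8 RREQs in 0.8 s, well above the rate limit
        a.hear_rreq("M", "D", i * 0.1)
        b.hear_rreq("M", "D", i * 0.1)
    return net


if __name__ == "__main__":
    for n in run_scenario().nodes.values():
        print(n.id, "purged:", sorted(n.purged), "routes:", n.routes)
```

Node C has a Malcount of zero for M and still ends up isolating it and dropping its route through M, which is the point of the global response: detection is local, but the PURGE decision is taken on two or more independent reports. The weak spot is equally visible: two colluding nodes sending MAL and REMAL about an honest neighbor are enough to trigger a PURGE, which is the false-accusation problem the notes raise again under the watchdog approach.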

2.10 INTRUSION RESISTANT ROUTING ALGORITHMS

Techniques for Intrusion-Resistant Ad Hoc Routing Algorithms (TIARA) is a set of design techniques that strengthen MANETs against DoS attacks. The TIARA mechanisms limit the damage sustained by MANETs from intrusion attacks and allow continued network operation at an acceptable level during such attacks. It provides protection against attacks on routing control traffic as well as data traffic, thereby providing a comprehensive defense against intruders. Because it is independent of the routing algorithm, it allows widespread applicability and supports secure enclaves for dynamic coalitions. Research efforts at Architecture Technology Corporation are aimed at demonstrating a set of innovative design techniques, collectively called TIARA, that secure ad hoc networks against DoS attacks.

The TIARA approach involves fully distributed lightweight firewalls for ad hoc wireless networks, distributed traffic policing mechanisms, intrusion-tolerant routing, distributed intrusion detection mechanisms, flow monitoring, reconfiguration mechanisms, multipath routing, and source-initiated route switching. The flow-based route access control (FRAC) rules define admissible flows. A per-flow security association is instantiated by a secure session setup signaling protocol and contains the information needed for packet authentication. Fast authentication enables low-overhead integrity checks on packet flow-ids and sequence numbers. Referral-based resource allocation limits the network's exposure to resource usurpation by spurious sessions: flows are assigned an initial allowable resource usage, and additional resources are granted only if the source of the flow can present referrals from a certain number of trusted nodes. Referrals have time-bound validity. Flow-specific sequence numbers limit and contain the impact of traffic replay attacks; the sequence numbers are embedded at secret locations within each packet. The destination of a flow monitors selected flow parameters to detect intrusion-induced path failures, and multipath routing and source-initiated route switching divert the flow through available alternate paths to circumvent intruders. Efforts are on to implement dynamic on-the-fly modifications to FRAC (firewall) policies, real-time referral-based resource allocation, lightweight implementation of traffic policing, fast authentication mechanisms resistant to traffic analysis, and embedding of sequence numbers and path labels in encrypted packets. Although the proposed architecture seems to cover most of the important aspects of intrusion detection and prevention in MANETs, implementing such a design methodology entails extensive modification of the routing algorithms in a MANET. A summary of the countermeasures used in TIARA against intrusion attacks is shown in Table 1.
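To make the FRAC, referral and sequence-number ideas concrete, here is an added illustrative model written for these notes; it is not TIARA's own code and does not reproduce its packet formats. A flow is admitted only if it matches a FRAC rule, gets an initial packet quota, can raise that quota only by presenting enough unexpired referrals from trusted nodes, and has every packet checked with a short keyed tag over its flow-id and sequence number plus a sliding anti-replay window. The flow-id string, the HMAC-SHA-256 tag, the quota and window sizes, and the `Referral` record are all assumptions for the example.

```python
import hashlib
import hmac
from collections import namedtuple

Referral = namedtuple("Referral", "referrer flow_id expires")   # time-bound referral


class FlowAdmission:
    """Illustrative model of three TIARA ideas from the notes. Parameter values
    and the flow-id/tag formats are assumptions, not TIARA's actual wire format."""

    def __init__(self, frac_rules, trusted, key, initial_quota=10,
                 referrals_needed=2, window=32):
        self.frac_rules = set(frac_rules)     # admissible (src, dst, proto) triples
        self.trusted = set(trusted)           # nodes whose referrals count
        self.key = key                        # key from the (assumed) secure session setup
        self.initial_quota = initial_quota    # initial allowable resource usage (packets)
        self.referrals_needed = referrals_needed
        self.window = window                  # anti-replay window in sequence numbers
        self.quota = {}                       # flow_id -> packets the flow may still send
        self.seq_state = {}                   # flow_id -> (highest seq accepted, recent seqs)

    # FRAC: only flows matching a rule get a security association
    def setup_flow(self, src, dst, proto):
        if (src, dst, proto) not in self.frac_rules:
            return None
        flow_id = f"{src}->{dst}/{proto}"
        self.quota[flow_id] = self.initial_quota
        self.seq_state[flow_id] = (0, set())
        return flow_id

    # Fast authentication: short keyed tag over flow-id and sequence number
    def tag(self, flow_id, seq):
        return hmac.new(self.key, f"{flow_id}:{seq}".encode(), hashlib.sha256).digest()[:8]

    # Referral-based allocation: more resources only with enough fresh, trusted referrals
    def request_resources(self, flow_id, referrals, now, extra):
        if flow_id not in self.quota:
            return False
        valid = {r.referrer for r in referrals
                 if r.flow_id == flow_id and r.referrer in self.trusted and r.expires > now}
        if len(valid) < self.referrals_needed:     # distinct trusted referrers
            return False
        self.quota[flow_id] += extra
        return True

    # Per-packet checks: association, tag, replay window, then quota
    def accept_packet(self, flow_id, seq, tag):
        if flow_id not in self.quota:
            return "no-flow"
        if not hmac.compare_digest(tag, self.tag(flow_id, seq)):
            return "bad-tag"
        highest, seen = self.seq_state[flow_id]
        if seq <= highest - self.window or seq in seen:
            return "replay"
        if self.quota[flow_id] <= 0:
            return "quota"
        seen.add(seq)
        highest = max(highest, seq)
        self.seq_state[flow_id] = (highest, {s for s in seen if s > highest - self.window})
        self.quota[flow_id] -= 1
        return "ok"
```

The order of the checks matters: the tag is verified before any state is touched, so a forged packet cannot consume quota or advance the replay window, and a replayed packet with a valid tag is rejected before it is charged to the flow. The referral check deduplicates by referrer, so one trusted node cannot vouch twice to reach the required count.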



WATCHDOG-PATHRATER APPROACH
- Watchdog and pathrater are two techniques that improve throughput in MANETs in the presence of compromised nodes that agree to forward packets but fail to do so. A node may misbehave because it is overloaded, selfish, malicious, or broken. An overloaded node lacks the CPU cycles, buffer space, or available network bandwidth to forward packets. A selfish node is unwilling to spend battery life, CPU cycles, or available network bandwidth to forward packets not of direct interest to it, even though it expects others to forward packets on its behalf. A malicious node launches a DoS attack by dropping packets. A broken node might have a software fault that prevents it from forwarding packets.
- To mitigate the decrease in throughput due to the above node categories, the authors use watchdogs that identify misbehaving nodes and a pathrater that helps routing protocols avoid these nodes. When a node forwards a packet, the node's watchdog verifies that the next node in the path also forwards the packet. The watchdog does this by listening promiscuously to the next node's transmissions. If the next node does not forward the packet, it is misbehaving.
The watchdog detects misbehaving nodes. Every time a node fails to forward a packet, the watchdog increments a failure tally for it. If the tally exceeds a certain threshold, the watchdog determines that the node is misbehaving; this node is then avoided using the pathrater. The pathrater, run by each node in the network, combines knowledge of misbehaving nodes with link reliability data to pick the route most likely to be reliable. Each node maintains a rating for every other node it knows about in the network. It calculates a path metric by averaging the node ratings in the path.
The watchdog technique has its own advantages and weaknesses.
 Dynamic source routing (DSR) with the watchdog has the advantage that it can detect misbehavior at the forwarding level, not just at the link level.
 Watchdog's weaknesses are that it might not detect a misbehaving node in the presence of:
• Ambiguous collisions: These prevent node A from overhearing the transmission from node B, as shown in Fig. 3.



• Receiver collisions: Node A can only tell whether B has sent a packet, not whether node C received it, as shown in Fig. 4.
• Limited transmission power: A misbehaving node could limit its transmission power such that the signal is strong enough to be overheard by the previous node but too weak to be received by the true recipient.
• False misbehavior: This occurs when a node falsely reports other nodes as misbehaving.
• Partial dropping: A node can circumvent the watchdog by dropping packets at a lower rate than the watchdog's configured minimum misbehaving threshold.
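The following is an added example written for these notes, not the watchdog/pathrater authors' implementation. It models the watchdog as a table of packets handed to a next hop that must be overheard again before a deadline, keeps a failure tally per neighbor over a window of recent packets, and lets the pathrater rank candidate routes by the average rating of their relays. The second scenario in the driver shows the partial-dropping weakness from the list above: a relay that drops 10% of packets stays below the assumed threshold and is never avoided. The timeout, window, threshold, initial rating and penalty values, the node names and the candidate paths are assumptions.

```python
from collections import defaultdict, deque

# Assumed parameters; the notes mention a tally threshold but give no values
WATCHDOG_TIMEOUT = 0.5       # seconds to wait to overhear the next hop retransmit
WATCHDOG_WINDOW = 40         # outcomes remembered per neighbour
WATCHDOG_THRESHOLD = 5       # more failures than this in the window => misbehaving
MISBEHAVING_RATING = -100.0  # pathrater penalty; any path through such a node loses


class Watchdog:
    def __init__(self):
        self.pending = {}                                   # (next_hop, pkt_id) -> deadline
        self.history = defaultdict(lambda: deque(maxlen=WATCHDOG_WINDOW))
        self.misbehaving = set()

    def handed_to(self, next_hop, pkt_id, now):
        """We transmitted pkt_id; next_hop is expected to forward it."""
        self.pending[(next_hop, pkt_id)] = now + WATCHDOG_TIMEOUT

    def overheard(self, node, pkt_id):
        """Promiscuous-mode receive: `node` retransmitted pkt_id, so it did forward."""
        if self.pending.pop((node, pkt_id), None) is not None:
            self.history[node].append(True)

    def tick(self, now):
        """Any packet not overheard by its deadline counts as a forwarding failure."""
        for key in [k for k, deadline in self.pending.items() if deadline <= now]:
            del self.pending[key]
            nh = key[0]
            self.history[nh].append(False)
            if self.failures(nh) > WATCHDOG_THRESHOLD:
                self.misbehaving.add(nh)

    def failures(self, node):
        return sum(1 for forwarded in self.history[node] if not forwarded)


class Pathrater:
    def __init__(self, watchdog):
        self.watchdog = watchdog
        self.ratings = defaultdict(lambda: 0.5)             # assumed neutral start

    def rating(self, node):
        return MISBEHAVING_RATING if node in self.watchdog.misbehaving else self.ratings[node]

    def path_metric(self, path):
        relays = path[1:-1]                                 # only intermediate nodes relay
        return sum(self.rating(n) for n in relays) / len(relays) if relays else 1.0

    def choose(self, paths):
        return max(paths, key=self.path_metric)


def simulate(drops, n_packets=40):
    """Hand n_packets to relay B; drops(i) says whether B silently drops packet i.
    Constructed scenario: one packet every 0.1 s, the watchdog ticks after each."""
    wd = Watchdog()
    now = 0.0
    for i in range(n_packets):
        wd.handed_to("B", i, now)
        if not drops(i):
            wd.overheard("B", i)      # B retransmits and we hear it
        now += 0.1
        wd.tick(now)
    wd.tick(now + WATCHDOG_TIMEOUT)   # flush outstanding deadlines
    return wd


def pick_route(wd):
    """Pathrater chooses between a 2-hop path via B and a 3-hop path around it."""
    return Pathrater(wd).choose([["S", "B", "D"], ["S", "C", "E", "D"]])


if __name__ == "__main__":
    full = simulate(lambda i: True)            # malicious/broken: drops everything
    partial = simulate(lambda i: i % 10 == 9)  # drops 10%, below the threshold rate
    print("full dropper caught:", "B" in full.misbehaving, pick_route(full))
    print("partial dropper caught:", "B" in partial.misbehaving, pick_route(partial))
```

The model also makes two other weaknesses from the list easy to see: `overheard` is driven purely by what the local radio hears, so a neighbor transmitting with just enough power to reach the watchdog (limited transmission power) or a frame lost at the true receiver (receiver collision) both count as successes; and a node can only lower the threshold so far before honest relays that lose a few frames to collisions start being rated as misbehaving.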



2.11 COMPARISON OF IDS

