3. the problem statement - shodhgangashodhganga.inflibnet.ac.in/bitstream/10603/48102/12/12_chapter...


Performance Study of An Ad hoc Network

under Malicious Node Attack

Deptt. of ECE, NERIST Page 53

3. The Problem Statement

The performance and use of wireless technologies have increased tremendously, opening up avenues for application in less explored areas. MANET is one important field of concern, in which the mobile nodes organize themselves into a network without the help of any predefined infrastructure. Securing MANETs is an important part of deploying and utilizing them, since MANETs are used in critical applications where data and communication integrity is important. Existing solutions for wireless networks can be used to obtain a certain level of such security. Nevertheless, these solutions may not always be sufficient, as ad hoc networks have their own vulnerabilities which cannot be addressed by these solutions. To obtain an acceptable level of security in such a context, a security solution should be coupled with an intrusion detection mechanism. A quantitative method is proposed to detect intrusion in MANETs with mobile nodes. This is a behavioural anomaly based system, which makes it dynamic, scalable, configurable and robust. We have used the Ad hoc On-demand Distance Vector (AODV) routing protocol to verify our method by running simulations with mobile nodes. We have observed that, by using this method, we can achieve a high malicious node detection rate and a low false positive detection rate.

Designing an intrusion detection system for mobile ad hoc networks is very challenging. The very nature of a wireless network, i.e. the lack of fixed infrastructure, makes it difficult to collect audit data for the network. The limited resources of the wireless network are vital parameters that need to be considered while designing the IDS framework. Sometimes it is very difficult to differentiate between false alarms and true positives.

Our objective is to design an efficient mechanism for an intrusion detection system in the mobile ad hoc environment. We have divided the problem into the following major issues.

Statistical security features are required to be considered while designing the detection engines.

The designed intrusion detection system should have low overhead for the system.

Once the intrusion detection system is designed, its performance is to be evaluated and the proposed work validated.

Proposed Methodology

Our Aim: To compare the effects of normal AODV, Black Hole Attack and Gray Hole Attack in terms of Network Throughput, Average Packets Dropped and End-to-End Delay in MANET, and to find the performance of the ad hoc network by changing different network parameters. We have used NS-2 to simulate the Black Hole and Gray Hole attacks. Then we compared the results of the AODV routing protocol with and without Black Hole and Gray Hole Attacks. We implement a security method, using AODV, as a countermeasure to Black Hole and Gray Hole attacks. Thus, we studied and compared the performance of the network before and after introducing the detection method to minimize the effect of the attacks.

Planned Work:

Realisation of AODV: This section mainly deals with the implementation of our scenarios by manipulating the AODV routing protocol; performance metrics are evaluated based on different parameters.

Realisation of Black Hole and Gray Hole Attack: In this module, the implementation of the attacks in MANETs and their consequences are taken into consideration.

Realisation of Security Method for Black Hole and Gray Hole Attack: In this segment, a security method is proposed which focuses on minimizing the effect of Black Hole and Gray Hole Attack in MANET and provides safety to the ad hoc network.

To evaluate the performance of the MANET Intrusion Detection System and validate the work.

3.1. The AODV Communication Mechanisms

AODV is an ad hoc IP routing protocol that supports unicast, broadcast and multicast. The routing decisions are made using distance vectors. The multicast operation of the protocol enables nodes that are not part of any multicast group to participate in forwarding the data and signal packets.

Unicast Routing

The simplest routing over the internet is static routing, in which the shortest route in terms of number of hops is chosen and used throughout the connection. In contrast to static routing, the internet can find an alternative route once it discovers that a route is disconnected. This option is used in ns by adding the command

$ns rtproto AODV

NS can simulate noisy links or even links that become disconnected. To simulate a disconnection of the link between nodes $n1 and $n4 from time 1 to 4.5, for example, we should type

$ns rtmodel-at 1.0 down $n1 $n4
$ns rtmodel-at 4.5 up $n1 $n4

Figure 3.1: A routing example

We now consider the network depicted in Figure 3.1. This has two alternative routes between the source node 0 and the destination node 5.

The default static routing used by ns will choose the route 0-1-4-5 for setting up connections.

Multicast routing

There may be several multicast groups of members, and the groups may overlap in multicasting. In IP multicast, a receiver must request membership in a multicast group, whereas a sender can send without first joining a group. Senders do not receive feedback from the network about the receivers in IP multicast routing. Not all the nodes in the network may be able to handle multicast. In NS we can declare the nodes with multicast capabilities.

Multicast requires enhancements to the nodes and links of the network; NS therefore has specific requirements from the simulator class before creating the topology. We thus begin with the special commands

set ns [new Simulator]
$ns multicast

A source will stop sending packets completely if there are no connected receivers in that group; it will resume sending packets when a receiver connects.

An example of a multicast configuration with a six node network is depicted in Figure 3.2.

Figure 3.2: A multicast routing example

Broadcast routing

Broadcast is the term used to describe communication where a piece of information is sent from one point to all other points. In this case, there is just one sender, but the information is sent to all connected receivers.

Broadcast transmission is supported on most LANs (e.g. Ethernet), and may be used to send the same message to all computers on the LAN (e.g. the Address Resolution Protocol (ARP) uses this to send an address resolution query to all computers on a LAN). Network layer protocols (such as IPv4) also support a form of broadcast that allows the same packet to be sent to every system in a logical network (in IPv4 this consists of the IP network ID and an all 1's host number).

The Broadcast Storm

A MANET consists of a set of Mobile Hosts (MHs) that may communicate with one another from time to time
No base stations are present
Each host is equipped with a CSMA/CA transceiver
Transmission of a message to all other MHs is required
The broadcast is spontaneous
Due to Mobile Host mobility and lack of synchronization, any kind of global topology knowledge is prohibitive
Little or no local information may be collected in advance
The broadcast is frequently unreliable
Acknowledgement mechanism is rarely used
Distribute a broadcast message to as many Mobile Hosts as possible without putting in too much effort
A Mobile Host may miss a broadcast message because it is off-line, it is temporarily isolated from the network, or it experiences repetitive collisions

Broadcast
o Acknowledgements may cause serious medium contention
o In many applications 100% reliable broadcast is unnecessary
o Mobile Host can detect duplicate broadcast messages
o If flooding is used blindly, many redundant messages will be sent and serious contention/collision will be incurred

Redundant rebroadcasts
o When a Mobile Host decides to rebroadcast, all its neighbors may already have the message

Contention
o Transmissions from neighbors may severely contend with each other

Collision
o Due to absence of collision detection, collisions are more likely to occur and cause more damage

Example (simple flooding)

Figure 3.3: A simple flooding example

3.2. Implementing attacks on AODV routing Protocol

Black Hole Attack

MANETs face various security threats in which the traffic is redirected to a node that actually does not exist in the network. The Black Hole attack disturbs the routing protocol by misleading other nodes about the routing information. In a Black Hole attack, a malicious node uses its routing protocol to advertise itself as having the shortest path to the destination node or to the packet it wants to intercept. This destructive node advertises its availability of new routes without checking its routing table. Thus the attacker node is always available to reply to the route request, and thereby intercepts the data packet and retains it [10]. In a flooding based protocol, the malicious node's reply will be received by the requesting node before the reply of the actual node. Hence a malicious and forged route is created. Once this route is established, the node will either drop all the packets or forward them to an unknown address [11].

The malicious drop rate is defined as the ratio of the number of dropped packets to the number of received packets. The malicious drop rate of a Black Hole is 100 %.

The Black Hole attack has two properties:

The node exploits the mobile ad hoc routing protocol, such as AODV, to intercept packets. It advertises a valid route to a target node, even though the route is false.

The attacker consumes the intercepted packets without forwarding them.

However, there is a risk that neighbouring nodes may monitor and expose the ongoing attacks. Alternatively, an attacker may suppress or modify packets originating from some nodes, leaving the data from the other nodes unchanged. This limits the suspicion of its wrongdoing.

The adversary selectively drops only data packets, but still participates in the routing protocol correctly.

The damage is directly related to the likelihood of an adversary being selected as part of the route.

Black Hole Attack Mitigation

o A node can overhear its neighboring nodes forwarding packets to other destinations
o Local monitoring can detect:
o Packet forge: An outgoing packet that has no corresponding incoming packet
o Packet modification: Difference between the incoming and outgoing packet fields
o Intentional packet delay: A packet was forwarded after a threshold time instead of immediately
o Average Packets Dropped: Packets were not forwarded within a maximum acceptable timeout threshold.

Missed detection: In Figure 3.3 shown below, a malicious event goes undetected at guard G because:
A collision occurs at G when the malicious node S transmits

False detection: A normal event is classified by a guard G as a malicious event because:
A collision occurs at G when the sender S transmits a packet
A collision occurs at G when the monitored node D forwards the packet

o Does not work when power control and multi-rate are used
o Also vulnerable to attacks from two consecutive colluding adversaries

Secure Data Transmission (SDT)
o Uses end-to-end acknowledgements from destination
o Disseminates a packet across several node-disjoint paths
o Good for well connected networks
o Bad for sparsely connected networks
o Protection of node-disjoint path discovery is not fully achieved against colluding adversaries
o Also vulnerable to flood rushing attacks
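The local-monitoring checks listed above, written out as a guard that pairs the frames it overhears going into and out of one monitored neighbour. This is an added example, not code from the thesis; the Overheard record, the packet identifiers, the thresholds and the sample observations are constructed assumptions. It also replays the collision cases to show how they lead to the missed and false detections named in the list.

```python
"""Local-monitoring guard for one monitored neighbour (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Overheard:
    t: float        # time at which the guard overheard the frame
    kind: str       # "in": frame sent to the monitored node, "out": sent by it
    pkt_id: int     # hypothetical identifier used to pair "in" with "out"
    fields: tuple   # packet fields the guard compares for modification


def guard_verdicts(events, delay_threshold, drop_timeout, now):
    """Return {pkt_id: verdict} using the four local-monitoring checks."""
    pending, verdicts = {}, {}
    for e in sorted(events, key=lambda e: e.t):
        if e.kind == "in":
            pending[e.pkt_id] = e
            continue
        seen = pending.pop(e.pkt_id, None)
        if seen is None:
            verdicts[e.pkt_id] = "forge"         # outgoing, no incoming
        elif e.fields != seen.fields:
            verdicts[e.pkt_id] = "modification"  # incoming/outgoing fields differ
        elif e.t - seen.t > drop_timeout:
            verdicts[e.pkt_id] = "drop"          # not forwarded within the timeout
        elif e.t - seen.t > delay_threshold:
            verdicts[e.pkt_id] = "delay"         # held back before forwarding
        else:
            verdicts[e.pkt_id] = "ok"
    for pkt_id, seen in pending.items():
        # Never forwarded: counted as a drop once the timeout has expired.
        verdicts[pkt_id] = "drop" if now - seen.t > drop_timeout else "pending"
    return verdicts


def heard_by_guard(events, collided):
    """Remove the frames the guard lost to collisions.

    collided is a set of (kind, pkt_id) pairs the guard could not decode.
    """
    return [e for e in events if (e.kind, e.pkt_id) not in collided]


# Constructed observations (times in seconds) of what really happened on air.
HDR = ("S", "D", 30)
OBSERVED = [
    Overheard(0.00, "in", 1, HDR), Overheard(0.01, "out", 1, HDR),   # honest
    Overheard(0.10, "in", 2, HDR), Overheard(0.40, "out", 2, HDR),   # delayed
    Overheard(0.20, "in", 3, HDR),
    Overheard(0.21, "out", 3, ("S", "X", 30)),                       # modified
    Overheard(0.30, "in", 4, HDR),                                   # dropped
    Overheard(0.50, "out", 5, HDR),                                  # forged
    Overheard(0.60, "in", 6, HDR), Overheard(0.61, "out", 6, HDR),   # honest
]

if __name__ == "__main__":
    args = dict(delay_threshold=0.05, drop_timeout=1.0, now=5.0)
    print("clean channel:       ", guard_verdicts(OBSERVED, **args))
    # Collision at the guard while the monitored node forwards packet 6:
    # an honest forward is reported as a drop (false detection).
    print("lost forward of 6:   ",
          guard_verdicts(heard_by_guard(OBSERVED, {("out", 6)}), **args))
    # Collision at the guard while the forged packet 5 is transmitted:
    # the malicious event leaves no verdict at all (missed detection).
    print("lost forged packet 5:",
          guard_verdicts(heard_by_guard(OBSERVED, {("out", 5)}), **args))
```
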

When a node requires a route to a destination, it initiates a route discovery process within the network. The intruder sends fake RREP packets. An inside attacker may forge a RREP message as a fresh route to the destination node after receiving a RREQ message in AODV routing. The attacker then forges a fake RREP message by increasing the destination sequence number. This is to suppress the other RREP messages that the source node may receive from the other nodes.

The attacker disrupts the route between the victim nodes and a given destination, or inserts itself between them by suppressing the other alternative routes. These nodes are the Black Hole nodes. After receiving a RREQ message from a node, an inside attacker will instantly send a false RREP message with a modified, high sequence number. The source node will assume that there is a new route available towards the destination. The source node ignores the RREP packets from the other nodes, including the correct ones, and starts sending packets towards the malicious node. The malicious node then draws all the routes towards itself and does not forward the packets anywhere. This type of attack happens frequently and is hard to find, so a detection technique has to be used to counter it. This attack is called a Black Hole attack because it swallows all the data.

Gray Hole Attack

A variation of the Black Hole Attack is the Gray Hole Attack, in which the nodes drop packets selectively. The selective forwarding attack is of two types:

Dropping all the UDP packets and forwarding the TCP packets.

Dropping 50% of the packets or dropping them with a probabilistic distribution. These are attacks that seek to disrupt the network without being detected by the security system.

A Gray Hole is a node that can switch from behaving correctly to behaving like a Black Hole; it is actually an attacker, but acts as a normal node. Hence it is difficult to identify the attacker. Every node maintains a routing table that stores the next hop node information for a route to the destination node. If a source node needs to route a packet to a destination node, it checks its routing table for an available route and uses it. If a node initiates a route discovery process by broadcasting a Route Request (RREQ) message to its neighbors, the intermediate nodes update their routing tables with the reverse route to the source on receiving the route request message. A Route Reply (RREP) message is sent back to the source node when the RREQ query reaches either the destination node or any other node which has a current route to the destination. The Gray Hole Attack has two phases.

A malicious node exploits the AODV protocol to advertise itself as having a valid route to the destination node, with the intention of intercepting packets over the spurious route.

The node drops the intercepted packets with a certain probability, and detection of Gray Hole attacks is a difficult process. Normally, in Gray Hole attacks, the attacker behaves maliciously for the time until the packets are dropped and then switches back to normal behavior [12]. The normal nodes and the attacker look the same. Due to this behavior it is very difficult to figure out such attacks in the network. The other popular name of the Gray Hole attack is the misbehaving attack [13].

In this type of attack, the attacker misleads the network by agreeing to forward packets in the network. The attacker drops the packets as soon as it receives them from the neighbouring node. This is an active attack in which the attacker node behaves normally in the beginning and replies with true RREP messages to the nodes that sent the RREQ messages. Once it receives the packets, it starts dropping them and thereby launches a Denial-of-Service (DoS) attack. The malicious activity may vary.

A Gray Hole does not drop all the data packets but only part of them. The Gray Magnitude is defined as the percentage of the packets which are maliciously dropped by an attacker. For example, a Gray Hole with a gray magnitude of 60 percent will drop a data packet with a probability of 60 percent.

The main criterion for identification of a malicious node is the estimated percentage of Average Packets Dropped, which is compared against a pre-established misbehaviour threshold. Any node dropping more packets than this threshold is said to be misbehaving. Those nodes whose percentage of dropped packets is below the threshold are said to be behaving properly. In a Gray Hole attack, the nodes either drop packets selectively, for example dropping all UDP packets while forwarding TCP packets, or drop packets in a statistical manner, for example dropping 50 percent of the packets or dropping them with a probabilistic distribution. A Gray Hole attack may be caused by a node that is deliberately malicious or by a damaged node interface. Hence, if proper security measures are not taken to detect such attacks, the operation of the network will be disrupted.
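The threshold test described above, applied to routing-layer trace records: each forwarding node's drop rate (dropped over received data packets) is computed and compared with the misbehaviour threshold. This is an added example, not code from the thesis; the sample lines are constructed in the style of the NS-2 wireless trace format, and the 20 percent threshold and the function names are assumptions.

```python
"""Drop-rate threshold check over a routing-layer trace (added example)."""
import re
from collections import defaultdict

# event, time, _node_, layer, reason/flags, packet id, packet type, size,
# ..., [src:port dst:port ttl nexthop]
RECORD = re.compile(
    r"^(?P<ev>[srfD])\s+(?P<time>[\d.]+)\s+_(?P<node>\d+)_\s+(?P<layer>\w+)\s+"
    r"(?P<why>\S+)\s+(?P<pid>\d+)\s+(?P<ptype>\w+)\s+\d+\s+.*?"
    r"\[(?P<src>\d+):\d+\s+(?P<dst>\d+):\d+\s"
)
DATA_TYPES = {"cbr", "tcp"}   # data traffic; AODV control packets are ignored


def drop_rates(lines):
    """Return {node: (received, dropped, rate)} for the data packets a node
    was asked to forward (it is neither their IP source nor destination)."""
    received, dropped = defaultdict(set), defaultdict(set)
    for line in lines:
        m = RECORD.match(line)
        if not m or m["layer"] != "RTR" or m["ptype"] not in DATA_TYPES:
            continue
        node = int(m["node"])
        if node in (int(m["src"]), int(m["dst"])):
            continue
        if m["ev"] == "r":
            received[node].add(m["pid"])
        elif m["ev"] == "D":
            dropped[node].add(m["pid"])
    rates = {}
    for node, rx in received.items():
        lost = len(dropped[node] & rx)
        rates[node] = (len(rx), lost, lost / len(rx))
    return rates


def classify_nodes(rates, threshold):
    """Nodes above the threshold are misbehaving; a 100 % drop rate is the
    Black Hole case, anything in between is treated as a Gray Hole."""
    verdicts = {}
    for node, (_, _, rate) in rates.items():
        if rate <= threshold:
            verdicts[node] = "normal"
        elif rate == 1.0:
            verdicts[node] = "black hole"
        else:
            verdicts[node] = "gray hole"
    return verdicts


def sample_trace():
    """Constructed trace: source 0, destination 5, forwarders 1 to 4, each
    carrying its own 10 data packets. Node 2 drops all of them, node 3 drops
    6 of 10, node 4 loses 1 of 10, node 1 forwards everything."""
    fmt = ("{ev} {t:.4f} _{n}_ RTR  {why} {pid} {pt} 512 "
           "[0 0 0 0] ------- [0:0 5:0 30 0]")
    drops = {1: set(), 2: set(range(10)), 3: {0, 2, 3, 5, 7, 8}, 4: {9}}
    # One control packet, to show that routing traffic is not counted.
    lines = [fmt.format(ev="r", t=0.5, n=2, why="---", pid=900, pt="AODV")]
    for n, lost in drops.items():
        for k in range(10):
            pid, t = n * 100 + k, 1.0 + k / 10
            lines.append(fmt.format(ev="s", t=t, n=0, why="---", pid=pid, pt="cbr"))
            lines.append(fmt.format(ev="r", t=t, n=n, why="---", pid=pid, pt="cbr"))
            if k in lost:
                # "LOOP" is assumed to be how DROP_RTR_ROUTE_LOOP is logged.
                lines.append(fmt.format(ev="D", t=t, n=n, why="LOOP", pid=pid, pt="cbr"))
            else:
                lines.append(fmt.format(ev="f", t=t, n=n, why="---", pid=pid, pt="cbr"))
                lines.append(fmt.format(ev="r", t=t, n=5, why="---", pid=pid, pt="cbr"))
    return lines


if __name__ == "__main__":
    rates = drop_rates(sample_trace())
    for node, verdict in sorted(classify_nodes(rates, threshold=0.2).items()):
        rx, lost, rate = rates[node]
        print(f"node {node}: received={rx} dropped={lost} rate={rate:.0%} -> {verdict}")
```
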

Mobile ad hoc networks need a routing protocol that is robust against both dynamically changing topology and malicious attacks. Routing protocols for ad hoc networks are still under research, and there is no single standard routing protocol. We have decided to use the AODV (Ad hoc On-demand Distance Vector) routing protocol. AODV is an on-demand algorithm, i.e. it builds routes between nodes only as desired, and maintains them as long as they are needed by the source nodes. It is capable of unicast or multicast routing, supports multicast groups and has been noted to be scalable.

Proposed Framework for Black Hole and Gray Hole Attack

Black Hole and Gray Hole attacks involve dropping packets. A Black Hole attack drops all received packets intended for forwarding, whereas a Gray Hole attack drops packets at certain frequencies. Both attacks consist of two steps:

Attracting step, where the node attracts other nodes by sending false information in the communication.

Invading step, where the node invades the communication process and drops the packets.

During the attack, the attacker has to identify whether the incoming packets are AODV packets. Then the attacker determines the route and selects the routing process by sending RREQ packets. First, the attacker takes part in routing by sending RREQ packets. During the invading step, the attacker starts increasing its sequence number compared to the other nodes in the network. Thus it induces the attack by sending a fake reply to the nodes in the network.

Implementation of Black Hole and Gray Hole Attack

A node which has to exhibit Black Hole or Gray Hole behaviour has to follow a new protocol. As the simulation is carried out in AODV, we preferred to simulate the Black Hole or Gray Hole behaviour in AODV. The simulation is carried out in NS-2.35 over Debian Linux. We installed NS-2.35, duplicated the AODV protocol directory and renamed the copies BlackHoleAodv and GrayHoleAodv. These new directories are added to NS after modification to function as Black Hole and Gray Hole AODV routing protocols. All the files in these directories with aodv in their names are renamed to BlackHoleAodv and GrayHoleAodv respectively, except the file aodv_packet.h. This is important because in the simulation, the sources of the AODV, Black Hole AODV and Gray Hole AODV protocols will send the same AODV packets to all the receivers. All the subroutines, classes, functions, variables, constants and structures having aodv in their name are changed to BlackHoleAodv and GrayHoleAodv. A few more files of NS are modified, like ns-lib.tcl and /makefile. The newly compiled NS program functioned well with the new routing protocols called Black Hole Aodv and Gray Hole Aodv respectively.

The performance of the newly implemented Black Hole AODV and Gray Hole AODV protocols is compared with that of the existing AODV routing protocol to study the behaviour of the network under these attacks.

Detection of Black Hole and Gray Hole Attack

Figure 3.4: A Black Hole/Gray Hole Attack

In the above figure:

S : Source
D : Destination
1 : Node 1
3 : Node 3
4 : Node 4
2 : Malicious Node

To detect the Black Hole and Gray Hole nodes, we have adopted the following procedure. The source node S occasionally checks through all available routes to determine whether all the messages sent are received correctly by the destination. The sender broadcasts a “check” request message. For example, source node ‘S’ wants to send a data packet to destination node ‘D’ and initiates the route discovery process. Node ‘2’ is assumed to be a malicious node. It claims that it has a route to the destination whenever it receives route request packets, and immediately sends the response to node ‘S’. If the response from node ‘2’ reaches node ‘S’ first, then node ‘S’ thinks that the route discovery is complete. Thus, it ignores all other reply messages and begins to send data packets to node ‘2’; as such, all the packets passing through the malicious node ‘2’ are consumed or lost. In a Black Hole attack all the packets are dropped, whereas in a Gray Hole attack the node refuses to forward certain packets and simply drops them. Thus the attacker either drops all packets or selectively drops the packets originating from a single IP address or a range of IP addresses. The Black Hole nodes and Gray Hole nodes in MANETs are very effective. The simulation result shows the effectiveness and efficiency of the mechanism.

In our work, we have simulated a malicious node that drops all the packets which pass through it. We have created malicious nodes in the AODV protocol by modifying the aodv.cc and aodv.h files.

In the aodv.h file we add “bool malicious” as follows. This variable is used to define whether the node is malicious or not.

/*
 * History management
 */
bool malicious;                 // true if this node behaves maliciously

double PerHopTime(aodv_rt_entry *rt);

nsaddr_t index;                 // IP Address of this node
u_int32_t seqno;                // Sequence Number
int bid;                        // Broadcast ID

aodv_rtable rthead;             // routing table
aodv_ncache nbhead;             // Neighbor Cache
aodv_bcache bihead;             // Broadcast ID Cache

In aodv.cc we add the line “malicious = false;”. This line is added because initially nodes are not malicious, and we need a separate line to define which node is malicious.

/* Constructor */
AODV::AODV(nsaddr_t id) : Agent(PT_AODV),
    btimer(this), htimer(this), ntimer(this),
    rtimer(this), lrtimer(this), rqueue() {
  index = id;
  seqno = 2;
  bid = 1;
  malicious = false;            // nodes are not malicious by default

  LIST_INIT(&nbhead);
  LIST_INIT(&bihead);

  logtarget = 0;
  ifqueue = 0;
}

Now we need to add the line to catch the nodes which are malicious. We add the line “malicious = true”

int AODV::command(int argc, const char*const* argv) {
  // "hacker" is sent from the TCL script to mark this node as malicious
  if(strcmp(argv[1], "hacker") == 0) {
    malicious = true;
    return TCL_OK;
  }

  if(argc == 2) {
    Tcl& tcl = Tcl::instance();

    if(strncasecmp(argv[1], "id", 2) == 0) {
      tcl.resultf("%d", index);
      return TCL_OK;
    }
    // ... rest of the function is not shown on this page

Now we need to define what a malicious node should do. In this case we want the malicious node to drop any packet that it receives. We define this in the Route Handling Functions.

/* Route Handling Functions */
void AODV::rt_resolve(Packet *p) {
  struct hdr_cmn *ch = HDR_CMN(p);
  struct hdr_ip *ih = HDR_IP(p);
  aodv_rt_entry *rt;

  // if I am malicious node, drop the packet instead of routing it
  if (malicious == true) {
    /* DROP_RTR_ROUTE_LOOP is added for no reason; it only serves as the drop reason code. */
    drop(p, DROP_RTR_ROUTE_LOOP);
    return;   // the packet has been handed to drop(); do not process it further
  }
  // ... rest of the function is not shown on this page

In our TCL file we define the malicious node with the following command.

$ns at 0.0 "[$node_(5) set ragent_] hacker"

This command defines node (5) to be malicious and to drop all the packets.

After the modifications in the aodv.cc and aodv.h files, we recompile and install the program using the Makefile.

3.3. Research Approach

The proposed solution is based on a quantitative intrusion detection technique [16].

This technique is applied to a MANET with mobile nodes.

The Objective

Our main objective is to find a quantitative, distributed and dynamic intrusive

detective solution for MANETs that involve mobile nodes in a non-cluster based

environment.

Besides, we developed a simulation for mobile networks which includes

o Implementation of the AODV routing protocol

o Simulate the mobile nodes by varying different network parameters

o Introducing malicious nodes in a network

Page 18: 3. The Problem Statement - Shodhgangashodhganga.inflibnet.ac.in/bitstream/10603/48102/12/12_chapter 3.pdf · 3. The Problem Statement The performance and use of wireless technologies

7

0

Performance Study of An Ad hoc Network

under Malicious Node Attack

Deptt. of ECE, NERIST Page 70

o Making a comparative study from the data obtained from the trace files

o Efficiency of the network in terms of the throughput, average packets dropped

and latency before and after the implementation of IDS.

o Finally, conclude on an optimal solution in terms of space, group size, speed

of the malicious and non-malicious nodes in the network.

Specific needs and Challenges

We break our research problem definition down into further detail to assist us in proposing a solution. This solution will address each of the challenges or problems faced in creating an Intrusion Detection System.

Nodes in MANETs that display erroneous or malevolent behavior are often termed “malicious”. Here, we refer to all nodes displaying undefined or unexpected behavior as “malicious nodes”. Hence our aim is to identify the nodes displaying malicious behavior.

Nodes moving in uncontrolled environments with relatively poor physical protection have a non-negligible probability of being compromised. The network faces threats of attacks from the outside world as well as from the compromised nodes within the network. Therefore, we need to find out whether our solution is time continuous or not.

Selecting a Simulator

We have used the NS2 simulator for carrying out the various simulations. We used NS-2.35 under Debian Linux 4. The reason for choosing NS2 is that it is simple to understand and can implement various protocols. The implementation of the malicious node behavior and of the intrusion detection system, and their integration with the existing NS2 software, is easier.


In cellular networks, the wireless part is restricted only to the access to a network, and within the network classical routing protocols can be used. Ad hoc networks, in contrast, rely on special routing protocols that have to be adapted to frequent topology changes.

To model cellular networks well, sophisticated simulation tools for the physical radio channel are often needed, as well as simulation of the power control mechanism. NS2 does not have an advanced physical layer module, although it contains some simple modeling features of radio channels.

In ad hoc networks, in contrast, the routing protocols are central. NS2 allows us to simulate the main existing routing protocols as well as the transport protocols and applications that use them. Moreover, it allows taking into account the MAC and link layer, the mobility, and some basic features of the physical layer.

NS2 simulator can be used to simulate classical queuing models. In the simplest

form of classical models, the time between packets arrival is random and has some

general probability distribution. The time it takes to transmit a packet is random as

well distributed according to some other transmission rate but a varying size of a

packet.

The Intrusion Detection System (IDS)

Intrusion detection is an activity that determines whether a process or user is

attempting something unexpected. It works, as defined, on the basis of examining

activity on a specific machine or network and deciding whether the activity is normal

or suspicious. It can either compare current activity to known attack patterns or

simply raise an alarm condition when specific measurements exceed preset values.

There have been many approaches to intrusion detection in MANETs. The initial

classification is based on authentication based schemes. These rely on the


identification of nodes by a unique identifier. The use of encryption keys falls into this category, and such schemes have been deeply studied. The second approach is a behaviour-based algorithm, where intrusion is defined based on nodal activities rather than on the node's identifier. This is a better approach for the following reasons.

o Node identities can be easily stolen but it is not easy to replicate the behavior.

o Identity based behavior requires storage of identifier database and logic.

o Each new node is given a unique identifier, which makes the process of deployment more expensive.

Thus, we limit our intrusion detection system to one based on behavior. This is a more efficient, lightweight and easily scalable solution to intrusion detection in MANETs.

The Intrusion Detection Systems based on behavior can be classified as follows:

Anomaly Detection

A baseline profile of the normal system activity is created. Whenever there is any

deviation from the baseline, the system activity is treated as a possible intrusion. The

shortcomings of this approach are:

o Anomalous activities that are not intrusive are flagged as intrusive (false positives)

o Intrusive activities that behave in a non-anomalous manner are not detected (false negatives)

Anomaly detection may demand that the normal profile be periodically updated and

the deviations from the normal profile computed in mobile computing. These

periodic calculations may impose heavy load on some of the resource constrained

devices.

A distributive and Co-operative intrusion detection model based on statistical


anomaly detection technique was proposed by Zhang and Lee [14]. In such networks, every node participates and runs an IDS agent. This agent performs local data collection and detection. When a node reports an anomaly, a co-operative detection and global intrusion response can be triggered. Here, two attack scenarios are considered separately:

o Abnormal updates to routing table

o Detection of abnormal activities in the layers other than the routing layers.

Signature Misuse Detection

In this kind of detection, the signature and the traces of the intruder are observed in the system. A legal behavior model is defined and the observed behavior is compared against the legal model to detect the intrusion. The system tries to detect the intrusion activity irrespective of the traffic background of the network.

Specification based Detection

Under this kind of detection, a set of constraints is defined which describes the correct operation of a program or protocol. The programs are monitored and executed with respect to the defined constraints. IDSs based on this approach are proposed by Tseng and Balasubramanyam [15].

Compound Detection

This is an improvement over misuse and anomaly detection. A compound decision

based on the normal behavior of the system and the intrusive behavior of the intruder

is formed. Here, the detector operates by detecting the intrusion against the historical

normal traffic in the system. This gives better accuracy in detecting undefined

behavior. M. Alam, T. Li et al. in [16], proposed an IDS which uses a quantitative

method of anomaly definition based on transmission characteristics depending on

historical transmission behavior of the node. Though the above suggestion gives us a

non-centralized solution, it does not cater to the mobile nodes or MANETs.


Implementation of Intrusion Detection System

Similar to the implementation of the Blackhole/Grayhole AODV, we have to implement the Intrusion Detection System. We copy the AODV directory and rename the copy idsaodv. All the files with aodv in their name are renamed to idsaodv, except for aodv_packet.h. The file ns-lib.tcl and the Makefile are modified to include this new idsaodv protocol.

The modified program is compiled and installed thereafter. The modified NS is tested for Black Hole AODV and Gray Hole AODV with the AODV routing protocol. The simulation results of the Black Hole AODV and the Gray Hole AODV are compared with those of the IDS AODV for network throughput and average packets dropped.

Intrusion Detection

A secure ad hoc network requires identification of nodes within the network that have malicious behavior. This is done in two stages.

Recognizing the nodes displaying malicious behavior

The current research tries to detect malicious nodes that drop data packets partially

or fully. Every node keeps a count of the number of acknowledgements it receives

from the neighboring nodes to which it has tried to transmit. Thus each node records

the throughput of every neighbor node during communication. This behavior is

measured over a period of time which determines the historical quality of behavior

of the neighbor node. The stability of the nodal behavior is denoted by “STB()”, data

transmission quality is referred to as “DTQ” which is a function of STB(), the

probability of error in the channel is P(), the power needed for transmitting the total

data attempted to be sent is D, the energy to send one byte of data is “E”, k is a

constant (which depends upon the efficiency of the node in terms of resources,

memory, battery backup etc.), and T is the time period for which the behavior of a

particular node is observed.


The research work is limited to non-cluster based networks and transmission is

considered in terms of packets. A packet is either transmitted completely or not at

all.

Each node calculates and maintains the DTQ for all the neighboring nodes. When the DTQ value is less than the threshold value, the neighbor node is marked as a malicious node.

The process of malicious node recognition is shown by the flowchart in figure 5.1.

Figure 3.5: Flow Chart to identify the malicious Node.

Confirming the Identification

This confirms that the malicious node is correctly identified. The decision is based


on a group consensus approach. A request is sent to every node in the network to accept or reject the decision. On receiving such a request, a node can either vote for or veto the decision by referring to its own DTQ readings. Based on the replies, the vote-initiating node draws a consensus. If the votes approving malicious behaviour are more, the node is added to a blacklist. Any further communication with this node is barred by all the other nodes.

Here, for example, node A has detected that node B’s DTQ has fallen below the threshold; therefore node A broadcasts a request for a vote on its suspicion. When the nodes in the ad hoc network receive such a request, they check the DTQ values for node B in their respective tables. Depending on what they find, they vote by sending a positive or negative reply. The votes received are summed by node A to decide the status of node B.

Voting Details

Vote Arrival: The node initiating vote keeps a count of the number of votes

received. For a particular vote request, it does not register more than one vote from

the same neighbor. After receiving votes from all the neighbors, the node decides for

or against the voted-upon node. Here, we consider the total number of nodes less one

which is the maximum expected neighbor count.

Vote Request Time-out: The ideal situation is when all the neighbors respond to a request. In MANETs, as packets are lost during transit and some of the nodes decide not to vote, the vote initiator cannot wait indefinitely. The vote-request time-out solves this dilemma, and is set as soon as the vote request is sent out. At the end of this time-out period, the vote request initiator aggregates all the votes it has received, and makes a decision based on the counts. All the votes received after this time-out are ignored.

The Voters: All the nodes that receive a vote request attempt to vote. However, if


the number of messages they receive from the vote initiator is not sufficient for them to decide, they refrain from voting.

Figure 3.6: Flow chart for the Voting Process

Process after Vote Decision:

Blacklisting: Once a node is blacklisted, a message with this information is sent to all the nodes immediately, as shown in the figure 5.2. All nodes receiving this message add the node to their own blacklist too. Henceforth, no communication from such nodes is responded to.

Acquitted: If a node is acquitted after the vote decision, it is treated as a usual node


by all the other nodes. No information about the acquittal is sent out. Hence, the vote initiator that holds a low DTQ value for a particular node has to wait for the next bucket before it can re-initiate the vote request, as vote request initiation is allowed only once every bucket. This ensures that there is no repeated or premature vote request.
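The recognition threshold and the voting rules described above (one vote per neighbour, the vote-request time-out, abstention, and one request per bucket), as an added C++ example that is not part of the thesis's idsaodv code. The class and function names, the minimum-sample rule for abstaining and the exclusion of the suspect's own reply are assumptions; DTQ values are supplied as inputs rather than computed.

```cpp
#include <map>
#include <set>
#include <utility>
#include <vector>

// Added illustration: all identifiers are hypothetical, not taken from idsaodv.
enum class Ballot { Approve, Veto, Abstain };
enum class Verdict { Blacklisted, Acquitted, Refused };

struct Vote {
    int voter;       // id of the replying node
    double arrival;  // simulation time at which the reply arrived
    Ballot ballot;
};

class IdsNode {
public:
    IdsNode(double threshold, int min_samples)
        : threshold_(threshold), min_samples_(min_samples) {}

    // Store the DTQ held for a neighbour and the number of observed
    // transmissions behind it (DTQ values are inputs here, not computed).
    void record_dtq(int neighbour, double dtq, int samples) {
        dtq_[neighbour] = std::make_pair(dtq, samples);
    }

    // Stage 1: a neighbour is suspected when its DTQ is below the threshold.
    bool suspects(int neighbour) const {
        auto it = dtq_.find(neighbour);
        return it != dtq_.end() && it->second.first < threshold_;
    }

    // Voter side: answer from the local DTQ table, or abstain when there is
    // too little history (the minimum-sample test is an assumption).
    Ballot cast_vote(int suspect) const {
        auto it = dtq_.find(suspect);
        if (it == dtq_.end() || it->second.second < min_samples_)
            return Ballot::Abstain;
        return it->second.first < threshold_ ? Ballot::Approve : Ballot::Veto;
    }

    // Initiator side (stage 2): tally the replies to one vote request.
    Verdict tally(int suspect, long bucket, double sent_at, double timeout,
                  const std::vector<Vote>& replies) {
        // A request needs a local suspicion and is allowed once per bucket.
        if (!suspects(suspect) ||
            !requested_.insert(std::make_pair(suspect, bucket)).second)
            return Verdict::Refused;
        std::set<int> seen;
        int approve = 0, veto = 0;
        for (const Vote& v : replies) {
            if (v.arrival > sent_at + timeout) continue;  // after the time-out
            if (v.voter == suspect) continue;             // assumption: no self-vote
            if (v.ballot == Ballot::Abstain) continue;    // voter refrained
            if (!seen.insert(v.voter).second) continue;   // one vote per node
            if (v.ballot == Ballot::Approve) ++approve; else ++veto;
        }
        if (approve > veto) {          // more approvals than vetoes
            blacklist_.insert(suspect);
            return Verdict::Blacklisted;
        }
        return Verdict::Acquitted;     // nothing is announced on acquittal
    }

    // Receiving a blacklist announcement from another node.
    void on_blacklist_notice(int node) { blacklist_.insert(node); }
    bool is_blacklisted(int node) const { return blacklist_.count(node) != 0; }

private:
    double threshold_;
    int min_samples_;
    std::map<int, std::pair<double, int> > dtq_;  // neighbour -> (DTQ, samples)
    std::set<std::pair<int, long> > requested_;   // (suspect, bucket) already voted on
    std::set<int> blacklist_;
};

// Constructed scenario: node A suspects node 2; replies arrive from nodes 3-7.
Verdict demo_vote(IdsNode& a, long bucket) {
    std::vector<Vote> replies = {
        {3, 1.0, Ballot::Approve}, {4, 1.5, Ballot::Approve},
        {4, 1.6, Ballot::Approve},  // duplicate from node 4: not counted
        {5, 1.2, Ballot::Veto},
        {6, 9.0, Ballot::Veto}, {7, 9.5, Ballot::Veto},  // after the time-out
    };
    return a.tally(2, bucket, /*sent_at=*/0.0, /*timeout=*/2.0, replies);
}
```

In the constructed scenario the two late vetoes would have reversed the outcome had they arrived in time, which shows how much the verdict depends on the choice of time-out.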

3.4. Performance Metrics

In the performance evaluation of a protocol for MANETs, the protocol should be

tested under realistic conditions. We perform extensive simulations using NS-2

simulator. A routing protocol for MANETs is usually evaluated in terms of

performance metrics. The metrics used by us are Network Throughput, Average end-

to-end delay (Delay) and Average Packet Drop.

Network Throughput

Throughput is the measure of how fast we can actually send data through the network. The number of packets delivered to the receiver provides the throughput of the network. It is the ratio of the total amount of data that reaches a receiver from a sender to the time it takes for the receiver to get the last packet.

Throughput =

Average end-to-end delay (Delay)

This is the average time from the beginning of the packet transmission (including route acquisition delay) at the source node until packet delivery to the destination. The packet

end-to-end delay is the average time that packets take to traverse the network. This is

the time from the generation of the packet by the sender up to their reception at the

destination’s application layer and is expressed in seconds. It therefore includes all

the delays in the network such as buffer queues, transmission time and delays

induced by routing activities and MAC control exchanges. Various applications


require different levels of packet delay. Delay sensitive applications such as voice

require a low average delay in the network whereas other applications such as FTP

may be tolerant to delays up to a certain level. MANETs are characterised by node

mobility, packet retransmissions due to weak signal strengths between nodes, and

connection tearing and making. These cause the delay in the network to increase.

The end-to-end delay is therefore a measure of how well a routing protocol adapts to the various constraints in the network, and represents the reliability of the routing protocol.

Where

= End to end delay

= Transmission delay

= Propagating delay

= Processing delay

Equation for average end to end delay is:

Where n is number of received packets.

Average Packet Drop

Packet loss occurs when one or more packets being transmitted across the network fail to arrive at the destination. It may be due to path breaks caused by the mobility of nodes, congestion of the network, or node failure due to a drained battery. It is defined as the Average Packets Dropped by the routers during transmission.

Forward Percentage =


Packet loss is the discarding of packets in a network when a router or other network

device is overloaded and cannot accept additional packets at a given moment.

Packets are the fundamental unit of information transport in all modern computer

networks, and increasingly in other communications networks as well.

The losses are usually due to congestion on the network and buffer overflows on the

end-systems. A buffer is a portion of a computer’s memory that is set aside as a

temporary holding place for data that is being sent to or received from an external

device. A buffer overflow occurs any time more information is written into the

buffer than there is space allocated for it in the memory.

3.5. Literature Review

AODV is one of the most prominent communication protocols in MANETs. Because of its many weaknesses, AODV attracts much research into new variant protocols based on AODV that improve its performance. A number of IDS techniques have been proposed in the research literature.

We first review black hole attacks. The authors in [17] revised the AODV routing protocol to reduce the chances for a Black Hole Node to grab routing paths. This method is very useful to prevent a black hole node located near a source node.

Another approach using AODV proposed in [18] is that a source node does not

immediately send out a data packet, upon the receipt of the first Route Reply, but

waits for subsequent collection of Route Replies from its neighbouring nodes. After

comparing all route replies the source node selects one from the neighbouring nodes

which has the same next hop as other alternative routes and begins to send out the

data packets.

The authors of [19] also proposed a revised AODV routing protocol, called PCBHA

(Prevention of a Co-operative Black Hole Attack), in order to prevent cooperative


black holes.

A dynamic learning method was proposed [20] to detect a black hole node. If the

characteristics change of a node exceeds the threshold within a period of time, this

node is judged as a Black Hole Node. Otherwise, the data of the latest observation is

added to the data set for dynamic updating purposes.

A general approach for detecting the black hole attack was presented in [21], which is based on the neighbourhood to detect the interloper. A routing recovery protocol to set up a correct course to the true destination was planned. This method introduced the neighbour set of a node, which consisted of all the nodes that are within the radio transmission range. Two types of control packets shared the neighbour set between the different nodes. When two neighbour sets received at the same time are different, it was presumed that they were generated by two different nodes. The disadvantage with this scheme is that there should be a public key infrastructure; otherwise the detection remains susceptible.

A solution to defend against the selective forwarding attack (Gray Hole Attack) in Wireless Mesh Networks was offered that consists of two stages [22]. The first stage is Counter-Threshold Based and uses the detection threshold and packet counter to discover the attacks. The second stage is Query Based and uses acknowledgements from intermediate nodes to confirm the attacker.

Another method for detecting Gray Hole Attack [23] was proposed. Each intrusion

detection agent runs independently and detects intrusion from traces. Only one-hop

information is maintained at each node for each route. If local evidence is

inconclusive, the neighbouring IDS agents cooperate to perform global intrusion

detection.

The Black and Gray Hole attack [24] will bring great damage to the performance of


Ad Hoc network. The malicious drop rate is defined by the ratio of dropped packet number and received packet number. For example, a Gray Hole with a gray magnitude of 60% will drop a data packet with a probability of 60%, and a classical Black Hole has a gray magnitude of 100%.

The Intrusion Detection systems are broadly classified into five categories [25], [26].

a) Stand Alone Intrusion Detection System,

b) Distributive and Co-operative Intrusion Detection System,

c) Host Based Intrusion Detection System,

d) Network Based Intrusion Detection System, and

e) Hierarchical Intrusion Detection System.

A number of IDS techniques have been proposed in research literature. Cluster based

voting schemes have been proposed to enable sharing and vetting of messages, and

data, generated and gathered by IDS systems.

A distributed and collaborative anomaly detection based IDS for ad hoc networks that monitors the AODV routing behaviour was proposed [14]. AODV routing behaviour

and distributed network monitors for detecting run-time violation of specifications.

A method for building confidence measures of root trust worthiness without a central

trust authority was presented in [27]. The authors also present a concise summary of

previous work of establishing trust in Adhoc networks.

In [28], a value was assigned to the “reputation” of a node and this information was

used to identify the misbehaving nodes. Co-operation was only with the nodes with

trusted reputation.

A trust-based mechanism was coupled with a mobile agent based intrusion detection system [29]; however, it does not discuss the security implications or overhead


required to secure the network and individual nodes from the mobile agents

themselves. Gateway nodes in neighbouring zones can then further collaborate to

perform intrusion detection tasks in a wider area to attempt to reduce false positive

alarms.

These detectors operate by detecting the intrusion against the historical and normal

traffic in the system. Hence, these detectors have a greater accuracy in detecting

undefined behaviour. They would at the very least be able to qualify their decisions

better. In [30] IDS was proposed which uses a quantitative method of anomaly

definition based on transmission characteristics, but factors in historical transmission

behaviour of the node.

A collaborative method for black hole attack prevention was proposed [32]. An architecture to deal with collusion amongst nodes was designed using a watchdog method. The algorithm classified the nodes in a network into three types: trusted, watchdog, and ordinary nodes. Every chosen watchdog observed its normal node neighbours and decided whether they could be treated as trusted or malicious.

An aggregate signature algorithm to trace packet dropping nodes was proposed [33].

This consisted of three related algorithms.

(a) The creating proof algorithm

(b) The check-up algorithm

(c) The diagnosis algorithm

Here, the reliability is satisfying as proof on forwarded packets is used. As bi-directional communication links are not required, the application scope is wide. The malicious nodes are well detected and the bandwidth overhead is low as the nodes do not need to check each other.

In [34], an intrusion detection system based on Suburban Ad Hoc Network (SAHN)


was proposed. This SAHN-IDS was useful for multi-hop ad hoc networks, where the misbehaving nodes were detected by their getting an unfair share of the transmission channel. The efficiency of the proposed scheme was shown by the simulation results.

A novel intrusion detection and response system has been proposed [35], which was

known as Router-guard. This worked mainly on the concept of monitoring and node

cooperation and successfully detected malicious mobile nodes and protected the

system.

In [36] a “Cross Layer Based Intrusion Detection System” (CIDS) has been

proposed for Adhoc networks. The trace file patterns were analysed to detect the

intruders. The network efficiency was increased as it could communicate data

securely from the source to the destination.

Probes disguised as normal packets were used to detect malicious nodes [37]. A centralised authority that receives reports on statistics of various IP flows was used [38]. However, these techniques could not distinguish between causes for packet loss.

Reputation based systems are a new paradigm used for enhancing security. These systems are easy to use and can face a variety of attacks. These systems do not rely on the conventional use of a common secret to establish confidential and secured communication between two parties. These systems are based on observations and are used to decide whom to trust and to encourage trustworthy behaviour. In [39] three goals for reputation systems were identified:

a. Isolate untrustworthy principal from trustworthy principal.

b. To persuade the principals to behave in trustworthy manner.

c. To prevent the untrustworthy principals from participating in the reputation

mechanism.

Most of the proposed methods for Intrusion Detection and Malicious Node Detection


can discover a few types of attacks like depending on the status of the network. The

problem occurs when we come across a malicious node whose nature of attack is

unknown to the network. The other problem which Intrusion Detection System faces

is the requirement of large bandwidth for exchange of large packets amongst the

nodes. This leads to large amount of processing and reduces the network

performance as the number of packets received by the target nodes will be less.