sathya thesis
TRANSCRIPT
-
8/10/2019 Sathya Thesis
1/110
1
Introduction
Since their appearance in 1970 in the form of ALOHANET, wireless packet radio networks
have come a long way in terms of numbers, applications, and the feature set, among other
things. The two largest attractions of wireless communication have been mobility and ease
of deployment: laying cables is not only laborious and time consuming, but their
maintenance is equally bothersome. Wireless communication today surrounds us in many
colors and flavors, each with its unique frequency band, coverage, and range of
applications. It has matured to a large extent, and standards have evolved for Personal Area
Networks, Local Area Networks as well as Broadband Wireless Access.
1.1 Infrastructure-less Networks
In any but the most trivial networks (point-to-point links), some mechanism is required for
routing the packets from the source to the final destinations. This includes discovery and
maintenance of routes along with associated costs. In what is called an infrastructure-
based wireless network, the job of routing is assigned to dedicated nodes called access
points (AP). Configurations of the APs are much less dynamic than their, possibly mobile,
end-point nodes. APs are like base stations which keep track of nodes
associations/disassociations, authentication etc. and control the traffic flow between their
clients as well as between fellow APs. The AP may also be connected to the Internet
thereby providing Internet connectivity to its clients.
to be a perfect circle, and the links in fact can even be unidirectional in many cases: node
A can reach node B on link 1, but node B may not be able to use this link to reach node
A. This can happen because the signal strengths of the two transmitters are unequal, or
can even depend on the transmission path.
In Ad Hoc networks, each node is willing to forward data to other nodes, and so the
determination of which nodes forward data is made dynamically based on the network
connectivity. This is in contrast to the infrastructure-based networks in which designated
nodes, usually with custom hardware and variously known as routers, switches, hubs, and
firewalls, perform the task of forwarding the data. Minimal configuration and quick
deployment make Ad Hoc networks suitable for emergency situations like natural or
human-induced disasters, military conflicts, emergency medical situations etc. An Ad Hoc
network is formed for a purpose by participating wireless nodes and is then torn down.
These networks introduced a new art of network establishment and are well suited for
environments where either the infrastructure is lost or where deploying an infrastructure is
not cost-effective.
1.2 A Brief History of Wireless Ad Hoc Networks
The whole life-cycle of Ad Hoc networks [33] could be categorized into first, second, and
third generation Ad Hoc network systems. Present ad-hoc network systems are considered
the third generation.
The first generation of wireless Ad Hoc networks dates back to 1972. At the time, they
were called PRNET (Packet Radio Networks). In conjunction with ALOHA and CSMA
(Carrier Sense Multiple Access), approaches for medium access control and a kind of
distance-vector routing, PRNET was used on a trial basis to provide different networking
capabilities in a combat environment.
The second generation [6] of Ad hoc networks emerged in the 1980s, when the ad-hoc network
systems were further enhanced and implemented as a part of the SURAN (Survivable
Adaptive Radio Networks) program. This provided a packet-switched network to the
mobile battlefield in an environment without infrastructure. This program proved to be
beneficial in improving the radios' performance by making them smaller, cheaper, and
resilient to electronic attacks.
In the 1990s, the concept of commercial ad-hoc networks [6] arrived with notebook
computers and other viable communications equipment. At the same time, the idea of a
collection of mobile nodes was proposed at several research conferences.
The IEEE 802.11 [7] subcommittee had adopted the term "ad-hoc networks" and the
research community had started to look into the possibility of deploying ad-hoc networks in
other areas of application.
Meanwhile, work was going on to advance the previously built ad-hoc networks. GloMo
[8] (Global Mobile Information Systems) and the NTDR (Near-term Digital Radio) are
results of these efforts. GloMo was designed to provide an office environment with
Ethernet-type multimedia connectivity anywhere and anytime in handheld devices.
NTDR [9] is the only "real" non-prototypical ad-hoc network that is in use today. It uses
clustering and link-state routing, and is self-organized into a two-tier ad-hoc network.
Development of different channel access approaches now in the CSMA/CA and TDMA
molds, and several other routing and topology control mechanisms were some of the other
inventions of that time.
Later on in mid-1990s, within the Internet Engineering Task Force (IETF), the Mobile Ad-
Hoc Networking working group was formed to standardize routing protocols for ad-hoc
networks. The development of routing within the working group and the larger community
resulted in the invention of reactive and proactive routing protocols.
Soon after, the IEEE 802.11 subcommittee standardized a medium access protocol that was
based on collision avoidance and tolerated hidden terminals, making it usable for building
mobile ad-hoc network prototypes out of notebooks and 802.11 PCMCIA (Personal
Computer Memory Card International Association) cards. Wireless local area products
(IEEE 802.11, Hiperlan) provide in-building wireless access; however, they are usually
deployed as access links only, packet relaying being performed by traditional bridges or
routers. Bluetooth is a low cost technology for short range communication; its market is
targeted towards PCs, phones, appliances, watches, etc. It allows multiple nodes to connect
to each other in a multi-hop arrangement.
Efforts are under way to standardize the different existing schemes for different network controls in a
single framework which could be taken as a standard for all the future applications utilizing
ad-hoc networks as a networking technology. Wireless devices are getting smaller, cheaper,
and more sophisticated. As these devices become more ubiquitous, organizations are
looking for inexpensive ways to keep these devices connected. Building an ad-hoc network
could make that happen.
Wireless Ad Hoc Networks can broadly be classified into three categories: Mobile ad-hoc
networks (MANETs), Wireless Sensor Networks, and Wireless Mesh Networks. Each one
of these has significance for different application areas; each of these differs in the capacity
and capabilities of nodes that participate in the network, the purpose of the network and the
communication protocols employed. The focus of this thesis is MANETs; from this point
onwards, the words MANETs and Wireless Ad Hoc Networks will be used
interchangeably.
1.3 Challenges in Wireless Ad Hoc Networks
The two most significant differences between infrastructure-based and Ad Hoc networks
are a) communications in Ad Hoc networks are truly peer-to-peer and b) the individual
nodes that do jobs of their own are also now required to route packets as required. These
differences lead to some unique and extremely difficult challenges for Ad Hoc networks.
Unlike dedicated routers, hosts in MANETs have limited computational resources and
more importantly, being battery-operated, very limited power. Building routing decisions in
the general-purpose hosts for constantly changing surroundings is a big challenge.
However, arguably the most important of these challenges is that of security. MANETs are
like a consistent, zero-administration personal environment. The absence of infrastructure and
the consequent absence of authorization facilities impede the usual practice of establishing
a line of defense to separate the trusted from the non-trusted. This would have been based
on a security policy, possession of necessary credentials and the ability of nodes to validate
them. In the context of MANETs, there may be no basis for an a priori classification.
Additionally, freely roaming nodes join and leave MANETs independently and without
notice, making it difficult to have a clear picture of the Ad Hoc network membership. In
such an environment, there is no guarantee that a path between two nodes would be free of
malicious nodes. These nodes would not comply with the employed protocol and would
attempt to harm the network operation. The presence of even a small number of adversarial
nodes could cause the entire network to collapse.
1.4 Routing in Ad Hoc Networks
The lack of a backbone infrastructure [37] coupled with the fact that mobile Ad Hoc
networks change their topology frequently and without prior notice makes packet routing in
ad-hoc networks a challenging task. The suggested approaches for routing can be divided
into topology-based and position-based routing.
Topology-based routing protocols use the information about the links that exist in the
network to perform packet forwarding. They can be further divided into proactive, reactive,
and hybrid approaches.
Proactive algorithms employ classical routing strategies such as distance-vector routing
(e.g., DSDV) or link-state routing (e.g., OLSR and TBRPF). They maintain routing
information about the available paths in the network even if these paths are not currently
used. The main drawback of these approaches is that the maintenance of unused paths may
occupy a significant part of the available bandwidth if the topology of the network changes
frequently.
In response to this observation, reactive routing protocols were developed (e.g., DSR,
TORA, and AODV). Reactive routing protocols maintain only the routes that are currently
in use, thereby reducing the burden on the network when only a small subset of all
available routes is in use at any time. However, they still have some inherent limitations.
First, since routes are only maintained while in use, it is typically required to perform a
route discovery before packets can be exchanged between communication peers. This leads
to a delay for the first packet to be transmitted. Second, even though route maintenance for
reactive algorithms is restricted to the routes currently in use, it may still generate a
significant amount of network traffic when the topology of the network changes frequently.
Finally, packets en route to the destination are likely to be lost if the route to the destination
changes.
Hybrid Ad Hoc routing protocols such as ZRP combine local proactive routing and global
reactive routing in order to achieve a higher level of efficiency and scalability. However,
even a combination of both strategies still needs to maintain at least those network paths
that are currently in use, limiting the amount of topological changes that can be tolerated
within a given amount of time.
Position-based routing algorithms eliminate some of the limitations of topology-based
routing by using additional information. They require that information about the physical
position of the participating nodes be available. Commonly, each node determines its own
position through the use of GPS or some other type of positioning service. A location
service is used by the sender of a packet to determine the position of the destination and to
include it in the packet's destination address.
The routing decision at each node is then based on the destination's position contained in
the packet and the position of the forwarding node's neighbors. Position-based routing thus
does not require the establishment or maintenance of routes. The nodes have neither to
store routing tables nor to transmit messages to keep routing tables up to date. As a further
advantage, position-based routing supports the delivery of packets to all nodes in a given
geographic region in a natural way. This type of service is called geocasting.
Regardless of the approach to routing, a routing protocol should be able to automatically
recover from any problem in a finite amount of time without human intervention.
Conventional routing protocols are designed for nonmoving infrastructures and assume that
routes are bidirectional, which is not always the case for ad-hoc networks. Identification of
mobile terminals and correct routing of packets to and from each terminal while moving
are certainly challenging.
1.4.1 Some Popular Routing Protocols for Ad-Hoc Networks
In this section we discuss some popular routing algorithms proposed for MANETs.
1.4.1.1 Destination-Sequenced Distance Vector (DSDV) Protocol
The Destination-Sequenced Distance Vector (DSDV) protocol is a table-driven routing
protocol based on an improved version of the classical Bellman-Ford routing algorithm.
DSDV is based on the Routing Information Protocol (RIP). With RIP, a node holds a
routing table containing all the possible destinations within the network and the number of
hops to each destination. DSDV is also based on distance vector routing and thus uses
bidirectional links. A limitation of DSDV is that it provides only one route for a
source/destination pair.
1.4.1.2 Dynamic Source Routing (DSR)
DSR [13] uses source routing rather than hop-by-hop routing, with each packet to be routed
carrying in its header the complete, ordered list of nodes through which the packet must
pass. The key advantage of source routing is that intermediate nodes do not need to
maintain up-to-date routing information in order to route the packets they forward, since
the packets themselves already contain all the routing decisions. This fact, coupled with the
on-demand nature of the protocol, eliminates the need for the periodic route advertisement
and neighbor detection packets present in other protocols.
The DSR protocol consists of two mechanisms: Route Discovery and Route Maintenance.
Route Discovery is the mechanism by which a node S wishing to send a packet to a
destination D obtains a source route to D. To perform a Route Discovery, the source node S
broadcasts a ROUTE REQUEST packet that is flooded through the network in a controlled
manner and is answered by a ROUTE REPLY packet from either the destination node or
another node that knows a route to the destination. To reduce the cost of Route Discovery,
each node maintains a cache of source routes it has learned or overheard, which it uses to
limit the frequency and propagation of ROUTE REQUESTs.
Route Maintenance is the mechanism by which a packet's sender S detects if the network
topology has changed such that it can no longer use its route to the destination D because
two nodes listed in the route have moved out of range of each other. When Route
Maintenance indicates a source route is broken, S is notified with a ROUTE ERROR
packet. The sender S can then attempt to use any other route to D already in its cache or
can invoke Route Discovery again to find a new route.
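The two DSR mechanisms just described can be followed step by step in a small simulation. The code below is an added example written for this chapter; it is not code from the thesis or from any DSR implementation. It assumes symmetric links, a static adjacency list constructed for the example, and that a node which receives a ROUTE REQUEST answers from its cache when it already knows a route to the target.

```python
from collections import deque

# Constructed topology for the example: S reaches D over two node-disjoint
# paths, S-A-C-D and S-B-C-D. Links are assumed symmetric.
LINKS = {
    "S": {"A", "B"},
    "A": {"S", "C"},
    "B": {"S", "C"},
    "C": {"A", "B", "D"},
    "D": {"C"},
}


class DsrNode:
    def __init__(self, name):
        self.name = name
        self.cache = {}    # destination -> source route (ordered list of node names)
        self.seen = set()  # (initiator, request id) pairs already forwarded


class DsrNetwork:
    def __init__(self, links):
        self.links = {n: set(peers) for n, peers in links.items()}
        self.nodes = {n: DsrNode(n) for n in links}
        self.next_request_id = 0
        self.control_packets = 0  # ROUTE REQUEST/REPLY/ERROR transmissions

    def route_discovery(self, src, dest):
        """Flood a ROUTE REQUEST from src; return the source route carried by the first ROUTE REPLY."""
        self.next_request_id += 1
        req_id = self.next_request_id
        queue = deque([(src, [src])])  # (node receiving the REQUEST, route recorded so far)
        while queue:
            node, record = queue.popleft()
            n = self.nodes[node]
            if (src, req_id) in n.seen:
                continue  # duplicate REQUEST: dropped, which bounds the flood
            n.seen.add((src, req_id))
            self.control_packets += 1
            cached = n.cache.get(dest)
            if node == dest or cached is not None:
                # The target, or a node with a cached route to it, answers with a ROUTE REPLY.
                route = record if node == dest else record + cached[1:]
                self._route_reply(route)
                return route
            for nb in sorted(self.links[node]):
                if nb not in record:  # a recorded route never visits a node twice
                    queue.append((nb, record + [nb]))
        return None

    def _route_reply(self, route):
        """ROUTE REPLY: every node on the path caches its own suffix of the route."""
        self.control_packets += 1
        dest = route[-1]
        for i, node in enumerate(route[:-1]):
            self.nodes[node].cache[dest] = route[i:]

    def send(self, src, dest):
        """Deliver a data packet along a cached source route, discovering one if needed."""
        route = self.nodes[src].cache.get(dest) or self.route_discovery(src, dest)
        if route is None:
            return None
        for hop, nxt in zip(route, route[1:]):
            if nxt not in self.links[hop]:
                # Route Maintenance: the hop cannot reach its successor any more.
                self._route_error(hop, nxt)
                return self.send(src, dest)  # S retries from cache or rediscovers
        return route

    def _route_error(self, a, b):
        """ROUTE ERROR: purge every cached route that still uses the broken link a->b."""
        self.control_packets += 1
        for n in self.nodes.values():
            for d, r in list(n.cache.items()):
                if (a, b) in zip(r, r[1:]):
                    del n.cache[d]

    def break_link(self, a, b):
        self.links[a].discard(b)
        self.links[b].discard(a)
```

Running send("S", "D"), breaking the link A-C and sending again shows the full cycle: the first delivery uses S-A-C-D, the break triggers a ROUTE ERROR that purges every cached route through A-C, and the second discovery is answered from C's cache, so the ROUTE REQUEST never has to reach D. The control_packets counter makes the overhead of each phase visible.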
1.4.1.3 Temporally-Ordered Routing Algorithm (TORA)
TORA [14] is a distributed routing protocol based on a link reversal algorithm. It is
designed to discover routes on demand, provide multiple routes to a destination, establish
routes quickly, and minimize communication overhead by localizing algorithmic reaction
to topological changes when possible. Route optimality (shortest-path routing) is
considered of secondary importance, and longer routes are often used to avoid the overhead
of discovering newer routes.
The actions of TORA can be described in terms of water flowing downhill towards a
destination node through a network of tubes that models the routing state of the real
network. The tubes represent links between nodes in the network, the junctions of tubes
represent the nodes, and the water in the tubes represents the packets flowing towards the
destination. Each node has a height with respect to the destination that is computed by the
routing protocol. If a tube between nodes A and B becomes blocked such that water can no
longer flow through it, the height of A is set to a height greater than that of any of its
remaining neighbors, such that water will now flow back out of A (and towards the other
nodes that had been routing packets to the destination via A).
At each node in the network, a logically separate copy of TORA is run for each destination.
When a node needs a route to a particular destination, it broadcasts a QUERY packet
containing the address of the destination for which it requires a route. This packet
propagates through the network until it reaches either the destination or an intermediate
node having a route to the destination. The recipient of the QUERY then broadcasts an
UPDATE packet listing its height with respect to the destination. As this packet propagates
through the network, each node that receives the UPDATE sets its height to a value greater
than the height of the neighbor from which the UPDATE was received. This has the effect
of creating a series of directed links from the original sender of the QUERY to the node that
initially generated the UPDATE.
When a node discovers that a route to a destination is no longer valid, it adjusts its height
so that it is a local maximum with respect to its neighbors and transmits an UPDATE
packet. If the node has no neighbors of finite height with respect to this destination, then
the node instead attempts to discover a new route as described above. When a node detects
a network partition, it generates a CLEAR packet that resets routing state and removes
invalid routes from the network. TORA is layered on top of IMEP, the Internet MANET
Encapsulation Protocol, which is required to provide reliable, in-order delivery of all
routing control messages from a node to each of its neighbors, plus notification to the
routing protocol whenever a link to one of its neighbors is created or broken. To reduce
overhead, IMEP attempts to aggregate many TORA and IMEP control messages (which
IMEP refers to as objects) together into a single packet (as an object block) before
transmission. Each block carries a sequence number and a response list of other nodes from
which an ACK has not yet been received, and only those nodes ACK the block when
receiving it; IMEP retransmits each block with some period, and continues to retransmit it
if needed for some maximum total period, after which time, the link to each
unacknowledged node is declared down and TORA is notified. IMEP can also provide
network layer address resolution, but we did not use this service, as we used ARP [19] with
all four routing protocols. For link status sensing and maintaining a list of a node's
neighbors, each IMEP node periodically transmits a BEACON (or BEACON-equivalent)
packet, which is answered by each node hearing it with a HELLO (or HELLO-
equivalent) packet.
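The height mechanism behind the "water flowing downhill" picture can be reproduced for one destination with plain integers. The following is an added example for this chapter, not TORA or IMEP code: heights are simplified to integers (TORA proper uses a five-tuple), the QUERY/UPDATE phase is modelled as a breadth-first spread of heights from the destination, link reversal is the full-reversal rule (a node with no downstream neighbour raises itself above all neighbours), and partition detection, which TORA signals with a CLEAR packet, is modelled as a reachability check that erases the heights of nodes cut off from the destination.

```python
from collections import deque

# Constructed topology: a square A-B-D-C-A, with D as the destination.
LINKS = {
    "A": {"B", "C"},
    "B": {"A", "D"},
    "C": {"A", "D"},
    "D": {"B", "C"},
}


class ToraGraph:
    """Per-destination TORA-style state: a height per node and the directed links it implies."""

    def __init__(self, links, dest):
        self.links = {n: set(peers) for n, peers in links.items()}
        self.dest = dest
        self.height = {n: None for n in links}  # None: no route (infinite height)
        self.height[dest] = 0
        self.updates = 0  # UPDATE packets transmitted

    def build_routes(self):
        """QUERY/UPDATE phase: UPDATEs spread out from the destination and each
        receiver takes a height greater than that of the neighbour it heard from."""
        queue = deque([self.dest])
        while queue:
            n = queue.popleft()
            for nb in sorted(self.links[n]):
                if self.height[nb] is None:
                    self.height[nb] = self.height[n] + 1
                    self.updates += 1
                    queue.append(nb)

    def downstream(self, n):
        """Neighbours the 'water' can flow to: those with a strictly lower height."""
        h = self.height[n]
        if h is None:
            return []
        return sorted(nb for nb in self.links[n]
                      if self.height[nb] is not None and self.height[nb] < h)

    def route(self, src):
        """Follow decreasing heights from src to the destination."""
        path = [src]
        while path[-1] != self.dest:
            down = self.downstream(path[-1])
            if not down:
                return None
            path.append(down[0])
        return path

    def break_link(self, a, b):
        self.links[a].discard(b)
        self.links[b].discard(a)
        # Partition detection (the CLEAR packet, simplified): nodes that can no
        # longer reach the destination at all lose their height instead of
        # reversing links forever.
        reachable = {self.dest}
        queue = deque([self.dest])
        while queue:
            n = queue.popleft()
            for nb in self.links[n]:
                if nb not in reachable:
                    reachable.add(nb)
                    queue.append(nb)
        for n in self.height:
            if n not in reachable:
                self.height[n] = None
        # Link reversal: a node left with no downstream neighbour raises itself
        # above all its neighbours (a local maximum) and sends an UPDATE; its
        # neighbours re-check in turn until every node drains towards the destination.
        pending = deque([a, b])
        while pending:
            n = pending.popleft()
            if n == self.dest or self.height[n] is None or self.downstream(n):
                continue
            finite = [self.height[nb] for nb in self.links[n] if self.height[nb] is not None]
            if not finite:
                continue
            self.height[n] = max(finite) + 1
            self.updates += 1
            pending.extend(sorted(self.links[n]))
```

After build_routes() the heights are D=0, B=1, C=1, A=2. Breaking B-D leaves B with no lower neighbour, so B raises itself to 3 and now drains through A and C; only one UPDATE is needed, which is the localized reaction the protocol aims for. Breaking A-C afterwards cuts A and B off entirely, and both lose their height rather than reversing against each other indefinitely.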
1.4.1.4 Ad Hoc On-Demand Distance Vector (AODV)
AODV [15] can be thought of as a combination of both DSR and DSDV. It borrows the
basic on-demand mechanism of Route Discovery and Route Maintenance from DSR, plus
the use of hop-by-hop routing, sequence numbers, and periodic beacons from DSDV.
AODV is an on-demand routing protocol, which initiates a route discovery process only
when desired by a source node. When a source node S wants to send data packets to a
destination node D but cannot find a route in its routing table, it broadcasts a Route Request
(RREQ) message to its neighbors, including the last known sequence number for that
destination. Its neighbors then rebroadcast the RREQ message to their neighbors if they do
not have a fresh enough route to the destination node. (A fresh enough route is a valid route
entry for the destination node whose associated sequence number is equal to or greater than
that contained in the RREQ message.) This process continues until the RREQ message
reaches the destination node or an intermediate node that has a fresh enough route.
Every node has its own sequence number and RREQ ID. AODV uses sequence numbers
to guarantee that all routes are loop-free and contain the most recent routing information.
RREQ ID in conjunction with source IP address uniquely identifies a particular RREQ
message. The destination node or an intermediate node only accepts the first copy of a
RREQ message, and drops the duplicated copies of the same RREQ message.
Each node that forwards the ROUTE REQUEST creates a reverse route for itself back to
node S; after accepting a RREQ message, the destination or intermediate node updates its
reverse route to the source node using the neighbor from which it received the RREQ
message. The reverse route will be used to send the corresponding Route Reply (RREP)
message back to the source node. When the ROUTE REQUEST reaches a node with a route to
D, that node generates a ROUTE REPLY that contains the number of hops necessary to
reach D and the sequence number for D most recently seen by the node generating the
REPLY. Meanwhile, it updates the sequence number of the source node in its routing table
to the maximum of the one in its routing table and the one in the RREQ message. When the
source or an intermediate node receives a RREP message, it updates its forward route to
the destination node using the neighbor from which it receives the RREP message. It also
updates the sequence number of the destination node in its routing table to the maximum of
the one in its routing table and the one in the RREP message. A Route Reply
Acknowledgement (RREP-ACK) message is used to acknowledge receipt of a RREP
message. The state created in each node along the path from S to D is hop-by-hop state;
that is, each node remembers only the next hop and not the entire route, as would be done
in source routing.
In order to maintain routes, AODV normally requires that each node periodically transmit a
HELLO message, with a default rate of once per second. Failure to receive three
consecutive HELLO messages from a neighbor is taken as an indication that the link to the
neighbor in question is down. Alternatively, the AODV specification briefly suggests that a
node may use physical layer or link layer methods to detect link breakages to nodes that it
considers neighbors. When a link goes down, any upstream node that has recently
forwarded packets to a destination using that link is notified via an UNSOLICITED
ROUTE REPLY containing an infinite metric for that destination. Upon receipt of such a
ROUTE REPLY, a node must acquire a new route to the destination using Route Discovery
as described above.
Route maintenance is done with Route Error (RERR) messages. If a node detects a link
break in an active route, it sends out a RERR message to its upstream neighbors that use it
as the next hop in the broken route. When a node receives a RERR message from its
neighbor, it further forwards the RERR message to its upstream neighbors.
AODV is a stateless protocol; the source node or an intermediate node updates its routing
table if it receives a RREP message, regardless of whether it has sent or forwarded a
corresponding RREQ message before. If it cannot find the next hop in the reverse routing
table, it simply drops the RREP message. Otherwise, it unicasts the RREP message to the
next hop in the reverse route.
In general, a node may update the sequence numbers in its routing table whenever it
receives RREQ, RREP, RERR, or RREP-ACK messages from its neighbors.
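The AODV rules described in this section (RREQ ID duplicate suppression, the "fresh enough" test, reverse-route creation, RREP forwarding over the reverse routes, the max() rule for sequence numbers and RERR propagation upstream) fit into a short simulation. It is an added example for this chapter, not the AODV reference implementation: the topology is constructed, links are symmetric, a queue stands in for radio broadcast, and the destination is simplified to increment its own sequence number every time it answers a RREQ.

```python
from collections import deque

# Constructed topology: two node-disjoint paths from S to D. Links are assumed symmetric.
LINKS = {
    "S": {"A", "B"},
    "A": {"S", "C"},
    "B": {"S", "C"},
    "C": {"A", "B", "D"},
    "D": {"C"},
}


class AodvNode:
    def __init__(self, name):
        self.name = name
        self.seq = 0            # this node's own destination sequence number
        self.rreq_id = 0        # incremented for every RREQ this node originates
        self.table = {}         # dest -> {"next_hop", "hops", "seq", "valid"}
        self.seen_rreq = set()  # (originator, RREQ ID): later copies are dropped

    def fresh_enough(self, dest, wanted_seq):
        """A valid entry whose sequence number is at least the one the RREQ asks for."""
        r = self.table.get(dest)
        return r is not None and r["valid"] and r["seq"] >= wanted_seq

    def update_route(self, dest, next_hop, hops, seq):
        """Adopt the advertised route if it is newer, or as new and shorter, or it
        replaces an invalid entry; the stored sequence number only ever increases."""
        r = self.table.get(dest)
        if (r is None or not r["valid"] or seq > r["seq"]
                or (seq == r["seq"] and hops < r["hops"])):
            best_seq = seq if r is None else max(seq, r["seq"])
            self.table[dest] = {"next_hop": next_hop, "hops": hops,
                                "seq": best_seq, "valid": True}
        else:
            r["seq"] = max(r["seq"], seq)


class AodvNetwork:
    def __init__(self, links):
        self.links = {n: set(peers) for n, peers in links.items()}
        self.nodes = {n: AodvNode(n) for n in links}
        self.control = 0  # RREQ, RREP and RERR transmissions

    def discover(self, src, dest):
        """Flood a RREQ from src; the destination, or an intermediate node with a
        fresh enough route, answers with a RREP unicast over the reverse routes."""
        s = self.nodes[src]
        s.rreq_id += 1
        wanted = s.table[dest]["seq"] if dest in s.table else 0  # last known seq for dest
        queue = deque([(src, None, 0)])  # (receiver, previous hop, hop count)
        while queue:
            node, prev, hops = queue.popleft()
            n = self.nodes[node]
            if (src, s.rreq_id) in n.seen_rreq:
                continue  # same (originator, RREQ ID): duplicate copy dropped
            n.seen_rreq.add((src, s.rreq_id))
            self.control += 1
            if prev is not None:
                n.update_route(src, prev, hops, s.seq)  # reverse route back towards S
            if node == dest:
                n.seq += 1  # simplification: the destination bumps its seq before replying
                return self._reply(node, src, dest, n.seq, 0)
            if node != src and n.fresh_enough(dest, wanted):
                r = n.table[dest]
                return self._reply(node, src, dest, r["seq"], r["hops"])
            for nb in sorted(self.links[node]):
                queue.append((nb, node, hops + 1))
        return False

    def _reply(self, replier, src, dest, dest_seq, hops):
        """RREP travels hop by hop over the reverse routes; each receiver installs
        a forward route to dest via the neighbour it heard the RREP from."""
        node = replier
        while node != src:
            rev = self.nodes[node].table.get(src)
            if rev is None or not rev["valid"]:
                return False  # no reverse route: the RREP is simply dropped
            self.control += 1
            hops += 1
            self.nodes[rev["next_hop"]].update_route(dest, node, hops, dest_seq)
            node = rev["next_hop"]
        return True

    def break_link(self, a, b):
        """Link failure (e.g. three missed HELLOs): invalidate routes over it, send RERRs upstream."""
        self.links[a].discard(b)
        self.links[b].discard(a)
        for node, lost in ((a, b), (b, a)):
            for dest, r in self.nodes[node].table.items():
                if r["valid"] and r["next_hop"] == lost:
                    self._rerr(node, dest)

    def _rerr(self, node, dest):
        self.nodes[node].table[dest]["valid"] = False
        self.control += 1
        for nb in sorted(self.links[node]):
            r = self.nodes[nb].table.get(dest)
            if r is not None and r["valid"] and r["next_hop"] == node:
                self._rerr(nb, dest)  # upstream neighbour forwards the RERR further

    def send(self, src, dest):
        """Hop-by-hop path a data packet takes, after discovery if no valid route exists."""
        if not self.nodes[src].fresh_enough(dest, 0) and not self.discover(src, dest):
            return None
        path = [src]
        while path[-1] != dest:
            r = self.nodes[path[-1]].table.get(dest)
            if r is None or not r["valid"]:
                return None
            path.append(r["next_hop"])
        return path
```

The first send("S", "D") is answered by D itself and installs hop-by-hop state S->A->C->D. Breaking A-C produces RERRs that invalidate S's and A's entries for D (and C's and D's reverse entries for S). The second discovery carries the last known sequence number 1 for D, so C, whose own entry for D still satisfies the fresh enough test, replies on D's behalf and D's sequence number stays at 1; the new path runs through B.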
1.5 Threats and Attacks
The different threats and attacks [34] can be categorized by the areas they target. The first
consideration is the level of the attack, which can be perceptual, where human perception
is targeted using the media as a bearer. This may take the form of broadcasting false
information or merely observing social behavior in order to alter decision processes.
Secondly, attacks can target the information itself; here interception and eavesdropping
are the first that come to mind. More active attacks of this kind include the injection of
false messages into networks. Denial or degradation of network services is also a form
of active attack at the information level. Application-level attacks such as Trojan horses,
viruses and the like are included in this category as well.
Physical attacks form the third category. Passive attacks in this category include
radiation interception and inductive wiretapping. More hands-on attacks include theft of
equipment, cryptographic or physical keys, and storage media. Other kinds of attacks
range from social engineering to destruction using explosives or other physical
force [3].
1.5.1 Wireless Network Attacks
In contrast to network equipment in wired networks, which is usually kept behind locked
doors, Ad Hoc network equipment is usually carried around in the form of small
battery-powered devices or placed inside mobile units such as cars. This makes it even
more attractive to attackers, since it is often easier to get to and also easier to carry
away from the crime scene. Another point is that it can be quite hard to intercept wired
media without being noticed, both because the media themselves may be hard to get to and
because intercepting cables often requires cutting them for a while. In the wireless medium it
is as easy as putting up an antenna, usually small enough not to be noticed [11,6].
Also, since many users of Ad Hoc networks will be using them in public places, the threat
of unintentionally revealing secrets is large. This can take the form of a conversation
being held so that someone can overhear secret information, or of shoulder surfing, that is,
someone reading the computer screen or keyboard from behind while passwords or the like
are being entered. The fallibility of human memory can also help the attacker. It is
not uncommon for individuals to write down passwords and user details on post-it notes and
later throw them away in garbage cans. Retrieving this kind of information
can help attackers guess the correct passwords to system resources. This kind of attack
has become commonly known as dumpster diving [3].
1.5.2 Attacks on Ad Hoc Networks
In addition to often being wireless, the structure of an Ad Hoc network, or lack thereof,
leads to some special kinds of attacks, especially attacks on the connectedness of the
network, which means attacks on the routing protocol. In this section some of these attacks
will be addressed.
Routing Loop
By sending forged routing packets, an attacker can create a routing loop [35,6,10]. This will
result in data packets being sent around in circles, consuming both bandwidth and power at a
number of nodes. The packets will not reach their intended recipient and thus this can be
considered a sort of denial-of-service attack.
Black Hole
The setup for the black hole attack [35,6,10] is similar to that of the routing loop attack: the
attacker sends out forged routing packets. It can set up a route to some destination via
itself, and when the actual data packets get there they are simply dropped, forming a black
hole where data enters but never leaves.
Another possibility is for the attacker to forge routes pointing into an area where the
destination node is not located. Everything will be routed into this area but nothing will
leave, also creating a sort of black hole.
Grey Hole
A special case of the black hole attack is the grey hole attack [35,6,10]. In this attack the
adversary selectively drops some kinds of packets but not others. For example, the attacker
might forward routing packets but not data packets.
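Because a grey hole forwards routing traffic normally, it is invisible to the routing protocol itself; it only shows up by comparing what a neighbour was asked to forward with what it actually retransmits. The watchdog below is an added example for this chapter and not a mechanism the thesis describes: it assumes the observing node can overhear its neighbours' retransmissions (promiscuous listening), that per-neighbour counters are collected in the key=value log format constructed here, and that the sample thresholds (at least 5 data packets observed, 50% forwarding ratio) are illustrative. It distinguishes the grey hole (control forwarded, data dropped) from the black hole (everything dropped) that the two preceding subsections describe.

```python
from collections import defaultdict

CONTROL_TYPES = {"RREQ", "RREP", "RERR"}

# Constructed observation log (not real traffic): for each neighbour and packet
# type, how many packets this node handed to the neighbour for forwarding and
# how many it later overheard the neighbour retransmit.
LOG = """\
t=10 neighbor=B type=RREQ handed=6 overheard=6
t=10 neighbor=B type=DATA handed=40 overheard=38
t=10 neighbor=M type=RREQ handed=6 overheard=6
t=10 neighbor=M type=DATA handed=40 overheard=3
t=10 neighbor=X type=RREQ handed=6 overheard=0
t=10 neighbor=X type=DATA handed=40 overheard=0
t=10 neighbor=N type=DATA handed=2 overheard=0
"""


def parse_log(text):
    """Parse key=value lines into records with integer counters."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(item.split("=", 1) for item in line.split())
        records.append({
            "neighbor": fields["neighbor"],
            "type": fields["type"],
            "handed": int(fields["handed"]),
            "overheard": int(fields["overheard"]),
        })
    return records


def summarize(records):
    """Per neighbour: [handed, overheard] totals for control and for data packets."""
    stats = defaultdict(lambda: {"control": [0, 0], "data": [0, 0]})
    for r in records:
        kind = "control" if r["type"] in CONTROL_TYPES else "data"
        stats[r["neighbor"]][kind][0] += r["handed"]
        stats[r["neighbor"]][kind][1] += r["overheard"]
    return dict(stats)


def forwarding_ratio(counts):
    """Fraction of handed packets that were overheard being forwarded (None if nothing handed)."""
    handed, overheard = counts
    return overheard / handed if handed else None


def classify(stats, min_samples=5, threshold=0.5):
    """Verdict per neighbour. A grey hole forwards routing traffic but drops data; a
    black hole drops both. Too few data samples give no verdict, to limit false accusations."""
    verdicts = {}
    for nb, s in stats.items():
        if s["data"][0] < min_samples:
            verdicts[nb] = "insufficient data"
            continue
        data_ratio = forwarding_ratio(s["data"])
        control_ratio = forwarding_ratio(s["control"])
        if data_ratio >= threshold:
            verdicts[nb] = "ok"
        elif control_ratio is None or control_ratio >= threshold:
            verdicts[nb] = "suspected grey hole"
        else:
            verdicts[nb] = "suspected black hole"
    return verdicts


def watchdog(text):
    return classify(summarize(parse_log(text)))
```

On the constructed log, B is honest, M forwards every RREQ but almost no data (grey hole), X forwards nothing (black hole), and N has been handed too few packets to judge. A verdict of this kind is only local evidence from one observer: since lost packets can also be due to collisions or mobility, and since blacklists built from such reports are themselves a target (see the blackmail attack below), a node should require corroboration before excluding a neighbour from its routes.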
Partitioning
Another kind of attack is for the attacker to create a network partition, in which some nodes
are split off so that they cannot communicate with another set of nodes. By analysing the
network topology the attacker can choose to make the partition between the set of nodes
that does the most harm to the system.
This attack can be accomplished in many ways, both by forging routing packets, as
in the previous attacks, and by using some physical attack such as radio jamming.
Blackmail
Some Ad Hoc routing protocols try to handle the security problems by keeping lists of
possibly malicious nodes. Each node has a blacklist of what it thinks are bad nodes and
thereby avoids using them when setting up routing paths. An attacker might try to
blackmail a good node, causing other good nodes to add this node to their blacklists and so
avoid it.
Wormhole
In the wormhole attack an attacker uses a pair of nodes connected in some way. This can be a
special private connection, or the packets may be tunnelled over the Ad Hoc network. Every
packet that one of the nodes sees is forwarded to the other node, which in turn broadcasts
it out. This might create short circuits for the actual routing in the Ad Hoc network and
thereby create routing problems.
Also, all the data can be selectively forwarded or not using this attack, thereby controlling
the Ad Hoc network to a large extent. This kind of attack together with a partitioning attack
can gain almost complete control over the network traffic.
Rushing Attack
Many reactive routing protocols keep a sequence number for duplicate suppression at
every node. An attacker can distribute a large number of route requests with increasing
sequence numbers, forged to appear to be from other nodes. This way, when the actual route
request is sent out, many nodes suppress it as a duplicate and thereby disrupt the actual
route discovery.
Resource Consumption
By injecting extra data packets into the Ad Hoc network limited resources such as
bandwidth and maybe battery power are consumed for no reason. Even more resources
might be consumed by injecting extra control packets since these might lead to additional
computation. Also, the other nodes might forward control information as it comes in
resulting in even more resource consumption [4].
For devices that try to conserve battery power by only occasionally enabling their
communication device, a malicious attacker might communicate in an ordinary way but
with the sole intent of draining battery power. Stajano and Anderson call this resource
consumption attack sleep deprivation torture [5].
Dropping Routing Traffic
It is essential in the Ad Hoc network that all nodes participate in the routing process.
However, a node may act selfishly and process only routing information that is related to
itself in order to conserve energy. This behaviour/attack can create network instability or
even segment the network.
Location disclosure
A location disclosure attack can reveal information related to the location of a node or the
topology and structure of the network. The information gained might reveal which other
nodes are adjacent to the target or the physical location of a participating node. The attack
can be implemented by using a command similar to traceroute that exists in Unix-like
systems or with the use of the time-to-live attribute of the routing packet and the addresses
of the devices by sending ICMP error messages. In the end, the attacker knows which
nodes are situated on the route to the target node. If the locations of some of the
intermediary nodes are known, one can gain information about the location of the
destination node as well.
routing packets, causing erroneous routing table updates and thus misrouting. Some other
security vulnerabilities of ad-hoc networks are:
Limited computational capabilities: Typically, nodes in ad-hoc networks are modular,
independent, and limited in computational capability, and therefore may become a source of
vulnerability when they handle public-key cryptography during normal operation.
Limited power supply: Since nodes normally use batteries as their power supply, an intruder
can exhaust batteries by causing additional transmissions or excessive computations to be
carried out by nodes.
Challenging key management: The dynamic topology and movement of nodes in an Ad Hoc
network make key management difficult if cryptography is used in the routing protocol.
1.8 Securing the MANETs
The provision of security services in the MANETs context faces a set of challenges specific
to this new technology. The insecurity of the wireless links, energy constraints, relatively
poor physical protection of nodes in a hostile environment, and the vulnerability of
statically configured security schemes are definitely such challenges. However, the single
most important feature that differentiates MANETs is the absence of a fixed infrastructure.
No part of the network is dedicated to supporting any specific network functionality,
with routing (topology discovery, data forwarding) being the most prominent example.
Additional examples of functions that cannot rely on a central service, and which are also
of high relevance to this work, are naming services, certification authorities (CA),
directory and other administrative services.
Even if such services were assumed, their availability would not be guaranteed, either due
to the dynamically changing topology that could easily result in a partitioned network or
due to congested links close to the node acting as a server. Furthermore, performance
issues such as delay constraints on acquiring responses from the assumed infrastructure
would pose an additional challenge.
The absence of infrastructure and the consequent absence of authorization facilities impede
the usual practice of establishing a line of defense, separating nodes into trusted and non-
trusted. Such a distinction would have been based on a security policy, the possession of
the necessary credentials and the ability for nodes to validate them. In the MANETs
context, there may be no ground for an a priori classification since all nodes are required
to cooperate in supporting the network operation, while no prior security association can be
assumed for all the network nodes. Additionally, in MANETs freely roaming nodes form
transient associations with their neighbors, and join and leave MANET sub-domains
independently and without notice. Thus, it may be difficult in most cases to have a clear
picture of the Ad Hoc network membership. Consequently, especially in the case of a
large network, no form of established trust relationship among the majority of nodes
can be assumed.
In such an environment, there is no guarantee that a path between two nodes would be free
of malicious nodes, which would not comply with the employed protocol and would attempt to
harm the network operation. The mechanisms currently incorporated in MANET routing
protocols cannot cope with disruptions due to malicious behavior. For example, any node
could claim that it is one hop away from the sought destination, causing all routes to the
disrupt network activity and avoid detection. Malicious nodes may behave maliciously only
intermittently, further complicating their detection. A node that sends out false routing
information could be one that has been compromised, or merely one that has a
temporarily stale routing table due to volatile physical conditions. Dynamic topologies
make it difficult to obtain a global view of the network, and any approximation can quickly
become outdated. Traffic monitoring in wired networks is usually performed at switches,
routers and gateways, but an Ad Hoc network does not have these types of network
elements where the IDS can collect audit data for the entire network. Network traffic can
be monitored on a wired network segment, but Ad Hoc nodes or sensors can only monitor
network traffic within their observable radio transmission range. NIST is working with the
University of Maryland Baltimore County (UMBC) to simulate, implement, and test
various MANET IDSs.
1.10 Motivation of Research
Mobile Ad Hoc networks (MANETs) are vulnerable due to their fundamental characteristics,
such as open medium, dynamic topology, distributed operation and constrained capability.
AODV is an important on-demand routing protocol. Security is a central requirement for
mobile Ad Hoc networks. That security and robustness will impact the design of the standard
for Ad Hoc networks is the main motivation for this thesis.
1.11 Problem Statement
An intrusion detection system aimed at securing the AODV protocol has been studied by
Stamouli et al. [10] using a specification-based technique. They conclude that AODV
performs well at all mobility rates and movement speeds. However, we argue that their
definition of mobility (pause time) does not truly represent the dynamic topology of
MANETs. In this thesis, the work of Stamouli et al. [10] has been extended, and the proposed
protocol is called IDAODV (Intrusion Detection AODV).
In our work, we make use of knowledge-based intrusion detection. Our Intrusion Detection
and Response Protocol for MANETs has been demonstrated to perform better than that
proposed in [10] in terms of false positives and percentage of packets delivered. Since the
earlier work by Stamouli et al. [10] does not report the true positive rate, i.e. the detection
rate, we could not compare our results against their method on that parameter.
The implementation of the IDAODV protocol reported in this thesis has been shown to work in
real-life scenarios. IDAODV performs real-time detection of attacks in MANETs running the
AODV routing protocol. The prototype has also given some insight into the problems that
arise when trying to run real applications on an Ad Hoc network.
Experimental results validate the ability of our protocol to successfully detect both local
and distributed attacks against the AODV routing protocol, with a low number of false
positives. The algorithm also imposes a very small overhead on the nodes, which is an
important factor for the resource constrained nodes.
1.12 Organization of the Thesis
Chapter 1 provides an overview of Mobile Ad Hoc Networks (MANETs), the application
push and the technology pull, and the different technological issues involved in the design
of MANETs, and also discusses some popular routing protocols along with their security
models. The motivation and problem statement are defined in this chapter. Chapter 2 discusses
the specific problem of Intrusion Detection in MANETs and reviews the methods proposed in
the literature.
We make two contributions in this thesis. The first is detection of intrusion in the form of
attacks on the routing infrastructure: dropping of packets and sequence number attacks. This
is described and analyzed in Chapter 3. The second type of attack is the resource depletion
attack, which is described and analyzed in Chapter 4. Conclusions are drawn in Chapter 5
along with a discussion of possible future extensions.
Appendix A contains the terminology, Appendix B contains the AODV implementation
for NS-2 and Appendix C contains pseudo code.
1.13 Chapter Summary
Wireless Ad Hoc networks are becoming an increasingly common platform for bringing
computation to environments with minimal infrastructure. With an increasing number of
office, home and personal devices being equipped with computation and wireless
communication capabilities, the formation of networks on an as-required basis offers
attractive application domains.
The very advantage of Ad Hoc networks, the elimination of fixed, rigid infrastructure,
introduces complexities in routing and also raises serious concerns about security issues in
MANETs. However, the flexibility offered by MANETs promises that these networks are
here to stay. The security of such networks has become an important topic of research, and
this has formed the basis of the work reported in this thesis.
2 Intrusion Detection in MANETs
The success of MANETs-based applications depends on many factors, trustworthiness
being one of the primary challenges to be met. Despite the existence of well-known
security mechanisms, additional vulnerabilities and features pertinent to this new
networking paradigm might render such traditional solutions inapplicable. The absence of a
central authorization facility in an open and distributed communication environment is a
major challenge, especially due to the need for cooperative network operation. In
particular, in MANETs, any node may compromise the routing protocol functionality by
disrupting the route discovery process.
Wireless Ad Hoc networks are vulnerable to various attacks. These include passive
eavesdropping, active interfering, impersonation, and denial of service. Intrusion
prevention measures, such as strong authentication and redundant transmission, can be used
to address some of these attacks. However, these techniques can address only a subset of
the threats and, moreover, are costly to implement.
The dynamic nature of Ad Hoc networks suggests that prevention techniques should be
complemented by detection techniques that monitor the security status of the network and
identify anomalous and/or malicious behavior. These techniques are usually less expensive
to implement and can be easily deployed in existing Ad Hoc networks without requiring
modifications to the nodes' configuration or the routing protocols being used.
2.1 Intrusion Detection
Intrusion is defined as a sequence of related actions performed by a malicious adversary
that results in the compromise of a target system. It is assumed that the actions of the
intruder violate a given security policy. The existence of a security policy that states which
actions are considered malicious and should be prevented is a key requisite for an intrusion
detection system to work.
Intrusion detection is the process of identifying and responding to malicious activities
targeted at computing and network resources. This identification introduces the notion of
intrusion detection as a process, which involves technology, people and tools. Intrusion
detection is an approach that is complementary to mainstream approaches to
security such as access control and cryptography.
2.2 Motivation
Adoption of an intrusion detection system is motivated by several factors, some of which are
listed below:
1. Surveys have shown that most computers are flawed by vulnerabilities, regardless
of manufacturer or purpose, that the number of security incidents is continuously
increasing, and that users and administrators are generally very slow in applying
fixes to vulnerable systems. As a consequence, many experts believe that computer
systems will never be absolutely secure.
2. Deployed security mechanisms, e.g. authentication and access control, may be
disabled as a consequence of misconfiguration or malicious actions.
from different sources at a small number of dedicated hosts. As networks grow bigger and
get faster, such nodes become overwhelmed by the increasing number of events.
2.3 Approaches to Intrusion Detection
Intrusion detection techniques [16, 17] have traditionally been classified into two
paradigms: anomaly detection, also known as behavior-based intrusion detection,
and misuse detection, also called knowledge-based intrusion detection.
In anomaly or behavior-based detection techniques, historical data about a system's activity
and specifications of the intended behavior of users and applications are used to build a
profile of the normal operation of the system. The detection process then attempts to
identify patterns of activity that deviate from the defined profile; anything that does not
correspond to a previously learned behavior is considered anomalous and suggests an
intrusion attempt.
Misuse or knowledge-based detection techniques take a complementary approach. Misuse
detection tools are equipped with a number of attack descriptions (or signatures) that are
matched against the stream of audit data to identify evidence of the occurrence of the
modeled attacks. These IDSs accumulate knowledge about attacks, examine traffic and try to
identify patterns indicating that a suspicious activity may be occurring.
Misuse and anomaly detection both have advantages and disadvantages. Misuse detection
can perform focused analysis of the audit data and usually produces very few false
positives. However, it can detect only those attacks that have been modeled and possibly
variations on those attacks. This means that this approach can be applied against known
attack patterns only, and the knowledge base must be updated frequently.
Anomaly detection has the advantage of being able to detect attempts to exploit new and
unforeseen vulnerabilities without a priori knowledge of explicit security flaws. This
advantage is paid for in terms of the large number of false positives generated: the entire
scope of system behavior may not be covered during the learning phase, and legitimate
behavior may also change over time. It also comes with the difficulty of training a system
with respect to a highly dynamic environment; obviously a finite training period is also
needed. The assumption that the system in question is free of anomalies during the training
period may also not always be true.
2.4 Intrusion Detection for MANETs
As discussed earlier, Mobile Ad Hoc Networks are fundamentally different from their
wired-side counterparts or even the infrastructure-based networks. The nature of MANETs
not only introduces new security concerns but also exacerbates the problem of detecting
and preventing anomalous behavior. While in a wired network or in an infrastructure-based
wireless network an intruder could be a host that is either inside or outside the network and
could be subjected to varying degrees of access control and authentication, in a MANET
an intruder is a part of the network infrastructure. Moreover, at the outset, an intruder in a
MANET could be a trusted and integral component of the network infrastructure and only
later exhibit aberrant behavior.
2.5 IDS Techniques for MANETs proposed in the literature
Intrusion Detection that addresses secure routing, arguably the most important issue in
MANETs, has interested many researchers. Numerous techniques for ID have been
proposed in the literature, in both the categories of anomaly detection and misuse detection.
In this section we discuss some of these techniques.
2.5.1 Watchdog and Pathrater
Watchdog [18] was the first snooping intrusion detection protocol for MANETs. Watchdog
relies upon DSR. Each node participates by watching its downstream node on the route
from source to destination to ensure that it has retransmitted the packet without
modification. The authors hold that if source routing is not used, then a misbehaving node
could simply broadcast to a non-existent node to fool the watchdog. To mitigate the effects
of a misbehaving node, the authors also introduce Pathrater, which selects a path from
source to destination based on a reliability metric instead of the shortest path. This
approach relieves the malicious node of the requirement to participate in the routing
process, which may be construed as a reward.
2.5.2 Security Enhancements in AODV
Bhargava et al. [19] propose a solution to attacks that are caused by a node internal
to the Ad Hoc network where the underlying routing protocol is AODV. The intrusion
detection system is composed of the Intrusion Detection Model (IDM) and the Intrusion
Response Model (IRM). The Intrusion Detection Model claims to capture the following
attacks:
o Distributed False Route Requests
o Denial of Service
o Destination is compromised
o Impersonation
o Routing Information Disclosure
The Intrusion Response Model is a counter that is incremented whenever a malicious act is
encountered. When the value reaches a predefined threshold, the malicious node is isolated.
The authors have provided statistics for the accuracy of the model.
2.5.3 Intrusion Detection in Wireless Ad Hoc Networks
In this scheme, Zhang et al. [20] propose an intrusion detection technique for wireless Ad
Hoc networks that uses cooperative statistical anomaly detection techniques. Each
intrusion detection agent runs independently and detects intrusions from local traces. Only
one-hop information is maintained at each node for each route. If local evidence is
inconclusive, the neighboring IDS agents cooperate to perform global intrusion detection.
The authors utilize a misuse detection technique to reduce the number of false positives.
This method leverages information about the physical location of the nodes. Therefore, the
nodes need to have an IDS running and a built-in GPS device.
The approach to intrusion detection presented by the authors does not require each node to
possess location detection capabilities. However, dependence on location information may
not always be desirable for all the applications.
2.5.4 Real-time Intrusion Detection for Ad hoc Networks (RIDAN)
The RIDAN system [10] is a novel architecture that uses knowledge-based intrusion
detection techniques to detect active attacks that an adversary can perform against the
routing fabric of mobile Ad Hoc networks. Moreover, the system is designed to take
countermeasures to minimize the effectiveness of an attack and keep the performance of
the network within acceptable limits.
The novelty of the system lies in the usage of timed finite state machines that enable the
real-time detection of active attacks; the detection process relies on a state-based misuse
detection system. In this case, every node needs to run the IDS agent.
It is not clear in this system how an attack that requires more than one-hop information gets
detected.
2.5.5 A Specification-based Intrusion Detection System for AODV
The work in [21] proposes a solution based on specification-based intrusion detection to
detect attacks on AODV. The approach involves the use of finite state machines for
specifying correct AODV routing behavior and distributed network monitors for detecting
run-time violations of the specifications. An additional field in the protocol message is
proposed to enable the monitoring.
2.5.6 Secure Efficient Ad hoc Distance Vector (SEAD)
SEAD [22] is a proactive routing protocol based on the design of DSDV. The work focuses
on protecting routing updates, both periodic and triggered, by preventing an attacker from
forging better metrics or sequence numbers in such update packets.
Besides the fields common with DSDV such as destination, metric, next hop and sequence
number, SEAD routing tables maintain a hash value for each entry. The use of one-way
hash chains using a one-way hash function H is the key feature of the proposed security
protocol.
Each node computes a list of hash values $h_0, h_1, \ldots, h_n$, where $h_i = H(h_{i-1})$,
$0 < i \le n$, based on an initial random value $h_0$. The paper assumes the existence of a
mechanism for distributing $h_n$ to all the intended receivers. If a node knows $H$ and a
trusted value $h_n$, then it can authenticate any other value $h_i$, $0 < i \le n$, by
successively applying the hash function $H$ and then comparing the result with $h_n$.
To authenticate a route update, a node adds a hash value to each routing table entry. For a
metric $j$ and a sequence number $i$, the hash value $h_{n - mi + j}$ is used to authenticate
the routing update entry for that sequence number, where $m - 1$ is the maximum network
diameter. Since an attacker cannot compute a hash value with a smaller index than the
advertised value, he is not able to advertise a route to the same destination with a greater
sequence number or with a better metric.
SEAD provides a robust protocol against attackers trying to create incorrect routing state in
other nodes by modifying the sequence number or the routing metric. SEAD does not
provide a way to prevent an attacker from tampering with the next hop or destination field
in a routing update. Also, it cannot prevent an attacker from using the same metric and
sequence number learnt from some recent update message to send a new routing update for
a different destination.
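The hash chain mechanism described above, worked through in code. This is an added example written for this page, not SEAD's or the thesis's implementation; it assumes SHA-256 for H, a chain of n = 40 elements and m = 5 (a maximum network diameter of 4), and the function names build_chain, authenticate and entry_index are constructed.

```python
"""SEAD-style one-way hash chain authentication (added example, not SEAD's or the
thesis's code).  Assumed: H is SHA-256, the chain has n = 40 elements and
m = 5, i.e. a maximum network diameter of m - 1 = 4 hops."""
import hashlib
import os
from typing import List, Tuple


def H(x: bytes) -> bytes:
    """The one-way hash function of the scheme (assumed: SHA-256)."""
    return hashlib.sha256(x).digest()


def build_chain(h0: bytes, n: int) -> List[bytes]:
    """Return [h0, h1, ..., hn] with h_i = H(h_{i-1}); only the owner holds this list."""
    chain = [h0]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


def authenticate(trusted_hn: bytes, n: int, value: bytes, index: int) -> bool:
    """A receiver that trusts h_n verifies a claimed h_index by hashing it n - index times."""
    if not 0 <= index <= n:
        return False
    h = value
    for _ in range(n - index):
        h = H(h)
    return h == trusted_hn


def entry_index(n: int, m: int, seq: int, metric: int) -> int:
    """Chain index n - m*seq + metric that authenticates a routing entry with the
    given sequence number and metric.  A larger sequence number or a smaller metric
    maps to a smaller index, which only the chain owner can produce."""
    if not 0 <= metric < m:
        raise ValueError("metric must be in 0 .. m-1 (m-1 is the maximum diameter)")
    idx = n - m * seq + metric
    if idx < 0:
        raise ValueError("sequence number too large for this chain")
    return idx


def demo(n: int = 40, m: int = 5) -> Tuple[bool, bool, bool]:
    """Owner advertises (seq=3, metric=2); a node that only saw that update tries
    to re-advertise a worse route (allowed) and a better one (rejected)."""
    chain = build_chain(os.urandom(32), n)
    hn = chain[n]                        # distributed to receivers by an assumed mechanism

    k = entry_index(n, m, seq=3, metric=2)
    genuine_ok = authenticate(hn, n, chain[k], k)

    # Hashing once yields h_{k+1}: the same sequence number with metric 3, one hop
    # worse, which is exactly what an honest forwarding node needs to advertise.
    worse_ok = authenticate(hn, n, H(chain[k]), entry_index(n, m, 3, 3))

    # The index for (seq=3, metric=1) is k - 1; without the owner's chain the only
    # thing a node can present is a guess, which fails verification.
    better_ok = authenticate(hn, n, os.urandom(32), entry_index(n, m, 3, 1))
    return genuine_ok, worse_ok, better_ok
```

A receiver also remembers the index of the hash value it last accepted for a destination and only accepts a smaller one, so an old $h_k$ replayed later authenticates nothing fresher than the route already seen; the next hop and destination fields stay unprotected, as noted above.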
In the literature survey, we discussed different types of approaches to Intrusion Detection
in MANETs. Each of the approaches works best for a given type of attack, in a particular
scenario. Most of the approaches work well for intrusion detection one hop away. There are
not many distributed solutions addressing intrusion detection more than one hop away.
In the next chapter, we discuss our approach to the problem of intrusion detection in
MANETs with respect to the sequence number modification attack and the packet dropping
attack.
3 Intrusion Detection AODV (IDAODV)
In this chapter we propose and discuss IDAODV, an intrusion detection mechanism for
wireless mobile Ad Hoc networks.
IDAODV is based on the State Transition Analysis Technique, which was initially developed
to model host-based and network-based intrusions in a wired network environment.
Of all the routing protocols proposed for MANETs, AODV has been very popular and has
become an Internet standard. This has also been the reason for AODV becoming more and
more vulnerable to attacks. The AODV routing protocol was described in Chapter 2. Our
IDS has been designed on top of this protocol.
3.1 Problem Statement/ AODV Routing Attacks
AODV presents many opportunities to attackers. We first identify a number of misuse
goals that an inside attacker may want to achieve [32]. The misuse goals can be one or
more of the following:
o Route Disruption: Route disruption means either breaking down an existing route or
preventing a new route from being established.
o Route Invasion: Route invasion means that an inside attacker adds itself into a route
between two endpoints of a communication channel.
o Node Isolation: Node isolation refers to preventing a given node from communicating
with any other node in the network. It differs from route disruption in that route
disruption targets a route with two given endpoints, while node isolation targets
all possible routes.
o Resource Consumption: Resource consumption refers to consuming the
communication bandwidth in the network or storage space at individual nodes. For
example, an inside attacker may consume the network bandwidth by forming a
loop in the network.
o Denial of Service
To achieve these goals, the following misuse actions or attacks may be performed:
3.1.1 Packet Dropping Attack
In a packet dropping attack, the attacker simply drops the received routing message. Packet
dropping is detected by checking whether a neighbor forwards packets towards the final
destination. To be able to do this, it is necessary to maintain a neighbor table.
This attack can be divided into various subcategories as follows:
If an attacker applies such an attack to all the RREQ messages it receives, this kind of misuse
is equivalent to not having the attacking node in the network. An inside attacker may also
selectively drop RREQ messages. Attackers that launch such misuses are similar in nature
to selfish nodes.
If the attacker applies this attack to RREP messages, it can in some cases lead to route
disruption.
The attack can also be applied to data packets, where an inside attacker prevents a victim
node from receiving data packets from other nodes for a short period of time. The attacker
may make the following modifications after it receives a RREQ message from the victim
node: (1) Increase the RREQ ID by a small number; (2) Replace the destination IP address
with a non-existent IP address; (3) Increase the source sequence number by at least one; (4)
Set the source IP address in IP header to a non-existent IP address. The attacker then
broadcasts the forged message. When the neighbors of the attacker receive the faked RREQ
message, they update the next hop to the source node to the non-existent node, since the
faked RREQ message will have a greater source sequence number. Due to the non-existent
destination IP address, the faked message can be broadcast to the farthest nodes in the ad-
hoc network. When other nodes want to send data packets to the source node, they will use
the routes established by the faked RREQ message, and the data packets will be dropped
due to the non-existent node. This attack, however, cannot fully isolate the victim node due
to local repair mechanisms in the AODV protocol. The other nodes will initiate another
round of route discovery if they note that the data packets cannot be delivered successfully.
In addition, the victim node may still be able to send data packets to other nodes.
Figure 3.1: Concept of Sequence Number Attack (nodes A, B, C and D with attacker M; RREQ broadcast)
Several of the atomic misuses of RREQ messages use RREQ messages to add entries to the
routing tables of other nodes. These entries are different from those established through the
normal exchange of RREQ and RREP messages. In particular, the lifetime of these entries
is set to a default value (e.g., 3 seconds as in our experiments). Thus, to make such entries
effective, an attacker needs to launch the atomic misuses periodically.
3.1.2 Sequence Number Attack
The sequence number indicates the freshness of the route to the associated node. If an attacker
sends out an AODV control packet with a forged, large sequence number for the victim
node, it will change the route to that victim node. The sequence number can be increased to
update other nodes' reverse route tables, or decreased to suppress the update. This can apply
to the Source Sequence Number or the Destination Sequence Number.
The RREQ ID along with the source IP address uniquely identifies a RREQ message; together
they indicate the freshness of a RREQ message. Since a node only accepts the first copy of a
RREQ message, an increased RREQ ID along with the source IP address can guarantee that
the faked RREQ message is accepted by other nodes.
The concept of the sequence number attack is highlighted in Figure 3.1.
3.1.3 Field Modification Attack
Although the sequence number attack is a subclass of this attack, we list it separately to
highlight its importance and its impact on proper routing.
The attacker can modify other fields in a RREQ or RREP message. Some of these are listed below.
RREQ Message Field Modifications
Field                    Modification
Type                     Change the message type.
RREQ ID                  Increase to make the faked RREQ message acceptable, or decrease to make the RREQ message unacceptable.
Hop Count                Decrease to update other nodes' reverse routing tables, or increase to invalidate the update.
Destination IP Address   Replace with another IP address.
Source IP Address        Replace with another IP address to change the reverse route.
Several fields have immediate security implications when modified.
To ensure loop freedom in AODV, after receiving a RREQ message, a node updates its
reverse routing table only if the source sequence number field in the RREQ message is
greater than that in its routing table, or the source sequence numbers are equal but the hop
count field in the RREQ message is smaller than that in the routing table. An inside
attacker may also change these fields to affect other nodes' routing tables.
An intermediate node or a source node updates its forward routing table if the destination
sequence number in the RREP message is greater than the one in its routing table, or the
destination sequence numbers are the same but the hop count in the RREP message plus
one is smaller than the one in its routing table. An inside attacker may increase the
sequence numbers or decrease the hop count in a faked RREQ message to update other
nodes' routing tables, or decrease the sequence numbers or increase the hop count to
invalidate a RREQ message.
The attacker can also forge an RREP message, as if it had a fresh enough route to the
destination node. By increasing the destination sequence number, the attacker may suppress
the legitimate RREP message.
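The two update rules stated above, as an added example in Python (written for this page, not the thesis's NS-2 code). Entry and message field names are constructed, the stored hop count is kept as received because that is what the text's comparison refers to, and the constructed traces show which messages the rules accept at a node, including a RREQ whose source sequence number has been forged as in Section 3.1.2.

```python
"""AODV routing-table update rules of Section 3.1.3 (added example written for this
page, not the thesis's NS-2 code).  Entry and message field names are constructed;
the two predicates implement exactly the conditions stated in the text."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RouteEntry:
    seq: int         # sequence number of the route's destination
    hop_count: int
    next_hop: str


def accept_reverse(current: Optional[RouteEntry], src_seq: int, hop_count: int) -> bool:
    """Reverse route to a RREQ source: update if the source sequence number is greater,
    or equal with a smaller hop count."""
    if current is None:
        return True
    return src_seq > current.seq or (src_seq == current.seq and hop_count < current.hop_count)


def accept_forward(current: Optional[RouteEntry], dst_seq: int, hop_count: int) -> bool:
    """Forward route from a RREP: update if the destination sequence number is greater,
    or equal and the RREP hop count plus one is smaller than the stored hop count."""
    if current is None:
        return True
    return dst_seq > current.seq or (dst_seq == current.seq and hop_count + 1 < current.hop_count)


class RoutingTable:
    def __init__(self) -> None:
        self.routes: Dict[str, RouteEntry] = {}

    def on_rreq(self, src: str, src_seq: int, hop_count: int, sender: str) -> bool:
        if accept_reverse(self.routes.get(src), src_seq, hop_count):
            self.routes[src] = RouteEntry(src_seq, hop_count, sender)  # stored as received
            return True
        return False

    def on_rrep(self, dst: str, dst_seq: int, hop_count: int, sender: str) -> bool:
        if accept_forward(self.routes.get(dst), dst_seq, hop_count):
            self.routes[dst] = RouteEntry(dst_seq, hop_count + 1, sender)
            return True
        return False


def reverse_route_trace() -> List[bool]:
    """Constructed trace as seen by node B for RREQs originated by S (true seq 5)."""
    table = RoutingTable()
    decisions = [
        table.on_rreq("S", 5, 1, "A"),   # first copy: accepted, next hop A
        table.on_rreq("S", 5, 3, "C"),   # same seq, longer path: rejected
        table.on_rreq("S", 9, 1, "M"),   # M forged seq 9: accepted, next hop becomes M
        table.on_rreq("S", 5, 0, "A"),   # genuine update now loses to the forged entry
    ]
    decisions.append(table.routes["S"].next_hop == "M")
    return decisions


def forward_route_trace() -> List[bool]:
    """Constructed RREP trace for destination D at an intermediate node."""
    table = RoutingTable()
    return [
        table.on_rrep("D", 10, 2, "B"),  # accepted: stored hop count 3
        table.on_rrep("D", 10, 1, "C"),  # 1 + 1 < 3: accepted
        table.on_rrep("D", 10, 2, "C"),  # 2 + 1 == 3: rejected
        table.on_rrep("D", 8, 0, "C"),   # stale sequence number: rejected
    ]
```

The last entry of the reverse trace is the point of Section 3.1.2: once a forged, larger sequence number has been accepted, genuine updates from the real source are rejected until its own sequence number catches up, which is why detection has to happen at the monitor rather than in the update rule itself.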
3.1.4 Field Addition Attack
An inside attacker may forge a RREQ message without receiving an RREQ message. The
attacker may need to collect some necessary information to forge RREQ messages (e.g., by
listening to the traffic). Theoretically, the attacker may forge any field in a RREQ message
and cause disruption.
3.2 Outline of Intrusion Detection AODV
Our method is based on the work presented in [10]. Like RIDAN, our method uses finite
state machines to enable the real-time detection of active attacks. However, RIDAN does
not offer a solution for a distributed architecture to detect attacks that require more than
one-hop information.
IDAODV can be characterized as an architecture model for intrusion detection in
wireless Ad Hoc networks. We call this an architecture model because it does not perform
any change in the underlying routing protocol but merely intercepts routing and application
traffic.
IDAODV has been implemented on top of AODV, which has recently become an Internet
standard. However, the attacks that IDAODV is designed to detect are specific to the
AODV protocol. The process of detecting the attacks and the overall architecture can easily
be extended to operate with other protocols like DSR.
The system follows a knowledge-based technique to detect network intrusions. Its use of
finite state machines (FSMs) enables the system to detect malicious activity in real time
rather than using statistical analysis of previously captured traffic.
A finite state machine can be defined as an abstract machine consisting of a set of states
(including the initial state), a set of input events, a set of output events, and a state
transition function [25]. The function takes the current state and an input event and returns
the new set of output events and the next state. The state machine can also be viewed as a
function, which maps an ordered sequence of input events into a corresponding sequence of
output events.
The intrusion detection component operates locally in every participating node, and thus its
performance depends on the network traffic. Based on the number of packets received in
any time unit, more than one of the FSMs that are part of the intrusion detection component
may be triggered.
The FSM was constructed after studying the internal operations of the AODV routing
protocol. In order to recognize the traffic patterns occurring when a malicious attack is
performed against the routing fabric, the traffic for the protocol was analyzed in both its
static and mobile conditions.
Figure 3.2 depicts the top-level architecture of IDAODV.
3.3 Assumptions
We make the following assumptions. They are realistic and can easily be realized in a
MANET.
o Every link between the participating nodes is bidirectional.
o The MAC addresses of the participating nodes remain unchanged.
o Duplicate MAC addresses are not present.
o The network monitor is able to cover all nodes. Monitors passively listen to the routing
messages and are discussed subsequently.
o Nodes can listen to transmissions from immediate neighbors.
o All the participating nodes other than the malicious nodes have the intrusion detection
component activated.
3.4 Details of IDAODV
We now describe the details of the design and implementation of the proposed IDAODV.
IDAODV detects attacks against the AODV routing protocol in Wireless Mobile Ad Hoc
Networks. The components of IDAODV are discussed in the following sections.
Figure 3.2: Architecture of IDAODV
[Figure 3.2 placeholder; labels recovered from the figure: Intruder, nodes A, B and S, Public Network, Active Monitor, IDS, Attack Knowledge Base.]
3.4.1 Network Monitor
The nature of Ad Hoc networks prevents any single IDS node from observing all messages in a
request-reply flow. Therefore, tracing of RREQ and RREP messages in a request-reply
flow has to be performed by distributed network monitors (NM).
Figure 3.3 depicts the architecture of a network monitor. Network monitors passively listen
to AODV routing messages and detect incorrect RREQ and RREP messages.
Messages are grouped based on the request-reply flow to which they belong. A request-
reply flow can be uniquely identified by the RREQ ID together with the source and destination IP
addresses.
Figure 3.3: Network Monitor
[Figure 3.3 placeholder; labels recovered from the figure: Network Monitor holding a Forwarding Table, a Session Tree and FSM Constraints; Sniff New Packet -> Updates -> Detect Anomaly; Exchange Data with Other NM if needed; Packets.]
3.4.2 Finite State Machine
A specification-based approach provides a model to analyze attacks based on protocol
specifications.
A network monitor employs a finite state machine (FSM) [26] for detecting incorrect
RREQ and RREP messages [21, 27, 28, 29]. It maintains an FSM for each branch of a
request-reply flow. A request flow starts in the Source state. It transitions to the RREQ
Forwarding state when a source node broadcasts the first RREQ message (with a new
RREQ ID). While forwarded broadcast RREQs are detected, it stays in the RREQ
Forwarding state until a corresponding RREP is detected. When a unicast RREP is
detected, it goes to the RREP Forwarding state and stays there until the RREP reaches the source
node and the route is set up. If any suspicious activity or an anomaly is detected, it goes to
the Suspicious or Alarm state.
When an NM compares a new packet with the old corresponding packet, the primary goal
of the constraints is to make sure that the AODV header of the forwarded control packets has
not been modified in an undesired manner (for example, the hop count must increase by one at
each forward and the sequence numbers must stay consistent). If an intermediate node responds
to the request, the NM verifies this response against its forwarding table as well as against
the constraints in order to make sure that the intermediate node is not lying. In addition, the
constraints are used to detect packet drops and spoofing. The finite state machine is depicted
in Figure 3.4.
Stamouli [10] did not use network monitors to trace the RREQ and RREP messages of a request-
reply flow across a distributed network, whereas the proposed FSM uses the flows of
Figure 3.3.
3.4.3 Sequence Number Attack Detection
In order for the intrusion detection to identify the sequence number attack, we analyzed
RREQ and RREP messages. The logic flow for the two is shown in Figures 3.5 and 3.6.
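The monitor FSM of Section 3.4.2 and the sequence-number check of Section 3.4.3, as an added example in Python that is not the thesis's code: one FSM per (RREQ ID, source, destination) branch is fed the overheard RREQ/RREP packets and applies the IP/MAC, SN/HC and forwarding-table constraints. The packet field names, the max_seq_jump tolerance, the node names S, A, B and D, the MAC addresses and the four constructed traces are assumptions, not taken from the thesis.

```python
# Added example, not code from the thesis: a network-monitor FSM for one branch of an AODV
# request-reply flow (Section 3.4.2) with the SN/HC, forwarding-table and IP/MAC constraints
# behind the sequence-number attack detection of Section 3.4.3. Field names, the
# max_seq_jump tolerance, node names, MAC addresses and the traces are assumptions.
from dataclasses import dataclass
from enum import Enum, auto


class State(Enum):
    SOURCE = auto()
    RREQ_FORWARDING = auto()
    RREP_FORWARDING = auto()
    ROUTE_SET_UP = auto()
    SUSPICIOUS = auto()
    ALARM = auto()


@dataclass(frozen=True)
class Ctrl:
    """Fields of an overheard AODV control packet (subset of the RFC 3561 headers)."""
    kind: str               # "RREQ" or "RREP"
    src_ip: str             # originator of the route request
    dst_ip: str             # requested destination
    rreq_id: int
    hop_count: int
    dst_seq: int            # destination sequence number carried in the AODV header
    sender_ip: str          # node that transmitted this copy
    sender_mac: str         # MAC address seen on the air for that transmission
    receiver_ip: str = "*"  # unicast next hop of an RREP; "*" for a broadcast RREQ


class FlowMonitor:
    """One FSM per (RREQ ID, source, destination) branch, as Section 3.4.2 describes."""

    def __init__(self, ip_mac, known_dseq, max_seq_jump=1):
        self.ip_mac = ip_mac              # monitor's IP -> MAC table of its neighbours
        self.known_dseq = known_dseq      # monitor's forwarding-table view of dst sequence numbers
        self.max_seq_jump = max_seq_jump  # assumed tolerance for a replier's fresher knowledge
        self.state, self.last, self.reason = State.SOURCE, None, "ok"

    def _stop(self, state, reason):
        self.state, self.reason = state, reason
        return state

    def feed(self, p):
        if self.state in (State.ALARM, State.SUSPICIOUS, State.ROUTE_SET_UP):
            return self.state                                  # terminal states
        if self.ip_mac.get(p.sender_ip) != p.sender_mac:       # spoofing constraint
            return self._stop(State.ALARM, "spoofing: unknown IP/MAC pair")
        if self.state == State.SOURCE:
            if p.kind == "RREQ" and p.sender_ip == p.src_ip and p.hop_count == 0:
                self.state, self.last = State.RREQ_FORWARDING, p
                return self.state
            return self._stop(State.SUSPICIOUS, "flow did not start with a fresh RREQ from the source")
        if p.kind == "RREQ":
            if self.state != State.RREQ_FORWARDING:
                return self._stop(State.SUSPICIOUS, "RREQ heard after the reply started")
            # Forwarded copy: hop count must grow by exactly one; dst seq may only grow
            # (RFC 3561 lets an intermediate node raise it), never shrink.
            if p.hop_count != self.last.hop_count + 1 or p.dst_seq < self.last.dst_seq:
                return self._stop(State.ALARM, "SN/HC forged in forwarded RREQ")
            self.last = p
            return self.state
        if self.state == State.RREQ_FORWARDING:
            # First RREP of the branch: the replier may know a slightly fresher destination
            # sequence than the monitor's table, but a large jump is the attack itself.
            if p.dst_seq > self.known_dseq.get(p.dst_ip, 0) + self.max_seq_jump:
                return self._stop(State.ALARM, "SN forged in RREP")
        elif p.hop_count != self.last.hop_count + 1 or p.dst_seq != self.last.dst_seq:
            return self._stop(State.ALARM, "SN/HC forged in forwarded RREP")
        self.last = p
        self.state = State.ROUTE_SET_UP if p.receiver_ip == p.src_ip else State.RREP_FORWARDING
        return self.state


def run_flow(packets, ip_mac, known_dseq):
    """Drive one branch FSM over overheard packets; returns (final state, reason)."""
    fsm = FlowMonitor(ip_mac, known_dseq)
    for p in packets:
        fsm.feed(p)
    return fsm.state, fsm.reason


# Constructed monitor knowledge and traces: S requests a route to D, A forwards, B is an
# intruder that is a known neighbour. The MAC addresses are made up.
IP_MAC = {"S": "02:00:00:00:00:01", "A": "02:00:00:00:00:02",
          "B": "02:00:00:00:00:03", "D": "02:00:00:00:00:04"}
KNOWN_DSEQ = {"D": 5}


def rreq(sender, hc, dseq=5):
    return Ctrl("RREQ", "S", "D", 7, hc, dseq, sender, IP_MAC[sender])


def rrep(sender, to, hc, dseq, mac=None):
    return Ctrl("RREP", "S", "D", 7, hc, dseq, sender, mac or IP_MAC[sender], to)


BENIGN = [rreq("S", 0), rreq("A", 1), rrep("D", "A", 0, 6), rrep("A", "S", 1, 6)]
FORGED_SEQ = [rreq("S", 0), rreq("A", 1), rrep("B", "A", 0, 50)]        # B claims dseq 50
HC_FORGED = [rreq("S", 0), rreq("A", 0)]                                 # A kept hop count 0
SPOOFED = [rreq("S", 0), rrep("A", "S", 1, 6, mac="02:00:00:00:00:99")]  # A's IP, unknown MAC
```

Running run_flow over BENIGN ends in ROUTE_SET_UP; FORGED_SEQ raises the alarm on the intruder's RREP carrying destination sequence number 50, HC_FORGED on the rebroadcast that kept hop count 0, and SPOOFED on the first packet whose IP/MAC pair is absent from the monitor's table. A flow that does not begin with a fresh RREQ from its source lands in Suspicious rather than Alarm.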
Figure 3.4: The finite state machine
[Figure 3.4 placeholder; labels recovered from the figure. States: Source, RREQ forwarding, RREP forwarding, RERR, Suspicious, Alarm (SN/HC forged), Alarm (Dropped/Lost), Out of Range, Spoofing. Transition conditions: RREQ from source; RREP unicast by intermediate node and no anomaly is detected; RREP broadcast by intermediate node and no anomaly detected; RERR from intermediate node; RERR from destination or RREP from intermediate node, no anomaly detected; RERR to source and no anomaly is detected; if SN/HC is not consistent; if pair of IP and MAC address unknown; if forwarding RREP is not heard; if no forwarding is heard from neighboring NM; if none of the neighboring NMs disagrees; otherwise go to RREP forwarding if it is an RREQ.]
Figure 3.5: Analyze RREQ Message
[Figure 3.5 placeholder; labels recovered from the figure: Detected New RREQ, HC = 0, RREQ ID, dst.]
    prev = read_route_entry(src).next_hop;
    next = read_route_entry(dst).next_hop;
    dseq = read_route_entry(dst).seq;
    Add_Route(dst, prev, dseq+1);
    Active_Reply(src, dst, dseq+1, cur, next);
}
If the attacker is close to a route from Source to Destination such that two consecutive
nodes in this route, prev and next, are in the attacker's 1-hop neighborhood, the attacker
can first add a route to the Destination using prev as the next hop. It then generates an
Active_Reply to next, using a larger sequence number for Destination in the RREP
message. This makes next update its route to Destination via cur.
When prev receives a packet from Source, the packet is forwarded along the
normal path and eventually reaches next. However, next now believes the best route
to Destination is through cur, and cur forwards it back to prev. This effectively
creates a loop between Source and Destination, and all packets are dropped on the route
when their TTL values reach zero.
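The loop construction above, replayed as an added example (not code from the thesis): per-node routing tables, the attacker's Add_Route and Active_Reply calls as in the pseudocode, the RFC 3561 rule by which next accepts the forged RREP, and a TTL-bounded forwarding walk that shows the packet circling until it is dropped. The node names S, P, X, N, D and A, the RouteEntry fields, the seeded sequence numbers and the TTL of 8 are assumptions.

```python
# Added example, not code from the thesis: the routing-loop attack replayed on toy per-node
# routing tables. Node names, RouteEntry fields, seeded sequence numbers and the TTL are
# assumptions; add_route and active_reply follow the page's pseudocode.
from dataclasses import dataclass


@dataclass
class RouteEntry:
    next_hop: str
    seq: int    # destination sequence number known for this route
    hops: int


class Node:
    def __init__(self, name):
        self.name = name
        self.routes = {}   # destination -> RouteEntry

    def read_route_entry(self, dst):
        return self.routes[dst]

    def add_route(self, dst, next_hop, seq, hops=1):
        """Unconditional table write (the attacker's local Add_Route)."""
        self.routes[dst] = RouteEntry(next_hop, seq, hops)

    def on_rrep(self, dst, dst_seq, hops, from_node):
        """AODV acceptance rule (RFC 3561, section 6.7): adopt the RREP if its destination
        sequence number is fresher, or equal with a shorter hop count."""
        cur = self.routes.get(dst)
        if cur is None or dst_seq > cur.seq or (dst_seq == cur.seq and hops < cur.hops):
            self.routes[dst] = RouteEntry(from_node, dst_seq, hops)
            return True
        return False


def build_topology():
    """Constructed scenario: route S -> P -> X -> N -> D, plus attacker A that is a
    1-hop neighbour of both P (prev) and N (next) but not on the route."""
    nodes = {n: Node(n) for n in "SPXNDA"}
    chain = ["S", "P", "X", "N", "D"]
    for i, n in enumerate(chain[:-1]):        # forward routes towards D, dseq 10
        nodes[n].add_route("D", chain[i + 1], seq=10, hops=len(chain) - 1 - i)
    for i, n in enumerate(chain[1:], 1):      # reverse routes towards S
        nodes[n].add_route("S", chain[i - 1], seq=1, hops=i)
    nodes["A"].add_route("S", "P", seq=1, hops=2)    # attacker reaches S via P ...
    nodes["A"].add_route("D", "N", seq=10, hops=2)   # ... and D via N
    return nodes


def active_reply(nodes, src, dst, dseq, cur, nxt):
    """Active_Reply(src, dst, dseq, cur, next): cur unicasts a forged RREP for dst to
    next, advertising itself as a 1-hop route with destination sequence number dseq."""
    return nodes[nxt].on_rrep(dst, dseq, hops=1, from_node=cur)


def loop_attack(nodes, cur, src, dst):
    """The page's pseudocode body, executed by attacker cur."""
    me = nodes[cur]
    prev = me.read_route_entry(src).next_hop
    nxt = me.read_route_entry(dst).next_hop
    dseq = me.read_route_entry(dst).seq
    me.add_route(dst, prev, dseq + 1)                      # Add_Route(dst, prev, dseq+1)
    return active_reply(nodes, src, dst, dseq + 1, cur, nxt)


def forward(nodes, src, dst, ttl=8):
    """Follow next hops from src; returns (delivered, path). TTL exhaustion is the drop."""
    path, here = [src], src
    while here != dst and ttl > 0:
        here = nodes[here].routes[dst].next_hop
        path.append(here)
        ttl -= 1
    return here == dst, path


def loop_demo():
    nodes = build_topology()
    before = forward(nodes, "S", "D")
    accepted = loop_attack(nodes, "A", "S", "D")   # N adopts A's route: 11 > 10
    after = forward(nodes, "S", "D")
    return before, accepted, after
```

Before the attack the walk is S, P, X, N, D. After it, N prefers A (sequence number 11 beats its 10), A sends the packet back to P, and the walk becomes S, P, X, N, A, P, X, N, A until the TTL is gone. The acceptance rule in on_rrep is exactly what the monitor's sequence-number constraint has to second-guess: a single forged RREP with a fresher number is enough.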
A similar attack can be implemented when the attacker is not close to the targeted route.
The attacker first finds a victim node V that is close to the route. Instead of calling
Add_Route locally on V (which would require an additional compromise of V), the attacker
can use either False_Request or Active_Reply to force V to update its route to
Destination via V's corresponding prev.
4.1.1 Loop Freedom of IDAODV
AODV is a loop-free protocol, as has already been proved in [38]. IDAODV retains the
loop-freedom properties of the normal AODV protocol.
4.2 Depleting Batteries
Intruders may send data with the objective of congesting the network or depleting batteries.
We propose a method to detect this type of attack. The method calls for a minor
modification to the existing AODV protocol and incurs no additional overhead. The attack
can be defined as a node issuing RREQs at a rate above RREQ_RATELIMIT. The proposed method
has been designed to detect this type of attack on pure AODV as well as on modified AODV
protocols. To evaluate the effectiveness of the proposed scheme, we simulated the attack in
a mobile environment and studied the performance results.
4.2.1 Proposed Method
From RFC 3561, the default value of RREQ_RATELIMIT is 10 RREQs per second. This
means that each node is expected to exercise some self-control over the number of RREQs it
sends each second. A compromised node may choose to set the value of
RREQ_RATELIMIT to a very high number or even disable this limiting feature, allowing it
to send a large number of RREQ packets per second. The proposed scheme shifts the
responsibility for monitoring this parameter to the node's neighbors, ensuring compliance with
this restriction. This technique solves the problems caused by unnecessary
RREQs from a compromised node: instead of self-control, the control exercised by a
node's neighbors prevents this attack.
RREQ_GOODLIST_LIMIT and RREQ_BADLIST_LIMIT
The proposal is based on two parameters: RREQ_GOODLIST_LIMIT
and RREQ_BADLIST_LIMIT.
RREQ_GOODLIST_LIMIT denotes the number of RREQs that a node accepts and
processes per unit of time. The purpose of this parameter is to specify a value
that ensures uniform usage of a node's resources by its neighbors. RREQs exceeding this
limit are dropped, but their time stamps are recorded. This information aids in monitoring
the neighbors' activities. In the simulations carried out, the value of this parameter was
kept at three (3 RREQs can be accepted per unit of time). This value, however, can be made
adaptive, depending upon node metrics such as memory, processing power and battery.
The RREQ_BADLIST_LIMIT parameter specifies a value that aids in determining
whether a node is acting maliciously. To do so, the number of RREQs originated or
forwarded by a neighboring node per unit time is tracked. If this count exceeds the value of
RREQ_BADLIST_LIMIT, one can safely assume that the corresponding neighboring node
is trying to flood the network with fake RREQs. A neighboring node identified as
malicious can be badlisted, preventing further flooding of fake RREQs into the network.
The badlisted node is ignored for a period of time given by BADLIST_TIMEOUT, after
which it is unblocked. The proposed scheme can block a node for the
BADLIST_TIMEOUT period on an incremental basis: the BADLIST_TIMEOUT period is
doubled each time the node repeats its malicious behavior.
In our simulations, the value of RREQ_BADLIST_LIMIT is kept at 10 (i.e. more than 10
RREQs per unit time is treated as flooding activity). By badlisting a malicious node, all
neighbors of the malicious node restrict the flood of RREQs. In addition, the malicious
node is isolated by this distributed defense and cannot hog its neighbors' resources. The
neighboring nodes are therefore free to entertain RREQs from genuine nodes. Nodes
that are confident about the malicious nature of a particular node can avoid using it for
subsequent network functions. In this way, genuine nodes are spared from this
attack.
Advantages of the Proposed Scheme
1. The proposed scheme incurs no extra overhead, as it makes minimal modifications
to the existing data structures and functions related to badlisting a node in the
existing version of pure AODV.
2. The proposed scheme is more efficient in terms of the resultant routes established,
resource reservations and computational complexity.
3. If multiple malicious nodes collaborate, they in turn are restricted and isolated
by their neighbors, because neighbors monitor and exercise control over the forwarding of
RREQs by nodes. Hence, the scheme also prevents distributed attacks.
The algorithms for our scheme are described below:
Algorithm-1 (TIME of RREQ)
1. RREQ received.
2. If the RREQ is forwarded, then exit.
3. Find NODE_ID in the RREQ_RATELIMIT table for the node that sent the RREQ.
4. For that NODE_ID, set RREQ_TIME = RREQ_TIME + 1.
Algorithm-2 (Find RATE of RREQ and find the intruder; this algorithm is run once every second)
1. For every item of the RREQ_RATELIMIT table do:
2. If RREQ_TIME > threshold, then put NODE_ID into BADLIST and set RREQ_TIME = 0.
3. Else set RREQ_TIME = 0.
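Algorithm-1 and Algorithm-2 together with the goodlist/badlist parameters of Section 4.2, as an added example (not code from the thesis): a per-node guard that counts RREQs per neighbor per second, drops those over RREQ_GOODLIST_LIMIT while recording their time stamps, badlists at the once-per-second sweep any neighbor whose count exceeded RREQ_BADLIST_LIMIT, and doubles BADLIST_TIMEOUT on every repeat. The two limits use the page's simulation values (3 and 10); the base BADLIST_TIMEOUT of 2 seconds, the per-neighbor goodlist budget, the clock handling and the constructed trace are assumptions.

```python
# Added example, not code from the thesis: neighbour-enforced RREQ rate limiting with the
# RREQ_GOODLIST_LIMIT / RREQ_BADLIST_LIMIT parameters and the doubling BADLIST_TIMEOUT of
# Section 4.2. The two limits use the page's simulation values; the base timeout, the
# per-neighbour goodlist budget, the per-second sweep clock and the trace are assumptions.
from collections import defaultdict

RREQ_GOODLIST_LIMIT = 3    # RREQs per neighbour processed per unit time (page: 3)
RREQ_BADLIST_LIMIT = 10    # more than this per unit time is treated as flooding (page: 10)
BADLIST_TIMEOUT = 2.0      # assumed base block period in seconds; doubled on each repeat


class RreqGuard:
    """State one node keeps about its neighbours' RREQ behaviour."""

    def __init__(self):
        self.rreq_time = defaultdict(int)    # NODE_ID -> RREQ_TIME, the per-second count
        self.accepted = defaultdict(int)     # RREQs processed this second (goodlist budget)
        self.dropped_ts = defaultdict(list)  # time stamps of dropped RREQs (page: recorded)
        self.badlist = {}                    # NODE_ID -> time at which it is unblocked
        self.strikes = defaultdict(int)      # how many times the node was badlisted

    def on_rreq(self, node_id, now):
        """Algorithm-1: called for every RREQ heard from node_id. Returns True if the
        RREQ is processed, False if it is dropped or the sender is badlisted."""
        if node_id in self.badlist:
            if now < self.badlist[node_id]:
                return False                  # ignored for the whole BADLIST_TIMEOUT
            del self.badlist[node_id]         # period expired: unblock
        self.rreq_time[node_id] += 1          # RREQ_TIME = RREQ_TIME + 1
        if self.accepted[node_id] < RREQ_GOODLIST_LIMIT:
            self.accepted[node_id] += 1
            return True
        self.dropped_ts[node_id].append(now)  # over the goodlist limit: drop, keep the stamp
        return False

    def sweep(self, now):
        """Algorithm-2, run once per second: badlist every neighbour whose count exceeded
        RREQ_BADLIST_LIMIT, with a timeout that doubles on each repeat, then reset the
        counters. Returns the NODE_IDs badlisted in this sweep."""
        flooders = []
        for node_id, count in self.rreq_time.items():
            if count > RREQ_BADLIST_LIMIT:
                self.strikes[node_id] += 1
                self.badlist[node_id] = now + BADLIST_TIMEOUT * 2 ** (self.strikes[node_id] - 1)
                flooders.append(node_id)
        self.rreq_time.clear()
        self.accepted.clear()
        return flooders


def replay(events, seconds):
    """Feed (timestamp, NODE_ID) events through one node's guard, sweeping at every whole
    second. Returns ({NODE_ID: processed RREQs}, [(sweep second, NODE_ID, unblock time)])."""
    guard, processed, history = RreqGuard(), defaultdict(int), []
    queue = sorted(events)
    i = 0
    for sec in range(1, seconds + 1):
        while i < len(queue) and queue[i][0] < sec:
            t, node_id = queue[i]
            i += 1
            if guard.on_rreq(node_id, t):
                processed[node_id] += 1
        for node_id in guard.sweep(float(sec)):
            history.append((sec, node_id, guard.badlist[node_id]))
    return dict(processed), history


def flood_demo():
    """Constructed trace: A is a well-behaved neighbour (2 RREQ/s); M floods 15 RREQ/s in
    second 0, tries once more while badlisted, and floods again in second 3."""
    events = [(0.1, "A"), (0.5, "A"), (1.2, "A"), (1.6, "A"), (1.5, "M")]
    events += [(round(0.05 * k, 2), "M") for k in range(15)]
    events += [(round(3.0 + 0.05 * k, 2), "M") for k in range(15)]
    return replay(events, seconds=5)
```

In the trace, A's four RREQs are all processed. M gets three of its fifteen processed in second 0, is badlisted at the first sweep until t = 3.0, has its RREQ at t = 1.5 ignored, gets three more processed when it floods again in second 3, and is then badlisted for twice as long, until t = 8.0.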
The functioning of the intruder is depicted pictorially in Figure 4.1.
Figure 4.1: Functioning of Intruder (Top), (Bottom)
[Figure 4.1 placeholder; labels recovered from the figure. Top: nodes A, B, T, C, D and U, with the Intruder injecting Bogus Traffic. Bottom: nodes A to O with the Intruder; legend: Node, Link for Attack Packet.]
4.3 Simulation
The experiments were carried out using NS-2 [31]. We used the simulation
environment detailed in [18] as a starting point. The following subsection provides details
of the simulation environment, metrics and experimental results.
4.3.1 Simulation Environment
Grid Size: 1000x1000 meters.
Number of Nodes: 30 nodes in total. Of these, 16 were involved in normal
communication, and we varied the number of bad nodes.
Routing Protocol: AODV was used.
MAC Layer: 802.11 in peer-to-peer mode was chosen as the MAC layer protocol.
Radio: The no-fading model was used, with the radio range set to 250 meters.
Mobility: The random waypoint model was used with the maximum speed set to 20 meters
per second. The pause time was set to 15 seconds.
Packet Traffic: 10 Constant Bit Rate (CBR) connections were generated
simultaneously, where 4 nodes were the source for two streams each and 2 nodes
were the source for a single stream. Each destination node receives only one CBR
stream.
Simulation Time: The simulation was run for 900 seconds.
Dropped Packet Timeout: The timeout period for dropped packets was set to 10
seconds.
Dropped Packet Threshold: Set to 10 packets.
Clear Delay: This is an event expiration timer, set to 100 seconds. It is the
amount of time for which a node considers an event before arriving at a conclusion.
Modification Threshold: The modification threshold was set to 5 events.
Neighborhood Hello Period: 30 seconds.
Metrics such as delivery ratio, false positives and detected bad nodes are the important
determinants of network performance; they have been used to compare the performance
of the proposed scheme with that of the original protocol, i.e.
AODV. The study shows that the proposed scheme enhances the security of the routing
protocol without causing substantial degradation in network performance.
Figure 4.2: Delivery Ratio Vs Number of Connections
Figure 4.3: Delivery Ratio Vs Node Mobility
Figure 4.4: Percentage of False Positives Vs Percentage of Bad Nodes
Figure 4.5: Percentage of Detected Bad Nodes Vs Percentage of Bad Nodes
The averaged results in Figures 4.2 and 4.3 show that the effect of the attack decreases while the
delivery ratio improves by 80%.
Figure 4.4 shows that the performance of the Active Response protocols improves with respect
to false positives as the density of malicious nodes increases.
The detection rate is shown in Figure 4.5. In the best case, 93% of the bad nodes are
detected; the worst-case detection rate is 78%. In the previous chapter, we discussed why a
bad node may go undetected.
4.4 Performance Comparison Analysis with RIDAN System
In this section, we present the results of our experiment using the NS-2 simulator for an Ad Hoc
network consisting of 30 nodes. We assume that there is one intruder sending a sequence of
consecutive packets constituting an attack to the destination [39]. The intrusion is
considered detected if the attack packets pass through any of the nodes that constitute the
intrusion detection system.
We use a randomly selected set of 5 nodes out of the 30 nodes, experimented with [10], and
consider a sequence of five consecutive packets as constituting the attack signature. We
measured the accuracy of detection in both static and dynamic conditions.
It is not clear in [10] how an attack that requires more than one-hop information gets
detected, but in IDAODV multihop information is considered, which overcomes this
limitation of the RIDAN system.
We have produced the percentage of detection of attacks using the RIDAN system [10] for both
the static and the dynamic node case, which was not present in the original work. The
relative performance of IDAODV and the RIDAN system is given below.
For Static Case
Consider that there is only one node in the intrusion detection system. This node is
randomly selected to be one of the 30 nodes. We consider a system in which the nodes
that constitute the intrusion detection system (IDS) are chosen randomly.
Figure 4.6: percentage of Detection
We show the results for systems with 30 nodes in Figure 4.6. We see that the
performance of IDAODV is better than that of the RIDAN system [10]. IDAODV also performs
multimode intrusion detection in the static condition.
For Dynamic Case
In the dynamic case, we consider a network using AODV. We assume that the intruder is
moving at a speed of 15 m/s. The criterion used to determine the nodes that make
up the IDS is the same as in the static case; the only
difference is that the intruder is now assumed to be mobile. We show the results for such a
case in Figure 4.7. Here IDAODV also performs multimode intrusion detection in the dynamic
condition.
Figure 4.7: percentage of detection
Number of Nodes                 20      40      60      80
Static node case
  RIDAN (Stamouli)              52      80      94      98.5
  IDAODV                        54      84      96      99.3
Dynamic node case
  RIDAN (Stamouli)              52      80.5    94      99
  IDAODV                        57.5    85.1    95      99.8
Table 4.1: Comparison between RIDAN and IDAODV for % of Detection
The above table compares the percentage of detection of the RIDAN system and the
proposed method. For all values of the number of nodes, the detection rate of the proposed method
is higher than that of the RIDAN system. Whereas the com