
Intrusion Detection System (IDS) for MANETs

1. Introduction

An ad-hoc (or "spontaneous") network is a local area network or other small network, especially one with wireless or temporary plug-in connections, in which some of the network devices are part of the network only for the duration of a communications session or, in the case of mobile or portable devices, while in some close proximity to the rest of the network. In Latin, ad hoc literally means "for this," further meaning "for this purpose only," and thus usually temporary. The term has been applied to future office or home networks in which new devices can be quickly added, using, for example, the proposed Bluetooth technology in which devices communicate with the computer and perhaps other devices using wireless transmission. Ad hoc networks such as Bluetooth are networks designed to dynamically connect remote devices such as cell phones, laptops, and Personal Digital Assistants (PDAs). These networks are termed "ad hoc" because of their shifting network topologies. Whereas WLANs use a fixed network infrastructure, ad hoc networks maintain random network configurations, relying on a master-slave system connected by wireless links to enable devices to communicate. In a Bluetooth network, the master of the piconet controls the changing network topologies of these networks. It also controls the flow of data between devices that are capable of supporting direct links to each other. As devices move about in an unpredictable fashion, these networks must be reconfigured on the fly to handle the dynamic topology. The routing protocol that Bluetooth employs allows the master to establish and maintain these shifting networks.

Figure 1: Notional Ad Hoc Network

Figure 1 illustrates an example of a Bluetooth-enabled mobile phone connecting to a mobile phone network, synchronizing with a PDA address book, and downloading e-mail on an IEEE 802.11 WLAN.

Ad hoc networks are a new paradigm of wireless communication for mobile hosts (which we call nodes). In an ad hoc network, there is no fixed infrastructure such as base stations or mobile switching centers. Mobile nodes that are within each other's radio range communicate directly via wireless links, while those that are far apart rely on other nodes to relay messages as routers. Node mobility in an ad hoc network causes frequent changes of the network topology. Figure 2 shows such an example: initially, nodes A and D have a direct link between them. When D moves out of A's radio range, the link is broken. However, the network is still connected, because A can reach D through C, E, and F.

Figure 2: Dynamicity of MANETs. Topology change in ad hoc networks: nodes A, B, C, D, E, and F constitute an ad hoc network. The circle represents the radio range of node A. The network initially has the topology in (a), and when node 'D' moves out of the radio range of 'A', the network topology changes to the one in (b).

The following flowchart depicts the working of any general ad-hoc network:
1. Start.
2. Nodes send a signal to find the number of other nodes within range.
3. Synchronizing between nodes.
4. Sender node sends messages to the receiving node.
5. Is the receiving node ready? If no, wait for some time and retry; if yes, the receiving node sends back a Ready signal.
6. Communication begins.
7. Termination process.
8. Stop.

Figure 3: Working of a general Ad-Hoc Network

Ad hoc networks are generally closed in that they do not connect to the Internet and are typically created between participants. But if one of the participants has a connection to a public or private network, this connection can be shared among the other members of the ad hoc network. This allows other users on the spontaneous ad hoc network to connect to the Internet as well. Military tactical operations are still the main application of ad hoc networks today. For example, military units (e.g., soldiers, tanks, or planes) equipped with wireless communication devices could form an ad hoc network when they roam in a battlefield. Ad hoc networks can also be used for emergency, law enforcement, and rescue missions. Since an ad hoc network can be deployed rapidly at relatively low cost, it becomes an attractive option for commercial uses such as sensor networks or virtual classrooms. Ad hoc networks are common for portable video game systems like the Sony PSP or the Nintendo DS because they allow players to link to each other to play video games wirelessly. Some retail stores even create networks within them to allow customers to obtain new game demos via the store's own ad hoc network.

1.1 Ad Hoc Network Security Vulnerabilities

The lack of centralized control and infrastructure in an ad hoc network increases its vulnerability and exposure to attacks. Unlike its fixed wired counterpart, where an attacker must gain physical access through several lines of defense at firewalls and gateways, attacks on a wireless network can come from all directions, including from nodes thought to be participating in the network, as the absence of authorization facilities impedes the usual practice of distinguishing nodes as trusted and non-trusted. Additionally, since the nodes are often mobile, the topology of the network may be constantly changing as nodes join and leave the network while moving in and out of radio range. Also, nodes may operate in a disconnected state to preserve a limited power supply, which also affects the network topology. This dynamically changing topology makes it difficult for nodes in a network to recognize a malicious node. The wireless nature of communication and the lack of any security infrastructure raise several security problems.

1.2 MANET Vulnerabilities and Possible Attacks

MANETs are inherently vulnerable to several kinds of attacks because of the open communication medium, resource-constrained devices and the collaborative nature of the routing process. MANETs basically function to provide connectivity to devices in the absence of infrastructure support, using a shared open communication medium, and rely on collaboration from the participating devices in doing so. Devices participate in the MANET by complying with the specifications of the routing protocol. The lack of conventional mechanisms for identifying and authenticating individual devices, together with the reliance on unknown nodes for collaboration, increases the vulnerability of MANET connectivity and of the resources of the individual devices (such as routing tables and message buffers).

Since MANETs have not been widely deployed, no actual data is currently available that allows comprehensive attack analysis. Huang and Lee [1?] propose an attack analysis model for ad hoc networks that uses a taxonomy of anomalous events to detect and analyze attacks. Several possible attacks on MANETs have been identified in the literature [1?–1?]. They can be broadly classified into two types: (i) routing-disruption attacks and (ii) resource-consumption attacks. A more detailed survey and discussion of the current state of secure routing protocols has been presented by Hu & Perrig [1?]. Attacks can target various layers of the protocol stack. Resource-consumption attacks that exploit vulnerabilities in the Medium Access Control (MAC) and Physical (PHY) layers to consume bandwidth and energy, in order to starve a resource-constrained device, are examples of sleep-deprivation attacks. To protect against such attacks, security mechanisms must be provided in the MAC and PHY layers; they cannot be repulsed at higher levels. We focus only on attacks specific to the networking and application layers (routing process and data traffic). A detailed classification of the possible attacks can be found in [1?].

Figure 4: Taxonomy of Security Attacks

Passive Attacks: In passive attacks, an intruder monitors the channels of communication without interfering with the normal function of the system, thereby threatening only the confidentiality of data. Some commonly used methods of passive attack are browsing, leaking, inferencing, masquerading and traffic analysis. Passive attacks, such as eavesdropping, can be devastating in security-critical areas such as military applications.

Active Attacks: Active attacks, on the other hand, involve replication, modification, and deletion of data. And since nodes without adequate protection in a wireless ad hoc network are prone to being captured, compromised, or hijacked, these networks are particularly vulnerable to attacks that come from inside. Internal attacks are far more damaging and difficult to detect. A malicious node can disrupt the network by deleting or modifying messages, or even by attacking the routing protocol by refusing to forward messages or advertising incorrect paths. This can be difficult to detect, because false routing messages could be benign, just the result of an outdated routing table. Other active attacks include energy exhaustion attacks, referred to as sleep deprivation torture, and denial-of-service (DoS) attacks.

2. Background

An intrusion is defined as an action that attempts to compromise the confidentiality, integrity, or availability of a resource [1]. As the name states, an intrusion detection system (IDS) is a system that detects a network intrusion. It is often termed a second line of defense because it is only activated when the intrusion prevention system has failed. Ideally, such a system can detect, identify, and eject an intruder before any damage is done. In this way, an IDS can also serve as a deterrent, because intruders recognize that even if they can gain access they are likely to be expelled by the IDS. IDSs for traditional networks function under the assumption that normal activity and intrusion activity have distinct behaviour [2–5]. Additionally, to implement an IDS, user and program activities must be observable, for example via a system auditing mechanism [?], so that deviations from the norm can be recognized. Based on the type of audit data collected, an IDS can be classified as network-based or host-based. Network-based IDSs operate by passively or actively monitoring the network itself. Packets are collected from network traffic and analyzed to identify an intrusion. Network-based IDSs often require a dedicated host or special equipment, which makes them vulnerable to attack. Host-based IDSs monitor activity on each individual node. Data is collected from the system's audit trails, system and application logs, or audit data generated by a module that intercepts system calls [?]. IDSs can be further classified on the basis of detection technique. Intrusion detection techniques can be categorized into misuse detection and anomaly detection. Misuse detection uses the signatures of known attacks to identify an intrusion. The advantage of this technique is that instances of known attacks can be quickly and accurately identified. However, misuse detection lacks the ability to detect newly invented attacks, leaving the network vulnerable.

In anomaly detection, a profile of normal activity is created and used to classify any unreasonable deviation from the established norm as a potential attack. Data mining technology is often used in profile creation because, given the large amount of data collected, it is beneficial to construct the models automatically. The advantage of anomaly-based detection is that no prior knowledge of intrusions is required, so novel attacks can be detected. However, this technique may suffer from high false-positive rates and, additionally, may not be able to accurately describe the attack that is occurring.

2.1 Types of Ad-Hoc Routing Protocols

Basically there are three types of routing protocols:

1. Proactive Routing Protocols: Here the nodes keep updating their routing tables through periodic messages. This can be seen in the Optimized Link State Routing Protocol (OLSR) and the Topology Broadcast based on Reverse Path Forwarding Protocol (TBRPF).

2. Reactive or On-Demand Routing Protocols: Here the routes are created only when they are needed. This approach can be seen in the Dynamic Source Routing Protocol (DSR) and the Ad-hoc On-demand Distance Vector Routing Protocol (AODV).

3. Hybrid Routing Protocols: Hybrid methods combine proactive and reactive methods to find efficient routes. ZHLS is one example of a hybrid routing protocol. In ZHLS, the whole network is divided into non-overlapping zones. ZHLS is proactive if the traffic destination is within the same zone as the source. It is reactive otherwise, because a location search is needed to find the zone ID of the destination.

Fig. 5 is a categorization of existing routing protocols in MANETs. In the figure, solid lines represent direct descendants while dotted lines depict logical descendants. Since new routing protocols are always being proposed for MANETs, we do not expect to include all of them here.

Figure 5: A Classification of MANET Routing Protocols.

In today's world the most common ad-hoc protocols are the Ad-hoc On-demand Distance Vector routing protocol, the Destination-Sequenced Distance-Vector routing protocol and Dynamic Source Routing. All these protocols are quite insecure because attackers can easily obtain information about the network topology. This is because in the AODV and DSR protocols the route discovery packets are carried in clear text. Thus a malicious node can discover the network structure just by analyzing this kind of packet and may be able to determine the role of each node in the network. With all this information, more serious attacks can be launched in order to disrupt network operations.

2.2 Types of Attacks Faced by Routing Protocols

Because of their underlying architecture, ad-hoc networks are more easily attacked than a wired network. The attacks prevalent on ad-hoc routing protocols can be broadly classified into passive and active attacks.

A passive attack does not disrupt the operation of the protocol, but tries to discover valuable information by listening to traffic. Passive attacks basically involve obtaining vital routing information by sniffing the network. Such attacks are usually difficult to detect, and hence defending against them is complicated. Even if it is not possible to identify the exact location of a node, one may be able to discover information about the network topology using these attacks. An active attack, however, injects arbitrary packets and tries to disrupt the operation of the protocol in order to limit availability, gain authentication, or attract packets destined for other nodes. The goal is basically to attract all packets to the attacker for analysis, or to disable the network. Such attacks can be detected and the offending nodes can be identified.

Three attacks are particularly prominent against ad-hoc networks, most of them active attacks:

1. Attacks based on modification. This is the simplest way for a malicious node to disturb the operation of an ad-hoc network. The only task the malicious node needs to perform is to announce better routes (to reach other nodes, or just a specific one) than the ones presently existing. This kind of attack is based on modifying the metric value of a route or altering control message fields. There are three ways in which this can be achieved:
   - redirection by changing the route sequence number;
   - redirection by altering the hop count;
   - denial of service by altering routing information.

2. Impersonation attacks. More generally known as "spoofing", since the malicious node hides its IP and/or MAC address and uses that of another node. Since current ad-hoc routing protocols like AODV and DSR do not authenticate the source IP address, a malicious node can launch many attacks by using spoofing. Take for example a situation in which an attacker creates loops in the network to isolate a node from the remainder of the network. To do this, the attacker needs to spoof the IP address of the node it wants to isolate from the network and then announce a new route to the other nodes. By doing this, it can easily modify the network topology as it wants.

3. Attacks by fabrication of information. There are basically three sub-categories of fabrication attack, and in all three cases detection is very difficult:
   - falsification of route error messages;
   - corrupting routing state (route cache poisoning);
   - routing table overflow attack.
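The first two modification patterns above (a redirected route announced through an inflated sequence number, or through an understated hop count) leave traces that a node can check locally against its own routing table before it accepts the update. The following monitor is an added example written for this page, not code from the report or from any of the cited papers. The AODV-like message fields, the plausibility thresholds, and the stream of advertisements are all constructed assumptions; a real implementation would tie the thresholds to the protocol's actual sequence-number update rules.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RouteAdvert:
    """Fields modelled loosely on an AODV route reply (constructed for the example)."""
    src: str     # neighbour that sent the advertisement
    dest: str    # destination the advertised route leads to
    seqno: int   # destination sequence number claimed by src
    hops: int    # hop count claimed by src
    t: float     # receive time in seconds


@dataclass
class RouteEntry:
    seqno: int
    hops: int
    t: float


class RouteAdvertMonitor:
    """Flags advertisements whose sequence number or hop count is implausible
    relative to what this node already knows. All thresholds are assumptions."""

    def __init__(self, max_seq_jump: int = 10, max_seq_rate: float = 2.0,
                 max_hop_drop: int = 1):
        self.table: Dict[str, RouteEntry] = {}
        self.max_seq_jump = max_seq_jump   # jump accepted with no elapsed time
        self.max_seq_rate = max_seq_rate   # extra increments per second considered plausible
        self.max_hop_drop = max_hop_drop   # shortening accepted when the seqno is unchanged

    def check(self, adv: RouteAdvert) -> List[str]:
        alerts: List[str] = []
        # A hop count of 0 is only meaningful when the sender is the destination itself.
        if adv.hops < 0 or (adv.hops == 0 and adv.src != adv.dest):
            alerts.append(f"{adv.src} claims hop count {adv.hops} to {adv.dest} "
                          f"without being {adv.dest}")
        known = self.table.get(adv.dest)
        if known is not None:
            jump = adv.seqno - known.seqno
            elapsed = max(adv.t - known.t, 0.0)
            allowed = self.max_seq_jump + self.max_seq_rate * elapsed
            if jump > allowed:
                alerts.append(f"{adv.src} advanced seqno of {adv.dest} by {jump}, "
                              f"more than the {allowed:.0f} plausible in {elapsed:.0f}s")
            if adv.seqno == known.seqno and known.hops - adv.hops > self.max_hop_drop:
                alerts.append(f"{adv.src} shortens route to {adv.dest} from {known.hops} "
                              f"to {adv.hops} hops with an unchanged seqno")
        # Only clean advertisements that are fresher or shorter update the table.
        if not alerts and (known is None or adv.seqno > known.seqno
                           or (adv.seqno == known.seqno and adv.hops < known.hops)):
            self.table[adv.dest] = RouteEntry(adv.seqno, adv.hops, adv.t)
        return alerts


def run_demo() -> Dict[int, List[str]]:
    """Feed a constructed advertisement stream through the monitor; M is the odd node out."""
    stream = [
        RouteAdvert("A", "D", seqno=10, hops=3, t=0.0),   # first route to D, accepted
        RouteAdvert("B", "D", seqno=11, hops=3, t=1.0),   # ordinary refresh, accepted
        RouteAdvert("M", "D", seqno=500, hops=1, t=2.0),  # sequence number inflated
        RouteAdvert("M", "D", seqno=11, hops=0, t=3.0),   # hop count understated
    ]
    mon = RouteAdvertMonitor()
    return {i: mon.check(adv) for i, adv in enumerate(stream, start=1)}


if __name__ == "__main__":
    for i, alerts in run_demo().items():
        print(i, alerts or "ok")
```

The monitor is deliberately conservative: it never drops a route on its own, it only refuses to install the suspicious update and returns the alert strings, so that the local detection agent described later in this report can weigh them together with other evidence.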

3. Intrusion Detection for Mobile Ad Hoc Networks

3.1 Introduction

A wireless ad hoc network provides communication between various devices (nodes) via a shared wireless channel. However, unlike a more conventional wireless network, nodes in an ad hoc network communicate without the assistance of a fixed network infrastructure. Nodes within one another's radio range can communicate through wireless links and dynamically form networks [?]. Additionally, nodes must cooperate by forwarding packets so that nodes not directly connected or beyond radio range can communicate with each other. Often the nodes in an ad hoc network are mobile; these networks are called MANETs. Ad hoc networks are suited to situations where rapid network deployment is required or where it is prohibitively costly to deploy and manage a network infrastructure. Some examples include military soldiers in the field, emergency services in a disaster area, attendees in a conference room, sensors scattered throughout a city for biological detection, space exploration, the forestry or lumber industry, and temporary offices such as campaign headquarters [8]. While there has been much work on IDSs for traditional wired networks, it is difficult to apply much of this research to wireless ad hoc networks because of key architectural differences, most notably the lack of a fixed infrastructure. The lack of centralized audit points, such as switches, routers, and gateways, makes it difficult to collect audit data for the entire network. Data collection in a wireless ad hoc network is limited to activities taking place within radio range, so IDSs must work with localized, partial information. Also, without a centralized authority, the algorithms used for intrusion detection must be distributed in nature, yet it must be kept in mind that attacks may be made from nodes inside the network. This means that one of the nodes participating in a collaborative intrusion detection algorithm may be a malevolent node.

Additionally, while misuse detection can be applied successfully in traditional networks, this is not the case for wireless ad hoc networks. Since they are relatively new, not many specific attacks have emerged for wireless ad hoc networks. Therefore more emphasis should be given to anomaly-based detection. Anomaly-based IDSs detect patterns based on long-term modeling and the classification of normal and abnormal activity. Since wireless ad hoc networks are very dynamic in structure, this can be very challenging. And owing to mobility and power constraints, there is not always a clear separation between normalcy and anomaly in an ad hoc network. Constrained battery power also affects the detection algorithms used, since a limited power supply requires that intrusion detection algorithms be highly efficient.

3.2 Requirements for an IDS for Mobile Ad Hoc Networks

An IDS in a wireless ad hoc environment must be effective and efficient. An effective IDS correctly classifies normal and malicious activities. It must be fault-tolerant and resist subversion, and it must not introduce a new weakness into the network. An efficient IDS is cost-effective and uses few system resources, since to be effective an IDS must run continuously. An IDS in an ad hoc environment must work collaboratively to identify intrusions. And lastly, all IDSs must initiate a proper response when an intrusion is detected. In an ad hoc environment, these responses include reinitializing communication channels, identifying a compromised node and reorganizing the network to exclude that node, notifying the end user to take action, and even launching a counterattack.

3.3 Intrusion Prevention for Mobile Ad Hoc Networks


The prevention of intrusions in wireless ad hoc networks would require the development of new secure protocols or the modification of the logic of existing protocols to enhance their security. Traditional security solutions that require trusted authorities or certificate repositories are not well suited to securing wireless ad hoc networks, as these networks exhibit frequent partitioning due to node mobility and disconnection. Several solutions have been presented to deal with these issues using either a partially distributed certificate authority [9] or a self-organized public-key management system [10]. A self-organized key management system allows users to generate public/private key pairs, issue certificates, and perform authentication regardless of network partitions and without any centralized services or trusted authority. While these intrusion prevention techniques can be used to reduce intrusions, none is completely foolproof. History has shown us that regardless of the number and types of prevention measures inserted into a network, there are always some weak links through which attackers can gain access. As a second line of defense, an IDS can be used to identify an intrusion and eject the intruder, potentially before any damage is done. Given its inherent weaknesses, such a system is a necessity for a wireless ad hoc network.

4. Related Work

This section gives an overview of current research in intrusion detection for wireless ad hoc networks, including architecture, data sources for detection models, and detection algorithms.

4.1 Distributed Intrusion Detection


Zhang et al. [?] proposed a distributed and cooperative IDS for wireless ad hoc networks. In their system, every node participates in intrusion detection and response via an IDS agent placed on it. The IDS agent is divided into six pieces: a data collection module, a local detection agent, a cooperative detection agent, a local response module, a global response module, and a secure communication module, which provides a high-confidence communication channel among the nodes in the network. The data collection module gathers streams of audit data from various sources, including system activity within the node and communication activities by the node or observable by (within radio range of) the node. This data can be integrated and used in a multilayer intrusion detection method. The data gathered by the collection module is analyzed by the local detection agent for signs of an intrusion. Traditional IDSs use data only from the lower layers, as the application level can be protected through application-layer firewalls and application-specific modules. But in wireless networks there are no firewalls to protect the application layer, so intrusion detection in this layer becomes necessary. Also, certain attacks, for example a DoS attack, may be identified more quickly in the application layer. Therefore, this IDS uses modules from the lower layers as well as the application level. Detection at each layer can be initiated or aided by evidence from other layers. If a node considers the evidence of an intrusion "strong," it can independently determine that there is a network intrusion and initiate the proper response. However, if the node considers the evidence of intrusion weak, it can start the cooperative detection agent by propagating state information among neighboring nodes. This information could include only the level of confidence in an intrusion, or it could include the identity of the suspected malicious node along with the confidence level.
On receiving an anomaly state request, each node, including the initiator, sends its state information to its immediate neighbors. Each of the nodes then decides whether the majority of the reports received reflect an anomaly. If so, any node can conclude that the network is under attack. The node that makes such a conclusion can initiate an appropriate response. The intrusion response can be either local or global. In a local response, a node initiates actions local to itself, while in a global response, a node coordinates actions among neighboring nodes in the network. The actions taken are based on the network, the applications, and the confidence in the evidence. Some possible responses include forcing a re-key, or identifying the compromised node or nodes and reorganizing the network to exclude them. This system uses anomaly-based intrusion detection by creating a model that can be used to classify an action as normal or as a potential intrusion. The model is constructed by defining a set of features which can be used to classify a system state. Because the set of features that could potentially identify a system state is quite large, an unsupervised method is used to determine the subset to be used in classification, called the essential feature set. A classifier is then used to compute rules that partition the data into the two classes. Intrusion reports are created by examining the current state of the essential feature set and using this information to classify the system (network) state as normal or abnormal. The system was tested by creating four separate models, using two different feature sets with information available from the routing protocol, which collect data only from the local node. Two different classifiers were used: RIPPER, a decision-tree-equivalent classifier, and SVM Light, which partitions the data with a hyperplane. Simulation data was then run using three wireless ad hoc protocols: dynamic source routing (DSR), ad hoc on-demand distance vector routing (AODV), and destination-sequenced distance-vector routing (DSDV). In general, good results were obtained, particularly using the SVM Light classifier and the DSR protocol, which showed anomaly detection rates of approximately 99% and a false alarm rate below 0.1%.
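The two decision paths described above (an independent conclusion on strong evidence, and a majority vote over neighbours' state reports on weak evidence) can be simulated directly. The following is an added example written for this page, not Zhang et al.'s code: the confidence thresholds, the node scores, the neighbourhood, and the modelling of a compromised participant as one that always denies an anomaly are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed confidence thresholds of the local detection agent (not taken from the paper).
STRONG_EVIDENCE = 0.8   # at or above this score a node concludes on its own
WEAK_EVIDENCE = 0.4     # below this score a node sees nothing worth reporting


@dataclass
class IdsAgent:
    name: str
    score: float                # local anomaly score in [0, 1], constructed for the demo
    compromised: bool = False   # a subverted node misreports its state (assumption)

    def reported_state(self) -> bool:
        """State returned to an anomaly state request: True means 'anomaly seen'."""
        seen = self.score >= WEAK_EVIDENCE
        # A compromised participant is modelled as always denying an anomaly,
        # which is the case the majority rule has to tolerate.
        return False if self.compromised else seen


def decide(node: IdsAgent, neighbours: List[IdsAgent]) -> Tuple[str, int, int]:
    """Return (verdict, anomaly_reports, reports_counted) for `node`.

    Strong evidence: independent decision, no cooperation needed.
    Weak evidence: start cooperative detection and apply a majority rule over
    the reports of the initiator itself and its immediate neighbours.
    """
    if node.score >= STRONG_EVIDENCE:
        return ("intrusion", 1, 1)
    if node.score < WEAK_EVIDENCE:
        return ("normal", 0, 0)
    reports = [node.reported_state()] + [n.reported_state() for n in neighbours]
    anomalies = sum(reports)
    verdict = "intrusion" if 2 * anomalies > len(reports) else "normal"
    return (verdict, anomalies, len(reports))


def run_demo() -> Dict[str, Tuple[str, int, int]]:
    """Constructed six-node neighbourhood; M is the compromised node."""
    agents = [IdsAgent("A", 0.50), IdsAgent("B", 0.60), IdsAgent("C", 0.45),
              IdsAgent("D", 0.10), IdsAgent("E", 0.85),
              IdsAgent("M", 0.90, compromised=True)]
    nodes = {a.name: a for a in agents}
    adjacency = {"A": ["B", "C", "D", "M"], "B": ["A", "C"], "C": ["A", "B"],
                 "D": ["A"], "E": ["A", "M"]}
    return {name: decide(nodes[name], [nodes[x] for x in nbrs])
            for name, nbrs in adjacency.items()}


if __name__ == "__main__":
    for name, (verdict, yes, total) in run_demo().items():
        print(f"{name}: {verdict} ({yes} of {total} reports saw an anomaly)")
```

Node A has only weak local evidence, so it polls B, C, D and M; three of the five reports (its own included) indicate an anomaly, which outvotes both the quiet node D and the compromised node M. Node E needs no vote at all. The majority rule is what makes the scheme survive a single lying participant, but it also shows the limit the text warns about: a second colluding node in A's neighbourhood would flip the outcome.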

4.2 Hierarchical Cooperative Intrusion Detection

Sterne et al. [1] take Zhang et al.'s idea of a cooperative IDS and augment it with a dynamic hierarchical structure. While cooperative IDSs may be successful in detecting malicious behavior with respect to routing protocols, such systems have not been shown to be applicable to more conventional attacks. Additionally, a hierarchical structure is traditionally more amenable to growth. In a fully cooperative, distributed IDS such as the one discussed above, communication overhead can rise very quickly, on the order of the square of the number of nodes. A hierarchical model, on the other hand, allows data sharing without such a rapid increase in communication overhead. The proposed architecture was designed for military applications and as such mimics the structure found in such organizations, in that intrusion detection data is passed up the hierarchy while intrusion response directives flow down to the lower levels. Ad hoc networks typically construct routes using topology-based clustering. Nodes create neighborhoods based on proximity. Such clusters can then select a node to be a neighborhood representative, called a cluster head. The cluster heads then organize into a second level of clusters and select representatives who join a third level of clusters, and so on until all the nodes in the network are interconnected. In a dynamic hierarchical structure, the cluster head is selected based on a variety of attributes including connectivity, hardiness, power and storage capacity, and bandwidth capabilities.


In the proposed architecture, the nodes cooperate to protect the network but remain responsible for the intrusion detection mechanisms that protect themselves. The nodes share tasks such as monitoring, logging, analyzing, and reporting data at various layers of the network. Monitoring is both promiscuous and direct. Promiscuous monitoring is monitoring the communication of neighboring nodes even when a node is not involved in the transmission of a message. Direct monitoring involves a node reporting its own activity. In a fully cooperative IDS, all nodes monitor the traffic that flows through them. In the hierarchical model, monitoring responsibility is given to the two nodes that are the first and last hop between each pair of communicating nodes. The responsible nodes are updated automatically when a route changes, as a node is aware of the path a packet is taking and of its own position in the routing of the packet. This simple strategy can dramatically reduce the amount of communication overhead and duplicated effort. Additionally, this sort of monitoring is suitable for detecting conventional attacks on the network. Nodes at the lowest level are responsible for collecting certain data as well as for intrusion detection and reporting. The key principle in this system is that intrusion detection should occur at the lowest level of the hierarchy at which enough data is available to make an accurate decision. Since leaf nodes do not aggregate data, they generally do not analyze intrusion information, since this typically requires a large amount of data. This analysis is performed by the cluster heads, which collect data from their cluster members and perform detection computations on the consolidated data. A cluster head may query the members of its cluster or its peers for additional information. Additionally, a cluster head sends consolidated data to its superior.

Nodes at the top of the hierarchy have responsibility for managing the IDS through activities such as distributing decision rules and signatures of known attacks. A node's authority increases as it moves toward the top of the hierarchy, thus mimicking the structure found in many organizations.
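The claim that first-and-last-hop monitoring cuts duplicated effort is easy to make concrete by counting monitoring assignments for a set of routes under both schemes. The code below is an added example, not Sterne et al.'s implementation; the seven-node line topology and the three routes are constructed, and "first and last hop" is interpreted here as the forwarder adjacent to the source and the forwarder adjacent to the destination, which is an assumption about the paper's wording.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str]
Route = List[str]    # ordered node ids from source to destination


def cooperative_monitors(routes: Dict[Pair, Route]) -> Dict[str, Set[Pair]]:
    """Fully cooperative scheme: every forwarding node monitors each route it relays."""
    duty: Dict[str, Set[Pair]] = defaultdict(set)
    for pair, path in routes.items():
        for node in path[1:-1]:          # intermediate forwarders only
            duty[node].add(pair)
    return dict(duty)


def hierarchical_monitors(routes: Dict[Pair, Route]) -> Dict[str, Set[Pair]]:
    """Hierarchical scheme: only the first and the last forwarding hop watch a route
    (assumed reading of 'first and last hop'; see the lead-in)."""
    duty: Dict[str, Set[Pair]] = defaultdict(set)
    for pair, path in routes.items():
        if len(path) < 3:
            continue                     # a direct link has no forwarder to watch
        duty[path[1]].add(pair)          # forwarder next to the source
        duty[path[-2]].add(pair)         # forwarder next to the destination
    return dict(duty)


def total_assignments(duty: Dict[str, Set[Pair]]) -> int:
    """Number of (node, route) monitoring duties, a proxy for monitoring overhead."""
    return sum(len(pairs) for pairs in duty.values())


def monitors_of(duty: Dict[str, Set[Pair]], pair: Pair) -> Set[str]:
    return {node for node, pairs in duty.items() if pair in pairs}


# Constructed topology: a line A-B-C-D-E-F-G with three long-lived flows.
ROUTES: Dict[Pair, Route] = {
    ("A", "G"): ["A", "B", "C", "D", "E", "F", "G"],
    ("A", "F"): ["A", "B", "C", "D", "E", "F"],
    ("B", "G"): ["B", "C", "D", "E", "F", "G"],
}


def run_demo():
    """Return (cooperative duties, hierarchical duties, hierarchical duties after a reroute)."""
    coop = cooperative_monitors(ROUTES)
    hier = hierarchical_monitors(ROUTES)
    # Mobility moves the A->G flow onto a new path; responsibility follows the route.
    rerouted = dict(ROUTES)
    rerouted[("A", "G")] = ["A", "H", "C", "D", "G"]
    return coop, hier, hierarchical_monitors(rerouted)


if __name__ == "__main__":
    coop, hier, after = run_demo()
    print("cooperative duties:", total_assignments(coop))
    print("hierarchical duties:", total_assignments(hier))
    print("monitors of A->G after reroute:", sorted(monitors_of(after, ("A", "G"))))
```

On this topology the cooperative scheme hands out 13 duties against 6 for the hierarchical one, and the gap widens with route length, since each route costs two duties regardless of how many hops it spans. The reroute shows the other property the text describes: once A's traffic to G takes the path through H, the duty for that flow moves from B and F to H and D without any explicit reassignment.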

4.3 Mobile Agent-Based Intrusion Detection Systems


Kachirski and Guha [11] propose a distributed IDS for wireless ad hoc networks based on mobile agent technology. Mobile agents are autonomous software entities that can halt themselves, ship themselves to another agent-enabled host on the network, and continue execution, deciding where to go and what to do along the way [11]. Agents are dynamically updateable and have a specific functionality. The proposed system uses a modular architecture with several types of mobile agents that perform functions such as network monitoring, host monitoring, decision making, and action. Only certain nodes will have agents for network packet monitoring, while every node in the network will have an agent to monitor system- and application-level activities. In the cooperative decision-making process, every node decides on an intrusion threat level at the host level, while only those nodes containing a network monitoring agent participate in making decisions on a network-based intrusion. All nodes contain an action host that is responsible for responding to an intrusion. By distributing the functions of the IDS into separate modules, each represented by a lightweight mobile agent, the workload of intrusion detection is spread across the nodes of the network to minimize power consumption and reduce processing time. There are three agent classes: action, decision, and monitoring. The monitoring class is further divided into agents that monitor packet-level data, user (application) data, and system-level data. Since the agents that monitor network packets and make network intrusion detection decisions are located on a subset of the nodes of the network, a distributed algorithm is used to select the nodes that host these agents. The algorithm logically divides the mobile network into clusters with a single cluster head for each. The cluster head then hosts the network-monitoring sensor, which collects all packets within radio range and analyzes them for known patterns of attack. The cluster head monitors packets sent by every member of its cluster, while ignoring those sent by nodes outside its cluster. This prevents duplicate processing of packets by two different cluster heads. The packet information is inserted into a fixed-size queue, which is used by the decision agent to analyze the state of the network and its nodes. Local detection agents monitor local activity looking for suspicious activities. If an anomaly is detected with strong evidence, action is taken to terminate the suspicious activity. If an anomaly is detected with less confidence, the node reports its status to the decision-making agent on the cluster head. The proposed system thus uses a two-level decision-making process: individual nodes make decisions on their local state, while the global decision-making agent, located on the cluster head, collects information from the network and from all the nodes within its cluster. The agent can then conclude with some confidence whether a node has been compromised. When such a determination is made, the agent instructs the local node to take action. This action should result in a decreased threat level. If that does not occur, the node can be excluded from the network. The authors propose the use of an anomaly detection model to identify potential intrusions into the network.
"he mobile agent approach creates an &8 that minimi-es the use of scare computational and power resources. 5owever, at the same time, it creates points of failures that could be exploited by an attacker. "he authors recogni-e this limitation and propose additional research into an effective means of defense.

3.3 Cross-Feature Analysis for Intrusion Detection


As mentioned above, while misuse detection can be effectively used to identify intrusions in a wired network, this is not the case for ad hoc networks, given their relative infancy. Therefore, anomaly detection is currently the preferred methodology. Anomaly detection generally involves mining historical data to detect patterns related to normal and abnormal activities and then building a classifier based on these patterns. One method for building such a classifier is suggested in Ref. [12], using a technique for identifying anomalies called cross-feature analysis. A basic assumption for a network of any kind is that there exists a set of features that can unambiguously identify whether a network is in a normal or abnormal state. The set of features can be stored in a feature vector, and often there is a set of such feature vectors related to a normal network state. Cross-feature analysis attempts to explore the relationship between the values in the feature vector and the state of the network. Using all normal feature vectors, a classifier is built that predicts the value of a given feature based on the values of the other features and a normal system state. During the training process a classifier is built for each of the features $f_i$ in the feature vector, of the form $C_i : \{f_1, f_2, \ldots, f_{i-1}, f_{i+1}, \ldots, f_n\} \to f_i$. This classifier contains a set of rules or a decision tree that can predict the value of a feature given the other features. The assumption made is that if the predicted value of a feature does not match the actual value of the feature, there is an anomaly. At the end of the training process there exists a set of classifiers, one for each of the features in the feature vector. These classifiers are then used to analyze the network logs and identify anomalies. Two different algorithms are suggested. The simplest one is called average match count. When an event is analyzed, the classifiers are used to predict each of the features in the feature vector, and a count is kept of the number of matches that occur. A simple average is taken, and if the average number of matches is less than a designated threshold, the network is assumed to be in an abnormal state. A second algorithm is suggested that uses probabilities instead of the simple binary matching classification. Most classifiers can return the probability that the labeled feature contains a certain value, given the values of the remaining features. The classifiers are used to estimate the probability of each value in the feature vector. These probabilities are averaged, and again the network is assumed to be in an abnormal state if the average probability is less than a given threshold. Cross-feature analysis was tested using a feature vector designed to identify routing anomalies. Using a network simulator and four different routing protocols, two routing anomalies were generated: black hole attacks and selective packet dropping.
Three different classifiers were built using three different classification algorithms: decision tree, class association rules, and naïve Bayes. Near-perfect results were obtained using the decision tree classifier and average probability detection.

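The two scoring rules above (average match count and average probability) carried out end to end, as an added example that is not the code of Ref. [12] or of this project. The per-feature classifiers are conditional frequency tables learned from normal vectors only (a stand-in for the decision tree used in the paper), the feature names and the discretised sample vectors are constructed for the example, and the detection threshold of 0.5 is an assumption.

```python
from collections import Counter, defaultdict

# Constructed training data: a node's routing-behaviour feature vectors under
# normal operation, already discretised into levels (assumed feature names):
#   f1 = data-forwarding ratio, f2 = RREQ rate, f3 = RERR rate
NORMAL_TRAINING = (
    [("high", "low", "low")] * 6
    + [("high", "med", "low")] * 3
    + [("med", "med", "med")] * 2
    + [("high", "low", "med")]
)
# Constructed test vectors: one normal, one resembling a black hole (forwards
# nothing while generating many route requests to attract traffic).
NORMAL_VECTOR = ("high", "low", "low")
BLACK_HOLE_VECTOR = ("low", "high", "low")


class CrossFeatureAnalyzer:
    """One classifier C_i per feature, predicting f_i from all other features,
    learned from normal vectors only."""

    def __init__(self, normal_vectors):
        self.n = len(normal_vectors[0])
        # tables[i][context] -> Counter of f_i values seen with that context
        self.tables = [defaultdict(Counter) for _ in range(self.n)]
        self.marginals = [Counter() for _ in range(self.n)]
        for v in normal_vectors:
            for i, val in enumerate(v):
                self.tables[i][self._context(v, i)][val] += 1
                self.marginals[i][val] += 1

    @staticmethod
    def _context(v, i):
        return tuple(v[:i] + v[i + 1:])

    def _counts(self, v, i):
        # Fall back to the marginal distribution of f_i when this combination of
        # the other features was never seen during training.
        return self.tables[i].get(self._context(v, i)) or self.marginals[i]

    def predict(self, v, i):
        return self._counts(v, i).most_common(1)[0][0]

    def probability(self, v, i):
        """P(f_i = v[i] | other features) with Laplace smoothing, so a value that
        never occurred gets a small non-zero probability instead of 0."""
        counts = self._counts(v, i)
        k = len(self.marginals[i])          # distinct values of f_i in training
        return (counts[v[i]] + 1) / (sum(counts.values()) + k)

    def average_match_count(self, v):
        return sum(self.predict(v, i) == v[i] for i in range(self.n)) / self.n

    def average_probability(self, v):
        return sum(self.probability(v, i) for i in range(self.n)) / self.n

    def is_anomalous(self, v, threshold=0.5, method="probability"):
        score = (self.average_probability(v) if method == "probability"
                 else self.average_match_count(v))
        return score < threshold


analyzer = CrossFeatureAnalyzer(NORMAL_TRAINING)

if __name__ == "__main__":
    for name, vec in (("normal", NORMAL_VECTOR), ("black hole", BLACK_HOLE_VECTOR)):
        print(name, analyzer.average_match_count(vec),
              round(analyzer.average_probability(vec), 3), analyzer.is_anomalous(vec))
```

For the black-hole vector two of the three classifiers disagree with the observed value, so both the match-count average (1/3) and the probability average fall under the threshold, while the normal vector scores 1.0 on match count.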
3.4 SVM-Based Intrusion Detection Systems


An alternate method for using a set of features to classify a network state as normal or abnormal is to use a support vector machine (SVM) [13]. SVMs are classifiers that identify a hyperplane to separate two classes of data: positive and negative. Data is mapped to a very high-dimensional space using a special type of function called a kernel function. Then a hyperplane is defined that works as a decision boundary between the two classes of data. This idea works on the heuristic that data that appear non-separable in lower dimensions are separable in higher dimensions. The proposed SVM-based intrusion detection module has two components: an unsupervised SVM detection module, 1-SVMDM, which can be used when no training data is available, and a supervised SVM detection module, 2-SVMDM, which can be trained using available attack data. 1-SVMDM can be used until a system has a history that can be used to train 2-SVMDM. Unsupervised intrusion detection can be modeled as outlier detection, using the assumption that an abnormal state is sufficiently different from a normal network state. Once the system has been used for a period of time, the abnormal data (outliers) can be labeled as normal or abnormal and used to train the model and derive a new decision boundary. This revised decision model can then be used to classify a network state as normal or abnormal. The proposed IDS consists of four components: local data collection, SVM-based intrusion detection, local response, and global response. Data is collected locally from various network audit streams and is passed to the SVMDM. The SVMDM classifies the network state as normal or as a possible intrusion, in which case it also identifies the source node. The local response module distributes local detection results based on the data collected locally, while the global response module consolidates other nodes' locally collected data and makes a decision based on this consolidated data. The method of sharing data is dependent on the IDS architecture, and this type of detection is conducive to either a fully distributed architecture such as the system proposed by Zhang et al. [5] or a hierarchical architecture. The system was tested using a network simulator, which created simulations of two different DoS attacks against the AODV routing protocol: black hole attacks and frequent false routing requesting (FFRR). The detection rate for 2-SVMDM was approximately 96% for both the fully distributed and the hierarchical system architectures, with a slightly higher false alarm rate in the fully distributed system. 1-SVMDM was able to detect both types of attacks with a detection rate of approximately 85% but with a false alarm rate approaching 20%. While the system was tested on only a single routing protocol and a specific set of routing-based attacks, the authors believe that the system can be extended to other routing protocols and attack types with the appropriate parameter selection.

3.5 A Game Theory Approach to Intrusion Detection


Game theory has been used extensively to model a variety of problems, such as routing behavior and distributed power control, in wireless ad hoc networks. Patcha and Park [14] present the use of game theory to model the interaction between an attacker and an IDS. This scenario is modeled as a two-player game. The key to such a model is the interaction of the players, such that the actions of one player affect the other player in either a positive or a negative way. This is obviously the case for an IDS, as an intrusion negatively impacts the node being attacked, while stopping an intrusion has a negative impact on the attacker. Additionally, in game theory, a player always takes actions that are in that player's best interest. This, again, is the case with an IDS in wireless ad hoc networks. In the proposed game model, the objective of the attacker is to send a malicious message with the intention of attacking the other player, which is another node in the network. The intrusion is considered successful if the malicious message reaches the target without being detected, while the IDS is successful if it detects the intrusion and the intruding node is blocked. In the game theory model presented, the attacker is considered the sender and the host-based IDS is the receiver. The host-based IDS has a prior belief regarding the probability that a node is an attacker or a regular node. The IDS uses this probability to calculate the expected payoff from blocking the sender's transmission:

$\mathrm{Payoff}_{\mathrm{receiver}} = s\,C_{\mathrm{miss}} + t\,C_{\mathrm{falseAlarm}} - s\,t\,(C_{\mathrm{detect}} + C_{\mathrm{falseAlarm}} + C_{\mathrm{miss}})$   (1)

where $C_{\mathrm{miss}}$ is the cost of missing an intrusion, $C_{\mathrm{falseAlarm}}$ the cost of a false alarm, $C_{\mathrm{detect}}$ the gain of detection, $s$ the probability that the sender is an attacker, and $t$ the probability of detecting the intrusion. The payoff for the attacker is found using

$\mathrm{Payoff}_{\mathrm{sender}} = t\,B_{\mathrm{caught}} + (1 - t)\,B_{\mathrm{intrude}}$   (2)

where $B_{\mathrm{caught}}$ is the cost of being detected and blocked and $B_{\mathrm{intrude}}$ the gain of a successful intrusion. The strategy for the sending node is to decide whether to send a message based on the strategy of the IDS, and to send a message if doing so maximizes its expected payoff. The choice of strategy by the IDS is based on the receiver's prior belief, calculated using Bayes' rule, so that it is able to maximize the effective payoff by minimizing the cost due to false alarms and missed attacks. Since Bayes' theorem is recursive in nature, these probabilities will be recalculated regularly, and this should reduce the number of false alarms and missed intrusions.

3.6 Combining Misuse Detection with Anomaly Detection


The idea of combining anomaly detection with misuse detection is presented by Nadkarni and Mishra [18]. The idea behind this approach is that while anomaly detection leads to a high degree of false positives and misuse detection can miss some attacks, the combination of the two methods is superior to using either separately. Additionally, this proposed IDS is adaptive in adjusting its thresholds to abnormal activities, effective with an average accuracy rate of over 90%, efficient in conserving resources and power consumption, and protocol-independent. The proposed IDS can be broken into three stages: initialization, audit data analysis, and threshold adjustment. During the initialization phase, a node analyzes network traffic and gathers information about the normal behavior of the network. Using this information, initial threshold values are created for each of the "normal" occurrences of attack-like actions in the network. Two arrays are maintained: one with predefined threshold values that store the maximum number of symptoms for each attack that occur under normal operating conditions, and another array of maximum time intervals during which such symptoms occur. During the operating stage, audit data consisting of routing updates and packet headers is used for analysis and identification of abnormal behavior. At each node, a three-dimensional array of abnormal event counters is maintained. It consists of a counter related to each attack, for each of the other nodes in the network, and for each variation in the type of abnormal behavior for the attack. Neither one incident of abnormal behavior nor a series of widely dispersed incidents signals an attack. However, a series of abnormal behaviors all associated with the same attack symptoms occurring at higher-than-normal frequency may signify an attack. Therefore this set of counters is maintained, one for each type of attack. A counter is incremented when a related incident occurs, and after a single incident of abnormal behavior the suspicious status of the related node is noted and the activity of the node is monitored for a possible intrusion. If the suspicious node continues to display abnormal behavior that can be interpreted as some symptom of the attack, or a variation of such an attack, during a specific time frame, the IDS identifies that there is an intrusion and initiates an appropriate response. The adaptive properties of this IDS are noted in the threshold adjustment stage. After regular time intervals without an intrusion, threshold values are adjusted. This is to prevent the possibility that malicious nodes are operating just under a threshold level. Therefore the threshold for each attack, or variation of such an attack, is increased by a fixed percentage. If an attack does occur, the threshold is adjusted to take into account the properties of the attack. It is revised to the difference between the detected rate of abnormal behaviors and the "normal" rate of abnormal behaviors, multiplied by the time interval of the attack. The proposed IDS was tested using the user datagram protocol (UDP) and mobile nodes, with the testing focusing on the detection accuracy when varying node mobility and density. Preliminary results showed that the IDS detected malicious nodes over 90% of the time with a low false alarm rate of approximately 2%.

3.7 Watchdog and Pathrater


One of the earliest proposals for an IDS for wireless ad hoc networks is by Marti et al. [7]. While the goal of their proposal is to increase throughput in the network, it focuses on intrusion prevention methods by introducing two overlays to the DSR algorithm, in which every packet has a route path that consists of nodes that have agreed to forward the packet. The proposed system consists of two tools to detect and mitigate abnormal routing behavior. The Watchdog tool identifies misbehaving nodes, while Pathrater aids the routing protocol in avoiding such nodes.

Figure 5: Watchdog Operation

Watchdog works by using promiscuous listening. Each node in a routing path verifies that its successor appropriately forwards the message to the next node in the path. For example, node S wishes to send a message to node D using the routing path S-A-B-C-D. When node B forwards a packet to D through C, A can listen to B's transmission and verify that B has attempted to pass the packet to C. Additionally, if encryption is performed separately for each link, A can also tell if B has tampered with the header or the message itself. Since failing to forward a single packet is not indicative of a malicious node, each node maintains statistics for the routing behavior of its neighbors. This is accomplished by maintaining a buffer of recently sent packets. Each time a node overhears a message, it compares it with the packets in the buffer to see if there is a match. If there is a match, the packet is removed from the buffer. If a packet remains in the buffer for longer than a specified time period, the Watchdog increments a failure counter for the node responsible for forwarding the packet. After the counter exceeds a certain threshold, the node is identified as misbehaving and a message is sent to the source identifying the misbehaving node. The information collected by Watchdog can be used by the Pathrater to determine an efficient route that avoids routing packets through misbehaving nodes. Each node maintains a rating for all other nodes in the network. A newly discovered node receives a neutral score. For every time interval in which a node acts appropriately in forwarding a message, its score is increased. However, if Watchdog notes that a node failed to forward a packet, the node's score is decremented. If a node is designated as misbehaving, it receives a high negative score. When computing a route, each potential path for a message receives a score, which is the average rating of the nodes in the path. If there are multiple paths to the same node, the path with the highest score is chosen. This guarantees that messages are routed through the most reliable nodes. Even though the combination of Watchdog and Pathrater increases the overhead at a node, testing showed that overall network throughput was increased. Additionally, simulations showed that network throughput was not adversely affected by false detection.
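The Watchdog buffer/timeout/failure-counter mechanism and the Pathrater path scoring described above, as an added example that is not the code of Marti et al. [7] or of this project. The timeout, failure threshold, rating constants and the grey-hole traffic pattern on the path S-A-B-C-D are constructed for the example.

```python
class Watchdog:
    """Promiscuous-mode check that a successor forwards what it was handed."""

    def __init__(self, timeout, failure_threshold):
        self.timeout = timeout
        self.failure_threshold = failure_threshold
        self.buffer = {}        # (next_hop, packet_id) -> time the packet was handed over
        self.failures = {}      # next_hop -> number of packets never overheard
        self.misbehaving = set()

    def sent(self, next_hop, packet_id, now):
        self.buffer[(next_hop, packet_id)] = now

    def overheard(self, forwarder, packet_id):
        # The successor retransmitted the packet: the buffered copy can go.
        self.buffer.pop((forwarder, packet_id), None)

    def tick(self, now):
        """Expire packets still buffered past the timeout; each one is a failure
        charged to the node that should have forwarded it.  Returns those nodes."""
        expired = [key for key, t_sent in self.buffer.items() if now - t_sent > self.timeout]
        for hop, pid in expired:
            del self.buffer[(hop, pid)]
            self.failures[hop] = self.failures.get(hop, 0) + 1
            if self.failures[hop] > self.failure_threshold:
                self.misbehaving.add(hop)   # the real protocol also notifies the source
        return [hop for hop, _ in expired]


class Pathrater:
    """Per-node ratings; a path scores the average rating of its nodes."""
    NEUTRAL, STEP, MISBEHAVING = 0.5, 0.01, -100.0

    def __init__(self):
        self.rating = {}

    def rate(self, node):
        return self.rating.setdefault(node, self.NEUTRAL)

    def good_interval(self, node):
        self.rating[node] = self.rate(node) + self.STEP

    def failed(self, node):
        self.rating[node] = self.rate(node) - self.STEP

    def flag(self, node):
        self.rating[node] = self.MISBEHAVING

    def path_score(self, path):
        return sum(self.rate(n) for n in path) / len(path)

    def choose(self, paths):
        return max(paths, key=self.path_score)


def run_scenario():
    """Constructed traffic on the path S-A-B-C-D: A hands B ten packets, one per
    second.  B is a grey hole that forwards only the even-numbered packets, so A
    never overhears the odd ones and they expire in A's buffer."""
    wd = Watchdog(timeout=1.0, failure_threshold=3)
    pr = Pathrater()
    for pid in range(10):
        now = float(pid)
        wd.sent("B", pid, now)
        if pid % 2 == 0:
            wd.overheard("B", pid)
            pr.good_interval("B")
        for hop in wd.tick(now + 1.5):   # A's watchdog timer fires after the timeout
            pr.failed(hop)
            if hop in wd.misbehaving:
                pr.flag(hop)
    # Two candidate routes from S to D: through B, or through a well-behaved node E.
    paths = [["A", "B", "C"], ["A", "E", "C"]]
    return {
        "failures_charged_to_B": wd.failures.get("B", 0),
        "misbehaving": sorted(wd.misbehaving),
        "score_via_B": pr.path_score(paths[0]),
        "chosen_path": pr.choose(paths),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The fourth expired packet pushes B over the failure threshold, Pathrater gives B the high negative score, and the alternative path through E wins the route selection.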

4. Intrusion Detection in MANETs

4.1 Assumptions and Observations

We assume that packet drops are one result of an intrusion, which may be a grey-hole attack or a black-hole attack. A limit for the packet drops is also specified, and an alarm is raised when that limit is crossed. Here we track only grey-hole and black-hole attacks. The protocols used are DSDV and AODV [15].

4.2 Universal deployment

A MANET IDS should be able to function on any mobile device participating in the MANET, and not require additional special or superior capabilities compared to its peers. The IDS must be universally deployable and should ideally be able to adapt dynamically to the existing capabilities of a device to maximize its effectiveness and efficiency.

4.3 Platform

The platform chosen for simulating the prototype of the threshold-based intrusion detection is NS2 (Network Simulator Version 2) [15]. We are simulating a total of fifteen nodes.

4.4 Proposed approach

We detect intrusion by neighboring nodes through their deviation from known or expected behaviour. We monitor the drops, as we track only grey-hole and black-hole attacks. A threshold is fixed for the drops per second, and when that threshold is crossed the IDS gives an alert saying probable intrusion. We have set the threshold at a maximum of 5 packet drops per second. It is set at 5 packets per second because packets are also dropped due to congestion; hence we need to allow for congestion, which is most of the time a non-intruder phenomenon. The nodes are monitored every 1 second for the drops in that second. If the drops are more than the threshold, the alert of intrusion is raised and that node is isolated from the topology. The assumption is that 1 more packet drop is an anomaly caused by an intrusion, when the intruder introduces a grey-hole attack (where a selective type of packets are forwarded and all the rest are dropped) or a black-hole attack (where the node drops all the packets that come to it, creating the black hole). In total 15 nodes are simulated in the topology and each one is monitored using monitors [15].
Figure 7: Proposed IDS Architecture

4.5 Practical considerations

For the IDS to be effective it has to be scalable. It may be possible in certain situations to have a list of suspects that can be watched instead of all the nodes in the neighbourhood. Another possibility is to monitor a random choice of neighbour nodes. We also have to account for the buffering capacity of nodes. Using threshold-based detection will potentially allow a malicious node to go unnoticed if it drops a few packets intermittently. However, the damage caused by such intermittent packet drops will be acceptable and will not significantly affect the MANET. If a node exceeds a small threshold of such allowed "misbehaviour" it will be detected and classified as intrusive. An attacker cannot significantly disrupt communication while staying under the detection threshold, but will be detected if the threshold is crossed, i.e. the impact of such an attack will be negligible if an appropriate threshold is chosen. Consider the three relative movements of node C with respect to A & B, with B being monitored, as shown in Figure 8. The relative movement of the monitoring node with respect to its neighbours can cause false positives. In (i), (ii) & (iii), C is moving left horizontally while monitoring B. When it gets out of range of B, it will continue to hear packets sent by A to B to be forwarded, but it is out of range of B. Initially these will be registered as packet drops by B; however, the neighbour table will soon be updated since HELLO messages from B will no longer be heard. The time-out periods are always chosen to be longer than the HELLO message intervals, thus accounting for such situations. In (a), (b) & (c) the movement is towards B and away from A. So there will be no intrusions detected, since A will go out of range first. In (1), (2) & (3) the movement is perpendicular and equidistant from A & B. Trivially, C can hear either both A & B or neither, so there cannot be any false positives.

Figure 8: Effects of mobility on IDS

4.6 Implementation

In total 15 nodes are simulated in the scenario. The nodes use either AODV or DSDV. In our implementation the malicious behaviour is implemented by modifying AODV, i.e. the node using the modified AODV protocol behaves maliciously and represents a grey-hole attack. The drops from each node are tracked, and the node which crosses the threshold is a suspect of intrusion.

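The threshold check of the proposed approach (at most 5 drops per node per 1-second window, suspects isolated from the topology) run over NS-2 trace lines, as an added example that is not the project's own NS-2/TCL code. The trace lines are constructed in the old NS-2 wireless trace layout and only their leading fields (event, time, node, layer) are interpreted; the node numbers and drop reasons are constructed for the example.

```python
from collections import defaultdict

THRESHOLD = 5        # maximum tolerated drops per second (the page's value)
WINDOW = 1.0         # monitoring interval in seconds (the page checks every 1 s)


def parse_event(line):
    """Leading fields of an old-style NS-2 wireless trace line:
    event time _node_ layer ...   Returns (event, time, node_id, layer) or None."""
    fields = line.split()
    if len(fields) < 4 or fields[0] not in ("s", "r", "d", "f"):
        return None
    if not (fields[2].startswith("_") and fields[2].endswith("_")):
        return None
    return fields[0], float(fields[1]), int(fields[2].strip("_")), fields[3]


def drops_per_window(lines):
    """Count 'd' (drop) events per (node, 1-second window)."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev[0] != "d":
            continue
        _, t, node, _layer = ev
        counts[(node, int(t // WINDOW))] += 1
    return counts


def detect_intrusions(lines, threshold=THRESHOLD):
    """{node: first window in which its drops exceeded the threshold}."""
    flagged = {}
    for (node, win), n in sorted(drops_per_window(lines).items(), key=lambda kv: kv[0][1]):
        if n > threshold and node not in flagged:
            flagged[node] = win
    return flagged


def isolate(nodes, flagged):
    """Isolation step: suspects are removed from the set of usable nodes."""
    return sorted(set(nodes) - set(flagged))


def _trace(event, t, node, layer, seq):
    # Constructed line in the old NS-2 wireless trace layout; the trailing
    # fields are filler and are not interpreted by parse_event.
    return (f"{event} {t:.6f} _{node}_ {layer}  --- {seq} cbr 512 "
            f"[0 0 0 0] ------- [0:0 9:0 32 0] [{seq}] 0 0")


# Constructed trace: node 7 acts as a black hole and drops 8 packets between
# t=12.0 and t=12.7; node 3 drops 3 packets from a full interface queue
# (congestion) in the same second; node 5 drops exactly 5 in the next second,
# which is at the threshold but not above it.
TRACE = (
    [_trace("s", 12.0, 1, "AGT", 100), _trace("r", 12.3, 9, "AGT", 50)]
    + [_trace("d", 12.0 + 0.1 * i, 7, "RTR", 100 + i) for i in range(8)]
    + [_trace("d", 12.05 + 0.2 * i, 3, "IFQ", 200 + i) for i in range(3)]
    + [_trace("d", 13.1 + 0.1 * i, 5, "RTR", 300 + i) for i in range(5)]
)

if __name__ == "__main__":
    suspects = detect_intrusions(TRACE)
    print("probable intrusion:", suspects)                 # {7: 12}
    print("nodes kept in topology:", isolate(range(15), suspects))
```

Congestion drops at node 3 and the borderline case at node 5 stay under the alert, which is the reason the page gives for not setting the threshold at zero.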
Prototype implementation and Analysis

5.1 Network Simulation with NS-2

The project is simulated in an ad-hoc network environment. Here simulation has been chosen rather than a real wireless network because:
i. The deployment and debugging of wireless applications in a real network is rather expensive.
ii. Hardware support is unavailable.
iii. Since MANETs have not yet been widely deployed, no actual data is currently available that allows comprehensive attack analysis.

Implementation and simulation in NS-2 needs four phases [15]. They are:
Phase 1: Implementing the proposed scenario by a combination of C++ & TCL code in NS-2.
Phase 2: Analyzing the simulation in the TCL script.
Phase 3: Running the simulation.
Phase 4: Analyzing the generated trace files after running the simulation.

5.2 Static simulation Parameters

PARAMETERS                      VALUES
Channel capacity                2 Mbps
Channel model                   Free space propagation / Two ray ground model
Node placement                  Uniform
Antenna type                    Omni directional
MAC layer                       IEEE 802.11
Interface Queue type            Drop-tail / Priority Queue
Interface Queue length          50
Routing protocols               AODV & DSDV
Number of nodes                 15
Moving region                   800 × 600
Mobility model                  Random way point model
Minimum speed                   3 m/s
Maximum speed                   5 m/s
Traffic                         CBR (UDP/TCP)
Interval transmission time      0.005 s
Data packet size                512 bytes
Trace for intrusion             Every 1 second
Threshold                       5 packets / second
Simulation time                 170 seconds

Figure 9: Simulation Parameters

5.3 Results from ns2 simulated environment

Figure 10: Channel utilization by AODV with no malicious nodes

These results were obtained when all the nodes were set with AODV routing, before any node was made malicious. We see that the channel was utilized to the maximum.

Figure 11: Channel utilization by DSDV with no malicious nodes

These results were obtained when all the nodes were set with DSDV routing. The network is not as well utilized as compared to AODV.

A snapshot of the NS-2 environment used in this project work is shown in Figure 12 below. The figure shows the placement of mobile nodes, the packets, and their radio transmission.

Figure 12: Snapshot of simulated environment in NS-2 (the dropped packet is labelled in the figure)

Figure 12: Snapshot of simulated environment in NS-2 (cont.)

Figure 13: Snapshot of trace file of NS-2

Figure 13 shows the format of a trace file, which consists of the packet details for sender and receiver.

Conclusion and Future Work

6.1 Conclusion

MANETs are increasingly implemented for situations where fixed infrastructure networks are not practical. However, with this flexibility comes an additional security burden. Intrusion prevention is not always practical, so intrusion detection becomes an important second line of defense. Because of this, there has recently been a significant amount of research on this topic. This project is one such attempt to defend the system from intruders. Although we have limited the detection to grey-hole and black-hole attacks only, it can be improved to accommodate the detection of other types of attack.

6.2 Future work

Here the detection is only prototyped for grey-hole and black-hole attacks; it can be further enhanced to accommodate the detection of other types of attacks as well. Modification to fulfil the system requirements is ongoing, and the current prototype may also be improved. The implemented prototype is simulated using the NS-2 simulator. If it could be implemented in a real wireless network environment, the results could be more accurate. Since this is just a simulation, the actual implementation of the prototype for detection of intrusion in real wireless networks remains future work for this prototype.

References

[1] Sterne, D., Balasubramanyam, P., Carman, D., Wilson, B., Ko, C., Balupari, R., Tseng, C.-Y., Bowen, T., Levitt, K. and Rowe, J., A general cooperative intrusion detection architecture for MANETs, in The 3rd IEEE International Workshop on Information Assurance, March 2005.
[2] Ma, L. and Tsai, J.J.P., Security Modeling and Analysis of Mobile Agent Systems, Imperial College Press, London, 2006.
[3] Ma, L. and Tsai, J.J.P., Attacks and countermeasure in software system security, Handbook of Software Engineering and Knowledge Engineering, Vol. 1, World Scientific Publisher, Singapore, 2005.
[4] Yu, Z. and Tsai, J.J.P., An efficient intrusion detection system using a boosting-based learning algorithm, International Journal of Computer Applications in Technology, 27(4):223–231, 2006.
[5] Zhang, Y., Lee, W. and Huang, Y., Intrusion detection techniques for mobile wireless networks, ACM Wireless Networks, 9(5):545–556, 2003.
[6] Brutch, P. and Ko, C., Challenges in intrusion detection for wireless ad-hoc networks, Symposium on Applications and the Internet Workshops (SAINT'03 Workshops), 2003.
[7] Marti, S., Giuli, T., Lai, K. and Baker, M., Mitigating routing misbehavior in mobile ad hoc networks, in Proceedings of the 6th Annual International Conference on Mobile Computing and Networking, pp. 255–265, August 2000.
[8] Nadkarni, K. and Mishra, A., A novel intrusion detection approach for wireless ad hoc networks, IEEE Wireless Communications and Networking Conference, 2:831–836, March 2004.
[9] Zhou, L. and Haas, Z.J., Securing ad hoc networks, IEEE Network, 13(6):24–30, 1999.
[10] Capkun, S., Buttyan, L. and Hubaux, J.P., Self-organized public-key management for mobile ad hoc networks, IEEE Transactions on Mobile Computing, 2(1):52–64, 2003.
[11] Kachirski, O. and Guha, R., Effective intrusion detection using multiple sensors in wireless ad hoc networks, in Proceedings of the 36th Annual Hawaii International Conference on System Sciences, 2(2):57, 2003.
[12] Huang, Y.A., Fan, W., Lee, W. and Yu, P.S., Cross-feature analysis for detecting ad-hoc routing anomalies, in Proceedings of the 23rd International Conference on Distributed Computing Systems, p. 478, September 2003.
[13] Deng, H., Zeng, Q.A. and Agrawal, D.P., SVM-based intrusion detection system for wireless ad hoc networks, in Proceedings of the 58th IEEE Vehicular Technology Conference, Vol. 3, pp. 2147–2151, October 2003.
[14] Patcha, A. and Park, J.M., A game theoretic approach to modeling intrusion detection in mobile ad hoc networks, in Proceedings of the 5th Annual IEEE Information Assurance Workshop, pp. 280–284, June 2004.
[15] Fall, K. (Editor) and Varadhan, K. (Editor), The ns Manual, The VINT Project, a collaboration between researchers at UC Berkeley, LBL, USC/ISI and Xerox PARC.
[16] Huang, Y. and Lee, W., Attack analysis and detection for ad hoc routing protocols, in Recent Advances in Intrusion Detection: 7th International Symposium, RAID 2004, 2004.
[17] Hu, Y.-C. and Perrig, A., A survey of secure wireless ad hoc routing, 02 (2004).
[18] Klein-Berndt, L., "A Quick Guide to AODV Routing", NIST (National Institute of Standards and Technology).
[19] Perkins, C. E. and Bhagwat, P., "Highly Dynamic Destination Sequenced Distance Vector Routing (DSDV) for Mobile Computers", in Proceedings of SIGCOMM, 1994.

Appendix I: Working of AODV [18]

Figure 14: Nodes and their Radio ranges

AODV is a method of routing messages between mobile computers. It allows these mobile computers, or nodes, to pass messages through their neighbors to nodes with which they cannot directly communicate. AODV does this by discovering the routes along which messages can be passed. AODV makes sure these routes do not contain loops and tries to find the shortest route possible. AODV is also able to handle changes in routes and can create new routes if there is an error. The diagram above shows a set-up of four nodes on a wireless network. The circles illustrate the range of communication for each node. Because of the limited range, each node can only communicate with the nodes next to it. Nodes you can communicate with directly are considered to be Neighbors. A node keeps track of its Neighbors by listening for a HELLO message that each node broadcasts at set intervals. When one node needs to send a message to another node that is not its Neighbor, it broadcasts a Route Request (RREQ) message. The RREQ message contains several key bits of information: the source, the destination, the lifespan of the message and a Sequence Number which serves as a unique ID.
Figure 15: RREQ packet transmission

In the example, Node 1 wishes to send a message to Node 3. Node 1's Neighbors are Nodes 2 and 4. Since Node 1 cannot directly communicate with Node 3, Node 1 sends out a RREQ. The RREQ is heard by Node 4 and Node 2.

Figure 16: RREP reply for RREQ

When Node 1's Neighbors receive the RREQ message they have two choices: if they know a route to the destination or if they are the destination, they can send a Route Reply (RREP) message back to Node 1; otherwise they will rebroadcast the RREQ to their set of Neighbors. The message keeps getting rebroadcast until its lifespan is up. If Node 1 does not receive a reply in a set amount of time, it will rebroadcast the request, except this time the RREQ message will have a longer lifespan and a new ID number. All of the Nodes use the Sequence Number in the RREQ to ensure that they do not rebroadcast a RREQ they have already seen.

In the example, Node 2 has a route to Node 3 and replies to the RREQ by sending out a RREP. Node 4, on the other hand, does not have a route to Node 3, so it rebroadcasts the RREQ.

Figure 17: Sequence numbering of packets

Sequence numbers serve as time stamps. They allow nodes to compare how "fresh" their information on other nodes is. Every time a node sends out any type of message it increases its own Sequence number. Each node records the Sequence number of all the other nodes it talks to. A higher Sequence number signifies a fresher route. Thus it is possible for other nodes to figure out which one has more accurate information. In the example, Node 1 is forwarding a RREP to Node 4. It notices that the route in the RREP has a better Sequence number than the route in its Routing List. Node 1 then replaces the route it currently has with the route in the Route Reply.

Figure 18: RERR messages

The Route Error Message (RERR) allows AODV to adjust routes when Nodes move around. Whenever a Node receives a RERR it looks at the Routing Table and removes all the routes that contain the bad Nodes. The diagrams above illustrate the three circumstances under which a Node would broadcast a RERR to its neighbors.

In the first scenario the Node receives a Data packet that it is supposed to forward, but it does not have a route to the destination. The real problem is not that the Node does not have a route; the problem is that some other node thinks that the correct Route to the Destination is through that Node. In the second scenario the Node receives a RERR that causes at least one of its Routes to become invalidated. If that happens, the Node sends out a RERR listing all the Nodes which are now unreachable. In the third scenario the Node detects that it cannot communicate with one of its Neighbors. When this happens it looks at the route table for Routes that use the Neighbor as a next hop and marks them as invalid. Then it sends out a RERR with the Neighbor and the invalid routes.

AODV characteristics:
Will find routes only as needed.
Use of Sequence numbers to track accuracy of information.
Only keeps track of the next hop for a route instead of the entire route.
Use of periodic HELLO messages to track Neighbors.
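The route discovery walk-through of this appendix (RREQ flooding with duplicate suppression, RREP returned along the reverse route, and sequence numbers deciding which route is fresher), as an added example that is not the NIST guide's or the project's code. It uses the four-node topology of Figures 14 to 17; Node 2's pre-existing route to Node 3 and its destination sequence number are constructed for the example, and the TTL is an assumption.

```python
from collections import deque


class Node:
    def __init__(self, nid, neighbors):
        self.id = nid
        self.neighbors = sorted(neighbors)   # learned from HELLO messages in real AODV
        self.seq = 0                         # own sequence number
        self.rreq_id = 0
        self.routes = {}                     # dest -> {"next_hop", "hops", "seq"}
        self.seen_rreqs = set()              # (source, rreq_id) pairs already handled

    def update_route(self, dest, next_hop, hops, seq):
        """Install the route only if it is fresher (higher seq) or, at equal
        freshness, shorter.  Returns True when the table changed."""
        cur = self.routes.get(dest)
        if cur is None or seq > cur["seq"] or (seq == cur["seq"] and hops < cur["hops"]):
            self.routes[dest] = {"next_hop": next_hop, "hops": hops, "seq": seq}
            return True
        return False


class Network:
    def __init__(self, links):
        nbrs = {}
        for a, b in links:
            nbrs.setdefault(a, set()).add(b)
            nbrs.setdefault(b, set()).add(a)
        self.nodes = {n: Node(n, ns) for n, ns in nbrs.items()}
        self.log = []

    def discover(self, src, dst, ttl=3):
        """Flood a RREQ from src; every node holding a route to dst (or dst itself)
        answers with a RREP that travels back along the reverse routes."""
        s = self.nodes[src]
        s.rreq_id += 1
        s.seq += 1
        s.seen_rreqs.add((src, s.rreq_id))
        queue = deque([(src, None, 0)])      # (holder, previous hop, hops so far)
        repliers = []
        while queue:
            holder, prev, hops = queue.popleft()
            node = self.nodes[holder]
            if prev is not None:             # reverse route toward the source
                node.update_route(src, prev, hops, s.seq)
            if holder == dst or dst in node.routes:
                repliers.append(holder)
                self._send_rrep(holder, src, dst)
                continue                      # a replier does not rebroadcast
            if hops >= ttl:
                continue                      # the RREQ's lifespan is over
            for nb in node.neighbors:
                if (src, s.rreq_id) in self.nodes[nb].seen_rreqs:
                    continue                  # duplicate RREQ, ignored
                self.nodes[nb].seen_rreqs.add((src, s.rreq_id))
                self.log.append(f"RREQ({src}->{dst}) from {holder} heard by {nb}")
                queue.append((nb, holder, hops + 1))
        return repliers

    def _send_rrep(self, replier, src, dst):
        r = self.nodes[replier]
        if replier == dst:
            r.seq += 1
            dseq, hops = r.seq, 0
        else:
            dseq, hops = r.routes[dst]["seq"], r.routes[dst]["hops"]
        cur = replier
        while cur != src:
            nxt = self.nodes[cur].routes[src]["next_hop"]   # follow the reverse route
            hops += 1
            self.nodes[nxt].update_route(dst, cur, hops, dseq)
            self.log.append(f"RREP({dst}) from {cur} to {nxt}")
            cur = nxt


def run_example():
    """The appendix scenario: Node 1's neighbours are 2 and 4; Node 2 already has
    a route to Node 3 (constructed: 1 hop, destination sequence number 5)."""
    net = Network([(1, 2), (1, 4), (2, 3)])
    net.nodes[2].update_route(3, 3, 1, 5)
    repliers = net.discover(1, 3)
    route = dict(net.nodes[1].routes[3])
    # Sequence numbers decide freshness: a later RREP via Node 4 is ignored when it
    # carries a lower number and accepted when it carries a higher one.
    stale = net.nodes[1].update_route(3, 4, 2, 3)
    fresh = net.nodes[1].update_route(3, 4, 3, 6)
    return {"repliers": repliers, "route_at_1": route,
            "node4_knows_3": 3 in net.nodes[4].routes,
            "stale_rrep_accepted": stale, "fresh_rrep_accepted": fresh, "log": net.log}


if __name__ == "__main__":
    print(run_example())
```

Node 4 hears the RREQ but, having no route to Node 3 and no unvisited neighbours, cannot answer it; only Node 2's RREP installs a route at Node 1.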

39

A..endi, A II: %or"ing of DSD' >1;?

Packets are transmitted between the stations of the network by using routing tables which are stored at each station of the network. Each routing table, at each of the stations, lists all available destinations and the number of hops to each. Each route table entry is tagged with a sequence number which is originated by the destination station. To maintain the consistency of routing tables in a dynamically varying topology, each station periodically transmits updates, and transmits updates immediately when significant new information is available. These packets indicate which stations are accessible from each station and the number of hops necessary to reach these accessible stations, as is often done in distance-vector routing algorithms. The packets may be transmitted containing either layer 2 (MAC) addresses or layer 3 (network) addresses. Routing information is advertised by broadcasting or multicasting the packets, which are transmitted periodically and incrementally as topological changes are detected, for instance when stations move within the network. Data is also kept about the length of time between the arrival of the first and the arrival of the best route for each particular destination. Based on this data, a decision may be made to delay advertising routes which are about to change soon, thus damping fluctuations of the route tables. The advertisement of routes which may not have stabilized yet is delayed in order to reduce the number of rebroadcasts of possible route entries that normally arrive with the same sequence number. The DSDV protocol requires each mobile station to advertise, to each of its current neighbors, its own routing table (for instance, by broadcasting its entries). The entries in this list may change fairly dynamically over time, so the advertisement must be made often enough to ensure that every mobile computer can almost always locate every other mobile computer of the collection. In addition, each mobile computer agrees to relay data packets to other computers upon request. This agreement places a premium on the ability to determine the shortest number of hops for a route to a destination; mobile hosts in sleep mode should not be disturbed unnecessarily. In this way a mobile computer may exchange data with any other mobile computer in the group even if the target of the data is not within range for direct communication. If the notification of which other mobile computers are accessible from any particular computer in the collection is done at layer 2, then DSDV will work with whatever higher layer (e.g., Network Layer) protocol might be in use.
All the computers interoperating to create data paths between themselves broadcast the necessary data periodically, say once every few seconds. In a wireless medium, it is important to keep in mind that broadcasts are limited in range by the physical characteristics of the medium. This is different from the situation with wired media, which usually have a much more well-defined range of reception. The data broadcast by each mobile computer will contain its new sequence number and the following information for each new route:
- the destination's address;
- the number of hops required to reach the destination; and
- the sequence number of the information received regarding that destination, as originally stamped by the destination.

When a mobile host receives new routing information, it is compared to the information already available from previous routing information packets. Any route with a more recent sequence number is used. Routes with older sequence numbers are discarded. A route with a sequence number equal to that of an existing route is chosen if it has a "better" metric, and the existing route is discarded or stored as less preferable. The metrics for routes chosen from the newly received broadcast information are each incremented by one hop. Newly recorded routes are scheduled for immediate advertisement to the current mobile host's neighbors. Routes which show an improved metric are scheduled for advertisement at a time which depends on the average settling time for routes to the particular destination under consideration.

Figure 19: Movement in an ad-hoc network


Consider MH4 in Figure 19. Table 1 shows a possible structure of the forwarding table which is maintained at MH4. Suppose the address of each mobile host is represented as MHi. Suppose further that all sequence numbers are denoted SNNN_MHi, where MHi specifies the computer that created the sequence number and SNNN is a sequence number value. Also suppose that there are entries for all other mobile hosts, with sequence numbers SNNN_MHi, before MH1 moves away from MH2. The install time field helps determine when to delete stale routes. With DSDV, the deletion of stale routes should rarely occur, since the detection of link breakages should propagate through the ad-hoc network immediately. Nevertheless, stale routes are still monitored for and acted upon when found. From Table 1 one could surmise, for instance, that all the computers became available to MH4 at about the same time, since its install time for most of them is about the same. One could also surmise that none of the links between the computers were broken, because all of the sequence number fields have values with even digits in the units place. Ptr1_MHi would all be pointers to null structures, because there are no routes in Figure 19 which are likely to be superseded by, or compete with, other possible routes to any particular destination.

Table 2 shows the structure of the advertised route table of MH4. Now suppose that MH1 moves into the general vicinity of MH5 and MH7, and away from the others (especially MH2). The new internal forwarding table at MH4 might then appear as shown in Table 3.


Only the entry for MH1 shows a new metric, but in the intervening time many new sequence number entries have been received. The first entry thus must be advertised in subsequent incremental routing information updates until the next full dump occurs. When MH1 moved into the vicinity of MH5 and MH7, it triggered an immediate incremental routing information update, which was then broadcast to MH6. MH6, having determined that significant new routing information had been received, also triggered an immediate update which carried along the new routing information for MH1. MH4, upon receiving this information, would then broadcast it at every interval until the next full routing information dump. At MH4, the incremental advertised routing update would have the form shown in Table 4.
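The update rule from the previous page (newer sequence number wins, equal sequence number keeps the better metric, every learned metric grows by one hop) and the MH1-moves scenario above, carried through in code. This is an added example, not the report's code and not code from the DSDV paper the appendix cites. The topology, sequence numbers and install times are constructed to stand in for Tables 1 to 4, which are not reproduced here; the settling-time delay for improved metrics is left out, and the odd-sequence-number convention for broken links is the one the text mentions when it says unbroken links have even units digits.

```python
from dataclasses import dataclass

INF = float("inf")  # metric of a destination that has become unreachable


@dataclass
class Entry:
    dest: str
    next_hop: str
    metric: float
    seq: int                # SNNN_MHi: even = stamped by the destination, odd = broken link
    install: int            # time the entry was installed; helps to spot stale routes
    changed: bool = False   # metric changed since the last full dump


class DsdvHost:
    """One DSDV mobile host: its forwarding table and the advertisements it emits."""

    def __init__(self, name, seq=100):
        self.name = name
        self.seq = seq      # own sequence number, always even
        self.table = {name: Entry(name, name, 0, seq, 0)}

    def advertise(self, full=False):
        """Rows (dest, metric, seq) broadcast to neighbours: a full dump or an incremental update.
        An incremental update carries the host's own row plus every entry whose metric
        changed since the last full dump."""
        self.seq += 2
        self.table[self.name].seq = self.seq
        rows = [e for e in self.table.values() if full or e.changed or e.dest == self.name]
        if full:
            for e in self.table.values():
                e.changed = False   # the full dump has now carried them
        return [(e.dest, e.metric, e.seq) for e in rows]

    def receive(self, from_host, rows, now):
        """Merge a neighbour's advertisement using the DSDV comparison rule."""
        for dest, metric, seq in rows:
            if dest == self.name:
                continue
            metric = metric + 1             # one more hop, through from_host
            cur = self.table.get(dest)
            if cur is None:
                self.table[dest] = Entry(dest, from_host, metric, seq, now, changed=True)
            elif seq > cur.seq:
                # more recent information always wins, even with a worse metric
                cur.changed = cur.changed or metric != cur.metric
                cur.next_hop, cur.metric, cur.seq, cur.install = from_host, metric, seq, now
            elif seq == cur.seq and metric < cur.metric:
                # equally fresh: keep the better metric
                cur.next_hop, cur.metric, cur.install, cur.changed = from_host, metric, now, True
            # older sequence numbers, or equal ones with no better metric, are discarded

    def link_broken(self, neighbor):
        """Neighbour lost: every route through it gets metric INF and an odd sequence number."""
        broken = []
        for e in self.table.values():
            if e.next_hop == neighbor and e.metric != INF:
                e.metric, e.seq, e.changed = INF, e.seq + 1, True
                broken.append(e.dest)
        return broken


def scenario():
    """Constructed stand-in for Tables 1 to 3: MH4 learns a shorter route to MH1 via MH6."""
    mh4 = DsdvHost("MH4", seq=400)
    initial = {                      # dest: (next hop, metric, seq), all constructed
        "MH1": ("MH3", 3, 102), "MH2": ("MH3", 2, 202), "MH3": ("MH3", 1, 302),
        "MH5": ("MH5", 1, 502), "MH6": ("MH6", 1, 602), "MH7": ("MH6", 2, 702),
        "MH8": ("MH6", 3, 802),
    }
    for dest, (nh, metric, seq) in initial.items():
        mh4.table[dest] = Entry(dest, nh, metric, seq, install=0)
    mh4.advertise(full=True)         # a full dump has gone out; nothing is flagged
    # MH6 relays MH1's fresh advertisement (seq 104): MH1 is now one hop from MH6
    mh4.receive("MH6", [("MH6", 0, 604), ("MH1", 1, 104), ("MH7", 1, 702), ("MH5", 1, 502)], now=10)
    return mh4


if __name__ == "__main__":
    h = scenario()
    print("MH1 now via", h.table["MH1"].next_hop, "metric", h.table["MH1"].metric)
    print("incremental update:", h.advertise())
```

Only the MH1 row ends up flagged, so the incremental update MH4 sends contains just its own row and the MH1 row, which is the shape the text describes for Table 4. The MH7 and MH5 rows relayed by MH6 carry the same sequence numbers MH4 already holds with a worse metric, so they are discarded; the MH6 row is adopted because its sequence number is newer, but its unchanged metric does not flag it for incremental advertisement.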

Properties of the DSDV Protocol

At all instants, the DSDV protocol guarantees loop-free paths to each destination. To see why this property holds, consider a collection of N mobile hosts forming an instance of an ad-hoc style network. Further assume that the system is in steady state, i.e. the routing tables of all nodes have already converged to the actual shortest paths.
