Fazaluddin Shaik 0924783: Cluster Based Leader Election For Intrusion Detection in Manet

CDLE MECHANISM for INTRUSION DETECTION in MANET
FAZALUDDIN SHAIK
0924783
CLUSTER BASED LEADER ELECTION MECHANISM

FOR INTRUSION DETECTION IN MANET
MSc Computer Networking
Masters Thesis Report
Department of Computer Science & Technology
Unit Leader - Dr Fiaz Hussain
Version - 2010/11
0924783 Page 1
ABSTRACT
In rapid progressive development, Ad hoc networks also made very attractive

applications in communication world because of its flexible dynamic self configuring topology
even under limited resources and dynamic mobility. On the contrary due to open air physical
medium and flexibility nature makes more vulnerable to attacks by compromised nodes.
Traditional security approaches such as authentication and cryptographic protocols are not
supposed to be efficient protection against attacks. Intrusion detection systems are supposed to
be implemented in cluster head of cluster without run on every node due to limited resources of
networks. Election of cost efficient cluster head from among nodes in cluster is more
sophisticated by reason of selfish nature of nodes to save its battery power with no interest to
serve its power to maintain the operation of other nodes in networks. Mechanism designs are
formulated to make node to actively participate in leader selection by providing incentive
computed based Vickrey, Clarke, and Groves (VCG) model to forecast and ensure node behaves
honestly. By reputation process most cost efficient node are elected as leader and then
misbehaving nodes are punished by terminating from network. I proposed priority based node
termination control (PBNTC) controls the selfish node termination by reputation process in
mechanism design theory because the existence of selfish node with high resources are needed
for efficient packet transmission . Cluster based selection with PBNTC reduces the percentage of
leaders, single-node IDS implementation, with increasing average cluster size. Number of living
nodes in networks increases because of effective termination control of nodes. Performance
metrics such as number of living nodes, detection accuracy and average cluster size are
simulated by using NS2 simulator.
0924783 Page 2
Acknowledgement
I would like to express gratitude to my Project Supervisor Dr. Enjie Liu for his encouragement as
well as directing me with the precious guidance and unprejudiced feedback on my work.
This dissertation has been one of imaginative, ingenious and significant educational challenges. I
have never ever faced in my life till date. Without the guidance, support and endurance of my
professors on this project would never have been completed.
I owe my inmost appreciation and admiration to my project head Dr Fiaz Hussain, to my project
supervisor Dr. Enjie Liu and to the UOB staff who were always available to help me a lot in my
academic week-to-week activities.
Lastly, I am honestly thankful to all my acquaintances who circuitously supported me in this

dissertation as giving me an appropriate information about the Deadlines and for Discussing as
well. God Almighty for his blessings.
Dedication
I feel proud to dedicate my dissertation to my loving father Mr.Shaik.Fayasudduin and mother

Mrs. Shaik faheemunnisa begum. for their love and support financially all through my life.
0924783 Page 3
Table of Contents
ABSTRACT
1. INTRODUCTION
1.1 Background of ad hoc network Vulnerabilities...08
1.1.1 Challenges to accomplish security in MANETS 09
1.2 Need for intrusion detection ...09
1.2 .1 Intrusion detection ..10
1.2 .2 Problems of intrusion detection in MANETS.10
1.3 Cluster based intrusion detection.11
1.3.1 Leader selection....12
1.3.2 Mechanism design....12
1.4 Problem assertion....13
1.5 Contribution as Aim....13
1.6 Objectives14
1.7 Thesis layout14
2. LITERATURE REVIEW O N CLUSTER BASED INTRUSION DETECTION

2. Attacks.15
2.1 Attacks against Routing..15
2.2 Attacks against routing protocols15
2.3 Attacks against packet forwarding..16
2.4 Security criteria...17
2.5 Intrusion detection..19
2.5.2 Based on detection techniques.20
2.6 IDS Architectures21
2.6.1 Standalone IDS.22
0924783 Page 4
2.6.2 Local intrusion detection Systems22

2.6.3 Hierarchical architecture...23
2.6.4 Mobile agent architecture.24
3. BACKGROUND KNOWLEDGE
3.1 Game theoretic intrusion detection..26
3.2 Bayesian game theory approach..26
3.2.1 Bayesian Hybrid detection approach26
3.2.2 Perfect Bayesian Equilibrium Analysis (PBE).27
3.3 Behavior based anomaly detection..28
3.3.1 Negative self approach.28
3.4 Sprite: A Simple, Cheat-Proof, Credit-Based System.28
3.4.1 Objectives....29
3.5 Secure and objective reputation based incentive (SORI)29
3.6 CONFIDANT (Cooperation of Nodes: Fairness in Dynamic Adhoc NeTworks)..30
3.7 CORE:.32
3 .8 Mechanism design..33
3.8.1 Main objectives.33
3.9 Vickrey Clarke groves.34
4. DESIGNING OF CDLE
4.1 Existing systems...35
4.2 Proposed systems..35
4.2.1 Cluster based leader selection (CDLE)..36
4.2.2 Priority Based Node Termination Control.36
4.4 Optimized Mechanism design...38
4.4.1 Social choice function38
4.4.2 Cost of analysis..39
4.4.3 Optimized payment function..40
4.4.4Optimized utilitarian function..40
0924783 Page 5
5. IMPLEMENTATION & SIMULATION OF CDLE

5 .1 Artefact Implementation41
5.2 Simulation Grid set up41
5.2.1 Hardware Specifications..42
5.2.2 Software Specifications...42
5.2.3 Simulation Parameters.....42
5.3 Performance metrics...43
5.3.1 Number of alive nodes.....43
5.3.2 Average cluster size.43
5.3.2 Percentage of detection43
5.4 Performance evaluation.43
5.4.1 PBNTC implementation..44
5.4.2 Cluster dependent leader selection..44
5.4.3 Mechanism design with VCK model..44
5.5 Ns2 Network Simulator Tool..45
5.5.1 Objectives of Ns245
5.5.2 Wired network environment45
5.5.3 Wireless environment..46
5.5.4 Mobility in network simulator.46
5.5.5 Nam Visualization...46
6. COMPARATIVE TESTING & EVALUATION

6.1 Simulation Results.....48
6.1.1 Number of alive nodes48
6.1.2 Average cluster size49
6.1.3 Percentage of detection...49
6.2 Testing Results...50
6.2.1 Functional Testing...51
6.3 Existing System Screenshots..53
6.4 Proposed System Screenshots .. .62
0924783 Page 6
7. CONCLUSION76
APPENDIX.77
1. POSTER.82
2. USER GUIDE83
3. QUESTIONS OF MARKET SURVEY..87
TABLE of FIGURES
1- IDS Architecture..21
2- Block Diagram..47
3- Flow Diagram47
TABLE of GRAPHS
1- Number of Alive nodes48

2- Average cluster size.49
3- Perecentage of Detection..50
0924783 Page 7
CHAPTER 1
INTRODUCTION
A mobile ad hoc network (MANET) is a self-configuring network formed with collection

of mobile nodes lacking of any predefined infrastructure in decentralized authority subsequently
network topology often changes due to the dynamic mobility of mobile nodes. In recent years,
Mobile Ad-hoc Networks (MANET) have attracted considerable research efforts recently, due to
persuasive applications in infrastructure less situations such as battle fields, tactical disaster
recovery, search rescue missions and virtual conferences where laptops, PDA or other mobile
devices share wireless medium and communicate to each other [1] [2].
In MANET, every node acts as both host and router is also capable of communicating
cooperatively by forwarding packets operates at multi hop communication with dynamic path.
Several multi-hop routing protocols are used in MANET such as Dynamic Source Routing
(DSR), Optimized Link-State Routing (OLSR), Destination Sequenced Distance-Vector (DSDV)
and Ad Hoc On-Demand Distance Vector (AODV) [3]. In MANET routing, every node is acting
cooperatively with trustworthy operation therefore, if destruction in any node causes failure of
the entire network. Malicious nodes in network might take advantage of weakness in MANET
and launch various kinds of passive attacks such as passive eavesdropping, active snooping,
impersonation, and denial-of-service [3].
1.1 Background of ad hoc network Vulnerabilities

Ad hoc networks have distinct characteristics such as dynamically changing topology,
weak physical protection of nodes, the absence of centralized administration, and high
dependence on intrinsic node cooperation.
Dynamic topology: Dynamic topology ad hoc networks have need of complicated routing
protocols. One of the most difficulties due to dynamic topology is that misbehaving node
generates wrong routing information which is hard to discover.
0924783 Page 8
Absence of infrastructure: An ad hoc network without any fixed infrastructure which

devised traditional security mechanism of cryptography and certification is inapplicable in
adhoc networks.
Vulnerability of nodes: Physical protection of nodes is not possible due to open air face
media hence node can be easily captured and cascade under the control of an attacker [4].
1.1.1 Challenges to accomplish security in MANETS

Mobile Ad Hoc networks need more careful effective security mechanism than traditional
wired networks because attackers have lot of possible ways to impose attacks through subvert
nodes. Because of dynamic mobility and frequent topology changes, mobile users also moving
randomly throughout the network. Generally mobile nodes in adhoc networks are resource
constrained therefore there is a need that each node in network must share resources to obtain the
sufficient energy consumption to maintain the security scheme in adhoc networks [5]. Due to
lack of sufficient security schemes, an attacker can easily defends against the security protection
and makes node to participate in malicious behavior to degrade the network performance. Hence
to obtain the efficient security schemes, system must be monitored to detect anomalies and then
necessary remedies are taken to prevent the attack from network to protect the network
performance [5].
1.2 Need for intrusion detection

There are two basic needs to develop intrusion detection in adhoc networks. In traditional
adhoc networks security is achieved by secure protocol implementation such as proper
encryption and authentication protocols only reduce intrusion but not eliminate them [6].
Hence intrusion detection is needed to provide the next level of protection by preventing
intrusion and also basic component to construct highly secure wireless ad hoc networks. The
second need is the design and maintenance of security protocol on dynamic mobility adhoc
networks which is obtained by hierarchical intrusion and detection architecture. According to
0924783 Page 9
Evans Law, security risk is caused due to the more vulnerable attacks and the increased number
of malicious users.
Security problems in adhoc networks conquered by quadrillion times than already
existing security schemes such as encryption and authentication protocols.
1.2 .1 Intrusion detection

Intrusion is defined as a set of actions that attempt to monitor the systems activities by
both internally or externally to achieve the security criterion such as integrity, confidentiality, or
availability of a resource Intrusion detection techniques are mainly used to detect the presence of
malicious or compromised nodes [4] [5] [6].
1.2.2 Problems of intrusion detection in MANETS

Due to decentralized authority, dynamic mobility and limited resources constraints,
already existing anomaly detection models are not provide appropriate solution to detect
disconnected operations as intrusions. In mobile environment, there is no clear separation
between normalcy and anomaly detection. Existing detection methods are hard to define
intrusion attack signatures (characteristics, vulnerabilities and network topologies of the routing
protocol) in real intrusions due to lack of standardized protocol standards in wireless mobile
environment. In wired networks, traffic monitoring is usually performed at switches, routers and
gateways.
In wireless ad-hoc environment because of absence of centralized authority causes no
place to locate IDS can collect audit data for the entire network for communication activities
taking place within the radio range. Hence cluster management protocols are evolved to
overcome the problems of intrusion detection in adhoc networks. Some times prevention of
compromised nodes is undesirable because compromised nodes must act as intermediate node
for inter-group communication. Bottle neck nodes act as alternative malicious intruder towards
the reduction of dropping data packets for compromising communication in the network. Hence
detecting and removing of such bottleneck nodes cause intrinsic problems [17].
0924783 Page 10
1.3 Cluster based intrusion detection

Nodes are formed as cluster organization in which one node is elected among group
nodes as cluster head acts as a local coordinator to monitors and supervising functions of all
nodes in network as well as manages intra-cluster communication in all nodes in group without
any inter-cluster links through gate way nodes. Gateway nodes are the non-cluster head nodes
located at the edge of a cluster facilitates the inter-cluster communication with its neighborhood
clusters. Cluster member updates information of nodes in cluster periodically about changing
topology and lifetime capability of nodes in cluster with respect to available battery power [8]
[9].
Advantages of clustering
It improves the system capacity by implementing spatial reuse of resources.
Optimization in routing mechanism.
Efficient handling of mobility management.
Efficient bandwidth utilization.
Minimize the amount of storage for communication.
Disadvantages of clustering
Longer record updation time is required when the fields in the clustering index
are changed.
Difficult to recover from database corruption.
If Cluster head becomes intruder then performance of entire network is
degraded [10].
0924783 Page 11
1.3.1 Leader selection

Traditionally, leader of the cluster is selected by random or connectivity approach. But in
adhoc networks, resources are the major criteria to select the leader among various numbers of
nodes in cluster. Node with maximum resources are elected as a leader, because that node only
capable of monitoring and predominating in addition to serve the other nodes in cluster.
Although it is difficult to balance the resource consumption of IDSs among nodes since the
resource level is private information maintained for node. Therefore to attain the resource
capability from every node is a challenging task because all nodes in network are acting selfish
by lying about their resources and not desirable to provide its resources to serve for other nodes
in cluster [11].
On the other hand, moreover if the node reveals its resources information it remains a
challenging issue to elect the optimal leaders to balance the overall resource consumption
without flooding the network.
1.3.2 Mechanism design

Mechanism design is used to design the incentives to motivate the node that is providing
truthful information and also behaves trustworthiness to other nodes in cluster. By providing
incentives for trustworthiness, makes node to actively participate in election process, node with
high incentives are selected as leader head of the cluster, if the nodes are not trustworthy, then
punishment is provided by decreasing incentives values or by disconnect from network.
There are three phases in this design

Cost of analysis function
Valuation function is computed for every node based on information provided by
node.

Reputation system
Incentives are provided to the nodes that are trustworthy and the misbehaving
nodes are found out and punished.

Payment design
The amount of incentives is computed based on Vickrey, Clarke, and Groves (VCG)
model to ensure truth-telling to be the dominant strategy for any node [12].
0924783 Page 12
1.4 Problem assertion

In adhoc networks, set of one-hop neighbor nodes forms a cluster. To detect and prevent
the intrusion in network, IDS are implemented in cluster head. But here the selection of cluster
head among nodes in cluster is difficult due to selfishness of node. To select the cluster head, two
criteria must be taken in account such as Maximum resources and Connectivity. Node conceals its
own resource level because node does not have self interest to provide own battery power for
other network. Hence motivate nodes to nominate for election process and then cost efficient
cluster leader are selected to detect the intrusion detection in network hence nodes in network
reveals its cost of analysis with valuation function to elect the cost efficient leader for every
cluster. Nodes are encouraged by providing proper incentives in the form of reputation to reveal
truthfully about resources level. Amount of payment in the reputation is determined in the form of
reputation computed by on VCG mechanism, where truth telling is the dominant strategy.
Reputations are the only criteria to decide which node will be selected as a cluster based on
trustworthiness and valuation function.
1.5 Contribution as Aim

Following contributions are carried out in the part of detecting selfish node and then
termination of selfish node with certain considerable effort of priority identification. Initially,
study and describe the types of attacks probable in an MANET environment.
Propose priority based node termination control to provide cost effective leader
election with proper reputation process to compute the incentives based on Vickrey,
Clarke, and Groves (VCG) model.
Present the design and performance evaluation of a proposed PBNTC method that
operates efficiently in highly dynamic misbehaving environments.
PBNTC with mechanism based theory is accomplished for efficient detection of
intrusion among cluster of nodes and then make selfish node for active participation
in cluster leader selection by providing proper incentives.
Non trustworthiness selfish nodes are detected and then termination are performed
with considerable efforts depends on the functionality of selfish node in network.
0924783 Page 13
Efficiency of the detection mechanism is evaluated through NS2 based simulation model and
illustrated that PBNTC is more efficient to detect selfish node and make them for active
participation in cluster head selection.
1.6 Objectives of project
To study the various attacks initiated by the misbehavior nodes, selfish node
characteristics and its impact on the performance of the network.
To study and analyze the performance of leader selection in adhoc networks.
To evaluate the performance of leader election models CDLE and CILE leader to
improve the network throughput.
Mechanism design theory with Vickrey, Clarke, and Grovess computation are studied
to provide incentives for selfish nodes.
Propose a well-organized Priority Based Node Termination Control intrusion detection
method to detect selfish and terminate selfish node depends upon the functionality in
network in order to preserve resources of ad hoc networks.
Present the simulation method and performance metrics to measure the efficiency of
proposed Priority Based Node Termination Control intrusion detection method.
1.7 Thesis layout

Chapter 2 of paper explicates the concepts of detection mechanism in Adhoc networks.
Chapter 3 explains the detection and removal methods with their drawbacks. Chapter 4 describes
the existing and proposed algorithm. Section 5 presents the experimental analysis. Chapter 6
includes the important part of the Thesis as Testing and Evaluation. To end with, this paper
concludes with section 7.
0924783 Page 14
CHAPTER 2
LITERATURE REVIEW O N CLUSTER BASED INTRUSION DETECTION
2. Attacks
2.1 Attacks against Routing

Malicious behaviors are take place only when routing process is held within the
network. Because of dynamic mobility and frequently changing topology of the mobile
ad hoc networks, it is incredibly complex to authenticate all the route messages. There are
two categories [13].
Attacks on routing protocols.
Attacks on packet forwarding or delivery.
2.2 Attacks against routing protocols

The chief purpose of attacks on routing protocols is to obstruct the propagation of
routing information towards the victim still there are some routes are applicable to
transmit from victim to other destinations in network. The main influences occur due to
attacks against routing protocols network partition, routing loop, resource deficiency and
route takeover [13] [14].
Wormhole attack
In a wormhole attack, a high speed malicious node properly positioned tunnels is
created between two nodes in network to transmit secret packets. Therefore the whole
network is interrupted by redirecting traffic near adversary node. Wormhole attack is the
origin of other attacks such rushing attacks and Sybil attacks [13] [14].
0924783 Page
15
Sinkhole Attacks
Sinkhole attack is the attack in which compromised node makes attractive itself to
recognize by neighboring node as a best path for transmission to alter the routing
information [13] [14].
Sybil Attacks
In Sybil attacks, a malicious node acts as a normal node like other nodes in
network to acquire the knowledge of other nodes identity in network either by making
new node or from the knowledge of other nodes identity [13] [14].
Black hole attack

The presence of selfish nodes to save its battery power, compromised node
advertises alone as shortest path to the requested node by using routing protocol,
therefore black hole attack drops all the data packets near to the shortest path of requested
node network affects the overall regular operation of the networks [13] [14].
2.3 Attacks against packet forwarding

Attacks on packet forwarding take attempts to agitate the packet delivery along
the predefined path in networks.
Denial of service (DoS)

Denials of service are attacks in which large amount of useless packets infused
with real packets into the network during transmission. Surplus packets utilizes
considerable portion of network resources and launch packet contention in wireless
channel network. Traditional prevention of Denial of service is not relevant in adhoc
networks because of more vulnerable to attacks in the midst of distributed nature services
with interference-prone radio channel of less battery power. DOS attacks are conducted
by radio jamming and battery exhaustion methods.
There are two types of DOS attack
Routing table overflow attack (Radio jamming )
Sleep deprivation attack ( Battery exhaustion )
0924783 Page
16
Spoofing
Spoofing is integrity attacks in which adversary node altering the routing
information lawfully causes network partitioning in networks. Due to lack of integrity
cooperation and authentication in routing protocols create fabrication attacks cause fake
error routing messages with increased traffic congestion and deprives resources of
networks [15].
Selective Forwarding
Selective forwarding is a compromised node can selectively filter traffic from
particular part of the network. Due to reduction of difficulties of selection random
dropping of packets is also appreciable whereas hard to detect and trace of traffic in
network [15].
Eavesdropping
Eavesdropping is an attack to acquire confidential information such as location;
public key, private key and passwords of the nodes are kept and maintained as secret
during the communication between nodes in networks [15].
2.4 Security criteria

Mobile ad hoc network is insecure by its nature because of dynamic mobility,
limited resources and frequent topology changes therefore there is no clear remedy about
security concern. But now to inspect the security level status of adhoc networks, various
criteria are used to evaluate the mobile ad hoc network is secure.
Accessibility
Every node should maintain its capability to do all the predefined assigned
services by not considering about its own security state of network. But this criterion is
very challenging when denial-of-service attacks is captured in network therefore
compromised nodes make network services as unavailable [16].
0924783 Page
17
Reliability
Integrity gives assurance for message identity during transmission. Integrity can
be compromised mainly in two ways [16]:
Malicious altering (messages damaged by adversary node )
Accidental altering (messages damaged due to hardware failure)
Confidentiality
Confidentiality maintains the privacy about the secret information in which
certain information is not accessible for unauthorized user.
Authenticity
Authenticity is essentially gives assurance for every participant in network must
be genial and trustworthy to all nodes in network [16]. If there is lack of authentication
mechanism in network, and then adversary node could easily pretend to be access to
confidential resources or even propagate some fake messages to distract the standard
network communications.
Non repudiation
Non repudiation makes sure that sender and receiver of message cannot renounce
about its communication retrieval information. If any node in the network is identified,
received messages are supposed to be error and then notify the error information as
evidence to other nodes in network for compromising nodes in network [16].
Authorization
Authorization is used to assign access rights depends upon the level of users in
which an access authority is supposed to be credential which indicates the constitutional
rights and permissions by the certificate authority [16].
0924783 Page
18
Anonymity
Anonymity denotes all information is used to identify the proprietor or the current
user of the node to be kept private is not distributed by the node itself or the system
software [16].
2.5 Intrusion detection

In Network Security Bible Intrusion detection and response is the undertaking
task to monitor user and transmission activities for verification of intrusions in network
systems with unfortunate injection of attacks through auditing mechanism and then
corresponding remedies are taken to prevent the intrusions in systems [17].
2.5.1 Types of intrusion detection

Intrusion detection is classified into two types based on data collection as follows.
Network Based (NIDS)

Network-based Intrusion Detection Systems are host independent detection
operates in which every host to detect and inspect the effect of network traffic on entire
networks. The NIDS has wide range of capability to monitor and analyze the entire data
packets details such as packet payload, IP address, ports. However, drawbacks in NIDS
encompassed with high false positive rate [15] [18].
Host Based (HIDS)

Host-based IDS are host dependent installed in every host of networks to capture
network traffic of its own local host and detection properties are adapted to specific host
configuration. IDS installed in host operate slower because each host uses its own battery
power to monitor the system operation independent on network bandwidth availability
[15] [18].
0924783 Page
19
2.5.2 Based on detection techniques

Intrusion detection is classified into three types based on detection techniques as
follows.
Signature or Misuse based IDS

Signature based IDS are used to detect the occurrence of signature or behaviors in
newly incoming packets traffic is performed by comparing with previous specific patterns
or signatures. Lot of signature based IDS are evolved but they differs in representation
and matching algorithm are used to detect the intrusion patterns. Examples of intrusion
detection schemes such as expert system pattern recognition, colored Petri nets and state
transition analysis [20].
However, the main drawback in this type of detection is that attacking
mechanisms are processing continuously therefore same stream of knowledge updation of
detection is also needed as of processing. Lot of signature based IDS are evolved but they
differs in representation and matching algorithm are used to detect the intrusion patterns.
Examples of intrusion detection schemes such as expert system pattern recognition,
colored Petri nets and state transition analysis [19] [20] [21].
Anomaly based IDS

Anomaly based IDS are used to detect unknown attacks by comparing with set of
definition for normal behavior, and then observe variation in networks systems with
unknown attacks. Unknown intrusion is detected by measuring deviation from the normal
behaviors such as anomalies or possible intrusion. This detection has several techniques
such as statistics, neural networks and other techniques such as immunology, data mining
and Chi-square test [19] [20] [21].
Specification based IDS:

Set of constraints are described to maintain the regular process of intrusion
detection in networks. Then IDS inspects the current behavior of systems according to
specifications that describes desired functionality for security-critical entities. The
mismatch occurs between current behavior and the specifications are detected as attack in
0924783 Page
20
networks. Specification based IDS detect unknown attacks with low false positive rate
but previously mentioned detection exhibits high false positive to detect unknown attacks
in networks [19] [20] [21].
2 .6 IDS Architectures
Network infrastructures may be in the form of flat or multi-layer networks.
Intrusion detection is classified into four types based on network infrastructure. Fig 1
represents the cluster dependent intrusion detection in MANET with proposed PBNTC
based on mechanism design theory.
Checker Repudator
CDLE
Leader PBNTC Leader
0924783 Page
21
2.6.1 Standalone IDS

In standalone architecture, each node in adhoc networks is encompassed with
intrusion detection systems individually to determine intrusions in networks. But very
node acts by itself independently to detect attacks inside the host without any cooperation
or coordination between intrusion detection between other nodes in networks. Hence
intrusion detection decisions are based on information available on the individual node
Stand alone architecture is more suitable for flat network infrastructure than for
multilayered network infrastructure [22].
2.6.2 Local intrusion detection Systems

In this type of intrusion detection architecture, every node in network is
responsible to collect the ongoing transmission process to detect the possible intrusions as
well as to initiate a corresponding response for intrusion is obtained independently. Thus
each node in the networks operates its own IDS in which all nodes work together and
form global Ids also suitable for flat wireless sensor networks, whereas global IDS is
initiated due to the presence of inconclusive intrusions detected by individual node in
networks. Every node has local detector to detect intrusion and cooperate with LIDS of
other host in networks and finally make global cooperative IDS [23] [24].
Data collection module

Data collection module is responsible for collecting real time data and activity
logs from various types of resources [23, 24].
Detection engine
i) Local detection engine
Local detection engine is used to detect the presence of intrusion in data item.
Data items are locally collected in data collection module. Two types of attacks are
possible such as known and unknown attacks. Known attacks are easily recognized and
eliminate by misuse based detection IDS with specific patterns and corrective measures.
On the other hand unknown attacks are mainly identified by statistical anomaly detection
0924783 Page
22
techniques which distinguish anomalies from normal behaviors based on the deviation
between the current observation data and the normal profiles of the system [5] [7].
Anomaly detection is performed using the eSOM classification algorithm.
Collect audit data and perform the suitable transformations.
eSOM algorithm is used to compute the training data.
Collected data are classified into Normal or Abnormal [7].
ii) Cooperative detection engine

Cooperative detection engine is needed to initiate cooperative detection process
when apprehensive anomalies are detected in certain nodes, therefore LIDS works
cooperatively with other IDS agents to discover suitable confirmation by selection
algorithm called as distributed consensus algorithm. Detection is performed with
considerable assumption that all nodes in networks are mostly trustworthy [23] [24].
iii) Response engine

If intrusion detected by the detection engine then the response engine is activated
then response engine is responsible to detect the intrusion when it has been confirmed as
intrusion by detection engine. Response for intrusion may be in the form of effective
removal of compromised nodes by reinitializing the communication channel with
reassigning the key or reorganizing the network. Message overhead is caused due to
notify the intrusion information to all nodes in networks. Therefore message overhead are
reduced by sending RTS (Ready to Send) message to the malicious node in which
intrusion are detected. Conversely the local IDS agent can send ALERT messages to all
potentially traffic generators that exist in its routing table, to achieve global intrusion
response with all nodes that are directly communicated with malicious node[23] [24].
2.6.3 Hierarchical architecture

The hierarchical architecture is an extended version of the distributed and
collaborative IDS architecture in which huge power consumption are acquired because of
participation of all nodes in networks. Due to limited power supply in the ad hoc network,
all nodes in networks behaves as selfish way and not cooperative with other nodes to save
0924783 Page
23
its battery power without involving to serve other nodes in networks. To solve the
problem in cooperative intrusion detection, cluster-based intrusion detection technique
for ad hoc network was evolved [25].
Cluster based intrusion detection system

Cluster based intrusion detection system integrates the merits of both Central and
Distributed management models. CBIDS overcomes the problem such as limited battery
power and possible overhead due to multi-layer integrated intrusion detection and
response mechanism by the formation of cluster of nodes in networks. Number of nodes
in network is divided into group of nodes called as cluster. To select the cluster head, high
fairness and efficient methods must be employed. Cluster head is selected for every
cluster as Regional or Cluster agent which collects information from its own cluster and
process the required information from all clusters in networks.
Tasks are distributed to all clusters to reduce the battery consumption and then use
intermediate nodes such as Regional and Cluster to distribute the detection task among all
nodes in networks [25].
2.6.4 Mobile agent architecture

Mobile agent technology is deployed in Multi-sensor intrusion detection system
with hierarchical structure. In which whole system is divided into three main models,
each module represents the light weight mobile agent with certain functionality , total
workload of the system are categorized and assigns to perform the specific functions such
as monitoring, decision-making and initiating a response. Mobile agent architecture is the
best intrusion detection architecture to detect intrusion in networks by mobile agent can
manage the various constraints such as dynamic mobility, frequent topology changes [25]
[17].
Monitoring agent
Monitoring agent is used to monitor both individual host and whole networks.
Host-based monitor agent runs on every node to inspect system-level user-activities runs
on every node individually. Conversely network based monitoring agent runs on selected
0924783 Page
24
nodes to monitor at packet-level to capture packets going through the network within its
radio ranges [25][17].
Action agent
Action agent is the important agent and it is used to initiate a response according
to the detected intrusion in networks. Response may be in the form of either by
discontinuing the process carried out in intrusion detected node or blocking the node
from network. If any intrusion activities are detected in certain node with strong
confirmation then immediate response are produced by this action agent [25] [17].
Decision agent
Unlike action agent, decision agent is deployed only on assured nodes which can
run as network monitoring agents.
Decision agent functions are not performed by host monitors node because it does
not have own capability to make a decision individually about intrusion due to
insufficient awareness about intrusion. Network monitoring node collects all intrusion
packets information within its communication radio range and analysis are carried out to
make collective decisions about network level intrusions [17].
0924783 Page
25
CHAPTER 3
BACKGROUND KNOWLEDGE
3.1 Game theoretic intrusion detection

A cooperative game-theoretic model is planned to investigate the interaction
between checkers which is implemented to monitor the behavior of node and hence also
to reduce the false-positive rate and lot of performance overhead due to interaction
between checkers. On the other hand non cooperative game is used to execute the
detection service between the leader and intruder. Bayesian Nash Equilibrium is used to
detect leaders optimal detection strategy [26] [27].
3.2 Bayesian game theory approach

Each individual node is equipped with IDS and also supposed to be switched ON
to obtain the better protection against attackers. Because of limited resources in adhoc
networks always ON mode is not a proficient option from user view point [27]. Hence to
overcome the above mentioned problem a Bayesian game-theoretic approach is
recommended to design the analysis of interactions between adversary and defending
node to enhance the intrusion detection monitoring efficiency. Bayesian game approach is
a more realistic game provides the agenda for defender node to select the strategies
intended for intrusion detection based on the nature of adversary node and also examines
the equilibrium stratagem of both adversary and defenders nodes. On the way of dynamic
based approach adjustment is made in monitoring strategy based on dynamic updation of
adversary node information and game history [27].
3.2.1 Bayesian Hybrid detection approach

Bayesian hybrid detection approach is proposed to reduce the power spent for
intrusion detection encompassed with two monitoring systems such as lightweight
monitoring and heavyweight monitoring system and the main focus is that efficient
monitoring strategies based on a dynamic Bayesian game formulation. Implementation of
0924783 Page
26
heavy monitoring system is to monitor the intrusion detection which is more complicated
IDS but detection is more effective which provides more detection quality, but consumes
more energy. Decision is taken from updation belief of adversarys node information to
ON or OFF of either lightweight or heavy weight monitoring system. Only one
monitoring systems is active at one time to detect the intrusion and also comprehended
that one heavyweight monitoring system or two lightly weighted monitoring systems in
which one lightly weighted to detect maliciousness of entire network and other lightly
weighted evaluates neighboring nodes individually[28] [29] .
3.2.2 Perfect Bayesian Equilibrium Analysis (PBE)

A Dynamic Bayesian game is a multi-stage game in which defender node carried
out observations are actions performed by adversary node. Main intention of PBE is that
proper interaction between set of actions performed to detect the intrusions and adversary
node information. PBE suggested that adversary and defender node formed a complete
system with the dynamic updation of adversary information according to Bayesian rule
and then response actions are taken for detected intrusion based on Bayesian Nash
equilibrium. PBE with multi-stage attacker/defender must satisfy the four Bayesian
conditions and equilibrium condition P as follows. The above conditions guarantee that
the incomplete-information game has a PBE
B (i) Posterior beliefs are independent in which players have same type belief
about adversary node.
Bayesian rule is used to update possible beliefs of adversary node.
Node should be idle when information about adversary node is unavailable.
All players have same belief about type of another player [30].
Advantages
Reduce the battery consumption for implementation of IDS
Minimizing the prospective damage of undetected attacker.
Equilibrium condition is satisfied with involvement of adversary node
behavior.
Dynamic updation of belief of adversary node reduces drastically attacks [30].
0924783 Page
27
3.3 Behavior based anomaly detection

Problems in watchdog technique are unwanted false alarms due to hazy collisions
with limited transmission power. But the aforesaid problems are overcome by behavior
based anomaly based detection with intelligent machine learning to detect false alarm in
each node by negative selection approach [30].
3.3.1 Negative self approach

Negative selection algorithm is a resistant system with self or non-self bias to
detect the false alarm.
Essential normal features elements of network are collected in set of states (N)
and then list of feature are sub listed in set of states (F) in space X.
Detector D is used to detect and then false alarm are generated when match
occurs between states N and F.
Continuous monitoring is maintained between detectors D against N set by
using list of feature set (F). If any match is found and changes are done
according to the detected variation, but generally detectors are designed not to
found any match with representative samples of N.
In which new pattern in self or non self are denoted as N and then problem space
are denoted in n - dimensional space normalized to [0, 1].
N [0, 1] and then N F = X N F = NULL
The standard normal behavior of system are defined as
B (p) = 1pN
0pF [30]
3.4 Sprite: A Simple, Cheat-Proof, Credit-Based System

Sprite [31] concept motivates the node to actively participating for other nodes
packet forwarding by providing proper incentives for transmission. Reputation system is
a repeated game is used to provide incentive and then make node to active participation
in networks cooperation. Node receives a message from any other nodes in networks and
0924783 Page
28
also maintains the receipt for received message itself. Node reports to Credit Clearance
Service (CCS), about the message forwarding with receipt for received message.
CCS only evaluates cost and credit for node based on number of receipt reported
by nodes in networks. There are two concerns must be taken in consideration, in which
charge and credit are provided to node depending upon the number of receipt reported by
node, therefore selfish node withhold its receipt without reporting to CCS to maximize its
own welfare. Then second is node with low resources is reported receipt for its own
messages to acquire high credit [31].
3.4.1 Objectives
There are four main objectives are acquired by sprite incentive schemes are
follows
To provides incentive to make selfish nodes make actively cooperate with packet
forwarding of other nodes.
Game-theoretic approach is used to compute charge and credit which motivates
each node to report about its receipts honestly.
First pure software solution by game approach with prove the providing of
correctness security.
Message overhead also reduced with efficient cooperation of nodes in networks
[31].
3.5 Secure and objective reputation based incentive (SORI)

Secure and Objective Reputation-based Incentive (SORI) [32] [33] scheme is the
reputation based scheme in which actions is taken to make cooperation of selfish nodes in
packet forwarding of other nodes and then makes parameter for selfish nodes to reveal its
actions honestly. The incentive scheme in reputation mechanism is fall into two
categories as
0924783 Page
29
Reputation-based schemes
In existing reputation based schemes lack of efficient measure to evaluate
quantitative and objective ways to propagate reputation. But for efficient reputation
schemes requires secure mechanism to propagate reputation and then quantify criteria are
used to evaluate reputation of a node in objective way [32] [33] .
Pricing-based schemes
Proper packet forwarding between nodes in networks is obtained by providing the
virtual currencies with implementation of temper resistant hardware trust between
scheme and nodes in networks. Nodes that is responsible for forwarding data packets are
priced by providing currency in the form of virtual and also makes efficient relationship
between nodes in networks [32] [33].
Features
The features of SORI are described as follows
Objective measures are used to quantify reputation of node.
Simplex hash chain based authentication scheme are used to compute secured
propagation of reputation.
Communication overhead is minimized by propagating reputation only to
neighbors not to all nodes in network.
Punishment scheme is equipped with reputation-based mechanism can
successfully identify selfish nodes and punish them accordingly [32] [33].
3.6 CONFIDANT (Cooperation of Nodes: Fairness in Dynamic Adhoc Networks)

CONFIDANT [34] protocol are used to monitor neighbor node behaviors within
transmission range. In CONFIDANT protocol there is no need for any tamper-proof
hardware. Because malicious node does not have awareness about reputation identity of
other nodes and also have no authority code to access and modify reputation.
0924783 Page
30
Monitor system
Monitor system is used to monitor the transmission behavior of both user and
network activities and then misbehaving node behaviors are detected by either comparing
the deviation from normal behavior listening to the transmission status of the next node
called as passive acknowledgement or by observing route protocol behavior. Monitor
component is registered the deviations by proper listening of behavior of neighboring
nodes and reputation system is called to terminate the misbehaving nodes from network
[34].
Trust manager
Trust management in adhoc networks is obtained by Pretty Good Privacy (PGP)
in which trust level are structured as unknown, none, marginal, and complete to validate
the key validation and certification.
The trust manager consists of the following components.
An alarm table contains received alarms information.
A trust table manages trust levels to determine the trustworthiness of an
alarm.
A friends list gathered list of friends node whose has capability to send
potential alarm [34].
Reputation system
Reputation systems are used to provide the rating of nodes involved in
transmission of data packets depends upon quality which is acquired from feedback
mutually given by source and destination activities on network correspondingly
Reputation table consists of information about node entry identity and their quality rating
in networks. Quality rating are modified if only if when clear proof for malicious
behavior according to rate function. If malicious behavior is detected by node itself then
high quality rating is acquired for detection rather than detected by neighbor node. The
underlying principle is on weighting schemes is that node have more confidence on own
knowledge for detection [34].
0924783 Page
31
Path manager
Functions performed by path manager are follows
Path direction is changed according to security criteria depend on
reputation of node.
Malicious nodes path are removed from network.
Activities performed by malicious node also withheld.
Actions also performed in route of malicious node in networks [34].
3.7 CORE
A Collaborative Reputation mechanism is used to enforce node cooperation in
Mobile Ad hoc Networks are abbreviates as CORE. CORE is a generic mechanism in
which nodes are enforced to node for involvement in cooperative transmission of other
nodes in networks based on a collaborative monitoring technique. Reputation in CORE is
defined as each network entity has ability to track the identity of other network and
evaluated by the data information provided nodes in networks [35].
Subjective reputation
Subjective reputation is computed at time for subjects inspection using
weighted means of inspected rating factors on every network identity in networks
achieves significance reputation from the past observations. Direct interaction between
subject and neighbors exist in network.
Subjective reputation is computed as follows.
R (si/h) = ( , n) * n
Where R (si/h) is subjective reputation with the function of h

( , n) is time dependent more relevance from past observations
n is rating factor for n observations [35].
0924783 Page
32
Indirect Reputation
Indirect reputation defines that indirect communication is existing between nodes
and other network members. It is possible to reflect the characteristic of complex
formation of other members of different community. Indirect links are established to
compute the final indirect reputation value [35].
Functional reputation
Functional reputation integrates the functions of aforesaid reputation with respect
to distinct function of h. Hence global value of reputation is calculated with different
observations. Reputation value is evaluated for both packet forwarding and routing [35].
3 .8 Mechanism design
Mechanism design is defined by function M = (O; P) where O is output vector
and P is amount of incentives provided as payment for successful agents in mechanism.
The output function is used to determine the successful winner from all participants in
network. The mechanism m is determined from output and payment is computed based
on inputs of all participants in networks. Game theory and mechanism design are used in
routing protocols of adhoc networks to motivate nodes for actively participates in packet
transmission of other nodes in network [12] [26] [27] [28] [36].
3.8.1 Main objectives

To balance the resource consumption of IDS in every node of network.
Recover node from selfish behavior
To make active participation in forwarding data packet of other nodes.
VCG mechanism is used to evaluate the amount of incentives and also be
the truth telling is dominant strategy.
Cost of analysis deployed to reveal honest participation in election [12].
0924783 Page
33
3.9 Vickrey Clarke groves

Amount of incentives provided to the nodes are computed based on Vickrey
Clarke groves model [37]
Computation of VCG
Utilitarian function: A winner determination function from set of nodes in
network is called utilitarian G (o) = Nk (o).
VCG mechanism: A mechanism operates under VCG model uses a utilitarian objective
function and then output and payment function are determined as follows.
The output functions as follows.
Output = Arg max (Nk (o))
Payment function as follows
P (i) = a j (o) + hi (a-i)
Where hi (a-i) is an arbitrary function for real valuation of all agents except agent
i. The payment is in the form of reputation
Pi =Ri = Vj (tj ,0(ti,t-i))
Disadvantages of VCG
Pushes complexity onto bidders.
Reveals a lot of secured real information.
Possible to evolve very low-revenue outcomes.
Extremely vulnerable to collusion.
Unlimited budgets are required.
0924783 Page
34
CHAPTER 4
DESIGNING OF CDLE
4.1 Existing systems

Ad hoc networks are mostly more vulnerable to various types of attacks due to
dynamic mobility and open air interface medium for propagation when compare to
infrastructure centralized authority of fixed wired networks. Because of dynamic mobility
and decentralized authority, each node in the node must take care of itself to protect from
attacks. But it is too much of resources are wasted for the implementation of intrusion
detection scheme for every node. Hence nodes are grouped into cluster and cluster head
is elect to serve other node in network, where as selfish node with maximum resources
are not nominated for cluster head selection, because of self interest to save its own
power. Hence several existing schemes are proposed for mechanism design theory with
reputation scheme in the direction of provided incentives to make the node for active
participation in cluster head selection .In reputation scheme which are the node are not
trustworthy means then terminate from the network operation.
Aforesaid approaches with mechanism design model are only concentrates on
motivation of selfish nodes for active participation in network. Reputation based
mechanism design identifies that nodes which is misbehaving are supposed to be
terminate from network [34] [35].
4.2 Proposed systems

Proposed Priority Based Node Termination Control (PBNTC) attention is given to
the selfish node that is misbehaving during reputation process. In certain times most of
the nodes are behaving selfishly due its own nature for individual welfare at that instant
termination of misbehaving nodes in networks interrupt the overall communication due to
less enough nodes for transmission. Hence considerable concern must be needed when
terminating node from network even when nodes are misbehaving about revelation of
sensitive information such as resources level. Before terminating misbehave node in
network, priority level are calculated from node transmission activities in network.
0924783 Page
35
Therefore node with less priority level is easily terminated by reputation

mechanism. Cluster based selection with Priority based node termination control reduces
the percentage of leaders, single-node IDS implementation, with increasing average
cluster size. Number of alive nodes in networks is increases because of effective
termination control of nodes.
4.2.1 Cluster based leader selection (CDLE)

Leader election process are initiated due to launching of begin election message
by any node in networks.
Begin election message includes identity of node and hash value, cost of analysis
and time-stamp TSi under the time interval.
Node ni verifies each received message with its corresponding hash value and
then minimum valuation1 of cost of analysis with social SCF.
Done-Election message sent to inform the leader that he has been elected. In this
case, elected leader sends Confirm Leadership message to indicate its acceptance
of leadership.
Sends a copy of the payment back to calculate its reputation and compare it to the
threshold TH to avoid punishment.
Finally, selfish nodes might misbehave after election, which motivates us to select
random checkers to ensure a catch-and-punish scheme in order to motivate an
elected node to be faithful during the detection process [37].
4.2.2 Priority Based Node Termination Control

Misbehaving nodes are terminated from network by reputation catch and punish
process because of that selfish nodes functionality in network communication are
interrupted and then data packet drops are occurred, hence to overcome that proposed
Priority Based Node Termination Control (PBNTC) attention are given to the selfish node
that is misbehaving during reputation process. In certain times most of the nodes are
behaving selfishly due its own nature for individual welfare at that instant termination of
0924783 Page
36
misbehaving nodes in networks interrupt the overall communication due to less enough
nodes for transmission.
Hence considerable concern must be needed when terminating node from network
even when nodes are misbehaving about revelation of sensitive information such as
resources level. Before terminating misbehave node in network, priority level are
calculated from node transmission activities in network. Therefore node with less priority
level is easily terminated by reputation mechanism. Cluster based selection with Priority
based node termination control reduces the percentage of leaders, single-node IDS
implementation, with increasing average cluster size.
Algorithm
Cluster Ca, Cb, Cc

Ca = {a1, a2, a3, a4 a5}
Cb = {b1, b2, b3, b4, b5}
Cc= {c1, c2, c3, c4, c5}
Output function
P(Ca)= a j (o) + hi (a-i)
Ui (ti, 0 (ti, t-i)) = Pi - Vi(ti, 0(ti ,t-i))
Node ni Begin election (IDn, H (IDni, ci, TSi))

Node ni Election (IDni, ci, TSi)
If cluster leader! = ni ;

ni Leader IDS : Done election Leader

IDS ni : Confirm leadership

ni Leader IDS : Deliver payment = P(i)
0924783 Page
37
4.4 Optimized Mechanism design

Nodes perform function according to the own interest, totally n nodes are
participated in adhoc network represented as {ai, ai+1 ..an} and all nodes must have
private sensitive type information such as resources level and denoted as {ti, ti+1.tn}.
In mechanism-design output vector O (i) for agent I is determined from input agent i and
type vector t (i). Valuation function of each participant is resolute from private
information and output vector of every node Vi (t (i), o (i)). Vickrey-Clarke-Groves
(VCG) mechanism is used to achieve incentive compatibility which holds truthful
requests of nodes. Existing systems VCK model are modified for optimized mechanism
design to overcome the selfish nature and also to obtain the optimized output payment
vector.
Each node (ai, ai+1 an) selects strategy S1 from the strategy pool.
Output function O (i) = (ai, ai+1 an) is computed for every participant.
Payment function P (i) = P (ai, ai+1 an) also calculated [12] [34].
4.4.1 Social choice function

In mechanism design based intrusion detection model, nodes in networks are
enforced to reveal utility function with cost of analysis and valuation function to work out
the SCF. SCF are supposed to be minimized and computed in distributed manner and all
nodes in cluster are involved in selection process. A social choice function (SCF) is a
function f (t) X uses to assign a collective choice f (t1 ,t2 . . tn) to each possible profile
of the agents types t= (t1,t2 . . . tn) [12] [37].
SCF = Minimum (vi (ti , O (ti ,t-i))
0924783 Page
38
4.4.2 Cost of analysis

In mechanism design, mobile nodes in the network are the agent reveals its own
private information such that cost of analysis are computed based on node types(t)
categorized to normal and selfish . If node is normal and then node reveals true cost of
analysis otherwise it is supposed to be selfish.
Fairness and privacy are two criteria considered in cost of analysis in which node
with less resources are enforced to be contribute in reputation and then secret information
of node are concealed from malicious node.
Cost of analysis of every node is determined from power factor P () and SP.
C (i) = P ()
SP
Cost of analysis depends on two factors

Power factor
Sampling power
Power factor
Power factor P () of every node are calculated by dividing the time slots of
nodes into k timeslots with time duration (Ti) and energy level of nodes is represented as
{Ei, Ei+1, Ei+2 ..En}.
P () = Ei
KTi
Sampling power
Each node has reputation value Ri with sampling budget and then
percentage of sampling of node i is determined by ratio between reputation of node and
sum of reputation of node.
SP = Ri
Ri
0924783 Page
39
Least cost of analysis is needed for efficient reputation scheme which is achieved
by decreasing percentage of sampling with increasing power factor. Hence node with
high power cost efficient leader is selected by cost of analysis [12] [37].
4.4.3 Optimized payment function

The optimized payments are computes as follows.
P (i) = a j (o) + hi (a-i)
where hi (a-i) is an arbitrary function for real valuation of all agents except agent I
[12] [37].
4.4.4Optimized utilitarian function

Optimized Utility factor for every node is determined from valuation function
with attribute of output and payment function. Each agent maximizes utility vector based
on type of private information. In which mechanism design motivates each agent reports
truthfully about private information by maximizing utility factor is given as follows.
Ui (ti, 0 (ti, t-i)) = Pi - Vi(ti, 0(ti ,t-i))
Where t-i is type of agents except node i

Vi is valuation function of node i.
Pi is payment vector
0(ti) is possible outcomes of node i.
pi R is the payment is provided to every node in the form of reputation
[12] [37].
Jonathan
0924783 Page
40
CHAPTER 5
IMPLEMENTAION & SIMULATION OF CDLE
5 .1 Artefact Implementation
The performance evaluation of cluster dependent leader selection with proposed
priority based node termination control in mobile ad-hoc network under various
constraints such as node density, dynamic mobility have been simulated using NS2. The
simulation is determined by a trace file and performance of system was compared for
node density, dynamic mobility. Network simulator (NS-2) is carried out extensive
simulations to simulate the proposed to obtain priority base node termination control to
improve detection of misbehaving nodes , effective termination leads to increase number
of alive nodes with average cluster size and reduced number of leader nodes in cluster .
5.2 Simulation Grid set up

The objective of thesis is performance evaluation of cluster independent leader
election to detect intrusion detection with efficient termination control in MANET
environment. Initially, nodes (10 to 20) are randomly distributed in area of 1000 1000
within transmission range of each other. Nodes are grouped together and form clusters,
each cluster consists of 5 nodes among the five nodes and cluster head is selected by
connectivity approach. The node mobility is applicable in the range of 5 m/s to 10 m/s in
the model of random way point. CBR traffic is offered to probe route correctness and
packet size is 40 B. Performance metrics such as number of alive nodes, average cluster
size and number of leader nodes are evaluated. By connectivity approach, cluster with
fewer resources also elected as cluster head, hence to overcome that cluster dependent
leader election are enhanced by PBNTC to improve the number of alive nodes and also to
average cluster size. Cluster with high resources are elected as cluster header and then
reputation is used to distribute payment to selfish nodes for active participation in cluster
election process. Checker is used to monitor the resource level of every node in network.
Repudator is implemented to provide incentives to the selfish node and make them for
active participation in election process.
0924783 Page
41
5.2.1 Hardware Specifications
Processor : Pentium III 500MHz.

Monitor : SVGA
RAM : 128 MB SDRAM
Secondary Storage : 40GB HDD
Floppy Drive : 1.44 MB
5.2.2 Software Specifications
Simulation : Cygwin (NS-2)

Operating System : Windows 2000/XP
5.2.3 Simulation Parameters

Some simulation parameters are considered as follows
Parameters Value
Number of mobile nodes 10 ~40 nos
Node mobility 1 ~10 m/s
Mobility model Random way point
Packet size 40 bytes
Type of traffic CBR UDP
MAC protocol IEEE 802.11b
Pause time 0 sec
Number of cluster 4 (clusters)
Transmission speed 2.30162
Simulation time 10 minutes

0924783 Page
42
5.3 Performance metrics

Mobile ad hoc networks have several intrinsic characteristics such as dynamic
topology, limited bandwidth and battery multi-hop routing and distributed power control.
To judge the merit of cluster dependent leader selection with PBNTC and the
implementation of optimized mechanism design to select most cost efficient leader in
both qualitative and quantitative analysis are carried out to measure the suitability and
performance of intrusion detection in adhoc network. Performance metrics are used to
evaluate and also to improve efficiency of the cluster election process to detect and
effective termination of misbehaving nodes with reputation based mechanism design
theory. The performances metrics are number of alive nodes, percentage of detection
accuracy, average cluster size are evaluated.
5.3.1 Number of alive nodes

Numbers of nodes are present in network after termination of nodes by reputation
process.
5.3.2 Average cluster size
Average cluster size is the used to uniform distribution of load to all clusters in
network.
5.3.3 Percentage of detection

Percentage of detection is the numbers of malicious node are detected by intrusion
detection scheme.
5.4 Performance evaluation

Evaluation of the cluster dependent leader selection for intrusion detection in
adhoc networks with priority based node termination control is presented via network
simulations. Network Simulator (ns-2) version is used and the evaluation metrics are
calculated for increase the number of alive nodes and also to effective detection of
misbehaving nodes with high accuracy and also with average cluster size is achieved in
MANET.
0924783 Page
43
Number of alive nodes are improved by effective priority based termination

control with considerable effort are supposed to be taken to terminate the selfish nodes by
mechanism design based reputation scheme. Average cluster size is the number of nodes
in cluster and clusterA in networks are formed with equal number of nodes for every
cluster for uniform distribution of load to all clusters in network, hence average cluster
size is used for uniform distribution of number load and also reduce load collision occurs,
congestion occurs due to high number of nodes under single cluster head. Percentages of
detection of misbehaving nodes are improved due to most efficient cluster head are
selected based on mechanism design theory. high performance is achieve din detection of
misbehaving nodes are achieved by the proper implementation of priority based node
termination control with mechanism design theory in cluster dependent leader elect to
detect the intrusion in adhoc network.
5.4.1 PBNTC implementation

Efficient removals of selfish nodes are acquired by PBNTC implementation in
cluster dependent leader election by mechanism design based reputation scheme. Hence
numbers of alive nodes are efficiently maintained.
5.4.2 Cluster dependent leader selection

Leader to detect intrusion in network are performed by efficient leader election
after the formation of cluster of nodes. hence high effective maintenance are achieved
with the election of cluster head and also for uniform distribution of load and network
resources to all cluster in networks to reduce network congestion collision.
5.4.3 Mechanism design with VCK model

Mechanism design theory with reputation scheme is used to elect cost most
efficient leader is elected by providing proper incentives provided to selfish node to make
active participation in network transmission and also amount of incentives provided to
selfish node are computed by Vickrey Clarke , groves and then optimized payment is
provided to node for active participation for the active involvement for cluster election
0924783 Page
44
process to elect the most cost efficient cluster head with maximum resource so serve the
other nodes in cluster.
5.5 Ns2 Network Simulator Tool

Ns2 is a simulation tool developed South-California University and redeveloped.
NS2 was developed with Tool Command Language (TCL) script, C++ and C languages.
TCL is a control language and C used for the header file and C++ used for data. Wired,
wireless and Satellite networks can be simulated using ns2 script. *.tcl extension is used
to save the files.
5.5.1 Objectives of Ns2

Ns2 is mainly used in network research environment and education purposes. For
example: Protocol design, protocol evaluation and traffic learning etc.
It offers a shared situation with generously distributed, originator and permits a
simple assessment of similar protocols raises assurance in results. Possible to
obtain several levels of aspects in on simulator.
It supports the FreeBSD, Linux, Solaris, Windows and Macintosh operating
systems. It provides good setup for wired and wireless simulations.
5.5.2 Wired network environment

In Wired environment, TCP and UDP protocols are mainly used for establishing a
connection between two nodes. FTP (File Transfer Protocol), Telnet (Tele Network) and
CBR (Constant bit rate) are used to generate traffic in a network. Queuing order is also
stipulated. They are drop-tail, RED, FQ, SFQ and DRR.
Routing - DV, LS, PIM-SM
Transportation TCP, UDP
Traffic Sources web, FTP, Telnet, CBR, Stochastic
Queuing disciplines drop-tail, RED, FQ, SFQ, DRR
QoS Intserv and Diffserv
0924783 Page
45
5.5.3 Wireless environment

In Wireless Network, connection has been established between two nodes using
TCP/ UDP protocols and traffic is generated using FTP (File Transfer Protocol), Telnet
(Tele Network), CBR(Constant bit rate) as same as wired network. Wireless supported
classes must be used for creating wireless network. Ns2 presents different utilities like
Tracing and Visualization. Network AniMator (NAM) is used to achieve the visualization
and it gives GUI interface to create Ns scripts (TCL). XGraph achieve trace analysis.
Wireless networks: Adhoc routing and Mobile IP
Directed diffusion, sensor-MAC
5.5.4 Mobility in network simulator

CMUs Monarch group was contributed an original mobility model. UCB, Sun
Microsystems, ISI etc contributed models (not integrated) in wireless ns comprises
Blueware, BlueHoc, Mobiwan, GPRS, CIMS etc. Mobile node at center of mobility
model and mobile nodes can be moved in a specified topology. They can transmit signals
to wireless channels. Wireless network stack consists of LL, ARP, MAC, IFQ etc and it
permits multi-hop ad hoc networks, wireless LANs, sensor networks simulations etc.
Example for wireless ad hoc routing
Creation of mobile nodes with n number
Topology is created for moving within 670mX670m
Using AODV ad hoc routing protocol
Random Waypoint mobility model
TCP is used for establishing a connection and CBR used for
creating traffic
5.5.5 Nam Visualization
Nam file is used for visualization
Mobile node position
Mobile node moving direction and speed
Energy consumption at nodes (color keyed)
Replace
0924783 Page
46
Block diagram:
Leader election Reputation
Packet transmission
Intrusion Detection CDLE with PBNTC Node termination
Mechanism design
Flow diagram:
Number of nodes
Formation of cluster
CDLE
Non participation of
Selfish node
Reputation
PBNTC
Effective node Removal
0924783 Page
47
CHAPTER 6
COMPARATIVE TESTING & EVALUATION
6.1 Simulation Results

Simulation results are obtained based on the performance evaluation of cluster
dependent leader election for intrusion detection in adhoc environment. Performance
metrics such as number of alive nodes, average cluster size, percentage of detection ratio
are evaluated for PBNTC implementation of cluster based intrusion detection in adhoc
networks.
6.1.1 Number of alive nodes

Number of alive nodes in network is increased by proper termination of nodes by
reputation punishment scheme because implementation of cluster dependent leader
selection for intrusion detection with PBNTC implementation. Proposed PBNTC
increases number of alive nodes because of cluster based intrusion detection enhances the
power consumption of nodes, hence battery power is maintained for long time, prolong
lifetime of MANET nodes also improved.
Graph 1
0924783 Page
48
Graph1 shows that PBNTC improves the number of alive nodes by proper termination
with efficient prolong lifetime of MANET by regular distribution of power consumption
of nodes. It balances the resource consumption of IDS in every node of network and
recover node from selfish behavior
6.1.2 Average cluster size

Average numbers of nodes are maintained in every cluster of network to balance
the load consumption and equivalent distribution of load to every node in network. Hence
average cluster size is maintained in every cluster to improve the power consumption of
nodes by efficient cluster formation of nodes.
Graph 2
Graph 2 illustrates that proposed PBNTC implementation of cluster dependent leader
selection improves average cluster size better than connectivity model. It makes active
participation in forwarding data packet of other nodes. VCG mechanism is used to
evaluate the amount of incentives and also be the truth telling is dominant strategy.
0924783 Page
49
6.1.3 Percentage of detection

Percentage of detection accuracy is improved because of cluster head monitors
the nodes in cluster and then efficient detection is achieved with enhanced inspection of
nodes by cluster head.
Graph3 shows that, percentage of detection f proposed PBNTC performs better

than connectivity because cluster head only responsible to detect the intrusion. Hence
efficient formation of cluster with average cluster size is achieved by cluster dependent
leader selection, percentage of detection accuracy is improved due to most cost efficient
selection of cluster head improves the detection accuracy.
6.2 Testing Results

Testing is carried out in proposed priority based node termination control to verify
proposed technique satisfies the necessities and requirements that motivate to move one
step forward from already existing systems. Hence two types of testing are suppose to be
conceded in intrusion detection in MANETS. First test is functional testing in which
actions are performed on proposed system to verify that obtained output in accordance
with input and requirements to meet for efficient improved systems.
0924783 Page
50
6.2.1 Functional testing
Five steps are executed on proposed systems to enhance functional testing in it.
Identifies the requirements to meet and functions that are expected to perform
by proposed system.
Inputs are fashioned based on functional specifications.
Output is determined based on functional specifications.
Execution of test case
Comparison of actual and expected output.
Functional testing n MMR-BS with adaptive ARQ cross layer design
i) Requirements : Efficient intrusion detection, selfish node termintaion control

based on functional priority
ii) Input: Sufficient resources, Repudator, mechanism design
iii) Expected output:
Decisive factor Expected value

Number of alive nodes 50
Average cluster size 6

Percentage of detection 85%
iv) Functional testing is performed on proposed systems based on determined

criterias.
0924783 Page
51
v) Comparisons of existing and proposed systems:
Decisive factor Existing Proposed

Number of alive nodes 45 50
Average cluster size 7-8 6(constant)
% of detection 65% 85%
Hence proposed systems are validated and check out through functional testing and then
finally found and ensure that proposed systems satisfies all the criterias that is expected
to meet depart from existing systems.
0924783 Page
52
6.3 Existing System
INITIAL POSITION OF NODES:
The network consists of three clusters in the form of cluster dependent and contains the
checker and reputator.
0924783 Page
53
LEADER ELECTION AND PACKET TRANSFER IN CLUSTER1:
The cluster1 selects Node5 as leader by connectivity based approach and transfer the
packets to Node1, 2, 3, 4.
SELFISH NODES AND FAKE MESSAGES:
0924783 Page
54
The selfish node Node3 and Node4 contains the resource as private information and
injects fake messages regarding the resource for their own benefit.
REPUTATORS TO MAKE SELFISHNODE TRUSWORTHY:
The reputator is used to make the selfish nodes trustworthy by providing more
incentives to the selfish node.
0924783 Page
55
SELFISH NODE TERMINATES FROM CONNECTION:
Even though the reputators providing incentives the selfish node with high resource
terminate from connection and life time of leader reduced thus results in network
termination.
0924783 Page
56
0924783 Page
57
The reputator is used to make the selfish nodes trustworthy by providing more
incentives to the selfish node.
0924783 Page
58
termination.
0924783 Page
59
The reputator is used to make the selfish nodes trustworthy by providing more incentives
0924783 Page
60
to the selfish node.

termination.
0924783 Page
61
6.4 PROPOSED SYSTEM:
INITIAL POSITION OF NODES:
The network contains three clusters in the form of cluster dependent and contains the
checker and reputator.
LEADER ELECTION AND PACKET TRANSFER:
0924783 Page
62
SELFISH NODES NODE3 AND NODE4:
The life time of leader is to be reduced and selfish nodes send fake messages to checker
regarding the resource information for their own benefit.
0924783 Page
63
The reputator is used to make the selfish nodes trustworthy by using the VCG Model
providing more incentives.
SELFISH NODE3 SELECTED AS LEADER1:
0924783 Page
64
The selfish node Node3 is selected as leader1 by Leader Election Algorithm and to
transfer the packets between nodes.
ACKNOWLEDGMENT FROM NODES AND LIFE TIME REDUCED:
The acknowledgment is received from nodes to leader and lifetime is reduced in the
leader.
0924783 Page
65
The selfish node Node4 with maximum resource is selected as leader1 by Leader
Election Algorithm to prevent the termination of connection and to transfer the packets
between nodes.
ACKNOWLEDGMENT FROM NODES:
The acknowledgment is received from nodes to leader reduced in the leader.
0924783 Page
66
LEADER2 ELECTION AND PACKET TRANSFER:
0924783 Page
67
0924783 Page
68
leader.
0924783 Page
69
between nodes.

LEADER3 ELECTION AND PACKET TRANSFER:
0924783 Page
70
0924783 Page
71
0924783 Page
72
leader.
between nodes.
0924783 Page
73
PERFORMANCE EVALUATION:
GRAPH:
0924783 Page
74
The performance evaluation for the number of alive nodes, average cluster size and
Detection accuracy is evaluated between the Pbntc and connectivity.
0924783 Page
75
CHAPTER 7
CONCLUSION
In this paper various types of attacks and intrusion detection types are deliberately
studied. Cluster dependent intrusion detection in adhoc networks with mechanism design
theory is completely investigated and then results are obtained to achieve efficient
detection. Performance of various cluster leader selection scheme is analyzed and studied.
Leader election models CDLE and CILE leader are completely investigated and also
analyzed how network throughput is increased. Mechanism design theory with Vickrey,
Clarke, and Grovess computation is also studied and reputation scheme to provide
incentives for selfish nodes. Propose a well-organized Priority Based Node Termination
Control intrusion detection method to detect selfish and terminate selfish node depends
upon the functionality in network in order to preserve resources of ad hoc networks.
Proposed Priority Based Node Termination Control (PBNTC) is performed better
detection accuracy and also simulated using NS2 simulator. Performance effectiveness of
PBNTC was reviewed on the metrics by analytical and simulation models. The PBNTC
control effectively terminates the selfish node with considerable efforts are taken and
then reputation scheme with mechanism design theory are used to make active
participation of node in cluster head selection. Cluster dependent leader selection
performs better than cluster independent leader selection because of single node cluster
head are reduced by efficient formation of cluster. Hence, cluster dependent leader
selection with PBNTC implementation has shown the better performance to achieve high
optimized detection accuracy. Performance of PBNTC approach demonstrates a high
detection rate under different highly dynamic misbehaving environments. NS-2 Simulator
are used to measure the efficiency of proposed Priority Based Node Termination Control
intrusion detection method.
0924783 Page
76
References
[1] R. Ramanathan and J. Redi (2002), A Brief Overview of ad hoc networks:

challenges and Directions, IEEE Communication magazine, volume 40, issue 5,
May. 2002.
[2] Josh Broch David, A. Maltz David B (1988), A Performance Comparison of
Multi-Hop Wireless Ad Hoc Network Routing Protocols Proceedings of the
Fourth Annual IEEE International Conference on Mobile Computing and Networking,
volume 21, issue 3, 1988.
[3] Jyoti Jain, Mehajabeen Fatima (2008), Overview and challenges of routing
protocol and Mac layer in mobile ad-hoc networks, volume 20, issue 7, May.
2008.
[4] Foong Heng Wai, Yin Nwe Aye, Ng Hian James (2007), Intrusion Detection in
Wireless Ad-Hoc Networks, volume 5, issue 9, May. 2007.
[5] Paul Brutch (2003), Challenges in Intrusion Detection for Wireless Ad-hoc
Networks Proceedings of symposium on application and the internet workshop,
USA 2003.
[6]Wensheng Zhang, R. Rao, Guohong Cao (2003), Secure routing in ad hoc
networks and a related intrusion detection problem Proceedings of IEEE
international conference on military communication, volume 9, issue 12, October ,
2003.
[7] Yongguang Zhang, Wenke Lee (2000), Intrusion Detection in Wireless Adhoc
th
Networks Proceedings of 6 annual international conference on mobile
communication networking, USA 2000
[8] Kun Sun, Pai Peng, Peng Ning (2006), Secure Distributed Cluster Formation in
nd
Wireless Sensor Networks proceedings of 22 IEEE conference on computer
security applications, USA 2006.
[9] Abhijit Deodhar and Ritesh Gujarathi A Cluster Based Intrusion Detection System
for Mobile Ad Hoc Networkswww.citeseer.com
0924783 Page
77
[10] Sharmila John Francis and Elijah Blessing Rajsingh (2009), Performance
Analysis of Clustering Protocols in Mobile Ad hoc Networks International
journal of computer science and security, volume 3, issue 5, pages 334-354, 2009.
[11] Navneet Malpani Jennifer L. Welch, Nitin Vaidya (2000), Leader Election
th
Algorithms for Mobile Ad Hoe Networks Proceedings of 4 IEEE international
workshop of discrete algorithm and methods for mobile computing and
communications, 2000, USA.
[12] Min-You Wu, Wei Shu (2004), RPP: A Distributed Routing Mechanism for
Strategic Wireless Ad hoc Networks Proceedings of IEEE international conference
on Global telecommunication, 2004
13. Giovanni Vigna, Sumit Gwalani, Kavitha Srinivasan (2004), An Intrusion
Detection Tool for AODV-based Ad hoc Wireless Networks Proceedings of IEEE
international conference on computer security applications, Vol. 8, Issue 9 2004
14. Ipsa De, Debdutta Barman Roy (2004), Comparative study of Attacks on AODV-
based Mobile Ad Hoc Networks International Journal on Computer Science and
Engineering (IJCSE) , volume4, issue2 , pages 320-350 , 2004
15. Satria Mandala Md. Asri Ngadi (2006), A Survey on MANET Intrusion Detection
volume 40, issue 5, May. 2006.
16. Wenjia Li and Anupam Joshi Security Issues in Mobile Ad Hoc Networks - A
Survey www. citeseer .in
17. Marjan Kuchaki Rafsanjani (2008), Investigating Intrusion Detection Systems in
MANET and Comparing IDSs for Detecting Misbehaving Nodes, Proceedings of
world academy of science engineering and technology, USA, 2008.
18. Oleg Kachirski, Ratan Guha (2003), Effective Intrusion Detection Using Multiple
th
Sensors in Wireless Ad Hoc Networks Proceedings of 36 annual Hawaii international
conference on systems science, 2003, USA.
19. S.Neelavathy Pari 1, D.Sridharan (2010), A Performance Comparison and
Evaluation of Analyzing Node Misbehaviour in MANET using Intrusion Detection
System International journal on computer science and engineering technology , volume
1, issue1 , pages 35-40 , India 2010.
0924783 Page
78
20. Sunita Sahu1, Shishir K. Shandilya (2010), A comprehensive survey on intrusion

detection in MANET International journal of information technology and knowledge
management, volume 2, issue 2, pages 305-3010, 2010.
21. Farooq Anjum, Dhanant Subhadrabandhu Saswati Sarkar (2003), Signature based
Intrusion Detection for Wireless Ad-Hoc Networks: A Comparative study of various
TH
routing protocols IEEE 58 Conference on vehicular technology , 2003, USA
22. Marjan Kuchaki Rafsanjani (2004), An evaluating intrusion detection systems
and comparison of intrusion detection techniques in detecting misbehaving nodes in
MANET, volume 1, issue 2, May. 2004.
23. Yian Huang Wenke Lee (2003), A Cooperative Intrusion Detection System for
Ad Hoc Networks Proceedings of ACM international workshop on security adhoc and
sensor networks , USA , 2003.
24. Sumitra Menaria, Prof Sharada Valiveti, Dr K Kotecha (2010), Comparative study
of Distributed Intrusion Detection in Ad-hoc Networks International journal of
computer applications, volume 8, issue 9, pages 678-690, October 2010, India.
[25] Mohammad Saiful Islam Mamun, A.F.M. Sultanul Kabir (2010), Hierarchical
design based intrusion detection system for wireless ad hoc sensor network
International journal of network security and its applications, volume 2, issue 3, pages
421-438, 2010.
[26] A. Agah, S.K. Das, K. Basu, and M. Asadi (2004), Intrusion detection in sensor
networks: A non-cooperative game approach In Proceedings of the Third IEEE
International Symposium on Network Computing and Applications (NCA'04), pages 343-
346, August-September 2004.
[27] T. Alpcan and T. Basar (2003), A game theoretic approach to decision and
analysis in network intrusion detection In Proceeding of the 42nd IEEE Conference
on Decision and Control (CDC), December 2003.
28. Noman Mohammed, Lingyu Wang (2008), A game-theoretic intrusion detection
model for mobile ad hoc networks International journal on computer communication ,
Volume 31 , Issue 4 , Pages march 2008 ,Netherlands .
0924783 Page
79
[29] Yu Liu, Cristina Comaniciu, Cristina Comaniciu (2006), A Bayesian Game

Approach for Intrusion Detection in Wireless Ad Hoc Networks Proceedings of the
workshop on game theory for communication networking, USA, 2006.
[30]. T.V.P.Sundararajan, Dr. A.Shanmugam (2007), Behavior Based Anomaly
Detection Technique to Mitigate the Routing Misbehavior in MANET International
journal Of computer science and security , volume 3, issue 2, Pages 325-336 ,Malaysia,
2007
[31] Sheng Zhong, Jiang Chen and Yang Richard Yang (2004), Sprite: A Simple,
Cheat-Proof, Credit-Based System for Mobile Ad-Hoc Networks IEEE international
conference on information and technology, USA, 2004.
[32] Qi He, Dapeng Wu and Pradeep Khosla (2006), SORI: A Secure and Objective
Reputation-based Incentive Scheme for Ad-hoc Networks IEEE international
conference on wireless communication and networking, USA, 2006.
[33]Animesh Kr Trivedi1, Rajan Arora1, Rishi Kapoor1 (2006), A Semi-distributed
Reputation-based Intrusion Detection System for Mobile Adhoc Networks
International Journal of Information Assurance and Security, volume 1, issue 4, pages
265 -274 , December 2006 .
[34] Sonja Buchegger, Le Boudec (2001), Performance Analysis of the CONFIDANT
Protocol (Cooperation of Nodes: Fairness in Dynamic Adhoc NeTworks)
Proceedings of IEEE symposium on computer communications, USA, 2001.
[35] Pietro Michiardi and Refik Molva (2002), CORE: A Collaborative Reputation
Mechanism to enforce node cooperation in Mobile Ad hoc Networks International
th
6 joint working conference on communication and multimedia and security, Boston ,
2002 .
[36] Joan Feigenbaum, Christos Papadimitriou, Rahul Sami, Scott Shenker (2002),
st
A BGP-based Mechanism for Lowest-Cost Routing Proceedings of 21 annual
symposium on principles of distributed communication, USA, 2002.
[37] Hadi Otrok, Joan Feigenbaum and Scott Shenker (2005), Distributed Algorithmic
Mechanism Design: Recent Results and Future Direction, volume 6, May. 2005.
0924783 Page
80
[38] Noman Mohammed, Hadi Otrok, Lingyu Wang (2007), Mechanism Design-Based
Secure Leader Election Model for Intrusion Detection in MANET, volume 40, issue
5, May. 2007.
APPENDIX
1. POSTER
2. USER GUIDE
3. QUESTIONS OF MARKET SURVEY
0924783 Page
81
CLUSTER BASED LEADER ELECTION MECHANISM

FOR INTRUSION DETECTION IN MANET
Name FAZALUDDIN SHAIK Supervisor Name Dr. ENJIE LIU

ID - 0924783 Degree MSc COMPUTER NETWORKING
Introduction Artefact Implementation
PBNTC controls the selfish node termination by The performance evaluation of cluster
reputation process in mechanism design theory dependent leader selection with proposed
because the existence of selfish node with high priority based node termination control in
resources are needed for efficient packet mobile ad-hoc network under various
transmission . Cluster based selection with constraints such as node density, dynamic
PBNTC reduces the percentage of leaders, mobility have been simulated using NS2 to
single-node IDS implementation, with simulate the proposed to obtain priority base
increasing average cluster size. node termination control to improve detection
of misbehaving nodes , effective termination
Problem: In ad-hoc networks, set of one-hop leads to increase number of alive nodes with
neighbor nodes forms a cluster. To detect and average cluster size and reduced number of
prevent the intrusion in network, IDS are leader nodes in cluster .
implemented in cluster head. But here the
selection of cluster head among nodes in
cluster is difficult due to selfishness of node. To
select the cluster head, two criteria must be
taken in account such as Maximum resources
and Connectivity.
Aim: Propose a well-organized Priority Based
Node Termination Control intrusion detection
method to detect selfish and terminate selfish
node depends upon the functionality in network
in order to preserve resources of ad hoc
networks.
Objectives:
A- To evaluate the performance of leader
election models CDLE and CILE leader to
improve the network throughput. Conclusion
B- Mechanism design theory with Vickrey, NS-2 simulation demonstrates the cluster dependent
Clarke, and Grovess computation are studied leader selection with PBNTC implementation has
to provide incentives for selfish nodes. shown the better performance to achieve high
optimized detection accuracy. Performance of
Software Specifications: NS-2 Cygwin / PBNTC approach demonstrates a high detection
rate under different highly dynamic misbehaving
Window 2000/XP
environments.
Methodology:
References
1- Sharmila John Francis and Elijah Blessing Rajsingh
(2009), Performance Analysis of Clustering Protocols
in Mobile Ad hoc Networks International journal of
computer science and security, volume 3, issue 5, 2009.
2- Giovanni Vigna, Sumit Gwalani, Kavitha Srinivasan
(2004), An Intrusion Detection Tool for AODV-based Ad
hoc Wireless Networks Proceedings of IEEE international
conference on computer security applications, Vol. 8, Issue
9, 2004
0924783 Page
82
2 USER GUIDE MANUAL

INSTALLING CYGWIN
1) Go to http://www.cygwin.com/install.html ;
2) To be installed the Ns-allinone file
3) Copy to Home Administrator.
4) Open it
5) Install in the local Dir.
6) Location
7) Press there
8) Finish
9) Go to copy on Bashrc file.
10) To be joined all the files under Administration folder.
Network Simulator - 2 Installation Manual:
1) Click on Cygwin
2) Enters "startxwin.bat"
3) cd C:
4) cd cygwin
5) cd home
6) cd ns-Allinone
7) ./install
8) ns tcl
0924783 Page
83
To simulate the project under NS2;
a- Location is C:\cygwin\home\Administrator
b- Consequently then click the icon to go forward.
The minority Screenshots to be installed the Cygwin:
1- First created Cygwin Window.
0924783 Page
84
2- Have to write over it is startxwin.bat for appearing Network Simulator- 2

window.
3- Second window comes infornt of us via the software of Cygwin.
0924783 Page
85
4- Just write the - ns test.tcl
5- In this manner, we will easily execute the Implementation of our Aim.
0924783 Page
86
3. MARKET SURVEY QUESTIONS
0924783 Page
87
0924783 Page
88
0924783 Page
89
0924783 Page
90

Fazaluddin Shaik 0924783: Cluster Based Leader Election For Intrusion Detection in Manet

Diunggah oleh

Informasi Dokumen

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Fazaluddin Shaik 0924783: Cluster Based Leader Election For Intrusion Detection in Manet

Diunggah oleh

Hak Cipta:

Format Tersedia

CDLE MECHANISM for INTRUSION DETECTION in MANET

CLUSTER BASED LEADER ELECTION MECHANISM

MSc Computer Networking

Masters Thesis Report

Department of Computer Science & Technology

Unit Leader - Dr Fiaz Hussain

In rapid progressive development, Ad hoc networks also made very attractive

Lastly, I am honestly thankful to all my acquaintances who circuitously supported me in this

I feel proud to dedicate my dissertation to my loving father Mr.Shaik.Fayasudduin and mother

2. LITERATURE REVIEW O N CLUSTER BASED INTRUSION DETECTION

2.6.2 Local intrusion detection Systems22

5. IMPLEMENTATION & SIMULATION OF CDLE

6. COMPARATIVE TESTING & EVALUATION

3. QUESTIONS OF MARKET SURVEY..87

1- Number of Alive nodes48

A mobile ad hoc network (MANET) is a self-configuring network formed with collection

1.1 Background of ad hoc network Vulnerabilities

Absence of infrastructure: An ad hoc network without any fixed infrastructure which

1.1.1 Challenges to accomplish security in MANETS

1.2 Need for intrusion detection

1.2 .1 Intrusion detection

1.2.2 Problems of intrusion detection in MANETS

1.3 Cluster based intrusion detection

1.3.1 Leader selection

1.3.2 Mechanism design

1.4 Problem assertion

1.5 Contribution as Aim

1.6 Objectives of project

1.7 Thesis layout

2.1 Attacks against Routing

2.2 Attacks against routing protocols

Black hole attack

2.3 Attacks against packet forwarding

Denial of service (DoS)

2.4 Security criteria

2.5 Intrusion detection

2.5.1 Types of intrusion detection

Network Based (NIDS)

Host Based (HIDS)

2.5.2 Based on detection techniques

Signature or Misuse based IDS

Anomaly based IDS

Specification based IDS:

Leader PBNTC Leader

2.6.1 Standalone IDS

2.6.2 Local intrusion detection Systems

Data collection module

ii) Cooperative detection engine

iii) Response engine

2.6.3 Hierarchical architecture

Cluster based intrusion detection system

2.6.4 Mobile agent architecture

3.1 Game theoretic intrusion detection

3.2 Bayesian game theory approach

3.2.1 Bayesian Hybrid detection approach

3.2.2 Perfect Bayesian Equilibrium Analysis (PBE)

3.3 Behavior based anomaly detection

3.3.1 Negative self approach

3.4 Sprite: A Simple, Cheat-Proof, Credit-Based System

3.5 Secure and objective reputation based incentive (SORI)

3.6 CONFIDANT (Cooperation of Nodes: Fairness in Dynamic Adhoc Networks)

Where R (si/h) is subjective reputation with the function of h

3.8.1 Main objectives