International Journal of Research and Reviews in Computer Science (IJRRCS) Vol. 1, No. 3, September 2010
against denial of service attacks, with adversaries simply discarding data packets. The security requirements in ad hoc networks are similar to those in other networks. The goal is to protect the information transmitted and the resources in the network from malicious activities (Deng et al., 2002). These requirements include availability of network services; authentication of users, to ensure that a malicious user cannot masquerade as a trusted user; confidentiality of the information transmitted in the network; integrity of the information, to ensure that it is not modified by an unauthorized entity; and non-repudiation, to ensure that a node cannot deny having sent a message that it originated (Subhadrabandhu et al., 2004).

1.3 Intrusion Detection System

An Intrusion Detection System (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems, mainly through a network such as the Internet (Alia Fourati, Khaldoun Al Agha, 2007). These attempts may take the form of attacks by, for example, crackers, malware and/or disgruntled employees. An IDS cannot directly detect attacks within properly encrypted traffic. An intrusion detection system is used to detect several types of malicious behavior that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).

An IDS can be composed of several components: sensors, which generate security events; a console to monitor events and alerts and to control the sensors; and a central engine that records the events logged by the sensors in a database and uses a system of rules to generate alerts from the security events received. There are several ways to categorize an IDS, depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS implementations all three components are combined in a single device or appliance.

2. Related Work

The proposed IDSs for MANET can be classified using the parameters discussed in the previous sections, i.e. architecture, attacks, and IDS detection techniques [2]. Most MANET IDSs tend to have distributed architectures or variants of them. The IDS architecture may depend on the network infrastructure, but the most important thing is the reason the architecture has to be configured in a distributed manner.

As the nature of a MANET is so open, attacks can be generated from any node within the MANET itself or from nodes of neighboring networks. Unfortunately, this kind of network lacks central administration, so it is difficult to implement a firewall or an IDS at strategic points. Moreover, each node can work as client, server or router, and packet delivery needs collaboration among the nodes participating in the network. For these reasons, the IDS of a MANET should have characteristics that follow these natures: distributed and collaborative. The advantage of using a distributed architecture is that a security incident can be detected earlier. However, this architecture needs considerable resources, which is difficult to implement in small wireless devices such as PDAs.

The existing MANET IDSs have various methods to detect and respond to these attacks. The proposed IDSs are designed for detecting intrusion activities in the routing protocol of a MANET. The proposed one extends the GODOM algorithm on MANET to detect misbehaving nodes and react to them whether they originated from outside the community's network or from inside (both cases). The proposed IDS in DSR has the following advantages compared to the existing GODOM:
a. Effective coverage of the given network terrain to detect attacks (uncovered subspaces)
b. Detection of a greater number of DSR attacks, and
c. Higher efficiency and lower cost of execution

There are three main types of systems in which an IDS can be used: network, applications and hosts. In a network-based intrusion-detection system (NIDS), the sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. The sensor captures all network traffic and analyzes the content of individual packets for malicious traffic. In application systems, PIDS (protocol-based IDS) and APIDS (application protocol-based IDS) [2] are used to monitor the transport and application protocols for illegal or inappropriate traffic or constructs of a language; examples are forged SQL queries that attempt to delete database records, and viruses in emails.

In a host-based system, the sensor usually consists of a software agent which monitors all activity of the host on which it is installed; examples are attempts to modify the master boot record, key loggers, and file access. Depending on the detection techniques used, IDSs can be classified into three main categories (A. Hijazi and N. Nasser 2005): signature- or misuse-based IDS, anomaly-based IDS, and specification-based IDS, which is a hybrid of the signature-based and anomaly-based IDS.

The signature-based IDS uses pre-known attack scenarios (signatures) and compares them with the incoming packet traffic. There are several approaches to signature detection, which differ in the representation and matching algorithm employed to detect the intrusion patterns. Detection approaches such as expert systems (T. F. Lunt, R. Jagannathan, 1998), pattern recognition (M. Esposito, C. Mazzariello, 2005), colored Petri nets (S. Kumar and E. Spafford, 1994), and state transition analysis (P.A. Porras and R. Kemmerer, 1992) are grouped under misuse detection. Meanwhile, the anomaly-based IDS attempts to detect activities that differ from the normal expected system behavior (Bo Sun, Lawrence Osborne, Yang Xiao, Sghaier Guizani, 2007). This detection has several techniques, i.e. statistics (P. Porras and A. Valdes, 1998), neural networks (H. Debar, M. Becker and D. Siboni, 1992), and other techniques such as the Chi-square test (N. Ye, X. Li, 2001). The specification-based IDS monitors the current behavior of systems according to specifications that describe the desired functionality of security-critical entities (C. Ko, J. Rowe, P.
Brutch, K. Levitt 2001). A mismatch between the current behavior and the specifications will be reported as an attack.

In misuse detection (signature detection), each instance in a data set is labeled as "normal" or "intrusive" and a learning algorithm is trained over the labeled data. These techniques are able to automatically retrain intrusion detection models on different input data that include new types of attacks, as long as they have been labeled appropriately. Unlike the signature-based IDS [9], models of misuse are created automatically and can be more sophisticated and precise than manually created signatures (Subhadrabandhu, D., S. Sarkar and F. Anjum, 2004). The signature IDS [9] has a high degree of accuracy in detecting known attacks and their variants. Its disadvantage is that it cannot detect unknown intrusions, and it relies on signatures extracted by human experts. This method uses specifically known patterns of unauthorized behavior to predict and detect subsequent similar attempts. These specific patterns are called signatures.

For host-based intrusion detection [10], one example of a signature is "three failed logins". For network intrusion detection, a signature can be as simple as a specific pattern that matches a portion of a network packet. The occurrence of a signature might not signify an actual attempted unauthorized access. Depending on the robustness and seriousness of the signature that is triggered, some alarm, response, or notification should be sent to the proper authorities.

3. Proposed System

The proposed work presents an enhanced GODOM algorithm for secured packet transmission in the DSR protocol. It improves the effective detection coverage in the given ad hoc network scenario. It also extends the GODOM algorithm to handle intrusion attacks even in undefined geometric subspaces.

Every communicating node is able to reach the active packet-monitoring nodes. The proposed enhanced GODOM evaluates the pre-specified number of hops the protocol should adapt. It also identifies active nodes even in subspaces where the geometry is undefined. The status IDS will check every packet using threshold values generated in due course of secured transmission with enhanced GODOM. A packet is marked as abnormal when its transmission value crosses the specified threshold values. The scalability of intrusion attacks in larger networks is handled efficiently by the effective placement of active nodes across the network terrain, even in uneven subspaces.

The proposed solution uses the existing GODOM (GeOmetric DOMinated set) algorithm to find a larger number of active nodes in a MANET. The GODOM algorithm helps a node to find out the number of neighboring nodes around it, and if it has more neighbor nodes then it is selected as an active node. This algorithm will be installed with the DSR protocol algorithm: when the DSR protocol starts execution, the GODOM algorithm will also execute along with it. The proposed solution uses a STAT (State Transition Analysis Technique) based IDS designed for detecting attacks against the DSR routing protocol.

4. Geometric Dominated Set Algorithm

The GODOM algorithm uses a special technique to find the active insider nodes, called the dominated set, meaning that supremacy is given to the particular nodes that help to monitor network threats. In control flow graphs, a node 'd' dominates a node 'n' if every path from the start node to 'n' must go through 'd'. Every node dominates itself. The dominators of a node 'n' are given by the maximal solution to the following data-flow equations, where 'n_0' is the start node: the dominator of the start node is the start node itself, and the set of dominators for any other node 'n' is the intersection of the sets of dominators of all predecessors 'p' of 'n'.

Dominated set pseudocode algorithm solution:

// Dominator of the start node is the start itself
Dom(n_0) = {n_0}
// for all other nodes, set all nodes as the dominators
for each n in N - {n_0}:
    Dom(n) = N
// iteratively eliminate nodes that are not dominators
while changes in any Dom(n):
    for each n in N - {n_0}:
        Dom(n) = {n} union (intersection over all p in pred(n) of Dom(p))

The direct solution is quadratic in the number of nodes, or O(n^2). There is an algorithm that is almost linear, but its implementation tends to be not much more complex and time consuming for a graph of several hundred nodes or less. The proposed algorithm uses geometric information to select the IDS active insiders. This heuristic can be used in topologies where all insiders have equal transmission ranges, denoted as 'r'. Thus, two insiders are neighbors if and only if the distance between them is less than or equal to 'r'. The network is covered by the minimum possible number of circles, each with range 'r'. Each IDS-capable insider knows or computes the coordinates of the centers of the circles. Each insider knows its own coordinates (e.g., by using the Global Positioning System (GPS) or other existing techniques). An insider

Figure 1. Finding Active Nodes using GODOM Algorithm
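As an added example (not code from the paper or from any GODOM implementation), the following Python builds the neighbor graph from the range rule of Section 4 (two insiders are neighbors iff their distance is at most r), runs the dominator data-flow iteration from Section 4 over it, and reports the insiders that dominate some other node. The sample coordinates, the range value and the choice to treat every radio neighbor as a predecessor are constructed assumptions; reading "nodes that dominate others" as the IDS placement is also an assumption, since the paper does not state how the two steps are joined.

```python
import math
from itertools import combinations

# Constructed sample topology (not from the paper): insider -> (x, y) position.
COORDS = {"A": (0, 0), "B": (8, 0), "C": (8, 6), "D": (16, 3), "E": (24, 3)}
RANGE_R = 10.0  # equal transmission range 'r' assumed for every insider

def neighbor_graph(coords, r):
    """Two insiders are neighbors iff their distance is <= r (the paper's rule)."""
    adj = {n: set() for n in coords}
    for u, v in combinations(coords, 2):
        (x1, y1), (x2, y2) = coords[u], coords[v]
        if math.hypot(x1 - x2, y1 - y2) <= r:
            adj[u].add(v)   # radio links are symmetric, so each endpoint is a
            adj[v].add(u)   # predecessor of the other in the data-flow sense
    return adj

def dominators(adj, start):
    """Maximal solution of Section 4's data-flow equations by fixpoint iteration."""
    nodes = set(adj)
    dom = {n: set(nodes) for n in nodes}   # every node starts as a candidate dominator
    dom[start] = {start}                   # the start node dominates only itself
    changed = True
    while changed:                         # repeat until no Dom(n) changes
        changed = False
        for n in sorted(nodes - {start}):
            preds = adj[n]
            if preds:
                new = {n} | set.intersection(*(dom[p] for p in preds))
            else:
                new = {n}                  # isolated node: nothing else dominates it
            if new != dom[n]:
                dom[n] = new
                changed = True
    return dom

def active_insiders(dom):
    """Nodes that dominate some other node: every route from the start node to
    that node passes through them, so placing the IDS there covers it."""
    return {d for n, ds in dom.items() for d in ds if d != n}

if __name__ == "__main__":
    adj = neighbor_graph(COORDS, RANGE_R)
    dom = dominators(adj, "A")
    for n in sorted(dom):
        print(n, sorted(dom[n]))
    print("active insiders:", sorted(active_insiders(dom)))
```

In the constructed topology, D is the only link to E, so every route from A to E passes through D and the dominator sets single out A and D as the monitoring positions.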
compare the performance of GODOM-STAIDS using DSR and using AODV. Simulation results are shown below.

The simulated parameters are:
• Selecting active nodes
• No. of packets sent
• Malicious packets detected
• Packet delivery ratio without malicious packets

Simulation Environment: In the simulation study, first 25 nodes were considered. Then the two protocols were considered by executing each. The TCL file was executed first to find how many nodes were selected as active nodes from the respective nodes, and at the end the NAM (Network Animator) file is opened to view the network movements. The nodes were then increased up to 100 and the performance was calculated using a 'C' file. The 'Trace.c' file is used to extract from the trace file the packets sent, active nodes, malicious packet detections, and packet delivery ratio. The nodes were divided into Static (without mobility) and Dynamic (with mobility), and their performance was calculated using the respective algorithms.

5.1 Scenario Metrics

Scenario metrics define the environment in which the ad hoc network functions. These metrics do not contribute to the performance evaluation of the network, but it is critical to consider them to ensure comparable results for use in any performance evaluation or comparison.

[Figure 2: GODOM: Nodes vs packet sent. x-axis: Number of nodes (25, 50, 75, 100); y-axis: packets sent (0 to 7000); series: AODV, DSR]

5.2.4 Malicious packet detection by DSR (static vs dynamic nodes): The DSR protocol detects a greater number of malicious packets in static nodes, and the detection ratio shows a sequential increase as the number of nodes is increased, but in the case of dynamic nodes it shows only random increases in the detection ratio. Fig. 3 gives the malicious packet detection ratios.

5.2.5 Malicious packet detection by AODV (static vs dynamic nodes): The AODV protocol detects a greater number of malicious packets in static nodes, and the detection ratio shows a sequential increase as the number of nodes is increased, but dynamic nodes show only random increases in the detection ratio. Fig. 4 gives the malicious packet detection ratios.

5.2.6 Malicious packet detection by AODV and DSR in dynamic nodes: The DSR protocol detects a greater number of malicious packets than AODV in dynamic nodes. When the number of nodes is increased, the detection rate is also increased in the proposed algorithm and protocol, but in the
existing system, when the number of nodes is increased, the detection rate shows only a slight increase. Fig. 5 gives the malicious packet detection ratios.

[Fig 3: DSR: Nodes vs malicious packets detected, static (DSR-S) vs dynamic (DSR-D). x-axis: Number of nodes (25, 50, 75, 100); y-axis: malicious packets detected (0 to 600)]

[Figure (caption not recovered): Malicious Packets Detected. x-axis: Number of nodes (50, 75, 100); y-axis: Number of Packets (0 to 700); series: AODV, DSR]

[Figure 6: DSR vs AODV: Nodes vs Selecting active nodes. x-axis: No. of nodes (25, 50, 75, 100); y-axis: Selecting Active Nodes (0 to 70)]

5.2.8 Packet delivery ratio by AODV and DSR in dynamic nodes: The delivery ratio of the DSR and AODV protocols in dynamic nodes shows that the DSR protocol performs better than AODV. Fig. 7 gives the delivery ratio comparisons.

[Figure 7: DSR vs AODV: Nodes vs delivery ratio (dynamic nodes). x-axis: Number of nodes (25, 50, 75, 100); y-axis: Packet Delivery Ratio; series: AODV, DSR]

5.2.9 Packet delivery ratio by DSR (static vs Dynamic