JOURNAL OF COMPUTING, VOLUME 4, ISSUE 2, FEBRUARY 2012, ISSN 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.

ORG

61

A Neural Network Scheme for Anomaly Based Intrusion Detection System in Mobile Ad hoc Networks
Sam Jabbehdari, Samira Hosseini Talari, and Nasser Modiri
AbstractIn mobile ad hoc networks (MANET), wireless nodes can freely and dynamically self-organize into temporary ad-hoc network topologies with no need to pre-existing fixed infrastructure. As mobile ad hoc networks have far more vulnerabilities than the traditional wired networks, security is much more difficult to maintain in the MANET. Malicious nodes and attackers can abuse the vulnerabilities to conduct a lot of passive and active attacks in different layers of the network. In preventive security mechanisms, the conventional approaches such as secure routing, authentication and encryption are used to provide first line of defense but they can no longer protect the network from evolving threats. Therefore, intrusion detection and protection systems (IPS) appear as a second line of defense to safeguard the MANET from threats. In this paper, we propose an anomaly based intrusion detection system (IDS) using a neural network scheme to reach near zero false positive and false negative ratios. To that end, we simulated a mobile ad hoc network and implemented the anomaly based IDS to detect one of the most damaging attacks, the DoS attack over MANET. By analyzing intrusion detection results, we reached the zero false detection ratios and high detection rate. Index Terms Attack, Intrusion Detection System, MANET, Neural Network, Security

1 INTRODUCTION

mobile ad hoc network is a transient network formed dynamically by a collection of arbitrarily located wireless mobile nodes without the use of existing network infrastructure, or centralized administration. In a MANET, the mobile devices must cooperatively provide the functionality usually provided by the network infrastructure e.g., routers, switches, and servers. Routes between the nodes in an ad hoc network may include multiple hops, and hence it is appropriate to call such networks as multi-hop wireless ad hoc networks. MANETs have primarily been used for tactical network related applications to improve battlefield communications/ survivability. The introduction of new wireless technologies greatly facilitates the deployment of ad hoc technology outside of the military domain, and new ad hoc networking applications appeared mainly in specialized fields such as emergency services, disaster recovery, home networking, search and rescue operations, commercial and educational applications and sensor networks [1]. The MANET is particularly vulnerable due to its fundamental characteristics [2]. Before proposing any security solution that can help secure the mobile ad hoc network, it is necessary to find out how we can judge if a MANET is secure or not. Actually what should be covered in the security criteria for the mobile ad hoc network when we want to inspect the security state of the MANET. These evaluation criteria are availability, integration, confidentiality, authenticity, non repudiation, authorization and anonymity [3]. An intrusion is defined as any set of actions that

attempt to compromise the previously mentioned criteria. No matter how many intrusion prevention measures are inserted into a network, there are always some weak links that one could exploit to break in, so the intrusion detection system (IDS) presents a second wall of defense [4]. Therefore upon appearing any intrusions or attacks in the network, intrusion detection and protection systems (IPS) can identify them and implement countermeasures to protect the network or reduce the intrusion damages. The rest of the paper is organized as follows. In Section 2, the security vulnerabilities of MANET and some of well known attacks against it are named and explained. Then some of the approaches of intrusion detection and protection systems in MANET are summarized in section 3. In section 4, we propose our scheme for implementing anomaly based IDS using neural network. Finally in section 5, we describe the mobile ad hoc network simulation, conducting the attack and running the IDS and also evaluation results are mentioned. We then conclude the paper in section 6.

2 SECURITY VULNERABILITIES AND ATTACKS IN MANET

Because mobile ad hoc networks have far more vulnerabilities than the traditional wired networks, security is much more difficult to maintain in the MANET than in the wired network. The various vulnerabilities that exist in these ad hoc networks include lack of secure boundaries, threats from compromised nodes inside the network, lack of centralized management facility, restricted power supply and scalability [3]. The security attacks in MANET can be roughly classified into two major categories, namely passive attacks and active attacks as described below [5]. A passive attack does not disrupt the normal operation of the network, instead the attacker snoops the data exchanged in

Sam Jabbehdari is with the Department of Computer Engineering, North Tehran Branch, Islamic Azad University, Tehran, Iran Samira Hosseini Talari is with the Department of Computer Engineering, North Tehran Branch, Islamic Azad University, Tehran, Iran Nasser Modiri is with the Department of Computer Engineering, North Tehran Branch, Islamic Azad University, Tehran, Iran

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 2, FEBRUARY 2012, ISSN 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

62

the network without altering it. Here the requirement of confidentiality gets violated. One of the solutions to the problem is to use powerful encryption mechanisms to encrypt the data being transmitted. Some instances of these attacks are eavesdropping attack and traffic analysis and monitoring attack. An active attack attempts to alter or destroy the data being exchanged in the network and disrupt the normal functioning of the network. Active attacks, whether carried out by an external advisory or an internal compromised node involves actions such as impersonation, modification, fabrication and replication. These attacks can happen in different network layers. Some of active attacks in network layer including but not limited to: Wormhole attack [6]: An attacker records packets in one location in the network and tunnels them to another location. Routing can be disrupted when routing control messages are tunneled. This tunnel between two colluding attackers is referred as a wormhole. When a wormhole attack is used against an on-demand routing protocol such as DSR or AODV [7], the attack could prevent the discovery of any routes other than through the wormhole. Blackhole attack [8]: An attacker may create a routing blackhole by removing nodes in a route request and injecting false route replies to the route requests it receives, advertising itself as having the shortest path to a destination and then drops all packets targeted to that destination. Routing attacks [5]: There are several types of attacks mounted on the routing protocol which are aimed at disrupting the operation of the network. Some attacks on the routing protocol include routing table overflow, routing table poisoning, packet replication and route cache poisoning. Resource consumption attack [5]: This is also known as the sleep deprivation attack. An attacker or a compromised node can attempt to consume battery life by requesting excessive route discovery, or by forwarding unnecessary packets to the victim node. Blackmail [9]: This attack is relevant against routing protocols that use mechanisms for the identification of malicious nodes and propagate messages that try to blacklist the offender. An attacker may fabricate such reporting messages and try to isolate legitimate nodes from the network. Selfish behavior [10]: Two kinds of behaviors are defined as selfish. First, an intermediate node may behave selfishly to save its own battery power by silently ignoring the sources route requests. Second, a more malicious node may participate in the route request, but later may silently drop all the data packets coming to it. Denial of service attack (DoS) [5] is another type of attack happening in different network layers, where the attacker injects a large amount of junk packets into the network. These packets overspend a significant portion of network resources, and introduce wireless channel contention and network contention in the MANET. The routing table overflow and sleep deprivation attacks are two other types of the DoS attack.

3 RELATED WORK
There are three main components for an IDS: data collection, detection, and response. The data collection component is re-

sponsible for the collection and pre-processing data tasks including transferring data to a common format, data storage and sending data to the detection module. IDS can use different data sources as inputs to the system such as system logs, network packets, etc. In the detection component, data is analyzed to detect intrusion attempts and then indications of detected intrusions are sent to the response component for acting upon the alarms [11]. An intrusion detection system (IDS) can be classified into 3 categories according to the detection technique that is used [12]: Signature or Misuse based: Misuse detection uses a priori knowledge on intrusions and tries to detect attacks based on specific patterns or signatures of known attacks. Although misuse detection systems are very accurate in revealing known attacks, their basic disadvantage is that attacking mechanisms are under a continuous evolution, which leads to the need for an up-to-date knowledge base. Anomaly based: Anomaly detection has the advantage of being able to discover unknown attacks while it adopts the approach of knowing what is normal. As a result, it attempts to track deviations from the normal behaviors that are considered to be anomalies or possible intrusion. Specification based: The system defines a set of constraints that describe the correct operation of a program or protocol. Then, it monitors the execution of the program with respect to the defined constraints. Many techniques have been applied to protect the MANET from intrusions which some of them are discussed as follows. Huang and Lee [13], developed their prior work on anomaly detection to provide more details on attack types and sources in MANETs. They addressed the run-time resource constraint problem using a cluster-based detection scheme where periodically a node, the clusterhead, is elected as the ID agent to perform IDS functions for all nodes within a cluster. Compared with the scheme where each node is its own ID agent, this scheme is much more efficient while maintaining the same level of effectiveness. For several well-known attacks, they applied simple rules to identify the attack type and the attackers. Nakkeeran et al [14], incorporated agents and data mining techniques to prevent anomaly intrusion in mobile ad hoc networks. Home agents in their solution present in each system collect the data from its own system and use classifier construction to find out the local anomaly through the Naive Bayesian classification algorithm. The mobile agents monitor the neighboring nodes and collect the information from neighboring home agents to determine the correlation among the observed anomalous patterns before the nodes will send the data to the other nodes. This system is cooperative and distributed and is able to detect anomalies in each layer in an ad hoc network and reduce the false positive rate. In [15] the authors proposed a solution to elect a leader node to handle the intrusion detection service on behalf of the whole cluster with the aim of reducing the performance overhead of the IDS. Their proposed framework is able to balance the resource consumption among all the nodes and thus increase the overall lifetime of a cluster by electing truthfully and efficiently the most cost-efficient node known as the leaderIDS. A mechanism was designed using Vickrey, Clarke, and

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 2, FEBRUARY 2012, ISSN 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

63

Groves (VCG) to give incentives to nodes in the form of reputations for motivating them in revealing truthfully their costs of analysis. Also a cooperative decision game theoretical model was proposed to efficiently catch the misbehaving leader-IDS. In [16] the authors developed an intrusion detection system that uses learning vector quantization neural networks to identify patterns of network attacks in a distributed manner. In the approach used in their research, the Learning Vector Quantization (LVQ) algorithm is utilized to identify instances of MANET attacks in a distributed manner. The LVQ is a combination of a self-organizing map (SOM) for classification and a competitive multilayer neural network which uses the output of the SOM as input for pattern recognition. This system is capable of detecting attacks against the routing protocols in MANETs.

4 ANOMALY BASED INTRUSION DETECTION SYSTEM USING NEURAL NETWORK

If an intrusion detection system can reduce false detection rates (false positive and false negative) [17], the true detection rate will increase and IDS can identify attacks against ad hoc network precisely and in real time. Therefore damages resulted from attacks are prevented and MANET security level will improve. Machine learning techniques are one of the methodologies used in anomaly based intrusion detection systems. These techniques are based on establishing an explicit or implicit model that enables the patterns analyzed to be categorized. Several machine learning-based schemes have been applied to anomaly based IDS. One of these schemes is neural networks that have been adopted in the field of anomaly intrusion detection, mainly because of their flexibility and adaptability to environmental changes [18]. The anomaly based intrusion detection system proposed in this paper is implemented by using neural networks to reach false detection rates of near zero. Neural networks are composed of simple elements called neurons operating in parallel that can be configured in layers with different numbers and sizes. A neural network is trained to perform a particular function by adjusting the values of the connections (weights) between elements. The weights determine the effect of inputs on the generated output. Typically, neural networks are adjusted, or trained, so that a particular input leads to a specific target output. The network is adjusted, based on a comparison of the output and the target, until the network output matches the target. Actually, many such input/target pairs are needed to train a network. In our proposed anomaly based IDS, three main features are calculated from the trace output of simulated MANET. These features that are given to the neural network as input/target pairs include: The number of packets sent to each node (NSP): This feature is equal to the number of packets sent by all the network nodes to each node at every second. This parameter will change during attack execution and has a large value in case

of victim nodes. The number of packets received by each node (NRP): This feature is equal to the number of packets received by each node from all the network nodes at every second. This parameter is directly affected when the MANET is under DoS attack because if a large amount of traffic packets are sent to a victim node by some malicious nodes, the legitimate packets from other normal nodes in the network cannot be received by the victim. The number of packets dropped by each node (NDP): This feature is equal to the number of packets dropped by each node at every second. The DoS attack affects this parameter and causes it to increase noticeably. The neural network uses these 3 parameters and generates a value between 0 and 1 as the detection result of IDS. For implementing the proposed scheme, first a MANET is simulated and the DoS attack is generated over it. After that, we process the trace output of MANET simulation tool to extract the 3 mentioned features and give them as input/ target pairs to IDS. Then the false detection rates are calculated. The next section explains the simulation and IDS implementation in more detail.

5 SIMULATION AND IDS IMPLEMENTATION

In order to simulate the mobile ad hoc network, we used the Network Simulator (NS). The NS is one of the most well known simulation tools for simulating wired and wireless networks. In this paper we used the NS-2.34 version. Table 1 describes the parameters used for configuring the MANET in NS. TABLE 1 THE MANET SIMULATION PARAMETERS IN THE PROPOSED SCHEME

During the simulation, we generated the DoS attack in different traffic scenarios. Table 2 shows the MANET scenarios with different amount of attack and non attack traffic. Maximum number of connections between nodes for sending non attack traffic is set to 15.

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 2, FEBRUARY 2012, ISSN 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

64

TABLE 2 THE MANET SCENARIOS WITH DIFFERENT ATTACK AND NON ATTACK TRAFFIC

Figure 1 shows the whole number of dropped packets for different traffic scenarios mentioned in table 2.

recognition category. Table 3 shows the parameters for configuring the neural network. TABLE 3 THE NEURAL NETWORK PARAMETERS FOR IMPLEMENTING IDS

Fig. 1. The number of dropped packets for different traffic scenarios

After performing the simulation, the trace output file of NS has various parameters including time, source node number, destination node number, location of each node, source port, destination port, type of transmitted packet, packet size, etc. These parameters can be used as neural network inputs but using all of them is not efficient and useful in decision making and identifying the attacks. In fact after pre-processing of the raw data, they should be converted into more useful feature vectors that can be processed by machine learning algorithms so that the dimensionality of the feature vectors will decrease [19]. The IDS efficiency will decrease dramatically if these features are not extracted correctly, so in this paper we processed the trace files and extracted the 3 mentioned parameters (NSP, NRP and NDP) as inputs to IDS. The simulation time is 150 seconds so we have 15 data records in each second, totally 2265 data records (each record contains the 3 mentioned features). In this paper we used the neural network toolbox of MATLAB software to build the neural network and actually the anomaly based IDS. In the toolbox we selected the pattern

The minimum performance gradient is one of the effective parameters in increasing the true detection rate and decreasing false detection rates of neural network. Table 4 describes the neural network output parameters after setting different values for the minimum performance gradient from 1e-1 to 1e-7. The neural network for this table is trained with the MANET scenario with 3 attacks.

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 2, FEBRUARY 2012, ISSN 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

65

TABLE 4 THE NEURAL NETWORK OUTPUT PARAMETERS FOR DIFFERENT VALUES OF MINIMUM PERFORMANCE GRADIENT

According to the table 4, after setting the value of 1e-6 for minimum performance gradient, the detection rate of 100, the false detection rate of 0 and the regression (ratio of output to target) value of 1 are achieved and also the MSE (the difference between the output and target) value is smaller than the 5 previous states. Therefore in this paper the value of 1e-6 is configured for the minimum performance gradient. Table 5 explains the values of output parameters after performing the neural network for MANET scenario with 6 attacks, traffic level 3. TABLE 5 THE VALUES OF OUTPUT PARAMETERS AFTER PERFORMING NEURAL NETWORK

Fig. 2. Change of the MSE value according to the traffic level

The implemented IDS outputs imply that the existence/non existence of attack for all the nodes is identified correctly. Therefore false positive and false negative ratios by the proposed anomaly based IDS are gained equal to 0. In the proposed neural network, the MSE parameter will change according to the level of traffic and the number of attacks in the MANET, but the false detection rates in all the network scenarios are zero. Figure 2 shows that if we increase the traffic level, the MSE value will go up. The neural network for this table is trained with the MANET scenario with 3 attacks. Figure 3 compares the output values of neural network with their corresponding targets between time 100 to 150 that the DoS attack occurs in the MANET. After running MANET simulations and attack generation, by analyzing the results and the values of neural network output parameters we reached the false positive and false negative ratios equal to zero. This means that our proposed anomaly based IDS using neural network scheme can detect the DoS attack in different traffic and attack scenarios correctly so the detection rate is improved.
Fig. 3. Comparison between neural network output and target

JOURNAL OF COMPUTING, VOLUME 4, ISSUE 2, FEBRUARY 2012, ISSN 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG

66

6 CONCLUSION AND FUTURE WORK

In our work the MANETs as wireless networks with expanding applications are evaluated from security point of view and their characteristics are discussed. In order to study or propose the solutions for securing the MANET, we should first observe their vulnerabilities and then evaluate the desired security conditions of ad hoc networks. It is obvious that active and passive attacks are the usual threats from external or compromised nodes in the network. Despite the existence of threats from intrusions and malicious behaviors, using the intrusion detection systems as a second line of defense is unavoidable. By using IDSs in the MANET, the attacks and intrusions can be detected and then countermeasures can be done to protect the network. In this paper, an anomaly based intrusion detection system using neural network is proposed to detect intrusions in mobile ad hoc networks. The proposed IDS results and output parameters show that under different traffic and attack scenarios over the simulated MANET, all the DoS attacks are identified correctly and in real time. Also the false positive and false negative ratios are zero, therefore the IDS detection rate is improved. In the proposed IDS scheme we selected DoS attack as one of the most damaging ones in the network and generated it over MANET. Since anomaly based intrusion detection systems should detect all kinds of attacks including zero day attacks, as a future work it is suggested to generate other kinds of attacks and examine the abilities of the IDS for detecting them. Also in the case of having different kinds of attacks at the same time in the network, measuring the false detection rates is suggested.

[12] S. Menaria, S. Valiveti, and K. Kotecha, Comparative Study of Distributed Intrusion Detection in Ad-hoc Networks, International Journal of Computer Applications, vol. 8,pp. 11-16 2010. [13] Y. Huang and W. Lee, A Cooperative Intrusion Detection System for Ad Hoc Networks, Proc. ACM Workshop on Security in Ad Hoc and Sensor Networks (SASN'03), pp. 135-147, 2003. [14] R. Nakkeeran, T. A. Albert, and R. Ezumalai, Agent Based Efficient Anomaly Intrusion Detection System in Adhoc networks, IACSIT International Journal of Engineering and Technology, vol. 2, pp. 52-56, 2010. [15] H. Otrok , N. Mohammed, L. Wang, M. Debbabi, and P. Bhattacharya, A Game-Theoretic Intrusion Detection Model for Mobile Ad hoc Networks, Computer Communications Journal , vol. 31, pp. 708-721, 2008. [16] J. Cannady, Dynamic Neural Networks in the Detection of Distributed Attacks in Mobile Ad-Hoc Networks, International Journal of Network Security & Its Application (IJNSA), vol.2, pp. 1-7, 2010. [17] R. Hammersland, ROC in Assessing IDS Quality, Norwegian Information Security Lab, Gjvik University College, 2007. [18] P. G. Teodoro, J. D. Verdejo, G. M. Fernandez, and E. Vazaquez, Anomaly-based Network Intrusion Detection: Techniques, Systems and Challenges, Computers & Security journal, vol. 28, pp. 1828, 2009. [19] X. Xu, Adaptive Intrusion Detection Based on Machine Learning: Feature Extraction, Classifier Construction and Sequential Pattern Prediction, International Journal of Web Services Practices, vol.2, pp. 4958, 2006.

REFERENCES
I. Chlamtac, M. Conti, and J. Liu, Mobile Ad Hoc Networking: Imperatives and Challenges, Elsevier B.V. Ad Hoc Networks, vol. 1, pp. 13-64, 2003. [2] A. Joshi1, P. Srivastava, and P. Singh, Security Threats in Mobile Ad Hoc Network, S-JPSET, vol. 1, pp. 125-129, 2010. [3] W. Li and A. Joshi , Security Issues in Mobile Ad Hoc Networks- A Survey, Dept. of Computer Science and Electrical Engineering, University of Maryland, Baltimore, 2006. [4] Y. Zhang and W. Lee, Intrusion Detection in Wireless Ad-Hoc Networks, Proc. 2000 ACM MOBICOM Conf., pp. 275-283, 2000. [5] P. M. Jawandhiya, A Survey of Mobile Ad Hoc Network Attacks, International Journal of Engineering Science and Technology, vol. 2, pp. 4063-4071, 2010. [6] Y.C. Hu, A. Perrig, and D.B. Johnson, Packet Leashes: A Defense against Wormhole Attacks in Wireless Ad Hoc Networks, Technical Report TR01-384, Department of Computer Science, Rice University, 2001. [7] G. Jayakumar and G. Gopinath, Ad Hoc Mobile Wireless Networks Routing Protocols A Review, Journal of Computer Science, vol. 3, pp. 574-582, 2007. [8] R. Perlman, Network Layer Protocols with Byzantine Robustness, PhD dissertation, Dept. of Electrical Engineering and computer science, MIT University, 1988. [9] E. E. Reber, R. L. Mitchell, and C. J. Carter, Secure Routing for Mobile Ad Hoc Networks, IEEE Communications Surveys & Tutorials, vol. 7, 2005. [10] M. Weeks and G. Altun, Efficient, Secure, Dynamic Source Routing for Ad-hoc Networks, Journal of Network and Systems Management, vol. 14, 2006. [11] S. Sen and J. A. Clark, Intrusion Detection in Mobile Ad Hoc Networks, Dept. of Computer Science, University of York, UK, 2004. [1]