
INTRUSION DETECTION SYSTEMS IN MOBILE AD-HOC NETWORKS


Presentation Transcript


  1. INTRUSION DETECTION SYSTEMS IN MOBILE AD-HOC NETWORKS Implementation and Performance Evaluation of Adaptive ACKnowledgment (AACK) Anas A. Al-Roubaiey

  2. CONTENTS Background Misbehaving Actions in MANET Literature Review Problem Statement Proposed IDS Performance Evaluation Conclusions and Future Work KFUPM: MS Defense

  3. BACKGROUND: Mobile Ad hoc NETwork • Definition • MANET is a collection of wireless mobile nodes which may form a temporary network, without the use of any fixed infrastructure or centralized administration • Characteristics • Multi-hop communication • Dynamic topology • Constrained resources • Nodes work as routers (figure: source S reaching destination D through forwarders F1, F2, F3)

  4. BACKGROUND: MANET Applications • Applications • Military and Rescue operations • Extend BS range

  5. BACKGROUND: Routing in MANET • MANET Routing Protocols • DSR basic functions • Route discovery • Route maintenance

  6. BACKGROUND: Route discovery in DSR • Route Request (RREQ) Broadcasting (figure: RREQ flooded from S = node 1 towards D = node 8; each copy carries the accumulated route record, e.g. 1-2, 1-2-5, 1-3, 1-3-4, 1-3-4-6, 1-3-4-7)

  7. BACKGROUND: Route discovery in DSR • Route Reply (RREP) Unicasting (figure: RREP carrying the route 1-2-5-8 unicast from D = node 8 back to S = node 1)

  8. BACKGROUND: Route Maintenance in DSR • Mobility of a node can break routes passing through it (figure: link 5-8 breaks and RERR(5,8) is propagated back towards S = node 1)

  9. CONTENTS Background Misbehaving Actions in MANET Literature Review Problem Statement Proposed IDS Performance Evaluation Conclusions and Future Work

  10. Misbehaving Actions in MANET: Securing DSR • DSR vulnerable to attacks • Passive (eavesdropping) • Active (dropping packets) • Proposed solutions • Prevention techniques (Cryptography) • Detection techniques (Watchdog) • Detection Techniques • Second wall of defense • Detect and banish the misbehaving nodes Problem: • In a malicious environment, misbehaving nodes may not cooperate. • How can they misbehave? • What is their effect on network performance?

  11. Misbehaving Actions in MANET: Node misbehaviour • Cooperative node: • Cooperates in both route discovery and packet forwarding functions • Selfish node: • Prevents data packet forwarding • Tries to save its own resources (energy and bandwidth) • Malicious node: • Prevents data packet forwarding • Tries to disrupt the network (figure: node labels C, S and M for the three node types)

  12. Misbehaving Actions in MANET: Node misbehaviour (slide table not recovered)

  13. Misbehaving Actions in MANET: Misbehaving model (figure: route from S to D through an intermediate node; legend: RREQ packets from S to D, RREP packets from D to S, CBR packets from S to D) • What is the effect on the network performance as we increase the % of misbehaving nodes?

  14. CONTENTS Background Misbehaving Actions in MANET Literature Review Problem Statement Proposed IDS Performance Evaluation Conclusions and Future Work

  15. LITERATURE REVIEW: Watchdog IDS • How it works • When a node forwards a packet, the node’s watchdog verifies that the next node in the path also forwards the packet • Watchdog does this by listening promiscuously to the next node’s transmissions • Problems • Ambiguous collisions, False misbehavior, Partial dropping, Collusion • Receiver collisions, Limited transmission power (figure: path S – A – B – C – D) Hint: Promiscuous mode means a node accepts packets regardless of their destination

  16. LITERATURE REVIEW: Previous IDS (slide table not recovered)

  17. CONTENTS Background Misbehaving Actions in MANET Literature Review Problem Statement Proposed IDS Performance Evaluation Conclusions and Future Work

  18. PROBLEM STATEMENT: Receiver Collision • Node A believes that B has forwarded packet 1 on to C • However, C never received the packet due to a collision with packet 2 being sent from D

  19. PROBLEM STATEMENT: Limited Power Transmission • A node could limit its transmission power such that the signal is strong enough to be overheard by the previous node but too weak to be received by the true recipient. (figure: nodes A – B – C)

  20. CONTENTS Background Misbehaving Actions in MANET Literature Review Problem Statement Proposed IDS Performance Evaluation Conclusions and Future Work

  21. PROPOSED IDS: Research Objectives • Study the impact of misbehaving nodes on network performance • Propose a solution for the two problems, RC and LPT • Enhance TWOACK • Reduce routing overhead • Minimize acknowledgment transmissions per data packet • Increase detection efficiency • Node detection instead of link detection

  22. PROPOSED IDS: AACK Mechanism • Definition • AACK stands for Adaptive ACKnowledgment • Adapts the number of acknowledgments based on network state • Components • End to end acknowledgment • E-TWOACK • Switching system • Response system • Node types: • Source, Destination, Forwarder (figure: S – F1 – F2 – D, i.e. source, forwarders, destination)

  23. PROPOSED IDS: End to end Acknowledgment (slide figure not recovered)

  24. PROPOSED IDS: TWOACK – How it works (slide figure not recovered)

  25. PROPOSED IDS: TWOACK – Link Detection • Disadvantage • Detects the misbehaving link (ML) instead of the misbehaving node (MN) • Misbehaving node still active in other links • Especially in high mobility scenarios where links are changing rapidly (figure: link F2-F3 is flagged as ML while the misbehaving node M keeps appearing on other links)

  26. PROPOSED IDS: E-TWOACK – Node Detection • The order of three consecutive nodes has 4 possibilities: • S – F – D • F – F – D • F is the misbehaving node because, by the nature of packet dropping attacks, the attackers only exist on the intermediate nodes • S – F1 – F2 • If S receives an alarm then F2 is the MN • If S does not receive an alarm then F1 is the MN • F1 – F2 – F3 • F3 is the MN because F2 is reported by S and F1 as a well-behaved node.

  27. PROPOSED IDS: E-TWOACK – Detection Procedure (slide figure not recovered)

  28. PROPOSED IDS: Switching Scheme • AACK modes • End to end acknowledgment (Aack mode) • E-TWOACK (Tack mode) • Data packets • AA packets (Aack mode) • TA packets (Tack mode) • One bit from the DSR header is used

  29. PROPOSED IDS: Switching Scheme (figure: state diagram switching between Tack and Aack modes)
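The switching scheme of slides 28-29 and the four E-TWOACK triplet rules of slide 26, as an added toy model; this is not the thesis' NS-2 implementation. The assumptions it makes beyond the slides are that a misbehaving node (MN) drops every data packet handed to it, so it never forwards, never returns a two-hop acknowledgment and never raises an alarm; that alarms raised by honest forwarders always reach the source; and that the source resolves the earliest triplet on the path whose acknowledgment went missing. The route and node names are constructed.

```python
"""Toy model of the AACK switching scheme and E-TWOACK node detection.

Added example, not the thesis' code.  Assumed (not stated on the slides):
a misbehaving node drops every data packet it is handed, never acks and never
alarms; forwarder alarms always reach the source; the source resolves the
earliest unacknowledged triplet.
"""

AACK = "Aack"  # end-to-end acknowledgment mode (AA packets)
TACK = "Tack"  # E-TWOACK mode (TA packets)


def data_reaches(route, misbehaving):
    """Index of the last node the data packet reaches: the first MN on the
    path receives the packet and drops it, so nothing downstream sees it."""
    for i, node in enumerate(route):
        if node in misbehaving:
            return i
    return len(route) - 1


def end_to_end_ack(route, misbehaving):
    """Aack mode: the destination acknowledges only if the packet arrived."""
    return data_reaches(route, misbehaving) == len(route) - 1


def two_hop_acks(route, misbehaving):
    """Tack mode: for every triplet (route[i], route[i+1], route[i+2]) say
    whether the head route[i] gets the two-hop ack sent back by route[i+2]."""
    last = data_reaches(route, misbehaving)
    return {i: (i + 2 <= last and route[i + 2] not in misbehaving)
            for i in range(len(route) - 2)}


def alarms_received(route, misbehaving, acks):
    """Triplet indices whose head is an honest forwarder that sent the packet
    on and saw no ack; each such head raises an alarm towards the source."""
    last = data_reaches(route, misbehaving)
    return {i for i, ok in acks.items()
            if not ok and 1 <= i <= last and route[i] not in misbehaving}


def e_twoack_locate(route, missing, alarms):
    """Apply the four triplet cases from the E-TWOACK slide."""
    i = min(missing)                      # earliest unacknowledged triplet
    head, mid, tail = route[i], route[i + 1], route[i + 2]
    if tail == route[-1]:                 # S-F-D or F-F-D: the forwarder dropped it
        return mid
    if head == route[0]:                  # S-F1-F2: did F1 raise an alarm?
        return tail if 1 in alarms else mid
    return tail                           # F1-F2-F3: F2 vouched for by triplet i-1


def run_aack(route, misbehaving=()):
    """Start in Aack mode; switch to Tack mode only when the end-to-end ack is
    lost, then report the misbehaving links (TWOACK view) and the single
    misbehaving node (E-TWOACK view)."""
    if len(route) < 3:
        raise ValueError("need source, at least one forwarder and destination")
    misbehaving = set(misbehaving)
    if end_to_end_ack(route, misbehaving):
        return {"mode": AACK, "misbehaving_links": [], "misbehaving_node": None}
    acks = two_hop_acks(route, misbehaving)
    alarms = alarms_received(route, misbehaving, acks)
    missing = alarms | ({0} if not acks[0] else set())  # source watches triplet 0 itself
    links = [(route[i + 1], route[i + 2]) for i in sorted(missing)]
    return {"mode": TACK, "misbehaving_links": links,
            "misbehaving_node": e_twoack_locate(route, missing, alarms)}


if __name__ == "__main__":
    # constructed path: source, three forwarders, destination
    path = ["S", "F1", "F2", "F3", "D"]
    for mn in (None, "F1", "F2", "F3"):
        print(mn, run_aack(path, [mn] if mn else []))
```

The link list shows the TWOACK weakness from slide 25: with F2 misbehaving, both F1-F2 and F2-F3 are reported as misbehaving links, while the triplet rules narrow it to the single node F2.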

  30. PROPOSED IDS: Response System (slide figure not recovered)

  31. CONTENTS Background Misbehaving Actions in MANET Literature Review Problem Statement Proposed IDS Performance Evaluation Conclusions and Future Work

  32. Performance Evaluation: Why NS-2? • Suitable for researchers • Free and open source simulator • Simulator usage survey of simulation-based papers in MANET, 2005.

  33. Performance Evaluation: Performance metrics • Packet Delivery Ratio • Routing Overhead • Average end to end Delay
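The three metrics above computed from a packet trace, as an added example that is not the thesis' evaluation scripts. The trace is constructed in the shape of the old NS-2 wireless trace format (event, time, _node_, layer, flags, packet id, type, size, ...); the routing-overhead definition used here (routing packets sent or forwarded per delivered data packet) is an assumption, since the slides do not define it.

```python
"""PDR, routing overhead and average end-to-end delay from an NS-2 style trace.

Added example, not the thesis' scripts.  The trace below is constructed; the
routing-overhead definition is an assumption.
"""

# Constructed sample in the shape of the old NS-2 wireless trace format.
# Node 0 sends cbr packets to node 3; packet 4 is dropped at node 2.
SAMPLE_TRACE = """\
s 1.000000000 _0_ RTR  --- 0 DSR 32 [0 ffffffff 0 800] ------- [0:255 -1:255 32 0]
f 1.002000000 _1_ RTR  --- 0 DSR 32 [0 ffffffff 1 800] ------- [0:255 -1:255 31 0]
s 1.010000000 _3_ RTR  --- 1 DSR 44 [0 1 3 800] ------- [3:255 0:255 32 1]
s 1.100000000 _0_ AGT  --- 2 cbr 512 [0 0 0 0] ------- [0:0 3:0 32 0]
r 1.140000000 _3_ AGT  --- 2 cbr 532 [13a 3 2 800] ------- [0:0 3:0 30 3]
s 1.200000000 _0_ AGT  --- 3 cbr 512 [0 0 0 0] ------- [0:0 3:0 32 0]
r 1.260000000 _3_ AGT  --- 3 cbr 532 [13a 3 2 800] ------- [0:0 3:0 30 3]
s 1.300000000 _0_ AGT  --- 4 cbr 512 [0 0 0 0] ------- [0:0 3:0 32 0]
D 1.310000000 _2_ RTR  NRTE 4 cbr 532 [0 0 0 0] ------- [0:0 3:0 31 2]
s 1.400000000 _0_ AGT  --- 5 cbr 512 [0 0 0 0] ------- [0:0 3:0 32 0]
r 1.500000000 _3_ AGT  --- 5 cbr 532 [13a 3 2 800] ------- [0:0 3:0 30 3]
"""


def parse(trace):
    """Yield (event, time, node, layer, uid, ptype) per trace line; the
    remaining fields (MAC and IP headers) are not needed for these metrics."""
    for line in trace.splitlines():
        f = line.split()
        if len(f) < 7:
            continue  # blank or truncated line
        yield f[0], float(f[1]), f[2].strip("_"), f[3], int(f[5]), f[6]


def metrics(trace, data_type="cbr", routing_type="DSR"):
    """Return PDR, routing overhead and average end-to-end delay.

    Delivery is judged at the agent (AGT) layer so that per-hop forwards are
    not mistaken for deliveries; a packet id counts once even if the trace
    contains retransmissions.
    """
    sent, recv = {}, {}
    routing = 0
    for event, t, _node, layer, uid, ptype in parse(trace):
        if layer == "AGT" and ptype == data_type:
            if event == "s":
                sent.setdefault(uid, t)     # first time the source handed it down
            elif event == "r":
                recv.setdefault(uid, t)     # first time the destination got it
        elif layer == "RTR" and ptype == routing_type and event in ("s", "f"):
            routing += 1                    # every routing transmission costs airtime
    delivered = [uid for uid in recv if uid in sent]
    delays = [recv[uid] - sent[uid] for uid in delivered]
    return {
        "sent": len(sent),
        "delivered": len(delivered),
        "routing_packets": routing,
        "pdr": len(delivered) / len(sent) if sent else 0.0,
        # assumption: routing packets per delivered data packet
        "routing_overhead": routing / len(delivered) if delivered else float("inf"),
        "avg_end_to_end_delay": sum(delays) / len(delays) if delays else 0.0,
    }


if __name__ == "__main__":
    for name, value in metrics(SAMPLE_TRACE).items():
        print(f"{name}: {value}")
```

Counting only AGT-layer events for data packets is what keeps the delay honest: a packet that is forwarded several times and finally dropped (id 4 above) contributes to the sent count but never to delivery or delay.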

  34. Performance Evaluation: Simulation parameters (slide table not recovered)

  35. Performance Evaluation: Simulation parameters (slide table not recovered)

  36. Performance Evaluation: CBR, Low speed • DSR has the lowest PDR • No detection mechanism used • WD has better PDR than DSR • Partial detection of MN • AA outperforms TA especially at 30 and 40% of misbehaving nodes • The performance of all schemes decreases as MN increases

  37. Performance Evaluation: CBR, Low speed • AA has lower overhead than TA • Reduction of TA Ack packets • WD has almost the same overhead as DSR • No packets are used for detection • Only alarm packets are used

  38. Performance Evaluation: CBR, Low speed • TA has the highest delay • More computation • More acknowledgment packets • AA has a lower value than TA • The intermediate nodes do not perform the detection function all the time

  39. Performance Evaluation: CBR, High speed • DSR and WD PDR decrease much more than at low speed, 50% with 40% of MN • High rate of broken links • With no MN, AA and TA performance is lower than DSR and WD • Their overhead packets are due to the detection function • TA outperforms AA in the case of 40% MN • Switching overhead

  40. Performance Evaluation: CBR, High speed • RoH of TA increased from 16% in LS to 40% in HS • AA and TA have larger overhead than WD and DSR • Due to Ack packets and Alarms

  41. Performance Evaluation: CBR, High speed • On average AA and TA have the same AED • AED is higher than in LS • Salvaged packets increase with HS

  42. Performance Evaluation: Video traffic • To the best of our knowledge, this is the first attempt to evaluate IDSs in MANETs using video traffic • Not supported by NS-2 • We use contributions of NS-2 users, which have been used in publications • A small experiment is conducted to choose the best video traffic type (MPEG-4 or H.264) over DSR • 5 stationary nodes, 670 x 670 flat space • 30 frames / second

  43. Performance Evaluation: Video traffic • At sender: Raw Video → encoder → converter → Input Trace file → NS-2 • At receiver: NS-2 → output Trace file → converter → decoder → Raw Video

  44. Performance Evaluation: Video traffic (slide figure not recovered)

  45. Performance Evaluation: Video traffic • Peak Signal to Noise Ratio • PSNR measures the error between a reconstructed image and the original one
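PSNR as it would be computed over the decoded frames at the receiver of slide 43, as an added example that is not the thesis' tooling. Frames are 8-bit grayscale pixel lists (constructed); a frame lost in transit is represented by None and, as an assumption about the decoder, the last correctly received frame is frozen in its place, which is what makes packet loss show up as a PSNR drop rather than a missing sample.

```python
"""Per-frame and average PSNR between original and received video frames.

Added example, not the thesis' evaluation tooling.  Frames are lists of
8-bit grayscale samples; a lost frame is None and is replaced by the last
good frame (assumed decoder behaviour).
"""
import math

MAX_PIXEL = 255  # 8-bit samples


def mse(original, received):
    """Mean squared error between two equally sized frames."""
    if len(original) != len(received):
        raise ValueError("frame size mismatch")
    return sum((a - b) ** 2 for a, b in zip(original, received)) / len(original)


def psnr(original, received):
    """PSNR in dB: 10 * log10(MAX^2 / MSE); identical frames give infinity."""
    err = mse(original, received)
    return math.inf if err == 0 else 10 * math.log10(MAX_PIXEL ** 2 / err)


def sequence_psnr(original_frames, received_frames):
    """Return (per-frame PSNR list, average over the finite values).

    Lost frames (None) are replaced by the last good frame before comparing,
    so a loss still counts against quality instead of being skipped.
    """
    if len(original_frames) != len(received_frames):
        raise ValueError("sequence length mismatch")
    values = []
    last_good = None
    for orig, recv in zip(original_frames, received_frames):
        if recv is None:
            if last_good is None:
                raise ValueError("first frame lost; nothing to freeze")
            recv = last_good
        else:
            last_good = recv
        values.append(psnr(orig, recv))
    finite = [v for v in values if math.isfinite(v)]
    return values, (sum(finite) / len(finite) if finite else math.inf)


if __name__ == "__main__":
    # constructed 2x2 frames: the second is lost, the third arrives damaged
    original = [[10, 10, 10, 10], [20, 20, 20, 20], [30, 30, 30, 30]]
    received = [[10, 10, 10, 10], None, [30, 30, 30, 34]]
    per_frame, average = sequence_psnr(original, received)
    for i, v in enumerate(per_frame):
        print(f"frame {i}: {v:.2f} dB")
    print(f"average: {average:.2f} dB")
```

Averaging only the finite values avoids an infinite mean whenever a single frame arrives bit-exact; implementations that clamp PSNR to a fixed ceiling instead should say so when results are compared.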

  46. Performance Evaluation: Video traffic, High Speed • Note the decrease of PDR to 34% • High data rate, up to 50 p/s • More collisions and congestion • AA outperforms TA and DSR in the presence of MN

  47. Performance Evaluation: Video traffic, High Speed • RoH here is much less than in the case of CBR • The data traffic rate is much higher than it was in CBR • TA also has a slightly higher RoH than AA

  48. Performance Evaluation: Video traffic, High Speed • As the number of hops increases, e-to-e delay increases • Also, TA has the highest e-to-e delay, as in the CBR results • With one hop all the schemes are almost the same • No misbehaving nodes • No acknowledgments

  49. CONTENTS Background Misbehaving Actions in MANET Literature Review Problem Statement Proposed IDS Performance Evaluation Conclusions and Future Work

  50. CONCLUSIONS AND FUTURE WORK: Conclusion • In this research we continue the improvement of the existing IDSs over MANETs • A new IDS is proposed and studied for addressing packet dropping misbehaviour by • Solving the RC and LPT problems of watchdog • Enhancing the TWOACK technique • Implementation of IDS over variable environments is a challenge • Timeout and threshold parameters should be dynamically adapted to the network speed and traffic rate
