10-08-2012, 02:50 PM
Detecting Critical Nodes for MANET Intrusion Detection Systems
Critical-Nodes-MANET.pdf (Size: 225.1 KB / Downloads: 50)
Abstract
Ad hoc routing protocols have been designed to efficiently reroute traffic when confronted with network congestion, faulty nodes, and dynamically changing topologies. The common design goal of reactive, proactive, and hybrid ad hoc routing protocols is to faithfully route packets from a source node to a destination node while maintaining a satisfactory level of service in a resource-constrained environment. Detecting malicious nodes in an open ad hoc network in which participating nodes have no previous security associations presents a number of challenges not faced by traditional wired networks. Traffic monitoring in wired networks is usually performed at switches, routers and gateways, but an ad hoc network does not have these types of network elements where the Intrusion Detection System (IDS) can collect and analyze audit data for the entire network. A number of neighbor-monitoring, trust-building, and cluster-based voting schemes have been proposed in the research to enable the detection and reporting of malicious activity in ad hoc networks. The resources consumed by ad hoc network member nodes to monitor, detect, report, and diagnose malicious activity, however, may be greater than simply rerouting packets through a different available path. This paper presents a method for determining conditions under which critical nodes should be monitored, describes the details of a critical node test implementation, presents experimental results, and offers a new approach for conserving the limited resources of an ad hoc network IDS.
1. Introduction
Mobile ad hoc networks (MANETs) present a number of unique problems for Intrusion Detection Systems (IDS). Network traffic can be monitored on a wired network segment, but ad hoc nodes can only monitor network traffic within their observable radio transmission range. A wired network under a single administrative domain allows for discovery, repair, response, and forensics of suspicious nodes. A MANET is most likely not under a single administrative domain, making it difficult to perform any kind of centralized management or control. In an ad hoc network, malicious nodes may enter and leave the immediate radio transmission range at random intervals, may collude with other malicious nodes to disrupt network activity and avoid detection, or behave maliciously only intermittently, further complicating their detection. A node that sends out false routing information could be a compromised node, or merely a node that has a temporarily stale routing table due to volatile physical conditions. Packets may be dropped due to network congestion or because a malicious node is not faithfully executing a routing algorithm [1].
Related Work
A number of IDS techniques have been proposed in the research literature. Moreover, a number of trust-building and cluster-based voting schemes have been proposed to enable the sharing and vetting of messages and data generated and gathered by IDS systems. Zhang and Lee describe a distributed and collaborative anomaly detection-based IDS for ad hoc networks [2, 3]. Tseng et al. describe an approach that involves the use of finite state machines for specifying correct AODV routing behavior and distributed network monitors for detecting run-time violation of the specifications [4]. Pirzada and McDonald present a method for building confidence measures of route trustworthiness without a central trust authority. The authors also present a concise summary of previous work in the area of establishing trust in ad hoc networks [5]. Theodorakopoulos and Baras present a method for establishing trust metrics and evaluating trust [6]. Michiardi and Molva assign a value to the “reputation” of a node and use this information to identify misbehaving nodes and cooperate only with nodes with trusted reputations [7]. Albers and Camp couple a trust-based mechanism with a mobile agent based intrusion detection system, but do not discuss the security implications or overhead needed to secure the network and individual nodes from the mobile agents themselves [8]. Sun, Wu and Pooch introduce a geographic zone-based intrusion detection framework that uses location-aware zone gateway nodes to collect and aggregate alerts from intrazone nodes. Gateway nodes in neighboring zones can then further collaborate to perform intrusion detection tasks in a wider area and to attempt to reduce false positive alarms [9].
Detecting Critical Nodes
The approach described in this paper is built around the notion of a critical node in an ad hoc network. Our definition of a critical node is a node whose failure or malicious behavior disconnects or significantly degrades the performance of the network. Once identified, a critical node can be the focus of more resource-intensive monitoring or other diagnostic measures. If a node is not considered critical, this metric can be used to help decide whether the application or the risk environment warrants the expenditure of the additional resources required to monitor, diagnose, and alert other nodes about the problem. In order to detect a critical node we look towards a graph-theoretic approach to detect a vertex-cut and an edge-cut.
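The single-vertex and single-edge cut detection the section points to can be illustrated with Tarjan's low-link depth-first search. The following is an added example, not code from the paper or its authors; the topology, node names and the rule that any articulation point or bridge endpoint is "critical" are constructed assumptions for illustration.

```python
# Added example (not from the paper): flag critical nodes of an ad hoc topology
# as articulation points (single-vertex cuts) and bridges (single-edge cuts),
# found with Tarjan's low-link DFS. Topology and node names are constructed.
from collections import defaultdict

def build_graph(links):
    """Undirected adjacency list; a link means two nodes are in radio range."""
    g = defaultdict(set)
    for u, v in links:
        g[u].add(v)
        g[v].add(u)
    return g

def critical_elements(g):
    """Return (cut_nodes, bridges): nodes / links whose loss disconnects g."""
    disc, low = {}, {}          # discovery time and low-link value per node
    cut_nodes, bridges = set(), set()
    clock = [0]

    def dfs(u, parent):
        disc[u] = low[u] = clock[0]
        clock[0] += 1
        children = 0
        for v in g[u]:
            if v == parent:
                continue
            if v in disc:                    # back edge to an ancestor
                low[u] = min(low[u], disc[v])
                continue
            children += 1
            dfs(v, u)
            low[u] = min(low[u], low[v])
            if low[v] > disc[u]:             # v's subtree cannot bypass (u, v)
                bridges.add(frozenset((u, v)))
            if parent is not None and low[v] >= disc[u]:
                cut_nodes.add(u)             # v's subtree cannot bypass u
        if parent is None and children > 1:
            cut_nodes.add(u)                 # DFS root with several subtrees
    for node in list(g):
        if node not in disc:
            dfs(node, None)
    return cut_nodes, bridges

# Constructed topology: two triangles joined only through relay node R.
SAMPLE_LINKS = [("A", "B"), ("B", "C"), ("C", "A"), ("C", "R"), ("R", "D"),
                ("D", "E"), ("E", "F"), ("F", "D")]

if __name__ == "__main__":
    cuts, bridges = critical_elements(build_graph(SAMPLE_LINKS))
    print("critical nodes:", sorted(cuts), "bridges:", [tuple(sorted(b)) for b in bridges])
```

On the sample topology, C, R and D are the nodes an IDS would prioritise for monitoring, since each alone separates the two clusters; A, B, E and F have redundant paths and can be left to the cheaper rerouting fallback the paper describes.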