26-04-2012, 11:46 AM
On the Effectiveness of Monitoring for Intrusion Detection in Mobile Ad Hoc Networks
Intrusion detection An Energy efficient approach.pdf (Size: 1.31 MB / Downloads: 35)
INTRODUCTION
A mobile ad hoc network (MANET) is a collection of
wireless devices moving in seemingly random directions
and communicating with one another without the aid
of an established infrastructure. To extend the reachability
of a node, the other nodes in the network act as routers.
Thus, the communication may be via multiple intermediate
nodes between source and destination. Since MANETs can
be set up easily and inexpensively, they have a wide range
of applications, especially in military operations and
emergency and disaster relief efforts [9]. However, MANETs
are more vulnerable to security attacks than conventional
wired and wireless networks due to the open wireless
medium used, dynamic topology, distributed and cooperative
sharing of channels and other resources, and power
and computation constraints [28].
TESTBED EVALUATION OF FALSE POSITIVES
In monitoring-based intrusion detection, each node monitors
the forwarding behavior of its neighboring nodes. In
most cases, a node only monitors its next hop in a route.
Consider a three-node segment of a route (with at least two
hops) being used to send data packets. If the three nodes are
denoted as node 1 (source or the node closer to source),
node 2, and node 3 (destination or the node closer to
destination), then node 2 is the next hop of node 1 and
node 3 is the next hop of node 2. When node 1 transmits a
data packet to node 2, it expects to hear node 2’s
transmission of this packet to node 3 within some specified
amount of time. If the fraction of packets not overheard by
node 1 exceeds a specified threshold, then node 1 concludes
that node 2 is dropping too many data packets and suspects
it to be a malicious node.
Testbed Experiments
To understand the extent of false positives in monitoring,
we used a wireless network testbed of three Linksys wrt54g
Wi-Fi routers [10]. The wrt54g routers have a built-in four-port
100 Mbps Ethernet switch, an 802.11g access point, two
standard omnidirectional antennas, a 200 MHz MIPS
processor, and 16 MB of RAM and 4 MB of flash memory,
which serves as the disk memory. We reprogrammed the
routers using OpenWrt Linux [22], [4]. This testbed was set
up as a linear chain in a long corridor in a building with
adjacent routers 20’ apart. All three routers use the same
ssid (which is different from the other Wi-Fi devices in the
building-wide 802.11b/g production network) so that they
can communicate among themselves only. To minimize the
interference, these three routers use a different (noninterfering)
channel from those used by other access points.
Additional Notes and Discussion Regarding the
Experiments
We have conducted a large number of experiments, though
the data and the graphs we present are based on
24 experiments. We varied transmission (Tx) power using
the wl program that came with the driver supplied by the
router manufacturer. We used three settings: 32, 64, and
128 mW. We also varied the distance between the routers
initially, but we chose the power setting of 32 mW and 20’
spacing between routers to ensure high packet delivery rate
(98 percent in our experiments). Our objective is to show
that, in a normal scenario with very few actual packet
losses, monitoring can be highly error prone.
GEV Noise Model
We used MATLAB to analyze and model the noise levels
captured in our measurements. MATLAB [26] has an
extensive library of distributions including Gaussian,
gamma, and lognormal. In such diverse fields as image
processing, architectural acoustics, and electronic music, it
is often assumed that noise conforms to Gaussian distribution.
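The following is an added example, not code from the paper and not the authors' testbed or MATLAB software. It puts the two pieces above together in a small simulation: a next-hop watchdog (node 1 counts how many of node 2's retransmissions it overhears and accuses node 2 when the missed fraction exceeds a threshold), driven by a noise floor sampled from a GEV distribution. Everything not in the text is an assumption made here: node 2's real drops are modelled as a Bernoulli event, node 1 overhears a forwarded packet only when its received power exceeds a per-packet GEV noise sample by a fixed SNR margin, and all the dBm, threshold and window values are illustrative. The same routine gives the false-positive rate (node 2 drops nothing) and the detection rate (node 2 drops a fraction of packets), so the two can be compared directly as the GEV shape parameter makes the noise tail heavier.

```python
"""Watchdog false positives under GEV noise (added example, not the paper's code)."""
import math
import random
from dataclasses import dataclass


def gev_quantile(u, mu, sigma, xi):
    """Inverse CDF of the generalized extreme value distribution.
    xi == 0 is the Gumbel limit; xi > 0 gives a heavy upper tail (noise bursts)."""
    if not 0.0 < u < 1.0:
        raise ValueError("u must lie strictly inside (0, 1)")
    if xi == 0.0:
        return mu - sigma * math.log(-math.log(u))
    return mu + sigma * ((-math.log(u)) ** (-xi) - 1.0) / xi


@dataclass
class Link:
    """Assumed parameters of the node 2 -> node 1 overhearing link (illustrative values)."""
    rx_dbm: float = -70.0      # power at which node 1 receives node 2's retransmission
    min_snr_db: float = 10.0   # SNR margin node 1 needs to decode the frame
    noise_mu: float = -90.0    # GEV location of the noise floor, dBm
    noise_sigma: float = 3.0   # GEV scale, dB
    noise_xi: float = 0.1      # GEV shape

    def overheard(self, rng):
        """One packet: draw a noise sample and test the SNR margin."""
        u = (rng.getrandbits(53) + 0.5) / 2.0 ** 53        # strictly inside (0, 1)
        noise_dbm = gev_quantile(u, self.noise_mu, self.noise_sigma, self.noise_xi)
        return self.rx_dbm - noise_dbm >= self.min_snr_db


@dataclass
class Watchdog:
    threshold: float   # fraction of packets not overheard that triggers suspicion
    window: int        # packets per decision window

    def suspects(self, overheard_flags):
        missed = overheard_flags.count(False) / len(overheard_flags)
        return missed > self.threshold


def run_window(rng, link, watchdog, p_drop):
    """One decision window. Returns (node 1 suspects node 2?, packets node 2 really dropped)."""
    flags, dropped = [], 0
    for _ in range(watchdog.window):
        if rng.random() < p_drop:            # node 2 drops the packet: nothing to overhear
            dropped += 1
            flags.append(False)
        else:                                # node 2 forwards; noise decides whether node 1 hears it
            flags.append(link.overheard(rng))
    return watchdog.suspects(flags), dropped


def suspicion_rate(p_drop, link, watchdog, trials=2000, seed=7):
    """Fraction of windows in which node 1 accuses node 2.
    With p_drop == 0 this is the false-positive rate; with p_drop > 0 the detection rate."""
    rng = random.Random(seed)
    hits = sum(run_window(rng, link, watchdog, p_drop)[0] for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    wd = Watchdog(threshold=0.1, window=50)
    for xi in (0.0, 0.1, 0.3):
        link = Link(noise_xi=xi)           # same location and scale, heavier tail as xi grows
        print(f"xi={xi:.1f}  false positives={suspicion_rate(0.0, link, wd):.3f}  "
              f"detections at p_drop=0.3={suspicion_rate(0.3, link, wd):.3f}")
```

Running the block shows the effect the paper is after: with no real drops at all, a heavier noise tail (larger xi) alone pushes the accusation rate up, because node 1 attributes its own failed overhearing to node 2. Lowering the threshold or shortening the window makes this worse; raising them reduces false positives but also delays or weakens detection of a node that really drops packets, which is the trade-off a practitioner has to measure rather than assume.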
CONCLUSIONS
Several monitoring-based intrusion detection techniques
proposed in the literature rely on each node passively
monitoring the data forwarding by its next hop to mitigate
packet dropping attacks by insider nodes. Though monitoring-
based intrusion detection is not likely to be
accurate for ad hoc networks due to varying noise levels,
varying signal propagation characteristics in different
directions, and interference from competing transmissions,
there are no specific studies on the impact of noise on false
positives and the impact of false positives on network
performance.