A Vehicular Ad Hoc Network Intrusion Detection System Based on BUSNets


Presented by: Uthra Jayaraman, Bhagyashri Thorat

Introduction

MANETs (mobile ad hoc networks) are a kind of wireless ad hoc network (WANET) consisting of a peer-to-peer, self-forming, self-healing network. A special case of MANETs is vehicular ad hoc networks (VANETs). VANETs are a form of MANET used for communication among vehicles and between vehicles and roadside infrastructure (Road Side Units).

Security in ad hoc networks is particularly challenging because of the open wireless medium and the dynamically changing topology. All the mobile devices in ad hoc networks communicate through wireless links; signals from wireless devices are usually omnidirectional and are transmitted beyond the intended coverage area.

Such properties create new vulnerabilities that do not exist in a fixed wired network. Unlike in wired networks, attacks in a wireless environment can come from all directions. The ad hoc network is composed of mobile devices without any fixed infrastructure, making it difficult to apply centralized administration and control methods. Traditional wired network access control methods such as firewalls, Virtual Private Networks (VPN) and authentication services cannot be used directly to secure ad hoc networks.

Some attempts have been made to secure MANET routing protocols, such as: Secure Efficient Ad hoc Distance vector routing protocol (SEAD), the secure on-demand routing protocol Ariadne, authenticated routing for ad hoc networks (ARAN), Security-aware ad hoc routing (SAAR), Resiliency Oriented Secure (ROS), Secure Routing Protocol (SRP), Secure AODV (SAODV), Secure Link-State Protocol (SLSP), Cooperative Security-Enforcement Routing (CSER).

Even if these secure routing schemes are perfect and implemented correctly, they still cannot eliminate all attacks, especially internal or insider attacks. For example, a compromised mobile node is an insider with all the necessary cryptographic keys, and can easily launch several kinds of attacks, such as a routing loop attack, black hole attack, or gray hole attack. Therefore, it is also necessary to develop detection and response techniques for MANETs. Intrusion prevention measures, such as encryption and authentication, can be used in wireless networks to reduce intrusions, but cannot eliminate them.

Mobility introduces additional difficulty in setting up a cooperating detection system. Because a node's movements are random, it cannot be expected to monitor one particular area for a long enough time. A single node cannot obtain a large enough sample of data to accurately detect other nodes' behavior. This paper presents a novel intrusion detection architecture and an anomaly detection method based on the BUSNet.

The main properties of our method include: the intrusion detection architecture is hierarchical; the bus nodes are used to gather detection data, so there is no need for a complex cluster-head choosing algorithm to elect the cluster-head nodes; the detection algorithm can learn the normal behavior of the network through a neural network.

Related Works

By now, many kinds of attack methods have been discussed for MANETs. A wormhole attack establishes a direct link between two nodes in the network; the attacker eavesdrops on messages at one end of the link, tunnels them through the wormhole link and replays them at the other end. Attackers can potentially disrupt routing by short-circuiting the normal flow of routing packets, selectively dropping packets, and creating routing loops to waste the energy of the network. A Sybil attack is launched by forging multiple identities: the attacker obtains multiple node identities and inserts bogus information into the network.

Denial-of-service (DoS) attacks have also been discussed. Although some methods, such as authentication services and access controls, have been proposed to enhance the security of ad hoc networks, these preventive mechanisms alone cannot deter all possible attacks. Thus, intrusion detection is still needed as a second line of defense.

Recently, many intrusion detection methods have been proposed for wireless ad hoc networks. Two types of detection methods are monitoring-based and clustering-based.

Monitoring based approach:
•Watchdog: detects the misbehaving nodes. It identifies the misbehaving nodes by eavesdropping on the transmission of the next hop.
•Pathrater: helps routing protocols to avoid these nodes. It is run by each node in the network and combines knowledge of misbehaving nodes with link reliability data to pick the route most likely to be reliable.

CONFIDANT (Cooperation Of Nodes, Fairness In Dynamic Ad-hoc NeTworks) is similar to Watchdog and Pathrater: each node observes the behavior of neighbor nodes within its radio range and learns from them. However, the node not only gets the behavior information of its one-hop neighbors, but also takes detection data from its trusted nodes; furthermore, when one node finds a misbehaving node, it sends an alarm message to its trusted nodes. Another technique is CORE, which is based on a monitoring system and a reputation system. As in CONFIDANT, the monitoring system monitors the nodes' behavior, and each node can receive a report from other nodes.

However, the difference is that CORE allows only positive reports to be passed. Since there is no incentive for a node to maliciously spread negative information about other nodes, simple denial of service attacks using the collaboration technique are prevented. The reputation system keeps track of other entities' rate of collaboration. The reputation metric is computed based on data monitored by the local entity and some information provided by other nodes involved in each operation.

Since the ad hoc network is a dynamic system, especially in VANETs, the topology changes frequently. Clustering is a promising approach for enhancing the scalability of ad hoc networks in the face of a frequently changing topology. Many hierarchical IDS architectures have been proposed for multi-layered wireless ad hoc networks. In this paper, we also use the hierarchical architecture to organize and maintain a dynamic hierarchy of intrusion detection components.

Proposed Solution

Intrusion Detection Based on the BUSNet

BUSNet is a virtual mobile backbone infrastructure that is constructed using public nodes. We use the bus nodes as cluster heads to gather the routing control messages and data packets transmitted among the vehicles. Fig 1 presents a hierarchical intrusion detection system for VANETs:
•Layer 1 consists of the vehicles in the VANET.
•Layer 2 consists of buses.
•Layer 3 consists of roadside communication infrastructure, such as Access Points.

Fig 1. The hierarchical architecture of BUSNet

Intrusion Detection Techniques

Intrusion detection techniques can be classified into two categories: misuse detection and anomaly detection.
•Misuse detection looks for signatures of known attacks. Any matched activity is considered an attack. Examples: STAT and IDIOT. Misuse detection can detect known attacks effectively.
•Anomaly detection models a user's behaviors, and any significant deviation from the normal behaviors is considered the result of an attack. It can be effective against unknown or novel attacks since no a priori knowledge about specific intrusions is required. It tends to generate more false alarms than misuse detection systems.

How is anomaly detection performed?

The basic premise for anomaly detection is that there are intrinsic and observable characteristics of normal behavior that are distinct from those of abnormal behavior. It involves 3 important steps:
•Feature Selection
•Model Behavior
•Comparison

Feature selection is a critical part of building the normal behavior model and performing the comparison. It is done by selecting features from the routing control messages and data packets. By analyzing the routing request messages we can detect whether routing request flooding is happening; by analyzing the data packet delivery rate we can detect whether some wormhole links have been built. In the hierarchical architecture, the routing control messages and data packets between vehicles can be sniffed by the bus nodes, which transfer this data to the access points deployed along the roadside. The access points then get a global view of the VANET, and we can detect anomalous behavior by analyzing this data.

Experiment

The experiment's objective is to determine the performance characteristics and effectiveness of the proposed method. The experiments are conducted in the network simulator NS2.33. It includes simulation of wireless ad hoc network infrastructure, popular wireless ad hoc routing protocols (DSR, DSDV, AODV), and mobility scenario and traffic pattern generation. The simulation parameters are listed in Table 1 and the total simulation time is 300 secs.

Table 1. Simulation Parameters

The behavior features used to train the neural network are obtained by extracting the records from NS2's trace files. In the experiment, we first get the packet delivery rate: the ratio between the number of packets originated by the application layer CBR (continuous bit rate) sources and the number of packets received by the final destination. The packet delivery ratio characterizes both the completeness and correctness of the routing protocol. This process is done for different routing protocols: AODV, DSR, and DSDV. The delivery ratio under normal circumstances:

After the neural network is stable, the anomalous behavior is generated by launching a DoS attack at intervals of 0.01. Four attacks are launched, and with each attack the delivery ratio reduces. From Fig. 3 we can see that during the 20-40, 80-100, 140-180, and 260-280 intervals the packet delivery ratio drops.

Fig 3. Packet Delivery ratio during attack

The proposed anomaly intrusion detection method does not predict the kind of intrusion taking place. If the behavior value is less than the intrusion threshold value, we predict that an intrusion has occurred. We train the neural network with different normal features and then use the stable neural network to monitor the host's network. The experiment was performed by varying the threshold values and noting the different alarm times obtained. The results for varying threshold values, number of weights and alarm points for the different routing protocols are tabulated.

Table 2. Neural Network Training And Detection Results Of AODV Table 3. Neural Network Training And Detection Results Of DSDV

Table 4. Neural Network Training and Detection Results of DSR

From Table 2 we can observe that, when threshold is 0.05, the IDS falsely alarms an attack at 120; when threshold is 0.3, the IDS does not detect the attack between 80-100; when threshold is 0.4, the IDS does not detect the attacks during 80-100 and 260-280; when threshold is larger than 0.4, the IDS does not detect any attack.

From Table 3 we can observe that, when threshold is 0.05, the IDS falsely alarms two attacks at 120 and 200; when threshold is 0.1, the IDS falsely alarms an attack at 200; when threshold is 0.5, the IDS does not detect attacks during 80-100 and 260-280; when threshold is 0.6, the IDS does not detect attacks during 20-40, 80-100 and 260-280; when threshold is larger than 0.6, the IDS does not detect any attack.

From Table 4 we can observe that, when threshold is 0.05, the IDS falsely alarms an attack at 120; when threshold is 0.1, the IDS falsely alarms an attack at 120; when threshold is 0.3, the IDS does not detect an attack during 80-100; when threshold is 0.4, the IDS does not detect attacks during 80-100 and 140-180; when threshold is 0.5, the IDS does not detect attacks during 80-100, 140-180, and 260-280; when threshold is 0.6, the IDS does not detect attacks during 80-100, 140-180, and 260-280; when threshold is larger than 0.6, the IDS does not detect any attack.

Based on the obtained values, the detection error vs threshold graphs are plotted:

Fig 4. The detection error on AODV

Fig 5. The detection error on DSDV Fig 6. The detection error on DSR

False Positive: The situation where no attack has happened but the IDS predicts that an attack has occurred.
False Negative: The situation where an attack has happened but the IDS predicts that no attack happened.

From the above graphs, we can infer that the performance of the IDS varies according to the intrusion threshold. As the threshold value increases, false negative errors increase while false positive errors decrease. Since false negative errors are more important in an IDS, we need to see that they decrease for the system to be effective.
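The threshold trade-off described above can be reproduced on a small scale. The following is an added example, not code from the paper or the presentation: it computes the per-interval packet delivery ratio from NS2 old-format wireless trace lines and sweeps the alarm threshold. Assumptions: the ratio is taken as received/sent, the mean ratio of an attack-free run stands in for the neural network's model of normal behavior, an alarm is raised when the drop from that baseline exceeds the threshold, and the trace contents and delivery counts are constructed (only the attack windows 20-40, 80-100, 140-180 and 260-280 come from the text).

```python
from collections import defaultdict

def interval_pdr(trace_lines, width=20):
    """Per-slot packet delivery ratio (received / sent) for AGT-layer CBR packets.
    A receive is credited to the slot in which that packet uid was sent."""
    sent_slot, sent, recv = {}, defaultdict(int), defaultdict(int)
    for line in trace_lines:
        f = line.split()
        if len(f) < 8 or f[3] != "AGT" or f[6] != "cbr":
            continue                       # skip routing, MAC and malformed lines
        event, t, uid = f[0], float(f[1]), f[5]
        if event == "s":
            slot = int(t // width) * width
            sent_slot[uid] = slot
            sent[slot] += 1
        elif event == "r" and uid in sent_slot:
            recv[sent_slot.pop(uid)] += 1  # pop so a duplicate receive is not counted
    return {slot: recv[slot] / sent[slot] for slot in sorted(sent)}

def make_trace(delivered_per_slot, per_slot=10, width=20):
    """Constructed NS2-style trace: per_slot CBR packets sent in each slot,
    the first delivered_per_slot[slot] of them received 0.05 s later."""
    lines, uid = [], 0
    for slot, delivered in delivered_per_slot.items():
        for i in range(per_slot):
            t = slot + i * width / per_slot
            lines.append(f"s {t:.6f} _0_ AGT  --- {uid} cbr 512 "
                         f"[0 0 0 0] ------- [0:0 1:0 32 0] [{uid}] 0 0")
            if i < delivered:
                lines.append(f"r {t + 0.05:.6f} _1_ AGT  --- {uid} cbr 512 "
                             f"[13a 1 0 800] ------- [0:0 1:0 30 1] [{uid}] 1 0")
            uid += 1
    return lines

def sweep(thresholds=(0.05, 0.2, 0.4)):
    """Return {threshold: (false_positive_slots, false_negative_slots)}."""
    slots = range(0, 300, 20)              # 300 s simulation, 20 s slots
    normal = interval_pdr(make_trace({s: 9 for s in slots}))
    baseline = sum(normal.values()) / len(normal)   # stand-in for the trained model
    counts = {s: 9 for s in slots}
    # Constructed delivery counts: drops in the attack windows, a benign dip at 120.
    counts.update({20: 4, 80: 6, 120: 8, 140: 3, 160: 4, 260: 6})
    pdr = interval_pdr(make_trace(counts))
    attack = {20, 80, 140, 160, 260}       # slots covered by the four attack windows
    result = {}
    for th in thresholds:
        alarms = [s for s, ratio in pdr.items() if baseline - ratio > th]
        false_pos = [s for s in alarms if s not in attack]
        false_neg = sorted(attack - set(alarms))
        result[th] = (false_pos, false_neg)
    return result

if __name__ == "__main__":
    for th, (fp, fn) in sweep().items():
        print(f"threshold={th}: false positives={fp}, false negatives={fn}")
```

With this constructed data the lowest threshold raises a false alarm on the benign dip, the middle one separates attacks from noise, and the highest one misses the two milder attacks.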

Conclusion

The optimal threshold value for AODV, DSDV, and DSR is 0.2. In mobile ad hoc networks, when an intrusion takes place, intrusion prevention techniques such as authentication and encryption are usually the first line of defense. However, the open network architecture, shared wireless medium, and highly dynamic network topology make wireless ad hoc networks more vulnerable than conventional wired networks. As an additional security measure, the IDS would help us to determine whether an unauthorized user is attempting to access or has already accessed the network.

What did we learn?

Even if the system is equipped with a powerful encryption and authentication scheme for preventing intrusion, an additional security fence is always needed. The IDS acts in a similar fashion: it helps us detect whether an intrusion is taking place or has already happened. This model can be implemented on any platform, irrespective of the routing protocol being used.

Suggestions: The simulation time was only 300 secs. The simulation time could be increased so that more DoS attacks can take place at different time intervals, and then check whether the system is able to detect the intervals during which attacks happen.

type of neural network weights inputs taken layer

References
1. D. Tian, Y. Wang, G. Lu and G. Yu, "A vehicular ad hoc networks intrusion detection system based on BUSNet," 2010 2nd International Conference on Future Computer and Communication, Wuhan, 2010, pp. V1-225-V1-229.
2. Advanced Wireless & Sensor Networking Lab, Southern Illinois University Carbondale
