INTRUSION DETECTION SYSTEMS IN MOBILE AD-HOC NETWORKS
Anas A. Al-Roubaiey
Implementation and Performance Evaluation of Adaptive ACKnowledgment (AACK)



CONTENTS
- Background
- Literature Review
- Problem Statement
- Misbehaving Actions in MANET
- Proposed IDS
- Performance Evaluation
- Conclusions and Future Work
6 June 2009, KFUPM: MS Defense

BACKGROUND: Mobile Ad hoc NETwork
- Definition
  - MANET is a collection of wireless mobile nodes which may form a temporary network, without the use of any fixed infrastructure or centralized administration
- Characteristics
  - Multi-hop communication
  - Dynamic topology
  - Constrained resources
  - Nodes work as routers
[Figure: nodes S, F1, F2, F3, D]

BACKGROUND: MANET Applications
- Applications
  - Military and rescue operations
  - Extend BS range

BACKGROUND: Routing in MANET
- MANET Routing Protocols
  - DSR basic functions
  - Route discovery
  - Route maintenance

BACKGROUND: Route discovery in DSR
- Route Request (RREQ) Broadcasting
[Figure: network with nodes S and D]

BACKGROUND: Route discovery in DSR
- Route Reply (RREP) Unicasting
[Figure: network with nodes S and D]

BACKGROUND: Route Maintenance in DSR
- Mobility of a node can break routes passing through it
[Figure: network with nodes S and D; RERR(5,8)]


Misbehaving Actions in MANET: Securing DSR
- DSR is vulnerable to attacks
  - Passive (eavesdropping)
  - Active (dropping packets)
- Proposed solutions
  - Prevention techniques (Cryptography)
  - Detection techniques (Watchdog)
- Detection Techniques
  - Second wall of defense
  - Detect and banish the misbehaving nodes
Problem:
- In a malicious environment, misbehaving nodes may not cooperate.
- How can they misbehave?
- What is their effect on network performance?

Misbehaving Actions in MANET: Nodes misbehaviour
- Cooperative node:
  - Cooperate in both route discovery and packet forwarding functions
- Selfish node:
  - Prevent data packet forwarding
  - Try to save their own resources (energy and bandwidth)
- Malicious node:
  - Prevent data packet forwarding
  - Try to disrupt the network
[Figure: node icons labelled C, M, S]

Misbehaving Actions in MANET: Nodes misbehaviour
Packet Dropping in MANET
- Intended
  - Selfish: Save Power, Save BW
  - Malicious: Black hole, Gray hole
- Non-Intended
  - Node Errors: CPU overloaded, SW fault
  - Network Errors: Congestion, Collisions

Misbehaving Actions in MANET: Misbehaving model
[Figure: nodes A, S, D; RREQ packets from S to D; RREP packets from D to S; CBR packets from S to D; node icons labelled M and S]
- What is the effect on the network performance as we increase the % of misbehaving nodes?


LITERATURE REVIEW: Watchdog IDS
- How it works
  - When a node forwards a packet, the node’s watchdog verifies that the next node in the path also forwards the packet
  - Watchdog does this by listening promiscuously to the next node’s transmissions
- Problems
  - Ambiguous collisions, False misbehavior, Partial dropping, Collusion
  - Receiver collisions, Limited transmission power
Hint: Promiscuous mode means a node accepts the packets regardless of their destination
[Figure: path S, A, B, C, D]

LITERATURE REVIEW: Previous IDS
Mechanism | Published Date | RP | Detection Function | Misbehaving Detected | Use WD | Problems Solved
Watchdog | 2000 | DSR | All nodes | All Packet Drop (APD) | Yes | None
CORE | 2002 | All | Selective Packet Drop (SPD) | Yes | Partial Dropping
CONFIDANT | 2002 | DSR | All | APD + Routing Attacks | Yes | None
Patcha | 2003 | AODV | Some | APD | Yes | Collusion
CineMA | 2004 | DSR | Some | SPD | Yes | Partial Dropping
Parker | 2004 | All | Some | APD | Yes | None
TWOACK | 2005 | DSR | All | APD | No | RC+TC
Routeguard | 2005 | DSR | All | SPD | Yes | Partial Dropping
ExWatchdog | 2007 | DSR | All | APD | Yes | False Misbehaving
Cop | 2008 | DSR | Some | APD | Yes | None


PROBLEM STATEMENT: Receiver Collision
- Node A believes that B has forwarded packet 1 on to C
- However, C never received the packet due to a collision with packet 2 being sent from D

PROBLEM STATEMENT: Limited Power Transmission
- A node could limit its transmission power such that the signal is strong enough to be overheard by the previous node but too weak to be received by the true recipient.
[Figure: nodes A, B, C]
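A small model of the two problems stated above (receiver collision and limited transmission power), added here as an illustration and not taken from the thesis or its NS-2 code: node A checks its next hop B both with a watchdog (overhearing) and with a TWOACK-style acknowledgment returned by the node two hops away. `Monitor`, `BEHAVIOURS` and `simulate` are hypothetical names; the timeouts and threshold are the values in the deck's simulation parameters, while the packet interval, hop delay and 1-in-10 collision rate are constructed.

```python
from dataclasses import dataclass, field

# Values from the simulation-parameter slide of this deck.
WD_TIMEOUT = 0.1   # s, watchdog (WD) timeout
TA_TIMEOUT = 0.2   # s, TWOACK (TA) timeout
THRESHOLD = 40     # packets, WD and TA threshold


@dataclass
class Monitor:
    """Hypothetical bookkeeping that node A keeps about its next hop B."""
    timeout: float
    pending: dict = field(default_factory=dict)  # packet id -> deadline
    failures: int = 0

    def sent(self, pkt_id, now):
        self.pending[pkt_id] = now + self.timeout

    def confirmed(self, pkt_id, now):
        # Evidence counts only if it arrives before the deadline.
        if pkt_id in self.pending and now <= self.pending[pkt_id]:
            del self.pending[pkt_id]

    def expire(self, now):
        late = [p for p, deadline in self.pending.items() if deadline < now]
        for p in late:
            del self.pending[p]
        self.failures += len(late)

    def flagged(self):
        # Assumption: a report is raised once the tally reaches the threshold.
        return self.failures >= THRESHOLD


# Constructed behaviours of B on the path A -> B -> C. Each returns
# (A overhears B's transmission, C actually receives the packet).
BEHAVIOURS = {
    "cooperative": lambda i: (True, True),
    "drops_all": lambda i: (False, False),
    "limited_power": lambda i: (True, False),
    "receiver_collision": lambda i: (True, i % 10 != 0),  # 1 in 10 lost at C
}


def simulate(behaviour, packets=100, interval=0.05, hop_delay=0.01):
    """Run both monitors at node A over the same constructed traffic."""
    watchdog, twoack = Monitor(WD_TIMEOUT), Monitor(TA_TIMEOUT)
    for i in range(packets):
        now = i * interval
        watchdog.expire(now)
        twoack.expire(now)
        watchdog.sent(i, now)
        twoack.sent(i, now)
        overheard, received = BEHAVIOURS[behaviour](i)
        if overheard:  # B's transmission is overheard by A
            watchdog.confirmed(i, now + 2 * hop_delay)
        if received:   # C's two-hop acknowledgment returns C -> B -> A
            twoack.confirmed(i, now + 4 * hop_delay)
    end = packets * interval + 1.0  # let every outstanding deadline pass
    watchdog.expire(end)
    twoack.expire(end)
    # The watchdog reports node B; the two-hop check reports the link B-C.
    return {"wd_failures": watchdog.failures, "wd_flags": watchdog.flagged(),
            "ta_failures": twoack.failures, "ta_flags": twoack.flagged()}


if __name__ == "__main__":
    for name in BEHAVIOURS:
        print(f"{name:20s}", simulate(name))
```

With the limited-power behaviour the watchdog tally stays at zero while the acknowledgment tally passes the threshold; the occasional receiver collisions stay below the threshold in both.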


PROPOSED IDS: Research Objectives
- Study the impact of misbehaving nodes on network performance
- Propose a solution for the two problems, receiver collision (RC) and limited power transmission (LPT)
- Enhancing TWOACK
  - Reduce routing overhead: minimizing acknowledgment transmissions per data packet
  - Increase detection efficiency: node detection instead of link detection

PROPOSED IDS: AACK Mechanism
- Definition
  - AACK stands for Adaptive ACKnowledgment
  - Adapts the number of acknowledgments based on network state
- Components
  - End to end acknowledgment
  - E-TWOACK
  - Switching system
  - Response system
- Node types: S, D, F
  - Source, Destination, Forwarder
[Figure: nodes S, F1, F2, D, labelled Source, Forwarders, Destination]

PROPOSED IDS: End to end Acknowledgment

PROPOSED IDS: TWOACK – How it works

PROPOSED IDS: TWOACK – Link Detection
- Disadvantage
  - Detects the misbehaving link (ML) instead of the misbehaving node (MN)
  - Misbehaving node still active in other links
  - Especially in high mobility scenarios where links are changing rapidly
[Figure: nodes labelled M; F2-F3 is ML]

PROPOSED IDS: E-TWOACK – Node Detection
- The order of three consecutive nodes has 4 possibilities:
  - F – D → S – F – D
  - F – D → F – F – D
    - F is the misbehaving node, because by the nature of packet dropping attacks the attackers exist only on the intermediate nodes
  - F1 – F2 → S – F1 – F2
    - If S receives an alarm then F2 is MN
    - If S does not receive an alarm then F1 is MN
  - F2 – F3 → F1 – F2 – F3
    - F3 is the MN because F2 is reported by S and F1 as a well-behaved node

PROPOSED IDS: E-TWOACK – Detection Procedure

PROPOSED IDS: Switching Scheme
- AACK modes
  - End to end acknowledgment (Aack mode)
  - E-TWOACK (Tack mode)
- Data packets
  - AA packets (Aack mode)
  - TA packets (Tack mode)
  - One bit from DSR header is used
[Figure: Data Packets: AA, TA]

PROPOSED IDS: Switching Scheme
[Figure: Tack, Aack]

PROPOSED IDS: Response System


Performance Evaluation: Why NS-2?
- Suitable for researchers
- Free and open source simulator
- Simulator usage survey of simulation-based papers in MANET, 2005.

Performance Evaluation: Performance metrics
- Packet Delivery Ratio
- Routing Overhead
- Average end to end Delay

Performance Evaluation: Simulation parameters
Parameter | Value
Number of nodes | 50 nodes
Simulation area | 670 meter X 670 meter
Simulation time | 900 seconds
Mobility model | Random waypoint with pause time 0
Maximum speed | 1 m/s (low mobility), 20 m/s (high mobility)
Antenna model | Omni-directional

Performance Evaluation: Simulation parameters
Parameter | Value
Transmission range | 250 meter
MAC protocol | CSMA/CA
WD and TA timeout | 0.1 and 0.2 sec
WD and TA threshold | 40 packets
AACK timeout |
AACK threshold | 30 packets
Misbehaving nodes | varying from 0 % – 40 % (40% smart attackers)
Data traffic | CBR and Video traffic

Performance Evaluation: CBR: Low speed
- DSR has the lowest PDR
  - No detection mechanism used
- WD has better PDR than DSR
  - Partial detection for MN
- AA outperforms TA, especially at 30 and 40 % of misbehaving nodes
- The performance of all the schemes decreases as MN increases

Performance Evaluation: CBR: Low speed
- AA has lower overhead than TA
  - Reduction of TA Ack packets
- WD has almost the same overhead as DSR
  - No packets are used for detection
  - Just alarm packets are used

Performance Evaluation: CBR: Low speed
- TA has the highest delay
  - More computation
  - More acknowledgment packets
- AA has lower value than TA
  - The intermediate nodes will not do the detection function all the time

Performance Evaluation: CBR: High speed
- DSR and WD PDR decreases much more than in low speed, 50 % with 40% of MN
  - High rate of broken links
- With no MN, AA and TA performance is lower than DSR and WD
  - Their overhead packets due to detection function
- TA outperforms AA in case of 40% MN
  - Switching overhead

Performance Evaluation: CBR: High speed
- RoH of TA increased from 16% in LS to 40% in HS
- AA and TA have larger overhead than WD and DSR
  - Due to Ack packets and Alarms

Performance Evaluation: CBR: High speed
- On average, AA and TA have the same AED
- AED is more than in LS
  - Salvaged packets increase with HS

Performance Evaluation: video traffic
- To the best of our knowledge, this is the first attempt to evaluate IDSs in MANETs using video traffic
- Not supported by NS-2.
  - We use contributions of NS-2 users, which have been used in publications
- A small experiment is conducted to choose the best video traffic type (MPEG-4 or H.264) over DSR
  - 5 stationary nodes, 670 X 670 flat space
  - 30 frames / second

Performance Evaluation: video traffic
- At sender
- At receiver
[Figure: processing chains at sender and receiver; labels: Raw Video, encoder, converter, Input Trace file, NS-2, output Trace file, decoder]

Performance Evaluation: video traffic

Performance Evaluation: video traffic
- Peak Signal to Noise Ratio
  - PSNR measures the error between a reconstructed image and the original one
PSNR [dB] | MOS value | Class
≥ 37 | 5 | Excellent
 | | Good
 | | Fair
 | | Poor
< 20 | 1 | Bad

Performance Evaluation: video traffic: High Speed
- Notice the decrease of PDR to 34 %
  - High data rate up to 50 p/s
  - More collisions and congestion
- AA outperforms TA and DSR in presence of MN

Performance Evaluation: video traffic: High Speed
- RoH here is much less than in case of CBR
  - Data traffic rate is much more than it was in CBR
- TA also has a slightly higher RoH than AA

Performance Evaluation: video traffic: High Speed
- As the # hops increases, e-to-e delay increases
- Also, TA has the highest e-to-e delay as in CBR results
- In one hop all the schemes are almost the same
  - No misbehaving nodes
  - No acknowledgments


CONCLUSIONS AND FUTURE WORK: Conclusion
- In this research we continue the improvement of the existing IDSs over MANETs
- A new IDS is proposed and studied for addressing packet dropping misbehavior by
  - Solving the RC and LPT problems of watchdog
  - Enhancing the TWOACK technique
- Implementation of IDS over variable environments is a challenge.
  - Timeout and threshold parameters should be dynamically adapted to the network speed and traffic rate

CONCLUSIONS AND FUTURE WORK: Future Works
- Solve the other WD problems such as partial dropping and colluding attacks using AACK
- Extend the AACK to work with other MANET routing protocols
  - Study AACK IDS performance under other popular routing protocols (both reactive and proactive).
- Do more performance evaluation for AACK in terms of power consumption and memory usage