1. MANETs A Mobile Ad Hoc Network (MANET) is a self-configuring network of mobile nodes connected by wireless links. Characteristics include: no fixed infrastructure dynamically changing topology due to mobility cooperativeness of nodes to provide essential networking resource-constrained environment more vulnerable to attacks than wired networks The Method We use Grammatical Evolution (GE), an evolutionary technique inspired by natural evolution, to evolve detection rules for dropping attacks on MANETs. GE evolves programs written in a BNF grammar. The evolved program (best of run) is distributed to each node on the network. We assume that dropping attacks can be detected by the neighbours of the malicious node who sent/forwarded packets to the malicious nodes but has not received any acknowledgement from it for a while. We assume that an attack can be detected in a time interval ∆ after it has occurred. That’s why a sliding window mechanism which gathers all features in ∆ is applied to training and testing. We use both mobility-related and packet-related features as input to the evolution system. Mobility-related features can give information about mobility directly (such as changes in the number of neighbours) or be the result of mobility (such as increase in the number of new routes added). Packet-related features include information about routing protocol control packets (AODV) and transport protocol packets (TCP). Conclusion We show the potential of the grammatical evolution technique to detect dropping attacks against MANETs. Our GE technique shows a good performance for evolving efficient detectors for known attacks against MANETs. In Future, We aim to employ the GE technique to a variety of attacks on MANETs We aim to employ multi-objective evaluation mechanisms to explore optimal tradeoffs between resources consumed by programs (e.g. memory and power) and detection efficacy. Evolving Intrusion Detection Rules on Mobile Ad Hoc Networks Sevil Sen and John Clark Department of Computer Science,, UK. {ssen, jac}@cs.york.ac.uk Objective We investigate the use of the Grammatical Evolution (GE) technique to detect known attacks on Mobile Ad Hoc Networks (MANETs). We evolve programs by using GE to detect dropping attacks, a particularly important attack for MANETs. We mainly aim to differentiate packet dropping due to malicious behaviour from packet dropping due to mobility in this highly dynamic environment. We evaluate the evolved detection rules on networks with varying mobility and traffic patterns. Experiment and Results The evolved programs are evaluated on networks with low, medium and high mobility/traffic. The results show that false positive rates increase in proportion to mobility as expected. Only the mobility factor of packet losses on MANETs is considered here. The results can be improved by taking into account other factors. The Fitness and The Grammar The fitness function, which evaluates how good the solution is : Fitness = detection rate – k * false positive rate Grammatical Evolution Algorithm Dropping Attacks In MANETs, nodes that are not within each other’s communication range must rely on other nodes to forward their packets. In a dropping attack, malicious nodes drop data packets not destined to themselves. Dropping attacks may : reduce network performance prevent end-to-end communications Major causes of packet losses on MANETs are : wireless link transmission errors mobility (~60%) congestion S = ::= if( ) raise_alarm() ::= | ::= | ( ) | ( ) | ( ) | ::= + | - | / | * ::= sin | cos | log | ln | sqrt | abs | exp | ceil | floor ::= max | min | pow | percent ::= | ≥ | == | != ::= and | or ::= feature set ScenariosDetection Rate False Positive Rate Low mobility, 20 TCP connections79.59%3.81% Low mobility, 30 TCP connections93.85%5.25% Medium mobility, 20 TCP connections92.45%3.95% Medium mobility, 30 TCP connections87.04%6.30% Medium mobility, 20 TCP connections90.48%4.07% Medium mobility, 30 TCP connections (training)82.64%5.53% High mobility, 20 TCP connections83.33%5.05% High mobility, 30 TCP connections84.38%6.22%