sathya thesis

Upload: sathyanandam-sathyanandam

Post on 02-Jun-2018


  • 8/10/2019 Sathya Thesis

    1/110

    1

Introduction

Since their appearance in 1970 in the form of ALOHANET, wireless packet radio networks have come a long way in terms of numbers, applications, and feature set, among other things. The two largest attractions of wireless communication have been mobility and ease of deployment: laying cables is not only laborious and time consuming, but their maintenance is equally bothersome. Wireless communication today surrounds us in many colors and flavors, each with its unique frequency band, coverage, and range of applications. It has matured to a large extent, and standards have evolved for Personal Area Networks and Local Area Networks as well as Broadband Wireless Access.

1.1 Infrastructure-less Networks

In any but the most trivial networks (point-to-point links), some mechanism is required for routing packets from the source to the final destinations. This includes discovery and maintenance of routes along with their associated costs. In what is called an infrastructure-based wireless network, the job of routing is assigned to dedicated nodes called access points (APs). The configuration of the APs is much less dynamic than that of their, possibly mobile, end-point nodes. APs are like base stations: they keep track of node associations and disassociations, authentication, etc., and control the traffic flow between their clients as well as between fellow APs. An AP may also be connected to the Internet, thereby providing Internet connectivity to its clients.


to be a perfect circle, and the links can in fact be unidirectional in many cases: node A can reach node B on link 1, but node B may not be able to use this link to reach node A. This can happen because the signal strengths of the two transmitters are unequal, or it can depend on the transmission path.

In Ad Hoc networks, each node is willing to forward data to other nodes, and so the determination of which nodes forward data is made dynamically based on the network connectivity. This is in contrast to infrastructure-based networks, in which designated nodes, usually with custom hardware and variously known as routers, switches, hubs, and firewalls, perform the task of forwarding the data. Minimal configuration and quick deployment make Ad Hoc networks suitable for emergency situations like natural or human-induced disasters, military conflicts, emergency medical situations, etc. An Ad Hoc network is formed for a purpose by the participating wireless nodes and is then torn down. These networks introduced a new art of network establishment and are well suited for environments where either the infrastructure is lost or deploying an infrastructure is not cost-effective.

1.2 A Brief History of Wireless Ad Hoc Networks

The whole life-cycle of Ad Hoc networks [33] can be categorized into first, second, and third generation Ad Hoc network systems. Present ad-hoc network systems are considered the third generation.

The first generation of wireless Ad Hoc networks dates back to 1972. At the time, they were called PRNET (Packet Radio Networks). In conjunction with ALOHA and CSMA (Carrier Sense Multiple Access) approaches for medium access control and a kind of distance-vector routing, PRNET was used on a trial basis to provide different networking capabilities in a combat environment.

The second generation [6] of Ad Hoc networks emerged in the 1980s, when the ad-hoc network systems were further enhanced and implemented as part of the SURAN (Survivable Adaptive Radio Networks) program. This provided a packet-switched network to the mobile battlefield in an environment without infrastructure. The program proved beneficial in improving the radios' performance by making them smaller, cheaper, and resilient to electronic attacks.

In the 1990s, the concept of commercial ad-hoc networks [6] arrived with notebook computers and other viable communications equipment. At the same time, the idea of a collection of mobile nodes was proposed at several research conferences.

The IEEE 802.11 [7] subcommittee adopted the term "ad-hoc networks", and the research community started to look into the possibility of deploying ad-hoc networks in other areas of application.

Meanwhile, work was going on to advance the previously built ad-hoc networks. GloMo [8] (Global Mobile Information Systems) and NTDR (Near-term Digital Radio) are results of these efforts. GloMo was designed to provide an office environment with Ethernet-type multimedia connectivity anywhere and anytime on handheld devices. NTDR [9] is the only "real" non-prototypical ad-hoc network that is in use today. It uses clustering and link-state routing, and is self-organized into a two-tier ad-hoc network.


Development of different channel access approaches, now in the CSMA/CA and TDMA molds, and several other routing and topology control mechanisms were some of the other inventions of that time.

Later, in the mid-1990s, the Mobile Ad-Hoc Networking working group was formed within the Internet Engineering Task Force (IETF) to standardize routing protocols for ad-hoc networks. The development of routing within the working group and the larger community resulted in the invention of reactive and proactive routing protocols.

Soon after, the IEEE 802.11 subcommittee standardized a medium access protocol that was based on collision avoidance and tolerated hidden terminals, making it usable for building mobile ad-hoc network prototypes out of notebooks and 802.11 PCMCIA (Personal Computer Memory Card International Association) cards. Wireless local area network products (IEEE 802.11, Hiperlan) provide in-building wireless access; however, they are usually deployed as access links only, packet relaying being performed by traditional bridges or routers. Bluetooth is a low-cost technology for short-range communication; its market is targeted towards PCs, phones, appliances, watches, etc. It allows multiple nodes to connect to each other in a multi-hop arrangement.

Efforts are under way to standardize the different existing schemes for the various network controls in a single framework, which could be taken as a standard for all future applications utilizing ad-hoc networks as a networking technology. Wireless devices are getting smaller, cheaper, and more sophisticated. As these devices become more ubiquitous, organizations are looking for inexpensive ways to keep them connected. Building an ad-hoc network could make that happen.


Wireless Ad Hoc Networks can broadly be classified into three categories: Mobile ad-hoc networks (MANETs), Wireless Sensor Networks, and Wireless Mesh Networks. Each of these has significance for different application areas; they differ in the capacity and capabilities of the nodes that participate in the network, the purpose of the network, and the communication protocols employed. The focus of this thesis is MANETs; from this point onwards, the terms MANETs and Wireless Ad Hoc Networks will be used interchangeably.

1.3 Challenges in Wireless Ad Hoc Networks

The two most significant differences between infrastructure-based and Ad Hoc networks are a) communications in Ad Hoc networks are truly peer-to-peer, and b) the individual nodes that do jobs of their own are now also required to route packets as needed. These differences lead to some unique and extremely difficult challenges for Ad Hoc networks. Unlike dedicated routers, hosts in MANETs have limited computational resources and, more importantly, being battery-operated, very limited power. Building routing decisions into general-purpose hosts for constantly changing surroundings is a big challenge.

However, arguably the most important of these challenges is that of security. MANETs are essentially zero-administration personal environments. The absence of infrastructure and the consequent absence of authorization facilities impede the usual practice of establishing a line of defense to separate the trusted from the non-trusted. That practice would be based on a security policy, possession of the necessary credentials, and the ability of nodes to validate them. In the context of MANETs, there may be no basis for such an a priori classification. Additionally, freely roaming nodes join and leave MANETs independently and without notice, making it difficult to have a clear picture of the Ad Hoc network membership. In such an environment, there is no guarantee that a path between two nodes is free of malicious nodes. These nodes would not comply with the employed protocol and would attempt to harm the network operation. The presence of even a small number of adversarial nodes could cause the entire network to collapse.

1.4 Routing in Ad Hoc Networks

The lack of a backbone infrastructure [37], coupled with the fact that mobile Ad Hoc networks change their topology frequently and without prior notice, makes packet routing in ad-hoc networks a challenging task. The suggested approaches for routing can be divided into topology-based and position-based routing.

Topology-based routing protocols use the information about the links that exist in the network to perform packet forwarding. They can be further divided into proactive, reactive, and hybrid approaches.

Proactive algorithms employ classical routing strategies such as distance-vector routing (e.g., DSDV) or link-state routing (e.g., OLSR and TBRPF). They maintain routing information about the available paths in the network even if these paths are not currently used. The main drawback of these approaches is that the maintenance of unused paths may occupy a significant part of the available bandwidth if the topology of the network changes frequently.

In response to this observation, reactive routing protocols were developed (e.g., DSR, TORA, and AODV). Reactive routing protocols maintain only the routes that are currently in use, thereby reducing the burden on the network when only a small subset of all available routes is in use at any time. However, they still have some inherent limitations. First, since routes are only maintained while in use, it is typically necessary to perform a route discovery before packets can be exchanged between communication peers. This leads to a delay for the first packet to be transmitted. Second, even though route maintenance for reactive algorithms is restricted to the routes currently in use, it may still generate a significant amount of network traffic when the topology of the network changes frequently. Finally, packets en route to the destination are likely to be lost if the route to the destination changes.

Hybrid Ad Hoc routing protocols such as ZRP combine local proactive routing and global reactive routing in order to achieve a higher level of efficiency and scalability. However, even a combination of both strategies still needs to maintain at least those network paths that are currently in use, limiting the amount of topological change that can be tolerated within a given amount of time.

Position-based routing algorithms eliminate some of the limitations of topology-based routing by using additional information. They require that information about the physical position of the participating nodes be available. Commonly, each node determines its own position through the use of GPS or some other type of positioning service. A location service is used by the sender of a packet to determine the position of the destination and to include it in the packet's destination address.

The routing decision at each node is then based on the destination's position contained in the packet and the position of the forwarding node's neighbors. Position-based routing thus does not require the establishment or maintenance of routes. Nodes neither have to store routing tables nor have to transmit messages to keep routing tables up to date. As a further advantage, position-based routing supports the delivery of packets to all nodes in a given geographic region in a natural way. This type of service is called geocasting.

Regardless of the approach to routing, a routing protocol should be able to recover automatically from any problem in a finite amount of time without human intervention. Conventional routing protocols are designed for non-moving infrastructures and assume that routes are bidirectional, which is not always the case for ad-hoc networks. Identifying mobile terminals and correctly routing packets to and from each terminal while it is moving are certainly challenging.

1.4.1 Some Popular Routing Protocols for Ad-Hoc Networks

In this section we discuss some popular routing algorithms proposed for MANETs.

1.4.1.1 Destination-Sequenced Distance Vector (DSDV) Protocol

The Destination-Sequenced Distance Vector (DSDV) protocol is a table-driven routing protocol based on an improved version of the classical Bellman-Ford routing algorithm. DSDV is based on the Routing Information Protocol (RIP). With RIP, a node holds a routing table containing all the possible destinations within the network and the number of hops to each destination. DSDV is also based on distance vector routing and thus uses bidirectional links. A limitation of DSDV is that it provides only one route for a source/destination pair.


1.4.1.2 Dynamic Source Routing (DSR)

DSR [13] uses source routing rather than hop-by-hop routing, with each packet to be routed carrying in its header the complete, ordered list of nodes through which the packet must pass. The key advantage of source routing is that intermediate nodes do not need to maintain up-to-date routing information in order to route the packets they forward, since the packets themselves already contain all the routing decisions. This fact, coupled with the on-demand nature of the protocol, eliminates the need for the periodic route advertisement and neighbor detection packets present in other protocols.

The DSR protocol consists of two mechanisms: Route Discovery and Route Maintenance. Route Discovery is the mechanism by which a node S wishing to send a packet to a destination D obtains a source route to D. To perform a Route Discovery, the source node S broadcasts a ROUTE REQUEST packet that is flooded through the network in a controlled manner and is answered by a ROUTE REPLY packet from either the destination node or another node that knows a route to the destination. To reduce the cost of Route Discovery, each node maintains a cache of source routes it has learned or overheard, which it uses to limit the frequency and propagation of ROUTE REQUESTs.

Route Maintenance is the mechanism by which a packet's sender S detects that the network topology has changed such that it can no longer use its route to the destination D because two nodes listed in the route have moved out of range of each other. When Route Maintenance indicates that a source route is broken, S is notified with a ROUTE ERROR packet. The sender S can then attempt to use any other route to D already in its cache, or can invoke Route Discovery again to find a new route.


1.4.1.3 Temporally-Ordered Routing Algorithm (TORA)

TORA [14] is a distributed routing protocol based on a link reversal algorithm. It is designed to discover routes on demand, provide multiple routes to a destination, establish routes quickly, and minimize communication overhead by localizing the algorithmic reaction to topological changes when possible. Route optimality (shortest-path routing) is considered of secondary importance, and longer routes are often used to avoid the overhead of discovering newer routes.

The actions of TORA can be described in terms of water flowing downhill towards a destination node through a network of tubes that models the routing state of the real network. The tubes represent links between nodes in the network, the junctions of tubes represent the nodes, and the water in the tubes represents the packets flowing towards the destination. Each node has a height with respect to the destination that is computed by the routing protocol. If a tube between nodes A and B becomes blocked such that water can no longer flow through it, the height of A is set to a height greater than that of any of its remaining neighbors, so that water will now flow back out of A (and towards the other nodes that had been routing packets to the destination via A).

At each node in the network, a logically separate copy of TORA is run for each destination. When a node needs a route to a particular destination, it broadcasts a QUERY packet containing the address of the destination for which it requires a route. This packet propagates through the network until it reaches either the destination or an intermediate node having a route to the destination. The recipient of the QUERY then broadcasts an UPDATE packet listing its height with respect to the destination. As this packet propagates through the network, each node that receives the UPDATE sets its height to a value greater than the height of the neighbor from which the UPDATE was received. This has the effect of creating a series of directed links from the original sender of the QUERY to the node that initially generated the UPDATE.

When a node discovers that a route to a destination is no longer valid, it adjusts its height so that it is a local maximum with respect to its neighbors and transmits an UPDATE packet. If the node has no neighbors of finite height with respect to this destination, then the node instead attempts to discover a new route as described above. When a node detects a network partition, it generates a CLEAR packet that resets routing state and removes invalid routes from the network. TORA is layered on top of IMEP, the Internet MANET Encapsulation Protocol, which is required to provide reliable, in-order delivery of all routing control messages from a node to each of its neighbors, plus notification to the routing protocol whenever a link to one of its neighbors is created or broken. To reduce overhead, IMEP attempts to aggregate many TORA and IMEP control messages (which IMEP refers to as objects) together into a single packet (as an object block) before transmission. Each block carries a sequence number and a response list of other nodes from which an ACK has not yet been received, and only those nodes ACK the block when receiving it; IMEP retransmits each block with some period, and continues to retransmit it if needed for some maximum total period, after which time the link to each unacknowledged node is declared down and TORA is notified. IMEP can also provide network layer address resolution, but we did not use this service, as we used ARP [19] with all four routing protocols. For link status sensing and maintaining a list of a node's neighbors, each IMEP node periodically transmits a BEACON (or BEACON-equivalent) packet, which is answered by each node hearing it with a HELLO (or HELLO-equivalent) packet.
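As an added illustration (not code from the thesis), the following Python model plays through the QUERY/UPDATE height assignment described above, the link reversal that turns a node into a local maximum when its downstream link breaks, and the CLEAR-style reset when nodes are cut off from the destination. The topology, the class and function names, and the use of plain integer heights in place of TORA's height tuples are assumptions of this example.

```python
from collections import deque

# Constructed topology for this example (not from the thesis). Heights are plain
# integers instead of TORA's five-tuple heights, an assumption that keeps the
# "water flows downhill" behaviour while leaving out TORA's reference levels.
DEMO_LINKS = [("D", "C"), ("C", "A"), ("C", "B"), ("A", "B"), ("A", "S")]


class ToraDestinationState:
    """Height-based routing state that every node keeps for ONE destination."""

    def __init__(self, links, dest):
        self.adj = {}
        for a, b in links:                       # undirected radio links
            self.adj.setdefault(a, set()).add(b)
            self.adj.setdefault(b, set()).add(a)
        self.dest = dest
        self.height = {n: None for n in self.adj}  # None: no height (no route yet)
        self.height[dest] = 0                    # the destination is the lowest point

    def finite_neighbours(self, n):
        return {m: self.height[m] for m in self.adj[n] if self.height[m] is not None}

    def next_hop(self, n):
        """Downstream neighbour: the lowest neighbour that is strictly below n."""
        if self.height[n] is None:
            return None
        lower = {m: h for m, h in self.finite_neighbours(n).items() if h < self.height[n]}
        return min(lower, key=lower.get) if lower else None

    def path(self, src):
        """Follow next hops from src to the destination; [] if no route exists."""
        route, cur = [src], src
        while cur != self.dest:
            cur = self.next_hop(cur)
            if cur is None or cur in route:
                return []
            route.append(cur)
        return route

    def propagate_update(self, origin):
        """UPDATE flooding: a node without a height takes the sender's height + 1
        and rebroadcasts, which orients every link on the way downhill."""
        q = deque([origin])
        while q:
            n = q.popleft()
            for m in sorted(self.adj[n]):        # sorted() keeps the run deterministic
                if self.height[m] is None:
                    self.height[m] = self.height[n] + 1
                    q.append(m)

    def query(self, src):
        """QUERY flooding from src until it reaches a node that has a height; that
        node answers with an UPDATE. Returns True if src ends up with a route."""
        if self.height[src] is not None:
            return True
        seen, q = {src}, deque([src])
        while q:
            n = q.popleft()
            for m in sorted(self.adj[n]):
                if self.height[m] is not None:
                    self.propagate_update(m)
                    return self.height[src] is not None
                if m not in seen:
                    seen.add(m)
                    q.append(m)
        return False                             # partition: nobody can answer

    def link_failure(self, a, b):
        """Link (a, b) goes down. Nodes that can no longer reach the destination
        through nodes holding a height drop theirs (the CLEAR case); the others
        apply link reversal until each one again has a downstream neighbour."""
        self.adj[a].discard(b)
        self.adj[b].discard(a)
        reachable, q = {self.dest}, deque([self.dest])
        while q:
            n = q.popleft()
            for m in self.adj[n]:
                if m not in reachable and self.height[m] is not None:
                    reachable.add(m)
                    q.append(m)
        for n in self.adj:
            if n not in reachable:
                self.height[n] = None
        changed = True
        while changed:                           # full link reversal, one sweep at a time
            changed = False
            for n in self.adj:
                if n == self.dest or self.height[n] is None or self.next_hop(n) is not None:
                    continue
                # local maximum: rise above every neighbour so traffic flows back out of n
                self.height[n] = max(self.finite_neighbours(n).values()) + 1
                changed = True
```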

1.4.1.4 Ad Hoc On-Demand Distance Vector (AODV)

AODV [15] can be thought of as a combination of both DSR and DSDV. It borrows the basic on-demand mechanism of Route Discovery and Route Maintenance from DSR, plus the use of hop-by-hop routing, sequence numbers, and periodic beacons from DSDV.

AODV is an on-demand routing protocol, which initiates a route discovery process only when desired by a source node. When a source node S wants to send data packets to a destination node D but cannot find a route in its routing table, it broadcasts a Route Request (RREQ) message to its neighbors, including the last known sequence number for that destination. Its neighbors then rebroadcast the RREQ message to their neighbors if they do not have a fresh enough route to the destination node. (A fresh enough route is a valid route entry for the destination node whose associated sequence number is equal to or greater than that contained in the RREQ message.) This process continues until the RREQ message reaches the destination node or an intermediate node that has a fresh enough route.

Every node has its own sequence number and RREQ ID. AODV uses sequence numbers to guarantee that all routes are loop-free and contain the most recent routing information. The RREQ ID in conjunction with the source IP address uniquely identifies a particular RREQ message. The destination node or an intermediate node only accepts the first copy of a RREQ message, and drops duplicate copies of the same RREQ message.


Each node that forwards the ROUTE REQUEST creates a reverse route for itself back to node S; after accepting a RREQ message, the destination or intermediate node updates its reverse route to the source node using the neighbor from which it received the RREQ message. The reverse route will be used to send the corresponding Route Reply (RREP) message to the source node. When the ROUTE REQUEST reaches a node with a route to D, that node generates a ROUTE REPLY that contains the number of hops necessary to reach D and the sequence number for D most recently seen by the node generating the REPLY. Meanwhile, it updates the sequence number of the source node in its routing table to the maximum of the one in its routing table and the one in the RREQ message. When the source or an intermediate node receives a RREP message, it updates its forward route to the destination node using the neighbor from which it received the RREP message. It also updates the sequence number of the destination node in its routing table to the maximum of the one in its routing table and the one in the RREP message. A Route Reply Acknowledgement (RREP-ACK) message is used to acknowledge receipt of a RREP message. The state created in each node along the path from S to D is hop-by-hop state; that is, each node remembers only the next hop and not the entire route, as would be done in source routing.

In order to maintain routes, AODV normally requires that each node periodically transmit a HELLO message, with a default rate of once per second. Failure to receive three consecutive HELLO messages from a neighbor is taken as an indication that the link to the neighbor in question is down. Alternatively, the AODV specification briefly suggests that a node may use physical layer or link layer methods to detect link breakages to nodes that it considers neighbors. When a link goes down, any upstream node that has recently forwarded packets to a destination using that link is notified via an UNSOLICITED ROUTE REPLY containing an infinite metric for that destination. Upon receipt of such a ROUTE REPLY, a node must acquire a new route to the destination using Route Discovery as described above.

Route maintenance is done with Route Error (RERR) messages. If a node detects a link break in an active route, it sends out a RERR message to the upstream neighbors that use it as the next hop in the broken route. When a node receives a RERR message from its neighbor, it further forwards the RERR message to its own upstream neighbors.

AODV is a stateless protocol; the source node or an intermediate node updates its routing table if it receives a RREP message, regardless of whether it has sent or forwarded a corresponding RREQ message before. If it cannot find the next hop in the reverse routing table, it simply drops the RREP message. Otherwise, it unicasts the RREP message to the next hop in the reverse route.

In general, a node may update the sequence numbers in its routing table whenever it receives RREQ, RREP, RERR, or RREP-ACK messages from its neighbors.
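An added Python model of the RREQ/RREP exchange described in this section (not the thesis's code): duplicate RREQs are dropped by (originator, RREQ ID), reverse routes are built as the RREQ spreads, a node with a fresh enough route answers instead of rebroadcasting, and a later RREP carrying a higher destination sequence number replaces the route that an intermediate node's reply installed. The topology, the names, and the simplification that the destination always increments its sequence number before replying are assumptions of this example; HELLO and RERR maintenance is not modelled.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed topology (an assumption of this example, not from the thesis):
#   S - A - B - D,  S - C - D,  and E attached to A.
DEMO_LINKS = [("S", "A"), ("A", "B"), ("B", "D"), ("S", "C"), ("C", "D"), ("E", "A")]


@dataclass
class Route:
    next_hop: str
    hops: int
    seq: int                 # destination sequence number the entry was learned with


@dataclass
class Node:
    name: str
    seq: int = 0             # the node's own sequence number
    rreq_id: int = 0         # the node's own RREQ ID counter
    table: dict = field(default_factory=dict)   # dest -> Route
    seen: set = field(default_factory=set)      # (originator, RREQ ID) pairs already handled

    def fresh_enough(self, dest, wanted_seq):
        """A route entry whose sequence number is >= the one carried in the RREQ."""
        r = self.table.get(dest)
        return r is not None and r.seq >= wanted_seq

    def update_route(self, dest, next_hop, hops, seq):
        """Keep the newest route (higher seq); on equal seq keep the shorter one."""
        cur = self.table.get(dest)
        if cur is None or seq > cur.seq or (seq == cur.seq and hops < cur.hops):
            self.table[dest] = Route(next_hop, hops, seq)


class AodvNetwork:
    def __init__(self, links):
        self.nodes, self.adj = {}, {}
        for a, b in links:
            for n in (a, b):
                self.nodes.setdefault(n, Node(n))
                self.adj.setdefault(n, set())
            self.adj[a].add(b)
            self.adj[b].add(a)

    def route_discovery(self, src, dst):
        """Flood a RREQ from src (the caller has decided no usable route exists);
        returns the Route src holds for dst afterwards, or None."""
        s = self.nodes[src]
        s.rreq_id += 1
        s.seq += 1                                          # originator bumps its own seq
        wanted = s.table[dst].seq if dst in s.table else 0  # last known seq for dst
        key = (src, s.rreq_id)                              # identifies this RREQ network-wide
        s.seen.add(key)
        # Queue items are (receiver, sender, hop count); sorted() keeps the flood deterministic.
        q = deque((nb, src, 1) for nb in sorted(self.adj[src]))
        while q:
            name, sender, hops = q.popleft()
            n = self.nodes[name]
            if key in n.seen:
                continue                                    # duplicate copy: dropped
            n.seen.add(key)
            n.update_route(src, sender, hops, s.seq)        # reverse route toward the originator
            if name == dst:
                n.seq += 1      # simplification: the destination always answers with a fresher seq
                self.send_rrep(name, src, dst, 0, n.seq)
            elif n.fresh_enough(dst, wanted):
                r = n.table[dst]                            # intermediate node answers from its table
                self.send_rrep(name, src, dst, r.hops, r.seq)
            else:
                q.extend((nb, name, hops + 1) for nb in sorted(self.adj[name]) if nb != sender)
        return s.table.get(dst)

    def send_rrep(self, at, origin, dst, hops_to_dst, dst_seq):
        """Unicast the RREP hop by hop along the reverse route; each hop installs a
        forward route to dst. Returns False when a reverse route is missing (RREP dropped)."""
        cur, hops = at, hops_to_dst
        while cur != origin:
            rev = self.nodes[cur].table.get(origin)
            if rev is None:
                return False
            hops += 1
            self.nodes[rev.next_hop].update_route(dst, cur, hops, dst_seq)
            cur = rev.next_hop
        return True
```

In the constructed run, E's discovery first gets a 4-hop route from S's cached entry and then the destination's own RREP, whose higher sequence number wins even though it arrives later.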

1.5 Threats and Attacks

The many different threats and attacks [34] can be categorized by the area they target. The first is to consider the level of the attack, which can be perceptual, where human perception is targeted using the media as a bearer. This may be broadcasting false information or just observing social behavior in order to alter decision processes.


Secondly, attacks can target the information itself, where interception and eavesdropping come naturally to mind. Among the more active attacks of this kind is the injection of false messages into networks. Denial or degradation of network services is also a form of active attack at the information level. Application level attacks such as Trojan horses, viruses, and the like are included in this category as well.

Physical attacks are the third category. The passive variants of this category include radiation interception and inductive wiretapping. The more hands-on attacks include theft of equipment, cryptographic or physical keys, and different storage media. Other kinds of attacks are social engineering or, as drastically, destruction using explosives or other physical force [3].

1.5.1 Wireless Network Attacks

In contrast to network equipment in wired networks, where the devices are usually kept behind locked doors, Ad Hoc network equipment is usually carried around in the form of small battery-powered devices or placed inside mobile units like cars. This makes it even more attractive to attackers, since it is often easier to get to and also easier to carry away from the crime scene. Another point is that it can be quite hard to intercept wired media without getting noticed, both because the media itself might be hard to get to and because intercepting cables often requires cutting them for a while. In the wireless medium, it is as easy as putting up an antenna, usually small enough not to be noticed [11,6].

Also, since many users of Ad Hoc networks will be using them in public places, the threat of unintentionally revealing secrets is large. This can take the form of a conversation being held so that someone can overhear secret information, or of shoulder surfing, that is, someone reading the computer screen or keyboard from behind while passwords or the like are being entered. Human forgetfulness can also be of some help to the attacker. It is not uncommon for individuals to write down passwords and user details on post-it notes and at a later time throw them away in garbage cans. The retrieval of this kind of information can help attackers guess the correct passwords to system resources. This kind of attack has acquired the common name of dumpster diving [3].

1.5.2 Attacks on Ad Hoc Networks

In addition to often being wireless, the structure of an Ad Hoc network, or the lack thereof, leads to some special kinds of attacks, especially attacks on the connectedness of the network, which means attacks on the routing protocol. In this section some of these attacks will be addressed.

Routing Loop

By sending forged routing packets an attacker can create a routing loop [35,6,10]. This will result in data packets being sent around in circles, consuming both bandwidth and power for a number of nodes. The packets will not reach their intended recipient, and thus this can be considered a sort of denial-of-service attack.

Black Hole

The setup for the black hole attack [35,6,10] is similar to the routing loop attack, in that the attacker sends out forged routing packets. It can set up a route to some destination via itself, and when the actual data packets get there they are simply dropped, forming a black hole where data enters but never leaves.

Another possibility is for the attacker to forge routes pointing into an area where the destination node is not located. Everything will be routed into this area but nothing will leave, also creating a sort of black hole.

Grey Hole

A special case of the black hole attack is the grey hole attack [35,6,10]. In this attack the adversary selectively drops some kinds of packets but not others. For example, the attacker might forward routing packets but not data packets.
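An added, defender-side example (not from the thesis) of telling a grey hole from a black hole by the definitions above: it assumes a watchdog-style monitor that overhears whether each next hop re-transmits the packets handed to it, and it summarises the outcomes per next hop and packet kind. The log lines, node names, thresholds and function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed observation log (an assumption of this example): node A records, for
# every packet it handed to a next hop, whether it overheard that hop re-transmit it.
# B forwards control traffic but drops most data (grey hole pattern), C behaves
# normally with ordinary radio loss, X drops everything (black hole pattern).
OBSERVED_LOG = """\
t=1 node=A next_hop=B kind=ctrl pkt=rreq-7 outcome=forwarded
t=2 node=A next_hop=B kind=data pkt=d-1 outcome=dropped
t=3 node=A next_hop=B kind=data pkt=d-2 outcome=dropped
t=4 node=A next_hop=B kind=ctrl pkt=rrep-3 outcome=forwarded
t=5 node=A next_hop=B kind=data pkt=d-3 outcome=dropped
t=6 node=A next_hop=B kind=data pkt=d-4 outcome=forwarded
t=7 node=A next_hop=B kind=data pkt=d-5 outcome=dropped
t=8 node=A next_hop=C kind=data pkt=d-6 outcome=forwarded
t=9 node=A next_hop=C kind=ctrl pkt=rreq-8 outcome=forwarded
t=10 node=A next_hop=C kind=data pkt=d-7 outcome=dropped
t=11 node=A next_hop=C kind=data pkt=d-8 outcome=forwarded
t=12 node=A next_hop=C kind=data pkt=d-9 outcome=forwarded
t=13 node=A next_hop=X kind=ctrl pkt=rreq-9 outcome=dropped
t=14 node=A next_hop=X kind=data pkt=d-10 outcome=dropped
t=15 node=A next_hop=X kind=data pkt=d-11 outcome=dropped
t=16 node=A next_hop=X kind=ctrl pkt=rrep-4 outcome=dropped
t=17 node=A next_hop=X kind=data pkt=d-12 outcome=dropped
t=18 node=A next_hop=X kind=data pkt=d-13 outcome=dropped
garbage line that does not match the format
"""

LINE_RE = re.compile(
    r"t=(?P<t>\d+) node=(?P<node>\w+) next_hop=(?P<hop>\w+) kind=(?P<kind>ctrl|data) "
    r"pkt=(?P<pkt>[\w-]+) outcome=(?P<outcome>forwarded|dropped)"
)


def parse_log(text):
    """Parse observation lines; malformed lines are skipped rather than crashing the monitor."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def drop_ratios(events):
    """-> {next_hop: {kind: [dropped, total]}}"""
    stats = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for e in events:
        counter = stats[e["hop"]][e["kind"]]
        counter[1] += 1
        if e["outcome"] == "dropped":
            counter[0] += 1
    return stats


def classify(stats, drop_threshold=0.6, min_samples=4):
    """Black hole suspect: drops both routing and data traffic.
    Grey hole suspect: relays routing traffic but drops data (the selective case).
    Too few data samples give no verdict, because radio loss also looks like drops."""
    verdicts = {}
    for hop, kinds in stats.items():
        d_drop, d_tot = kinds["data"]
        c_drop, c_tot = kinds["ctrl"]
        if d_tot < min_samples:
            verdicts[hop] = "insufficient-data"
            continue
        data_bad = d_drop / d_tot >= drop_threshold
        ctrl_bad = c_tot > 0 and c_drop / c_tot >= drop_threshold
        if data_bad and ctrl_bad:
            verdicts[hop] = "black-hole-suspect"
        elif data_bad:
            verdicts[hop] = "grey-hole-suspect"
        else:
            verdicts[hop] = "ok"
    return verdicts


if __name__ == "__main__":
    print(classify(drop_ratios(parse_log(OBSERVED_LOG))))
```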

Partitioning

Another kind of attack is for the attacker to create a network partition, in which some nodes are split off so that they are unable to communicate with another set of nodes. By analysing the network topology, the attacker can choose to partition the network between the sets of nodes where this does the most harm to the system.

This attack can be accomplished in many ways: by forging routing packets, as in the previous attacks, but also using some physical attack such as radio jamming.

Blackmail

Some Ad Hoc routing protocols try to handle the security problems by keeping lists of possibly malicious nodes. Each node has a blacklist of what it thinks are bad nodes and thereby avoids using them when setting up routing paths. An attacker might try to blackmail a good node, causing other good nodes to add this node to their blacklists and so avoid it.

Wormhole

In the wormhole attack an attacker uses a pair of nodes connected in some way. It can be a special private connection, or the packets can be tunnelled over the Ad Hoc network. Every packet that one of the nodes sees is forwarded to the other node, which in turn broadcasts it. This might create short circuits for the actual routing in the Ad Hoc network and thereby create routing problems.

Also, all the data can be selectively forwarded or not using this attack, thereby controlling the Ad Hoc network to a large extent. This kind of attack together with a partitioning attack can gain almost complete control over the network traffic.

Rushing Attack

Many reactive routing protocols keep a sequence number for duplicate suppression at every node. An attacker can distribute a large number of route requests with increasing sequence numbers, forged to appear to be from other nodes. This way, when the actual route request is sent out, many nodes suppress it as a duplicate, thereby disrupting the actual route discovery.

    Resource Consumption

    By injecting extra data packets into the Ad Hoc network, limited resources such as bandwidth and possibly battery power are consumed for no reason. Even more resources might be consumed by injecting extra control packets, since these might lead to additional computation. Also, the other nodes might forward control information as it comes in, resulting in even more resource consumption [4].

    For devices that try to conserve battery power by only occasionally enabling their communication device, a malicious attacker might communicate in an ordinary way but with the sole intent of draining battery power. Stajano and Anderson call this resource consumption attack sleep deprivation torture [5].

    Dropping Routing Traffic

    It is essential in the Ad Hoc network that all nodes participate in the routing process.

    However, a node may act selfishly and process only routing information that is related to itself in order to conserve energy. This behaviour/attack can create network instability or

    even segment the network.

    Location disclosure

    A location disclosure attack can reveal information related to the location of a node or the

    topology and structure of the network. The information gained might reveal which other

    nodes are adjacent to the target or the physical location of a participating node. The attack

    can be implemented by using a command similar to traceroute, which exists in Unix-like systems, or by using the time-to-live attribute of routing packets so that the devices along the path reveal their addresses by sending ICMP error messages. In the end, the attacker knows which

    nodes are situated on the route to the target node. If the locations of some of the

    intermediary nodes are known, one can gain information about the location of the

    destination node as well.


    routing packets, causing erroneous routing table updates and thus misrouting. Some other

    security vulnerabilities of ad-hoc networks are:

    Limited computational capabilities: Typically, nodes in ad-hoc networks are modular,

    independent, and limited in computational capability and therefore may become a source of

    vulnerability when they handle public-key cryptography during normal operation.

    Limited power supply: Since nodes normally use batteries as their power supply, an intruder can exhaust the batteries by creating additional transmissions or excessive computations to be carried out by the nodes.

    Challenging key management: Dynamic topology and movement of nodes in an Ad Hoc network make key management difficult if cryptography is used in the routing protocol.

    1.8 Securing the MANETs

    The provision of security services in the MANETs context faces a set of challenges specific

    to this new technology. The insecurity of the wireless links, energy constraints, relatively

    poor physical protection of nodes in a hostile environment, and the vulnerability of

    statically configured security schemes are definitely such challenges. However, the single

    most important feature that differentiates MANETs is the absence of a fixed infrastructure.

    No part of the network is dedicated to support individually any specific network

    functionality, with routing (topology discovery, data forwarding) being the most prominent

    example. Additional examples of functions that cannot rely on a central service, and which

    are also of high relevance to this work, are naming services, certification authorities (CA),

    directory and other administrative services.


    Even if such services were assumed, their availability would not be guaranteed, either due

    to the dynamically changing topology that could easily result in a partitioned network or

    due to congested links close to the node acting as a server. Furthermore, performance

    issues such as delay constraints on acquiring responses from the assumed infrastructure

    would pose an additional challenge.

    The absence of infrastructure and the consequent absence of authorization facilities impede

    the usual practice of establishing a line of defense, separating nodes into trusted and non-

    trusted. Such a distinction would have been based on a security policy, the possession of

    the necessary credentials and the ability for nodes to validate them. In the MANETs

    context, there may be no ground for an a priori classification since all nodes are required

    to cooperate in supporting the network operation, while no prior security association can be

    assumed for all the network nodes. Additionally, in MANETs freely roaming nodes form

    transient associations with their neighbors, join and leave MANETs sub-domains

    independently and without notice. Thus it may be difficult in most cases to have a clear

    picture of the Ad Hoc network membership. Consequently, especially in the case of a

    large-size network, no form of established trust relationships among the majority of nodes

    could be assumed.

    In such an environment, there is no guarantee that a path between two nodes would be free

    of malicious nodes, which would not comply with the employed protocol and attempt to

    harm the network operation. The mechanisms currently incorporated in MANETs routing

    protocols cannot cope with disruptions due to malicious behavior. For example, any node could claim that it is one hop away from the sought destination, causing all routes to the


    disrupt network activity and avoid detection. Malicious nodes may behave maliciously only

    intermittently, further complicating their detection. A node that sends out false routing

    information could be the one that has been compromised, or merely one that has a

    temporarily stale routing table due to volatile physical conditions. Dynamic topologies

    make it difficult to obtain a global view of the network and any approximation can become

    quickly outdated. Traffic monitoring in wired networks is usually performed at switches,

    routers and gateways, but an Ad Hoc network does not have these types of network

    elements where the IDS can collect audit data for the entire network. Network traffic can

    be monitored on a wired network segment, but Ad Hoc nodes or sensors can only monitor network traffic within their observable radio transmission range. NIST is working with the

    University of Maryland Baltimore County (UMBC) to simulate, implement, and test

    various MANETs IDS.

    1.10 Motivation of Research

    Mobile Ad Hoc networks (MANETs) are vulnerable due to their fundamental characteristics, such as open medium, dynamic topology, distributed operation and constrained capability. AODV is an important on-demand routing protocol. Security is a central requirement for mobile Ad Hoc networks. The impact that security and robustness will have on the design of the standard for Ad Hoc networks is the main motivation for this thesis.

    1.11 Problem Statement

    An Intrusion Detection System aimed at securing the AODV protocol has been studied by Stamouli et al. [10] using a specification based technique. They conclude that AODV performs well at all mobility rates and movement speeds. However, we argue that their definition of mobility (pause time) does not truly represent the dynamic topology of MANETs. In this thesis, the work of Stamouli et al. [10] has been extended, and the proposed protocol is called IDAODV (Intrusion Detection AODV).

    In our work, we make use of knowledge-based intrusion detection. Our Intrusion Detection and Response Protocol for MANETs has been demonstrated to perform better than that proposed in [10] in terms of false positives and percentage of packets delivered. Since the earlier work by Stamouli et al. [10] does not report the true positive rate, i.e. the detection rate, we could not compare our results against their method on that parameter.

    The implementation of the IDAODV protocol reported in this thesis has been shown to work in

    real life scenarios. IDAODV performs real time detection of attacks in MANETs running

    AODV routing protocol. The prototype has also given some insight into the problems that

    arise when trying to run real applications on an Ad Hoc network.

    Experimental results validate the ability of our protocol to successfully detect both local

    and distributed attacks against the AODV routing protocol, with a low number of false

    positives. The algorithm also imposes a very small overhead on the nodes, which is an

    important factor for the resource constrained nodes.

    1.12 Organization of the Thesis

    Chapter 1 provides an overview of Mobile Ad Hoc Networks (MANETs), the application

    push and the technology pull, and the different technological issues involved in the design

    of MANETs, and also discusses some popular routing protocols with their security models.


    Motivation and problem statement are defined in this chapter. Chapter 2 discusses the specific problem of Intrusion Detection in MANETs and reviews the methods proposed in the literature.

    We make two contributions in this thesis. The first is detection of intrusion in the form of attacks on the routing infrastructure: dropping of packets and sequence number attacks. This is described and analyzed in Chapter 3. The second type of attack is the resource depletion attack, which is described and analyzed in Chapter 4. Conclusions are drawn in Chapter 5 along with discussions of possible future extensions.

    Appendix A contains the terminology, Appendix B contains the AODV implementation for NS-2 and Appendix C contains pseudo code.

    1.13 Chapter Summary

    Wireless Ad Hoc networks are becoming an increasingly common platform for bringing computation to environments with minimal infrastructure. With an increasing number of office, home and personal devices being equipped with computation and wireless communication capabilities, the formation of networks on an as-required basis offers attractive application domains.

    The very advantage of Ad Hoc networks, the elimination of fixed/rigid infrastructure, introduces complexities in routing and also raises serious concerns about security issues in MANETs. However, the flexibility offered by MANETs promises that these networks are here to stay. The security of such networks has become an important topic of research and this has formed the basis of the work reported in this thesis.


    2 Intrusion Detection in MANETs

    The success of MANETs-based applications depends on many factors, trustworthiness

    being one of the primary challenges to be met. Despite the existence of well-known

    security mechanisms, additional vulnerabilities and features pertinent to this new

    networking paradigm might render such traditional solutions inapplicable. The absence of a

    central authorization facility in an open and distributed communication environment is a

    major challenge, especially due to the need for cooperative network operation. In

    particular, in MANETs, any node may compromise the routing protocol functionality by

    disrupting the route discovery process.

    Wireless Ad Hoc networks are vulnerable to various attacks. These include passive

    eavesdropping, active interfering, impersonation, and denial-of-service. Intrusion

    prevention measures, such as strong authentication and redundant transmission, can be used

    to address some of these attacks. However, these techniques can address only a subset of

    the threats, and, moreover, are costly to implement.

    The dynamic nature of Ad Hoc networks suggests that prevention techniques should be

    complemented by detection techniques that monitor the security status of the network and

    identify anomalous and/or malicious behavior. These techniques are usually less expensive

    to implement and can be easily deployed in existing Ad Hoc networks without requiring

    modifications to the nodes' configuration or the routing protocols being used.


    2.1 Intrusion Detection

    Intrusion is defined as a sequence of related actions performed by a malicious adversary

    that results in the compromise of a target system. It is assumed that the actions of the

    intruder violate a given security policy. The existence of a security policy that states which

    actions are considered malicious and should be prevented is a key requisite for an intrusion

    detection system to work.

    Intrusion detection is the process of identifying and responding to malicious activities

    targeted at computing and network resources. This identification introduces the notion of

    intrusion detection as a process, which involves technology, people and tools. Intrusion

    detection is an approach that is complementary with respect to mainstream approaches to

    security such as access control and cryptography.

    2.2 Motivation

    Adoption of an intrusion detection system is motivated by several factors, some of which are

    listed below:

    1. Surveys have shown that most computers are flawed by vulnerabilities, regardless

    of manufacturer or purpose, that the number of security incidents is continuously

    increasing, and that users and administrators are generally very slow in applying

    fixes to vulnerable systems. As a consequence, many experts believe that computer

    systems will never be absolutely secure.

    2. Deployed security mechanisms, e.g. authentication and access control, may be disabled as a consequence of misconfiguration or malicious actions.


    from different sources at a small number of dedicated hosts. As networks grow bigger and get faster, such nodes become overwhelmed by the increasing number of events.

    2.3 Approaches to Intrusion Detection

    Intrusion detection techniques [16, 17] have traditionally been classified into two paradigms, namely anomaly detection, also known as behavior-based intrusion detection, and misuse detection, also called knowledge-based intrusion detection.

    In anomaly or behavior-based detection techniques, historical data about a system's activity

    and specifications of the intended behavior of users and applications are used to build a

    profile of the normal operation of the system. The detection process then attempts to

    identify patterns of activity that deviate from the defined profile; anything that does not

    correspond to a previously learned behavior is considered anomalous and suggests an

    intrusion attempt.

    Misuse or knowledge-based detection techniques take a complementary approach. Misuse

    detection tools are equipped with a number of attack descriptions (or signatures) that are

    matched against the stream of audit data to identify evidence of the occurrence of the

    modeled attacks. These IDS accumulate knowledge about attacks, examine traffic and try to identify patterns indicating that a suspicious activity may be occurring.

    Misuse and anomaly detection both have advantages and disadvantages. Misuse detection

    can perform focused analysis of the audit data and usually produces very few false

    positives. However, it can detect only those attacks that have been modeled and possibly


    variations on those attacks. This means that this approach can be applied against known

    attack patterns only, and the knowledge-base must be updated frequently.

    Anomaly detection has the advantage of being able to detect attempts to exploit new and

    unforeseen vulnerabilities without a priori knowledge of explicit security flaws. This

    advantage is paid for in terms of the large number of false positives generated; the entire

    scope of system behavior may not be covered during the learning phase and also legitimate

    behavior may change over time. It also comes with the difficulty of training a system with

    respect to a highly dynamic environment; obviously a finite training period is also needed.

    The assumption that the system in question is free of anomaly during the training period

    also may not always be true.

    2.4 Intrusion Detection for MANETs

    As discussed earlier, Mobile Ad Hoc Networks are fundamentally different from their

    wired-side counterparts or even the infrastructure-based networks. The nature of MANETs

    not only introduces new security concerns but also exacerbates the problem of detecting

    and preventing anomalous behavior. While in a wired network or in an infrastructure-based

    wireless network, an intruder could be a host that is either inside or outside the network and

    could be subjected to varying degrees of access control and authentication, in a MANET an intruder is a part of the network infrastructure. Moreover, at the outset, an intruder in a MANET could be a trusted and integral component of the network infrastructure and only

    later exhibit aberrant behavior.


    2.5 IDS Techniques for MANETs proposed in the literature

    Intrusion Detection that addresses secure routing, arguably the most important issue in MANETs, has interested many researchers. Numerous techniques for ID have been

    proposed in the literature, in both the categories of anomaly detection and misuse detection.

    In this section we discuss some of these techniques.

    2.5.1 Watchdog and Pathrater

    Watchdog [18] was the first snooping intrusion detection protocol for MANETs. Watchdog relies upon DSR. Each node participates by watching its downstream node on the route from source to destination to ensure that it has retransmitted the packet without modification. The authors hold that if source routing is not used then a misbehaving node could simply broadcast to a non-existent node to fool the watchdog. To mitigate the effects of a misbehaving node, the authors also introduce Pathrater, which selects a path from source to destination based on a reliability metric instead of the shortest path. This approach relieves the malicious node from the requirement of participating in the routing process, which may be construed as a reward.
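    The following Python sketch is an added illustration of the Watchdog/Pathrater idea just described; it is example code written for this page, not the authors' implementation. A node buffers every packet it hands to its next hop, matches overheard retransmissions against that buffer, tallies timeouts and tampered retransmissions against the neighbour, and the path selection then prefers the route whose intermediate nodes are rated best rather than the shortest one; the timeout, threshold and rating values are assumptions.

```python
from collections import defaultdict


class Watchdog:
    """Each node buffers the packets it forwards and listens for its next hop
    retransmitting them unmodified. Timeout and threshold are assumed values."""

    def __init__(self, timeout=1.0, threshold=3):
        self.timeout = timeout
        self.threshold = threshold
        self.pending = defaultdict(dict)   # next_hop -> {pkt_id: (payload, time_sent)}
        self.failures = defaultdict(int)   # next_hop -> failure tally
        self.flagged = set()               # next hops reported as misbehaving

    def forwarded(self, next_hop, pkt_id, payload, now):
        """Record that we handed packet `pkt_id` to `next_hop` at time `now`."""
        self.pending[next_hop][pkt_id] = (payload, now)

    def overheard(self, sender, pkt_id, payload):
        """We overheard `sender` transmit `pkt_id`; compare with what we gave it."""
        entry = self.pending[sender].pop(pkt_id, None)
        if entry is None:
            return "unexpected"          # not a packet we were waiting on
        expected, _ = entry
        if payload != expected:
            self._fail(sender)           # forwarded, but tampered with
            return "modified"
        return "ok"

    def expire(self, now):
        """Packets not overheard within `timeout` count as dropped by the next hop."""
        for hop, pkts in self.pending.items():
            for pkt_id, (_, sent) in list(pkts.items()):
                if now - sent > self.timeout:
                    del pkts[pkt_id]
                    self._fail(hop)
        return set(self.flagged)

    def _fail(self, hop):
        self.failures[hop] += 1
        if self.failures[hop] >= self.threshold:
            self.flagged.add(hop)


class Pathrater:
    """Pick the source route whose intermediate nodes have the best average
    rating instead of the shortest one. Rating values are assumptions."""

    def __init__(self, watchdog, default_rating=0.5, misbehaving_rating=-100.0):
        self.watchdog = watchdog
        self.default_rating = default_rating
        self.misbehaving_rating = misbehaving_rating
        self.ratings = {}

    def rate(self, node):
        if node in self.watchdog.flagged:
            return self.misbehaving_rating
        return self.ratings.get(node, self.default_rating)

    def path_score(self, path):
        inner = path[1:-1]               # source and destination are not rated
        if not inner:
            return self.default_rating   # direct link
        return sum(self.rate(n) for n in inner) / len(inner)

    def choose(self, paths):
        return max(paths, key=self.path_score)


def demo():
    """Constructed scenario: next hop N1 tampers with one packet and drops two."""
    wd = Watchdog(timeout=1.0, threshold=3)
    wd.forwarded("N1", 1, b"hello", now=0.0)
    wd.forwarded("N1", 2, b"world", now=0.0)
    wd.forwarded("N1", 3, b"foo", now=0.0)
    wd.forwarded("N1", 4, b"bar", now=0.0)
    results = [wd.overheard("N1", 1, b"hello"),   # retransmitted faithfully
               wd.overheard("N1", 2, b"WORLD")]   # retransmitted modified
    flagged = wd.expire(now=2.0)                  # packets 3 and 4 never seen
    pr = Pathrater(wd)
    chosen = pr.choose([["S", "N1", "D"], ["S", "N2", "N3", "D"]])
    return results, flagged, chosen


if __name__ == "__main__":
    print(demo())
```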

    2.5.2 Security Enhancements in AODV

    Bhargava et al. [19] propose a solution to attacks that are caused by a node internal to the Ad Hoc network where the underlying routing protocol is AODV. The intrusion detection system is composed of the Intrusion Detection Model (IDM) and the Intrusion Response Model (IRM). The Intrusion Detection Model claims to capture the following attacks:


    o Distributed False Route Requests

    o Denial of Service

    o Destination is compromised

    o Impersonation

    o Routing Information Disclosure

    The Intrusion Response Model is a counter that is incremented whenever a malicious act is

    encountered. When the value reaches a predefined threshold, the malicious node is isolated.

    The authors have provided statistics for the accuracy of the model.

    2.5.3 Intrusion Detection in Wireless Ad Hoc Networks

    In this scheme, Zhang et al. [20] propose an intrusion detection technique for wireless Ad Hoc networks that uses cooperative statistical anomaly detection techniques. Each intrusion detection agent runs independently and detects intrusions from local traces. Only one-hop information is maintained at each node for each route. If local evidence is inconclusive, the neighboring IDS agents cooperate to perform global intrusion detection. The authors utilize a misuse detection technique to reduce the number of false positives.

    This method leverages information about the physical location of the nodes. Therefore, the

    nodes need to have an IDS running and a built-in GPS device.

    The approach to intrusion detection presented by the authors does not require each node to

    possess location detection capabilities. However, dependence on location information may

    not always be desirable for all the applications.


    2.5.4 Real-time Intrusion Detection for Ad hoc Networks (RIDAN)

    The RIDAN system [10] is a novel architecture that uses knowledge-based intrusion detection techniques to detect active attacks that an adversary can perform against the routing fabric of mobile Ad Hoc networks. Moreover, the system is designed to take countermeasures to minimize the effectiveness of an attack and keep the performance of the network within acceptable limits.

    The novelty of the system lies in the usage of timed finite state machines that enable the real-time detection of active attacks; the detection process relies on a state-based misuse detection system. In this case, every node needs to run the IDS agent.

    It is not clear in this system how an attack that requires more than one-hop information is detected.

    2.5.5 A Specification-based Intrusion Detection System for AODV

    The work in [21] proposes a solution based on specification-based intrusion detection to detect attacks

    on AODV. The approach involves the use of finite state machines for specifying correct

    AODV routing behavior and distributed network monitors for detecting run-time violation

    of the specifications. An additional field in the protocol message is proposed to enable the

    monitoring.

    2.5.6 Secure Efficient Ad hoc Distance Vector (SEAD)

    SEAD [22] is a proactive routing protocol based on the design of DSDV. The work focuses

    on protecting routing updates, both periodic and triggered, by preventing an attacker from forging better metrics or sequence numbers in such update packets.


    Besides the fields common with DSDV such as destination, metric, next hop and sequence number, SEAD routing tables maintain a hash value for each entry. The use of one-way hash chains built from a one-way hash function H is the key feature of the proposed security protocol.

    Each node computes a list of hash values h_0, h_1, ..., h_n, where h_i = H(h_{i-1}), 0 < i ≤ n, based on an initial random value h_0. The paper assumes the existence of a mechanism for distributing h_n to all the intended receivers. If a node knows H and a trusted value h_n, then it can authenticate any other value h_i, 0 < i ≤ n, by successively applying the hash function H and then comparing the result with h_n.

    To authenticate a route update, a node adds a hash value to each routing table entry. For a metric j and a sequence number i, the hash value h_{n-mi+j} is used to authenticate the routing update entry for that sequence number, where m-1 is the maximum network diameter. Since an attacker cannot compute a hash value with a smaller index than the advertised value, he is not able to advertise a route to the same destination with a greater sequence number or with a better metric.

    SEAD provides a robust protocol against attackers trying to create incorrect routing state in other nodes by modifying the sequence number or the routing metric. SEAD does not provide a way to prevent an attacker from tampering with the next hop or destination field in a routing update. Also, it cannot prevent an attacker from using the same metric and sequence number learnt from some recent update message for sending a new routing update to a different destination.
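    The hash-chain authentication described above, worked through in Python as an added example (not the SEAD authors' code): a receiver that holds the trusted anchor h_n verifies an advertised value for sequence number i and metric j by hashing it forward n - (n - mi + j) times, so a value re-labelled with a better metric or a higher sequence number cannot reach the anchor. SHA-256 as H, the chain length n = 32, m = 4 and the seed are assumed values.

```python
import hashlib


def H(x: bytes) -> bytes:
    """The one-way hash function H; SHA-256 is an assumed choice, SEAD does not fix one."""
    return hashlib.sha256(x).digest()


def make_chain(h0: bytes, n: int) -> list:
    """Return [h0, h1, ..., hn] with h_i = H(h_{i-1}); chain[n] is the anchor hn."""
    chain = [h0]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


def chain_index(n: int, m: int, seq: int, metric: int) -> int:
    """Index n - m*i + j of the chain element for sequence number i and metric j.
    m-1 is the maximum network diameter, so 0 <= j <= m-1."""
    if not 0 <= metric <= m - 1:
        raise ValueError("metric exceeds maximum network diameter")
    k = n - m * seq + metric
    if not 0 <= k <= n:
        raise ValueError("sequence number not covered by this chain")
    return k


def authenticate(value: bytes, n: int, m: int, seq: int, metric: int, anchor: bytes) -> bool:
    """Apply H (n - k) times to the advertised value; genuine iff we reach the trusted hn."""
    k = chain_index(n, m, seq, metric)
    v = value
    for _ in range(n - k):
        v = H(v)
    return v == anchor


def forward_update(value: bytes) -> bytes:
    """A node re-advertising the route one hop farther (metric j -> j+1) hashes once."""
    return H(value)


def demo():
    """Constructed values: chain of n=32 elements, m=4 (maximum diameter 3)."""
    n, m = 32, 4
    chain = make_chain(b"constructed seed, would be random in practice", n)
    hn = chain[n]                                   # distributed to all receivers out of band

    # The destination originates an update with sequence number 2, metric 0.
    adv0 = chain[chain_index(n, m, 2, 0)]
    # A neighbour forwards it with metric 1 by hashing once.
    adv1 = forward_update(adv0)

    return {
        "origin_ok": authenticate(adv0, n, m, 2, 0, hn),
        "forwarded_ok": authenticate(adv1, n, m, 2, 1, hn),
        # A worse metric is always computable, so it verifies (and is harmless).
        "worse_metric_ok": authenticate(H(adv1), n, m, 2, 2, hn),
        # Re-labelling adv1 as metric 0 (a shorter route) would need the preimage h_{k-1}.
        "better_metric_rejected": not authenticate(adv1, n, m, 2, 0, hn),
        # Re-labelling adv1 as sequence number 3 would need an element m positions earlier.
        "higher_seq_rejected": not authenticate(adv1, n, m, 3, 1, hn),
    }


if __name__ == "__main__":
    print(demo())
```

    Note that, as the text says, nothing here binds the value to the destination or next-hop fields, so those fields still need separate protection.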


    In the literature survey, we discussed different types of approaches to Intrusion Detection in MANETs. Each of the approaches works best for a given type of attack, for a particular scenario. Most of the proposals work well for Intrusion Detection one hop away. There are not many distributed solutions addressing Intrusion Detection deeper in the network.

    In the next chapter, we discuss our approach to the problem of intrusion detection in

    MANETs with respect to sequence number modification attack and packet dropping attack.


    3 Intrusion Detection AODV (IDAODV)

    In this chapter we propose and discuss IDAODV, an Intrusion Detection mechanism for

    Wireless Mobile Ad Hoc Networks.

    IDAODV is based on State Transition Analysis Technique, which was initially developed

    to model host-based and network-based intrusions in a wired network environment.

    Of all the routing protocols proposed for MANETs, AODV has been very popular and has become an Internet standard. This has also been the reason for AODV becoming more and more vulnerable to attacks. The AODV routing protocol was described in Chapter 2. Our

    IDS has been designed on top of this protocol.

    3.1 Problem Statement/ AODV Routing Attacks

    AODV presents many opportunities to attackers. We first identify a number of misuse

    goals that an inside attacker may want to achieve [32]. The misuse goals can be one or

    more of the following:

    o Route Disruption: Route Disruption means either breaking down an existing route or preventing a new route from being established.

    o Route Invasion: Route invasion means that an inside attacker adds itself into a route between two endpoints of a communication channel.

    o Node Isolation: Node isolation refers to preventing a given node from communicating with any other node in the network. It differs from Route Disruption in that Route


    Disruption is targeting at a route with two given endpoints, while node isolation is

    aiming at all possible routes.

    o Resource Consumption: Resource consumption refers to consuming the

    communication bandwidth in the network or storage space at individual nodes. For

    example, an inside attacker may consume the network bandwidth by either forming a

    loop in the network.

    o Denial of Service

    To achieve these goals, the following misuse actions or attacks may be performed:

    3.1.1 Packet Dropping Attack

    In a packet dropping attack, the attacker simply drops the received routing message. Packet

    dropping is detected by checking whether a neighbor forwards packets towards the final

    destination. To be able to do this, it is necessary to maintain a neighbor table.

    This attack can be divided into various subcategories as follows:

    If an attacker applies such attacks to all the RREQ messages it receives, this kind of misuse is equivalent to not having the attacking node in the network. An inside attacker may also selectively drop RREQ messages. Attackers that launch such misuses are in nature similar to selfish nodes.

    If the attacker applies this attack to RREP messages, it can in some cases lead to route disruption.


    The attack can also be applied to data packets, where an inside attacker prevents a victim

    node from receiving data packets from other nodes for a short period of time. The attacker

    may make the following modifications after it receives a RREQ message from the victim

    node: (1) Increase the RREQ ID by a small number; (2) Replace the destination IP address

    with a non-existent IP address; (3) Increase the source sequence number by at least one; (4)

    Set the source IP address in IP header to a non-existent IP address. The attacker then

    broadcasts the forged message. When the neighbors of the attacker receive the faked RREQ

    message, they update the next hop to the source node to the non-existent node, since the

    faked RREQ message will have a greater source sequence number. Due to the non-existent

    destination IP address, the faked message can be broadcast to the farthest nodes in the ad-

    hoc network. When other nodes want to send data packets to the source node, they will use

    the routes established by the faked RREQ message, and the data packets will be dropped

    due to the non-existent node. This attack, however, cannot fully isolate the victim node due

    to local repair mechanisms in the AODV protocol. The other nodes will initiate another

    round of route discovery if they note that the data packets cannot be delivered successfully.

    [Figure 3.1: Concept of Sequence Number Attack (nodes A, B, C, D and malicious node M; RREQ broadcast, steps 1, 2, 5, 6)]

    In addition, the victim node may still be able to send data packets to other nodes.

    Several of the atomic misuses of RREQ messages use RREQ messages to add entries to the routing tables of other nodes. These entries are different from those established through

    normal exchange of RREQ and RREP messages. In particular, the lifetime of these entries

    is set to a default value (e.g., 3 seconds as in our experiments). Thus, to make such entries

    effective, an attacker needs to launch the atomic misuses periodically.

    3.1.2 Sequence Number Attack

    The sequence number indicates the freshness of the route to the associated node. If an attacker sends out an AODV control packet with a forged large sequence number for the victim node, it will change the route to that victim node. The sequence number can be increased to

    update other nodes' reverse route tables, or decreased to suppress its update. This can apply

    to the Source Sequence Number or the Destination Sequence Number.

    RREQ ID along with the source IP address uniquely identifies a RREQ message; they

    indicate the freshness of a RREQ message. Since a node only accepts the first copy of a

    RREQ message, an increased RREQ ID along with the source IP address can guarantee that

    the faked RREQ message is accepted by other nodes.

    The concept of the sequence number attack is highlighted in Figure 3.1.

    3.1.3 Field Modification Attack

    Although sequence number attack is a subclass of this attack, we list it separately to

    highlight its importance and its impact on proper routing.


    The attacker can modify other fields in a RREQ or RREP message. Some of these are:

    RREQ Message Field Modifications

    Field                    Modification
    -----                    ------------
    Type                     Change the message type
    RREQ ID                  Increase to make the faked RREQ message acceptable, or decrease to make the RREQ message unacceptable.
    Hop Count                Decrease to update other nodes' reverse routing tables, or increase to invalidate the update.
    Destination IP Address   Replace with another IP address
    Source IP Address        Replace with another IP address to change the reverse route

    Several fields have immediate security implications when modified.

    To ensure loop freedom in AODV, after receiving a RREQ message a node updates its
    reverse routing table only if the source sequence number field in the RREQ message is
    greater than that in its routing table, or the source sequence numbers are equal but the
    hop count field in the RREQ message is smaller than that in the routing table. An inside
    attacker may change these fields to affect other nodes' routing tables.

    An intermediate node or a source node updates its forward routing table if the destination
    sequence number in the RREP message is greater than the one in its routing table, or the
    destination sequence numbers are the same but the hop count in the RREP message plus
    one is smaller than the one in its routing table. An inside attacker may increase the
    sequence numbers or decrease the hop count in a faked RREQ message to update other
    nodes' routing tables, or decrease the sequence numbers or increase the hop count to
    invalidate a RREQ message.

    The attacker can also forge an RREP message, as if it had a fresh enough route to the

    destination node. By increasing the destination sequence number, the attacker may suppress

    the legitimate RREP message.

    3.1.4 Field Addition Attack

    An inside attacker may forge a RREQ message without receiving an RREQ message. The

    attacker may need to collect some necessary information to forge RREQ messages (e.g., by

    listening to the traffic). Theoretically, the attacker may forge any field in a RREQ message

    and cause disruption.

    3.2 Outline of Intrusion Detection for AODV

    Our method is based on the work presented in [10]. Like RIDAN, our method uses Finite
    State Machines to enable the real-time detection of active attacks. However, RIDAN does
    not offer a distributed architecture to detect attacks that require more than one-hop
    information.

    IDAODV can be characterized as an architecture model for intrusion detection in wireless
    Ad Hoc networks. We call it an architecture model because it makes no change to the
    underlying routing protocol but merely intercepts routing and application traffic.


    IDAODV has been implemented on top of AODV, which is specified in RFC 3561 (an
    Experimental RFC rather than a full Internet standard). The attacks that IDAODV is
    designed to detect are specific to the AODV protocol, but the detection process and the
    overall architecture can be extended to other protocols such as DSR.

    The system follows a knowledge-based technique to detect network intrusions. Its use of
    Finite State Machines (FSMs) enables it to detect malicious activity in real time rather
    than by statistical analysis of previously captured traffic.

    A finite state machine can be defined as an abstract machine consisting of a set of states

    (including the initial state), a set of input events, a set of output events, and a state

    transition function [25]. The function takes the current state and an input event and returns

    the new set of output events and the next state. The state machine can also be viewed as a

    function, which maps an ordered sequence of input events into a corresponding sequence of

    output events.

    The intrusion detection component operates locally in every participating node and thus its

    performance depends on the network traffic. Based on the number of packets received in

    any time unit, more than one FSM that are part of the intrusion detection component may

    be triggered.

    The FSM was constructed after studying the internal operations of the AODV routing

    protocol. In order to recognize the traffic patterns occurring when a malicious attack is

    performed against the routing fabric, the traffic for the protocol was analyzed in both its

    static and mobile conditions.


    Figure 3.2 depicts the top-level architecture of IDAODV.

    3.3 Assumptions

    We make the following assumptions. They are realistic and can be realized in MANETs.

    o Every link between the participating nodes is bidirectional.
    o The MAC addresses of the participating nodes remain unchanged.
    o Duplicate MAC addresses are not present.
    o Network monitors are able to cover all nodes. Monitors passively listen to the
      routing messages and are discussed subsequently.
    o Nodes can listen to transmissions from immediate neighbors.
    o All the participating nodes other than the malicious nodes have the intrusion
      detection component activated.


    3.4 Details of IDAODV

    We now describe the details of the design and implementation of the proposed IDAODV.

    IDAODV detects attacks against the AODV routing protocol in Wireless Mobile Ad Hoc

    Networks. The components of IDAODV are discussed in the following sections.

    Figure 3.2: Architecture of IDAODV

    3.4.1 Network Monitor

    The nature of Ad Hoc networks prevents any single IDS node from observing all messages
    in a request-reply flow. Therefore, tracing of RREQ and RREP messages in a request-reply
    flow has to be performed by distributed network monitors (NM).

    (Figure 3.2 elements: Intruder; nodes A, B, S; Public Network; Active Monitor; IDS;
    Attack Knowledge Base)


    Figure 3.3 depicts the architecture of a network monitor. Network monitors passively listen
    to AODV routing messages and detect incorrect RREQ and RREP messages. Messages are
    grouped by the request-reply flow to which they belong. A request-reply flow is uniquely
    identified by the RREQ ID together with the source and destination IP addresses.

    Figure 3.3: Network Monitor

    3.4.2 Finite State Machine

    The specification-based approach provides a model to analyze attacks based on protocol
    specifications.

    (Figure 3.3 elements: Network Monitor containing a Forwarding Table, a Session Tree and
    FSM Constraints; Sniff New Packet; Exchange Data with Other NM if needed; Updates;
    Detect Anomaly; Packets)


    A network monitor employs a finite state machine (FSM) [26] for detecting incorrect
    RREQ and RREP messages [21, 27, 28, 29]. It maintains an FSM for each branch of a
    request-reply flow. A request flow starts in the Source state. It transits to the RREQ
    Forwarding state when a source node broadcasts the first RREQ message (with a new
    RREQ ID). While forwarded broadcast copies of the RREQ are detected, it stays in the
    RREQ Forwarding state until a corresponding RREP is detected. When a unicast RREP is
    detected, it goes to the RREP Forwarding state and stays there until the RREP reaches the
    source node and the route is set up. If any suspicious activity or an anomaly is detected,
    it goes to the Suspicious or Alarm state.

    When an NM compares a new packet with the corresponding earlier packet, the primary goal
    of the constraints is to make sure that the AODV header of the forwarded control packet
    has not been modified in an undesired manner. If an intermediate node responds to the
    request, the NM verifies this response against its forwarding table as well as against the
    constraints, in order to make sure that the intermediate node is not lying. In addition,
    the constraints are used to detect packet drops and spoofing. The finite state machine is
    depicted in Figure 3.4.

    Stamouli [10] does not use network monitors to trace the RREQ and RREP messages of a
    request-reply flow across a distributed network, whereas the proposed FSM operates on
    the flows tracked by the network monitor of Figure 3.3.

    3.4.3 Sequence Number Attack Detection

    In order for the intrusion detection to identify the sequence number attack, we analyzed

    RREQ and RREP messages. The logic flow for the two is shown in Figures 3.5 and 3.6.
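    The following is an added example, not code from the thesis or the IDAODV
    implementation, showing how a network monitor of the kind described in Sections 3.4.2
    and 3.4.3 can be written: one FSM per (RREQ ID, source, destination) flow, the header
    constraints of Section 3.1.3 applied to every forwarded copy (source SN unchanged,
    destination SN non-decreasing, hop count incremented by exactly one), a sequence number
    check on RREPs sent by intermediate nodes, and the IP/MAC spoofing check. The message
    layout, the pre-learned IP/MAC bindings, the table of the highest sequence number each
    destination itself has advertised, and the sample capture are all assumptions made for
    this example. The monitor also assumes it hears a single branch of each flow, whereas the
    thesis keeps one FSM per branch.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Msg:                      # one overheard AODV control message (fields assumed)
    kind: str                   # "RREQ" (broadcast) or "RREP" (unicast)
    sender_ip: str              # node that transmitted this copy
    sender_mac: str
    src: str                    # originator of the route request
    dst: str                    # requested destination
    rreq_id: int
    src_seq: int                # originator sequence number carried in the RREQ
    dst_seq: int                # destination sequence number
    hop_count: int
    next_hop: Optional[str] = None   # unicast target of a RREP


@dataclass
class Flow:                     # FSM instance for one request-reply flow (one branch)
    state: str = "Source"
    last_rreq: Optional[Msg] = None
    last_rrep: Optional[Msg] = None
    alarms: List[str] = field(default_factory=list)


class NetworkMonitor:
    """Passive monitor; flows are keyed by (RREQ ID, source IP, destination IP)."""

    def __init__(self, ip_mac: Dict[str, str], known_seq: Dict[str, int]):
        self.ip_mac = ip_mac          # IP->MAC bindings learned earlier (assumed given)
        self.known_seq = known_seq    # highest SN each destination itself has advertised
        self.flows: Dict[Tuple[int, str, str], Flow] = {}

    def _alarm(self, f: Flow, why: str) -> str:
        f.state = "Alarm"
        f.alarms.append(why)
        return f.state

    def observe(self, m: Msg) -> str:
        f = self.flows.setdefault((m.rreq_id, m.src, m.dst), Flow())
        if f.state in ("Alarm", "Route Established"):
            return f.state
        # Spoofing constraint: the (IP, MAC) pair must be one the monitor knows.
        if self.ip_mac.get(m.sender_ip) != m.sender_mac:
            return self._alarm(f, f"unknown IP/MAC pair {m.sender_ip}/{m.sender_mac}")
        return self._on_rreq(f, m) if m.kind == "RREQ" else self._on_rrep(f, m)

    def _on_rreq(self, f: Flow, m: Msg) -> str:
        if f.state == "Source":
            # The first copy must come from the originator itself with hop count 0.
            if m.sender_ip != m.src or m.hop_count != 0:
                return self._alarm(f, f"RREQ not originated by {m.src}")
            f.state = "RREQ Forwarding"
        elif f.state == "RREQ Forwarding":
            p = f.last_rreq
            # Forwarded copy: source SN unchanged, destination SN may only grow
            # (RFC 3561 lets a forwarder raise it), hop count incremented by exactly 1.
            if (m.src_seq != p.src_seq or m.dst_seq < p.dst_seq
                    or m.hop_count != p.hop_count + 1):
                return self._alarm(f, f"SN/HC inconsistent in RREQ from {m.sender_ip}")
        else:
            return self._alarm(f, f"RREQ from {m.sender_ip} after RREP")
        f.last_rreq = m
        return f.state

    def _on_rrep(self, f: Flow, m: Msg) -> str:
        if f.state == "RREQ Forwarding":
            if m.sender_ip == m.dst:
                # The destination may legitimately raise its own sequence number.
                self.known_seq[m.dst] = max(self.known_seq.get(m.dst, 0), m.dst_seq)
            elif m.dst_seq > self.known_seq.get(m.dst, -1):
                # An intermediate replier claiming a route fresher than anything the
                # destination ever advertised: the sequence number attack of 3.1.2.
                return self._alarm(f, f"SN forged in RREP from {m.sender_ip}")
            f.state = "RREP Forwarding"
        elif f.state == "RREP Forwarding":
            p = f.last_rrep
            if m.dst_seq != p.dst_seq or m.hop_count != p.hop_count + 1:
                return self._alarm(f, f"SN/HC inconsistent in RREP from {m.sender_ip}")
        else:
            return self._alarm(f, f"RREP from {m.sender_ip} before any RREQ")
        f.last_rrep = m
        if m.next_hop == m.src:   # RREP has reached the originator: route set up
            f.state = "Route Established"
        return f.state


def demo() -> Dict[Tuple[int, str, str], Tuple[str, List[str]]]:
    """Constructed capture: chain S-A-B-D plus attacker M, monitor hearing every hop."""
    nm = NetworkMonitor({"S": "m-s", "A": "m-a", "B": "m-b", "D": "m-d", "M": "m-m"},
                        known_seq={"D": 5})
    capture = [
        # flow 1: legitimate discovery S -> D, reply unicast back via B and A
        Msg("RREQ", "S", "m-s", "S", "D", 1, 10, 5, 0),
        Msg("RREQ", "A", "m-a", "S", "D", 1, 10, 5, 1),
        Msg("RREQ", "B", "m-b", "S", "D", 1, 10, 5, 2),
        Msg("RREP", "D", "m-d", "S", "D", 1, 10, 6, 0, next_hop="B"),
        Msg("RREP", "B", "m-b", "S", "D", 1, 10, 6, 1, next_hop="A"),
        Msg("RREP", "A", "m-a", "S", "D", 1, 10, 6, 2, next_hop="S"),
        # flow 2: M answers as an intermediate node with an inflated destination SN
        Msg("RREQ", "S", "m-s", "S", "D", 2, 11, 6, 0),
        Msg("RREP", "M", "m-m", "S", "D", 2, 11, 100, 1, next_hop="S"),
        # flow 3: M rebroadcasts the RREQ without incrementing the hop count
        Msg("RREQ", "S", "m-s", "S", "D", 3, 12, 6, 0),
        Msg("RREQ", "M", "m-m", "S", "D", 3, 12, 6, 0),
        # flow 4: a RREQ whose IP/MAC pair the monitor has never seen (spoofing)
        Msg("RREQ", "S", "ff-ff", "S", "D", 4, 13, 6, 0),
    ]
    for m in capture:
        nm.observe(m)
    return {k: (f.state, f.alarms) for k, f in nm.flows.items()}
```

    Running demo() processes the constructed capture: flow 1 reaches Route Established,
    the forged RREP from M in flow 2 raises an SN-forged alarm, and flows 3 and 4 trip the
    hop-count and spoofing constraints respectively. A real monitor would additionally
    compare an intermediate node's claimed hop count against its own forwarding table, as
    the text above describes.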


    Figure 3.4: The finite state machine

    (Figure 3.4 states: Source; RREQ forwarding; RREP forwarding; Suspicious; Alarm;
    Dropped/Lost; Out of Range; Spoofing; SN/HC forged; RERR. Transition labels: "RREQ
    from source"; "RREP unicast by intermediate node and no anomaly is detected"; "RREP
    broadcast by intermediate node and no anomaly detected"; "RERR from intermediate
    node"; "RERR to source and no anomaly is detected"; "RERR from destination or RREP
    from intermediate node, no anomaly detected"; "If SN/HC is not consistent"; "If pair
    of IP and MAC address unknown"; "If forwarding RREP is not heard"; "If no forwarding
    is heard from neighboring NM"; "If none of the neighboring NM disagrees"; "Otherwise
    go to RREP forwarding if it is an RREQ".)


    Figure 3.5: Analyze RREQ Message

    (Figure 3.5 elements: Detected New RREQ; HC = 0; RREQ ID)

        dst;
        prev = read_route_entry(src).next_hop;
        next = read_route_entry(dst).next_hop;
        dseq = read_route_entry(dst).seq;
        Add_Route(dst, prev, dseq+1);
        Active_Reply(src, dst, dseq+1, cur, next);
        }

    If the attacker is close to a route from Source to Destination such that two consecutive
    nodes on this route, prev and next, are in the attacker's 1-hop neighborhood, the attacker
    can first add a route to Destination using prev as the next hop. It then generates an
    Active_Reply to next, using a larger sequence number for Destination in the RREP
    message. This makes next update its route to Destination via cur (the attacker).

    When prev receives a packet from Source, the packet is forwarded along the normal path
    and eventually reaches next. However, next now believes the best route to Destination is
    through cur, and cur forwards it back to prev. This effectively creates a loop on the route
    from Source to Destination, and all packets are dropped when their TTL values reach zero.


    A similar attack can be mounted when the attacker is not close to the targeted route. The
    attacker first finds a victim node V that is close to the route. Instead of calling
    Add_Route locally on V (which would require an additional compromise of V), the attacker
    can use either False_Request or Active_Reply to force V to update its route to
    Destination via V's corresponding prev.
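    As an added example (not the thesis's simulation code), the toy model below implements
    the AODV forward-route acceptance rule of Section 3.1.3 and then mounts the routing
    loop attack described above: attacker M is adjacent to the consecutive on-path nodes B
    (prev) and C (next), routes Destination via B, and sends C a forged RREP carrying the
    destination sequence number incremented by one. Node names, the chain topology, the hop
    count claimed in the forged RREP and the TTL value are assumptions for this example; the
    attacker is assumed to have learned the current destination sequence number by
    overhearing traffic.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Route:
    next_hop: str
    seq: int        # destination sequence number the route was learned with
    hops: int


class Node:
    def __init__(self, name: str):
        self.name = name
        self.table: Dict[str, Route] = {}   # forward routing table: dst -> Route

    def accept_rrep(self, dst: str, seq: int, rrep_hops: int, sender: str) -> bool:
        """AODV forward-route update rule of Section 3.1.3: take the route if the
        destination SN is larger, or equal with a smaller hop count (RREP hops + 1)."""
        new_hops = rrep_hops + 1
        cur = self.table.get(dst)
        if cur is None or seq > cur.seq or (seq == cur.seq and new_hops < cur.hops):
            self.table[dst] = Route(sender, seq, new_hops)
            return True
        return False


def build_chain(names: List[str], dst_seq: int) -> Dict[str, Node]:
    """Straight path (e.g. S-A-B-C-D); the RREP from the last node walks back along it."""
    nodes = {n: Node(n) for n in names}
    dst = names[-1]
    for i in range(len(names) - 2, -1, -1):
        nodes[names[i]].accept_rrep(dst, dst_seq, len(names) - 2 - i, names[i + 1])
    return nodes


def forward(nodes: Dict[str, Node], src: str, dst: str, ttl: int) -> Tuple[List[str], bool]:
    """Forward one data packet hop by hop until delivery, no route, or TTL exhaustion."""
    path, cur = [src], src
    while cur != dst and ttl > 0:
        r = nodes[cur].table.get(dst)
        if r is None:
            break
        cur, ttl = r.next_hop, ttl - 1
        path.append(cur)
    return path, cur == dst


def routing_loop_attack(nodes: Dict[str, Node], attacker: str, prev: str, nxt: str,
                        dst: str) -> bool:
    """The attack of the pseudocode above: the attacker (cur) neighbours two consecutive
    on-path nodes prev and next, routes dst via prev, then sends next a forged RREP
    (Active_Reply) with dseq+1 so that next routes dst via the attacker."""
    a = nodes.setdefault(attacker, Node(attacker))
    dseq = nodes[nxt].table[dst].seq            # SN the attacker overheard (assumed)
    a.table[dst] = Route(prev, dseq + 1, 1)     # Add_Route(dst, prev, dseq+1)
    return nodes[nxt].accept_rrep(dst, dseq + 1, 1, attacker)   # Active_Reply(...)


def demo() -> Dict[str, object]:
    nodes = build_chain(["S", "A", "B", "C", "D"], dst_seq=5)
    before = forward(nodes, "S", "D", ttl=16)
    accepted = routing_loop_attack(nodes, "M", prev="B", nxt="C", dst="D")
    after = forward(nodes, "S", "D", ttl=16)
    # With an equal SN but a longer path the forged RREP is rejected (loop-freedom rule),
    # which is why the attacker has to raise the sequence number.
    rejected = not nodes["C"].accept_rrep("D", nodes["C"].table["D"].seq, 5, "M")
    return {"before": before, "accepted": accepted, "after": after,
            "rejected": rejected, "c_next_hop": nodes["C"].table["D"].next_hop}
```

    Before the attack a packet from S follows S-A-B-C-D; afterwards it cycles B-C-M-B-C-M
    until the TTL is exhausted and is never delivered. The same forged RREP with an equal
    sequence number would be rejected by the hop-count rule, which is exactly the gap the
    inflated destination sequence number exploits.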

    4.1.1 Loop Freedom of IDAODV

    AODV is a loop-free protocol, as already proved in [38]. IDAODV does not alter the
    route-update rules of AODV and therefore inherits its loop-freedom property.

    4.2 Depleting Batteries

    Intruders may send data with the objective of congesting the network or depleting
    batteries. We propose a method to detect this type of attack. The method calls for a minor
    modification to the existing AODV protocol and incurs no additional overhead. The attack
    can be characterized as a node originating RREQs at a rate above RREQ_RATELIMIT. The
    proposed method has been designed to detect this type of attack on pure AODV as well as
    on modified AODV protocols. To evaluate the effectiveness of the proposed scheme, we
    simulated the attack in a mobile environment and studied the performance results.

    4.2.1 Proposed Method

    From RFC 3561, the default value for RREQ_RATELIMIT is 10 RREQs per second. This
    means that each node is expected to exercise self-control over the number of RREQs it
    originates each second. A compromised node may choose to set the value of
    RREQ_RATELIMIT to a very high number, or even disable this limiting feature, allowing it


    to send a large number of RREQ packets per second. The proposed scheme shifts the
    responsibility for monitoring this parameter to the node's neighbors, which enforce the
    restriction. Instead of self-control, the control exercised by a node's neighbors prevents
    this attack and the problems caused by unnecessary RREQs from a compromised node.

    RREQ_GOODLIST_LIMIT and RREQ_BADLIST_LIMIT

    The proposal is based on two parameters: RREQ_GOODLIST_LIMIT and RREQ_BADLIST_LIMIT.

    RREQ_GOODLIST_LIMIT denotes the number of RREQs that can be accepted and processed
    per unit of time by a node. The purpose of this parameter is to ensure uniform usage of a
    node's resources by its neighbors. RREQs exceeding this limit are dropped, but their time
    stamps are recorded; this information aids in monitoring the neighbors' activities. In the
    simulations carried out, the value of this parameter was kept at three (3 RREQs can be
    accepted per unit of time). This value can, however, be made adaptive, depending upon
    node metrics such as memory, processing power and battery.

    The RREQ_BADLIST_LIMIT parameter specifies a value that aids in determining whether a
    node is acting maliciously. To do so, the number of RREQs originated or forwarded by a
    neighboring node per unit time is tracked. If this count exceeds RREQ_BADLIST_LIMIT, one
    can safely assume that the corresponding neighboring node is trying to flood the network
    with fake RREQs. A neighboring node identified as malicious is badlisted, preventing
    further flooding of fake RREQs into the network.


    The badlisted node is ignored for a period of time given by BADLIST_TIMEOUT, after
    which it is unblocked. The proposed scheme is able to block a node for the
    BADLIST_TIMEOUT period on an incremental basis: the BADLIST_TIMEOUT period is
    doubled each time the node repeats its malicious behavior.

    In our simulations, the value of RREQ_BADLIST_LIMIT is kept at 10 (i.e., more than 10
    RREQs per unit time is treated as flooding). By badlisting a malicious node, all neighbors
    of the malicious node restrict the flood of RREQs. In addition, the malicious node is
    isolated by this distributed defense and cannot hog its neighbors' resources. The
    neighboring nodes are therefore free to serve the RREQs of genuine nodes. Nodes that are
    confident about the malicious nature of a particular node can avoid using it for
    subsequent network functions. In this way, genuine nodes are spared this attack.

    Advantages of the Proposed Scheme

    1. The proposed scheme incurs no extra overhead, as it makes minimal modifications to
       the existing data structures and functions related to badlisting a node in the
       existing version of pure AODV.

    2. The proposed scheme is more efficient in terms of the resultant routes established,
       resource reservations and computational complexity.

    3. If multiple malicious nodes collaborate, they in turn are restricted and isolated by
       their neighbors, because neighbors monitor and exercise control over the RREQs
       forwarded by nodes. Hence, the scheme also prevents distributed attacks.


    The algorithms for our scheme are described below. RREQ_TIME is the counter, kept in the
    RREQ_RATELIMIT table, of RREQs heard from a given sender in the current time unit.

    Algorithm-1 (TIME of RREQ)

    1. A RREQ is received.
    2. If the RREQ is a forwarded one, exit.
    3. Find the entry NODE_ID in the RREQ_RATELIMIT table for the node that sent the RREQ.
    4. For that entry, set RREQ_TIME = RREQ_TIME + 1.

    Algorithm-2 (Find the RREQ rate and identify the intruder; run once every second)

    1. For every entry of the RREQ_RATELIMIT table:
    2.     If RREQ_TIME > threshold, put NODE_ID into the BADLIST and set RREQ_TIME = 0.
    3.     Else set RREQ_TIME = 0.

    The functioning of the intruder is depicted pictorially in Figure 4.1.
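    The following is an added example, not the thesis's NS-2 implementation, of
    Algorithm-1 and Algorithm-2 with RREQ_GOODLIST_LIMIT = 3 and RREQ_BADLIST_LIMIT = 10
    as in the simulations, a badlist whose BADLIST_TIMEOUT doubles on each repeat offence,
    and the time-stamping of dropped RREQs. The counters are kept per neighbor, and RREQs
    are counted whether originated or forwarded, as the RREQ_BADLIST_LIMIT description
    says (Algorithm-1 step 2 skips forwarded RREQs; filter those out before calling
    on_rreq to reproduce that exactly). The initial BADLIST_TIMEOUT value, the one-second
    integer ticks and the traffic trace are assumptions made for this example.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RREQ_GOODLIST_LIMIT = 3    # RREQs accepted and processed per neighbour per second (thesis value)
RREQ_BADLIST_LIMIT = 10    # more than this per second from one neighbour => flooding (thesis value)
BADLIST_TIMEOUT = 4        # initial block period in seconds (assumed; the thesis gives no value)


@dataclass
class NeighborState:
    rreq_count: int = 0                    # RREQ_TIME counter of Algorithm-1
    dropped_at: List[int] = field(default_factory=list)   # time stamps of RREQs over the good limit
    blocked_until: int = -1                # badlisted while now < blocked_until
    strikes: int = 0                       # repeats of malicious behaviour; timeout doubles each time


class RreqRateMonitor:
    """Neighbour-enforced RREQ_RATELIMIT: every node runs this for each 1-hop neighbour."""

    def __init__(self) -> None:
        self.neigh: Dict[str, NeighborState] = {}
        self.badlist_events: List[Tuple[int, str, int]] = []   # (time, node, timeout)

    def on_rreq(self, now: int, node_id: str) -> str:
        """Algorithm-1, run on each RREQ heard from node_id.
        Returns 'blocked', 'dropped' or 'accepted'."""
        st = self.neigh.setdefault(node_id, NeighborState())
        if now < st.blocked_until:
            return "blocked"               # badlisted neighbour: ignore entirely
        st.rreq_count += 1                 # RREQ_TIME = RREQ_TIME + 1
        if st.rreq_count > RREQ_GOODLIST_LIMIT:
            st.dropped_at.append(now)      # dropped, but time-stamped for monitoring
            return "dropped"
        return "accepted"

    def tick(self, now: int) -> List[str]:
        """Algorithm-2, run once per second: badlist flooders and reset the counters."""
        newly_badlisted = []
        for node_id, st in self.neigh.items():
            if st.rreq_count > RREQ_BADLIST_LIMIT:
                st.strikes += 1
                timeout = BADLIST_TIMEOUT * 2 ** (st.strikes - 1)   # doubles on each repeat
                st.blocked_until = now + timeout
                self.badlist_events.append((now, node_id, timeout))
                newly_badlisted.append(node_id)
            st.rreq_count = 0
        return newly_badlisted


def demo() -> Dict[str, object]:
    """Constructed trace: honest neighbour H sends 2 RREQ/s; F floods 30 RREQ/s in
    seconds 0-1, is quiet in seconds 2-5, then floods again from second 6 on."""
    mon = RreqRateMonitor()
    outcome: Dict[str, Counter] = {"H": Counter(), "F": Counter()}
    for now in range(12):
        for _ in range(2):
            outcome["H"][mon.on_rreq(now, "H")] += 1
        if now <= 1 or now >= 6:
            for _ in range(30):
                outcome["F"][mon.on_rreq(now, "F")] += 1
        mon.tick(now)
    return {"events": mon.badlist_events,
            "H": dict(outcome["H"]), "F": dict(outcome["F"]),
            "F_dropped_at": mon.neigh["F"].dropped_at}
```

    In the trace, F is badlisted at second 0 for 4 seconds and again at second 6 for 8
    seconds; every RREQ it sends while blocked is ignored, while H's two RREQs per second
    are always accepted. Only the RREQs above RREQ_GOODLIST_LIMIT are dropped and
    time-stamped; the badlist decision itself is taken once per second from the counter.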


    4.3 Simulation

    The experiments were carried out using NS-2 [31]. We used the simulation environment
    detailed in [18] as a starting point. The following subsections provide details of the
    simulation environment, metrics and experimental results.

    4.3.1 Simulation Environment

    Grid Size: 1000 x 1000 meters.

    Number of Nodes: 30 nodes in total. Out of these, 16 were involved in normal
    communication, and we varied the number of bad nodes.

    Routing Protocol: AODV was used.

    MAC Layer: 802.11 in peer-to-peer mode was chosen as the MAC layer protocol.

    Radio: The no-fading model was used, with the radio range set to 250 meters.

    Mobility: The random waypoint model was used with maximum speed set to 20 meters
    per second. Pause time was set to 15 seconds.

    Packet Traffic: 10 Constant Bit Rate (CBR) connections were generated
    simultaneously, where 4 nodes were the source for two streams each and 2 nodes were
    the source for a single stream. Each destination node receives only one CBR stream.

    Simulation Time: The simulation was run for 900 seconds.

    Dropped Packet Timeout: The timeout period for dropped packets was set to 10 seconds.

    Dropped Packet Threshold: Set to 10 packets.

    Clear Delay: This is an event expiration timer, set to 100 seconds. This is the
    amount of time for which a node considers an event before arriving at a conclusion.

    Modification Threshold: The modification threshold was set to 5 events.

    Neighborhood Hello Period: 30 seconds.

    Figure 4.1: Functioning of Intruder (Top), (Bottom)

    (Figure 4.1 elements: nodes A to O, T and U; Intruder; Bogus Traffic; legend: Node,
    Link for Attack Packet)

    Metrics such as delivery ratio, false positives and detected bad nodes are the important
    determinants of network performance; they have been used to compare the performance
    of the proposed scheme with that of the original protocol, i.e., AODV. The study shows
    that the proposed scheme enhances the security of the routing protocol without causing
    substantial degradation of network performance.


    Figure 4.2: Delivery Ratio vs Number of Connections

    Figure 4.3: Delivery Ratio vs Node Mobility

    Figure 4.4: Percentage of False Positives vs Percentage of Bad Nodes

    Figure 4.5: Percentage of Detected Bad Nodes vs Percentage of Bad Nodes


    The average results in Figures 4.2 and 4.3 show that the impact of the attack decreases
    while the delivery ratio improves by 80%.

    Figure 4.4 shows that the performance of the Active Response protocols improves with
    respect to false positives as the density of malicious nodes increases.

    The detection rate is shown in Figure 4.5. In the best case, 93% of the bad nodes are
    detected; the worst-case detection rate is 78%. In the previous chapter, we discussed why
    a bad node may go undetected.

    4.4 Performance Comparison Analysis with the RIDAN System

    In this section, we present the results of our experiment using the NS-2 simulator for an
    Ad Hoc network consisting of 30 nodes. We assume that there is one intruder sending a
    sequence of consecutive packets constituting an attack to the destination [39]. The
    intrusion is considered detected if the attack packets pass through any of the nodes that
    constitute the intrusion detection system.

    We use a randomly selected set of 5 of the 30 nodes as IDS nodes, repeat the experiment
    of [10], and consider a sequence of five consecutive packets as constituting the attack
    signature. We measured the accuracy of detection in both static and dynamic conditions.

    It is not clear in [10] how an attack that requires more than one-hop information is
    detected, whereas IDAODV takes multi-hop information into account, overcoming this
    limitation of the RIDAN system.


    We have produced the percentage of attack detection for the RIDAN system [10] in both the
    static and the dynamic node case, which was not present in the original work, and give
    the relative performance of IDAODV and RIDAN below.

    For the Static Case

    Consider that there is only one node in the intrusion detection system, randomly selected
    from the 30 nodes. We consider a system in which the nodes that constitute the intrusion
    detection system (IDS) are chosen randomly.

    Figure 4.6: Percentage of Detection (static case)

    We show the results for systems with 30 nodes in Figure 4.6. The performance of IDAODV
    is better than that of the RIDAN system [10]. IDAODV also supports multi-node intrusion
    detection for the static condition.


    For the Dynamic Case

    In the dynamic case, we consider a network using AODV and assume that the intruder is
    moving at a speed of 15 m/s. We use the same criterion as in the static case to determine
    the nodes that make up the IDS; the only difference is that the intruder is now assumed to
    be mobile. We show the results for this case in Figure 4.7. Here too, IDAODV supports
    multi-node intrusion detection for the dynamic condition.

    Figure 4.7: Percentage of Detection (dynamic case)


    Table 4.1: Comparison between RIDAN and IDAODV for percentage of detection

                                     Number of Nodes
                                20       40       60       80
    Static node case
        RIDAN (Stamouli)        52       80       94       98.5
        IDAODV                  54       84       96       99.3
    Dynamic node case
        RIDAN (Stamouli)        52       80.5     94       99
        IDAODV                  57.5     85.1     95       99.8

    The above table gives a comparison of the percentage of detection between the RIDAN
    system and the proposed method. For all values of the number of nodes, the detection rate
    of the proposed method is higher than that of the RIDAN system. Whereas the com