
    ARTIFICIAL IMMUNE FUZZY INTRUSION DETECTION ALGORITHM OVER MANET

    MAHA ABDELHAQ

    THESIS SUBMITTED IN FULFILMENT OF THE DEGREE OF DOCTOR OF PHILOSOPHY

    FACULTY OF INFORMATION SCIENCE AND TECHNOLOGY UNIVERSITY KEBANGSAAN MALAYSIA

    BANGI

    2014



    DECLARATION

    I hereby declare that the work in this research is my own except for quotations and

    summaries which have been duly acknowledged.

    24th March 2014    MAHA ABDELHAQ    P50000


    ACKNOWLEDGMENTS

    First and foremost, all praise to Almighty Allah for his blessings and patience, as well as for providing me with good health during this research.

    This work is dedicated to the soul of my father, from whom I learned faith, strength, and determination. This work is also dedicated to my family, especially my beloved mother, who has shone an everlasting light on my mind and heart. Of course, this research is dedicated to my husband, Dr. Raed Alsaqour, who not only lives in my heart, but also shares my thoughts, ideas, and principles in different fields of science. I am grateful to my husband, who spent so much time guiding me in the best way he can and surrounding me with care and support.

    I am grateful to my great brother, Shawkat Abdelhaq, for his continuous encouragement, love, and care. I thank my sisters for their unconditional love and support.

    This work is also dedicated to the souls of martyrs (Shohadaa) in my beloved country, Palestine, and to the Arab revolution martyrs in Tunis, Libya, Yemen, Syria, and Egypt. I greatly appreciate the Egyptian Muslim Brotherhood for their struggle and sacrifice. In particular, I would like to show my appreciation for the legitimate leader of Egypt, Dr. Mohammad Morsi, who taught me many things that are greater than the limits of completing my PhD studies and of higher value than merely obtaining a certificate and work. Dr. Morsi taught me determination, patience, and persistence to pursue my aspirations to achieve a better life for Arab countries and the Muslim Ummah.

    I thank my supervisors, Dr. Rosilah Hassan and Prof. Mahamod Ismail, for their guidance and support. I also thank Immunologist Prof. Daud Israf of University Putra Malaysia (UPM) for his assistance and advice. Finally, I thank my research group for their help and friendship and for creating a pleasant working environment throughout my years of study in Universiti Kebangsaan Malaysia.


    ABSTRACT

    A mobile ad hoc network (MANET) is a collection of mobile, decentralized and self-organizing nodes used in special cases such as military applications. MANET properties render its environment vulnerable to different types of attacks, namely black hole, wormhole and flooding-based attacks. Flooding-based attacks are among the most dangerous because they can paralyze the functionality of the whole network. In essence, a flooding attack overwhelms the network with bogus packets and can be performed through various attack types: resource consumption attack (RCA), hello flood, routing table overflow, rushing attacks and exploiting node penalizing schemes. In order to secure MANET from attacks, many researchers have introduced intrusion detection algorithms based on artificial immune systems (AISs), because AISs use the human immune system (HIS) analogy to introduce efficient, self-defensive and self-organizing algorithms that could meet the challenges of the MANET environment. However, current AIS algorithms lack the generality needed to secure a standard routing protocol over MANET against a wide range of attack techniques with high accuracy and low false positive rates. In addition, little attention has been paid to introducing an AIS algorithm that could reduce the effect of the attack on the main network performance metrics. The main objective of this research is to develop an efficient, self-defensive and self-organizing computational intelligent algorithm which combines the relevant features of danger theory-based AISs and fuzzy logic theory. This is done by drawing on the detection functionality of dendritic cells (DCs) in the HIS and the accurate decision-making functionality of fuzzy logic theory to introduce an AIS intrusion detection algorithm called the Dendritic Cell Fuzzy Algorithm (DCFA). The proposed algorithm has been tested and verified by detecting a denial of service (DoS) attack, namely RCA, using the QualNet version 5.0.2 simulator over MANET. The research has found that AIS is effective for developing intrusion detection algorithms with high accuracy and low false positive rates. Moreover, the results show the capability of DCFA to perform the detection operation with high efficiency and effectiveness.


    TABLE OF CONTENTS

    Page

    DECLARATION iii
    ACKNOWLEDGMENTS iv
    ABSTRACT v
    ABSTRAK vi
    TABLE OF CONTENTS vii
    LIST OF TABLES xi
    LIST OF FIGURES xii
    LIST OF ABBREVIATIONS xv
    LIST OF SYMBOLS xviii

    CHAPTER I INTRODUCTION
    1.1 Research Background 1
    1.2 Problem Statement 4
    1.3 Research Objectives 6
    1.4 Research Contributions 6
    1.5 Research Scope 7
    1.6 Research Methodology 7
    1.7 Thesis Outline 8

    CHAPTER II LITERATURE REVIEW
    2.1 Introduction 10
    2.2 Mobile Ad hoc Network 10
    2.2.1 MANET Characteristics 11
    2.2.2 MANET Routing Protocols 12
    2.3 Security over MANET 14
    2.3.1 Security Primitive 15
    2.3.2 Security Goals 16
    2.3.3 Types of Attacks over MANET 17
    2.4 Studies in the Effects of Attacks over MANET 20
    2.5 The Human Immune System in Biology 22
    2.5.1 Introduction to HIS 22
    2.5.2 The HIS Cells 23
    2.5.3 Innate and Adaptive Immunity 23
    2.5.4 T-Cells 24
    2.5.5 Dendritic Cells 25
    2.5.6 Self Non-Self and Danger Theories 27
    2.6 Fuzzy Logic Theory 28
    2.7 Intrusion Detection Systems 29
    2.7.1 Non Intelligent Intrusion Detection Systems 29
    2.7.2 Intelligent Intrusion Detection Systems 34
    2.8 Summary 39

    CHAPTER III METHODOLOGY
    3.1 Introduction 41
    3.2 The Analogy Between MANET and The Innate Immunity 41
    3.3 Danger Theory Model 43
    3.4 Biological Model of Dendritic Cells 44
    3.5 Antigens and Signals 46
    3.5.1 Antigens 46
    3.5.2 Input Signals 47
    3.5.3 Output Signals 48
    3.6 Biological Model of T-Cells 50
    3.7 Ad Hoc on-Demand Distance Vector Routing Protocol 51
    3.8 Vulnerability of AODV to RCA 52
    3.9 Fuzzy Logic Theory 53
    3.9.1 Fuzzification 54
    3.9.2 Fuzzy Rules and Fuzzy Inference 55
    3.9.3 Defuzzification 56
    3.9.4 Fuzzy Logic and DC 57
    3.10 Simulation Environment 58
    3.10.1 Simulation Parameters 58
    3.10.2 Performance Metrics 59
    3.10.3 Simulation Verification 62
    3.11 Summary 64

    CHAPTER IV EFFECTS OF RCA ON MANET
    4.1 Introduction 66
    4.2 Experimental Design 68
    4.3 Experimental Results for Scenario A 69
    4.3.1 Effects of RCA on Throughput and End-to-end Delay for Scenario A 70
    4.3.2 Effects of RCA on Total Energy Consumption for Scenario A 72
    4.3.3 Effects of RCA on Routing Overhead for Scenario A 74
    4.4 Experimental Results for Scenario B 76
    4.4.1 Effects of RCA on Throughput and End-to-end Delay for Scenario B 77
    4.4.2 Effects of RCA on Total Energy Consumption for Scenario B 78
    4.4.3 Effects of RCA on Routing Overhead for Scenario B 80
    4.5 Summary 81

    CHAPTER V DENDRITIC CELL FUZZY LOGIC ALGORITHM
    5.1 Introduction 83
    5.2 General Design of DCFA 84
    5.3 DCFA Particulars 91
    5.3.1 DCFA Specifications 91
    5.3.2 Fuzzy Logic System Component 95
    I. Fuzzification Stage 96
    II. Defuzzification Stage 99
    III. Fuzzy Inference and Aggregation 100
    5.4 A Worked Example 101
    5.5 Summary 103

    CHAPTER VI VERIFICATION OF DENDRITIC CELL FUZZY LOGIC ALGORITHM
    6.1 Introduction 105
    6.2 Experimental Settings 105
    6.3 Experimental Results for Scenario C 107
    6.3.1 Evaluation of Security Performance for Scenario C 107
    6.3.2 Evaluation of Network Performance for Scenario C 112
    6.4 Experimental Results for Scenario D 119
    6.4.1 Evaluation of Security Performance for Scenario D 119
    6.4.2 Evaluation of Network Performance for Scenario D 123
    6.5 Comparison Between DCFA and Previous Work 129
    6.6 Summary 132

    CHAPTER VII CONCLUSIONS AND FUTURE WORKS
    7.1 Research Contributions 133
    7.2 Achievements 134
    7.3 Research Advantages and Limitations 135
    7.4 Suggestions for Future Works 137

    REFERENCES 139

    APPENDICES 150
    A: List of Publications 148
    B: Simulation Screenshots 150


    LIST OF TABLES

    Table No. Page

    2.1 Non intelligent intrusion detection systems 34

    2.2 Intelligent intrusion detection systems 39

    3.1 Analogy between innate immunity properties and MANET characteristics 42

    3.2 Brief overview of the input signals 48

    3.3 Brief overview of the output signals 50

    3.4 A comparison between T-cells and DCs 50

    3.5 Simulation parameters 59

    3.6 Intrusion detection performance metrics 60

    5.1 DCFA Model Components 86

    5.2 DCFA data structure 94

    5.3 Fuzzy sets of input variable s1 96

    5.4 Fuzzy sets of input variable s2 98

    5.5 Fuzzy sets of FLS(Si) output variable 99

    6.1 Comparison Between DCFA And Previous Works 130


    LIST OF FIGURES

    Figure No. Page

    1.1 Mapping of HIS model and MANET in AIS algorithm 4

    1.2 Research Steps 8

    2.1 Mobile ad hoc network 11

    2.2 MANET routing protocols categories 13

    2.3 Information security 15

    2.4 Attacks over MANET 18

    2.5 States of DC differentiations 26

    3.1 Main functions of DCs 44

    3.2 Main inputs and outputs of DC 45

    3.3 Interaction among the input signals 48

    3.4 AODV routing protocol 52

    3.5 RCA 53

    3.6 Fuzzy logic mechanism 54

    3.7 Temperature membership function 55

    3.8 Radio energy dissipation model (transceiver) 61

    4.1 Distribution of RCA attackers with different positions 69

    4.2 Effect of the number of attackers and their positions on throughput 71

    4.3 Effect of the number of attackers and their positions on end-to-end delay 72

    4.4 Effect of the number of attackers and their positions on the energy consumed in each mode 73

    4.5 Effect of the number of attackers and their positions on total energy consumed 74

    4.6 Effect of the number of attackers and their positions on the retried RREQs 75

    4.7 Effect of the number of attackers and their positions on the initiated RREPs 76

    4.8 Effect of increasing attackers radio ranges 76

    4.9 Effect of the attackers radio range and flooding rate on throughput 77

    4.10 Effect of the attackers radio range and flooding rate on end-to-end delay 78

    4.11 Effect of the attackers radio range and flooding rate on energy consumption in each mode 79

    4.12 Effect of the attackers radio range and flooding rate on total energy consumed 80

    4.13 Effect of the attackers radio range and flooding rate on the retried RREQs 81

    4.14 Effect of the attackers radio range and flooding rate on the initiated RREPs 81

    5.1 DCFA model 85

    5.2 TGList in genes store 88

    5.3 MTList in MT-cells 89

    5.4 New pictured TGList 95

    5.5 FLS applied by each DC 95

    5.6 Membership functions of input variable s1 97

    5.7 Membership functions of input variable s2 98

    5.8 Output membership functions for output signal FLS(Si) 100

    5.9 Graphical illustration of fuzzy system stages 103

    6.1 Effect of the number of attackers on false positive rate 107

    6.2 Effect of the number of attackers on true negative rate 108

    6.3 Effect of the number of attackers on false negative rate 110


    6.4 Effect of the number of attackers on true positive rate 110

    6.5 Effect of the number of attackers on accuracy rate 112

    6.6 Effect of the number of attackers on throughput 113

    6.7 Effect of the number of attackers on end-to-end delay 114

    6.8 Effect of the number of attackers on energy consumed in transmit mode 115

    6.9 Effect of the number of attackers on energy consumed in receive mode 116

    6.10 Effect of the number of attackers on energy consumed in idle mode 116

    6.11 Effect of the number of attackers on total energy consumed 117

    6.12 Effect of the number of attackers on the retried RREQs 118

    6.13 Effect of the number of attackers on the initiated RREPs 119

    6.14 Effect of the attackers radio range on false positive rate 120

    6.15 Effect of the attackers radio range on true negative rate 120

    6.16 Effect of the attackers radio range on false negative rate 122

    6.17 Effect of the attackers radio range on true positive rate 122

    6.18 Effect of the attackers radio range on accuracy rate 123

    6.19 Effect of the attackers radio range on throughput 124

    6.20 Effect of the attackers radio range on end-to-end delay 125

    6.21 Effect of the attackers radio range on energy consumed in transmit mode 125

    6.22 Effect of the attackers radio range on energy consumed in receive mode 126

    6.23 Effect of the attackers radio range on energy consumed in idle mode 127

    6.24 Effect of the attackers radio range on total energy consumed 127

    6.25 Effect of the attackers radio range on the retried RREQs 128

    6.26 Effect of the attackers radio range on the initiated RREPs 129


    LIST OF ABBREVIATIONS

    ABAIS agent-based AIS

    AC antigens controller

    ADMR adaptive demand-driven multicast routing

    Ag antigen agent

    AIS artificial immune system

    AODV ad hoc on-demand distance vector

    AOMDV Ad hoc on-demand multipath distance vector

    APC antigen presenting cell

    CBR constant bit rate

    CEDAR core-extraction distributed ad hoc routing

    CGSR cluster head gateway switch routing

    CIA co-stimulation inspired approach

    CPN cognitive packet network

    CREP confirmation reply

    CREQ confirmation request

    CSM costimulatory molecules

    DC dendritic cell

    DCA dendritic cell algorithm

    DCMP dynamic core based multicast routing

    DEAR device and energy aware routing

    DGR direction guided routing

    DoS denial of service

    DRM dynamic route maintenance


    DSDV destination sequenced distance vector

    DSR dynamic source routing

    FRREP further route reply

    FRREQ further route request

    FSR fisheye state routing

    G-BDODA gossip-based distributed outlier detection algorithm

    GPS global positioning system

    GPSR greedy perimeter stateless routing

    HIS human immune system

    H-LANMAR hierarchical landmark routing

    HSR hierarchical state routing

    IDS intrusion detection system

    IL-10 interleukin-10

    IL-12 interleukin-12

    LAN local area networks

    LANMAR landmark ad hoc routing

    LAR location-aided routing

    MAC medium access control

    MANET mobile ad hoc network

    MHC major histocompatibility complex

    MT-cell Memory T-cell

    NetTRIIAD network threat recognition with immune inspired anomaly detection

    NTBR neighbor table based multipath routing

    NT-cell Naive T-cell


    OLSR optimized link state routing

    PAMP pathogen-associated molecular patterns

    PIR primary immune response

    PRR pattern recognition receptor

    QoS quality of service

    RCA resource consumption attack

    RP responding

    RPQ routing packets queue

    RREP route reply

    RREQ route request

    RTT round trip time

    SID-RS source intrusion detection routing security

    SIFS short inter frame space

    SIR secondary immune response

    SOC security operating system

    ST-cell Suppressor T-cell

    TC agent T-cells agent

    TORA temporally ordered routing algorithm

    TTM transmission time-based mechanism

    WRP wireless routing protocol

    ZRP zone routing protocol

    FN false negative

    FP false positive


    LIST OF SYMBOLS

    total energy consumed

    total energy consumed in transmit, receive and idle modes

    E1 energy consumed in transmit mode

    E2 energy consumed in receive mode

    E3 energy consumed in idle mode

    membership value of the output parameter of each rule j

    P_receive power consumed in receive mode

    P_transmit power consumed in transmit mode

    P_idle power consumed in idle mode

    P_on power consumed in active mode

    P_sp power consumed in sleep mode

    P_tr power consumed in transient mode

    R_i rule number i

    T_receive time duration of the receive mode

    T_transmit time duration of the transmit mode

    T_idle time duration of the idle mode


    CHAPTER I

    INTRODUCTION

    1.1 RESEARCH BACKGROUND

    In the last few decades, many researchers have focused on the mobile ad hoc network (MANET), a wireless network with specific features not found in other types of networks. The decentralization, rapidly deployable topology and open wireless medium of MANET make it suitable for application in roughly structured areas, such as earthquake and war territories. However, these features, together with the limitations of MANET (i.e., the sharing of channel bandwidth and the limited energy of nodes), make this network very vulnerable to different types of attacks.

    MANET routing protocols can be easily attacked by identifying the targeted points of vulnerability of the network protocols. Many intrusion detection systems (IDSs) have been introduced to protect the routing protocols in MANETs. However, the conventional cryptographic mechanisms used to secure routing protocols in MANETs increase the control overhead by transmitting extra security information (digital signatures and hash values) in routing packets. Moreover, the lack of fixed infrastructure in MANET renders the use of certificate authorities infeasible. Thus, the general trend at present is to employ lightweight computing algorithms to secure MANET. Based on the many similarities between the human body tissue environment and the MANET environment concluded from this study, the robust defence achieved by the human immune system (HIS) is translated in this research into an artificial immune system (AIS) to protect MANET. AISs are defined as a set of computational algorithms or theories that reflect one or more HIS concepts and principles (Wu & Banzhaf 2010).

    The introduced AIS intrusion detection algorithms can detect attacks in a decentralized and self-organizing manner, which means that central management points in the security system are not necessary when AISs are applied. This advantage renders the technique feasible for securing MANETs and addressing the limitations and challenges of such networks.

    HIS consists of numerous functions and concepts, which motivated computer scientists to envision its utilization in intrusion detection systems. However, research on immunology shows that HIS is extremely complex; evidence on how HIS operates is conflicting and controversial (Greensmith 2007). Understanding the biology of the human body does not necessarily mean being able to emulate all its models and functions in detail. Adopting the concepts and principles that benefit the AIS environment is enough to achieve the desired performance (Drozda et al. 2009; Drozda et al. 2010).

    Aickelin et al. (2003) attempted to improve the performance of previously introduced AISs by establishing the danger project (Aickelin et al. 2003; Aickelin & Cayzer 2002), which is primarily based on the danger theory in immunology. The danger theory implies that the response of the immune system to incoming pathogens is based mainly on the existence of danger or safe signals emitted from the body tissues and caused by these pathogens (Matzinger 1994, 2001, 2002, 2007). In the danger project, a group of computer scientists and immunologists mapped actual up-to-date immunology into AIS (Greensmith 2007; Greensmith et al. 2005, 2008; Greensmith et al. 2010; Ou 2012).

    The dendritic cell algorithm (DCA) is one of the best-known danger project contributions. It utilizes the role of dendritic cells (DCs) in HIS as forensic navigators and important anomaly detectors. DCs are antigen presenting cells in innate immunity; these cells either stimulate or suppress T-cells in adaptive immunity, and thereby control the type of response of the immune system (Wu & Banzhaf 2010).

    Although DCA is effective in real-time IDSs, its results register a high false positive alarm rate and a low detection accuracy rate because it is sensitive to the order of the detected data. Thus, this research combines the danger theory model with fuzzy logic theory (Zadeh 1965) to propose a new DC fuzzy intrusion detection algorithm (DCFA). DCFA promises high detection accuracy and a low false positive rate; detection accuracy rate and false positive rate are the main measurements that indicate the robustness of an IDS. Chapter II, Section 2.5 presents an overview of HIS in biology to elucidate the importance of the DC biological model in the human body.

    A novel DCFA and its related model are introduced in this study. Using an AIS-inspired algorithm promises to address the challenges of the MANET environment that make it vulnerable to attacks. No research has been able to meet the requirements for the detection of all types of attacks (Deng et al. 2002; Lima et al. 2009; Su & Adviser-Boppana 2009). Thus, DCFA is verified and tested in this study to detect one of the flooding-based attacks on MANET, namely the resource consumption attack (RCA). DCFA can be generalized to detect other types of attacks on MANETs.

    Figure 1.1 shows an abstract mapping of HIS and MANET. Each message in MANET represents a pathogen entering the human body. Each node represents the human body or a part of the human body. Therefore, each node must apply the proposed algorithm to protect itself from intrusions, just as each part of the human body depends on the immune system to protect itself from dangerous pathogens.

    Figure 1.1 Mapping of HIS model and MANET in AIS algorithm. (a) Human immune system (NIAIDS 2003), (b) MANET

    1.2 PROBLEM STATEMENT

    Securing MANET is a crucial research issue. The properties of MANET impede the protection of the network environment against attacks. MANET, as an open area of wireless mobile nodes, allows external attackers to join the network easily and masquerade as legitimate nodes (D. Wang et al. 2008). Moreover, the limited bandwidth of a MANET also renders its nodes vulnerable to isolation and its communications susceptible to frequent breaks. Furthermore, the lack of centralized authorization and security cooperation adds to the susceptibility of the entire network to attacks. MANET is open to many types of attacks. Flooding-based attacks are the most popular type because they are dangerous and effective (Ghazali & Hassan 2011).

    HIS is the basis of the intrusion detection algorithms of AISs, and these algorithms detect different types of attacks. For example, Greensmith introduced a novel danger-based AIS called the dendritic cell algorithm (DCA) to detect port scan attacks over a wired network (Greensmith et al. 2005; Greensmith et al. 2010). DCA is inspired by the capability of DCs to receive multiple antigens and signals, as well as to reveal the context of each antigen. However, fusing the information of multiple signals and antigens without any association between each antigen and its related signals increases the error rate of the detection operation. Therefore, DCA suffers from high false positive rates and low accuracy rates. The AISs introduced by Amaral (2011), Chelly and Elouedi (2010) and Wallenta et al. (2010) depend mainly on the core of DCA with certain adaptations. The work of Amaral (2011) depends on DCA and uses fuzzy logic theory instead of the fixed weights used in DCA; the resulting algorithm is applied to detect faults in analog circuits, which is outside our research scope. Chelly and Elouedi (2010) use fuzzy logic in the final stage of DCA to classify the antigens after each antigen context has been decided according to DCA and the empirical equation applied by Greensmith (2010); their enhancement has been applied to detect abnormal behaviours on a specific data set. Wallenta et al. (2010) applied DCA over wireless sensor networks (WSNs) to detect a flooding-based attack called the cache poisoning attack. As all of the above algorithms depend mainly on DCA, they necessarily suffer from high false positive and low accuracy rates.

    DCFA shares with the previously introduced AIS-based IDSs its inspiration from the DC biological model in HIS. Antigens and the related signals, which represent the detected attack and its behaviours, are utilized by DCFA and by the previous works. However, DCFA associates each antigen with its related signals, which is not done in the previous works. Also, DCFA does not depend on or enhance any of the previous algorithms; it is a standalone hybrid intelligent algorithm that combines the relevant features of both danger theory-based AISs and fuzzy logic theory. Unlike the works in the literature, DCFA utilizes two main pathways of intrusion detection operation in its AIS part, the primary immune response (PIR) pathway and the secondary immune response (SIR) pathway. The use of each pathway is controlled by DCFA in order to achieve high security and network performance.

    The performance of each intrusion detection algorithm is measured by two main metrics: false positive and accuracy rates. Current AIS algorithms produce high false positive and low accuracy rates (Stibor et al. 2005; Wu & Banzhaf 2010). If an AIS intrusion detection algorithm mistakenly considers a normal node to be an attacker, that node will be isolated from the network and the false positive rate will increase. Hence, many normal nodes will be penalized by the AIS intrusion detection algorithm as intruder nodes. Faulty detection of normal nodes leads to MANET partitioning and degrades its performance as well. In contrast, if the AIS intrusion detection algorithm mistakenly considers one or more attackers to be normal nodes, this will encourage the attackers to disseminate the threat and continue degrading MANET performance.
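The fusion problem described above (a cell's single context being stamped on every antigen it happened to collect) and the five rates used to measure it can both be made concrete with a small model. The following Python is an added example written for this page; it is not code from the thesis or from any published DCA implementation. The fusion weights, the CSM and MCAV thresholds, the per-event signal values and the two event streams are assumed values constructed for illustration, and `run_associated` is only a contrast case showing per-antigen association, not the DCFA of Chapter V.

```python
"""Added example: simplified dendritic-cell style signal fusion, showing why
presenting every antigen a cell collected with one shared context makes the
verdict depend on arrival order, plus the five detection rates used in this
thesis.  Weights, thresholds and event streams are constructed for illustration;
they are not the published DCA parameters nor the thesis's DCFA."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Signals = Tuple[float, float, float]            # (PAMP, danger, safe)

# Assumed fusion weights: each row maps (PAMP, danger, safe) to one output signal.
WEIGHTS = {
    "csm":    (2.0, 1.0,  2.0),   # costimulatory molecules: "enough evidence, present now"
    "semi":   (0.0, 0.0,  1.0),   # semi-mature (safe) context
    "mature": (2.0, 1.0, -1.5),   # mature (danger) context; the safe signal suppresses it
}
CSM_THRESHOLD = 10.0     # assumed: a cell presents its antigens once CSM reaches this
MCAV_THRESHOLD = 0.5     # assumed: an antigen is flagged when its mature fraction exceeds this

# Constructed per-event signal vectors for two node behaviours.
BENIGN_SIG: Signals = (0.0, 0.0, 2.0)   # normal traffic: only a safe signal
FLOOD_SIG: Signals = (2.0, 3.0, 0.0)    # RREQ flood: PAMP plus danger signal
TRUTH = {"a1": True, "n1": False, "n2": False}   # ground truth: a1 is the attacker


def fuse(sig: Signals) -> Dict[str, float]:
    """Weighted sum of the three input signals into the three output signals."""
    pamp, danger, safe = sig
    return {name: wp * pamp + wd * danger + ws * safe
            for name, (wp, wd, ws) in WEIGHTS.items()}


@dataclass
class Cell:
    antigens: List[str] = field(default_factory=list)
    csm: float = 0.0
    semi: float = 0.0
    mature: float = 0.0


def run_shared_context(stream: List[Tuple[str, Signals]]) -> Dict[str, float]:
    """One cell samples antigen + signals in arrival order.  When CSM crosses the
    threshold it presents EVERY antigen it holds with ONE context (mature if the
    mature output beats the semi-mature output).  Returns the mature context
    antigen value (MCAV) per antigen: mature presentations / total presentations."""
    presented: Dict[str, List[int]] = {}
    cell = Cell()
    for antigen, sig in stream:
        cell.antigens.append(antigen)
        out = fuse(sig)
        cell.csm += out["csm"]
        cell.semi += out["semi"]
        cell.mature += out["mature"]
        if cell.csm >= CSM_THRESHOLD:
            is_mature = cell.mature > cell.semi
            for a in cell.antigens:
                m, t = presented.setdefault(a, [0, 0])
                presented[a] = [m + int(is_mature), t + 1]
            cell = Cell()                       # a fresh cell takes over sampling
    return {a: m / t for a, (m, t) in presented.items()}


def run_associated(stream: List[Tuple[str, Signals]]) -> Dict[str, float]:
    """Contrast case (assumed illustration, not the thesis's DCFA): each antigen
    accumulates only the signals sampled together with it, so its context cannot
    be contaminated by another antigen that happened to be in the same cell."""
    acc: Dict[str, List[float]] = {}
    for antigen, sig in stream:
        out = fuse(sig)
        m, s = acc.setdefault(antigen, [0.0, 0.0])
        acc[antigen] = [m + out["mature"], s + out["semi"]]
    return {a: (1.0 if m > s else 0.0) for a, (m, s) in acc.items()}


def ids_metrics(mcav: Dict[str, float], truth: Dict[str, bool]) -> Dict[str, float]:
    """False positive, false negative, true positive, true negative and accuracy
    rates: the five security metrics used in this thesis."""
    tp = fp = tn = fn = 0
    for a, is_bad in truth.items():
        flagged = mcav.get(a, 0.0) > MCAV_THRESHOLD
        if flagged and is_bad:
            tp += 1
        elif flagged:
            fp += 1
        elif is_bad:
            fn += 1
        else:
            tn += 1

    def rate(n: int, d: int) -> float:
        return n / d if d else 0.0

    return {"tpr": rate(tp, tp + fn), "fnr": rate(fn, tp + fn),
            "tnr": rate(tn, tn + fp), "fpr": rate(fp, tn + fp),
            "accuracy": rate(tp + tn, tp + fp + tn + fn)}


def stream_separated() -> List[Tuple[str, Signals]]:
    """Constructed: n1's traffic, then the whole flood, then n2's traffic."""
    return [("n1", BENIGN_SIG)] * 3 + [("a1", FLOOD_SIG)] * 4 + [("n2", BENIGN_SIG)] * 3


def stream_interleaved() -> List[Tuple[str, Signals]]:
    """Constructed: the same events, but n1's packets arrive between a1's floods."""
    return ([("a1", FLOOD_SIG), ("n1", BENIGN_SIG)] * 3
            + [("n2", BENIGN_SIG)] * 3 + [("a1", FLOOD_SIG)])


if __name__ == "__main__":
    for name, stream in (("separated", stream_separated()),
                         ("interleaved", stream_interleaved())):
        shared = run_shared_context(stream)
        print(name, "shared-context MCAV:", shared, ids_metrics(shared, TRUTH))
        print(name, "per-antigen MCAV:   ", run_associated(stream))
```

Running it classifies the same set of events correctly when a1's flood and n1's packets arrive in separate batches, but flags n1 as an attacker (false positive rate 0.5, accuracy 2/3) when they interleave, because n1's antigen sits in the same cell as the flood's danger signal at the moment CSM crosses the threshold. With per-antigen association the verdict does not change with the order, which is the property the paragraph above attributes to associating each antigen with its own signals.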

    Current research shows little interest in studying the effects of RCA on MANET performance in depth, that is, on throughput, end-to-end delay, energy consumption and routing overhead. Also, RCA has not been analyzed under the different factors which affect the efficiency of the attack itself, such as varying the attackers' flooding rate, radio range and position in the network, and varying the number of attackers in a group attack. Therefore, an efficient, self-defensive and self-organizing AIS intrusion detection algorithm with low false positive and high accuracy rates must be introduced to protect MANET and increase its robustness. In addition, securing MANET should not add overhead to its performance metrics. This research attempts to achieve these goals.

    1.3 RESEARCH OBJECTIVES

    The core objective of this research is to build a new robust intrusion detection algorithm for MANET by achieving the following precise objectives:

    i. To develop a simulation model platform for a flooding-based attack and a countermeasure for that attack over MANET.

    ii. To implement and analyze the flooding-based attack, namely RCA, over MANET.

    iii. To develop and evaluate a standalone AIS-based intrusion detection algorithm which can detect RCA over MANET.

    1.4 RESEARCH CONTRIBUTIONS

    This research contributes to the literature as follows:

    i. A new RCA attack model and its countermeasure, the DCFA model, have been developed and added to QualNet v5.0.2 to be implemented over MANET.

    ii. New factors have been introduced to implement and analyze RCA over MANET, specifically, varying the number of attackers in combination with the attackers' positions, and varying the attackers' radio range and flooding rate.

    iii. A new AIS-based algorithm and its related model have been developed and evaluated. The model has been added to QualNet v5.0.2 to be tested with both security and network measurements. Five security performance metrics have been used to test DCFA, specifically false positive, false negative, true positive, true negative and accuracy rates. Also, four network performance metrics have been used to test DCFA: throughput, end-to-end delay, energy consumption and routing overhead.

    1.5 RESEARCH SCOPE

    This research is concerned with the development of a danger theory-based AIS

    intrusion detection algorithm. The proposed algorithm utilizes innate immunity cell

    functions as forensic navigators and anomaly-based intrusion detectors in human body

    tissues. The focus is on the functions of DCs in innate immunity.

    The decision of whether a DC's context is mature or semi-mature is implemented with fuzzy logic theory. Verification of the proposed algorithm is performed on MANET to detect a flooding-based attack called RCA, which is also called the sleep deprivation attack. RCA can be detected in the AODV routing protocol (Boukerche et al. 2011; Perkins et al. 2003; Perkins & Royer 1999; Royer & Toh 1999; Taneja & Kush 2010). Simulation using QualNet v5.0.2 has been used to test both the effect of RCA and the performance of the proposed DCFA.

    1.6 RESEARCH METHODOLOGY

    As shown in Figure 1.2, this research is conducted in five phases. Phase one includes building a comprehensive literature review from all types of published documents, such as papers, surveys and books related to the research scope. Phase two includes conducting a simulation to analyze the effect of flooding-based attacks, RCA in particular, on specific MANET performance metrics such as throughput, end-to-end delay, energy consumption and routing overhead. In phase three, an AIS intrusion detection algorithm called DCFA and its related model have been developed. Phase four includes conducting a simulation to verify the effectiveness of the proposed AIS algorithm; the performance evaluation results are analyzed. Finally, the results obtained from applying both RCA and the proposed DCFA have been analyzed in phase five. Figure 1.2 provides a summary of the research steps.

    Figure 1.2 Research steps

    1.7 THESIS OUTLINE

    This research is structured as follows. Chapter II presents the review of related

    literature. MANET concepts, challenges and routing protocols are introduced. Security

    issues are then discussed followed by the efforts to study the effects of attacks on

    MANET. Chapter II also presents the biological background of the danger theory in

    HIS and provides a brief introduction of fuzzy logic theory. Furthermore, current

    research efforts to develop intrusion detection algorithms and AIS algorithms to

    protect routing protocols in MANET are surveyed and classified.

    Chapter III presents the methodology employed in this research. The danger

    theory model, which is the basis of the proposed AIS algorithm, is described. The


    AODV routing protocol as the underlying routing protocol in this research and its

    vulnerability to RCA are also discussed in this chapter. A detailed description of fuzzy

    logic theory is presented and the simulation environment design, simulation

    parameters and performance metrics employed in the experiments are detailed. The

    vulnerability of AODV routing protocol to RCA is discussed comprehensively in

    Chapter IV. A set of experiments and a simulation are conducted to determine the

    negative effects of RCA on critical network performance metrics.

    The formal description of the proposed AIS intrusion detection algorithm

    called DCFA is introduced in Chapter V. The capability of the DCFA algorithm to

    detect RCA is analyzed in Chapter VI. This chapter also presents the evaluation of the

    network performance metrics when DCFA is applied. Finally, Chapter VII provides a

    summary of the thesis as well as recommendations for future research.


    CHAPTER II

    LITERATURE REVIEW

    2.1 INTRODUCTION

    This chapter reviews the work related to this research. It introduces a background on MANET and its related topics such as routing and the special characteristics of MANET. Security issues over MANET are also explained. In addition, this chapter summarizes a set of research studies on the effects of attacks over MANET. Furthermore, it reviews the biological concepts and functions of the HIS and discusses the previously introduced AIS-based and non-AIS-based intrusion detection algorithms.

    2.2 MOBILE AD HOC NETWORK

    MANET is defined as a rapidly deployable, self-organizing and multi-hop wireless network. It is typically set up for a limited period of time and for particular applications such as military, disaster-area and medical applications. Nodes in MANET may move arbitrarily while communicating over wireless links. This network is typically used in situations where there is no centralized administration or support from networking infrastructure such as routers or base stations. Thus, nodes must act as both routers and end-systems and organize themselves in an efficient manner (Chlamtac et al. 2010; Murthy & Manoj 2004).

    Figure 2.1 depicts an example of such a MANET with 9 nodes. In the figure, the circle around each node represents its radio range. Node S has one neighboring node, node 1, within its radio range, but the destination D is beyond its radio range. Thus, to communicate with D, S must use a multi-hop path S 1 2.


    Figure 2.1 Mobile ad hoc network

    2.2.1 MANET Characteristics

    Many recent studies treat MANET as a new technology with specific characteristics that distinguish its environment from other types of networks. These characteristics are as follows (Çayırcı & Rong 2009; von Mulert et al. 2012; D. Wang et al. 2008):

    C1-Openness: MANET nodes communicate with each other through an open wireless medium. Hence, outside attackers can easily join the trusted node environment.

    C2-Limited resources: MANET has limited power and bandwidth capacity.

    C3-Mobility and dynamicity: MANET consists of highly mobile nodes, which causes frequent topology changes and reconfiguration.

    C4-Wireless medium signalling: The nodes in MANET interact with each other through wireless signalling.

    C5-Flexibility: MANET can be deployed in any type of area, even unstable ones such as military zones or areas prone to frequent natural disasters.

    C6-Decentralization and self-organizing: MANET is an infrastructure-less wireless network with no centralized management points. Every node manages itself and can help manage the other nodes by sending alarm messages when an attacker is detected.

    C7-Distributed computation: Each node performs its own routing processing and security processing and informs the other nodes to help the network survive.

    2.2.2 MANET Routing Protocols

    In all types of networks, routing is the process of discovering a certain destination node on request from a source node that needs to send data packets to that destination, and of maintaining the connection between them. However, routing over dynamic mobile nodes in MANET is a challenge that many routing protocols have been designed to solve (Royer & Toh 1999; Zhao 2005). Any algorithm introduced over MANET, either for routing or for security, should deal efficiently with a set of aspects. It should perform distributed computing in each node in a decentralized, self-organizing and self-healing manner. At the same time, the algorithm should adjust its functionality to transfer data over limited bandwidth using a limited amount of energy (Alotaibi & Mukherjee 2011). In previous years, routing protocols were classified, based on the routing information updating mechanism, into two main categories: reactive and proactive routing protocols.

    More recently, the scalability problem that arises with a large number of dispersed nodes, the need to cope with the limited battery power of the mobile nodes, and continuous attempts to enhance the previously introduced routing protocols have all led to the new categories of routing protocols over MANET shown in Figure 2.2 (Boukerche et al. 2011).

    In reactive (or on-demand) routing protocols, the source node requests a route to a destination node, when needed, by flooding route request packets through its neighbors in a stage called route discovery. The source node may request only one path (uni-path) to the destination node, as in the AODV routing protocol.


    In proactive (or table-driven) routing protocols, the source node preserves routing information to all existing network destinations in a routing table. Accordingly, the route to the destination is established proactively, unlike in the reactive routing category mentioned above. As with reactive routing protocols, proactive routing protocols are divided into uni-path and multi-path routing protocols. For instance, destination-sequenced distance-vector (DSDV) (Perkins & Bhagwat 1994) is a uni-path routing protocol, whereas neighbor table-based multipath routing (NTBR) (Yao et al. 2003) is a multi-path proactive routing protocol.

    Figure 2.2 MANET routing protocols categories

    Hybrid routing protocols combine the related features of both reactive and proactive routing protocols; an example is the zone routing protocol (ZRP) (Samar et al. 2004). In multicast routing protocols, the source node may discover routes to several destinations simultaneously. An example of this category is dynamic core based multicast routing (DCMP) (Das et al. 2002).

    In geographical (or location-aware) routing protocols, each node can determine the geographical location of the other nodes and use this information in its routing protocol. Specifically, the node can use the global positioning system (GPS) to determine the exact coordinates of any destination it communicates with. An example of this category is location-aided routing (LAR) (Ko & Vaidya 2000).

    In hierarchical routing protocols, mobile nodes are arranged hierarchically through clustering techniques. Consequently, the nodes at a higher level of the hierarchy are responsible for providing special services to other nodes. This technique reduces the routing overhead and solves the scalability problem, especially when the size of the MANET becomes larger. An example of this category is hierarchical state routing (HSR) (Iwata et al. 1999). Finally, power-aware routing schemes have been built to take routing decisions based on the available energy in the mobile nodes. An example of this category is power-aware routing in mobile ad hoc networks (Singh et al. 1998).

    2.3 SECURITY OVER MANET

    Information security, as shown in Figure 2.3, is categorized into two main branches: computer security and communication security. Computer security protects the host from both hardware and software intrusions, such as damaging hardware components and worms or viruses that violate the security services in each part respectively. Communication security protects the link from passive and active attacks.

    Communication security is divided into two subcategories: transmission security and emanation security. Transmission security, which is the scope of this research, is defined as securing the transmitted data from being revealed to unauthorized users and securing the link services from being disrupted. Emanation security secures visual and audio information from being revealed to unauthorized receivers (Çayırcı & Rong 2009).


    Figure 2.3 Information security

    In any secured system, adding more security functions means adding more overhead (Sommerville 2004). In MANET this poses a big challenge that may degrade the network performance. Securing MANET through lightweight functions that still achieve the intended security goals is therefore very important. It is worth noting that no system in the world is 100% secure.

    2.3.1 Security Primitives

    Intrusion detection systems form a line of defence that captures any malicious action trying to violate one of the security services. The following two well-known categories of intrusion detection are used in intrusion detection techniques (Brutch & Ko 2003):

    - Signature detection: this technique keeps all of the well-known attacks in its database so that it can accurately and effectively detect any encountered attack. However, it fails to detect newly invented attacks.

    - Anomaly detection: this technique keeps a normal profile for each measured parameter, updated every period of time. When an abnormal value of a parameter enters the system, a large enough deviation from the profile can reveal the existence of an attack. The strength of this technique is its ability to detect even newly invented attacks. However, it may produce high rates of false positive alarms.


    2.3.2 Security Goals

    Security is an important aspect in wireless ad hoc networks, especially for the more sensitive applications in military and critical tactical wireless networks. To the best of our knowledge, until now no research has achieved a fully secured MANET that is protected against all types of attacks (Greensmith 2007; Su & Adviser-Boppana 2009).

    However, security systems do their best to fulfil as many of the security goals as they can. The goals of security are to achieve the following services (Çayırcı & Rong 2009; Juels 2006; Su & Adviser-Boppana 2009):

    - Authentication: ensures that the node is communicating with the intended and correct node.

    - Access control: protects the nodes and the network resources from being accessed by unauthorized users.

    - Confidentiality: protects the transmitted data from being revealed to unauthorized users. This service is very important for protecting messages transmitted in sensitive cases, such as military messages in war and a country's secret information connections.

    - Integrity: protects the messages transmitted through the link from being changed along their path by malicious nodes, so they are delivered with the same contents as sent by the source node.

    - Authorization: gives the claimed node the right to either modify the information or receive it. It is achieved through the integrity and authentication services.

    - Non-repudiation: ensures that the source node of the message is the one that really sent it and not someone else.

    - Availability: ensures the existence of network services and resources without any depletion or disruption by malicious nodes. This service counters denial of service (DoS) attacks.

    - Resilience to attacks: ensures the survivability of the network if one or more nodes have been destroyed or compromised by the intruder.

    - Freshness: prevents the malicious node from resending spoofed packets and renewing the intrusion.

    2.3.3 Types of Attacks over MANET

    There are many types of attacks that form a real threat when applied to MANET; each type of attack differs from the others in the way the threat is applied, the goal of the attack and the stack layer targeted by the attacker. A summary of the MANET attacks is shown in Figure 2.4. Some attacks are passive and others are active. Active attacks may be internal or external. In the internal type of attack, the attacker is located inside the attacked MANET, which is dangerous because the attacker is initially considered a trusted node. However, in the external type of attack the attacker comes from outside the MANET, so it is easier to detect as it is not well trusted. Passive attacks are only performed internally.


    Figure 2.4 Attacks over MANET

    Active and passive attacks are defined as follows (Çayırcı & Rong 2009; D. Wang et al. 2008):

    Passive attack: in this type of attack, the intruder only monitors certain connections to gain information about the traffic without injecting any fake information. This type of attack serves the attacker to gain information and footprint the invaded network in order to apply the attack successfully. The types of passive attacks are eavesdropping and traffic analysis (Çayırcı & Rong 2009); each is explained as follows:

    - Eavesdropping: The intruder silently listens to the communication by tapping the wireless link.

    - Traffic analysis: The intruder analyses the traffic in order to gain information about the network topology and hence inject the attack in a strategic place (e.g. near the cluster head) that helps the threat succeed.

    Active attack: in this type of attack, the intruder performs an effective violation of either the network resources or the transmitted data; this is done by causing routing disruption, network resource depletion and node isolation. Below is a list of active attacks with a brief explanation of each type. Some active attacks depend on flooding bogus packets to achieve their purposes. The last six attacks in the list are examples of flooding-based attacks over MANET. All of the listed attacks lead to DoS when launched over MANET.

    - Black hole: The intruder injects the control routing packets with fake information in order to attract the node that requested the route and hence gain that route. After the intruder acquires the route, it can apply different types of attacks such as dropping and modifying packets (von Mulert et al. 2012; Yih-Chun & Perrig 2004).

    - Gray hole: Same as the black hole attack; however, when the intruder succeeds in controlling the route, it selectively drops and modifies the packets (D. Wang et al. 2008).

    - Worm hole: In this attack, cooperation between at least two intruders is required; they communicate through a high speed link to deceive the nodes, which wrongly consider the malicious link as the shortest path to the destination node (von Mulert et al. 2012).

    - Dropping packets: The intruder simply drops packets in the network destined for the target node. If it performs selective dropping, it is harder to detect (Baadache & Belmehdi 2012).

    - Sybil: In this attack, the intruder masquerades under the identities of multiple nodes.

    - Selfishness: In this attack, the intruder does not relay the packets received from others and forces the other nodes into long back-offs at the medium access control (MAC) layer so it can use the link at any time (Çayırcı & Rong 2009; Kargl et al. 2005).

    - Detour: In this attack, the intruder creates virtual nodes on the optimal routes so that they appear longer and costlier than the other, non-optimal routes; this forces the nodes to wrongly use the non-optimal routes (Çayırcı & Rong 2009).

    - Rushing: In this attack, the intruder broadcasts route request and reply packets very quickly in order to make the nodes discard any other control packet in the network (von Mulert et al. 2012; Yih-Chun & Perrig 2004).

    - Exploiting node penalizing schemes: In this attack, the intruder broadcasts error messages about well performing nodes and causes jamming so that these nodes are put on the black list (Çayırcı & Rong 2009).

    - Routing table overflow: In this attack, the intruder overflows the nodes' routing tables with fake routing information (D. Wang et al. 2008).

    - Hello flood: In this attack, the intruder broadcasts hello messages to all the network nodes using strong enough power to be wrongly considered as their neighbour (Çayırcı & Rong 2009).

    - RCA: also called the sleep deprivation attack; it is explained extensively in Section 3.8.

    2.4 STUDIES IN THE EFFECTS OF ATTACKS OVER MANET

    Studying the effect of a certain attack over MANET reveals the points of strength and weakness of that attack. Therefore, this stage of study is considered a prerequisite to the stage of developing a countermeasure to the attack. The following studies investigated the effect of certain attacks over MANET.


    In (Gupta et al. 2002), Gupta et al. studied the effects of flooding attacks on the 802.11 MAC protocol. They measured the effects of such attacks on the throughput of legitimate nodes. The legitimate nodes located one hop from the attackers are affected to a much higher degree than those at two hops or more, because the one-hop neighbours of the attackers lose almost their entire throughput under the suppression caused by the flooding.

    In (Gu et al. 2007), Gu et al. analyzed the effect of the distributed denial of service (DDoS) attack on the throughput of legitimate nodes in MANETs. They examined the effect of remote and local flooding attacks and found that remote flooding damages MANETs more effectively than local flooding does.

    However, the authors in (Yi et al. 2005) investigated the effect of executing RCA over the AODV routing protocol and used the packet delivery ratio only as a performance metric. They observed that when a 30 RREQs/s flooding rate is applied, the RCA attackers decrease the packet delivery ratio by about 97%. At a 20 RREQs/s flooding rate, however, the attackers decrease the packet delivery ratio by about 50%.

    Also, Ning and Sun in (Ning & Sun 2005) introduced a systematic analysis of the AODV routing protocol under different attack actions. They explained how each action is executed on each routing packet in AODV and the goal(s) achieved by manipulating the protocol. The study is useful for researchers interested in designing secure routing protocols, but the authors tested only one attacker. Furthermore, they did not consider the vulnerability of AODV to the RREQ packet flooding attack, which strongly threatens the power capacity of network batteries.

    In (Nguyen & Nguyen 2008), the authors simulated the effect of four types of attacks, namely rushing, black hole, neighbor and jellyfish attacks, on MANET. They applied the attacks over the on-demand multicast routing protocol and found that as the number of attackers increases, network performance decreases for all four types of attack. They also determined that increasing the number of sender groups in multicast routing protocols supports robustness and security.

    Wallenta et al. in (Wallenta et al. 2010) measured the effectiveness and efficiency of the interest cache poisoning attack on sensor networks (as a special type of MANET). In the burst attack, a technique of the interest cache poisoning attack, the attacker continuously floods the network with numerous bogus packets, which imposes the worst effect on sensor caches.

    Finally, in (Sakellari 2011), Sakellari evaluated the performance of the cognitive packet network (CPN) (Gelenbe et al. 2002) routing protocol in MANETs in the presence of worms and threats. CPN provides quality of service (QoS) routing by self-learning from special packets. The evaluated performance was compared with that of open shortest path first (Sidhu et al. 1993). CPN survives and stays robust in guiding the network in the presence of worms.

    2.5 THE HUMAN IMMUNE SYSTEM IN BIOLOGY

    As immunology offers a wealth of biological models and concepts from which computer scientists draw inspiration for their AIS algorithms, it is important to understand HIS in biology; this section provides that background for the discussion of AIS algorithms in this research.

    2.5.1 Introduction to HIS

    HIS is a network of cells, molecules, tissues and organs (such as lymph nodes) that cooperate with each other to protect the human body from invaders. In biology, human body invaders are termed pathogens and antigens. Pathogens are the microbes that cause disease in the human body, such as bacteria, viruses, parasites and fungi. Antigens, however, are the molecules or protein segments (peptides) from pathogens. HIS can recognize pathogens through their correlated antigens. Each antigen has a specific structure and hence forms a specific pattern to be detected and processed by the HIS. As a consequence, HIS can recognize the related pathogen and decide either to tolerate or to fight it (Janeway et al. 2005; NIAIDS 2003).


    2.5.2 The HIS Cells

    In biology, cells are the main structural units that build all of the human body systems, such as the digestive, immune, lymphatic and cardiovascular systems. In any organ system, cells of a specific functional type congregate to form a particular tissue. In the same way, a collection of tissues with the same characteristics forms a specific organ, and a group of cooperating organs with related functions works together in the same biological system, such as HIS.

    The cells in HIS are in continuous interaction with the environment of the human body tissues on one side and with each other within the immune system on the other side. Each cell has receptors, which are proteins bound to the outer membrane of the cell. These receptors have the capability to recognize various types of incoming molecules from body tissues in a lock-and-key manner. The binding between a certain receptor and a molecule is called affinity, which reflects how strong the binding is. This affinity causes receptor activation, which leads to many changes in the cell's metabolism, morphology and functionality.

    A molecule reacts with a certain receptor through its epitope portion, whilst the receptor reacts through its paratope portion. Molecules secreted from body tissues that control cell behaviours are called cytokines, whereas those that cause immune cells to move and migrate are called chemokines (Alberts 2002; Lodish et al. 1995). Cells in HIS are divided into two main categories: phagocytes (or antigen presenting cells (APCs)) such as DCs, granulocytes and macrophages in the innate immunity, and lymphocytes such as T-cells and B-cells in the adaptive immunity (NIAIDS 2003). This requires explaining the two main cooperative HIS subsystems in subsection 2.5.3.

    2.5.3 Innate and Adaptive Immunity

    HIS is usually divided into two main subsystems, innate immunity and adaptive immunity, each of which has specific functions and characteristics. Specifically, innate immunity specializes in identifying the general pattern of the incoming pathogens and inducing the adaptive subsystem to determine an exact response (either toleration or fighting) to those pathogens (Janeway 1998). Adaptive immunity, however, is more complex and accurate than innate immunity. It can recognize the specific pattern of the incoming pathogens and memorize their patterns for a long time (Janeway et al. 2005).

    As the innate immunity performs the defense in a non-specific manner while the adaptive immunity protects the human body in a specific way, the reason behind the complementary, different resistance operations of these two subsystems needs to be explored. By studying the cells of the two subsystems in depth, immunologists found that in the innate immunity, the receptors of the same type of cells have a fixed genetic structure and can only recognize a general feature of a group of the incoming pathogens.

    2.5.4 T-Cells

    All of the human body's cells are born from stem cells in the bone marrow through a stimulation operation. T-cells are born in the same way; however, they do not stay static in the HIS but undergo a cyclic differentiation in response to the incoming signals (molecules). For example, when T-cells receive signals, this induces their capability to produce cytokines and to differentiate. Also, these cytokines may influence other cells to differentiate, such as B-cells in the adaptive immunity.

    The maturation place for T-cells is a lymph node called the thymus. In the thymus, T-cells go through two main maturation operations: positive selection and negative selection. These operations are performed over T-cells in order to protect the human body from autoimmunity. In other words, these operations filter the T-cells to prevent them from binding with any of the human body's antigens (self antigens). In positive selection, T-cells that show weak binding with non-self antigens are killed. In negative selection, T-cells that show strong binding with self antigens are killed (Kyewski & Derbinski 2004).

    After the maturation stage, T-cells are termed naïve T-cells since they have never met the antigens that can bind with their receptors. This type keeps moving through the lymphatic and cardiovascular systems and body tissues until they encounter DCs in the lymph nodes, as explained in the following subsection.

    2.5.5 Dendritic Cells

    DCs have three main differentiation states: immature, semi-mature and mature. When immature DCs receive enough input signals, they become either semi-mature or mature DCs based on the concentration of specific types of these input signals. Immature DCs receive four types of input signals: PAMP, danger, safe and inflammation signals. PAMP signals strongly indicate the existence of an infectious pathogen. Danger signals are released by necrotic cells, which are human body cells under stress or dying abnormally. Safe signals, however, are released by apoptotic cells, which are healthy cells or cells that die in a normal way. Inflammation signals are released as a result of an increase in the cells' temperature caused by an unhealthy state or infection. DC input signals are divided into endogenous and exogenous signals. Endogenous signals are those released from the cells of the body itself, such as safe, danger and inflammation signals. Exogenous signals, however, are released from the microbes that enter the human body from the outside environment; an example of this type is PAMP signals (Dasgupta et al. 2011).

    When immature DCs are exposed to these input signals, the concentration of each controls their next terminal differentiation state (either mature or semi-mature DCs). For example, if the concentration of the received PAMP and danger signals is greater than that of safe signals, the immature DCs differentiate into mature DCs. PAMP and danger signals cause the receiving immature DCs to process their contents and produce a certain cytokine called interleukin-12 (IL-12). Also, PAMP and danger signals induce immature DCs to produce costimulatory molecules (CSM), also called CD80/86 in biology. The CSM signal simplifies the process of antigen presentation to the T-cells in lymph nodes. Conversely, if the concentration of safe signals is greater than that of PAMP and danger signals, then the immature DCs differentiate into semi-mature DCs. In this case, safe signals are responsible for producing interleukin-10 (IL-10). Additionally, safe signals induce the DCs to produce CSM signals, the same as PAMP and danger signals do. Therefore, the received input signals indicate the behavioural context of the digested antigens, i.e. whether they are benign or malignant.

Figure 2.5 pictures the three differentiation states of DCs. Although DCs have the same receptor structure in all three states, they differ in morphology. As Figures 2.5 (b) and (c) show, semi-mature and mature DCs have a wider surface than immature DCs. The larger surface increases the capability of mature and semi-mature DCs to display their receptors and bind T-cell receptors when they meet T-cells in the lymph nodes.

Figure 2.5 States of DC differentiation. (a) immature, (b) semi-mature, (c) mature (Greensmith et al. 2010)

When immature DCs collect antigens from tissue, the antigens are digested into small protein segments called peptides. The major histocompatibility complex (MHC) presents these peptides on the surface of the DC as peptide-MHC complexes, so that T-cells can recognise them easily. Once immature DCs have been exposed to a sufficient amount of signal, they migrate to the lymph nodes, where they encounter naive T-cells (NT-cells). The capacity of each immature DC for antigens and signals, and the concentration of external signals that triggers migration, are still open questions in immunology (Greensmith 2007).

Activation of T-cells in the lymph node needs two signals. The first signal occurs when the T-cell receptors bind the peptide-MHC complexes on the surface of the DC; this happens in both the danger and the safe case. The second signal is either IL-12, emitted by fully mature DCs to stimulate the T-cell to fight in the danger state, or the cytokine IL-10, emitted by semi-mature DCs to suppress the naive T-cell in the safe state (Bretscher 1999; e Sousa 2001; Oshashi & De Franco 2002).

The communication between DCs and T-cells is an example of the co-stimulation concept applied by the immune system. Through co-stimulation, HIS cells move along a path of changes and may produce a population of cells to fight the incoming danger. For instance, when naive T-cells bind mature DCs and receive IL-12, they pass through a set of differentiation processes termed clonal expansion. The clones then differentiate into effector T-cells, memory T-cells (MT-cells) and suppressor T-cells (ST-cells); cytotoxic T-cells are the type of effector T-cell responsible for killing the cells infected by the incoming pathogen. MT-cells memorise the recognised malignant pathogen so that a quick response can be mounted as soon as it is detected again in the body tissues. This quick and effective reaction to a known pathogen is called the secondary immune response (SIR); when the immune system first has to learn a pathogen through a long process of collection and activation, that is termed the primary immune response (PIR) (Janeway et al. 2005).

2.5.6 Self Non-Self and Danger Theories

Forrest et al. (1994) brought the self non-self discrimination theory into computer security, and it has since been considered the essential basis for AIS intrusion detection. Some up-to-date studies still build on it, while others follow its competitor, the danger theory proposed by Matzinger (1994, 2001, 2002, 2007). In self non-self, the HIS tolerates all of the self antigens and fights all of the non-self ones. Negative selection is the main operation in the self non-self theory: the T-cells that match self antigens are killed, and the remaining T-cells serve as detectors for the non-self antigens. Applying negative selection in AIS leads to a scaling problem: the number of detectors needed to cover the non-self space grows with the size of the self set, and the resulting coverage gaps and over-generalised detectors increase the false negative and false positive alarm rates.
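The negative selection operation just described, as an added illustration in Python (this is not code from the thesis or from Forrest et al.). Detectors are random bit strings matched by the r-contiguous-bits rule; the string length, r, the self set and the number of detectors are assumptions chosen for illustration. Sweeping the whole string space shows both sides of the scaling problem: a detector that would fire on self never survives censoring, but non-self strings that no detector covers (holes) are missed.

```python
"""Negative selection with r-contiguous-bit matching (added example, not the
thesis's or Forrest et al.'s code). String length, r and the self set are
constructed assumptions for illustration."""
import itertools
import random

L = 8          # length of antigen and detector bit strings (assumed)
R = 4          # contiguous agreeing positions needed for a match (assumed)
SELF_SET = {"00000000", "00001111", "11110000", "11111111"}   # constructed "self"


def matches(a, b, r=R):
    """True if a and b agree on at least r consecutive positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def generate_detectors(self_set, n, rng, max_tries=50_000):
    """Censor random candidates against the self set (negative selection)."""
    detectors = []
    for _ in range(max_tries):
        if len(detectors) == n:
            break
        cand = "".join(rng.choice("01") for _ in range(L))
        if cand in detectors or any(matches(cand, s) for s in self_set):
            continue            # self-reactive (or duplicate): killed, like a T-cell
        detectors.append(cand)
    return detectors


def is_nonself(sample, detectors):
    """Raise an alarm if any surviving detector fires on the sample."""
    return any(matches(sample, d) for d in detectors)


def evaluate(self_set, detectors):
    """Sweep all 2**L strings: false positives on self, detected non-self, and
    non-self strings no detector covers ("holes", i.e. false negatives)."""
    stats = {"false_positives": 0, "detected_nonself": 0, "holes": 0}
    for bits in itertools.product("01", repeat=L):
        s = "".join(bits)
        flagged = is_nonself(s, detectors)
        if s in self_set:
            stats["false_positives"] += int(flagged)
        elif flagged:
            stats["detected_nonself"] += 1
        else:
            stats["holes"] += 1
    return stats


def run_negative_selection(n_detectors=8, seed=7):
    rng = random.Random(seed)
    detectors = generate_detectors(SELF_SET, n_detectors, rng)
    return detectors, evaluate(SELF_SET, detectors)


if __name__ == "__main__":
    dets, stats = run_negative_selection()
    print(dets, stats)
```

Raising the number of detectors shrinks the holes but costs more censoring work against every self string, which is the trade-off behind the scaling problem noted above.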

Danger theory decides to fight an antigen only if a danger state exists. Unlike self non-self, in danger theory the state of danger or safety that reflects the antigen's behaviour is the basic rule for classifying it as normal or attacker. Danger theory is more efficient because not all self antigens are stable and safe enough to be tolerated, and not all foreign antigens are harmful; for example, some types of bacteria are useful for making vitamin K in the body. Also, according to Matzinger (1994), the exact definition of self and non-self is ambiguous. In real life, the human immune system neither tolerates the whole self set nor attacks the whole set of non-self. The theory was developed further over the years 2001, 2002 and 2007 (Matzinger 1994, 2001, 2002, 2007). A biological example of the danger theory model is the interaction between DCs and naive T-cells.

2.6 FUZZY LOGIC THEORY

Fuzzy logic theory (Cox 1992) offers a natural way of representing and reasoning with human knowledge involving uncertainty and ambiguity. Fuzzy logic was introduced in 1965 by Lotfi Zadeh, a professor at the University of California, Berkeley. Zadeh's fuzzy logic theory (Zadeh 1965) provides a robust mathematical model for dealing with inaccurate real-world data. It can be used as a general methodology for incorporating knowledge, heuristics or theory into controllers and decision makers; Zadeh presented the concept as a mathematical model of human reasoning. Fuzzy logic is basically a multi-valued logic that allows intermediate values to be defined between conventional values such as cool and hot. Notions like freezing, cool, warm or hot can be formulated mathematically as membership functions and processed by computers. In this way, a more human-like way of thinking is applied to the programming of computers and the control of systems.

MANETs are complex and dynamic environments with a substantial number of uncertainties in their network and environmental parameters. Moreover, MANETs are subject to unexpected overloads and failures, and they defy accurate analytical modelling. For these reasons, fuzzy logic is a promising approach for addressing many important aspects of current complex MANETs. Numerous fields have taken advantage of fuzzy logic. In MANETs, fuzzy logic has been used to improve decision-making, reduce resource consumption and increase performance, and to adapt protocol parameters more accurately and dynamically. Areas in which fuzzy logic has been applied include QoS-based routing (Huang et al. 2007; Khoukhi & Cherkaoui 2010; Lopes Gomes et al. 2011; Xia et al. 2012; Zhang et al. 2004), energy-aware routing (Chang et al. 2006a, 2006b; Liang et al. 2007), security (Dai et al. 2009; Kayarkar 2012; Khatri et al. 2010; Xia et al. 2011) and MAC protocols (Ren & Liang 2005).

2.7 INTRUSION DETECTION SYSTEMS

This section sheds light on two categories of IDS. The first, non-intelligent IDSs, is covered in subsection 2.7.1; the second, intelligent IDSs, in subsection 2.7.2. Subsection 2.7.1 discusses many techniques introduced to counter specific types of attack launched at a specific protocol layer (e.g. the network layer or the data link layer). Subsection 2.7.2 then traces the historical development of the best known AIS intrusion detection algorithms and frameworks. As AIS-based IDSs are a recent development, few studies have applied them to MANETs. Consequently, some of the algorithms reviewed were developed for wired networks, some are applicable to MANETs, and only one (to the best of our knowledge) has been applied to WSNs.

2.7.1 Non Intelligent Intrusion Detection Systems

Ping et al. (2006) presented a flooding-based attack called the Ad Hoc Flooding Attack (AHFA). In AHFA, the intruder broadcasts RREQ packets at a high rate towards certain targeted nodes in the MANET in order to consume their energy and the network bandwidth. The authors proposed a simple mechanism to detect the attack, called Flooding Attack Prevention (FAP). In FAP, each node calculates the rate at which it receives RREQ packets from each neighbour; if the rate from a node exceeds a certain threshold, it stops processing requests from that node. The authors tested the mechanism with only one network performance metric, the packet delivery ratio, which FAP improves by only 30% compared with no protection under AHFA. The mechanism also fails when the attacker changes its IP address each time it floods its faked RREQs: because the rate is accounted per source address, no single address ever crosses the threshold and the attacker is not detected by FAP.
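The FAP rate check and its evasion, as an added example in Python (not the authors' code). The window, the rate limit and the three RREQ traces are constructed assumptions. The fixed-address flood is cut off once the limit is crossed, while a flood that rotates its source address on every RREQ is never blocked, which is the weakness noted above.

```python
"""Per-source RREQ rate limiting in the style of FAP (added example, not the
authors' code). Window, limit and traces are constructed assumptions."""
from collections import defaultdict, deque

WINDOW = 1.0          # seconds of history kept per source (assumed)
RREQ_RATE_LIMIT = 5   # RREQs allowed per WINDOW per source address (assumed)


class RreqRateFilter:
    """One filter per node; it sees every RREQ the node receives."""

    def __init__(self, window=WINDOW, limit=RREQ_RATE_LIMIT):
        self.window, self.limit = window, limit
        self.history = defaultdict(deque)   # source address -> recent timestamps
        self.blocked = set()                # sources that crossed the limit

    def accept(self, ts, src):
        """Return True if the RREQ from src received at time ts is processed."""
        q = self.history[src]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) > self.limit:               # rate over the window exceeds the limit
            self.blocked.add(src)
        return src not in self.blocked


def replay(trace, **filter_args):
    """Feed (timestamp, source) events through a filter; report which sources
    were blocked and how many RREQs from each source were still processed."""
    flt = RreqRateFilter(**filter_args)
    accepted = defaultdict(int)
    for ts, src in trace:
        if flt.accept(ts, src):
            accepted[src] += 1
    return flt.blocked, dict(accepted)


# Constructed traces of (timestamp in seconds, source address).
LEGIT = [(t * 0.5, "10.0.0.2") for t in range(10)]                    # 2 RREQ/s
FLOOD_FIXED = [(t * 0.05, "10.0.0.66") for t in range(40)]            # 20 RREQ/s, one address
FLOOD_ROTATING = [(t * 0.05, f"10.0.0.{100 + t}") for t in range(40)]  # new address per RREQ

if __name__ == "__main__":
    for name, trace in (("legit", LEGIT), ("fixed flood", FLOOD_FIXED),
                        ("rotating flood", FLOOD_ROTATING)):
        blocked, accepted = replay(trace)
        print(name, "blocked:", blocked, "processed:", sum(accepted.values()))
```

Because the per-address counter is the only state, the rotating flood leaves forty one-entry histories and every RREQ is processed; an aggregate (per-node or per-link) rate would be needed to catch it.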

Liu and Shen (2007) proposed a mechanism to mitigate the flooding attack, which denies service to the normal nodes in a MANET. In this mechanism, each legitimate node monitors its neighbours and the traffic coming from each of them, and partitions its buffer so that each neighbour gets a fixed share: a node with n neighbours reserves 1/n of its buffer for each. If a neighbour sends more than its 1/n share, the node simply discards the excess packets from that neighbour. This mechanism fails in the mobile environment of a MANET because it does not distinguish between the identities of legitimate neighbours and attackers. If a group of attackers keeps moving among the legitimate nodes, each attacker obtains a buffer share in every legitimate node it visits, can inject its flood of faked packets there, and so still succeeds in exhausting the network resources.

Venkataraman et al. (2009) proposed a trust-based mechanism in which each legitimate node classifies its neighbouring nodes into three trust levels: friends (most trusted), acquaintances (trusted) and strangers (not trusted). The classification is made from certain parameters without any intelligent method. The parameters are the ratio of packets forwarded by a neighbour to the packets sent to it, the neighbour's average response time to route requests, and the number of intact packets received from that neighbour compared with the total number received. This mechanism fails in the same scenarios as the watchdog described below.

Kim and Song (2010) proposed a period-based defence mechanism (PFM) to detect the flooding attack, in which request packets and data packets are flooded to exhaust network resources such as bandwidth and the nodes' power. In PFM, each legitimate node calculates, for each period of time, the deviation of each received packet from the average reception in that period. Packets whose deviation exceeds a certain threshold are blacklisted for that period; a blacklisted packet is discarded and not forwarded in the next period. The blacklist is recalculated in every period, which adds computational overhead and gives the attacker a fresh chance to inject its flood of faked packets in each new period.

Marti et al. (2000) introduced the watchdog, which detects the packet dropping attack at the data link layer. The watchdog overhears whether or not the neighbouring node forwards the packet it was sent to the next hop. This overhearing consumes the limited power of MANET nodes. The method also fails when a collision occurs, or when the malicious node adjusts its transmission power so that its transmission reaches the previous node but not the next one.

Lee et al. (2002) applied intrusion detection to the DSR routing protocol to detect the black hole attack. The method requires the intermediate node to send a route confirmation request (CREQ) packet to its next hop node downstream. When the next hop node receives the CREQ, it checks its cache for a route to the destination; if it has one, it sends a route confirmation reply (CREP) containing its route information to the source node. The source judges the validity of the route in the previously received RREP packet by comparing its contents with those of the received CREP packet. This method is simple and accurate. However, it causes high routing overhead, which degrades network throughput and performance.

To secure the AODV routing protocol, Deng et al. (2002) proposed a source intrusion detection routing security (SID-RS) mechanism that detects the black hole attack only in the case where an intermediate node unicasts an RREP packet. When the source node receives an RREP from an intermediate node, it sends a further route request (FRREQ) packet, over a different route, to the next hop node of that intermediate node, asking whether it has a route to the intermediate node that sent the RREP and whether it has a route to the destination. On receiving the FRREQ, the next hop node sends a further route reply (FRREP) packet containing the check results back to the source node. Based on these results: if the next hop node has routes to both the destination and the intermediate node, the source node uses the route; if it has a route to the destination but not to the intermediate node, the source node routes through the next hop node via the new route and broadcasts an alarm message to isolate the intermediate node; and if the next hop node has a route to neither the intermediate node nor the destination, the source node discovers a new route.

The mechanism of Deng et al. (2002) is efficient in detecting the black hole attack, but it has more than one drawback. Sending a further request from the source node to the next hop node and waiting for the further reply increases routing overhead and delay, especially when the mechanism is applied in a large-scale MANET or when the intermediate node is many hops away from the source node.

Kurosawa et al. (2007) introduced an anomaly-based intrusion detection mechanism that detects the black hole attack locally at each node, unlike the mechanisms of Deng et al. (2002) and Lee et al. (2002). When a source node broadcasts an RREQ packet, each node records the destination IP address and the destination sequence number in its routing table according to the AODV routing protocol. When an RREP packet is received, each node checks its routing table for the same destination IP address; if it is present, the difference between the RREP's destination sequence number and the recorded one is calculated. The average of these differences in each time slot forms a security profile for each destination, and the average over each time interval is then compared with a threshold: if it is less than or equal to the threshold, the replying node is considered normal; otherwise it is considered malicious and an alarm is broadcast. This work needs no additional routing packets, but its reliance on a threshold to identify the attacker may lead to false positive errors.
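The sequence-number profile described above, as an added example in Python (not Kurosawa et al.'s code). The slot length, the threshold and the RREQ/RREP trace are constructed for illustration; a black hole replier is modelled as returning an RREP whose destination sequence number is far above the one recorded from the RREQ, which is how it wins the route under AODV.

```python
"""Destination-sequence-number anomaly profile for AODV RREPs, following the
scheme the thesis attributes to Kurosawa et al. (added example, not their code).
Slot length, threshold and the event trace are constructed assumptions."""
from collections import defaultdict

SLOT = 10.0        # seconds per time slot (assumed)
THRESHOLD = 50.0   # average sequence-number jump tolerated per slot (assumed)


class SeqNumMonitor:
    def __init__(self, slot=SLOT, threshold=THRESHOLD):
        self.slot, self.threshold = slot, threshold
        self.rreq_seq = {}                     # destination IP -> seq seen in RREQ
        self.diffs = defaultdict(lambda: defaultdict(list))  # slot -> replier -> diffs

    def on_rreq(self, ts, dest, dest_seq):
        """Record the destination sequence number carried by a broadcast RREQ."""
        self.rreq_seq[dest] = dest_seq

    def on_rrep(self, ts, replier, dest, dest_seq):
        """Compare the RREP's destination sequence number with the recorded one."""
        if dest not in self.rreq_seq:
            return                             # no RREQ on record: nothing to compare
        slot = int(ts // self.slot)
        self.diffs[slot][replier].append(dest_seq - self.rreq_seq[dest])

    def verdicts(self):
        """(slot, replier) -> (average difference, 'malicious' or 'normal')."""
        out = {}
        for slot, per_node in self.diffs.items():
            for node, ds in per_node.items():
                avg = sum(ds) / len(ds)
                out[(slot, node)] = (avg, "malicious" if avg > self.threshold else "normal")
        return out


def run_seqnum_monitor(trace):
    mon = SeqNumMonitor()
    for event in trace:
        if event[0] == "RREQ":
            mon.on_rreq(*event[1:])
        else:
            mon.on_rrep(*event[1:])
    return mon.verdicts()


# Constructed trace. ("RREQ", ts, dest, dest_seq) as seen in the broadcast;
# ("RREP", ts, replier, dest, dest_seq) as received. 10.0.0.3 is an honest
# intermediate node; 10.0.0.77 is a black hole replying with inflated numbers.
TRACE = [
    ("RREQ", 1.0, "10.0.0.9", 100),
    ("RREP", 1.2, "10.0.0.3", "10.0.0.9", 102),
    ("RREP", 1.3, "10.0.0.77", "10.0.0.9", 5100),
    ("RREQ", 4.0, "10.0.0.12", 30),
    ("RREP", 4.5, "10.0.0.3", "10.0.0.12", 31),
    ("RREP", 4.6, "10.0.0.77", "10.0.0.12", 9030),
    ("RREQ", 12.0, "10.0.0.9", 102),
    ("RREP", 12.4, "10.0.0.3", "10.0.0.9", 104),
]

if __name__ == "__main__":
    for key, verdict in sorted(run_seqnum_monitor(TRACE).items()):
        print(key, verdict)
```

The verdict hinges entirely on THRESHOLD: an honest node whose destination legitimately restarted with a much higher sequence number would be flagged, which is the false positive risk mentioned above.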

Padilla et al. (2007) proposed a black hole intrusion detection technique for a table-driven tactical MANET using a topology graph server with a stable power supply and distributed sensors. The optimized link state routing protocol (OLSR) (Jacquet et al. 2001) was used. The proposed IDS draws a graph of the entire network at each time interval from the readings of the spread sensors, so the true number of neighbours of each node, which is the main factor deciding which node wins the route, appears in this graph. When any node sends a hello message containing its information, the system compares the number of neighbours the node claims to have with the true number in the system's graph. If the difference exceeds a certain threshold, the node is considered malicious and an alarm is broadcast; otherwise the node is considered normal and the route is accepted. The additional sensors needed to build the network graph are a cost overhead.

Eriksson et al. (2006), Phuong et al. (2007), Su and Boppana (2008) and Su (2009) proposed time-based wormhole intrusion detection techniques. True-link (Eriksson et al. 2006), which applies its detection at the MAC layer, is practical because it builds on a widely used protocol with some extensions. However, its timeout is fixed at the short inter-frame space (SIFS), with no flexibility, so a false positive alarm may arise when there is congestion or traffic load on the link.

The transmission time-based mechanism (TTM) (Van Phuong et al. 2007) relies on the round trip time (RTT) to detect the wormhole attack. TTM is a simple and accurate technique that can locate the position of the wormhole in the path. But the attackers on the tested path may write a fake RTT value equal to the RTT written by the normal nodes, which increases the false negative rate.

Su and Boppana (2009) put forward equations for detecting the wormhole attack, but these equations include parameters that must be filled in by the node under examination, which gives the attacker the chance to supply fake information and so defeat the detection system. True-link is the most self-dependable technique, since it does not rely on any outside node for the information its detection needs.

Finally, Li et al. (2012) proposed a collaborative and multidimensional trust-based intrusion detection algorithm for securing MANETs, called the gossip-based distributed outlier detection algorithm (G-BDODA). G-BDODA identifies outliers, which the authors define as the abnormal behaviours most likely shown by attackers, and uses a multi-dimensional trust management approach to estimate the honesty of nodes from different perspectives. The algorithm is efficient and accurate but suffers from routing overhead. Table 2.1 summarises the non AIS-based intrusion detection systems reviewed above.

Table 2.1 Non intelligent intrusion detection systems

Authors               Year  Contribution            Strengths             Drawbacks
Li et al.             2012  G-BDODA                 accurate              routing overhead
Kim & Song            2010  PFM                     simple                not accurate
Venkataraman et al.   2009  Trust-based mechanism   simple                consumes energy; fails in some cases
Su & Boppana          2008  NEVO                    simple                not self-dependable
Kurosawa et al.       2007  Secure AODV             no routing overhead   ambiguous threshold
Padilla et al.        2007  Secure tactical MANET   no routing overhead   costly
Phuong et al.         2007  TTM                     simple                not self-dependable
Liu & Shen            2007  -                       simple                fails in high-mobility MANETs
Ping et al.           2006  FAP                     simple                fails when attacker changes its IP address
Eriksson et al.       2006  True-link               self-dependable       susceptible to FP
Lee et al.            2002  Secure DSR              simple & accurate     routing overhead
Deng et al.           2002  SID-RS                  simple & accurate     routing overhead
Marti et al.          2000  Watchdog                low FP                consumes energy; fails in some cases

2.7.2 Intelligent Intrusion Detection Systems

Chelly and Elouedi (2010) introduced a fuzzy set stage at the end of the DCA proposed by Greensmith et al. (2005) to smooth the separation between normality and abnormality in the calculated mature context antigen value (MCAV). Their fuzzy system has two input parameters: the semi-mature DC output and the mature DC output. The defuzzification stage determines the final maturity state of each DC, so that the final context of each antigen is decided more accurately. The proposed fuzzy dendritic cell method (FDCM) was tested on a set of databases and achieved more accurate results than the DCA. However, since FDCM adds only a small enhancement to the DCA, and the core calculation of the received antigens' contexts still depends on the DCA, FDCM suffers from the same drawbacks of a high false positive rate and low accuracy, especially when normal and abnormal antigens are tested simultaneously (Chelly & Elouedi 2010).
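An added example in Python that serves both the fuzzy logic section (2.6) and this FDCM discussion; it is not the DCA or FDCM authors' code. A dendritic cell accumulates PAMP, danger and safe signals into CSM, semi-mature and mature outputs, migrates when CSM crosses a threshold, and presents its collected antigens with one context. The crisp DCA decision (mature if the mature output exceeds the semi-mature output) is replaced, as in FDCM, by fuzzifying the two outputs into low/medium/high terms, applying a Mamdani rule base and defuzzifying by centroid. The signal weights, membership functions, rule base, migration threshold and signal stream are all assumptions chosen to mirror the biology described in subsection 2.5.5; MCAV is then the fraction of an antigen's presentations made in the mature context.

```python
"""Dendritic cell context assessment with a fuzzy final stage (added example).
Signal weights, membership functions, rules, thresholds and the signal stream
are assumptions for illustration, not the DCA or FDCM authors' values."""
from collections import defaultdict

# Assumed weights (PAMP, danger, safe) for each DC output signal.
W_CSM = (2.0, 1.0, 2.0)       # co-stimulation: every input pushes the DC to migrate
W_SEMI = (0.0, 0.0, 1.0)      # only safe signals raise the semi-mature output
W_MAT = (2.0, 1.0, -1.5)      # PAMP/danger raise, safe suppresses the mature output
MIGRATION_THRESHOLD = 10.0    # assumed CSM level at which the DC presents antigen


def tri(x, a, b, c):
    """Triangular membership function: 0 outside (a, c), peak 1 at b."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x < b else (c - x) / (c - b)


def fuzzify(v):
    """Degrees of 'low', 'medium', 'high' for a normalised output v in [0, 1]."""
    return {"low": tri(v, -0.5, 0.0, 0.5),
            "medium": tri(v, 0.0, 0.5, 1.0),
            "high": tri(v, 0.5, 1.0, 1.5)}


# Output universe: degree of "mature context" in [0, 1].
OUT_TERMS = {"normal": (-0.5, 0.0, 0.5),
             "uncertain": (0.0, 0.5, 1.0),
             "anomalous": (0.5, 1.0, 1.5)}
# Assumed rule base: (semi-mature term, mature term) -> output term.
RULES = [(("high", "low"), "normal"), (("high", "medium"), "normal"),
         (("medium", "low"), "normal"), (("medium", "medium"), "uncertain"),
         (("low", "low"), "uncertain"), (("high", "high"), "uncertain"),
         (("low", "medium"), "anomalous"), (("low", "high"), "anomalous"),
         (("medium", "high"), "anomalous")]


def fuzzy_context(semi, mat):
    """Mamdani min/max inference and centroid defuzzification -> value in [0, 1]."""
    fs, fm = fuzzify(semi), fuzzify(mat)
    strength = defaultdict(float)
    for (ts, tm), out in RULES:
        strength[out] = max(strength[out], min(fs[ts], fm[tm]))
    num = den = 0.0
    for i in range(101):                          # sample the output universe
        y = i / 100
        mu = max(min(strength[t], tri(y, *OUT_TERMS[t])) for t in OUT_TERMS)
        num += y * mu
        den += mu
    return num / den if den else 0.5


class DendriticCell:
    def __init__(self):
        self.csm = self.semi = self.mat = 0.0
        self.antigens = []

    def sample(self, antigen, pamp, danger, safe):
        """Collect one antigen with its signals; True when the DC should migrate."""
        self.antigens.append(antigen)
        sig = (pamp, danger, safe)
        self.csm += sum(w * x for w, x in zip(W_CSM, sig))
        self.semi += sum(w * x for w, x in zip(W_SEMI, sig))
        self.mat += sum(w * x for w, x in zip(W_MAT, sig))
        return self.csm >= MIGRATION_THRESHOLD

    def context(self, fuzzy=True):
        """'mature' (IL-12-like, danger) or 'semi-mature' (IL-10-like, safe)."""
        total = abs(self.semi) + abs(self.mat) or 1.0
        s, m = max(self.semi, 0.0) / total, max(self.mat, 0.0) / total
        degree = fuzzy_context(s, m) if fuzzy else (1.0 if m > s else 0.0)
        return "mature" if degree > 0.5 else "semi-mature"


def run_dca(stream, fuzzy=True):
    """stream: (antigen_id, pamp, danger, safe) tuples. Returns MCAV per antigen,
    the fraction of its presentations made in the mature context."""
    counts = defaultdict(lambda: [0, 0])          # antigen -> [mature, total]
    dc = DendriticCell()
    for antigen, pamp, danger, safe in stream:
        if dc.sample(antigen, pamp, danger, safe):
            ctx = dc.context(fuzzy)
            for a in dc.antigens:
                counts[a][1] += 1
                counts[a][0] += int(ctx == "mature")
            dc = DendriticCell()                  # a fresh DC replaces the migrated one
    return {a: mature / total for a, (mature, total) in counts.items()}


# Constructed stream: antigen "A" is seen with safe signals, "B" with PAMP/danger.
STREAM = [("A", 0, 0, 2), ("A", 0, 0, 2), ("A", 0, 0, 2),   # DC 1: safe-dominated
          ("B", 2, 2, 0), ("B", 2, 2, 0),                    # DC 2: danger-dominated
          ("A", 0, 0, 1), ("B", 2, 2, 0), ("B", 2, 2, 0)]    # DC 3: mixed, danger wins

if __name__ == "__main__":
    print(run_dca(STREAM))            # A is mostly safe-context, B always mature
```

The third cell shows where the false positives come from: antigen A is swept up with B's danger signals and receives a mature presentation it did not earn, and the fuzzy stage only softens the boundary of the decision rather than changing the DCA's signal bookkeeping.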

Dickerson (2000) proposed the fuzzy intrusion recognition engine (FIRE) as an anomaly-based intrusion detection system. FIRE uses fuzzy logic to determine the existence of transport layer attacks, specifically TCP port scans and ICMP (ping) scans, in wired networks. Data mining techniques are used in FIRE to expose the attack metrics processed by the fuzzy syst