ARTIFICIAL IMMUNE FUZZY INTRUSION DETECTION ALGORITHM OVER MANET
MAHA ABDELHAQ
THESIS SUBMITTED IN FULFILMENT OF THE DEGREE OF DOCTOR OF PHILOSOPHY
FACULTY OF INFORMATION SCIENCE AND TECHNOLOGY UNIVERSITY KEBANGSAAN MALAYSIA
BANGI
2014
DECLARATION
I hereby declare that the work in this research is my own except for quotations and
summaries which have been duly acknowledged.
24th March 2014    MAHA ABDELHAQ (P50000)
ACKNOWLEDGMENTS
First and foremost, all praise to Almighty Allah for his blessings and patience, as well as for providing me with good health during this research.
This work is dedicated to the soul of my father, from whom I learned faith, strength, and determination. This work is also dedicated to my family, especially my beloved mother, who has shone an everlasting light on my mind and heart. Of course, this research is dedicated to my husband, Dr. Raed Alsaqour, who not only lives in my heart, but also shares my thoughts, ideas, and principles in different fields of science. I am grateful to my husband, who spent so much time guiding me in the best way he can and surrounding me with care and support.
I am grateful to my great brother, Shawkat Abdelhaq, for his continuous encouragement, love, and care. I thank my sisters for their unconditional love and support.
This work is also dedicated to the souls of the martyrs (Shohadaa) in my beloved country, Palestine, and to the martyrs of the Arab revolutions in Tunisia, Libya, Yemen, Syria, and Egypt. I greatly appreciate the Egyptian Muslim Brotherhood for their struggle and sacrifice. In particular, I would like to show my appreciation for the legitimate leader of Egypt, Dr. Mohammad Morsi, who taught me many things that are greater than the limits of completing my PhD studies and of higher value than merely obtaining a certificate and work. Dr. Morsi taught me determination, patience, and persistence to pursue my aspirations to achieve a better life for Arab countries and the Muslim Ummah.
I thank my supervisors, Dr. Rosilah Hassan and Prof. Mahamod Ismail, for their guidance and support. I also thank Immunologist Prof. Daud Israf of University Putra Malaysia (UPM) for his assistance and advice. Finally, I thank my research group for their help and friendship and for creating a pleasant working environment throughout my years of study in Universiti Kebangsaan Malaysia.
ABSTRACT
A mobile ad hoc network (MANET) is a collection of mobile, decentralized and self-organizing nodes that is used in special cases such as military applications. The properties of MANET render its environment vulnerable to different types of attacks, namely black hole, wormhole and flooding-based attacks. Flooding-based attacks are among the most dangerous, as they can paralyze the functionality of the whole network. In essence, a flooding attack overwhelms the network with bogus packets and can be performed through various attack techniques: the resource consumption attack (RCA), hello flood, routing table overflow, rushing attacks and the exploitation of node penalizing schemes. To secure MANET from attacks, many researchers have introduced intrusion detection algorithms based on artificial immune systems (AISs), because AISs use the human immune system (HIS) analogy to build efficient, self-defensive and self-organizing algorithms that can meet the challenges of the MANET environment. However, current AIS algorithms lack the generality needed to secure a standard routing protocol over MANET against a wide range of attack techniques with high accuracy and low false positive rates. In addition, little research attention has been paid to AIS algorithms that also reduce the effect of the attack on the main network performance metrics. The main objective of this research is to develop an efficient, self-defensive and self-organizing computational intelligence algorithm that combines the relevant features of danger theory-based AISs and fuzzy logic theory. This is done by drawing on the detection functionality of dendritic cells (DCs) in the HIS and the accurate decision-making functionality of fuzzy logic theory to introduce an AIS intrusion detection algorithm called the Dendritic Cell Fuzzy Algorithm (DCFA).
The proposed algorithm has been tested and verified by detecting a denial of service (DoS) attack, namely RCA, using the QualNet version 5.0.2 simulator over MANET. The research has found that AIS is effective for developing intrusion detection algorithms with high accuracy and low false positive rates. Moreover, the results show the capability of DCFA to perform the detection operation with high efficiency and effectiveness.
TABLE OF CONTENTS

DECLARATION iii
ACKNOWLEDGMENTS iv
ABSTRACT v
ABSTRAK vi
TABLE OF CONTENTS vii
LIST OF TABLES xi
LIST OF FIGURES xii
LIST OF ABBREVIATIONS xv
LIST OF SYMBOLS xviii

CHAPTER I INTRODUCTION
1.1 Research Background 1
1.2 Problem Statement 4
1.3 Research Objectives 6
1.4 Research Contributions 6
1.5 Research Scope 7
1.6 Research Methodology 7
1.7 Thesis Outline 8

CHAPTER II LITERATURE REVIEW
2.1 Introduction 10
2.2 Mobile Ad hoc Network 10
2.2.1 MANET Characteristics 11
2.2.2 MANET Routing Protocols 12
2.3 Security over MANET 14
2.3.1 Security Primitive 15
2.3.2 Security Goals 16
2.3.3 Types of Attacks over MANET 17
2.4 Studies in the Effects of Attacks over MANET 20
2.5 The Human Immune System in Biology 22
2.5.1 Introduction to HIS 22
2.5.2 The HIS Cells 23
2.5.3 Innate and Adaptive Immunity 23
2.5.4 T-Cells 24
2.5.5 Dendritic Cells 25
2.5.6 Self Non-Self and Danger Theories 27
2.6 Fuzzy Logic Theory 28
2.7 Intrusion Detection Systems 29
2.7.1 Non Intelligent Intrusion Detection Systems 29
2.7.2 Intelligent Intrusion Detection Systems 34
2.8 Summary 39

CHAPTER III METHODOLOGY
3.1 Introduction 41
3.2 The Analogy Between MANET and The Innate Immunity 41
3.3 Danger Theory Model 43
3.4 Biological Model of Dendritic Cells 44
3.5 Antigens and Signals 46
3.5.1 Antigens 46
3.5.2 Input Signals 47
3.5.3 Output Signals 48
3.6 Biological Model of T-Cells 50
3.7 Ad Hoc on-Demand Distance Vector Routing Protocol 51
3.8 Vulnerability of AODV to RCA 52
3.9 Fuzzy Logic Theory 53
3.9.1 Fuzzification 54
3.9.2 Fuzzy Rules and Fuzzy Inference 55
3.9.3 Defuzzification 56
3.9.4 Fuzzy Logic and DC 57
3.10 Simulation Environment 58
3.10.1 Simulation Parameters 58
3.10.2 Performance Metrics 59
3.10.3 Simulation Verification 62
3.11 Summary 64

CHAPTER IV EFFECTS OF RCA ON MANET
4.1 Introduction 66
4.2 Experimental Design 68
4.3 Experimental Results for Scenario A 69
4.3.1 Effects of RCA on Throughput and End-to-end Delay for Scenario A 70
4.3.2 Effects of RCA on Total Energy Consumption for Scenario A 72
4.3.3 Effects of RCA on Routing Overhead for Scenario A 74
4.4 Experimental Results for Scenario B 76
4.4.1 Effects of RCA on Throughput and End-to-end Delay for Scenario B 77
4.4.2 Effects of RCA on Total Energy Consumption for Scenario B 78
4.4.3 Effects of RCA on Routing Overhead for Scenario B 80
4.5 Summary 81

CHAPTER V DENDRITIC CELL FUZZY LOGIC ALGORITHM
5.1 Introduction 83
5.2 General Design of DCFA 84
5.3 DCFA Particulars 91
5.3.1 DCFA Specifications 91
5.3.2 Fuzzy Logic System Component 95
I. Fuzzification Stage 96
II. Defuzzification Stage 99
III. Fuzzy Inference and Aggregation 100
5.4 A Worked Example 101
5.5 Summary 103

CHAPTER VI VERIFICATION OF DENDRITIC CELL FUZZY LOGIC ALGORITHM
6.1 Introduction 105
6.2 Experimental Settings 105
6.3 Experimental Results for Scenario C 107
6.3.1 Evaluation of Security Performance for Scenario C 107
6.3.2 Evaluation of Network Performance for Scenario C 112
6.4 Experimental Results for Scenario D 119
6.4.1 Evaluation of Security Performance for Scenario D 119
6.4.2 Evaluation of Network Performance for Scenario D 123
6.5 Comparison Between DCFA and Previous Work 129
6.6 Summary 132

CHAPTER VII CONCLUSIONS AND FUTURE WORKS
7.1 Research Contributions 133
7.2 Achievements 134
7.3 Research Advantages and Limitations 135
7.4 Suggestions for Future Works 137

REFERENCES 139

APPENDICES
A: List of Publications 148
B: Simulation Screenshots 150
LIST OF TABLES
Table No. Page
2.1 Non intelligent intrusion detection systems 34
2.2 Intelligent intrusion detection systems 39
3.1 Analogy between innate immunity properties and MANET characteristics 42
3.2 Brief overview of the input signals 48
3.3 Brief overview of the output signals 50
3.4 A comparison between T-cells and DCs 50
3.5 Simulation parameters 59
3.6 Intrusion detection performance metrics 60
5.1 DCFA model components 86
5.2 DCFA data structure 94
5.3 Fuzzy sets of input variable s_1 96
5.4 Fuzzy sets of input variable s_2 98
5.5 Fuzzy sets of FLS(S_i) output variable 99
6.1 Comparison between DCFA and previous works 130
LIST OF FIGURES
Figure No. Page
1.1 Mapping of HIS model and MANET in AIS algorithm 4
1.2 Research Steps 8
2.1 Mobile ad hoc network 11
2.2 MANET routing protocols categories 13
2.3 Information security 15
2.4 Attacks over MANET 18
2.5 States of DC differentiations 26
3.1 Main functions of DCs 44
3.2 Main inputs and outputs of DC 45
3.3 Interaction among the input signals 48
3.4 AODV routing protocol 52
3.5 RCA 53
3.6 Fuzzy logic mechanism 54
3.7 Temperature membership function 55
3.8 Radio energy dissipation model (transceiver) 61
4.1 Distribution of RCA attackers with different positions 69
4.2 Effect of the number of attackers and their positions on throughput 71
4.3 Effect of the number of attackers and their positions on end-to-end delay 72
4.4 Effect of the number of attackers and their positions on the energy consumed in each mode 73
4.5 Effect of the number of attackers and their positions on total energy consumed 74
4.6 Effect of the number of attackers and their positions on the retried RREQs 75
4.7 Effect of the number of attackers and their positions on the initiated RREPs 76
4.8 Effect of increasing attackers radio ranges 76
4.9 Effect of the attackers radio range and flooding rate on throughput 77
4.10 Effect of the attackers radio range and flooding rate on end-to-end delay 78
4.11 Effect of the attackers radio range and flooding rate on energy consumption in each mode 79
4.12 Effect of the attackers radio range and flooding rate on total energy consumed 80
4.13 Effect of the attackers radio range and flooding rate on the retried RREQs 81
4.14 Effect of the attackers radio range and flooding rate on the initiated RREPs 81
5.1 DCFA model 85
5.2 TGList in genes store 88
5.3 MTList in MT-cells 89
5.4 New pictured TGList 95
5.5 FLS applied by each DC 95
5.6 Membership functions of input variable s_1 97
5.7 Membership functions of input variable s_2 98
5.8 Output membership functions for output signal FLS(S_i) 100
5.9 Graphical illustration of fuzzy system stages 103
6.1 Effect of the number of attackers on false positive rate 107
6.2 Effect of the number of attackers on true negative rate 108
6.3 Effect of the number of attackers on false negative rate 110
6.4 Effect of the number of attackers on true positive rate 110
6.5 Effect of the number of attackers on accuracy rate 112
6.6 Effect of the number of attackers on throughput 113
6.7 Effect of the number of attackers on end-to-end delay 114
6.8 Effect of the number of attackers on energy consumed in transmit mode 115
6.9 Effect of the number of attackers on energy consumed in receive mode 116
6.10 Effect of the number of attackers on energy consumed in idle mode 116
6.11 Effect of the number of attackers on total energy consumed 117
6.12 Effect of the number of attackers on the retried RREQs 118
6.13 Effect of the number of attackers on the initiated RREPs 119
6.14 Effect of the attackers radio range on false positive rate 120
6.15 Effect of the attackers radio range on true negative rate 120
6.16 Effect of the attackers radio range on false negative rate 122
6.17 Effect of the attackers radio range on true positive rate 122
6.18 Effect of the attackers radio range on accuracy rate 123
6.19 Effect of the attackers radio range on throughput 124
6.20 Effect of the attackers radio range on end-to-end delay 125
6.21 Effect of the attackers radio range on energy consumed in transmit mode 125
6.22 Effect of the attackers radio range on energy consumed in receive mode 126
6.23 Effect of the attackers radio range on energy consumed in idle mode 127
6.24 Effect of the attackers radio range on total energy consumed 127
6.25 Effect of the attackers radio range on the retried RREQs 128
6.26 Effect of the attackers radio range on the initiated RREPs 129
LIST OF ABBREVIATIONS
ABAIS agent-based AIS
AC antigens controller
ADMR adaptive demand-driven multicast routing
Ag antigen agent
AIS artificial immune system
AODV ad hoc on-demand distance vector
AOMDV Ad hoc on-demand multipath distance vector
APC antigen presenting cell
CBR constant bit rate
CEDAR core-extraction distributed ad hoc routing
CGSR cluster head gateway switch routing
CIA co-stimulation inspired approach
CPN cognitive packet network
CREP confirmation reply
CREQ confirmation request
CSM costimulatory molecules
DC dendritic cell
DCA dendritic cell algorithm
DCMP dynamic core based multicast routing
DEAR device and energy aware routing
DGR direction guided routing
DoS denial of service
DRM dynamic route maintenance
DSDV destination sequenced distance vector
DSR dynamic source routing
FRREP further route reply
FRREQ further route request
FSR fisheye state routing
G-BDODA gossip-based distributed outlier detection algorithm
GPS global positioning system
GPSR greedy perimeter stateless routing
HIS human immune system
H-LANMAR hierarchical landmark routing
HSR hierarchical state routing
IDS intrusion detection system
IL-10 interleukin-10
IL-12 interleukin-12
LAN local area network
LANMAR landmark ad hoc routing
LAR location-aided routing
MAC medium access control
MANET mobile ad hoc network
MHC major histocompatibility complex
MT-cell Memory T-cell
NetTRIIAD network threat recognition with immune inspired anomaly detection
NTBR neighbor table based multipath routing
NT-cell Naive T-cell
OLSR optimized link state routing
PAMP pathogen-associated molecular patterns
PIR primary immune response
PRR pattern recognition receptor
QoS quality of service
RCA resource consumption attack
RP responding
RPQ routing packets queue
RREP route reply
RREQ route request
RTT round trip time
SID-RS source intrusion detection routing security
SIFS short inter frame space
SIR secondary immune response
SOC security operating system
ST-cell Suppressor T-cell
TC agent T-cells agent
TORA temporally ordered routing algorithm
TTM transmission time-based mechanism
WRP wireless routing protocol
ZRP zone routing protocol
FN false negative
FP false positive
LIST OF SYMBOLS
total energy consumed
total energy consumed in transmit, receive and idle modes
E_1 energy consumed in transmit mode
E_2 energy consumed in receive mode
E_3 energy consumed in idle mode
membership value of the output parameter of each rule j
P_receive power consumed in receive mode
P_transmit power consumed in transmit mode
P_idle power consumed in idle mode
P_on power consumed in active mode
P_sp power consumed in sleep mode
P_tr power consumed in transient mode
R_i rule number i
T_receive time duration of the receive mode
T_transmit time duration of the transmit mode
T_idle time duration of the idle mode
CHAPTER I
INTRODUCTION
1.1 RESEARCH BACKGROUND
In the last few decades, many researchers have focused on the area of mobile ad hoc
network (MANET) as a wireless network with specific features not found in other
types of networks. The decentralization, rapid deployable topology and open wireless
medium of MANET increase its feasibility for application in rough structured areas,
such as earthquake and war territories. However, these features as well as the
limitations of MANET (i.e., sharing of channel bandwidth and the limitation in the
energy of nodes) make this network very vulnerable to different types of attacks.
MANET routing protocols can be attacked easily once the vulnerable points of the
network protocols have been identified. Many intrusion detection systems (IDSs)
have been introduced to protect the routing protocols in MANETs. However, the
conventional cryptography-based schemes used to secure routing protocols in
MANETs increase the control overhead by carrying extra security information
(digital signatures and hash values) in routing packets. Moreover, the lack of
fixed infrastructure in a MANET renders the use of certificate authorities
infeasible. Thus, the general trend at present is to employ lightweight computing
algorithms to secure MANETs. Based on the many similarities between the human
body tissue environment and the MANET environment identified in this study, the
robust defence achieved by the human immune system (HIS) is translated in this
research into an artificial immune system (AIS) that protects MANET. AISs are
defined as a set of computational algorithms or theories that reflect one or more
HIS concepts and principles (Wu & Banzhaf 2010).
The introduced AIS intrusion detection algorithms can detect attacks in a
decentralized and self-organizing manner, which means that central management
points in the security system are not necessary when AISs are applied. This advantage
renders the technique feasible for securing MANETs and addressing the limitations
and challenges of such networks.
HIS consists of numerous functions and concepts, which motivated computer
scientists to envision its use in intrusion detection systems. However, research
on immunology shows that HIS is extremely complex, and the evidence on how HIS
operates is conflicting and controversial (Greensmith 2007). Understanding the
biology of the human body does not necessarily mean being able to emulate all of
its models and functions in detail; adopting the concepts and principles that
benefit the AIS environment is enough to achieve the desired performance (Drozda
et al. 2009; Drozda et al. 2010).
Aickelin et al. (2003) attempted to improve the performance of previously
introduced AISs and established the danger project (Aickelin et al. 2003;
Aickelin & Cayzer 2002), which is primarily based on the danger theory in
immunology. The danger theory holds that the response of the immune system to
incoming pathogens is based mainly on the danger or safe signals emitted by the
body tissues as a result of these pathogens (Matzinger 1994, 2001, 2002, 2007).
In the danger project, a group of computer scientists and immunologists map
current immunology into AIS (Greensmith 2007; Greensmith et al. 2005, 2008;
Greensmith et al. 2010; Ou 2012).
The dendritic cell algorithm (DCA) is one of the best-known danger project
contributions. It utilizes the role of dendritic cells (DCs) in HIS as forensic
navigators and important anomaly detectors. DCs are antigen presenting cells in
innate immunity; they either stimulate or suppress T-cells in adaptive immunity,
thereby controlling the type of response of the immune system (Wu & Banzhaf
2010).
Although DCA is effective in real-time IDSs, it registers a high false positive
alarm rate and a low detection accuracy rate because it is sensitive to the order
of the detected data. Thus, this research combines the danger theory model with
fuzzy logic theory (Zadeh 1965) to propose a new DC fuzzy intrusion detection
algorithm (DCFA). DCFA promises a high detection accuracy rate and a low false
positive rate, the two main measurements of the robustness of an IDS. Chapter II,
Section 2.5 presents an overview of HIS in biology to elucidate the importance of
the DC biological model in the human body.
A novel DCFA and its related model are introduced in this study. Using an AIS
inspired algorithm promises to address the challenges of MANETs environment that
make it vulnerable to attacks. No research has been able to meet the requirements for
the detection of all types of attacks (Deng et al. 2002; Lima et al. 2009; Su & Adviser-
Boppana 2009). Thus, DCFA is verified and tested in this study to detect one of the
flooding-based attacks on MANET, namely, resource consumption attack (RCA).
DCFA can be generalized to detect other types of attacks on MANETs.
Figure 1.1 shows an abstract mapping of HIS and MANET. Each message in
MANET represents a pathogen entering the human body. Each node represents the
human body or a part of the human body. Therefore, each node must apply the
proposed algorithm to protect itself from intrusions similar to how each part of the
human body depends on the immune system to protect itself from dangerous
pathogens.
Figure 1.1 Mapping of HIS model and MANET in AIS algorithm. (a) Human immune
system (NIAIDS 2003), (b) MANET
1.2 PROBLEM STATEMENT
Securing MANET is a crucial research issue. The properties of MANET impede the
protection of the network environment against attacks. As an open area of
wireless mobile nodes, MANET allows external attackers to join the network easily
and masquerade as legitimate nodes (D. Wang et al. 2008). Moreover, the limited
bandwidth of a MANET renders its nodes vulnerable to isolation and its
communications susceptible to frequent breaks. Furthermore, the lack of
centralized authorization and security cooperation adds to the susceptibility of
the entire network to attacks. MANET is open to many types of attacks;
flooding-based attacks are the most popular type because they are both dangerous
and effective (Ghazali & Hassan 2011).
HIS is the basis of the intrusion detection algorithms of AISs, which detect
different types of attacks. For example, Greensmith introduced a novel
danger-based AIS called the dendritic cell algorithm (DCA) to detect port scan
attacks over a wired network (Greensmith et al. 2005; Greensmith et al. 2010).
DCA is inspired by the capability of DCs to receive multiple antigens and
signals and to reveal the context of each antigen. However, fusing multiple
signals and antigens without any association between each antigen and its
related signals increases the error rate of the detection operation. Therefore,
DCA suffers from high false positive rates and low accuracy rates. The AISs
introduced by Amaral (2011), Chelly and Elouedi (2010) and Wallenta et al.
(2010) depend mainly on the core of DCA with certain adaptations. The work of
Amaral (2011) depends on DCA and uses fuzzy logic theory instead of the fixed
weights used in DCA; the resulting algorithm is applied to detect faults in
analog circuits, which is outside the scope of this research. Chelly and Elouedi
(2010) use fuzzy logic in the final stage of DCA to classify the antigens after
the context of each antigen has been decided according to DCA and the empirical
equation applied by Greensmith (2010), and their enhancement has been applied to
detect abnormal behaviour on a specific data set. Wallenta et al. (2010) applied
DCA over wireless sensor networks (WSNs) to detect a flooding-based attack
called the cache poisoning attack. As all of the above algorithms depend mainly
on DCA, they necessarily share its high false positive and low accuracy rates.
DCFA shares with the previously introduced AIS-based IDSs its inspiration from
the DC biological model in HIS: antigens and the related signals, which
represent the detected attack and its behaviours, are utilized by DCFA and by
the previous works alike. However, DCFA associates each antigen with its related
signals, which the previous works do not do. DCFA also does not depend on or
enhance any of the previous algorithms; it is a standalone hybrid intelligent
algorithm that combines the relevant features of danger theory-based AISs and
fuzzy logic theory. Unlike the works in the literature, DCFA utilizes two
pathways in the AIS part of its intrusion detection operation, the primary
immune response (PIR) pathway and the secondary immune response (SIR) pathway,
and controls the use of each pathway in order to achieve high security and
network performance.
The performance of an intrusion detection algorithm is measured by two main
metrics: the false positive rate and the accuracy rate. Current AIS algorithms
produce high false positive and low accuracy rates (Stibor et al. 2005; Wu &
Banzhaf 2010). If an AIS intrusion detection algorithm mistakenly classifies
normal nodes as attackers, those nodes are isolated from the network and the
false positive rate increases; many normal nodes are thus penalized by the
algorithm as intruder nodes. Faulty detection of normal nodes leads to
partitioning of the MANET and degrades its performance. In contrast, if the
algorithm mistakenly classifies one or more attackers as normal nodes, the
attackers are free to spread the threat and continue degrading MANET
performance.
Current research shows little interest in studying in depth the effects of RCA
on MANET performance metrics such as throughput, end-to-end delay, energy
consumption and routing overhead. Nor has RCA been analyzed under varying
factors that affect the efficiency of the attack itself, such as the attackers'
flooding rate, radio range and position in the network, and the number of
attackers taking part in a group attack. Therefore, an efficient, self-defensive
and self-organizing AIS intrusion detection algorithm with a low false positive
rate and a high accuracy rate must be introduced to protect MANET and increase
its robustness. In addition, securing MANET should not add overhead to its
performance metrics. This research attempts to achieve both.
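The factors listed above (number of attackers, flooding rate, radio range) can be explored with a small constructed model before committing to a full simulator. The Python below is an added illustration, not the thesis's QualNet implementation: it propagates each bogus RREQ through an AODV-style flood (a node rebroadcasts an RREQ only on first sight and drops duplicates, but every node in range still spends receive energy on it) and then applies the energy model of the list of symbols, E_1 = P_transmit x T_transmit, E_2 = P_receive x T_receive, E_3 = P_idle x T_idle. The power and per-packet timing constants, the 3 x 3 grid topology and the attacker placements are all assumed values chosen for the example.

```python
"""Constructed model of a resource consumption attack (RCA) against an
AODV-style MANET.  Added illustration, not the thesis's QualNet model.
Energy follows the thesis's symbol list: E1 = P_transmit * T_transmit,
E2 = P_receive * T_receive, E3 = P_idle * T_idle, total = E1 + E2 + E3.
The power and timing constants are assumed values, not measurements."""
import math
from collections import deque

P_TRANSMIT, P_RECEIVE, P_IDLE = 1.4, 1.0, 0.8   # watts (assumed)
PKT_TIME = 0.002                                # seconds per RREQ (assumed)


def neighbours(node, positions, radio_range):
    """Honest nodes within radio range of 'node' (excluding itself)."""
    here = positions[node]
    return [m for m, there in positions.items()
            if m != node and math.dist(here, there) <= radio_range]


def flood_once(honest, attacker_pos, radio_range):
    """Propagate one bogus RREQ through the honest nodes.

    AODV behaviour modelled: every node in range of a transmission receives
    the packet (receive energy); a node rebroadcasts an RREQ only the first
    time it sees it (transmit energy) and drops later duplicates.
    Returns per-node (receptions, rebroadcasts) counts."""
    rx = {n: 0 for n in honest}
    tx = {n: 0 for n in honest}
    seen, queue = set(), deque()
    for n, pos in honest.items():
        if math.dist(attacker_pos, pos) <= radio_range:
            rx[n] += 1
            seen.add(n)
            queue.append(n)
    while queue:
        n = queue.popleft()
        tx[n] += 1                       # first copy: rebroadcast
        for m in neighbours(n, honest, radio_range):
            rx[m] += 1                   # neighbours spend receive energy
            if m not in seen:            # duplicates are dropped, not forwarded
                seen.add(m)
                queue.append(m)
    return rx, tx


def simulate_rca(honest, attackers, radio_range, flood_rate, duration):
    """Energy and routing-overhead effect of 'attackers' (id -> position)
    each flooding 'flood_rate' bogus RREQs per second for 'duration' seconds.
    Returns node -> {E1, E2, E3, total, rreq_rx, rreq_tx}."""
    packets = int(flood_rate * duration)
    rx_total = {n: 0 for n in honest}
    tx_total = {n: 0 for n in honest}
    for pos in attackers.values():
        rx, tx = flood_once(honest, pos, radio_range)   # same path each time
        for n in honest:
            rx_total[n] += rx[n] * packets
            tx_total[n] += tx[n] * packets
    report = {}
    for n in honest:
        t_tx = tx_total[n] * PKT_TIME
        t_rx = rx_total[n] * PKT_TIME
        t_idle = max(0.0, duration - t_tx - t_rx)   # radio is idle otherwise
        e1, e2, e3 = P_TRANSMIT * t_tx, P_RECEIVE * t_rx, P_IDLE * t_idle
        report[n] = {"E1": e1, "E2": e2, "E3": e3, "total": e1 + e2 + e3,
                     "rreq_rx": rx_total[n], "rreq_tx": tx_total[n]}
    return report


def total_energy(report):
    return sum(v["total"] for v in report.values())


# Constructed topology: 3 x 3 grid of honest nodes 100 m apart; with a
# 120 m radio range only orthogonal neighbours can hear each other.
GRID = {f"n{i}{j}": (100.0 * i, 100.0 * j) for i in range(3) for j in range(3)}

if __name__ == "__main__":
    for attackers in ({}, {"a1": (-50.0, 0.0)},
                      {"a1": (-50.0, 0.0), "a2": (250.0, 200.0)}):
        rep = simulate_rca(GRID, attackers, radio_range=120.0,
                           flood_rate=10.0, duration=10.0)
        print(f"{len(attackers)} attacker(s): total energy "
              f"{total_energy(rep):.2f} J, RREQs received "
              f"{sum(v['rreq_rx'] for v in rep.values())}")
```

Because the grid and ranges are fixed, one bogus RREQ from the attacker at (-50, 0) costs nine rebroadcasts and 26 receptions across the network, so every additional attacker, and every increase in flooding rate or radio range, converts idle time into the more expensive receive and transmit time in proportion.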
1.3 RESEARCH OBJECTIVES
The core objective of this research is to build a new robust intrusion detection
algorithm for MANET by achieving the following precise objectives:
i. To develop a simulation model platform for a flooding-based attack and a
countermeasure for that attack over MANET.
ii. To implement and analyze the Flooding-based attack, namely RCA, over
MANET.
iii. To develop and evaluate a standalone AIS-based intrusion detection algorithm
which can detect RCA over MANET.
1.4 RESEARCH CONTRIBUTIONS
This research contributes to the literature as follows:
i. A new RCA attack model and its countermeasure, the DCFA model, have been
developed and added to QualNet v5.0.2 for implementation over MANET.
ii. New factors have been introduced for implementing and analyzing RCA over
MANET, specifically a varying number of attackers in combination with the
attackers' positions, and varying attacker radio range and flooding rate.
iii. A new AIS-based algorithm and its related model have been developed and
evaluated. The model has been added to QualNet v5.0.2 and tested with both
security and network measurements. Five security performance metrics are used
to test DCFA: false positive, false negative, true positive, true negative and
accuracy rates. Four network performance metrics are also used: throughput,
end-to-end delay, energy consumption and routing overhead.
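The five security metrics listed in contribution iii, and the network cost of false positives described in the problem statement (a normal node flagged as an attacker is isolated, which can partition the MANET), can be computed from per-node verdicts as follows. This Python is an added example, not the thesis's evaluation code; the line topology, the two real attackers and the one mistaken verdict are constructed inputs.

```python
"""Security-performance metrics for a node-level IDS (false positive, false
negative, true positive, true negative and accuracy rates), plus the network
cost of false positives: flagged nodes are isolated, so a wrong verdict can
partition the MANET.  Added illustration, not the thesis's code; the node
verdicts and positions below are constructed."""
import math
from collections import deque


def confusion_matrix(ground_truth, verdicts):
    """ground_truth: node -> True if the node really is an attacker.
    verdicts: node -> True if the IDS flagged the node as an attacker.
    Returns (tp, fp, tn, fn), counted per node."""
    tp = fp = tn = fn = 0
    for node, is_attacker in ground_truth.items():
        flagged = verdicts.get(node, False)
        if is_attacker and flagged:
            tp += 1
        elif is_attacker:
            fn += 1          # attacker missed
        elif flagged:
            fp += 1          # honest node wrongly isolated
        else:
            tn += 1
    return tp, fp, tn, fn


def security_rates(tp, fp, tn, fn):
    """The five metrics named in the contributions, as fractions in [0, 1]."""
    attackers, normals = tp + fn, tn + fp
    return {
        "TPR": tp / attackers if attackers else 0.0,   # true positive rate
        "FNR": fn / attackers if attackers else 0.0,   # false negative rate
        "FPR": fp / normals if normals else 0.0,       # false positive rate
        "TNR": tn / normals if normals else 0.0,       # true negative rate
        "accuracy": (tp + tn) / (tp + tn + fp + fn),
    }


def components_after_isolation(positions, radio_range, isolated):
    """Connected components among the nodes that remain once 'isolated'
    nodes are cut off; more than one component means the MANET is partitioned."""
    unvisited = {n for n in positions if n not in isolated}
    count = 0
    while unvisited:
        queue = deque([unvisited.pop()])
        count += 1
        while queue:
            n = queue.popleft()
            for m in list(unvisited):
                if math.dist(positions[n], positions[m]) <= radio_range:
                    unvisited.remove(m)
                    queue.append(m)
    return count


# Constructed scenario: ten nodes in a line 100 m apart with a 120 m radio
# range; n3 and n7 really flood, and the IDS also flags honest n5 by mistake.
POSITIONS = {f"n{i}": (100.0 * i, 0.0) for i in range(10)}
GROUND_TRUTH = {n: n in {"n3", "n7"} for n in POSITIONS}
VERDICTS = {"n3": True, "n7": True, "n5": True}


def evaluate(ground_truth=GROUND_TRUTH, verdicts=VERDICTS,
             positions=POSITIONS, radio_range=120.0):
    tp, fp, tn, fn = confusion_matrix(ground_truth, verdicts)
    report = security_rates(tp, fp, tn, fn)
    truly_bad = {n for n, a in ground_truth.items() if a}
    flagged = {n for n, f in verdicts.items() if f}
    report["components_if_perfect"] = components_after_isolation(
        positions, radio_range, truly_bad)
    report["components_actual"] = components_after_isolation(
        positions, radio_range, flagged)
    return report


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key:>22}: {value}")
```

In the constructed scenario the single false positive costs only 0.1 of accuracy (0.9 instead of 1.0) but raises the number of network partitions from three to four, which is why the false positive rate is reported separately rather than folded into accuracy.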
1.5 RESEARCH SCOPE
This research is concerned with the development of a danger theory-based AIS
intrusion detection algorithm. The proposed algorithm utilizes innate immunity cell
functions as forensic navigators and anomaly-based intrusion detectors in human body
tissues. The focus is on the functions of DCs in innate immunity.
The decision of whether a DC context is mature or semi-mature is implemented
with fuzzy logic theory. Verification of the proposed algorithm is performed on
MANET by detecting a flooding-based attack called RCA, also known as the sleep
deprivation attack. RCA is studied and detected over the AODV routing protocol
(Boukerche et al. 2011; Perkins et al. 2003; Perkins & Royer 1999; Royer & Toh
1999; Taneja & Kush 2010). Simulation in QualNet v5.0.2 is used to test both
the effect of RCA and the performance of the proposed DCFA.
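The three fuzzy logic stages that Chapter III names (fuzzification, fuzzy rules and inference, defuzzification) are shown below in a generic Mamdani form applied to a DC context decision. This Python is an added illustration and is not DCFA: the two input signals s1 and s2, the triangular fuzzy sets, the five-rule base, the centroid defuzzifier and the 0.5 decision threshold are all assumptions made for the example, not the membership functions and rules the thesis defines in Chapter V.

```python
"""Mamdani-style fuzzy decision on a dendritic cell's context.  Added
illustration of the fuzzification / inference / defuzzification stages named
in Chapter III; it is NOT the DCFA rule base, whose membership functions and
rules are defined in Chapter V.  The input signals s1 (danger-like) and s2
(safe-like), the fuzzy sets, the five rules and the 0.5 decision threshold
are all assumed for the example."""

INPUT_SETS = {"low": (0.0, 0.0, 0.5), "medium": (0.25, 0.5, 0.75),
              "high": (0.5, 1.0, 1.0)}
OUTPUT_SETS = {"semi_mature": (0.0, 0.0, 0.5), "uncertain": (0.25, 0.5, 0.75),
               "mature": (0.5, 1.0, 1.0)}
# (s1 set, s2 set or None, consequent): assumed rule base, not DCFA's.
RULES = [
    ("high", None, "mature"),
    ("low", None, "semi_mature"),
    ("medium", "low", "mature"),
    ("medium", "high", "semi_mature"),
    ("medium", "medium", "uncertain"),
]


def tri(x, a, b, c):
    """Triangular membership with vertices a <= b <= c; a == b or b == c
    turns the triangle into a shoulder that stays at 1 beyond the flat end."""
    if x <= a:
        return 1.0 if a == b else 0.0
    if x >= c:
        return 1.0 if b == c else 0.0
    if x < b:
        return (x - a) / (b - a)
    if x == b:
        return 1.0
    return (c - x) / (c - b)


def fuzzify(x, sets=INPUT_SETS):
    """Fuzzification: crisp value -> membership degree in each set."""
    return {name: tri(x, *abc) for name, abc in sets.items()}


def infer(s1, s2):
    """Inference: fire every rule (min for AND) and aggregate the firing
    strengths per consequent with max."""
    mu1, mu2 = fuzzify(s1), fuzzify(s2)
    strength = {name: 0.0 for name in OUTPUT_SETS}
    for set1, set2, consequent in RULES:
        w = mu1[set1] if set2 is None else min(mu1[set1], mu2[set2])
        strength[consequent] = max(strength[consequent], w)
    return strength


def defuzzify(strength, steps=200):
    """Centroid defuzzification of the clipped, max-aggregated output sets
    over a discretised universe [0, 1]."""
    num = den = 0.0
    for i in range(steps + 1):
        y = i / steps
        mu = max(min(w, tri(y, *OUTPUT_SETS[name]))
                 for name, w in strength.items())
        num += y * mu
        den += mu
    return num / den if den else 0.5     # no rule fired: sit on the threshold


def dc_context(s1, s2, threshold=0.5):
    """Crisp decision: 'mature' (antigen flagged as anomalous) or 'semi-mature'."""
    score = defuzzify(infer(s1, s2))
    return ("mature" if score >= threshold else "semi-mature"), round(score, 4)


if __name__ == "__main__":
    for s1, s2 in ((0.9, 0.1), (0.5, 0.5), (0.1, 0.9), (0.6, 0.3)):
        print(f"s1={s1:.1f} s2={s2:.1f} -> {dc_context(s1, s2)}")
```

The point of the fuzzy path, as opposed to a fixed-weight sum, is visible in the middle case: when both signals sit at 0.5 only the "uncertain" rule fires and the centroid lands exactly on the threshold, so the crisp decision is driven by how the designer chooses the threshold rather than by a spurious preference of the arithmetic.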
1.6 RESEARCH METHODOLOGY
As shown in Figure 1.2, this research is conducted in five phases. Phase one
builds a comprehensive literature review from all types of published documents,
such as papers, surveys and books related to the research scope. Phase two
conducts a simulation to analyze the effect of flooding-based attacks, RCA in
particular, on specific MANET performance metrics such as throughput, end-to-end
delay, energy consumption and routing overhead. In Phase three, an AIS intrusion
detection algorithm called DCFA and its related model are developed. Phase four
conducts a simulation to verify the effectiveness of the proposed AIS algorithm
and analyzes the performance evaluation results. Finally, in Phase five, the
results obtained from applying both RCA and the proposed DCFA are analyzed.
Figure 1.2 summarizes the research steps.
Figure 1.2 Research steps
1.7 THESIS OUTLINE
This research is structured as follows. Chapter II presents the review of related
literature. MANET concepts, challenges and routing protocols are introduced. Security
issues are then discussed followed by the efforts to study the effects of attacks on
MANET. Chapter II also presents the biological background of the danger theory in
HIS and provides a brief introduction of fuzzy logic theory. Furthermore, current
research efforts to develop intrusion detection algorithms and AIS algorithms to
protect routing protocols in MANET are surveyed and classified.
Chapter III presents the methodology employed in this research. The danger
theory model, which is the basis of the proposed AIS algorithm, is described. The
AODV routing protocol as the underlying routing protocol in this research and its
vulnerability to RCA are also discussed in this chapter. A detailed description of fuzzy
logic theory is presented and the simulation environment design, simulation
parameters and performance metrics employed in the experiments are detailed. The
vulnerability of AODV routing protocol to RCA is discussed comprehensively in
Chapter IV. A set of experiments and a simulation are conducted to determine the
negative effects of RCA on critical network performance metrics.
The formal description of the proposed AIS intrusion detection algorithm
called DCFA is introduced in Chapter V. The capability of the DCFA algorithm to
detect RCA is analyzed in Chapter VI. This chapter also presents the evaluation of the
network performance metrics when DCFA is applied. Finally, Chapter VII provides a
summary of the thesis as well as recommendations for future research.
CHAPTER II
LITERATURE REVIEW
2.1 INTRODUCTION
This chapter reviews the work related to this research. It introduces a background on MANET and its related topics, such as routing and the special characteristics of MANET. Security issues over MANET are also explained. In addition, this chapter summarizes a set of research studies on the effects of attacks over MANET. Furthermore, it reviews the biological concepts and functions of the HIS and discusses the previously introduced AIS-based and non-AIS-based intrusion detection algorithms.
2.2 MOBILE AD HOC NETWORK
MANET is defined as a rapidly deployable, self-organizing and multi-hop wireless network. It is typically set up for a limited period of time and for particular applications such as military, disaster-area and medical applications. Nodes in MANET may move arbitrarily while communicating over wireless links. This network is typically used in situations where there is no centralized administration or support from networking infrastructure such as routers or base stations. Thus, nodes must act both as routers and as end-systems, and organize themselves in an efficient manner (Chlamtac et al. 2010; Murthy & Manoj 2004).
Figure 2.1 depicts an example of such a MANET with 9 nodes. In the figure, the circle around each node represents its radio range. Node S has one neighboring node, node 1, within its radio range, but the destination D is beyond its radio range. Thus, to communicate with D, S must use a multi-hop path S 1 2.
Figure 2.1 Mobile ad hoc network
2.2.1 MANET Characteristics
Many up-to-date studies pay attention to MANET as a new technology with specific characteristics that distinguish its environment from other types of networks. These characteristics are as follows (Çayırcı & Rong 2009; von Mulert et al. 2012; D. Wang et al. 2008):
C1-Openness: MANET nodes communicate with each other through an open wireless medium. Hence, external attackers can easily join the trusted node environment.
C2-Limited resources: MANET has limited power and bandwidth capacity.
C3-Mobility and dynamicity: MANET consists of highly mobile nodes, which cause frequent topology changes and reconfiguration.
C4-Wireless medium signalling: The nodes in MANET interact with each other through wireless signalling.
C5-Flexibility: MANET can be deployed in any type of area, even unstable ones such as military zones or areas of frequent natural disasters.
C6-Decentralization and self-organizing: MANET is an infrastructure-less wireless network with no centralized management points. Every node manages itself and can help manage the other nodes by sending alarm messages when an attacker is detected.
C7-Distributed computation: Each node performs routing processing and security processing and informs the other nodes to help the network survive.
2.2.2 MANET Routing Protocols
In all types of networks, routing is the process of discovering a certain destination node on request from a source node that needs to send data packets to that destination, and of maintaining the connection between them. However, routing over dynamic mobile nodes in MANET is a challenge that many routing protocols attempt to solve (Royer & Toh 1999; Zhao 2005). Any algorithm introduced over MANET, either for routing or for security, should deal efficiently with a set of aspects. It should perform distributed computing in each node in a decentralized, self-organizing and self-healing manner. At the same time, an algorithm over MANET should adjust its functionality to transfer data over limited bandwidth using a limited amount of energy (Alotaibi & Mukherjee 2011). In previous years, routing protocols were classified, based on the routing information updating mechanism, into two main categories: reactive and proactive routing protocols.
More recently, the scalability problem that arises when a high number of disseminated nodes is used, the need to deal with the limited battery power of the mobile nodes, and the continuous attempts to enhance the previously introduced routing protocols have all led to new categories of routing protocols over MANET, as shown in Figure 2.2 (Boukerche et al. 2011).
In reactive (or on-demand) routing protocols, the source node requests a route to the destination node, when needed, by flooding route request packets through its neighbors in a stage called route discovery. The source node may request only one path (uni-path) to the destination node, as in the AODV routing protocol.
In proactive (or table-driven) routing protocols, the source node preserves routing information to all existing network destinations in a routing table. Accordingly, the route to the destination is established proactively, unlike in the reactive routing category. As with reactive routing protocols, proactive routing protocols are divided into uni-path and multi-path routing protocols. For instance, destination-sequenced distance-vector (DSDV) (Perkins & Bhagwat 1994) is a uni-path routing protocol, whereas neighbor table-based multipath routing (NTBR) (Yao et al. 2003) is a multi-path proactive routing protocol.
Figure 2.2 MANET routing protocols categories
Hybrid routing protocols combine features of both reactive and proactive routing protocols; an example is the zone routing protocol (ZRP) (Samar et al. 2004). In multicast routing protocols, the source node may discover routes to several destinations simultaneously. An example of this category is dynamic core based multicast routing (DCMP) (Das et al. 2002).
In geographical (or location-aware) routing protocols, each node can determine the geographical location of the other nodes and use this information in its routing protocol. Specifically, a node can use the global positioning system (GPS) to determine the accurate coordinates of any destination it communicates with. An example of this category is location-aided routing (LAR) (Ko & Vaidya 2000).
In hierarchical routing protocols, mobile nodes are arranged hierarchically through clustering techniques. Consequently, the nodes at a higher level of the hierarchy are responsible for providing special services to other nodes. This technique reduces the routing overhead and solves the scalability problem, especially when the MANET becomes larger. An example of this category is hierarchical state routing (HSR) (Iwata et al. 1999). Finally, power-aware routing schemes have been built to make routing decisions based on the available energy in the mobile nodes. An example of this category is power-aware routing in mobile ad hoc networks (Singh et al. 1998).
2.3 SECURITY OVER MANET
Information security, as shown in Figure 2.3, is categorized into two main branches: computer security and communication security. Computer security protects the host from both hardware and software intrusions, such as damaging hardware components and worms or viruses that violate the security services of each part respectively. Communication security protects the link from passive and active attacks.
Communication security is divided into two subcategories: transmission security and emanation security. Transmission security, which is the scope of this research, is defined as securing the transmitted data from being revealed to unauthorized users and securing the link services from being disrupted. Emanation security protects visual and audio information from being revealed to receivers (Çayırcı & Rong 2009).
Figure 2.3 Information security
In any secured system, adding more security functions means adding more overhead (Sommerville 2004). In MANET this poses a big challenge that may degrade the network performance. Securing MANET through lightweight functions that achieve the intended security goals is therefore very important. It is worth noting that no system in the world is 100% secure.
2.3.1 Security Primitives
Intrusion detection systems form a line of defence that captures any malicious action attempting to violate one of the security services. The following intrusion detection categories are well known and used in any intrusion detection technique (Brutch & Ko 2003):
- Signature detection: this technique keeps all well-known attacks in its database so that it can accurately and effectively detect any encountered attack. However, it fails to detect newly invented attacks.
- Anomaly detection: this technique maintains a normal profile for each measured parameter, which is updated periodically. When a parameter deviates far enough from its normal profile, the deviation can reveal the existence of an attack. The strength of this technique is its ability to detect even newly invented attacks. However, it may produce high rates of false positive alarms.
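The anomaly-detection category above, applied to the RREQ flooding behaviour this thesis later targets, as an added example (not code from the thesis or from its DCFA implementation). It keeps a sliding-window normal profile of each node's RREQ count per interval and raises an alarm when a count deviates from the profile by more than a threshold number of standard deviations; the log records, the window size and the threshold are constructed for illustration.

```python
"""Anomaly-based detection of RREQ flooding against a per-node normal profile.

Added example (not from the thesis): each node's route-request (RREQ) rate is
profiled over a sliding window of past intervals; a count that deviates from the
profile by more than `threshold` standard deviations is flagged. The sample log,
window size and threshold are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (interval index, node id, number of RREQs sent in that interval).
SAMPLE_LOG = [
    (0, "n1", 3), (0, "n2", 2), (0, "n7", 4),
    (1, "n1", 2), (1, "n2", 3), (1, "n7", 3),
    (2, "n1", 4), (2, "n2", 2), (2, "n7", 5),
    (3, "n1", 3), (3, "n2", 3), (3, "n7", 4),
    (4, "n1", 3), (4, "n2", 2), (4, "n7", 40),   # n7 starts flooding
    (5, "n1", 2), (5, "n2", 3), (5, "n7", 55),
]


class NormalProfile:
    """Sliding-window profile of one parameter (RREQs per interval) for one node."""

    def __init__(self, window=4, min_samples=3, min_std=1.0):
        self.window = window            # how many past intervals form the profile
        self.min_samples = min_samples  # do not judge before the profile is trained
        self.min_std = min_std          # floor so a flat history does not flag tiny changes
        self.history = []

    def deviation(self, value):
        """Return the z-score of `value` against the profile, or None if untrained."""
        if len(self.history) < self.min_samples:
            return None
        mu = mean(self.history)
        sigma = max(pstdev(self.history), self.min_std)
        return (value - mu) / sigma

    def update(self, value):
        """Periodic profile update: the newest interval replaces the oldest."""
        self.history.append(value)
        self.history = self.history[-self.window:]


def detect_flooding(log, threshold=3.0):
    """Run the anomaly detector over (interval, node, rreq_count) records.

    Returns a list of (interval, node, z_score) alarms. Counts that raise an alarm
    are not folded into the profile, so a flooding node cannot shift its own
    baseline upward simply by continuing to flood.
    """
    profiles = defaultdict(NormalProfile)
    alarms = []
    for interval, node, count in sorted(log):
        prof = profiles[node]
        z = prof.deviation(count)
        if z is not None and z > threshold:
            alarms.append((interval, node, round(z, 1)))
            continue
        prof.update(count)
    return alarms


if __name__ == "__main__":
    for alarm in detect_flooding(SAMPLE_LOG):
        print("ALARM interval=%d node=%s z=%.1f" % alarm)
```

Only n7 trips the detector, and only from interval 4 onwards; the legitimate nodes stay within one standard deviation of their own profiles. The `min_std` floor is the knob that trades false positives for sensitivity: without it, a node whose history happens to be perfectly flat would alarm on a change of a single RREQ.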
2.3.2 Security Goals
Security is an important aspect in wireless ad hoc networks, especially for sensitive applications in military and critical tactical wireless networks. To the best of our knowledge, no research has yet achieved a fully secured MANET that is protected against all types of attacks (Greensmith 2007; Su & Adviser-Boppana 2009).
However, security systems do their best to fulfil as many of the security goals as they can. The goals of security are to achieve the following services (Çayırcı & Rong 2009; Juels 2006; Su & Adviser-Boppana 2009):
- Authentication: ensures that the node is communicating with the intended and correct node.
- Access control: protects the nodes and the network resources from being accessed by unauthorized users.
- Confidentiality: protects the transmitted data from being revealed to unauthorized users. This service is very important for protecting messages transmitted in sensitive cases, such as military messages in war and a country's secret information connections.
- Integrity: protects the messages transmitted through the link from being changed along their path by malicious nodes, so that they are delivered with the same contents as sent by the source node.
- Authorization: grants the claimed node the right to either modify the information or receive it. It is achieved through the integrity and authentication services.
- Non-repudiation: ensures that the source node of a message is the one that really sent it and not someone else.
- Availability: ensures the existence of network services and resources without
any depletion or disruption by the malicious nodes. This service is performed
against denial of service (DoS) attacks.
- Resilience to attacks: ensures the survivability of the network if one or more
nodes have been destroyed or compromised by the intruder.
- Freshness: prevents the malicious node from resending spoofed packets and
renewing the intrusion.
2.3.3 Types of Attacks over MANET
There are many types of attacks that form a real threat when applied to MANET; each type of attack differs from the others in the way the threat is applied, the goal of the attack and the stack layer targeted by the attacker. A summary of MANET attacks is shown in Figure 2.4. Some attacks are passive and others are active. Active attacks may be internal or external. In an internal attack, the attacker is located inside the attacked MANET, which is dangerous because the attacker is initially considered a trusted node. In an external attack, the attacker comes from outside the MANET, which is easier to detect because the attacker is not trusted. Passive attacks are only performed internally.
Figure 2.4 Attacks over MANET
Active and passive attacks are defined as follows (Çayırcı & Rong 2009; D. Wang et al. 2008):
Passive attack: in this type of attack, the intruder only monitors certain connections to get information about the traffic without injecting any fake information. This type of attack serves the attacker to gain information and build a footprint of the invaded network in order to apply an attack successfully. The types of passive attacks are eavesdropping and traffic analysis (Çayırcı & Rong 2009); each one is explained as follows:
- Eavesdropping: The intruder silently listens to the communication by tapping the wireless link.
- Traffic analysis: The intruder analyses the traffic in order to gain information about the network topology and hence inject the attack at a strategic place (e.g. near the cluster head) that helps the threat succeed.
Active attack: in this type of attack, the intruder performs an effective violation on either the network resources or the transmitted data; this is done by causing routing disruption, network resource depletion and node isolation. Below is a list of active attacks with a brief explanation of each type. Some active attacks depend on a bogus-packet flooding mechanism to achieve their threat purposes. The last six attacks in the list are examples of flooding-based attacks over MANET. All of the listed attacks lead to a DoS attack when launched over MANET.
- Black hole: The intruder injects the control routing packets with fake information in order to attract the node that requested the route and hence gain that route. After the intruder acquires the route, it could apply different types of attacks such as dropping and modifying packets (von Mulert et al. 2012; Yih-Chun & Perrig 2004).
- Gray hole: The same as the black hole attack; however, when the intruder succeeds in controlling the route, it selectively drops and modifies the packets (D. Wang et al. 2008).
- Worm hole: In this attack, at least two cooperating intruders communicate through a high-speed link to deceive the nodes, which wrongly consider the malicious link as the shortest path to the destination node (von Mulert et al. 2012).
- Dropping packets: The intruder simply drops packets destined for the target node. If it performs selective dropping, it is harder to detect (Baadache & Belmehdi 2012).
- Sybil: In this attack, the intruder masquerades under the identity of multiple nodes.
- Selfishness: In this attack, the intruder does not relay the packets it receives from others and forces the other nodes into long back-offs at the medium access control (MAC) layer so that it can use the link at any time (Çayırcı & Rong 2009; Kargl et al. 2005).
- Detour: In this attack, the intruder creates virtual nodes on the optimal routes to make them appear longer and costlier than the other, non-optimal routes; this forces the nodes to wrongly use the non-optimal route (Çayırcı & Rong 2009).
- Rushing: In this attack, the intruder broadcasts route request and reply packets very quickly in order to make the nodes discard any other control packet in the network (von Mulert et al. 2012; Yih-Chun & Perrig 2004).
- Exploiting node penalizing schemes: In this attack, the intruder broadcasts error messages about well-performing nodes and causes jamming so that these nodes are put on the black list (Çayırcı & Rong 2009).
- Routing table overflow: In this attack, the intruder overflows the nodes' routing tables with fake routing information (D. Wang et al. 2008).
- Hello flood: In this attack, the intruder broadcasts hello messages to all the network nodes using strong enough power to be wrongly considered their neighbour (Çayırcı & Rong 2009).
- RCA: also called the sleep deprivation attack; it is explained extensively in Section 3.8.
2.4 STUDIES IN THE EFFECTS OF ATTACKS OVER MANET
Studying the effect of a certain attack over MANET reveals the strengths and weaknesses of that attack. Therefore, this stage of study is considered a prerequisite to the stage of developing a countermeasure to the attack threats. The following studies investigated the effect of certain attacks over MANET.
In (Gupta et al. 2002), Gupta et al. studied the effects of flooding attacks on the 802.11 MAC protocol. They measured the effects of such attacks on the throughput of legitimate nodes. Legitimate nodes located one hop from the attackers are affected to a much higher degree than those two hops or more away, because the one-hop neighbours of the attackers lose almost their entire throughput under the suppression caused by the flooding.
In (Gu et al. 2007), Gu et al. analyzed the effect of the distributed denial of
service (DDoS) attack on the throughput of legitimate nodes in MANETs. They
examined the effect of remote and local flooding attacks and found that remote
flooding more effectively damages MANETs than does local flooding.
The authors in (Yi et al. 2005) investigated the effect of executing RCA over the AODV routing protocol and used the packet delivery ratio as the only performance metric. They observed that at a flooding rate of 30 RREQs/s, the RCA attackers decrease the packet delivery ratio by about 97%, whereas at a flooding rate of 20 RREQs/s, the attackers decrease it by about 50%.
Also, Ning and Sun in (Ning & Sun 2005) introduced a systematic analysis of
the AODV routing protocol under different attack actions. They explained how each
action is executed on each routing packet in AODV and the goal(s) achieved by
manipulating the protocol. The study is useful for researchers who are interested in
designing secure routing protocols, but the authors tested only one attacker.
Furthermore, they did not consider the vulnerability of AODV to RREQ packet
flooding attack, which strongly threatens the power capacity of network batteries.
In (Nguyen & Nguyen 2008), the authors simulated the effect of four types of
attacks, namely, rushing, black hole, neighbor and jellyfish attacks, on MANET. They
applied the attacks over the on-demand multicast routing protocol and found that as
the number of attackers increases, network performance decreases in all the four types
of attacks. They also determined that increasing the number of sender groups in
multicast routing protocols supports robustness and security.
Wallenta et al. (Wallenta et al. 2010) measured the effectiveness and efficiency of the interest cache poisoning attack on sensor networks (as a special type of MANET). In a burst attack, one technique of interest cache poisoning, the attacker continuously floods the network with numerous bogus packets, which imposes the worst effect on sensor caches.
Finally, in (Sakellari 2011), Sakellari evaluated the performance of the
cognitive packet network (CPN) (Gelenbe et al. 2002) routing protocol in MANETs
under the existence of worms and threats. CPN provides quality of service (QoS)
routing by self-learning from special packets. The evaluated performance was
compared with that of open shortest path first (Sidhu et al. 1993). CPN survives and
stays robust in guiding the network under the existence of worms.
2.5 THE HUMAN IMMUNE SYSTEM IN BIOLOGY
As immunology offers a wealth of biological models and concepts from which computer scientists draw inspiration for their AIS algorithms, it is important to understand the HIS in biology; this section provides that background for the discussion of AIS algorithms in this research.
2.5.1 Introduction to HIS
HIS is a network of cells, molecules, tissues and organs (some of which are lymph nodes) that cooperate with each other to protect the human body from invaders. In biology, human body invaders are termed pathogens and antigens. Pathogens are defined as the microbes that cause disease in the human body, such as bacteria, viruses, parasites and fungi. Antigens are the molecules or protein segments (peptides) from pathogens. HIS recognizes pathogens through their correlated antigens. Each antigen has a specific structure and hence forms a specific pattern to be detected and processed by the HIS. As a consequence, HIS can recognize the related pathogen and decide either to tolerate or to fight it (Janeway et al. 2005; NIAIDS 2003).
2.5.2 The HIS Cells
In biology, cells are the main structural units that build all of the human body systems, such as the digestive, immune, lymphatic and cardiovascular systems. In any organism, cells of a specific type of functionality congregate to form a particular tissue. In the same way, a collection of tissues with the same characteristics forms a specific organ, and a group of organs cooperating in the same function works together in one biological system, such as the HIS.
Cells in the HIS interact continuously with the human body tissue environment on one side and with each other within the immune system on the other. Each cell has receptors, which are proteins bound to the outer membrane of the cell. These receptors can recognize various types of incoming molecules from body tissues in a lock-and-key manner. The binding between a certain receptor and a molecule is called affinity, which reflects how strong the binding is. This affinity causes receptor activation, which leads to many changes in the cell's metabolism, morphology and functionality.
A molecule reacts with a certain receptor through its epitope portion, whilst the receptor reacts through its paratope portion. Molecules that are secreted from body tissues and control cell behaviour are called cytokines, whereas those that cause immune cells to move and migrate are called chemokines (Alberts 2002; Lodish et al. 1995). Cells in the HIS are divided into two main categories: phagocytes (or antigen presenting cells (APCs)) such as DCs, granulocytes and macrophages in the innate immunity, and lymphocytes such as T-cells and B-cells in the adaptive immunity (NIAIDS 2003). This requires explaining the two main cooperative HIS subsystems, which is done in subsection 2.5.3.
2.5.3 Innate and Adaptive Immunity
HIS is usually divided into two main subsystems, innate immunity and adaptive immunity, each of which has specific functions and characteristics. Specifically, innate immunity specializes in identifying the general pattern of incoming pathogens and inducing the adaptive subsystem to determine an exact response (either toleration or fighting) to those pathogens (Janeway 1998). Adaptive immunity is more complex and accurate than innate immunity. It can recognize the specific pattern of incoming pathogens and memorize their patterns for a long time (Janeway et al. 2005).
As innate immunity performs its defence in a non-specific manner while adaptive immunity protects the human body in a specific way, the reason behind these complementary, different resistance operations of the two subsystems needs to be explored. By examining the cells of the two subsystems in depth, immunologists found that in innate immunity the receptors of the same type of cells have a fixed genetic structure and can only recognize a general feature of a group of incoming pathogens.
2.5.4 T-Cells
All of the human body's cells are born from stem cells originating in the bone marrow through a stimulation operation. T-cells are born in the same way; however, they do not remain static in the HIS but undergo a cycle of differentiation in response to incoming signals (molecules). For example, when T-cells receive signals, this induces their capability to produce cytokines and to differentiate. These cytokines may also influence other cells, such as B-cells in the adaptive immunity, to differentiate.
The maturation place for T-cells is a lymph node called the thymus. In the thymus, T-cells go through two main maturation operations: positive selection and negative selection. These operations are performed on T-cells in order to protect the human body from autoimmunity. In other words, these operations filter the T-cells to prevent them from binding with any of the human body's antigens (self antigens). In positive selection, T-cells that show weak binding with non-self antigens are killed. In negative selection, T-cells that show strong binding with self antigens are killed (Kyewski & Derbinski 2004).
After the maturation stage, T-cells are termed naive T-cells, since they have never met the antigens that can bind with their receptors. This type keeps moving through the lymphatic and cardiovascular systems and the body tissues until they encounter DCs in the lymph nodes, as explained in the following subsection.
2.5.5 Dendritic Cells
DCs have three main differentiation states: immature, semi-mature and mature. When immature DCs receive enough input signals, they become either semi-mature or mature DCs based on the concentration of specific types of these input signals. Immature DCs receive four types of input signals: PAMP, danger, safe and inflammation signals. PAMP signals strongly indicate the existence of an infectious pathogen. Danger signals are released by necrotic cells, which are human body cells under stress or dying abnormally. Safe signals, on the other hand, are released by apoptotic cells, which are healthy cells or cells that die in a normal way. Inflammation signals are released as a result of an increase in cell temperature caused by an unhealthy state or infection. DC input signals are divided into endogenous and exogenous signals. Endogenous signals are those released from the cells of the body itself, such as safe, danger and inflammation signals. Exogenous signals are those released from microbes that enter the human body from the outside environment; an example of this type is PAMP signals (Dasgupta et al. 2011).
When immature DCs are exposed to these input signals, the concentration of each controls their next terminal differentiation state (either mature or semi-mature DCs). For example, if the concentration of the received PAMP and danger signals is greater than that of safe signals, immature DCs differentiate into mature DCs. PAMP and danger signals cause the receiving immature DCs to process their contents and produce a certain cytokine called interleukin-12 (IL-12). PAMP and danger signals also induce immature DCs to produce costimulatory molecules (CSM), also called CD80/86 in biology. The CSM signal simplifies the process of antigen presentation to T-cells in the lymph nodes. Conversely, if the concentration of safe signals is greater than that of PAMP and danger signals, immature DCs differentiate into semi-mature DCs. In this case, safe signals are responsible for producing interleukin-10 (IL-10). Additionally, safe signals induce the DCs to produce CSM signals, the same as PAMP and danger signals do. Therefore, the received input signals indicate the behavioural context of the digested antigens, whether benign or malignant.
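A simulation of the signal processing just described, as an added example that is not code from the thesis or from its DCFA implementation. The weight table, the migration threshold and the signal stream are constructed assumptions, structured after the weighted-sum signal processing of Greensmith's dendritic cell algorithm: PAMP and danger signals feed the mature (IL-12) output, safe signals feed the semi-mature (IL-10) output and oppose maturation, all three feed the costimulatory (CSM) output, and inflammation amplifies every output. A DC migrates once its accumulated CSM reaches the threshold, and every antigen it sampled inherits its terminal context.

```python
"""Simulated dendritic-cell (DC) context decision from input signal concentrations.

Added example (not from the thesis): the weight table, the migration threshold
and the sample signal stream are constructed assumptions, structured after the
weighted-sum signal processing of Greensmith's dendritic cell algorithm. Each DC
accumulates a costimulatory (CSM), a semi-mature (IL-10) and a mature (IL-12)
output; once CSM reaches the migration threshold the DC "migrates" and reports
its terminal context, and every antigen it sampled inherits that context.
"""
from collections import defaultdict

# Assumed weights: rows are output signals, columns are (PAMP, danger, safe).
WEIGHTS = {
    "csm":  (2.0, 1.0, 2.0),     # every input signal induces costimulatory molecules
    "semi": (0.0, 0.0, 3.0),     # only safe signals drive the semi-mature (IL-10) path
    "mat":  (2.0, 1.0, -1.5),    # PAMP/danger drive maturation; safe signals oppose it
}
MIGRATION_THRESHOLD = 10.0       # assumed CSM level at which the DC leaves the tissue

# Constructed stream of (antigen, PAMP, danger, safe, inflammation) events.
# "node-A" is mostly seen with safe signals, "node-X" with PAMP/danger signals.
SAMPLE_STREAM = [
    ("node-A", 0.0, 0.0, 2.0, 0.0),
    ("node-A", 0.0, 0.5, 2.0, 0.0),
    ("node-A", 0.0, 0.0, 1.5, 0.0),
    ("node-X", 1.0, 2.0, 0.0, 0.0),
    ("node-X", 2.0, 2.0, 0.5, 0.5),
    ("node-X", 1.0, 3.0, 0.0, 0.0),
    ("node-A", 0.0, 0.0, 2.0, 0.0),
    ("node-A", 0.0, 0.0, 1.0, 0.0),
]


def signal_outputs(pamp, danger, safe, inflammation=0.0):
    """One processing cycle: weighted sums of the inputs, amplified by inflammation."""
    amp = 1.0 + inflammation
    return {
        name: amp * (wp * pamp + wd * danger + ws * safe)
        for name, (wp, wd, ws) in WEIGHTS.items()
    }


class DendriticCell:
    def __init__(self):
        self.csm = self.semi = self.mat = 0.0
        self.antigens = []      # antigens sampled during this cell's lifetime

    def expose(self, antigen, pamp, danger, safe, inflammation=0.0):
        """Sample one antigen with the signals present; True once the cell migrates."""
        out = signal_outputs(pamp, danger, safe, inflammation)
        self.csm += out["csm"]
        self.semi += out["semi"]
        self.mat += out["mat"]
        self.antigens.append(antigen)
        return self.csm >= MIGRATION_THRESHOLD

    def context(self):
        """Terminal differentiation state reported on migration."""
        return "mature" if self.mat > self.semi else "semi-mature"


def run_population(stream):
    """Feed the event stream through successive DCs.

    Returns {antigen: fraction of its presentations made in the mature context}:
    close to 1.0 means the antigen was mostly collected in a danger context,
    close to 0.0 mostly in a safe context.
    """
    counts = defaultdict(lambda: [0, 0])   # antigen -> [mature presentations, total]
    cell = DendriticCell()
    for antigen, pamp, danger, safe, infl in stream:
        if cell.expose(antigen, pamp, danger, safe, infl):
            ctx = cell.context()
            for a in cell.antigens:
                counts[a][1] += 1
                if ctx == "mature":
                    counts[a][0] += 1
            cell = DendriticCell()       # a fresh immature DC replaces the migrated one
    # Whatever the last cell sampled without migrating is never presented.
    return {a: m / t for a, (m, t) in counts.items()}


if __name__ == "__main__":
    for antigen, value in sorted(run_population(SAMPLE_STREAM).items()):
        print("%s mature-context value %.2f" % (antigen, value))
```

On the constructed stream node-A is only ever presented in the semi-mature context, while node-X scores 2/3: its third sample was taken by a DC that afterwards absorbed mostly safe signals from node-A and migrated semi-mature. That dilution is exactly why a DC population, not a single cell, makes the decision, and why the thesis frames the context decision as a question of relative signal concentration rather than of any one signal.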
Figure 2.5 pictures the three differentiation states of DCs. Although DCs have the same receptor structure in the three differentiation states, they differ in their morphology. As noticed in Figures 2.5 (b) and (c), semi-mature and mature DCs have wider surfaces than immature DCs. The reason is to increase the capability of both mature and semi-mature DCs to display their receptors and bind with T-cell receptors when they encounter them in the lymph nodes.
Figure 2.5 States of DC differentiations. (a) immature, (b) semi-mature, (c) mature (Greensmith et al. 2010)
When immature DCs collect antigens from tissue, the antigens are digested into small segments of proteins called peptides. The major histocompatibility complex (MHC) helps present the peptides on the surface of the DCs, forming a peptide-MHC combination so that they can be easily recognized by T-cells. When immature DCs have been exposed to certain amounts of signals, they migrate to the lymph nodes, in which they encounter naive T-cells (NT-cells). The capacity of each immature DC for antigens and signals, as well as the concentration of external signals that causes immature DCs to migrate, are still ambiguous issues in immunology (Greensmith 2007).
Activation of T-cells in the lymph node needs two signals to take place. The first signal occurs when the T-cells' epitopes bind with the peptide-MHC on the surface of the DCs, in both the danger and the safe case. The second signal is either emitted from the fully mature DCs as IL-12, to stimulate the T-cell to fight in the danger state, or emitted from the semi-mature DCs as the cytokine IL-10, to suppress the naive T-cell in the safe state (Bretscher 1999; e Sousa 2001; Oshashi & De Franco 2002).
The communication between DCs and T-cells is an example of the co-stimulation concept applied by the immune system. Through co-stimulation, HIS cells go through a path of changes and may produce a population of cells to fight against the incoming danger. For instance, when naive T-cells bind with mature DCs and receive IL-12, they pass through a set of differentiation processes called clonal expansion. Clones are then differentiated into memory T-cells (MT-cells) and suppressor T-cells (ST-cells). One type of effector T-cell, the cytotoxic T-cell, is responsible for killing the incoming pathogen. MT-cells memorize the recognized malignant pathogen in order to mount a quick fighting response as soon as that pathogen is detected again in the body tissues. This type of quick and effective reaction to pathogens is called the secondary immune response (SIR). If, however, the immune system needs to learn the pathogen through a long process of collection and activation, this is termed the primary immune response (PIR) (Janeway et al. 2005).
2.5.6 Self Non-Self and Danger Theories
Forrest et al. (1994) introduced self non-self discrimination into computer security, and it has since been considered the essential basis of AIS intrusion detection. Some recent studies still rely on it, while others follow its competitor, the danger theory proposed by Matzinger (1994, 2001, 2002, 2007). In the self non-self view, the HIS tolerates all self antigens and fights all non-self ones. Negative selection is the main operation of the self non-self theory: T-cells that match self antigens are killed, and the remaining T-cells serve as detectors for non-self antigens. Applying negative selection in AIS suffers from a scaling problem: as the self set grows, the number of random candidate detectors that must be generated and checked grows sharply, and the resulting coverage gaps lead to increasing false positive and false negative alarm rates.
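As an added illustration, not part of the thesis, the following Python code implements negative selection with r-contiguous-bits matching over 8-bit strings and exposes the scaling problem described above. The string length, the matching threshold r, the number of candidates and the randomly drawn "self" sets are toy assumptions made for this example.

```python
import random

L = 8   # bit-string length for antigens and detectors (toy value, assumed)
R = 4   # r-contiguous-bits matching threshold (toy value, assumed)


def r_contiguous_match(a, b, r=R):
    """True when a and b agree in at least r consecutive positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def negative_selection(self_set, n_candidates, r=R, length=L, seed=1):
    """Generate random candidate detectors and kill every one that matches self.

    Returns the surviving detectors and how many candidates were rejected.
    """
    rng = random.Random(seed)
    detectors, rejected = [], 0
    for _ in range(n_candidates):
        cand = "".join(rng.choice("01") for _ in range(length))
        if any(r_contiguous_match(cand, s, r) for s in self_set):
            rejected += 1          # censored: it would raise a false positive on self
        else:
            detectors.append(cand)
    return detectors, rejected


def is_non_self(sample, detectors, r=R):
    """Classify a sample as non-self if any surviving detector matches it."""
    return any(r_contiguous_match(sample, d, r) for d in detectors)


def count_holes(self_set, detectors, r=R, length=L):
    """Count non-self strings that no detector covers (each one is a false negative)."""
    self_strings = set(self_set)
    holes = 0
    for i in range(2 ** length):
        s = format(i, f"0{length}b")
        if s not in self_strings and not is_non_self(s, detectors, r):
            holes += 1
    return holes


def scaling_demo(self_sizes=(4, 16, 64), n_candidates=2000, seed=1):
    """For growing self sets: (self size, surviving detectors, uncovered non-self strings)."""
    rng = random.Random(seed)
    universe = [format(i, f"0{L}b") for i in range(2 ** L)]
    rows = []
    for n in self_sizes:
        self_set = rng.sample(universe, n)     # constructed 'normal' patterns
        detectors, _ = negative_selection(self_set, n_candidates, seed=seed)
        rows.append((n, len(detectors), count_holes(self_set, detectors)))
    return rows


if __name__ == "__main__":
    for n, kept, holes in scaling_demo():
        print(f"|self|={n:3d}  detectors kept={kept:4d}  uncovered non-self={holes:3d}")
```

Run stand-alone, scaling_demo() shows the two sides of the scaling problem: as the self set grows from 4 to 64 strings, the share of the 2000 candidates that survive censoring collapses towards zero, and the non-self strings that no surviving detector covers (the "holes") are exactly the false negatives the text refers to. A surviving detector, in turn, was accepted only because it missed every self string in the training set, so a legitimate pattern absent from that set raises a false positive.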
Danger theory takes the decision to fight an antigen only when a danger state exists. Unlike self non-self, in danger theory the state of danger or safety that accompanies the antigen's behaviour is the basic discrimination rule for classifying it as normal or as an attacker. Danger theory is more efficient because not all self antigens are stable and safe enough to be tolerated, and not all foreign antigens are harmful; for example, some types of bacteria are useful for making vitamin K in the body. According to Matzinger (1994) there is also an ambiguity in the exact definition of self and non-self: in real life, the human immune system neither tolerates the whole self set nor attacks the whole non-self set. The theory was developed further over the years (Matzinger 1994, 2001, 2002, 2007). A biological example of the danger theory model is the interaction between DCs and naive T-cells described above.
2.6 FUZZY LOGIC THEORY
Fuzzy logic theory (Cox 1992) offers a natural way of representing and reasoning with human knowledge that involves uncertainty and ambiguity. Fuzzy logic was introduced in 1965 by Lotfi Zadeh, a professor at the University of California, Berkeley. Zadeh's fuzzy logic theory (Zadeh 1965) provides a robust mathematical model for dealing with inaccurate real-world data. It can be used as a general methodology to incorporate knowledge, heuristics or theory into controllers and decision makers. Zadeh presented fuzzy logic as a mathematical model of human thought. Fuzzy logic is basically a multi-valued logic that allows intermediate values to be defined between conventional evaluations such as cool and hot. Notions like freezing, cool, warm or hot can be formulated mathematically and processed by computers. In this way, a more human-like way of thinking can be applied to the programming of computers and the control of systems.
MANETs are complex and dynamic environments with a substantial number of uncertainties in network and environmental parameters. Moreover, MANETs are subject to unexpected overloads and failures, and they defy accurate analytical modelling. Fuzzy logic therefore appears to be a promising approach to many important aspects of current complex MANETs. Numerous fields have taken advantage of fuzzy logic properties. In MANETs, fuzzy logic has been used to improve decision-making, reduce resource consumption and increase performance; it has also been used to adapt protocol parameters more accurately and dynamically. Areas in which fuzzy logic has been applied include QoS-based routing (Huang et al. 2007; Khoukhi & Cherkaoui 2010; Lopes Gomes et al. 2011; Xia et al. 2012; Zhang et al. 2004), energy-aware routing (Chang et al. 2006a, 2006b; Liang et al. 2007), security (Dai et al. 2009; Kayarkar 2012; Khatri et al. 2010; Xia et al. 2011) and MAC protocols (Ren & Liang 2005).
2.7 INTRUSION DETECTION SYSTEMS
This section sheds light on two categories of IDSs: non-intelligent IDSs in subsection 2.7.1 and intelligent IDSs in subsection 2.7.2. Subsection 2.7.1 discusses techniques introduced to counter specific types of attack launched at a specific protocol layer (e.g. the network layer or the data link layer). Subsection 2.7.2 gives the historical development of some of the best known AIS intrusion detection algorithms and frameworks. As AIS-based IDSs are a recent development, few studies have applied them to MANET. Accordingly, some of the algorithms reviewed here were developed for wired networks, some are applicable to MANET, and only one (to the best of our knowledge) has been applied to WSNs.
2.7.1 Non Intelligent Intrusion Detection Systems
Ping et al. (2006) presented a flooding-based attack called the Ad Hoc Flooding Attack (AHFA). In AHFA, the intruder broadcasts RREQ packets at a high rate towards certain targeted nodes in the MANET in order to consume their energy and the network bandwidth. The authors proposed a simple detection mechanism called Flooding Attack Prevention (FAP). In FAP, each node calculates the rate at which it receives RREQ packets from each neighbouring node; if that rate exceeds a certain threshold, the node refuses to process further requests from that neighbour. The authors tested FAP using a single network performance metric, the packet delivery ratio, which improves by only 30% compared with the unprotected case under AHFA. The mechanism also fails when the attacker changes its IP address each time it floods its forged RREQs, because FAP then never sees any single source exceed the threshold.
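To make the FAP rule and its failure mode concrete, here is an added Python model (not the authors' code) of the per-source RREQ rate check, replayed over two constructed traces: an attacker flooding from a fixed address, and the same flood with the source IP rotated on every packet. The threshold of 5 RREQs per 1 s window and the addresses are assumptions for the example.

```python
from collections import defaultdict, deque

RREQ_RATE_THRESHOLD = 5   # max RREQs per window from one source (assumed, not the paper's value)
WINDOW = 1.0              # sliding window length in seconds (assumed)


class FapMonitor:
    """Per-source RREQ rate check in the spirit of FAP (Ping et al. 2006)."""

    def __init__(self, threshold=RREQ_RATE_THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # source -> timestamps inside the window
        self.denied = set()                # sources whose requests are no longer served

    def on_rreq(self, src, t):
        """Return True if the RREQ from src at time t is processed, False if dropped."""
        if src in self.denied:
            return False
        q = self.recent[src]
        q.append(t)
        while q[0] <= t - self.window:     # expire timestamps that left the window
            q.popleft()
        if len(q) > self.threshold:        # rate exceeded: deny this source from now on
            self.denied.add(src)
            return False
        return True


def replay(trace):
    """Feed a time-ordered list of (source, time) RREQ events to a fresh monitor."""
    mon = FapMonitor()
    accepted = sum(1 for src, t in trace if mon.on_rreq(src, t))
    return accepted, sorted(mon.denied)


def legit_trace():
    # Constructed: a legitimate node issuing 2 RREQ/s for 3 s
    return [("10.0.0.2", 0.5 * i) for i in range(6)]


def fixed_ip_attack():
    # Constructed: attacker sends 20 RREQs within one second from one address
    flood = [("10.0.0.9", 0.05 * i) for i in range(20)]
    return replay(sorted(legit_trace() + flood, key=lambda e: e[1]))


def spoofed_ip_attack():
    # Constructed: the same 20 RREQs, each carrying a different source address
    flood = [(f"10.0.1.{i}", 0.05 * i) for i in range(20)]
    return replay(sorted(legit_trace() + flood, key=lambda e: e[1]))


if __name__ == "__main__":
    print("fixed IP  :", fixed_ip_attack())    # attacker denied after 5 RREQs
    print("spoofed IP:", spoofed_ip_attack())  # every RREQ accepted, nobody denied
```

In the fixed-address case the attacker gets only five requests through before it is denied, while the legitimate node is untouched. In the spoofed case every forged RREQ is accepted and the denied set stays empty: the check keys on a self-declared source address, which is the weakness the text points out.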
Liu and Shen (2007) proposed a mechanism to mitigate the flooding attack, which denies service to the normal nodes in a MANET. In this mechanism, each legitimate node monitors its neighbours and the traffic coming from each of them, and partitions its buffer so that each neighbour receives a fixed share: a node with n neighbours reserves 1/n of its buffer for each of them. If a neighbour sends more than its 1/n share, the node simply discards that neighbour's packets. This mechanism fails in the mobile environment of MANET because it does not distinguish between the identities of legitimate neighbours and attackers: a group of attackers that keeps moving among legitimate nodes obtains a buffer share at each one, injects its flood of forged packets there, and succeeds in exhausting the network resources.
Venkataraman et al. (2009) proposed a trust-based mechanism in which each legitimate node classifies its neighbouring nodes into three trust levels: friends (most trusted), acquaintances (trusted) and strangers (not trusted). The classification is based on certain parameters, without any intelligent method: the ratio of packets forwarded by the neighbour to packets sent to it, the neighbour's average response time to route requests, and the number of intact packets received from the neighbour compared with the total number received from it. This mechanism fails in the same scenarios as the watchdog described below.
Kim and Song (2010) proposed a period-based defence mechanism (PFM) to detect a flooding attack that floods request and data packets in order to exhaust network resources such as bandwidth and node battery capacity. In PFM, each legitimate node calculates, for each period of time, the deviation of each received packet flow from the average reception rate in that period. Packets whose deviation exceeds a certain threshold are blacklisted for that period; blacklisted packets are then discarded and not forwarded in the next period. Because the blacklist is recalculated in every period, the scheme adds computational overhead and gives the attacker a fresh chance to inject its forged flood in each new period.
Marti et al. (2000) introduced the watchdog, which detects the packet dropping attack over the data link layer. The watchdog overhears whether or not the neighbouring node forwards the sent packet to the next hop. This overhearing consumes the limited power of MANET nodes. The method also fails when a collision occurs, or when the malicious node adjusts its transmission power so that the previous node overhears the transmission but the next hop does not receive it.
Lee et al. (2002) applied intrusion detection to the DSR routing protocol to detect the black hole attack. The method requires an intermediate node to send a route confirmation request (CREQ) packet to its next hop node downstream. When the next hop node receives the CREQ, it checks its cache for a route to the destination; if it has one, it sends a route confirmation reply (CREP) containing its route information to the source node. The source then judges the validity of the route in the previously received RREP by comparing its contents with those of the CREP. This method is simple and accurate, but it causes high routing overhead, which degrades network throughput and performance.
To secure the AODV routing protocol, Deng et al. (2002) proposed a source intrusion detection routing security (SID-RS) mechanism that detects the black hole attack only when an intermediate node unicasts a RREP packet. When the source node receives a RREP from an intermediate node, it sends a further route request (FRREQ) packet, over a different route, to the intermediate node's next hop, asking whether that next hop has a route to the intermediate node that sent the RREP and whether it has a route to the destination. As soon as the next hop node receives the FRREQ, it returns a further route reply (FRREP) packet carrying the results of these checks to the source. If the next hop has routes to both the destination and the intermediate node, the source uses the route. If it has a route to the destination but not to the intermediate node, the source routes through the next hop over the new route and broadcasts an alarm message to isolate the intermediate node. If the next hop has a route to neither, the source discovers a new route.

The mechanism of Deng et al. (2002) is efficient in detecting the black hole attack, but it has more than one drawback. Sending the FRREQ from the source to the next hop and waiting for the FRREP increases routing overhead and delay, especially in large-scale MANETs and when the intermediate node is many hops away from the source.
Kurosawa et al. (2007) introduced an anomaly-based intrusion detection mechanism that detects the black hole attack locally at each node, unlike the mechanisms of Deng et al. (2002) and Lee et al. (2002). When a source node broadcasts a RREQ packet, each node records the destination IP address and destination sequence number in its routing table according to the AODV protocol. When a RREP packet is received, each node checks its routing table for the same destination IP address; if present, the difference between the RREP's destination sequence number and the recorded one is calculated. The average of this difference over each time slot forms a security profile for each destination, and the average over the whole interval is then compared with a threshold: if it is less than or equal to the threshold the replying node is considered normal, otherwise it is considered malicious and an alarm is broadcast. This work needs no additional routing packets, but its dependence on a threshold to identify the attacker makes it prone to false positives.
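The sequence-number profiling of Kurosawa et al. (2007) can be shown on a few constructed RREP observations. The Python below is an added example rather than the authors' implementation; the slot length, the threshold value and the sample RREPs (a normal replier C and a black hole M that advertises an inflated destination sequence number so that its reply wins the route) are assumptions.

```python
from collections import defaultdict
from statistics import mean

SEQ_DIFF_THRESHOLD = 10.0   # assumed; the paper's threshold value is not given in the text
SLOT = 1.0                  # length of one time slot in seconds (assumed)

# Constructed RREP observations at one node: (time, replying node, dst seq number
# recorded in the routing table at RREQ time, dst seq number carried in the RREP).
# Node C answers with realistic small increments; node M is a black hole that
# advertises a huge sequence number so that its reply is preferred by AODV.
SAMPLE_RREPS = [
    (0.2, "C", 10, 11), (0.5, "M", 10, 5010), (0.7, "C", 11, 12),
    (1.3, "C", 12, 12), (1.6, "M", 11, 9000),
    (2.1, "C", 12, 14), (2.4, "M", 12, 7012),
]


def slot_averages(rreps, slot=SLOT):
    """Average (RREP seq - table seq) per (replier, time slot): the security profile."""
    buckets = defaultdict(list)
    for t, replier, table_seq, rrep_seq in rreps:
        buckets[(replier, int(t // slot))].append(rrep_seq - table_seq)
    return {key: mean(diffs) for key, diffs in buckets.items()}


def classify_repliers(rreps, threshold=SEQ_DIFF_THRESHOLD, slot=SLOT):
    """Average the per-slot profile over the whole interval and apply the threshold."""
    per_replier = defaultdict(list)
    for (replier, _), avg in slot_averages(rreps, slot).items():
        per_replier[replier].append(avg)
    return {
        r: ("malicious" if mean(avgs) > threshold else "normal")
        for r, avgs in per_replier.items()
    }


if __name__ == "__main__":
    print(slot_averages(SAMPLE_RREPS))
    print(classify_repliers(SAMPLE_RREPS))                 # C normal, M malicious
    print(classify_repliers(SAMPLE_RREPS, threshold=0.5))  # too tight: C is flagged too
```

The last call shows the false positive risk the text raises: with the threshold set too low, the normal node's ordinary sequence-number growth (here an average difference of 1) is enough to mark it malicious, so the threshold has to be calibrated against the legitimate increment rate of the deployment.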
Padilla et al. (2007) proposed a black hole intrusion detection technique for a table-driven tactical MANET that uses a topology graph server with a stable power supply and distributed sensors. The optimized link state routing protocol (OLSR) (Jacquet et al. 2001) was used. The proposed IDS builds a graph of the entire network at each time interval from the deployed sensors, so the true number of neighbours of each node, which is the main factor deciding which node wins a route, appears in this graph. When any node sends a hello message containing its information, the system compares the number of neighbours the node claims with the true number in the system's graph. If the difference exceeds a certain threshold the node is considered malicious and an alarm is broadcast; otherwise the node is considered normal and the route is accepted. The additional sensors needed to build the network graph are a cost overhead.
Eriksson et al. (2006), Phuong et al. (2007), Su and Boppana (2008) and Su (2009) proposed time-based wormhole intrusion detection techniques. True-link (Eriksson et al. 2006), which applies its detection at the MAC layer, is practical because it is based on a widely used protocol with some extensions. However, there is no flexibility in its timeout, which equals the short inter-frame space (SIFS); as a result, false positive alarms may arise under congestion or heavy traffic load on the link.
The transmission time-based mechanism (TTM) (Van Phuong et al. 2007) relies on the round trip time (RTT) to detect the wormhole attack. TTM is a simple and accurate technique that can locate the position of the wormhole in the path. However, attackers on the tested path may write a fake RTT value equal to the RTT written by normal nodes, which increases the false negative rate.
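The following Python is an added, simplified model of the TTM idea (not the authors' code): the source turns the cumulative RTTs reported for each node on the path into per-hop times and flags a hop that is far slower than the rest, which locates the wormhole tunnel. The path, the RTT values, the "3x the median" rule and the consistency check at the end are assumptions for this example.

```python
from statistics import median

HOP_FACTOR = 3.0   # a hop slower than 3x the median per-hop RTT is suspect (assumed rule)

PATH = ["S", "A", "B", "C", "D"]
# Constructed cumulative RTTs (ms) reported for A, B, C, D. B and C are the two
# wormhole endpoints: the tunnel between them adds about 10 ms to every hop beyond B.
HONEST_RTTS = [2.0, 4.1, 16.0, 18.2]
# The same path when B and C rewrite the reported timestamps so every hop looks uniform.
# Every RREP from nodes beyond the tunnel passes through B and C, so without
# authentication of the timestamps they can forge C's and D's values alike.
FORGED_RTTS = [2.0, 4.1, 6.2, 8.3]
MEASURED_END_TO_END = 18.2   # what S itself observes for the RREP coming back from D


def per_hop_rtt(cumulative):
    """Turn cumulative RTTs (S to each node) into per-hop contributions."""
    hops, prev = [], 0.0
    for rtt in cumulative:
        hops.append(rtt - prev)
        prev = rtt
    return hops


def locate_wormhole(path, cumulative, factor=HOP_FACTOR):
    """Return the (node, next node) hops whose RTT is anomalously large."""
    hops = per_hop_rtt(cumulative)
    med = median(hops)
    return [(path[i], path[i + 1]) for i, h in enumerate(hops) if h > factor * med]


def report_is_consistent(cumulative, measured_total, tolerance=0.5):
    """Cross-check the last reported cumulative RTT against the source's own measurement.

    This check is an addition here, not part of TTM as described: the source timestamps
    the RREQ it sends and the RREP it receives itself, so intermediate nodes can only
    lengthen that total, never shorten it, and a reported total well below it is forged.
    """
    return abs(cumulative[-1] - measured_total) <= tolerance


if __name__ == "__main__":
    print("honest report:", locate_wormhole(PATH, HONEST_RTTS))   # [('B', 'C')]
    print("forged report:", locate_wormhole(PATH, FORGED_RTTS))   # [] -> false negative
    print("forged report consistent with own measurement?",
          report_is_consistent(FORGED_RTTS, MEASURED_END_TO_END))
```

With honest reports the B-C hop stands out and is located correctly. With forged reports the per-hop detector is blind, which is the false negative the text describes; only comparing the reported total against the source's own end-to-end measurement reveals that the reports were tampered with.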
Su and Boppana (2009) put forward equations to detect the wormhole attack, but these equations include parameters that must be supplied by the node under test, which gives the attacker the chance to supply fake information and so evade detection. True-link is the most self-reliant technique, since it does not depend on any outside node for the information its detection requires.
Finally, Li et al. (2012) proposed a collaborative, multidimensional trust-based intrusion detection algorithm for securing MANET, called the gossip-based distributed outlier detection algorithm (G-BDODA). G-BDODA identifies outliers, which the authors define as abnormal behaviours most likely exhibited by attackers, and uses a multi-dimensional trust management approach to estimate the honesty of nodes from different perspectives. The algorithm is efficient and accurate but suffers from routing overhead. Table 2.1 summarizes the non AIS-based intrusion detection systems reviewed above.
Table 2.1 Non intelligent intrusion detection systems

Authors               Year  Contribution            Strengths             Drawbacks
Li et al.             2012  G-BDODA                 accurate              routing overhead
H. Kim & Song         2010  PFM                     simple                not accurate
Venkataraman et al.   2009  Trust-based mechanism   simple                consumes energy; fails in some cases
Su & Boppana          2008  NEVO                    simple                not self-reliant
Kurosawa et al.       2007  Secure AODV             no routing overhead   ambiguous threshold
Padilla et al.        2007  Secure tactical MANET   no routing overhead   costly
Phuong et al.         2007  TTM                     simple                not self-reliant
Liu and Shen          2007  -                       simple                fails in high-mobility MANETs
Ping et al.           2006  FAP                     simple                fails when attacker changes its IP address
Eriksson et al.       2006  True-link               self-reliant          susceptible to FP
Lee et al.            2002  Secure DSR              simple & accurate     routing overhead
Deng et al.           2002  SID-RS                  simple & accurate     routing overhead
Marti et al.          2000  Watchdog                low FP                consumes energy; fails in some cases
2.7.2 Intelligent Intrusion Detection Systems
Chelly and Elouedi (2010) introduced fuzzy sets in the last stage of the DCA proposed by Greensmith et al. (2005) to smooth the separation between normality and abnormality in the calculated mature context antigen value (MCAV). The fuzzy system has two input parameters, the semi-mature DC signal and the mature DC signal; the defuzzification stage determines the final maturity state of each DC, so that the antigens' final contexts are decided more accurately. The proposed fuzzy dendritic cell method (FDCM) was tested on a set of databases and gave more accurate results than DCA. However, since FDCM adds only a small enhancement to DCA and the core calculation of the received antigens' contexts still depends on DCA, FDCM suffers from the same drawbacks of high false positive rate and low accuracy, especially when normal and abnormal antigens are tested simultaneously (Chelly & Elouedi 2010).
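To show what section 2.6's fuzzy reasoning buys at the DC context stage described for FDCM, here is an added Python example (not Chelly and Elouedi's code, and not the DCA reference implementation). It contrasts the crisp DCA decision, which calls a DC mature whenever its mature signal exceeds its semi-mature signal, with a Mamdani inference over the same two signals that is centroid-defuzzified into a graded context in [0, 1], and then averages both into an MCAV. The membership functions, the three-rule base and the borderline sample signals are assumptions for illustration.

```python
def low(x):
    return max(0.0, 1.0 - 2.0 * x)


def med(x):
    return max(0.0, 1.0 - abs(2.0 * x - 1.0))


def high(x):
    return max(0.0, 2.0 * x - 1.0)


def crisp_context(semi, mature):
    """Plain DCA decision: a DC's context is mature (1.0) when its accumulated
    mature output signal exceeds its semi-mature one, otherwise semi-mature (0.0)."""
    return 1.0 if mature > semi else 0.0


def fuzzy_context(semi, mature, steps=100):
    """Mamdani inference over the two DC output signals, centroid-defuzzified to [0, 1].

    The three rules are an assumption made for this example, not FDCM's rule base.
    """
    danger = min(high(mature), low(semi))       # mature high AND semi low  -> danger
    safe = min(high(semi), low(mature))         # semi high AND mature low  -> safe
    uncertain = min(med(mature), med(semi))     # both medium               -> uncertain
    num = den = 0.0
    for i in range(steps + 1):                  # discretised output universe [0, 1]
        x = i / steps
        mu = max(min(safe, low(x)), min(uncertain, med(x)), min(danger, high(x)))
        num += x * mu
        den += mu
    return num / den if den else 0.5            # no rule fired: report full ambiguity


def mcav(presentations, context_fn):
    """Mature context antigen value: mean context over all presentations of one antigen."""
    return sum(context_fn(s, m) for s, m in presentations) / len(presentations)


# Constructed (semi, mature) signal pairs for one antigen presented three times,
# all sitting close to the decision boundary.
BORDERLINE = [(0.45, 0.55), (0.55, 0.45), (0.48, 0.52)]

if __name__ == "__main__":
    print("clear danger :", crisp_context(0.1, 0.9), round(fuzzy_context(0.1, 0.9), 3))
    print("clear safe   :", crisp_context(0.9, 0.1), round(fuzzy_context(0.9, 0.1), 3))
    print("MCAV crisp   :", round(mcav(BORDERLINE, crisp_context), 3))
    print("MCAV fuzzy   :", round(mcav(BORDERLINE, fuzzy_context), 3))
```

For clear-cut signals both decisions agree. For the borderline antigen the crisp rule flips on tiny differences and yields an MCAV of about 0.67, which an anomaly threshold of 0.5 would turn into an alarm, whereas the graded contexts average to about 0.5 and keep the ambiguity visible. That smoothing is the improvement FDCM targets; it does not change the signals that feed the decision, which is why, as the text notes, the underlying DCA limitations remain.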
Dickerson (2000) proposed the fuzzy intrusion recognition engine (FIRE) as an anomaly-based intrusion detection system. FIRE uses fuzzy logic to determine the existence of transport layer attacks, specifically TCP port scans and ICMP (ping) scans, in wired networks. Data mining techniques are used in FIRE to expose the attack metrics processed by the fuzzy syst