Alert Aggregation in Mobile Ad-Hoc Networks


Page 1: Alert Aggregation in Mobile Ad-Hoc Networks

Alert Aggregation in Mobile Ad-Hoc Networks

By

Bo Sun, Kui Wu, Udo W. Pooch

Page 2: Alert Aggregation in Mobile Ad-Hoc Networks

Background

• MANET - Mobile Ad-hoc NETwork

• Routing in MANETs is difficult

– mobility causes frequent network topology changes

– When network nodes move, established paths may break and the routing protocol must dynamically search for other feasible routes

• Protection of routes from malicious agents is tough!

Page 3: Alert Aggregation in Mobile Ad-Hoc Networks

Proposed technique

• Protection of routing protocols in MANETs using

– Non-overlapping Zone-Based Intrusion Detection System for MANETs

• Alert Aggregation algorithm that provides low false alarms

Page 4: Alert Aggregation in Mobile Ad-Hoc Networks

Threat Model

• Attacker: 1

• Victims: 2, 3, 4, 7, 8

• Attacker Objective: 3

[Figure: network topology with nodes 1–8; falsified RREP {2,4,9,7,1,5,3}]

Page 5: Alert Aggregation in Mobile Ad-Hoc Networks

Assumptions

• Network can be divided into non-overlapping zones

• Local IDS agent is tamper resistant

• Attacker uses a fake address but does not change it dynamically

Page 6: Alert Aggregation in Mobile Ad-Hoc Networks

ZBIDS Framework

• Gateway nodes 4, 7, 8

• Intra-zone nodes report to gateway nodes

Page 7: Alert Aggregation in Mobile Ad-Hoc Networks

IDS Agent

Page 8: Alert Aggregation in Mobile Ad-Hoc Networks

Determination of P

• Determination of P depends on

– Attack intensity, attack time, node placement

• If P is low

– Gateway nodes can detect attacks => high false positive

• Else

– Gateway nodes can miss attacks => low false positive

Page 9: Alert Aggregation in Mobile Ad-Hoc Networks

Determine_p

• P = h_t * P_test + h_a * P_attack

Where h_t and h_a are the false positive ratio and the detection ratio

Page 10: Alert Aggregation in Mobile Ad-Hoc Networks

Alert Aggregation

• Alert Aggregation algorithm

– Detection sensitivity decreases with the increase in the number of attackers

– How about colluding attacks?

Page 11: Alert Aggregation in Mobile Ad-Hoc Networks

Performance Metrics

• False Positive Ratio: percentage of decisions in which normal alert aggregations are flagged as anomalous

• Detection ratio: number of gateway nodes raising correct alarms divided by total number of gateway nodes which should raise alarms in the anomalous data
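The following is an added illustration, not code from the paper or the slides, of how the pieces on slides 6, 8, 9 and 11 fit together: intra-zone nodes report local alert confidences to their gateway, the gateway aggregates them and alarms when the aggregate reaches the threshold P, and the two performance metrics are computed over a set of constructed aggregation rounds. The aggregation rule (mean of reported confidences), the zone membership, and every reported value are assumptions made for the example; only the gateway ids 4, 7, 8 and the formula for P come from the slides. Sweeping P reproduces the trade-off stated on slide 8: a low P catches every attack but flags a normal round, a high P stays quiet on normal rounds but misses an attack.

```python
"""Toy zone-based alert aggregation and the two slide-11 metrics.

Not the paper's algorithm: the gateway rule (mean of local alert confidences
compared against P), the zone membership and all node reports are constructed
for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Gateway nodes named on slide 6; which nodes belong to each zone is assumed.
GATEWAYS = {4, 7, 8}


@dataclass
class ZoneEpisode:
    """One aggregation round at one gateway (constructed sample)."""
    gateway: int
    reports: Dict[int, float]   # intra-zone node id -> local alert confidence in [0, 1]
    under_attack: bool          # ground truth, used only for scoring


def determine_p(h_t: float, p_test: float, h_a: float, p_attack: float) -> float:
    """Slide 9's formula, transcribed: P = h_t * P_test + h_a * P_attack,
    where h_t is the false positive ratio and h_a the detection ratio."""
    return h_t * p_test + h_a * p_attack


def aggregate(reports: Dict[int, float], p: float) -> Tuple[float, bool]:
    """Gateway-side aggregation (assumed rule): average the confidences reported
    by intra-zone nodes and raise an alarm when the average reaches P."""
    if not reports:
        return 0.0, False
    score = sum(reports.values()) / len(reports)
    return score, score >= p


def evaluate(episodes: List[ZoneEpisode], p: float) -> Tuple[float, float]:
    """Return (false positive ratio, detection ratio) for threshold P.

    False positive ratio: share of normal aggregation rounds flagged as anomalous.
    Detection ratio: gateways raising a correct alarm divided by the gateways
    that should have raised one.
    """
    normal = [e for e in episodes if not e.under_attack]
    anomalous = [e for e in episodes if e.under_attack]
    false_alarms = sum(1 for e in normal if aggregate(e.reports, p)[1])
    correct_alarms = sum(1 for e in anomalous if aggregate(e.reports, p)[1])
    fpr = false_alarms / len(normal) if normal else 0.0
    dr = correct_alarms / len(anomalous) if anomalous else 0.0
    return fpr, dr


def sweep(episodes: List[ZoneEpisode], thresholds: Iterable[float]) -> Dict[float, Tuple[float, float]]:
    """Evaluate both metrics for each candidate threshold P."""
    return {p: evaluate(episodes, p) for p in thresholds}


# Constructed sample rounds. In attack rounds the nodes that saw a falsified
# RREP report high confidence; in normal rounds, route churn from mobility
# yields only low scores.
SAMPLE_EPISODES = [
    ZoneEpisode(4, {2: 0.10, 3: 0.20}, under_attack=False),
    ZoneEpisode(7, {5: 0.30, 6: 0.40}, under_attack=False),
    ZoneEpisode(8, {9: 0.00, 10: 0.10}, under_attack=False),
    ZoneEpisode(4, {2: 0.90, 3: 0.80}, under_attack=True),
    ZoneEpisode(7, {5: 0.40, 6: 0.60}, under_attack=True),
    ZoneEpisode(8, {9: 0.70, 10: 0.90}, under_attack=True),
]

if __name__ == "__main__":
    for p, (fpr, dr) in sweep(SAMPLE_EPISODES, (0.3, 0.45, 0.7)).items():
        print(f"P={p:.2f}  false positive ratio={fpr:.2f}  detection ratio={dr:.2f}")
```

With the constructed rounds, P=0.30 gives a false positive ratio of 1/3 and a detection ratio of 1.0, P=0.45 gives 0 and 1.0, and P=0.70 gives 0 and 2/3, which is the behaviour slide 8 describes; the `determine_p` transcription is kept separate because its inputs come from a calibration step the slides do not detail.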