Efficient Anomaly Intrusion Detection System in Adhoc Networks by Mobile Agents


  • 8/13/2019 Efficient Anomaly Intrusion Detection System in Adhoc Networks by Mobile Agents


    Efficient Anomaly Intrusion Detection System in Adhoc Networks by Mobile Agents

    Abolfazl Esfandi

    Department of Computer Engineering, Islamic Azad University, Boroujerd Branch

    Boroujerd, [email protected]

    Abstract-Networks are protected using many firewalls and encryption software, but many of them are not sufficient or effective. Most intrusion detection systems for mobile ad hoc networks focus on either routing protocols or their efficiency, but fail to address the security issues. Some of the nodes may be selfish, for example by not forwarding packets to the destination, thereby saving battery power. Others may act maliciously by launching security attacks such as denial of service or by hacking information.

    The ultimate goal of security solutions for wireless networks is to provide security services, such as authentication, confidentiality, integrity, anonymity, and availability, to mobile users. This paper incorporates agents and data mining techniques to prevent anomaly intrusion in mobile ad hoc networks. It presents an anomaly detection system comprising detection modules for detecting anomalies in each layer. The home agent present in each system collects data from its own system and uses data mining techniques to observe local anomalies. The mobile agents monitor the neighboring nodes and collect information from neighboring home agents to determine the correlation among the observed anomalous patterns before the data is sent. This system was able to stop all of the successful attacks in an ad hoc network and reduce the false alarm positives.

    Kwd u dc y dcwk Nwk Scu

    I. INTRODUCTION

    Intrusion detection is an important part of computer security. It provides an additional layer of defense against computer misuse after physical, authentication and access control [5].

    A mobile ad hoc network is a collection of wireless mobile hosts forming a dynamic network infrastructure without any standard infrastructure or centralized administration. The flexibility in space and time induces new challenges for the security infrastructure. The nature of mobility creates new vulnerabilities due to the open medium, dynamically changing network topology, cooperative algorithms, and lack of centralized monitoring and management points, and many of the proven security measures turn out to be ineffective. Therefore, the traditional way of protecting wireless networks with firewalls and encryption software is no longer sufficient [24].

    97815509/10/$600 010 EEE


    Military, university campuses and conference settings also gain on account of these wireless networks, since they allow easy collaboration and efficient communication on the fly without the need for costly network infrastructure.

    Expectations are also high with respect to the use of these networks in places like hotels, airports etc. But a vital problem that must be solved in order to realize these applications of ad hoc networks is that concerning the security aspects of such networks [8].

    Intrusion detection is used in networks by comparing the set of baselines of the system with the present behavior of the system [3]. Thus, a basic assumption is that the normal and abnormal behaviors of the system can be characterized.

    The intrusion detection community has dealt mainly with wired networks, and security is lacking in wireless networks. Anomaly detection and misuse detection (or signature detection) are the two techniques used for intrusion detection systems. Anomaly detection describes the abnormal patterns of behavior, where "abnormal" patterns are defined beforehand. Misuse detection relies on the use of specifically known patterns of unauthorized behavior.

    These techniques rely on sniffing packets and using the sniffed packets for analysis. To realize these ID techniques, the packets can be sniffed on each of the end hosts. This is called host intrusion detection (HID). It is also possible to sniff these packets on certain predetermined machines in the network. This is called network intrusion detection (NID).

    Mobile agents are a special type of agent defined as "processes capable of roaming through large networks such as the ad hoc wireless network, interacting with machines, collecting information and returning after executing the tasks adjusted by the user". The nature of mobility in wireless networks creates vulnerability due to the open medium and dynamically changing networks. To avoid such circumstances, new architectures and mechanisms must be developed to protect wireless networks and mobile computing applications [7].

    The remainder of the paper is organized as follows: Section 2 contains related work; Section 3 describes our proposed approach; Section 4 describes the results and conclusion.


    II. RELATED WORK

    Traditional security mechanisms such as intrusion detection systems, firewalls and encryption methods are not sufficient to provide security in ad hoc networks. Countering threats to an organization's wireless ad hoc network is an important area of research. Intrusion detection means identifying any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource [3].

    Many techniques have been discussed to prevent attacks in wireless ad hoc networks, as follows. Ricardo Puttini et al. [16] propose the design and development of the IDS in 3 main stages. A parametrical mixture model is used for behavior modeling from reference data. The associated Bayesian classification leads to the detection algorithm [15]. MIB variables are used to provide the information the IDS needs. Experiments with DoS and scanner attacks validating the model are presented as well. João B. D. Cabrera et al. [17] provide a solution for intrusion detection in Mobile Ad-Hoc Networks (MANETs) utilizing ensemble methods. A three-level hierarchical system for data collection, processing and transmission is described.

    Local IDS (intrusion detection systems) are attached to each node of the MANET, collecting raw data of network operation and computing a local anomaly index measuring the mismatch between the current node operation and a baseline of normal operation. The complete suite of algorithms was implemented and tested under two types of MANET routing protocols and two types of attacks against the routing infrastructure. Yongguang Zhang et al. [18] propose new intrusion detection and response mechanisms being developed for wireless ad hoc networks.

    The wireless ad hoc network is particularly vulnerable due to its features of open medium, dynamically changing topology, cooperative algorithms, lack of centralized monitoring and management point, and lack of a clear line of defense. Many of the intrusion detection techniques developed on a fixed wired network are not applicable in this new environment. Farooq et al. [19] propose the signature detection technique and investigate the ability of various routing protocols to facilitate intrusion detection when the attack signatures are completely known. They show that reactive ad hoc routing protocols suffer from a serious problem due to which it might be difficult to detect intrusions even in the absence of mobility. Mobility makes the problem of detecting intruders harder. Vijay Bhuse et al. [10] propose lightweight methods to detect anomaly intrusions in wireless sensor networks (WSNs).

    The main idea is to reuse the already available system information that is generated at various layers of a network stack. This is a different approach to anomaly intrusion detection in WSNs. Hongmei Deng et al. [21] build on the underlying distributed and cooperative nature of wireless ad hoc networks and add one more dimension of cooperation to the intrusion detection process. That is, the anomaly detection is performed in a cooperative way involving the participation of multiple mobile nodes.

    Unlike traditional signature-based misuse detection approaches, the proposed scheme detects various types of intrusions/attacks based on a model learned only from normal network behaviors. Without requiring pre-labeled attack data, the approach eliminates the time-consuming labeling process and the impact of imbalanced datasets. Bo Sun et al. [22] first introduce two different approaches, a Markov chain-based approach and a Hotelling's T² test based approach, to construct local IDSs for MANETs.

    They then demonstrate that nodes' moving speed, a commonly used parameter in tuning IDS performance, is not an effective metric for tuning IDS performance under different mobility models. To solve this problem, the authors further propose an adaptive scheme in which suitable normal profiles and corresponding proper thresholds can be selected adaptively by each local IDS through periodically measuring its local change rate, a proposed unified performance metric. Haiguang Chen et al. [23] propose lightweight anomaly intrusion detection. In the scheme, the authors investigate different key features for WSNs and define some rules for building efficient, accurate and effective Intrusion Detection Systems (IDSs).

    They also propose a moving window function method to gather the current activity data. The scheme fits the demands and restrictions of WSNs and does not need any cooperation among monitor nodes. Simulation results show that the proposed IDSs are efficient and accurate in detecting different kinds of attacks. Gabriela F. Cretu et al. propose the use of model exchange as a device moves between different networks as a means to minimize computation and traffic utilization. Any node should be able to obtain peers' model(s) and evaluate them against its own model of normal behavior. Yu Liu et al. [24] propose a game theoretic framework to analyze the interactions between pairs of attacking/defending nodes using a Bayesian formulation. They study the achievable Nash equilibrium for the attacker/defender game in both static and dynamic scenarios.

    The dynamic Bayesian game is a more realistic model, since it allows the defender to consistently update his belief about his opponent's maliciousness as the game evolves. A new Bayesian hybrid detection approach is suggested for the defender, in which a lightweight monitoring system is used to estimate his opponent's actions and a heavyweight monitoring system acts as a last resort of defense. Many authors have proposed different techniques to prevent attacks in wireless ad hoc networks, but all these methods are reported to have pros and cons of their own.

    The authors mainly classify their mechanisms as signature methods or anomaly methods. In the signature-based method, a threat is always stored in a database. When a new threat is discovered in the wild, a signature for detecting it is created. This mechanism is then able to detect the new threat.

    The anomaly-based method monitors the system and its network behaviors and sets a baseline for the network and system. This mechanism works effectively in wireless networks but generates some false positive results. In this paper, a new attempt has been made and worked out effectively against attacks in wireless networks. This paper incorporates agent and data mining methods to provide a solution to security issues in MANET networks. With the help of home agents and mobile agents, it gathers information from its own system and neighboring systems to identify any attack, and uses data mining techniques to find out which attacks have been made in the network.

    III. OUR APPROACH

    Our approach is entirely based on the anomaly-based method, which has been used to address security problems related to attacks in wireless networks. This paper incorporates new methodology such as mining and agents to provide solutions for wireless networks. The proposal provides three different techniques to provide sufficient security for the current node, neighboring nodes and the global network. The following figure depicts the architecture of the system to prevent attacks in wireless networks. The following section outlines each module's work in detail:

    Figure 1. Proposed system Architecture Outline

    Figure 2. Proposed System Architecture (diagram labels: Home, Classifier, Global Integration, Mobile Agent Gathers Information)


    A. Home Agent

    A home agent is present in each system and gathers information about its system from the application layer to the routing layer. Our proposed system provides a solution through three techniques:

    1. It monitors its own system and its environment dynamically. It uses classifier construction to find out the local anomaly.
    2. Whenever a node wants to transfer information from node F to B, it broadcasts the message to E and A. Before it sends the message, it gathers the neighboring nodes' (E & B) information using a mobile agent. It calls the classifier rule to find out the attacks with the help of test train data.
    3. It provides the same type of solution throughout the global network. This is explained in the following section.

    Current node: The home agent is present in the system and monitors its own system continuously. If an attacker sends any packet to gather information or broadcast through this system, it calls the classifier construction to find out the attacks. If an attack has been made, it will filter the respective system from the global network.

    Neighboring node: When any system in the network transfers information to some other system, it broadcasts through an intermediate system. Before it transfers the message, it sends a mobile agent to the neighboring node to gather all the information; the agent returns to the system, which calls the classifier rule to find out the attacks. If there is no suspicious activity, it forwards the message to the neighboring node.

    Data collection: A data collection module is included for each anomaly detection subsystem to collect the values of features for the corresponding layer in a system. The normal profile is created using the data collected during the normal scenario. Attack data is collected during the attack scenario.

    Data preprocess: The audit data is collected in a file and smoothed so that it can be used for anomaly detection. Data preprocessing is a technique to process the information with the test train data. The above-mentioned preprocessing technique is used in the anomaly detection systems of all layers.

    B. Cross feature analysis for classifier sub-model construction

    1. For each feature or character vector $f_i$ in the training data set, calculate a classifier $C_i$ using $\{f_1, f_2, \ldots, f_{i-1}, f_{i+1}, \ldots, f_k\}$. $C_i$ is learned from the training data set using the Naive Bayesian classification algorithm. The probability $P_i(f_i \mid f_1, f_2, \ldots, f_{i-1}, f_{i+1}, \ldots, f_k)$ is learned.

    2. Compute the average probability for each feature vector $f$, and save it in a probability distribution matrix $M$. A decision threshold $\theta$ is learned from the training data set. The normal profile is created using the threshold value. If the probability is greater than the threshold value it is labeled as normal, otherwise it is labeled as abnormal.

    Anomaly detection
    Input: Preprocessed train data, preprocessed test data
    Output: Percentage of anomaly

    1. Read the processed data set file
    2. Call the Bayesian classifier program for training the classifier for anomaly detection
    3. Read the test data file
    4. Test the classifier model with the test data file
    5. Print the confusion matrix to show the actual class vs. predicted class
    6. Percentage of anomaly is calculated as follows

    rW ge =
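
The cross-feature procedure of section B, sketched as an added example (not code from the paper): one Naive Bayes sub-model per feature, the average probability compared with a learned threshold, then the confusion matrix and the anomaly percentage. The three bucketed features, the sample records, the margin-based threshold rule and the flagged-over-total percentage are assumptions, since the paper does not give them.

```python
from collections import Counter, defaultdict

LEVELS = ("low", "med", "high")  # assumed bucketing of every feature

# Constructed audit records: (route_changes, drop_rate, control_packets).
# In the normal profile the three features move together.
TRAIN_NORMAL = ([("low", "low", "low")] * 12 + [("med", "low", "med")] * 8
                + [("high", "med", "high")] * 6)
# Constructed test records with their actual class, for the confusion matrix.
TEST_RECORDS = [(("low", "low", "low"), "normal"),
                (("med", "low", "med"), "normal"),
                (("high", "med", "high"), "normal"),
                (("low", "high", "low"), "abnormal"),   # heavy drops, quiet routing
                (("low", "high", "high"), "abnormal")]


class SubModel:
    """Naive Bayes classifier C_i that predicts feature i from the others."""

    def __init__(self, rows, i):
        self.i, self.n = i, len(rows)
        self.prior = Counter(r[i] for r in rows)
        self.cond = defaultdict(Counter)  # (j, value of f_i) -> counts of f_j
        for r in rows:
            for j, v in enumerate(r):
                if j != i:
                    self.cond[(j, r[i])][v] += 1

    def prob(self, row):
        """P(f_i = row[i] | remaining features), Laplace-smoothed."""
        k, scores = len(LEVELS), {}
        for c in LEVELS:
            s = (self.prior[c] + 1) / (self.n + k)
            for j, v in enumerate(row):
                if j != self.i:
                    s *= (self.cond[(j, c)][v] + 1) / (self.prior[c] + k)
            scores[c] = s
        return scores[row[self.i]] / sum(scores.values())


def train(rows):
    """Step 1: one sub-model per feature."""
    return [SubModel(rows, i) for i in range(len(rows[0]))]


def average_probability(models, row):
    """Step 2: mean of the per-feature probabilities for one record."""
    return sum(m.prob(row) for m in models) / len(models)


def learn_threshold(models, rows, margin=0.9):
    # Assumption: theta sits just under the weakest normal training record.
    return margin * min(average_probability(models, r) for r in rows)


def classify(models, theta, row):
    return "normal" if average_probability(models, row) > theta else "abnormal"


def evaluate(models, theta, labelled):
    """Confusion matrix (actual, predicted) and percentage flagged abnormal."""
    confusion = Counter((actual, classify(models, theta, row))
                        for row, actual in labelled)
    flagged = sum(n for (_, pred), n in confusion.items() if pred == "abnormal")
    return confusion, 100.0 * flagged / len(labelled)


if __name__ == "__main__":
    models = train(TRAIN_NORMAL)
    theta = learn_threshold(models, TRAIN_NORMAL)
    confusion, pct = evaluate(models, theta, TEST_RECORDS)
    print(f"theta={theta:.3f} anomaly={pct:.1f}%")
    for (actual, predicted), n in sorted(confusion.items()):
        print(f"actual={actual:8} predicted={predicted:8} count={n}")
```

The record with heavy drops but a quiet routing layer is caught mainly by the drop-rate sub-model, whose probability collapses while the other two stay high; averaging across sub-models is what lets one inconsistent feature pull the score under the threshold.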

    Local integration: The local integration module concentrates on its own system and finds out the local anomaly attacks. Each and every system in the wireless network follows the same methodology to provide a secure global network.

    Global integration: The global integration module is used to find the intrusion result for the entire network. The aim of global integration is to consider the neighbor node(s)' result in taking a decision for the response module.

    IV. EXPERIMENTAL RESULTS

    A number of attacks have been tested to prevent attacks in the wireless network. This system not only blocks application-oriented issues but also stops some network security issues. A limited number of attacks were considered and tested with the proposed system to find the attacks, with encouraging results. The following parameters were taken to analyze the efficiency of the proposed system.

    TABLE I. INPUT PARAMETER CONSIDERATION

    Parameters               Value
    Number of nodes          30
    Terrain range            2000 X 2000 Meters
    Routing layer protocol   DSR
    Mobility model           Random way point

    This system was tested with a limited number of the attacks present in wireless networks. It shows encouraging results that support the proposed system. The anomaly detection rate of our proposed system is high, which is encouraging.

    TABLE II. DETECTION RATE OF THE PROPOSED SYSTEM

    Detection Module         Detection Rate
    Anomaly Detection A)     80%
    Local Integration D      95.41%
    Global Integration (E    94.33%


    This system acts as an intrusion prevention system to detect and prevent attacks. The drawback of existing intrusion prevention systems is that they can generate more false alarms, though they may work efficiently. This system is able to stop the attacks without generating false alarms, and it works effectively against web parameter attacks. A limited number of accesses were considered and tested with the proposed system to find the alarm rates.

    TABLE III. ALARM RATE OF THE PROPOSED SYSTEM

    Detection Module         False positive
    Anomaly Detection        1.0%
    Local Integration (D)    0.8%
    Global Integration       0.75%

    V. CONCLUSION

    In this work, an anomaly detection system comprising detection modules for detecting anomalies in each layer is presented. This system is cooperative and distributive; it considers the anomaly detection result from the neighbor node(s) and sends the current working node's result to its neighbor node(s). Experimental results show that the detection rate is increased when compared to the other mechanisms. The false positive rate is also reduced in this mechanism. Traditional security mechanisms such as IDS and firewalls have not been sufficient to provide security for wireless networks; however, this mechanism is able to block abnormal approaches to wireless networks and to detect previously known attacks as well as variations of known attacks.

    REFERENCES

    [1] Y. Zhang and W. Lee, "Intrusion Detection in Wireless Ad Hoc Networks", 6th Int'l. Conf. Mobile Comp. and Net., Aug. 2000, pp. 275-83.

    [2] Y. Zhang, W. Lee, and Y. A. Huang, "Intrusion Detection Techniques for Mobile Wireless Networks", ACM J. Wireless Net., vol. 9, no. 5, Sept. 2003, pp. 545-56.

    [3] Amitabh Mishra, Ketan Nadkarni, and Animesh Patcha, Virginia Tech, "Intrusion Detection in Wireless Ad Hoc Networks", IEEE Wireless Communications, February 2004, pp. 48-60.

    [4] Y. Huang, W. Fan, W. Lee, and P. S. Yu, "Cross-Feature Analysis for Detecting Ad-Hoc Routing Anomalies", Proceedings of the 23rd IEEE International Conference on Distributed Computing Systems, 2003, pp. 478-487.

    [5] Yu Liu, Yang Li and Hong Man, "MAC Layer Anomaly Detection in Ad Hoc Networks", Proceedings of the 6th IEEE Information Assurance Workshop, June 17, 2005, pp. 402-409.

    [6] B. Sun, K. Wu, and U. Pooch, "Routing Anomaly Detection in Mobile Ad Hoc Networks", Proceedings of the 12th IEEE Int'l Conf. on Computer Communications and Networks (ICCCN'03), Dallas, TX, Oct. 2003, pp. 25-31.

    [7] Abolfazl Esfandi, Ali Movaghar Rahimabadi, "Mobile Agent Security in Multi agent Environments Using a Multi agent-Multi key Approach", in Proc. 2nd IEEE International Conference on Computer Science and Information Technology, Vol. 4, August 2009, pp. 438-442.

    [8] Yi-an Huang, Wenke Lee, "A Cooperative Intrusion Detection System for Ad hoc Networks", Proceedings of the 1st ACM Workshop on Security of Ad hoc and Sensor Networks, 2003, pp. 135-147.

    [9] S. Jha, K. Tan, and R. Maxion, "Markov chains, classifiers, and intrusion detection", Proceedings of 14th IEEE Computer Security Foundations Workshop, 2001, pp. 206-219.

    [10] Baolin Sun, Hua Chen, Layun Li, "An Intrusion Detection System for AODV", Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS '05), 2005, pp. 358-365.

    [11] Ioanna Stamouli, Patroklos G. Argyroudis, Hitesh Tewari, "Real-time Intrusion Detection for Ad Hoc Networks", Proceedings of the 6th IEEE International Symposium on a World of Wireless Mobile and Multimedia Networks, 2005, pp. 374-380.

    [12] A. A. Cardenas, S. Radosavac, J. S. Baras, "Detection and Prevention of MAC Layer Misbehavior in Ad Hoc Networks", Proceedings of the 2nd ACM workshop on Security of Ad hoc Networks and Sensor Networks, 2004, pp. 17-22.

    [13] Daniel C. Nash, Thomas L. Martin, Dong S. Ha, and Michael S. Hsiao, "Towards an Intrusion Detection System for Battery Exhaustion Attacks on Mobile Computing Devices", IEEE Int'l Conf. on Pervasive Computing and Communications Workshops, 2005, pp. 141-145.

    [14] T. Martin, M. Hsiao, D. Ha, and J. Krishnaswami, "Denial of Service Attacks on Battery-powered Mobile Computers", Second IEEE International Conference on Pervasive Computing and Communications, March 2004, pp. 309-318.

    [15] Hang Yu Yang, Li-Xia Xie, "Agent based Intrusion Detection for a Wireless Local Area Network", Proceedings of the IEEE third International Conference on Machine Learning and Cybernetics, 2004, pp. 2640-2643.

    [16] Ricardo Puttini, Maíra Hanashiro, Javier García-Villalba, C. J. Barenco, "On the Anomaly Intrusion-Detection in Mobile Ad Hoc Network Environments", Personal Wireless Communications, Volume 4217/2006, Springerlink, September 30, 2006.

    [17] João B. D. Cabrera, Carlos Gutiérrez, Raman K. Mehra, "Ensemble methods for anomaly detection and distributed intrusion detection in Mobile Ad-Hoc Networks", Volume 9, Issue 1 (January 2008), Pages 96-119, Elsevier Science Publishers, 2008.

    [18] Yongguang Zhang, Wenke Lee, "Intrusion detection in wireless ad hoc networks", Pages: 275 - 283, Year of Publication: 2000, ISBN: 1-58113-197-6, ACM, 2000.

    [19] Farooq Anjum, Dhanant Subhadrabandhu and Saswati Sarkar, "Signature based Intrusion Detection for Wireless Ad-Hoc Networks: A comparative study of various routing protocols", Seas, 2008.

    [20] Vijay Bhuse, Ajay Gupta, "Anomaly intrusion detection in wireless sensor networks", Special issue on trusted internet workshop (TIW) 2004, Journal of High Speed Networks, Volume 15, Issue 1 (January 2006), ACM, 2006.

    [21] Hongmei Deng; Xu, R.; Li, J.; Zhang, F.; Levy, R.; Wenke Lee, "Agent-based cooperative anomaly detection for wireless ad hoc networks", Parallel and Distributed Systems, Volume I, Issue , 0-0 0 Page(s):8, 2008.

    [22] Bo Sun, Kui Wu, Yang Xiao, Ruhai Wang, "Integration of mobility and intrusion detection for wireless ad hoc networks", 2006.

    [23] Haiguang Chen, Peng Han, Xi Zhou, Chuanshan Gao, "Lightweight Anomaly Intrusion Detection in Wireless Sensor Networks", Intelligence and Security Informatics, Springerlink, 2007.

    [24] Yu Liu, Cristina Comaniciu, Hong Man, "A Bayesian Game Approach for Intrusion Detection in Wireless Ad Hoc Networks", ACM 159593507X, 2006.
