Research On Methods Of Routing Intrusion Detection In Ad Hoc Networks

Posted on: 2008-07-28
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J H Song
GTID: 1118360272966841
Subject: Computer software and theory

Abstract/Summary:

An Ad Hoc network is a collection of wireless nodes forming a network without using any existing infrastructure. Applications where such networks can be deployed include military, emergency, and search and rescue operations. Unlike other networks, a wireless Ad Hoc network raises new problems in routing, node cooperation and security because of its open medium, multi-hop operation, cooperative algorithms, lack of a centralized monitoring and management point, and lack of a clear line of defense. Research on routing security is one of the key issues in developing wireless Ad Hoc networks. Examples of attacks include passive eavesdropping over the wireless channel, denial of service attacks by malicious nodes, and attacks from compromised nodes. While cryptographic mechanisms and authentication techniques protect wireless Ad Hoc networks against some types of attacks from external nodes, they still cannot protect against malicious inside nodes that already hold the required cryptographic keys. Therefore, detection and reaction techniques should also be deployed to counter threats against wireless Ad Hoc networks.

Based on current research on routing security and intrusion detection for wireless Ad Hoc networks, this dissertation focuses on how to detect routing misbehavior against wireless Ad Hoc networks, how to exclude malicious nodes from them, and how to defend against some special routing attacks. The main contributions are as follows.

A cooperative routing intrusion detection system (CRIDS) is proposed to protect the routing security of mobile Ad Hoc networks. Since a node of a wireless Ad Hoc network typically has limited battery power and resources, the monitors of an intrusion detection system can only be placed at some key points instead of at every node. Each monitoring node is responsible for detecting signs of intrusion in its neighborhood, and neighboring monitoring nodes can collaboratively investigate across the entire network. In CRIDS, a distributed algorithm based on the concept of a min max-weighted connected dominating set is proposed for selecting the monitoring nodes. The scheme aims to minimize the cost of network monitoring, and it can protect routing security even when some of the selected monitoring nodes are attacked. Moreover, an adaptive locally cooperative intrusion detection scheme is proposed for the routing of mobile Ad Hoc networks. To reduce the extra communication overhead among collaborating nodes, the detection structure focuses mainly on local detection and is supplemented with distributed collaboration. That is, the selected monitoring nodes perform local routing intrusion detection, and neighboring collaboration is needed only when local evidence cannot reach a conclusion. The efficiency of local detection is therefore one of the key issues of the whole detection system. A single detection method or technique cannot detect the routing attacks against mobile Ad Hoc networks because of their dynamic character, so a cooperative scheme is needed. An adaptive cooperative intrusion detection scheme that combines FSM-based specification detection and SVM-based anomaly detection is proposed to improve the precision of local detection and reduce the communication overhead.

In a mobile Ad Hoc network, the security of routing forwarding is one of the key issues of routing security, because communication between the source and the destination node may depend on forwarding by intermediate nodes. A comprehensive reputation-based system against routing abnormal forwarding (CRSRAF) is proposed for mobile Ad Hoc networks. It combines detection mechanisms and reputation mechanisms to detect selfish or malicious packet-dropping nodes and exclude them from the network. In a mobile Ad Hoc network, when a node's forwarding misbehavior is detected, it is not easy to judge whether it was caused by node mobility and network faults or by an attacker. Excluding the misbehaving node from the network directly would then be a misjudgment. The proposed scheme uses a reputation-based mechanism: each node monitors the routing forwarding of its neighboring nodes and makes a comprehensive judgment from its own observations and those of neighboring nodes. Compared with other methods, the proposed scheme can reduce the false positive rate.

An adaptive traffic control system (ATCS) is proposed to defend against a special kind of routing DoS attack caused by RREQ flooding from malicious inside nodes. Fake routing request (RREQ) flooding is a typical flooding attack that is easy to launch against the on-demand routing protocols of mobile Ad Hoc networks. Attackers initiate many more RREQ control packets than normal nodes in order to consume network resources, so that a non-malicious node cannot fairly serve other nodes because of the network load imposed by the fake RREQs. This leads not only to the exhaustion of network resources such as memory (routing table entries), but also to wasted bandwidth and wasted node processing time. Secure routing protocol designs cannot handle this type of attack from an inside node, since the malicious node is not forging any information. ATCS can protect mobile Ad Hoc networks from this specific kind of DoS attack by automatically controlling the spreading of RREQ packets. It restricts the spreading of malicious RREQ packets while protecting the spreading of normal RREQ traffic initiated by legitimate nodes.

An anomaly detection system based on unsupervised clustering (ADBUC) is used for routing anomaly detection in wireless Ad Hoc sensor networks. Nodes in a wireless Ad Hoc sensor network have a limited power supply, which makes communication much more expensive than local storage and computation. Watchdog-like mechanisms that monitor the routing activities of neighboring nodes are therefore unsuitable, and cooperative detection among nodes is also difficult. Each IDS node must therefore rely solely on information extracted from the node's own routing table and from the traffic packets passing through the node. The detection rate can be improved by using machine learning methods. Supervised detection is not suitable, since it is difficult to collect or label training data for an intrusion detection system in a wireless sensor network. An anomaly detection system based on unsupervised clustering is therefore proposed to detect routing attacks in wireless sensor networks. It works with unlabeled training data sets. Moreover, it can detect attacks that have not previously been seen, and it requires no a priori knowledge.
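
The idea behind the RREQ-flooding defence in the ATCS paragraph above (limit an inside node that originates far more RREQs than its peers, without throttling normal route discovery) can be sketched as follows. This is an added example, not the dissertation's ATCS algorithm: the class, its parameters, the median-based threshold and the trace are assumptions, and the ceiling of 10 per second is taken from AODV's default RREQ_RATELIMIT.

```python
from collections import defaultdict, deque
from statistics import median

class RreqFilter:
    """Hypothetical per-originator RREQ limiter run by a forwarding node."""

    def __init__(self, window_ms=1000, floor=3, k=3, cap=10):
        self.window_ms = window_ms  # sliding window length
        self.floor = floor          # RREQs per window always allowed
        self.k = k                  # allowed multiple of the peer median
        self.cap = cap              # hard ceiling (AODV default RREQ_RATELIMIT: 10/s)
        self.seen = defaultdict(deque)  # originator -> RREQ timestamps in window

    def _expire(self, now):
        for orig in list(self.seen):
            q = self.seen[orig]
            while q and now - q[0] > self.window_ms:
                q.popleft()
            if not q:
                del self.seen[orig]

    def threshold_for(self, originator):
        # Use only the *other* originators' counts, so a flooder cannot
        # raise its own limit by sending more.
        peers = [len(q) for o, q in self.seen.items() if o != originator]
        base = median(peers) if peers else 0
        return min(self.cap, max(self.floor, self.k * base))

    def accept(self, now, originator):
        """Record one RREQ; return True if it should be rebroadcast."""
        self._expire(now)
        self.seen[originator].append(now)
        return len(self.seen[originator]) <= self.threshold_for(originator)

# Constructed trace (time in ms, originator): A, B, C are normal nodes,
# M originates an RREQ every 25 ms.
CONSTRUCTED_TRACE = sorted(
    [(t, "M") for t in range(0, 1000, 25)]
    + [(110, "A"), (610, "A"), (210, "B"), (710, "B"), (310, "C"), (810, "C")]
)

def run_trace(trace):
    """Return {originator: (forwarded, dropped)} for a list of (ms, originator)."""
    f, stats = RreqFilter(), defaultdict(lambda: [0, 0])
    for now, orig in trace:
        stats[orig][0 if f.accept(now, orig) else 1] += 1
    return {o: tuple(c) for o, c in stats.items()}

if __name__ == "__main__":
    print(run_trace(CONSTRUCTED_TRACE))
```

Dropped RREQs still count toward the originator's window, so a node stays limited for as long as it keeps flooding.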

Keywords/Search Tags: Ad Hoc networks, routing security, cooperative intrusion detection, comprehensive reputation, RREQ flooding attack, clustering