
Intrusion detection and response systems for mobile ad hoc networks

Posted on: 2007-06-02
Degree: Ph.D
Type: Dissertation
University: Georgia Institute of Technology
Candidate: Huang, Yi-an
Full Text: PDF
GTID: 1458390005986772
Subject: Computer Science
Abstract/Summary:
A mobile ad hoc network (MANET) consists of a group of autonomous mobile nodes with no infrastructure support. The MANET environment is particularly vulnerable due to its dynamic topology, less powerful mobile devices and distributed environment. Unfortunately, many existing protection and defense mechanisms designed for wired networks cannot be applied in this new environment without modifications. In this research, we develop a distributed intrusion detection and response system for MANET-specific attacks, and we believe it presents a second line of defense that cannot be replaced by prevention schemes, especially in common MANET scenarios where attacks can easily be launched by insiders or compromised nodes.

In our distributed framework, Intrusion Detection System (IDS) agents are deployed independently on individual mobile hosts. This is desirable because there is no single traffic concentration point where a centralized IDS server could be deployed. In addition, collaboration among IDS agents can optionally be enabled for a more effective detection model.

The foundation of our detection infrastructure is a systematic attack analysis in the MANET environment, carried out as an attack taxonomy study. Based on this study, we propose a set of misuse and anomaly detection methods that are suitable for detecting different categories of attacks and can handle both known and new attacks effectively. Our approaches are based on routing protocol specifications with both categorical and statistical measures. They are collectively known as node-based approaches because the only input to these approaches is the local data collected by each node itself.

Node-based approaches are the most secure, but they may be too restrictive in scenarios where attack or malicious patterns cannot be observed by any isolated node. To address this problem, we have developed cooperative detection approaches to enable collaboration among multiple IDS agents. One approach is to form IDS clusters by grouping nearby nodes, so that information can be exchanged within clusters. The cluster-based scheme can result in a lower false positive rate and also provides better efficiency in terms of power consumption and resource utilization compared with node-based approaches. As we have learned, security is a major issue in any distributed network without a centralized authority. Our clustering protocol can be proved resilient against common security compromises without changing the decentralized assumption.

Intrusion detection will not be very useful unless proper response actions can be taken subsequently. In this research, we further address two important response techniques, traceback and filtering. Traceback schemes are useful for identifying the source of a spoofing attack. Existing traceback systems are not suitable for MANET because they rely on incompatible assumptions such as trustworthy routers and a static route topology. Instead, we propose a different solution, which we call hotspot-based traceback, that does not rely on these assumptions. Our solution is resilient in the face of an arbitrary number of collaborating adversaries. We also develop smart filtering schemes in which filters are deployed on selected routers so as to maximize the dropping rate of attack packets while minimizing the dropping rate of normal packets.

To validate our research, we present case studies using both ns-2 simulation and the MobiEmu emulation platform with three major ad hoc routing protocols: AODV, DSR and OLSR. We implemented various representative attacks based on the attack taxonomy. Our experiments show very promising results in detecting attacks in most attack categories using node-based and cluster-based approaches.
Keywords/Search Tags: Ad hoc, Mobile, Intrusion detection, MANET, Approaches, Attack, Response, IDS