
ANOMALY DETECTION IN MANET

NOVEMBER 2011



A seminar report submitted in partial fulfillment of the degree of:

MASTER OF TECHNOLOGY IN WIRELESS NETWORKS AND APPLICATIONS


Submitted by: ANU T A, DEEPA MARIA, DIVYA M KAIMAL, RAGI G R, SRUTHY ANAND

AMRITA CENTER FOR WIRELESS NETWORKS & APPLICATIONS AMRITA VISHWA VIDYAPEETHAM (AMRITA UNIVERSITY) (Estd. U/S 3 of the UGC Act 1956) Amritapuri Campus Kollam -690525

November 2011


AMRITA CENTER FOR WIRELESS NETWORKS & APPLICATIONS AMRITA VISHWA VIDYAPEETHAM UNIVERSITY (Estd. U/S 3 of the UGC Act 1956) AMRITAPURI

BONAFIDE CERTIFICATE
This is to certify that the project report entitled ANOMALY DETECTION IN MANET has been submitted by Anu T A (P2WNA10003), Deepa Maria (P2WNA10007), Divya M Kaimal (P2WNA10008), Ragi G R (P2WNA10014) and Sruthy Anand (P2WNA10020), in partial fulfillment of the degree of Master of Technology in Amrita Center for Wireless Networks & Applications, Amrita Vishwa Vidyapeetham (AMRITA University), and is a bona fide record of the work carried out by them at Amrita School of Engineering, Amritapuri, during Semester 3 of the academic year 2011-2012.

Teaching Assistant Ms Rekha Manoj

Faculty in Charge Dr. Radhika N

Place: Amritapuri Date: 22/11/2011


ACKNOWLEDGEMENT
We owe our heartfelt gratitude to God Almighty for all the blessings he has showered on us during the endeavor. We take this opportunity to express our sincere gratitude to all the people who have been instrumental in bringing this work to its correct form. We also thank and express our sincere gratitude to Sri Mata Amritanandamayi Devi, The Chancellor, Amrita University. We would like to express sincere gratitude to our HOD Dr. Maneesha V Ramesh, Head of Amrita Centre of Wireless Networks and Applications, for her precious guidance for the successful completion of the project. We are highly grateful to Dr. Radhika N for her instructions, unbounded support and cooperation for the successful completion of this project. We are very much thankful to our teaching faculty Mrs. Rekha Manoj for her timely help and encouragement. Last but not least, we also thank our friends, classmates and family for providing us strength and endurance.


ABSTRACT
In this project, we have simulated the wormhole attack, a powerful attack that can have serious consequences on many proposed ad hoc network routing protocols. Wormhole refers to an attack on MANET routing protocols in which colluding nodes create an illusion that two remote regions of a MANET are directly connected through nodes that appear to be neighbors but are actually distant from one another. Based on results collected from a QualNet simulation, we evaluate the likelihood of such an attack.

A mobile ad hoc network (MANET) is a self-configuring, infrastructure-less network of mobile devices connected by wireless links. Each device in a MANET is free to move independently in any direction, and will therefore change its links to other devices frequently. Each must forward traffic unrelated to its own use, and therefore be a router. The primary challenge in building a MANET is equipping each device to continuously maintain the information required to properly route traffic. Such networks may operate by themselves or may be connected to the larger Internet. MANETs are a kind of wireless ad hoc network that usually has a routable networking environment on top of a link-layer ad hoc network.


CONTENTS

Coverpage
Certificate
Acknowledgement
Abstract
Introduction
Wormhole parameters
Simulation Setup
Wormhole Scenario
Conclusion
References


CHAPTER 1 Introduction
Wireless Sensor Networks (WSNs) are rapidly emerging as a new field of research. WSNs are built with a large number of tiny and inexpensive sensor nodes that are equipped with low-bandwidth radios. In a Mobile Ad Hoc Network (MANET), each node serves as a router for other nodes, which allows data to travel over multi-hop network paths without relying on wired infrastructure. Unlike wired networks where the physical wires prevent an attacker from compromising the security challenges especially for military applications, emergency rescue operations, and short-lived conference or classroom activities. Security of such networks is a major concern [3]. The open nature of the wireless medium makes it easy for outsiders to listen to network traffic or interfere with it. These factors make sensor networks potentially vulnerable to several different types of malicious attacks. Malicious nodes can carry out both passive and active attacks against the network. In passive attacks a malicious node only eavesdrops on packet contents, while in active attacks it may imitate, drop or modify legitimate packets [1].

A typical example of a particularly devastating active attack is the wormhole attack, in which a malicious node captures packets from one location in the network and tunnels them to another malicious node at a distant point, which replays them locally. The wormhole attack can affect network routing, data aggregation and clustering protocols, and location-based wireless security systems. Finally, the wormhole attack can be launched even without having access to any cryptographic keys or compromising any legitimate node in the network.

Fig.1. A network under a wormhole attack.


1.1 Significance of Wormhole Attack And Background


A wormhole attack is a particularly severe attack on MANET routing in which two attackers are connected by a high-speed off-channel link called the wormhole link. The wormhole link can be established by using a network cable and any form of wired link technology, or a long-range wireless transmission in a different band. The end points of this link (the wormhole nodes) are equipped with radio transceivers compatible with the ad hoc or sensor network to be attacked. Once the wormhole link is established, the adversaries record the wireless data they overhear, forward it to each other, and replay the packets through the wormhole link at the other end of the network. By replaying valid network messages at improper places, wormhole attackers can make far-apart nodes believe they are immediate neighbors, and force all communications between affected nodes to go through them.

Compared to jamming, a wormhole attack is more covert in nature and harder to detect. The term wormhole refers to an adversary carrying information and traveling faster than anyone else; the adversary is thus capable of launching unusual timing attacks. While physical wormholes do not exist, communication wormholes do, because adversaries can forward packets faster than regular nodes, which incur a queuing delay, transmission delay, and MAC contention delay.

Transparent Mode as external adversary: Wormhole devices are not regular network members. However, to make the wormhole attack work, the adversary must be able to intercept legitimate wireless messages (assuming the wormhole attackers can thwart low-probability-interception mechanisms). Messages are covertly intercepted at one location and replayed at other locations, while regular network members do not know of the existence of the wormhole devices. In other words, the existence of the wormhole devices is transparent to regular network nodes. A corresponding implementation uses layer-1 devices in the victim network and layer-2 devices in the attacking network to implement the wormhole devices.

Participant Mode as internal adversary: Wormhole devices are regular network members. They are compromised nodes with legitimate network addresses such as IP addresses and MAC addresses. A corresponding implementation uses layer-3 devices to implement the wormhole devices. Because wormholes working in the transparent mode already significantly thwart the victim network's routing functions, the participant mode is currently not implemented due to implementation redundancy.

A wormhole attacker tunnels messages received in one location in the network over a low-latency, high-bandwidth link and replays them in a different location. This typically requires at least two adversarial devices colluding to relay packets along a fast channel available only to the attackers, so that it can disrupt multi-hop ad hoc routing. In the presence of wormholes, the attacking nodes can selectively let routing control messages get through. The wormhole link then has a higher probability of being chosen as part of multi-hop routes due to its excellent packet delivery capability. Once the attacking nodes know that they are en route, they can launch a black hole attack to drop all data packets, or a gray hole attack to selectively drop some critical packets.

In practice, single-hop wormholes (i.e., wormholes with both ends in the one-hop transmission range of the victim network) are typically ineffective, because such wormholes cannot gain any timing advantage for reasons of physics. The recommended physical length of a wormhole link is between 1.2R and 2R, where R is the nominal one-hop transmission range of the victim network. Such a wormhole link can gain a significant timing advantage over a multi-hop forwarding path in the victim network. Moreover, the victim network's turnaround time at the physical layer and the link layer must be properly estimated. QualNet provides two configuration parameters, wormhole-victimcount-turnaround-time and wormhole-victim-turnaround-time, for the user to specify such delay. In the IEEE 802.11 standard, this turnaround time includes all delays between the time an 802.11 receiver receives RF signals and the time the same 802.11 device finishes transmitting the corresponding response.
Typically, the turnaround time includes RxRFDelay (receiving radio signals and analog-digital conversion), RxPHYDelay (decoding, de-interleaving, descrambling), MAC processing delay, TxPHYDelay (scrambling, interleaving, encoding) and TxRFDelay (digital-analog conversion and transmitting radio signals).

1.2 Features and Assumptions


Implemented Features
- (Multi-end) Wormhole network protocols, including:
  - wormhole tunneling MAC as a contending bus
  - wormhole replaying MAC in an aggressive CSMA
  - queuing delays, transmission delays, propagation delays
  - prevention of infinite tunneling (i.e., do not tunnel wormhole-replayed packets, which have already been tunneled at least once)

Omitted Features
- Tunneling MAC in other forms
- Replay MAC in other forms
- Traffic analysis

Assumptions and Limitations
- Wormhole nodes can monitor victim nodes' RF signals and intercept victim's packets.


CHAPTER 2 Wormhole Parameters

Table 1 lists the Wormhole parameters specified in the scenario.


CHAPTER 3 Simulation Setup

3.1 Setting Scenario And FTP Properties

The simulations are designed in the QualNet simulation platform. The network size (terrain setting) is set to 1500*1500 meters, and in the FTP General properties the packet size is set to 512.


3.2 Configuring Wormhole Parameters


To configure the Wormhole parameters, perform the following steps:

1. Go to one of the following locations:
- To set properties at subnet level, go to the Wireless Subnet Properties Editor > MAC Layer.
- To set properties at interface level, go to one of the following locations:
  - Interface Properties Editor > Interfaces > Interface # > MAC Layer, or
  - Default Device Properties Editor > Interfaces > Interface # > MAC Layer.

In this section, we show how to configure the general Wormhole parameters in the Wireless Subnet Properties editor. Parameters can be set in the other properties editors in a similar way.

2. Set MAC Protocol to Wormhole and set the dependent parameters listed in Table 2.


Setting Parameters
- To enable the THRESHOLD mode, set Wormhole Operation Mode to Threshold.
- To enable the ALLPASS mode, set Wormhole Operation Mode to All Pass.
- To enable the ALLDROP mode, set Wormhole Operation Mode to All Drop.

3. If Wormhole Operation Mode is set to Threshold,

3.3 Statistics and Output


Table lists the statistics collected for the Wormhole that are output to the statistics (.stat) file at the end of simulation.


CHAPTER 4 Wormhole Sample Scenario


4.1 Scenario Description

In the sample scenario shown in the figure, nodes 1 and 3 are connected to a wireless subnet. Nodes 5 and 6 are connected through another wireless subnet. Nodes 2 and 4 are wormhole nodes connected to a subnet. Wormhole is enabled on the subnet.

4.1.1 Wormhole All Drop

PURPOSE: To test the case when the wormhole drops ALL packets, including both control packets and data packets.
SCENARIO: Totally 6 nodes in the scenario. Nodes 2 and 4 are wormhole terminals in the adversarial wireless subnet.


For wormhole nodes 2 and 4, the parameters observed are given below:

Parameter                     Node 2    Node 4
Frames intercepted all        442       404
Frames dropped by wormhole    283       305
Frames tunneled               283       305
Frames replayed               0         0
Frames dropped by queue       0         0

Table 1: Different parameters observed for Wormhole All Drop

4.1.2 Wormhole All Pass
PURPOSE: To test the case when the wormhole passes ALL packets, including both control packets and data packets.
SCENARIO: Totally 6 nodes in the scenario. Nodes 2 and 4 are wormhole terminals in the adversarial wireless subnet.

[Figure: Wormhole All Pass]


For wormhole nodes 2 and 4, the parameters observed are given below:

Parameter                     Node 2    Node 4
Frames intercepted all        1833      1811
Frames dropped by wormhole    0         0
Frames tunneled               1125      1122
Frames replayed               1122      1125
Frames dropped by queue       0         0

Table 2: Different parameters observed for Wormhole All Pass


4.1.3 Wormhole Propagation Delays

PURPOSE: To test the impact of (a longer) propagation delay on the wormhole link.
SCENARIO: Totally 6 nodes in the scenario. Nodes 2 and 4 are wormhole terminals in the adversarial wireless subnet.

[Figure: Wormhole Propagation Delays]


For wormhole nodes 2 and 4, the parameters observed are given below:

Parameter                     Node 2    Node 4
Frames intercepted all        3521      2531
Frames dropped by wormhole    739       0
Frames tunneled               3504      2531
Frames replayed               2522      2756
Frames dropped by queue       0         0

Table 3: Different parameters observed for Wormhole propagation delays

4.1.4 Wormhole Replay

PURPOSE: To test the wormhole replay function with all packets going through the wormhole link.
SCENARIO: Totally 6 nodes in the scenario. Nodes 2 and 4 are wormhole terminals in the adversarial wireless subnet.

[Figure: Wormhole Replay]


For wormhole nodes 2 and 4, the parameters observed are given below:

Parameter                     Node 2    Node 4
Frames intercepted all        150       120
Frames dropped by wormhole    0         0
Frames tunneled               150       120
Frames replayed               120       150
Frames dropped by queue       0         0

Table 4: Different parameters observed for Wormhole propagation delays

4.1.5 Wormhole Threshold
PURPOSE: To test the wormhole tunneling function with a user-defined threshold value (72 bytes in this case).
SCENARIO: Totally 6 nodes in the scenario. Nodes 2 and 4 are wormhole terminals in the adversarial wireless subnet.

[Figure: Wormhole Threshold]


For wormhole nodes 2 and 4, the parameters observed are given below:

Parameter                     Node 2    Node 4
Frames intercepted all        111       15
Frames dropped by wormhole    12        0
Frames tunneled               39        15
Frames replayed               15        27
Frames dropped by queue       0         0

Table 5: Different parameters observed for Wormhole threshold

4.1.6 Wormhole Tunnelling

PURPOSE: To test the wormhole tunneling function with all packets tunneled through the wormhole link.
SCENARIO: Totally 6 nodes in the scenario. Nodes 2 and 4 are wormhole terminals in the adversarial wireless subnet.

[Figure: Wormhole Tunnelling]


For wormhole nodes 2 and 4, the parameters observed are given below:

Parameter                     Node 2    Node 4
Frames intercepted all        150       120
Frames dropped by wormhole    0         0
Frames tunneled               150       120
Frames replayed               120       150
Frames dropped by queue       0         0

Table 6: Different parameters observed for Wormhole Tunneling
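
The following is an added example, not part of the original report or of QualNet: it parses the per-node rows reported in the six scenario tables above and cross-checks the two wormhole ends against each other. It assumes, as the reported numbers suggest but the report does not state, that frames dropped by the wormhole are also counted as tunneled, so the peer should replay (tunneled - dropped) frames; the function and field names are hypothetical.

```python
import re
from collections import namedtuple

# Field order follows the column order of the report's tables.
Counters = namedtuple("Counters",
                      "intercepted dropped tunneled replayed queue_dropped")

# Rows copied from the six scenario tables of the report.
REPORT_ROWS = {
    "All Drop": "Node 2 442 283 283 0 0\nNode 4 404 305 305 0 0",
    "All Pass": "Node 2 1833 0 1125 1122 0\nNode 4 1811 0 1122 1125 0",
    "Propagation Delays": "Node 2 3521 739 3504 2522 0\nNode 4\n2531 0 2531 2756 0",
    "Replay": "Node 2 150 0 150 120 0\nNode 4 120 0 120 150 0",
    "Threshold": "Node 2 111 12 39 15 0\nNode 4 15 0 15 27 0",
    "Tunnelling": "Node 2 150 0 150 120 0\nNode 4 120 0 120 150 0",
}

ROW_RE = re.compile(r"Node\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")

def parse_rows(text):
    """Parse 'Node N a b c d e' rows; a row split over two lines still matches."""
    return {int(m.group(1)): Counters(*map(int, m.groups()[1:]))
            for m in ROW_RE.finditer(text)}

def analyse(rows, a=2, b=4):
    """Per direction: drop ratio, frames forwarded, frames the peer never replayed."""
    result = {}
    for src, dst in ((a, b), (b, a)):
        s, d = rows[src], rows[dst]
        # Assumption: dropped frames are included in the 'tunneled' counter.
        forwarded = s.tunneled - s.dropped
        result[(src, dst)] = {
            "drop_ratio": round(s.dropped / s.intercepted, 3),
            "forwarded": forwarded,
            "unaccounted": forwarded - d.replayed,
        }
    return result

def report():
    """Run the cross-check for every scenario in REPORT_ROWS."""
    return {name: analyse(parse_rows(text)) for name, text in REPORT_ROWS.items()}

if __name__ == "__main__":
    for name, res in report().items():
        for (src, dst), r in res.items():
            print(f"{name:20s} {src}->{dst} drop_ratio={r['drop_ratio']:.3f} "
                  f"forwarded={r['forwarded']:5d} unaccounted={r['unaccounted']}")
```

Under that assumption every scenario balances exactly except Wormhole Propagation Delays, where 9 frames per direction are tunneled but not replayed by the peer.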


CHAPTER 5 Conclusion
In this project we have studied the wormhole attack, which is a powerful attack that can have serious consequences on many proposed ad hoc network routing protocols. In this work we simulated the wormhole attack under various scenarios using QualNet and studied the performance of the ad hoc network in terms of different parameters.


REFERENCES
[1] Yih-Chun Hu, Adrian Perrig and David B. Johnson, Wormhole Attacks in Wireless Networks.
[2] Khin Sandar Win, Pathein Gyi, Analysis of Detecting Wormhole Attack in Wireless Networks.
[3] QualNet-5.0.2-UsersGuide.pdf
[4] T.V.P. Sundararajan, Dr. A. Shanmugam, Behavior Based Anomaly Detection Technique to Mitigate the Routing Misbehavior in MANET.
[5] N. Song, L. Qian, X. Li, Wormhole Attack Detection in Wireless Ad Hoc Networks: a Statistical Analysis Approach, Parallel and Distributed Processing
