
ASSIGNMENT

INTRUSION DETECTION AND PREVENTION IN MANET


INTRODUCTION
In the last decade, mobile ad hoc networks (MANETs) have emerged as a major
next-generation wireless networking technology. A MANET is a mobile, multi-hop
wireless network that operates autonomously: a collection of wireless mobile nodes
that forms a temporary network without any pre-existing infrastructure. MANETs are
vulnerable to attacks at all layers, in particular the network layer, because most
MANET routing protocols are designed on the assumption that no malicious intruder
node is present in the network. An Intrusion Detection and Prevention System (IDPS)
is one of the defence mechanisms for protecting a MANET against the variety of
attacks made possible by its dynamic topology, lack of centralized control, limited
physical security and energy-constrained operation.

MANET Features:

Light-weight autonomous terminal: each mobile node may act as both host and router.

Distributed operations: because there is no fixed network for control and
management, these operations are distributed among the terminals.

Multi-hop routing: packets are delivered via one or more intermediate nodes.

Dynamic network topology: as the network changes rapidly, the mobile nodes
dynamically establish routing among themselves.

Security Issues of MANET

MANETs are easily attacked because of the absence of centralized control, the
unguarded and dynamically changing routing medium, and the lack of a well-defined
network boundary; mechanisms such as firewalls are therefore not applicable, which
weakens security, reliability and quality of service.

Two approaches to protecting mobile ad hoc networks:

a) Reactive approach: look for and detect security threats, then react
accordingly.
b) Proactive approach: try to prevent an attacker from launching attacks, using
various cryptographic techniques.

Classification of Attacks on MANET


Many types of attack can be performed on a MANET.

Figure 1: Classification of Network Layer attacks in MANET

Passive attack: the attacker does not disturb the operation of the routing protocol
but attempts to obtain valuable information through traffic analysis.
Eavesdropping: because of the wireless links in MANETs, a message sent by a node can
be heard by every device equipped with a transceiver within radio range; if no
encryption is used, the attacker can obtain useful information.
Routing attacks: both reactive and proactive routing protocols are vulnerable to
routing attacks.
Sleep deprivation attack: sleep deprivation (SD) is a distributed denial-of-service
attack in which an attacker interacts with a node in a manner that appears
legitimate, but where the purpose of the interaction is to keep the victim node out
of its power-conserving sleep mode.
Black hole attack: the intruder succeeds in becoming part of many routes in the
network and, once chosen as an intermediate node, drops the packets instead of
forwarding or processing them, creating a black hole (BH) in the network.
Grey hole attack: a grey hole attack (GH) is a special case of the BH attack in
which the intruder first captures routes, i.e. becomes part of routes in the network
(as with the BH attack), and then drops packets selectively.
Sybil attack: each node in a MANET requires a unique address, through which it is
identified, in order to participate in routing. However, in a MANET there is no
central authority to verify these identities. An attacker can exploit this property
and send control packets under identities that cannot be verified.

IDS
An Intrusion Detection System (IDS) is a device or software application that
monitors network traffic for suspicious activity; if a deviation from normal
behaviour occurs, it alerts the system or network administrator. An IDS is software
that automates the intrusion detection process; its primary responsibility is to
detect unwanted and malicious activity. An Intrusion Prevention System (IPS) is
software that has all the capabilities of an intrusion detection system and can also
attempt to stop possible incidents.

Figure 2 : Basic Structure of IDS

IDS Techniques for MANET


Based on the detection technique used to trigger alarms, there are three main
categories of IDS operation:

1) Signature-based detection (misuse detection model, knowledge-based intrusion
detection)
Knowledge-based intrusion detection (KBID) systems maintain a knowledge base that
contains signatures or patterns of well-known attacks and look for these patterns in
an attempt to detect them. In other words, KBID systems have knowledge about specific
attacks and look for attempts to use them. A KBID system triggers an alarm when such
an attempt is detected: a signature-based IDS maintains a database of signature
patterns of known attacks and generates an alarm whenever a fingerprint or signature
pattern is matched.
Drawback: difficulty in gathering signatures and keeping them up to date; unknown
attacks cannot be detected.

2) Anomaly-based detection (profile-based detection)
Anomaly-based intrusion detection (ABID) systems flag as anomalous any observed
activity that deviates significantly from the normal profile. ABID systems are also
known as behaviour-based intrusion detection: a model of the normal behaviour of the
network is extracted, and this model is then compared with the current behaviour of
the network to detect intrusions.
Advantage: able to detect previously unknown attacks and insider attacks, without
the need for signatures.
Drawback: generates a large number of false positive alarms, because legitimate
activity can also deviate from the profile.

3) Specification-based detection
Specification-based intrusion detection systems (SBIDs) first explicitly define
specifications as a set of constraints, and then use these specifications to monitor
the routing protocol or network layer operations in order to detect attacks. The
first step extracts the specifications, which define the correct operation of (for
example) the network or MAC layer protocol through a set of constraints. The system
then monitors the execution of the protocol with respect to the given specification,
and deviations from the specification are treated as intrusions.
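As an added example (not part of this assignment), the following Python sketch combines the anomaly-based and specification-based ideas above to detect the black hole and grey hole attacks described earlier. It assumes a watchdog mechanism in which a node listens promiscuously for its neighbours' retransmissions of the packets it handed them; the node names, trusted set and observations are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed watchdog observations: (neighbour, packet_id, forwarded).
# A and E are normal (a few collision losses), B drops every packet
# (black hole), C drops every third packet (grey hole), D is rarely seen.
def _obs(node, count, drop_if):
    return [(node, f"{node}-{i}", not drop_if(i)) for i in range(count)]

OBSERVATIONS = (
    _obs("A", 40, lambda i: i in (7, 23))
    + _obs("E", 40, lambda i: i == 11)
    + _obs("B", 30, lambda i: True)
    + _obs("C", 30, lambda i: i % 3 == 0)
    + _obs("D", 3, lambda i: False)
)

def drop_counts(observations):
    """Per-neighbour (dropped, total) counts from watchdog observations."""
    counts = defaultdict(lambda: [0, 0])
    for node, _pkt, forwarded in observations:
        counts[node][1] += 1
        if not forwarded:
            counts[node][0] += 1
    return {n: (d, t) for n, (d, t) in counts.items()}

def anomaly_threshold(observations, trusted, k=3.0, floor=0.1):
    """Anomaly-based step: learn the normal drop ratio from trusted
    neighbours and tolerate k standard deviations above its mean; the
    floor absorbs ordinary collision losses (a false-positive source)."""
    ratios = [d / t for n, (d, t) in drop_counts(observations).items()
              if n in trusted]
    return max(floor, mean(ratios) + k * pstdev(ratios))

def classify(observations, threshold, min_samples=10):
    """Verdict per neighbour: a specification rule (a forwarder must
    retransmit every packet it accepted) plus the learned profile."""
    verdicts = {}
    for node, (dropped, total) in drop_counts(observations).items():
        if total < min_samples:
            verdicts[node] = "insufficient-data"  # too few observations
        elif dropped == total:
            verdicts[node] = "black-hole"  # drops everything it accepts
        elif dropped / total > threshold:
            verdicts[node] = "grey-hole"  # selective dropping
        else:
            verdicts[node] = "normal"
    return verdicts
```

Calling `classify(OBSERVATIONS, anomaly_threshold(OBSERVATIONS, {"A", "E"}))` flags B as a black hole and C as a grey hole while withholding judgement on D, which shows why a minimum sample count matters before accusing a neighbour.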

Intrusion Detection and Prevention Systems (IDPS)


An IDPS is primarily used to identify possible incidents, log information about
them, report them to security administrators and attempt to stop them. IDPSes are
also used for other purposes, such as identifying problems with security policies,
documenting existing threats, and deterring individuals from violating security
policies. An intrusion detection and prevention system (IDPS) is software that has
all the capabilities of an intrusion detection system and can also attempt to stop
possible incidents. An IDS can be categorized as network-based, which performs
packet analysis at the boundaries of a network, or host-based, which identifies
intrusions on a host machine.

Challenges of Intrusion Detection Systems in MANETs

Intrusion detection in MANETs is more complex and challenging than in fixed
networks. In fixed networks, traffic is monitored at network gateways, whereas in an
infrastructure-less MANET a node can only observe other nodes within its radio
range; attackers outside this radio range can therefore escape easily. Consequently,
the network-based IDS (NIDS) proposals used in fixed networks are not directly
implementable in MANETs.
Attacks in MANETs also differ from those in fixed networks, and therefore most
detection methods used in fixed networks are not directly applicable; hence
researchers have considered both alterations to existing techniques and the
introduction of new methods for intrusion detection.
SURYA K R
S2 ES, 23
VAST
