
(IJCSIS) International Journal of Computer Science and Information Security,

Vol. 9, No. 2, 2011


S. Thirumal, M.C.A., M.Phil.,
Assistant Professor,
Department of Computer Science,
Arignar Anna Government Arts College,
Cheyyar, Tiruvannamalai District - 604 407

Dr. V. Saravanan, M.C.A., M.Phil., Ph.D.,
Professor and Director,
Department of Computer Applications,
Dr. N.G.P Institute of Technology,
1st Dr.N.G.P-Kallapatti Road, Coimbatore - 641 048.

Abstract—Mobile Adhoc Network (MANET) is a collection of independent mobile nodes that can communicate with each other via radio waves. The mobile nodes that are in range of each other can directly communicate, whereas others need the aid of intermediate nodes to route their packets. These networks are fully distributed and can work at any place without the help of any infrastructure. This property makes these networks highly flexible and robust. Intrusion Detection System (IDS) is an integral part of any Mobile Ad-hoc Network (MANET). It is very important for IDS to function properly for the efficient functioning of a MANET. In this paper I evaluate the Co-Operative game theory approach for intrusion detection in MANET by comparing it with the other existing approaches. My evaluation is concentrated both on intrusion in the application layer and in the network layer. Network simulator NS-2.34 is used for the simulation of the intrusions in a grid network.

A mobile ad hoc network is defined as a collection of mobile platforms or nodes where each node is free to move about arbitrarily. Each node logically consists of a router that may have multiple hosts and that also may have multiple wireless communication devices. The vision of mobile ad hoc networking is to support robust and efficient operation in mobile wireless networks by incorporating routing functionality into mobile nodes. Such networks are envisioned to have dynamic, sometimes rapidly-changing, random, multi hop topologies which are likely composed of relatively bandwidth-constrained wireless links. A MANET may be susceptible to varying degrees of intrusion that include passive eavesdropping, broadcasting of false routing information, disrupting traffic flow, etc. The nodes in the network have to cooperate in analyzing the intrusion in MANET. Thus a cooperative Intrusion Detection System as shown in Figure 1.1 is needed to detect any possible intrusions that occur in the network and generate an appropriate action.

Fig 1.1 Grid Architecture Model.

In this paper, the performance of the Cooperative Game Theory that uses the Shapley value algorithm to analyze the contribution of each node in detecting the intrusion is evaluated and compared with the Anomaly detection approach. This ID will constantly monitor the network and report the unusual behavior of the network back to the head nodes. It will detect the unusual behavior at the application layer and at the network layer. An aggregate function that computes the severity of the attack based on the values reported by the nodes is introduced. The appropriate measure is taken based on the value of the aggregation function.

Many papers have been submitted earlier on detecting and analyzing intrusions in MANET. Also, some have proposed a game theoretic approach for monitoring intrusions. A few of them are mentioned below.

"A Cooperative Approach for Analyzing Intrusions in Mobile Ad hoc Networks" by Otrok, H., Debbabi, M., Assi, C. and Bhattacharya, P. (Concordia Univ., Montreal) considers the problem of reducing the number of false positives generated by cooperative intrusion detection systems (IDSs) in mobile ad hoc networks (MANETs). They define a flexible scheme using security classes, where an IDS is able to operate in different modes at each security class. This scheme helps in minimizing false alarms and informing the prevention system accurately about the severity of an intrusion. Shapley value is used to formally express the cooperation among all the nodes.

"A Game Theoretic Formulation for Intrusion Detection in Mobile Ad Hoc Networks" by Animesh Patcha and Jung-Min Park presents a game-theoretic model to analyze intrusion detection in mobile ad hoc networks. The authors use game theory to model the interactions between the nodes of an ad hoc network. They view the interaction between an attacker and an individual node as a two player non-cooperative game, and construct models for such a game.

"A Moderate to Robust Game Theoretical Model for Intrusion Detection in MANETs" by Hadi Otrok formalized a nonzero-sum noncooperative game theoretical model that takes into consideration the tradeoff between security and IDS resource consumption. The game solution will guide the leader-IDS to find the right moment for notifying the victim node to launch its IDS once the security risk is high enough. To achieve this goal, the Bayesian game theory is used to analyze the interaction between the leader-IDS and intruder with incomplete information about the intruder. By solving such a game, the authors are able to find the threshold value for notifying the victim node to launch its IDS once the probability of attack exceeds that value. Simulation results show that their scheme can effectively reduce the IDS resource consumption without sacrificing security.

Agah et al [4] suggested a game theoretic framework for defending nodes in a sensor network. Three schemes of defense are designed. In the first scheme the authors formulate the attack-defense problem as a two-player, nonzero-sum, noncooperative game between an attacker and a sensor network. It is shown that this game achieves Nash equilibrium, thus leading to a defense strategy for the network. In the second scheme they use a Markov decision process to predict the most vulnerable sensor node. In the third scheme they use an intuitive metric (node's traffic) and protect the node with the highest value of this metric.

All the above work focuses on IDS in a mobile ad hoc network at the network layer, whereas the cooperative game theory approach goes one step further and tries to provide an IDS system using a cross layer approach. In my work both application layer and network layer information are considered to provide IDS. At the application layer a grid architecture proposed by Vetriselvi et al [5] is considered, where the game theoretic approach to provide security to this architecture is included.

Existing system:

Mobile Ad hoc Networks are wireless networks that lack infrastructure. They are vulnerable to attacks. Intrusion attacks are of particular interest and concern to the nodes, because they seek to render target systems inoperable. Many schemes have evolved to detect the attack, but we can’t prevent the nodes from attack properly.

Packet dropping: This approach is presented using estimated congestion at intermediate nodes to decide if the intermediate node is not forwarding packets at the desired rate because of congestion or because of malicious behavior. It is unclear how statistical anomaly detection will succeed in the wireless domain, since it is a challenging one because of dynamic decentralization and a lack of concentration points where aggregated traffic can be analyzed.

Selfish nodes: The cooperative enforcement mechanism is based on a monitoring system, where the goal of this model is to detect selfish nodes and enforce them to cooperate. Each node keeps track of other nodes’ cooperation using reputation as the cooperation metric. The system ensures that misbehaving nodes are punished by gradually stopping communication services and provides incentives for nodes, in the form of reputation, to cooperate. Reputation is calculated from information provided by other nodes involved in each operation; even then we can’t stop the attack nodes, and it is also less stable.

Anomaly detection: If an anomaly is detected with weak evidence, because it uses a single layer of cluster heads, a global detection process is initiated for further investigation about the intrusion through a secure channel. The limitations and drawbacks of this model are performance penalties and false alarm rates.

Defending node: In a game theoretic framework for defending nodes, we use three schemes in a sensor network. In the first scheme the authors formulate the attack-defense problem as a two-player, nonzero-sum, noncooperative game between an attacker and a sensor network. It is shown that this game achieves Nash equilibrium, thus leading to a defense strategy for the network. In the second scheme they use a Markov decision process to predict the most vulnerable sensor node. In the third scheme they use an intuitive metric (node's traffic) and protect the node with the highest value of this metric.

II. DESIGN AND WORKING OF THE GAME THEORY BASED IDS

A. The Grid Architecture

Heterogeneity of the mobile devices can be integrated to form an infrastructure known as a grid. A grid by definition is a system that coordinates resources that are not subject to centralized control. A grid consists of three categories of nodes: Consumer node (CN), a node which requests a service; Service Provider node (SPN), a node which processes the service requested by the CN; and Grid Head node (GHN), a node which coordinates all the nodes in its grid. The GHN is responsible for the allotment of an appropriate service provider node to a node requesting a particular service, based on parameters such as cost, service time, etc. VetriSelvi et al [5] have suggested a grid architecture that efficiently makes use of heterogeneous resources in an ad hoc network. A trace based mobility model is used to handle the movement of the nodes. The Trace Based Mobility Model (TBMM) captures the regularity in movement as a movement pattern. The nodes that are going to communicate exchange this trace information, which provides the position of the destination and its associated stability time. With the help of the trace information as well as the resource information, appropriate service is provided to consumer nodes.

217 http://sites.google.com/site/ijcsis/
ISSN 1947-5500
Grid Formation and GHN Election

Any SPN has the privilege to contest for the grid head. A SPN starts sending ‘Hello’ messages to all the nodes within its hop limit. A hop limit is specified so as to keep a check on the number of nodes in a particular grid and also the density of data traffic which will result due to this broadcasting of messages. The ‘Hello’ message contains the stability time of its sender and the hop count. On receiving a ‘Hello’ message, any SPN which currently does not have a head checks if the sender’s stability is greater than its own stability. If that is the case, it simply stops broadcasting its own ‘Hello’ messages and starts broadcasting the newly received message to all the nodes in its hop limit range after storing the stability of the sender as the ‘GHN stability’. If not, it simply discards the message and continues to broadcast its own ‘Hello’ message. After finding the GHN, it sends a ‘Grid join’ message to the GHN. If a SPN node is currently functioning under a grid head and receives a ‘Hello’ message, it checks to see if the sender’s stability is higher than its head’s stability and, if true, it starts broadcasting the newly received ‘Hello’ message after storing the stability as ‘GHN stability’. Any CN on receiving a ‘Hello’ message simply forwards it. All the nodes store the first two highest stability times that they have received through ‘Hello’ messages. The node with the second highest stability is appointed as the ‘Secondary head’ of the grid. Any node which gets elected as the GHN should periodically send ‘Hello’ messages to all the other nodes, and if it fails to do so, it is not considered to be alive by the other nodes and a reelection takes place.

Service Processing

Any SPN joining a grid submits resource parameters, stability, position, type of service, service cost, etc. to the GHN. A CN, while requesting a service, states the type of service required and the cost. The GHN maintains a Grid Maintenance Table (GMT), wherein it stores the status of all the SPNs under it: their service parameters and their availability. On finding a suitable SPN for the service, it refers the SPN id to the requesting CN and assigns a job id to this service. The CN then sends a ‘Service me’ message to the allotted SPN, which in turn completes the service and sends a ‘Done’ message to the CN and a ‘Comp’ message to the GHN indicating the completion of its assigned task. The CN sends an ‘ACK’ message to the GHN, acknowledging that it got the service completed by the SPN. The GHN now updates the SPN’s status in the GMT. However, if an appropriate SPN is unavailable at a particular instant for a CN, it sends a service denial message prompting the CN to try later for the service request.

Intrusions in Application Layer

In the paper, two probable intrusions in the application layer are considered: a grid head which itself is found to be malicious, and misbehaving service provider nodes.

1) Malicious GHN: A GHN sends a service busy / service denial message to a requesting CN if it does not find a suitable SPN. The CN keeps track of the count of the BUSY messages sent by the GHN. Once it exceeds a predefined threshold limit, the CN reports a ‘Bad Head’ message to the secondary head. Every time a service is being allotted to a SPN to a GHN, the SPN immediately sends a ‘busy’ message to the secondary head. Similarly, after the successful completion of service, the CN sends a ‘complete’ message to the secondary head. Thus the secondary head maintains the list of SPNs which are busy. When the secondary head receives the ‘Bad Head’ message from a CN, it checks if the SPNs are actually busy. If not, it generates a ‘Ban’ message and broadcasts it to all the nodes. On receiving this message, all the nodes discard that node, no longer have it as their GHN, and add that node’s address to a list of banned nodes that they maintain, after which a reelection takes place for contention to become the new grid head.

2) Misbehaving SPN: After being allotted a specific SPN for its service, a CN sends a ‘service me’ message to the SPN. A malicious SPN on receiving this message does only half the service required and reports completion of the service to both the GHN and the CN. On discovering that the service was not fully completed, the SPN generates a report to the GHN stating the essential parameters like the SPN’s id, job id, etc. The GHN increments its report count for the particular SPN node and waits till the count reaches a particular predefined limit, after which it checks the coalitions against the reported node. If it happens to be a winning coalition, the GHN adds the SPN to the list of banned nodes and broadcasts the message on to all other nodes in the network.

Intrusions in Network Layer

In the network layer, two highly probable intrusions caused by malicious nodes are proposed: flooding and flow disruption. Both of these intrusions are detected by the other nodes and a coalition is formed to report the intruder.

1) Flooding attack: A malicious node starts sending innumerable route request/route discovery messages to all the other nodes exhaustively. This affects the network bandwidth adversely and paralyses the network. This is resolved by using parameters like the number of control packets expected and received. For a certain time interval, the total number of control packets received is counted and checked against the threshold limit. If it is exceeded, then the GHN is notified of the possibility of the attack. The Grid Head then forms the coalition, calculates the attack value, checks whether it is a winning coalition and finds an intrusion.

2) Flow disruption attack: A malicious node targets a route between a particular source and destination node and starts sending junk route discovery messages to all the nodes in that particular route. Certain nodes are randomly identified as the target nodes by the attacker nodes. These attacker nodes are a few among the nodes which route data packets from and to the target nodes. When the ACK messages for the target nodes reach the attackers, they drop the packets instead of forwarding them. This causes the route between the particular source and destination to be broken, thereby disrupting the flow between a pair of targeted nodes. After a stipulated waiting time, the target nodes report to their grid head. On receiving the report, the grid head carries out the similar processing of checking for coalitions and spotting a winning coalition.
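The flooding check and the grid head's winning-coalition test described above, as an added example that is not code from the paper. The per-interval threshold, the reputation weights, the majority quota and the weighted-voting form of the game are assumptions, because the paper does not give its attack-value function; the sample observations are constructed.

```python
from collections import Counter
from itertools import combinations
from math import factorial

# Assumed values for illustration; the paper does not state its thresholds.
CONTROL_PKT_THRESHOLD = 5   # max control packets per sender per interval
QUOTA = 0.5                 # coalition wins with more than this share of weight

# Constructed sample: (observer, interval, sender) per control packet overheard.
OBSERVATIONS = ([("A", 0, "M")] * 8 + [("B", 0, "M")] * 7 +
                [("D", 0, "M")] * 3 + [("D", 1, "C")] * 6)
# Constructed reputation weights of the nodes in one grid.
WEIGHTS = {"A": 3, "B": 2, "C": 2, "D": 1, "M": 2}


def flood_reports(observations, threshold=CONTROL_PKT_THRESHOLD):
    """Node-side check: map each suspect to the observers that report it."""
    counts = Counter(observations)
    reports = {}
    for (observer, _interval, sender), seen in counts.items():
        if seen > threshold and observer != sender:
            reports.setdefault(sender, set()).add(observer)
    return reports


def is_winning(coalition, weights, quota=QUOTA):
    """A coalition wins when it holds more than `quota` of the total weight."""
    return sum(weights[n] for n in coalition) > quota * sum(weights.values())


def shapley(weights, quota=QUOTA):
    """Exact Shapley value of every node in the weighted voting game."""
    nodes = list(weights)
    n = len(nodes)
    phi = dict.fromkeys(nodes, 0.0)
    for node in nodes:
        others = [m for m in nodes if m != node]
        for k in range(n):
            coef = factorial(k) * factorial(n - k - 1) / factorial(n)
            for subset in combinations(others, k):
                # Marginal contribution is 1 when `node` turns a losing
                # coalition into a winning one, else 0.
                if (not is_winning(subset, weights, quota)
                        and is_winning(subset + (node,), weights, quota)):
                    phi[node] += coef
    return phi


def ghn_decide(observations, weights):
    """GHN-side check: ban a suspect only if its reporters form a winning
    coalition among the other nodes; return each reporter's Shapley share."""
    banned = {}
    for suspect, reporters in flood_reports(observations).items():
        voters = {n: w for n, w in weights.items() if n != suspect}
        if is_winning(reporters, voters):
            phi = shapley(voters)
            banned[suspect] = {r: round(phi[r], 3) for r in sorted(reporters)}
    return banned


if __name__ == "__main__":
    print(flood_reports(OBSERVATIONS))   # M reported by A and B, C only by D
    print(ghn_decide(OBSERVATIONS, WEIGHTS))
```

With these constructed inputs, M is banned on the reports of A and B, while D's lone report against C does not form a winning coalition and C stays in the grid.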


Fig 3.1 Block Diagram of Intrusion Detection

Simulation studies are carried out to evaluate the performance of IDS in grid architecture. For simulation the network simulator NS-2.34 is used.

NS or the network simulator (also popularly called ns-2, in reference to its current generation) is a discrete event network simulator. It is popularly used in the simulation of routing and multicast protocols, among others, and is heavily used in ad-hoc networking research. ns supports an array of popular network protocols, offering simulation results for wired and wireless networks alike. It can also be used as a limited-functionality network simulator. It is popular in academia for its extensibility (due to its open source model) and plentiful online documentation. However, modeling is a very complex task in ns-2, given the need to learn scripting, modeling etc. NS was built in C++ and provides a simulation interface through OTcl, an object-oriented dialect of Tcl. The user describes a network topology by writing OTcl scripts, and then the main NS program simulates that topology with specified

Table 4.1 Parameters for the simulation of IDS

Number of Nodes      50
Simulation Time      500 Seconds
Terrain Dimension    (1000,1000) meters
Mobility             Random Way Point model
Mac-Protocol         802.11
Routing Protocols    AODV

The performance is analyzed by increasing the number of reporters, increasing the service time, increasing the number of nodes in Grid Cluster and also the number of

Fig 4.1 Detection Efficiency vs No. of reporters

The above graph shows the performance evaluation of our proposed scheme compared to the existing system. As the number of reporters increases, the detection efficiency also increases.

Fig 4.2 Intrusion Detected vs Service Time

The graph shows the variation in the number of intrusions detected with the increase in service time.

Fig 4.3 Detection Rate of ID in malicious SPN attack

Fig 4.4 Detection Rate of ID in flow disruption attack.

The above graph 4.3 shows that our proposed scheme detects at a 0.98 efficiency rate in the malicious SPN attack. Graph 4.4 shows that our proposed scheme detects at a 0.91 efficiency rate in the flow disruption attack.

I have tested the performance of our system in both the network layer and the application layer with the underlying grid architecture, and in both cases the results have been positive. I have analyzed the simulation results and inferred that when more nodes participate to form coalitions, there are better chances of obtaining a good winning coalition, thereby enhancing the efficiency of detecting intrusions. Also, when the number of nodes in a grid is larger, the detection time is lesser. I have also deduced that when the service time is lesser, there are more intrusions detected. Also, intrusion detection systems remain efficient in detecting all attacks with a varying number of attackers. These detections are done by using the Shapley value concept of game theory. The nodes of a winning coalition are enabled to get an equal share of the total gain and hence increase their reputation. Our proposed system is more efficient in detection.

[1] A Cooperative Approach for Analyzing Intrusions in Mobile Ad hoc Networks by Otrok, H., Debbabi, M., Assi, C., Bhattacharya, P., Concordia Univ., Montreal, appeared in Distributed computing system workshop, 2007. ICDCSW '07, 27th International Conference on, 22-29 June 2007. Issue Date: 22-29 June 2007.
[2] A Game Theoretic Formulation for Intrusion Detection in Mobile Ad Hoc Networks by Animesh Patcha and Jung-Min Park, published in International Journal of Network Security, Vol.2, No.2, PP.131–137, Mar. 2006.
[3] A Moderate to Robust Game Theoretical Model for Intrusion Detection in MANETs by Hadi Otrok, Noman Mohammed, Lingyu Wang, Mourad Debbabi and Prabir Bhattacharya, published in IEEE International Conference on Wireless & Mobile Computing, Networking & Communication.
[4] Agah. A, Das. S and Basu. K, “Intrusion Detection in Sensor Networks: A Non-cooperative Game Approach”, Proc. 3rd IEEE International Symposium on Network Computing and Applications, IEEE press, 2004.
[5] VetriSelvi V, Shakir Sharfraz and Ranjani Parthasarathi (2007), “Mobile Ad Hoc Grid using Trace Based Mobility Model”, Proceedings of the International Conference on Grid and Pervasive Computing (GPC2007), Publisher: Springer-Verlag, LNCS 4459, France, May 2007, pp. 274-285.
[6] Xia Wang, “Intrusion Detection Techniques in Wireless Ad Hoc Networks”, IEEE 2006 - Proceedings of the 30th Annual International Computer Software and Applications Conference.
[7] Seema Bandyopadhyay and Subhajyoti Bandyopadhyay, “A Game Theoretic Analysis on the conditions of cooperation in a Wireless Ad hoc Network”, University of Florida, FL, USA, 2006.
