
Intrusion Detection using Anomaly Detection in Mobile Adhoc Network

#Keerthi Kumar P, #Manoj J, #Nithyanandhan M and #Mahesh Kumar N B, Member, IEEE
#Department of Computer Science and Engineering, #Bannari Amman Institute of Technology, Sathyamangalam

Abstract - In day-to-day use, mobile adhoc networks (MANETs) are not secure when they are constructed. Due to this, the network is subjected to attacks caused by intruders, via malicious nodes and the Man-In-The-Middle (MITM) attack. Detecting an intruder in a mobile adhoc network is difficult compared to normal networks. In this paper, we propose a new anomaly detection scheme to detect the malicious node in the network. In this scheme the training data are updated periodically. The training data include the transfer of control packets in the network. Each packet contains information about the neighbour nodes in the network. The malicious node can be identified with the help of the training data, and information regarding the presence of a malicious node in the network is sent to the sender. The NS2 simulator is used to simulate the mobile adhoc network.

Index Terms: Man in the middle attack, malicious node, Intrusion Detection System

1. Introduction

A mobile ad-hoc network is a self-organizing network. It consists of mobile nodes that are capable of communicating with each other without the help of fixed infrastructure. It is also flexible, in that nodes can join and leave a network easily. But this flexibility of mobile nodes results in a dynamic topology that makes it very difficult to develop secure ad-hoc routing protocols. Mobility, an advantage of wireless communication, gives the freedom of moving around while being connected to a network environment. Security being a serious issue, the nature of ad-hoc networks makes them extremely vulnerable to an adversary's malicious attacks. First of all, the use of wireless links renders a mobile ad-hoc network vulnerable to attacks of various types, the black hole attack being one of them.

2. Prior Work

2.1 Intrusion Detection System

Intrusion Detection Systems (IDS) are one of the main techniques used to counter security threats. Intrusion detection is the process of detecting an adversary and preventing its subsequent actions. IDS can be classified as Network-based and Host-based. Network-based IDS can be installed on data concentration points of a network such as switches and routers.

2.1.1 Data Routing Information

With AODV as the routing protocol, a mobile node that wishes to communicate with another node first broadcasts an RREQ message to find a fresh route to the desired destination node. This process is called route discovery [3]. Every neighbouring node that receives the RREQ broadcast first saves the path the RREQ was transmitted along to its routing table. It subsequently checks its routing table to see if it has a fresh enough route to the destination node provided in the RREQ message. Here the DRI technique is used to check whether there is past routing experience of sending packets received from the source node on to the destination node. Route discovery is a vulnerability of the AODV protocol.

2.1.2 Drawbacks

The first drawback is that mobile nodes have to maintain an extra database of past routing experiences in addition to the routine work of maintaining their routing table. It is evident that maintaining past routing experiences wastes memory space and consumes a significant amount of processing time, which contributes to slow communication.

The second drawback is over-consumption of limited bandwidth. Cross-checking the validity of routes contained in an RREP message from an intermediate node is implemented by sending a FREQ (Further Request) message to the next hop of that intermediate node. Sending additional FREQ messages consumes a significant amount of bandwidth from an already limited and precious resource.

The third drawback is the additional weakness of being unable to prevent attacks from multiple black hole nodes.

3. Related Work

3.1 Intrusion Detection using Anomaly detection

Our proposed technique (IDAD) uses a Host-based IDS schema because a Network-based IDS schema cannot be employed in mobile ad-hoc networks, where there is no central device that monitors traffic flow. IDAD assumes that every activity of a user or a system can be monitored and that the anomalous activities of an intruder can be distinguished from normal activities. Hence, by identifying the anomalous activities of an adversary, it is possible to detect a possible intrusion and isolate the adversary. To do so, IDAD needs to be provided with a pre-collected set of anomalous activities, called audit data. Once audit data is collected and given to the IDAD system, the system is able to compare every activity of a host with the audit data on the fly. If any activity of a host (node) resembles the activities listed in the audit data, the IDAD system isolates that node by forbidding further interaction. Furthermore, IDAD works on the principle of trusting no peer. This means mobile nodes do not rely on other nodes to prevent intrusions. In a black hole attack, a malicious node deceives source nodes by sending a fake RREP message.

The proposed technique consists of the following steps: Training, Anomaly detection, Intrusion Detection and Analysis.

3.1.1 Training

In this step, we get the training data by running the simulation without any attackers. The numbers of RREQ, RREP, and RERR packets that are sent or received by a particular node in the network are recorded in files every 25 msec. These training data are used for comparison with the number of control packets that are sent or received in the network under attack. If the number of control packets present in the network is higher, we can conclude that the network is under attack.

3.1.2 Anomaly Detection

The neighbour nodes in the network are detected by the routing protocol. AODV is the routing protocol that we use in this work. Principal component analysis is the method used to explore the correlations between the features. The comparison is done by analyzing the number of control packets transmitted or received in the network in the normal state and in the network with attackers.

3.1.3 Analysis

In this step the attacks are analyzed using graphs. If the analyzed data is not in the normal form, we discard it; otherwise we store the data in the training file.

4. Simulation Results

4.1 Training

Using ns2 we created five source nodes, five destination nodes and five intermediate nodes. In this module no attacker is involved. If any node wants to send packets, the source node first sends a route request to all intermediate nodes, and these are collected as request packets; the replies from the intermediate nodes are collected as reply packets, and error packets are collected as well. These three packet types are collectively called control packets. This count has been calculated for every node every 25 msec. Finally, the total number of control packets in the network without any attacker has been calculated, as shown in Figure 1.1.

Figure 1.1 Control packets without Attacker

4.2 Anomaly Detection

In this step an attack is involved. In the first step we found the total number of control packets without any attackers. In this step we created many malicious nodes (black holes). These nodes act as intermediate nodes. When any request comes, the malicious node immediately replies to the source node with the same time stamp as the request packet sent by the source node. The total number of request and reply packets now increases, which results in an increase in the total number of control packets. This has been noted every 25 msec. From this we find that a malicious node has entered the network. Finally, the control packets were analyzed, and a black hole occurs in the network as shown in Figure 1.2.

Figure 1.2 Control packets with attacker

5. Conclusion

In this paper, a new dynamic anomaly detection system for MANETs has been proposed. To enhance security in MANETs, which are vulnerable to attacks, robust learning methods against these attacks are required. To differentiate an attack state from the normal state, we have defined multidimensional features based on the characteristics of these attacks and utilized the projection distance using PCA based on statistical theory.

References
[1] Y.F. Alema and Z.C. Xuan, “Preventing Black Hole Attack in Mobile Ad-hoc Networks Using Anomaly Detection,” International Conference on Future Computer and Communications, vol. 3, pp. 672-676 (2010).
[2] P. Raj and P. Swadas, “A dynamic learning system against black hole attack in AODV based MANET,” IJCSI International Journal of Computer Science, vol. 2, pp. 54-59 (2009).
[3] H. Weerasinghe and H. Fu, “Preventing cooperative black hole attacks in mobile ad-hoc networks: simulation, implementation and evaluation,” International Journal of Software Engineering and Its Applications, vol. 2, no. 3, pp. 39-54 (2008).
[4] H. Deng, W. Li, and D. Agrawal, “Routing security in wireless adhoc network,” IEEE Communications Magazine, vol. 40, no. 10, pp. 70-75 (2002).
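
The detection loop of Sections 3.1.1 to 3.1.3 with the PCA projection distance named in the Conclusion, as an added Python example that is not the authors' code. The packet counts are constructed, and the threshold rule (largest distance seen in training) and the use of only the first principal axis are assumptions, since the paper does not state them.

```python
import math

# Constructed sample data: (RREQ, RREP, RERR) counts seen by one node per 25 ms window.
TRAIN = [(10, 5, 1), (12, 6, 1), (8, 4, 0), (14, 7, 2),
         (11, 5, 1), (9, 5, 1), (13, 6, 1), (10, 5, 0)]        # attacker-free run
OBSERVED = [(11, 6, 1), (11, 15, 1), (12, 18, 2), (12, 6, 1)]  # windows 1-2: RREP burst

def projection_distance(x, mu, axis):
    """Distance from x to the line through mu along the principal axis."""
    c = [a - b for a, b in zip(x, mu)]
    t = sum(a * b for a, b in zip(c, axis))
    return math.sqrt(sum((a - t * b) ** 2 for a, b in zip(c, axis)))

def fit(rows, iters=100):
    """Return (mean, first principal axis, threshold) for the baseline windows."""
    d, n = len(rows[0]), len(rows)
    mu = [sum(r[i] for r in rows) / n for i in range(d)]
    c = [[r[i] - mu[i] for i in range(d)] for r in rows]
    # Scatter matrix; its leading eigenvector is the first principal axis.
    s = [[sum(x[i] * x[j] for x in c) for j in range(d)] for i in range(d)]
    v = [1.0] * d
    for _ in range(iters):  # power iteration (assumes the baseline is not constant)
        w = [sum(s[i][j] * v[j] for j in range(d)) for i in range(d)]
        norm = math.sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    # Assumption: threshold = largest projection distance seen in training.
    thr = max(projection_distance(r, mu, v) for r in rows)
    return mu, v, thr

def monitor(train, observed):
    """Flag anomalous windows; fold normal ones back into the training data."""
    train = list(train)
    mu, axis, thr = fit(train)
    flagged = []
    for i, w in enumerate(observed):
        if projection_distance(w, mu, axis) > thr:
            flagged.append(i)            # not in normal form: discard
        else:
            train.append(w)              # normal: store in the training data
            mu, axis, thr = fit(train)   # periodic update of the baseline
    return flagged, train

if __name__ == "__main__":
    flagged, updated = monitor(TRAIN, OBSERVED)
    print("anomalous windows:", flagged, "training size:", len(updated))
```

In the baseline the RREP count tracks roughly half the RREQ count, so a window where replies outnumber requests falls far from the principal axis even though its total packet count is only moderately higher.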
