
Cross-Layer Intrusion Detection in Mobile Ad Hoc Networks – A Survey

Vivek Ojha, Anurag Pandey and Hariom Yadav

Computer Science 3rd year
Ideal Institute Of Technology, Ghaziabad

Outline Of The Presentation

1. Introduction
2. Classification Of Intrusion Detection Schemes
3. Rule Based Intrusion Detection Schemes
4. Anomaly Based Intrusion Detection Schemes
5. Summary Of Cross Layer Information Exchange Between Layers
6. Suggestions For Future Work
7. References

Introduction

• A MANET is a collection of wireless mobile nodes that are capable of communicating with each other without the use of network infrastructure or any centralized administration.

• In addition to the wide range of attacks that are similar to the ones performed in wired networks, mobility, limited bandwidth and limited battery life present opportunities for launching novel attacks.

Layering in the protocol stack, as is done in OSI, has two disadvantages:

• first, it is inflexible, and
• second, it may not offer an optimal solution.

Layers in a wireless network must coordinate and adapt to changes in the state of the wireless network.

The cross-layer design of the protocol stack enables layers to exchange state information in order to adapt to changes in the state of the wireless network.

The sharing of network information amongst layers enables each layer to have a global picture of the constraints and characteristics of the network.

Adapting to the changing state of the network leads to better coordination amongst layers and enables them to take decisions that jointly optimize the performance of the network.

Classification Of Intrusion Detection Schemes

These schemes can be classified on a number of parameters, such as:

• approach of intrusion detection (anomaly detection or rule-based detection)
• structure (centralized or decentralized)
• audit source (host-based or network-based), and so on

Rule Based Intrusion Detection Schemes

1. Scheme proposed by Geethapriya Thamilarasu, Arun Balasubramanium, Sumita Mishra, Ramalingam Sridhar

They consider packet dropping and packet misdirection attacks at the network layer, attempt to get closer to the node causing collisions at the link layer, and take sufficient precaution not to treat a node with a low battery signal as a misbehaving node.

By simulating the above-mentioned attacks and using a cross-layer approach, it has been shown that it is possible to detect the misbehaving node with low false alarms.

Layer: Physical
Information provided by the layer to IDS: Battery (energy) level
Layer used by: Routing layer of neighboring nodes
Action taken by IDS: If the battery level falls below a value required for normal operation of the node, broadcast a message that the node cannot participate in normal functioning due to low energy level. Such a node may be able to receive messages, but will not transmit new messages nor participate in forwarding messages.

Layer: Link layer
Information provided by the layer to IDS: 1. Collision while transmitting a message
Layer used by: Link layer
Action taken by IDS:
• The transmitting node selects a node within its transmission range as "monitor".
• The "monitor" node submits a list (known as a hit list) of possible defaulters for causing the collision to the transmitting node.
• The transmitting node computes a list of nodes which occur frequently in the above hit lists.

Information provided by link layer to Intrusion detection module of that node:

1. Any node, while transmitting a message to another node, cannot detect collisions, if any, with its ongoing transmission. In this scheme, every sender node selects another node within its transmission range to monitor collision(s) and pass on a list of suspected nodes which could have caused this collision to the packets sent by this sender node.

2. In addition to this, the link layer provides information regarding available buffer space at that node. A node is supposed to respond to RREQs only if sufficient buffer space is there.

Information provided by routing layer to Intrusion detection module of that node:

Nodes with suspicious activities of packet dropping and/or packet misdirection are observed at the routing layer.

In this scheme, precaution is taken that packet drops due to genuine reasons, such as lack of buffer space at the link layer or low battery power, are not considered misbehavior.

However, if neither of these two conditions is satisfied and the node is consistently dropping packets, then it is termed misbehavior.
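
The hit-list aggregation at the link layer and the routing-layer drop rule described above can be sketched as follows. This is an added example, not code from the surveyed paper; the thresholds, field names, node ids and sample observations are all assumptions constructed for illustration.

```python
from collections import Counter

# Assumed thresholds (not taken from the surveyed paper).
MIN_BATTERY = 0.15      # fraction of charge needed for normal operation
MIN_FREE_BUFFERS = 2    # free link-layer buffers needed to accept traffic
DROP_RATIO = 0.5        # drop ratio that marks a window as "dropping"
MIN_BAD_WINDOWS = 3     # unexcused windows needed to call it consistent


def collision_suspects(hit_lists, min_share=0.5):
    """Nodes named in at least min_share of the monitors' hit lists."""
    counts = Counter(n for hl in hit_lists for n in set(hl))
    need = min_share * len(hit_lists)
    return sorted(n for n, c in counts.items() if c >= need)


def unexcused_drop_windows(windows):
    """Count windows with heavy dropping and no genuine cross-layer excuse."""
    bad = 0
    for w in windows:
        if w["received"] == 0:
            continue  # nothing to forward, nothing to judge
        dropping = 1 - w["forwarded"] / w["received"] >= DROP_RATIO
        low_battery = w["battery"] < MIN_BATTERY           # physical layer
        no_buffer = w["free_buffers"] < MIN_FREE_BUFFERS   # link layer
        if dropping and not (low_battery or no_buffer):
            bad += 1
    return bad


def is_misbehaving(windows):
    """Routing-layer verdict: consistent dropping with no excuse."""
    return unexcused_drop_windows(windows) >= MIN_BAD_WINDOWS


# Constructed observations: one dict per monitoring window per neighbor.
OBSERVATIONS = {
    "n3": [dict(received=20, forwarded=4, battery=0.8, free_buffers=6)] * 4,
    "n5": [dict(received=20, forwarded=3, battery=0.05, free_buffers=6)] * 4,
    "n7": [dict(received=20, forwarded=5, battery=0.7, free_buffers=0)] * 4,
    "n9": [dict(received=20, forwarded=19, battery=0.6, free_buffers=5)] * 4,
}
# Constructed hit lists returned by four "monitor" nodes.
HIT_LISTS = [["n3", "n7"], ["n3"], ["n3", "n9"], ["n5", "n3"]]

if __name__ == "__main__":
    for node, wins in OBSERVATIONS.items():
        print(node, "misbehaving" if is_misbehaving(wins) else "ok")
    print("collision suspects:", collision_suspects(HIT_LISTS))
```

Nodes n5 and n7 drop as heavily as n3 but are excused by the physical-layer and link-layer reports respectively, which is the false-alarm reduction the cross-layer exchange is meant to provide.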

This scheme has to be extended to:

(i) adapt to other routing protocols like AODV, DSDV, OLSR, TBRPF, and so on.

(ii) express packet drop due to poor channel conditions leading to scattering, path loss and reflection, in a measurable mathematical form.

(iii) generate a suitable intrusion response.

(iv) allow measurement of congestion on the basis of the product of the time for which a packet remains in the buffer and the number of packets in the buffer, rather than the amount of free buffer space available.

2. Scheme proposed by Jarmo V.E. Molsa

Two cross-layer designs have been proposed to mitigate the range attack, which is a new type of DoS attack.

An attacker, by getting very close (physically) to the attacked node, changes the properties of its antenna in one of two ways, giving the two types of range attack:

• the attenuating range attack
• the amplifying range attack

These types of attack persist for a short period of time but may be repeated at regular or irregular intervals.

The routing layer and the MAC layer have at least the following overlapping features regarding the range attack:

• Both layers may have different requirements for bi-directionality.
• Both layers can implement tests for bi-directionality.
• Both layers can implement acknowledgement of transmitted messages.
• Both layers can detect disconnected links.

All these features should be coordinated, and a cross-layer design is one possibility for this.

3. Scheme proposed by Svetlana Radosavac, John S. Baras, Nassir Benammar

In this paper the focus is on DoS attacks which aim to partition the network. Attack detection is based on modeling the MAC protocol (IEEE 802.11) using Extended Finite State Machines (EFSM) and then validating communication patterns in the network against the modeled MAC behavior.

In this paper only the IEEE 802.11 protocol of the MAC layer has been modeled using EFSM.

Further, the MAC layer passes information regarding congestion and interference to the routing layer.

Since both these layers communicate with the IDS as well, the IDS will make sure that the selected route does not contain malicious nodes.

The goal of this scheme is to maximize the probability of detection while keeping intrusion detection time and the number of false alarms to a minimum.

Table: Summary of EFSM scheme by Svetlana Radosavac.

4. Scheme proposed by Yongjin Kim, Ahmed Helmy

In this scheme, traceback of a DoS/DDoS attacker victimizing a particular node by sending a large number of packets is done by cooperation at the MAC and network layers. It is observed that DoS/DDoS attacks victimizing a node with a large number of packets have the following properties: (1) High traffic volume during the attack period. (2) Attackers disguise their location by using spoofed addresses. (3) Such attacks may last for short or long periods.

5. Scheme proposed by Jim Parker, Anand Patwardhan, Anupam Joshi

In this scheme, the authors suggest that an intelligent attacker might intrude at more than one layer simultaneously. Thus detection at one layer may not suffice to identify an attacker. The authors showed by simulation that packet dropping at the routing layer and/or excessive RTS packet generation (demanding excessive bandwidth) at the MAC layer simultaneously could reduce the throughput of the network drastically.

Anomaly-Based Intrusion Detection Schemes

Scheme proposed by Yu Liu, Yang Li, Hong Man.

This is a rule-based data mining anomaly detection technique to detect MAC and routing layer attacks on ad hoc networks. In general, anomaly detection techniques are prone to high false positive rates, and require sizable computational capacity and therefore energy consumption.

In this scheme a rule-based data mining technique, the Apriori algorithm, is used to find association patterns (rules) from audit data. Since the algorithm produces a large number of rules, these are further pruned by using the maximal frequent itemset (MFI) criteria.
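
The Apriori search and the MFI pruning step described above, as an added example that is not code from the surveyed paper. It mines frequent itemsets only (no confidence-based rule generation); the feature names, audit records and support threshold are constructed assumptions.

```python
from itertools import combinations


def apriori(transactions, min_support):
    """Return {itemset: support_count} for every frequent itemset."""
    n_min = min_support * len(transactions)
    level = {frozenset([i]) for t in transactions for i in t}
    frequent, k = {}, 1
    while level:
        counts = {c: sum(1 for t in transactions if c <= t) for c in level}
        current = {c: n for c, n in counts.items() if n >= n_min}
        frequent.update(current)
        k += 1
        # Join step: unions of frequent (k-1)-itemsets that have size k ...
        level = {a | b for a in current for b in current if len(a | b) == k}
        # ... kept only if every (k-1)-subset is frequent (Apriori property).
        level = {c for c in level
                 if all(frozenset(s) in current
                        for s in combinations(c, k - 1))}
    return frequent


def maximal_frequent(frequent):
    """MFI pruning: keep itemsets with no frequent proper superset."""
    return {s: n for s, n in frequent.items()
            if not any(s < other for other in frequent)}


# Constructed audit records: discretized MAC and routing features per window.
AUDIT = [frozenset(r) for r in [
    {"rts=high", "retries=high", "route_errors=high"},
    {"rts=high", "retries=high", "route_errors=high"},
    {"rts=high", "retries=high", "route_errors=low"},
    {"rts=low", "retries=low", "route_errors=low"},
    {"rts=low", "retries=low", "route_errors=low"},
    {"rts=high", "retries=high", "route_errors=high"},
]]

if __name__ == "__main__":
    freq = apriori(AUDIT, min_support=0.5)
    print(len(freq), "frequent itemsets before pruning")
    for itemset, n in maximal_frequent(freq).items():
        print(sorted(itemset), "support", n)
```

On this sample, eight frequent itemsets collapse to two maximal ones, which shows why the pruning keeps the pattern set small enough for a resource-limited node.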

Summary Of Cross Layer Information Exchange Between Layers

Below we present a summary of the cross-layer information exchanged amongst layers and the purpose for which such information is used in the papers described above.

Layers: MAC layer to Routing Layer
Information passed on to receiving layer:
1. Collision & interference info so that the routing layer does not select routes through such links.
2. Buffer space available at link layer; node to accept a RREQ only if a sufficient number of buffers at link layer are available.
3. MAC address of previous hop to be paired with so that node sending a large number of messages to victim node can be traced back.
4. Both MAC and routing layers share information such that only bi-directional links are used as required in IEEE 802.11 protocol.
In paper (reference number):
1. Svetlana Radosavac et al. [5] [6]
2. Geethapriya et al. [1]
3. Yongjin Kim et al. [2]
4. Two papers: a. Svetlana Radosavac et al. [5] [6]; b. Jarmo V.E. Molsa [3]

Layers: TCP layer to Application layer
Information passed on to receiving layer: Acknowledgement of TCP layer shared with application layer so that the application does not send time-sensitive data to the TCP layer when previous messages have not been cleared.
In paper (reference number): 1. Jarmo V.E. Molsa [3]

Layers: Physical layer to routing layer
Information passed on to receiving layer: Low energy level for transmission of messages by a node. This node should broadcast a "low energy message" to its neighbors.
In paper (reference number): Geethapriya et al. [1]

Suggestions for Further Work

A good cross-layer IDS should have the following characteristics:

1. Low overhead: Time required for monitoring activities should be a small percentage so that nodes utilize most of their time in normal operations.
2. Low false positives: The number of times a good node is declared a bad node should be very small.
3. Low false negatives: The number of times a bad node is not detected by the IDS should be very small.
4. Low detection time: Whatever the overall architecture of the system (hierarchical, cooperative, distributed and so on), a bad node must be detected fast and an appropriate response should be generated for it.
5. Should cater to a large variety of attacks: No known attack should go undetected, and it should be able to detect any unknown attack.
6. Should cater to a large variety of protocols used at different layers of the protocol stack.

References
[1] Geethapriya Thamilarasu, Arun Balasubramanium, Sumita
Mishra, Ramalingam Sridhar; “A Cross-Layer based Intrusion
Detection Approach for Wireless Ad hoc Networks” International
Workshop on Wireless Sensor Networks and Security with IEEE
MASS 2005.
[2] Yongjin Kim, Ahmed Helmy; “Attacker Traceback and
Countermeasure with Cross-layer Monitoring in Wireless Multi-
hop Networks” IEEE-INFOCOM, April 2006
[3] Jarmo V.E. Molsa; “Cross layer Designs for Mitigating Range
Attacks in Ad Hoc Networks” Proceedings of the IASTED
(International Association of Science and Technology for
Development) International Conference on Parallel and
Distributed Computing and Networks, Innsbruck, Austria, Feb.
2006, pp. 64-69.
[4] Jarmo Molsa; “Mitigating Denial of Service Attacks in
Computer Networks”, Doctoral Dissertation, 2006, Helsinki
University of Technology, Department of Electrical and
Communications Engineering.
[5] Svetlana Radosavac, Nassir Benammar, John S. Baras;
“Cross-layer attacks in wireless ad hoc networks” Proceedings of
38th Conference on Information Sciences and Systems,
Princeton University, March 17-19 2004.
[6] John S. Baras and Svetlana Radosavac; “Attacks &
Defenses Utilizing Cross-Layer Interactions in MANET”
NATO Cross-Layer Workshop, NRL, June 2-3, 2004.
[7] Yu Liu, Yang Li, Hong Man; “Short Paper: A Distributed
Cross-Layer Intrusion Detection System for Ad Hoc
Networks” First International Conference on security and
privacy for Emerging areas in Communications Network
(Securecomm Sept. 2005 pages 418-420)
[8] Yu Liu, Yang Li and Hong Man “MAC Layer Anomaly
Detection Ad Hoc Networks” 6th IEEE Information
Assurance Workshop, June 17, 2005
[9] S.Marti, T.J. Giuli, K. Lai, and M. Baker “Mitigating
Routing Misbehavior in Mobile Ad Hoc Networks” In
Proceedings of MOBICOM 2000, pages 255-265, 2000.
[10] Jim Parker, Anand Patwardhan, Anupam Joshi; “Cross-
layer Analysis for Detecting Wireless Misbehavior”, In IEEE
CCNC 2006 proceedings.

Thank You
